infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Moved railgun function definitions into central storage and out of individual modules where possible

unstable
Rob Fuller 2012-02-09 04:56:13 +00:00
parent 3d1c8ae383
commit 1f1e67cb16
10 changed files with 22 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
View File

@ -21,6 +21,17 @@ class Def_netapi32
["PDWORD","lpNameBugger","out"], ["PDWORD","lpNameBugger","out"],
["PDWORD","BufferType","out"] ["PDWORD","BufferType","out"]
]) ])
dll.add_function('NetServerEnum', 'DWORD',[
["PWCHAR","servername","in"],
["DWORD","level","in"],
["PDWORD","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
["DWORD","servertype","in"],
["PWCHAR","domain","in"],
["DWORD","resume_handle","inout"]
])
return dll return dll
end end

6
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb
View File

@ -18,6 +18,12 @@ class Def_ws2_32
["PDWORD","ppResult","out"] ["PDWORD","ppResult","out"]
]) ])
dll.add_function('gethostbyaddr', 'DWORD', [
['PCHAR', 'addr', 'in'],
['DWORD','len','in'],
['DWORD','type','in']
])
dll.add_function('WSAAccept', 'DWORD',[ dll.add_function('WSAAccept', 'DWORD',[
["DWORD","s","in"], ["DWORD","s","in"],
["PBLOB","addr","inout"], ["PBLOB","addr","inout"],

14
modules/post/windows/escalate/net_runtime_modify.rb
View File

@ -124,16 +124,10 @@ class Metasploit3 < Msf::Post
def init_railgun def init_railgun
begin begin
# load the dlls we need rg = session.railgun
if session.railgun.get_dll("advapi32").nil? if (!rg.get_dll('advapi32'))
print_status("Loading advapi.dll...") rg.add_dll('advapi32')
session.railgun.add_dll("advapi32", 'C:\\WINDOWS\\system32\\advapi32.dll') end
end
if session.railgun.advapi32.functions['DeleteService'].nil?
session.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[
[ "DWORD", "hService", "in" ]])
end
rescue Exception => e rescue Exception => e
print_error("Could not initalize railgun") print_error("Could not initalize railgun")
print_error("Railgun Error: #{e}") print_error("Railgun Error: #{e}")

5
modules/post/windows/escalate/service_permissions.rb
View File

@ -110,11 +110,6 @@ class Metasploit3 < Msf::Post
end end
#attempt to make new service #attempt to make new service
client.railgun.kernel32.LoadLibraryA("advapi32.dll")
client.railgun.get_dll('advapi32')
client.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[
[ "DWORD", "hService", "in" ]
])
#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config #SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config

12
modules/post/windows/gather/credentials/enum_picasa_pwds.rb
View File

@ -45,18 +45,6 @@ class Metasploit3 < Msf::Post
if (!rg.get_dll('crypt32')) if (!rg.get_dll('crypt32'))
rg.add_dll('crypt32') rg.add_dll('crypt32')
end end
if (!rg.crypt32.functions["CryptUnprotectData"])
rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [
["PBLOB","pDataIn", "in"],
["PWCHAR", "szDataDescr", "out"],
["PBLOB", "pOptionalEntropy", "in"],
["PDWORD", "pvReserved", "in"],
["PBLOB", "pPromptStruct", "in"],
["DWORD", "dwFlags", "in"],
["PBLOB", "pDataOut", "out"]
])
end
end end

12
modules/post/windows/gather/credentials/outlook.rb
View File

@ -41,18 +41,6 @@ class Metasploit3 < Msf::Post
if (!rg.get_dll('crypt32')) if (!rg.get_dll('crypt32'))
rg.add_dll('crypt32') rg.add_dll('crypt32')
end end
if (!rg.crypt32.functions["CryptUnprotectData"])
rg.add_function("crypt32", "CryptUnprotectData", "BOOL", [
["PBLOB","pDataIn", "in"],
["PWCHAR", "szDataDescr", "out"],
["PBLOB", "pOptionalEntropy", "in"],
["PDWORD", "pvReserved", "in"],
["PBLOB", "pPromptStruct", "in"],
["DWORD", "dwFlags", "in"],
["PBLOB", "pDataOut", "out"]
])
end
end end

26
modules/post/windows/gather/enum_domains.rb
View File

@ -25,32 +25,6 @@ class Metasploit3 < Msf::Post
end end
def run def run
#structure
=begin
NET_API_STATUS NetServerEnum(
__in_opt LPCWSTR servername,
__in DWORD level,
__out LPBYTE *bufptr,
__in DWORD prefmaxlen,
__out LPDWORD entriesread,
__out LPDWORD totalentries,
__in DWORD servertype,
__in_opt LPCWSTR domain,
__inout_opt LPDWORD resume_handle
);
=end
client.railgun.add_function('netapi32', 'NetServerEnum', 'DWORD',[
['PWCHAR','servername','in'],
['DWORD','level','in'],
['PDWORD','bufptr','out'],
['DWORD','prefmaxlen','in'],
['PDWORD','entriesread','out'],
['PDWORD','totalentries','out'],
['DWORD','servertype','in'],
['PWCHAR','domain','in'],
['PDWORD','resume_handle','inout']
])
domain_enum = 2147483648 # SV_TYPE_DOMAIN_ENUM = hex 80000000 domain_enum = 2147483648 # SV_TYPE_DOMAIN_ENUM = hex 80000000
buffersize = 500 buffersize = 500

6
modules/post/windows/gather/reverse_lookup.rb
View File

@ -53,12 +53,6 @@ class Metasploit3 < Msf::Post
end end
end end
#Initialize Railgun 'gethostbyaddr' call'
session.railgun.add_function('ws2_32', 'gethostbyaddr', 'DWORD', [
['PCHAR', 'addr', 'in'],
['DWORD','len','in'],
['DWORD','type','in']])
#Generates IP list based on RHOSTS - RangeWalker rocks.... #Generates IP list based on RHOSTS - RangeWalker rocks....
iplist = Rex::Socket::RangeWalker.new(datastore['RHOSTS']) iplist = Rex::Socket::RangeWalker.new(datastore['RHOSTS'])

41
modules/post/windows/recon/computer_browser_discovery.rb
View File

@ -68,47 +68,6 @@ class Metasploit3 < Msf::Post
### MAIN ### ### MAIN ###
client = session client = session
=begin
NET_API_STATUS NetUserEnum(
__in LPCWSTR servername,
__in DWORD level,
__in DWORD filter,
__out LPBYTE *bufptr,
__in DWORD prefmaxlen,
__out LPDWORD entriesread,
__out LPDWORD totalentries,
__inout LPDWORD resume_handle
);
client.railgun.add_function( 'netapi32', 'NetUserEnum', 'DWORD',[
["PWCHAR","servername","in"],
["DWORD","level","in"],
["DWORD","filter","in"],
["PDWORD","bufptr","out"],
["DWORD","prefmaxlen","in"],
["PDWORD","entriesread","out"],
["PDWORD","totalentries","out"],
["PDWORD","resume_handle","inout"]])
=end
client.railgun.add_function(
'netapi32', 'NetServerEnum', 'DWORD',
[
["PBLOB","servername","in"], ["DWORD","level","in"], ["PDWORD","bufptr","out"],
["DWORD","prefmaxlen","in"], ["PDWORD","entriesread","out"], ["PDWORD","totalentries","out"],
["DWORD","servertype","in"], ["PWCHAR","domain","in"], ["DWORD","resume_handle","inout"]
]
)
client.railgun.add_function(
'ws2_32', 'getaddrinfo', 'DWORD',
[
["PCHAR","pNodeName","in"], ["PCHAR","pServiceName","in"],
["PDWORD","pHints","in"], ["PDWORD","ppResult","out"]
]
)
domain = nil domain = nil
# Default = SV_TYPE_NT # Default = SV_TYPE_NT

1
modules/post/windows/recon/resolve_hostname.rb
View File

@ -28,7 +28,6 @@ class Metasploit3 < Msf::Post
def run def run
### MAIN ### ### MAIN ###
client.railgun.add_function( 'ws2_32', 'getaddrinfo', 'DWORD',[["PCHAR","pNodeName","in"],["PCHAR","pServiceName","in"],["PDWORD","pHints","in"],["PDWORD","ppResult","out"]])
if client.platform =~ /^x64/ if client.platform =~ /^x64/
size = 64 size = 64