diff --git a/modules/auxiliary/scanner/http/crawler.rb b/modules/auxiliary/scanner/http/crawler.rb
index 42fbc03cec..b78f3a820c 100644
--- a/modules/auxiliary/scanner/http/crawler.rb
+++ b/modules/auxiliary/scanner/http/crawler.rb
@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
 page.links
 end
 =end
-
+
 #
 # The main callback from the crawler
 #
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
 # - The path of any URL found by the crawler (web.uri, :path => page.path)
 # - The occurence of any form (web.form :path, :type (get|post|path_info), :params)
 #
- def crawler_process_page(t, page, cnt)
+ def crawler_process_page(t, page, cnt)
 msg = "[#{"%.5d" % cnt}/#{"%.5d" % max_page_count}] #{page.code || "ERR"} - #{@current_site.vhost} - #{page.url}"
 case page.code
 when 301,302
@@ -68,12 +68,12 @@ class Metasploit3 < Msf::Auxiliary
 else
 print_error(msg)
 end
-
+
 #
 # Process the web page
 #
- info = {
+ info = {
 :web_site => @current_site,
 :path => page.url.path,
 :query => page.url.query,
@@ -85,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary
 if page.headers['content-type']
 info[:ctype] = page.headers['content-type']
 end
-
+
 if page.headers['set-cookie']
 info[:cookie] = page.headers['set-cookie']
 end
@@ -97,34 +97,34 @@ class Metasploit3 < Msf::Auxiliary
 if page.headers['location']
 info[:location] = page.headers['location']
 end
-
+
 if page.headers['last-modified']
 info[:mtime] = page.headers['last-modified']
 end
-
+
 # Report the web page to the database
 report_web_page(info)
 # Only process interesting response codes
 return if not [302, 301, 200, 500, 401, 403, 404].include?(page.code)
- #
+ #
 # Skip certain types of forms right off the bat
 #
-
+
 # Apache multiview directories
 return if page.url.query =~ /^C=[A-Z];O=/ # Apache
-
+
 # Scrub out the jsessionid appends
 page.url.path = page.url.path.sub(/;jsessionid=[a-zA-Z0-9]+/, '')
-
+
 #
 # Continue processing forms
- #
+ #
 forms = []
 form_template = { :web_site => @current_site }
 form = {}.merge(form_template)
-
+
 # This page has a query parameter we can test with GET parameters
 # ex: /test.php?a=b&c=d
 if page.url.query and not page.url.query.empty?
@@ -144,7 +144,7 @@ class Metasploit3 < Msf::Auxiliary
 form[:params] = [['PATH', path_info]]
 form[:query] = page.url.query.to_s
 end
-
+
 # This is an application that uses PATH_INFO for parameters:
 # ex: /index.php/Main_Page/Article01
 if not form[:path] and page.url.path.to_s =~ /(.*\/[a-z09A-Z]{3,256}\.[a-z09A-Z]{2,8})(\/.*)/
@@ -155,19 +155,19 @@ class Metasploit3 < Msf::Auxiliary
 form[:params] = [['PATH', path_info]]
 form[:query] = page.url.query.to_s
 end
-
+
 # Done processing URI-based forms
 forms << form
 if page.doc
 page.doc.css("form").each do |f|
-
+
 target = page.url
-
+
 if f['action'] and not f['action'].strip.empty?
- action = f['action']
-
- # Prepend relative URLs with the current directory
+ action = f['action']
+
+ # Prepend relative URLs with the current directory
 if action[0,1] != "/" and action !~ /\:\/\//
 # Extract the base href first
 base = target.path.gsub(/(.*\/)[^\/]+$/, "\\1")
@@ -175,12 +175,12 @@ class Metasploit3 < Msf::Auxiliary
 if bref['href']
 base = bref['href']
 end
- end
+ end
 action = (base + "/").sub(/\/\/$/, '/') + action
 end
-
+
 target = page.to_absolute(URI( action )) rescue next
-
+
 if not page.in_domain?(target)
 # Replace 127.0.0.1 and non-qualified hostnames with our page.host
 # ex: http://localhost/url OR http://www01/url
@@ -193,7 +193,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
 end
-
+
 form = {}.merge!(form_template)
 form[:method] = (f['method'] || 'GET').upcase
 form[:query] = target.query.to_s if form[:method] != "GET"
@@ -202,13 +202,13 @@ class Metasploit3 < Msf::Auxiliary
 f.css('input', 'textarea').each do |inp|
 form[:params] << [inp['name'].to_s, inp['value'] || inp.content || '', { :type => inp['type'].to_s }]
 end
-
+
 # XXX: handle SELECT elements
-
+
 forms << form
 end
 end
-
+
 # Report each of the discovered forms
 forms.each do |form|
 next if not form[:method]
diff --git a/modules/auxiliary/scanner/vnc/vnc_login.rb b/modules/auxiliary/scanner/vnc/vnc_login.rb
index a5f85d7dd7..feb2b47959 100644
--- a/modules/auxiliary/scanner/vnc/vnc_login.rb
+++ b/modules/auxiliary/scanner/vnc/vnc_login.rb
@@ -1,9 +1,9 @@
 ##
-# $Id: $
+# $Id$
 ##
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -22,11 +22,11 @@ class Metasploit3 < Msf::Auxiliary
 def initialize
 super(
 'Name' => 'VNC Authentication Scanner',
- 'Version' => '$Revision: $',
+ 'Version' => '$Revision$',
 'Description' => %q{
 This module will test a VNC server on a range of machines and
- report successful logins. Currently it supports RFB protocol
- version 3.3, 3.7, and 3.8 using the VNC challenge response
+ report successful logins. Currently it supports RFB protocol
+ version 3.3, 3.7, and 3.8 using the VNC challenge response
 authentication method.
 },
 'Author' =>
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
 OptString.new('PASSWORD', [ false, 'The password to test' ]),
 OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
 File.join(Msf::Config.data_directory, "wordlists", "vnc_passwords.txt") ]),
- ], self.class)
+ ], self.class)
 end
 def run_host(ip)
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Auxiliary
 begin
 each_user_pass { |user, pass|
- do_login(user, pass)
+ do_login(user, pass)
 }
 rescue ::Rex::ConnectionError
 nil
diff --git a/modules/exploits/netware/sunrpc/pkernel_callit.rb b/modules/exploits/netware/sunrpc/pkernel_callit.rb
old mode 100755
new mode 100644
diff --git a/modules/exploits/test/aggressive.rb b/modules/exploits/test/aggressive.rb
index f2b8431919..f53cb3e957 100644
--- a/modules/exploits/test/aggressive.rb
+++ b/modules/exploits/test/aggressive.rb
@@ -12,6 +12,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
 include Msf::Exploit::Remote::Tcp
diff --git a/modules/exploits/test/cmdweb.rb b/modules/exploits/test/cmdweb.rb
index fbef1695b7..872c5d77f8 100644
--- a/modules/exploits/test/cmdweb.rb
+++ b/modules/exploits/test/cmdweb.rb
@@ -12,6 +12,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking # =( need more targets and perhaps more OS specific return values OS specific would be preferred
 include Msf::Exploit::Remote::HttpClient
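Review bot: The comment appended to the new `Rank = ManualRanking` line in cmdweb.rb is a run-on that mixes an emoticon with two unfinished thoughts, so the reason the module is manually ranked is hard to recover from it. Keep the constant on its own line and put the rationale above it as a tagged note, e.g. `# TODO: needs more targets and OS-specific return values before it can be ranked higher` followed by `Rank = ManualRanking`. The same one-line addition in aggressive.rb, dialup.rb, egghunter.rb, exploitme.rb and kernel.rb carries no comment, so only cmdweb.rb needs the cleanup.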
diff --git a/modules/exploits/test/dialup.rb b/modules/exploits/test/dialup.rb
index a2cf862578..bb3be6a8c7 100644
--- a/modules/exploits/test/dialup.rb
+++ b/modules/exploits/test/dialup.rb
@@ -12,6 +12,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
 include Msf::Exploit::Remote::Dialup
diff --git a/modules/exploits/test/egghunter.rb b/modules/exploits/test/egghunter.rb
index 0502b318eb..d79217b694 100644
--- a/modules/exploits/test/egghunter.rb
+++ b/modules/exploits/test/egghunter.rb
@@ -12,6 +12,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::Egghunter
diff --git a/modules/exploits/test/exploitme.rb b/modules/exploits/test/exploitme.rb
index 47d85bffcd..52038857d8 100644
--- a/modules/exploits/test/exploitme.rb
+++ b/modules/exploits/test/exploitme.rb
@@ -12,6 +12,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
 include Msf::Exploit::Remote::Tcp
diff --git a/modules/exploits/test/java_tester.rb b/modules/exploits/test/java_tester.rb
index 4698a3b33e..6f06f5d1a9 100644
--- a/modules/exploits/test/java_tester.rb
+++ b/modules/exploits/test/java_tester.rb
@@ -13,7 +13,7 @@ require 'msf/core'
 require 'rex'
 class Metasploit3 < Msf::Exploit::Remote
- Rank = ExcellentRanking
+ Rank = ManualRanking
 include Msf::Exploit::Java
diff --git a/modules/exploits/test/kernel.rb b/modules/exploits/test/kernel.rb
index e27ef76533..edb0aa43dd 100644
--- a/modules/exploits/test/kernel.rb
+++ b/modules/exploits/test/kernel.rb
@@ -15,6 +15,7 @@ require 'msf/core'
 # This is a test exploit for testing kernel-mode payloads.
 #
 class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
 include Msf::Exploit::Remote::Udp
 include Msf::Exploit::KernelMode
diff --git a/modules/exploits/windows/fileformat/bacnet_csv.rb b/modules/exploits/windows/fileformat/bacnet_csv.rb
index 278934fcb8..3fa8661323 100644
--- a/modules/exploits/windows/fileformat/bacnet_csv.rb
+++ b/modules/exploits/windows/fileformat/bacnet_csv.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'BACnet OPC Client Buffer Overflow',
 'Description' => %q{
- This module exploits a stack overflow in SCADA
+ This module exploits a stack buffer overflow in SCADA
 Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client parses a specially crafted csv file, arbitrary code may be executed.
diff --git a/modules/exploits/windows/ftp/32bitftp_list_reply.rb b/modules/exploits/windows/ftp/32bitftp_list_reply.rb
index 333ec62009..04da260edf 100644
--- a/modules/exploits/windows/ftp/32bitftp_list_reply.rb
+++ b/modules/exploits/windows/ftp/32bitftp_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::FtpServer
diff --git a/modules/exploits/windows/ftp/aasync_list_reply.rb b/modules/exploits/windows/ftp/aasync_list_reply.rb
index a4f921f1fd..bd2ecf31c4 100644
--- a/modules/exploits/windows/ftp/aasync_list_reply.rb
+++ b/modules/exploits/windows/ftp/aasync_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::FtpServer
diff --git a/modules/exploits/windows/ftp/filewrangler_list_reply.rb b/modules/exploits/windows/ftp/filewrangler_list_reply.rb
index e6de334ee6..da8c939fd0 100644
--- a/modules/exploits/windows/ftp/filewrangler_list_reply.rb
+++ b/modules/exploits/windows/ftp/filewrangler_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::FtpServer
 include Msf::Exploit::Remote::Egghunter
diff --git a/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb b/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb
index 8c199272e1..f533b2753c 100644
--- a/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb
+++ b/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::FtpServer
 include Msf::Exploit::Remote::Egghunter
diff --git a/modules/exploits/windows/ftp/ftppad_list_reply.rb b/modules/exploits/windows/ftp/ftppad_list_reply.rb
index 56a08be8d7..d3b36a35cb 100644
--- a/modules/exploits/windows/ftp/ftppad_list_reply.rb
+++ b/modules/exploits/windows/ftp/ftppad_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Exploit::Remote::FtpServer
diff --git a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb
index 814dfc83e4..b4db5063c3 100644
--- a/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb
+++ b/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Exploit::Remote::FtpServer
 include Exploit::Remote::Egghunter
diff --git a/modules/exploits/windows/ftp/ftpsynch_list_reply.rb b/modules/exploits/windows/ftp/ftpsynch_list_reply.rb
index c81ba6dd1f..15215c1eee 100644
--- a/modules/exploits/windows/ftp/ftpsynch_list_reply.rb
+++ b/modules/exploits/windows/ftp/ftpsynch_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Exploit::Remote::FtpServer
diff --git a/modules/exploits/windows/ftp/gekkomgr_list_reply.rb b/modules/exploits/windows/ftp/gekkomgr_list_reply.rb
index 953aed4f2d..339c4556ce 100644
--- a/modules/exploits/windows/ftp/gekkomgr_list_reply.rb
+++ b/modules/exploits/windows/ftp/gekkomgr_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::FtpServer
 include Exploit::Remote::Egghunter
diff --git a/modules/exploits/windows/ftp/leapftp_list_reply.rb b/modules/exploits/windows/ftp/leapftp_list_reply.rb
index e09a5250d1..00d947fa8e 100644
--- a/modules/exploits/windows/ftp/leapftp_list_reply.rb
+++ b/modules/exploits/windows/ftp/leapftp_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::FtpServer
 include Msf::Exploit::Remote::Egghunter
diff --git a/modules/exploits/windows/ftp/odin_list_reply.rb b/modules/exploits/windows/ftp/odin_list_reply.rb
index f80efbb692..db6cf6db77 100644
--- a/modules/exploits/windows/ftp/odin_list_reply.rb
+++ b/modules/exploits/windows/ftp/odin_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::FtpServer
 include Msf::Exploit::Remote::Egghunter
diff --git a/modules/exploits/windows/ftp/seagull_list_reply.rb b/modules/exploits/windows/ftp/seagull_list_reply.rb
index ba82986f66..9ce5044f9e 100644
--- a/modules/exploits/windows/ftp/seagull_list_reply.rb
+++ b/modules/exploits/windows/ftp/seagull_list_reply.rb
@@ -10,7 +10,7 @@
 ##
 class Metasploit3 < Msf::Exploit::Remote
- Ranking = GoodRanking
+ Rank = GoodRanking
 include Msf::Exploit::Remote::FtpServer
 include Msf::Exploit::Omelet
diff --git a/modules/exploits/windows/http/amlibweb_webquerydll_app.rb b/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
index ac129accf5..e445554107 100644
--- a/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
+++ b/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
@@ -20,9 +20,9 @@ class Metasploit3 < Msf::Exploit::Remote
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Amlibweb NetOpacs webquery.dll Stack Overflow',
+ 'Name' => 'Amlibweb NetOpacs webquery.dll Stack Buffer Overflow',
 'Description' => %q{
- This module exploits a stack overflow in Amlib's Amlibweb
+ This module exploits a stack buffer overflow in Amlib's Amlibweb
 Library Management System (NetOpacs). The webquery.dll API is available through IIS requests. By specifying an overly long string to the 'app' parameter, SeH can be
diff --git a/modules/exploits/windows/ldap/pgp_keyserver7.rb b/modules/exploits/windows/ldap/pgp_keyserver7.rb
index 2e6b846518..659ed025d5 100644
--- a/modules/exploits/windows/ldap/pgp_keyserver7.rb
+++ b/modules/exploits/windows/ldap/pgp_keyserver7.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Network Associates PGP KeyServer 7 LDAP Buffer Overflow',
 'Description' => %q{
- This module exploits a stack overflow in the LDAP service that is
+ This module exploits a stack buffer overflow in the LDAP service that is
 part of the NAI PGP Enterprise product suite. This module was tested against PGP KeyServer v7.0. Due to space restrictions, egghunter is used to find our payload - therefore you may wish to adjust WfsDelay.
diff --git a/modules/exploits/windows/scada/citect_scada_odbc.rb b/modules/exploits/windows/scada/citect_scada_odbc.rb
index b38924e947..08656dfcc2 100644
--- a/modules/exploits/windows/scada/citect_scada_odbc.rb
+++ b/modules/exploits/windows/scada/citect_scada_odbc.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'CitectSCADA/CitectFacilities ODBC Buffer Overflow',
 'Description' => %q{
- This module exploits a stack overflow in CitectSCADA's ODBC daemon.
+ This module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.
 This has only been tested against Citect v5, v6 and v7.
 },
 'Author' =>
diff --git a/modules/exploits/windows/scada/moxa_mdmtool.rb b/modules/exploits/windows/scada/moxa_mdmtool.rb
index dea7071912..b9cdfbcc14 100644
--- a/modules/exploits/windows/scada/moxa_mdmtool.rb
+++ b/modules/exploits/windows/scada/moxa_mdmtool.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
 'Description' => %q{
- This module exploits a stack overflow in MOXA MDM Tool 2.1.
+ This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
 When sending a specially crafted MDMGw (MDM2_Gateway) response, an attacker may be able to execute arbitrary code.
 },
diff --git a/modules/payloads/singles/bsd/x86/exec.rb b/modules/payloads/singles/bsd/x86/exec.rb
index c36fc80763..b579b555f1 100644
--- a/modules/payloads/singles/bsd/x86/exec.rb
+++ b/modules/payloads/singles/bsd/x86/exec.rb
@@ -52,7 +52,7 @@ module Metasploit3
 ;;
 ;
 ; Name: single_exec
-; Platforms: *BSD
+; Platforms: *BSD
 ; Authors: vlad902
 ; Version: $Revision$
 ; License:
@@ -68,31 +68,31 @@ module Metasploit3
 ;;
 ; NULLs are fair game.
- push 0x3b
- pop eax
- cdq
+ push 0x3b
+ pop eax
+ cdq
- push edx
- push 0x632d
- mov edi, esp
+ push edx
+ push 0x632d
+ mov edi, esp
- push edx
- push 0x68732f6e
- push 0x69622f2f
- mov ebx, esp
+ push edx
+ push 0x68732f6e
+ push 0x69622f2f
+ mov ebx, esp
- push edx
- call getstr
+ push edx
+ call getstr
 db "CMD", 0x00
 getstr:
- push edi
- push ebx
- mov ecx, esp
- push edx
- push ecx
- push ebx
- push eax
- int 0x80
+ push edi
+ push ebx
+ mov ecx, esp
+ push edx
+ push ecx
+ push ebx
+ push eax
+ int 0x80
 EOS
 asm.gsub!(/CMD/, cmd.gsub('"', "\\\""))
 payload = Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string