Merge remote-tracking branch 'upstream/master' into enum_ad_users

2014-01-22 21:48:34 +00:00 · 2014-01-22 21:48:34 +00:00 · c109a32165
parent f571d63088 636c43dcdc
commit c109a32165
12 changed files with 100 additions and 66 deletions
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@ -187,14 +187,14 @@ module Exploit::Remote::HttpClient
      'uri_fake_end'           => datastore['HTTP::uri_fake_end'],
      'uri_fake_params_start'  => datastore['HTTP::uri_fake_params_start'],
      'header_folding'         => datastore['HTTP::header_folding'],
-      'usentlm2_session' => datastore['NTLM::UseNTLM2_session'],
-      'use_ntlmv2'       => datastore['NTLM::UseNTLMv2'],
-      'send_lm'         => datastore['NTLM::SendLM'],
-      'send_ntlm'       => datastore['NTLM::SendNTLM'],
-      'SendSPN'  => datastore['NTLM::SendSPN'],
-      'UseLMKey' => datastore['NTLM::UseLMKey'],
-      'domain' => datastore['DOMAIN'],
-      'DigestAuthIIS' => datastore['DigestAuthIIS']
+      'usentlm2_session'       => datastore['NTLM::UseNTLM2_session'],
+      'use_ntlmv2'             => datastore['NTLM::UseNTLMv2'],
+      'send_lm'                => datastore['NTLM::SendLM'],
+      'send_ntlm'              => datastore['NTLM::SendNTLM'],
+      'SendSPN'                => datastore['NTLM::SendSPN'],
+      'UseLMKey'               => datastore['NTLM::UseLMKey'],
+      'domain'                 => datastore['DOMAIN'],
+      'DigestAuthIIS'          => datastore['DigestAuthIIS']
    )

    # If this connection is global, persist it
--- a/lib/msf/core/exploit/http/server.rb
+++ b/lib/msf/core/exploit/http/server.rb
@ -181,7 +181,8 @@ module Exploit::Remote::HttpServer
        'MsfExploit' => self,
      },
      opts['Comm'],
-      datastore['SSLCert']
+      datastore['SSLCert'],
+      datastore['SSLCompression']
    )

    self.service.server_name = datastore['HTTP::server_name']
@ -200,6 +201,13 @@ module Exploit::Remote::HttpServer

    proto = (datastore["SSL"] ? "https" : "http")

+    # SSLCompression may or may not actually be available. For example, on
+    # Ubuntu, it's disabled by default, unless the correct environment
+    # variable is set. See https://github.com/rapid7/metasploit-framework/pull/2666
+    if proto == "https" and datastore['SSLCompression']
+      print_status("Intentionally using insecure SSL compression. Your operating system might not respect this!")
+    end
+
    print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")

    if (opts['ServerHost'] == '0.0.0.0')
--- a/lib/msf/core/exploit/tcp.rb
+++ b/lib/msf/core/exploit/tcp.rb
@ -98,15 +98,15 @@ module Exploit::Remote::Tcp
    end

    nsock = Rex::Socket::Tcp.create(
-      'PeerHost'  =>  opts['RHOST'] || rhost,
-      'PeerPort'  => (opts['RPORT'] || rport).to_i,
-      'LocalHost' =>  opts['CHOST'] || chost || "0.0.0.0",
-      'LocalPort' => (opts['CPORT'] || cport || 0).to_i,
-      'SSL'       =>  dossl,
-      'SSLVersion'=>  opts['SSLVersion'] || ssl_version,
-      'Proxies'   => proxies,
-      'Timeout'   => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
-      'Context'   =>
+      'PeerHost'   =>  opts['RHOST'] || rhost,
+      'PeerPort'   => (opts['RPORT'] || rport).to_i,
+      'LocalHost'  =>  opts['CHOST'] || chost || "0.0.0.0",
+      'LocalPort'  => (opts['CPORT'] || cport || 0).to_i,
+      'SSL'        =>  dossl,
+      'SSLVersion' =>  opts['SSLVersion'] || ssl_version,
+      'Proxies'    => proxies,
+      'Timeout'    => (opts['ConnectTimeout'] || connect_timeout || 10).to_i,
+      'Context'    =>
        {
          'Msf'        => framework,
          'MsfExploit' => self,
@ -300,6 +300,7 @@ module Exploit::Remote::TcpServer
    register_advanced_options(
      [
        OptString.new('ListenerComm', [ false, 'The specific communication channel to use for this service']),
+        OptBool.new('SSLCompression', [ false, 'Enable SSL/TLS-level compression', false ])
      ], Msf::Exploit::Remote::TcpServer)

    register_evasion_options(
@ -379,6 +380,7 @@ module Exploit::Remote::TcpServer
        'LocalPort' => srvport,
        'SSL'       => ssl,
        'SSLCert'   => ssl_cert,
+        'SSLCompression' => opts['SSLCompression'] || ssl_compression,
        'Comm'      => comm,
        'Context'   =>
          {
@ -464,6 +466,11 @@ module Exploit::Remote::TcpServer
    datastore['SSLCert']
  end

+  # @return [Bool] enable SSL/TLS-level compression
+  def ssl_compression
+    datastore['SSLCompression']
+  end
+
  #
  # Re-generates the payload, substituting the current RHOST and RPORT with
  # the supplied client host and port from the socket.
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb
@ -147,7 +147,7 @@ class Console::CommandDispatcher::Extapi::Adsi

    @@adsi_domain_query_opts.parse(args) { |opt, idx, val|
      case opt
-      when "-s"
+      when "-p"
        page_size = val.to_i
      when "-m"
        max_results = val.to_i
--- a/lib/rex/proto/http/client.rb
+++ b/lib/rex/proto/http/client.rb
@ -180,15 +180,15 @@ class Client
    timeout = (t.nil? or t == -1) ? 0 : t

    self.conn = Rex::Socket::Tcp.create(
-      'PeerHost'  => self.hostname,
-      'PeerPort'  => self.port.to_i,
-      'LocalHost' => self.local_host,
-      'LocalPort' => self.local_port,
-      'Context'   => self.context,
-      'SSL'       => self.ssl,
-      'SSLVersion'=> self.ssl_version,
-      'Proxies'   => self.proxies,
-      'Timeout'   => timeout
+      'PeerHost'   => self.hostname,
+      'PeerPort'   => self.port.to_i,
+      'LocalHost'  => self.local_host,
+      'LocalPort'  => self.local_port,
+      'Context'    => self.context,
+      'SSL'        => self.ssl,
+      'SSLVersion' => self.ssl_version,
+      'Proxies'    => self.proxies,
+      'Timeout'    => timeout
    )
  end

@ -703,7 +703,6 @@ class Client
  # Auth
  attr_accessor :username, :password

-
  # When parsing the request, thunk off the first response from the server, since junk
  attr_accessor :junk_pipeline

--- a/lib/rex/proto/http/server.rb
+++ b/lib/rex/proto/http/server.rb
@ -100,17 +100,17 @@ class Server
  # Initializes an HTTP server as listening on the provided port and
  # hostname.
  #
-  def initialize(port = 80, listen_host = '0.0.0.0', ssl = false, context = {}, comm = nil, ssl_cert = nil)
-    self.listen_host = listen_host
-    self.listen_port = port
-    self.ssl         = ssl
-    self.context     = context
-    self.comm        = comm
-    self.ssl_cert    = ssl_cert
-
-    self.listener    = nil
-    self.resources   = {}
-    self.server_name = DefaultServer
+  def initialize(port = 80, listen_host = '0.0.0.0', ssl = false, context = {}, comm = nil, ssl_cert = nil, ssl_compression = false)
+    self.listen_host     = listen_host
+    self.listen_port     = port
+    self.ssl             = ssl
+    self.context         = context
+    self.comm            = comm
+    self.ssl_cert        = ssl_cert
+    self.ssl_compression = ssl_compression
+    self.listener        = nil
+    self.resources       = {}
+    self.server_name     = DefaultServer
  end

  # More readable inspect that only shows the url and resources
@ -146,6 +146,7 @@ class Server
      'Context'   => self.context,
      'SSL'		=> self.ssl,
      'SSLCert'	=> self.ssl_cert,
+      'SSLCompression' => self.ssl_compression,
      'Comm'      => self.comm
    )

@ -268,7 +269,8 @@ class Server
    cli.send_response(resp)
  end

-  attr_accessor :listen_port, :listen_host, :server_name, :context, :ssl, :comm, :ssl_cert
+  attr_accessor :listen_port, :listen_host, :server_name, :context, :comm
+  attr_accessor :ssl, :ssl_cert, :ssl_compression
  attr_accessor :listener, :resources

 protected
--- a/lib/rex/socket/parameters.rb
+++ b/lib/rex/socket/parameters.rb
@ -61,6 +61,7 @@ class Rex::Socket::Parameters
  # @option hash [String] 'SSLCert' A file containing an SSL certificate (for
  #   server sockets)
  # @option hash [String] 'SSLCipher' see {#ssl_cipher}
+  # @option hash [Bool] 'SSLCompression' enable SSL-level compression where available
  # @option hash [String] 'SSLVerifyMode' SSL certificate verification
  #   mechanism. One of 'NONE' (default), 'CLIENT_ONCE', 'FAIL_IF_NO_PEER_CERT ', 'PEER'
  # @option hash [String] 'Proxies' List of proxies to use.
@ -126,6 +127,10 @@ class Rex::Socket::Parameters
      self.ssl_verify_mode = hash['SSLVerifyMode']
    end

+    if hash['SSLCompression']
+      self.ssl_compression = hash['SSLCompression']
+    end
+
    if (hash['SSLCipher'])
      self.ssl_cipher = hash['SSLCipher']
    end
@ -334,6 +339,10 @@ class Rex::Socket::Parameters
  # @return [String]
  attr_accessor :ssl_cert

+  # Enables SSL/TLS-level compression
+  # @return [Bool]
+  attr_accessor :ssl_compression
+
  #
  # The SSL context verification mechanism
  #
--- a/lib/rex/socket/ssl_tcp.rb
+++ b/lib/rex/socket/ssl_tcp.rb
@ -110,7 +110,6 @@ begin
      else
        begin
          self.sslsock.connect_nonblock
-
        # Ruby 1.8.7 and 1.9.0/1.9.1 uses a standard Errno
        rescue ::Errno::EAGAIN, ::Errno::EWOULDBLOCK
            IO::select(nil, nil, nil, 0.10)
--- a/lib/rex/socket/ssl_tcp_server.rb
+++ b/lib/rex/socket/ssl_tcp_server.rb
@ -48,7 +48,7 @@ module Rex::Socket::SslTcpServer

  def initsock(params = nil)
    raise RuntimeError, "No OpenSSL support" if not @@loaded_openssl
-    self.sslctx  = makessl(params.ssl_cert)
+    self.sslctx  = makessl(params)
    super
  end

@ -104,9 +104,10 @@ module Rex::Socket::SslTcpServer
  # Create a new ssl context.  If +ssl_cert+ is not given, generates a new
  # key and a leaf certificate with random values.
  #
+  # @param [Rex::Socket::Parameters] params
  # @return [::OpenSSL::SSL::SSLContext]
-  def makessl(ssl_cert=nil)
-
+  def makessl(params)
+    ssl_cert = params.ssl_cert
    if ssl_cert
      cert = OpenSSL::X509::Certificate.new(ssl_cert)
      key = OpenSSL::PKey::RSA.new(ssl_cert)
@ -151,6 +152,14 @@ module Rex::Socket::SslTcpServer
    ctx = OpenSSL::SSL::SSLContext.new()
    ctx.key = key
    ctx.cert = cert
+    ctx.options = 0
+
+    # enable/disable the SSL/TLS-level compression
+    if params.ssl_compression
+      ctx.options &= ~OpenSSL::SSL::OP_NO_COMPRESSION
+    else
+      ctx.options |= OpenSSL::SSL::OP_NO_COMPRESSION
+    end

    ctx.session_id_context = Rex::Text.rand_text(16)

--- a/modules/auxiliary/scanner/printer/printer_download_file.rb
+++ b/modules/auxiliary/scanner/printer/printer_download_file.rb
@ -17,7 +17,7 @@ class Metasploit4 < Msf::Auxiliary
      "Name" => "Printer File Download Scanner",
      "Description" => %q{
        This module downloads a file from a set of printers using the
-        Printer Job Lanaguage (PJL) protocol.
+        Printer Job Language (PJL) protocol.
      },
      "Author" => [
        "wvu", # This implementation
--- a/spec/lib/rex/proto/http/client_spec.rb
+++ b/spec/lib/rex/proto/http/client_spec.rb
@ -222,6 +222,7 @@ describe Rex::Proto::Http::Client do
  end

  # Not super sure why these are protected...
+  # Me either...
  it "should refuse access to its protected accessors" do
    expect {cli.ssl}.to raise_error NoMethodError
    expect {cli.ssl_version}.to raise_error NoMethodError
--- a/spec/lib/rex/proto/pjl/client_spec.rb
+++ b/spec/lib/rex/proto/pjl/client_spec.rb
@ -21,25 +21,25 @@ describe Rex::Proto::PJL::Client do
      Rex::Proto::PJL::Client.new(sock)
    end

-    context ".initialize" do
+    context "#initialize" do
      it "should initialize a 'sock' ivar" do
        cli.instance_variable_get(:@sock).class.should eq(RSpec::Mocks::Mock)
      end
    end

-    context ".begin_job" do
-      it "should send a PJL start request without any errors" do
-        cli.begin_job
+    context "#begin_job" do
+      it "should send a PJL start request without an error" do
+        expect { cli.begin_job }.to_not raise_error
      end
    end

-    context ".end_job" do
-      it "should send a PJL end request" do
-        cli.end_job
+    context "#end_job" do
+      it "should send a PJL end request without an error" do
+        expect { cli.end_job }.to_not raise_error
      end
    end

-    context ".info" do
+    context "#info" do
      it "should raise an exception for not having a category" do
        expect { cli.info(nil) }.to raise_error(ArgumentError)
      end
@ -49,7 +49,7 @@ describe Rex::Proto::PJL::Client do
      end
    end

-    context ".info_id" do
+    context "#info_id" do
      it "should return the version information" do
        fake_version = '"1337"'
        cli.stub(:info).with(an_instance_of(Symbol)).and_return(fake_version)
@ -57,7 +57,7 @@ describe Rex::Proto::PJL::Client do
      end
    end

-    context ".info_variables" do
+    context "#info_variables" do
      it "should return the environment variables" do
        fake_env_vars = "#{Rex::Proto::PJL::Info::VARIABLES}\r\nPASSWORD=DISABLED\f"
        cli.stub(:info).with(an_instance_of(Symbol)).and_return(fake_env_vars)
@ -65,7 +65,7 @@ describe Rex::Proto::PJL::Client do
      end
    end

-    context ".info_filesys" do
+    context "#info_filesys" do
      it "should return the volumes" do
        fake_volumes = "[1 TABLE]\r\nDIR\f"
        cli.stub(:info).with(an_instance_of(Symbol)).and_return(fake_volumes)
@ -73,7 +73,7 @@ describe Rex::Proto::PJL::Client do
      end
    end

-    context ".get_rdymsg" do
+    context "#get_rdymsg" do
      it "should return a READY message" do
        fake_ready_message = 'DISPLAY="RES"'
        cli.stub(:info).with(an_instance_of(Symbol)).and_return(fake_ready_message)
@ -81,23 +81,23 @@ describe Rex::Proto::PJL::Client do
      end
    end

-    context ".set_rdymsg" do
-      it "should send a READY message" do
-        cli.set_rdymsg("")
+    context "#set_rdymsg" do
+      it "should send a READY message without an error" do
+        expect { cli.set_rdymsg("") }.to_not raise_error
      end
    end

-    context ".fsinit" do
+    context "#fsinit" do
      it "should raise an exception due to an invalid volume" do
        expect { cli.fsinit("BAD") }.to raise_error(ArgumentError)
      end

-      it "should send a FS INIT message" do
-        cli.fsinit("1:")
+      it "should send a FS INIT message without an error" do
+        expect { cli.fsinit("1:") }.to_not raise_error
      end
    end

-    context ".fsdirlist" do
+    context "#fsdirlist" do
      it "should reaise an exception due to an invaid path name" do
        expect { cli.fsdirlist("BAD") }.to raise_error(ArgumentError)
      end
@ -112,7 +112,7 @@ describe Rex::Proto::PJL::Client do
      end
    end

-    context ".fsupload" do
+    context "#fsupload" do
      it "should raise an exception due to an invalid path name" do
        expect { cli.fsupload("BAD") }.to raise_error(ArgumentError)
      end