infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

style compliance fixes 

git-svn-id: file:///home/svn/framework3/trunk@9460 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-06-09 18:41:58 +00:00
parent 816a149e2d
commit d8609b85e3
7 changed files with 144 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
modules/auxiliary/scanner/ftp/ftp_login.rb
View File

@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
else
return
end
ftp_quit
ftp_quit
end
def ftp_quit
@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
send_quit if @ftp_sock
rescue ::Rex::ConnectionError, EOFError, ::Errno::ECONNRESET
end
disconnect if @ftp_sock
disconnect if @ftp_sock
@ftp_sock = nil
end
@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary
def do_login(user=nil,pass=nil)
vprint_status("#{rhost}:#{rport} - Attempting FTP login for '#{user}':'#{pass}'")
this_attempt ||= {}
this_attempt[[user,pass]] ||= 0
this_attempt[[user,pass]] ||= 0
while this_attempt[[user,pass]] <= 3
@ftp_sock = connect(true,false) unless @ftp_sock
begin
@ -122,7 +122,7 @@ class Metasploit3 < Msf::Auxiliary
vprint_status("#{rhost}:#{rport} - Failed FTP login for '#{user}':'#{pass}'")
return :fail
end
rescue ::Rex::ConnectionError, EOFError, ::Errno::ECONNRESET => e
rescue ::Rex::ConnectionError, EOFError, ::Errno::ECONNRESET => e
this_attempt[[user,pass]] += 1
vprint_status "#{rhost}:#{rport} - Caught #{e.class}, reconnecting and retrying"
disconnect

72
modules/encoders/x86/context_cpuid.rb
View File

@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -32,18 +36,18 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
})
register_options(
[
OptString.new('CPUID_KEY',
[ true,
"CPUID key from target host (see tools/context/cpuid-key utility)",
[
OptString.new('CPUID_KEY',
[ true,
"CPUID key from target host (see tools/context/cpuid-key utility)",
"0x00000000"]),
], self.class)
], self.class)
end
def obtain_key(buf, badchars, state)
def obtain_key(buf, badchars, state)
state.key = datastore['CPUID_KEY'].hex
return state.key
end
end
#
# Generates the shikata decoder stub.
@ -63,7 +67,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
# Cache this decoder stub. The reason we cache the decoder stub is
# because we need to ensure that the same stub is returned every time
# for a given encoder state.
# for a given encoder state.
state.decoder_stub = block
end
@ -73,44 +77,45 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
protected
def keygen_stub
payload =
"\x31\xf6" + # xor %esi,%esi
"\x31\xff" + # xor %edi,%edi
"\x89\xf8" + # cpuid_loop: mov %edi,%eax
"\x31\xc9" + # xor %ecx,%ecx
"\x0f\xa2" + # cpuid
"\x31\xc6" + # xor %eax,%esi
"\x39\xf0" + # cmp %esi,%eax
"\x75\x03" + # jne not_first_time
"\x8d\x78\x01" + # lea 0x1(%eax,1),%edi
"\x31\xde" + # not_first_time: xor %ebx,%esi
"\x31\xce" + # xor %ecx,%esi
"\x31\xd6" + # xor %edx,%esi
"\x83\xef\x01" + # sub $0x1,%edi
"\x75\xe6" + # jne cpuid_loop
"\x31\xf6" + # xor %esi,%esi
"\x31\xff" + # xor %edi,%edi
"\x89\xf8" + # cpuid_loop: mov %edi,%eax
"\x31\xc9" + # xor %ecx,%ecx
"\x0f\xa2" + # cpuid
"\x31\xc6" + # xor %eax,%esi
"\x39\xf0" + # cmp %esi,%eax
"\x75\x03" + # jne not_first_time
"\x8d\x78\x01" + # lea 0x1(%eax,1),%edi
"\x31\xde" + # not_first_time: xor %ebx,%esi
"\x31\xce" + # xor %ecx,%esi
"\x31\xd6" + # xor %edx,%esi
"\x83\xef\x01" + # sub $0x1,%edi
"\x75\xe6" + # jne cpuid_loop
"\x89\xf0" # mov %esi,%eax
end
#
# Returns the set of FPU instructions that can be used for the FPU block of
# the decoder stub.
#
def fpu_instructions
fpus = []
0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr }
0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr }
0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr }
0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr }
0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr }
fpus << "\xd9\xd0"
fpus << "\xd9\xe1"
fpus << "\xd9\xf6"
fpus << "\xd9\xf7"
fpus << "\xd9\xe5"
# This FPU instruction seems to fail consistently on Linux
#fpus << "\xdb\xe1"
fpus
end
@ -130,9 +135,8 @@ protected
# FPU blocks
fpu = Rex::Poly::LogicalBlock.new('fpu',
*fpu_instructions)
fnstenv = Rex::Poly::LogicalBlock.new('fnstenv',
"\xd9\x74\x24\xf4")
fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', "\xd9\x74\x24\xf4")
# Get EIP off the stack
popeip = Rex::Poly::LogicalBlock.new('popeip',
Proc.new { |b| (0x58 + b.regnum_of(addr_reg)).chr })
@ -159,7 +163,7 @@ protected
end
# Key initialization block
# Decoder loop block
loop_block = Rex::Poly::LogicalBlock.new('loop_block')
@ -179,9 +183,9 @@ protected
Proc.new { |b| xor1.call(b) + add1.call(b) + add4.call(b) },
Proc.new { |b| xor1.call(b) + add4.call(b) + add2.call(b) },
Proc.new { |b| add4.call(b) + xor2.call(b) + add2.call(b) })
# Loop instruction block
loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
"\xe2\xf5")
# Define block dependencies
@ -193,7 +197,7 @@ protected
# Generate a permutation saving the EAX, ECX and ESP registers
loop_inst.generate([
Rex::Arch::X86::EAX,
Rex::Arch::X86::EAX,
Rex::Arch::X86::ESP,
Rex::Arch::X86::ECX ], nil, state.badchars)
end

79
modules/encoders/x86/context_stat.rb
View File

@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -33,19 +37,19 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
})
register_options(
[
OptString.new('STAT_KEY',
[ true,
"STAT key from target host (see tools/context/stat-key utility)",
"0x00000000"]),
OptString.new('STAT_FILE', [ true, "name of file to stat(2)", "/bin/ls"]),
], self.class)
[
OptString.new('STAT_KEY',
[ true,
"STAT key from target host (see tools/context/stat-key utility)",
"0x00000000"]),
OptString.new('STAT_FILE', [ true, "name of file to stat(2)", "/bin/ls"]),
], self.class)
end
def obtain_key(buf, badchars, state)
def obtain_key(buf, badchars, state)
state.key = datastore['STAT_KEY'].hex
return state.key
end
end
#
# Generates the shikata decoder stub.
@ -65,7 +69,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
# Cache this decoder stub. The reason we cache the decoder stub is
# because we need to ensure that the same stub is returned every time
# for a given encoder state.
# for a given encoder state.
state.decoder_stub = block
end
@ -78,44 +82,45 @@ protected
flen = fname.length
payload =
"\xd9\xee" + # fldz
"\xd9\x74\x24\xf4" + # fnstenv -0xc(%esp)
"\x5b" + # pop %ebx
Rex::Arch::X86.jmp_short(flen) + # jmp over
fname + # the filename
"\x83\xc3\x09" + # over: add $9, %ebx
"\x8d\x53" + # lea filelen(%ebx), %edx
Rex::Arch::X86.pack_lsb(flen) + #
"\x31\xc0" + # xor %eax,%eax
"\x88\x02" + # mov %al,(%edx)
"\x8d\x4c\x24\xa8" + # lea -0x58(%esp),%ecx
"\xb0\xc3" + # mov $0xc3, %al
"\xcd\x80" + # int $0x80
"\x8b\x41\x2c" + # mov 0x2c(%ecx),%eax
"\x33\x41\x48" # xor 0x48(%ecx),%eax
"\xd9\xee" + # fldz
"\xd9\x74\x24\xf4" + # fnstenv -0xc(%esp)
"\x5b" + # pop %ebx
Rex::Arch::X86.jmp_short(flen) + # jmp over
fname + # the filename
"\x83\xc3\x09" + # over: add $9, %ebx
"\x8d\x53" + # lea filelen(%ebx), %edx
Rex::Arch::X86.pack_lsb(flen) + #
"\x31\xc0" + # xor %eax,%eax
"\x88\x02" + # mov %al,(%edx)
"\x8d\x4c\x24\xa8" + # lea -0x58(%esp),%ecx
"\xb0\xc3" + # mov $0xc3, %al
"\xcd\x80" + # int $0x80
"\x8b\x41\x2c" + # mov 0x2c(%ecx),%eax
"\x33\x41\x48" # xor 0x48(%ecx),%eax
end
#
# Returns the set of FPU instructions that can be used for the FPU block of
# the decoder stub.
#
def fpu_instructions
fpus = []
0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr }
0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr }
0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr }
0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr }
0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr }
fpus << "\xd9\xd0"
fpus << "\xd9\xe1"
fpus << "\xd9\xf6"
fpus << "\xd9\xf7"
fpus << "\xd9\xe5"
# This FPU instruction seems to fail consistently on Linux
#fpus << "\xdb\xe1"
fpus
end
@ -133,11 +138,9 @@ protected
endb = Rex::Poly::SymbolicBlock::End.new
# FPU blocks
fpu = Rex::Poly::LogicalBlock.new('fpu',
*fpu_instructions)
fnstenv = Rex::Poly::LogicalBlock.new('fnstenv',
"\xd9\x74\x24\xf4")
fpu = Rex::Poly::LogicalBlock.new('fpu', *fpu_instructions)
fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', "\xd9\x74\x24\xf4")
# Get EIP off the stack
popeip = Rex::Poly::LogicalBlock.new('popeip',
Proc.new { |b| (0x58 + b.regnum_of(addr_reg)).chr })
@ -164,7 +167,7 @@ protected
end
# Key initialization block
# Decoder loop block
loop_block = Rex::Poly::LogicalBlock.new('loop_block')
@ -184,9 +187,9 @@ protected
Proc.new { |b| xor1.call(b) + add1.call(b) + add4.call(b) },
Proc.new { |b| xor1.call(b) + add4.call(b) + add2.call(b) },
Proc.new { |b| add4.call(b) + xor2.call(b) + add2.call(b) })
# Loop instruction block
loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
"\xe2\xf5")
# Define block dependencies

59
modules/encoders/x86/context_time.rb
View File

@ -1,5 +1,9 @@
##
# This file is part of the Metasploit Framework and may be subject to
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -18,7 +22,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
def initialize
super(
'Name' => 'time(2)-based Context Keyed Payload Encoder',
'Version' => '$Revision: 1$',
'Version' => '$Revision$',
'Description' => %q{
This is a Context-Keyed Payload Encoder based on time(2)
and Shikata Ga Nai.
@ -33,18 +37,18 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
})
register_options(
[
OptString.new('TIME_KEY',
[ true,
"TIME key from target host (see tools/context/time-key utility)",
"0x00000000"])
], self.class)
[
OptString.new('TIME_KEY',
[ true,
"TIME key from target host (see tools/context/time-key utility)",
"0x00000000"])
], self.class)
end
def obtain_key(buf, badchars, state)
def obtain_key(buf, badchars, state)
state.key = datastore['TIME_KEY'].hex
return state.key
end
end
#
# Generates the shikata decoder stub.
@ -64,7 +68,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
# Cache this decoder stub. The reason we cache the decoder stub is
# because we need to ensure that the same stub is returned every time
# for a given encoder state.
# for a given encoder state.
state.decoder_stub = block
end
@ -74,33 +78,34 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
protected
def keygen_stub
payload =
"\x31\xdb" + # xor %ebx,%ebx
"\x8d\x43\x0d" + # lea 0xd(%ebx),%eax
"\xcd\x80" + # int $0x80
"\x66\x31\xc0" # xor %ax,%ax
"\x31\xdb" + # xor %ebx,%ebx
"\x8d\x43\x0d" + # lea 0xd(%ebx),%eax
"\xcd\x80" + # int $0x80
"\x66\x31\xc0" # xor %ax,%ax
end
#
# Returns the set of FPU instructions that can be used for the FPU block of
# the decoder stub.
#
def fpu_instructions
fpus = []
0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr }
0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr }
0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr }
0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr }
0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr }
fpus << "\xd9\xd0"
fpus << "\xd9\xe1"
fpus << "\xd9\xf6"
fpus << "\xd9\xf7"
fpus << "\xd9\xe5"
# This FPU instruction seems to fail consistently on Linux
#fpus << "\xdb\xe1"
fpus
end
@ -113,16 +118,14 @@ protected
key_reg = Rex::Poly::LogicalRegister::X86.new('key', 'eax')
count_reg = Rex::Poly::LogicalRegister::X86.new('count', 'ecx')
addr_reg = Rex::Poly::LogicalRegister::X86.new('addr')
# Declare individual blocks
endb = Rex::Poly::SymbolicBlock::End.new
# FPU blocks
fpu = Rex::Poly::LogicalBlock.new('fpu',
*fpu_instructions)
fnstenv = Rex::Poly::LogicalBlock.new('fnstenv',
"\xd9\x74\x24\xf4")
fpu = Rex::Poly::LogicalBlock.new('fpu', *fpu_instructions)
fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', "\xd9\x74\x24\xf4")
# Get EIP off the stack
popeip = Rex::Poly::LogicalBlock.new('popeip',
Proc.new { |b| (0x58 + b.regnum_of(addr_reg)).chr })
@ -149,7 +152,7 @@ protected
end
# Key initialization block
# Decoder loop block
loop_block = Rex::Poly::LogicalBlock.new('loop_block')
@ -169,9 +172,9 @@ protected
Proc.new { |b| xor1.call(b) + add1.call(b) + add4.call(b) },
Proc.new { |b| xor1.call(b) + add4.call(b) + add2.call(b) },
Proc.new { |b| add4.call(b) + xor2.call(b) + add2.call(b) })
# Loop instruction block
loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
loop_inst = Rex::Poly::LogicalBlock.new('loop_inst',
"\xe2\xf5")
# Define block dependencies

0
modules/exploits/osx/http/evocam_webserver.rb Executable file → Normal file
View File

13
plugins/editor.rb
View File

@ -1,7 +1,12 @@
#
# $Id$
# $Revision$
#
module Msf
###
#
#
# This plugin is a simple editor command, designed to make it easy to edit modules in the console.
#
###
@ -36,14 +41,14 @@ class Plugin::Editor < Msf::Plugin
#
def cmd_edit(*args)
print_line ("Launching editor...")
e = Rex::Compat.getenv("EDITOR") || "vi"
if (not active_module) or (not (path = active_module.file_path))
$stderr.puts "no active module selected"
return nil
end
system(e + " " + path)
end
end
@ -62,7 +67,7 @@ class Plugin::Editor < Msf::Plugin
def cleanup
# If we had previously registered a console dispatcher with the console,
# deregister it now.
remove_console_dispatcher('Editor')
remove_console_dispatcher('Editor')
end
#

39
plugins/wmap.rb Executable file → Normal file
View File

@ -1,7 +1,10 @@
#
# Web assessment for the metasploit framework
# Web assessment for the metasploit framework
# Efrain Torres - et[ ] metasploit.com 2010
#
# $Id$
# $Revision$
#
require 'rabal/tree'
require 'rexml/document'
@ -12,7 +15,7 @@ require 'active_record'
module Msf
#
# Constants
# Constants
#
WMAPVersion = "0.9"
@ -25,7 +28,7 @@ WMAP_EXITIFSESS = true
WMAP_SHOW = 2**0
WMAP_EXPL = 2**1
PROXY_CMDLINE = "../ratproxy/ratproxy"
PROXY_CMDLINE = "../ratproxy/ratproxy"
PROXY_DEFAULTOPTS = " -a -v " + File.join( ENV.fetch('HOME'), '.msf3') + " -b sqlite3.db"
CRAWLER_CMDLINE = "ruby " + File.join(Msf::Config.install_root,"tools", "msfcrawler.rb")
@ -71,28 +74,28 @@ class Plugin::Wmap < Msf::Plugin
def cmd_wmap_attack(*args)
aurl = args.shift
puri = URI.parse(val)
tssl = (puri.scheme == "https") ? true : false
if (puri.host.nil? or puri.host.empty?)
if (puri.host.nil? or puri.host.empty?)
print_error( "Error: target http(s)://target/path")
else
crawldefaultopts = ""
rundefaultopts = ""
crawlopts = crawldefaultopts + " -t " + aurl + " " + args.join(" ")
runopts = rundefaultopts + " -t " + aurl + " " + args.join(" ")
#print_status("Crawling")
#cmd_wmap_crawl(crawlopts)
print_status("Reloading targets")
cmd_wmap_targets("-r")
print_status("Selecting target")
tid = -1
framework.db.each_target do |tgt|
if tgt.host == puri.host and tgt.port.to_i == puri.port.to_i
@ -100,7 +103,7 @@ class Plugin::Wmap < Msf::Plugin
print_status("Target ID: #{tid}")
end
end
seltgt = framework.db.get_target(tid)
if seltgt == nil
print_error("Target id not found.")
@ -410,24 +413,24 @@ class Plugin::Wmap < Msf::Plugin
# First run the WMAP_SERVER plugins
#
case e.wmap_type
when :WMAP_SERVER
when :WMAP_SERVER
if RUN_WMAP_SERVER
matches1[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true
end
when :WMAP_QUERY
if RUN_WMAP_QUERY
matches2[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true
end
end
when :WMAP_BODY
if RUN_WMAP_BODY
if RUN_WMAP_BODY
matches3[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true
end
when :WMAP_HEADERS
if RUN_WMAP_HEADERS
if RUN_WMAP_HEADERS
matches4[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true
end
when :WMAP_UNIQUE_QUERY
if RUN_WMAP_UNIQUE_QUERY
if RUN_WMAP_UNIQUE_QUERY
matches5[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true
end
when :WMAP_GENERIC
@ -1299,7 +1302,7 @@ class Plugin::Wmap < Msf::Plugin
#
def cmd_wmap_crawl(*args)
cmdline = CRAWLER_CMDLINE
crawlopts = CRAWLER_DEFAULTOPTS + " " + args.join(" ")