diff --git a/modules/auxiliary/scanner/ftp/ftp_login.rb b/modules/auxiliary/scanner/ftp/ftp_login.rb
index dc6a37cfe7..65de12b76d 100644
--- a/modules/auxiliary/scanner/ftp/ftp_login.rb
+++ b/modules/auxiliary/scanner/ftp/ftp_login.rb
@@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary
 else
 return
 end
- ftp_quit
+ ftp_quit
 end
 
 def ftp_quit
@@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
 send_quit if @ftp_sock
 rescue ::Rex::ConnectionError, EOFError, ::Errno::ECONNRESET
 end
- disconnect if @ftp_sock
+ disconnect if @ftp_sock
 @ftp_sock = nil
 end
 
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary
 def do_login(user=nil,pass=nil)
 vprint_status("#{rhost}:#{rport} - Attempting FTP login for '#{user}':'#{pass}'")
 this_attempt ||= {}
- this_attempt[[user,pass]] ||= 0
+ this_attempt[[user,pass]] ||= 0
 while this_attempt[[user,pass]] <= 3
 @ftp_sock = connect(true,false) unless @ftp_sock
 begin
@@ -122,7 +122,7 @@ class Metasploit3 < Msf::Auxiliary
 vprint_status("#{rhost}:#{rport} - Failed FTP login for '#{user}':'#{pass}'")
 return :fail
 end
- rescue ::Rex::ConnectionError, EOFError, ::Errno::ECONNRESET => e
+ rescue ::Rex::ConnectionError, EOFError, ::Errno::ECONNRESET => e
 this_attempt[[user,pass]] += 1
 vprint_status "#{rhost}:#{rport} - Caught #{e.class}, reconnecting and retrying"
 disconnect
diff --git a/modules/encoders/x86/context_cpuid.rb b/modules/encoders/x86/context_cpuid.rb
index 51f7f10abe..76acec86b2 100644
--- a/modules/encoders/x86/context_cpuid.rb
+++ b/modules/encoders/x86/context_cpuid.rb
@@ -1,5 +1,9 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -32,18 +36,18 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback }) register_options( - [ - OptString.new('CPUID_KEY', - [ true, - "CPUID key from target host (see tools/context/cpuid-key utility)", + [ + OptString.new('CPUID_KEY', + [ true, + "CPUID key from target host (see tools/context/cpuid-key utility)", "0x00000000"]), - ], self.class) + ], self.class) end - def obtain_key(buf, badchars, state) + def obtain_key(buf, badchars, state) state.key = datastore['CPUID_KEY'].hex return state.key - end + end # # Generates the shikata decoder stub. @@ -63,7 +67,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback # Cache this decoder stub. The reason we cache the decoder stub is # because we need to ensure that the same stub is returned every time - # for a given encoder state. + # for a given encoder state. state.decoder_stub = block end 
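Review bot: `state.key = datastore['CPUID_KEY'].hex` in obtain_key silently produces key 0 whenever the option holds something String#hex cannot parse, so a mistyped or mis-pasted key is never reported and the encoder state carries a zero key. `state.key = Integer(datastore['CPUID_KEY'], 16)` raises ArgumentError on malformed input while still accepting the `"0x00000000"` default, which surfaces the operator error at option time instead of in the encoded output. The same `.hex` pattern appears in obtain_key of context_stat.rb (STAT_KEY) and context_time.rb (TIME_KEY) and would benefit from the same change.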
@@ -73,44 +77,45 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback protected def keygen_stub payload = - "\x31\xf6" + # xor %esi,%esi - "\x31\xff" + # xor %edi,%edi - "\x89\xf8" + # cpuid_loop: mov %edi,%eax - "\x31\xc9" + # xor %ecx,%ecx - "\x0f\xa2" + # cpuid - "\x31\xc6" + # xor %eax,%esi - "\x39\xf0" + # cmp %esi,%eax - "\x75\x03" + # jne not_first_time - "\x8d\x78\x01" + # lea 0x1(%eax,1),%edi - "\x31\xde" + # not_first_time: xor %ebx,%esi - "\x31\xce" + # xor %ecx,%esi - "\x31\xd6" + # xor %edx,%esi - "\x83\xef\x01" + # sub $0x1,%edi - "\x75\xe6" + # jne cpuid_loop + "\x31\xf6" + # xor %esi,%esi + "\x31\xff" + # xor %edi,%edi + "\x89\xf8" + # cpuid_loop: mov %edi,%eax + "\x31\xc9" + # xor %ecx,%ecx + "\x0f\xa2" + # cpuid + "\x31\xc6" + # xor %eax,%esi + "\x39\xf0" + # cmp %esi,%eax + "\x75\x03" + # jne not_first_time + "\x8d\x78\x01" + # lea 0x1(%eax,1),%edi + "\x31\xde" + # not_first_time: xor %ebx,%esi + "\x31\xce" + # xor %ecx,%esi + "\x31\xd6" + # xor %edx,%esi + "\x83\xef\x01" + # sub $0x1,%edi + "\x75\xe6" + # jne cpuid_loop "\x89\xf0" # mov %esi,%eax end + # # Returns the set of FPU instructions that can be used for the FPU block of # the decoder stub. # def fpu_instructions fpus = [] - + 0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr } 0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr } 0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr } 0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr } 0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr } - + fpus << "\xd9\xd0" fpus << "\xd9\xe1" fpus << "\xd9\xf6" fpus << "\xd9\xf7" fpus << "\xd9\xe5" - + # This FPU instruction seems to fail consistently on Linux #fpus << "\xdb\xe1" - + fpus end 
@@ -130,9 +135,8 @@ protected # FPU blocks fpu = Rex::Poly::LogicalBlock.new('fpu', *fpu_instructions) - fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', - "\xd9\x74\x24\xf4") - + fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', "\xd9\x74\x24\xf4") + # Get EIP off the stack popeip = Rex::Poly::LogicalBlock.new('popeip', Proc.new { |b| (0x58 + b.regnum_of(addr_reg)).chr }) @@ -159,7 +163,7 @@ protected end # Key initialization block - + # Decoder loop block loop_block = Rex::Poly::LogicalBlock.new('loop_block') @@ -179,9 +183,9 @@ protected Proc.new { |b| xor1.call(b) + add1.call(b) + add4.call(b) }, Proc.new { |b| xor1.call(b) + add4.call(b) + add2.call(b) }, Proc.new { |b| add4.call(b) + xor2.call(b) + add2.call(b) }) - + # Loop instruction block - loop_inst = Rex::Poly::LogicalBlock.new('loop_inst', + loop_inst = Rex::Poly::LogicalBlock.new('loop_inst', "\xe2\xf5") # Define block dependencies @@ -193,7 +197,7 @@ protected # Generate a permutation saving the EAX, ECX and ESP registers loop_inst.generate([ - Rex::Arch::X86::EAX, + Rex::Arch::X86::EAX, Rex::Arch::X86::ESP, Rex::Arch::X86::ECX ], nil, state.badchars) end diff --git a/modules/encoders/x86/context_stat.rb b/modules/encoders/x86/context_stat.rb index eaed6f0b77..2424212c51 100644 --- a/modules/encoders/x86/context_stat.rb +++ b/modules/encoders/x86/context_stat.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
@@ -33,19 +37,19 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback }) register_options( - [ - OptString.new('STAT_KEY', - [ true, - "STAT key from target host (see tools/context/stat-key utility)", - "0x00000000"]), - OptString.new('STAT_FILE', [ true, "name of file to stat(2)", "/bin/ls"]), - ], self.class) + [ + OptString.new('STAT_KEY', + [ true, + "STAT key from target host (see tools/context/stat-key utility)", + "0x00000000"]), + OptString.new('STAT_FILE', [ true, "name of file to stat(2)", "/bin/ls"]), + ], self.class) end - def obtain_key(buf, badchars, state) + def obtain_key(buf, badchars, state) state.key = datastore['STAT_KEY'].hex return state.key - end + end # # Generates the shikata decoder stub. @@ -65,7 +69,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback # Cache this decoder stub. The reason we cache the decoder stub is # because we need to ensure that the same stub is returned every time - # for a given encoder state. + # for a given encoder state. state.decoder_stub = block end 
@@ -78,44 +82,45 @@ protected flen = fname.length payload = - "\xd9\xee" + # fldz - "\xd9\x74\x24\xf4" + # fnstenv -0xc(%esp) - "\x5b" + # pop %ebx - Rex::Arch::X86.jmp_short(flen) + # jmp over - fname + # the filename - "\x83\xc3\x09" + # over: add $9, %ebx - "\x8d\x53" + # lea filelen(%ebx), %edx - Rex::Arch::X86.pack_lsb(flen) + # - "\x31\xc0" + # xor %eax,%eax - "\x88\x02" + # mov %al,(%edx) - "\x8d\x4c\x24\xa8" + # lea -0x58(%esp),%ecx - "\xb0\xc3" + # mov $0xc3, %al - "\xcd\x80" + # int $0x80 - "\x8b\x41\x2c" + # mov 0x2c(%ecx),%eax - "\x33\x41\x48" # xor 0x48(%ecx),%eax + "\xd9\xee" + # fldz + "\xd9\x74\x24\xf4" + # fnstenv -0xc(%esp) + "\x5b" + # pop %ebx + Rex::Arch::X86.jmp_short(flen) + # jmp over + fname + # the filename + "\x83\xc3\x09" + # over: add $9, %ebx + "\x8d\x53" + # lea filelen(%ebx), %edx + Rex::Arch::X86.pack_lsb(flen) + # + "\x31\xc0" + # xor %eax,%eax + "\x88\x02" + # mov %al,(%edx) + "\x8d\x4c\x24\xa8" + # lea -0x58(%esp),%ecx + "\xb0\xc3" + # mov $0xc3, %al + "\xcd\x80" + # int $0x80 + "\x8b\x41\x2c" + # mov 0x2c(%ecx),%eax + "\x33\x41\x48" # xor 0x48(%ecx),%eax end + # # Returns the set of FPU instructions that can be used for the FPU block of # the decoder stub. # def fpu_instructions fpus = [] - + 0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr } 0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr } 0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr } 0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr } 0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr } - + fpus << "\xd9\xd0" fpus << "\xd9\xe1" fpus << "\xd9\xf6" fpus << "\xd9\xf7" fpus << "\xd9\xe5" - + # This FPU instruction seems to fail consistently on Linux #fpus << "\xdb\xe1" - + fpus end 
@@ -133,11 +138,9 @@ protected endb = Rex::Poly::SymbolicBlock::End.new # FPU blocks - fpu = Rex::Poly::LogicalBlock.new('fpu', - *fpu_instructions) - fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', - "\xd9\x74\x24\xf4") - + fpu = Rex::Poly::LogicalBlock.new('fpu', *fpu_instructions) + fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', "\xd9\x74\x24\xf4") + # Get EIP off the stack popeip = Rex::Poly::LogicalBlock.new('popeip', Proc.new { |b| (0x58 + b.regnum_of(addr_reg)).chr }) @@ -164,7 +167,7 @@ protected end # Key initialization block - + # Decoder loop block loop_block = Rex::Poly::LogicalBlock.new('loop_block') @@ -184,9 +187,9 @@ protected Proc.new { |b| xor1.call(b) + add1.call(b) + add4.call(b) }, Proc.new { |b| xor1.call(b) + add4.call(b) + add2.call(b) }, Proc.new { |b| add4.call(b) + xor2.call(b) + add2.call(b) }) - + # Loop instruction block - loop_inst = Rex::Poly::LogicalBlock.new('loop_inst', + loop_inst = Rex::Poly::LogicalBlock.new('loop_inst', "\xe2\xf5") # Define block dependencies diff --git a/modules/encoders/x86/context_time.rb b/modules/encoders/x86/context_time.rb index 0ca03f069a..82d0331ac9 100644 --- a/modules/encoders/x86/context_time.rb +++ b/modules/encoders/x86/context_time.rb @@ -1,5 +1,9 @@ ## -# This file is part of the Metasploit Framework and may be subject to +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ @@ -18,7 +22,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback def initialize super( 'Name' => 'time(2)-based Context Keyed Payload Encoder', - 'Version' => '$Revision: 1$', + 'Version' => '$Revision$', 'Description' => %q{ This is a Context-Keyed Payload Encoder based on time(2) and Shikata Ga Nai. 
@@ -33,18 +37,18 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback }) register_options( - [ - OptString.new('TIME_KEY', - [ true, - "TIME key from target host (see tools/context/time-key utility)", - "0x00000000"]) - ], self.class) + [ + OptString.new('TIME_KEY', + [ true, + "TIME key from target host (see tools/context/time-key utility)", + "0x00000000"]) + ], self.class) end - def obtain_key(buf, badchars, state) + def obtain_key(buf, badchars, state) state.key = datastore['TIME_KEY'].hex return state.key - end + end # # Generates the shikata decoder stub. @@ -64,7 +68,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback # Cache this decoder stub. The reason we cache the decoder stub is # because we need to ensure that the same stub is returned every time - # for a given encoder state. + # for a given encoder state. state.decoder_stub = block end @@ -74,33 +78,34 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback protected def keygen_stub payload = - "\x31\xdb" + # xor %ebx,%ebx - "\x8d\x43\x0d" + # lea 0xd(%ebx),%eax - "\xcd\x80" + # int $0x80 - "\x66\x31\xc0" # xor %ax,%ax + "\x31\xdb" + # xor %ebx,%ebx + "\x8d\x43\x0d" + # lea 0xd(%ebx),%eax + "\xcd\x80" + # int $0x80 + "\x66\x31\xc0" # xor %ax,%ax end + # # Returns the set of FPU instructions that can be used for the FPU block of # the decoder stub. # def fpu_instructions fpus = [] - + 0xe8.upto(0xee) { |x| fpus << "\xd9" + x.chr } 0xc0.upto(0xcf) { |x| fpus << "\xd9" + x.chr } 0xc0.upto(0xdf) { |x| fpus << "\xda" + x.chr } 0xc0.upto(0xdf) { |x| fpus << "\xdb" + x.chr } 0xc0.upto(0xc7) { |x| fpus << "\xdd" + x.chr } - + fpus << "\xd9\xd0" fpus << "\xd9\xe1" fpus << "\xd9\xf6" fpus << "\xd9\xf7" fpus << "\xd9\xe5" - + # This FPU instruction seems to fail consistently on Linux #fpus << "\xdb\xe1" - + fpus end 
@@ -113,16 +118,14 @@ protected key_reg = Rex::Poly::LogicalRegister::X86.new('key', 'eax') count_reg = Rex::Poly::LogicalRegister::X86.new('count', 'ecx') addr_reg = Rex::Poly::LogicalRegister::X86.new('addr') - + # Declare individual blocks endb = Rex::Poly::SymbolicBlock::End.new # FPU blocks - fpu = Rex::Poly::LogicalBlock.new('fpu', - *fpu_instructions) - fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', - "\xd9\x74\x24\xf4") - + fpu = Rex::Poly::LogicalBlock.new('fpu', *fpu_instructions) + fnstenv = Rex::Poly::LogicalBlock.new('fnstenv', "\xd9\x74\x24\xf4") + # Get EIP off the stack popeip = Rex::Poly::LogicalBlock.new('popeip', Proc.new { |b| (0x58 + b.regnum_of(addr_reg)).chr }) @@ -149,7 +152,7 @@ protected end # Key initialization block - + # Decoder loop block loop_block = Rex::Poly::LogicalBlock.new('loop_block') @@ -169,9 +172,9 @@ protected Proc.new { |b| xor1.call(b) + add1.call(b) + add4.call(b) }, Proc.new { |b| xor1.call(b) + add4.call(b) + add2.call(b) }, Proc.new { |b| add4.call(b) + xor2.call(b) + add2.call(b) }) - + # Loop instruction block - loop_inst = Rex::Poly::LogicalBlock.new('loop_inst', + loop_inst = Rex::Poly::LogicalBlock.new('loop_inst', "\xe2\xf5") # Define block dependencies diff --git a/modules/exploits/osx/http/evocam_webserver.rb b/modules/exploits/osx/http/evocam_webserver.rb old mode 100755 new mode 100644 diff --git a/plugins/editor.rb b/plugins/editor.rb index f8823f36fd..9c3777a7a9 100644 --- a/plugins/editor.rb +++ b/plugins/editor.rb @@ -1,7 +1,12 @@ +# +# $Id$ +# $Revision$ +# + module Msf ### -# +# # This plugin is a simple editor command, designed to make it easy to edit modules in the console. # ### @@ -36,14 +41,14 @@ class Plugin::Editor < Msf::Plugin # def cmd_edit(*args) print_line ("Launching editor...") - + e = Rex::Compat.getenv("EDITOR") || "vi" if (not active_module) or (not (path = active_module.file_path)) $stderr.puts "no active module selected" return nil end - + system(e + " " + path) end end 
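Review bot: `system(e + " " + path)` in cmd_edit of plugins/editor.rb passes a single string, so Ruby hands the command to a shell and a module path containing spaces or shell metacharacters is split or interpreted rather than opened in the editor. Escaping only the path keeps EDITOR values that carry their own arguments working: `require 'shellwords'` at the top of the file and `system("#{e} #{Shellwords.escape(path)}")` here. As a point of style, `if (not active_module) or (not (path = active_module.file_path))` mixes `not`/`or` with an assignment inside the condition; `path = active_module&.file_path` on its own line followed by `if path.nil?` reads more directly.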
@@ -62,7 +67,7 @@ class Plugin::Editor < Msf::Plugin def cleanup # If we had previously registered a console dispatcher with the console, # deregister it now. - remove_console_dispatcher('Editor') + remove_console_dispatcher('Editor') end # diff --git a/plugins/wmap.rb b/plugins/wmap.rb old mode 100755 new mode 100644 index a1cc1c77ed..dc98abef06 --- a/plugins/wmap.rb +++ b/plugins/wmap.rb @@ -1,7 +1,10 @@ # -# Web assessment for the metasploit framework +# Web assessment for the metasploit framework # Efrain Torres - et[ ] metasploit.com 2010 # +# $Id$ +# $Revision$ +# require 'rabal/tree' require 'rexml/document' @@ -12,7 +15,7 @@ require 'active_record' module Msf # -# Constants +# Constants # WMAPVersion = "0.9" @@ -25,7 +28,7 @@ WMAP_EXITIFSESS = true WMAP_SHOW = 2**0 WMAP_EXPL = 2**1 -PROXY_CMDLINE = "../ratproxy/ratproxy" +PROXY_CMDLINE = "../ratproxy/ratproxy" PROXY_DEFAULTOPTS = " -a -v " + File.join( ENV.fetch('HOME'), '.msf3') + " -b sqlite3.db" CRAWLER_CMDLINE = "ruby " + File.join(Msf::Config.install_root,"tools", "msfcrawler.rb") @@ -71,28 +74,28 @@ class Plugin::Wmap < Msf::Plugin def cmd_wmap_attack(*args) aurl = args.shift - + puri = URI.parse(val) tssl = (puri.scheme == "https") ? true : false - - if (puri.host.nil? or puri.host.empty?) + + if (puri.host.nil? or puri.host.empty?) print_error( "Error: target http(s)://target/path") else - + crawldefaultopts = "" rundefaultopts = "" crawlopts = crawldefaultopts + " -t " + aurl + " " + args.join(" ") runopts = rundefaultopts + " -t " + aurl + " " + args.join(" ") - + #print_status("Crawling") #cmd_wmap_crawl(crawlopts) - + print_status("Reloading targets") cmd_wmap_targets("-r") - + print_status("Selecting target") - + tid = -1 framework.db.each_target do |tgt| if tgt.host == puri.host and tgt.port.to_i == puri.port.to_i 
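Review bot: `puri = URI.parse(val)` in cmd_wmap_attack references `val`, which is assigned nowhere in the hunk — the URL argument was stored in `aurl` by `aurl = args.shift` on the line above — so unless `val` is a method defined elsewhere in the plugin this raises NameError on every invocation and the method never reaches its target lookup; it should read `puri = URI.parse(aurl)`. A missing argument is also unguarded: `aurl` is nil when the command is given no arguments, and URI.parse then raises before the existing `print_error( "Error: target http(s)://target/path")` check can run, so a guard such as `return print_error("Error: target http(s)://target/path") if aurl.nil?` before the parse would be appropriate. The body of cmd_wmap_attack continues past the end of the hunk.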
@@ -100,7 +103,7 @@ class Plugin::Wmap < Msf::Plugin print_status("Target ID: #{tid}") end end - + seltgt = framework.db.get_target(tid) if seltgt == nil print_error("Target id not found.") @@ -410,24 +413,24 @@ class Plugin::Wmap < Msf::Plugin # First run the WMAP_SERVER plugins # case e.wmap_type - when :WMAP_SERVER + when :WMAP_SERVER if RUN_WMAP_SERVER matches1[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true end when :WMAP_QUERY if RUN_WMAP_QUERY matches2[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true - end + end when :WMAP_BODY - if RUN_WMAP_BODY + if RUN_WMAP_BODY matches3[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true end when :WMAP_HEADERS - if RUN_WMAP_HEADERS + if RUN_WMAP_HEADERS matches4[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true end when :WMAP_UNIQUE_QUERY - if RUN_WMAP_UNIQUE_QUERY + if RUN_WMAP_UNIQUE_QUERY matches5[[selected_host,selected_port,selected_ssl,mtype[1]+'/'+n]]=true end when :WMAP_GENERIC @@ -1299,7 +1302,7 @@ class Plugin::Wmap < Msf::Plugin # def cmd_wmap_crawl(*args) - + cmdline = CRAWLER_CMDLINE crawlopts = CRAWLER_DEFAULTOPTS + " " + args.join(" ")