Merge remote-tracking branch 'upstream/master' into bug/web-vuln-logging

Gemfile

@@ -7,7 +7,7 @@ gem 'activerecord'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 gem 'json'
 # Database models shared between framework and Pro.
-gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.4.0'
+gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.6.0'
 # Needed by msfgui and other rpc components
 gem 'msgpack'
 # Needed by anemone crawler

Gemfile.lock

@@ -1,9 +1,9 @@
 GIT
   remote: git://github.com/rapid7/metasploit_data_models.git
-  revision: 448c1065329efea1eac76a3897f626f122666743
+  revision: 0285d6e199f125b33214100dcb0f4eeb12ee765f
-  tag: 0.4.0
+  tag: 0.6.0
   specs:
-    metasploit_data_models (0.4.0)
+    metasploit_data_models (0.6.0)
       activerecord (>= 3.2.10)
       activesupport
       pg
@@ -12,22 +12,22 @@ GIT
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (3.2.11)
+    activemodel (3.2.12)
-      activesupport (= 3.2.11)
+      activesupport (= 3.2.12)
       builder (~> 3.0.0)
-    activerecord (3.2.11)
+    activerecord (3.2.12)
-      activemodel (= 3.2.11)
+      activemodel (= 3.2.12)
-      activesupport (= 3.2.11)
+      activesupport (= 3.2.12)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.11)
+    activesupport (3.2.12)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     arel (3.0.2)
     builder (3.0.4)
-    coderay (1.0.8)
+    coderay (1.0.9)
     diff-lcs (1.1.3)
-    i18n (0.6.1)
+    i18n (0.6.4)
     json (1.7.7)
     method_source (0.8.1)
     msgpack (0.5.2)
@@ -35,10 +35,10 @@ GEM
     nokogiri (1.5.6)
     pcaprub (0.11.3)
     pg (0.14.1)
-    pry (0.9.10)
+    pry (0.9.12)
       coderay (~> 1.0.5)
       method_source (~> 0.8)
-      slop (~> 3.3.1)
+      slop (~> 3.4)
     rake (10.0.2)
     redcarpet (2.2.2)
     robots (0.10.1)
@@ -54,8 +54,8 @@ GEM
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
-    slop (3.3.3)
+    slop (3.4.3)
-    tzinfo (0.3.35)
+    tzinfo (0.3.36)
     yard (0.8.3)
 
 PLATFORMS

Rakefile

@@ -16,11 +16,16 @@ namespace :yard do
       '-',
       'COPYING',
       'HACKING',
-      'THIRD-PARTY.md'
+      'LICENSE',
+      'CONTRIBUTING.md',
   ]
   yard_options = [
       # include documentation for protected methods for developers extending the code.
-      '--protected'
+      '--protected',
+      # Don't bother with files meant to be examples
+      '--exclude', 'samples/',
+      '--exclude', '\.ut\.rb/',
+      '--exclude', '\.ts\.rb/',
   ]
 
   YARD::Rake::YardocTask.new(:doc) do |t|

data/sql/migrate/20110610085000_move_old_imported_creds_to_new_files.rb

@@ -1,127 +0,0 @@
-class MoveOldImportedCredsToNewFiles < ActiveRecord::Migration
-
-	class ImportedCred < ActiveRecord::Base
-	end
-
-	class CredFile < ActiveRecord::Base
-	end
-
-	class Workspace < ActiveRecord::Base
-	end
-
-	class << self
-
-		def find_or_create_cred_path
-			cred_files_dir = nil
-			msf_base = Msf::Config.install_root
-			pro_base = File.expand_path(File.join(msf_base, "..", "engine", "lib", "pro"))
-			if File.directory? pro_base
-				cred_files_dir = File.expand_path(File.join(msf_base, "..", "cred_files"))
-				FileUtils.mkdir_p(cred_files_dir) unless File.exists?(cred_files_dir)
-				if File.directory?(cred_files_dir) and File.writable?(cred_files_dir)
-				end
-			end
-			return cred_files_dir
-		end
-
-		def find_all_imported_creds_by_workspace
-			valid_ptypes = ["smb_hash", "userpass", "password"]
-			valid_workspaces = Workspace.all.map {|w| w.id}
-			creds = {}
-			ImportedCred.all.each do |cred|
-				next unless cred.ptype
-				next unless valid_ptypes.include? cred.ptype
-				next unless cred.workspace_id
-				next unless valid_workspaces.include? cred.workspace_id
-				creds[cred.workspace_id] ||= []
-				creds[cred.workspace_id] << cred
-			end
-			return creds
-		end
-
-		def sort_creds_into_file_types(old_creds)
-			files = {}
-			old_creds.each do |wid,creds|
-				filedata = {}
-				creds.each do |cred|
-					filedata[cred.ptype] ||= []
-					case cred.ptype
-					when "smb_hash", "userpass"
-						filedata[cred.ptype] << ("%s %s" % [cred.user,cred.pass])
-					when "password"
-						filedata[cred.ptype] << cred.pass.to_s
-					end
-					files[wid] = filedata 
-				end
-			end
-			return files
-		end
-
-		def write_creds_to_files(old_creds,cred_path)
-			file_data_to_write = sort_creds_into_file_types(old_creds)
-			files_written = []
-			file_data_to_write.each do |wid, fdata_hash|
-				fdata_hash.each do |ftype,cred_data|
-					next unless cred_data
-					next if cred_data.empty?
-					fname = File.join(cred_path,"creds_#{wid}_#{ftype}-#{Time.now.utc.to_i}.txt")
-					fdata = cred_data.join("\n")
-					fh = File.open(fname, "wb")
-					begin
-						fh.write fdata
-						fh.flush
-					ensure
-						fh.close 
-					end
-					files_written << fname
-				end
-			end
-			return files_written
-		end
-
-		def register_new_files(new_files)
-			successful_count = 0
-			new_files.each do |fname|
-				next unless File.split(fname).last =~ /^creds_([0-9]+)_(userpass|password|smb_hash)\-[0-9]+\.txt$/
-				wid = $1
-				next unless Workspace.find(wid)
-				ftype = $2
-				actual_ftype = case ftype
-					when "smb_hash", "userpass"
-						"userpass" # They're treated the same
-					when "password"
-						"pass"
-					end
-				next unless actual_ftype
-				say "Registering credential file '%s' for workspace %d as type '%s'" % [fname,wid,actual_ftype]
-				cred_file = CredFile.new
-				cred_file.workspace_id = wid
-				cred_file.created_by = ""
-				cred_file.path = fname
-				cred_file.name = "#{ftype}.txt"
-				cred_file.desc = "Migrated #{ftype} credentials"
-				cred_file.ftype = actual_ftype
-				if cred_file.save
-					successful_count += 1
-					say "Successfully imported #{ftype} credentials for workspace #{wid}"
-				end
-			end
-			successful_count
-		end
-
-	end
-
-	def self.up
-		cred_path = find_or_create_cred_path
-		if cred_path
-			old_imported_creds = find_all_imported_creds_by_workspace
-			new_files = write_creds_to_files(old_imported_creds,cred_path)
-			successful_count = register_new_files(new_files)
-		end
-	end
-
-	# Sorry, can't get the old data back.
-	def self.down
-	end
-
-end

external/source/shellcode/windows/x86/src/block/block_reverse_http.asm

@@ -49,11 +49,12 @@ httpopenrequest:
   pop ecx
   xor edx, edx           ; NULL
   push edx               ; dwContext (NULL)
-  push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200) ; dwFlags
+  push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
     ;0x80000000 |        ; INTERNET_FLAG_RELOAD
     ;0x04000000 |        ; INTERNET_NO_CACHE_WRITE
 	;0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
-    ;0x00000200          ; INTERNET_FLAG_NO_UI
+    ;0x00000200 |        ; INTERNET_FLAG_NO_UI
+    ;0x00400000          ; INTERNET_FLAG_KEEP_CONNECTION
   push edx               ; accept types
   push edx               ; referrer
   push edx               ; version

lib/anemone/rex_http.rb

@@ -188,7 +188,9 @@ module Anemone
 			context,
 			url.scheme == "https",
 			'SSLv23',
-			@opts[:proxies]
+			@opts[:proxies],
+                    @opts[:username],
+                    @opts[:password]
 		)
 
 		conn.set_config(

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Gemfile

@@ -1,10 +0,0 @@
-source "http://rubygems.org"
-
-# Specify your gem's dependencies in metasploit_data_models.gemspec
-gemspec
-
-group :test do
-  # rails is only used for testing with a dummy application in spec/dummy
-  gem 'rails'
-  gem 'rspec-rails'
-end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/Rakefile

@@ -1,7 +0,0 @@
-require 'bundler/gem_tasks'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec)
-
-task :default => :spec
-

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/app/models/mdm/web_vuln.rb

@@ -1,16 +0,0 @@
-class Mdm::WebVuln < ActiveRecord::Base
-  #
-  # Relations
-  #
-
-  belongs_to :web_site, :class_name => 'Mdm::WebSite'
-
-  #
-  # Serializations
-  #
-
-  serialize :params, MetasploitDataModels::Base64Serializer.new
-
-  ActiveSupport.run_load_hooks(:mdm_web_vuln, self)
-end
-

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/base64_serializer.rb

@@ -1,35 +0,0 @@
-# 2012-04-23
-#
-# Provides ActiveRecord 3.1x-friendly serialization for descendants of
-# ActiveRecord::Base. Backwards compatible with older YAML methods and
-# will fall back to string decoding in the worst case
-#
-# usage:
-# serialize :foo, MetasploitDataModels::Base64Serializer.new
-#
-module MetasploitDataModels
-  class Base64Serializer
-    def load(value)
-      return {} if value.blank?
-      begin
-        # Load the unpacked Marshal object first
-        Marshal.load(value.unpack('m').first)
-      rescue
-        begin
-          # Support legacy YAML encoding for existing data        
-          YAML.load(value)
-        rescue
-          # Fall back to string decoding
-          value
-        end
-      end
-    end
-
-    def dump(value)
-      # Always store data back in the Marshal format
-      [ Marshal.dump(value) ].pack('m')
-    end
-  end
-end
-
-

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/engine.rb

@@ -1,7 +0,0 @@
-require 'rails'
-
-module MetasploitDataModels
-  class Engine < Rails::Engine
-
-  end
-end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/lib/metasploit_data_models/version.rb

@@ -1,7 +0,0 @@
-module MetasploitDataModels
-  # MetasploitDataModels follows the {Semantic Versioning Specification http://semver.org/}.  At this time, the API
-  # is considered unstable because the database migrations are still in metasploit-framework and certain models may not
-  # be shared between metasploit-framework and pro, so models may be removed in the future.  Because of the unstable API
-  # the version should remain below 1.0.0
-  VERSION = '0.4.0'
-end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.4.0/spec/lib/base64_serializer_spec.rb

@@ -1,22 +0,0 @@
-require "spec_helper"
-
-module MetasploitDataModels
-  describe Base64Serializer do
-    subject{Base64Serializer.new}
-
-    let(:test_value){{:foo => "bar", :baz => "baz"}}
-
-    # We make it same way as in class b/c hard to keep a reliable base64
-    # string literal as a fixture
-    let(:base64_fixture){[Marshal.dump(test_value)].pack('m')}
-
-    it "should turn a Hash into proper base64" do
-      subject.dump(test_value).should == base64_fixture
-    end
-
-    it "should turn base64 back into a Hash" do
-      subject.load(base64_fixture).should == test_value
-    end
-  end
-end
-

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.6.0/.gitignore

@@ -6,13 +6,19 @@
 *.gem
 # Rubymine project configuration
 .idea
+# logs
+*.log
 # Don't check in rvmrc since this is a gem
 .rvmrc
+# YARD database
+.yardoc
+# coverage report directory for simplecov/Rubymine
+coverage
+# generated yardocs
+doc
 # Installed gem versions.  Not stored for the same reasons as .rvmrc
 Gemfile.lock
 # Packaging directory for builds
 pkg/*
 # Database configuration (with passwords) for specs
 spec/dummy/config/database.yml
-# logs
-*.log

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.6.0/.simplecov

@@ -0,0 +1,38 @@
+# RM_INFO is set when using Rubymine.  In Rubymine, starting SimpleCov is
+# controlled by running with coverage, so don't explicitly start coverage (and
+# therefore generate a report) when in Rubymine.  This _will_ generate a report
+# whenever `rake spec` is run.
+unless ENV['RM_INFO']
+	SimpleCov.start
+end
+
+SimpleCov.configure do
+  load_adapter('rails')
+
+  # ignore this file
+	add_filter '.simplecov'
+
+	#
+	# Changed Files in Git Group
+	# @see http://fredwu.me/post/35625566267/simplecov-test-coverage-for-changed-files-only
+	#
+
+	untracked = `git ls-files --exclude-standard --others`
+	unstaged = `git diff --name-only`
+	staged = `git diff --name-only --cached`
+	all = untracked + unstaged + staged
+	changed_filenames = all.split("\n")
+
+	add_group 'Changed' do |source_file|
+		changed_filenames.detect { |changed_filename|
+			source_file.filename.end_with?(changed_filename)
+		}
+	end
+
+	#
+	# Specs are reported on to ensure that all examples are being run and all
+	# lets, befores, afters, etc are being used.
+	#
+
+	add_group 'Specs', 'spec'
+end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.6.0/.yardopts

@@ -0,0 +1,4 @@
+--markup markdown
+--protected
+{app,lib}/**/*.rb
+db/migrate/*.rb

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.6.0/Gemfile

@@ -0,0 +1,25 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in metasploit_data_models.gemspec
+gemspec
+
+# used by dummy application
+group :development, :test do
+  # supplies factories for producing model instance for specs
+  # Version 4.1.0 or newer is needed to support generate calls without the 'FactoryGirl.' in factory definitions syntax.
+  gem 'factory_girl', '>= 4.1.0'
+  # auto-load factories from spec/factories
+  gem 'factory_girl_rails'
+  # rails is only used for the dummy application in spec/dummy
+  gem 'rails'
+end
+
+group :test do
+  # In a full rails project, factory_girl_rails would be in both the :development, and :test group, but since we only
+  # want rails in :test, factory_girl_rails must also only be in :test.
+  # add matchers from shoulda, such as validates_presence_of, which are useful for testing validations
+  gem 'shoulda-matchers'
+  # code coverage of tests
+  gem 'simplecov', :require => false
+  gem 'rspec-rails'
+end

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.6.0/Rakefile

@@ -0,0 +1,34 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+APP_RAKEFILE = File.expand_path('../spec/dummy/Rakefile', __FILE__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+#
+# load rake files like a normal rails app
+# @see http://viget.com/extend/rails-engine-testing-with-rspec-capybara-and-factorygirl
+#
+
+pathname = Pathname.new(__FILE__)
+root = pathname.parent
+rakefile_glob = root.join('lib', 'tasks', '**', '*.rake').to_path
+
+Dir.glob(rakefile_glob) do |rakefile|
+  load rakefile
+end
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+
+# Depend on app:db:test:prepare so that test database is recreated just like in a full rails app
+# @see http://viget.com/extend/rails-engine-testing-with-rspec-capybara-and-factorygirl
+RSpec::Core::RakeTask.new(:spec => 'app:db:test:prepare')
+
+task :default => :spec
+

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.6.0/app/models/mdm/user.rb

@@ -20,13 +20,6 @@ class Mdm::User < ActiveRecord::Base
   serialized_prefs_attr_accessor :time_zone, :session_key
   serialized_prefs_attr_accessor :last_login_address # specifically NOT last_login_ip to prevent confusion with AuthLogic magic columns (which dont work for serialized fields)
 
-  #
-  # Validations
-  #
-
-  validates :password, :password_is_strong => true
-  validates :password_confirmation, :password_is_strong => true
-
   ActiveSupport.run_load_hooks(:mdm_user, self)
 end
 

lib/gemcache/ruby/1.9.1/gems/metasploit_data_models-0.6.0/app/models/mdm/web_vuln.rb

@@ -0,0 +1,191 @@
+# A Web Vulnerability found during a web scan or web audit.
+#
+# If you need to modify Mdm::WebVuln you can use ActiveSupport.on_load(:mdm_web_vuln) inside an initializer so that
+# your patches are reloaded on each request in development mode for your Rails application.
+#
+# @example extending Mdm::WebVuln
+#   # config/initializers/mdm_web_vuln.rb
+#   ActiveSupport.on_load(:mdm_web_vuln) do
+#     def confidence_percentage
+#       "#{confidence}%"
+#     end
+#   end
+class Mdm::WebVuln < ActiveRecord::Base
+  #
+  # CONSTANTS
+  #
+
+  # A percentage {#confidence} that the vulnerability is real and not a false positive.  0 is not allowed because there
+  # shouldn't be an {Mdm::WebVuln} record if there is 0% {#confidence} in the the finding.
+  CONFIDENCE_RANGE = 1 .. 100
+
+  # Default value for {#params}
+  DEFAULT_PARAMS = []
+
+  # Allowed {#method methods}.
+  METHODS = [
+      'GET',
+      # XXX I don't know why PATH is a valid method when it's not an HTTP Method/Verb
+      'PATH',
+      'POST'
+  ]
+
+  # {#risk Risk} is rated on a scale from 0 (least risky) to 5 (most risky).
+  RISK_RANGE = 0 .. 5
+
+  #
+  # Associations
+  #
+
+  belongs_to :web_site, :class_name => 'Mdm::WebSite'
+
+  #
+  # Attributes
+  #
+
+  # @!attribute [rw] blame
+  #   Who to blame for the vulnerability
+  #
+  #   @return [String]
+
+  # @!attribute [rw] category
+  #   Category of this vulnerability.
+  #
+  #   @return [String]
+
+  # @!attribute [rw] confidence
+  #   Percentage confidence scanner or auditor has that this vulnerability is not a false positive
+  #
+  #   @return [Integer] 1% to 100%
+
+  # @!attribute [rw] description
+  #   Description of the vulnerability
+  #
+  #   @return [String, nil]
+
+  # @!attribute [rw] method
+  #   HTTP Methods for request that found vulnerability.  'PATH' is also allowed even though it is not an HTTP Method.
+  #
+  #   @return [String]
+  #   @see METHODS
+
+  # @!attribute [rw] name
+  #   Name of the vulnerability
+  #
+  #   @return [String]
+
+  # @!attribute [rw] path
+  #   Path portion of URL
+  #
+  #   @return [String]
+
+  # @!attribute [rw] payload
+  #   Web audit payload that gets executed by the remote server.  Used for code injection vulnerabilities.
+  #
+  #   @return [String, nil]
+
+  # @!attribute [rw] pname
+  #   Name of parameter that demonstrates vulnerability
+  #
+  #   @return [String]
+
+  # @!attribute [rw] proof
+  #   String that proves vulnerability, such as a code snippet, etc.
+  #
+  #   @return [String]
+
+  # @!attribute [rw] query
+  #   The GET query.
+  #
+  #   @return [String]
+
+  # @!attribute [rw] request
+  #
+  #   @return [String]
+
+  # @!attribute [rw] risk
+  #   {RISK_RANGE Risk} of leaving this vulnerability unpatched.
+  #
+  #   @return [Integer]
+
+  #
+  # Validations
+  #
+
+  validates :category, :presence => true
+  validates :confidence,
+            :inclusion => {
+                :in => CONFIDENCE_RANGE
+            }
+  validates :method,
+            :inclusion => {
+                :in => METHODS
+            }
+  validates :name, :presence => true
+  validates :path, :presence => true
+  validates :pname, :presence => true
+  validates :proof, :presence => true
+  validates :risk,
+            :inclusion => {
+                :in => RISK_RANGE
+            }
+  validates :web_site, :presence => true
+
+  #
+  # Serializations
+  #
+
+  # @!attribute [rw] params
+  #   Parameters sent as part of request
+  #
+  #   @return [Array<Array<(String, String)>>] Array of parameter key value pairs
+  serialize :params, MetasploitDataModels::Base64Serializer.new(:default => DEFAULT_PARAMS)
+
+  #
+  # Methods
+  #
+
+  # Parameters sent as part of request.
+  #
+  # @return [Array<Array<(String, String)>>]
+  def params
+    normalize_params(
+        read_attribute(:params)
+    )
+  end
+
+  # Set parameters sent as part of request.
+  #
+  # @param params [Array<Array<(String, String)>>, nil] Array of parameter key value pairs
+  # @return [void]
+  def params=(params)
+    write_attribute(
+        :params,
+        normalize_params(params)
+    )
+  end
+
+  private
+
+  # Creates a duplicate of {DEFAULT_PARAMS} that is safe to modify.
+  #
+  # @return [Array] an empty array
+  def default_params
+    DEFAULT_PARAMS.dup
+  end
+
+  # Returns either the given params or {DEFAULT_PARAMS} if params is `nil`
+  #
+  # @param [Array<Array<(String, String)>>, nil] params
+  # @return [Array<<Array<(String, String)>>] params if not `nil`
+  # @return [nil] if params is `nil`
+  def normalize_params(params)
+    params || default_params
+  end
+
+  # switch back to public for load hooks
+  public
+
+  ActiveSupport.run_load_hooks(:mdm_web_vuln, self)
+end
+