::File.find did not return an Enumerable when not given a block in
1.8.7; instead it un-idiomatically just raised an exception. The
solution is just to give the block directly to .find instead of trying
to call #each on its return value.
[FixRM #7499]
Makes it work when using meterpreter. Because "quit" or "exit" in the
console ends up calling die() instead of falling through to whatever's
left in the file, a meterpreter session would never reach the code to
delete itself before this change.
[Fixes#38426061, #38097411]
Msf::Modules::Loader::Directory#read_module_content may calculate a non-existent
module_path that gets passed to File.open causing an Errno::ENOENT exception
to be raised when using the module cache with a module that has been
moved to a new path (as is the case that originally found this bug) or
deleted. Now, the exception is rescued and read_module_content returns
an empty string (''), which load_module detects with
module_content.empty? and returns earlier without attempting to module
eval the (empty) content.
As having Msf::Modules::Loader::Directory#read_module_content rescue the
exception, meant there was another place that needed to log and error
and store an error in Msf::ModuleManager#module_load_error_by_path, I
refactored the error reporting to call
Msf::Modules::Loader::Base#load_error, which handles writing to the log
and setting the Hash, so the error reporting is consistent across the
loaders.
The exception hierarchy was also refactored so that
namespace_module.metasploit_class now has an error raising counter-part:
namespace_module.metasploit_class! that can be used with
Msf::Modules::Loader::Base#load_error as it requires an exception, and
not just a string so the exception class, message, and backtrace can be
logged.
* Pulls common code up from several methods into #open_sc_manager
* Deprecates the name Windows::WindowsServices in favor of
Windows::Services. The platform is already clear from the namespace.
* Makes the post/test/services test module actually work
[See #1007]
[See #1012]
Msf::Modules::Loader::Archive#each_module_reference_name tried to check
the enabled types for the module_manager by accessing the
enabledment_by_type Hash, which is protected. Instead, it should use
the public type_enabled? method.
Add specs to test all of Msf::Modules::Loader::Archive while testing
each_module_reference_name. In order to properly test that modules
could be found in archives, I had to produce a fastlib archive, so there
is now a spec for FastLib.dump and FastLib.load. Some specs are marked
pending as I found a bug in FastLib, which has a work-around. The bug
is filed in PivotalTracker as
https://www.pivotaltracker.com/story/show/38730815 and the pending tests
include the URL also in their tags.
Just had a brain fart when converting the hash key names and translated
:mtype to :modification_time instead of the correct :type. Correct key
names are in
Msf::ModuleManager::Cache#module_info_by_path_from_database!.
Msf::Config.install_root already existed, but I didn't know about it
until egypt pointed it out, so remove the new Msf.root and use
Msf::Config.install_root in the specs instead.
Depending on how a socket was created, #getsockname will return either a
struct sockaddr as a String (the default ruby Socket behavior) or an
Array (the extend'd Rex::Socket::Tcp behavior). Avoid the ambiguity when
generating SSL certificates for meterpreter handlers by always picking a
random hostname.
This is by no means a proper fix for the underlying problem of
Socket#getsockname having ambiguous behavior before and after being
extended with Rex::Socket::Tcp. It does, however, solve the immediate
problem of not being able to create tunneled meterpreter sessions over
http(s) sessions.
[SeeRM #7350]
[Fixes#37630057]
Modules were always being detected as having file changes because the
parent_path directory, instead of the actual module_path, was being
passed to module_manager.file_changed?, which caused the modification
times to not match.
To ensure this change fixes the ambiguous module warnings, a full spec
for Msf::Core::Modules::Loader::Base has been written.
spec/msf has moved to spec/lib/msf to match conventional spec layout and
allow for the spec/support directory to not be confused as a lib
subdirectory being tested.
Also adds some clarifying commentation and adds todb to the list of
authors since he wrote the original module for windows upon which this
one is based.
Ensures that the absence of activerecord does not prevent msfconsole
from loading. This returns us to the previous state of affairs where it
is possible to use the framework entirely without a database.
To test:
1. rm -rf lib/gemcache/ruby/1.9.1/gems/activerecord*
2. remove any locally installed versions of activerecord
3. msfconsole
msfconsole should load up with a warning like so:
[-] ***
[-] * WARNING: No database support: LoadError cannot load such file -- active_record
[-] ***
... and should still be functional.
I missed a spot where I referenced the nested_paths as nested_pathnams
after I renamed the variable. Now, Msf::ModuleManager#add_module_paths
has rspec tests.
Rspec can be invoked with `rake` as the default task or `rake spec`
explicitly.
I changed RuntimeError to ArgumentError since that error was more
specific to having a bad argument error. I adding missing dependencies
to the Gemfile and a require to msf/core/db_manager.rb where it errored
out trying to access Msf::Config when I just did require 'msf/core' in
the spec.
[#36737359]
The merging of reload_module and the various load_module methods
resulted in the module loading from disk, but because the Hash entry in
the module manager was not deleted before on_module_load was called, the
newly reloaded module was logged as an ambiguous module name instead of
a reload. In order to report the reload errors correctly, I determined
that module_load_error_by_reference_name should really be
module_load_error_by_path. I eliminated faild in favor of this new name
since failed was just calling the attribute and the attribute's name is
clearer about the format of the data.
Tested by run rexploit and then exiting over and over with
ms08_067_netapi. When I messed up the file so it couldn't load, by
adding `inclde Exploit` (note mispelling of `include`), it reported the
error to msfconsole. When I removed the bad line and added a puts
"RELOADING <n>", where I kept incrementing n and saving the file, the
new number appeared during each rexploit.
[#36737359]
Write the module_eval backtrace to the log, but only the error's class
and name to Msf::ModuleManager#module_load_error_by_reference_name as
the contents of the Hash are printed in the console, which should never
recieve backtraces.
[#36737359]
Refactor the behavior of loading symbolic modules from cache by renaming
methods so it's clearer what they do and ensure that cached modules from
Fastlibs and directories can both be loaded, which was not previously
possible since the demand_load_module only called load_module_from_file.
[#36737359]
On Linux, some of the unqualified constants that resolve on Mac OS X,
don't resolve, so to prevent errors (and because I can't justify why the
unqualified constants should resolve on OS X), I'm qualifying all the
Msf constants that are referenced in the code I've refactored.
[#36737359]
Fix the YARD docs to document the return values and make them consistent
with the modules being called. Ensure the force flag is passed as an
option to load_modules instead of a positional argument.
[#36737359]
When starting msfconsole, 'bundler/setup' is not required, the
'msf/env/gemcache' is required instead. Unlike 'bundler/setup' the
msf/env gemcache does not do the automatic requires for gems in the
cache, so explicit requires on 'active_support/concern' is needed to get
ActiveSupport::Concern defined. (I could have done require
'active_support' to match the behavior of 'bundler/setup', but a smaller
require seemed more appropriate.
removes unnecessary parens (and yes I confirmed they are properly
paired), and adds some comments regarding this as not being an ideal
solution, but rather a stopgap
Changed lexical scope when I changed the declaration from module Msf;
class ModuleSet to class Msf::ModuleSet so that constants in Msf would
not automatically resolve.
I wasn't using any the features of ActiveSupport::Concern in
Msf::ModuleManager::Reloading, so remove the extend and just include it
as a regular module.
Came up on IRC, I'm not attached to it, but this commit adds the
rename_file method to lib/msf/core/post/file.rb and aliases it to
move_file and mv_file
[Fixes#36737359]
Refactor Msf::ModuleManager into concerns so its easier to understand and
duplicate code can be made DRY. The refactoring also ensures that when
loading from directories, Fastlibs, or reloading, the wrapper module will
always be named so that activesupport/dependencies will function.
[#36737359]
active_support/dependencies cannot resolve missing constants in Metasploit
modules because the wrapper module is anonymous. In order to make the
wrapper module non-anonymous, the module must be assigned to a constant.
Since we don't want modules colliding, the wrapper module needs a unique
name, so use the module lookup name to derive the proper nested module names
to namespace the wrapper module. All derived modules are nested under
Msf::Modules. The name derivation handles invalid characters for constant
names such as digits as the first character or non-alphanumeric character.
The invalid constant name characters are converted to their hex value and
prefixed with X, so '-' in a name become 'X2d'.
for convenience when you don't need/want a full resource file, you just
want to run something quick
example usage:
# say you have a saved config ready to go on load
./msfconsole -s 'exploit -j'
# you can run multiple commands too
./msfconsole -s 'set ConsoleLogging true\nshow options'
Some users requested this be added to the ps
command via a -S opt instead of creating a new command.
This limits the search to only one search parameter at a time
but with the ability to pass RegEx I think that's fine
Often in HTTP modules, people are forced to to use 'data' instead
of 'vars_get' or 'vars_post', because the parameters (especially
the names) are URI-encoded, and the application actually may not
recognize the names/values. The new 'encode_params' option allows
that feature to be disabled. However, to make sure we're not
changing existing HTTP modules' behaviors, 'encode_params' is
still true by default (which is the original behavior we've always
been using).
fs.rb was originally attempting to call the "close" method on a
string holding the temporary path to the file being editted.
Replaced with ::File.delete(temp_path).
findpids calls client.sys.process.get_processes like ps
but then filters out any processes that do not match
one of the process names supplied as arguments to the command.
`findpids explorer.exe notepad.exe` will return all processes
named explorer.exe or notepad.exe Allows for quick searching for
the pid you want. ideal for migration
The 'unless' statement expects there's always a value for USERNAME
and PASSWORD. We might as well just set '' as the default value
to avoid the NoMethodError mistake. Related to bug #7140.
utctl shouldn't check for stdapi_ui_disable_mouse or disable_keyboard
since neither exist.
Removed the check, tested both enable and disable on mouse and keyboard,
uictl seems to work as advertised now.
[FIXRM #7217]
Same semantics as Ruby stdlib File.open - if you give it a block, yields
a new File object and closes it after the block, otherwise same as
File.new.
[FixRM #6481]
This solves the looping problem. Since the TCP connection wouldn't
necessarily close, we couldn't count on a 0-length recv, and the
connection was timing out. Changed it so send_tcp can take a block, in
which we do parsing. AXFR responses are sandwiched between SOA answers,
so when the second one is reached, the transfer is done.
This is also cleaner for existing code that uses send_tcp, since if no
block is passed, it just returns the first response and tears down the
connection, just like it used to.
This required some changes to send_tcp: it now loops, reading as many
length-prefixed DNS responses as are available before the connection
closes. This shouldn't affect other uses of the function, since most
questions only have one response in answer.
AXFR support in net-dns is broken. This fixes it, and makes the
requisite modifications to enum_dns module. Basic problem is that AXFR
responses consist of a chain of DNS replies, not a single reply with
multiple answers. Previously, only the first of these replies, the SOA
record, was returned. Also added some exception handling to avoid
problems like #483.
but it expects a factory object not a string, when setting :proxy => datastore['Proxies'] user got:
"Auxiliary failed: NoMethodError private method `open' called for \"socks4:localhost:1080\":String."
VALID_OPTIONS in ssh.rb now takes :proxies option which is passed to the Rex socket in
Net::SSH::Transport::Session.new.
Testing: block all outgoing to SSH server, try to connect with a proxy. Try with :proxy option,
then merge this pull request and try again.
commit 665f3f5b993dfa48db817f6138ac356919af37fc
Author: Chris Lennert <calennert@gmail.com>
Date: Wed Aug 1 19:44:14 2012 -0500
Two corrections to NetGetJoinInformation args
[Closes#661]
Also gets rid of the conn_ids array, which was never pruned (and
without some extra gymnastics in meterpreter/client.rb *can't* be) when
handler URLs were removed.
Unfortunately, adds a dep on bionic for runtime compilation.
Gets ring0, sets the (res)uid to 0 and jumps to the payload. Still some
payload issues because linux stagers don't mprotect(2) the buffer they
read(2) into. Single payloads work fine, though.
Also cleans up and improves local exploits' ability to compile C.
[SEERM #3038]
When using the reload_all command, the framework will trigger an
'undefined method module_history' error, because we're missing
an accessor.
Also, even though reload_modules returns "counts". That actually
returns a hash instead of a real count of modules... the return
value is also never actually used anywhere. But to make this
part not broken, we return the actual count.
This is a fix for issues related to:
'undefined method `[]' for nil:NilClass'
It is possible that a PDF may not have the 'Size' xref, and people
are running into the 'undefined method'[]' for NilClass' exception.
Because the pdf parser always assumes there is a Size field,
so it uses a match() function to find the value for Size, which
can be nil.
See the following bug report for example:
https://dev.metasploit.com/redmine/issues/7014
Something is still broken, my socket() is returning EAFNOSUPPORT whereas
what looks like the same syscall in wunderbar_emporium's exploit.c is
returning a socket. Similarly, my __mmap2() is returning EFAULT when
trying to map anything, not just NULL.
Works well enough on its own. Note that you cannot mix -g and -a since
set doesn't actually parse out dash options in a OptParse sort of way.
That said, setg -a seems to work well. This mixing options business
will need to be addressed soon, but that day is not today.
[Closes#514]
This can currently build an executable that creates a socket, opens a
temporary file, truncates that file with ftruncate(2) and calls
sendfile. Still needs to mmap NULL and figure out ring0 shellcode.
Baby steps.
This should hopefully cut down a bit on support requests from people
asking about old commands they read about in _Metasploit: The
Penetration Tester's Guide_
Tested with and without AES, works as advertised. Set an AESPassword,
get encryptification. Score.
Squashed commit of the following:
commit cca6c5c36ca51d585b8d2fd0840ba34776bc0668
Author: Michael Schierl <schierlm@gmx.de>
Date: Wed Apr 4 00:45:24 2012 +0200
Do not break other architectures
even when using `setg AESPassword`
commit 422d1e341b3865b02591d4c135427903c8da8ac5
Author: Michael Schierl <schierlm@gmx.de>
Date: Tue Apr 3 21:50:42 2012 +0200
binaries
commit 27368b5675222cc1730ac22e4b7a387b88d0d2b3
Author: Michael Schierl <schierlm@gmx.de>
Date: Tue Apr 3 21:49:10 2012 +0200
Add AES support to Java stager
This is compatible to the AES mode of the JavaPayload project.
I'm pretty sure the way I did it in the handlers (Rex::Socket::tcp_socket_pair())
is not the supposed way, but it works :-)
This also fixes an issue with report_vuln() from exploited hosts not
setting the service correctly. This introduces a fail_reason method
to the exploit base class, which attempts to determine why an exploit
did not work (closed port, unreachable host, missing page, etc). There
is still quite a bit of work to do around this to finish it up.
The meterpreter API wants arguments in a seperate string (not an array,
mind you) just so it can concatenate them on the server side.
Originally, I worked around that by using Shellwords.shellwords to pull
out the first token. But! Shellwords.shellwords inexplicably and
inexcusably removes backslashes in ways that make it impossible to quote
things on Windows. This commit works around both of those things.
[Fixes#6902] [Closes#409]
Squashed commit of the following:
commit e29bf83196e39853d12b58d77db1ffdb26fbb6eb
Author: James Lee <egypt@metasploit.com>
Date: Tue May 22 10:01:12 2012 -0600
Add references to info output for post modules
commit e0147f0f05375d812ecfd55f9c2cb4bffabc1887
Author: James Lee <egypt@metasploit.com>
Date: Tue May 22 10:05:32 2012 -0600
Put references after description for consistency
Note the syntax change, need to chase this down before pushing upstream
and make sure nobody's relying on that.... and grep says everything's
cool.
[Closes#295]
Squashed commit of the following:
commit 33b7438731ae5377c95d3d752d76eca73bad20ef
Merge: 6d3e6dd 7811b0a
Author: Tod Beardsley <todb@metasploit.com>
Date: Fri May 18 16:55:49 2012 -0500
Merge branch 'master' into HEAD
commit 6d3e6dd6e215f8a4e0b1b53a29329748dad779af
Author: Aram Verstegen <aram.verstegen@gmail.com>
Date: Sat Apr 7 22:58:29 2012 +0200
Automatically configure payloads for wmap-enabled exploits
commit 410008bab7a4845d10d5077d0482899964088bd0
Author: Aram Verstegen <aram.verstegen@gmail.com>
Date: Sat Apr 7 22:58:06 2012 +0200
Exposed exploit_choose_payload as class method Exploit.choose_payload
jvazquez-r7
Tod Beardsley
James Lee
sinn3r
Tasos Laskos
HD Moore
Meatballs1
David Maloney
Luke Imhoff
scriptjunkie
Rob Fuller
corelanc0d3r
Raphael Mudge
m m
kernelsmith
joe
Ramon de C Valle
Samuel Huckins
midnitesnake
Adam Dalton
RageLtMan
Stephen Haywood
eddiezab
m m
Daniel Miller
Chris Lennert
webstersprodigy
Alexandre Maloteaux
kernelsmith
Jeff Jarmoc
Michael Schierl
Brandon Perry
Tod Beardsley
Aram Verstegen