jvazquez-r7
46b678e9d2
Add msftidy check for datastore option DEBUG usage
2015-04-21 12:22:24 -05:00
jvazquez-r7
ab94f15a60
Take care of modules using the 'DEBUG' option
2015-04-21 12:13:40 -05:00
jvazquez-r7
292087c849
Add check for modules registering a DEBUG option
2015-04-21 11:56:41 -05:00
jvazquez-r7
88ed8406d1
Add check for (v)print_debug to msftidy
2015-04-21 11:27:22 -05:00
William Vu
832487cad7
Consolidate on one check and fix false positives
2015-04-16 18:01:28 -05:00
Christian Mehlmauer
40f6b086c2
fix regex
2015-04-16 21:51:31 +02:00
Christian Mehlmauer
0815791fee
fix regex
2015-04-16 21:48:16 +02:00
Christian Mehlmauer
af277195f5
check for valid values
2015-04-16 21:43:47 +02:00
Christian Mehlmauer
4469fcd9e8
add fail_with error
2015-04-16 20:04:08 +02:00
Tod Beardsley
72b9647b31
Land #5057 , CVE fixups
2015-04-03 16:36:11 -05:00
sinn3r
a333632a69
Add standalone tool for jsobfu
2015-04-03 11:30:23 -05:00
William Vu
df0398f958
Update msftidy for the new CVE format
...
https://cve.mitre.org/cve/identifiers/syntaxchange.html
2015-03-31 22:15:33 -05:00
William Vu
376bf13f1e
Land #5000 , tools/dev/add_pr_fetch.rb
2015-03-24 17:10:49 -05:00
William Vu
aa1a3580b8
chmod +x tools/dev/set_binary_encoding.rb
...
Missed in #4875 .
2015-03-24 17:10:31 -05:00
William Vu
d3773aed55
Rename add-pr-remote.rb to add_pr_fetch.rb
2015-03-24 17:05:43 -05:00
Tod Beardsley
3dec83c1df
Utility for adding PR fetch refs
2015-03-24 10:20:34 -05:00
sinn3r
1910a6c6c5
Correct filename for missing-payload-tests.rb
...
missing-payload-tests.rb is not the correct file format we follow,
it should be missing_payload_tests.rb
2015-03-24 00:50:09 -05:00
Christian Mehlmauer
71c544c3c5
added newline at end of file
2015-03-24 06:19:27 +01:00
sinn3r
315948e403
Extra newline
2015-03-21 13:49:50 -05:00
sinn3r
848dc07020
var name needs a default
2015-03-21 12:20:29 -05:00
sinn3r
f45e8f49eb
Custom var name
2015-03-21 12:18:02 -05:00
sinn3r
2be5ae3bab
Fix bugs
2015-03-21 12:14:00 -05:00
sinn3r
0ff114bcd6
use #!/usr/bin/env ruby
2015-03-20 23:48:13 -05:00
sinn3r
e09f9ca0bc
Provide an example
2015-03-20 20:55:30 -05:00
sinn3r
96bcdd211c
Finished rspec
2015-03-20 20:53:04 -05:00
sinn3r
487ddfc09c
no need for Interrupt
2015-03-20 16:39:00 -05:00
sinn3r
582bfdad64
explain arch
2015-03-20 16:37:42 -05:00
sinn3r
9ecfd36d9e
comments
2015-03-20 16:34:58 -05:00
sinn3r
79a6f1cd09
fix option bug
2015-03-20 16:33:19 -05:00
sinn3r
6da216f3a4
More options
2015-03-20 16:30:29 -05:00
sinn3r
af8f645d1c
This starts to work
2015-03-20 16:15:43 -05:00
sinn3r
fe267fb5a6
Here's a starting point
2015-03-20 14:15:14 -05:00
Brent Cook
db56fcb1b8
update tools/missing-payload-tests to give correct advice
...
The template spec for new payloads needed updating to match the new cached
payload size spec.
2015-03-16 18:10:10 -05:00
William Vu
cd992d5ea6
Land #4875 , rm some old and crufty tools
2015-03-10 00:02:04 -05:00
William Vu
ab70223107
Remove note about resplat.rb in msftidy
2015-03-10 00:00:29 -05:00
HD Moore
99e2b05597
Move the cache update logic into a utility class
2015-03-09 15:29:58 -05:00
HD Moore
8c635243d3
Fix whitespace in the regex, implements Msf::Payload.dynamic_size?
2015-03-09 13:15:06 -05:00
HD Moore
2e49791bef
This implements payload size caching, speeding up framework loads
2015-03-07 20:44:19 -06:00
Tod Beardsley
0353602829
Add back set_binary_encoding.rb
...
[See #4875 ]
2015-03-05 12:05:05 -06:00
Tod Beardsley
4ad9638682
Remove some old and crufty /tools
...
It's possible someone still wants the Webscarab stand-alone importer,
but I cannot imagine that after years of bitrot that is even viable in
its current state.
The rest of them are all older development tools that are no longer
needed (normal vim/rubymine auto-formatting will do the trick).
2015-03-04 16:46:40 -06:00
sinn3r
0597d2defb
Land #4560 , Massive Java RMI update
2015-02-17 10:07:07 -06:00
William Vu
c73892b721
Nuke datastore modification check from orbit
2015-02-11 12:46:40 -06:00
jvazquez-r7
1f4fdb5d18
Update from master
2015-02-10 10:47:17 -06:00
William Vu
c8a687db7f
Fix false positive in cookie check
2015-02-09 17:23:59 -06:00
William Vu
4ed3ffa0ed
Fix false positive in snake case check
2015-02-09 16:30:19 -06:00
William Vu
e62f44cc1a
Fix false negative in comment check
...
Adds anchor to regex.
2015-02-09 14:58:02 -06:00
jvazquez-r7
2c7777f831
Land #4601 , @wchen-r7's tool to lookup md5 hashes
2015-01-30 19:04:34 -06:00
jvazquez-r7
4316c379eb
Use unless instead of if not
2015-01-30 19:01:49 -06:00
Tod Beardsley
6269974bab
Drop psuedo-legalese, just give practical warning
2015-01-26 13:15:23 -06:00
sinn3r
6c2e8a16ce
Change warning
2015-01-23 22:50:39 -06:00
sinn3r
2d9b1dbc22
Fix typos
2015-01-23 22:31:37 -06:00
sinn3r
ff0af805e3
Add a warning before use
2015-01-23 22:26:41 -06:00
jvazquez-r7
37bf66b994
Install instaget with Rex::Java::Serialization
2015-01-22 16:54:49 -06:00
jvazquez-r7
5c413a8102
Add support to print objects, arrays and classes details
2015-01-22 14:50:12 -06:00
Tod Beardsley
1d6524b4d9
Revert #4593 , msftidy extraneous comma check
...
Fixes #4626 by ignoring the problem identified.
This reverts commit 7c3378b2e6
, reversing
changes made to cb0257bec7
.
2015-01-22 14:28:27 -06:00
William Vu
cf7555447c
Land #4621 , msftidy whitelist constant
...
Now I'm happy... almost.
2015-01-21 14:03:39 -06:00
William Vu
bbe9fc208e
Update formatting (80 columns)
...
Piped to fmt -78 to account for the indent.
2015-01-21 14:01:44 -06:00
Tod Beardsley
264adf14d1
Add 'tnftp' software to the title whitelist
2015-01-21 11:52:39 -06:00
Tod Beardsley
efebaae251
Make the title whitelist a constant
2015-01-21 11:50:50 -06:00
William Vu
7c3378b2e6
Land #4593 , msftidy extraneous comma check
2015-01-18 00:46:39 -06:00
sinn3r
bff66ade60
Actually, not necessary. Already checked.
2015-01-17 02:28:56 -06:00
sinn3r
45b33bb82f
Handle should be checked
2015-01-17 02:27:14 -06:00
sinn3r
3d93bc06e8
rspec progress
2015-01-16 18:25:54 -06:00
Christian Mehlmauer
596e956660
some changed
2015-01-16 17:53:06 +01:00
sinn3r
64b6c4a0b5
I think unless is preferred
2015-01-16 01:33:09 -06:00
sinn3r
058ef1f167
Uh, what?
2015-01-16 01:15:58 -06:00
sinn3r
05458ec81f
I should be done with md5_lookup.rb now
2015-01-16 01:13:37 -06:00
sinn3r
87ab27e9d2
Ugh, typo -_-
2015-01-15 21:52:15 -06:00
sinn3r
7b2458c491
Filter out whitespace
2015-01-15 21:51:58 -06:00
sinn3r
36f8fda0b1
Leave contact info
2015-01-15 21:04:12 -06:00
sinn3r
95895a5969
Small update
2015-01-15 21:00:52 -06:00
sinn3r
754d303f66
Some more doc
2015-01-15 20:59:47 -06:00
sinn3r
1d79a9de20
This is the working version
2015-01-15 20:51:27 -06:00
Christian Mehlmauer
3237dd8591
add comma check to msftidy
2015-01-16 00:13:55 +01:00
sinn3r
6ae66315bd
Block based is safer
2015-01-15 16:05:35 -06:00
sinn3r
35c808d70f
Progress
2015-01-15 15:13:03 -06:00
sinn3r
c3bb02081b
I should be done w/ arg parsing now
2015-01-15 12:18:50 -06:00
sinn3r
fd850d6af6
Argument parsing
2015-01-15 12:03:52 -06:00
sinn3r
d5330bb4a7
Gotta move on to something else right quick, brb
...
stash
2015-01-14 23:34:47 -06:00
sinn3r
18a27d1752
Initial commit of the md5_lookup script (as a standalone tool)
...
Resolve #4399
2015-01-14 13:53:15 -06:00
Christian Mehlmauer
56c1f74d70
modify msftidy regex
2015-01-09 22:07:21 +01:00
Tod Beardsley
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
HD Moore
00590f9f26
Adds Java serialization support, lands #4327
2014-12-13 17:47:53 -06:00
Jon Hart
9bf55ef8f4
Minor improvements to datastore and http// checks in msftidy
2014-12-11 18:36:42 -08:00
Christian Mehlmauer
be1440bcb9
more msftidy checks
2014-12-11 23:10:07 +01:00
jvazquez-r7
564da4446e
Add print friendly to_s
2014-12-07 17:52:09 -06:00
jvazquez-r7
ff99669cfa
Explain better error
2014-12-05 20:30:22 -06:00
jvazquez-r7
b80f6c34c0
Add tool to deserialize streams from files
2014-12-04 12:47:02 -06:00
Spencer McIntyre
eefeb452b1
Fix two typos for payload specs
2014-11-18 08:50:06 -05:00
sinn3r
8da6e0bd5b
Fix bugs
2014-11-05 15:26:00 -06:00
sinn3r
5b8d9e1221
Fix typo
2014-11-05 15:14:35 -06:00
sinn3r
98f5ebd475
Only show bad refs when using -c
2014-11-05 15:07:40 -06:00
sinn3r
3310342a95
Add save-as feature
...
The tool produces A LOT OF results so it's really painful to manually
copy and paste and to be able to use the data. So it should automatically
save.
Tagging the issue here because I forgot to do it:
Fix #4039
2014-11-05 10:58:41 -06:00
sinn3r
f34ad57199
Check module references
2014-11-05 09:57:13 -06:00
Luke Imhoff
c84febea5f
tools/missing-payload-tests.rb
...
MSP-11145
**NOTE: Failing specs**
Add a tool for reading `log/untested-payload.log` and
`framework.payloads` to determine `context`s to add
`spec/modules/payloads_spec.rb` to test the untested payloads.
2014-10-27 13:03:31 -05:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Luke Imhoff
b863978028
Remove fastlib
...
MSP-11368
MSP-11143
Remove fastlib as it slows down the code loading process. From the
previous commit, the mean loading for
`METASPLOIT_FRAMEWORK_PROFILE=true msfconsole -q -x exit` was
27.9530±0.3485 seconds (N=10). The mean after removal of fastlib
was 17.9820±0.6497 seconds (N=10). This means an average 35.67%
reduction in boot time.
2014-09-18 15:24:21 -05:00
William Vu
48e098b172
Remove WVE references from msftidy
2014-09-05 19:28:27 -05:00
Tod Beardsley
c045c9606c
Fix typo in PR #3712
...
Fixes the typo pointed out in
rapid7#3712#discussion_r16750554
Derp
2014-08-26 20:36:28 -05:00
Josh
073c668cd8
Merge pull request #12 from todb-r7/commit-hooks-should-only-check-modules
...
Land 12 from todb, only pre-commit-hook on actual modules
2014-08-26 16:47:23 -05:00
Tod Beardsley
dbdb4afb8c
Add a top anchor to the file match regex.
2014-08-26 16:19:29 -05:00
Joshua Smith
622e8a7714
adds better exploit module detection to msftidy
2014-08-26 15:30:08 -05:00
Jon Hart
bfa89bb3a5
Enforce binary encoding on non-modules, no encoding on modules
2014-08-25 13:12:29 -07:00
Tod Beardsley
47cb906408
Remove rubocop and msftidy touchpoints
...
Rubocop replaces the default YAML library which makes development
testing difficult. It does not cause problems on Travis, but according
to reports, it does cause instability with many individual dev
environments.
While I would love to have a more solid source of this bug report, right
now this was an oral report from @shuckins-r7 (who I tend to believe a
lot).
2014-08-12 10:37:58 -05:00
Tod Beardsley
ffafd4c01f
Add NTP fuzzer from @jhart-r7
...
Looks good to me!
2014-07-21 12:38:12 -05:00
Jon Hart
17b0560dff
Add rubygems check to msftidy. remove rubygems.
2014-07-17 09:29:13 -07:00
William Vu
a07656fec6
Land #3536 , msftidy INFO messages aren't blockers
2014-07-16 17:57:48 -05:00
Tod Beardsley
58558e8dfa
Allow INFO msftidy messages
...
INFO level messages should not block commits or be complained about on
merges. They should merely inform the user.
2014-07-16 15:29:23 -05:00
William Vu
ff6c8bd5de
Land #3479 , broken sock.get fix
2014-07-16 14:57:32 -05:00
Tod Beardsley
68980157c8
Just skip if info is suppressed.
2014-07-16 11:20:40 -05:00
Tod Beardsley
81a98081d9
Rubocop checks are optional and info only
...
I like the change but it means that basically everything will fail
forever until we tweak up the config.
2014-07-16 10:26:35 -05:00
Jon Hart
ab73c16d0d
Add Rubocop to msftidy. You now have 15 seconds to comply. You are in direct violation of Penal Code 1.13, Section 9.
2014-07-15 17:11:04 -07:00
William Vu
4904426164
Fix @source and prefer &&
2014-07-14 14:36:08 -05:00
HD Moore
6e8415143c
Fix msftidy and tweak a few modules missing timeouts
2014-06-30 00:46:28 -05:00
HD Moore
a279db7710
Check for sock.get / udp_sock.get issues
2014-06-30 00:40:06 -05:00
William Vu
56c71c7b85
Land #3457 , newline check for msftidy
2014-06-17 14:20:53 -05:00
Christian Mehlmauer
3c00388f87
Add check for newline at end of file
2014-06-17 15:44:43 +02:00
William Vu
7f2b173130
Fix misspelled constant in msftidy
2014-06-12 13:47:44 -05:00
William Vu
3a9f7fb7f9
Land #3405 , improved Nokogiri check for msftidy
2014-05-29 16:21:26 -05:00
William Vu
17fb48eaa3
Refactor check_nokogiri in msftidy
2014-05-29 13:20:23 -05:00
Tod Beardsley
2ce6f325f5
Be more specific with Nokogiri check
...
There are still strong reservations about using Nokogiri to parse
untrusted XML data.
http://www.wireharbor.com/hidden-security-risks-of-xml-parsing-xxe-attack/
It is also believed that many desktop operating systems are still
shipping out-of-date and vulnerable libxml2 libraries, which become
exposed via Nokogiri. For example:
http://stackoverflow.com/questions/18627075/nokogiri-1-6-0-still-pulls-in-wrong-version-of-libxml-on-os-x
While this isn't a problem for binary builds of Metasploit (Metasploit
Community, Express, or Pro) it can be a problem for development
versions or Kali's / Backtrack's version.
So, the compromise here is to allow for modules that don't directly
expose XML parsing. I can't say for sure that the various libxml2
vulnerabilities (current and future) aren't also exposed via
`Nokogiri::HTML` but I also can't come up with a reasonable demo.
Metasploit committers should still look at any module that relies on
Nokogiri very carefully, and suggest alternatives if there are any. But,
it's sometimes going to be required for complex HTML parsing.
tl;dr: Use REXML for XML parsing, and Nokogiri for HTML parsing if you
absolutely must.
2014-05-29 11:52:17 -05:00
Tod Beardsley
d9fbf861d2
Add an environment option to suppress info msgs
...
It's often you want counts of just WARN and ERROR messages, and don't
want to spam yourself with INFO messages that you don't intend to
address anyway. This is most often the case with CI, such as with
https://travis-ci.org/todb-r7/metasploit-framework
2014-05-21 16:20:57 -05:00
Tod Beardsley
765419627b
Demote datastore edits to info status
...
SeeRM #8498
2014-05-21 16:18:36 -05:00
Christian Mehlmauer
3f3283ba06
Resolved some msftidy warnings (Set-Cookie)
2014-05-12 21:23:30 +02:00
Christian Mehlmauer
3f4e9ab18d
msftidy: only check send_request_cgi for vars_get
2014-04-22 19:24:06 +02:00
Christian Mehlmauer
b864c4619d
msftidy - added info messages
...
this commit adds info messages to msftidy to show some info,
but stil exit with status 0 if there are not errors.
2014-04-21 18:04:14 +02:00
Christian Mehlmauer
fc803ae277
Changed msftidy check
...
send_request_raw does not support vars_get so change
the message to switch to send_request_cgi.
See #3272 for more info
2014-04-20 22:41:32 +02:00
William Vu
aeedad262d
Remove unnecessary charclass escapes
2014-04-15 14:14:51 -05:00
William Vu
261572158b
Add paren to list of exclusion chars
2014-04-15 11:20:11 -05:00
William Vu
14c7eb19e6
Make the hash brace optional
2014-04-15 10:06:43 -05:00
William Vu
f3f31005d8
Revert inadvertent fix for vars_get in msftidy
2014-04-14 14:51:52 -05:00
sinn3r
e54a348bd4
Land #3237 - Reconcile test_old_rubies with the other checks
2014-04-11 10:49:23 -05:00
William Vu
8919e21379
Reconcile test_old_rubies with the other checks
...
It is now check_old_rubies.
2014-04-10 21:44:00 -05:00
William Vu
df29578036
Correct check_vars_get to check_request_vars
...
Since check_vars_get also checked for POSTs.
2014-04-10 21:37:59 -05:00
William Vu
79f82be35d
Land #3188 , deluxe msftidy post-merge hook
2014-04-07 14:38:19 -05:00
sinn3r
023bde5b43
Correct msftidy disclosure date check
...
This correct msftidy's disclosure date check to do the following:
1. If the module has a disclosure date, the check should kick in.
2. If the module is an exploit, and doesn't have a disclosure
date, then it will be flagged.
3. If the module is an auxiliary, and doesn't have a disclosure
date, then it will NOT be flgged (because not all aux modules
target bugs/vulns like exploits do).
2014-04-07 14:21:04 -05:00
William Vu
31b3a6973e
Fix symlink commands
2014-04-07 12:40:11 -05:00
William Vu
48ef061c3c
Land #3046 , AIX ibtstat privesc exploit
2014-04-03 17:07:00 -05:00
William Vu
5ac6c4b565
Align msftidy whitelist to 80 columns
2014-04-03 16:54:47 -05:00
Tod Beardsley
e1d819b8b9
Update the comment docs on pre-commit-hook.rb
...
[SeeRM #8779 ]
2014-04-03 15:26:25 -05:00
Tod Beardsley
70c0a19bbe
Be explicit about which mode we're in.
...
[SeeRM #8779 ]
2014-04-03 15:20:50 -05:00
Tod Beardsley
14b47aa67e
Remove the broken SPOTCHECK_RECENT stuff
2014-04-02 11:12:00 -05:00
Tod Beardsley
eb2e4cbdef
Add post-merge capability to pre-commit-hook.rb
...
This will make it possible to run a post-merge check when
pre-commit-hook.rb is referenced as a symlink from .git/hooks/post-merge
The kind of check you're going to do is entirely dependant on the
basename of the file, which is a little weird but convenient.
Verification is a little tricky on this. Coming soon.
2014-04-02 10:19:43 -05:00
Sagi Shahar
becefde52f
Fix bugs and syntax
2014-04-01 00:54:51 +02:00
Christian Mehlmauer
91034722e9
Added check for 'Rank' on Auxiliary modules
2014-03-28 22:43:53 +01:00
FireFart
c023cb2275
make set-cookie header check case insensitive
2014-03-01 13:35:58 +01:00
FireFart
551327bec6
Added a check for Set-Cookie header in msftidy
2014-03-01 13:30:24 +01:00
William Vu
506c354722
Land #3103 , vars_get check for msftidy
2014-03-15 19:57:19 -05:00
William Vu
6aa75a328f
Ax the arbitrary long line warning
...
It's not 80 or 132. ;)
2014-03-14 10:28:58 -05:00
William Vu
f50d6c8709
Remove a couple more instances of "shit"
2014-03-04 15:00:48 -06:00