Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve#4507
response_timeout is a method specific to a meterpreter session, not
shell. So if the user is using a shell type payload, he will never
see a backtrace before interacting with the sessions.
Rather than literally returning the default Regex object, override the accessor
to return the string representation. This allows the RPC backend to properly
serialize the options hash values, since msgpack does not know how to serialize
a Regexp object. Fixes#3798.
To verify the fix, run the steps for issue #3798 and ensure that the module
options are returned instead of a backtrace. Also, ensure that the module
continues to work as expected:
```
$ ./msfconsole -q
msf > use auxiliary/scanner/http/scraper
msf auxiliary(scraper) > info
Name: HTTP Page Scraper
Module: auxiliary/scanner/http/scraper
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
et <et@metasploit.com>
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The test path to the page to analize
PATTERN (?i-mx:<title>(.*)<\/title>) yes The regex to use (default regex is a sample to grab page title)
Proxies no Use a proxy chain
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port
THREADS 1 yes The number of concurrent threads
VHOST no HTTP server virtual host
override default attr for OptRegexp
Description:
Scrap defined data from a specific web page based on a regular
expresion
msf auxiliary(scraper) > set RHOSTS lwn.net
RHOSTS => lwn.net
msf auxiliary(scraper) > set RHOSTS 72.51.34.34
RHOSTS => 72.51.34.34
msf auxiliary(scraper) > set VHOST lwn.net
VHOST => lwn.net
msf auxiliary(scraper) > run
[*] [72.51.34.34] / [Welcome to LWN.net [LWN.net]]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
Auxiiary modules already do this, but looks like we forgot to do the
same for post modules.
I also changed the error to allow "reason" in order to be more
informative about what the user should do.
Fix#4307
Rename UDP_SECRET to just SECRET, as it is used for more than just UDP
Rename and properly document GATEWAY option
Introduce an option to configure what UDP port will be probed
If the user supplies an invalid session (as in not on the session
list), it will cause a backtrace, because the setup method from
Msf::PostMixin isn't actually called.
We have thought about implementing this in a new OptSession instead.
But you can't use or even pass framework to option_container.rb, so
this is NOT possible.
The original PR was #3956.
MSP-11671
Add command line option --defer-module-loads to msfconsole. It will
stop `Msf::Ui::Console::Driver` from calling
`framework.modules.init_module_paths` AND
`framework.modules.refresh_cache_from_database`. This flag is only
meant to speed up msfconsole boot when modules do not need to accessed,
such as during cucumber testing of command help or command line options.
MSP-11672
Pass `'DeferModuleLoads' => false` to `Msf::Simple::Framework.create` so
that `framework.modules.init_module_paths` is only called once (directly
in `Msf::Ui::Console::Driver#initialize`) instead of twice (in
`Msf::Simple::Framework.create` and `Msf::Ui::Console::Driver#initialize).
MSP-11672
Calling init_module_paths takes 6 seconds on my machine even when there are no
files to that are changed just because it takes that long to walk the
directories and gather the mtime for each file. Therefore, calling it
more than once should be avoided. Also, there is no reason to call it
twice as to add paths later, `modules.add_module_paths` should be used.
This allows HandlerSSLCert to be used to pass a SSL certificate into the Meterpreter handler. The datastore has to be passed into handle_connection() for this to work, as SSL needs to be initialized on Session.new. This still doesn't pass the datastore into Meterpreter directly, but allows the Session::Meterpreter code to extract and pass down the :ssl_cert option if it was specified. This also fixes SSL certificate caching by expiring the cached cert from the class variables if the configuration has changed. A final change is to create a new SSL SessionID for each connection versus reusing the SSL context, which is incorrect and may lead to problems in the future (if not already).
The exploit works with the URLs fixed, installs the APK, but hangs at the Installing...
screen and never actually launches. We tried opening the APK in a setTimeout() intent
URI, but the previously launched intent seemed unresponsive. Andre had the bright
idea of re-opening the previously launched intent with invalid args, crashing it and
allow us to launch the payload.
MSP-11614
`Msf::TaskManager` was only used for `Msf::DBManager#sink`, which was
removed because it was unused, so `Msf::TaskManager` can also be
removed.
MSP-11614
`Msf::DBManager::Sink` contains code for a `sink` that is a meant to
serialize database events, but it's unneeded because all database events
go directly through ActiveRecord, which handles threading.
MSP-11605
`Msf::Framework#threads?` returns whether `Msf::Framework#threads` was
ever initialized. If `Msf::Framework#threads?` is true, then threads
need to be cleaned up, while if it is false then no threads need to be
cleaned up from the current framework.
MSP-11605
`Rex::ThreadFactory.provider` needs to be set in
`Msf::Framework#initialize`, but setting it directly to
`Msf::Framework#threads` eliminates the laziness of
`Msf::Framework#threads`. In order keep `framework.threads` lazy,
`framework` is wrapped in a
`Metasploit::Framework::ThreadFactoryProvider`, which responds to
`spawn`, which is needed by `Rex::ThreadFactory`, by calling
`framework.threads.spawn`, which lazily initialized `framework.threads`
when the first thread needs to be spawned.
MSP-11605
Switch `Msf:Framework#db` from being set in `#initialize` to a custom
method that uses `||=` to lazily initialize the `Msf::DBManager` inside
a `synchronize` block to make it thread safe.
MSP-11605
Store options `Hash` passed to `Msf::Framework#new` in `#options` so
that lazily initialized children, such as DBManager, have access to
those options.
MSP-11605
Switch `Msf::Framework#sessions` from being set in `#initialize` to a
custom method that uses `||=` to lazily initialize the
`Msf::SessionManager` inside a `synchronize` block to make it thread
safe.
#4184
* Appears to have been overlooked somehow in the pre-BlackHat crunch
* V5 will not support credentials
* We are implementing full-workspace zip import/export for credentials
MSP-11605
Switch Msf::Framework#threads to a custom method that uses `||=` to
lazily initialize the `Msf::ThreadManager` inside a `synchronize` block
to make it thread safe.
The merge_check_key method (found in Msf::Module::ModuleInfo)) uses
respond_to? to check is our object includes a merge_info_description
method before merging descriptions. The respond_to? method in 2.1.4
by default no longer checks private and protected methods, and this
is breaking our merge_check_key method.
Fix#4163
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:
1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.
Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
Minor changes to comments
Updated URLs
Added Fedora ROP, cleaned up
Fixing URLs again, typos
Added support for Archlinux (new target)
Added support for OpenSuse (new target)
Tincd is now a separate file, uses the TCP mixin/REX sockets.
Started ARM exploiting
Style changes, improvements according to egyp7's comments
Style changes according to sane rubocop messages
RSA key length other than 256 supported. Different key lengths for client/server supported.
Drop location for binary can be customized
Refactoring: Replaced pop_inbuffer with slice
Refactoring: fail_with is called, renamed method to send_recv to match other protocol classes,
using rand_text_alpha instead of hardcoded \x90,
Fixed fail command usage
Version exploiting ARM with ASLR brute force
Cleaned up version with nicer program flow
More elegant solution for data too large for modulus
Minor changes in comments only (comment about firewalld)
Correct usage of the TCP mixin
Fixes module option so that the path to drop the binary on the server is not validated against the local filesystem
Added comments
Minor edits
Space removal at EOL according to msftidy
- Adding add_host() Although Report host exists, this is a
straightforward method to metasploit-credential::creation::add_host()
- Add workspace.id to the responses of db.current_workspace and
db.workspace and db.get_workspace
Minor tweaks after the PR from @kernelsmith
Remaining items:
1. Handle empty session IDs correctly, for example 'sessions -d' or 'sessions -k'
2. Find a method of explaining the range options in the help text
3. Retest all changed code areas
4. Edit PR Summary to reflect changes to the scope
- Added check for un-detach-able sessions
- Added back the check for session.interactive? when detaching sessions
- Collapse build_jobs_array and build_sessions_array to build_range_array
- Added check for empty or invalid parameters to detach and kill [session | job]
- Reworked session id sanity check around line 1660
- RuboCop/Style guide change: Array.new -> []
- Misc RuboCop/Style guide spacing changes
* Add RPORT as a regular option, define rport
* Add CPORT as an advanced option, define cport
* Change CHOST to an advanced option
* Use a more sane THREADS value since hosts are scanned in batches
This makes it somewhat easier to use FTP server exploit modules in
somewhat more restrictive networks, where you might only have a few
inbound ports to choose from.
rastating
dmooray
sinn3r
William Vu
Meatballs
David Maloney
Sven Vetsch
Christian Mehlmauer
Spencer McIntyre
Brent Cook
jvazquez-r7
Joe Vennix
Tod Beardsley
Trevor Rosen
HD Moore
Sean Verity
James Lee
Luke Imhoff
Jon Hart
Fernando Arias
floyd
Julio Auto
Joshua Smith
Tom Sellers
Matias P. Brutti
agix