Commit Graph

358 Commits (96706083801d77468f72e0b90ec858a61e453569)

Author SHA1 Message Date
Tod Beardsley 765419627b
Demote datastore edits to info status
SeeRM #8498
2014-05-21 16:18:36 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
Christian Mehlmauer 3f4e9ab18d
msftidy: only check send_request_cgi for vars_get 2014-04-22 19:24:06 +02:00
Christian Mehlmauer b864c4619d
msftidy - added info messages
this commit adds info messages to msftidy to show some info,
but stil exit with status 0 if there are not errors.
2014-04-21 18:04:14 +02:00
Christian Mehlmauer fc803ae277
Changed msftidy check
send_request_raw does not support vars_get so change
the message to switch to send_request_cgi.
See #3272 for more info
2014-04-20 22:41:32 +02:00
William Vu aeedad262d
Remove unnecessary charclass escapes 2014-04-15 14:14:51 -05:00
William Vu 261572158b
Add paren to list of exclusion chars 2014-04-15 11:20:11 -05:00
William Vu 14c7eb19e6
Make the hash brace optional 2014-04-15 10:06:43 -05:00
William Vu f3f31005d8
Revert inadvertent fix for vars_get in msftidy 2014-04-14 14:51:52 -05:00
sinn3r e54a348bd4
Land #3237 - Reconcile test_old_rubies with the other checks 2014-04-11 10:49:23 -05:00
William Vu 8919e21379
Reconcile test_old_rubies with the other checks
It is now check_old_rubies.
2014-04-10 21:44:00 -05:00
William Vu df29578036
Correct check_vars_get to check_request_vars
Since check_vars_get also checked for POSTs.
2014-04-10 21:37:59 -05:00
William Vu 79f82be35d
Land #3188, deluxe msftidy post-merge hook 2014-04-07 14:38:19 -05:00
sinn3r 023bde5b43 Correct msftidy disclosure date check
This correct msftidy's disclosure date check to do the following:

1. If the module has a disclosure date, the check should kick in.
2. If the module is an exploit, and doesn't have a disclosure
   date, then it will be flagged.
3. If the module is an auxiliary, and doesn't have a disclosure
   date, then it will NOT be flgged (because not all aux modules
   target bugs/vulns like exploits do).
2014-04-07 14:21:04 -05:00
William Vu 31b3a6973e
Fix symlink commands 2014-04-07 12:40:11 -05:00
William Vu 48ef061c3c
Land #3046, AIX ibtstat privesc exploit 2014-04-03 17:07:00 -05:00
William Vu 5ac6c4b565
Align msftidy whitelist to 80 columns 2014-04-03 16:54:47 -05:00
Tod Beardsley e1d819b8b9
Update the comment docs on pre-commit-hook.rb
[SeeRM #8779]
2014-04-03 15:26:25 -05:00
Tod Beardsley 70c0a19bbe
Be explicit about which mode we're in.
[SeeRM #8779]
2014-04-03 15:20:50 -05:00
Tod Beardsley 14b47aa67e
Remove the broken SPOTCHECK_RECENT stuff 2014-04-02 11:12:00 -05:00
Tod Beardsley eb2e4cbdef
Add post-merge capability to pre-commit-hook.rb
This will make it possible to run a post-merge check when
pre-commit-hook.rb is referenced as a symlink from .git/hooks/post-merge

The kind of check you're going to do is entirely dependant on the
basename of the file, which is a little weird but convenient.

Verification is a little tricky on this. Coming soon.
2014-04-02 10:19:43 -05:00
Sagi Shahar becefde52f Fix bugs and syntax 2014-04-01 00:54:51 +02:00
Christian Mehlmauer 91034722e9
Added check for 'Rank' on Auxiliary modules 2014-03-28 22:43:53 +01:00
FireFart c023cb2275 make set-cookie header check case insensitive 2014-03-01 13:35:58 +01:00
FireFart 551327bec6 Added a check for Set-Cookie header in msftidy 2014-03-01 13:30:24 +01:00
William Vu 506c354722
Land #3103, vars_get check for msftidy 2014-03-15 19:57:19 -05:00
William Vu 6aa75a328f Ax the arbitrary long line warning
It's not 80 or 132. ;)
2014-03-14 10:28:58 -05:00
William Vu f50d6c8709 Remove a couple more instances of "shit" 2014-03-04 15:00:48 -06:00
FireFart c62f4079f8 Added a check for vars_get in msftidy 2014-03-01 12:02:41 +01:00
Rob Fuller b19a652d78 add -i option as a requirement 2014-02-18 14:08:57 -05:00
sinn3r b5dcc0eb1d Make several changes.
Some important changes:

* Uses optparse to parse argumnets
* Prevent file handle leaks
2014-02-18 12:43:11 -06:00
Rob Fuller 6746793848 make write cleaner 2014-02-17 17:09:50 -05:00
Rob Fuller 11945786c9 standalone iplist creator 2014-02-17 11:22:15 -05:00
sinn3r 38bc587228
Land #2937 - Expand path in metasm_shell 2014-02-02 23:42:50 -06:00
Joe Vennix e50077844c Expand path in metasm_shell#file. 2014-02-02 17:26:48 -06:00
Tod Beardsley 6f93e3fb37
Modules shouldn't use Nokogiri
Nokogiri has a habit of shipping vulnerable builds of libxml2. For
example, see this:

http://www.ubuntu.com/usn/usn-1904-1/

and compare to Nokogiri's bundled requirements:

https://github.com/sparklemotion/nokogiri/blob/master/dependencies.yml

While Nokogiri is quite pleasant to use, it really shouldn't be trusted
to handle potentially malicious data. Imagine if a "vulnerable" target
was actually a malicious honeypot, lying in wait for a poor Metasploit
user to come along and parse out its payload. (OT: does such a thing
have a clever name? If not, I propose "beehive" to imply the offensive
capabilities of such a honeypot.)

Nokogiri is used elsewhere in Metasploit, but those functions handle
data sourced from the Metasploit user herself, so those XML hunks are
nominally trustworthy.
2014-02-02 11:51:21 -06:00
Tod Beardsley 03d65cd2bd
Address @wvu-r7's comments and better filtering 2014-01-31 16:44:42 -06:00
Tod Beardsley 87412be33d
Squash commit Travis-able msftidy checks
This change updates msftidy to be run automatically for new modules
added since the last tag release because we can't rely on folks using
tools/dev/pre-commit-hook before submitting a PR. Now, when one attempts
to open a PR with a non-tidy'ed module, the build will fail out of the
gate.

Related to the 100s of msftidy errors extant today.

[SeeRM #8498]

commit c894e52de5705a1133191be5e9caf3ebdee33621
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Fri Jan 31 14:17:02 2014 -0600

    Add a jacked up title to test travis. Revert this!

commit 2f00c190be71aeb456a7a546071286fd6d670bc1
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Fri Jan 31 11:39:42 2014 -0600

    Allow for checking and spotchecking.

commit db11e8dfad5381030b08c431a183dbafe7a5f304
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 17:16:37 2014 -0600

    Whoops, need to exit an Integer always.

commit 12d131d3157a78ff11e597476138323ed0a062fc
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 16:59:35 2014 -0600

    Allow for exit statuses from msftidy.

commit 2c3b294ff17416f49935472caf2b6be3dbdd93a4
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 15:36:43 2014 -0600

    Be more dynamic about tag checking years

commit d5d8a0b05ac17fb18666a9c252dbb6928d6b5e56
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 14:36:44 2014 -0600

    Don't warn when there's really nothing

commit fb44a3142fb01eb2647c1c240bb1cc2e7bf59120
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 14:21:50 2014 -0600

    Revert the intentional failure

    This reverts commit 99a7630b0da301b27ac495cb027009a8cd9e2caf.

    Fun fact: Reverting a commit does not automatically sign with my current
    aliases, one must git revert then git c --amend.

commit 99a7630b0da301b27ac495cb027009a8cd9e2caf
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 14:08:05 2014 -0600

    Cause an exit status in precommit check

    Maybe travis will see these and fail the build.

    Don't forget to revert this commit @todb-r7 !

commit 5a3b2fcd9598fae51a0dd2c7c87680c703a85448
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 13:11:04 2014 -0600

    Update msftidy pre-commit-hook for spotchecking

commit 3f255e36dad9ed3081aaf359f845525d96872ef0
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 12:35:16 2014 -0600

    Travis should run msftidy via precommit hook

commit 0959d9d2d281590a94c0ac960e43b74354e4e21b
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 12:25:53 2014 -0600

    Add SPOTCHECK_RECENT to msftidy.rb
2014-01-31 14:19:04 -06:00
William Vu 7200a4f0e0 Fix in_super-reliant msftidy checks
The conversion from hard tabs to two-space soft tabs broke a few checks.
2014-01-30 14:39:28 -06:00
jvazquez-r7 9db295769d
Land #2905, @wchen-r7's update of exploit checks 2014-01-24 16:49:33 -06:00
Tod Beardsley 2ea3b46988
Remove to_s inside #{} 2014-01-23 14:21:48 -06:00
sinn3r 31c0f45b27 Add routine to check bad check codes 2014-01-22 15:26:16 -06:00
William Vu 3a943c719e Implement a whitelist for suspect capitalization 2014-01-21 09:26:16 -06:00
Tod Beardsley 62c7839b4c
Land #2850, fix msftidy to respect \x22 and \x27 2014-01-16 16:26:34 -06:00
joev 1197426b40
Land PR #2881, @jvazquez-r7's mips stagers. 2014-01-15 12:46:41 -06:00
jvazquez-r7 a8806887e9 Add support for MIPS reverse shell staged payloads 2014-01-14 12:25:11 -06:00
Ethan Robish 28655d4788 Fixed bug that caused runtime error in module_rank.rb 2014-01-13 19:03:23 -06:00
sinn3r dcf90b7cc7 Change options. And change "checksum" to "hash" 2014-01-13 09:57:28 -06:00
sinn3r 231c757804 Strictly just -q for the quick option 2014-01-13 09:12:16 -06:00
sinn3r ffc9f652cc Fix VirusTotalUtility module scope 2014-01-12 16:12:25 -06:00
sinn3r 02d5931739 Add method scan_by_checksum for virustotal.rb
Allows the user to scan files based on checksusm (without actually
uploading them to VT)
2014-01-12 15:45:16 -06:00
sinn3r 3b095f325f Change default key to Metasploit 2014-01-10 17:34:55 -06:00
sinn3r 807d8c12c7 Have a default API key
Modules now should have a default API key. See the following for
details:
http://blog.virustotal.com/2012/12/public-api-request-rate-limits-and-tool.html
2014-01-10 01:26:42 -06:00
sinn3r 4ba2a53e4a Correct a typo
They caught me. Thanks HD.
2014-01-09 16:40:29 -06:00
William Vu e7026c10ef Update msftidy to check for double quotes 2014-01-08 20:32:30 -06:00
sinn3r 9ddef2fbc9 Update rpsec and the script 2014-01-08 13:22:38 -06:00
sinn3r 60138aba67 Use $stdout 2014-01-08 02:34:27 -06:00
sinn3r 44f89f839d Update documentation 2014-01-07 19:11:08 -06:00
sinn3r 4f7cf0994a Adds a timeout to wait_report method
In case it takes too long to get a report, the method will give up
checking after one hour. The user can still manually check the report
from the analysis link given earlier.
2014-01-07 19:03:42 -06:00
sinn3r 481ec7b9ec Add VirusTotal Scanner Utility
[SeeRM #8733] This a tool that uses VirusTotal's public API to submit
a malware sample for analysis. As an offensive tool developer, this
would provide a convenient way to check and see how AVs react to
something we write.
2014-01-07 18:29:26 -06:00
sinn3r 709a7bfb99
Land #2754 - Created standalone module for cpassword AES decrypt 2013-12-19 12:13:21 -06:00
sinn3r 3c64650a47 +x permission 2013-12-19 12:12:37 -06:00
sinn3r 284b3507ce Convert gpp_standalone.rb into a standalone script in tools 2013-12-19 12:10:00 -06:00
Tod Beardsley 63d1a78cd2
Remove capturing parens and debug hexes. 2013-11-20 17:53:25 -06:00
Tod Beardsley 637ce058f5
Write a nonstupid regex (2-pass test) 2013-11-20 17:47:19 -06:00
Tod Beardsley 0ec9881a22
Fix stdout/stderr check to avoid ruby payloads
[SeeRM #8498]

This knocks out all the non-datastore editing ERROR messages, so we've
got that going for us. Which is nice.
2013-11-20 17:39:35 -06:00
Tod Beardsley 5ef6c5bb44
Land #2668, avoid tidying nonfiles. 2013-11-20 16:57:57 -06:00
William Vu b75f5a8f45 Avoid crashing when msftidy'ing missing files 2013-11-20 16:36:07 -06:00
William Vu 6c7a98ef47 Be more exact about shebang checking 2013-11-20 15:26:35 -06:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
William Vu 2572d8daad Add #! check to msftidy 2013-11-08 16:11:48 -06:00
William Vu bcc9c760c4 Add +x check to msftidy 2013-11-05 11:50:28 -06:00
sinn3r 079c82d11d
Land #2565 - Show full path in msftidy 2013-10-22 16:05:56 -05:00
William Vu 33c3167362 Show full path instead of just the basename
Since @todb-r7 and I hate having to use find. :/
2013-10-22 14:54:54 -05:00
William Vu 36a7d02001 Update msftidy to check new ZDI reference 2013-10-21 15:31:37 -05:00
Tod Beardsley 07ab53ab39
Merge from master to clear conflict
Conflicts:
	modules/exploits/windows/brightstor/tape_engine_8A.rb
	modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
Tod Beardsley 3e31235a14
Minor Ruby changes to resplat.rb 2013-10-16 16:37:15 -05:00
Tod Beardsley 3fc1a75a6b
Simplify msftidy with Find.find and add fixed()
Also, enforce binary encoding like the other Metasploit tools.

This opens the door to fixing files that have things that could be fixed
programmatically.

    [SeeRM #8497]
2013-10-16 10:40:42 -05:00
Tod Beardsley 2f2b93cf61
Avoid resplatting resplat.rb 2013-10-15 14:59:56 -05:00
Tod Beardsley 5d86ab4ab8
Catch mis-formatted bracket comments. 2013-10-15 14:52:12 -05:00
Tod Beardsley 40106b3f22
Sometimes splats point at a /framework/ URL 2013-10-15 14:12:49 -05:00
Tod Beardsley 01fbbf16de
Add another line to the resplat regex. 2013-10-15 14:06:53 -05:00
Tod Beardsley 81d145ad81
At least offer a solution with msftidy
I would go ahead and fix it for the user, but due to #8497, I can't
yet.
2013-10-15 13:53:38 -05:00
Tod Beardsley e9e6fb7e26
Add msftidy check. 2013-10-15 13:35:52 -05:00
Tod Beardsley 56d4ba8ab8
Add a re-splatting tool for updating comments. 2013-10-15 13:13:00 -05:00
Tod Beardsley 36d058b28c
Warn for tabbed indentation 2013-10-01 12:22:46 -05:00
Tab Assassin 2e8d19edcf Retab all the things (except external/) 2013-09-30 13:47:53 -05:00
Tab Assassin 0ecba377f5 Avoid retabbing things in .git/ 2013-09-30 13:45:34 -05:00
sinn3r c3976e8315 Land #2364 - Update retab util 2013-09-19 22:24:45 -05:00
James Lee 8fe9132159
Land #2358, deprecate funny names 2013-09-18 14:55:33 -05:00
Tod Beardsley 9ee629e2b3 Short circut file checking if it's .rb
Makes things a little faster.
2013-09-13 10:51:50 -05:00
Tod Beardsley 75021bb75b Make retab.rb smarter about ruby file types
Instead of just relying on a filename of *.rb, use the file utility to
determine file type.

For systems that lack lack 'which' and 'file', fall back to filename
matching.

This is useful for retabbing things like 'msfconsole' that don't have a
.rb extension.
2013-09-13 10:25:26 -05:00
Tod Beardsley 5dc3c3c424 Realign retab.rb 2013-09-13 10:15:05 -05:00
Tod Beardsley 32d2f7ffce Hard tabs for now 2013-09-12 16:15:50 -05:00
Tod Beardsley 52843c6a67 Revert whitespace change to msf_tidy.rb
Causing merge conflicts, I'll re-tab it after this PR lands.

This reverts commit 1178da46c6.
2013-09-12 16:14:42 -05:00
Tod Beardsley 1178da46c6 Normalize indentation or @wchen-r7 will be cross 2013-09-12 16:10:43 -05:00
Tod Beardsley cf27b0b457 Add msftidy check for snake_case.rb filenames 2013-09-12 16:06:17 -05:00
sinn3r 8715eb36a8 Land #2300 - chk datastore mods 2013-09-12 15:09:09 -05:00
Tod Beardsley f3ab6d1830 Retab should optionally keep local backups
Local backups are generally not needed since you can just git checkout
old versions anyway before committing. It was nice to have during dev
but generally shouldn't be done now.
2013-09-03 11:54:31 -05:00
Christian Mehlmauer 40e7f45db4 another regex fix 2013-08-30 16:10:16 +02:00