This time, it's ensured that generate_uri_checksum(sum) will succeed,
provided the sum is an even number between 80 and 100 (tested)
It's still not great for arbitrary checksum targets, but that's because
there are lots of strings that cannot satisfy the requirement. I kind of
think this is the fault of Rex.
This reverts commit 7161a548f4.
Prepping for a more sane solution that doesn't change the URI sizes and
succeeds without fallingback to a pre-generated list.
Instead of data.each, use the stdlib CSV importer. This will avoid
accidentally splitting on ',' characters at a minimum.
If the device has a serial number and/or a location, keep that and
reflect it in the info.
Also some tests for doing so, all of which pass on Linux, Windows, and
Java meterpreter, as well as shell sessions on Linux and Solaris. They
will fail miserably on Windows shell sessions.
commit 8b4750d0dcbac0686f9403acdf5cab50c918212f
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 13 13:14:43 2012 -0600
Add bins for listing all addresses
[Fixes#6476]
commit 213dd92ebc9b706a45725e6515c7939d2edace0e
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 13 02:08:34 2012 -0600
Accept multiple addresses and netmasks
[See #6476]
commit 2e8bd3c3ecfb319bf9456485d2420bb5829b60cc
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 13 01:55:57 2012 -0600
Make inspecting meterpreter packets a little less painful
Not sure why I originally thought there was no way to access extensions'
constants before. A simple `require` makes it all happy.
commit da367907cf579bd3aefaffbc84d2f96a41b85f00
Author: James Lee <egypt@metasploit.com>
Date: Sun Mar 11 22:08:44 2012 -0600
Fix up Linux after changes for Windows
commit ec9f04378b0155f69df95d4a94e62d33ce61977c
Author: James Lee <egypt@metasploit.com>
Date: Sun Mar 11 21:56:11 2012 -0600
Grab IPv6 addresses on Windows when possible
Tries to GetProcAddress of GetAdaptersAddresses and falls back to the
old GetIpAddrTable() function when it isn't available. This should work
on XPSP1 and newer, albeit without netmasks on versions before Vista.
Still trying to figure that one out.
commit 1052ebdcf86114fbc03d1a37ab5d4c6a78e82daa
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 6 15:34:09 2012 -0700
Wrap Windows-specifc headers in ifdef
commit f23f20587b3117c38a77e7e5a93d542411e9504f
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 6 14:36:34 2012 -0700
Handle multiple addrs on one iface on the ruby side
commit d7207d075ac6462875d9da531cf20c175629a416
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 5 21:57:39 2012 -0700
Adds IPv6 addrs to win32 get_interfaces response
commit 11ae7e8a45bd56d25841ea8724377e0fb6789d72
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 5 09:07:28 2012 -0700
Don't distinguish between 4 and 6.
The client can figure it out from the length.
commit 2c7490bdf3e4079f30857ee323d2ce23ab1bd9a5
Author: James Lee <egypt@metasploit.com>
Date: Sun Mar 4 04:25:26 2012 -0700
Append to the list instead of assigning to it
All addresses are being sent to the client now. Just need a way to
parse them out correctly on the other side and meterpreter will be able
to list all addresses on all interfaces on Linux. Next step is to
allocate the proper number of TLVs to avoid good ol' stack smashes on
systems with lots of addresses and then make sure we clean all the
memory leaks.
[See #6476]
commit 73bba037ad968b922341c02459017afcc8407a76
Author: James Lee <egypt@metasploit.com>
Date: Sun Mar 4 03:12:28 2012 -0700
Lay the groundwork for returning all addresses
This commit only sends the last interface in the list, but it is looping
through all of them as evidenced by the log, just need to make sure
we're not overwriting as we go.
[See #6476]
The purpose of re-raising an error from a library method like this is to
tell the user in no uncertain terms what all actually went wrong with the
module. This fix will cause a somewhat more pleasant error message than
the default message. Here's the raise from URI:
```
[-] Auxiliary failed: URI::InvalidURIError bad URI(is not URI?): what%ever
[-] Call stack:
[-] /home/todb/.rvm/rubies/ruby-1.9.1-p378/lib/ruby/1.9.1/uri/common.rb:156:in `split'
[-] /home/todb/.rvm/rubies/ruby-1.9.1-p378/lib/ruby/1.9.1/uri/common.rb:174:in `parse'
[-] /home/todb/.rvm/rubies/ruby-1.9.1-p378/lib/ruby/1.9.1/uri/common.rb:626:in `parse'
[-] /home/todb/.rvm/rubies/ruby-1.9.1-p378/lib/ruby/1.9.1/uri/common.rb:724:in `URI'
[-] /home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/http/client.rb:535:in `target_uri'
[-] /home/todb/.msf4/modules/auxiliary/test_uri.rb:20:in `run'
[*] Auxiliary module execution completed
```
And here's the new, Metasploit-specific one:
```
[-] Invalid URI: "what%ever"
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: URIPATH.
[*] Auxiliary module execution completed
```
The user can now tell easily what's wrong with the module configuration,
and doesn't have to parse through a stack trace that leads down into
the Ruby stdlib.
Affects the console's db commands of hosts, services, vulns, creds, notes,
loot
Skips searching entirely unless a search term is provided, and
explicitly casts the term as a Regexp object from the outset.
Avoids using Object#to_sym in preference of Object#intern (safer in
nearly all cases)
Temporarily disables functionality on notes since Array#keep_if isn't
available prior to Ruby 1.9.2
Affects the console's db commands of hosts, services, vulns, creds, notes,
loot
Skips searching entirely unless a search term is provided, and
explicitly casts the term as a Regexp object from the outset.
Avoids using Object#to_sym in preference of Object#intern (safer in
nearly all cases)
Temporarily disables functionality on notes since Array#keep_if isn't
available prior to Ruby 1.9.2
global. This isn't perfect, but we have no better solution unless we
clone the module datastore and unset the default imported_by for the
module run (actively testing that too in a branch)
Squashed commit of the following:
commit 2f4e8df33c5b4baa8d6fd67b400778a3f93482aa
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 16:31:03 2012 -0700
Clean up some rdoc comments
This adds categories for the various interfaces that meterpreter and
shell sessions implement so they are grouped logically in the docs.
commit 9d31bc1b35845f7279148412f49bda56a39c9d9d
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 13:00:25 2012 -0700
Combine the docs into one output dir
There's really no need to separate the API sections into their own
directory. Combining them makes it much easier to read.
commit eadd7fc136a9e7e4d9652d55dfb86e6f318332e0
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 08:27:22 2012 -0700
Keep the order of iface attributes the same accross rubies
1.8 doesn't maintain insertion order for Hash keys like 1.9 does so we
end up with ~random order for the display with the previous technique.
Switch to an Array instead of a Hash so it's always the same.
commit 6f66dd40f39959711f9bacbda99717253a375d21
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 08:23:35 2012 -0700
Fix a few more compiler warnings
commit f39cb536a80c5000a5b9ca1fec5902300ae4b440
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 08:17:39 2012 -0700
Fix a type-safety warning
commit 1e52785f38146515409da3724f858b9603d19454
Author: James Lee <egypt@metasploit.com>
Date: Mon Feb 27 15:21:36 2012 -0700
LHOST should be OptAddress, not OptAddressRange
commit acef978aa4233c7bd0b00ef63646eb4da5457f67
Author: James Lee <egypt@metasploit.com>
Date: Sun Feb 26 17:45:59 2012 -0700
Fix a couple of warnings and a typo
commit 29d87f88790aa1b3e5db6df650ecfb3fb93c675b
Author: HD Moore <hdm@digitaloffense.net>
Date: Mon Feb 27 11:54:29 2012 -0600
Fix ctype vs content_type typo
commit 83b5400356c47dd1973e6be3aa343084dfd09c73
Author: Gregory Man <man.gregory@gmail.com>
Date: Sun Feb 26 15:38:33 2012 +0200
Fixed scripts/meterpreter/enum_firefox to work with firefox > 3.6.x
commit 49c2c80b347820d02348d694cc71f1b3028b4365
Author: Steve Tornio <swtornio@gmail.com>
Date: Sun Feb 26 07:13:13 2012 -0600
add osvdb ref
commit e18e1fe97b89c3a2b8c22bc6c18726853d2c2bee
Author: Matt Andreko <mandreko@gmail.com>
Date: Sat Feb 25 18:02:56 2012 -0500
Added aspx target to msfvenom. This in turn added it to msfencode as well.
Ref: https://github.com/rapid7/metasploit-framework/pull/188
Tested on winxp with IIS in .net 1.1 and 2.0 modes
commit e6aa5072112d79bbf8a4d2289cf8d301db3932f5
Author: Joshua J. Drake <github.jdrake@qoop.org>
Date: Sat Feb 25 13:00:48 2012 -0600
Fixes#6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver
commit b3371e8bfeea4d84f9d0cba100352b57d7e9e78b
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 17:07:42 2012 -0700
Simplify logic for whether an inner iface has the same address
commit 5417419f35a40d1c08ca11ca40744722692d3b0d
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 16:58:16 2012 -0700
Whitespace
commit 9036875c2918439ae23e11ee7b958e30ccc29545
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 16:53:45 2012 -0700
Set session info before worrying about address
get_interfaces can take a while on Linux, grab uid and hostname earlier
so we can give the user an idea of what they popped as soon as possible.
commit f34b51c6291031ab25b5bfb1ac6307a516ab0ee9
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 16:48:42 2012 -0700
Clean up rdoc
commit e61a0663454400ec66f59a80d18b0baff4cb8cd9
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Feb 28 04:54:45 2012 -0600
Ensure the architecture is only the first word (not the full WOW64
message in some cases)
commit 4c701610976a92298c1182eecc9291a1b301e43b
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Feb 28 04:49:17 2012 -0600
More paranoia code, just in case RHOST is set to whitespace
commit c5ff89fe3dc9061e0fa9f761e6530f6571989d28
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Feb 28 04:47:01 2012 -0600
A few more small bug fixes to handle cases with an empty string target
host resulting in a bad address
commit 462d0188a1298f29ac83b10349aec6737efc5b19
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Feb 28 03:55:10 2012 -0600
Fix up the logic (reversed by accident)
commit 2b2b0adaec2448423dbd3ec54d90a5721965e2df
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 23:29:52 2012 -0600
Automatically parse system information and populate the db, identify and
report NAT when detected, show the real session_host in the sessions -l
listing
commit 547a4ab4c62dc3248f847dd5d305ad3b74157348
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:16:03 2012 -0600
Fix typo introduced
commit 27a7b7961e61894bdecd55310a8f45d0917c5a5c
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:11:38 2012 -0600
More session.session_host tweaks
commit e447302a1a9915795e89b5e29c89ff2ab9b6209b
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:08:20 2012 -0600
Additional tunnel_peer changes
commit 93369fcffaf8c6b00d992526b4083acfce036bb3
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:06:21 2012 -0600
Additional changes to session.session_host
commit c3552f66d158685909e2c8b51dfead7c240c4f40
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:00:19 2012 -0600
Merge changes into the new branch
Fixes an issue where a different module load order would result in one
of the vmware modules failing to load be cause vim_soap hadn't been
required yet. Thanks d0rm0us3 for having a weird system and spotting
stuff like this.
This prevents modules that provide OS fingerprint details via
report_host from being overridden with inconclusive or missing OS
details from service fingerprints.
Add in some new OS constants and seperate out the fingerprinting
function from the connection function in order to avoid having errors
swallowed by a rescue.
framework.encoders[reqs['Encoder']] returns nil when, for example, reqs['Encoder'] is in UTF-8 encoding and the corresponding key of the framework.encoders hash in US-ASCII encoding.
Reverting the OptRegexp commit from chao-mu. Before committing to
master, this option type needs to be tested on the various mainstream
UI's (Metasploit Pro, msfgui, and Armitage) to see if they behave
as reasonably as msfconsole. Each UI tends to handle option setting,
passing, and display in their own special way.
This should make it back in by Wednesday, assuming all goes well.
[See #101]
This reverts commit 84db5a21fc, reversing
changes made to 24aaf85a1b.
Pubkeys are now stored as loot, and the Cred model has new and exciting
ways to discover which pubkeys match which privkeys.
Squashed commit of the following:
commit 036d2eb61500da7e161f50d348a44fbf615f6e17
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 22:23:32 2012 -0600
Updates ssh credentials to easily find common keys
Instead of making the modules do all the work of cross-checking keys,
this introduces a few new methods to the Cred model to make this more
universal.
Also includes the long-overdue workspace() method for credentials.
So far, nothing actually implements it, but it's nice that it's there
now.
commit c28430a721fc6272e48329bed902dd5853b4a75a
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 20:10:40 2012 -0600
Adding back cross-checking for privkeys.
Needs to test to see if anything depends on order, but should
be okay to mark up the privkey proof with this as well.
commit dd3563995d4d3c015173e730eebacf471c671b4f
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 16:49:56 2012 -0600
Add SSHKey gem, convert PEM pubkeys to SSH pubkeys
commit 11fc363ebda7bda2c3ad6d940299bf4cbafac6fd
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 13:51:55 2012 -0600
Store pubkeys as loot for reuse.
Yanked cross checking for now, will drop back in before pushing.
commit aad12b31a897db2952999f7be0161df1f59b6000
Author: Tod Beardsley <todb@metasploit.com>
Date: Sun Jan 8 02:10:12 2012 -0600
Fixes up a couple typos in ssh_identify_pubkeys
commit 48937728a92b9ae52d0b93cdcd20bb83f15f8803
Author: Tod Beardsley <todb@metasploit.com>
Date: Sat Jan 7 17:18:33 2012 -0600
Updates to ssh_identify_pubkeys and friends
Switches reporting to cred-based rather than note-based, accurately deal
with DSA keys, adds disable_agent option to other ssh modules, and
reports successful ssh_login attempts pubkey fingerprints as well.
This last thing Leads to some double accounting of creds, so I'm not
super-thrilled, but it sure makes searching for ssh_pubkey types a lot
easier.... maybe a better solution is to just have a special method for
the cred model, though.
module Post
module Meterpreter
module Extensions
module Stdapi
module Railgun
module Type
module PlatformUtil
X86_64 = :x86_64
X86_32 = :x86_32
def self.parse_client_platform(meterp_client_platform)
meterp_client_platform =~ /win64/ ? X86_64 : X86_32
end
end # PlatformUtil
end # Type
end # Railgun
end # Stdapi
end # Extensions
end # Meterpreter
end # Post
end # Rex
Adds the ability to set and use a stack of modules, and to easily switch
between the last two modules used.
[Fixes#6165][Closes#84]
Squashed commit of the following:
commit e41e7f704888b1ce5ad5f23caeee1de13052e3d5
Author: Joshua Smith <kernelsmith@kernelsmith.com>
Date: Mon Dec 26 15:52:08 2011 -0500
pushm/popm working great, let me know if you find bugs
commit 23da8d56ea08ca196e649431e8188b4f29ba97b9
Author: Joshua Smith <kernelsmith@kernelsmith.com>
Date: Mon Dec 26 14:37:18 2011 -0500
Adds the 'previous' command to msfconsole which will load the previously active module as the currently active module, adds @previous_module as a class variable
IMHO rpc client should transform the error code from Msf::RPC::Exception
into it's own Msf::RPC::ServerException and should not take the msgpack
response code.
In deep:
I ran into a '401 invalid auth token' after a token timeout (300s).
RPC Daemon raised a 401 - invalid auth token as expected but rpc client
transformed it to a '200 - invalid auth token' using the successful http
transaction to transport the exception.
Fixes the console to display loot not associated with a host, as when
the CorpWatch modules save loot. Also fixes a typo on
corpwatch_lookup_id.rb
Fixes#6177
This patch adds a Bash output format for msfencode and msfvenom. This is especially useful for local exploitation with shellcode in an environment variable.
Example output:
$ echo 'this is a test' | ./msfvenom -f bash
[-] Using X86 architecture and Windows platform for stdin payload to change use -a and --platform
export buf=\
$'\x74\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74'\
$'\x0a'
It adds unit tests for the new format and also fixes a unit test that was broken (assert_equal 'AAAAAAAAA', Rex::Text.pattern_create(9,['A'])) due to a bug in the shortcut in pattern_create.
server cred module both used the accessor :ptype but report_auth_info looks for :type.
While ptype is what the db field is called, almsot everything else references :type so it is better
for consistency to keep everything at :type.
Fixes#5906
git-svn-id: file:///home/svn/framework3/trunk@14141 4d416f70-5f16-0410-b530-b9f4589650da
<rc_file>
<%
rhost = "192.168.1.1"
smbuser = "test"
smbpass = "pass"
payload = "windows/meterpreter/reverse_http"
puts "This will happen while i preprocess an erb-enabled rc file"
%>
use windows/smb/psexec
set RHOST <%= rhost %>
set SMBUser <%= smbuser %>
set SMBPass <%= smbpass %>
set PAYLOAD <%= payload %>
save
<ruby>
puts "Now, i should print the system path while running the actual resource file! "
puts ENV["PATH"]
puts "end"
</ruby>
<%= puts "This will also happen when i preprocess too" %>
</rc_file>
which will give you output like this:
<output>
[*] Processing /home/jcran/Desktop/test_erb_rc for ERB directives.
This will happen while i preprocess an erb-enabled rc file
This will also happen when i preprocess too
resource (/home/jcran/Desktop/test_erb_rc)> use windows/smb/psexec
resource (/home/jcran/Desktop/test_erb_rc)> set RHOST 192.168.1.1
RHOST => 192.168.1.1
resource (/home/jcran/Desktop/test_erb_rc)> set SMBUser test
SMBUser => test
resource (/home/jcran/Desktop/test_erb_rc)> set SMBPass pass
SMBPass => pass
resource (/home/jcran/Desktop/test_erb_rc)> set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
resource (/home/jcran/Desktop/test_erb_rc)> save
Saved configuration to: /home/jcran/.msf4/config
[*] resource (/home/jcran/Desktop/test_erb_rc)> Ruby Code (115 bytes)
Now, i should print the system path while running the actual resource file!
/home/jcran/.rvm/gems/ruby-1.9.4-p1/bin:/home/jcran/.rvm/gems/ruby-1.9.4-p1@global/bin:/home/jcran/.rvm/rubies/ruby-1.9.4-p1/bin:/home/jcran/.rvm/bin
end
msf exploit(psexec) >
</output>
git-svn-id: file:///home/svn/framework3/trunk@14013 4d416f70-5f16-0410-b530-b9f4589650da