More predictable than /dev/stdin, which is usually a symlink to
/proc/self/fd/0 or /dev/fd/0, but the feature is not guaranteed to be
present.
This isn't *terribly* useful, but it can be. -x is recommended, but it
doesn't allow for ERB directives. This is mostly for hax.
When something fails, the target is given a hardcoded 404 message
generated by the framework. But the user (attacker) now can configure
this. When the Custom404 option is set, the mixin will actually
redirect (302) to that URL.
There are several scenarios that can trigger a 404 by BES (custom or
default):
* When the browser doesn't allow javascript
* When the browser directly visits the exploit URL, which is forbidden.
If this actually happens, it probably means the attacker gave the
wrong URL.
* The attacker doesn't allow the browser auto-recovery to retry the
URL.
* If some browser requirements aren't met.
* The browser attempts to go to access a resource not set up by the
mixin.
Sometimes we forget the set command is context specific. For example,
if run from a module's context, it will set the value in the module's
datastore.
Fix#4641
Modify rename_file to fit the pattern of the other file methods.
Otherwise, calling this yields a backtrace in the logs and it fails.
Steps to verify:
rc script:
```
loadpath test/modules
use exploit/multi/handler
set lhost 172.28.128.1
set lport 8081
set payload windows/meterpreter/reverse_http
run -j
sleep 5
resource test/scripts/test-sessions.rc
Before:
```
[-] FAILED: should move files
[-] Exception: TypeError : true is not a symbol
log file:
[01/27/2015 13:17:23] [d(0)] core: Call stack:
/home/bcook/projects/metasploit-framework/lib/msf/core/post/file.rb:357:in
`rename_file'
/home/bcook/projects/metasploit-framework/test/modules/post/test/file.rb:115:in
`block in test_file'
/home/bcook/projects/metasploit-framework/test/lib/module_test.rb:26:in
`call'
/home/bcook/projects/metasploit-framework/test/lib/module_test.rb:26:in
`it'
...
```
After, passing sessions instead:
```
post/test/file
SESSION => 1
Setup: changing working directory to %TEMP%
[*] Running against session 1
[*] Session type is meterpreter and platform is x86/win32
[+] should test for file existence
[+] should test for directory existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[*] Passed: 11; Failed: 0
```
This should fix up #4642 with respect to #4504.
Squashed commit of the following:
commit 124d53ccb00cd200bede092e893dda7e033d3e17
Merge: cb2bef8 ccad159
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Jan 26 16:23:03 2015 -0600
Merge branch 'feature/creds-blank-finders' into temp
commit ccad159222eaa949d76e22b588d1ac7709fb2f27
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Jan 26 15:58:02 2015 -0600
Clean out whitespace, make vars more meaningful
commit 266b45dff26e2778e43d8e4750d212b5aee5a009
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Jan 26 15:54:32 2015 -0600
Add some specs for regular users and blank users
commit 2e51503f76e9a2f6921c57e86a2f98527f80c874
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Jan 26 15:04:03 2015 -0600
Users should be able to find blank user/pass
This patch fixes a problem with OptRegexp. The OptRegexp class is
always forcing the value to be converted to a string first, which
causes the EXCLUDE option in browser_autopwn to kick in and match
every found autopwn module, so it ignores all of them and you load
nothing (#4616).
It is important to understand that nil actually represents an option
not being set, which is a completely different behavior than having
an empty value (technically "" is still a value, and if there's a
value, it means the option is set). We need to watcher for these
scenarios.
I am restoring the #default method to avoid forcing a to_s, which should
fix the browser autopwn loading problem. And then I changed scraper.rb's
default value for datastore option PATTERN to a string, because still
fixes#3798. The way I see it, #3798 is actually a module-specific issue.
Fix#4616Fix#3798
This is a weak attempt to solve a race condition between modules loading
and cmd_use being fired. Upon startup, saved configurations, running
resource scripts, and running commands will sometimes jump ahead of the
module loading procedure.
I have not discovered where the race actually is and how to cause the
race to happen. However, the timing seems to be fairly close to a second;
by waiting three seconds after trying use again, we seem to be in the
clear, at least according to testing.
Fixes#4549, but better solutions are welcome!
This adds an extra parameter to most of the post/windows/registry
methods called 'view' that specifies if a registry key should be
accessed as a native process, 32-bit or 64-bit.
Support is added to both the Meterpreter and command-line backends. For
the command backend, a lot of boilerplate is removed from each method in
favor of a few shared commands. There is an error hash that never gets
used, so I removed it as well.
This passes the post/test/registry module with meterpreter, but fails
the command line backend. However, it fails in the same way without
these changes (tested on Windows 8), so I suspect that the command line
session was already not working well, at least with newer versions of
Windows. I might look into figuring out how to fix that, but it looks
pretty fragile to me, parsing for english phrases in the output.
the SMTP mixin now supports the Date header.
The user can supply a a value for the Date Header
or else it will automatically use the current local
DateTime. This will help alleviate certain issues
caused by servers setting this field for the cliebnt incorrectly
MSP-9390
- Many code duplications are eliminated from modules in favor of shared
implementations in the framework.
- Paths are properly quoted in shell operations and duplicate operations are
squashed.
- Various subtle bugs in error handling are fixed.
- Error handling is simpler.
- Windows services API is revised and modules are updated to use it.
- various API docs added
- railgun API constants are organized and readable now.