Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.
Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
Looks like I can't decide on certain style preferences.
Not keen on using blank?, but I've used it before. Time to commit?
Also, fail_with has been fixed for aux and post since #8643. Use it!
Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.
Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.
Testing:
Internal tests for resolution of different record types locally
and over pivot sessions.
Land #9317
The following modules are replaced by the following:
auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.
Testing:
None yet
This incidentally also allows for a custom collector to be implemented
by the user -- for example, if they'd rather pick up a session ID or
inject a browser hook or something along those lines. It's a little
clunky, using the advanced option of CUSTOM_JS, but it seems to work
fine.
A few things were changed as per the PR comments:
1) The module title was reworded
2) The module description was multi-lined
3) Negative logic was rewritten to use 'unless'
4) Strings which did not require interpolation were rewritten
5) Documentation markdown was added.
Instead of an alert() (which the attacker won't see), this collects the
offered credentials in a POST action, and displays them in the console.
This should further store the creds somewhere handy, but this is good
enough for now for testing from @RootUp
"ua-parser-js" is an npm module for parsing browser
user-agent strings. Vulnerable version of this module
have a problematic regular expression that can be exploited
to cause the entire application processing thread to "pause"
as it tries to apply the regular expression to the input.
This is problematic for single-threaded application environments
such as nodejs. The end result is a denial of service
condition for vulnerable applications, where no further
requests can be processed.
This module verifies if ws is vulnerable
to DoS by sending a request to the server
containing a specific header value.
ws is a npm module which handles websockets.
Work in progress of GET, and PUT. PUT works fine for grabbing the configuration. GET will be used for service a config to execute commands , or the also WIP action "UPLOAD"
Per bcoles, the most important fixes are:
- Removing `self.class` from call to `register_options`
- Adding rescue to login_succeeded to handle bad json
Per discussion with @bcoles in [PR 8759](https://github.com/rapid7/metasploit-framework/pull/8759#issuecomment-325028479), setting a login data's last_attempted_at value while also setting the status to UNTRIED will cause a validation error when there's a running+connected MSF DB.
This PR removes the handful of existing cases we're doing this (thx, @bcoles!).
This module attempts to log into BuildMaster. BuildMaster is an application release automation tool.
More information about BuildMaster:
http://inedo.com/
tried to overcome issues with slowdown
around the 4500 connection mark by using the
supervisor pattern to terminate the threads on
the backend. this seems to get us further, but we still
hit a slowdown and the allocations die out before
we hit any serious usage
To round out implementation of a simple path for users to access
HttpClient like Open or Net::HTTP, create :request_url method which
takes a single URL parameter, uses :request_opts_from_url to build
the request configuration for Rex::Proto::Http::Client, executes
a GET request with it, and disconnects the client unless keepalive
is specified as the second parameter to :request_url.
Example usage of functionality is implemented in http_pdf_authors.
JTR modules should never assume there is always a database
connected while using #wordlist_file, considering a database is
an optional component for Framework.
Fix#8685
To address the complexity which comes with the flexibility offered
by Rex::Proto::Http::Client and its Msf mixin descendant, a simple
process needs to be implemented for issuing a request using only
the URL string in order to provide ease of access to users who may
not have the time to study how these clients work in detail.
Implement :request_opts_from_url in Msf's HttpClient mixin such as
to extract the options required for :send_request_* from a URL
string passed into the method. This approach reduces HTTP requests
in the mixin to `send_request_raw(request_opts_from_url(url))` when
`url` is just a string.
Implement this approach in the http_pdf_authors gather module to
further reduce infrastructure complexity around the simple need to
acquire PDF files via HTTP/S.
Testing:
Local to this module only, and in Pry of course. Seems to work...
Replace Net::HTTP usage with proper Rex::Proto::Http::Client via
the Msf module mixin. Generate the request opts from the same URI
parsed URL string, execute a one shot GET request, disconencting
after reciept of results. Depending on the response code, either
pass back an empty StringIO or if its 200, a StringIO(res.body).
DNS spoofing module should be feature complete, with forwarding of
requests which do not have cached answers (can be disabled same as
the native server module), empty replies to reduce client wait on
outstanding DNS requests, and post-send output in verbose mode
to reduce garbage and execution time in the critical/racy path.
This module is best used in conditions where MITM is achieved by
way of MAC spoofing, route interception, or compromise of an inline
host on the datapath. The attacker should avoid forwarding
original requests to the intended destination, or if this is not
possible, prevent replies from traversing the MITM space in order
to avoid race conditions between the spoofer and victim.
Example iptables configuration on MITM host:
iptables -t nat -A POSTROUTING -o eth0 -p udp ! --dport 53 -j ...
Testing:
Internal testing in Virtualbox local network, atop 802.11, and
mostly in Neutron (with port security disabled on the VIFs) atop
OpenStack Liberty ML2+OVS.
Move all output lines out of the execution path in order to reduce
execution time and help win the race against the real response.
Update the IP header ID for responses so as not to return the sent
header value on the wire and alert clever IDS.
Allow retrieval of '*' from stored static entries for spoofing
all domains to any IP using wildcard names. Replace the wildcard
response with the name submitted to the search in the response.
Fix improper checks in DNS::Packet for Resolv objects from decode
to encode.
Misc cleanup for records not responding to :address, convenience
methods, and packet structure.
Import PCAP-based DNS spoofing server module:
This module uses the Capture mixin to sniff and parse packets off
the wire, then match answers to sniffed requests from static
entries in the server's cache. If answers are found, they are
appended to a cloned packet with reverse saddr/daddr pairs at
layers 2-4, the qr bit is set, and it is injected back into the
interface from where it came.
Minor cleanup in the Rex::Proto::DNS::Server::Cache class to allow
multiple address->name pairs and fix issues when adding multiple
static entries.
Create Rex::Proto::DNS::Packet and Packet::Raw to allow common
parsing, validation, and raw data operations across both Rex and
Msf namespaces.
The modules contain class methods and do not need to be mixed in
to use their functionality Packet.method is enough, and reduces GC
strain since new objects are not constantly being instantiated, and
these modules contain no internal state.
Clean up UDP socket leak from Rex::Proto::DNS::Server under certain
conditions.
Create Msf::Exploit::DNS::Common mixin to provide descendants with
access to Packet and the hostname Regex.
-----
Testing:
Tested running the RC provided in the pull request
Manual testing in IRB/Pry while porting PoC for CVE-2015-7547
Rex::IO::StreamServer provides consistent methods and accessors
for TcpServer type consumers, but includes logic for client actions
which are not relevant in a datagram context - connect and
disconnect actions, as well as any notion of stateful session
persistence (the clients queue) do not apply in this paradigm.
Implement a Rex::IO::GramServer mixin which provides common methods
for dispatching requests and sending responses. Defines the same
callback structure for procs as used in the StreamServer, though
utilizing dispatch_request_proc and send_response_proc with client
and data parameters for efficient interception of execution flow
when dealing with stateless comms.
Rewire Rex::Proto::DNS server to use instance variables along the
same convention as other modules, implement the GramServer mixin,
and minor misc cleanup.
-----
Change calling conventions in Rex::Proto::DNS::Server to match
other components.
Clean up the Msf::Exploit::DNS namespace with generic server
interfaces.
Fix the advanged options naming convention - as hdm pointed out,
evasion options use the '::' separator, advanced options use "_".
-----
Testing:
Basic functional tests in Pry for now.
Add examples of request and response handlers to the native_server
module to show local level accessors handling the same functions
as the Rex::Proto::DNS::Server's own default_dispatch_request.
This version swaps the forwarded response if its available for the
request modification done internally (which should probably be
addressed via a Util mixin for packet generation/alteration).
Built atop the Rex::Proto::DNS work to implement mixins for client
and server functionality, providing common interfaces for querying
domain name servers, and providing domain name services to clients
across Rex sockets. Fully functional native DNS server module is
included to demonstrate functionality, serve as a spoofing DNS
server, a collecting proxy, or any other number of DNS functions.
-----
At the core of this work is a Rex::Proto::DNS::Resolver object
descended from Net::DNS::Resolver with overrides and alterations
for using Rex sockets. The sockets implementation has been in use
internally for a number of years and is well tested. Changes have
been made to provider better interface for higher level components.
The resolver provides forward lookup capability for the server
(Rex::Proto::DNS::Server) which also implements a self-pruning
Cache subclass capable of holding static entries. The server can
operate in TCP or UDP mode, and provides a common abstraction for
addressing TCP and UDP clients by passing a Rex::Socket::Udp
mock client around with the data object to higher level consumers.
Finally, as is standard practice when building full service objects
from Rex to Msf, the server allows consumers to efficiently take
execution control at the request and response handlers by passing
Procs into the constructor (or manually assigning at runtime) for
execution instead of the default call chain.
The service, lookup, and caching functionality is encapsulated and
stands on its own to be used by consumers other than the standard
Msf::Exploit::Remote namespaces. It is intended to serve as the
driver and transport handler for pending DNS tunnel transports,
and can be used by exploit and auxiliary modules directly.
-----
The Msf::Exploit::Remote namespace receives DNS, DNS::Client, and
DNS::Server mixins providing common interfaces for Rex::Proto::DNS
objects. These mixins create convenience methods for executing
queries, serving requests, and configuring the Rex providers.
DNS::Client mixin attempts to "intelligently" configure the client
resolver's name servers and options from the data store. Accessor,
query, and configuration methods are provided in this mixin. Of
note are the wildcard and switchdns methods which were adapted
from prior work by others (likely Carlos Perez) which can be used
by numerous consumer modules. Consumers should use setup_client
during their run call to ensure the resolver is appropriately
configured.
DNS::Server mixin creates common service wrappers for modules to
utilize along with a configuration mechanism analagous to the
one used by the Client mixin, called setup_server, and calling
the setup_client method if present. Note that when setup_server
is called, the consumer does not need to call setup_resolver.
------
At the framework module level, a native dns server is provided
to showcase the mixin functionality and provide everything from
normal DNS services, to tunneling proxies (with cache disabled),
spoofing services, and MITM functionality via the handler Procs
for requests and responses.
Use auxiliary/server/dns/native_server to get started.
-----
Testing:
Basic local testing completed.
Needs to be checked for info leaks - we used to leak a lot.
Needs to be checked for functionality under varying configs.
Notes:
We have a serious problem with the datastore somewhere in the
Msf namespace. Datastore options must be validated with
options.validate(datastore) or they are all Strings, which
completely destroys any type-dependent logic consuming
datastore values. This must be addressed separately and all
calls to options.validate(datastore) should be removed (other
work has included such calls as well, this just proved that
the problem exists upstream).
Future work:
Implement sessions transports atop the DNS infrastructure in
order to provide native DNS tunneling.
Steve Embling
Pearce Barry
Adam Cammack
William Vu
Brendan Coles
RageLtMan
Wei Chen
jgor
h00die
Aaron Soto
bka-dev
Jan-Frederik Rieckers
Brent Cook
james
Jon Hart
Tod Beardsley
juushya
Jeffrey Martin
Nick Marcoccio
RootUp
nromsdahl
Nicholas Starke
Ryan Knell
attackdebris
Austin
Matthew Kienow
Daniel Teixeira
Patrick Webster
lvarela-r7
sho-luv
Brent Cook
Hanno Heinrichs
bwatters-r7
loftwing
Erik Lenoir
Craig Smith
james
zerosum0x0
Christian Mehlmauer
David Maloney
TC Johnson
g0tmi1k
Evgeny Naumov
jvoisin
dmohanty-r7
MD5HashBrowns
Roman
KINGSABRI
William Webb
James Lee
Dylan Davis
root