Commit Graph

307 Commits (e59f104195f37146cadf3151b32591bfd9153f9b)

Author SHA1 Message Date
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
Christian Mehlmauer 3f4e9ab18d
msftidy: only check send_request_cgi for vars_get 2014-04-22 19:24:06 +02:00
Christian Mehlmauer b864c4619d
msftidy - added info messages
this commit adds info messages to msftidy to show some info,
but stil exit with status 0 if there are not errors.
2014-04-21 18:04:14 +02:00
Christian Mehlmauer fc803ae277
Changed msftidy check
send_request_raw does not support vars_get so change
the message to switch to send_request_cgi.
See #3272 for more info
2014-04-20 22:41:32 +02:00
William Vu aeedad262d
Remove unnecessary charclass escapes 2014-04-15 14:14:51 -05:00
William Vu 261572158b
Add paren to list of exclusion chars 2014-04-15 11:20:11 -05:00
William Vu 14c7eb19e6
Make the hash brace optional 2014-04-15 10:06:43 -05:00
William Vu f3f31005d8
Revert inadvertent fix for vars_get in msftidy 2014-04-14 14:51:52 -05:00
sinn3r e54a348bd4
Land #3237 - Reconcile test_old_rubies with the other checks 2014-04-11 10:49:23 -05:00
William Vu 8919e21379
Reconcile test_old_rubies with the other checks
It is now check_old_rubies.
2014-04-10 21:44:00 -05:00
William Vu df29578036
Correct check_vars_get to check_request_vars
Since check_vars_get also checked for POSTs.
2014-04-10 21:37:59 -05:00
William Vu 79f82be35d
Land #3188, deluxe msftidy post-merge hook 2014-04-07 14:38:19 -05:00
sinn3r 023bde5b43 Correct msftidy disclosure date check
This correct msftidy's disclosure date check to do the following:

1. If the module has a disclosure date, the check should kick in.
2. If the module is an exploit, and doesn't have a disclosure
   date, then it will be flagged.
3. If the module is an auxiliary, and doesn't have a disclosure
   date, then it will NOT be flgged (because not all aux modules
   target bugs/vulns like exploits do).
2014-04-07 14:21:04 -05:00
William Vu 31b3a6973e
Fix symlink commands 2014-04-07 12:40:11 -05:00
William Vu 48ef061c3c
Land #3046, AIX ibtstat privesc exploit 2014-04-03 17:07:00 -05:00
William Vu 5ac6c4b565
Align msftidy whitelist to 80 columns 2014-04-03 16:54:47 -05:00
Tod Beardsley e1d819b8b9
Update the comment docs on pre-commit-hook.rb
[SeeRM #8779]
2014-04-03 15:26:25 -05:00
Tod Beardsley 70c0a19bbe
Be explicit about which mode we're in.
[SeeRM #8779]
2014-04-03 15:20:50 -05:00
Tod Beardsley 14b47aa67e
Remove the broken SPOTCHECK_RECENT stuff 2014-04-02 11:12:00 -05:00
Tod Beardsley eb2e4cbdef
Add post-merge capability to pre-commit-hook.rb
This will make it possible to run a post-merge check when
pre-commit-hook.rb is referenced as a symlink from .git/hooks/post-merge

The kind of check you're going to do is entirely dependant on the
basename of the file, which is a little weird but convenient.

Verification is a little tricky on this. Coming soon.
2014-04-02 10:19:43 -05:00
Sagi Shahar becefde52f Fix bugs and syntax 2014-04-01 00:54:51 +02:00
Christian Mehlmauer 91034722e9
Added check for 'Rank' on Auxiliary modules 2014-03-28 22:43:53 +01:00
FireFart c023cb2275 make set-cookie header check case insensitive 2014-03-01 13:35:58 +01:00
FireFart 551327bec6 Added a check for Set-Cookie header in msftidy 2014-03-01 13:30:24 +01:00
William Vu 506c354722
Land #3103, vars_get check for msftidy 2014-03-15 19:57:19 -05:00
William Vu 6aa75a328f Ax the arbitrary long line warning
It's not 80 or 132. ;)
2014-03-14 10:28:58 -05:00
William Vu f50d6c8709 Remove a couple more instances of "shit" 2014-03-04 15:00:48 -06:00
FireFart c62f4079f8 Added a check for vars_get in msftidy 2014-03-01 12:02:41 +01:00
Rob Fuller b19a652d78 add -i option as a requirement 2014-02-18 14:08:57 -05:00
sinn3r b5dcc0eb1d Make several changes.
Some important changes:

* Uses optparse to parse argumnets
* Prevent file handle leaks
2014-02-18 12:43:11 -06:00
Rob Fuller 6746793848 make write cleaner 2014-02-17 17:09:50 -05:00
Rob Fuller 11945786c9 standalone iplist creator 2014-02-17 11:22:15 -05:00
sinn3r 38bc587228
Land #2937 - Expand path in metasm_shell 2014-02-02 23:42:50 -06:00
Joe Vennix e50077844c Expand path in metasm_shell#file. 2014-02-02 17:26:48 -06:00
Tod Beardsley 6f93e3fb37
Modules shouldn't use Nokogiri
Nokogiri has a habit of shipping vulnerable builds of libxml2. For
example, see this:

http://www.ubuntu.com/usn/usn-1904-1/

and compare to Nokogiri's bundled requirements:

https://github.com/sparklemotion/nokogiri/blob/master/dependencies.yml

While Nokogiri is quite pleasant to use, it really shouldn't be trusted
to handle potentially malicious data. Imagine if a "vulnerable" target
was actually a malicious honeypot, lying in wait for a poor Metasploit
user to come along and parse out its payload. (OT: does such a thing
have a clever name? If not, I propose "beehive" to imply the offensive
capabilities of such a honeypot.)

Nokogiri is used elsewhere in Metasploit, but those functions handle
data sourced from the Metasploit user herself, so those XML hunks are
nominally trustworthy.
2014-02-02 11:51:21 -06:00
Tod Beardsley 03d65cd2bd
Address @wvu-r7's comments and better filtering 2014-01-31 16:44:42 -06:00
Tod Beardsley 87412be33d
Squash commit Travis-able msftidy checks
This change updates msftidy to be run automatically for new modules
added since the last tag release because we can't rely on folks using
tools/dev/pre-commit-hook before submitting a PR. Now, when one attempts
to open a PR with a non-tidy'ed module, the build will fail out of the
gate.

Related to the 100s of msftidy errors extant today.

[SeeRM #8498]

commit c894e52de5705a1133191be5e9caf3ebdee33621
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Fri Jan 31 14:17:02 2014 -0600

    Add a jacked up title to test travis. Revert this!

commit 2f00c190be71aeb456a7a546071286fd6d670bc1
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Fri Jan 31 11:39:42 2014 -0600

    Allow for checking and spotchecking.

commit db11e8dfad5381030b08c431a183dbafe7a5f304
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 17:16:37 2014 -0600

    Whoops, need to exit an Integer always.

commit 12d131d3157a78ff11e597476138323ed0a062fc
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 16:59:35 2014 -0600

    Allow for exit statuses from msftidy.

commit 2c3b294ff17416f49935472caf2b6be3dbdd93a4
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 15:36:43 2014 -0600

    Be more dynamic about tag checking years

commit d5d8a0b05ac17fb18666a9c252dbb6928d6b5e56
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 14:36:44 2014 -0600

    Don't warn when there's really nothing

commit fb44a3142fb01eb2647c1c240bb1cc2e7bf59120
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 14:21:50 2014 -0600

    Revert the intentional failure

    This reverts commit 99a7630b0da301b27ac495cb027009a8cd9e2caf.

    Fun fact: Reverting a commit does not automatically sign with my current
    aliases, one must git revert then git c --amend.

commit 99a7630b0da301b27ac495cb027009a8cd9e2caf
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 14:08:05 2014 -0600

    Cause an exit status in precommit check

    Maybe travis will see these and fail the build.

    Don't forget to revert this commit @todb-r7 !

commit 5a3b2fcd9598fae51a0dd2c7c87680c703a85448
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 13:11:04 2014 -0600

    Update msftidy pre-commit-hook for spotchecking

commit 3f255e36dad9ed3081aaf359f845525d96872ef0
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 12:35:16 2014 -0600

    Travis should run msftidy via precommit hook

commit 0959d9d2d281590a94c0ac960e43b74354e4e21b
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Thu Jan 30 12:25:53 2014 -0600

    Add SPOTCHECK_RECENT to msftidy.rb
2014-01-31 14:19:04 -06:00
William Vu 7200a4f0e0 Fix in_super-reliant msftidy checks
The conversion from hard tabs to two-space soft tabs broke a few checks.
2014-01-30 14:39:28 -06:00
jvazquez-r7 9db295769d
Land #2905, @wchen-r7's update of exploit checks 2014-01-24 16:49:33 -06:00
Tod Beardsley 2ea3b46988
Remove to_s inside #{} 2014-01-23 14:21:48 -06:00
sinn3r 31c0f45b27 Add routine to check bad check codes 2014-01-22 15:26:16 -06:00
William Vu 3a943c719e Implement a whitelist for suspect capitalization 2014-01-21 09:26:16 -06:00
Tod Beardsley 62c7839b4c
Land #2850, fix msftidy to respect \x22 and \x27 2014-01-16 16:26:34 -06:00
joev 1197426b40
Land PR #2881, @jvazquez-r7's mips stagers. 2014-01-15 12:46:41 -06:00
jvazquez-r7 a8806887e9 Add support for MIPS reverse shell staged payloads 2014-01-14 12:25:11 -06:00
Ethan Robish 28655d4788 Fixed bug that caused runtime error in module_rank.rb 2014-01-13 19:03:23 -06:00
sinn3r dcf90b7cc7 Change options. And change "checksum" to "hash" 2014-01-13 09:57:28 -06:00
sinn3r 231c757804 Strictly just -q for the quick option 2014-01-13 09:12:16 -06:00
sinn3r ffc9f652cc Fix VirusTotalUtility module scope 2014-01-12 16:12:25 -06:00
sinn3r 02d5931739 Add method scan_by_checksum for virustotal.rb
Allows the user to scan files based on checksusm (without actually
uploading them to VT)
2014-01-12 15:45:16 -06:00