Merge branch 'master' of github.com:rapid7/metasploit-framework

mephos · Feb 6, 2012 · 70f923c · 70f923c
2 parents d6616cd + b03e752
commit 70f923c
Show file tree

Hide file tree

Showing 48 changed files with 1,416 additions and 104 deletions.
diff --git a/data/templates/template_x64_darwin.bin b/data/templates/template_x64_darwin.bin
diff --git a/lib/fastlib.rb b/lib/fastlib.rb
@@ -37,7 +37,7 @@
 #
 class FastLib
 
-	VERSION = "0.0.6"
+	VERSION = "0.0.8"
 
 	FLAG_COMPRESS = 0x01
 	FLAG_ENCRYPT  = 0x02
@@ -249,22 +249,31 @@ def self.post_process(lib, name, data)
 
 	#
 	# This is a stub crypto handler that performs a basic XOR
-	# operation against a fixed one byte key
+	# operation against a fixed one byte key. The two usable IDs
+	# are 12345600 and 00000000
 	#
 	def self.encrypt_12345600(data)
-		data.unpack("C*").map{ |c| c ^ 0x90 }.pack("C*")
+		encrypt_00000000(data)
 	end
 
 	def self.decrypt_12345600(data)
-		encrypt_12345600(data)
+		encrypt_00000000(data)
 	end
 
-	def self.cache
-		@@cache
+	def self.encrypt_00000000(data)
+		data.unpack("C*").map{ |c| c ^ 0x90 }.pack("C*")
 	end
 
-
-
+	def self.decrypt_00000000(data)
+		encrypt_00000000(data)
+	end
+
+	#
+	# Expose the cache to callers
+	#
+	def self.cache
+		@@cache
+	end	
 end
 
 
@@ -330,6 +339,7 @@ def self.cache
 
 	4 bytes: "FAST"
 	4 bytes: NBO header length
+	4 bytes: NBO flags (24-bit crypto ID, 8 bit modes)
 	[
 		4 bytes: name length (0 = End of Names)
 		4 bytes: data offset
@@ -343,6 +353,12 @@ def self.cache
 
 module Kernel #:nodoc:all
 	alias :fastlib_original_require :require
+
+	#
+	# Store the CWD when were initially loaded
+	# required for resolving relative paths
+	#
+	@@fastlib_base_cwd = ::Dir.pwd
 
 	#
 	# This method hooks the original Kernel.require to support
@@ -360,22 +376,16 @@ def fastlib_require(name)
 		return false if fastlib_already_loaded?(name)
 		return false if fastlib_already_tried?(name)
 
-		# TODO: Implement relative path $: checks and adjust the
-		#       search path within archives to match.
-
-		$:.map{ |path| ::Dir["#{path}/*.fastlib"] }.flatten.uniq.each do |lib|
+		# XXX Implement relative search paths within archives 
+		$:.map{ |path| 
+			(path =~ /^([A-Za-z]\:|\/)/ ) ? path : ::File.expand_path( ::File.join(@@fastlib_base_cwd, path) )
+		}.map{  |path| ::Dir["#{path}/*.fastlib"] }.flatten.uniq.each do |lib|
 			data = FastLib.load(lib, name)
 			next if not data
 			$" << name
 
-			begin
-				Object.class_eval(data)
-			rescue ::Exception => e
-				opath,oerror = e.backtrace.shift.split(':', 2)
-				e.backtrace.unshift("#{lib}::#{name}:#{oerror}")
-				raise e
-			end
-
+			Object.class_eval(data, lib + "::" + name)
+
 			return true
 		end
 

diff --git a/lib/msf/core/event_dispatcher.rb b/lib/msf/core/event_dispatcher.rb
@@ -58,6 +58,7 @@ class EventDispatcher
 	def initialize(framework)
 		self.framework = framework
 		self.general_event_subscribers = []
+		self.custom_event_subscribers  = []
 		self.exploit_event_subscribers = []
 		self.session_event_subscribers = []
 		self.db_event_subscribers      = []
@@ -181,7 +182,7 @@ def method_missing(name, *args)
 					sub.send(name, *args)
 				end
 			else
-				general_event_subscribers.each do |sub|
+				(general_event_subscribers + custom_event_subscribers).each do |sub|
 					next if not sub.respond_to?(name)
 					sub.send(name, *args)
 					found = true
@@ -198,9 +199,7 @@ def method_missing(name, *args)
 				remove_event_subscriber(self.send(subscribers), *args)
 			end
 		end
-		if not found
-			elog("Event dispatcher received an unhandled event: #{name}")
-		end
+
 		return found
 	end
 
@@ -222,6 +221,7 @@ def remove_event_subscriber(array, subscriber) # :nodoc:
 	end
 
 	attr_accessor :general_event_subscribers # :nodoc:
+	attr_accessor :custom_event_subscribers # :nodoc:	
 	attr_accessor :exploit_event_subscribers # :nodoc:
 	attr_accessor :session_event_subscribers # :nodoc:
 	attr_accessor :db_event_subscribers # :nodoc:

diff --git a/lib/msf/core/exploit/capture.rb b/lib/msf/core/exploit/capture.rb
@@ -99,7 +99,11 @@ def open_pcap(opts={})
 			self.capture = ::Pcap.open_offline(cap)
 		else
 			dev ||= ::Pcap.lookupdev
-			system("ifconfig", dev, "up")
+
+			unless RUBY_PLATFORM == "i386-mingw32"
+				system("ifconfig", dev, "up")
+			end
+
 			self.capture = ::Pcap.open_live(dev, len, true, tim)
 			if arp
 				self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)

diff --git a/lib/msf/core/exploit/http/server.rb b/lib/msf/core/exploit/http/server.rb
@@ -112,6 +112,7 @@ def start_service(opts = {})
 		# provided.
 		uopts = {
 			'Proc' => Proc.new { |cli, req|
+					framework.events.on_httpserver_request(self, cli, req)
 					on_request_uri(cli, req)
 				},
 			'Path' => resource_uri

diff --git a/lib/msf/ui/banner.rb b/lib/msf/ui/banner.rb
@@ -262,8 +262,33 @@ module Banner
                      ########################
                       ##     ##   ##     ##
 %clr
-'
-		]
+',
+%Q{
+  %whi+-------------------------------------------------------+
+  %whi|  METASPLOIT by Rapid7                                 |
+  %whi+---------------------------+---------------------------+
+  %whi|      %blu__________________   %whi|                           |
+  %whi|  %yel==c%blu(______(%yelo%blu(______(_%yel()  %whi| %grn|""""""""""""|======\[%red***  %whi|
+  %whi|             %blu)%yel=%blu\\\           %whi| %grn|  %whiEXPLOIT   %grn\\            %whi|
+  %whi|            %blu// \\\\          %whi| %grn|_____________\\_______    %whi|
+  %whi|           %blu//   \\\\         %whi| %grn|==\[%whimsf >%grn\]============\\   %whi|
+  %whi|          %blu//     \\\\        %whi| %grn|______________________\\  %whi|
+  %whi|         %blu// %whiRECON %blu\\\\       %whi| %grn\\(@)(@)(@)(@)(@)(@)(@)/   %whi|
+  %whi|        %blu//         \\\\      %whi|  %grn*********************    %whi|
+  %whi+---------------------------+---------------------------+
+  %whi|      o O o                |        %yel\\'\\/\\/\\/'/         %whi|
+  %whi|              o O          |         %yel)%whi======%yel(          %whi|
+  %whi|                 o         |       %yel.'  %whiLOOT  %yel'.        %whi|
+  %whi| %red|^^^^^^^^^^^^^^\|l%red___      %whi|      %yel/    %grn_||__   %yel\\       %whi|
+  %whi| %red|    %whiPAYLOAD     %red|%whi""\\%red___, %whi|     %yel/    %grn(_||_     %yel\\      %whi|
+  %whi| %red|________________|__|)__| %whi|    %yel|     %grn__||_)     %yel|     %whi|
+  %whi| %red|(@)(@)"""**|(@)(@)**|(@) %whi|    %yel"       %grn||       %yel"     %whi|
+  %whi|  %yel= = = = = = = = = = = =  %whi|     %yel'--------------'      %whi|
+  %whi+---------------------------+---------------------------+%clr
+  %clr
+},]
+
+
 
 
 	#

diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -95,6 +95,10 @@ def self.to_executable(framework, arch, plat, code='', opts={})
 			if (plat.index(Msf::Module::Platform::Linux))
 				return to_linux_x64_elf(framework, code, opts)
 			end
+
+			if (plat.index(Msf::Module::Platform::OSX))
+				return to_osx_x64_macho(framework, code)
+			end
 		end
 
 		if(arch.index(ARCH_ARMLE))
@@ -575,6 +579,22 @@ def self.to_osx_x86_macho(framework, code, opts={})
 		return mo
 	end
 
+	def self.to_osx_x64_macho(framework, code, opts={})
+		set_template_default(opts, "template_x64_darwin.bin")
+
+		macho = ''
+
+		File.open(opts[:template], 'rb') { |fd|
+			macho = fd.read(fd.stat.size)
+		}
+
+		bin = macho.index('PAYLOAD:')
+		raise RuntimeError, "Invalid Mac OS X x86_64 Mach-O template: missing \"PAYLOAD:\" tag" if not bin
+		macho[bin, code.length] = code
+
+		return macho
+	end
+
 	#
 	# Create a 64-bit Linux ELF containing the payload provided in +code+
 	#
@@ -1700,7 +1720,13 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
 			end
 
 		when 'macho'
-			output = Msf::Util::EXE.to_osx_x86_macho(framework, code, exeopts)
+			if (not arch or (arch.index(ARCH_X86)))
+				output = Msf::Util::EXE.to_osx_x86_macho(framework, code, exeopts)
+			end
+
+			if (arch and (arch.index(ARCH_X86_64) or arch.index(ARCH_X64)))
+				output = Msf::Util::EXE.to_osx_x64_macho(framework, code, exeopts)
+			end
 
 		when 'vba'
 			output = Msf::Util::EXE.to_vba(framework, code, exeopts)

diff --git a/modules/post/windows/gather/usb_history.rb b/modules/post/windows/gather/usb_history.rb
@@ -44,7 +44,7 @@ def run
 		out = "\n"
 
 		@drives.each do |u, v|
-			out << sprintf("%5s\t%75s\n", v, u)
+			out << sprintf("%5s\t%75s\n", v, u.gsub("\x00", ''))
 		end
 
 		print_status(out)

diff --git a/modules/post/windows/manage/download_exec.rb b/modules/post/windows/manage/download_exec.rb
@@ -40,6 +40,7 @@ def initialize(info={})
 		register_advanced_options(
 			[
 				OptString.new('EXEC_STRING',   [false, 'Execution parameters when run from download directory' ]),
+        OptInt.new('EXEC_TIMEOUT',     [true, 'Execution timeout', 60 ]),
 				OptBool.new(  'DELETE',        [true, 'Delete file after execution', false ]),
 			], self.class)
 
@@ -88,8 +89,8 @@ def run
 		end
 
 		outpath = path + '\\' + filename
-		exec = datastore["EXECUTE"]
-		exec_string = datastore["EXEC_STRING"] || ''
+		exec = datastore['EXECUTE']
+		exec_string = datastore['EXEC_STRING'] || ''
 		output = datastore['OUTPUT']
 		remove = datastore['DELETE']
 
@@ -112,14 +113,14 @@ def run
 		# Execute file upon request
 		if exec
 			begin
-				cmd = outpath + ' ' + exec_string
+				cmd = "#{outpath} #{exec_string}"
 
 				# If we don't have the following gsub, we get this error in Windows:
 				# "Operation failed: The system cannot find the file specified"
-				cmd = cmd.gsub(/\\/, '\\\\\\')
+				cmd = cmd.gsub(/\\/, '\\\\\\').gsub(/\s/, '\ ')
 
 				print_status("Executing file: #{cmd}")
-				res = cmd_exec(cmd)
+				res = cmd_exec(cmd, nil, datastore['EXEC_TIMEOUT'])
 				print_good(res) if output and not res.empty?
 			rescue ::Exception => e
 				print_error("Unable to execute: #{e.message}")
@@ -136,4 +137,4 @@ def run
 			end
 		end
 	end
-end
+end
diff --git a/msfbinscan b/msfbinscan
@@ -9,7 +9,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfcli b/msfcli
@@ -14,11 +14,10 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 
-
 $:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
 
 require 'rex'

diff --git a/msfconsole b/msfconsole
@@ -13,7 +13,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfd b/msfd
@@ -15,7 +15,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfelfscan b/msfelfscan
@@ -9,7 +9,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfencode b/msfencode
@@ -9,7 +9,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfmachscan b/msfmachscan
@@ -9,7 +9,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfpayload b/msfpayload
@@ -9,7 +9,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfpescan b/msfpescan
@@ -9,7 +9,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfrop b/msfrop
@@ -12,7 +12,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'
 
 

diff --git a/msfrpc b/msfrpc
@@ -13,7 +13,7 @@ while File.symlink?(msfbase)
 	msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
 end
 
-$:.unshift(File.join(File.dirname(msfbase), 'lib'))
+$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
 require 'fastlib'