
Merge branch 'release/2012011000000' into stable

jcran committed Jan 10, 2012
2 parents f524459 + 753ddb2 commit 9a377923286b791c4d2a0a7a55dc20cd8a3cd60d
Showing with 3,248 additions and 323 deletions.
  1. +4 −0 README
  2. BIN data/armitage/armitage.jar
  3. +33 −0 data/armitage/whatsnew.txt
  4. +3 −0 data/wordlists/http_default_pass.txt
  5. +3 −0 data/wordlists/http_default_userpass.txt
  6. +3 −0 data/wordlists/http_default_users.txt
  7. +1 −0 data/wordlists/root_userpass.txt
  8. +121 −20 lib/lab/driver/remote_esx_driver.rb
  9. +6 −13 lib/lab/driver/vm_driver.rb
  10. +65 −75 lib/lab/modifier/meterpreter_modifier.rb
  11. +10 −9 lib/lab/vm.rb
  12. +8 −13 lib/lab/vm_controller.rb
  13. +4 −3 lib/msf/core/exploit/exe.rb
  14. +5 −1 lib/msf/core/exploit/http/client.rb
  15. +40 −11 lib/msf/core/model/cred.rb
  16. +60 −0 lib/msf/core/post/windows/railgun.rb
  17. +3 −1 lib/msf/core/post/windows/shadowcopy.rb
  18. +30 −18 lib/msf/ui/console/command_dispatcher/core.rb
  19. +3 −3 lib/net/ssh.rb
  20. +11 −4 lib/net/ssh/authentication/key_manager.rb
  21. +17 −0 lib/net/ssh/authentication/methods/publickey.rb
  22. +10 −2 lib/net/ssh/authentication/session.rb
  23. +2 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun.rb.ts.rb
  24. +22 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb
  25. +28 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun/platform_util.rb.ut.rb
  26. +9 −21 lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb
  27. +8 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb.ut.rb
  28. +105 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb
  29. +127 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb.ut.rb
  30. +21 −25 lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb
  31. +20 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun/win_const_manager.rb.ut.rb
  32. +7 −1 lib/rex/proto/http/client.rb
  33. +4 −0 lib/sshkey.rb
  34. +20 −0 lib/sshkey/LICENSE
  35. +71 −0 lib/sshkey/README.md
  36. +186 −0 lib/sshkey/lib/sshkey.rb
  37. +3 −0 lib/sshkey/lib/sshkey/version.rb
  38. +142 −0 modules/auxiliary/analyze/jtr_aix.rb
  39. +1 −1 modules/auxiliary/fuzzers/ftp/client_ftp.rb
  40. +1 −1 modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb
  41. +5 −1 modules/auxiliary/scanner/ftp/ftp_login.rb
  42. +1 −1 modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb
  43. +116 −0 modules/auxiliary/scanner/http/drupal_views_user_enum.rb
  44. +17 −2 modules/auxiliary/scanner/http/http_login.rb
  45. +112 −0 modules/auxiliary/scanner/http/sybase_easerver_traversal.rb
  46. +1 −1 modules/auxiliary/scanner/http/webdav_scanner.rb
  47. +5 −9 modules/auxiliary/scanner/smtp/smtp_version.rb
  48. +333 −0 modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb
  49. +6 −5 modules/auxiliary/scanner/ssh/ssh_login.rb
  50. +5 −2 modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb
  51. +4 −6 modules/auxiliary/scanner/telnet/telnet_login.rb
  52. +19 −19 modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb
  53. +134 −0 modules/exploits/freebsd/telnet/telnet_encrypt_keyid_bruteforce.rb
  54. +3 −3 modules/exploits/linux/telnet/telnet_encrypt_keyid.rb
  55. +108 −0 modules/exploits/multi/http/op5_license.rb
  56. +108 −0 modules/exploits/multi/http/op5_welcome.rb
  57. +652 −0 modules/exploits/windows/fileformat/adobe_reader_u3d.rb
  58. +1 −1 modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb
  59. +1 −1 modules/exploits/windows/fileformat/foxit_title_bof.rb
  60. +1 −1 modules/exploits/windows/fileformat/magix_musikmaker_16_mmm.rb
  61. +1 −1 modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb
  62. +1 −1 modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb
  63. +1 −1 modules/exploits/windows/fileformat/nuance_pdf_launch_overflow.rb
  64. +1 −1 modules/exploits/windows/fileformat/videospirit_visprj.rb
  65. +1 −1 modules/exploits/windows/fileformat/wireshark_packet_dect.rb
  66. +2 −2 modules/exploits/windows/fileformat/xion_m3u_sehbof.rb
  67. +2 −2 modules/exploits/windows/ftp/32bitftp_list_reply.rb
  68. +1 −1 modules/exploits/windows/ftp/aasync_list_reply.rb
  69. +2 −2 modules/exploits/windows/ftp/filewrangler_list_reply.rb
  70. +1 −1 modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb
  71. +1 −1 modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb
  72. +1 −1 modules/exploits/windows/ftp/ftpsynch_list_reply.rb
  73. +1 −1 modules/exploits/windows/ftp/gekkomgr_list_reply.rb
  74. +1 −1 modules/exploits/windows/ftp/leapftp_list_reply.rb
  75. +1 −1 modules/exploits/windows/ftp/odin_list_reply.rb
  76. +1 −1 modules/exploits/windows/ftp/seagull_list_reply.rb
  77. +1 −1 modules/exploits/windows/http/integard_password_bof.rb
  78. +91 −0 modules/exploits/windows/http/xampp_webdav_upload_php.rb
  79. +1 −1 modules/exploits/windows/misc/hp_omniinet_4.rb
  80. +1 −1 modules/exploits/windows/misc/wireshark_packet_dect.rb
  81. +42 −17 modules/exploits/windows/scada/codesys_web_server.rb
  82. +1 −1 modules/exploits/windows/scada/iconics_genbroker.rb
  83. +1 −1 modules/exploits/windows/scada/igss9_igssdataserver_listall.rb
  84. +1 −1 modules/payloads/singles/windows/messagebox.rb
  85. +68 −0 modules/post/aix/hashdump.rb
  86. +8 −1 modules/post/windows/manage/vss_create.rb
  87. +8 −1 modules/post/windows/manage/vss_list.rb
  88. +8 −1 modules/post/windows/manage/vss_mount.rb
  89. +8 −1 modules/post/windows/manage/vss_set_storage.rb
  90. +8 −1 modules/post/windows/manage/vss_storage.rb
  91. +2 −2 plugins/lab.rb
  92. +66 −0 scripts/resource/oracle_login.rc
  93. +34 −0 scripts/resource/oracle_sids.rc
  94. +28 −0 scripts/resource/oracle_tns.rc
  95. +3 −0 scripts/resource/run_all_post.rc
4 README
@@ -48,12 +48,16 @@ This license does not apply to the following components:
- The Ruby-Lorcon library located under external/ruby-lorcon
- The SNMP library located under lib/snmp
- The Zip library located under lib/zip
+ - The SSHKey library located under lib/sshkey
The latest version of this software is available from http://metasploit.com/
Bug tracking and development information can be found at:
https://dev.metasploit.com/redmine/projects/framework/
+The public GitHub source repository can be found at:
+ https://github.com/rapid7/metasploit-framework
+
Questions and suggestions can be sent to:
msfdev[at]metasploit.com
Binary file not shown.
@@ -1,6 +1,39 @@
Armitage Changelog
==================
+5 Jan 12
+--------
+- Armitage d-server now transmits hosts, service, and session state only
+ when something has changed. This makes teaming much snappier.
+- Uploading an imported hosts file now shows a progress dialog.
+- File browser upload function no longer blocks the user interface in team
+ mode. A progress dialog is shown for uploading larger files.
+- Removed Ctrl+R refresh hosts shortcut from graph view (it's no longer
+ necessary)
+- Armitage now exits if it was unable to connect to the collaboration server.
+- Hosts -> NMap Scans and Hosts -> MSF Scans dialogs are now populated with
+ the selected values from the target area by default.
+- You may now interact with a Windows command shell through Java meterpreter.
+- Armitage no longer shows Webcam Shot option through Java meterpreter.
+- Armitage now detects when it does not have read permissions for the database
+ YAML file and prompts with something helpful. Before it would just freeze
+ with a blank dialog. Not helpful. :)
+- Armitage now only shows services that are open.
+- View -> Reporting -> Export Data now has the capability of dumping the whole
+ database (not just the current workspace).
+- Added a dialog to View -> Reporting Export Data. Now you have the ability to
+ dump all hosts or choose to dump one of the dynamic workspaces. This gives
+ you a lot of flexibility with which hosts are included.
+- Cleaned up exported output of vulnerabilities in the Metasploit database:
+ -- duplicate entries are collapsed to one (this was the fault of my query)
+ -- refs column contains references separated by a comma and a space
+ -- added info and module columns. The module column indicates the appropriate
+ Metasploit module
+ -- Metasploit modules now populate name, info, and module in an appropriate
+ way.
+- Values exported to TSV are cleaned up such that newlines are replaced with a
+ literal \n and tabs are converted to three spaces.
+
30 Dec 11 - last release of the year?
---------
- Hosts -> Clear Database now clears the sessions and clients tables
@@ -12,3 +12,6 @@ user
system
sys
none
+xampp
+wampp
+ppmax2011
@@ -4,3 +4,6 @@ admin 1234
cisco cisco
cisco sanfran
private private
+wampp xampp
+newuser wampp
+xampp-dav-unsecure ppmax2011
@@ -8,3 +8,6 @@ security
user
system
sys
+wampp
+newuser
+xampp-dav-unsecure
@@ -47,3 +47,4 @@ root letmein
root powerapp
root dbps
root ibm
+root monitor
@@ -97,45 +97,146 @@ def delete_snapshot(snapshot, remove_children=false)
def delete_all_snapshots
remote_system_command("vim-cmd vmsvc/snapshot.removeall #{@vmid}")
end
-
- def run_command(command)
+
+ def check_file_exists(file)
+ raise "Not Implemented"
+ end
+
+ def create_directory(directory)
raise "Not Implemented"
end
+
+ def run_command(command, timeout=60)
+
+ setup_session
+ #puts "Using session #{@session}"
+
+ # TODO: pass the timeout down
- def copy_from_guest(from, to)
- if @os == "linux"
- scp_from(from, to)
+ if @session
+ if @session.type == "shell"
+ #puts "Running command via shell: #{command}"
+ @session.shell_command_token(command, timeout)
+ elsif @session.type == "meterpreter"
+ #puts "Running command via meterpreter: #{command}"
+ @session.shell_command(command)
+ end
else
- raise "Unimplemented"
+ raise "No session"
end
end
- def copy_to_guest(from, to)
- if @os == "linux"
- scp_to(from, to)
+ def copy_to_guest(local,remote)
+ setup_session
+ if @session.type == "meterpreter"
+ @session.run_cmd("upload #{local} #{remote}")
else
- raise "Unimplemented"
+ @driver.copy_to(local,remote)
end
end
-
- def check_file_exists(file)
- raise "Not Implemented"
- end
-
- def create_directory(directory)
- raise "Not Implemented"
+
+ def copy_from_guest(local, remote)
+ setup_session
+ if @session.type == "meterpreter"
+ @session.run_cmd("download #{local} #{remote}")
+ else
+ @driver.copy_from(local,remote)
+ end
end
def cleanup
-
end
def running?
power_status_string = `ssh #{@user}@#{@host} \"vim-cmd vmsvc/power.getstate #{@vmid}\"`
return true if power_status_string =~ /Powered on/
- false
end
+private
+
+ def create_framework
+ return if @framework
+ @framework = Msf::Simple::Framework.create
+ end
+
+ # perform the setup only once
+ def setup_session
+ return if @session
+
+ # require the framework (assumes this sits in lib/lab/modifiers)
+ require 'msf/base'
+
+ create_framework # TODO - this should use a single framework for all hosts, not one-per-host
+
+ @session = nil
+ @session_input = Rex::Ui::Text::Input::Buffer.new
+ @session_output = Rex::Ui::Text::Output::Buffer.new
+
+ if @os == "windows"
+ exploit_name = 'windows/smb/psexec'
+
+ # TODO - check for x86, choose the appropriate payload
+
+ payload_name = 'windows/meterpreter/bind_tcp'
+ options = {
+ "RHOST" => @hostname,
+ "SMBUser" => @vm_user,
+ "SMBPass" => @vm_pass}
+
+ #puts "DEBUG: using options #{options}"
+
+ # Initialize the exploit instance
+ exploit = @framework.exploits.create(exploit_name)
+
+ begin
+ # Fire it off.
+ @session = exploit.exploit_simple(
+ 'Payload' => payload_name,
+ 'Options' => options,
+ 'LocalInput' => @session_input,
+ 'LocalOutput' => @session_output)
+ @session.load_stdapi
+
+ #puts "DEBUG: Generated session: #{@session}"
+
+ rescue Exception => e
+ #puts "DEBUG: Unable to exploit"
+ #puts e.to_s
+ end
+ else
+ module_name = 'scanner/ssh/ssh_login'
+
+ # TODO - check for x86, choose the appropriate payload
+
+ payload_name = 'linux/x86/shell_bind_tcp'
+ options = { "RHOSTS" => @hostname,
+ "USERNAME" => @vm_user,
+ "PASSWORD" => @vm_pass,
+ "BLANK_PASSWORDS" => false,
+ "USER_AS_PASS" => false,
+ "VERBOSE" => false}
+
+ # Initialize the module instance
+ aux = @framework.auxiliary.create(module_name)
+
+ #puts "DEBUG: created module: #{aux}"
+
+ begin
+ # Fire it off.
+ aux.run_simple(
+ 'Payload' => payload_name,
+ 'Options' => options,
+ 'LocalInput' => @session_input,
+ 'LocalOutput' => @session_output)
+
+ @session = @framework.sessions.first.last
+ rescue Exception => e
+ #puts "DEBUG: Unable to exploit"
+ #puts e.to_s
+ end
+ end
+ end
+
def get_snapshots
# Command take the format:
# vmware-vim-cmd vmsvc/snapshot.revert [vmid: int] [snapshotlevel: int] [snapshotindex: int]
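Review bot: `setup_session` wraps both the psexec and the ssh_login paths in `rescue Exception => e` and discards the error, so any failure (including Interrupt and SystemExit) leaves `@session` nil with no diagnostic, and the new `copy_to_guest`/`copy_from_guest` then call `@session.type` without the nil guard that `run_command` has, failing with a NoMethodError far from the cause. Narrow the rescue to `rescue ::StandardError => e`, log or re-raise `e`, and guard the copy helpers the same way as `run_command`: `raise "No session" unless @session`. On the ssh path `@session = @framework.sessions.first.last` also assumes the login produced a session, so a failed login raises inside the same swallowed rescue; check `@framework.sessions.empty?` before indexing. Separately, if the first argument of `copy_from_guest(local, remote)` is the local destination as its name suggests, `download #{local} #{remote}` looks like it has meterpreter's source/destination order reversed relative to `upload #{local} #{remote}` — worth confirming against the caller. The hunk also drops the trailing `false` from `running?`, which now returns nil rather than false when the VM is not powered on.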
@@ -147,7 +248,7 @@ def get_snapshots
# ...
snapshots = []
- # Use these to keep track of the parsing...
+ # Use these to keep track of the parsing...
current_tree = -1
current_num = 0
count = 0
@@ -86,11 +86,11 @@ def delete_snapshot(snapshot)
def run_command(command)
raise "Command not Implemented"
end
-
+
def copy_from_guest(from, to)
raise "Command not Implemented"
end
-
+
def copy_to_guest(from, to)
raise "Command not Implemented"
end
@@ -117,7 +117,6 @@ def scp_to(local,remote)
#::Net::SCP.start(@hostname, @vm_user, :password => @vm_pass) do |scp|
# scp.upload!(from,to)
#end
-
system_command("scp #{local} #{@vm_user}@#{@hostname}:#{remote}")
end
@@ -127,17 +126,13 @@ def scp_from(local,remote)
#::Net::SCP.start(@hostname, @vm_user, :password => @vm_pass) do |scp|
# scp.download!(from,to)
#end
-
system_command("scp #{@vm_user}@#{@hostname}:#{remote} #{local}")
-
end
-
+
def ssh_exec(command)
-
::Net::SSH.start(@hostname, @vm_user, :password => @vm_pass) do |ssh|
result = ssh.exec!(command)
end
-
`scp #{@vm_user}@#{@hostname} from to`
end
@@ -148,7 +143,6 @@ def filter_input(string)
unless /^[\d\w\s\[\]\{\}\/\\\.\-\"\(\):!]*$/.match string
raise "WARNING! Invalid character in: #{string}"
end
-
string
end
@@ -159,18 +153,17 @@ def filter_command(string)
unless /^[\d\w\s\[\]\{\}\/\\\.\-\"\(\)]*$/.match string
raise "WARNING! Invalid character in: #{string}"
end
-
string
end
-
+
# The only reason we don't filter here is because we need
# the ability to still run clean (controlled entirely by us)
# command lines.
def system_command(command)
`#{command}`
end
-
-
+
+
def remote_system_command(command)
system_command("ssh #{@user}@#{@host} \"#{command}\"")
end